Vendor import of Unbound 1.6.4.

svn path=/vendor/unbound/dist/; revision=333537
svn path=/vendor/unbound/1.6.4/; revision=333538; tag=vendor/unbound/1.6.4

Makefile.in

@@ -100,6 +100,9 @@ PYUNBOUND_OBJ=@PYUNBOUND_OBJ@
 SUBNET_SRC=edns-subnet/edns-subnet.c edns-subnet/subnetmod.c edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c
 SUBNET_OBJ=@SUBNET_OBJ@
 SUBNET_HEADER=@SUBNET_HEADER@
+IPSECMOD_SRC=ipsecmod/ipsecmod.c ipsecmod/ipsecmod-whitelist.c
+IPSECMOD_OBJ=@IPSECMOD_OBJ@
+IPSECMOD_HEADER=@IPSECMOD_HEADER@
 COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \
 util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
 util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \
@@ -109,7 +112,7 @@ iterator/iter_scrub.c iterator/iter_utils.c services/listen_dnsport.c \
 services/localzone.c services/mesh.c services/modstack.c services/view.c \
 services/outbound_list.c services/outside_network.c util/alloc.c \
 util/config_file.c util/configlexer.c util/configparser.c \
-util/shm_side/shm_main.c \
+util/shm_side/shm_main.c services/authzone.c\
 util/fptr_wlist.c util/locks.c util/log.c util/mini_event.c util/module.c \
 util/netevent.c util/net_help.c util/random.c util/rbtree.c util/regional.c \
 util/rtt.c util/storage/dnstree.c util/storage/lookup3.c \
@@ -122,7 +125,7 @@ validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \
 edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
 edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
 cachedb/cachedb.c respip/respip.c $(CHECKLOCK_SRC) \
-$(DNSTAP_SRC) $(DNSCRYPT_SRC)
+$(DNSTAP_SRC) $(DNSCRYPT_SRC) $(IPSECMOD_SRC)
 COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
 as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
 iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
@@ -132,8 +135,9 @@ fptr_wlist.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
 random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
 slabhash.lo timehist.lo tube.lo winsock_event.lo autotrust.lo val_anchor.lo \
 validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
-val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo \
-$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ)
+val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo authzone.lo\
+$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
+$(IPSECMOD_OBJ)
 COMMON_OBJ_WITHOUT_NETCALL+=respip.lo
 COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
 outside_network.lo
@@ -159,10 +163,10 @@ UNITTEST_SRC=testcode/unitanchor.c testcode/unitdname.c \
 testcode/unitlruhash.c testcode/unitmain.c testcode/unitmsgparse.c \
 testcode/unitneg.c testcode/unitregional.c testcode/unitslabhash.c \
 testcode/unitverify.c testcode/readhex.c testcode/testpkts.c testcode/unitldns.c \
-testcode/unitecs.c
+testcode/unitecs.c testcode/unitauth.c
 UNITTEST_OBJ=unitanchor.lo unitdname.lo unitlruhash.lo unitmain.lo \
 unitmsgparse.lo unitneg.lo unitregional.lo unitslabhash.lo unitverify.lo \
-readhex.lo testpkts.lo unitldns.lo unitecs.lo
+readhex.lo testpkts.lo unitldns.lo unitecs.lo unitauth.lo
 UNITTEST_OBJ_LINK=$(UNITTEST_OBJ) worker_cb.lo $(COMMON_OBJ) $(SLDNS_OBJ) \
 $(COMPAT_OBJ)
 DAEMON_SRC=daemon/acl_list.c daemon/cachedump.c daemon/daemon.c \
@@ -605,6 +609,7 @@ depend:
 			-e 's?$$(srcdir)/dnscrypt/dnscrypt_config.h??g' \
 			-e 's?$$(srcdir)/pythonmod/pythonmod.h?$$(PYTHONMOD_HEADER)?g' \
 			-e 's?$$(srcdir)/edns-subnet/subnetmod.h $$(srcdir)/edns-subnet/subnet-whitelist.h $$(srcdir)/edns-subnet/edns-subnet.h $$(srcdir)/edns-subnet/addrtree.h?$$(SUBNET_HEADER)?g' \
+			-e 's?$$(srcdir)/ipsecmod/ipsecmod.h $$(srcdir)/ipsecmod/ipsecmod-whitelist.h?$$(IPSECMOD_HEADER)?g' \
 			-e 's!\(.*\)\.o[ :]*!\1.lo \1.o: !g' \
 			> $(DEPEND_TMP)
 	cp $(DEPEND_TARGET) $(DEPEND_TMP2)
@@ -622,18 +627,19 @@ depend:
 # Dependencies
 dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
  $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/util/locks.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \
+ $(srcdir)/sldns/sbuffer.h
 infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lookup3.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
 rrset.lo rrset.o: $(srcdir)/services/cache/rrset.c config.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/slabhash.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \
@@ -656,11 +662,11 @@ msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h $(srcdir)/util/d
 msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/module.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/util/module.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
 packed_rrset.lo packed_rrset.o: $(srcdir)/util/data/packed_rrset.c config.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \
@@ -674,10 +680,11 @@ iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterato
  $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_scrub.h $(srcdir)/iterator/iter_priv.h \
  $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/config_file.h $(srcdir)/util/random.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/random.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
 iter_delegpt.lo iter_delegpt.o: $(srcdir)/iterator/iter_delegpt.c config.h $(srcdir)/iterator/iter_delegpt.h \
  $(srcdir)/util/log.h $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \
@@ -719,17 +726,18 @@ iter_utils.lo iter_utils.o: $(srcdir)/iterator/iter_utils.c config.h $(srcdir)/i
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h \
  $(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_priv.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/validator/val_anchor.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/sldns/str2wire.h
 listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h \
  $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
-  $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/sbuffer.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/util/rbtree.h  $(srcdir)/util/log.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/net_help.h $(srcdir)/sldns/sbuffer.h
 localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/services/localzone.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
@@ -737,27 +745,30 @@ localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/serv
  $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/as112.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/as112.h
 mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/util/timehist.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
- $(srcdir)/util/data/dname.h $(srcdir)/respip/respip.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/timehist.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/tube.h $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/view.h $(srcdir)/util/data/dname.h $(srcdir)/respip/respip.h
 modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/services/modstack.h \
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/respip/respip.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/services/view.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/respip/respip.h $(srcdir)/services/localzone.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(PYTHONMOD_HEADER) \
+ $(srcdir)/cachedb/cachedb.h $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h
 view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
@@ -766,31 +777,32 @@ view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(s
 outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \
  $(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- 
+ $(srcdir)/dnscrypt/cert.h 
 outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c config.h \
  $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h   \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/dnstap/dnstap.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+  $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \
+ 
 alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
 config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/util/log.h \
  $(srcdir)/util/configyyrename.h $(srcdir)/util/config_file.h util/configparser.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h $(srcdir)/util/data/dname.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h \
  $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/iana_ports.inc
 configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \
@@ -798,24 +810,33 @@ configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configy
 configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
 shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h $(srcdir)/util/shm_side/shm_main.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
-   $(srcdir)/daemon/worker.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/rtt.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h
+ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
+  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/services/mesh.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
+ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h
+authzone.lo authzone.o: $(srcdir)/services/authzone.c config.h $(srcdir)/services/authzone.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h $(srcdir)/validator/val_nsec3.h \
+ $(srcdir)/validator/val_secalgo.h
 fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/outside_network.h  $(srcdir)/services/localzone.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h  \
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/services/authzone.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
  $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \
  $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
  $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \
@@ -823,38 +844,42 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
  $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \
  $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h \
+ $(PYTHONMOD_HEADER) $(srcdir)/cachedb/cachedb.h $(srcdir)/ipsecmod/ipsecmod.h \
  $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/net_help.h $(srcdir)/edns-subnet/addrtree.h \
  $(srcdir)/edns-subnet/edns-subnet.h
 locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
 mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h
 module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
 netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/ub_event.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/dnstap/dnstap.h  \
  
 net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/wire2str.h \
+ 
 random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
 rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
 regional.lo regional.o: $(srcdir)/util/regional.c config.h $(srcdir)/util/log.h $(srcdir)/util/regional.h
 rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h
 dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/storage/dnstree.h \
@@ -863,25 +888,25 @@ dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/s
 lookup3.lo lookup3.o: $(srcdir)/util/storage/lookup3.c config.h $(srcdir)/util/storage/lookup3.h
 lruhash.lo lruhash.o: $(srcdir)/util/storage/lruhash.c config.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
 slabhash.lo slabhash.o: $(srcdir)/util/storage/slabhash.c config.h $(srcdir)/util/storage/slabhash.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 timehist.lo timehist.o: $(srcdir)/util/timehist.c config.h $(srcdir)/util/timehist.h $(srcdir)/util/log.h
 tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/util/ub_event.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/ub_event.h
 ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
 ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \
  $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
@@ -894,9 +919,10 @@ autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/val
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
  $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/services/modstack.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \
+ 
 val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
@@ -912,7 +938,8 @@ validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/val
  $(srcdir)/validator/autotrust.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/validator/val_kcache.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/validator/val_kentry.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
@@ -921,13 +948,15 @@ val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/
 val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h
-val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
+ 
+val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \
+ $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
 val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
@@ -943,14 +972,16 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/valida
 val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \
  $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/sldns/sbuffer.h \
+ 
 val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
  $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
  $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
+ 
 val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
@@ -958,15 +989,16 @@ val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/val
  $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h \
  $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h
+ $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/parseutil.h
 dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(srcdir)/util/module.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
 edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \
  $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
 subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/edns-subnet/subnetmod.h \
@@ -976,8 +1008,9 @@ subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/e
  $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h \
  $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/edns-subnet/subnet-whitelist.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/services/modstack.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/services/modstack.h $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
 addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
@@ -985,18 +1018,43 @@ addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util
 subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h \
  $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
  $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/regional.h $(srcdir)/util/config_file.h
-cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h
+ $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
+cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h $(srcdir)/cachedb/cachedb.h $(srcdir)/util/module.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/services/cache/dns.h $(srcdir)/validator/val_neg.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/validator/val_secalgo.h $(srcdir)/iterator/iter_utils.h \
+ $(srcdir)/iterator/iter_resptype.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/sbuffer.h
 respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h \
  $(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/config_file.h \
  $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
  $(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/respip/respip.h
 checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/testcode/checklocks.h
+dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h
+ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h $(srcdir)/ipsecmod/ipsecmod.h \
+ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/wire2str.h
+ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h \
+ $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h
 unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
@@ -1005,14 +1063,15 @@ unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util
  $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
 unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \
  $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
-unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
+unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
  $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/random.h \
- $(srcdir)/respip/respip.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/services/localzone.h $(srcdir)/services/view.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/random.h $(srcdir)/respip/respip.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h
 unitmsgparse.lo unitmsgparse.o: $(srcdir)/testcode/unitmsgparse.c config.h $(srcdir)/util/log.h \
  $(srcdir)/testcode/unitmain.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
@@ -1049,18 +1108,24 @@ unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h $(srcdir)/util/log.h
  $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/edns-subnet/addrtree.h \
  $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/edns-subnet.h
+unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/services/authzone.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/sbuffer.h
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
  $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
-cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
- $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
+cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
+ $(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
  $(srcdir)/dnstap/dnstap.h  $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h \
@@ -1068,24 +1133,27 @@ cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon
  $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \
  $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
  $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
-  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+   $(srcdir)/daemon/worker.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
  $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h \
  $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h $(srcdir)/respip/respip.h
-remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/alloc.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \
+ $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
   $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
  $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
  $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
@@ -1098,48 +1166,51 @@ remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h
  $(srcdir)/services/outside_network.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h \
  $(srcdir)/sldns/wire2str.h
 stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  \
- $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+  $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
+ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
 unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
  $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
-  $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
+  $(srcdir)/daemon/remote.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
 worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+  $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
+ $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
  $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/util/shm_side/shm_main.h
+ $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h
 testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
  $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
- $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c \
- $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/testcode/fake_event.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
   $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
@@ -1153,69 +1224,72 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
  $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+  $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
+ $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
  $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/util/shm_side/shm_main.h
+ $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
  $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
-  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+   $(srcdir)/daemon/worker.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
  $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h \
  $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h $(srcdir)/respip/respip.h
 stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  \
- $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+  $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
+ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
 replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h \
- $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/testcode/testpkts.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
 fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/testcode/fake_event.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/util/rbtree.h  $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h  \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
+ $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 lock_verify.lo lock_verify.o: $(srcdir)/testcode/lock_verify.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/modstack.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h
 pktview.lo pktview.o: $(srcdir)/testcode/pktview.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/testcode/readhex.h $(srcdir)/sldns/sbuffer.h \
@@ -1224,10 +1298,10 @@ readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/r
  $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h
 memstats.lo memstats.o: $(srcdir)/testcode/memstats.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/modstack.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h
 unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c config.h $(srcdir)/util/log.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
@@ -1235,14 +1309,14 @@ unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c
  $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
  $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/view.h $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/services/view.h $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h $(PYTHONMOD_HEADER)
 worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
  $(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h
 context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbound/context.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
  $(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
@@ -1251,7 +1325,7 @@ context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbou
  $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/sldns/sbuffer.h
 libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h \
  $(srcdir)/libunbound/unbound-event.h config.h $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
@@ -1261,22 +1335,22 @@ libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbou
  $(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h \
  $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/services/cache/rrset.h \
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/sldns/sbuffer.h
-libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h   \
- $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/sldns/str2wire.h
+libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \
+ $(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/dnscrypt/cert.h  $(srcdir)/services/mesh.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h \
+ $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/str2wire.h
 unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
 asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
@@ -1287,34 +1361,40 @@ streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util
  $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
+ 
 perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
  $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
-unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h $(srcdir)/util/shm_side/shm_main.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h
+unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
+ $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/shm_side/shm_main.h $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h
 unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
-petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
+ 
+petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
+ 
 pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
- $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h
+  $(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/regional.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h \
+ 
 win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \
  $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
    $(srcdir)/daemon/worker.h \
  $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h
 w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
 unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
  $(srcdir)/winrc/w_inst.h
@@ -1322,11 +1402,14 @@ unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-serv
  $(srcdir)/winrc/w_inst.h
 anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h
-keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h
+keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/sldns/rrdef.h \
+ 
 sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h
 wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/keyraw.h
+ $(srcdir)/sldns/keyraw.h \
+ 
 parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \
  $(srcdir)/sldns/sbuffer.h
 parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h
@@ -1346,9 +1429,11 @@ snprintf.lo snprintf.o: $(srcdir)/compat/snprintf.c config.h
 strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
 strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
 strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
-getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
+getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \
+ 
 getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h
-getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
+getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h \
+ 
 getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
 explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h
 arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h

cachedb/cachedb.c

@@ -171,12 +171,13 @@ static int
 cachedb_apply_cfg(struct cachedb_env* cachedb_env, struct config_file* cfg)
 {
 	const char* backend_str = "testframe"; /* TODO get from cfg */
+	(void)cfg;     /* need this until the TODO is implemented */
 	if(backend_str && backend_str[0]) {
 		cachedb_env->backend = cachedb_find_backend(backend_str);
 		if(!cachedb_env->backend) {
 			log_err("cachedb: cannot find backend name '%s",
 				backend_str);
-			return NULL;
+			return 0;
 		}
 	}
 	/* TODO see if more configuration needs to be applied or not */
@@ -374,6 +375,36 @@ good_expiry_and_qinfo(struct module_qstate* qstate, struct sldns_buffer* buf)
 	return 1;
 }
 
+static void
+packed_rrset_ttl_subtract(struct packed_rrset_data* data, time_t subtract)
+{
+        size_t i;
+        size_t total = data->count + data->rrsig_count;
+	if(data->ttl > subtract)
+		data->ttl -= subtract;
+	else	data->ttl = 0;
+        for(i=0; i<total; i++) {
+		if(data->rr_ttl[i] > subtract)
+                	data->rr_ttl[i] -= subtract;
+                else	data->rr_ttl[i] = 0;
+	}
+}
+
+static void
+adjust_msg_ttl(struct dns_msg* msg, time_t adjust)
+{
+	size_t i;
+	if(msg->rep->ttl > adjust)
+		msg->rep->ttl -= adjust;
+	else	msg->rep->ttl = 0;
+	msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
+
+	for(i=0; i<msg->rep->rrset_count; i++) {
+		packed_rrset_ttl_subtract((struct packed_rrset_data*)msg->
+			rep->rrsets[i]->entry.data, adjust);
+	}
+}
+
 /** convert dns message in buffer to return_msg */
 static int
 parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
@@ -420,24 +451,18 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
 	qstate->return_rcode = LDNS_RCODE_NOERROR;
 
 	/* see how much of the TTL expired, and remove it */
+	if(*qstate->env->now <= (time_t)timestamp) {
+		verbose(VERB_ALGO, "cachedb msg adjust by zero");
+		return 1; /* message from the future (clock skew?) */
+	}
 	adjust = *qstate->env->now - (time_t)timestamp;
+	if(qstate->return_msg->rep->ttl < adjust) {
+		verbose(VERB_ALGO, "cachedb msg expired");
+		return 0; /* message expired */
+	}
 	verbose(VERB_ALGO, "cachedb msg adjusted down by %d", (int)adjust);
-	/*adjust_msg(qstate->return_msg, adjust);*/
-	/* TODO:
-		msg->rep->ttl = r->ttl - adjust;
-		msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
-		for(i=0; i<d->count + d->rrsig_count; i++) {
-			if(d->rr_ttl[i] < adjust)
-				d->rr_ttl[i] = 0;
-			else    d->rr_ttl[i] -= adjust;
-		}
-		if(d->ttl < adjust)
-			d->ttl = 0;
-		else    d->ttl -= adjust;
-		*/
-	/* TODO */
-
-	return 0;
+	adjust_msg_ttl(qstate->return_msg, adjust);
+	return 1;
 }
 
 /**

config.h.in

@@ -79,6 +79,10 @@
    don't. */
 #undef HAVE_DECL_INET_PTON
 
+/* Define to 1 if you have the declaration of `NID_ED25519', and to 0 if you
+   don't. */
+#undef HAVE_DECL_NID_ED25519
+
 /* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you
    don't. */
 #undef HAVE_DECL_NID_SECP384R1
@@ -157,6 +161,9 @@
 /* Define to 1 if you have the `EVP_cleanup' function. */
 #undef HAVE_EVP_CLEANUP
 
+/* Define to 1 if you have the `EVP_DigestVerify' function. */
+#undef HAVE_EVP_DIGESTVERIFY
+
 /* Define to 1 if you have the `EVP_dss1' function. */
 #undef HAVE_EVP_DSS1
 
@@ -666,6 +673,9 @@
 /* Define to 1 to enable dnscrypt support */
 #undef USE_DNSCRYPT
 
+/* Define to 1 to enable dnscrypt with xchacha20 support */
+#undef USE_DNSCRYPT_XCHACHA20
+
 /* Define to 1 to enable dnstap support */
 #undef USE_DNSTAP
 
@@ -678,9 +688,15 @@
 /* Define this to enable an EVP workaround for older openssl */
 #undef USE_ECDSA_EVP_WORKAROUND
 
+/* Define this to enable ED25519 support. */
+#undef USE_ED25519
+
 /* Define this to enable GOST support. */
 #undef USE_GOST
 
+/* Define to 1 to use ipsecmod support. */
+#undef USE_IPSECMOD
+
 /* Define if you want to use internal select based events */
 #undef USE_MINI_EVENT
 

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.6.3.
+# Generated by GNU Autoconf 2.69 for unbound 1.6.4.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.6.3'
-PACKAGE_STRING='unbound 1.6.3'
+PACKAGE_VERSION='1.6.4'
+PACKAGE_STRING='unbound 1.6.4'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
 PACKAGE_URL=''
 
@@ -638,9 +638,12 @@ INSTALLTARGET
 ALLTARGET
 SOURCEFILE
 SOURCEDETERMINE
+IPSECMOD_HEADER
+IPSECMOD_OBJ
 DNSCRYPT_OBJ
 DNSCRYPT_SRC
 ENABLE_DNSCRYPT
+ENABLE_DNSCRYPT_XCHACHA20
 DNSTAP_OBJ
 DNSTAP_SRC
 opt_dnstap_socket_path
@@ -755,6 +758,9 @@ UNBOUND_CHROOT_DIR
 UNBOUND_RUN_DIR
 ub_conf_dir
 ub_conf_file
+UNBOUND_LOCALSTATE_DIR
+UNBOUND_SYSCONF_DIR
+UNBOUND_SBIN_DIR
 EGREP
 GREP
 CPP
@@ -851,6 +857,7 @@ enable_subnet
 enable_gost
 enable_ecdsa
 enable_dsa
+enable_ed25519
 enable_event_api
 enable_tfo_client
 enable_tfo_server
@@ -867,6 +874,7 @@ with_libfstrm
 enable_dnscrypt
 with_libsodium
 enable_cachedb
+enable_ipsecmod
 with_libunbound_only
 '
       ac_precious_vars='build_alias
@@ -1429,7 +1437,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.6.3 to adapt to many kinds of systems.
+\`configure' configures unbound 1.6.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1494,7 +1502,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.6.3:";;
+     short | recursive ) echo "Configuration of unbound 1.6.4:";;
    esac
   cat <<\_ACEOF
 
@@ -1531,6 +1539,7 @@ Optional Features:
   --disable-gost          Disable GOST support
   --disable-ecdsa         Disable ECDSA support
   --disable-dsa           Disable DSA support
+  --disable-ed25519       Disable ED25519 support
   --enable-event-api      Enable (experimental) pluggable event base
                           libunbound API installed to unbound-event.h
   --enable-tfo-client     Enable TCP Fast Open for client mode
@@ -1547,6 +1556,8 @@ Optional Features:
   --enable-dnscrypt       Enable dnscrypt support (requires libsodium)
   --enable-cachedb        enable cachedb module that can use external cache
                           storage
+  --enable-ipsecmod       Enable ipsecmod module that facilitates
+                          opportunistic IPsec
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -1703,7 +1714,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.6.3
+unbound configure 1.6.4
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2412,7 +2423,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.6.3, which was
+It was created by unbound $as_me 1.6.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2764,11 +2775,11 @@ UNBOUND_VERSION_MAJOR=1
 
 UNBOUND_VERSION_MINOR=6
 
-UNBOUND_VERSION_MICRO=3
+UNBOUND_VERSION_MICRO=4
 
 
 LIBUNBOUND_CURRENT=7
-LIBUNBOUND_REVISION=2
+LIBUNBOUND_REVISION=3
 LIBUNBOUND_AGE=5
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2822,6 +2833,7 @@ LIBUNBOUND_AGE=5
 # 1.6.1 had 7:0:5 # ub_callback_t typedef renamed to ub_callback_type
 # 1.6.2 had 7:1:5
 # 1.6.3 had 7:2:5
+# 1.6.4 had 7:3:5
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -4106,6 +4118,11 @@ case "$prefix" in
 		prefix="/usr/local"
         ;;
 esac
+case "$exec_prefix" in
+        NONE)
+		exec_prefix="$prefix"
+        ;;
+esac
 
 # are we on MinGW?
 if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
@@ -4117,6 +4134,12 @@ fi
 #
 # Determine configuration file
 # the eval is to evaluate shell expansion twice
+UNBOUND_SBIN_DIR=`eval echo "${sbindir}"`
+
+UNBOUND_SYSCONF_DIR=`eval echo "${sysconfdir}"`
+
+UNBOUND_LOCALSTATE_DIR=`eval echo "${localstatedir}"`
+
 if test $on_mingw = "no"; then
   ub_conf_file=`eval echo "${sysconfdir}/unbound/unbound.conf"`
 else
@@ -17598,7 +17621,7 @@ fi
 
 done
 
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -18046,6 +18069,47 @@ fi
       ;;
 esac
 
+# Check whether --enable-ed25519 was given.
+if test "${enable_ed25519+set}" = set; then :
+  enableval=$enable_ed25519;
+fi
+
+use_ed25519="no"
+case "$enable_ed25519" in
+    no)
+      ;;
+    *)
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
+	      ac_fn_c_check_decl "$LINENO" "NID_ED25519" "ac_cv_have_decl_NID_ED25519" "$ac_includes_default
+#include <openssl/evp.h>
+
+"
+if test "x$ac_cv_have_decl_NID_ED25519" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_NID_ED25519 $ac_have_decl
+_ACEOF
+if test $ac_have_decl = 1; then :
+
+
+cat >>confdefs.h <<_ACEOF
+#define USE_ED25519 1
+_ACEOF
+
+      		use_ed25519="yes"
+
+else
+   if test "x$enable_ed25519" = "xyes"; then as_fn_error $? "OpenSSL does not support ED25519 and you used --enable-ed25519." "$LINENO" 5
+	      	fi
+fi
+
+      fi
+      ;;
+esac
 
 # Check whether --enable-event-api was given.
 if test "${enable_event_api+set}" = set; then :
@@ -20309,6 +20373,73 @@ else
   as_fn_error $? "The sodium library was not found. Please install sodium!" "$LINENO" 5
 fi
 
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing crypto_box_curve25519xchacha20poly1305_beforenm" >&5
+$as_echo_n "checking for library containing crypto_box_curve25519xchacha20poly1305_beforenm... " >&6; }
+if ${ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char crypto_box_curve25519xchacha20poly1305_beforenm ();
+int
+main ()
+{
+return crypto_box_curve25519xchacha20poly1305_beforenm ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' sodium; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm+:} false; then :
+
+else
+  ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm" >&5
+$as_echo "$ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm" >&6; }
+ac_res=$ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+            ENABLE_DNSCRYPT_XCHACHA20=1
+
+
+$as_echo "#define USE_DNSCRYPT_XCHACHA20 1" >>confdefs.h
+
+
+else
+
+            ENABLE_DNSCRYPT_XCHACHA20=0
+
+
+fi
+
 
 
 $as_echo "#define USE_DNSCRYPT 1" >>confdefs.h
@@ -20322,6 +20453,8 @@ $as_echo "#define USE_DNSCRYPT 1" >>confdefs.h
 
 
   else
+    ENABLE_DNSCRYPT_XCHACHA20=0
+
 
         ENABLE_DNSCRYPT=0
 
@@ -20347,6 +20480,27 @@ $as_echo "#define USE_CACHEDB 1" >>confdefs.h
     	;;
 esac
 
+# check for ipsecmod if requested
+# Check whether --enable-ipsecmod was given.
+if test "${enable_ipsecmod+set}" = set; then :
+  enableval=$enable_ipsecmod;
+fi
+
+case "$enable_ipsecmod" in
+	yes)
+
+$as_echo "#define USE_IPSECMOD 1" >>confdefs.h
+
+		IPSECMOD_OBJ="ipsecmod.lo ipsecmod-whitelist.lo"
+
+		IPSECMOD_HEADER='$(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h'
+
+		;;
+	no|*)
+		# nothing
+		;;
+esac
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5
 $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; }
 # on openBSD, the implicit rule make $< work.
@@ -20488,7 +20642,7 @@ _ACEOF
 
 
 
-version=1.6.3
+version=1.6.4
 
 date=`date +'%b %e, %Y'`
 
@@ -21007,7 +21161,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.6.3, which was
+This file was extended by unbound $as_me 1.6.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -21073,7 +21227,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.6.3
+unbound config.status 1.6.4
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[6])
-m4_define([VERSION_MICRO],[3])
+m4_define([VERSION_MICRO],[4])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=7
-LIBUNBOUND_REVISION=2
+LIBUNBOUND_REVISION=3
 LIBUNBOUND_AGE=5
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -72,6 +72,7 @@ LIBUNBOUND_AGE=5
 # 1.6.1 had 7:0:5 # ub_callback_t typedef renamed to ub_callback_type
 # 1.6.2 had 7:1:5
 # 1.6.3 had 7:2:5
+# 1.6.4 had 7:3:5
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -109,6 +110,11 @@ case "$prefix" in
 		prefix="/usr/local"
         ;;
 esac
+case "$exec_prefix" in
+        NONE)
+		exec_prefix="$prefix"
+        ;;
+esac
 
 # are we on MinGW?
 if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
@@ -120,6 +126,12 @@ fi
 #
 # Determine configuration file
 # the eval is to evaluate shell expansion twice
+UNBOUND_SBIN_DIR=`eval echo "${sbindir}"`
+AC_SUBST(UNBOUND_SBIN_DIR)
+UNBOUND_SYSCONF_DIR=`eval echo "${sysconfdir}"`
+AC_SUBST(UNBOUND_SYSCONF_DIR)
+UNBOUND_LOCALSTATE_DIR=`eval echo "${localstatedir}"`
+AC_SUBST(UNBOUND_LOCALSTATE_DIR)
 if test $on_mingw = "no"; then
   ub_conf_file=`eval echo "${sysconfdir}/unbound/unbound.conf"`
 else
@@ -680,7 +692,7 @@ else
 	AC_MSG_RESULT([no])
 fi
 AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify])
 
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
@@ -906,6 +918,23 @@ case "$enable_dsa" in
       ;;
 esac
 
+AC_ARG_ENABLE(ed25519, AC_HELP_STRING([--disable-ed25519], [Disable ED25519 support]))
+use_ed25519="no"
+case "$enable_ed25519" in
+    no)
+      ;;
+    *)
+      if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
+	      AC_CHECK_DECLS([NID_ED25519], [
+      		AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
+      		use_ed25519="yes"
+	      ], [ if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED25519 and you used --enable-ed25519.])
+	      	fi ], [AC_INCLUDES_DEFAULT
+#include <openssl/evp.h>
+	      ])
+      fi
+      ;;
+esac
 
 AC_ARG_ENABLE(event-api, AC_HELP_STRING([--enable-event-api], [Enable (experimental) pluggable event base libunbound API installed to unbound-event.h]))
 case "$enable_event_api" in
@@ -1353,6 +1382,21 @@ case "$enable_cachedb" in
     	;;
 esac
 
+# check for ipsecmod if requested
+AC_ARG_ENABLE(ipsecmod, AC_HELP_STRING([--enable-ipsecmod], [Enable ipsecmod module that facilitates opportunistic IPsec]))
+case "$enable_ipsecmod" in
+	yes)
+		AC_DEFINE([USE_IPSECMOD], [1], [Define to 1 to use ipsecmod support.])
+		IPSECMOD_OBJ="ipsecmod.lo ipsecmod-whitelist.lo"
+		AC_SUBST(IPSECMOD_OBJ)
+		IPSECMOD_HEADER='$(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h'
+		AC_SUBST(IPSECMOD_HEADER)
+		;;
+	no|*)
+		# nothing
+		;;
+esac
+
 AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
 # on openBSD, the implicit rule make $< work.
 # on Solaris, it does not work ($? is changed sources, $^ lists dependencies).

contrib/README

@@ -31,3 +31,6 @@ distribution but may be helpful.
   Contributed by Yuri Voinov.
 * unbound.socket and unbound.service: systemd files for unbound, install them
   in /usr/lib/systemd/system.  Contributed by Sami Kerola and Pavel Odintsov.
+* redirect-bogus.patch: Return configured address for bogus A and AAAA answers,
+  instead of SERVFAIL. Contributed by SIDN.
+* fastrpz.patch: fastrpz support from Farsight Security.

contrib/redirect-bogus.patch

@@ -0,0 +1,344 @@
+Index: daemon/worker.c
+===================================================================
+--- daemon/worker.c	(revision 4191)
++++ daemon/worker.c	(working copy)
+@@ -663,8 +663,21 @@
+ 		if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, rep,
+ 			LDNS_RCODE_SERVFAIL, edns, worker->scratchpad))
+ 			goto bail_out;
+-		error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
+-			qinfo, id, flags, edns);
++		if (qinfo->qtype == LDNS_RR_TYPE_A &&
++			worker->env.cfg->redirect_bogus_ipv4) {
++			/* BAD cached */
++			fixed_address_encode(repinfo->c->buffer,
++				LDNS_RCODE_NOERROR, qinfo, id, flags, edns,
++				worker->env.cfg->redirect_bogus_ipv4);
++		} else if (qinfo->qtype == LDNS_RR_TYPE_AAAA &&
++			worker->env.cfg->redirect_bogus_ipv6) {
++			fixed_address_encode(repinfo->c->buffer,
++				LDNS_RCODE_NOERROR, qinfo, id, flags, edns,
++				worker->env.cfg->redirect_bogus_ipv6);
++		} else {
++			error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
++ 			qinfo, id, flags, edns);
++		}
+ 		rrset_array_unlock_touch(worker->env.rrset_cache, 
+ 			worker->scratchpad, rep->ref, rep->rrset_count);
+ 		if(worker->stats.extended) {
+Index: doc/unbound.conf.5.in
+===================================================================
+--- doc/unbound.conf.5.in	(revision 4191)
++++ doc/unbound.conf.5.in	(working copy)
+@@ -1244,6 +1244,18 @@
+ This can make ordinary queries complete (if repeatedly queried for),
+ and enter the cache, whilst also mitigating the traffic flow by the
+ factor given.
++.TP 5
++.B redirect-bogus-ipv4: \fI<IPv4 address>
++Set a fixed address for DNSSEC failures that are cached
++Instead of responding to A queries with SERVFAIL, respond
++with NOERROR and the address specified here
++The TTL of the response will be 5 seconds
++.TP 5
++.B redirect-bogus-ipv6: \fI<IPv4 address>
++Set a fixed address for DNSSEC failures that are cached
++Instead of responding to AAAA queries with SERVFAIL, respond
++with NOERROR and the address specified here
++The TTL of the response will be 5 seconds
+ .SS "Remote Control Options"
+ In the
+ .B remote\-control:
+Index: services/mesh.c
+===================================================================
+--- services/mesh.c	(revision 4191)
++++ services/mesh.c	(working copy)
+@@ -1006,6 +1006,7 @@
+ 	struct timeval end_time;
+ 	struct timeval duration;
+ 	int secure;
++	int bogus_override = 0;
+ 	/* Copy the client's EDNS for later restore, to make sure the edns
+ 	 * compare is with the correct edns options. */
+ 	struct edns_data edns_bak = r->edns;
+@@ -1016,6 +1017,7 @@
+ 		rcode = LDNS_RCODE_SERVFAIL;
+ 		if(m->s.env->cfg->stat_extended) 
+ 			m->s.env->mesh->ans_bogus++;
++		bogus_override = 1;
+ 	}
+ 	if(rep && rep->security == sec_status_secure)
+ 		secure = 1;
+@@ -1047,17 +1049,34 @@
+ 	} else if(rcode) {
+ 		m->s.qinfo.qname = r->qname;
+ 		m->s.qinfo.local_alias = r->local_alias;
+-		if(rcode == LDNS_RCODE_SERVFAIL) {
+-			if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
+-				rep, rcode, &r->edns, m->s.region))
+-					r->edns.opt_list = NULL;
+-		} else { 
+-			if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode,
+-				&r->edns, m->s.region))
+-					r->edns.opt_list = NULL;
++		if(bogus_override && m->s.qinfo.qtype == LDNS_RR_TYPE_A &&
++			m->s.env->cfg->redirect_bogus_ipv4) {
++			fixed_address_encode(r->query_reply.c->buffer,
++				LDNS_RCODE_NOERROR, &m->s.qinfo, r->qid,
++				r->qflags, &r->edns,
++				m->s.env->cfg->redirect_bogus_ipv4);
++		} else if(bogus_override &&
++			m->s.qinfo.qtype == LDNS_RR_TYPE_AAAA &&
++			m->s.env->cfg->redirect_bogus_ipv6) {
++			fixed_address_encode(r->query_reply.c->buffer,
++				LDNS_RCODE_NOERROR, &m->s.qinfo, r->qid,
++				r->qflags, &r->edns,
++				m->s.env->cfg->redirect_bogus_ipv6);
++		} else {
++			if(rcode == LDNS_RCODE_SERVFAIL) {
++				if(!inplace_cb_reply_servfail_call(m->s.env,
++					&m->s.qinfo, &m->s,
++					rep, rcode, &r->edns, m->s.region))
++						r->edns.opt_list = NULL;
++			} else { 
++				if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo,
++					&m->s, rep, rcode, &r->edns,
++					m->s.region))
++						r->edns.opt_list = NULL;
++			}
++			error_encode(r->query_reply.c->buffer, rcode,
++				&m->s.qinfo, r->qid, r->qflags, &r->edns);
+ 		}
+-		error_encode(r->query_reply.c->buffer, rcode, &m->s.qinfo,
+-			r->qid, r->qflags, &r->edns);
+ 		comm_point_send_reply(&r->query_reply);
+ 	} else {
+ 		size_t udp_size = r->edns.udp_size;
+Index: util/config_file.c
+===================================================================
+--- util/config_file.c	(revision 4191)
++++ util/config_file.c	(working copy)
+@@ -273,6 +273,8 @@
+ 	cfg->ratelimit_factor = 10;
+ 	cfg->qname_minimisation = 0;
+ 	cfg->qname_minimisation_strict = 0;
++	cfg->redirect_bogus_ipv4 = NULL;
++	cfg->redirect_bogus_ipv6 = NULL;
+ 	cfg->shm_enable = 0;
+ 	cfg->shm_key = 11777;
+ 	cfg->dnscrypt = 0;
+@@ -602,6 +604,10 @@
+ 		}
+ 		oi[cfg->num_out_ifs++] = d;
+ 		cfg->out_ifs = oi;
++	} else if (strcmp(opt, "redirect-bogus-ipv4:") == 0) {
++		cfg->redirect_bogus_ipv4 = strdup(val);
++	} else if (strcmp(opt, "redirect-bogus-ipv6:") == 0) {
++		cfg->redirect_bogus_ipv6 = strdup(val);
+ 	} else {
+ 		/* unknown or unsupported (from the set_option interface):
+ 		 * interface, outgoing-interface, access-control,
+@@ -1250,6 +1256,12 @@
+ 	free(cfg->dnstap_version);
+ 	config_deldblstrlist(cfg->ratelimit_for_domain);
+ 	config_deldblstrlist(cfg->ratelimit_below_domain);
++	if (cfg->redirect_bogus_ipv4) {
++		free(cfg->redirect_bogus_ipv4);
++	}
++	if (cfg->redirect_bogus_ipv6) {
++		free(cfg->redirect_bogus_ipv6);
++	}
+ #ifdef USE_IPSECMOD
+ 	free(cfg->ipsecmod_hook);
+ 	config_delstrlist(cfg->ipsecmod_whitelist);
+Index: util/config_file.h
+===================================================================
+--- util/config_file.h	(revision 4191)
++++ util/config_file.h	(working copy)
+@@ -444,6 +444,9 @@
+ 	/** minimise QNAME in strict mode, minimise according to RFC.
+ 	 *  Do not apply fallback */
+ 	int qname_minimisation_strict;
++	/** construct fake responses for DNSSEC failures */
++	char *redirect_bogus_ipv4;
++	char *redirect_bogus_ipv6;
+ 	/** SHM data - true if shm is enabled */
+ 	int shm_enable;
+ 	/** SHM data - key for the shm */
+Index: util/configlexer.lex
+===================================================================
+--- util/configlexer.lex	(revision 4191)
++++ util/configlexer.lex	(working copy)
+@@ -410,6 +410,8 @@
+ response-ip-tag{COLON}		{ YDVAR(2, VAR_RESPONSE_IP_TAG) }
+ response-ip{COLON}		{ YDVAR(2, VAR_RESPONSE_IP) }
+ response-ip-data{COLON}		{ YDVAR(2, VAR_RESPONSE_IP_DATA) }
++redirect-bogus-ipv4{COLON}	{ YDVAR(1, VAR_REDIRECT_BOGUS_IPV4) }
++redirect-bogus-ipv6{COLON}	{ YDVAR(1, VAR_REDIRECT_BOGUS_IPV6) }
+ dnscrypt{COLON}			{ YDVAR(0, VAR_DNSCRYPT) }
+ dnscrypt-enable{COLON}		{ YDVAR(1, VAR_DNSCRYPT_ENABLE) }
+ dnscrypt-port{COLON}		{ YDVAR(1, VAR_DNSCRYPT_PORT) }
+Index: util/configparser.y
+===================================================================
+--- util/configparser.y	(revision 4191)
++++ util/configparser.y	(working copy)
+@@ -44,6 +44,7 @@
+ #include <stdlib.h>
+ #include <assert.h>
+ 
++#include "sldns/str2wire.h"
+ #include "util/configyyrename.h"
+ #include "util/config_file.h"
+ #include "util/net_help.h"
+@@ -141,6 +142,7 @@
+ %token VAR_ACCESS_CONTROL_TAG_DATA VAR_VIEW VAR_ACCESS_CONTROL_VIEW
+ %token VAR_VIEW_FIRST VAR_SERVE_EXPIRED VAR_FAKE_DSA VAR_FAKE_SHA1
+ %token VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR VAR_TRUST_ANCHOR_SIGNALING
++%token VAR_REDIRECT_BOGUS_IPV4 VAR_REDIRECT_BOGUS_IPV6
+ %token VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
+ %token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER
+ %token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
+@@ -228,6 +230,7 @@
+ 	server_access_control_tag_data | server_access_control_view |
+ 	server_qname_minimisation_strict | server_serve_expired |
+ 	server_fake_dsa | server_log_identity | server_use_systemd |
++	server_redirect_bogus_ipv4 | server_redirect_bogus_ipv6 |
+ 	server_response_ip_tag | server_response_ip | server_response_ip_data |
+ 	server_shm_enable | server_shm_key | server_fake_sha1 |
+ 	server_hide_trustanchor | server_trust_anchor_signaling |
+@@ -1873,6 +1876,34 @@
+ 	#endif
+ 	}
+ 	;
++server_redirect_bogus_ipv4: VAR_REDIRECT_BOGUS_IPV4 STRING_ARG
++	{
++		uint8_t data[4];
++		size_t data_len = 4;
++		OUTYY(("P(name:%s)\n", $2));
++		if(cfg_parser->cfg->redirect_bogus_ipv4) {
++			yyerror("redirect-bogus-ipv4, can only use one address");
++		}
++		if(sldns_str2wire_a_buf($2, data, &data_len) != LDNS_WIREPARSE_ERR_OK) {
++			yyerror("redirect-bogus-ipv4, not a valid IPv4 address");
++		}
++		free(cfg_parser->cfg->redirect_bogus_ipv4);
++		cfg_parser->cfg->redirect_bogus_ipv4 = $2;
++	}
++server_redirect_bogus_ipv6: VAR_REDIRECT_BOGUS_IPV6 STRING_ARG
++	{
++		uint8_t data[16];
++		size_t data_len = 16;
++		OUTYY(("P(name:%s)\n", $2));
++		if(cfg_parser->cfg->redirect_bogus_ipv6) {
++			yyerror("redirect-bogus-ipv6, can only use one address");
++		}
++		if(sldns_str2wire_aaaa_buf($2, data, &data_len) != LDNS_WIREPARSE_ERR_OK) {
++			yyerror("redirect-bogus-ipv6, not a valid IPv6 address");
++		}
++		free(cfg_parser->cfg->redirect_bogus_ipv6);
++		cfg_parser->cfg->redirect_bogus_ipv6 = $2;
++	}
+ stub_name: VAR_NAME STRING_ARG
+ 	{
+ 		OUTYY(("P(name:%s)\n", $2));
+Index: util/data/msgencode.c
+===================================================================
+--- util/data/msgencode.c	(revision 4191)
++++ util/data/msgencode.c	(working copy)
+@@ -48,6 +48,7 @@
+ #include "util/regional.h"
+ #include "util/net_help.h"
+ #include "sldns/sbuffer.h"
++#include "sldns/str2wire.h"
+ #include "services/localzone.h"
+ 
+ /** return code that means the function ran out of memory. negative so it does
+@@ -914,3 +915,63 @@
+ 		attach_edns_record(buf, &es);
+ 	}
+ }
++
++void 
++fixed_address_encode(sldns_buffer* buf, int r, struct query_info* qinfo,
++	uint16_t qid, uint16_t qflags, struct edns_data* edns, char* data)
++{
++	uint16_t flags;
++	uint8_t addr_data[16];
++	size_t addr_len = 16;
++	if (qinfo->qtype == LDNS_RR_TYPE_A) {
++		sldns_str2wire_a_buf(data, addr_data, &addr_len);
++	} else if (qinfo->qtype == LDNS_RR_TYPE_AAAA) {
++		sldns_str2wire_aaaa_buf(data, addr_data, &addr_len);
++	} else {
++		return error_encode(buf, LDNS_RCODE_NOERROR, qinfo, qid, qflags, edns);
++	}
++	sldns_buffer_clear(buf);
++	sldns_buffer_write(buf, &qid, sizeof(uint16_t));
++	flags = (uint16_t)(BIT_QR | BIT_RA | r); /* QR and retcode*/
++	flags |= (qflags & (BIT_RD|BIT_CD)); /* copy RD and CD bit */
++	sldns_buffer_write_u16(buf, flags);
++	if(qinfo) flags = 1;
++	else	flags = 0;
++	sldns_buffer_write_u16(buf, flags);
++	sldns_buffer_write_u16(buf, 1);
++	flags = 0;
++	sldns_buffer_write(buf, &flags, sizeof(uint16_t));
++	sldns_buffer_write(buf, &flags, sizeof(uint16_t));
++	if(qinfo) {
++		// query
++		if(sldns_buffer_current(buf) == qinfo->qname)
++			sldns_buffer_skip(buf, (ssize_t)qinfo->qname_len);
++		else	sldns_buffer_write(buf, qinfo->qname, qinfo->qname_len);
++		sldns_buffer_write_u16(buf, qinfo->qtype);
++		sldns_buffer_write_u16(buf, qinfo->qclass);
++		// faked answer
++		if(sldns_buffer_current(buf) == qinfo->qname)
++			sldns_buffer_skip(buf, (ssize_t)qinfo->qname_len);
++		else	sldns_buffer_write(buf, qinfo->qname, qinfo->qname_len);
++		sldns_buffer_write_u16(buf, qinfo->qtype);
++		sldns_buffer_write_u16(buf, qinfo->qclass);
++		sldns_buffer_write_u16(buf, 0);
++		// TTL. Should we make this configurable too?
++		sldns_buffer_write_u16(buf, 5);
++		sldns_buffer_write_u16(buf, addr_len);
++		sldns_buffer_write(buf, addr_data, addr_len);
++		fflush(stderr);
++	}
++	sldns_buffer_flip(buf);
++	if(edns) {
++		struct edns_data es = *edns;
++		es.edns_version = EDNS_ADVERTISED_VERSION;
++		es.udp_size = EDNS_ADVERTISED_SIZE;
++		es.ext_rcode = 0;
++		es.bits &= EDNS_DO;
++		if(sldns_buffer_limit(buf) + calc_edns_field_size(&es) >
++			edns->udp_size)
++			return;
++		attach_edns_record(buf, &es);
++	}
++}
+Index: util/data/msgencode.h
+===================================================================
+--- util/data/msgencode.h	(revision 4191)
++++ util/data/msgencode.h	(working copy)
+@@ -128,4 +128,20 @@
+ void error_encode(struct sldns_buffer* pkt, int r, struct query_info* qinfo,
+ 	uint16_t qid, uint16_t qflags, struct edns_data* edns);
+ 
++/**
++ * Encode a fixed address response.
++ * This is a fake answer to either an A or AAA query
++ *
++ * It will answer with that address
++ *
++ * @param pkt: where to store the packet.
++ * @param r: RCODE value to encode.
++ * @param qinfo: if not NULL, the query is included.
++ * @param qid: query ID to set in packet. network order.
++ * @param qflags: original query flags (to copy RD and CD bits). host order.
++ * @param edns: if not NULL, this is the query edns info,
++ * 	and an edns reply is attached. Only attached if EDNS record fits reply.
++ */
++void fixed_address_encode(struct sldns_buffer* pkt, int r, struct query_info* qinfo,
++	uint16_t qid, uint16_t qflags, struct edns_data* edns, char* address);
+ #endif /* UTIL_DATA_MSGENCODE_H */

contrib/unbound.service.in

@@ -7,7 +7,7 @@ WantedBy=multi-user.target
 
 [Service]
 ExecReload=/bin/kill -HUP $MAINPID
-ExecStart=/home/vagrant/unbound_systemd/unbound
+ExecStart=@UNBOUND_SBIN_DIR@/unbound
 NotifyAccess=main
 Type=notify
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
@@ -20,7 +20,7 @@ ProtectControlGroups=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectSystem=strict
-ReadWritePaths=/etc/unbound /run
+ReadWritePaths=@UNBOUND_SYSCONF_DIR@ @UNBOUND_LOCALSTATE_DIR@ /run @UNBOUND_RUN_DIR@
 RestrictAddressFamilies=AF_INET AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native

daemon/remote.c

@@ -124,7 +124,7 @@ timeval_subtract(struct timeval* d, const struct timeval* end,
 
 /** divide sum of timers to get average */
 static void
-timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
+timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
 {
 #ifndef S_SPLINT_S
 	size_t leftover;
@@ -260,10 +260,10 @@ daemon_remote_create(struct config_file* cfg)
 		return NULL;
 	}
 #endif
-#ifdef SHA256_DIGEST_LENGTH
+#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
 	/* if we have sha256, set the cipher list to have no known vulns */
 	if(!SSL_CTX_set_cipher_list(rc->ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
-		log_crypto_err("coult not set cipher list with SSL_CTX_set_cipher_list");
+		log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
 #endif
 
 	if (cfg->remote_control_use_cert == 0) {
@@ -780,9 +780,9 @@ do_verbosity(SSL* ssl, char* str)
 
 /** print stats from statinfo */
 static int
-print_stats(SSL* ssl, const char* nm, struct stats_info* s)
+print_stats(SSL* ssl, const char* nm, struct ub_stats_info* s)
 {
-	struct timeval avg;
+	struct timeval sumwait, avg;
 	if(!ssl_printf(ssl, "%s.num.queries"SQ"%lu\n", nm, 
 		(unsigned long)s->svr.num_queries)) return 0;
 	if(!ssl_printf(ssl, "%s.num.queries_ip_ratelimited"SQ"%lu\n", nm,
@@ -799,19 +799,19 @@ print_stats(SSL* ssl, const char* nm, struct stats_info* s)
 	if(!ssl_printf(ssl, "%s.num.recursivereplies"SQ"%lu\n", nm, 
 		(unsigned long)s->mesh_replies_sent)) return 0;
 #ifdef USE_DNSCRYPT
-    if(!ssl_printf(ssl, "%s.num.dnscrypt.crypted"SQ"%lu\n", nm,
-        (unsigned long)s->svr.num_query_dnscrypt_crypted)) return 0;
-    if(!ssl_printf(ssl, "%s.num.dnscrypt.cert"SQ"%lu\n", nm,
-        (unsigned long)s->svr.num_query_dnscrypt_cert)) return 0;
-    if(!ssl_printf(ssl, "%s.num.dnscrypt.cleartext"SQ"%lu\n", nm,
-        (unsigned long)s->svr.num_query_dnscrypt_cleartext)) return 0;
-    if(!ssl_printf(ssl, "%s.num.dnscrypt.malformed"SQ"%lu\n", nm,
-        (unsigned long)s->svr.num_query_dnscrypt_crypted_malformed)) return 0;
+	if(!ssl_printf(ssl, "%s.num.dnscrypt.crypted"SQ"%lu\n", nm,
+		(unsigned long)s->svr.num_query_dnscrypt_crypted)) return 0;
+	if(!ssl_printf(ssl, "%s.num.dnscrypt.cert"SQ"%lu\n", nm,
+		(unsigned long)s->svr.num_query_dnscrypt_cert)) return 0;
+	if(!ssl_printf(ssl, "%s.num.dnscrypt.cleartext"SQ"%lu\n", nm,
+		(unsigned long)s->svr.num_query_dnscrypt_cleartext)) return 0;
+	if(!ssl_printf(ssl, "%s.num.dnscrypt.malformed"SQ"%lu\n", nm,
+		(unsigned long)s->svr.num_query_dnscrypt_crypted_malformed)) return 0;
 #endif
 	if(!ssl_printf(ssl, "%s.requestlist.avg"SQ"%g\n", nm,
 		(s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)?
 			(double)s->svr.sum_query_list_size/
-			(s->svr.num_queries_missed_cache+
+			(double)(s->svr.num_queries_missed_cache+
 			s->svr.num_queries_prefetch) : 0.0)) return 0;
 	if(!ssl_printf(ssl, "%s.requestlist.max"SQ"%lu\n", nm,
 		(unsigned long)s->svr.max_query_list_size)) return 0;
@@ -823,7 +823,11 @@ print_stats(SSL* ssl, const char* nm, struct stats_info* s)
 		(unsigned long)s->mesh_num_states)) return 0;
 	if(!ssl_printf(ssl, "%s.requestlist.current.user"SQ"%lu\n", nm,
 		(unsigned long)s->mesh_num_reply_states)) return 0;
-	timeval_divide(&avg, &s->mesh_replies_sum_wait, s->mesh_replies_sent);
+#ifndef S_SPLINT_S
+	sumwait.tv_sec = s->mesh_replies_sum_wait_sec;
+	sumwait.tv_usec = s->mesh_replies_sum_wait_usec;
+#endif
+	timeval_divide(&avg, &sumwait, s->mesh_replies_sent);
 	if(!ssl_printf(ssl, "%s.recursion.time.avg"SQ ARG_LL "d.%6.6d\n", nm,
 		(long long)avg.tv_sec, (int)avg.tv_usec)) return 0;
 	if(!ssl_printf(ssl, "%s.recursion.time.median"SQ"%g\n", nm, 
@@ -835,7 +839,7 @@ print_stats(SSL* ssl, const char* nm, struct stats_info* s)
 
 /** print stats for one thread */
 static int
-print_thread_stats(SSL* ssl, int i, struct stats_info* s)
+print_thread_stats(SSL* ssl, int i, struct ub_stats_info* s)
 {
 	char nm[16];
 	snprintf(nm, sizeof(nm), "thread%d", i);
@@ -862,46 +866,24 @@ print_longnum(SSL* ssl, const char* desc, size_t x)
 static int
 print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
 {
-	int m;
 	size_t msg, rrset, val, iter, respip;
 #ifdef CLIENT_SUBNET
 	size_t subnet = 0;
 #endif /* CLIENT_SUBNET */
+#ifdef USE_IPSECMOD
+	size_t ipsecmod = 0;
+#endif /* USE_IPSECMOD */
 	msg = slabhash_get_mem(daemon->env->msg_cache);
 	rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
-	val=0;
-	iter=0;
-	respip=0;
-	m = modstack_find(&worker->env.mesh->mods, "validator");
-	if(m != -1) {
-		fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
-			mods.mod[m]->get_mem));
-		val = (*worker->env.mesh->mods.mod[m]->get_mem)
-			(&worker->env, m);
-	}
-	m = modstack_find(&worker->env.mesh->mods, "iterator");
-	if(m != -1) {
-		fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
-			mods.mod[m]->get_mem));
-		iter = (*worker->env.mesh->mods.mod[m]->get_mem)
-			(&worker->env, m);
-	}
-	m = modstack_find(&worker->env.mesh->mods, "respip");
-	if(m != -1) {
-		fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
-			mods.mod[m]->get_mem));
-		respip = (*worker->env.mesh->mods.mod[m]->get_mem)
-			(&worker->env, m);
-	}
+	val = mod_get_mem(&worker->env, "validator");
+	iter = mod_get_mem(&worker->env, "iterator");
+	respip = mod_get_mem(&worker->env, "respip");
 #ifdef CLIENT_SUBNET
-	m = modstack_find(&worker->env.mesh->mods, "subnet");
-	if(m != -1) {
-		fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
-			mods.mod[m]->get_mem));
-		subnet = (*worker->env.mesh->mods.mod[m]->get_mem)
-			(&worker->env, m);
-	}
+	subnet = mod_get_mem(&worker->env, "subnet");
 #endif /* CLIENT_SUBNET */
+#ifdef USE_IPSECMOD
+	ipsecmod = mod_get_mem(&worker->env, "ipsecmod");
+#endif /* USE_IPSECMOD */
 
 	if(!print_longnum(ssl, "mem.cache.rrset"SQ, rrset))
 		return 0;
@@ -917,6 +899,10 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
 	if(!print_longnum(ssl, "mem.mod.subnet"SQ, subnet))
 		return 0;
 #endif /* CLIENT_SUBNET */
+#ifdef USE_IPSECMOD
+	if(!print_longnum(ssl, "mem.mod.ipsecmod"SQ, ipsecmod))
+		return 0;
+#endif /* USE_IPSECMOD */
 	return 1;
 }
 
@@ -941,7 +927,7 @@ print_uptime(SSL* ssl, struct worker* worker, int reset)
 
 /** print extended histogram */
 static int
-print_hist(SSL* ssl, struct stats_info* s)
+print_hist(SSL* ssl, struct ub_stats_info* s)
 {
 	struct timehist* hist;
 	size_t i;
@@ -969,14 +955,14 @@ print_hist(SSL* ssl, struct stats_info* s)
 
 /** print extended stats */
 static int
-print_ext(SSL* ssl, struct stats_info* s)
+print_ext(SSL* ssl, struct ub_stats_info* s)
 {
 	int i;
 	char nm[16];
 	const sldns_rr_descriptor* desc;
 	const sldns_lookup_table* lt;
 	/* TYPE */
-	for(i=0; i<STATS_QTYPE_NUM; i++) {
+	for(i=0; i<UB_STATS_QTYPE_NUM; i++) {
 		if(inhibit_zero && s->svr.qtype[i] == 0)
 			continue;
 		desc = sldns_rr_descript((uint16_t)i);
@@ -1003,7 +989,7 @@ print_ext(SSL* ssl, struct stats_info* s)
 			(unsigned long)s->svr.qtype_big)) return 0;
 	}
 	/* CLASS */
-	for(i=0; i<STATS_QCLASS_NUM; i++) {
+	for(i=0; i<UB_STATS_QCLASS_NUM; i++) {
 		if(inhibit_zero && s->svr.qclass[i] == 0)
 			continue;
 		lt = sldns_lookup_by_id(sldns_rr_classes, i);
@@ -1020,7 +1006,7 @@ print_ext(SSL* ssl, struct stats_info* s)
 			(unsigned long)s->svr.qclass_big)) return 0;
 	}
 	/* OPCODE */
-	for(i=0; i<STATS_OPCODE_NUM; i++) {
+	for(i=0; i<UB_STATS_OPCODE_NUM; i++) {
 		if(inhibit_zero && s->svr.qopcode[i] == 0)
 			continue;
 		lt = sldns_lookup_by_id(sldns_opcodes, i);
@@ -1062,7 +1048,7 @@ print_ext(SSL* ssl, struct stats_info* s)
 		(unsigned long)s->svr.qEDNS_DO)) return 0;
 
 	/* RCODE */
-	for(i=0; i<STATS_RCODE_NUM; i++) {
+	for(i=0; i<UB_STATS_RCODE_NUM; i++) {
 		/* Always include RCODEs 0-5 */
 		if(inhibit_zero && i > LDNS_RCODE_REFUSED && s->svr.ans_rcode[i] == 0)
 			continue;
@@ -1108,8 +1094,8 @@ static void
 do_stats(SSL* ssl, struct daemon_remote* rc, int reset)
 {
 	struct daemon* daemon = rc->worker->daemon;
-	struct stats_info total;
-	struct stats_info s;
+	struct ub_stats_info total;
+	struct ub_stats_info s;
 	int i;
 	log_assert(daemon->num > 0);
 	/* gather all thread statistics in one place */
@@ -1407,6 +1393,14 @@ do_view_zone_add(SSL* ssl, struct worker* worker, char* arg)
 			ssl_printf(ssl,"error out of memory\n");
 			return;
 		}
+		if(!v->isfirst) {
+			/* Global local-zone is not used for this view,
+			 * therefore add defaults to this view-specic
+			 * local-zone. */
+			struct config_file lz_cfg;
+			memset(&lz_cfg, 0, sizeof(lz_cfg));
+			local_zone_enter_defaults(v->local_zones, &lz_cfg);
+		}
 	}
 	do_zone_add(ssl, v->local_zones, arg2);
 	lock_rw_unlock(&v->lock);

daemon/stats.c

@@ -63,42 +63,42 @@
 
 /** add timers and the values do not overflow or become negative */
 static void
-timeval_add(struct timeval* d, const struct timeval* add)
+stats_timeval_add(long long* d_sec, long long* d_usec, long long add_sec, long long add_usec)
 {
 #ifndef S_SPLINT_S
-	d->tv_sec += add->tv_sec;
-	d->tv_usec += add->tv_usec;
-	if(d->tv_usec > 1000000) {
-		d->tv_usec -= 1000000;
-		d->tv_sec++;
+	(*d_sec) += add_sec;
+	(*d_usec) += add_usec;
+	if((*d_usec) > 1000000) {
+		(*d_usec) -= 1000000;
+		(*d_sec)++;
 	}
 #endif
 }
 
-void server_stats_init(struct server_stats* stats, struct config_file* cfg)
+void server_stats_init(struct ub_server_stats* stats, struct config_file* cfg)
 {
 	memset(stats, 0, sizeof(*stats));
 	stats->extended = cfg->stat_extended;
 }
 
-void server_stats_querymiss(struct server_stats* stats, struct worker* worker)
+void server_stats_querymiss(struct ub_server_stats* stats, struct worker* worker)
 {
 	stats->num_queries_missed_cache++;
 	stats->sum_query_list_size += worker->env.mesh->all.count;
-	if(worker->env.mesh->all.count > stats->max_query_list_size)
-		stats->max_query_list_size = worker->env.mesh->all.count;
+	if((long long)worker->env.mesh->all.count > stats->max_query_list_size)
+		stats->max_query_list_size = (long long)worker->env.mesh->all.count;
 }
 
-void server_stats_prefetch(struct server_stats* stats, struct worker* worker)
+void server_stats_prefetch(struct ub_server_stats* stats, struct worker* worker)
 {
 	stats->num_queries_prefetch++;
 	/* changes the query list size so account that, like a querymiss */
 	stats->sum_query_list_size += worker->env.mesh->all.count;
-	if(worker->env.mesh->all.count > stats->max_query_list_size)
-		stats->max_query_list_size = worker->env.mesh->all.count;
+	if((long long)worker->env.mesh->all.count > stats->max_query_list_size)
+		stats->max_query_list_size = (long long)worker->env.mesh->all.count;
 }
 
-void server_stats_log(struct server_stats* stats, struct worker* worker,
+void server_stats_log(struct ub_server_stats* stats, struct worker* worker,
 	int threadnum)
 {
 	log_info("server stats for thread %d: %u queries, "
@@ -115,7 +115,7 @@ void server_stats_log(struct server_stats* stats, struct worker* worker,
 		(unsigned)stats->max_query_list_size,
 		(stats->num_queries_missed_cache+stats->num_queries_prefetch)?
 			(double)stats->sum_query_list_size/
-			(stats->num_queries_missed_cache+
+			(double)(stats->num_queries_missed_cache+
 			stats->num_queries_prefetch) : 0.0,
 		(unsigned)worker->env.mesh->stats_dropped,
 		(unsigned)worker->env.mesh->stats_jostled);
@@ -140,49 +140,50 @@ get_rrset_bogus(struct worker* worker)
 }
 
 void
-server_stats_compile(struct worker* worker, struct stats_info* s, int reset)
+server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 {
 	int i;
 	struct listen_list* lp;
 
 	s->svr = worker->stats;
-	s->mesh_num_states = worker->env.mesh->all.count;
-	s->mesh_num_reply_states = worker->env.mesh->num_reply_states;
-	s->mesh_jostled = worker->env.mesh->stats_jostled;
-	s->mesh_dropped = worker->env.mesh->stats_dropped;
-	s->mesh_replies_sent = worker->env.mesh->replies_sent;
-	s->mesh_replies_sum_wait = worker->env.mesh->replies_sum_wait;
+	s->mesh_num_states = (long long)worker->env.mesh->all.count;
+	s->mesh_num_reply_states = (long long)worker->env.mesh->num_reply_states;
+	s->mesh_jostled = (long long)worker->env.mesh->stats_jostled;
+	s->mesh_dropped = (long long)worker->env.mesh->stats_dropped;
+	s->mesh_replies_sent = (long long)worker->env.mesh->replies_sent;
+	s->mesh_replies_sum_wait_sec = (long long)worker->env.mesh->replies_sum_wait.tv_sec;
+	s->mesh_replies_sum_wait_usec = (long long)worker->env.mesh->replies_sum_wait.tv_usec;
 	s->mesh_time_median = timehist_quartile(worker->env.mesh->histogram,
 		0.50);
 
 	/* add in the values from the mesh */
-	s->svr.ans_secure += worker->env.mesh->ans_secure;
-	s->svr.ans_bogus += worker->env.mesh->ans_bogus;
-	s->svr.ans_rcode_nodata += worker->env.mesh->ans_nodata;
+	s->svr.ans_secure += (long long)worker->env.mesh->ans_secure;
+	s->svr.ans_bogus += (long long)worker->env.mesh->ans_bogus;
+	s->svr.ans_rcode_nodata += (long long)worker->env.mesh->ans_nodata;
 	for(i=0; i<16; i++)
-		s->svr.ans_rcode[i] += worker->env.mesh->ans_rcode[i];
+		s->svr.ans_rcode[i] += (long long)worker->env.mesh->ans_rcode[i];
 	timehist_export(worker->env.mesh->histogram, s->svr.hist, 
 		NUM_BUCKETS_HIST);
 	/* values from outside network */
-	s->svr.unwanted_replies = worker->back->unwanted_replies;
-	s->svr.qtcp_outgoing = worker->back->num_tcp_outgoing;
+	s->svr.unwanted_replies = (long long)worker->back->unwanted_replies;
+	s->svr.qtcp_outgoing = (long long)worker->back->num_tcp_outgoing;
 
 	/* get and reset validator rrset bogus number */
-	s->svr.rrset_bogus = get_rrset_bogus(worker);
+	s->svr.rrset_bogus = (long long)get_rrset_bogus(worker);
 
 	/* get cache sizes */
-	s->svr.msg_cache_count = count_slabhash_entries(worker->env.msg_cache);
-	s->svr.rrset_cache_count = count_slabhash_entries(&worker->env.rrset_cache->table);
-	s->svr.infra_cache_count = count_slabhash_entries(worker->env.infra_cache->hosts);
+	s->svr.msg_cache_count = (long long)count_slabhash_entries(worker->env.msg_cache);
+	s->svr.rrset_cache_count = (long long)count_slabhash_entries(&worker->env.rrset_cache->table);
+	s->svr.infra_cache_count = (long long)count_slabhash_entries(worker->env.infra_cache->hosts);
 	if(worker->env.key_cache)
-		s->svr.key_cache_count = count_slabhash_entries(worker->env.key_cache->slab);
+		s->svr.key_cache_count = (long long)count_slabhash_entries(worker->env.key_cache->slab);
 	else	s->svr.key_cache_count = 0;
 
 	/* get tcp accept usage */
 	s->svr.tcp_accept_usage = 0;
 	for(lp = worker->front->cps; lp; lp = lp->next) {
 		if(lp->com->type == comm_tcp_accept)
-			s->svr.tcp_accept_usage += lp->com->cur_tcp_count;
+			s->svr.tcp_accept_usage += (long long)lp->com->cur_tcp_count;
 	}
 
 	if(reset && !worker->env.cfg->stat_cumulative) {
@@ -191,7 +192,7 @@ server_stats_compile(struct worker* worker, struct stats_info* s, int reset)
 }
 
 void server_stats_obtain(struct worker* worker, struct worker* who,
-	struct stats_info* s, int reset)
+	struct ub_stats_info* s, int reset)
 {
 	uint8_t *reply = NULL;
 	uint32_t len = 0;
@@ -217,7 +218,7 @@ void server_stats_obtain(struct worker* worker, struct worker* who,
 
 void server_stats_reply(struct worker* worker, int reset)
 {
-	struct stats_info s;
+	struct ub_stats_info s;
 	server_stats_compile(worker, &s, reset);
 	verbose(VERB_ALGO, "write stats replymsg");
 	if(!tube_write_msg(worker->daemon->workers[0]->cmd, 
@@ -225,7 +226,7 @@ void server_stats_reply(struct worker* worker, int reset)
 		fatal_exit("could not write stat values over cmd channel");
 }
 
-void server_stats_add(struct stats_info* total, struct stats_info* a)
+void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
 {
 	total->svr.num_queries += a->svr.num_queries;
 	total->svr.num_queries_ip_ratelimited += a->svr.num_queries_ip_ratelimited;
@@ -233,12 +234,12 @@ void server_stats_add(struct stats_info* total, struct stats_info* a)
 	total->svr.num_queries_prefetch += a->svr.num_queries_prefetch;
 	total->svr.sum_query_list_size += a->svr.sum_query_list_size;
 #ifdef USE_DNSCRYPT
-    total->svr.num_query_dnscrypt_crypted += a->svr.num_query_dnscrypt_crypted;
-    total->svr.num_query_dnscrypt_cert += a->svr.num_query_dnscrypt_cert;
-    total->svr.num_query_dnscrypt_cleartext += \
-        a->svr.num_query_dnscrypt_cleartext;
-    total->svr.num_query_dnscrypt_crypted_malformed += \
-        a->svr.num_query_dnscrypt_crypted_malformed;
+	total->svr.num_query_dnscrypt_crypted += a->svr.num_query_dnscrypt_crypted;
+	total->svr.num_query_dnscrypt_cert += a->svr.num_query_dnscrypt_cert;
+	total->svr.num_query_dnscrypt_cleartext += \
+		a->svr.num_query_dnscrypt_cleartext;
+	total->svr.num_query_dnscrypt_crypted_malformed += \
+		a->svr.num_query_dnscrypt_crypted_malformed;
 #endif
 	/* the max size reached is upped to higher of both */
 	if(a->svr.max_query_list_size > total->svr.max_query_list_size)
@@ -269,13 +270,13 @@ void server_stats_add(struct stats_info* total, struct stats_info* a)
 		total->svr.unwanted_replies += a->svr.unwanted_replies;
 		total->svr.unwanted_queries += a->svr.unwanted_queries;
 		total->svr.tcp_accept_usage += a->svr.tcp_accept_usage;
-		for(i=0; i<STATS_QTYPE_NUM; i++)
+		for(i=0; i<UB_STATS_QTYPE_NUM; i++)
 			total->svr.qtype[i] += a->svr.qtype[i];
-		for(i=0; i<STATS_QCLASS_NUM; i++)
+		for(i=0; i<UB_STATS_QCLASS_NUM; i++)
 			total->svr.qclass[i] += a->svr.qclass[i];
-		for(i=0; i<STATS_OPCODE_NUM; i++)
+		for(i=0; i<UB_STATS_OPCODE_NUM; i++)
 			total->svr.qopcode[i] += a->svr.qopcode[i];
-		for(i=0; i<STATS_RCODE_NUM; i++)
+		for(i=0; i<UB_STATS_RCODE_NUM; i++)
 			total->svr.ans_rcode[i] += a->svr.ans_rcode[i];
 		for(i=0; i<NUM_BUCKETS_HIST; i++)
 			total->svr.hist[i] += a->svr.hist[i];
@@ -286,22 +287,22 @@ void server_stats_add(struct stats_info* total, struct stats_info* a)
 	total->mesh_jostled += a->mesh_jostled;
 	total->mesh_dropped += a->mesh_dropped;
 	total->mesh_replies_sent += a->mesh_replies_sent;
-	timeval_add(&total->mesh_replies_sum_wait, &a->mesh_replies_sum_wait);
+	stats_timeval_add(&total->mesh_replies_sum_wait_sec, &total->mesh_replies_sum_wait_usec, a->mesh_replies_sum_wait_sec, a->mesh_replies_sum_wait_usec);
 	/* the medians are averaged together, this is not as accurate as
 	 * taking the median over all of the data, but is good and fast
 	 * added up here, division later*/
 	total->mesh_time_median += a->mesh_time_median;
 }
 
-void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
+void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
 	uint16_t qtype, uint16_t qclass, struct edns_data* edns,
 	struct comm_reply* repinfo)
 {
 	uint16_t flags = sldns_buffer_read_u16_at(c->buffer, 2);
-	if(qtype < STATS_QTYPE_NUM)
+	if(qtype < UB_STATS_QTYPE_NUM)
 		stats->qtype[qtype]++;
 	else	stats->qtype_big++;
-	if(qclass < STATS_QCLASS_NUM)
+	if(qclass < UB_STATS_QCLASS_NUM)
 		stats->qclass[qclass]++;
 	else	stats->qclass_big++;
 	stats->qopcode[ LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) ]++;
@@ -332,7 +333,7 @@ void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
 	}
 }
 
-void server_stats_insrcode(struct server_stats* stats, sldns_buffer* buf)
+void server_stats_insrcode(struct ub_server_stats* stats, sldns_buffer* buf)
 {
 	if(stats->extended && sldns_buffer_limit(buf) != 0) {
 		int r = (int)LDNS_RCODE_WIRE( sldns_buffer_begin(buf) );

daemon/stats.h

@@ -43,7 +43,6 @@
 #ifndef DAEMON_STATS_H
 #define DAEMON_STATS_H
 #include "util/timehist.h"
-#include "dnscrypt/dnscrypt_config.h"
 struct worker;
 struct config_file;
 struct comm_point;
@@ -51,156 +50,24 @@ struct comm_reply;
 struct edns_data;
 struct sldns_buffer;
 
-/** number of qtype that is stored for in array */
-#define STATS_QTYPE_NUM 256
-/** number of qclass that is stored for in array */
-#define STATS_QCLASS_NUM 256
-/** number of rcodes in stats */
-#define STATS_RCODE_NUM 16
-/** number of opcodes in stats */
-#define STATS_OPCODE_NUM 16
-
-/** per worker statistics */
-struct server_stats {
-	/** number of queries from clients received. */
-	size_t num_queries;
-	/** number of queries that have been dropped/ratelimited by ip. */
-	size_t num_queries_ip_ratelimited;
-	/** number of queries that had a cache-miss. */
-	size_t num_queries_missed_cache;
-	/** number of prefetch queries - cachehits with prefetch */
-	size_t num_queries_prefetch;
-
-	/**
-	 * Sum of the querylistsize of the worker for 
-	 * every query that missed cache. To calculate average.
-	 */
-	size_t sum_query_list_size;
-	/** max value of query list size reached. */
-	size_t max_query_list_size;
-
-	/** Extended stats below (bool) */
-	int extended;
-
-	/** qtype stats */
-	size_t qtype[STATS_QTYPE_NUM];
-	/** bigger qtype values not in array */
-	size_t qtype_big;
-	/** qclass stats */
-	size_t qclass[STATS_QCLASS_NUM];
-	/** bigger qclass values not in array */
-	size_t qclass_big;
-	/** query opcodes */
-	size_t qopcode[STATS_OPCODE_NUM];
-	/** number of queries over TCP */
-	size_t qtcp;
-	/** number of outgoing queries over TCP */
-	size_t qtcp_outgoing;
-	/** number of queries over IPv6 */
-	size_t qipv6;
-	/** number of queries with QR bit */
-	size_t qbit_QR;
-	/** number of queries with AA bit */
-	size_t qbit_AA;
-	/** number of queries with TC bit */
-	size_t qbit_TC;
-	/** number of queries with RD bit */
-	size_t qbit_RD;
-	/** number of queries with RA bit */
-	size_t qbit_RA;
-	/** number of queries with Z bit */
-	size_t qbit_Z;
-	/** number of queries with AD bit */
-	size_t qbit_AD;
-	/** number of queries with CD bit */
-	size_t qbit_CD;
-	/** number of queries with EDNS OPT record */
-	size_t qEDNS;
-	/** number of queries with EDNS with DO flag */
-	size_t qEDNS_DO;
-	/** answer rcodes */
-	size_t ans_rcode[STATS_RCODE_NUM];
-	/** answers with pseudo rcode 'nodata' */
-	size_t ans_rcode_nodata;
-	/** answers that were secure (AD) */
-	size_t ans_secure;
-	/** answers that were bogus (withheld as SERVFAIL) */
-	size_t ans_bogus;
-	/** rrsets marked bogus by validator */
-	size_t rrset_bogus;
-	/** unwanted traffic received on server-facing ports */
-	size_t unwanted_replies;
-	/** unwanted traffic received on client-facing ports */
-	size_t unwanted_queries;
-	/** usage of tcp accept list */
-	size_t tcp_accept_usage;
-	/** answers served from expired cache */
-	size_t zero_ttl_responses;
-	/** histogram data exported to array 
-	 * if the array is the same size, no data is lost, and
-	 * if all histograms are same size (is so by default) then
-	 * adding up works well. */
-	size_t hist[NUM_BUCKETS_HIST];
-	
-	/** number of message cache entries */
-	size_t msg_cache_count;
-	/** number of rrset cache entries */
-	size_t rrset_cache_count;
-	/** number of infra cache entries */
-	size_t infra_cache_count;
-	/** number of key cache entries */
-	size_t key_cache_count;
-#ifdef USE_DNSCRYPT
-    /** number of queries that used dnscrypt */
-    size_t num_query_dnscrypt_crypted;
-    /** number of queries that queried dnscrypt certificates */
-    size_t num_query_dnscrypt_cert;
-    /** number of queries in clear text and not asking for the certificates */
-    size_t num_query_dnscrypt_cleartext;
-    /** number of malformed encrypted queries */
-    size_t num_query_dnscrypt_crypted_malformed;
-#endif
-};
-
-/** 
- * Statistics to send over the control pipe when asked
- * This struct is made to be memcpied, sent in binary.
- */
-struct stats_info {
-	/** the thread stats */
-	struct server_stats svr;
-
-	/** mesh stats: current number of states */
-	size_t mesh_num_states;
-	/** mesh stats: current number of reply (user) states */
-	size_t mesh_num_reply_states;
-	/** mesh stats: number of reply states overwritten with a new one */
-	size_t mesh_jostled;
-	/** mesh stats: number of incoming queries dropped */
-	size_t mesh_dropped;
-	/** mesh stats: replies sent */
-	size_t mesh_replies_sent;
-	/** mesh stats: sum of waiting times for the replies */
-	struct timeval mesh_replies_sum_wait;
-	/** mesh stats: median of waiting times for replies (in sec) */
-	double mesh_time_median;
-};
+/* stats struct */
+#include "libunbound/unbound.h"
 
 /** 
  * Initialize server stats to 0.
  * @param stats: what to init (this is alloced by the caller).
  * @param cfg: with extended statistics option.
  */
-void server_stats_init(struct server_stats* stats, struct config_file* cfg);
+void server_stats_init(struct ub_server_stats* stats, struct config_file* cfg);
 
 /** add query if it missed the cache */
-void server_stats_querymiss(struct server_stats* stats, struct worker* worker);
+void server_stats_querymiss(struct ub_server_stats* stats, struct worker* worker);
 
 /** add query if was cached and also resulted in a prefetch */
-void server_stats_prefetch(struct server_stats* stats, struct worker* worker);
+void server_stats_prefetch(struct ub_server_stats* stats, struct worker* worker);
 
 /** display the stats to the log */
-void server_stats_log(struct server_stats* stats, struct worker* worker,
+void server_stats_log(struct ub_server_stats* stats, struct worker* worker,
 	int threadnum);
 
 /**
@@ -211,7 +78,7 @@ void server_stats_log(struct server_stats* stats, struct worker* worker,
  * @param reset: if stats can be reset.
  */
 void server_stats_obtain(struct worker* worker, struct worker* who,
-	struct stats_info* s, int reset);
+	struct ub_stats_info* s, int reset);
 
 /**
  * Compile stats into structure for this thread worker.
@@ -221,7 +88,7 @@ void server_stats_obtain(struct worker* worker, struct worker* who,
  * @param reset: if true, depending on config stats are reset.
  * 	if false, statistics are not reset.
  */
-void server_stats_compile(struct worker* worker, struct stats_info* s, 
+void server_stats_compile(struct worker* worker, struct ub_stats_info* s, 
 	int reset);
 
 /**
@@ -237,7 +104,7 @@ void server_stats_reply(struct worker* worker, int reset);
  * @param total: sum of the two entries.
  * @param a: to add to it.
  */
-void server_stats_add(struct stats_info* total, struct stats_info* a);
+void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a);
 
 /**
  * Add stats for this query
@@ -248,7 +115,7 @@ void server_stats_add(struct stats_info* total, struct stats_info* a);
  * @param edns: edns record
  * @param repinfo: reply info with remote address
  */
-void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
+void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
 	uint16_t qtype, uint16_t qclass, struct edns_data* edns, 
 	struct comm_reply* repinfo);
 
@@ -257,6 +124,6 @@ void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
  * @param stats: the stats
  * @param buf: buffer with rcode. If buffer is length0: not counted.
  */
-void server_stats_insrcode(struct server_stats* stats, struct sldns_buffer* buf);
+void server_stats_insrcode(struct ub_server_stats* stats, struct sldns_buffer* buf);
 
 #endif /* DAEMON_STATS_H */

daemon/worker.c

@@ -811,7 +811,9 @@ chaos_replystr(sldns_buffer* pkt, char** str, int num, struct edns_data* edns,
 	if(!inplace_cb_reply_local_call(&worker->env, NULL, NULL, NULL,
 		LDNS_RCODE_NOERROR, edns, worker->scratchpad))
 			edns->opt_list = NULL;
-	attach_edns_record(pkt, edns);
+	if(sldns_buffer_capacity(pkt) >=
+		sldns_buffer_limit(pkt)+calc_edns_field_size(edns))
+		attach_edns_record(pkt, edns);
 }
 
 /** Reply with one string */
@@ -1014,43 +1016,48 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		return 0;
 	}
 #ifdef USE_DNSCRYPT
-    repinfo->max_udp_size = worker->daemon->cfg->max_udp_size;
-    if(!dnsc_handle_curved_request(worker->daemon->dnscenv, repinfo)) {
-        worker->stats.num_query_dnscrypt_crypted_malformed++;
-        return 0;
-    }
-    if(c->dnscrypt && !repinfo->is_dnscrypted) {
-        char buf[LDNS_MAX_DOMAINLEN+1];
-        // Check if this is unencrypted and asking for certs
-        if(worker_check_request(c->buffer, worker) != 0) {
-            verbose(VERB_ALGO, "dnscrypt: worker check request: bad query.");
-            log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
-            comm_point_drop_reply(repinfo);
-            return 0;
-        }
-        if(!query_info_parse(&qinfo, c->buffer)) {
-            verbose(VERB_ALGO, "dnscrypt: worker parse request: formerror.");
-            log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
-            comm_point_drop_reply(repinfo);
-            return 0;
-        }
-        dname_str(qinfo.qname, buf);
-        if(!(qinfo.qtype == LDNS_RR_TYPE_TXT &&
-             strcasecmp(buf, worker->daemon->dnscenv->provider_name) == 0)) {
-            verbose(VERB_ALGO,
-                    "dnscrypt: not TXT %s. Receive: %s %s",
-                    worker->daemon->dnscenv->provider_name,
-                    sldns_rr_descript(qinfo.qtype)->_name,
-                    buf);
-            comm_point_drop_reply(repinfo);
-            worker->stats.num_query_dnscrypt_cleartext++;
-            return 0;
-        }
-        worker->stats.num_query_dnscrypt_cert++;
-        sldns_buffer_rewind(c->buffer);
-    } else if(c->dnscrypt && repinfo->is_dnscrypted) {
-        worker->stats.num_query_dnscrypt_crypted++;
-    }
+	repinfo->max_udp_size = worker->daemon->cfg->max_udp_size;
+	if(!dnsc_handle_curved_request(worker->daemon->dnscenv, repinfo)) {
+		worker->stats.num_query_dnscrypt_crypted_malformed++;
+		return 0;
+	}
+	if(c->dnscrypt && !repinfo->is_dnscrypted) {
+		char buf[LDNS_MAX_DOMAINLEN+1];
+		/* Check if this is unencrypted and asking for certs */
+		if(worker_check_request(c->buffer, worker) != 0) {
+			verbose(VERB_ALGO,
+				"dnscrypt: worker check request: bad query.");
+			log_addr(VERB_CLIENT,"from",&repinfo->addr,
+				repinfo->addrlen);
+			comm_point_drop_reply(repinfo);
+			return 0;
+		}
+		if(!query_info_parse(&qinfo, c->buffer)) {
+			verbose(VERB_ALGO,
+				"dnscrypt: worker parse request: formerror.");
+			log_addr(VERB_CLIENT, "from", &repinfo->addr,
+				repinfo->addrlen);
+			comm_point_drop_reply(repinfo);
+			return 0;
+		}
+		dname_str(qinfo.qname, buf);
+		if(!(qinfo.qtype == LDNS_RR_TYPE_TXT &&
+			strcasecmp(buf,
+			worker->daemon->dnscenv->provider_name) == 0)) {
+			verbose(VERB_ALGO,
+				"dnscrypt: not TXT %s. Receive: %s %s",
+				worker->daemon->dnscenv->provider_name,
+				sldns_rr_descript(qinfo.qtype)->_name,
+				buf);
+			comm_point_drop_reply(repinfo);
+			worker->stats.num_query_dnscrypt_cleartext++;
+			return 0;
+		}
+		worker->stats.num_query_dnscrypt_cert++;
+		sldns_buffer_rewind(c->buffer);
+	} else if(c->dnscrypt && repinfo->is_dnscrypted) {
+		worker->stats.num_query_dnscrypt_crypted++;
+	}
 #endif
 #ifdef USE_DNSTAP
 	if(worker->dtenv.log_client_query_messages)
@@ -1182,7 +1189,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		error_encode(c->buffer, EDNS_RCODE_BADVERS&0xf, &qinfo,
 			*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
 			sldns_buffer_read_u16_at(c->buffer, 2), NULL);
-		attach_edns_record(c->buffer, &edns);
+		if(sldns_buffer_capacity(c->buffer) >=
+			sldns_buffer_limit(c->buffer)+calc_edns_field_size(&edns))
+			attach_edns_record(c->buffer, &edns);
 		regional_free_all(worker->scratchpad);
 		goto send_reply;
 	}
@@ -1420,9 +1429,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			tv, 1, c->buffer);
 	}
 #ifdef USE_DNSCRYPT
-    if(!dnsc_handle_uncurved_request(repinfo)) {
-        return 0;
-    }
+	if(!dnsc_handle_uncurved_request(repinfo)) {
+		return 0;
+	}
 #endif
 	return rc;
 }
@@ -1664,6 +1673,7 @@ worker_init(struct worker* worker, struct config_file *cfg,
 	worker->env.mesh = mesh_create(&worker->daemon->mods, &worker->env);
 	worker->env.detach_subs = &mesh_detach_subs;
 	worker->env.attach_sub = &mesh_attach_sub;
+	worker->env.add_sub = &mesh_add_sub;
 	worker->env.kill_sub = &mesh_state_delete;
 	worker->env.detect_cycle = &mesh_detect_cycle;
 	worker->env.scratch_buffer = sldns_buffer_new(cfg->msg_buffer_size);

daemon/worker.h

@@ -116,7 +116,7 @@ struct worker {
 	/** allocation cache for this thread */
 	struct alloc_cache alloc;
 	/** per thread statistics */
-	struct server_stats stats;
+	struct ub_server_stats stats;
 	/** thread scratch regional */
 	struct regional* scratchpad;
 

dnscrypt/cert.h

@@ -20,12 +20,12 @@ struct SignedCert {
     uint8_t version_minor[2];
 
     // Signed Content
+    uint8_t signed_content[64];
     uint8_t server_publickey[crypto_box_PUBLICKEYBYTES];
     uint8_t magic_query[8];
     uint8_t serial[4];
     uint8_t ts_begin[4];
     uint8_t ts_end[4];
-    uint8_t end[64];
 };
 
 

dnscrypt/dnscrypt.c

@@ -15,6 +15,7 @@
 
 #include "dnscrypt/cert.h"
 #include "dnscrypt/dnscrypt.h"
+#include "dnscrypt/dnscrypt_config.h"
 
 #include <ctype.h>
 
@@ -35,18 +36,18 @@
     (DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_HALF_NONCEBYTES + crypto_box_HALF_NONCEBYTES)
 
 /**
- * Decrypt a query using the keypair that was found using dnsc_find_keypair.
+ * Decrypt a query using the dnsccert that was found using dnsc_find_cert.
  * The client nonce will be extracted from the encrypted query and stored in
  * client_nonce, a shared secret will be computed and stored in nmkey and the
  * buffer will be decrypted inplace.
- * \param[in] keypair the keypair that matches this encrypted query.
+ * \param[in] cert the cert that matches this encrypted query.
  * \param[in] client_nonce where the client nonce will be stored.
  * \param[in] nmkey where the shared secret key will be written.
  * \param[in] buffer the encrypted buffer.
  * \return 0 on success.
  */
 static int
-dnscrypt_server_uncurve(const KeyPair *keypair,
+dnscrypt_server_uncurve(const dnsccert *cert,
                         uint8_t client_nonce[crypto_box_HALF_NONCEBYTES],
                         uint8_t nmkey[crypto_box_BEFORENMBYTES],
                         struct sldns_buffer* buffer)
@@ -62,25 +63,48 @@ dnscrypt_server_uncurve(const KeyPair *keypair,
 
     query_header = (struct dnscrypt_query_header *)buf;
     memcpy(nmkey, query_header->publickey, crypto_box_PUBLICKEYBYTES);
-    if (crypto_box_beforenm(nmkey, nmkey, keypair->crypt_secretkey) != 0) {
+    if(cert->es_version[1] == 2) {
+#ifdef USE_DNSCRYPT_XCHACHA20
+        if (crypto_box_curve25519xchacha20poly1305_beforenm(
+                nmkey, nmkey, cert->keypair->crypt_secretkey) != 0) {
+            return -1;
+        }
+#else
         return -1;
+#endif
+    } else {
+        if (crypto_box_beforenm(nmkey, nmkey, cert->keypair->crypt_secretkey) != 0) {
+            return -1;
+        }
     }
 
     memcpy(nonce, query_header->nonce, crypto_box_HALF_NONCEBYTES);
     memset(nonce + crypto_box_HALF_NONCEBYTES, 0, crypto_box_HALF_NONCEBYTES);
 
-    sldns_buffer_set_at(buffer,
-                        DNSCRYPT_QUERY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
-                        0, crypto_box_BOXZEROBYTES);
-
-    if (crypto_box_open_afternm
-        (buf + DNSCRYPT_QUERY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
-         buf + DNSCRYPT_QUERY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
-         len - DNSCRYPT_QUERY_BOX_OFFSET + crypto_box_BOXZEROBYTES, nonce,
-         nmkey) != 0) {
+    if(cert->es_version[1] == 2) {
+#ifdef USE_DNSCRYPT_XCHACHA20
+        if (crypto_box_curve25519xchacha20poly1305_open_easy_afternm
+                (buf,
+                buf + DNSCRYPT_QUERY_BOX_OFFSET,
+                len - DNSCRYPT_QUERY_BOX_OFFSET, nonce,
+                nmkey) != 0) {
+            return -1;
+        }
+#else
         return -1;
+#endif
+    } else {
+        if (crypto_box_open_easy_afternm
+            (buf,
+             buf + DNSCRYPT_QUERY_BOX_OFFSET,
+             len - DNSCRYPT_QUERY_BOX_OFFSET, nonce,
+             nmkey) != 0) {
+            return -1;
+        }
     }
 
+    len -= DNSCRYPT_QUERY_HEADER_SIZE;
+
     while (*sldns_buffer_at(buffer, --len) == 0)
 	    ;
 
@@ -89,12 +113,9 @@ dnscrypt_server_uncurve(const KeyPair *keypair,
     }
 
     memcpy(client_nonce, nonce, crypto_box_HALF_NONCEBYTES);
-    memmove(sldns_buffer_begin(buffer),
-            sldns_buffer_at(buffer, DNSCRYPT_QUERY_HEADER_SIZE),
-            len - DNSCRYPT_QUERY_HEADER_SIZE);
 
     sldns_buffer_set_position(buffer, 0);
-    sldns_buffer_set_limit(buffer, len - DNSCRYPT_QUERY_HEADER_SIZE);
+    sldns_buffer_set_limit(buffer, len);
 
     return 0;
 }
@@ -182,10 +203,10 @@ add_server_nonce(uint8_t *nonce)
 }
 
 /**
- * Encrypt a reply using the keypair that was used with the query.
+ * Encrypt a reply using the dnsccert that was used with the query.
  * The client nonce will be extracted from the encrypted query and stored in
  * The buffer will be encrypted inplace.
- * \param[in] keypair the keypair that matches this encrypted query.
+ * \param[in] cert the dnsccert that matches this encrypted query.
  * \param[in] client_nonce client nonce used during the query
  * \param[in] nmkey shared secret key used during the query.
  * \param[in] buffer the buffer where to encrypt the reply.
@@ -194,7 +215,7 @@ add_server_nonce(uint8_t *nonce)
  * \return 0 on success.
  */
 static int
-dnscrypt_server_curve(const KeyPair *keypair,
+dnscrypt_server_curve(const dnsccert *cert,
                       uint8_t client_nonce[crypto_box_HALF_NONCEBYTES],
                       uint8_t nmkey[crypto_box_BEFORENMBYTES],
                       struct sldns_buffer* buffer,
@@ -223,7 +244,7 @@ dnscrypt_server_curve(const KeyPair *keypair,
     memmove(boxed + crypto_box_MACBYTES, buf, len);
     len = dnscrypt_pad(boxed + crypto_box_MACBYTES, len,
                        max_len - DNSCRYPT_REPLY_HEADER_SIZE, nonce,
-                       keypair->crypt_secretkey);
+                       cert->keypair->crypt_secretkey);
     sldns_buffer_set_at(buffer,
                         DNSCRYPT_REPLY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
                         0, crypto_box_ZEROBYTES);
@@ -231,10 +252,20 @@ dnscrypt_server_curve(const KeyPair *keypair,
     // add server nonce extension
     add_server_nonce(nonce);
 
-    if (crypto_box_afternm
-        (boxed - crypto_box_BOXZEROBYTES, boxed - crypto_box_BOXZEROBYTES,
-         len + crypto_box_ZEROBYTES, nonce, nmkey) != 0) {
+    if(cert->es_version[1] == 2) {
+#ifdef USE_DNSCRYPT_XCHACHA20
+        if (crypto_box_curve25519xchacha20poly1305_easy_afternm
+            (boxed, boxed + crypto_box_MACBYTES, len, nonce, nmkey) != 0) {
+            return -1;
+        }
+#else
         return -1;
+#endif
+    } else {
+        if (crypto_box_easy_afternm
+            (boxed, boxed + crypto_box_MACBYTES, len, nonce, nmkey) != 0) {
+            return -1;
+        }
     }
 
     sldns_buffer_write_at(buffer, 0, DNSCRYPT_MAGIC_RESPONSE, DNSCRYPT_MAGIC_HEADER_LEN);
@@ -266,6 +297,25 @@ dnsc_read_from_file(char *fname, char *buf, size_t count)
 	return 0;
 }
 
+/**
+ * Given an absolute path on the original root, returns the absolute path
+ * within the chroot. If chroot is disabled, the path is not modified.
+ * No char * is malloced so there is no need to free this.
+ * \param[in] cfg the configuration.
+ * \param[in] path the path from the original root.
+ * \return the path from inside the chroot.
+ */
+static char *
+dnsc_chroot_path(struct config_file *cfg, char *path)
+{
+	char *nm;
+	nm = path;
+	if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
+		cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
+		nm += strlen(cfg->chrootdir);
+	return nm;
+}
+
 /**
  * Parse certificates files provided by the configuration and load them into
  * dnsc_env.
@@ -278,6 +328,7 @@ dnsc_parse_certs(struct dnsc_env *env, struct config_file *cfg)
 {
 	struct config_strlist *head;
 	size_t signed_cert_id;
+	char *nm;
 
 	env->signed_certs_count = 0U;
 	for (head = cfg->dnscrypt_provider_cert; head; head = head->next) {
@@ -288,8 +339,9 @@ dnsc_parse_certs(struct dnsc_env *env, struct config_file *cfg)
 
 	signed_cert_id = 0U;
 	for(head = cfg->dnscrypt_provider_cert; head; head = head->next, signed_cert_id++) {
+		nm = dnsc_chroot_path(cfg, head->str);
 		if(dnsc_read_from_file(
-				head->str,
+				nm,
 				(char *)(env->signed_certs + signed_cert_id),
 				sizeof(struct SignedCert)) != 0) {
 			fatal_exit("dnsc_parse_certs: failed to load %s: %s", head->str, strerror(errno));
@@ -326,16 +378,17 @@ dnsc_key_to_fingerprint(char fingerprint[80U], const uint8_t * const key)
 }
 
 /**
- * Find the keypair matching a DNSCrypt query.
- * \param[in] dnscenv The DNSCrypt enviroment, which contains the list of keys
+ * Find the cert matching a DNSCrypt query.
+ * \param[in] dnscenv The DNSCrypt enviroment, which contains the list of certs
  * supported by the server.
  * \param[in] buffer The encrypted DNS query.
- * \return a KeyPair * if we found a key pair matching the query, NULL otherwise.
+ * \return a dnsccert * if we found a cert matching the magic_number of the
+ * query, NULL otherwise.
  */
-static const KeyPair *
-dnsc_find_keypair(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
+static const dnsccert *
+dnsc_find_cert(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
 {
-	const KeyPair *keypairs = dnscenv->keypairs;
+	const dnsccert *certs = dnscenv->certs;
 	struct dnscrypt_query_header *dnscrypt_header;
 	size_t i;
 
@@ -343,10 +396,10 @@ dnsc_find_keypair(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
 		return NULL;
 	}
 	dnscrypt_header = (struct dnscrypt_query_header *)sldns_buffer_begin(buffer);
-	for (i = 0U; i < dnscenv->keypairs_count; i++) {
-		if (memcmp(keypairs[i].crypt_publickey, dnscrypt_header->magic_query,
+	for (i = 0U; i < dnscenv->signed_certs_count; i++) {
+		if (memcmp(certs[i].magic_query, dnscrypt_header->magic_query,
                    DNSCRYPT_MAGIC_HEADER_LEN) == 0) {
-			return &keypairs[i];
+			return &certs[i];
 		}
 	}
 	return NULL;
@@ -404,9 +457,33 @@ dnsc_load_local_data(struct dnsc_env* dnscenv, struct config_file *cfg)
     return dnscenv->signed_certs_count;
 }
 
+static const char *
+key_get_es_version(uint8_t version[2])
+{
+    struct es_version {
+        uint8_t es_version[2];
+        const char *name;
+    };
+
+    struct es_version es_versions[] = {
+        {{0x00, 0x01}, "X25519-XSalsa20Poly1305"},
+        {{0x00, 0x02}, "X25519-XChacha20Poly1305"},
+    };
+    int i;
+    for(i=0; i < (int)sizeof(es_versions); i++){
+        if(es_versions[i].es_version[0] == version[0] &&
+           es_versions[i].es_version[1] == version[1]){
+            return es_versions[i].name;
+        }
+    }
+    return NULL;
+}
+
+
 /**
  * Parse the secret key files from `dnscrypt-secret-key` config and populates
- * a list of secret/public keys supported by dnscrypt listener.
+ * a list of dnsccert with es_version, magic number and secret/public keys
+ * supported by dnscrypt listener.
  * \param[in] env The dnsc_env structure which will hold the keypairs.
  * \param[in] cfg The config with the secret key file paths.
  */
@@ -414,33 +491,76 @@ static int
 dnsc_parse_keys(struct dnsc_env *env, struct config_file *cfg)
 {
 	struct config_strlist *head;
-	size_t keypair_id;
+	size_t cert_id, keypair_id;
+	size_t c;
+	char *nm;
 
 	env->keypairs_count = 0U;
 	for (head = cfg->dnscrypt_secret_key; head; head = head->next) {
 		env->keypairs_count++;
 	}
-	env->keypairs = sodium_allocarray(env->keypairs_count,
-										  sizeof *env->keypairs);
 
+	env->keypairs = sodium_allocarray(env->keypairs_count,
+		sizeof *env->keypairs);
+	env->certs = sodium_allocarray(env->signed_certs_count, 
+		sizeof *env->certs);
+
+	cert_id = 0U;
 	keypair_id = 0U;
 	for(head = cfg->dnscrypt_secret_key; head; head = head->next, keypair_id++) {
 		char fingerprint[80];
+		int found_cert = 0;
+		KeyPair *current_keypair = &env->keypairs[keypair_id];
+		nm = dnsc_chroot_path(cfg, head->str);
 		if(dnsc_read_from_file(
-				head->str,
-				(char *)(env->keypairs[keypair_id].crypt_secretkey),
+				nm,
+				(char *)(current_keypair->crypt_secretkey),
 				crypto_box_SECRETKEYBYTES) != 0) {
 			fatal_exit("dnsc_parse_keys: failed to load %s: %s", head->str, strerror(errno));
 		}
 		verbose(VERB_OPS, "Loaded key %s", head->str);
-		if (crypto_scalarmult_base(env->keypairs[keypair_id].crypt_publickey,
-								   env->keypairs[keypair_id].crypt_secretkey) != 0) {
+		if (crypto_scalarmult_base(current_keypair->crypt_publickey,
+			current_keypair->crypt_secretkey) != 0) {
 			fatal_exit("dnsc_parse_keys: could not generate public key from %s", head->str);
 		}
-		dnsc_key_to_fingerprint(fingerprint, env->keypairs[keypair_id].crypt_publickey);
+		dnsc_key_to_fingerprint(fingerprint, current_keypair->crypt_publickey);
 		verbose(VERB_OPS, "Crypt public key fingerprint for %s: %s", head->str, fingerprint);
+		// find the cert matching this key
+		for(c = 0; c < env->signed_certs_count; c++) {
+			if(memcmp(current_keypair->crypt_publickey,
+				env->signed_certs[c].server_publickey,
+				crypto_box_PUBLICKEYBYTES) == 0) {
+				dnsccert *current_cert = &env->certs[cert_id++];
+				found_cert = 1;
+				current_cert->keypair = current_keypair;
+				memcpy(current_cert->magic_query,
+				       env->signed_certs[c].magic_query,
+					sizeof env->signed_certs[c].magic_query);
+				memcpy(current_cert->es_version,
+				       env->signed_certs[c].version_major,
+				       sizeof env->signed_certs[c].version_major
+				);
+				dnsc_key_to_fingerprint(fingerprint,
+							current_cert->keypair->crypt_publickey);
+				verbose(VERB_OPS, "Crypt public key fingerprint for %s: %s",
+					head->str, fingerprint);
+				verbose(VERB_OPS, "Using %s",
+					key_get_es_version(current_cert->es_version));
+#ifndef USE_DNSCRYPT_XCHACHA20
+				if (current_cert->es_version[1] == 0x02) {
+				    fatal_exit("Certificate for XChacha20 but libsodium does not support it.");
+				}
+#endif
+
+            		}
+        	}
+		if (!found_cert) {
+		    fatal_exit("dnsc_parse_keys: could not match certificate for key "
+			       "%s. Unable to determine ES version.",
+			       head->str);
+		}
 	}
-	return keypair_id;
+	return cert_id;
 }
 
 
@@ -463,8 +583,8 @@ dnsc_handle_curved_request(struct dnsc_env* dnscenv,
     // Attempt to decrypt the query. If it is not crypted, we may still need
     // to serve the certificate.
     verbose(VERB_ALGO, "handle request called on DNSCrypt socket");
-    if ((repinfo->keypair = dnsc_find_keypair(dnscenv, c->buffer)) != NULL) {
-        if(dnscrypt_server_uncurve(repinfo->keypair,
+    if ((repinfo->dnsc_cert = dnsc_find_cert(dnscenv, c->buffer)) != NULL) {
+        if(dnscrypt_server_uncurve(repinfo->dnsc_cert,
                                    repinfo->client_nonce,
                                    repinfo->nmkey,
                                    c->buffer) != 0){
@@ -488,7 +608,7 @@ dnsc_handle_uncurved_request(struct comm_reply *repinfo)
     if(!repinfo->is_dnscrypted) {
         return 1;
     }
-	if(dnscrypt_server_curve(repinfo->keypair,
+	if(dnscrypt_server_curve(repinfo->dnsc_cert,
                              repinfo->client_nonce,
                              repinfo->nmkey,
                              repinfo->c->dnscrypt_buffer,

dnscrypt/dnscrypt.h

@@ -44,8 +44,15 @@ typedef struct KeyPair_ {
     uint8_t crypt_secretkey[crypto_box_SECRETKEYBYTES];
 } KeyPair;
 
+typedef struct cert_ {
+    uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
+    uint8_t es_version[2];
+    KeyPair *keypair;
+} dnsccert;
+
 struct dnsc_env {
 	struct SignedCert *signed_certs;
+    dnsccert *certs;
 	size_t signed_certs_count;
 	uint8_t provider_publickey[crypto_sign_ed25519_PUBLICKEYBYTES];
 	uint8_t provider_secretkey[crypto_sign_ed25519_SECRETKEYBYTES];

dnscrypt/dnscrypt.m4

@@ -18,8 +18,19 @@ AC_DEFUN([dnsc_DNSCRYPT],
     ])
     AC_SEARCH_LIBS([sodium_init], [sodium], [],
       AC_MSG_ERROR([The sodium library was not found. Please install sodium!]))
+    AC_SEARCH_LIBS([crypto_box_curve25519xchacha20poly1305_beforenm], [sodium],
+        [
+            AC_SUBST([ENABLE_DNSCRYPT_XCHACHA20], [1])
+            AC_DEFINE(
+                [USE_DNSCRYPT_XCHACHA20], [1],
+                [Define to 1 to enable dnscrypt with xchacha20 support])
+        ],
+        [
+            AC_SUBST([ENABLE_DNSCRYPT_XCHACHA20], [0])
+        ])
     $1
   else
+    AC_SUBST([ENABLE_DNSCRYPT_XCHACHA20], [0])
     $2
   fi
 ])

doc/Changelog

@@ -1,12 +1,198 @@
+22 June 2017: Wouter
+	- Tag 1.6.4rc2
+
+22 June 2017: Ralph
+	- Added fastrpz patch to contrib
+
+21 June 2017: Wouter
+	- Fix #1316: heap read buffer overflow in parse_edns_options.
+
+20 June 2017: Wouter
+	- Fix warning in pythonmod under clang compiler.
+	- Tag 1.6.4rc1
+	- Fix lintian typo.
+
+16 June 2017: Ralph
+	- Fix #1277: disable domain ratelimit by setting value to 0.
+
+16 June 2017: Wouter
+	- Fix #1301: memory leak in respip and tests.
+	- Free callback in edns-subnetmod on exit and restart.
+	- Fix memory leak in sldns_buffer_new_frm_data.
+	- Fix memory leak in dnscrypt config read.
+	- Fix dnscrypt chacha cert support ifdefs.
+	- Fix dnscrypt chacha cert unit test escapes in grep.
+	- Remove asynclook tests that cause test and purifier problems.
+	- Fix to unlock view in view test.
+
+15 June 2017: Wouter
+	- Fix stub zone queries leaking to the internet for
+	  harden-referral-path ns checks.
+	- Fix query for refetch_glue of stub leaking to internet.
+
 13 June 2017: Wouter
+	- Fix #1279: Memory leak on reload when python module is enabled.
 	- Fix #1280: Unbound fails assert when response from authoritative
 	  contains malformed qname.  When 0x20 caps-for-id is enabled, when
 	  assertions are not enabled the malformed qname is handled correctly.
-	- tag for 1.6.3
+	- 1.6.3 tag created, with only #1280 fix, trunk is 1.6.4 development.
+	- More fixes in depth for buffer checks in 0x20 qname checks.
+
+12 June 2017: Wouter
+	- Fix #1278: Incomplete wildcard proof.
+
+8 June 2017: Ralph
+	- Added domain name based ECS whitelist.
+
+8 June 2017: Wouter
+	- Detect chacha for dnscrypt at configure time.
+	- dnscrypt unit tests with chacha.
+
+7 June 2017: Wouter
+	- Fix that unbound-control can set val_clean_additional and val_permissive_mode.
+	- Add dnscrypt XChaCha20 tests.
+
+6 June 2017: Wouter
+	- Add an explicit type cast for TCP FASTOPEN fix.
+	- renumbering B-Root's IPv6 address to 2001:500:200::b.
+	- Fix #1275: cached data in cachedb is never used.
+	- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
+
+1 June 2017: Ralph
+	- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
+	  (from Manu Bretelle).
+
+1 June 2017: Wouter
+	- Fix fastopen EPIPE fallthrough to perform connect.
+
+31 May 2017: Ralph
+	- Also use global local-zones when there is a matching view that does
+	  not have any local-zone specified.
+
+31 May 2017: Wouter
+	- Fix #1273: cachedb.c doesn't compile with -Wextra.
+	- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
+
+30 May 2017: Ralph
+	- Fix #1269: inconsistent use of built-in local zones with views.
+	- Add defaults for new local-zone trees added to views using
+	  unbound-control.
+
+30 May 2017: Wouter
+	- Support for openssl EVP_DigestVerify.
+	- Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
+
+29 May 2017: Wouter
+	- Fix assertion for low buffer size and big edns payload when worker
+	  overrides udpsize.
+
+26 May 2017: Ralph
+	- Added redirect-bogus.patch to contrib directory.
+
+26 May 2017: Wouter
+	- Fix #1270: unitauth.c doesn't compile with higher warning level
+	  and optimization
+	- exec_prefix is by default equal to prefix.
+	- printout localzone for duplicate local-zone warnings.
+
+24 May 2017: Wouter
+	- authzone cname chain, no rrset duplicates, wildcard doesn't change
+	  rrsets added for cname chain.
+
+23 May 2017: Wouter
+	- first services/authzone check in, it compiles and reads and writes
+	  zonefiles.
+	- iana portlist update
+
+22 May 2017: Wouter
+	- Fix #1268: SIGSEGV after log_reopen.
+
+18 May 2017: Wouter
+	- Fix #1265 to use /bin/kill.
+	- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
+	  and compatibility with BoringSSL.
+
+17 May 2017: Wouter
+	- Fix #1265: contrib/unbound.service contains hardcoded path.
+
+17 May 2017: George
+	- Use qstate's region for IPSECKEY rrset (ipsecmod).
+
+16 May 2017: George
+	- Implemented opportunistic IPsec support module (ipsecmod).
+	- Some whitespace fixup.
+
+16 May 2017: Wouter
+	- updated dependencies in the makefile.
+	- document trust-anchor-signaling in example config file.
+	- updated configure, dependencies and flex output.
+	- better module memory lookup, fix of unbound-control shm names for
+	  module memory printout of statistics.
+	- Fix type AVC sldns rrdef.
+
+12 May 2017: Wouter
+	- Adjust servfail by iterator to not store in cache when serve-expired
+	  is enabled, to avoid overwriting useful information there.
+	- Fix queries for nameservers under a stub leaking to the internet.
+
+9 May 2017: Ralph
+	- Add 'c' to getopt() in testbound.
+	- iana portlist update
+
+8 May 2017: Wouter
+	- Fix tcp-mss failure printout text.
+	- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
+	  connect limited tcp connections.  With the option tcp connections
+	  can share the same source port (for different destinations).
+
+2 May 2017: Ralph
+	- Added mesh_add_sub to add detached mesh entries.
+	- Use mesh_add_sub for key tag signaling query.
+
+2 May 2017: Wouter
+	- Added test for leak of stub information.
+	- Fix sldns wire2str printout of RR type CAA tags.
+	- Fix sldns int16_data parse.
+	- Fix sldns parse and printout of TSIG RRs.
+	- sldns SMIMEA and AVC definitions, same as getdns definitions.
+
+1 May 2017: Wouter
+	- Fix #1259: "--disable-ecdsa" argument overwritten 
+	  by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
+	- iana portlist update
+	- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
+	  and fix that 64bit getting installed in C:\Program Files (x86).
+
+26 April 2017: Ralph
+	- Implemented trust anchor signaling using key tag query.
+
+26 April 2017: Wouter
+	- Based on #1257: check parse limit before t increment in sldns RR
+	  string parse routine.
+
+24 April 2017: Wouter
+	- unbound-checkconf -o allows query of dnstap config variables.
+	  Also unbound-control get_option.  Also for dnscrypt.
+	- trunk contains 1.6.3 version number (changes from 1.6.2 back from
+	  when the 1.6.2rc1 tag has been created).
+
+21 April 2017: Ralph
+	- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
+	- iana portlist update
+	
+18 April 2017: Ralph
+	- Fix #1252: more indentation inconsistencies.
+	- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
+
+13 April 2017: Ralph
+	- Added ECS unit test (from Manu Bretelle).
+	- ECS documentation fix (from Manu Bretelle).
 
 13 April 2017: Wouter
 	- Fix #1250: inconsistent indentation in services/listen_dnsport.c.
 	- tag for 1.6.2rc1
+	- (for 1.6.3:) unbound.h exports the shm stats structures.  They use
+	  type long long and no ifdefs, and ub_ before the typenames.
 
 12 April 2017: Wouter
 	- subnet mem value is available in shm, also when not enabled,
@@ -243,7 +429,7 @@
 	- Fix #1184: Log DNS replies. This includes the same logging
 	  information that DNS queries and response code and response size,
 	  patch from Larissa Feng.
-	- Fix #1185: Source IP rate limiting, patch from Larissa Feng.
+	- Fix #1187: Source IP rate limiting, patch from Larissa Feng.
 
 3 January 2017: Wouter
 	- configure --enable-systemd and lets unbound use systemd sockets if

doc/README

@@ -1,4 +1,4 @@
-README for Unbound 1.6.3
+README for Unbound 1.6.4
 Copyright 2007 NLnet Labs
 http://unbound.net
 

doc/example.conf.in

@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.6.3.
+# See unbound.conf(5) man page, version 1.6.4.
 #
 # this is a comment.
 
@@ -448,6 +448,9 @@ server:
 	# and under the terms of our LICENSE (see that file in the source).
 	# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
 
+	# trust anchor signaling sends a RFC8145 key tag query after priming.
+	# trust-anchor-signaling: no
+
 	# File with DLV trusted keys. Same format as trust-anchor-file.
 	# There can be only one DLV configured, it is trusted from root down.
 	# DLV is going to be decommissioned.  Please do not use it any more.
@@ -698,6 +701,34 @@ server:
 	# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
 	# ip-ratelimit-factor: 10
 
+	# Specific options for ipsecmod. unbound needs to be configured with
+	# --enable-ipsecmod for these to take effect.
+	#
+	# Enable or disable ipsecmod (it still needs to be defined in
+	# module-config above). Can be used when ipsecmod needs to be
+	# enabled/disabled via remote-control(below).
+	# ipsecmod-enabled: yes
+	#
+	# Path to executable external hook. It must be defined when ipsecmod is
+	# listed in module-config (above).
+	# ipsecmod-hook: "./my_executable"
+	#
+	# When enabled unbound will reply with SERVFAIL if the return value of
+	# the ipsecmod-hook is not 0.
+	# ipsecmod-strict: no
+	#
+	# Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY.
+	# ipsecmod-max-ttl: 3600
+	#
+	# Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for
+	# testing.
+	# ipsecmod-ignore-bogus: no
+	#
+	# Domains for which ipsecmod will be triggered. If not defined (default)
+	# all domains are treated as being whitelisted.
+	# ipsecmod-whitelist: "example.com"
+	# ipsecmod-whitelist: "nlnetlabs.nl"
+
 
 # Python config section. To enable:
 # o use --with-pythonmodule to configure before compiling.

doc/libunbound.3.in

@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "libunbound" "3" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -43,7 +43,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.6.3 functions.
+\- Unbound DNS validating resolver 1.6.4 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP

doc/unbound-anchor.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound-anchor" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"

doc/unbound-checkconf.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound-checkconf" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"

doc/unbound-control.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound-control" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"

doc/unbound-host.1.in

@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound\-host" "1" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"

doc/unbound.8.in

@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.6.3.
+\- Unbound DNS validating resolver 1.6.4.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]

doc/unbound.conf.5.in

@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound.conf" "5" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -16,13 +16,14 @@
 .B unbound.conf
 is used to configure
 \fIunbound\fR(8).
-The file format has attributes and values. Some attributes have attributes inside them.
+The file format has attributes and values. Some attributes have attributes
+inside them.
 The notation is: attribute: value.
 .P
 Comments start with # and last to the end of line. Empty lines are
 ignored as is whitespace at the beginning of a line.
 .P
-The utility 
+The utility
 \fIunbound\-checkconf\fR(8)
 can be used to check unbound.conf prior to usage.
 .SH "EXAMPLE"
@@ -30,7 +31,7 @@ An example config file is shown below. Copy this to /etc/unbound/unbound.conf
 and start the server with:
 .P
 .nf
-	$ unbound \-c /etc/unbound/unbound.conf 
+	$ unbound \-c /etc/unbound/unbound.conf
 .fi
 .P
 Most settings are the defaults. Stop the server with:
@@ -62,8 +63,8 @@ server:
 	access\-control: 2001:DB8::/64 allow
 .fi
 .SH "FILE FORMAT"
-There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
-is followed by its containing attributes, or a value.
+There must be whitespace between keywords. Attribute keywords end with a colon ':'.
+An attribute is followed by its containing attributes, or a value.
 .P
 Files can be included using the
 .B include:
@@ -71,7 +72,7 @@ directive. It can appear anywhere, it accepts a single file name as argument.
 Processing continues as if the text from the included file was copied into
 the config file at that point.  If also using chroot, using full path names
 for the included files works, relative pathnames for the included names work
-if the directory where the daemon is started equals its chroot/working 
+if the directory where the daemon is started equals its chroot/working
 directory or is specified before the include statement with directory: dir.
 Wildcards can be used to include multiple files, see \fIglob\fR(7).
 .SS "Server Options"
@@ -80,17 +81,17 @@ These options are part of the
 clause.
 .TP
 .B verbosity: \fI<number>
-The verbosity number, level 0 means no verbosity, only errors. Level 1 
+The verbosity number, level 0 means no verbosity, only errors. Level 1
 gives operational information. Level 2 gives detailed operational
-information. Level 3 gives query level information, output per query. 
-Level 4 gives algorithm level information.  Level 5 logs client 
-identification for cache misses.  Default is level 1. 
+information. Level 3 gives query level information, output per query.
+Level 4 gives algorithm level information.  Level 5 logs client
+identification for cache misses.  Default is level 1.
 The verbosity can also be increased from the commandline, see \fIunbound\fR(8).
 .TP
 .B statistics\-interval: \fI<seconds>
 The number of seconds between printing statistics to the log for every thread.
 Disable with value 0 or "". Default is disabled.  The histogram statistics
-are only printed if replies were sent during the statistics interval, 
+are only printed if replies were sent during the statistics interval,
 requestlist statistics are printed for every interval (but can be 0).
 This is because the median calculation requires data to be present.
 .TP
@@ -99,7 +100,7 @@ If enabled, statistics are cumulative since starting unbound, without clearing
 the statistics counters after logging the statistics. Default is no.
 .TP
 .B extended\-statistics: \fI<yes or no>
-If enabled, extended statistics are printed from \fIunbound\-control\fR(8). 
+If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
 Default is off, because keeping track of more statistics takes time.  The
 counters are listed in \fIunbound\-control\fR(8).
 .TP
@@ -112,7 +113,7 @@ The port number, default 53, on which the server responds to queries.
 .B interface: \fI<ip address[@port]>
 Interface to use to connect to the network. This interface is listened to
 for queries from clients, and answers to clients are given from it.
-Can be given multiple times to work on several interfaces. If none are 
+Can be given multiple times to work on several interfaces. If none are
 given the default is to listen to localhost.
 The interfaces are not changed on a reload (kill \-HUP) but only on restart.
 A port number can be specified with @port (without spaces between
@@ -123,19 +124,19 @@ interface and port number), if not specified the default port (from
 Same as interface: (for easy of compatibility with nsd.conf).
 .TP
 .B interface\-automatic: \fI<yes or no>
-Detect source interface on UDP queries and copy them to replies.  This 
+Detect source interface on UDP queries and copy them to replies.  This
 feature is experimental, and needs support in your OS for particular socket
 options.  Default value is no.
 .TP
 .B outgoing\-interface: \fI<ip address or ip6 netblock>
 Interface to use to connect to the network. This interface is used to send
-queries to authoritative servers and receive their replies. Can be given 
-multiple times to work on several interfaces. If none are given the 
-default (all) is used. You can specify the same interfaces in 
+queries to authoritative servers and receive their replies. Can be given
+multiple times to work on several interfaces. If none are given the
+default (all) is used. You can specify the same interfaces in
 .B interface:
 and
 .B outgoing\-interface:
-lines, the interfaces are then used for both purposes. Outgoing queries are 
+lines, the interfaces are then used for both purposes. Outgoing queries are
 sent via a random outgoing interface to counter spoofing.
 .IP
 If an IPv6 netblock is specified instead of an individual IPv6 address,
@@ -155,26 +156,26 @@ ip \-6 addr add mynetblock/64 dev lo &&
 ip \-6 route add local mynetblock/64 dev lo
 .TP
 .B outgoing\-range: \fI<number>
-Number of ports to open. This number of file descriptors can be opened per 
-thread. Must be at least 1. Default depends on compile options. Larger 
+Number of ports to open. This number of file descriptors can be opened per
+thread. Must be at least 1. Default depends on compile options. Larger
 numbers need extra resources from the operating system.  For performance a
 very large value is best, use libevent to make this possible.
 .TP
 .B outgoing\-port\-permit: \fI<port number or range>
 Permit unbound to open this port or range of ports for use to send queries.
 A larger number of permitted outgoing ports increases resilience against
-spoofing attempts. Make sure these ports are not needed by other daemons. 
+spoofing attempts. Make sure these ports are not needed by other daemons.
 By default only ports above 1024 that have not been assigned by IANA are used.
 Give a port number or a range of the form "low\-high", without spaces.
 .IP
-The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements 
-are processed in the line order of the config file, adding the permitted ports 
-and subtracting the avoided ports from the set of allowed ports.  The 
-processing starts with the non IANA allocated ports above 1024 in the set 
+The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
+are processed in the line order of the config file, adding the permitted ports
+and subtracting the avoided ports from the set of allowed ports.  The
+processing starts with the non IANA allocated ports above 1024 in the set
 of allowed ports.
 .TP
 .B outgoing\-port\-avoid: \fI<port number or range>
-Do not permit unbound to open this port or range of ports for use to send 
+Do not permit unbound to open this port or range of ports for use to send
 queries. Use this to make sure unbound does not grab a port that another
 daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
 By default only ports above 1024 that have not been assigned by IANA are used.
@@ -204,13 +205,13 @@ consider tuning the outgoing tcp number).
 .B max\-udp\-size: \fI<number>
 Maximum UDP response size (not applied to TCP response).  65536 disables the
 udp response size maximum, and uses the choice from the client, always.
-Suggested values are 512 to 4096. Default is 4096. 
+Suggested values are 512 to 4096. Default is 4096.
 .TP
 .B msg\-buffer\-size: \fI<number>
 Number of bytes size of the message buffers. Default is 65552 bytes, enough
 for 64 Kb packets, the maximum DNS message size. No message larger than this
 can be sent or received. Can be reduced to use less memory, but some requests
-for DNS data, such as for huge resource records, will result in a SERVFAIL 
+for DNS data, such as for huge resource records, will result in a SERVFAIL
 reply to the client.
 .TP
 .B msg\-cache\-size: \fI<number>
@@ -220,7 +221,7 @@ or gigabytes (1024*1024 bytes in a megabyte).
 .TP
 .B msg\-cache\-slabs: \fI<number>
 Number of slabs in the message cache. Slabs reduce lock contention by threads.
-Must be set to a power of 2. Setting (close) to the number of cpus is a 
+Must be set to a power of 2. Setting (close) to the number of cpus is a
 reasonable guess.
 .TP
 .B num\-queries\-per\-thread: \fI<number>
@@ -232,12 +233,12 @@ the existing queries. Default depends on compile options, 512 or 1024.
 .TP
 .B jostle\-timeout: \fI<msec>
 Timeout used when the server is very busy.  Set to a value that usually
-results in one roundtrip to the authority servers.  If too many queries 
+results in one roundtrip to the authority servers.  If too many queries
 arrive, then 50% of the queries are allowed to run to completion, and
-the other 50% are replaced with the new incoming query if they have already 
-spent more than their allowed time.  This protects against denial of 
+the other 50% are replaced with the new incoming query if they have already
+spent more than their allowed time.  This protects against denial of
 service by slow queries or high query rates.  Default 200 milliseconds.
-The effect is that the qps for long-lasting queries is about 
+The effect is that the qps for long-lasting queries is about
 (numqueriesperthread / 2) / (average time for such long queries) qps.
 The qps for short queries can be about (numqueriesperthread / 2)
 / (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
@@ -308,12 +309,12 @@ or gigabytes (1024*1024 bytes in a megabyte).
 .TP
 .B rrset\-cache\-slabs: \fI<number>
 Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
-Must be set to a power of 2. 
+Must be set to a power of 2.
 .TP
 .B cache\-max\-ttl: \fI<seconds>
-Time to live maximum for RRsets and messages in the cache. Default is 
-86400 seconds (1 day). If the maximum kicks in, responses to clients 
-still get decrementing TTLs based on the original (larger) values. 
+Time to live maximum for RRsets and messages in the cache. Default is
+86400 seconds (1 day). If the maximum kicks in, responses to clients
+still get decrementing TTLs based on the original (larger) values.
 When the internal TTL expires, the cache item has expired.
 Can be set lower to force the resolver to query for data often, and not
 trust (very large) TTL values.
@@ -323,7 +324,7 @@ Time to live minimum for RRsets and messages in the cache. Default is 0.
 If the minimum kicks in, the data is cached for longer than the domain
 owner intended, and thus less queries are made to look up the data.
 Zero makes sure the data in the cache is as the domain owner intended,
-higher values, especially more than an hour or so, can lead to trouble as 
+higher values, especially more than an hour or so, can lead to trouble as
 the data in the cache does not match up with the actual data any more.
 .TP
 .B cache\-max\-negative\-ttl: \fI<seconds>
@@ -331,12 +332,12 @@ Time to live maximum for negative responses, these have a SOA in the
 authority section that is limited in time.  Default is 3600.
 .TP
 .B infra\-host\-ttl: \fI<seconds>
-Time to live for entries in the host cache. The host cache contains 
+Time to live for entries in the host cache. The host cache contains
 roundtrip timing, lameness and EDNS support information. Default is 900.
 .TP
 .B infra\-cache\-slabs: \fI<number>
-Number of slabs in the infrastructure cache. Slabs reduce lock contention 
-by threads. Must be set to a power of 2. 
+Number of slabs in the infrastructure cache. Slabs reduce lock contention
+by threads. Must be set to a power of 2.
 .TP
 .B infra\-cache\-numhosts: \fI<number>
 Number of hosts for which information is cached. Default is 10000.
@@ -372,7 +373,7 @@ Enable or disable whether TCP queries are answered or issued. Default is yes.
 .TP
 .B tcp\-mss: \fI<number>
 Maximum segment size (MSS) of TCP socket on which the server responds
-to queries. Value lower than common MSS on Ethernet 
+to queries. Value lower than common MSS on Ethernet
 (1220 for example) will address path MTU problem.
 Note that not all platform supports socket option to set MSS (TCP_MAXSEG).
 Default is system default MSS determined by interface MTU and
@@ -393,7 +394,8 @@ Default is no.  Useful in tunneling scenarios.
 .B ssl\-upstream: \fI<yes or no>
 Enabled or disable whether the upstream queries use SSL only for transport.
 Default is no.  Useful in tunneling scenarios.  The SSL contains plain DNS in
-TCP wireformat.  The other server must support this (see \fBssl\-service\-key\fR).
+TCP wireformat.  The other server must support this (see
+\fBssl\-service\-key\fR).
 .TP
 .B ssl\-service-key: \fI<file>
 If enabled, the server provider SSL service on its TCP sockets.  The clients
@@ -423,37 +425,37 @@ a daemon.  Set the value to \fIno\fR when unbound runs as systemd service.
 Default is yes.
 .TP
 .B access\-control: \fI<IP netblock> <action>
-The netblock is given as an IP4 or IP6 address with /size appended for a 
-classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, 
+The netblock is given as an IP4 or IP6 address with /size appended for a
+classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
 \fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
 The most specific netblock match is used, if none match \fIdeny\fR is used.
 .IP
 The action \fIdeny\fR stops queries from hosts from that netblock.
 .IP
-The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED 
+The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
 error message back.
 .IP
-The action \fIallow\fR gives access to clients from that netblock.  
-It gives only access for recursion clients (which is 
+The action \fIallow\fR gives access to clients from that netblock.
+It gives only access for recursion clients (which is
 what almost all clients need).  Nonrecursive queries are refused.
 .IP
-The \fIallow\fR action does allow nonrecursive queries to access the 
+The \fIallow\fR action does allow nonrecursive queries to access the
 local\-data that is configured.  The reason is that this does not involve
-the unbound server recursive lookup algorithm, and static data is served 
-in the reply.  This supports normal operations where nonrecursive queries 
-are made for the authoritative data.  For nonrecursive queries any replies 
+the unbound server recursive lookup algorithm, and static data is served
+in the reply.  This supports normal operations where nonrecursive queries
+are made for the authoritative data.  For nonrecursive queries any replies
 from the dynamic cache are refused.
 .IP
-The action \fIallow_snoop\fR gives nonrecursive access too.  This give 
-both recursive and non recursive access.  The name \fIallow_snoop\fR refers 
+The action \fIallow_snoop\fR gives nonrecursive access too.  This give
+both recursive and non recursive access.  The name \fIallow_snoop\fR refers
 to cache snooping, a technique to use nonrecursive queries to examine
-the cache contents (for malicious acts).  However, nonrecursive queries can 
-also be a valuable debugging tool (when you want to examine the cache 
+the cache contents (for malicious acts).  However, nonrecursive queries can
+also be a valuable debugging tool (when you want to examine the cache
 contents). In that case use \fIallow_snoop\fR for your administration host.
 .IP
 By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
-The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS 
-protocol is not designed to handle dropped packets due to policy, and 
+The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
+protocol is not designed to handle dropped packets due to policy, and
 dropping may result in (possibly excessive) retried queries.
 .IP
 The deny_non_local and refuse_non_local settings are for hosts that are
@@ -485,8 +487,8 @@ Set view for given access control element.
 .B chroot: \fI<directory>
 If chroot is enabled, you should pass the configfile (from the
 commandline) as a full path from the original root. After the
-chroot has been performed the now defunct portion of the config 
-file path is removed to be able to reread the config after a reload. 
+chroot has been performed the now defunct portion of the config
+file path is removed to be able to reread the config after a reload.
 .IP
 All other file paths (working dir, logfile, roothints, and
 key files) can be specified in several ways:
@@ -497,22 +499,22 @@ In the last case the path is adjusted to remove the unused portion.
 .IP
 The pidfile can be either a relative path to the working directory, or
 an absolute path relative to the original root. It is written just prior
-to chroot and dropping permissions. This allows the pidfile to be 
+to chroot and dropping permissions. This allows the pidfile to be
 /var/run/unbound.pid and the chroot to be /var/unbound, for example.
 .IP
 Additionally, unbound may need to access /dev/random (for entropy)
 from inside the chroot.
 .IP
-If given a chroot is done to the given directory. The default is 
+If given a chroot is done to the given directory. The default is
 "@UNBOUND_CHROOT_DIR@". If you give "" no chroot is performed.
 .TP
 .B username: \fI<name>
 If given, after binding the port the user privileges are dropped. Default is
-"@UNBOUND_USERNAME@". If you give username: "" no user change is performed. 
+"@UNBOUND_USERNAME@". If you give username: "" no user change is performed.
 .IP
 If this user is not capable of binding the
 port, reloads (by signal HUP) will still retain the opened ports.
-If you change the port number in the config file, and that new port number 
+If you change the port number in the config file, and that new port number
 requires privileges, then a reload will fail; a restart is needed.
 .TP
 .B directory: \fI<directory>
@@ -524,17 +526,17 @@ then those includes can be relative to the working directory.
 .TP
 .B logfile: \fI<filename>
 If "" is given, logging goes to stderr, or nowhere once daemonized.
-The logfile is appended to, in the following format: 
+The logfile is appended to, in the following format:
 .nf
-[seconds since 1970] unbound[pid:tid]: type: message. 
+[seconds since 1970] unbound[pid:tid]: type: message.
 .fi
 If this option is given, the use\-syslog is option is set to "no".
-The logfile is reopened (for append) when the config file is reread, on 
+The logfile is reopened (for append) when the config file is reread, on
 SIGHUP.
 .TP
 .B use\-syslog: \fI<yes or no>
-Sets unbound to send log messages to the syslogd, using 
-\fIsyslog\fR(3). 
+Sets unbound to send log messages to the syslogd, using
+\fIsyslog\fR(3).
 The log facility LOG_DAEMON is used, with identity "unbound".
 The logfile setting is overridden when use\-syslog is turned on.
 The default is to log to syslog.
@@ -565,20 +567,20 @@ lines which makes the server (significantly) slower.  Odd (nonprintable)
 characters in names are printed as '?'.
 .TP
 .B pidfile: \fI<filename>
-The process id is written to the file. Default is "@UNBOUND_PIDFILE@". 
+The process id is written to the file. Default is "@UNBOUND_PIDFILE@".
 So,
 .nf
-kill \-HUP `cat @UNBOUND_PIDFILE@` 
+kill \-HUP `cat @UNBOUND_PIDFILE@`
 .fi
 triggers a reload,
 .nf
-kill \-TERM `cat @UNBOUND_PIDFILE@` 
+kill \-TERM `cat @UNBOUND_PIDFILE@`
 .fi
 gracefully terminates.
 .TP
 .B root\-hints: \fI<filename>
 Read the root hints from this file. Default is nothing, using builtin hints
-for the IN class. The file has the format of zone files, with root 
+for the IN class. The file has the format of zone files, with root
 nameserver names and addresses only. The default may become outdated,
 when servers change, therefore it is good practice to use a root\-hints file.
 .TP
@@ -602,22 +604,22 @@ If enabled trustanchor.unbound queries are refused.
 .B target\-fetch\-policy: \fI<"list of numbers">
 Set the target fetch policy used by unbound to determine if it should fetch
 nameserver target addresses opportunistically. The policy is described per
-dependency depth. 
+dependency depth.
 .IP
 The number of values determines the maximum dependency depth
-that unbound will pursue in answering a query.  
+that unbound will pursue in answering a query.
 A value of \-1 means to fetch all targets opportunistically for that dependency
 depth. A value of 0 means to fetch on demand only. A positive value fetches
-that many targets opportunistically. 
+that many targets opportunistically.
 .IP
 Enclose the list between quotes ("") and put spaces between numbers.
 The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour
-closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour 
+closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
 rumoured to be closer to that of BIND 8.
 .TP
 .B harden\-short\-bufsize: \fI<yes or no>
 Very small EDNS buffer sizes from queries are ignored. Default is off, since
-it is legal protocol wise to send these, and unbound tries to give very 
+it is legal protocol wise to send these, and unbound tries to give very
 small answers to these queries, where possible.
 .TP
 .B harden\-large\-queries: \fI<yes or no>
@@ -631,11 +633,11 @@ Will trust glue only if it is within the servers authority. Default is on.
 .B harden\-dnssec\-stripped: \fI<yes or no>
 Require DNSSEC data for trust\-anchored zones, if such data is absent,
 the zone becomes bogus. If turned off, and no DNSSEC data is received
-(or the DNSKEY data fails to validate), then the zone is made insecure, 
-this behaves like there is no trust anchor. You could turn this off if 
-you are sometimes behind an intrusive firewall (of some sort) that 
-removes DNSSEC data from packets, or a zone changes from signed to 
-unsigned to badly signed often. If turned off you run the risk of a 
+(or the DNSKEY data fails to validate), then the zone is made insecure,
+this behaves like there is no trust anchor. You could turn this off if
+you are sometimes behind an intrusive firewall (of some sort) that
+removes DNSSEC data from packets, or a zone changes from signed to
+unsigned to badly signed often. If turned off you run the risk of a
 downgrade attack that disables security for a zone. Default is on.
 .TP
 .B harden\-below\-nxdomain: \fI<yes or no>
@@ -653,7 +655,7 @@ The nxdomain must be secure, this means nsec3 with optout is insufficient.
 Harden the referral path by performing additional queries for
 infrastructure data.  Validates the replies if trust anchors are configured
 and the zones are signed.  This enforces DNSSEC validation on nameserver
-NS sets and the nameserver addresses that are encountered on the referral 
+NS sets and the nameserver addresses that are encountered on the referral
 path to the answer.
 Default off, because it burdens the authority servers, and it is
 not RFC standard, and could lead to performance problems because of the
@@ -670,9 +672,9 @@ this option off avoids that validation failure.
 .TP
 .B use\-caps\-for\-id: \fI<yes or no>
 Use 0x20\-encoded random bits in the query to foil spoof attempts.
-This perturbs the lowercase and uppercase of query names sent to 
-authority servers and checks if the reply still has the correct casing. 
-Disabled by default. 
+This perturbs the lowercase and uppercase of query names sent to
+authority servers and checks if the reply still has the correct casing.
+Disabled by default.
 This feature is an experimental implementation of draft dns\-0x20.
 .TP
 .B caps\-whitelist: \fI<domain>
@@ -683,7 +685,7 @@ Can be given multiple times, for different domains.
 .TP
 .B qname\-minimisation: \fI<yes or no>
 Send minimum amount of information to upstream servers to enhance privacy.
-Only sent minimum required labels of the QNAME and set QTYPE to NS when 
+Only sent minimum required labels of the QNAME and set QTYPE to NS when
 possible. Best effort approach; full QNAME and original QTYPE will be sent when
 upstream replies with a RCODE other than NOERROR, except when receiving
 NXDOMAIN from a DNSSEC signed zone. Default is off.
@@ -715,7 +717,7 @@ stops IPv4-mapped IPv6 addresses from bypassing the filter.
 .TP
 .B private\-domain: \fI<domain name>
 Allow this domain, and all its subdomains to contain private addresses.
-Give multiple times to allow multiple domain names to contain private 
+Give multiple times to allow multiple domain names to contain private
 addresses. Default is none.
 .TP
 .B unwanted\-reply\-threshold: \fI<number>
@@ -726,7 +728,7 @@ message caches, hopefully flushing away any poison.  A value of 10 million
 is suggested.  Default is 0 (turned off).
 .TP
 .B do\-not\-query\-address: \fI<IP address>
-Do not query the given IP address. Can be IP4 or IP6. Append /num to 
+Do not query the given IP address. Can be IP4 or IP6. Append /num to
 indicate a classless delegation netblock, for example like
 10.2.3.4/24 or 2001::11/64.
 .TP
@@ -793,17 +795,20 @@ A DS or DNSKEY RR for a key to use for validation. Multiple entries can be
 given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
 The resource record is entered in the same format as 'dig' or 'drill' prints
 them, the same format as in the zone file. Has to be on a single line, with
-"" around it. A TTL can be specified for ease of cut and paste, but is ignored. 
+"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
 A class can be specified, but class IN is default.
 .TP
 .B trusted\-keys\-file: \fI<filename>
 File with trusted keys for validation. Specify more than one file
 with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
-but has a different file format. Format is BIND\-9 style format, 
+but has a different file format. Format is BIND\-9 style format,
 the trusted\-keys { name flag proto algo "key"; }; clauses are read.
 It is possible to use wildcards with this statement, the wildcard is
 expanded on start and on reload.
 .TP
+.B trust\-anchor\-signaling: \fI<yes or no>
+Send RFC8145 key tag query after trust anchor priming. Default is off.
+.TP
 .B dlv\-anchor\-file: \fI<filename>
 This option was used during early days DNSSEC deployment when no parent-side
 DS record registrations were easily available.  Nowadays, it is best to have
@@ -811,9 +816,9 @@ DS records registered with the parent zone (many top level zones are signed).
 File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
 DNSKEY entries can be used in the file, in the same format as for
 \fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
-would be slow. The DLV configured is used as a root trusted DLV, this 
-means that it is a lookaside for the root. Default is "", or no dlv anchor file.
-DLV is going to be decommissioned.  Please do not use it any more.
+would be slow. The DLV configured is used as a root trusted DLV, this
+means that it is a lookaside for the root. Default is "", or no dlv anchor
+file. DLV is going to be decommissioned.  Please do not use it any more.
 .TP
 .B dlv\-anchor: \fI<"Resource Record">
 Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
@@ -825,17 +830,17 @@ the domain name.  So a trust anchor above the domain name can not make the
 domain secure with a DS record, such a DS record is then ignored.
 Also keys from DLV are ignored for the domain.  Can be given multiple times
 to specify multiple domains that are treated as if unsigned.  If you set
-trust anchors for the domain they override this setting (and the domain 
+trust anchors for the domain they override this setting (and the domain
 is secured).
 .IP
 This can be useful if you want to make sure a trust anchor for external
-lookups does not affect an (unsigned) internal domain.  A DS record 
+lookups does not affect an (unsigned) internal domain.  A DS record
 externally can create validation failures for that internal domain.
 .TP
 .B val\-override\-date: \fI<rrsig\-style date spec>
 Default is "" or "0", which disables this debugging feature. If enabled by
 giving a RRSIG style date, that date is used for verifying RRSIG inception
-and expiration dates, instead of the current date. Do not set this unless 
+and expiration dates, instead of the current date. Do not set this unless
 you are debugging signature inception and expiration. The value \-1 ignores
 the date altogether, useful for some special applications.
 .TP
@@ -865,7 +870,7 @@ The time interval prevents repeated revalidation of bogus data.
 Instruct the validator to remove data from the additional section of secure
 messages that are not signed properly. Messages that are insecure, bogus,
 indeterminate or unchecked are not affected. Default is yes. Use this setting
-to protect the users that rely on this validator for authentication from 
+to protect the users that rely on this validator for authentication from
 potentially bad data in the additional section.
 .TP
 .B val\-log\-level: \fI<number>
@@ -880,10 +885,10 @@ it was wrong and which server sent the faulty data.
 .B val\-permissive\-mode: \fI<yes or no>
 Instruct the validator to mark bogus messages as indeterminate. The security
 checks are performed, but if the result is bogus (failed security), the
-reply is not withheld from the client with SERVFAIL as usual. The client 
-receives the bogus data. For messages that are found to be secure the AD bit 
+reply is not withheld from the client with SERVFAIL as usual. The client
+receives the bogus data. For messages that are found to be secure the AD bit
 is set in replies. Also logging is performed as for full validation.
-The default value is "no". 
+The default value is "no".
 .TP
 .B ignore\-cd\-flag: \fI<yes or no>
 Instruct unbound to ignore the CD flag from clients and refuse to
@@ -903,7 +908,7 @@ List of keysize and iteration count values, separated by spaces, surrounded
 by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
 maximum allowed NSEC3 iteration count before a message is simply marked
 insecure instead of performing the many hashing iterations. The list must
-be in ascending order and have at least one entry. If you set it to 
+be in ascending order and have at least one entry. If you set it to
 "1024 65535" there is no restriction to NSEC3 iteration values.
 This table must be kept short; a very long list could cause slower operation.
 .TP
@@ -938,7 +943,7 @@ or gigabytes (1024*1024 bytes in a megabyte).
 .TP
 .B key\-cache\-slabs: \fI<number>
 Number of slabs in the key cache. Slabs reduce lock contention by threads.
-Must be set to a power of 2. Setting (close) to the number of cpus is a 
+Must be set to a power of 2. Setting (close) to the number of cpus is a
 reasonable guess.
 .TP
 .B neg\-cache\-size: \fI<number>
@@ -989,7 +994,7 @@ Otherwise, the query is answered with nodata or nxdomain.
 For a negative answer a SOA is included in the answer if present
 as local\-data for the zone apex domain.
 .TP 10
-\h'5'\fItransparent\fR 
+\h'5'\fItransparent\fR
 If there is a match from local data, the query is answered.
 Otherwise if the query has a different name, the query is resolved normally.
 If the query is for a name given in localdata but no such type of data is
@@ -997,49 +1002,49 @@ given in localdata, then a noerror nodata answer is returned.
 If no local\-zone is given local\-data causes a transparent zone
 to be created by default.
 .TP 10
-\h'5'\fItypetransparent\fR 
+\h'5'\fItypetransparent\fR
 If there is a match from local data, the query is answered.  If the query
 is for a different name, or for the same name but for a different type,
 the query is resolved normally.  So, similar to transparent but types
 that are not listed in local data are resolved normally, so if an A record
 is in the local data that does not cause a nodata reply for AAAA queries.
 .TP 10
-\h'5'\fIredirect\fR 
+\h'5'\fIredirect\fR
 The query is answered from the local data for the zone name.
 There may be no local data beneath the zone name.
 This answers queries for the zone, and all subdomains of the zone
 with the local data for the zone.
 It can be used to redirect a domain to return a different address record
-to the end user, with 
-local\-zone: "example.com." redirect and 
+to the end user, with
+local\-zone: "example.com." redirect and
 local\-data: "example.com. A 127.0.0.1"
 queries for www.example.com and www.foo.example.com are redirected, so
 that users with web browsers cannot access sites with suffix example.com.
 .TP 10
-\h'5'\fIinform\fR 
+\h'5'\fIinform\fR
 The query is answered normally, same as transparent.  The client IP
 address (@portnumber) is printed to the logfile.  The log message is:
 timestamp, unbound-pid, info: zonename inform IP@port queryname type
 class.  This option can be used for normal resolution, but machines
 looking up infected names are logged, eg. to run antivirus on them.
 .TP 10
-\h'5'\fIinform_deny\fR 
+\h'5'\fIinform_deny\fR
 The query is dropped, like 'deny', and logged, like 'inform'.  Ie. find
 infected machines without answering the queries.
 .TP 10
-\h'5'\fIalways_transparent\fR 
+\h'5'\fIalways_transparent\fR
 Like transparent, but ignores local data and resolves normally.
 .TP 10
-\h'5'\fIalways_refuse\fR 
+\h'5'\fIalways_refuse\fR
 Like refuse, but ignores local data and refuses the query.
 .TP 10
-\h'5'\fIalways_nxdomain\fR 
+\h'5'\fIalways_nxdomain\fR
 Like static, but ignores local data and returns nxdomain for the query.
 .TP 10
-\h'5'\fInodefault\fR 
+\h'5'\fInodefault\fR
 Used to turn off default contents for AS112 zones. The other types
-also turn off default contents for the zone. The 'nodefault' option 
-has no other effect than turning off default contents for the 
+also turn off default contents for the zone. The 'nodefault' option
+has no other effect than turning off default contents for the
 given zone.  Use \fInodefault\fR if you use exactly that zone, if you want to
 use a subzone, use \fItransparent\fR.
 .P
@@ -1048,71 +1053,71 @@ the AS112 zones. The AS112 zones are reverse DNS zones for private use and
 reserved IP addresses for which the servers on the internet cannot provide
 correct answers. They are configured by default to give nxdomain (no reverse
 information) answers. The defaults can be turned off by specifying your
-own local\-zone of that name, or using the 'nodefault' type. Below is a 
+own local\-zone of that name, or using the 'nodefault' type. Below is a
 list of the default zone contents.
 .TP 10
-\h'5'\fIlocalhost\fR 
+\h'5'\fIlocalhost\fR
 The IP4 and IP6 localhost information is given. NS and SOA records are provided
 for completeness and to satisfy some DNS update tools. Default content:
 .nf
 local\-zone: "localhost." static
 local\-data: "localhost. 10800 IN NS localhost."
-local\-data: "localhost. 10800 IN 
+local\-data: "localhost. 10800 IN
     SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
 local\-data: "localhost. 10800 IN A 127.0.0.1"
 local\-data: "localhost. 10800 IN AAAA ::1"
 .fi
 .TP 10
-\h'5'\fIreverse IPv4 loopback\fR 
+\h'5'\fIreverse IPv4 loopback\fR
 Default content:
 .nf
 local\-zone: "127.in\-addr.arpa." static
 local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
-local\-data: "127.in\-addr.arpa. 10800 IN 
+local\-data: "127.in\-addr.arpa. 10800 IN
     SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
-local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN 
+local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
     PTR localhost."
 .fi
 .TP 10
-\h'5'\fIreverse IPv6 loopback\fR 
+\h'5'\fIreverse IPv6 loopback\fR
 Default content:
 .nf
 local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
     0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
-    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN 
+    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
     NS localhost."
 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
-    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN 
+    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
     SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
 local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
-    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN 
+    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
     PTR localhost."
 .fi
 .TP 10
-\h'5'\fIonion (RFC 7686)\fR 
+\h'5'\fIonion (RFC 7686)\fR
 Default content:
 .nf
 local\-zone: "onion." static
 local\-data: "onion. 10800 IN NS localhost."
-local\-data: "onion. 10800 IN 
+local\-data: "onion. 10800 IN
     SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
 .fi
 .TP 10
-\h'5'\fIreverse RFC1918 local use zones\fR 
-Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to 
+\h'5'\fIreverse RFC1918 local use zones\fR
+Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
 31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
-The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS 
+The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
 records are provided.
 .TP 10
-\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR 
-Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa, 
+\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
+Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
 2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
 113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
 And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
 .TP 10
 \h'5'\fIreverse RFC4291 IP6 unspecified\fR
-Reverse data for zone 
+Reverse data for zone
 .nf
 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
@@ -1137,11 +1142,11 @@ This also works with the other default zones.
 .TP 5
 .B local\-data: \fI"<resource record string>"
 Configure local data, which is served in reply to queries for it.
-The query has to match exactly unless you configure the local\-zone as 
+The query has to match exactly unless you configure the local\-zone as
 redirect. If not matched exactly, the local\-zone type determines
 further processing. If local\-data is configured that is not a subdomain of
-a local\-zone, a transparent local\-zone is configured. 
-For record types such as TXT, use single quotes, as in 
+a local\-zone, a transparent local\-zone is configured.
+For record types such as TXT, use single quotes, as in
 local\-data: 'example. TXT "text"'.
 .IP
 If you need more complicated authoritative data, with referrals, wildcards,
@@ -1160,7 +1165,7 @@ used access-control element has a matching tag. Tags must be defined in
 tags.
 .TP 5
 .B local\-zone\-override: \fI<zone> <IP netblock> <type>
-Override the localzone type for queries from addresses matching netblock. 
+Override the localzone type for queries from addresses matching netblock.
 Use this localzone type, regardless the type configured for the local-zone
 (both tagged and untagged) and regardless the type configured using
 access\-control\-tag\-action.
@@ -1197,18 +1202,20 @@ This can make ordinary queries complete (if repeatedly queried for),
 and enter the cache, whilst also mitigating the traffic flow by the
 factor given.
 .TP 5
-.B ratelimit\-for\-domain: \fI<domain> <number qps>
+.B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
 Override the global ratelimit for an exact match domain name with the listed
 number.  You can give this for any number of names.  For example, for
 a top\-level\-domain you may want to have a higher limit than other names.
+A value of 0 will disable ratelimiting for that domain.
 .TP 5
-.B ratelimit\-below\-domain: \fI<domain> <number qps>
+.B ratelimit\-below\-domain: \fI<domain> <number qps or 0>
 Override the global ratelimit for a domain name that ends in this name.
 You can give this multiple times, it then describes different settings
 in different parts of the namespace.  The closest matching suffix is used
 to determine the qps limit.  The rate for the exact matching domain name
 is not changed, use ratelimit\-for\-domain to set that, you might want
 to use different settings for a top\-level\-domain and subdomains.
+A value of 0 will disable ratelimiting for domain names that end in this name.
 .TP 5
 .B ip\-ratelimit: \fI<number or 0>
 Enable global ratelimiting of queries accepted per ip address.
@@ -1304,21 +1311,21 @@ the recursive processing itself for stub zones.
 .P
 The stub zone can be used to configure authoritative data to be used
 by the resolver that cannot be accessed using the public internet servers.
-This is useful for company\-local data or private zones. Setup an 
-authoritative server on a different host (or different port). Enter a config 
-entry for unbound with 
+This is useful for company\-local data or private zones. Setup an
+authoritative server on a different host (or different port). Enter a config
+entry for unbound with
 .B stub\-addr:
-<ip address of host[@port]>. 
-The unbound resolver can then access the data, without referring to the 
-public internet for it. 
+<ip address of host[@port]>.
+The unbound resolver can then access the data, without referring to the
+public internet for it.
 .P
-This setup allows DNSSEC signed zones to be served by that 
+This setup allows DNSSEC signed zones to be served by that
 authoritative server, in which case a trusted key entry with the public key
-can be put in config, so that unbound can validate the data and set the AD 
-bit on replies for the private zone (authoritative servers do not set the 
-AD bit).  This setup makes unbound capable of answering queries for the 
-private zone, and can even set the AD bit ('authentic'), but the AA 
-('authoritative') bit is not set on these replies. 
+can be put in config, so that unbound can validate the data and set the AD
+bit on replies for the private zone (authoritative servers do not set the
+AD bit).  This setup makes unbound capable of answering queries for the
+private zone, and can even set the AD bit ('authentic'), but the AA
+('authoritative') bit is not set on these replies.
 .P
 Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
 for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
@@ -1337,8 +1344,8 @@ IP address of stub zone nameserver. Can be IP 4 or IP 6.
 To use a nondefault port for DNS communication append '@' with the port number.
 .TP
 .B stub\-prime: \fI<yes or no>
-This option is by default off.  If enabled it performs NS set priming, 
-which is similar to root hints, where it starts using the list of nameservers 
+This option is by default off.  If enabled it performs NS set priming,
+which is similar to root hints, where it starts using the list of nameservers
 currently published by the zone.  Thus, if the hint list is slightly outdated,
 the resolver picks up a correct list online.
 .TP
@@ -1390,10 +1397,10 @@ Default is no.
 There may be multiple
 .B view:
 clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
-\fBlocal\-data\fR elements. View can be mapped to requests by specifying the view
-name in an \fBaccess\-control\-view\fR element. Options from matching views will
-override global options. Global options will be used if no matching view
-is found.
+\fBlocal\-data\fR elements. View can be mapped to requests by specifying the
+view name in an \fBaccess\-control\-view\fR element. Options from matching
+views will override global options. Global options will be used if no matching
+view is found, or when the matching view does not have the option specified.
 .TP
 .B name: \fI<view name>
 Name of the view. Must be unique. This name is used in access\-control\-view
@@ -1401,7 +1408,11 @@ elements.
 .TP
 .B local\-zone: \fI<zone> <type>
 View specific local\-zone elements. Has the same types and behaviour as the
-global local\-zone elements.
+global local\-zone elements. When there is at least one local\-zone specified
+and view\-first is no, the default local-zones will be added to this view.
+Defaults can be disabled using the nodefault type. When view\-first is yes or
+when a view does not have a local\-zone, the global local\-zone will be used
+including it's default zones.
 .TP
 .B local\-data: \fI"<resource record string>"
 View specific local\-data elements. Has the same behaviour as the global
@@ -1454,7 +1465,8 @@ clause give the settings of the dnscrypt channel. While those options are
 available, they are only meaningful if unbound was compiled with
 \fB\-\-enable\-dnscrypt\fR.
 Currently certificate and secret/public keys cannot be generated by unbound.
-You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
+You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
+dnscrypt-wrapper/blob/master/README.md#usage
 .TP
 .B dnscrypt\-enable: \fI<yes or no>\fR
 Whether or not the \fBdnscrypt\fR config should be enabled. You may define
@@ -1475,23 +1487,24 @@ Path to the time limited secret key file. This option may be specified multiple
 times.
 .TP
 .B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
-Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option
-may be specified multiple times.
+Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
+This option may be specified multiple times.
 .SS "EDNS Client Subnet Module Options"
 .LP
 The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
 validator iterator" directive and be compiled into the daemon to be
 enabled.  These settings go in the \fBserver:\fR section.
 .LP
-If the destination address is whitelisted with Unbound will add the EDNS0 option
-to the query containing the relevant part of the client's address. When an
-answer contains the ECS option the response and the option are placed in a
-specialized cache. If the authority indicated no support, the response is stored
-in the regular cache.
+If the destination address is whitelisted with Unbound will add the EDNS0
+option to the query containing the relevant part of the client's address. When
+an answer contains the ECS option the response and the option are placed in a
+specialized cache. If the authority indicated no support, the response is
+stored in the regular cache.
 .LP
 Additionally, when a client includes the option in its queries, Unbound will
-forward the option to the authority regardless of the authorities presence in
-the whitelist. In this case the lookup in the regular cache is skipped.
+forward the option to the authority if prensent in the whitelist, or
+\fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
+the regular cache is skipped.
 .LP
 The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
 configuration file. On top of that, for each query only 100 different subnets
@@ -1502,7 +1515,12 @@ entries will be purged from cache.
 Send client source address to this authority. Append /num to indicate a
 classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. Can
 be given multiple times. Authorities not listed will not receive edns-subnet
-information.
+information, unless domain in query is specified in \fBclient\-subnet\-zone\fR.
+.TP
+.B client\-subnet\-zone: \fI<domain>\fR
+Send client source address in queries for this domain and its subdomains. Can be
+given multiple times. Zones not listed will not receive edns-subnet information,
+unless hosted by authority specified in \fBsend\-client\-subnet\fR.
 .TP
 .B client\-subnet\-always\-forward: \fI<yes or no>\fR
 Specify whether the ECS whitelist check (configured using
@@ -1519,6 +1537,72 @@ to expose to third parties for IPv6.  Defaults to 56.
 .B max\-client\-subnet\-ipv4: \fI<number>\fR
 Specifies the maximum prefix length of the client source address we are willing
 to expose to third parties for IPv4. Defaults to 24.
+.SS "Opportunistic IPsec Support Module Options"
+.LP
+The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
+validator iterator" directive and be compiled into the daemon to be
+enabled.  These settings go in the \fBserver:\fR section.
+.LP
+When unbound receives an A/AAAA query that is not in the cache and finds a
+valid answer, it will withhold returning the answer and instead will generate
+an IPSECKEY subquery for the same domain name.  If an answer was found, unbound
+will call an external hook passing the following arguments:
+.TP 10
+\h'5'\fIQNAME\fR
+Domain name of the A/AAAA and IPSECKEY query.  In string format.
+.TP 10
+\h'5'\fIIPSECKEY TTL\fR
+TTL of the IPSECKEY RRset.
+.TP 10
+\h'5'\fIA/AAAA\fR
+String of space separated IP addresses present in the A/AAAA RRset.  The IP
+addresses are in string format.
+.TP 10
+\h'5'\fIIPSECKEY\fR
+String of space separated IPSECKEY RDATA present in the IPSECKEY RRset.  The
+IPSECKEY RDATA are in DNS presentation format.
+.LP
+The A/AAAA answer is then cached and returned to the client.  If the external
+hook was called the TTL changes to ensure it doesn't surpass
+\fBipsecmod-max-ttl\fR.
+.LP
+The same procedure is also followed when \fBprefetch:\fR is used, but the
+A/AAAA answer is given to the client before the hook is called.
+\fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
+relevant for opportunistic IPsec.
+.TP
+.B ipsecmod-enabled: \fI<yes or no>\fR
+Specifies whether the IPsec module is enabled or not.  The IPsec module still
+needs to be defined in the \fBmodule\-config:\fR directive.  This option
+facilitates turning on/off the module without restarting/reloading unbound.
+Defaults to yes.
+.TP
+.B ipsecmod\-hook: \fI<filename>\fR
+Specifies the external hook that unbound will call with \fIsystem\fR(3).  The
+file can be specified as an absolute/relative path.  The file needs the proper
+permissions to be able to be executed by the same user that runs unbound.  It
+must be present when the IPsec module is defined in the \fBmodule\-config:\fR
+directive.
+.TP
+.B ipsecmod-strict: \fI<yes or no>\fR
+If enabled unbound requires the external hook to return a success value of 0.
+Failing to do so unbound will reply with SERVFAIL.  The A/AAAA answer will also
+not be cached.  Defaults to no.
+.TP
+.B ipsecmod\-max-ttl: \fI<seconds>\fR
+Time to live maximum for A/AAAA cached records after calling the external hook.
+Defaults to 3600.
+.TP
+.B ipsecmod-ignore-bogus: \fI<yes or no>\fR
+Specifies the behaviour of unbound when the IPSECKEY answer is bogus.  If set
+to yes, the hook will be called and the A/AAAA answer will be returned to the
+client.  If set to no, the hook will not be called and the answer to the
+A/AAAA query will be SERVFAIL.  Mainly used for testing.  Defaults to no.
+.TP
+.B ipsecmod\-whitelist: \fI<domain>\fR
+Whitelist the domain so that the module logic will be executed.  Can
+be given multiple times, for different domains.  If the option is not
+specified, all domains are treated as being whitelisted (default).
 .SH "MEMORY CONTROL EXAMPLE"
 In the example config settings below memory usage is reduced. Some service
 levels are lower, notable very large data and a high TCP load are no longer
@@ -1526,7 +1610,7 @@ supported. Very large data and high TCP loads are exceptional for the DNS.
 DNSSEC validation is enabled, just add trust anchors.
 If you do not have to worry about programs using more than 3 Mb of memory,
 the below example is not for you. Use the defaults to receive full service,
-which on BSD\-32bit tops out at 30\-40 Mb after heavy usage. 
+which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
 .P
 .nf
 # example settings that reduce memory usage
@@ -1567,12 +1651,12 @@ unbound configuration file.
 default unbound pidfile with process ID of the running daemon.
 .TP
 .I unbound.log
-unbound log file. default is to log to 
-\fIsyslog\fR(3). 
+unbound log file. default is to log to
+\fIsyslog\fR(3).
 .SH "SEE ALSO"
-\fIunbound\fR(8), 
+\fIunbound\fR(8),
 \fIunbound\-checkconf\fR(8).
 .SH "AUTHORS"
-.B Unbound 
+.B Unbound
 was written by NLnet Labs. Please see CREDITS file
 in the distribution for further details.

edns-subnet/addrtree.c

@@ -302,6 +302,7 @@ static int
 getbit(const addrkey_t *addr, addrlen_t addrlen, addrlen_t n)
 {
 	log_assert(addrlen > n);
+	(void)addrlen;
 	return (int)(addr[n/KEYWIDTH]>>((KEYWIDTH-1)-(n%KEYWIDTH))) & 1;
 }
 

edns-subnet/subnet-whitelist.c

@@ -50,42 +50,44 @@
 #include "util/config_file.h"
 #include "util/net_help.h"
 #include "util/storage/dnstree.h"
+#include "sldns/str2wire.h"
+#include "util/data/dname.h"
 
-struct ednssubnet_upstream* 
-upstream_create(void)
+struct ecs_whitelist* 
+ecs_whitelist_create(void)
 {
-	struct ednssubnet_upstream* upstream = 
-		(struct ednssubnet_upstream*)calloc(1,
-		sizeof(struct ednssubnet_upstream));
-	if(!upstream)
+	struct ecs_whitelist* whitelist = 
+		(struct ecs_whitelist*)calloc(1,
+		sizeof(struct ecs_whitelist));
+	if(!whitelist)
 		return NULL;
-	upstream->region = regional_create();
-	if(!upstream->region) {
-		upstream_delete(upstream);
+	whitelist->region = regional_create();
+	if(!whitelist->region) {
+		ecs_whitelist_delete(whitelist);
 		return NULL;
 	}
-	return upstream;
+	return whitelist;
 }
 
 void 
-upstream_delete(struct ednssubnet_upstream* upstream)
+ecs_whitelist_delete(struct ecs_whitelist* whitelist)
 {
-	if(!upstream) 
+	if(!whitelist) 
 		return;
-	regional_destroy(upstream->region);
-	free(upstream);
+	regional_destroy(whitelist->region);
+	free(whitelist);
 }
 
-/** insert new address into upstream structure */
+/** insert new address into whitelist structure */
 static int
-upstream_insert(struct ednssubnet_upstream* upstream, 
+upstream_insert(struct ecs_whitelist* whitelist, 
 	struct sockaddr_storage* addr, socklen_t addrlen, int net)
 {
 	struct addr_tree_node* node = (struct addr_tree_node*)regional_alloc(
-		upstream->region, sizeof(*node));
+		whitelist->region, sizeof(*node));
 	if(!node)
 		return 0;
-	if(!addr_tree_insert(&upstream->tree, node, addr, addrlen, net)) {
+	if(!addr_tree_insert(&whitelist->upstream, node, addr, addrlen, net)) {
 		verbose(VERB_QUERY,
 			"duplicate send-client-subnet address ignored.");
 	}
@@ -94,7 +96,7 @@ upstream_insert(struct ednssubnet_upstream* upstream,
 
 /** apply edns-subnet string */
 static int
-upstream_str_cfg(struct ednssubnet_upstream* upstream, const char* str)
+upstream_str_cfg(struct ecs_whitelist* whitelist, const char* str)
 {
 	struct sockaddr_storage addr;
 	int net;
@@ -104,7 +106,7 @@ upstream_str_cfg(struct ednssubnet_upstream* upstream, const char* str)
 		log_err("cannot parse send-client-subnet netblock: %s", str);
 		return 0;
 	}
-	if(!upstream_insert(upstream, &addr, addrlen, net)) {
+	if(!upstream_insert(whitelist, &addr, addrlen, net)) {
 		log_err("out of memory");
 		return 0;
 	}
@@ -113,41 +115,93 @@ upstream_str_cfg(struct ednssubnet_upstream* upstream, const char* str)
 
 /** read client_subnet config */
 static int 
-read_upstream(struct ednssubnet_upstream* upstream, struct config_file* cfg)
+read_upstream(struct ecs_whitelist* whitelist, struct config_file* cfg)
 {
 	struct config_strlist* p;
 	for(p = cfg->client_subnet; p; p = p->next) {
 		log_assert(p->str);
-		if(!upstream_str_cfg(upstream, p->str))
+		if(!upstream_str_cfg(whitelist, p->str))
 			return 0;
 	}
 	return 1;
 }
 
-int 
-upstream_apply_cfg(struct ednssubnet_upstream* upstream,
-	struct config_file* cfg)
+/** read client_subnet_zone config */
+static int 
+read_names(struct ecs_whitelist* whitelist, struct config_file* cfg)
 {
-	regional_free_all(upstream->region);
-	addr_tree_init(&upstream->tree);
-	if(!read_upstream(upstream, cfg))
-		return 0;
-	addr_tree_init_parents(&upstream->tree);
+	/* parse names, report errors, insert into tree */
+	struct config_strlist* p;
+	struct name_tree_node* n;
+	uint8_t* nm, *nmr;
+	size_t nm_len;
+	int nm_labs;
+
+	for(p = cfg->client_subnet_zone; p; p = p->next) {
+		log_assert(p->str);
+		nm = sldns_str2wire_dname(p->str, &nm_len);
+		if(!nm) {
+			log_err("cannot parse client-subnet-zone: %s", p->str);
+			return 0;
+		}
+		nm_labs = dname_count_size_labels(nm, &nm_len);
+		nmr = (uint8_t*)regional_alloc_init(whitelist->region, nm,
+			nm_len);
+		free(nm);
+		if(!nmr) {
+			log_err("out of memory");
+			return 0;
+		}
+		n = (struct name_tree_node*)regional_alloc(whitelist->region,
+			sizeof(*n));
+		if(!n) {
+			log_err("out of memory");
+			return 0;
+		}
+		if(!name_tree_insert(&whitelist->dname, n, nmr, nm_len, nm_labs,
+			LDNS_RR_CLASS_IN)) {
+			verbose(VERB_QUERY, "ignoring duplicate "
+				"client-subnet-zone: %s", p->str);
+		}
+	}
 	return 1;
 }
 
 int 
-upstream_is_whitelisted(struct ednssubnet_upstream* upstream,
-	struct sockaddr_storage* addr, socklen_t addrlen)
+ecs_whitelist_apply_cfg(struct ecs_whitelist* whitelist,
+	struct config_file* cfg)
 {
-	return addr_tree_lookup(&upstream->tree, addr, addrlen) != NULL;
+	regional_free_all(whitelist->region);
+	addr_tree_init(&whitelist->upstream);
+	name_tree_init(&whitelist->dname);
+	if(!read_upstream(whitelist, cfg))
+		return 0;
+	if(!read_names(whitelist, cfg))
+		return 0;
+	addr_tree_init_parents(&whitelist->upstream);
+	name_tree_init_parents(&whitelist->dname);
+	return 1;
+}
+
+int 
+ecs_is_whitelisted(struct ecs_whitelist* whitelist,
+	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* qname,
+	size_t qname_len, uint16_t qclass)
+{
+	int labs;
+	if(addr_tree_lookup(&whitelist->upstream, addr, addrlen))
+		return 1;
+	/* Not in upstream whitelist, check dname whitelist. */
+	labs = dname_count_labels(qname);
+	return name_tree_lookup(&whitelist->dname, qname, qname_len, labs,
+		qclass) != NULL;
 }
 
 size_t 
-upstream_get_mem(struct ednssubnet_upstream* upstream)
+ecs_whitelist_get_mem(struct ecs_whitelist* whitelist)
 {
-	if(!upstream) return 0;
-	return sizeof(*upstream) + regional_get_mem(upstream->region);
+	if(!whitelist) return 0;
+	return sizeof(*whitelist) + regional_get_mem(whitelist->region);
 }
 
 #endif /* CLIENT_SUBNET */

edns-subnet/subnet-whitelist.h

@@ -36,8 +36,8 @@
 /**
  * \file
  *
- * Keep track of the white listed servers for subnet option. Based
- * on acl_list.c|h
+ * Keep track of the white listed servers and domain names for subnet option.
+ * Based on acl_list.c|h
  */
 
 #ifndef EDNSSUBNET_WHITELIST_H
@@ -48,9 +48,9 @@ struct config_file;
 struct regional;
 
 /**
- * ednssubnet_upstream structure
+ * ecs_whitelist structure
  */
-struct ednssubnet_upstream {
+struct ecs_whitelist {
 	/** regional for allocation */
 	struct regional* region;
 	/** 
@@ -58,45 +58,54 @@ struct ednssubnet_upstream {
 	 * contents of type addr_tree_node. Each node is an address span 
 	 * Unbound will append subnet option for.
 	 */
-	rbtree_type tree;
+	rbtree_type upstream;
+	/**
+	 * Tree of domain names for which Unbound will append an ECS option.
+	 * rbtree of struct name_tree_node.
+	 */
+	rbtree_type dname;
 };
 
 /**
- * Create ednssubnet_upstream structure 
+ * Create ecs_whitelist structure 
  * @return new structure or NULL on error.
  */
-struct ednssubnet_upstream* upstream_create(void);
+struct ecs_whitelist* ecs_whitelist_create(void);
 
 /**
- * Delete ednssubnet_upstream structure.
- * @param upstream: to delete.
+ * Delete ecs_whitelist structure.
+ * @param whitelist: to delete.
  */
-void upstream_delete(struct ednssubnet_upstream* upstream);
+void ecs_whitelist_delete(struct ecs_whitelist* whitelist);
 
 /**
- * Process ednssubnet_upstream config.
- * @param upstream: where to store.
+ * Process ecs_whitelist config.
+ * @param whitelist: where to store.
  * @param cfg: config options.
  * @return 0 on error.
  */
-int upstream_apply_cfg(struct ednssubnet_upstream* upstream,
+int ecs_whitelist_apply_cfg(struct ecs_whitelist* whitelist,
 	struct config_file* cfg);
 
 /**
- * See if an address is whitelisted.
- * @param upstream: structure for address storage.
+ * See if an address or domain is whitelisted.
+ * @param whitelist: structure for address storage.
  * @param addr: address to check
  * @param addrlen: length of addr.
+ * @param qname: dname in query
+ * @param qname_len: length of dname
+ * @param qclass: class in query
  * @return: true if the address is whitelisted for subnet option. 
  */
-int upstream_is_whitelisted(struct ednssubnet_upstream* upstream,
-	struct sockaddr_storage* addr, socklen_t addrlen);
+int ecs_is_whitelisted(struct ecs_whitelist* whitelist,
+	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* qname,
+	size_t qname_len, uint16_t qclass);
 
 /**
- * Get memory used by ednssubnet_upstream structure.
- * @param upstream: structure for address storage.
+ * Get memory used by ecs_whitelist structure.
+ * @param whitelist: structure for address storage.
  * @return bytes in use.
  */
-size_t upstream_get_mem(struct ednssubnet_upstream* upstream);
+size_t ecs_whitelist_get_mem(struct ecs_whitelist* whitelist);
 
 #endif /* EDNSSUBNET_WHITELIST_H */

edns-subnet/subnetmod.c

@@ -135,7 +135,7 @@ ecs_opt_list_append(struct ecs_data* ecs, struct edns_option** list,
 	}
 }
 
-int ecs_whitelist_check(struct query_info* ATTR_UNUSED(qinfo),
+int ecs_whitelist_check(struct query_info* qinfo,
 	uint16_t ATTR_UNUSED(flags), struct module_qstate* qstate,
 	struct sockaddr_storage* addr, socklen_t addrlen,
 	uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen),
@@ -154,8 +154,9 @@ int ecs_whitelist_check(struct query_info* ATTR_UNUSED(qinfo),
 
 	if(sq->ecs_server_out.subnet_validdata && ((sq->subnet_downstream &&
 		qstate->env->cfg->client_subnet_always_forward) ||
-		upstream_is_whitelisted(sn_env->edns_subnet_upstreams, 
-		addr, addrlen))) {
+		ecs_is_whitelisted(sn_env->whitelist, 
+		addr, addrlen, qinfo->qname, qinfo->qname_len,
+		qinfo->qclass))) {
 		/* Address on whitelist or client query contains ECS option, we
 		 * want to sent out ECS. Only add option if it is not already
 		 * set. */
@@ -199,9 +200,9 @@ subnetmod_init(struct module_env *env, int id)
 		return 0;
 	}
 	/* whitelist for edns subnet capable servers */
-	sn_env->edns_subnet_upstreams = upstream_create();
-	if(!sn_env->edns_subnet_upstreams ||
-		!upstream_apply_cfg(sn_env->edns_subnet_upstreams, env->cfg)) {
+	sn_env->whitelist = ecs_whitelist_create();
+	if(!sn_env->whitelist ||
+		!ecs_whitelist_apply_cfg(sn_env->whitelist, env->cfg)) {
 		log_err("subnet: could not create ECS whitelist");
 		slabhash_delete(sn_env->subnet_msg_cache);
 		free(sn_env);
@@ -217,7 +218,7 @@ subnetmod_init(struct module_env *env, int id)
 		env->cfg->client_subnet_always_forward /* bypass cache */,
 		0 /* no aggregation */, env)) {
 		log_err("subnet: could not register opcode");
-		upstream_delete(sn_env->edns_subnet_upstreams);
+		ecs_whitelist_delete(sn_env->whitelist);
 		slabhash_delete(sn_env->subnet_msg_cache);
 		free(sn_env);
 		env->modinfo[id] = NULL;
@@ -243,7 +244,8 @@ subnetmod_deinit(struct module_env *env, int id)
 	lock_rw_destroy(&sn_env->biglock);
 	inplace_cb_delete(env, inplace_cb_edns_back_parsed, id);
 	inplace_cb_delete(env, inplace_cb_query, id);
-	upstream_delete(sn_env->edns_subnet_upstreams);
+	inplace_cb_delete(env, inplace_cb_query_response, id);
+	ecs_whitelist_delete(sn_env->whitelist);
 	slabhash_delete(sn_env->subnet_msg_cache);
 	alloc_clear(&sn_env->alloc);
 	free(sn_env);
@@ -781,7 +783,7 @@ subnetmod_get_mem(struct module_env *env, int id)
 	if (!sn_env) return 0;
 	return sizeof(*sn_env) + 
 		slabhash_get_mem(sn_env->subnet_msg_cache) +
-		upstream_get_mem(sn_env->edns_subnet_upstreams);
+		ecs_whitelist_get_mem(sn_env->whitelist);
 }
 
 /**

edns-subnet/subnetmod.h

@@ -57,7 +57,7 @@ struct subnet_env {
 	 * data: struct subnet_msg_cache_data* */
 	struct slabhash* subnet_msg_cache;
 	/** access control, which upstream servers we send client address */
-	struct ednssubnet_upstream* edns_subnet_upstreams;
+	struct ecs_whitelist* whitelist;
 	/** allocation service */
 	struct alloc_cache alloc;
 	lock_rw_type biglock;

ipsecmod/ipsecmod-whitelist.c

@@ -0,0 +1,158 @@
+/*
+ * ipsecmod/ipsecmod-whitelist.h - White listed domains for the ipsecmod to
+ * operate on.
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * \file
+ *
+ * Keep track of the white listed domains for ipsecmod.
+ */
+
+#include "config.h"
+
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#include "ipsecmod/ipsecmod-whitelist.h"
+#include "util/regional.h"
+#include "util/log.h"
+#include "util/config_file.h"
+#include "util/rbtree.h"
+#include "util/data/dname.h"
+#include "util/storage/dnstree.h"
+#include "sldns/str2wire.h"
+
+/** Apply ipsecmod-whitelist string. */
+static int
+whitelist_str_cfg(rbtree_type* whitelist, const char* name)
+{
+    struct name_tree_node* n;
+    size_t len;
+    uint8_t* nm = sldns_str2wire_dname(name, &len);
+    if(!nm) {
+        log_err("ipsecmod: could not parse %s for whitelist.", name);
+        return 0;
+    }
+    n = (struct name_tree_node*)calloc(1, sizeof(*n));
+    if(!n) {
+        log_err("ipsecmod: out of memory while creating whitelist.");
+        free(nm);
+        return 0;
+    }
+    n->node.key = n;
+    n->name = nm;
+    n->len = len;
+    n->labs = dname_count_labels(nm);
+    n->dclass = LDNS_RR_CLASS_IN;
+    if(!name_tree_insert(whitelist, n, nm, len, n->labs, n->dclass)) {
+        /* duplicate element ignored, idempotent */
+        free(n->name);
+        free(n);
+    }
+    return 1;
+}
+
+/** Read ipsecmod-whitelist config. */
+static int
+read_whitelist(rbtree_type* whitelist, struct config_file* cfg)
+{
+	struct config_strlist* p;
+	for(p = cfg->ipsecmod_whitelist; p; p = p->next) {
+		log_assert(p->str);
+		if(!whitelist_str_cfg(whitelist, p->str))
+			return 0;
+	}
+	return 1;
+}
+
+int
+ipsecmod_whitelist_apply_cfg(struct ipsecmod_env* ie,
+	struct config_file* cfg)
+{
+	ie->whitelist = rbtree_create(name_tree_compare);
+	if(!read_whitelist(ie->whitelist, cfg))
+		return 0;
+	name_tree_init_parents(ie->whitelist);
+	return 1;
+}
+
+/** Delete ipsecmod_env->whitelist element. */
+static void
+whitelist_free(struct rbnode_type* n, void* ATTR_UNUSED(d))
+{
+	if(n) {
+		free(((struct name_tree_node*)n)->name);
+		free(n);
+	}
+}
+
+/** Get memory usage of ipsecmod_env->whitelist element. */
+static void
+whitelist_get_mem(struct rbnode_type* n, void* arg)
+{
+	struct name_tree_node* node = (struct name_tree_node*)n;
+	size_t* size = (size_t*) arg;
+	if(node) {
+		*size += sizeof(node) + node->len;
+	}
+}
+
+void
+ipsecmod_whitelist_delete(rbtree_type* whitelist)
+{
+	if(whitelist) {
+		traverse_postorder(whitelist, whitelist_free, NULL);
+		free(whitelist);
+	}
+}
+
+int
+ipsecmod_domain_is_whitelisted(struct ipsecmod_env* ie, uint8_t* dname,
+	size_t dname_len, uint16_t qclass)
+{
+	if(!ie->whitelist) return 1; /* No whitelist, treat as whitelisted. */
+	return name_tree_lookup(ie->whitelist, dname, dname_len,
+		dname_count_labels(dname), qclass) != NULL;
+}
+
+size_t
+ipsecmod_whitelist_get_mem(rbtree_type* whitelist)
+{
+	size_t size = 0;
+	if(whitelist) {
+		traverse_postorder(whitelist, whitelist_get_mem, &size);
+	}
+	return size;
+}
+
+#endif /* USE_IPSECMOD */

ipsecmod/ipsecmod-whitelist.h

@@ -0,0 +1,82 @@
+/*
+ * ipsecmod/ipsecmod-whitelist.h - White listed domains for the ipsecmod to
+ * operate on.
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * \file
+ *
+ * Keep track of the white listed domains for ipsecmod.
+ */
+
+#ifndef IPSECMOD_WHITELIST_H
+#define IPSECMOD_WHITELIST_H
+#include "util/storage/dnstree.h"
+
+struct config_file;
+struct regional;
+
+/**
+ * Process ipsecmod_whitelist config.
+ * @param ie: ipsecmod environment.
+ * @param cfg: config options.
+ * @return 0 on error.
+ */
+int ipsecmod_whitelist_apply_cfg(struct ipsecmod_env* ie,
+	struct config_file* cfg);
+
+/**
+ * Delete the ipsecmod whitelist.
+ * @param whitelist: ipsecmod whitelist.
+ */
+void ipsecmod_whitelist_delete(rbtree_type* whitelist);
+
+/**
+ * See if a domain is whitelisted.
+ * @param ie: ipsecmod environment.
+ * @param dname: domain name to check.
+ * @param dname_len: length of domain name.
+ * @param qclass: query CLASS.
+ * @return: true if the domain is whitelisted for the ipsecmod.
+ */
+int ipsecmod_domain_is_whitelisted(struct ipsecmod_env* ie, uint8_t* dname,
+	size_t dname_len, uint16_t qclass);
+
+/**
+ * Get memory used by ipsecmod whitelist.
+ * @param whitelist: structure for domain storage.
+ * @return bytes in use.
+ */
+size_t ipsecmod_whitelist_get_mem(rbtree_type* whitelist);
+
+#endif /* IPSECMOD_WHITELIST_H */

ipsecmod/ipsecmod.c

@@ -0,0 +1,515 @@
+/*
+ * ipsecmod/ipsecmod.c - facilitate opportunistic IPsec module
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains a module that facilitates opportunistic IPsec. It does so
+ * by also quering for the IPSECKEY for A/AAAA queries and calling a
+ * configurable hook (eg. signaling an IKE daemon) before replying.
+ */
+
+#include "config.h"
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#include "ipsecmod/ipsecmod-whitelist.h"
+#include "util/fptr_wlist.h"
+#include "util/regional.h"
+#include "util/net_help.h"
+#include "util/config_file.h"
+#include "services/cache/dns.h"
+#include "sldns/wire2str.h"
+
+/** Apply configuration to ipsecmod module 'global' state. */
+static int
+ipsecmod_apply_cfg(struct ipsecmod_env* ipsecmod_env, struct config_file* cfg)
+{
+	if(!cfg->ipsecmod_hook || (cfg->ipsecmod_hook && !cfg->ipsecmod_hook[0])) {
+		log_err("ipsecmod: missing ipsecmod-hook.");
+		return 0;
+	}
+	if(cfg->ipsecmod_whitelist &&
+		!ipsecmod_whitelist_apply_cfg(ipsecmod_env, cfg))
+		return 0;
+	return 1;
+}
+
+int
+ipsecmod_init(struct module_env* env, int id)
+{
+	struct ipsecmod_env* ipsecmod_env = (struct ipsecmod_env*)calloc(1,
+		sizeof(struct ipsecmod_env));
+	if(!ipsecmod_env) {
+		log_err("malloc failure");
+		return 0;
+	}
+	env->modinfo[id] = (void*)ipsecmod_env;
+	ipsecmod_env->whitelist = NULL;
+	if(!ipsecmod_apply_cfg(ipsecmod_env, env->cfg)) {
+		log_err("ipsecmod: could not apply configuration settings.");
+		return 0;
+	}
+	return 1;
+}
+
+void
+ipsecmod_deinit(struct module_env* env, int id)
+{
+	struct ipsecmod_env* ipsecmod_env;
+	if(!env || !env->modinfo[id])
+		return;
+	ipsecmod_env = (struct ipsecmod_env*)env->modinfo[id];
+	/* Free contents. */
+	ipsecmod_whitelist_delete(ipsecmod_env->whitelist);
+	free(ipsecmod_env);
+	env->modinfo[id] = NULL;
+}
+
+/** New query for ipsecmod. */
+static int
+ipsecmod_new(struct module_qstate* qstate, int id)
+{
+	struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc(
+		qstate->region, sizeof(struct ipsecmod_qstate));
+	memset(iq, 0, sizeof(*iq));
+	qstate->minfo[id] = iq;
+	if(!iq)
+		return 0;
+	/* Initialise it. */
+	iq->enabled = qstate->env->cfg->ipsecmod_enabled;
+	iq->is_whitelisted = ipsecmod_domain_is_whitelisted(
+		(struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname,
+		qstate->qinfo.qname_len, qstate->qinfo.qclass);
+	return 1;
+}
+
+/**
+ * Exit module with an error status.
+ * @param qstate: query state
+ * @param id: module id.
+ */
+static void
+ipsecmod_error(struct module_qstate* qstate, int id)
+{
+	qstate->ext_state[id] = module_error;
+	qstate->return_rcode = LDNS_RCODE_SERVFAIL;
+}
+
+/**
+ * Generate a request for the IPSECKEY.
+ *
+ * @param qstate: query state that is the parent.
+ * @param id: module id.
+ * @param name: what name to query for.
+ * @param namelen: length of name.
+ * @param qtype: query type.
+ * @param qclass: query class.
+ * @param flags: additional flags, such as the CD bit (BIT_CD), or 0.
+ * @return false on alloc failure.
+ */
+static int
+generate_request(struct module_qstate* qstate, int id, uint8_t* name,
+	size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags)
+{
+	struct module_qstate* newq;
+	struct query_info ask;
+	ask.qname = name;
+	ask.qname_len = namelen;
+	ask.qtype = qtype;
+	ask.qclass = qclass;
+	ask.local_alias = NULL;
+	log_query_info(VERB_ALGO, "ipsecmod: generate request", &ask);
+	fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
+	if(!(*qstate->env->attach_sub)(qstate, &ask,
+		(uint16_t)(BIT_RD|flags), 0, 0, &newq)){
+		log_err("Could not generate request: out of memory");
+		return 0;
+	}
+	qstate->ext_state[id] = module_wait_subquery;
+	return 1;
+}
+
+/**
+ *  Prepare the data and call the hook.
+ *
+ *  @param qstate: query state.
+ *  @param iq: ipsecmod qstate.
+ *  @param ie: ipsecmod environment.
+ *  @return true on success, false otherwise.
+ */
+static int
+call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
+	struct ipsecmod_env* ATTR_UNUSED(ie))
+{
+	size_t slen, tempdata_len, tempstring_len, i;
+	char str[65535], *s, *tempstring;
+	int w;
+	struct ub_packed_rrset_key* rrset_key;
+	struct packed_rrset_data* rrset_data;
+	uint8_t *tempdata;
+
+	/* Check if a shell is available */
+	if(system(NULL) == 0) {
+		log_err("ipsecmod: no shell available for ipsecmod-hook");
+		return 0;
+	}
+
+	/* Zero the buffer. */
+	s = str;
+	slen = sizeof(str);
+	memset(s, 0, slen);
+
+	/* Copy the hook into the buffer. */
+	sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
+	/* Put space into the buffer. */
+	sldns_str_print(&s, &slen, " ");
+	/* Copy the qname into the buffer. */
+	tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
+		qstate->qinfo.qname_len);
+	if(!tempstring) {
+		log_err("ipsecmod: out of memory when calling the hook");
+		return 0;
+	}
+	sldns_str_print(&s, &slen, "\"%s\"", tempstring);
+	free(tempstring);
+	/* Put space into the buffer. */
+	sldns_str_print(&s, &slen, " ");
+	/* Copy the IPSECKEY TTL into the buffer. */
+	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+	sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
+	/* Put space into the buffer. */
+	sldns_str_print(&s, &slen, " ");
+	/* Copy the A/AAAA record(s) into the buffer. Start and end this section
+	 * with a double quote. */
+	rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
+		qstate->return_msg->rep);
+	rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
+	sldns_str_print(&s, &slen, "\"");
+	for(i=0; i<rrset_data->count; i++) {
+		if(i > 0) {
+			/* Put space into the buffer. */
+			sldns_str_print(&s, &slen, " ");
+		}
+		/* Ignore the first two bytes, they are the rr_data len. */
+		w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
+			rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
+		if(w < 0) {
+			/* Error in printout. */
+			return -1;
+		} else if((size_t)w >= slen) {
+			s = NULL; /* We do not want str to point outside of buffer. */
+			slen = 0;
+			return -1;
+		} else {
+			s += w;
+			slen -= w;
+		}
+	}
+	sldns_str_print(&s, &slen, "\"");
+	/* Put space into the buffer. */
+	sldns_str_print(&s, &slen, " ");
+	/* Copy the IPSECKEY record(s) into the buffer. Start and end this section
+	 * with a double quote. */
+	sldns_str_print(&s, &slen, "\"");
+	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+	for(i=0; i<rrset_data->count; i++) {
+		if(i > 0) {
+			/* Put space into the buffer. */
+			sldns_str_print(&s, &slen, " ");
+		}
+		/* Ignore the first two bytes, they are the rr_data len. */
+		tempdata = rrset_data->rr_data[i] + 2;
+		tempdata_len = rrset_data->rr_len[i] - 2;
+		/* Save the buffer pointers. */
+		tempstring = s; tempstring_len = slen;
+		w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen,
+			NULL, 0);
+		/* There was an error when parsing the IPSECKEY; reset the buffer
+		 * pointers to their previous values. */
+		if(w == -1){
+			s = tempstring; slen = tempstring_len;
+		}
+	}
+	sldns_str_print(&s, &slen, "\"");
+	verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str);
+	/* ipsecmod-hook should return 0 on success. */
+	if(system(str) != 0)
+		return 0;
+	return 1;
+}
+
+/**
+ * Handle an ipsecmod module event with a query
+ * @param qstate: query state (from the mesh), passed between modules.
+ * 	contains qstate->env module environment with global caches and so on.
+ * @param iq: query state specific for this module.  per-query.
+ * @param ie: environment specific for this module.  global.
+ * @param id: module id.
+ */
+static void
+ipsecmod_handle_query(struct module_qstate* qstate,
+	struct ipsecmod_qstate* iq, struct ipsecmod_env* ie, int id)
+{
+	struct ub_packed_rrset_key* rrset_key;
+	struct packed_rrset_data* rrset_data;
+	size_t i;
+	/* Pass to next module if we are not enabled and whitelisted. */
+	if(!(iq->enabled && iq->is_whitelisted)) {
+		qstate->ext_state[id] = module_wait_module;
+		return;
+	}
+	/* New query, check if the query is for an A/AAAA record and disable
+	 * caching for other modules. */
+	if(!iq->ipseckey_done) {
+		if(qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
+			qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) {
+			char type[16];
+			sldns_wire2str_type_buf(qstate->qinfo.qtype, type,
+				sizeof(type));
+			verbose(VERB_ALGO, "ipsecmod: query for %s; engaging",
+				type);
+			qstate->no_cache_store = 1;
+		}
+		/* Pass request to next module. */
+		qstate->ext_state[id] = module_wait_module;
+		return;
+	}
+	/* IPSECKEY subquery is finished. */
+	/* We have an IPSECKEY answer. */
+	if(iq->ipseckey_rrset) {
+		rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+		if(rrset_data) {
+			/* If bogus return SERVFAIL. */
+			if(!qstate->env->cfg->ipsecmod_ignore_bogus &&
+				rrset_data->security == sec_status_bogus) {
+				log_err("ipsecmod: bogus IPSECKEY");
+				ipsecmod_error(qstate, id);
+				return;
+			}
+			/* We have a valid IPSECKEY reply, call hook. */
+			if(!call_hook(qstate, iq, ie) &&
+				qstate->env->cfg->ipsecmod_strict) {
+				log_err("ipsecmod: ipsecmod-hook failed");
+				ipsecmod_error(qstate, id);
+				return;
+			}
+			/* Make sure the A/AAAA's TTL is equal/less than the
+			 * ipsecmod_max_ttl. */
+			rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
+				qstate->return_msg->rep);
+			rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
+			if(rrset_data->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) {
+				/* Update TTL for rrset to fixed value. */
+				rrset_data->ttl = qstate->env->cfg->ipsecmod_max_ttl;
+				for(i=0; i<rrset_data->count+rrset_data->rrsig_count; i++)
+					rrset_data->rr_ttl[i] = qstate->env->cfg->ipsecmod_max_ttl;
+				/* Also update reply_info's TTL */
+				if(qstate->return_msg->rep->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) {
+					qstate->return_msg->rep->ttl =
+						qstate->env->cfg->ipsecmod_max_ttl;
+					qstate->return_msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(
+						qstate->return_msg->rep->ttl);
+				}
+			}
+		}
+	}
+	/* Store A/AAAA in cache. */
+	if(!dns_cache_store(qstate->env, &qstate->qinfo,
+		qstate->return_msg->rep, 0, qstate->prefetch_leeway,
+		0, qstate->region, qstate->query_flags)) {
+		log_err("ipsecmod: out of memory caching record");
+	}
+	qstate->ext_state[id] = module_finished;
+}
+
+/**
+ * Handle an ipsecmod module event with a response from the iterator.
+ * @param qstate: query state (from the mesh), passed between modules.
+ * 	contains qstate->env module environment with global caches and so on.
+ * @param iq: query state specific for this module.  per-query.
+ * @param ie: environment specific for this module.  global.
+ * @param id: module id.
+ */
+static void
+ipsecmod_handle_response(struct module_qstate* qstate,
+	struct ipsecmod_qstate* ATTR_UNUSED(iq),
+	struct ipsecmod_env* ATTR_UNUSED(ie), int id)
+{
+	/* Pass to previous module if we are not enabled and whitelisted. */
+	if(!(iq->enabled && iq->is_whitelisted)) {
+		qstate->ext_state[id] = module_finished;
+		return;
+	}
+	/* check if the response is for an A/AAAA query. */
+	if((qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
+		qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) &&
+		/* check that we had an answer for the A/AAAA query. */
+		qstate->return_msg &&
+		reply_find_answer_rrset(&qstate->return_msg->qinfo,
+		qstate->return_msg->rep) &&
+		/* check that another module didn't SERVFAIL. */
+		qstate->return_rcode == LDNS_RCODE_NOERROR) {
+		char type[16];
+		sldns_wire2str_type_buf(qstate->qinfo.qtype, type,
+			sizeof(type));
+		verbose(VERB_ALGO, "ipsecmod: response for %s; generating IPSECKEY "
+			"subquery", type);
+		/* generate an IPSECKEY query. */
+		if(!generate_request(qstate, id, qstate->qinfo.qname,
+			qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY,
+			qstate->qinfo.qclass, 0)) {
+			log_err("ipsecmod: could not generate subquery.");
+			ipsecmod_error(qstate, id);
+		}
+		return;
+	}
+	/* we are done with the query. */
+	qstate->ext_state[id] = module_finished;
+}
+
+void
+ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
+	struct outbound_entry* outbound)
+{
+	struct ipsecmod_env* ie = (struct ipsecmod_env*)qstate->env->modinfo[id];
+	struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)qstate->minfo[id];
+	verbose(VERB_QUERY, "ipsecmod[module %d] operate: extstate:%s event:%s",
+		id, strextstate(qstate->ext_state[id]), strmodulevent(event));
+	if(iq) log_query_info(VERB_QUERY, "ipsecmod operate: query",
+		&qstate->qinfo);
+
+	/* create ipsecmod_qstate. */
+	if((event == module_event_new || event == module_event_pass) &&
+		iq == NULL) {
+		if(!ipsecmod_new(qstate, id)) {
+			ipsecmod_error(qstate, id);
+			return;
+		}
+		iq = (struct ipsecmod_qstate*)qstate->minfo[id];
+	}
+	if(iq && (event == module_event_pass || event == module_event_new)) {
+		ipsecmod_handle_query(qstate, iq, ie, id);
+		return;
+	}
+	if(iq && (event == module_event_moddone)) {
+		ipsecmod_handle_response(qstate, iq, ie, id);
+		return;
+	}
+	if(iq && outbound) {
+		/* cachedb does not need to process responses at this time
+		 * ignore it.
+		cachedb_process_response(qstate, iq, ie, id, outbound, event);
+		*/
+		return;
+	}
+	if(event == module_event_error) {
+		verbose(VERB_ALGO, "got called with event error, giving up");
+		ipsecmod_error(qstate, id);
+		return;
+	}
+	if(!iq && (event == module_event_moddone)) {
+		/* during priming, module done but we never started. */
+		qstate->ext_state[id] = module_finished;
+		return;
+	}
+
+	log_err("ipsecmod: bad event %s", strmodulevent(event));
+	ipsecmod_error(qstate, id);
+	return;
+}
+
+void
+ipsecmod_inform_super(struct module_qstate* qstate, int id,
+	struct module_qstate* super)
+{
+	struct ipsecmod_qstate* siq;
+	log_query_info(VERB_ALGO, "ipsecmod: inform_super, sub is",
+		&qstate->qinfo);
+	log_query_info(VERB_ALGO, "super is", &super->qinfo);
+	siq = (struct ipsecmod_qstate*)super->minfo[id];
+	if(!siq) {
+		verbose(VERB_ALGO, "super has no ipsecmod state");
+		return;
+	}
+
+	if(qstate->return_msg) {
+		struct ub_packed_rrset_key* rrset_key = reply_find_answer_rrset(
+			&qstate->return_msg->qinfo, qstate->return_msg->rep);
+		if(rrset_key) {
+			/* We have an answer. */
+			/* Copy to super's region. */
+			rrset_key = packed_rrset_copy_region(rrset_key, super->region, 0);
+			siq->ipseckey_rrset = rrset_key;
+			if(!rrset_key) {
+				log_err("ipsecmod: out of memory.");
+			}
+		}
+	}
+	/* Notify super to proceed. */
+	siq->ipseckey_done = 1;
+}
+
+void
+ipsecmod_clear(struct module_qstate* qstate, int id)
+{
+	if(!qstate)
+		return;
+	qstate->minfo[id] = NULL;
+}
+
+size_t
+ipsecmod_get_mem(struct module_env* env, int id)
+{
+	struct ipsecmod_env* ie = (struct ipsecmod_env*)env->modinfo[id];
+	if(!ie)
+		return 0;
+	return sizeof(*ie) + ipsecmod_whitelist_get_mem(ie->whitelist);
+}
+
+/**
+ * The ipsecmod function block
+ */
+static struct module_func_block ipsecmod_block = {
+	"ipsecmod",
+	&ipsecmod_init, &ipsecmod_deinit, &ipsecmod_operate,
+	&ipsecmod_inform_super, &ipsecmod_clear, &ipsecmod_get_mem
+};
+
+struct module_func_block*
+ipsecmod_get_funcblock(void)
+{
+	return &ipsecmod_block;
+}
+#endif /* USE_IPSECMOD */

ipsecmod/ipsecmod.h

@@ -0,0 +1,97 @@
+/*
+ * ipsecmod/ipsecmod.h - facilitate opportunistic IPsec module
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains a module that facilitates opportunistic IPsec. It does so
+ * by also quering for the IPSECKEY for A/AAAA queries and calling a
+ * configurable hook (eg. signaling an IKE daemon) before replying.
+ */
+
+#ifndef IPSECMOD_H
+#define IPSECMOD_H
+#include "util/module.h"
+#include "util/rbtree.h"
+
+/**
+ * The global variable environment contents for the ipsecmod
+ * Shared between threads, this represents long term information.
+ */
+struct ipsecmod_env {
+	/** White listed domains for ipsecmod. */
+	rbtree_type* whitelist;
+};
+
+/**
+ * Per query state for the ipsecmod module.
+ */
+struct ipsecmod_qstate {
+	/** State of the IPsec module. */
+	/** NOTE: This value is copied here from the configuration so that a change
+	 *  with unbound-control would not complicate an already running mesh. */
+	int enabled;
+	/** If the qname is whitelisted or not. */
+	/** NOTE: No whitelist means all qnames are whitelisted. */
+	int is_whitelisted;
+	/** Pointer to IPSECKEY rrset allocated in the qstate region. NULL if there
+	 *  was no IPSECKEY reply from the subquery. */
+	struct ub_packed_rrset_key* ipseckey_rrset;
+	/** If the IPSECKEY subquery has finished. */
+	int ipseckey_done;
+};
+
+/** Init the ipsecmod module */
+int ipsecmod_init(struct module_env* env, int id);
+/** Deinit the ipsecmod module */
+void ipsecmod_deinit(struct module_env* env, int id);
+/** Operate on an event on a query (in qstate). */
+void ipsecmod_operate(struct module_qstate* qstate, enum module_ev event,
+	int id, struct outbound_entry* outbound);
+/** Subordinate query done, inform this super request of its conclusion */
+void ipsecmod_inform_super(struct module_qstate* qstate, int id,
+	struct module_qstate* super);
+/** clear the ipsecmod query-specific contents out of qstate */
+void ipsecmod_clear(struct module_qstate* qstate, int id);
+/** return memory estimate for the ipsecmod module */
+size_t ipsecmod_get_mem(struct module_env* env, int id);
+
+/**
+ * Get the function block with pointers to the ipsecmod functions
+ * @return the function block for "ipsecmod".
+ */
+struct module_func_block* ipsecmod_get_funcblock(void);
+
+#endif /* IPSECMOD_H */

iterator/iter_hints.c

@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
       }
       if(do_ip6) {
 	if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed;
-	if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:84::b")) goto failed;
+	if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed;
 	if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
 	if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
 	if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;

iterator/iterator.c

@@ -288,6 +288,22 @@ error_response_cache(struct module_qstate* qstate, int id, int rcode)
 				return error_response(qstate, id, rcode);
 			/* if that fails (not in cache), fall through to store err */
 		}
+		if(qstate->env->cfg->serve_expired) {
+			/* if serving expired contents, and such content is
+			 * already available, don't overwrite this servfail */
+			struct msgreply_entry* msg;
+			if((msg=msg_cache_lookup(qstate->env,
+				qstate->qinfo.qname, qstate->qinfo.qname_len,
+				qstate->qinfo.qtype, qstate->qinfo.qclass,
+				qstate->query_flags, 0, 0))
+				!= NULL) {
+				lock_rw_unlock(&msg->entry.lock);
+				return error_response(qstate, id, rcode);
+			}
+			/* serving expired contents, but nothing is cached
+			 * at all, so the servfail cache entry is useful
+			 * (stops waste of time on this servfail NORR_TTL) */
+		}
 		memset(&err, 0, sizeof(err));
 		err.flags = (uint16_t)(BIT_QR | BIT_RA);
 		FLAGS_SET_RCODE(err.flags, rcode);
@@ -509,6 +525,33 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
 	return 1;
 }
 
+/** see if last resort is possible - does config allow queries to parent */
+static int
+can_have_last_resort(struct module_env* env, uint8_t* nm, size_t nmlen,
+	uint16_t qclass)
+{
+	struct delegpt* fwddp;
+	struct iter_hints_stub* stub;
+	int labs = dname_count_labels(nm);
+	/* do not process a last resort (the parent side) if a stub
+	 * or forward is configured, because we do not want to go 'above'
+	 * the configured servers */
+	if(!dname_is_root(nm) && (stub = (struct iter_hints_stub*)
+		name_tree_find(&env->hints->tree, nm, nmlen, labs, qclass)) &&
+		/* has_parent side is turned off for stub_first, where we
+		 * are allowed to go to the parent */
+		stub->dp->has_parent_side_NS) {
+		return 0;
+	}
+	if((fwddp = forwards_find(env->fwds, nm, qclass)) &&
+		/* has_parent_side is turned off for forward_first, where
+		 * we are allowed to go to the parent */
+		fwddp->has_parent_side_NS) {
+		return 0;
+	}
+	return 1;
+}
+
 /** see if target name is caps-for-id whitelisted */
 static int
 is_caps_whitelisted(struct iter_env* ie, struct iter_qstate* iq)
@@ -853,6 +896,9 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
 
 	if(iq->depth == ie->max_dependency_depth)
 		return;
+	if(!can_have_last_resort(qstate->env, iq->dp->name, iq->dp->namelen,
+		iq->qchase.qclass))
+		return;
 	/* is this query the same as the nscheck? */
 	if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS &&
 		query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 &&
@@ -1025,6 +1071,20 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 		return next_state(iq, COLLECT_CLASS_STATE);
 	}
 
+	/*
+	 * If we are restricted by a forward-zone or a stub-zone, we
+	 * can't re-fetch glue for this delegation point.
+	 * we won’t try to re-fetch glue if the iq->dp is null.
+	 */
+	if (iq->refetch_glue &&
+	        iq->dp &&
+	        !can_have_last_resort(qstate->env,
+	                              iq->dp->name,
+	                              iq->dp->namelen,
+	                              iq->qchase.qclass)) {
+	    iq->refetch_glue = 0;
+	}
+
 	/* Resolver Algorithm Step 1 -- Look for the answer in local data. */
 
 	/* This either results in a query restart (CNAME cache response), a
@@ -1558,35 +1618,6 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
 	return 1;
 }
 
-/** see if last resort is possible - does config allow queries to parent */
-static int
-can_have_last_resort(struct module_env* env, struct delegpt* dp,
-	struct iter_qstate* iq)
-{
-	struct delegpt* fwddp;
-	struct iter_hints_stub* stub;
-	/* do not process a last resort (the parent side) if a stub
-	 * or forward is configured, because we do not want to go 'above'
-	 * the configured servers */
-	if(!dname_is_root(dp->name) && (stub = (struct iter_hints_stub*)
-		name_tree_find(&env->hints->tree, dp->name, dp->namelen,
-		dp->namelabs, iq->qchase.qclass)) &&
-		/* has_parent side is turned off for stub_first, where we
-		 * are allowed to go to the parent */
-		stub->dp->has_parent_side_NS) {
-		verbose(VERB_QUERY, "configured stub servers failed -- returning SERVFAIL");
-		return 0;
-	}
-	if((fwddp = forwards_find(env->fwds, dp->name, iq->qchase.qclass)) &&
-		/* has_parent_side is turned off for forward_first, where
-		 * we are allowed to go to the parent */
-		fwddp->has_parent_side_NS) {
-		verbose(VERB_QUERY, "configured forward servers failed -- returning SERVFAIL");
-		return 0;
-	}
-	return 1;
-}
-
 /**
  * Called by processQueryTargets when it would like extra targets to query
  * but it seems to be out of options.  At last resort some less appealing
@@ -1608,9 +1639,11 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
 	verbose(VERB_ALGO, "No more query targets, attempting last resort");
 	log_assert(iq->dp);
 
-	if(!can_have_last_resort(qstate->env, iq->dp, iq)) {
+	if(!can_have_last_resort(qstate->env, iq->dp->name, iq->dp->namelen,
+		iq->qchase.qclass)) {
 		/* fail -- no more targets, no more hope of targets, no hope 
 		 * of a response. */
+		verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL");
 		return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
 	}
 	if(!iq->dp->has_parent_side_NS && dname_is_root(iq->dp->name)) {
@@ -1695,6 +1728,19 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
 	/* see if we can issue queries to get nameserver addresses */
 	/* this lookup is not randomized, but sequential. */
 	for(ns = iq->dp->nslist; ns; ns = ns->next) {
+		/* if this nameserver is at a delegation point, but that
+		 * delegation point is a stub and we cannot go higher, skip*/
+		if( ((ie->supports_ipv6 && !ns->done_pside6) ||
+		    (ie->supports_ipv4 && !ns->done_pside4)) &&
+		    !can_have_last_resort(qstate->env, ns->name, ns->namelen,
+			iq->qchase.qclass)) {
+			log_nametypeclass(VERB_ALGO, "cannot pside lookup ns "
+				"because it is also a stub/forward,",
+				ns->name, LDNS_RR_TYPE_NS, iq->qchase.qclass);
+			if(ie->supports_ipv6) ns->done_pside6 = 1;
+			if(ie->supports_ipv4) ns->done_pside4 = 1;
+			continue;
+		}
 		/* query for parent-side A and AAAA for nameservers */
 		if(ie->supports_ipv6 && !ns->done_pside6) {
 			/* Send the AAAA request. */

libunbound/unbound.h

@@ -601,6 +601,167 @@ int ub_ctx_data_remove(struct ub_ctx* ctx, const char *data);
  */
 const char* ub_version(void);
 
+/** 
+ * Some global statistics that are not in struct stats_info,
+ * this struct is shared on a shm segment (shm-key in unbound.conf)
+ */
+struct ub_shm_stat_info {
+	int num_threads;
+
+	struct {
+		long long now_sec, now_usec;
+		long long up_sec, up_usec;
+		long long elapsed_sec, elapsed_usec;
+	} time;
+
+	struct {
+		long long msg;
+		long long rrset;
+		long long val;
+		long long iter;
+		long long subnet;
+		long long ipsecmod;
+		long long respip;
+	} mem;
+};
+
+/** number of qtype that is stored for in array */
+#define UB_STATS_QTYPE_NUM 256
+/** number of qclass that is stored for in array */
+#define UB_STATS_QCLASS_NUM 256
+/** number of rcodes in stats */
+#define UB_STATS_RCODE_NUM 16
+/** number of opcodes in stats */
+#define UB_STATS_OPCODE_NUM 16
+/** number of histogram buckets */
+#define UB_STATS_BUCKET_NUM 40
+
+/** per worker statistics. */
+struct ub_server_stats {
+	/** number of queries from clients received. */
+	long long num_queries;
+	/** number of queries that have been dropped/ratelimited by ip. */
+	long long num_queries_ip_ratelimited;
+	/** number of queries that had a cache-miss. */
+	long long num_queries_missed_cache;
+	/** number of prefetch queries - cachehits with prefetch */
+	long long num_queries_prefetch;
+
+	/**
+	 * Sum of the querylistsize of the worker for 
+	 * every query that missed cache. To calculate average.
+	 */
+	long long sum_query_list_size;
+	/** max value of query list size reached. */
+	long long max_query_list_size;
+
+	/** Extended stats below (bool) */
+	int extended;
+
+	/** qtype stats */
+	long long qtype[UB_STATS_QTYPE_NUM];
+	/** bigger qtype values not in array */
+	long long qtype_big;
+	/** qclass stats */
+	long long qclass[UB_STATS_QCLASS_NUM];
+	/** bigger qclass values not in array */
+	long long qclass_big;
+	/** query opcodes */
+	long long qopcode[UB_STATS_OPCODE_NUM];
+	/** number of queries over TCP */
+	long long qtcp;
+	/** number of outgoing queries over TCP */
+	long long qtcp_outgoing;
+	/** number of queries over IPv6 */
+	long long qipv6;
+	/** number of queries with QR bit */
+	long long qbit_QR;
+	/** number of queries with AA bit */
+	long long qbit_AA;
+	/** number of queries with TC bit */
+	long long qbit_TC;
+	/** number of queries with RD bit */
+	long long qbit_RD;
+	/** number of queries with RA bit */
+	long long qbit_RA;
+	/** number of queries with Z bit */
+	long long qbit_Z;
+	/** number of queries with AD bit */
+	long long qbit_AD;
+	/** number of queries with CD bit */
+	long long qbit_CD;
+	/** number of queries with EDNS OPT record */
+	long long qEDNS;
+	/** number of queries with EDNS with DO flag */
+	long long qEDNS_DO;
+	/** answer rcodes */
+	long long ans_rcode[UB_STATS_RCODE_NUM];
+	/** answers with pseudo rcode 'nodata' */
+	long long ans_rcode_nodata;
+	/** answers that were secure (AD) */
+	long long ans_secure;
+	/** answers that were bogus (withheld as SERVFAIL) */
+	long long ans_bogus;
+	/** rrsets marked bogus by validator */
+	long long rrset_bogus;
+	/** unwanted traffic received on server-facing ports */
+	long long unwanted_replies;
+	/** unwanted traffic received on client-facing ports */
+	long long unwanted_queries;
+	/** usage of tcp accept list */
+	long long tcp_accept_usage;
+	/** answers served from expired cache */
+	long long zero_ttl_responses;
+	/** histogram data exported to array 
+	 * if the array is the same size, no data is lost, and
+	 * if all histograms are same size (is so by default) then
+	 * adding up works well. */
+	long long hist[UB_STATS_BUCKET_NUM];
+	
+	/** number of message cache entries */
+	long long msg_cache_count;
+	/** number of rrset cache entries */
+	long long rrset_cache_count;
+	/** number of infra cache entries */
+	long long infra_cache_count;
+	/** number of key cache entries */
+	long long key_cache_count;
+
+	/** number of queries that used dnscrypt */
+	long long num_query_dnscrypt_crypted;
+	/** number of queries that queried dnscrypt certificates */
+	long long num_query_dnscrypt_cert;
+	/** number of queries in clear text and not asking for the certificates */
+	long long num_query_dnscrypt_cleartext;
+	/** number of malformed encrypted queries */
+	long long num_query_dnscrypt_crypted_malformed;
+};
+
+/** 
+ * Statistics to send over the control pipe when asked
+ * This struct is made to be memcpied, sent in binary.
+ * shm mapped with (number+1) at num_threads+1, with first as total
+ */
+struct ub_stats_info {
+	/** the thread stats */
+	struct ub_server_stats svr;
+
+	/** mesh stats: current number of states */
+	long long mesh_num_states;
+	/** mesh stats: current number of reply (user) states */
+	long long mesh_num_reply_states;
+	/** mesh stats: number of reply states overwritten with a new one */
+	long long mesh_jostled;
+	/** mesh stats: number of incoming queries dropped */
+	long long mesh_dropped;
+	/** mesh stats: replies sent */
+	long long mesh_replies_sent;
+	/** mesh stats: sum of waiting times for the replies */
+	long long mesh_replies_sum_wait_sec, mesh_replies_sum_wait_usec;
+	/** mesh stats: median of waiting times for replies (in sec) */
+	double mesh_time_median;
+};
+
 #ifdef __cplusplus
 }
 #endif

pythonmod/pythonmod.c

@@ -41,8 +41,10 @@
 /* ignore the varargs unused warning from SWIGs internal vararg support */
 #ifdef __GNUC__
 #pragma GCC diagnostic ignored "-Wunused-parameter"
+#ifndef __clang__
 #pragma GCC diagnostic ignored "-Wunused-but-set-variable"
 #endif
+#endif
 
 #include "config.h"
 #include "sldns/sbuffer.h"

respip/respip.c

@@ -261,6 +261,7 @@ respip_enter_rr(struct regional* region, struct resp_addr* raddr,
 		log_err("bad response-ip-data: %s", rrstr);
 		return 0;
 	}
+	free(nm);
 	sa = (struct sockaddr*)&raddr->node.addr;
 	if (rrtype == LDNS_RR_TYPE_CNAME && raddr->data) {
 		log_err("CNAME response-ip data (%s) can not co-exist with other "

services/authzone.h

@@ -0,0 +1,209 @@
+/*
+ * services/authzone.h - authoritative zone that is locally hosted.
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains the functions for an authority zone.  This zone
+ * is queried by the iterator, just like a stub or forward zone, but then
+ * the data is locally held.
+ */
+
+#ifndef SERVICES_AUTHZONE_H
+#define SERVICES_AUTHZONE_H
+#include "util/rbtree.h"
+#include "util/locks.h"
+struct ub_packed_rrset_key;
+struct regional;
+struct config_file;
+struct query_info;
+struct dns_msg;
+
+/**
+ * Authoritative zones, shared.
+ */
+struct auth_zones {
+	/** lock on the authzone tree */
+	lock_rw_type lock;
+	/** rbtree of struct auth_zone */
+	rbtree_type ztree;
+};
+
+/**
+ * Auth zone.  Authoritative data, that is fetched from instead of sending
+ * packets to the internet.
+ */
+struct auth_zone {
+	/** rbtree node, key is name and class */
+	rbnode_type node;
+
+	/** zone name, in uncompressed wireformat */
+	uint8_t* name;
+	/** length of zone name */
+	size_t namelen;
+	/** number of labels in zone name */
+	int namelabs;
+	/** the class of this zone, in host byteorder.
+	 * uses 'dclass' to not conflict with c++ keyword class. */
+	uint16_t dclass;
+
+	/** lock on the data in the structure
+	 * For the node, parent, name, namelen, namelabs, dclass, you
+	 * need to also hold the zones_tree lock to change them (or to
+	 * delete this zone) */
+	lock_rw_type lock;
+
+	/** auth data for this zone
+	 * rbtree of struct auth_data */
+	rbtree_type data;
+
+	/* zonefile name (or NULL for no zonefile) */
+	char* zonefile;
+	/* fallback to the internet on failure or ttl-expiry of auth zone */
+	int fallback_enabled;
+};
+
+/**
+ * Auth data. One domain name, and the RRs to go with it.
+ */
+struct auth_data {
+	/** rbtree node, key is name only */
+	rbnode_type node;
+	/** domain name */
+	uint8_t* name;
+	/** length of name */
+	size_t namelen;
+	/** number of labels in name */
+	int namelabs;
+	/** the data rrsets, with different types, linked list.
+	 * if the list if NULL the node would be an empty non-terminal,
+	 * but in this data structure such nodes that represent an empty
+	 * non-terminal are not needed; they just don't exist.
+	 */
+	struct auth_rrset* rrsets;
+};
+
+/**
+ * A auth data RRset
+ */
+struct auth_rrset {
+	/** next in list */
+	struct auth_rrset* next;
+	/** RR type in host byteorder */
+	uint16_t type;
+	/** RRset data item */
+	struct packed_rrset_data* data;
+};
+
+/**
+ * Create auth zones structure
+ */
+struct auth_zones* auth_zones_create(void);
+
+/**
+ * Apply configuration to auth zones.  Reads zonefiles.
+ */
+int auth_zones_apply_config(struct auth_zones* az, struct config_file* cfg);
+
+/**
+ * Delete auth zones structure
+ */
+void auth_zones_delete(struct auth_zones* az);
+
+/**
+ * Write auth zone data to file, in zonefile format.
+ */
+int auth_zone_write_file(struct auth_zone* z, const char* fname);
+
+/**
+ * Use auth zones to lookup the answer to a query.
+ * The query is from the iterator.  And the auth zones attempts to provide
+ * the answer instead of going to the internet.
+ *
+ * @param az: auth zones structure.
+ * @param qinfo: query info to lookup.
+ * @param region: region to use to allocate the reply in.
+ * @param msg: reply is stored here (if one).
+ * @param fallback: if true, fallback to making a query to the internet.
+ * @param dp_nm: name of delegation point to look for.  This zone is used
+ *	to answer the query.
+ *	If the dp_nm is not found, fallback is set to true and false returned.
+ * @param dp_nmlen: length of dp_nm.
+ * @return 0: failure (an error of some sort, like servfail).
+ *         if 0 and fallback is true, fallback to the internet.
+ *         if 0 and fallback is false, like getting servfail.
+ *         If true, an answer is available.
+ */
+int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo,
+	struct regional* region, struct dns_msg** msg, int* fallback,
+	uint8_t* dp_nm, size_t dp_nmlen);
+
+/** 
+ * Find the auth zone that is above the given qname.
+ * Return NULL when there is no auth_zone above the give name, otherwise
+ * returns the closest auth_zone above the qname that pertains to it.
+ * @param az: auth zones structure.
+ * @param qinfo: query info to lookup.
+ * @return NULL or auth_zone that pertains to the query.
+ */
+struct auth_zone* auth_zones_find_zone(struct auth_zones* az,
+	struct query_info* qinfo);
+
+/** find an auth zone by name (exact match by name or NULL returned) */
+struct auth_zone* auth_zone_find(struct auth_zones* az, uint8_t* nm,
+	size_t nmlen, uint16_t dclass);
+
+/** create an auth zone. returns wrlocked zone. caller must have wrlock
+ * on az. returns NULL on malloc failure */
+struct auth_zone* auth_zone_create(struct auth_zones* az, uint8_t* nm,
+	size_t nmlen, uint16_t dclass);
+
+/** set auth zone zonefile string. caller must have lock on zone */
+int auth_zone_set_zonefile(struct auth_zone* z, char* zonefile);
+
+/** set auth zone fallback. caller must have lock on zone.
+ * fallbackstr is "yes" or "no". false on parse failure. */
+int auth_zone_set_fallback(struct auth_zone* z, char* fallbackstr);
+
+/** read auth zone from zonefile. caller must lock zone. false on failure */
+int auth_zone_read_zonefile(struct auth_zone* z);
+
+/** compare auth_zones for sorted rbtree */
+int auth_zone_cmp(const void* z1, const void* z2);
+
+/** compare auth_data for sorted rbtree */
+int auth_data_cmp(const void* z1, const void* z2);
+
+#endif /* SERVICES_AUTHZONE_H */

services/cache/dns.c

@@ -41,6 +41,7 @@
 #include "config.h"
 #include "iterator/iter_delegpt.h"
 #include "validator/val_nsec.h"
+#include "validator/val_utils.h"
 #include "services/cache/dns.h"
 #include "services/cache/rrset.h"
 #include "util/data/msgreply.h"
@@ -182,7 +183,7 @@ addr_to_additional(struct ub_packed_rrset_key* rrset, struct regional* region,
 }
 
 /** lookup message in message cache */
-static struct msgreply_entry* 
+struct msgreply_entry* 
 msg_cache_lookup(struct module_env* env, uint8_t* qname, size_t qnamelen, 
 	uint16_t qtype, uint16_t qclass, uint16_t flags, time_t now, int wr)
 {
@@ -755,10 +756,16 @@ dns_cache_lookup(struct module_env* env,
 	if( qtype != LDNS_RR_TYPE_DS &&
 	   (rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen, 
 		LDNS_RR_TYPE_CNAME, qclass, 0, now, 0))) {
-		struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
-		if(msg) {
-			lock_rw_unlock(&rrset->entry.lock);
-			return msg;
+		uint8_t* wc = NULL;
+		/* if the rrset is not a wildcard expansion, with wcname */
+		/* because, if we return that CNAME rrset on its own, it is
+		 * missing the NSEC or NSEC3 proof */
+		if(!(val_rrset_wildcard(rrset, &wc) && wc != NULL)) {
+			struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
+			if(msg) {
+				lock_rw_unlock(&rrset->entry.lock);
+				return msg;
+			}
 		}
 		lock_rw_unlock(&rrset->entry.lock);
 	}

services/cache/dns.h

@@ -208,4 +208,10 @@ int dns_msg_authadd(struct dns_msg* msg, struct regional* region,
 int dns_cache_prefetch_adjust(struct module_env* env, struct query_info* qinfo,
         time_t adjust, uint16_t flags);
 
+/** lookup message in message cache
+ * the returned nonNULL entry is locked and has to be unlocked by the caller */
+struct msgreply_entry* msg_cache_lookup(struct module_env* env,
+	uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass,
+	uint16_t flags, time_t now, int wr);
+
 #endif /* SERVICES_CACHE_DNS_H */

services/cache/infra.c

@@ -893,6 +893,8 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
 
 	/* find ratelimit */
 	lim = infra_find_ratelimit(infra, name, namelen);
+	if(!lim)
+		return 1; /* disabled for this domain */
 	
 	/* find or insert ratedata */
 	entry = infra_find_ratedata(infra, name, namelen, 1);
@@ -941,6 +943,8 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
 
 	/* find ratelimit */
 	lim = infra_find_ratelimit(infra, name, namelen);
+	if(!lim)
+		return 0; /* disabled for this domain */
 
 	/* find current rate */
 	entry = infra_find_ratedata(infra, name, namelen, 0);

services/cache/infra.h

@@ -401,7 +401,7 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
 /** find the maximum rate stored, not too old. 0 if no information. */
 int infra_rate_max(void* data, time_t now);
 
-/** find the ratelimit in qps for a domain */
+/** find the ratelimit in qps for a domain. 0 if no limit for domain. */
 int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
 	size_t namelen);
 

services/listen_dnsport.c

@@ -1223,15 +1223,15 @@ listen_create(struct comm_base* base, struct listen_port* ports,
 			ports->ftype == listen_type_tcp_dnscrypt ||
 			ports->ftype == listen_type_udpancil_dnscrypt) {
 			cp->dnscrypt = 1;
-            cp->dnscrypt_buffer = sldns_buffer_new(bufsize);
-            if(!cp->dnscrypt_buffer) {
-                log_err("can't alloc dnscrypt_buffer");
-                comm_point_delete(cp);
-                listen_delete(front);
-                return NULL;
-            }
-            front->dnscrypt_udp_buff = cp->dnscrypt_buffer;
-        }
+			cp->dnscrypt_buffer = sldns_buffer_new(bufsize);
+			if(!cp->dnscrypt_buffer) {
+				log_err("can't alloc dnscrypt_buffer");
+				comm_point_delete(cp);
+				listen_delete(front);
+				return NULL;
+			}
+			front->dnscrypt_udp_buff = cp->dnscrypt_buffer;
+		}
 #endif
 		if(!listen_cp_insert(cp, front)) {
 			log_err("malloc failed");
@@ -1269,10 +1269,10 @@ listen_delete(struct listen_dnsport* front)
 		return;
 	listen_list_delete(front->cps);
 #ifdef USE_DNSCRYPT
-    if(front->dnscrypt_udp_buff &&
-       front->udp_buff != front->dnscrypt_udp_buff) {
-        sldns_buffer_free(front->dnscrypt_udp_buff);
-    }
+	if(front->dnscrypt_udp_buff &&
+		front->udp_buff != front->dnscrypt_udp_buff) {
+		sldns_buffer_free(front->dnscrypt_udp_buff);
+	}
 #endif
 	sldns_buffer_free(front->udp_buff);
 	free(front);

services/localzone.c

@@ -187,7 +187,9 @@ lz_enter_zone_dname(struct local_zones* zones, uint8_t* nm, size_t len,
 	lock_rw_wrlock(&z->lock);
 	if(!rbtree_insert(&zones->ztree, &z->node)) {
 		struct local_zone* oldz;
-		log_warn("duplicate local-zone");
+		char str[256];
+		dname_str(nm, str);
+		log_warn("duplicate local-zone %s", str);
 		lock_rw_unlock(&z->lock);
 		/* save zone name locally before deallocation,
 		 * otherwise, nm is gone if we zone_delete now. */
@@ -744,12 +746,15 @@ add_as112_default(struct local_zones* zones, struct config_file* cfg,
 }
 
 /** enter default zones */
-static int
-lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
+int local_zone_enter_defaults(struct local_zones* zones, struct config_file* cfg)
 {
 	struct local_zone* z;
 	const char** zstr;
 
+	/* Do not add any default */
+	if(cfg->local_zones_disable_default)
+		return 1;
+
 	/* this list of zones is from RFC 6303 and RFC 7686 */
 
 	/* block localhost level zones first, then onion and later the LAN zones */
@@ -1019,7 +1024,7 @@ local_zones_apply_cfg(struct local_zones* zones, struct config_file* cfg)
 		return 0;
 	}
 	/* apply default zones+content (unless disabled, or overridden) */
-	if(!lz_enter_defaults(zones, cfg)) {
+	if(!local_zone_enter_defaults(zones, cfg)) {
 		return 0;
 	}
 	/* enter local zone overrides */
@@ -1585,7 +1590,7 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
 			lock_rw_rdlock(&z->lock);
 			lzt = z->type;
 		}
-		if(!z && !view->isfirst){
+		if(view->local_zones && !z && !view->isfirst){
 			lock_rw_unlock(&view->lock);
 			return 0;
 		}
@@ -1670,6 +1675,8 @@ int local_zone_str2type(const char* type, enum localzone_type* t)
 		*t = local_zone_always_refuse;
 	else if(strcmp(type, "always_nxdomain") == 0)
 		*t = local_zone_always_nxdomain;
+	else if(strcmp(type, "nodefault") == 0)
+		*t = local_zone_nodefault;
 	else return 0;
 	return 1;
 }

services/localzone.h

@@ -427,6 +427,15 @@ enum localzone_type local_data_find_tag_action(const uint8_t* taglist,
 	const uint8_t* tagactions, size_t tagactionssize,
 	enum localzone_type lzt, int* tag, char* const* tagname, int num_tags);
 
+/**
+ * Enter defaults to local zone.
+ * @param zones: to add defaults to
+ * @param cfg: containing list of zones to exclude from default set.
+ * @return 1 on success; 0 otherwise.
+ */
+int local_zone_enter_defaults(struct local_zones* zones,
+	struct config_file* cfg);
+
 /**
   * Parses resource record string into wire format, also returning its field values.
   * @param str: input resource record

services/mesh.c

@@ -174,7 +174,7 @@ client_info_compare(const struct respip_client_info* ci_a,
 	 * but we check that just in case. */
 	if(ci_a->respip_set != ci_b->respip_set)
 		return ci_a->respip_set < ci_b->respip_set ? -1 : 1;
-        return 0;
+	return 0;
 }
 
 int
@@ -821,26 +821,26 @@ void mesh_detach_subs(struct module_qstate* qstate)
 	rbtree_init(&qstate->mesh_info->sub_set, &mesh_state_ref_compare);
 }
 
-int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
-        uint16_t qflags, int prime, int valrec, struct module_qstate** newq)
+int mesh_add_sub(struct module_qstate* qstate, struct query_info* qinfo,
+        uint16_t qflags, int prime, int valrec, struct module_qstate** newq,
+	struct mesh_state** sub)
 {
 	/* find it, if not, create it */
 	struct mesh_area* mesh = qstate->env->mesh;
-	struct mesh_state* sub = mesh_area_find(mesh, NULL, qinfo, qflags,
+	*sub = mesh_area_find(mesh, NULL, qinfo, qflags,
 		prime, valrec);
-	int was_detached;
-	if(mesh_detect_cycle_found(qstate, sub)) {
+	if(mesh_detect_cycle_found(qstate, *sub)) {
 		verbose(VERB_ALGO, "attach failed, cycle detected");
 		return 0;
 	}
-	if(!sub) {
+	if(!*sub) {
 #ifdef UNBOUND_DEBUG
 		struct rbnode_type* n;
 #endif
 		/* create a new one */
-		sub = mesh_state_create(qstate->env, qinfo, NULL, qflags, prime,
+		*sub = mesh_state_create(qstate->env, qinfo, NULL, qflags, prime,
 			valrec);
-		if(!sub) {
+		if(!*sub) {
 			log_err("mesh_attach_sub: out of memory");
 			return 0;
 		}
@@ -849,7 +849,7 @@ int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
 #else
 		(void)
 #endif
-		rbtree_insert(&mesh->all, &sub->node);
+		rbtree_insert(&mesh->all, &(*sub)->node);
 		log_assert(n != NULL);
 		/* set detached (it is now) */
 		mesh->num_detached_states++;
@@ -859,11 +859,22 @@ int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
 #else
 		(void)
 #endif
-		rbtree_insert(&mesh->run, &sub->run_node);
+		rbtree_insert(&mesh->run, &(*sub)->run_node);
 		log_assert(n != NULL);
-		*newq = &sub->s;
+		*newq = &(*sub)->s;
 	} else
 		*newq = NULL;
+	return 1;
+}
+
+int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
+        uint16_t qflags, int prime, int valrec, struct module_qstate** newq)
+{
+	struct mesh_area* mesh = qstate->env->mesh;
+	struct mesh_state* sub = NULL;
+	int was_detached;
+	if(!mesh_add_sub(qstate, qinfo, qflags, prime, valrec, newq, &sub))
+		return 0;
 	was_detached = (sub->super_set.count == 0);
 	if(!mesh_state_attachment(qstate->mesh_info, sub))
 		return 0;

services/mesh.h

@@ -370,6 +370,35 @@ void mesh_detach_subs(struct module_qstate* qstate);
 int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
 	uint16_t qflags, int prime, int valrec, struct module_qstate** newq);
 
+/**
+ * Add detached query.
+ * Creates it if it does not exist already.
+ * Does not make super/sub references.
+ * Performs a cycle detection - for double check - and fails if there is one.
+ * Updates stat items in mesh_area structure.
+ * Pass if it is priming query or not.
+ * return:
+ * 	o if error (malloc) happened.
+ * 	o need to initialise the new state (module init; it is a new state).
+ * 	  so that the next run of the query with this module is successful.
+ * 	o no init needed, attachment successful.
+ * 	o added subquery, created if it did not exist already.
+ *
+ * @param qstate: the state to find mesh state, and that wants to receive
+ * 	the results from the new subquery.
+ * @param qinfo: what to query for (copied).
+ * @param qflags: what flags to use (RD / CD flag or not).
+ * @param prime: if it is a (stub) priming query.
+ * @param valrec: if it is a validation recursion query (lookup of key, DS).
+ * @param newq: If the new subquery needs initialisation, it is returned,
+ * 	otherwise NULL is returned.
+ * @param sub: The added mesh state, created if it did not exist already.
+ * @return: false on error, true if success (and init may be needed).
+ */
+int mesh_add_sub(struct module_qstate* qstate, struct query_info* qinfo,
+        uint16_t qflags, int prime, int valrec, struct module_qstate** newq,
+	struct mesh_state** sub);
+
 /**
  * Query state is done, send messages to reply entries.
  * Encode messages using reply entry values and the querystate (with original

services/modstack.c

@@ -54,6 +54,9 @@
 #ifdef USE_CACHEDB
 #include "cachedb/cachedb.h"
 #endif
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#endif
 #ifdef CLIENT_SUBNET
 #include "edns-subnet/subnetmod.h"
 #endif
@@ -126,17 +129,20 @@ module_list_avail(void)
         static const char* names[] = {
 		"dns64",
 #ifdef WITH_PYTHONMODULE
-		"python", 
+		"python",
 #endif
 #ifdef USE_CACHEDB
 		"cachedb",
 #endif
+#ifdef USE_IPSECMOD
+		"ipsecmod",
+#endif
 #ifdef CLIENT_SUBNET
-		"subnetcache", 
+		"subnetcache",
 #endif
 		"respip",
-		"validator", 
-		"iterator", 
+		"validator",
+		"iterator",
 		NULL};
 	return names;
 }
@@ -151,22 +157,25 @@ module_funcs_avail(void)
         static struct module_func_block* (*fb[])(void) = {
 		&dns64_get_funcblock,
 #ifdef WITH_PYTHONMODULE
-		&pythonmod_get_funcblock, 
+		&pythonmod_get_funcblock,
 #endif
 #ifdef USE_CACHEDB
 		&cachedb_get_funcblock,
 #endif
+#ifdef USE_IPSECMOD
+		&ipsecmod_get_funcblock,
+#endif
 #ifdef CLIENT_SUBNET
-		&subnetmod_get_funcblock, 
+		&subnetmod_get_funcblock,
 #endif
 		&respip_get_funcblock,
-		&val_get_funcblock, 
-		&iter_get_funcblock, 
+		&val_get_funcblock,
+		&iter_get_funcblock,
 		NULL};
 	return fb;
 }
 
-struct 
+struct
 module_func_block* module_factory(const char** str)
 {
         int i = 0;
@@ -234,3 +243,15 @@ modstack_find(struct module_stack* stack, const char* name)
 	}
 	return -1;
 }
+
+size_t
+mod_get_mem(struct module_env* env, const char* name)
+{
+	int m = modstack_find(&env->mesh->mods, name);
+	if(m != -1) {
+		fptr_ok(fptr_whitelist_mod_get_mem(env->mesh->
+			mods.mod[m]->get_mem));
+		return (*env->mesh->mods.mod[m]->get_mem)(env, m);
+	}
+	return 0;
+}

services/modstack.h

@@ -110,4 +110,7 @@ void modstack_desetup(struct module_stack* stack, struct module_env* env);
  */
 int modstack_find(struct module_stack* stack, const char* name);
 
+/** fetch memory for a module by name, returns 0 if module not there */
+size_t mod_get_mem(struct module_env* env, const char* name);
+
 #endif /* SERVICES_MODSTACK_H */

services/outside_network.c

@@ -204,6 +204,9 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
 {
 	struct pending_tcp* pend = w->outnet->tcp_free;
 	int s;
+#ifdef SO_REUSEADDR
+	int on = 1;
+#endif
 	log_assert(pend);
 	log_assert(pkt);
 	log_assert(w->addrlen > 0);
@@ -225,13 +228,20 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
 		return 0;
 	}
 
+#ifdef SO_REUSEADDR
+	if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
+		(socklen_t)sizeof(on)) < 0) {
+		verbose(VERB_ALGO, "outgoing tcp:"
+			" setsockopt(.. SO_REUSEADDR ..) failed");
+	}
+#endif
 	if (w->outnet->tcp_mss > 0) {
 #if defined(IPPROTO_TCP) && defined(TCP_MAXSEG)
 		if(setsockopt(s, IPPROTO_TCP, TCP_MAXSEG,
 			(void*)&w->outnet->tcp_mss,
 			(socklen_t)sizeof(w->outnet->tcp_mss)) < 0) {
 			verbose(VERB_ALGO, "outgoing tcp:"
-				" setsockopt(.. SO_REUSEADDR ..) failed");
+				" setsockopt(.. TCP_MAXSEG ..) failed");
 		}
 #else
 		verbose(VERB_ALGO, "outgoing tcp:"
@@ -1538,18 +1548,22 @@ serviced_udp_send(struct serviced_query* sq, sldns_buffer* buff)
 static int
 serviced_check_qname(sldns_buffer* pkt, uint8_t* qbuf, size_t qbuflen)
 {
-	uint8_t* d1 = sldns_buffer_at(pkt, 12);
+	uint8_t* d1 = sldns_buffer_begin(pkt)+12;
 	uint8_t* d2 = qbuf+10;
 	uint8_t len1, len2;
 	int count = 0;
+	if(sldns_buffer_limit(pkt) < 12+1+4) /* packet too small for qname */
+		return 0;
 	log_assert(qbuflen >= 15 /* 10 header, root, type, class */);
 	len1 = *d1++;
 	len2 = *d2++;
-	if(sldns_buffer_limit(pkt) < 12+1+4) /* packet too small for qname */
-		return 0;
 	while(len1 != 0 || len2 != 0) {
 		if(LABEL_IS_PTR(len1)) {
+			/* check if we can read *d1 with compression ptr rest */
+			if(d1 >= sldns_buffer_at(pkt, sldns_buffer_limit(pkt)))
+				return 0;
 			d1 = sldns_buffer_begin(pkt)+PTR_OFFSET(len1, *d1);
+			/* check if we can read the destination *d1 */
 			if(d1 >= sldns_buffer_at(pkt, sldns_buffer_limit(pkt)))
 				return 0;
 			len1 = *d1++;
@@ -1563,6 +1577,9 @@ serviced_check_qname(sldns_buffer* pkt, uint8_t* qbuf, size_t qbuflen)
 			return 0;
 		if(len1 > LDNS_MAX_LABELLEN)
 			return 0;
+		/* check len1 + 1(next length) are okay to read */
+		if(d1+len1 >= sldns_buffer_at(pkt, sldns_buffer_limit(pkt)))
+			return 0;
 		log_assert(len1 <= LDNS_MAX_LABELLEN);
 		log_assert(len2 <= LDNS_MAX_LABELLEN);
 		log_assert(len1 == len2 && len1 != 0);

services/view.c

@@ -167,6 +167,44 @@ views_apply_cfg(struct views* vs, struct config_file* cfg)
 			lz_cfg.local_data = cv->local_data;
 			lz_cfg.local_zones_nodefault =
 				cv->local_zones_nodefault;
+			if(v->isfirst) {
+				/* Do not add defaults to view-specific
+				 * local-zone when global local zone will be
+				 * used. */
+				struct config_strlist* nd;
+				lz_cfg.local_zones_disable_default = 1;
+				/* Add nodefault zones to list of zones to add,
+				 * so they will be used as if they are
+				 * configured as type transparent */
+				for(nd = cv->local_zones_nodefault; nd;
+					nd = nd->next) {
+					char* nd_str, *nd_type;
+					nd_str = strdup(nd->str);
+					if(!nd_str) {
+						log_err("out of memory");
+						lock_rw_unlock(&v->lock);
+						return 0;
+					}
+					nd_type = strdup("nodefault");
+					if(!nd_type) {
+						log_err("out of memory");
+						free(nd_str);
+						lock_rw_unlock(&v->lock);
+						return 0;
+					}
+					if(!cfg_str2list_insert(
+						&lz_cfg.local_zones, nd_str,
+						nd_type)) {
+						log_err("failed to insert "
+							"default zones into "
+							"local-zone list");
+						free(nd_str);
+						free(nd_type);
+						lock_rw_unlock(&v->lock);
+						return 0;
+					}
+				}
+			}
 			if(!local_zones_apply_cfg(v->local_zones, &lz_cfg)){
 				lock_rw_unlock(&v->lock);
 				return 0;

sldns/keyraw.c

@@ -388,6 +388,27 @@ sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
 }
 #endif /* USE_ECDSA */
 
+#ifdef USE_ED25519
+EVP_PKEY*
+sldns_ed255192pkey_raw(const unsigned char* key, size_t keylen)
+{
+	/* ASN1 for ED25519 is 302a300506032b6570032100 <32byteskey> */
+	uint8_t pre[] = {0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+		0x70, 0x03, 0x21, 0x00};
+	int pre_len = 12;
+	uint8_t buf[256];
+	EVP_PKEY *evp_key;
+	/* pp gets modified by d2i() */
+	const unsigned char* pp = (unsigned char*)buf;
+	if(keylen != 32 || keylen + pre_len > sizeof(buf))
+		return NULL; /* wrong length */
+	memmove(buf, pre, pre_len);
+	memmove(buf+pre_len, key, keylen);
+	evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
+	return evp_key;
+}
+#endif /* USE_ED25519 */
+
 int
 sldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
 	const EVP_MD* md)

sldns/keyraw.h

@@ -92,6 +92,15 @@ EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);
  */
 RSA *sldns_key_buf2rsa_raw(unsigned char* key, size_t len);
 
+/**
+ * Converts a holding buffer with key material to EVP PKEY in openssl.
+ * Only available if ldns was compiled with ED25519.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* sldns_ed255192pkey_raw(const unsigned char* key, size_t len);
+
 /**
  * Utility function to calculate hash using generic EVP_MD pointer.
  * \param[in] data the data to hash.

sldns/parse.c

@@ -120,6 +120,10 @@ sldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 			if (line_nr) {
 				*line_nr = *line_nr + 1;
 			}
+			if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+				*t = '\0';
+				return -1;
+			}
 			*t++ = ' ';
 			prev_c = c;
 			continue;

sldns/rrdef.c

@@ -175,7 +175,7 @@ static const sldns_rdf_type type_tkey_wireformat[] = {
 	LDNS_RDF_TYPE_TIME,
 	LDNS_RDF_TYPE_TIME,
 	LDNS_RDF_TYPE_INT16,
-	LDNS_RDF_TYPE_INT16,
+	LDNS_RDF_TYPE_TSIGERROR,
 	LDNS_RDF_TYPE_INT16_DATA,
 	LDNS_RDF_TYPE_INT16_DATA,
 };
@@ -185,7 +185,7 @@ static const sldns_rdf_type type_tsig_wireformat[] = {
 	LDNS_RDF_TYPE_INT16,
 	LDNS_RDF_TYPE_INT16_DATA,
 	LDNS_RDF_TYPE_INT16,
-	LDNS_RDF_TYPE_INT16,
+	LDNS_RDF_TYPE_TSIGERROR,
 	LDNS_RDF_TYPE_INT16_DATA
 };
 static const sldns_rdf_type type_tlsa_wireformat[] = {
@@ -341,8 +341,12 @@ static sldns_rr_descriptor rdata_field_descriptors[] = {
 	{LDNS_RR_TYPE_NSEC3PARAM, "NSEC3PARAM", 4, 4, type_nsec3param_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
 	/* 52 */
 	{LDNS_RR_TYPE_TLSA, "TLSA", 4, 4, type_tlsa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
-
+	/*53 */
+#ifdef DRAFT_RRTYPES
+	{LDNS_RR_TYPE_SMIMEA, "SMIMEA", 4, 4, type_tlsa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
+#else
 {LDNS_RR_TYPE_NULL, "TYPE53", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
+#endif
 {LDNS_RR_TYPE_NULL, "TYPE54", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
         /* 55
 	 * Hip ends with 0 or more Rendezvous Servers represented as dname's.
@@ -600,6 +604,12 @@ static sldns_rr_descriptor rdata_field_descriptors[] = {
 	{LDNS_RR_TYPE_URI, "URI", 3, 3, type_uri_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
 	/* 257 */
 	{LDNS_RR_TYPE_CAA, "CAA", 3, 3, type_caa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
+#ifdef DRAFT_RRTYPES
+	/* 258 */
+	{LDNS_RR_TYPE_AVC, "AVC", 1, 0, NULL, LDNS_RDF_TYPE_STR, LDNS_RR_NO_COMPRESS, 0 },
+#else
+{LDNS_RR_TYPE_NULL, "TYPE258", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
+#endif
 
 /* split in array, no longer contiguous */
 

sldns/rrdef.h

@@ -38,7 +38,7 @@ extern "C" {
 #define LDNS_KEY_REVOKE_KEY 0x0080 /* used to revoke KSK, rfc 5011 */
 
 /* The first fields are contiguous and can be referenced instantly */
-#define LDNS_RDATA_FIELD_DESCRIPTORS_COMMON 258
+#define LDNS_RDATA_FIELD_DESCRIPTORS_COMMON 259
 
 /** lookuptable for rr classes  */
 extern struct sldns_struct_lookup_table* sldns_rr_classes;
@@ -226,6 +226,7 @@ enum sldns_enum_rr_type
 	LDNS_RR_TYPE_ANY = 255,
 	LDNS_RR_TYPE_URI = 256, /* RFC 7553 */
 	LDNS_RR_TYPE_CAA = 257, /* RFC 6844 */
+	LDNS_RR_TYPE_AVC = 258,
 
 	/** DNSSEC Trust Authorities */
 	LDNS_RR_TYPE_TA = 32768,
@@ -350,6 +351,9 @@ enum sldns_enum_rdf_type
          */
         LDNS_RDF_TYPE_LONG_STR,
 
+	/** TSIG extended 16bit error value */
+	LDNS_RDF_TYPE_TSIGERROR,
+
         /* Aliases */
         LDNS_RDF_TYPE_BITMAP = LDNS_RDF_TYPE_NSEC
 };
@@ -430,6 +434,15 @@ typedef enum sldns_enum_edns_option sldns_edns_option;
 
 #define LDNS_EDNS_MASK_DO_BIT 0x8000
 
+/** TSIG and TKEY extended rcodes (16bit), 0-15 are the normal rcodes. */
+#define LDNS_TSIG_ERROR_NOERROR  0
+#define LDNS_TSIG_ERROR_BADSIG   16
+#define LDNS_TSIG_ERROR_BADKEY   17
+#define LDNS_TSIG_ERROR_BADTIME  18
+#define LDNS_TSIG_ERROR_BADMODE  19
+#define LDNS_TSIG_ERROR_BADNAME  20
+#define LDNS_TSIG_ERROR_BADALG   21
+
 /**
  * Contains all information about resource record types.
  *

sldns/sbuffer.c

@@ -50,6 +50,8 @@ sldns_buffer_new_frm_data(sldns_buffer *buffer, void *data, size_t size)
 	buffer->_limit = buffer->_capacity = size;
 	buffer->_fixed = 0;
 	buffer->_vfixed = 0;
+	if (!buffer->_fixed && buffer->_data)
+		free(buffer->_data);
 	buffer->_data = malloc(size);
 	if(!buffer->_data) {
 		buffer->_status_err = 1;

sldns/str2wire.c

@@ -664,6 +664,14 @@ rrinternal_parse_rdata(sldns_buffer* strbuf, char* token, size_t token_len,
 					&pre_data_pos, delimiters,
 					rdftype, &token_strlen))
 					break;
+			} else if(rdftype == LDNS_RDF_TYPE_INT16_DATA &&
+				strcmp(token, "0")!=0) {
+				/* affix len and b64 fields */
+				if(!sldns_affix_token(strbuf, token,
+					&token_len, &quoted, &parens,
+					&pre_data_pos, delimiters,
+					rdftype, &token_strlen))
+					break;
 			}
 
 			/* normal RR */
@@ -861,6 +869,8 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
 	/* we can have the situation, where we've read ok, but still got
 	 * no bytes to play with, in this case size is 0 */
 	if(size == 0) {
+		if(*len > 0)
+			rr[0] = 0;
 		*len = 0;
 		*dname_len = 0;
 		return LDNS_WIREPARSE_ERR_OK;
@@ -868,6 +878,7 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
 
 	if(strncmp(line, "$ORIGIN", 7) == 0 && isspace((unsigned char)line[7])) {
 		int s;
+		strlcpy((char*)rr, line, *len);
 		*len = 0;
 		*dname_len = 0;
 		if(!parse_state) return LDNS_WIREPARSE_ERR_OK;
@@ -878,12 +889,19 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
 		return s;
 	} else if(strncmp(line, "$TTL", 4) == 0 && isspace((unsigned char)line[4])) {
 		const char* end = NULL;
+		strlcpy((char*)rr, line, *len);
 		*len = 0;
 		*dname_len = 0;
 		if(!parse_state) return LDNS_WIREPARSE_ERR_OK;
 		parse_state->default_ttl = sldns_str2period(
 			sldns_strip_ws(line+5), &end);
 	} else if (strncmp(line, "$INCLUDE", 8) == 0) {
+		strlcpy((char*)rr, line, *len);
+		*len = 0;
+		*dname_len = 0;
+		return LDNS_WIREPARSE_ERR_INCLUDE;
+	} else if (strncmp(line, "$", 1) == 0) {
+		strlcpy((char*)rr, line, *len);
 		*len = 0;
 		*dname_len = 0;
 		return LDNS_WIREPARSE_ERR_INCLUDE;
@@ -940,6 +958,8 @@ int sldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len,
 		return sldns_str2wire_time_buf(str, rd, len);
 	case LDNS_RDF_TYPE_PERIOD:
 		return sldns_str2wire_period_buf(str, rd, len);
+	case LDNS_RDF_TYPE_TSIGTIME:
+		return sldns_str2wire_tsigtime_buf(str, rd, len);
 	case LDNS_RDF_TYPE_LOC:
 		return sldns_str2wire_loc_buf(str, rd, len);
 	case LDNS_RDF_TYPE_WKS:
@@ -964,6 +984,8 @@ int sldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len,
 		return sldns_str2wire_tag_buf(str, rd, len);
 	case LDNS_RDF_TYPE_LONG_STR:
 		return sldns_str2wire_long_str_buf(str, rd, len);
+	case LDNS_RDF_TYPE_TSIGERROR:
+		return sldns_str2wire_tsigerror_buf(str, rd, len);
 	case LDNS_RDF_TYPE_HIP:
 		return sldns_str2wire_hip_buf(str, rd, len);
 	case LDNS_RDF_TYPE_INT16_DATA:
@@ -1341,6 +1363,21 @@ int sldns_str2wire_alg_buf(const char* str, uint8_t* rd, size_t* len)
 	return LDNS_WIREPARSE_ERR_OK;
 }
 
+int sldns_str2wire_tsigerror_buf(const char* str, uint8_t* rd, size_t* len)
+{
+	sldns_lookup_table *lt = sldns_lookup_by_name(sldns_tsig_errors, str);
+	if(*len < 2)
+		return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+	if(lt) {
+		sldns_write_uint16(rd, (uint16_t)lt->id);
+		*len = 2;
+	} else {
+		/* try as-is (a number) */
+		return sldns_str2wire_int16_buf(str, rd, len);
+	}
+	return LDNS_WIREPARSE_ERR_OK;
+}
+
 int sldns_str2wire_time_buf(const char* str, uint8_t* rd, size_t* len)
 {
 	/* convert a time YYYYDDMMHHMMSS to wireformat */
@@ -1383,6 +1420,24 @@ int sldns_str2wire_time_buf(const char* str, uint8_t* rd, size_t* len)
 	return LDNS_WIREPARSE_ERR_OK;
 }
 
+int sldns_str2wire_tsigtime_buf(const char* str, uint8_t* rd, size_t* len)
+{
+	char* end;
+	uint64_t t = (uint64_t)strtol((char*)str, &end, 10);
+	uint16_t high;
+	uint32_t low;
+	if(*end != 0)
+		return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_TIME, end-str);
+	if(*len < 6)
+		return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+	high = (uint16_t)(t>>32);
+	low = (uint32_t)(t);
+	sldns_write_uint16(rd, high);
+	sldns_write_uint32(rd+2, low);
+	*len = 6;
+	return LDNS_WIREPARSE_ERR_OK;
+}
+
 int sldns_str2wire_period_buf(const char* str, uint8_t* rd, size_t* len)
 {
 	const char* end;
@@ -2008,16 +2063,29 @@ int sldns_str2wire_hip_buf(const char* str, uint8_t* rd, size_t* len)
 
 int sldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len)
 {
-	size_t sz = sldns_b64_pton_calculate_size(strlen(str));
+	char* s;
 	int n;
-	if(*len < sz+2)
+	n = strtol(str, &s, 10);
+	if(*len < ((size_t)n)+2)
 		return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
-	if(sz > 65535)
+	if(n > 65535)
 		return LDNS_WIREPARSE_ERR_LABEL_OVERFLOW;
-	n = sldns_b64_pton(str, rd+2, (*len)-2);
+
+	if(n == 0) {
+		sldns_write_uint16(rd, 0);
+		*len = 2;
+		return LDNS_WIREPARSE_ERR_OK;
+	}
+	if(*s != ' ')
+		return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_INT, s-(char*)str);
+	s++;
+	while(*s == ' ')
+		s++;
+
+	n = sldns_b64_pton(s, rd+2, (*len)-2);
 	if(n < 0)
 		return LDNS_WIREPARSE_ERR_SYNTAX_B64;
 	sldns_write_uint16(rd, (uint16_t)n);
-	*len = (size_t)n;
+	*len = ((size_t)n)+2;
 	return LDNS_WIREPARSE_ERR_OK;
 }

sldns/str2wire.h

@@ -237,6 +237,8 @@ struct sldns_file_parse_state {
  * @param rr: this is malloced by the user and the result is stored here,
  * 	if an RR is read.  If no RR is read this is signalled with the
  * 	return len set to 0 (for ORIGIN, TTL directives).
+ * 	The read line is available in the rr_buf (zero terminated), for
+ * 	$DIRECTIVE style elements.
  * @param len: on input, the length of the rr buffer.  on output the rr len.
  * 	Buffer size of 64k should be enough.
  * @param dname_len: returns the length of the dname initial part of the rr.
@@ -417,6 +419,24 @@ int sldns_str2wire_time_buf(const char* str, uint8_t* rd, size_t* len);
  */
 int sldns_str2wire_period_buf(const char* str, uint8_t* rd, size_t* len);
 
+/**
+ * Convert rdf of type LDNS_RDF_TYPE_TSIGTIME from string to wireformat.
+ * @param str: the text to convert for this rdata element.
+ * @param rd: rdata buffer for the wireformat.
+ * @param len: length of rd buffer on input, used length on output.
+ * @return 0 on success, error on failure.
+ */
+int sldns_str2wire_tsigtime_buf(const char* str, uint8_t* rd, size_t* len);
+
+/**
+ * Convert rdf of type LDNS_RDF_TYPE_TSIGERROR from string to wireformat.
+ * @param str: the text to convert for this rdata element.
+ * @param rd: rdata buffer for the wireformat.
+ * @param len: length of rd buffer on input, used length on output.
+ * @return 0 on success, error on failure.
+ */
+int sldns_str2wire_tsigerror_buf(const char* str, uint8_t* rd, size_t* len);
+
 /**
  * Convert rdf of type LDNS_RDF_TYPE_LOC from string to wireformat.
  * @param str: the text to convert for this rdata element.

sldns/wire2str.c

@@ -173,6 +173,28 @@ static sldns_lookup_table sldns_edns_options_data[] = {
 };
 sldns_lookup_table* sldns_edns_options = sldns_edns_options_data;
 
+static sldns_lookup_table sldns_tsig_errors_data[] = {
+	{ LDNS_TSIG_ERROR_NOERROR, "NOERROR" },
+	{ LDNS_RCODE_FORMERR, "FORMERR" },
+	{ LDNS_RCODE_SERVFAIL, "SERVFAIL" },
+	{ LDNS_RCODE_NXDOMAIN, "NXDOMAIN" },
+	{ LDNS_RCODE_NOTIMPL, "NOTIMPL" },
+	{ LDNS_RCODE_REFUSED, "REFUSED" },
+	{ LDNS_RCODE_YXDOMAIN, "YXDOMAIN" },
+	{ LDNS_RCODE_YXRRSET, "YXRRSET" },
+	{ LDNS_RCODE_NXRRSET, "NXRRSET" },
+	{ LDNS_RCODE_NOTAUTH, "NOTAUTH" },
+	{ LDNS_RCODE_NOTZONE, "NOTZONE" },
+	{ LDNS_TSIG_ERROR_BADSIG, "BADSIG" },
+	{ LDNS_TSIG_ERROR_BADKEY, "BADKEY" },
+	{ LDNS_TSIG_ERROR_BADTIME, "BADTIME" },
+	{ LDNS_TSIG_ERROR_BADMODE, "BADMODE" },
+	{ LDNS_TSIG_ERROR_BADNAME, "BADNAME" },
+	{ LDNS_TSIG_ERROR_BADALG, "BADALG" },
+	{ 0, NULL }
+};
+sldns_lookup_table* sldns_tsig_errors = sldns_tsig_errors_data;
+
 char* sldns_wire2str_pkt(uint8_t* data, size_t len)
 {
 	size_t slen = (size_t)sldns_wire2str_pkt_buf(data, len, NULL, 0);
@@ -976,6 +998,8 @@ int sldns_wire2str_rdf_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
 		return sldns_wire2str_tag_scan(d, dlen, s, slen);
 	case LDNS_RDF_TYPE_LONG_STR:
 		return sldns_wire2str_long_str_scan(d, dlen, s, slen);
+	case LDNS_RDF_TYPE_TSIGERROR:
+		return sldns_wire2str_tsigerror_scan(d, dlen, s, slen);
 	}
 	/* unknown rdf type */
 	return -1;
@@ -1574,6 +1598,7 @@ int sldns_wire2str_hip_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 
 int sldns_wire2str_int16_data_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 {
+	int w;
 	uint16_t n;
 	if(*dl < 2)
 		return -1;
@@ -1582,7 +1607,12 @@ int sldns_wire2str_int16_data_scan(uint8_t** d, size_t* dl, char** s, size_t* sl
 		return -1;
 	(*d)+=2;
 	(*dl)-=2;
-	return sldns_wire2str_b64_scan_num(d, dl, s, sl, n);
+	if(n == 0) {
+		return sldns_str_print(s, sl, "0");
+	}
+	w = sldns_str_print(s, sl, "%u ", (unsigned)n);
+	w += sldns_wire2str_b64_scan_num(d, dl, s, sl, n);
+	return w;
 }
 
 int sldns_wire2str_nsec3_next_owner_scan(uint8_t** d, size_t* dl, char** s,
@@ -1639,10 +1669,10 @@ int sldns_wire2str_tag_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 	if(*dl < 1+n)
 		return -1;
 	for(i=0; i<n; i++)
-		if(!isalnum((unsigned char)(*d)[i]))
+		if(!isalnum((unsigned char)(*d)[i+1]))
 			return -1;
 	for(i=0; i<n; i++)
-		w += sldns_str_print(s, sl, "%c", (char)(*d)[i]);
+		w += sldns_str_print(s, sl, "%c", (char)(*d)[i+1]);
 	(*d)+=n+1;
 	(*dl)-=(n+1);
 	return w;
@@ -1661,6 +1691,21 @@ int sldns_wire2str_long_str_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 	return w;
 }
 
+int sldns_wire2str_tsigerror_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
+{
+	sldns_lookup_table *lt;
+	int data, w;
+	if(*dl < 2) return -1;
+	data = (int)sldns_read_uint16(*d);
+	lt = sldns_lookup_by_id(sldns_tsig_errors, data);
+	if(lt && lt->name)
+		w = sldns_str_print(s, sl, "%s", lt->name);
+	else 	w = sldns_str_print(s, sl, "%d", data);
+	(*dl)-=2;
+	(*d)+=2;
+	return w;
+}
+
 int sldns_wire2str_edns_llq_print(char** s, size_t* sl, uint8_t* data,
 	size_t len)
 {

sldns/wire2str.h

@@ -38,6 +38,8 @@ extern struct sldns_struct_lookup_table* sldns_edns_flags;
 extern struct sldns_struct_lookup_table* sldns_edns_options;
 /** error string from wireparse */
 extern struct sldns_struct_lookup_table* sldns_wireparse_errors;
+/** tsig errors are the rcodes with extra (higher) values */
+extern struct sldns_struct_lookup_table* sldns_tsig_errors;
 
 /**
  * Convert wireformat packet to a string representation
@@ -807,6 +809,19 @@ int sldns_wire2str_hip_scan(uint8_t** data, size_t* data_len, char** str,
 int sldns_wire2str_int16_data_scan(uint8_t** data, size_t* data_len, char** str,
 	size_t* str_len);
 
+/**
+ * Scan wireformat tsigerror field to string, with user buffers.
+ * It shifts the arguments to move along (see sldns_wire2str_pkt_scan).
+ * @param data: wireformat data.
+ * @param data_len: length of data buffer.
+ * @param str: string buffer.
+ * @param str_len: length of string buffer.
+ * @return number of characters (except null) needed to print.
+ * 	Can return -1 on failure.
+ */
+int sldns_wire2str_tsigerror_scan(uint8_t** data, size_t* data_len, char** str,
+	size_t* str_len);
+
 /**
  * Scan wireformat nsec3_next_owner field to string, with user buffers.
  * It shifts the arguments to move along (see sldns_wire2str_pkt_scan).

smallapp/unbound-anchor.c

@@ -241,6 +241,8 @@ static const char*
 get_builtin_ds(void)
 {
 	return
+/* The anchors must start on a new line with ". IN DS and end with \n"[;]
+ * because the makedist script greps on the source here */
 /* anchor 19036 is from 2010 */
 /* anchor 20326 is from 2017 */
 ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"

smallapp/unbound-checkconf.c

@@ -4,22 +4,22 @@
  * Copyright (c) 2007, NLnet Labs. All rights reserved.
  *
  * This software is open source.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
- * 
+ *
  * Redistributions of source code must retain the above copyright notice,
  * this list of conditions and the following disclaimer.
- * 
+ *
  * Redistributions in binary form must reproduce the above copyright notice,
  * this list of conditions and the following disclaimer in the documentation
  * and/or other materials provided with the distribution.
- * 
+ *
  * Neither the name of the NLNET LABS nor the names of its contributors may
  * be used to endorse or promote products derived from this software without
  * specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
@@ -88,10 +88,10 @@ usage(void)
 	exit(1);
 }
 
-/** 
- * Print given option to stdout 
+/**
+ * Print given option to stdout
  * @param cfg: config
- * @param opt: option name without trailing :. 
+ * @param opt: option name without trailing :.
  *	This is different from config_set_option.
  * @param final: if final pathname with chroot applied has to be printed.
  */
@@ -156,9 +156,9 @@ view_and_respipchecks(struct config_file* cfg)
 		fatal_exit("Could not create respip set: out of memory");
 	if(!views_apply_cfg(views, cfg))
 		fatal_exit("Could not set up views");
-        if(!respip_global_apply_cfg(respip, cfg))
+	if(!respip_global_apply_cfg(respip, cfg))
 		fatal_exit("Could not setup respip set");
-        if(!respip_views_apply_cfg(views, cfg, &ignored))
+	if(!respip_views_apply_cfg(views, cfg, &ignored))
 		fatal_exit("Could not setup per-view respip sets");
 	views_delete(views);
 	respip_set_delete(respip);
@@ -178,7 +178,7 @@ warn_hosts(const char* typ, struct config_stub* list)
 				fprintf(stderr, "unbound-checkconf: warning:"
 				  " %s %s: \"%s\" is an IP%s address, "
 				  "and when looked up as a host name "
-				  "during use may not resolve.\n", 
+				  "during use may not resolve.\n",
 				  s->name, typ, h->str,
 				  addr_is_ip6(&a, alen)?"6":"4");
 			}
@@ -230,7 +230,7 @@ aclchecks(struct config_file* cfg)
 	socklen_t alen;
 	struct config_str2list* acl;
 	for(acl=cfg->acls; acl; acl = acl->next) {
-		if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen, 
+		if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen,
 			&d)) {
 			fatal_exit("cannot parse access control address %s %s",
 				acl->str, acl->str2);
@@ -240,7 +240,7 @@ aclchecks(struct config_file* cfg)
 
 /** true if fname is a file */
 static int
-is_file(const char* fname) 
+is_file(const char* fname)
 {
 	struct stat buf;
 	if(stat(fname, &buf) < 0) {
@@ -260,7 +260,7 @@ is_file(const char* fname)
 
 /** true if fname is a directory */
 static int
-is_dir(const char* fname) 
+is_dir(const char* fname)
 {
 	struct stat buf;
 	if(stat(fname, &buf) < 0) {
@@ -305,7 +305,7 @@ check_chroot_string(const char* desc, char** ss,
 				fatal_exit("%s: \"%s\" does not exist in "
 					"chrootdir %s", desc, str, chrootdir);
 			else
-				fatal_exit("%s: \"%s\" does not exist", 
+				fatal_exit("%s: \"%s\" does not exist",
 					desc, str);
 		}
 		/* put in a new full path for continued checking */
@@ -332,8 +332,8 @@ check_chroot_filelist_wild(const char* desc, struct config_strlist* list,
 	struct config_strlist* p;
 	for(p=list; p; p=p->next) {
 #ifdef HAVE_GLOB
-		if(strchr(p->str, '*') || strchr(p->str, '[') || 
-			strchr(p->str, '?') || strchr(p->str, '{') || 
+		if(strchr(p->str, '*') || strchr(p->str, '[') ||
+			strchr(p->str, '?') || strchr(p->str, '{') ||
 			strchr(p->str, '~')) {
 			char* s = p->str;
 			/* adjust whole pattern for chroot and check later */
@@ -370,11 +370,11 @@ morechecks(struct config_file* cfg, const char* fname)
 #ifdef UB_ON_WINDOWS
 	w_config_adjust_directory(cfg);
 #endif
-	if(cfg->chrootdir && cfg->chrootdir[0] && 
+	if(cfg->chrootdir && cfg->chrootdir[0] &&
 		cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/')
 		fatal_exit("chootdir %s has trailing slash '/' please remove.",
 			cfg->chrootdir);
-	if(cfg->chrootdir && cfg->chrootdir[0] && 
+	if(cfg->chrootdir && cfg->chrootdir[0] &&
 		!is_dir(cfg->chrootdir)) {
 		fatal_exit("bad chroot directory");
 	}
@@ -416,16 +416,20 @@ morechecks(struct config_file* cfg, const char* fname)
 		}
 	}
 
-	check_chroot_filelist("file with root-hints", 
+	check_chroot_filelist("file with root-hints",
 		cfg->root_hints, cfg->chrootdir, cfg);
-	check_chroot_filelist("trust-anchor-file", 
+	check_chroot_filelist("trust-anchor-file",
 		cfg->trust_anchor_file_list, cfg->chrootdir, cfg);
-	check_chroot_filelist("auto-trust-anchor-file", 
+	check_chroot_filelist("auto-trust-anchor-file",
 		cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg);
-	check_chroot_filelist_wild("trusted-keys-file", 
+	check_chroot_filelist_wild("trusted-keys-file",
 		cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
-	check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file, 
+	check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
 		cfg->chrootdir, cfg);
+#ifdef USE_IPSECMOD
+	check_chroot_string("ipsecmod-hook", &cfg->ipsecmod_hook, cfg->chrootdir,
+		cfg);
+#endif
 	/* remove chroot setting so that modules are not stripping pathnames*/
 	free(cfg->chrootdir);
 	cfg->chrootdir = NULL;
@@ -434,21 +438,21 @@ morechecks(struct config_file* cfg, const char* fname)
 	 * dns64, but it's not explicitly confirmed,  so the combination is
 	 * excluded below.   It's simply unknown yet for the combination of
 	 * respip and other modules. */
-	if(strcmp(cfg->module_conf, "iterator") != 0 
+	if(strcmp(cfg->module_conf, "iterator") != 0
 		&& strcmp(cfg->module_conf, "validator iterator") != 0
 		&& strcmp(cfg->module_conf, "dns64 validator iterator") != 0
 		&& strcmp(cfg->module_conf, "dns64 iterator") != 0
 		&& strcmp(cfg->module_conf, "respip iterator") != 0
 		&& strcmp(cfg->module_conf, "respip validator iterator") != 0
 #ifdef WITH_PYTHONMODULE
-		&& strcmp(cfg->module_conf, "python iterator") != 0 
-		&& strcmp(cfg->module_conf, "python validator iterator") != 0 
+		&& strcmp(cfg->module_conf, "python iterator") != 0
+		&& strcmp(cfg->module_conf, "python validator iterator") != 0
 		&& strcmp(cfg->module_conf, "validator python iterator") != 0
-		&& strcmp(cfg->module_conf, "dns64 python iterator") != 0 
-		&& strcmp(cfg->module_conf, "dns64 python validator iterator") != 0 
+		&& strcmp(cfg->module_conf, "dns64 python iterator") != 0
+		&& strcmp(cfg->module_conf, "dns64 python validator iterator") != 0
 		&& strcmp(cfg->module_conf, "dns64 validator python iterator") != 0
-		&& strcmp(cfg->module_conf, "python dns64 iterator") != 0 
-		&& strcmp(cfg->module_conf, "python dns64 validator iterator") != 0 
+		&& strcmp(cfg->module_conf, "python dns64 iterator") != 0
+		&& strcmp(cfg->module_conf, "python dns64 validator iterator") != 0
 #endif
 #ifdef USE_CACHEDB
 		&& strcmp(cfg->module_conf, "validator cachedb iterator") != 0
@@ -468,16 +472,28 @@ morechecks(struct config_file* cfg, const char* fname)
 		&& strcmp(cfg->module_conf, "validator python cachedb iterator") != 0
 #endif
 #ifdef CLIENT_SUBNET
-		&& strcmp(cfg->module_conf, "subnetcache iterator") != 0 
+		&& strcmp(cfg->module_conf, "subnetcache iterator") != 0
 		&& strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
 #endif
 #if defined(WITH_PYTHONMODULE) && defined(CLIENT_SUBNET)
 		&& strcmp(cfg->module_conf, "python subnetcache iterator") != 0
-		&& strcmp(cfg->module_conf, "subnetcache python iterator") != 0 
+		&& strcmp(cfg->module_conf, "subnetcache python iterator") != 0
 		&& strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
 		&& strcmp(cfg->module_conf, "python subnetcache validator iterator") != 0
 		&& strcmp(cfg->module_conf, "subnetcache python validator iterator") != 0
 		&& strcmp(cfg->module_conf, "subnetcache validator python iterator") != 0
+#endif
+#ifdef USE_IPSECMOD
+		&& strcmp(cfg->module_conf, "ipsecmod iterator") != 0
+		&& strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
+#endif
+#if defined(WITH_PYTHONMODULE) && defined(USE_IPSECMOD)
+		&& strcmp(cfg->module_conf, "python ipsecmod iterator") != 0
+		&& strcmp(cfg->module_conf, "ipsecmod python iterator") != 0
+		&& strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
+		&& strcmp(cfg->module_conf, "python ipsecmod validator iterator") != 0
+		&& strcmp(cfg->module_conf, "ipsecmod python validator iterator") != 0
+		&& strcmp(cfg->module_conf, "ipsecmod validator python iterator") != 0
 #endif
 		) {
 		fatal_exit("module conf '%s' is not known to work",

smallapp/unbound-control.c

@@ -161,7 +161,7 @@ usage(void)
 static const int inhibit_zero = 1;
 /** divide sum of timers to get average */
 static void
-timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
+timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
 {
 #ifndef S_SPLINT_S
 	size_t leftover;
@@ -184,12 +184,14 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
 #define PR_UL_SUB(str, nm, var) printf(str".%s"SQ"%lu\n", nm, (unsigned long)(var));
 #define PR_TIMEVAL(str, var) printf(str SQ ARG_LL "d.%6.6d\n", \
 	(long long)var.tv_sec, (int)var.tv_usec);
+#define PR_STATSTIME(str, var) printf(str SQ ARG_LL "d.%6.6d\n", \
+	(long long)var ## _sec, (int)var ## _usec);
 #define PR_LL(str, var) printf(str SQ ARG_LL"d\n", (long long)(var));
 
 /** print stat block */
-static void pr_stats(const char* nm, struct stats_info* s)
+static void pr_stats(const char* nm, struct ub_stats_info* s)
 {
-	struct timeval avg;
+	struct timeval sumwait, avg;
 	PR_UL_NM("num.queries", s->svr.num_queries);
 	PR_UL_NM("num.queries_ip_ratelimited", 
 		s->svr.num_queries_ip_ratelimited);
@@ -209,14 +211,18 @@ static void pr_stats(const char* nm, struct stats_info* s)
 	printf("%s.requestlist.avg"SQ"%g\n", nm,
 		(s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)?
 			(double)s->svr.sum_query_list_size/
-			(s->svr.num_queries_missed_cache+
+			(double)(s->svr.num_queries_missed_cache+
 			s->svr.num_queries_prefetch) : 0.0);
 	PR_UL_NM("requestlist.max", s->svr.max_query_list_size);
 	PR_UL_NM("requestlist.overwritten", s->mesh_jostled);
 	PR_UL_NM("requestlist.exceeded", s->mesh_dropped);
 	PR_UL_NM("requestlist.current.all", s->mesh_num_states);
 	PR_UL_NM("requestlist.current.user", s->mesh_num_reply_states);
-	timeval_divide(&avg, &s->mesh_replies_sum_wait, s->mesh_replies_sent);
+#ifndef S_SPLINT_S
+	sumwait.tv_sec = s->mesh_replies_sum_wait_sec;
+	sumwait.tv_usec = s->mesh_replies_sum_wait_usec;
+#endif
+	timeval_divide(&avg, &sumwait, s->mesh_replies_sent);
 	printf("%s.", nm);
 	PR_TIMEVAL("recursion.time.avg", avg);
 	printf("%s.recursion.time.median"SQ"%g\n", nm, s->mesh_time_median);
@@ -224,27 +230,31 @@ static void pr_stats(const char* nm, struct stats_info* s)
 }
 
 /** print uptime */
-static void print_uptime(struct shm_stat_info* shm_stat)
+static void print_uptime(struct ub_shm_stat_info* shm_stat)
 {
-	PR_TIMEVAL("time.now", shm_stat->time.now);
-	PR_TIMEVAL("time.up", shm_stat->time.up);
-	PR_TIMEVAL("time.elapsed", shm_stat->time.elapsed);
+	PR_STATSTIME("time.now", shm_stat->time.now);
+	PR_STATSTIME("time.up", shm_stat->time.up);
+	PR_STATSTIME("time.elapsed", shm_stat->time.elapsed);
 }
 
 /** print memory usage */
-static void print_mem(struct shm_stat_info* shm_stat)
+static void print_mem(struct ub_shm_stat_info* shm_stat)
 {
 	PR_LL("mem.cache.rrset", shm_stat->mem.rrset);
 	PR_LL("mem.cache.message", shm_stat->mem.msg);
-	PR_LL("mem.cache.iterator", shm_stat->mem.iter);
-	PR_LL("mem.cache.validator", shm_stat->mem.val);
+	PR_LL("mem.mod.iterator", shm_stat->mem.iter);
+	PR_LL("mem.mod.validator", shm_stat->mem.val);
+	PR_LL("mem.mod.respip", shm_stat->mem.respip);
 #ifdef CLIENT_SUBNET
-	PR_LL("mem.cache.subnet", shm_stat->mem.subnet);
+	PR_LL("mem.mod.subnet", shm_stat->mem.subnet);
+#endif
+#ifdef USE_IPSECMOD
+	PR_LL("mem.mod.ipsecmod", shm_stat->mem.ipsecmod);
 #endif
 }
 
 /** print histogram */
-static void print_hist(struct stats_info* s)
+static void print_hist(struct ub_stats_info* s)
 {
 	struct timehist* hist;
 	size_t i;
@@ -264,13 +274,13 @@ static void print_hist(struct stats_info* s)
 }
 
 /** print extended */
-static void print_extended(struct stats_info* s)
+static void print_extended(struct ub_stats_info* s)
 {
 	int i;
 	char nm[16];
 
 	/* TYPE */
-	for(i=0; i<STATS_QTYPE_NUM; i++) {
+	for(i=0; i<UB_STATS_QTYPE_NUM; i++) {
 		if(inhibit_zero && s->svr.qtype[i] == 0)
 			continue;
 		sldns_wire2str_type_buf((uint16_t)i, nm, sizeof(nm));
@@ -281,7 +291,7 @@ static void print_extended(struct stats_info* s)
 	}
 
 	/* CLASS */
-	for(i=0; i<STATS_QCLASS_NUM; i++) {
+	for(i=0; i<UB_STATS_QCLASS_NUM; i++) {
 		if(inhibit_zero && s->svr.qclass[i] == 0)
 			continue;
 		sldns_wire2str_class_buf((uint16_t)i, nm, sizeof(nm));
@@ -292,7 +302,7 @@ static void print_extended(struct stats_info* s)
 	}
 
 	/* OPCODE */
-	for(i=0; i<STATS_OPCODE_NUM; i++) {
+	for(i=0; i<UB_STATS_OPCODE_NUM; i++) {
 		if(inhibit_zero && s->svr.qopcode[i] == 0)
 			continue;
 		sldns_wire2str_opcode_buf(i, nm, sizeof(nm));
@@ -317,7 +327,7 @@ static void print_extended(struct stats_info* s)
 	PR_UL("num.query.edns.DO", s->svr.qEDNS_DO);
 
 	/* RCODE */
-	for(i=0; i<STATS_RCODE_NUM; i++) {
+	for(i=0; i<UB_STATS_RCODE_NUM; i++) {
 		/* Always include RCODEs 0-5 */
 		if(inhibit_zero && i > LDNS_RCODE_REFUSED && s->svr.ans_rcode[i] == 0)
 			continue;
@@ -342,8 +352,8 @@ static void print_extended(struct stats_info* s)
 }
 
 /** print statistics out of memory structures */
-static void do_stats_shm(struct config_file* cfg, struct stats_info* stats,
-	struct shm_stat_info* shm_stat)
+static void do_stats_shm(struct config_file* cfg, struct ub_stats_info* stats,
+	struct ub_shm_stat_info* shm_stat)
 {
 	int i;
 	char nm[16];
@@ -366,8 +376,8 @@ static void print_stats_shm(const char* cfgfile)
 {
 #ifdef HAVE_SHMGET
 	struct config_file* cfg;
-	struct stats_info* stats;
-	struct shm_stat_info* shm_stat;
+	struct ub_stats_info* stats;
+	struct ub_shm_stat_info* shm_stat;
 	int id_ctl, id_arr;
 	/* read config */
 	if(!(cfg = config_create()))
@@ -383,11 +393,11 @@ static void print_stats_shm(const char* cfgfile)
 	if(id_arr == -1) {
 		fatal_exit("shmget(%d): %s", cfg->shm_key+1, strerror(errno));
 	}
-	shm_stat = (struct shm_stat_info*)shmat(id_ctl, NULL, 0);
+	shm_stat = (struct ub_shm_stat_info*)shmat(id_ctl, NULL, 0);
 	if(shm_stat == (void*)-1) {
 		fatal_exit("shmat(%d): %s", id_ctl, strerror(errno));
 	}
-	stats = (struct stats_info*)shmat(id_arr, NULL, 0);
+	stats = (struct ub_stats_info*)shmat(id_arr, NULL, 0);
 	if(stats == (void*)-1) {
 		fatal_exit("shmat(%d): %s", id_arr, strerror(errno));
 	}

testcode/do-tests.sh

@@ -9,7 +9,7 @@ NEED_CURL='06-ianaports.tpkg root_anchor.tpkg'
 NEED_WHOAMI='07-confroot.tpkg'
 NEED_IPV6='fwd_ancil.tpkg fwd_tcp_tc6.tpkg stub_udp6.tpkg edns_cache.tpkg'
 NEED_NOMINGW='tcp_sigpipe.tpkg 07-confroot.tpkg 08-host-lib.tpkg fwd_ancil.tpkg'
-NEED_DNSCRYPT_PROXY='dnscrypt_queries.tpkg'
+NEED_DNSCRYPT_PROXY='dnscrypt_queries.tpkg dnscrypt_queries_chacha.tpkg'
 
 # test if dig and ldns-testns are available.
 test_tool_avail "dig"

testcode/replay.c

@@ -488,6 +488,7 @@ replay_scenario_read(FILE* in, const char* name, int* lineno)
 			return scen;
 		}
 	}
+	log_err("scenario read failed at line %d (no SCENARIO_END?)", *lineno);
 	replay_scenario_delete(scen);
 	return NULL;
 }

testcode/streamtcp.c

@@ -143,7 +143,9 @@ write_q(int fd, int udp, SSL* ssl, sldns_buffer* buf, uint16_t id,
 		edns.edns_present = 1;
 		edns.bits = EDNS_DO;
 		edns.udp_size = 4096;
-		attach_edns_record(buf, &edns);
+		if(sldns_buffer_capacity(buf) >=
+			sldns_buffer_limit(buf)+calc_edns_field_size(&edns))
+			attach_edns_record(buf, &edns);
 	}
 
 	/* send it */

testcode/testbound.c

@@ -78,6 +78,7 @@ testbound_usage(void)
 	printf("-g 	detect GOST support (exit code 0 or 1)\n");
 	printf("-e 	detect ECDSA support (exit code 0 or 1)\n");
 	printf("-c 	detect CLIENT_SUBNET support (exit code 0 or 1)\n");
+	printf("-i 	detect IPSECMOD support (exit code 0 or 1)\n");
 	printf("-s 	testbound self-test - unit test of testbound parts.\n");
 	printf("-o str  unbound commandline options separated by spaces.\n");
 	printf("Version %s\n", PACKAGE_VERSION);
@@ -281,7 +282,7 @@ main(int argc, char* argv[])
 	pass_argc = 1;
 	pass_argv[0] = "unbound";
 	add_opts("-d", &pass_argc, pass_argv);
-	while( (c=getopt(argc, argv, "12egho:p:s")) != -1) {
+	while( (c=getopt(argc, argv, "12egciho:p:s")) != -1) {
 		switch(c) {
 		case 's':
 			free(pass_argv[1]);
@@ -335,6 +336,15 @@ main(int argc, char* argv[])
 #else
 			printf("CLIENT_SUBNET not supported\n");
 			exit(1);
+#endif
+			break;
+		case 'i':
+#ifdef USE_IPSECMOD
+			printf("IPSECMOD supported\n");
+			exit(0);
+#else
+			printf("IPSECMOD not supported\n");
+			exit(1);
 #endif
 			break;
 		case 'p':

testcode/unitauth.c

@@ -0,0 +1,858 @@
+/*
+ * testcode/unitauth.c - unit test for authzone authoritative zone code.
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/**
+ * \file
+ * Unit test for auth zone code.
+ */
+#include "config.h"
+#include "services/authzone.h"
+#include "testcode/unitmain.h"
+#include "util/regional.h"
+#include "util/net_help.h"
+#include "util/data/msgreply.h"
+#include "services/cache/dns.h"
+#include "sldns/str2wire.h"
+#include "sldns/wire2str.h"
+#include "sldns/sbuffer.h"
+
+/** verbosity for this test */
+static int vbmp = 0;
+
+/** struct for query and answer checks */
+struct q_ans {
+	/** zone to query (delegpt) */
+	const char* zone;
+	/** query name, class, type */
+	const char* query;
+	/** additional flags or "" */
+	const char* flags;
+	/** expected answer to check against, multi-line string */
+	const char* answer;
+};
+
+/** auth zone for test */
+static const char* zone_example_com =
+"example.com.	3600	IN	SOA	ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+"example.com.	3600	IN	A	10.0.0.1\n"
+"example.com.	3600	IN	NS	ns.example.com.\n"
+"example.com.	3600	IN	MX	50 mail.example.com.\n"
+"deep.ent.example.com.	3600	IN	A	10.0.0.9\n"
+"mail.example.com.	3600	IN	A	10.0.0.4\n"
+"ns.example.com.	3600	IN	A	10.0.0.5\n"
+"out.example.com.	3600	IN	CNAME	www.example.com.\n"
+"plan.example.com.	3600	IN	CNAME	nonexist.example.com.\n"
+"redir.example.com.	3600	IN	DNAME	redir.example.org.\n"
+"sub.example.com.	3600	IN	NS	ns1.sub.example.com.\n"
+"sub.example.com.	3600	IN	NS	ns2.sub.example.com.\n"
+"ns1.sub.example.com.	3600	IN	A	10.0.0.6\n"
+"ns2.sub.example.com.	3600	IN	AAAA	2001::7\n"
+"*.wild.example.com.	3600	IN	A	10.0.0.8\n"
+"*.wild2.example.com.	3600	IN	CNAME	www.example.com.\n"
+"*.wild3.example.com.	3600	IN	A	10.0.0.8\n"
+"*.wild3.example.com.	3600	IN	MX	50 mail.example.com.\n"
+"www.example.com.	3600	IN	A	10.0.0.2\n"
+"www.example.com.	3600	IN	A	10.0.0.3\n"
+"yy.example.com.	3600	IN	TXT	\"a\"\n"
+"yy.example.com.	3600	IN	TXT	\"b\"\n"
+"yy.example.com.	3600	IN	TXT	\"c\"\n"
+"yy.example.com.	3600	IN	TXT	\"d\"\n"
+"yy.example.com.	3600	IN	TXT	\"e\"\n"
+"yy.example.com.	3600	IN	TXT	\"f\"\n"
+
+/* and some tests for RRSIGs (rrsig is www.nlnetlabs.nl copy) */
+/* normal: domain and 1 rrsig */
+"z1.example.com.	3600	IN	A	10.0.0.10\n"
+"z1.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+/* normal: domain and 2 rrsigs */
+"z2.example.com.	3600	IN	A	10.0.0.10\n"
+"z2.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+"z2.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 12345 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 12345}\n"
+/* normal: domain and 3 rrsigs */
+"z3.example.com.	3600	IN	A	10.0.0.10\n"
+"z3.example.com.	3600	IN	A	10.0.0.11\n"
+"z3.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+"z3.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 12345 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 12345}\n"
+"z3.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 12356 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 12356}\n"
+/* just an RRSIG rrset with nothing else */
+"z4.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+/* just an RRSIG rrset with nothing else, 2 rrsigs */
+"z5.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+"z5.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 12345 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 12345}\n"
+#if 0 /* comparison of file does not work on this part because duplicates */
+      /* are removed and the rrsets are reordered */
+/* first rrsig, then A record */
+"z6.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+"z6.example.com.	3600	IN	A	10.0.0.10\n"
+/* first two rrsigs, then A record */
+"z7.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+"z7.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 12345 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 12345}\n"
+"z7.example.com.	3600	IN	A	10.0.0.10\n"
+/* first two rrsigs, then two A records */
+"z8.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+"z8.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 12345 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 12345}\n"
+"z8.example.com.	3600	IN	A	10.0.0.10\n"
+"z8.example.com.	3600	IN	A	10.0.0.11\n"
+/* duplicate RR, duplicate RRsig */
+"z9.example.com.	3600	IN	A	10.0.0.10\n"
+"z9.example.com.	3600	IN	A	10.0.0.11\n"
+"z9.example.com.	3600	IN	A	10.0.0.10\n"
+"z9.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+"z9.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+#endif /* if0 for duplicates and reordering */
+;
+
+/** queries for example.com: zone, query, flags, answer. end with NULL */
+static struct q_ans example_com_queries[] = {
+	{ "example.com", "www.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"www.example.com.	3600	IN	A	10.0.0.2\n"
+"www.example.com.	3600	IN	A	10.0.0.3\n"
+	},
+
+	{ "example.com", "example.com. SOA", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"example.com.	3600	IN	SOA	ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+	},
+
+	{ "example.com", "example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"example.com.	3600	IN	A	10.0.0.1\n"
+	},
+
+	{ "example.com", "example.com. AAAA", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com.	3600	IN	SOA	ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+	},
+
+	{ "example.com", "example.com. NS", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"example.com.	3600	IN	NS	ns.example.com.\n"
+";additional section\n"
+"ns.example.com.	3600	IN	A	10.0.0.5\n"
+	},
+
+	{ "example.com", "example.com. MX", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"example.com.	3600	IN	MX	50 mail.example.com.\n"
+";additional section\n"
+"mail.example.com.	3600	IN	A	10.0.0.4\n"
+	},
+
+	{ "example.com", "example.com. IN ANY", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"example.com.	3600	IN	SOA	ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+"example.com.	3600	IN	MX	50 mail.example.com.\n"
+"example.com.	3600	IN	A	10.0.0.1\n"
+	},
+
+	{ "example.com", "nonexist.example.com. A", "",
+";flags QR AA rcode NXDOMAIN\n"
+";authority section\n"
+"example.com.	3600	IN	SOA	ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+	},
+
+	{ "example.com", "deep.ent.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"deep.ent.example.com.	3600	IN	A	10.0.0.9\n"
+	},
+
+	{ "example.com", "ent.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com.	3600	IN	SOA	ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+	},
+
+	{ "example.com", "below.deep.ent.example.com. A", "",
+";flags QR AA rcode NXDOMAIN\n"
+";authority section\n"
+"example.com.	3600	IN	SOA	ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+	},
+
+	{ "example.com", "mail.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"mail.example.com.	3600	IN	A	10.0.0.4\n"
+	},
+
+	{ "example.com", "ns.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"ns.example.com.	3600	IN	A	10.0.0.5\n"
+	},
+
+	{ "example.com", "out.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"out.example.com.	3600	IN	CNAME	www.example.com.\n"
+"www.example.com.	3600	IN	A	10.0.0.2\n"
+"www.example.com.	3600	IN	A	10.0.0.3\n"
+	},
+
+	{ "example.com", "out.example.com. CNAME", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"out.example.com.	3600	IN	CNAME	www.example.com.\n"
+	},
+
+	{ "example.com", "plan.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"plan.example.com.	3600	IN	CNAME	nonexist.example.com.\n"
+	},
+
+	{ "example.com", "plan.example.com. CNAME", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"plan.example.com.	3600	IN	CNAME	nonexist.example.com.\n"
+	},
+
+	{ "example.com", "redir.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com.	3600	IN	SOA	ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+	},
+
+	{ "example.com", "redir.example.com. DNAME", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"redir.example.com.	3600	IN	DNAME	redir.example.org.\n"
+	},
+
+	{ "example.com", "abc.redir.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"redir.example.com.	3600	IN	DNAME	redir.example.org.\n"
+"abc.redir.example.com.	0	IN	CNAME	abc.redir.example.org.\n"
+	},
+
+	{ "example.com", "foo.abc.redir.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"redir.example.com.	3600	IN	DNAME	redir.example.org.\n"
+"foo.abc.redir.example.com.	0	IN	CNAME	foo.abc.redir.example.org.\n"
+	},
+
+	{ "example.com", "sub.example.com. NS", "",
+";flags QR rcode NOERROR\n"
+";authority section\n"
+"sub.example.com.	3600	IN	NS	ns1.sub.example.com.\n"
+"sub.example.com.	3600	IN	NS	ns2.sub.example.com.\n"
+";additional section\n"
+"ns1.sub.example.com.	3600	IN	A	10.0.0.6\n"
+"ns2.sub.example.com.	3600	IN	AAAA	2001::7\n"
+	},
+
+	{ "example.com", "sub.example.com. DS", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com.	3600	IN	SOA	ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+	},
+
+	{ "example.com", "www.sub.example.com. NS", "",
+";flags QR rcode NOERROR\n"
+";authority section\n"
+"sub.example.com.	3600	IN	NS	ns1.sub.example.com.\n"
+"sub.example.com.	3600	IN	NS	ns2.sub.example.com.\n"
+";additional section\n"
+"ns1.sub.example.com.	3600	IN	A	10.0.0.6\n"
+"ns2.sub.example.com.	3600	IN	AAAA	2001::7\n"
+	},
+
+	{ "example.com", "foo.abc.sub.example.com. NS", "",
+";flags QR rcode NOERROR\n"
+";authority section\n"
+"sub.example.com.	3600	IN	NS	ns1.sub.example.com.\n"
+"sub.example.com.	3600	IN	NS	ns2.sub.example.com.\n"
+";additional section\n"
+"ns1.sub.example.com.	3600	IN	A	10.0.0.6\n"
+"ns2.sub.example.com.	3600	IN	AAAA	2001::7\n"
+	},
+
+	{ "example.com", "ns1.sub.example.com. A", "",
+";flags QR rcode NOERROR\n"
+";authority section\n"
+"sub.example.com.	3600	IN	NS	ns1.sub.example.com.\n"
+"sub.example.com.	3600	IN	NS	ns2.sub.example.com.\n"
+";additional section\n"
+"ns1.sub.example.com.	3600	IN	A	10.0.0.6\n"
+"ns2.sub.example.com.	3600	IN	AAAA	2001::7\n"
+	},
+
+	{ "example.com", "ns1.sub.example.com. AAAA", "",
+";flags QR rcode NOERROR\n"
+";authority section\n"
+"sub.example.com.	3600	IN	NS	ns1.sub.example.com.\n"
+"sub.example.com.	3600	IN	NS	ns2.sub.example.com.\n"
+";additional section\n"
+"ns1.sub.example.com.	3600	IN	A	10.0.0.6\n"
+"ns2.sub.example.com.	3600	IN	AAAA	2001::7\n"
+	},
+
+	{ "example.com", "ns2.sub.example.com. A", "",
+";flags QR rcode NOERROR\n"
+";authority section\n"
+"sub.example.com.	3600	IN	NS	ns1.sub.example.com.\n"
+"sub.example.com.	3600	IN	NS	ns2.sub.example.com.\n"
+";additional section\n"
+"ns1.sub.example.com.	3600	IN	A	10.0.0.6\n"
+"ns2.sub.example.com.	3600	IN	AAAA	2001::7\n"
+	},
+
+	{ "example.com", "ns2.sub.example.com. AAAA", "",
+";flags QR rcode NOERROR\n"
+";authority section\n"
+"sub.example.com.	3600	IN	NS	ns1.sub.example.com.\n"
+"sub.example.com.	3600	IN	NS	ns2.sub.example.com.\n"
+";additional section\n"
+"ns1.sub.example.com.	3600	IN	A	10.0.0.6\n"
+"ns2.sub.example.com.	3600	IN	AAAA	2001::7\n"
+	},
+
+	{ "example.com", "wild.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com.	3600	IN	SOA	ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+	},
+
+	{ "example.com", "*.wild.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"*.wild.example.com.	3600	IN	A	10.0.0.8\n"
+	},
+
+	{ "example.com", "*.wild.example.com. AAAA", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com.	3600	IN	SOA	ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+	},
+
+	{ "example.com", "abc.wild.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"abc.wild.example.com.	3600	IN	A	10.0.0.8\n"
+	},
+
+	{ "example.com", "abc.wild.example.com. AAAA", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com.	3600	IN	SOA	ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+	},
+
+	{ "example.com", "foo.abc.wild.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"foo.abc.wild.example.com.	3600	IN	A	10.0.0.8\n"
+	},
+
+	{ "example.com", "foo.abc.wild.example.com. AAAA", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com.	3600	IN	SOA	ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+	},
+
+	{ "example.com", "wild2.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com.	3600	IN	SOA	ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+	},
+
+	{ "example.com", "*.wild2.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"*.wild2.example.com.	3600	IN	CNAME	www.example.com.\n"
+"www.example.com.	3600	IN	A	10.0.0.2\n"
+"www.example.com.	3600	IN	A	10.0.0.3\n"
+	},
+
+	{ "example.com", "abc.wild2.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"abc.wild2.example.com.	3600	IN	CNAME	www.example.com.\n"
+"www.example.com.	3600	IN	A	10.0.0.2\n"
+"www.example.com.	3600	IN	A	10.0.0.3\n"
+	},
+
+	{ "example.com", "foo.abc.wild2.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"foo.abc.wild2.example.com.	3600	IN	CNAME	www.example.com.\n"
+"www.example.com.	3600	IN	A	10.0.0.2\n"
+"www.example.com.	3600	IN	A	10.0.0.3\n"
+	},
+
+	{ "example.com", "abc.wild2.example.com. CNAME", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"abc.wild2.example.com.	3600	IN	CNAME	www.example.com.\n"
+	},
+
+	{ "example.com", "abc.wild3.example.com. IN ANY", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"abc.wild3.example.com.	3600	IN	MX	50 mail.example.com.\n"
+"abc.wild3.example.com.	3600	IN	A	10.0.0.8\n"
+	},
+
+	{ "example.com", "yy.example.com. TXT", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"yy.example.com.	3600	IN	TXT	\"a\"\n"
+"yy.example.com.	3600	IN	TXT	\"b\"\n"
+"yy.example.com.	3600	IN	TXT	\"c\"\n"
+"yy.example.com.	3600	IN	TXT	\"d\"\n"
+"yy.example.com.	3600	IN	TXT	\"e\"\n"
+"yy.example.com.	3600	IN	TXT	\"f\"\n"
+	},
+
+	{NULL, NULL, NULL, NULL}
+};
+
+/** number of tmpfiles */
+static int tempno = 0;
+/** number of deleted files */
+static int delno = 0;
+
+/** cleanup tmp files at exit */
+static void
+tmpfilecleanup(void)
+{
+	int i;
+	char buf[256];
+	for(i=0; i<tempno; i++) {
+		snprintf(buf, sizeof(buf), "/tmp/unbound.unittest.%u.%d",
+			(unsigned)getpid(), i);
+		if(vbmp) printf("cleanup: unlink %s\n", buf);
+		unlink(buf);
+	}
+}
+
+/** create temp file, return (malloced) name string, write contents to it */
+static char*
+create_tmp_file(const char* s)
+{
+	char buf[256];
+	char *fname;
+	FILE *out;
+	size_t r;
+	snprintf(buf, sizeof(buf), "/tmp/unbound.unittest.%u.%d",
+		(unsigned)getpid(), tempno++);
+	fname = strdup(buf);
+	if(!fname) fatal_exit("out of memory");
+	/* if no string, just make the name */
+	if(!s) return fname;
+	/* if string, write to file */
+	out = fopen(fname, "w");
+	if(!out) fatal_exit("cannot open %s: %s", fname, strerror(errno));
+	r = fwrite(s, 1, strlen(s), out);
+	if(r == 0) {
+		fatal_exit("write failed: %s", strerror(errno));
+	} else if(r < strlen(s)) {
+		fatal_exit("write failed: too short (disk full?)");
+	}
+	fclose(out);
+	return fname;
+}
+
+/** delete temp file and free name string */
+static void
+del_tmp_file(char* fname)
+{
+	unlink(fname);
+	free(fname);
+	delno++;
+	if(delno == tempno) {
+		/* deleted all outstanding files, back to start condition */
+		tempno = 0;
+		delno = 0;
+	}
+}
+
+/** Add zone from file for testing */
+static struct auth_zone*
+addzone(struct auth_zones* az, const char* name, char* fname)
+{
+	struct auth_zone* z;
+	size_t nmlen;
+	uint8_t* nm = sldns_str2wire_dname(name, &nmlen);
+	if(!nm) fatal_exit("out of memory");
+	lock_rw_wrlock(&az->lock);
+	z = auth_zone_create(az, nm, nmlen, LDNS_RR_CLASS_IN);
+	lock_rw_unlock(&az->lock);
+	if(!z) fatal_exit("cannot find zone");
+	auth_zone_set_zonefile(z, fname);
+
+	if(!auth_zone_read_zonefile(z)) {
+		fatal_exit("parse failure for auth zone %s", name);
+	}
+	lock_rw_unlock(&z->lock);
+	free(nm);
+	return z;
+}
+
+/** check that file is the same as other file */
+static void
+checkfile(char* f1, char *f2)
+{
+	char buf1[10240], buf2[10240];
+	int line = 0;
+	FILE* i1, *i2;
+	i1 = fopen(f1, "r");
+	if(!i1) fatal_exit("cannot open %s: %s", f1, strerror(errno));
+	i2 = fopen(f2, "r");
+	if(!i2) fatal_exit("cannot open %s: %s", f2, strerror(errno));
+
+	while(!feof(i1) && !feof(i2)) {
+		char* cp1, *cp2;
+		line++;
+		cp1 = fgets(buf1, (int)sizeof(buf1), i1);
+		cp2 = fgets(buf2, (int)sizeof(buf2), i2);
+		if((!cp1 && !feof(i1)) || (!cp2 && !feof(i2)))
+			fatal_exit("fgets failed: %s", strerror(errno));
+		if(strcmp(buf1, buf2) != 0) {
+			log_info("in files %s and %s:%d", f1, f2, line);
+			log_info("'%s'", buf1);
+			log_info("'%s'", buf2);
+			fatal_exit("files are not eqaul");
+		}
+	}
+	unit_assert(feof(i1) && feof(i2));
+
+	fclose(i1);
+	fclose(i2);
+}
+
+/** check that a zone (in string) can be read and reproduced */
+static void
+check_read_exact(const char* name, const char* zone)
+{
+	struct auth_zones* az;
+	struct auth_zone* z;
+	char* fname, *outf;
+	if(vbmp) printf("check read zone %s\n", name);
+	fname = create_tmp_file(zone);
+
+	az = auth_zones_create();
+	unit_assert(az);
+	z = addzone(az, name, fname);
+	unit_assert(z);
+	outf = create_tmp_file(NULL);
+	if(!auth_zone_write_file(z, outf)) {
+		fatal_exit("write file failed for %s", fname);
+	}
+	checkfile(fname, outf);
+
+	del_tmp_file(fname);
+	del_tmp_file(outf);
+	auth_zones_delete(az);
+}
+
+/** parse q_ans structure for making query */
+static void
+q_ans_parse(struct q_ans* q, struct regional* region,
+	struct query_info** qinfo, int* fallback, uint8_t** dp_nm,
+	size_t* dp_nmlen)
+{
+	int ret;
+	uint8_t buf[65535];
+	size_t len, dname_len;
+
+	/* parse flags */
+	*fallback = 0; /* default fallback value */
+	if(strstr(q->flags, "fallback"))
+		*fallback = 1;
+	
+	/* parse zone */
+	*dp_nmlen = sizeof(buf);
+	if((ret=sldns_str2wire_dname_buf(q->zone, buf, dp_nmlen))!=0)
+		fatal_exit("cannot parse query dp zone %s : %s", q->zone,
+			sldns_get_errorstr_parse(ret));
+	*dp_nm = regional_alloc_init(region, buf, *dp_nmlen);
+	if(!dp_nm) fatal_exit("out of memory");
+
+	/* parse query */
+	len = sizeof(buf);
+	dname_len = 0;
+	if((ret=sldns_str2wire_rr_question_buf(q->query, buf, &len, &dname_len,
+		*dp_nm, *dp_nmlen, NULL, 0))!=0)
+		fatal_exit("cannot parse query %s : %s", q->query,
+			sldns_get_errorstr_parse(ret));
+	*qinfo = (struct query_info*)regional_alloc_zero(region,
+		sizeof(**qinfo));
+	if(!*qinfo) fatal_exit("out of memory");
+	(*qinfo)->qname = regional_alloc_init(region, buf, dname_len);
+	if(!(*qinfo)->qname) fatal_exit("out of memory");
+	(*qinfo)->qname_len = dname_len;
+	(*qinfo)->qtype = sldns_wirerr_get_type(buf, len, dname_len);
+	(*qinfo)->qclass = sldns_wirerr_get_class(buf, len, dname_len);
+}
+
+/** print flags to string */
+static void
+pr_flags(sldns_buffer* buf, uint16_t flags)
+{
+	char rcode[32];
+	sldns_buffer_printf(buf, ";flags");
+	if((flags&BIT_QR)!=0) sldns_buffer_printf(buf, " QR");
+	if((flags&BIT_AA)!=0) sldns_buffer_printf(buf, " AA");
+	if((flags&BIT_TC)!=0) sldns_buffer_printf(buf, " TC");
+	if((flags&BIT_RD)!=0) sldns_buffer_printf(buf, " RD");
+	if((flags&BIT_CD)!=0) sldns_buffer_printf(buf, " CD");
+	if((flags&BIT_RA)!=0) sldns_buffer_printf(buf, " RA");
+	if((flags&BIT_AD)!=0) sldns_buffer_printf(buf, " AD");
+	if((flags&BIT_Z)!=0) sldns_buffer_printf(buf, " Z");
+	sldns_wire2str_rcode_buf((int)(FLAGS_GET_RCODE(flags)),
+		rcode, sizeof(rcode));
+	sldns_buffer_printf(buf, " rcode %s", rcode);
+	sldns_buffer_printf(buf, "\n");
+}
+
+/** print RRs to string */
+static void
+pr_rrs(sldns_buffer* buf, struct reply_info* rep)
+{
+	char s[65536];
+	size_t i, j;
+	struct packed_rrset_data* d;
+	log_assert(rep->rrset_count == rep->an_numrrsets + rep->ns_numrrsets
+		+ rep->ar_numrrsets);
+	for(i=0; i<rep->rrset_count; i++) {
+		/* section heading */
+		if(i == 0 && rep->an_numrrsets != 0)
+			sldns_buffer_printf(buf, ";answer section\n");
+		else if(i == rep->an_numrrsets && rep->ns_numrrsets != 0)
+			sldns_buffer_printf(buf, ";authority section\n");
+		else if(i == rep->an_numrrsets+rep->ns_numrrsets &&
+			rep->ar_numrrsets != 0)
+			sldns_buffer_printf(buf, ";additional section\n");
+		/* spool RRset */
+		d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
+		for(j=0; j<d->count+d->rrsig_count; j++) {
+			if(!packed_rr_to_string(rep->rrsets[i], j, 0,
+				s, sizeof(s))) {
+				fatal_exit("could not rr_to_string %d",
+					(int)i);
+			}
+			sldns_buffer_printf(buf, "%s", s);
+		}
+	}
+}
+
+/** create string for message */
+static char*
+msgtostr(struct dns_msg* msg)
+{
+	char* str;
+	sldns_buffer* buf = sldns_buffer_new(65535);
+	if(!buf) fatal_exit("out of memory");
+	pr_flags(buf, msg->rep->flags);
+	pr_rrs(buf, msg->rep);
+
+	str = strdup((char*)sldns_buffer_begin(buf));
+	if(!str) fatal_exit("out of memory");
+	sldns_buffer_free(buf);
+	return str;
+}
+
+/** find line diff between strings */
+static void
+line_diff(const char* p, const char* q, const char* pdesc, const char* qdesc)
+{
+	char* pdup, *qdup, *pl, *ql;
+	int line = 1;
+	pdup = strdup(p);
+	qdup = strdup(q);
+	if(!pdup || !qdup) fatal_exit("out of memory");
+	pl=pdup;
+	ql=qdup;
+	printf("linediff (<%s, >%s)\n", pdesc, qdesc);
+	while(pl && ql && *pl && *ql) {
+		char* ep = strchr(pl, '\n');
+		char* eq = strchr(ql, '\n');
+		/* terminate lines */
+		if(ep) *ep = 0;
+		if(eq) *eq = 0;
+		/* printout */
+		if(strcmp(pl, ql) == 0) {
+			printf("%3d   %s\n", line, pl);
+		} else {
+			printf("%3d < %s\n", line, pl);
+			printf("%3d > %s\n", line, ql);
+		}
+		if(ep) *ep = '\n';
+		if(eq) *eq = '\n';
+		if(ep) pl = ep+1;
+		else pl = NULL;
+		if(eq) ql = eq+1;
+		else ql = NULL;
+		line++;
+	}
+	if(pl && *pl) {
+		printf("%3d < %s\n", line, pl);
+	}
+	if(ql && *ql) {
+		printf("%3d > %s\n", line, ql);
+	}
+	free(pdup);
+	free(qdup);
+}
+
+/** make q_ans query */
+static void
+q_ans_query(struct q_ans* q, struct auth_zones* az, struct query_info* qinfo,
+	struct regional* region, int expected_fallback, uint8_t* dp_nm,
+	size_t dp_nmlen)
+{
+	int ret, fallback = 0;
+	struct dns_msg* msg = NULL;
+	char* ans_str;
+	int oldv = verbosity;
+	/* increase verbosity to printout logic in authzone */
+	if(vbmp) verbosity = 4;
+	ret = auth_zones_lookup(az, qinfo, region, &msg, &fallback, dp_nm,
+		dp_nmlen);
+	if(vbmp) verbosity = oldv;
+
+	/* check the answer */
+	ans_str = msgtostr(msg);
+	/* printout if vbmp */
+	if(vbmp) printf("got (ret=%s%s):\n%s",
+		(ret?"ok":"fail"), (fallback?" fallback":""), ans_str);
+	/* check expected value for ret */
+	if(expected_fallback && ret != 0) {
+		/* ret is zero on fallback */
+		if(vbmp) printf("fallback expected, but "
+			"return value is not false\n");
+		unit_assert(expected_fallback && ret == 0);
+	}
+	if(ret == 0) {
+		if(!expected_fallback) {
+			if(vbmp) printf("return value is false, "
+				"(unexpected)\n");
+		}
+		unit_assert(expected_fallback);
+	}
+	/* check expected value for fallback */
+	if(expected_fallback && !fallback) {
+		if(vbmp) printf("expected fallback, but fallback is no\n");
+	} else if(!expected_fallback && fallback) {
+		if(vbmp) printf("expected no fallback, but fallback is yes\n");
+	}
+	unit_assert( (expected_fallback&&fallback) ||
+		(!expected_fallback&&!fallback));
+	/* check answer string */
+	if(strcmp(q->answer, ans_str) != 0) {
+		if(vbmp) printf("wanted:\n%s", q->answer);
+		line_diff(q->answer, ans_str, "wanted", "got");
+	}
+	unit_assert(strcmp(q->answer, ans_str) == 0);
+	if(vbmp) printf("query ok\n\n");
+	free(ans_str);
+}
+
+/** check queries on a loaded zone */
+static void
+check_az_q_ans(struct auth_zones* az, struct q_ans* queries)
+{
+	struct q_ans* q;
+	struct regional* region = regional_create();
+	struct query_info* qinfo;
+	int fallback;
+	uint8_t* dp_nm;
+	size_t dp_nmlen;
+	for(q=queries; q->zone; q++) {
+		if(vbmp) printf("query %s: %s %s\n", q->zone, q->query,
+			q->flags);
+		q_ans_parse(q, region, &qinfo, &fallback, &dp_nm, &dp_nmlen);
+		q_ans_query(q, az, qinfo, region, fallback, dp_nm, dp_nmlen);
+		regional_free_all(region);
+	}
+	regional_destroy(region);
+}
+
+/** check queries for a zone are returned as specified */
+static void
+check_queries(const char* name, const char* zone, struct q_ans* queries)
+{
+	struct auth_zones* az;
+	struct auth_zone* z;
+	char* fname;
+	if(vbmp) printf("check queries %s\n", name);
+	fname = create_tmp_file(zone);
+	az = auth_zones_create();
+	if(!az) fatal_exit("out of memory");
+	z = addzone(az, name, fname);
+	if(!z) fatal_exit("could not read zone for queries test");
+	del_tmp_file(fname);
+
+	/* run queries and test them */
+	check_az_q_ans(az, queries);
+
+	auth_zones_delete(az);
+}
+
+/** Test authzone read from file */
+static void
+authzone_read_test(void)
+{
+	if(vbmp) printf("Testing read auth zone\n");
+	check_read_exact("example.com", zone_example_com);
+}
+
+/** Test authzone query from zone */
+static void
+authzone_query_test(void)
+{
+	if(vbmp) printf("Testing query auth zone\n");
+	check_queries("example.com", zone_example_com, example_com_queries);
+}
+
+/** test authzone code */
+void 
+authzone_test(void)
+{
+	unit_show_feature("authzone");
+	atexit(tmpfilecleanup);
+	authzone_read_test();
+	authzone_query_test();
+}

testcode/unitmain.c

@@ -403,6 +403,8 @@ config_tag_test(void)
 }
 	
 #include "util/rtt.h"
+#include "util/timehist.h"
+#include "libunbound/unbound.h"
 /** test RTT code */
 static void
 rtt_test(void)
@@ -426,6 +428,8 @@ rtt_test(void)
 		unit_assert( rtt_timeout(&r) > RTT_MIN_TIMEOUT-1);
 		unit_assert( rtt_timeout(&r) < RTT_MAX_TIMEOUT+1);
 	}
+	/* must be the same, timehist bucket is used in stats */
+	unit_assert(UB_STATS_BUCKET_NUM == NUM_BUCKETS_HIST);
 }
 
 #include "services/cache/infra.h"
@@ -623,6 +627,9 @@ respip_conf_actions_test(void)
 	}
 	unit_assert(respip_global_apply_cfg(set, &cfg));
 	verify_respip_set_actions(set, config_response_ip, clen);
+
+	respip_set_delete(set);
+	config_deldblstrlist(cfg.respip_actions);
 }
 
 /** Per-view respip actions test; apply raw configuration with two views
@@ -690,6 +697,12 @@ respip_view_conf_actions_test(void)
 	unit_assert(v);
 	verify_respip_set_actions(v->respip_set, config_response_ip_view2, clen2);
 	lock_rw_unlock(&v->lock);
+
+	views_delete(views);
+	free(cv1->name);
+	free(cv1);
+	free(cv2->name);
+	free(cv2);
 }
 
 typedef struct addr_data {char* ip; char* data;} addr_data_t;
@@ -774,6 +787,8 @@ respip_conf_data_test(void)
 	verify_rrset(set, "192.0.1.0/24", "11.12.13.14", 1, LDNS_RR_TYPE_A);
 	verify_rrset(set, "192.0.2.0/24", "www.example.com", 0, LDNS_RR_TYPE_CNAME);
 	verify_rrset(set, "2001:db8:1::/48", "2001:db8:1::2:1", 0, LDNS_RR_TYPE_AAAA);
+
+	respip_set_delete(set);
 }
 
 /** Test per-view respip redirect w/ data directives */
@@ -810,6 +825,11 @@ respip_view_conf_data_test(void)
 		0, LDNS_RR_TYPE_CNAME);
 	verify_rrset(v->respip_set, "2001:db8:1::/48", "2001:db8:1::2:1",
 		0, LDNS_RR_TYPE_AAAA);
+	lock_rw_unlock(&v->lock);
+
+	views_delete(views);
+	free(cv->name);
+	free(cv);
 }
 
 /** respip unit tests */
@@ -865,6 +885,7 @@ main(int argc, char* argv[])
 		fatal_exit("could not init NSS");
 #endif /* HAVE_SSL or HAVE_NSS*/
 	checklock_start();
+	authzone_test();
 	neg_test();
 	rnd_test();
 	respip_test();

testcode/unitmain.h

@@ -78,5 +78,7 @@ void ecs_test(void);
 #endif /* CLIENT_SUBNET */
 /** unit test for ldns functions */
 void ldns_test(void);
+/** unit test for auth zone functions */
+void authzone_test(void);
 
 #endif /* TESTCODE_UNITMAIN_H */

testcode/unitverify.c

@@ -537,6 +537,11 @@ verify_test(void)
 	}
 	dstest_file("testdata/test_ds.sha384");
 #endif
+#ifdef USE_ED25519
+	if(dnskey_algo_id_is_supported(LDNS_ED25519)) {
+		verifytest_file("testdata/test_sigs.ed25519", "20170530140439");
+	}
+#endif
 #ifdef USE_SHA1
 	dstest_file("testdata/test_ds.sha1");
 #endif

testdata/ipsecmod_bogus_ipseckey.crpl

@@ -0,0 +1,236 @@
+; Test ipsecmod with bogus IPSECKEY
+
+; config options
+; The island of trust is at example.com
+server:
+	trust-anchor: "example.com.    IN      DS      48069 8 2 fce2bcb0d88b828064faad58e935ca2e32ff0bbd8bd8407a8f344d8f8e8c438a"
+	val-override-date: "-1"
+	target-fetch-policy: "0 0 0 0 0"
+	# test that default value of harden-dnssec-stripped is still yes.
+	fake-sha1: yes
+	access-control: 127.0.0.1 allow_snoop
+	module-config: "ipsecmod validator iterator"
+	; ../../ is there because the test runs from testdata/03-testbound.dir
+	ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+	ipsecmod-strict: no
+	ipsecmod-max-ttl: 200
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod with bogus IPSECKEY
+; Scenario overview:
+; - query for example.com. IN A
+; - check that query for example.com. IN IPSECKEY is generated
+; - check that we get an answer for example.com. IN A with the correct TTL
+; - check that the get the same answer from cache
+; - check that we don't get the IPSECKEY answer from cache (bogus)
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			a.gtld-servers.net.	IN AAAA
+		SECTION AUTHORITY
+			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			K.ROOT-SERVERS.NET.	IN	AAAA
+		SECTION AUTHORITY
+			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN A
+		SECTION AUTHORITY
+			com. IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN NS
+		SECTION ANSWER
+			com.    IN NS   a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.     IN      A       192.5.6.30
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+		SECTION ADDITIONAL
+			ns.example.com.         IN      A       1.2.3.4
+			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			ns.example.com. IN AAAA
+		SECTION AUTHORITY
+			example.com.    86400   IN      SOA     ns.example.com. example.com. 2002022401 10800 15 604800 10800
+			example.com.    86400   IN      RRSIG   SOA 8 2 86400 20170609142855 20170512142855 48069 example.com. fr6oVOsRMnm3D8N01LxzPvT9lWdNDhTlmwR1co42c3H2ra1EjbbKqkLcrXQAsq7E/ddzqgL3RnYS+3USojXycI1xhjXC8YT2xsW3uH8uTY1Qvk1K75lu1OXmDiU6wvHplFowl0OX7sx76lB1itbvsau4bMPMt03sf4u8po7V35s=
+	ENTRY_END
+
+	; response to A query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION ANSWER
+			example.com.    3600	IN      A       5.6.7.8
+			example.com.    3600    IN      RRSIG   A 8 2 3600 20170609142855 20170512142855 48069 example.com. Qviw6w8ReMG2WZxenvzj/YwoeM3Ln59Fnw6s1MRWGsD2yA3+y0loFdUEHZdRhrEiV0kvtQGC+kBhMuSMq/cyjprbKLw5pkS9+MMDDnVPP1PQb17LY4NIxPtq710AN1sjhBK6PVa6XN+3ciUmCcLs1ESviQkVKpgAY/QlV0TaarQ=
+		SECTION AUTHORITY
+			example.com.    IN NS   ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+		SECTION ADDITIONAL
+			ns.example.com.         IN      A       1.2.3.4
+			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+	ENTRY_END
+
+	; response to IPSECKEY query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN IPSECKEY
+		SECTION ANSWER
+			example.com.    3600    IN      IPSECKEY        10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+			;(correct answer) example.com.    3600    IN      RRSIG   IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. UqRbG6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
+			; (bogus answer)
+			example.com.    3600    IN      RRSIG   IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. Bogus6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
+		SECTION AUTHORITY
+			example.com.    IN NS   ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+		SECTION ADDITIONAL
+			ns.example.com.         IN      A       1.2.3.4
+			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+	ENTRY_END
+
+; response to DNSKEY priming query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			example.com. IN DNSKEY
+		SECTION ANSWER
+			example.com.    86400   IN      DNSKEY  256 3 8 AwEAAddE7q1HL4Id+gpQ7imk+RyNEhCWgtew5tstsqIR/fXq0RBn0rF4SI1H6ysbb3nfqAV1xRDJ01ddpgfGyz9zXXHQ/H/9qEpeWapqfNTQ5GHHdxBL2iST7XusThfXEyX/pouKIpvtknvtLs8tmH64dajxoJkaejU2EKXKaBaRKcYx ;{id = 48069 (zsk), size = 1024b}
+			example.com.    86400   IN      RRSIG   DNSKEY 8 2 86400 20170609144114 20170512144114 48069 example.com. mJU3LnubfYW7vhksiC1STWbrSjCe6TG1kEpnk4jRrYovues6bzOTIFSXEMjPW1mikulapnx3nMtTWdrW2InjfP9wLV/u2Wx1Vu3s9uzli/27y//3DOkZSeBa5RZdKpC1h8UB5GAxq4MRiSidgEBB1qaDIaE29sWmn9kPHEgNcgI=
+		SECTION AUTHORITY
+			example.com.    IN NS   ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+		SECTION ADDITIONAL
+			ns.example.com.         IN      A       1.2.3.4
+			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+	ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+	REPLY RD
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+STEP 2 CHECK_OUT_QUERY
+ENTRY_BEGIN
+	MATCH qname qtype opcode
+	SECTION QUESTION
+		example.com. IN IPSECKEY
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+	ENTRY_BEGIN
+	MATCH all
+	REPLY QR RD RA SERVFAIL
+	SECTION QUESTION
+		example.com. IN A
+	SECTION ANSWER
+ENTRY_END
+
+; Query without RD, check if not cached
+STEP 11 QUERY
+ENTRY_BEGIN
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+	ENTRY_BEGIN
+	MATCH all
+	REPLY QR RA NOERROR
+	SECTION QUESTION
+		example.com. IN A
+	SECTION ANSWER
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+SCENARIO_END

testdata/ipsecmod_enabled.crpl

@@ -0,0 +1,219 @@
+; Test ipsecmod-enabled option.
+
+; config options
+server:
+	access-control: 127.0.0.1 allow_snoop
+	module-config: "ipsecmod validator iterator"
+	; ../../ is there because the test runs from testdata/03-testbound.dir
+	ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+	ipsecmod-strict: no
+	ipsecmod-max-ttl: 200
+	ipsecmod-enabled: no
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod-enabled option
+; Scenario overview:
+; - query for example.com. IN A
+; - check that we get an answer for example.com. IN A with the correct TTL
+; - check that the get the same answer from cache
+; - check that we don't get the IPSECKEY answer from cache
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			a.gtld-servers.net.	IN AAAA
+		SECTION AUTHORITY
+			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			K.ROOT-SERVERS.NET.	IN	AAAA
+		SECTION AUTHORITY
+			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN A
+		SECTION AUTHORITY
+			com. IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN NS
+		SECTION ANSWER
+			com.    IN NS   a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.     IN      A       192.5.6.30
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.         IN      A       1.2.3.4
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			ns.example.com. IN AAAA
+		SECTION AUTHORITY
+			example.com. 10 IN SOA . . 15 28800 7200 604800 10
+	ENTRY_END
+
+	; response to A query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION ANSWER
+			example.com.    3600 IN      A       5.6.7.8
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+
+	; response to IPSECKEY query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN IPSECKEY
+		SECTION ANSWER
+			example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 1 QUERY
+ENTRY_BEGIN
+	REPLY RD
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ttl
+	REPLY QR RD RA NOERROR
+	SECTION QUESTION
+		example.com. IN A
+	SECTION ANSWER
+		example.com.  3600 IN A 5.6.7.8
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+; Query without RD, check if cached and with correct TTL
+STEP 11 QUERY
+ENTRY_BEGIN
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ttl
+	REPLY QR RA NOERROR
+	SECTION QUESTION
+		example.com. IN A
+	SECTION ANSWER
+		example.com.  3600 IN A 5.6.7.8
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+; Query without RD, check if IPSECKEY cached
+STEP 21 QUERY
+ENTRY_BEGIN
+	SECTION QUESTION
+		example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all
+	REPLY QR RA NOERROR
+	SECTION QUESTION
+		example.com. IN IPSECKEY
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+SCENARIO_END

testdata/ipsecmod_hook.sh

@@ -0,0 +1,2 @@
+echo " ---[ IPsec external hook FAIL; only care if ipsecmod-strict: yes ]---"
+exit 1

testdata/ipsecmod_ignore_bogus_ipseckey.crpl

@@ -0,0 +1,257 @@
+; Test ipsecmod-ignore-bogus option
+
+; config options
+; The island of trust is at example.com
+server:
+	trust-anchor: "example.com.    IN      DS      48069 8 2 fce2bcb0d88b828064faad58e935ca2e32ff0bbd8bd8407a8f344d8f8e8c438a"
+	val-override-date: "-1"
+	target-fetch-policy: "0 0 0 0 0"
+	# test that default value of harden-dnssec-stripped is still yes.
+	fake-sha1: yes
+	access-control: 127.0.0.1 allow_snoop
+	module-config: "ipsecmod validator iterator"
+	; ../../ is there because the test runs from testdata/03-testbound.dir
+	ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+	ipsecmod-strict: no
+	ipsecmod-max-ttl: 200
+	ipsecmod-ignore-bogus: yes
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod-ignore-bogus option
+; Scenario overview:
+; - query for example.com. IN A
+; - check that query for example.com. IN IPSECKEY is generated
+; - check that we get an answer for example.com. IN A with the correct TTL
+; - check that the get the same answer from cache
+; - check that we don't get the IPSECKEY answer from cache (bogus)
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			a.gtld-servers.net.	IN AAAA
+		SECTION AUTHORITY
+			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			K.ROOT-SERVERS.NET.	IN	AAAA
+		SECTION AUTHORITY
+			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN A
+		SECTION AUTHORITY
+			com. IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN NS
+		SECTION ANSWER
+			com.    IN NS   a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.     IN      A       192.5.6.30
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+		SECTION ADDITIONAL
+			ns.example.com.         IN      A       1.2.3.4
+			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			ns.example.com. IN AAAA
+		SECTION AUTHORITY
+			example.com.    86400   IN      SOA     ns.example.com. example.com. 2002022401 10800 15 604800 10800
+			example.com.    86400   IN      RRSIG   SOA 8 2 86400 20170609142855 20170512142855 48069 example.com. fr6oVOsRMnm3D8N01LxzPvT9lWdNDhTlmwR1co42c3H2ra1EjbbKqkLcrXQAsq7E/ddzqgL3RnYS+3USojXycI1xhjXC8YT2xsW3uH8uTY1Qvk1K75lu1OXmDiU6wvHplFowl0OX7sx76lB1itbvsau4bMPMt03sf4u8po7V35s=
+	ENTRY_END
+
+	; response to A query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION ANSWER
+			example.com.    3600	IN      A       5.6.7.8
+			example.com.    3600    IN      RRSIG   A 8 2 3600 20170609142855 20170512142855 48069 example.com. Qviw6w8ReMG2WZxenvzj/YwoeM3Ln59Fnw6s1MRWGsD2yA3+y0loFdUEHZdRhrEiV0kvtQGC+kBhMuSMq/cyjprbKLw5pkS9+MMDDnVPP1PQb17LY4NIxPtq710AN1sjhBK6PVa6XN+3ciUmCcLs1ESviQkVKpgAY/QlV0TaarQ=
+		SECTION AUTHORITY
+			example.com.    IN NS   ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+		SECTION ADDITIONAL
+			ns.example.com.         IN      A       1.2.3.4
+			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+	ENTRY_END
+
+	; response to IPSECKEY query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN IPSECKEY
+		SECTION ANSWER
+			example.com.    3600    IN      IPSECKEY        10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+			;(correct answer) example.com.    3600    IN      RRSIG   IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. UqRbG6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
+			; (bogus answer)
+			example.com.    3600    IN      RRSIG   IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. Bogus6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
+		SECTION AUTHORITY
+			example.com.    IN NS   ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+		SECTION ADDITIONAL
+			ns.example.com.         IN      A       1.2.3.4
+			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+	ENTRY_END
+
+; response to DNSKEY priming query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			example.com. IN DNSKEY
+		SECTION ANSWER
+			example.com.    86400   IN      DNSKEY  256 3 8 AwEAAddE7q1HL4Id+gpQ7imk+RyNEhCWgtew5tstsqIR/fXq0RBn0rF4SI1H6ysbb3nfqAV1xRDJ01ddpgfGyz9zXXHQ/H/9qEpeWapqfNTQ5GHHdxBL2iST7XusThfXEyX/pouKIpvtknvtLs8tmH64dajxoJkaejU2EKXKaBaRKcYx ;{id = 48069 (zsk), size = 1024b}
+			example.com.    86400   IN      RRSIG   DNSKEY 8 2 86400 20170609144114 20170512144114 48069 example.com. mJU3LnubfYW7vhksiC1STWbrSjCe6TG1kEpnk4jRrYovues6bzOTIFSXEMjPW1mikulapnx3nMtTWdrW2InjfP9wLV/u2Wx1Vu3s9uzli/27y//3DOkZSeBa5RZdKpC1h8UB5GAxq4MRiSidgEBB1qaDIaE29sWmn9kPHEgNcgI=
+		SECTION AUTHORITY
+			example.com.    IN NS   ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+		SECTION ADDITIONAL
+			ns.example.com.         IN      A       1.2.3.4
+			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+	ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+	REPLY RD
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+STEP 2 CHECK_OUT_QUERY
+ENTRY_BEGIN
+	MATCH qname qtype opcode
+	SECTION QUESTION
+		example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ttl
+	REPLY QR RD RA NOERROR
+	SECTION QUESTION
+		example.com. IN A
+	SECTION ANSWER
+		example.com.  200 IN A 5.6.7.8
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+; Query without RD, check if cached and with correct TTL
+STEP 11 QUERY
+ENTRY_BEGIN
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ttl
+	REPLY QR RA NOERROR
+	SECTION QUESTION
+		example.com. IN A
+	SECTION ANSWER
+		example.com.  200 IN A 5.6.7.8
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+; Query without RD, check if IPSECKEY is not cached
+STEP 21 QUERY
+ENTRY_BEGIN
+	SECTION QUESTION
+		example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all
+	REPLY QR RA SERVFAIL
+	SECTION QUESTION
+		example.com. IN IPSECKEY
+ENTRY_END
+
+SCENARIO_END

testdata/ipsecmod_max_ttl.crpl

@@ -0,0 +1,228 @@
+; Test ipsecmod-max-ttl option.
+
+; config options
+server:
+	access-control: 127.0.0.1 allow_snoop
+	module-config: "ipsecmod validator iterator"
+	; ../../ is there because the test runs from testdata/03-testbound.dir
+	ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+	ipsecmod-strict: no
+	ipsecmod-max-ttl: 200
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod-max-ttl option
+; Scenario overview:
+; - query for example.com. IN A
+; - check that query for example.com. IN IPSECKEY is generated
+; - check that we get an answer for example.com. IN A with the correct TTL
+; - check that the get the same answer from cache
+; - check that we get the IPSECKEY answer from cache
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			a.gtld-servers.net.	IN AAAA
+		SECTION AUTHORITY
+			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			K.ROOT-SERVERS.NET.	IN	AAAA
+		SECTION AUTHORITY
+			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN A
+		SECTION AUTHORITY
+			com. IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN NS
+		SECTION ANSWER
+			com.    IN NS   a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.     IN      A       192.5.6.30
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.         IN      A       1.2.3.4
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			ns.example.com. IN AAAA
+		SECTION AUTHORITY
+			example.com. 10 IN SOA . . 15 28800 7200 604800 10
+	ENTRY_END
+
+	; response to A query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION ANSWER
+			example.com.    3600 IN      A       5.6.7.8
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+
+	; response to IPSECKEY query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN IPSECKEY
+		SECTION ANSWER
+			example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 1 QUERY
+ENTRY_BEGIN
+	REPLY RD
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+STEP 2 CHECK_OUT_QUERY
+ENTRY_BEGIN
+	MATCH qname qtype opcode
+	SECTION QUESTION
+		example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ttl
+	REPLY QR RD RA NOERROR
+	SECTION QUESTION
+		example.com. IN A
+	SECTION ANSWER
+		example.com.  200 IN A 5.6.7.8
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+; Query without RD, check if cached and with correct TTL
+STEP 11 QUERY
+ENTRY_BEGIN
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ttl
+	REPLY QR RA NOERROR
+	SECTION QUESTION
+		example.com. IN A
+	SECTION ANSWER
+		example.com.  200 IN A 5.6.7.8
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+; Query without RD, check if IPSECKEY cached
+STEP 21 QUERY
+ENTRY_BEGIN
+	SECTION QUESTION
+		example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all
+	REPLY QR RA NOERROR
+	SECTION QUESTION
+		example.com. IN IPSECKEY
+	SECTION ANSWER
+		example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+SCENARIO_END

testdata/ipsecmod_strict.crpl

@@ -0,0 +1,217 @@
+; Test ipsecmod-strict option
+
+; config options
+server:
+	access-control: 127.0.0.1 allow_snoop
+	module-config: "ipsecmod validator iterator"
+	; ../../ is there because the test runs from testdata/03-testbound.dir
+	ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+	ipsecmod-strict: yes
+	ipsecmod-max-ttl: 200
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod-strict option
+; Scenario overview:
+; - query for example.com. IN A
+; - check that query for example.com. IN IPSECKEY is generated
+; - check that we get SERVFAIL as answer (the hook failed)
+; - check that the example.com. IN A answer is not cached
+; - check that the example.com. IN IPSECKEY answer is cached
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			a.gtld-servers.net.	IN AAAA
+		SECTION AUTHORITY
+			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			K.ROOT-SERVERS.NET.	IN	AAAA
+		SECTION AUTHORITY
+			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN A
+		SECTION AUTHORITY
+			com. IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN NS
+		SECTION ANSWER
+			com.    IN NS   a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.     IN      A       192.5.6.30
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.         IN      A       1.2.3.4
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			ns.example.com. IN AAAA
+		SECTION AUTHORITY
+			example.com. 10 IN SOA . . 15 28800 7200 604800 10
+	ENTRY_END
+
+	; response to A query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION ANSWER
+			example.com.    3600 IN      A       5.6.7.8
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+
+	; response to IPSECKEY query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN IPSECKEY
+		SECTION ANSWER
+			example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+	REPLY RD
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+STEP 2 CHECK_OUT_QUERY
+ENTRY_BEGIN
+	MATCH qname qtype opcode
+	SECTION QUESTION
+		example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all
+	REPLY QR RD RA SERVFAIL
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+STEP 11 QUERY
+ENTRY_BEGIN
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all
+	REPLY QR RA NOERROR
+	SECTION QUESTION
+		example.com. IN A
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+STEP 21 QUERY
+ENTRY_BEGIN
+	SECTION QUESTION
+		example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all
+	REPLY QR RA NOERROR
+	SECTION QUESTION
+		example.com. IN IPSECKEY
+	SECTION ANSWER
+		example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+SCENARIO_END

testdata/ipsecmod_whitelist.crpl

@@ -0,0 +1,294 @@
+; Test ipsecmod-whitelist option.
+
+; config options
+server:
+	access-control: 127.0.0.1 allow_snoop
+	module-config: "ipsecmod validator iterator"
+	; ../../ is there because the test runs from testdata/03-testbound.dir
+	ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+	ipsecmod-strict: no
+	ipsecmod-max-ttl: 200
+	ipsecmod-whitelist: white.example.com
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod-whitelist option
+; Scenario overview:
+; - query for black.example.com. IN A
+; - check that we get an answer for black.example.com. IN A with the correct TTL
+; - check that an answer for black.example.com. IN IPSECKEY is not cached (not given)
+; - query for white.example.com. IN A
+; - check that query for white.example.com. IN IPSECKEY is generated
+; - check that we get an answer for white.example.com. IN A with the correct TTL
+; - check that the get the same answer from cache
+; - check that we get the IPSECKEY answer from cache
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			a.gtld-servers.net.	IN AAAA
+		SECTION AUTHORITY
+			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			K.ROOT-SERVERS.NET.	IN	AAAA
+		SECTION AUTHORITY
+			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN A
+		SECTION AUTHORITY
+			com. IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN NS
+		SECTION ANSWER
+			com.    IN NS   a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.     IN      A       192.5.6.30
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.         IN      A       1.2.3.4
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA NOERROR
+		SECTION QUESTION
+			ns.example.com. IN AAAA
+		SECTION AUTHORITY
+			example.com. 10 IN SOA . . 15 28800 7200 604800 10
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			white.example.com. IN A
+		SECTION ANSWER
+			white.example.com.    3600 IN      A       5.6.7.8
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			white.example.com. IN IPSECKEY
+		SECTION ANSWER
+			white.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			black.example.com. IN A
+		SECTION ANSWER
+			black.example.com.    3600 IN      A       5.6.7.8
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			black.example.com. IN IPSECKEY
+		SECTION ANSWER
+			black.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+	REPLY RD
+	SECTION QUESTION
+		black.example.com. IN A
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ttl
+	REPLY QR RD RA NOERROR
+	SECTION QUESTION
+		black.example.com. IN A
+	SECTION ANSWER
+		black.example.com.  3600 IN A 5.6.7.8
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+STEP 11 QUERY
+ENTRY_BEGIN
+	SECTION QUESTION
+		black.example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all
+	REPLY QR RA NOERROR
+	SECTION QUESTION
+		black.example.com. IN IPSECKEY
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+	REPLY RD
+	SECTION QUESTION
+		white.example.com. IN A
+ENTRY_END
+
+STEP 21 CHECK_OUT_QUERY
+ENTRY_BEGIN
+	MATCH qname qtype opcode
+	SECTION QUESTION
+		white.example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ttl
+	REPLY QR RD RA NOERROR
+	SECTION QUESTION
+		white.example.com. IN A
+	SECTION ANSWER
+		white.example.com.  200 IN A 5.6.7.8
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+STEP 31 QUERY
+ENTRY_BEGIN
+	SECTION QUESTION
+		white.example.com. IN A
+ENTRY_END
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ttl
+	REPLY QR RA NOERROR
+	SECTION QUESTION
+		white.example.com. IN A
+	SECTION ANSWER
+		white.example.com.  200 IN A 5.6.7.8
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+STEP 41 QUERY
+ENTRY_BEGIN
+	SECTION QUESTION
+		white.example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all
+	REPLY QR RA NOERROR
+	SECTION QUESTION
+		white.example.com. IN IPSECKEY
+	SECTION ANSWER
+		white.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+SCENARIO_END

testdata/iter_stub_leak.rpl

@@ -0,0 +1,220 @@
+; config options
+server:
+        target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+        name: "."
+	stub-addr: 193.0.14.129
+stub-zone:
+	name: "example.com"
+	stub-addr: 10.0.1.1
+stub-zone:
+	name: "example.net"
+	stub-addr: 10.0.5.1
+CONFIG_END
+
+SCENARIO_BEGIN Test stub zone leaking to the internet on last resort fallback
+
+; root server
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129
+
+; root prime
+ENTRY_BEGIN
+MATCH qname qtype
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS k.root-servers.net.
+SECTION ADDITIONAL
+k.root-servers.net. IN A 193.0.14.129
+ENTRY_END
+
+RANGE_END
+
+; stub server for example.com
+RANGE_BEGIN 0 100
+	ADDRESS 10.0.1.1
+
+; subzone is delegated
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+subzone.example.com. IN A
+SECTION AUTHORITY
+subzone.example.com. IN NS sub-ns1.example.com.
+subzone.example.com. IN NS sub-ns2.example.com.
+subzone.example.com. IN NS example.net.
+SECTION ADDITIONAL
+sub-ns1.example.com. IN A 10.0.2.3
+sub-ns2.example.com. IN A 10.0.2.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub-ns1.example.com. IN A
+SECTION ANSWER
+sub-ns1.example.com. IN A 10.0.2.3
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub-ns2.example.com. IN A
+SECTION ANSWER
+sub-ns2.example.com. IN A 10.0.2.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub-ns1.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. 300 SOA master.example.com etc 1 2 3 4 300
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub-ns2.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. 300 SOA master.example.com etc 1 2 3 4 300
+ENTRY_END
+
+RANGE_END
+
+; stub server for example.net
+RANGE_BEGIN 0 100
+	ADDRESS 10.0.5.1
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+example.net. IN NS ns.example.net.
+SECTION ADDITIONAL
+ns.example.net. IN A 10.0.5.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.net. IN A
+SECTION ANSWER
+example.net. IN A 10.0.5.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.net. IN AAAA
+SECTION AUTHORITY
+example.net. 300 SOA master.example.net etc 1 2 3 4 300
+ENTRY_END
+
+RANGE_END
+
+; stub server for subzone.example.com
+RANGE_BEGIN 0 100
+	ADDRESS 10.0.2.3
+; match anything, servfail
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id copy_query
+REPLY QR SERVFAIL
+SECTION QUESTION
+subzone.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+RANGE_END
+
+; stub server for subzone.example.com
+RANGE_BEGIN 0 100
+	ADDRESS 10.0.2.4
+; match anything, servfail
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id copy_query
+REPLY QR SERVFAIL
+SECTION QUESTION
+subzone.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+RANGE_END
+
+; stub server for subzone.example.com
+RANGE_BEGIN 0 100
+	ADDRESS 10.0.5.4
+; match anything, servfail
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id copy_query
+REPLY QR SERVFAIL
+SECTION QUESTION
+subzone.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+RANGE_END
+
+
+; fetch the delegation point for example.net in cache.
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.net. IN NS
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+example.net. IN NS ns.example.net.
+SECTION ADDITIONAL
+ns.example.net. IN A 10.0.5.1
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+whatever.subzone.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+; the query should not leak subzone ns queries to the internet
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+whatever.subzone.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+ENTRY_END
+
+SCENARIO_END

testdata/subnet_max_source.crpl

@@ -0,0 +1,231 @@
+; When the triggering query includes ECS option, source prefix-length should
+; be set to the shorter of the incoming query or server maximum cacheable prefix
+; length
+
+server:
+	val-override-date: "20070916134226"
+	target-fetch-policy: "0 0 0 0 0"
+	send-client-subnet: 1.2.3.4
+	max-client-subnet-ipv4: 17
+	module-config: "subnetcache validator iterator"
+	verbosity: 3
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test shortest source prefix-length
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			com.	IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN NS
+		SECTION ANSWER
+			com.    IN NS   a.gtld-servers.net.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			a.gtld-servers.net.     IN      A       192.5.6.30
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id copy_ednsdata_assume_clientsubnet
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.         IN      A       1.2.3.4
+	ENTRY_END
+
+	; response to query of interest
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id copy_ednsdata_assume_clientsubnet
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com. IN A	10.20.30.40
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+							; client is 127.0.0.1
+				00 08 		; OPC
+				00 06 		; option length
+				00 01 		; Family
+				10 00 		; source mask, scopemask
+				7f 00    	; address
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+
+	; client send /18, we expect /17
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id copy_ednsdata_assume_clientsubnet
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com. IN A	10.20.30.50
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+							; client is 127.1.0.1
+				00 08 		; OPC
+				00 07 		; option length
+				00 01 		; Family
+				11 00 		; source mask, scopemask
+				7f 01 00   	; address
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+	HEX_ANSWER_BEGIN;
+		00 00 01 00 00 01 00 00		;ID 0
+		00 00 00 01 03 77 77 77		; www.example.com A? (DO)
+		07 65 78 61 6d 70 6c 65 
+		03 63 6f 6d 00 00 01 00
+		01 00 00 29 10 00 00 00 
+		80 00 00 0a
+		
+		00 08 00 06			; OPC, optlen
+		00 01 10 00			; ip4, scope 16, source 0
+		7f 00   			;127.0.0.0/16
+	HEX_ANSWER_END
+ENTRY_END
+
+
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ednsdata
+	REPLY QR RD RA NOERROR
+	SECTION QUESTION
+		www.example.com. IN A
+	SECTION ANSWER
+		www.example.com. IN A	10.20.30.40
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		HEX_EDNSDATA_BEGIN
+						; client is 127.0.0.1
+			00 08 		; OPC
+			00 06 		; option length
+			00 01 		; Family
+			10 10 		; source mask, scopemask
+			7f 00 	; address
+		HEX_EDNSDATA_END
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+STEP 11 QUERY
+ENTRY_BEGIN
+	HEX_ANSWER_BEGIN;
+		00 00 01 00 00 01 00 00		;ID 0
+		00 00 00 01 03 77 77 77		; www.example.com A? (DO)
+		07 65 78 61 6d 70 6c 65 
+		03 63 6f 6d 00 00 01 00
+		01 00 00 29 10 00 00 00 
+		80 00 00 0b
+		
+		00 08 00 07			; OPC, optlen
+		00 01 12 00			; ip4, scope 18, source 0
+		7f 01 00  			;127.1.0.0/18
+	HEX_ANSWER_END
+ENTRY_END
+
+
+
+; recursion happens here.
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ednsdata
+	REPLY QR RD RA NOERROR
+	SECTION QUESTION
+		www.example.com. IN A
+	SECTION ANSWER
+		www.example.com. IN A	10.20.30.50
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		HEX_EDNSDATA_BEGIN
+						; client is 127.1.0.1
+			00 08 		; OPC
+			00 07 		; option length
+			00 01 		; Family
+			12 11 		; source mask, scopemask
+			7f 01 00 	; address
+		HEX_EDNSDATA_END
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+
+SCENARIO_END

testdata/test_ldnsrr.5

@@ -145,3 +145,9 @@ txt6       IN      TXT     ("v=DKIM1; k=rsa; g=*; s=email; h=sha1; t=s; p=MIGfMA
 
 example.com. 3600 IN CSYNC 66 3 A NS AAAA
 9fe6cbb9e933ad0b8b4fa94066474e091ee8be696c224b1c1678fcec._openpgpkey 3600 IN OPENPGPKEY \# 2221 ( 99020d044d6cf351011000ae2731a071cae66040331dcfffbc1abaea01fba2b3 341ad29f4191e1e2e47514cc595e5d3b59ebd460db81cb04e98a753dae963543 74b8c3a420364960a6c6875e66cea7216327c16996557c4d13e25e236b3714e9 32795be889e8b33a295faf6d9015474cfe9c2643603f1e91e01334011a841909 8e2fc9807285b2195cdbb1a9ae1916a26b9e33b3f91cde2f728aa133464a1099 fc2beecaf8f67ee03a999aa97be89ce4a252f804ce27a9efb7a631ca956bfa99 c51d6beca52af39a93353aac43097671074a4bb5b039eb86e99209989d5b6a4a e22b32c1605e712072926095b4640db4b4d16b54a8139048e25ef0098781e524 4222df9b6a6bf2335942527356a29e1063c5bc1297c051ab969a3e0c01fb15e2 0ea63a06b416d6c96f9794c5d80e97afb249d2b907dc46605f1001019dd62774 4bc2ad73f239cd623f945bf9922ec6ceb607ce8818455173199de1ef555bf3e8 5e9702dcab7a30e5e6c0f6827ce6d550df2ba4fa6ef2ed47bceb916aded25a72 7039a09942a0684897cdf2efc13f5169693c19da94d861be40e8b07fe853d297 8389eba876332be7db146f1ec6a957bfe39ac90514b1f870a5d899bb4e1d97af 49294ad09dede6d5a04abdc29332bbe74cf70393b626c0f4fdfef6ee2b01d8a6 a40750c446e159b44d0a783611585385ba912b771364b6eda8a69680026a6bf2 105692fd6f9a6cf19e09550011010001b42357696c6c656d20546f6f726f7020 3c77696c6c656d406e6c6e65746c6162732e6e6c3e89023e0413010200280502 4d6cf351021b23050909660180060b090807030206150802090a0b0416020301 021e01021780000a0910e5f8f8212f77a4985d5b0ffe289b97f7d8e4e5abc537 8b7d6db7c395f98c3d787e3fb598638c41e889aea40cbe5b3001d947c7184c92 9efe6ad1e32ae9acb0802823870bb149c3a7bdfbb591601d8c099b3bdd3b3ddc cb03b4d611dc741d9c49c3b5b87654a21dfb618cfe6087f172b3dc663a9f4c0d ad81476ebe5b6fd966164383bc39303a66272a3fe6a0b9a813d4e249c6b9dacf 748a49a979b3fa24036e47099e1d24ed3310cc04341e0bf3afd4e365a04cd075 b7d1dff607a3b8738abf885a7dc959251785ca626b8c9b476f44439653615437 c715b1a586236132e1f89b0e4a9d2d84e403e6733c90a96ec041d14994b19ec0 d23153bb94d9059851901353ddb60b9c42edf715af6ee4ef111e5afd56092a1f 7662a72af80f8768425324a8a7335c805a49b1c4d3dc279b69114a5c592638ff 22a963bd34d2d4bcc319972b99c197fa31c21b89e627f36ce811297ff707f53e 6c258dab407b7d618ec296317a565c2c8b740a39244d8f82095842f6f84448dc e29bb292c7e15072b00c04f2a0f4cd700f2e7348b703f74bcb8d5f4235fbd282 4f515852ea9be06255f88d81a5046d1f730e9bf103b3335f5f03d74ac2ec6581 4dd920e985b57a3b4e0c699f3103ab033ccf36a5b037b3668365484b58a4462d 79414d27170c9db4285bec72d24a9654354b996d13c14b2994f6725e36fb766d 57a79ed721c3ca248221390d7d6fa65f867fa6fa1369b9020d044d6cf3510110 00a4ece215b3f782bae8fb6c1e3fdc06d1e6242271f41b073fc7a85237788814 7b7168134e0b753c608d07308f188b9489af34f1dab1bb52fc3968d0a705c30a 35ea0226e7d2608931138d56ccf124a9236276462863a8f1c83b3a640167211d eaaadfc557ff7701cbb1d413259cf3f5b18ec6e615000bb4ab73c75b980615cf a9a7778de3bab318cc448eca044e3fdc95ac63aa2b28846d77fe190fe8fbc3a0 3ece39d38675040ff1be064410faad9fc5a8c2efe02f34cc39f3087d6b2e9346 42995fd5a9f2d3a59302c0cbe1fea01002c7eb64c8c4e5f853b5b17aebc7c722 97380b8df9ec7f32f1766b3d76e186dc582eedd5da955b7cacdb4cca69e99e9b 25d22b157a68c9f828170917709d335a000590f2be22fd7a5ed0ff2432969642 e84978428c1a3c8380bb339d21ce9cb8ce8f4d6bc102b70a56042159f26c85f7 8599f931a73fe159cf4ae34c828e66fe84f648af745b5d2b1022d514901a8e48 c1cdae82205fe21a58cab77bbc8c1dd32a94aaf4954e7695f05b7c40a395e07f 34ee0add218904fcd380bb737be2ec5b148942840c58abfa212c10ad6debb265 23aa040dad2191397deb472f0dbeeceb6afb386b7166754a47216c3629f63633 a02c5fd1c116e46c8a682a163426e556ea5c0ecdb472429c0d51bea5e583f889 e70f831251e8b31c231d2f946de8c31a6550f884ea961dfdf75a2c3e366ad48c b5001101000189022404180102000f05024d6cf351021b0c050909660180000a 0910e5f8f8212f77a498ed740ff8e1cd5baa631d75dff18a2aa27def9c416118 d178092a1c327c3cc641fd74bc976f3a1b5da52b95cfea68618b31f2aaee6f82 f30ed934eb98de0105878a4814fc811139ed4b3aa356e3c962c422f0be4d3d59 f8e9e64913964287282a6519cd0b1f3f03615aea223b276efcbc5cd4921787c1 7f70b0967aefdcc5462344399b4180efd75c1185a83d6b691e660f8210e76624 f1a87d988baf9367d26b84dcb5df8c7303c2947c4c238734addccb7970f6c192 f3f5dd5f75127e289f26b2fda0562b44a032ed45ae1fc855dca67d54125ccd36 c16f207e4389b0f4e5ff45fe60328a53b322534868ff0d3d8aca0bb0781ee1fe 62f2c0e6fc468f57ccf795ced9f2b27e3cb6d16fc417bd4ca969a364dc649ea5 c57f0325205eaa77fd9df84431c3be5329773828d0e32c0011cbb885e7131b44 b1fc5267b0b3ff125e7255c233239fc6e8c8844d613dab76833e49a7d947fae6 b3ceb35b2ddce2a0f71f384f74fecda521ae07ce3332e5eb2c79d100ad8f9ace 2a0067c1b590f61dd18ab021d66605aa745b5944d830de4c9f61dcc889354b1a 6203d918a5c2317b6d5f188d8d0cf6dab11c9578f6f41d3089871bbb2963b114 59ab0b4c4220ddafb14c20ecbacab1cec60a522ecc883bd1d539ca61cdd4933c 412fafd631d03eff23b23a4164729e32236947f622fe79a17493154e9a30b257 e3fdf97f0b2e1b8c65fc85bd98)
+
+test.add.1.	0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1480584899 300 16 lkEJsjwBeAdfv9RGs6zZrg== 15355 NOERROR 0
+blabla.		0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1480585012 300 16 k9mSMs2t5vq5FV2DvQvR6g== 59231 NOERROR 0
+blabla.	0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1480523776  300 16 sBfx00GRs+tfRTm4uRCjyQ== 25791 0 0
+blabla.		0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1480585449 300 0  59692 BADSIG 0
+blabla.		0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1480585462 300 16 6wvlG82sEVHyqsTtBLvRQw== 26044 NOERROR 0

testdata/test_ldnsrr.c5

@@ -111,19 +111,19 @@ host1.blaat.nl.	3600	IN	L64	10 2001:0db8:1140:1000
 05686F73743105626C616174026E6C00006B000100000E100018000A0B6C36342D7375626E65743105626C616174026E6C00
 host1.blaat.nl.	3600	IN	LP	10 l64-subnet1.blaat.nl.
 03636161000101000100000E1000150005697373756563612E6578616D706C652E6E6574
-caa.	3600	IN	CAA	\# 21 0005697373756563612E6578616D706C652E6E6574
+caa.	3600	IN	CAA	0 issue "ca.example.net"
 03636161000101000100000E1000220005696F6465666D61696C746F3A7365637572697479406578616D706C652E636F6D
-caa.	3600	IN	CAA	\# 34 0005696F6465666D61696C746F3A7365637572697479406578616D706C652E636F6D
+caa.	3600	IN	CAA	0 iodef "mailto:security@example.com"
 03636161000101000100000E1000200005696F646566687474703A2F2F696F6465662E6578616D706C652E636F6D2F
-caa.	3600	IN	CAA	\# 32 0005696F646566687474703A2F2F696F6465662E6578616D706C652E636F6D2F
+caa.	3600	IN	CAA	0 iodef "http://iodef.example.com/"
 03636161000101000100000E1000250005697373756563612E6578616D706C652E6E65743B206163636F756E743D323330313233
-caa.	3600	IN	CAA	\# 37 0005697373756563612E6578616D706C652E6E65743B206163636F756E743D323330313233
+caa.	3600	IN	CAA	0 issue "ca.example.net; account=230123"
 03636161000101000100000E1000200005697373756563612E6578616D706C652E6E65743B20706F6C6963793D6576
-caa.	3600	IN	CAA	\# 32 0005697373756563612E6578616D706C652E6E65743B20706F6C6963793D6576
+caa.	3600	IN	CAA	0 issue "ca.example.net; policy=ev"
 03636161000101000100000E10000C8003746273556E6B6E6F776E
-caa.	3600	IN	CAA	\# 12 8003746273556E6B6E6F776E
+caa.	3600	IN	CAA	128 tbs "Unknown"
 03636161000101000100000E100046020461757468303E3039060A2B06010401D67902030106096086480165030402010420614829C81B958911F81164D40DCDBFD49D66CEB3B3442FF6C9C3A912F9497566020100
-caa.	3600	IN	CAA	\# 70 020461757468303E3039060A2B06010401D67902030106096086480165030402010420614829C81B958911F81164D40DCDBFD49D66CEB3B3442FF6C9C3A912F9497566020100
+caa.	3600	IN	CAA	2 auth "0>09\006\010+\006\001\004\001\214y\002\003\001\006	`\134H\001e\003\004\002\001\004 aH)\200\027\149\137\017\248\017d\212\013\205\191\212\157f\206\179\179D/\246\201\195\169\018\249Iuf\002\001\000"
 05657569343800006C000100000E10000600005E90012A
 eui48.	3600	IN	EUI48	00-00-5e-90-01-2a
 05657569363400006D000100000E10000800005EEF0000002A
@@ -178,3 +178,13 @@ txt6.	3600	IN	TXT	"v=DKIM1; k=rsa; g=*; s=email; h=sha1; t=s; p=MIGfMA0GCSqGSIb3
 example.com.	3600	IN	CSYNC	66 3 A NS AAAA
 3839666536636262396539333361643062386234666139343036363437346530393165653862653639366332323462316331363738666365630B5F6F70656E7067706B657900003D000100000E1008AD99020D044D6CF351011000AE2731A071CAE66040331DCFFFBC1ABAEA01FBA2B3341AD29F4191E1E2E47514CC595E5D3B59EBD460DB81CB04E98A753DAE96354374B8C3A420364960A6C6875E66CEA7216327C16996557C4D13E25E236B3714E932795BE889E8B33A295FAF6D9015474CFE9C2643603F1E91E01334011A8419098E2FC9807285B2195CDBB1A9AE1916A26B9E33B3F91CDE2F728AA133464A1099FC2BEECAF8F67EE03A999AA97BE89CE4A252F804CE27A9EFB7A631CA956BFA99C51D6BECA52AF39A93353AAC43097671074A4BB5B039EB86E99209989D5B6A4AE22B32C1605E712072926095B4640DB4B4D16B54A8139048E25EF0098781E5244222DF9B6A6BF2335942527356A29E1063C5BC1297C051AB969A3E0C01FB15E20EA63A06B416D6C96F9794C5D80E97AFB249D2B907DC46605F1001019DD627744BC2AD73F239CD623F945BF9922EC6CEB607CE8818455173199DE1EF555BF3E85E9702DCAB7A30E5E6C0F6827CE6D550DF2BA4FA6EF2ED47BCEB916ADED25A727039A09942A0684897CDF2EFC13F5169693C19DA94D861BE40E8B07FE853D2978389EBA876332BE7DB146F1EC6A957BFE39AC90514B1F870A5D899BB4E1D97AF49294AD09DEDE6D5A04ABDC29332BBE74CF70393B626C0F4FDFEF6EE2B01D8A6A40750C446E159B44D0A783611585385BA912B771364B6EDA8A69680026A6BF2105692FD6F9A6CF19E09550011010001B42357696C6C656D20546F6F726F70203C77696C6C656D406E6C6E65746C6162732E6E6C3E89023E04130102002805024D6CF351021B23050909660180060B090807030206150802090A0B0416020301021E01021780000A0910E5F8F8212F77A4985D5B0FFE289B97F7D8E4E5ABC5378B7D6DB7C395F98C3D787E3FB598638C41E889AEA40CBE5B3001D947C7184C929EFE6AD1E32AE9ACB0802823870BB149C3A7BDFBB591601D8C099B3BDD3B3DDCCB03B4D611DC741D9C49C3B5B87654A21DFB618CFE6087F172B3DC663A9F4C0DAD81476EBE5B6FD966164383BC39303A66272A3FE6A0B9A813D4E249C6B9DACF748A49A979B3FA24036E47099E1D24ED3310CC04341E0BF3AFD4E365A04CD075B7D1DFF607A3B8738ABF885A7DC959251785CA626B8C9B476F44439653615437C715B1A586236132E1F89B0E4A9D2D84E403E6733C90A96EC041D14994B19EC0D23153BB94D9059851901353DDB60B9C42EDF715AF6EE4EF111E5AFD56092A1F7662A72AF80F8768425324A8A7335C805A49B1C4D3DC279B69114A5C592638FF22A963BD34D2D4BCC319972B99C197FA31C21B89E627F36CE811297FF707F53E6C258DAB407B7D618EC296317A565C2C8B740A39244D8F82095842F6F84448DCE29BB292C7E15072B00C04F2A0F4CD700F2E7348B703F74BCB8D5F4235FBD2824F515852EA9BE06255F88D81A5046D1F730E9BF103B3335F5F03D74AC2EC65814DD920E985B57A3B4E0C699F3103AB033CCF36A5B037B3668365484B58A4462D79414D27170C9DB4285BEC72D24A9654354B996D13C14B2994F6725E36FB766D57A79ED721C3CA248221390D7D6FA65F867FA6FA1369B9020D044D6CF351011000A4ECE215B3F782BAE8FB6C1E3FDC06D1E6242271F41B073FC7A852377888147B7168134E0B753C608D07308F188B9489AF34F1DAB1BB52FC3968D0A705C30A35EA0226E7D2608931138D56CCF124A9236276462863A8F1C83B3A640167211DEAAADFC557FF7701CBB1D413259CF3F5B18EC6E615000BB4AB73C75B980615CFA9A7778DE3BAB318CC448ECA044E3FDC95AC63AA2B28846D77FE190FE8FBC3A03ECE39D38675040FF1BE064410FAAD9FC5A8C2EFE02F34CC39F3087D6B2E934642995FD5A9F2D3A59302C0CBE1FEA01002C7EB64C8C4E5F853B5B17AEBC7C72297380B8DF9EC7F32F1766B3D76E186DC582EEDD5DA955B7CACDB4CCA69E99E9B25D22B157A68C9F828170917709D335A000590F2BE22FD7A5ED0FF2432969642E84978428C1A3C8380BB339D21CE9CB8CE8F4D6BC102B70A56042159F26C85F78599F931A73FE159CF4AE34C828E66FE84F648AF745B5D2B1022D514901A8E48C1CDAE82205FE21A58CAB77BBC8C1DD32A94AAF4954E7695F05B7C40A395E07F34EE0ADD218904FCD380BB737BE2EC5B148942840C58ABFA212C10AD6DEBB26523AA040DAD2191397DEB472F0DBEECEB6AFB386B7166754A47216C3629F63633A02C5FD1C116E46C8A682A163426E556EA5C0ECDB472429C0D51BEA5E583F889E70F831251E8B31C231D2F946DE8C31A6550F884EA961DFDF75A2C3E366AD48CB5001101000189022404180102000F05024D6CF351021B0C050909660180000A0910E5F8F8212F77A498ED740FF8E1CD5BAA631D75DFF18A2AA27DEF9C416118D178092A1C327C3CC641FD74BC976F3A1B5DA52B95CFEA68618B31F2AAEE6F82F30ED934EB98DE0105878A4814FC811139ED4B3AA356E3C962C422F0BE4D3D59F8E9E64913964287282A6519CD0B1F3F03615AEA223B276EFCBC5CD4921787C17F70B0967AEFDCC5462344399B4180EFD75C1185A83D6B691E660F8210E76624F1A87D988BAF9367D26B84DCB5DF8C7303C2947C4C238734ADDCCB7970F6C192F3F5DD5F75127E289F26B2FDA0562B44A032ED45AE1FC855DCA67D54125CCD36C16F207E4389B0F4E5FF45FE60328A53B322534868FF0D3D8ACA0BB0781EE1FE62F2C0E6FC468F57CCF795CED9F2B27E3CB6D16FC417BD4CA969A364DC649EA5C57F0325205EAA77FD9DF84431C3BE5329773828D0E32C0011CBB885E7131B44B1FC5267B0B3FF125E7255C233239FC6E8C8844D613DAB76833E49A7D947FAE6B3CEB35B2DDCE2A0F71F384F74FECDA521AE07CE3332E5EB2C79D100AD8F9ACE2A0067C1B590F61DD18AB021D66605AA745B5944D830DE4C9F61DCC889354B1A6203D918A5C2317B6D5F188D8D0CF6DAB11C9578F6F41D3089871BBB2963B11459AB0B4C4220DDAFB14C20ECBACAB1CEC60A522ECC883BD1D539CA61CDD4933C412FAFD631D03EFF23B23A4164729E32236947F622FE79A17493154E9A30B257E3FDF97F0B2E1B8C65FC85BD98
 9fe6cbb9e933ad0b8b4fa94066474e091ee8be696c224b1c1678fcec._openpgpkey.	3600	IN	OPENPGPKEY	mQINBE1s81EBEACuJzGgccrmYEAzHc//vBq66gH7orM0GtKfQZHh4uR1FMxZXl07WevUYNuBywTpinU9rpY1Q3S4w6QgNklgpsaHXmbOpyFjJ8FpllV8TRPiXiNrNxTpMnlb6InoszopX69tkBVHTP6cJkNgPx6R4BM0ARqEGQmOL8mAcoWyGVzbsamuGRaia54zs/kc3i9yiqEzRkoQmfwr7sr49n7gOpmaqXvonOSiUvgEziep77emMcqVa/qZxR1r7KUq85qTNTqsQwl2cQdKS7WwOeuG6ZIJmJ1bakriKzLBYF5xIHKSYJW0ZA20tNFrVKgTkEjiXvAJh4HlJEIi35tqa/IzWUJSc1ainhBjxbwSl8BRq5aaPgwB+xXiDqY6BrQW1slvl5TF2A6Xr7JJ0rkH3EZgXxABAZ3WJ3RLwq1z8jnNYj+UW/mSLsbOtgfOiBhFUXMZneHvVVvz6F6XAtyrejDl5sD2gnzm1VDfK6T6bvLtR7zrkWre0lpycDmgmUKgaEiXzfLvwT9RaWk8GdqU2GG+QOiwf+hT0peDieuodjMr59sUbx7GqVe/45rJBRSx+HCl2Jm7Th2Xr0kpStCd7ebVoEq9wpMyu+dM9wOTtibA9P3+9u4rAdimpAdQxEbhWbRNCng2EVhThbqRK3cTZLbtqKaWgAJqa/IQVpL9b5ps8Z4JVQARAQABtCNXaWxsZW0gVG9vcm9wIDx3aWxsZW1AbmxuZXRsYWJzLm5sPokCPgQTAQIAKAUCTWzzUQIbIwUJCWYBgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ5fj4IS93pJhdWw/+KJuX99jk5avFN4t9bbfDlfmMPXh+P7WYY4xB6ImupAy+WzAB2UfHGEySnv5q0eMq6aywgCgjhwuxScOnvfu1kWAdjAmbO907PdzLA7TWEdx0HZxJw7W4dlSiHfthjP5gh/Fys9xmOp9MDa2BR26+W2/ZZhZDg7w5MDpmJyo/5qC5qBPU4knGudrPdIpJqXmz+iQDbkcJnh0k7TMQzAQ0Hgvzr9TjZaBM0HW30d/2B6O4c4q/iFp9yVklF4XKYmuMm0dvREOWU2FUN8cVsaWGI2Ey4fibDkqdLYTkA+ZzPJCpbsBB0UmUsZ7A0jFTu5TZBZhRkBNT3bYLnELt9xWvbuTvER5a/VYJKh92Yqcq+A+HaEJTJKinM1yAWkmxxNPcJ5tpEUpcWSY4/yKpY7000tS8wxmXK5nBl/oxwhuJ5ifzbOgRKX/3B/U+bCWNq0B7fWGOwpYxelZcLIt0CjkkTY+CCVhC9vhESNzim7KSx+FQcrAMBPKg9M1wDy5zSLcD90vLjV9CNfvSgk9RWFLqm+BiVfiNgaUEbR9zDpvxA7MzX18D10rC7GWBTdkg6YW1ejtODGmfMQOrAzzPNqWwN7Nmg2VIS1ikRi15QU0nFwydtChb7HLSSpZUNUuZbRPBSymU9nJeNvt2bVenntchw8okgiE5DX1vpl+Gf6b6E2m5Ag0ETWzzUQEQAKTs4hWz94K66PtsHj/cBtHmJCJx9BsHP8eoUjd4iBR7cWgTTgt1PGCNBzCPGIuUia808dqxu1L8OWjQpwXDCjXqAibn0mCJMRONVszxJKkjYnZGKGOo8cg7OmQBZyEd6qrfxVf/dwHLsdQTJZzz9bGOxuYVAAu0q3PHW5gGFc+pp3eN47qzGMxEjsoETj/claxjqisohG13/hkP6PvDoD7OOdOGdQQP8b4GRBD6rZ/FqMLv4C80zDnzCH1rLpNGQplf1any06WTAsDL4f6gEALH62TIxOX4U7WxeuvHxyKXOAuN+ex/MvF2az124YbcWC7t1dqVW3ys20zKaememyXSKxV6aMn4KBcJF3CdM1oABZDyviL9el7Q/yQylpZC6El4QowaPIOAuzOdIc6cuM6PTWvBArcKVgQhWfJshfeFmfkxpz/hWc9K40yCjmb+hPZIr3RbXSsQItUUkBqOSMHNroIgX+IaWMq3e7yMHdMqlKr0lU52lfBbfECjleB/NO4K3SGJBPzTgLtze+LsWxSJQoQMWKv6ISwQrW3rsmUjqgQNrSGROX3rRy8Nvuzravs4a3FmdUpHIWw2KfY2M6AsX9HBFuRsimgqFjQm5VbqXA7NtHJCnA1RvqXlg/iJ5w+DElHosxwjHS+UbejDGmVQ+ITqlh3991osPjZq1Iy1ABEBAAGJAiQEGAECAA8FAk1s81ECGwwFCQlmAYAACgkQ5fj4IS93pJjtdA/44c1bqmMddd/xiiqife+cQWEY0XgJKhwyfDzGQf10vJdvOhtdpSuVz+poYYsx8qrub4LzDtk065jeAQWHikgU/IEROe1LOqNW48lixCLwvk09Wfjp5kkTlkKHKCplGc0LHz8DYVrqIjsnbvy8XNSSF4fBf3Cwlnrv3MVGI0Q5m0GA79dcEYWoPWtpHmYPghDnZiTxqH2Yi6+TZ9JrhNy134xzA8KUfEwjhzSt3Mt5cPbBkvP13V91En4onyay/aBWK0SgMu1Frh/IVdymfVQSXM02wW8gfkOJsPTl/0X+YDKKU7MiU0ho/w09isoLsHge4f5i8sDm/EaPV8z3lc7Z8rJ+PLbRb8QXvUypaaNk3GSepcV/AyUgXqp3/Z34RDHDvlMpdzgo0OMsABHLuIXnExtEsfxSZ7Cz/xJeclXCMyOfxujIhE1hPat2gz5Jp9lH+uazzrNbLdzioPcfOE90/s2lIa4HzjMy5essedEArY+azioAZ8G1kPYd0YqwIdZmBap0W1lE2DDeTJ9h3MiJNUsaYgPZGKXCMXttXxiNjQz22rEclXj29B0wiYcbuyljsRRZqwtMQiDdr7FMIOy6yrHOxgpSLsyIO9HVOcphzdSTPEEvr9Yx0D7/I7I6QWRynjIjaUf2Iv55oXSTFU6aMLJX4/35fwsuG4xl/IW9mA==
+04746573740361646401310000FA00FF00000000003A08686D61632D6D6435077369672D616C670372656703696E74000000583FEEC3012C0010964109B23C0178075FBFD446B3ACD9AE3BFB00000000
+test.add.1.	0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1480584899 300 16 lkEJsjwBeAdfv9RGs6zZrg== 15355 NOERROR 0
+06626C61626C610000FA00FF00000000003A08686D61632D6D6435077369672D616C670372656703696E74000000583FEF34012C001093D99232CDADE6FAB9155D83BD0BD1EAE75F00000000
+blabla.	0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1480585012 300 16 k9mSMs2t5vq5FV2DvQvR6g== 59231 NOERROR 0
+06626C61626C610000FA00FF00000000003A08686D61632D6D6435077369672D616C670372656703696E74000000583F0000012C0010B017F1D34191B3EB5F4539B8B910A3C964BF00000000
+blabla.	0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1480523776 300 16 sBfx00GRs+tfRTm4uRCjyQ== 25791 NOERROR 0
+06626C61626C610000FA00FF00000000002A08686D61632D6D6435077369672D616C670372656703696E74000000583FF0E9012C0000E92C00100000
+blabla.	0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1480585449 300 0 59692 BADSIG 0
+06626C61626C610000FA00FF00000000003A08686D61632D6D6435077369672D616C670372656703696E74000000583FF0F6012C0010EB0BE51BCDAC1151F2AAC4ED04BBD14365BC00000000
+blabla.	0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1480585462 300 16 6wvlG82sEVHyqsTtBLvRQw== 26044 NOERROR 0

testdata/test_sigs.ed25519

@@ -0,0 +1,21 @@
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification. 
+; later entries are verified with it.
+
+ENTRY_BEGIN
+SECTION QUESTION
+example.com.	IN DNSKEY
+SECTION ANSWER
+example.com.	3600	IN	DNSKEY	256 3 15 +sZnc8HII6xxA9Ili5bboiKH0Ipv/Ap1aucIt/CVF2M= ;{id = 57147 (zsk), size = 256b}
+ENTRY_END
+
+; entry to test
+ENTRY_BEGIN
+SECTION QUESTION
+www.example.com.    IN      A 
+SECTION ANSWER
+www.example.com.	3600	IN	A	10.0.0.1
+www.example.com.	3600	IN	RRSIG	A 15 3 3600 20170627103620 20170530103620 57147 example.com. daYG6zZJ3BJwGOS4PC0tDnxssVNYoenOHocoIfx0GeXNkKHSyXF+XHgD5LKbG3ZN0dZJ/4To5eni9QXOXiR4CA==
+ENTRY_END
+

util/config_file.c

@@ -178,6 +178,7 @@ config_create(void)
 	cfg->forwards = NULL;
 #ifdef CLIENT_SUBNET
 	cfg->client_subnet = NULL;
+	cfg->client_subnet_zone = NULL;
 	cfg->client_subnet_opcode = LDNS_EDNS_CLIENT_SUBNET;
 	cfg->client_subnet_always_forward = 0;
 	cfg->max_client_subnet_ipv4 = 24;
@@ -206,6 +207,7 @@ config_create(void)
 	cfg->trust_anchor_file_list = NULL;
 	cfg->trust_anchor_list = NULL;
 	cfg->trusted_keys_file_list = NULL;
+	cfg->trust_anchor_signaling = 0;
 	cfg->dlv_anchor_file = NULL;
 	cfg->dlv_anchor_list = NULL;
 	cfg->domain_insecure = NULL;
@@ -227,6 +229,7 @@ config_create(void)
 	cfg->neg_cache_size = 1 * 1024 * 1024;
 	cfg->local_zones = NULL;
 	cfg->local_zones_nodefault = NULL;
+	cfg->local_zones_disable_default = 0;
 	cfg->local_data = NULL;
 	cfg->local_zone_overrides = NULL;
 	cfg->unblock_lan_zones = 0;
@@ -279,6 +282,14 @@ config_create(void)
 	cfg->dnscrypt_provider = NULL;
 	cfg->dnscrypt_provider_cert = NULL;
 	cfg->dnscrypt_secret_key = NULL;
+#ifdef USE_IPSECMOD
+	cfg->ipsecmod_enabled = 1;
+	cfg->ipsecmod_ignore_bogus = 0;
+	cfg->ipsecmod_hook = NULL;
+	cfg->ipsecmod_max_ttl = 3600;
+	cfg->ipsecmod_whitelist = NULL;
+	cfg->ipsecmod_strict = 0;
+#endif
 	return cfg;
 error_exit:
 	config_delete(cfg); 
@@ -480,6 +491,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_STRLIST("trust-anchor-file:", trust_anchor_file_list)
 	else S_STRLIST("trust-anchor:", trust_anchor_list)
 	else S_STRLIST("trusted-keys-file:", trusted_keys_file_list)
+	else S_YNO("trust-anchor-signaling:", trust_anchor_signaling)
 	else S_STR("dlv-anchor-file:", dlv_anchor_file)
 	else S_STRLIST("dlv-anchor:", dlv_anchor_list)
 	else S_STRLIST("domain-insecure:", domain_insecure)
@@ -522,6 +534,33 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	 * generating the address tree. */
 	/* No client-subnet-always-forward here, module registration depends on
 	 * this option. */
+#endif
+#ifdef USE_DNSTAP
+	else S_YNO("dnstap-enable:", dnstap)
+	else S_STR("dnstap-socket-path:", dnstap_socket_path)
+	else S_YNO("dnstap-send-identity:", dnstap_send_identity)
+	else S_YNO("dnstap-send-version:", dnstap_send_version)
+	else S_STR("dnstap-identity:", dnstap_identity)
+	else S_STR("dnstap-version:", dnstap_version)
+	else S_YNO("dnstap-log-resolver-query-messages:",
+		dnstap_log_resolver_query_messages)
+	else S_YNO("dnstap-log-resolver-response-messages:",
+		dnstap_log_resolver_response_messages)
+	else S_YNO("dnstap-log-client-query-messages:",
+		dnstap_log_client_query_messages)
+	else S_YNO("dnstap-log-client-response-messages:",
+		dnstap_log_client_response_messages)
+	else S_YNO("dnstap-log-forwarder-query-messages:",
+		dnstap_log_forwarder_query_messages)
+	else S_YNO("dnstap-log-forwarder-response-messages:",
+		dnstap_log_forwarder_response_messages)
+#endif
+#ifdef USE_DNSCRYPT
+	else S_YNO("dnscrypt-enable:", dnscrypt)
+	else S_NUMBER_NONZERO("dnscrypt-port:", dnscrypt_port)
+	else S_STR("dnscrypt-provider:", dnscrypt_provider)
+	else S_STRLIST("dnscrypt-provider-cert:", dnscrypt_provider_cert)
+	else S_STRLIST("dnscrypt-secret-key:", dnscrypt_secret_key)
 #endif
 	else if(strcmp(opt, "ip-ratelimit:") == 0) {
 	    IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val);
@@ -539,6 +578,13 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
 	else S_YNO("qname-minimisation:", qname_minimisation)
 	else S_YNO("qname-minimisation-strict:", qname_minimisation_strict)
+#ifdef USE_IPSECMOD
+	else S_YNO("ipsecmod-enabled:", ipsecmod_enabled)
+	else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus)
+	else if(strcmp(opt, "ipsecmod-max-ttl:") == 0)
+	{ IS_NUMBER_OR_ZERO; cfg->ipsecmod_max_ttl = atoi(val); }
+	else S_YNO("ipsecmod-strict:", ipsecmod_strict)
+#endif
 	else if(strcmp(opt, "define-tag:") ==0) {
 		return config_add_tag(cfg, val);
 	/* val_sig_skew_min and max are copied into val_env during init,
@@ -560,15 +606,16 @@ int config_set_option(struct config_file* cfg, const char* opt,
 		cfg->out_ifs = oi;
 	} else {
 		/* unknown or unsupported (from the set_option interface):
-		 * interface, outgoing-interface, access-control, 
+		 * interface, outgoing-interface, access-control,
 		 * stub-zone, name, stub-addr, stub-host, stub-prime
 		 * forward-first, stub-first, forward-ssl-upstream,
 		 * stub-ssl-upstream, forward-zone,
 		 * name, forward-addr, forward-host,
 		 * ratelimit-for-domain, ratelimit-below-domain,
-		 * local-zone-tag, access-control-view 
-		 * send-client-subnet client-subnet-always-forward
-		 * max-client-subnet-ipv4 max-client-subnet-ipv6 */
+		 * local-zone-tag, access-control-view,
+		 * send-client-subnet, client-subnet-always-forward,
+		 * max-client-subnet-ipv4, max-client-subnet-ipv6, ipsecmod_hook,
+		 * ipsecmod_whitelist. */
 		return 0;
 	}
 	return 1;
@@ -834,6 +881,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LST(opt, "trust-anchor-file", trust_anchor_file_list)
 	else O_LST(opt, "trust-anchor", trust_anchor_list)
 	else O_LST(opt, "trusted-keys-file", trusted_keys_file_list)
+	else O_YNO(opt, "trust-anchor-signaling", trust_anchor_signaling)
 	else O_LST(opt, "dlv-anchor", dlv_anchor_list)
 	else O_LST(opt, "control-interface", control_ifs)
 	else O_LST(opt, "domain-insecure", domain_insecure)
@@ -842,10 +890,38 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin)
 #ifdef CLIENT_SUBNET
 	else O_LST(opt, "send-client-subnet", client_subnet)
+	else O_LST(opt, "client-subnet-zone", client_subnet_zone)
 	else O_DEC(opt, "max-client-subnet-ipv4", max_client_subnet_ipv4)
 	else O_DEC(opt, "max-client-subnet-ipv6", max_client_subnet_ipv6)
 	else O_YNO(opt, "client-subnet-always-forward:",
 		client_subnet_always_forward)
+#endif
+#ifdef USE_DNSTAP
+	else O_YNO(opt, "dnstap-enable", dnstap)
+	else O_STR(opt, "dnstap-socket-path", dnstap_socket_path)
+	else O_YNO(opt, "dnstap-send-identity", dnstap_send_identity)
+	else O_YNO(opt, "dnstap-send-version", dnstap_send_version)
+	else O_STR(opt, "dnstap-identity", dnstap_identity)
+	else O_STR(opt, "dnstap-version", dnstap_version)
+	else O_YNO(opt, "dnstap-log-resolver-query-messages",
+		dnstap_log_resolver_query_messages)
+	else O_YNO(opt, "dnstap-log-resolver-response-messages",
+		dnstap_log_resolver_response_messages)
+	else O_YNO(opt, "dnstap-log-client-query-messages",
+		dnstap_log_client_query_messages)
+	else O_YNO(opt, "dnstap-log-client-response-messages",
+		dnstap_log_client_response_messages)
+	else O_YNO(opt, "dnstap-log-forwarder-query-messages",
+		dnstap_log_forwarder_query_messages)
+	else O_YNO(opt, "dnstap-log-forwarder-response-messages",
+		dnstap_log_forwarder_response_messages)
+#endif
+#ifdef USE_DNSCRYPT
+	else O_YNO(opt, "dnscrypt-enable", dnscrypt)
+	else O_DEC(opt, "dnscrypt-port", dnscrypt_port)
+	else O_STR(opt, "dnscrypt-provider", dnscrypt_provider)
+	else O_LST(opt, "dnscrypt-provider-cert", dnscrypt_provider_cert)
+	else O_LST(opt, "dnscrypt-secret-key", dnscrypt_secret_key)
 #endif
 	else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
 	else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
@@ -874,6 +950,14 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LS3(opt, "access-control-tag-action", acl_tag_actions)
 	else O_LS3(opt, "access-control-tag-data", acl_tag_datas)
 	else O_LS2(opt, "access-control-view", acl_view)
+#ifdef USE_IPSECMOD
+	else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled)
+	else O_YNO(opt, "ipsecmod-ignore-bogus", ipsecmod_ignore_bogus)
+	else O_STR(opt, "ipsecmod-hook", ipsecmod_hook)
+	else O_DEC(opt, "ipsecmod-max-ttl", ipsecmod_max_ttl)
+	else O_LST(opt, "ipsecmod-whitelist", ipsecmod_whitelist)
+	else O_YNO(opt, "ipsecmod-strict", ipsecmod_strict)
+#endif
 	/* not here:
 	 * outgoing-permit, outgoing-avoid - have list of ports
 	 * local-zone - zones and nodefault variables
@@ -1131,11 +1215,13 @@ config_delete(struct config_file* cfg)
 	config_delstrlist(cfg->root_hints);
 #ifdef CLIENT_SUBNET
 	config_delstrlist(cfg->client_subnet);
+	config_delstrlist(cfg->client_subnet_zone);
 #endif
 	free(cfg->identity);
 	free(cfg->version);
 	free(cfg->module_conf);
 	free(cfg->outgoing_avail_ports);
+	free(cfg->python_script);
 	config_delstrlist(cfg->caps_whitelist);
 	config_delstrlist(cfg->private_address);
 	config_delstrlist(cfg->private_domain);
@@ -1169,6 +1255,10 @@ config_delete(struct config_file* cfg)
 	free(cfg->dnstap_version);
 	config_deldblstrlist(cfg->ratelimit_for_domain);
 	config_deldblstrlist(cfg->ratelimit_below_domain);
+#ifdef USE_IPSECMOD
+	free(cfg->ipsecmod_hook);
+	config_delstrlist(cfg->ipsecmod_whitelist);
+#endif
 	free(cfg);
 }
 

util/config_file.h

@@ -176,6 +176,8 @@ struct config_file {
 	/** list of servers we send edns-client-subnet option to and 
 	 * accept option from, linked list */
 	struct config_strlist* client_subnet;
+	/** list of zones we send edns-client-subnet option for */
+	struct config_strlist* client_subnet_zone;
 	/** opcode assigned by IANA for edns0-client-subnet option */
 	uint16_t client_subnet_opcode;
 	/** Do not check whitelist if incoming query contains an ECS record */
@@ -274,6 +276,8 @@ struct config_file {
 	struct config_strlist* dlv_anchor_list;
 	/** insecure domain list */
 	struct config_strlist* domain_insecure;
+	/** send key tag query */
+	int trust_anchor_signaling;
 
 	/** if not 0, this value is the validation date for RRSIGs */
 	int32_t val_date_override;
@@ -317,6 +321,8 @@ struct config_file {
 	struct config_str2list* local_zones;
 	/** local zones nodefault list */
 	struct config_strlist* local_zones_nodefault;
+	/** do not add any default local zone */
+	int local_zones_disable_default;
 	/** local data RRs configured */
 	struct config_strlist* local_data;
 	/** local zone override types per netblock */
@@ -458,6 +464,22 @@ struct config_file {
 	struct config_strlist* dnscrypt_secret_key;
 	/** dnscrypt provider certs 1.cert */
 	struct config_strlist* dnscrypt_provider_cert;
+
+	/** IPsec module */
+#ifdef USE_IPSECMOD
+	/** false to bypass the IPsec module */
+	int ipsecmod_enabled;
+	/** whitelisted domains for ipsecmod */
+	struct config_strlist* ipsecmod_whitelist;
+	/** path to external hook */
+	char* ipsecmod_hook;
+	/** true to proceed even with a bogus IPSECKEY */
+	int ipsecmod_ignore_bogus;
+	/** max TTL for the A/AAAA records that call the hook */
+	int ipsecmod_max_ttl;
+	/** false to proceed even when ipsecmod_hook fails */
+	int ipsecmod_strict;
+#endif
 };
 
 /** from cfg username, after daemonise setup performed */