Vendor import of Unbound 1.12.0.

.gitignore

@@ -31,6 +31,7 @@
 /unbound.h
 /asynclook
 /delayer
+/dohclient
 /lock-verify
 /memstats
 /perf

Makefile.in

@@ -231,6 +231,10 @@ STREAMTCP_SRC=testcode/streamtcp.c
 STREAMTCP_OBJ=streamtcp.lo
 STREAMTCP_OBJ_LINK=$(STREAMTCP_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \
 $(SLDNS_OBJ)
+DOHCLIENT_SRC=testcode/dohclient.c
+DOHCLIENT_OBJ=dohclient.lo
+DOHCLIENT_OBJ_LINK=$(DOHCLIENT_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \
+$(SLDNS_OBJ)
 PERF_SRC=testcode/perf.c
 PERF_OBJ=perf.lo
 PERF_OBJ_LINK=$(PERF_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) $(SLDNS_OBJ)
@@ -272,7 +276,8 @@ ALL_SRC=$(COMMON_SRC) $(UNITTEST_SRC) $(DAEMON_SRC) \
 	$(ASYNCLOOK_SRC) $(STREAMTCP_SRC) $(PERF_SRC) $(DELAYER_SRC) \
 	$(CONTROL_SRC) $(UBANCHOR_SRC) $(PETAL_SRC) $(DNSTAP_SOCKET_SRC)\
 	$(PYTHONMOD_SRC) $(PYUNBOUND_SRC) $(WIN_DAEMON_THE_SRC) \
-	$(SVCINST_SRC) $(SVCUNINST_SRC) $(ANCHORUPD_SRC) $(SLDNS_SRC)
+	$(SVCINST_SRC) $(SVCUNINST_SRC) $(ANCHORUPD_SRC) $(SLDNS_SRC) \
+	$(DOHCLIENT_SRC)
 
 ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \
 	$(TESTBOUND_OBJ) $(LOCKVERIFY_OBJ) $(PKTVIEW_OBJ) \
@@ -280,7 +285,8 @@ ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \
 	$(ASYNCLOOK_OBJ) $(STREAMTCP_OBJ) $(PERF_OBJ) $(DELAYER_OBJ) \
 	$(CONTROL_OBJ) $(UBANCHOR_OBJ) $(PETAL_OBJ) $(DNSTAP_SOCKET_OBJ)\
 	$(COMPAT_OBJ) $(PYUNBOUND_OBJ) \
-	$(SVCINST_OBJ) $(SVCUNINST_OBJ) $(ANCHORUPD_OBJ) $(SLDNS_OBJ)
+	$(SVCINST_OBJ) $(SVCUNINST_OBJ) $(ANCHORUPD_OBJ) $(SLDNS_OBJ) \
+	$(DOHCLIENT_OBJ)
 
 COMPILE=$(LIBTOOL) --tag=CC --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@
 LINK=$(LIBTOOL) --tag=CC --mode=link $(CC) $(staticexe) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS)
@@ -317,7 +323,7 @@ rsrc_unbound_checkconf.o:	$(srcdir)/winrc/rsrc_unbound_checkconf.rc config.h
 TEST_BIN=asynclook$(EXEEXT) delayer$(EXEEXT) \
 	lock-verify$(EXEEXT) memstats$(EXEEXT) perf$(EXEEXT) \
 	petal$(EXEEXT) pktview$(EXEEXT) streamtcp$(EXEEXT) \
-	unbound-dnstap-socket$(EXEEXT) \
+	unbound-dnstap-socket$(EXEEXT) dohclient$(EXEEXT) \
 	testbound$(EXEEXT) unittest$(EXEEXT)
 tests:	all $(TEST_BIN)
 
@@ -387,6 +393,9 @@ asynclook$(EXEEXT):	$(ASYNCLOOK_OBJ_LINK) libunbound.la
 streamtcp$(EXEEXT):	$(STREAMTCP_OBJ_LINK)
 	$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
 
+dohclient$(EXEEXT):	$(DOHCLIENT_OBJ_LINK)
+	$(LINK) -o $@ $(DOHCLIENT_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
+
 perf$(EXEEXT):	$(PERF_OBJ_LINK)
 	$(LINK) -o $@ $(PERF_OBJ_LINK) $(SSLLIB) $(LIBS) $(DYNLIBMOD_EXTRALIBS)
 
@@ -672,7 +681,7 @@ dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_de
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/cache/dns.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
 infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \
  $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/services/cache/infra.h \
@@ -713,10 +722,11 @@ msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h $(srcdir)/util/d
  $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
  $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/respip/respip.h
-packed_rrset.lo packed_rrset.o: $(srcdir)/util/data/packed_rrset.c config.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \
- $(srcdir)/util/net_help.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h
+packed_rrset.lo packed_rrset.o: $(srcdir)/util/data/packed_rrset.c config.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h
 iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterator/iterator.h \
  $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \
@@ -785,7 +795,7 @@ listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h
  $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
   $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
   $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
  $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
@@ -808,10 +818,10 @@ mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(s
  $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
  $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
  $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/regional.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/edns.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/data/dname.h \
- $(srcdir)/services/listen_dnsport.h
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/alloc.h \
+ $(srcdir)/util/edns.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/data/dname.h $(srcdir)/services/listen_dnsport.h
 modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/services/modstack.h \
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
@@ -1204,7 +1214,8 @@ testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcod
  $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
 unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/parseutil.h
 unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h
 unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/services/authzone.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
@@ -1310,7 +1321,8 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
  $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \
  $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h \
- $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h
+ $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h \
+ $(srcdir)/dnstap/dtstream.h
 testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
  $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
   $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
@@ -1344,7 +1356,8 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
  $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \
  $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h \
- $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h
+ $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h \
+ $(srcdir)/dnstap/dtstream.h
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
@@ -1507,6 +1520,12 @@ unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c confi
 unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
 petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
+unbound-dnstap-socket.lo unbound-dnstap-socket.o: $(srcdir)/dnstap/unbound-dnstap-socket.c config.h \
+ $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/dnstap/dnstap_fstrm.h \
+ $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h
 pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
@@ -1542,6 +1561,10 @@ parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/p
 rrdef.lo rrdef.o: $(srcdir)/sldns/rrdef.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
 str2wire.lo str2wire.o: $(srcdir)/sldns/str2wire.c config.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \
  $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h
+dohclient.lo dohclient.o: $(srcdir)/testcode/dohclient.c config.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/net_help.h
 ctime_r.lo ctime_r.o: $(srcdir)/compat/ctime_r.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 fake-rfc2553.lo fake-rfc2553.o: $(srcdir)/compat/fake-rfc2553.c $(srcdir)/compat/fake-rfc2553.h config.h
 gmtime_r.lo gmtime_r.o: $(srcdir)/compat/gmtime_r.c config.h

README.md

@@ -9,7 +9,7 @@ fast and lean and incorporates modern features based on open standards. If you
 have any feedback, we would love to hear from you. Don’t hesitate to
 [create an issue on Github](https://github.com/NLnetLabs/unbound/issues/new)
 or post a message on the [Unbound mailing list](https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users).
-You can lean more about Unbound by reading our
+You can learn more about Unbound by reading our
 [documentation](https://nlnetlabs.nl/documentation/unbound/).
 
 ## Compiling

acx_nlnetlabs.m4

@@ -2,7 +2,8 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 34
+# Version 35
+# 2020-08-24 Use EVP_sha256 instead of HMAC_Update (for openssl-3.0.0).
 # 2016-03-21 Check -ldl -pthread for libcrypto for ldns and openssl 1.1.0.
 # 2016-03-21 Use HMAC_Update instead of HMAC_CTX_Init (for openssl-1.1.0).
 # 2016-01-04 -D_DEFAULT_SOURCE defined with -D_BSD_SOURCE for Linux glibc 2.20
@@ -673,16 +674,16 @@ AC_DEFUN([ACX_SSL_CHECKS], [
                 ACX_RUNTIME_PATH_ADD([$ssldir/lib])
             fi
         
-            AC_MSG_CHECKING([for HMAC_Update in -lcrypto])
+            AC_MSG_CHECKING([for EVP_sha256 in -lcrypto])
             LIBS="$LIBS -lcrypto"
             LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
             AC_TRY_LINK(, [
-                int HMAC_Update(void);
-                (void)HMAC_Update();
+                int EVP_sha256(void);
+                (void)EVP_sha256();
               ], [
                 AC_MSG_RESULT(yes)
-                AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
-                          [If you have HMAC_Update])
+                AC_DEFINE([HAVE_EVP_SHA256], 1,
+                          [If you have EVP_sha256])
               ], [
                 AC_MSG_RESULT(no)
                 # check if -lwsock32 or -lgdi32 are needed.	
@@ -692,11 +693,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [
 		LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32"
                 AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
                 AC_TRY_LINK([], [
-                    int HMAC_Update(void);
-                    (void)HMAC_Update();
+                    int EVP_sha256(void);
+                    (void)EVP_sha256();
                   ],[
-                    AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
-                        [If you have HMAC_Update])
+                    AC_DEFINE([HAVE_EVP_SHA256], 1,
+                        [If you have EVP_sha256])
                     AC_MSG_RESULT(yes) 
                   ],[
                     AC_MSG_RESULT(no)
@@ -706,11 +707,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [
                     LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
                     AC_MSG_CHECKING([if -lcrypto needs -ldl])
                     AC_TRY_LINK([], [
-                        int HMAC_Update(void);
-                        (void)HMAC_Update();
+                        int EVP_sha256(void);
+                        (void)EVP_sha256();
                       ],[
-                        AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
-                            [If you have HMAC_Update])
+                        AC_DEFINE([HAVE_EVP_SHA256], 1,
+                            [If you have EVP_sha256])
                         AC_MSG_RESULT(yes) 
                       ],[
                         AC_MSG_RESULT(no)
@@ -720,11 +721,11 @@ AC_DEFUN([ACX_SSL_CHECKS], [
                         LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
                         AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread])
                         AC_TRY_LINK([], [
-                            int HMAC_Update(void);
-                            (void)HMAC_Update();
+                            int EVP_sha256(void);
+                            (void)EVP_sha256();
                           ],[
-                            AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
-                                [If you have HMAC_Update])
+                            AC_DEFINE([HAVE_EVP_SHA256], 1,
+                                [If you have EVP_sha256])
                             AC_MSG_RESULT(yes) 
                           ],[
                             AC_MSG_RESULT(no)

config.guess

@@ -2,7 +2,7 @@
 # Attempt to guess a canonical system name.
 #   Copyright 1992-2020 Free Software Foundation, Inc.
 
-timestamp='2020-07-12'
+timestamp='2020-09-19'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -150,17 +150,15 @@ Linux|GNU|GNU/*)
 	#elif defined(__dietlibc__)
 	LIBC=dietlibc
 	#else
+	#include <stdarg.h>
+	#ifdef __DEFINED_va_list
+	LIBC=musl
+	#else
 	LIBC=gnu
 	#endif
+	#endif
 	EOF
 	eval "`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`"
-
-	# If ldd exists, use it to detect musl libc.
-	if command -v ldd >/dev/null && \
-		ldd --version 2>&1 | grep -q ^musl
-	then
-	    LIBC=musl
-	fi
 	;;
 esac
 
@@ -404,7 +402,7 @@ case "$UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION" in
 	# If there is a compiler, see if it is configured for 64-bit objects.
 	# Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
 	# This test works for both compilers.
-	if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
+	if test "$CC_FOR_BUILD" != no_compiler_found; then
 	    if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
 		(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
 		grep IS_64BIT_ARCH >/dev/null
@@ -544,10 +542,10 @@ EOF
     AViiON:dgux:*:*)
 	# DG/UX returns AViiON for all architectures
 	UNAME_PROCESSOR=`/usr/bin/uname -p`
-	if [ "$UNAME_PROCESSOR" = mc88100 ] || [ "$UNAME_PROCESSOR" = mc88110 ]
+	if test "$UNAME_PROCESSOR" = mc88100 || test "$UNAME_PROCESSOR" = mc88110
 	then
-	    if [ "$TARGET_BINARY_INTERFACE"x = m88kdguxelfx ] || \
-	       [ "$TARGET_BINARY_INTERFACE"x = x ]
+	    if test "$TARGET_BINARY_INTERFACE"x = m88kdguxelfx || \
+	       test "$TARGET_BINARY_INTERFACE"x = x
 	    then
 		echo m88k-dg-dgux"$UNAME_RELEASE"
 	    else
@@ -580,7 +578,7 @@ EOF
 	echo i386-ibm-aix
 	exit ;;
     ia64:AIX:*:*)
-	if [ -x /usr/bin/oslevel ] ; then
+	if test -x /usr/bin/oslevel ; then
 		IBM_REV=`/usr/bin/oslevel`
 	else
 		IBM_REV="$UNAME_VERSION.$UNAME_RELEASE"
@@ -620,7 +618,7 @@ EOF
 	else
 		IBM_ARCH=powerpc
 	fi
-	if [ -x /usr/bin/lslpp ] ; then
+	if test -x /usr/bin/lslpp ; then
 		IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc |
 			   awk -F: '{ print $3 }' | sed s/[0-9]*$/0/`
 	else
@@ -655,7 +653,7 @@ EOF
 	    9000/31?)            HP_ARCH=m68000 ;;
 	    9000/[34]??)         HP_ARCH=m68k ;;
 	    9000/[678][0-9][0-9])
-		if [ -x /usr/bin/getconf ]; then
+		if test -x /usr/bin/getconf; then
 		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
 		    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
 		    case "$sc_cpu_version" in
@@ -669,7 +667,7 @@ EOF
 			esac ;;
 		    esac
 		fi
-		if [ "$HP_ARCH" = "" ]; then
+		if test "$HP_ARCH" = ""; then
 		    set_cc_for_build
 		    sed 's/^		//' << EOF > "$dummy.c"
 
@@ -708,7 +706,7 @@ EOF
 		    test -z "$HP_ARCH" && HP_ARCH=hppa
 		fi ;;
 	esac
-	if [ "$HP_ARCH" = hppa2.0w ]
+	if test "$HP_ARCH" = hppa2.0w
 	then
 	    set_cc_for_build
 
@@ -782,7 +780,7 @@ EOF
 	echo hppa1.0-hp-osf
 	exit ;;
     i*86:OSF1:*:*)
-	if [ -x /usr/sbin/sysversion ] ; then
+	if test -x /usr/sbin/sysversion ; then
 	    echo "$UNAME_MACHINE"-unknown-osf1mk
 	else
 	    echo "$UNAME_MACHINE"-unknown-osf1
@@ -1097,7 +1095,7 @@ EOF
     x86_64:Linux:*:*)
 	set_cc_for_build
 	LIBCABI=$LIBC
-	if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
+	if test "$CC_FOR_BUILD" != no_compiler_found; then
 	    if (echo '#ifdef __ILP32__'; echo IS_X32; echo '#endif') | \
 		(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
 		grep IS_X32 >/dev/null
@@ -1294,7 +1292,7 @@ EOF
 	echo mips-sony-newsos6
 	exit ;;
     R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
-	if [ -d /usr/nec ]; then
+	if test -d /usr/nec; then
 		echo mips-nec-sysv"$UNAME_RELEASE"
 	else
 		echo mips-unknown-sysv"$UNAME_RELEASE"
@@ -1359,7 +1357,7 @@ EOF
 	else
 	    set_cc_for_build
 	fi
-	if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
+	if test "$CC_FOR_BUILD" != no_compiler_found; then
 	    if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
 		   (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
 		   grep IS_64BIT_ARCH >/dev/null

config.h.in

@@ -113,6 +113,10 @@
    don't. */
 #undef HAVE_DECL_INET_PTON
 
+/* Define to 1 if you have the declaration of `nghttp2_session_server_new',
+   and to 0 if you don't. */
+#undef HAVE_DECL_NGHTTP2_SESSION_SERVER_NEW
+
 /* Define to 1 if you have the declaration of `NID_ED25519', and to 0 if you
    don't. */
 #undef HAVE_DECL_NID_ED25519
@@ -221,6 +225,9 @@
 /* Define to 1 if you have the `EVP_EncryptInit_ex' function. */
 #undef HAVE_EVP_ENCRYPTINIT_EX
 
+/* Define to 1 if you have the `EVP_MAC_CTX_set_params' function. */
+#undef HAVE_EVP_MAC_CTX_SET_PARAMS
+
 /* Define to 1 if you have the `EVP_MD_CTX_new' function. */
 #undef HAVE_EVP_MD_CTX_NEW
 
@@ -269,6 +276,9 @@
 /* Define to 1 if you have the `getentropy' function. */
 #undef HAVE_GETENTROPY
 
+/* Define to 1 if you have the `getifaddrs' function. */
+#undef HAVE_GETIFADDRS
+
 /* Define to 1 if you have the <getopt.h> header file. */
 #undef HAVE_GETOPT_H
 
@@ -296,12 +306,12 @@
 /* Define to 1 if you have the `HMAC_Init_ex' function. */
 #undef HAVE_HMAC_INIT_EX
 
-/* If you have HMAC_Update */
-#undef HAVE_HMAC_UPDATE
-
 /* If we have htobe64 */
 #undef HAVE_HTOBE64
 
+/* Define to 1 if you have the <ifaddrs.h> header file. */
+#undef HAVE_IFADDRS_H
+
 /* Define to 1 if you have the `inet_aton' function. */
 #undef HAVE_INET_ATON
 
@@ -371,6 +381,15 @@
 /* Define to 1 if you have the <nettle/eddsa.h> header file. */
 #undef HAVE_NETTLE_EDDSA_H
 
+/* Define to 1 if you have the <net/if.h> header file. */
+#undef HAVE_NET_IF_H
+
+/* Define this to use nghttp2 client. */
+#undef HAVE_NGHTTP2
+
+/* Define to 1 if you have the <nghttp2/nghttp2.h> header file. */
+#undef HAVE_NGHTTP2_NGHTTP2_H
+
 /* Use libnss for crypto */
 #undef HAVE_NSS
 
@@ -497,6 +516,9 @@
 /* Define if you have the SSL libraries installed. */
 #undef HAVE_SSL
 
+/* Define to 1 if you have the `SSL_CTX_set_alpn_select_cb' function. */
+#undef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
+
 /* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
 #undef HAVE_SSL_CTX_SET_CIPHERSUITES
 
@@ -573,6 +595,9 @@
 /* Define to 1 if you have the <sys/resource.h> header file. */
 #undef HAVE_SYS_RESOURCE_H
 
+/* Define to 1 if you have the <sys/select.h> header file. */
+#undef HAVE_SYS_SELECT_H
+
 /* Define to 1 if you have the <sys/sha2.h> header file. */
 #undef HAVE_SYS_SHA2_H
 
@@ -1358,6 +1383,8 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
 #define UNBOUND_DNS_PORT 53
 /** default port for DNS over TLS traffic. */
 #define UNBOUND_DNS_OVER_TLS_PORT 853
+/** default port for DNS over HTTPS traffic. */
+#define UNBOUND_DNS_OVER_HTTPS_PORT 443
 /** default port for unbound control traffic, registered port with IANA,
     ub-dns-control  8953/tcp    unbound dns nameserver control */
 #define UNBOUND_CONTROL_PORT 8953

config.sub

@@ -2,7 +2,7 @@
 # Configuration validation subroutine script.
 #   Copyright 1992-2020 Free Software Foundation, Inc.
 
-timestamp='2020-07-10'
+timestamp='2020-09-08'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -1278,7 +1278,7 @@ esac
 
 # Decode manufacturer-specific aliases for certain operating systems.
 
-if [ x$basic_os != x ]
+if test x$basic_os != x
 then
 
 # First recognize some ad-hoc caes, or perhaps split kernel-os, or else just
@@ -1367,13 +1367,7 @@ case $os in
 		os=psos
 		;;
 	qnx*)
-		case $cpu in
-		    x86 | i*86)
-			;;
-		    *)
-			os=nto-$os
-			;;
-		esac
+		os=qnx
 		;;
 	hiux*)
 		os=hiuxwe2
@@ -1722,7 +1716,7 @@ case $os in
 	     | skyos* | haiku* | rdos* | toppers* | drops* | es* \
 	     | onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \
 	     | midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \
-	     | nsk* | powerunix* | genode* | zvmoe* )
+	     | nsk* | powerunix* | genode* | zvmoe* | qnx* )
 		;;
 	# This one is extra strict with allowed versions
 	sco3.2v2 | sco3.2v[4-9]* | sco5v6*)
@@ -1741,6 +1735,8 @@ esac
 case $kernel-$os in
 	linux-gnu* | linux-dietlibc* | linux-android* | linux-newlib* | linux-musl* | linux-uclibc* )
 		;;
+	uclinux-uclibc* )
+		;;
 	-dietlibc* | -newlib* | -musl* | -uclibc* )
 		# These are just libc implementations, not actual OSes, and thus
 		# require a kernel.

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.11.0.
+# Generated by GNU Autoconf 2.69 for unbound 1.12.0.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.11.0'
-PACKAGE_STRING='unbound 1.11.0'
+PACKAGE_VERSION='1.12.0'
+PACKAGE_STRING='unbound 1.12.0'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
 
@@ -882,6 +882,7 @@ enable_tfo_server
 with_libevent
 with_libexpat
 with_libhiredis
+with_libnghttp2
 enable_static_exe
 enable_fully_static
 enable_lock_checks
@@ -1458,7 +1459,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.11.0 to adapt to many kinds of systems.
+\`configure' configures unbound 1.12.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1523,7 +1524,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.11.0:";;
+     short | recursive ) echo "Configuration of unbound 1.12.0:";;
    esac
   cat <<\_ACEOF
 
@@ -1642,6 +1643,7 @@ Optional Packages:
                           outgoing port ranges.
   --with-libexpat=path    specify explicit path for libexpat.
   --with-libhiredis=path  specify explicit path for libhiredis.
+  --with-libnghttp2=path  specify explicit path for libnghttp2.
   --with-dnstap-socket-path=pathname
                           set default dnstap socket path
   --with-protobuf-c=path  Path where protobuf-c is installed, for dnstap
@@ -1750,7 +1752,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.11.0
+unbound configure 1.12.0
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2459,7 +2461,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.11.0, which was
+It was created by unbound $as_me 1.12.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2809,13 +2811,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 UNBOUND_VERSION_MAJOR=1
 
-UNBOUND_VERSION_MINOR=11
+UNBOUND_VERSION_MINOR=12
 
 UNBOUND_VERSION_MICRO=0
 
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=9
+LIBUNBOUND_REVISION=10
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2892,6 +2894,7 @@ LIBUNBOUND_AGE=1
 # 1.10.0 had 9:7:1
 # 1.10.1 had 9:8:1
 # 1.11.0 had 9:9:1
+# 1.12.0 had 9:10:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -14725,7 +14728,7 @@ $as_echo "no" >&6; }
 fi
 
 # Checks for header files.
-for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h
+for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h net/if.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
@@ -17942,8 +17945,8 @@ $as_echo "found in $ssldir" >&6; }
 
             fi
 
-            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HMAC_Update in -lcrypto" >&5
-$as_echo_n "checking for HMAC_Update in -lcrypto... " >&6; }
+            { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_sha256 in -lcrypto" >&5
+$as_echo_n "checking for EVP_sha256 in -lcrypto... " >&6; }
             LIBS="$LIBS -lcrypto"
             LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
             cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -17953,8 +17956,8 @@ int
 main ()
 {
 
-                int HMAC_Update(void);
-                (void)HMAC_Update();
+                int EVP_sha256(void);
+                (void)EVP_sha256();
 
   ;
   return 0;
@@ -17965,7 +17968,7 @@ if ac_fn_c_try_link "$LINENO"; then :
                 { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 
-$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
+$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
 
 
 else
@@ -17986,8 +17989,8 @@ int
 main ()
 {
 
-                    int HMAC_Update(void);
-                    (void)HMAC_Update();
+                    int EVP_sha256(void);
+                    (void)EVP_sha256();
 
   ;
   return 0;
@@ -17996,7 +17999,7 @@ _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
 
 
-$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
+$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
 
                     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@@ -18018,8 +18021,8 @@ int
 main ()
 {
 
-                        int HMAC_Update(void);
-                        (void)HMAC_Update();
+                        int EVP_sha256(void);
+                        (void)EVP_sha256();
 
   ;
   return 0;
@@ -18028,7 +18031,7 @@ _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
 
 
-$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
+$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
 
                         { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@@ -18050,8 +18053,8 @@ int
 main ()
 {
 
-                            int HMAC_Update(void);
-                            (void)HMAC_Update();
+                            int EVP_sha256(void);
+                            (void)EVP_sha256();
 
   ;
   return 0;
@@ -18060,7 +18063,7 @@ _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
 
 
-$as_echo "#define HAVE_HMAC_UPDATE 1" >>confdefs.h
+$as_echo "#define HAVE_EVP_SHA256 1" >>confdefs.h
 
                             { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
@@ -18245,11 +18248,11 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-char HMAC_Update ();
+char EVP_sha256 ();
 int
 main ()
 {
-return HMAC_Update ();
+return EVP_sha256 ();
   ;
   return 0;
 }
@@ -18340,7 +18343,7 @@ fi
 
 done
 
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -18356,7 +18359,7 @@ done
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb
+for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -19668,6 +19671,70 @@ _ACEOF
 
 fi
 
+# nghttp2
+
+# Check whether --with-libnghttp2 was given.
+if test "${with_libnghttp2+set}" = set; then :
+  withval=$with_libnghttp2;
+else
+   withval="no"
+fi
+
+found_libnghttp2="no"
+if test x_$withval = x_yes -o x_$withval != x_no; then
+   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnghttp2" >&5
+$as_echo_n "checking for libnghttp2... " >&6; }
+   if test x_$withval = x_ -o x_$withval = x_yes; then
+            withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr"
+   fi
+   for dir in $withval ; do
+            if test -f "$dir/include/nghttp2/nghttp2.h"; then
+		found_libnghttp2="yes"
+				if test "$dir" != "/usr"; then
+                    CPPFLAGS="$CPPFLAGS -I$dir/include"
+		    LDFLAGS="$LDFLAGS -L$dir/lib"
+		fi
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $dir" >&5
+$as_echo "found in $dir" >&6; }
+
+$as_echo "#define HAVE_NGHTTP2 1" >>confdefs.h
+
+		LIBS="$LIBS -lnghttp2"
+                break;
+            fi
+    done
+    if test x_$found_libnghttp2 != x_yes; then
+	as_fn_error $? "Could not find libnghttp2, nghttp2.h" "$LINENO" 5
+    fi
+    for ac_header in nghttp2/nghttp2.h
+do :
+  ac_fn_c_check_header_compile "$LINENO" "nghttp2/nghttp2.h" "ac_cv_header_nghttp2_nghttp2_h" "$ac_includes_default
+"
+if test "x$ac_cv_header_nghttp2_nghttp2_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_NGHTTP2_NGHTTP2_H 1
+_ACEOF
+
+fi
+
+done
+
+    ac_fn_c_check_decl "$LINENO" "nghttp2_session_server_new" "ac_cv_have_decl_nghttp2_session_server_new" "$ac_includes_default
+    #include <nghttp2/nghttp2.h>
+
+"
+if test "x$ac_cv_have_decl_nghttp2_session_server_new" = xyes; then :
+  ac_have_decl=1
+else
+  ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_NGHTTP2_SESSION_SERVER_NEW $ac_have_decl
+_ACEOF
+
+fi
+
 # set static linking for uninstalled libraries if requested
 
 staticexe=""
@@ -20223,7 +20290,7 @@ if test "$ac_res" != no; then :
 
 fi
 
-for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4
+for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -21619,7 +21686,7 @@ _ACEOF
 
 
 
-version=1.11.0
+version=1.12.0
 
 date=`date +'%b %e, %Y'`
 
@@ -22138,7 +22205,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.11.0, which was
+This file was extended by unbound $as_me 1.12.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22204,7 +22271,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.11.0
+unbound config.status 1.12.0
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -10,7 +10,7 @@ sinclude(dnscrypt/dnscrypt.m4)
 
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[11])
+m4_define([VERSION_MINOR],[12])
 m4_define([VERSION_MICRO],[0])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
@@ -18,7 +18,7 @@ AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=9
+LIBUNBOUND_REVISION=10
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -95,6 +95,7 @@ LIBUNBOUND_AGE=1
 # 1.10.0 had 9:7:1
 # 1.10.1 had 9:8:1
 # 1.11.0 had 9:9:1
+# 1.12.0 had 9:10:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -398,7 +399,7 @@ ACX_LIBTOOL_C_ONLY
 PKG_PROG_PKG_CONFIG
 
 # Checks for header files.
-AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h net/if.h],,, [AC_INCLUDES_DEFAULT])
 
 # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH
 AC_CHECK_HEADERS([TargetConditionals.h])
@@ -831,7 +832,7 @@ AC_SUBST(PC_CRYPTO_DEPENDENCY)
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
 AC_MSG_CHECKING([if libssl needs -lcrypt32])
-AC_TRY_LINK_FUNC([HMAC_Update], [
+AC_TRY_LINK_FUNC([EVP_sha256], [
 	AC_MSG_RESULT([no])
 	LIBS="$BAKLIBS"
 ], [
@@ -851,12 +852,12 @@ else
 	AC_MSG_RESULT([no])
 fi
 AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params])
 
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb])
+AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb])
 LIBS="$BAKLIBS"
 
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
@@ -1395,6 +1396,39 @@ if test x_$withval = x_yes -o x_$withval != x_no; then
     ])
 fi
 
+# nghttp2
+AC_ARG_WITH(libnghttp2, AC_HELP_STRING([--with-libnghttp2=path],
+    [specify explicit path for libnghttp2.]),
+    [ ],[ withval="no" ])
+found_libnghttp2="no"
+if test x_$withval = x_yes -o x_$withval != x_no; then
+   AC_MSG_CHECKING(for libnghttp2)
+   if test x_$withval = x_ -o x_$withval = x_yes; then
+            withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr"
+   fi
+   for dir in $withval ; do
+            if test -f "$dir/include/nghttp2/nghttp2.h"; then
+		found_libnghttp2="yes"
+		dnl assume /usr is in default path.
+		if test "$dir" != "/usr"; then
+                    CPPFLAGS="$CPPFLAGS -I$dir/include"
+		    LDFLAGS="$LDFLAGS -L$dir/lib"
+		fi
+		AC_MSG_RESULT(found in $dir)
+		AC_DEFINE([HAVE_NGHTTP2], [1], [Define this to use nghttp2 client.])
+		LIBS="$LIBS -lnghttp2"
+                break;
+            fi
+    done
+    if test x_$found_libnghttp2 != x_yes; then
+	AC_ERROR([Could not find libnghttp2, nghttp2.h])
+    fi
+    AC_CHECK_HEADERS([nghttp2/nghttp2.h],,, [AC_INCLUDES_DEFAULT])
+    AC_CHECK_DECLS([nghttp2_session_server_new], [], [], [AC_INCLUDES_DEFAULT
+    #include <nghttp2/nghttp2.h>
+    ])
+fi
+
 # set static linking for uninstalled libraries if requested
 AC_SUBST(staticexe)
 staticexe=""
@@ -1551,7 +1585,7 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([
   AC_MSG_RESULT(no))
 
 AC_SEARCH_LIBS([setusercontext], [util])
-AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4])
+AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs])
 AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
 AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
 
@@ -2131,6 +2165,8 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
 #define UNBOUND_DNS_PORT 53
 /** default port for DNS over TLS traffic. */
 #define UNBOUND_DNS_OVER_TLS_PORT 853
+/** default port for DNS over HTTPS traffic. */
+#define UNBOUND_DNS_OVER_HTTPS_PORT 443
 /** default port for unbound control traffic, registered port with IANA,
     ub-dns-control  8953/tcp    unbound dns nameserver control */
 #define UNBOUND_CONTROL_PORT 8953

contrib/aaaa-filter-iterator.patch

@@ -1,10 +1,10 @@
-Index: trunk/doc/unbound.conf.5.in
-===================================================================
---- trunk/doc/unbound.conf.5.in	(revision 4357)
-+++ trunk/doc/unbound.conf.5.in	(working copy)
-@@ -701,6 +701,13 @@
+diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
+index f426ac5f..147fbfa9 100644
+--- a/doc/unbound.conf.5.in
++++ b/doc/unbound.conf.5.in
+@@ -872,6 +872,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when
  this option in enabled. Only use if you know what you are doing.
- This option only has effect when qname-minimisation is enabled. Default is off.
+ This option only has effect when qname-minimisation is enabled. Default is no.
  .TP
 +.B aaaa\-filter: \fI<yes or no>
 +Activate behavior similar to BIND's AAAA-filter.
@@ -16,14 +16,15 @@ Index: trunk/doc/unbound.conf.5.in
  .B aggressive\-nsec: \fI<yes or no>
  Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
  and other denials, using information from previous NXDOMAINs answers.
-Index: trunk/iterator/iter_scrub.c
-===================================================================
---- trunk/iterator/iter_scrub.c	(revision 4357)
-+++ trunk/iterator/iter_scrub.c	(working copy)
-@@ -617,6 +617,32 @@
+diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
+index aae934dd..55c55de0 100644
+--- a/iterator/iter_scrub.c
++++ b/iterator/iter_scrub.c
+@@ -667,6 +667,32 @@ static int sanitize_nsec_is_overreach(struct rrset_parse* rrset,
+ 	return 0;
  }
  
- /**
++/**
 + * ASN: Lookup A records from rrset cache.
 + * @param qinfo: the question originally asked.
 + * @param env: module environment with config and cache.
@@ -49,11 +50,10 @@ Index: trunk/iterator/iter_scrub.c
 +	return 0;
 +}
 +
-+/**
+ /**
   * Given a response event, remove suspect RRsets from the response.
   * "Suspect" rrsets are potentially poison. Note that this routine expects
-  * the response to be in a "normalized" state -- that is, all "irrelevant"
-@@ -635,6 +661,7 @@
+@@ -686,6 +712,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
  	struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
  	struct iter_env* ie)
  {
@@ -61,7 +61,7 @@ Index: trunk/iterator/iter_scrub.c
  	int del_addi = 0; /* if additional-holding rrsets are deleted, we
  		do not trust the normalized additional-A-AAAA any more */
  	struct rrset_parse* rrset, *prev;
-@@ -670,6 +697,13 @@
+@@ -721,6 +748,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
  		rrset = rrset->rrset_all_next;
  	}
  
@@ -75,11 +75,10 @@ Index: trunk/iterator/iter_scrub.c
  	/* At this point, we brutally remove ALL rrsets that aren't 
  	 * children of the originating zone. The idea here is that, 
  	 * as far as we know, the server that we contacted is ONLY 
-@@ -680,6 +714,24 @@
- 	prev = NULL;
+@@ -732,6 +766,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
  	rrset = msg->rrset_first;
  	while(rrset) {
-+
+ 
 +		/* ASN: For AAAA records only... */
 +		if((ie->aaaa_filter) && (rrset->type == LDNS_RR_TYPE_AAAA)) {
 +			/* ASN: If this is not a AAAA query, then remove AAAA
@@ -97,14 +96,15 @@ Index: trunk/iterator/iter_scrub.c
 +				LDNS_RR_TYPE_AAAA, qinfo->qclass);
 +		}
 +		/* ASN: End of added code */
- 
++
  		/* remove private addresses */
  		if( (rrset->type == LDNS_RR_TYPE_A || 
-Index: trunk/iterator/iter_utils.c
-===================================================================
---- trunk/iterator/iter_utils.c	(revision 4357)
-+++ trunk/iterator/iter_utils.c	(working copy)
-@@ -175,6 +175,7 @@
+ 			rrset->type == LDNS_RR_TYPE_AAAA)) {
+diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
+index 7bc67da6..e10f547a 100644
+--- a/iterator/iter_utils.c
++++ b/iterator/iter_utils.c
+@@ -175,6 +175,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
  	}
  	iter_env->supports_ipv6 = cfg->do_ip6;
  	iter_env->supports_ipv4 = cfg->do_ip4;
@@ -112,11 +112,11 @@ Index: trunk/iterator/iter_utils.c
  	return 1;
  }
  
-Index: trunk/iterator/iterator.c
-===================================================================
---- trunk/iterator/iterator.c	(revision 4357)
-+++ trunk/iterator/iterator.c	(working copy)
-@@ -1847,6 +1847,53 @@
+diff --git a/iterator/iterator.c b/iterator/iterator.c
+index 23b07ea9..ca29b48c 100644
+--- a/iterator/iterator.c
++++ b/iterator/iterator.c
+@@ -2127,6 +2127,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
  
  	return 0;
  }
@@ -170,7 +170,7 @@ Index: trunk/iterator/iterator.c
  	
  /** 
   * This is the request event state where the request will be sent to one of
-@@ -1894,6 +1941,13 @@
+@@ -2186,6 +2233,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
  		return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
  	}
  	
@@ -184,7 +184,7 @@ Index: trunk/iterator/iterator.c
  	/* Make sure we have a delegation point, otherwise priming failed
  	 * or another failure occurred */
  	if(!iq->dp) {
-@@ -3095,6 +3149,61 @@
+@@ -3574,6 +3628,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
  	return 0;
  }
  
@@ -246,7 +246,7 @@ Index: trunk/iterator/iterator.c
  /*
   * Return priming query results to interested super querystates.
   * 
-@@ -3114,6 +3223,9 @@
+@@ -3593,6 +3702,9 @@ iter_inform_super(struct module_qstate* qstate, int id,
  	else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*)
  		super->minfo[id])->state == DSNS_FIND_STATE)
  		processDSNSResponse(qstate, id, super);
@@ -256,7 +256,7 @@ Index: trunk/iterator/iterator.c
  	else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
  		error_supers(qstate, id, super);
  	else if(qstate->is_priming)
-@@ -3151,6 +3263,9 @@
+@@ -3630,6 +3742,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
  			case INIT_REQUEST_3_STATE:
  				cont = processInitRequest3(qstate, iq, id);
  				break;
@@ -266,7 +266,7 @@ Index: trunk/iterator/iterator.c
  			case QUERYTARGETS_STATE:
  				cont = processQueryTargets(qstate, iq, ie, id);
  				break;
-@@ -3460,6 +3575,8 @@
+@@ -3961,6 +4076,8 @@ iter_state_to_string(enum iter_state state)
  		return "INIT REQUEST STATE (stage 2)";
  	case INIT_REQUEST_3_STATE:
  		return "INIT REQUEST STATE (stage 3)";
@@ -275,7 +275,7 @@ Index: trunk/iterator/iterator.c
  	case QUERYTARGETS_STATE :
  		return "QUERY TARGETS STATE";
  	case PRIME_RESP_STATE :
-@@ -3484,6 +3601,7 @@
+@@ -3985,6 +4102,7 @@ iter_state_is_responsestate(enum iter_state s)
  		case INIT_REQUEST_STATE :
  		case INIT_REQUEST_2_STATE :
  		case INIT_REQUEST_3_STATE :
@@ -283,11 +283,11 @@ Index: trunk/iterator/iterator.c
  		case QUERYTARGETS_STATE :
  		case COLLECT_CLASS_STATE :
  			return 0;
-Index: trunk/iterator/iterator.h
-===================================================================
---- trunk/iterator/iterator.h	(revision 4357)
-+++ trunk/iterator/iterator.h	(working copy)
-@@ -130,6 +130,9 @@
+diff --git a/iterator/iterator.h b/iterator/iterator.h
+index 342ac207..731948d1 100644
+--- a/iterator/iterator.h
++++ b/iterator/iterator.h
+@@ -135,6 +135,9 @@ struct iter_env {
  	 */
  	int* target_fetch_policy;
  
@@ -297,10 +297,11 @@ Index: trunk/iterator/iterator.h
  	/** lock on ratelimit counter */
  	lock_basic_type queries_ratelimit_lock;
  	/** number of queries that have been ratelimited */
-@@ -182,6 +185,14 @@
+@@ -186,6 +189,14 @@ enum iter_state {
+ 	 */
  	INIT_REQUEST_3_STATE,
  
- 	/**
++	/**
 +	 * This state is responsible for intercepting AAAA queries,
 +	 * and launch a A subquery on the same target, to populate the
 +	 * cache with A records, so the AAAA filter scrubbing logic can
@@ -308,29 +309,28 @@ Index: trunk/iterator/iterator.h
 +	 */
 +	ASN_FETCH_A_FOR_AAAA_STATE,
 +
-+	/**
+ 	/**
  	 * Each time a delegation point changes for a given query or a 
  	 * query times out and/or wakes up, this state is (re)visited. 
- 	 * This state is responsible for iterating through a list of 
-@@ -364,6 +375,13 @@
- 	 * be used when creating the state. A higher one will be attempted.
+@@ -375,6 +386,13 @@ struct iter_qstate {
  	 */
  	int refetch_glue;
-+
+ 
 +	/**
 +	 * ASN: This is a flag that, if true, means that this query is
 +	 * for fetching A records to populate cache and determine if we must
 +	 * return AAAA records or not.
 +	 */
 +	int fetch_a_for_aaaa;
- 
++
  	/** list of pending queries to authoritative servers. */
  	struct outbound_list outlist;
-Index: trunk/pythonmod/interface.i
-===================================================================
---- trunk/pythonmod/interface.i	(revision 4357)
-+++ trunk/pythonmod/interface.i	(working copy)
-@@ -851,6 +851,7 @@
+ 
+diff --git a/pythonmod/interface.i b/pythonmod/interface.i
+index f08b575d..47f1bb2e 100644
+--- a/pythonmod/interface.i
++++ b/pythonmod/interface.i
+@@ -975,6 +975,7 @@ struct config_file {
     int harden_dnssec_stripped;
     int harden_referral_path;
     int use_caps_bits_for_id;
@@ -338,11 +338,11 @@ Index: trunk/pythonmod/interface.i
     struct config_strlist* private_address;
     struct config_strlist* private_domain;
     size_t unwanted_threshold;
-Index: trunk/util/config_file.c
-===================================================================
---- trunk/util/config_file.c	(revision 4357)
-+++ trunk/util/config_file.c	(working copy)
-@@ -195,6 +195,7 @@
+diff --git a/util/config_file.c b/util/config_file.c
+index 0ab8614a..729fb147 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -218,6 +218,7 @@ config_create(void)
  	cfg->harden_referral_path = 0;
  	cfg->harden_algo_downgrade = 0;
  	cfg->use_caps_bits_for_id = 0;
@@ -350,11 +350,11 @@ Index: trunk/util/config_file.c
  	cfg->caps_whitelist = NULL;
  	cfg->private_address = NULL;
  	cfg->private_domain = NULL;
-Index: trunk/util/config_file.h
-===================================================================
---- trunk/util/config_file.h	(revision 4357)
-+++ trunk/util/config_file.h	(working copy)
-@@ -209,6 +209,8 @@
+diff --git a/util/config_file.h b/util/config_file.h
+index e61257a3..dabaa7bb 100644
+--- a/util/config_file.h
++++ b/util/config_file.h
+@@ -260,6 +260,8 @@ struct config_file {
  	int harden_algo_downgrade;
  	/** use 0x20 bits in query as random ID bits */
  	int use_caps_bits_for_id;
@@ -363,11 +363,11 @@ Index: trunk/util/config_file.h
  	/** 0x20 whitelist, domains that do not use capsforid */
  	struct config_strlist* caps_whitelist;
  	/** strip away these private addrs from answers, no DNS Rebinding */
-Index: trunk/util/configlexer.lex
-===================================================================
---- trunk/util/configlexer.lex	(revision 4357)
-+++ trunk/util/configlexer.lex	(working copy)
-@@ -279,6 +279,7 @@
+diff --git a/util/configlexer.lex b/util/configlexer.lex
+index 79a0edca..4eaec678 100644
+--- a/util/configlexer.lex
++++ b/util/configlexer.lex
+@@ -304,6 +304,7 @@ harden-algo-downgrade{COLON}	{ YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) }
  use-caps-for-id{COLON}		{ YDVAR(1, VAR_USE_CAPS_FOR_ID) }
  caps-whitelist{COLON}		{ YDVAR(1, VAR_CAPS_WHITELIST) }
  unwanted-reply-threshold{COLON}	{ YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
@@ -375,11 +375,11 @@ Index: trunk/util/configlexer.lex
  private-address{COLON}		{ YDVAR(1, VAR_PRIVATE_ADDRESS) }
  private-domain{COLON}		{ YDVAR(1, VAR_PRIVATE_DOMAIN) }
  prefetch-key{COLON}		{ YDVAR(1, VAR_PREFETCH_KEY) }
-Index: trunk/util/configparser.y
-===================================================================
---- trunk/util/configparser.y	(revision 4357)
-+++ trunk/util/configparser.y	(working copy)
-@@ -95,6 +95,7 @@
+diff --git a/util/configparser.y b/util/configparser.y
+index 1d0e8658..f284dd43 100644
+--- a/util/configparser.y
++++ b/util/configparser.y
+@@ -97,6 +97,7 @@ extern struct config_parser_state* cfg_parser;
  %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT 
  %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
  %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
@@ -387,7 +387,7 @@ Index: trunk/util/configparser.y
  %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
  %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
  %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
-@@ -203,6 +204,7 @@
+@@ -233,6 +234,7 @@ content_server: server_num_threads | server_verbosity | server_port |
  	server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
  	server_harden_referral_path | server_private_address |
  	server_private_domain | server_extended_statistics | 
@@ -395,12 +395,10 @@ Index: trunk/util/configparser.y
  	server_local_data_ptr | server_jostle_timeout | 
  	server_unwanted_reply_threshold | server_log_time_ascii | 
  	server_domain_insecure | server_val_sig_skew_min | 
-@@ -1183,6 +1185,15 @@
- 		OUTYY(("P(server_caps_whitelist:%s)\n", $2));
- 		if(!cfg_strlist_insert(&cfg_parser->cfg->caps_whitelist, $2))
+@@ -1563,6 +1565,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
  			yyerror("out of memory");
-+	}
-+	;
+ 	}
+ 	;
 +server_aaaa_filter: VAR_AAAA_FILTER STRING_ARG
 +	{
 +		OUTYY(("P(server_aaaa_filter:%s)\n", $2));
@@ -408,6 +406,8 @@ Index: trunk/util/configparser.y
 +			yyerror("expected yes or no.");
 +		else cfg_parser->cfg->aaaa_filter = (strcmp($2, "yes")==0);
 +		free($2);
- 	}
- 	;
++	}
++	;
  server_private_address: VAR_PRIVATE_ADDRESS STRING_ARG
+ 	{
+ 		OUTYY(("P(server_private_address:%s)\n", $2));

contrib/unbound.service.in

@@ -42,9 +42,9 @@
 [Unit]
 Description=Validating, recursive, and caching DNS resolver
 Documentation=man:unbound(8)
-After=network.target
-Before=network-online.target nss-lookup.target
-Wants=nss-lookup.target
+After=network-online.target
+Before=nss-lookup.target
+Wants=network-online.target nss-lookup.target
 
 [Install]
 WantedBy=multi-user.target

contrib/unbound_munin_

@@ -174,11 +174,11 @@ get_state ( ) {
 if test "$1" = "autoconf" ; then
 	if test ! -f $conf; then
 		echo no "($conf does not exist)"
-		exit 1
+		exit 0
 	fi
 	if test ! -d `dirname $state`; then
 		echo no "(`dirname $state` directory does not exist)"
-		exit 1
+		exit 0
 	fi
 	echo yes
 	exit 0

daemon/daemon.c

@@ -77,6 +77,7 @@
 #include "util/storage/lookup3.h"
 #include "util/storage/slabhash.h"
 #include "util/tcp_conn_limit.h"
+#include "util/edns.h"
 #include "services/listen_dnsport.h"
 #include "services/cache/rrset.h"
 #include "services/cache/infra.h"
@@ -290,6 +291,15 @@ daemon_init(void)
 		free(daemon);
 		return NULL;
 	}
+	if(!(daemon->env->edns_tags = edns_tags_create())) {
+		auth_zones_delete(daemon->env->auth_zones);
+		acl_list_delete(daemon->acl);
+		tcl_list_delete(daemon->tcl);
+		edns_known_options_delete(daemon->env);
+		free(daemon->env);
+		free(daemon);
+		return NULL;
+	}
 	return daemon;	
 }
 
@@ -298,6 +308,8 @@ daemon_open_shared_ports(struct daemon* daemon)
 {
 	log_assert(daemon);
 	if(daemon->cfg->port != daemon->listening_port) {
+		char** resif = NULL;
+		int num_resif = 0;
 		size_t i;
 		struct listen_port* p0;
 		daemon->reuseport = 0;
@@ -308,15 +320,18 @@ daemon_open_shared_ports(struct daemon* daemon)
 			free(daemon->ports);
 			daemon->ports = NULL;
 		}
+		if(!resolve_interface_names(daemon->cfg, &resif, &num_resif))
+			return 0;
 		/* see if we want to reuseport */
 #ifdef SO_REUSEPORT
 		if(daemon->cfg->so_reuseport && daemon->cfg->num_threads > 0)
 			daemon->reuseport = 1;
 #endif
 		/* try to use reuseport */
-		p0 = listening_ports_open(daemon->cfg, &daemon->reuseport);
+		p0 = listening_ports_open(daemon->cfg, resif, num_resif, &daemon->reuseport);
 		if(!p0) {
 			listening_ports_free(p0);
+			config_del_strarray(resif, num_resif);
 			return 0;
 		}
 		if(daemon->reuseport) {
@@ -330,6 +345,7 @@ daemon_open_shared_ports(struct daemon* daemon)
 		if(!(daemon->ports = (struct listen_port**)calloc(
 			daemon->num_ports, sizeof(*daemon->ports)))) {
 			listening_ports_free(p0);
+			config_del_strarray(resif, num_resif);
 			return 0;
 		}
 		daemon->ports[0] = p0;
@@ -338,16 +354,19 @@ daemon_open_shared_ports(struct daemon* daemon)
 			for(i=1; i<daemon->num_ports; i++) {
 				if(!(daemon->ports[i]=
 					listening_ports_open(daemon->cfg,
+						resif, num_resif,
 						&daemon->reuseport))
 					|| !daemon->reuseport ) {
 					for(i=0; i<daemon->num_ports; i++)
 						listening_ports_free(daemon->ports[i]);
 					free(daemon->ports);
 					daemon->ports = NULL;
+					config_del_strarray(resif, num_resif);
 					return 0;
 				}
 			}
 		}
+		config_del_strarray(resif, num_resif);
 		daemon->listening_port = daemon->cfg->port;
 	}
 	if(!daemon->cfg->remote_control_enable && daemon->rc_port) {
@@ -619,6 +638,10 @@ daemon_fork(struct daemon* daemon)
 		&daemon->use_rpz))
 		fatal_exit("auth_zones could not be setup");
 
+	/* Set-up EDNS tags */
+	if(!edns_tags_apply_cfg(daemon->env->edns_tags, daemon->cfg))
+		fatal_exit("Could not set up EDNS tags");
+
 	/* setup modules */
 	daemon_setup_modules(daemon);
 
@@ -750,6 +773,7 @@ daemon_delete(struct daemon* daemon)
 		rrset_cache_delete(daemon->env->rrset_cache);
 		infra_delete(daemon->env->infra_cache);
 		edns_known_options_delete(daemon->env);
+		edns_tags_delete(daemon->env->edns_tags);
 		auth_zones_delete(daemon->env->auth_zones);
 	}
 	ub_randfree(daemon->rand);

daemon/remote.c

@@ -329,7 +329,8 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
 
 		/* open fd */
 		fd = create_tcp_accept_sock(res, 1, &noproto, 0,
-			cfg->ip_transparent, 0, cfg->ip_freebind, cfg->use_systemd, cfg->ip_dscp);
+			cfg->ip_transparent, 0, 0, cfg->ip_freebind,
+			cfg->use_systemd, cfg->ip_dscp);
 		freeaddrinfo(res);
 	}
 
@@ -348,11 +349,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
 	/* alloc */
 	n = (struct listen_port*)calloc(1, sizeof(*n));
 	if(!n) {
-#ifndef USE_WINSOCK
-		close(fd);
-#else
-		closesocket(fd);
-#endif
+		sock_close(fd);
 		log_err("out of memory");
 		return 0;
 	}
@@ -461,11 +458,7 @@ int remote_accept_callback(struct comm_point* c, void* arg, int err,
 	if(rc->active >= rc->max_active) {
 		log_warn("drop incoming remote control: too many connections");
 	close_exit:
-#ifndef USE_WINSOCK
-		close(newfd);
-#else
-		closesocket(newfd);
-#endif
+		sock_close(newfd);
 		return 0;
 	}
 
@@ -574,11 +567,8 @@ ssl_print_text(RES* res, const char* text)
 			if(r == -1) {
 				if(errno == EAGAIN || errno == EINTR)
 					continue;
-#ifndef USE_WINSOCK
-				log_err("could not send: %s", strerror(errno));
-#else
-				log_err("could not send: %s", wsa_strerror(WSAGetLastError()));
-#endif
+				log_err("could not send: %s",
+					sock_strerror(errno));
 				return 0;
 			}
 			at += r;
@@ -635,11 +625,8 @@ ssl_read_line(RES* res, char* buf, size_t max)
 					}
 					if(errno == EINTR || errno == EAGAIN)
 						continue;
-#ifndef USE_WINSOCK
-					log_err("could not recv: %s", strerror(errno));
-#else
-					log_err("could not recv: %s", wsa_strerror(WSAGetLastError()));
-#endif
+					log_err("could not recv: %s",
+						sock_strerror(errno));
 					return 0;
 				}
 				break;
@@ -862,6 +849,12 @@ print_mem(RES* ssl, struct worker* worker, struct daemon* daemon,
 	if(!print_longnum(ssl, "mem.streamwait"SQ,
 		(size_t)s->svr.mem_stream_wait))
 		return 0;
+	if(!print_longnum(ssl, "mem.http.query_buffer"SQ,
+		(size_t)s->svr.mem_http2_query_buffer))
+		return 0;
+	if(!print_longnum(ssl, "mem.http.response_buffer"SQ,
+		(size_t)s->svr.mem_http2_response_buffer))
+		return 0;
 	return 1;
 }
 
@@ -988,6 +981,8 @@ print_ext(RES* ssl, struct ub_stats_info* s)
 		(unsigned long)s->svr.qtls_resume)) return 0;
 	if(!ssl_printf(ssl, "num.query.ipv6"SQ"%lu\n", 
 		(unsigned long)s->svr.qipv6)) return 0;
+	if(!ssl_printf(ssl, "num.query.https"SQ"%lu\n",
+		(unsigned long)s->svr.qhttps)) return 0;
 	/* flags */
 	if(!ssl_printf(ssl, "num.query.flags.QR"SQ"%lu\n", 
 		(unsigned long)s->svr.qbit_QR)) return 0;
@@ -3116,11 +3111,7 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, RES* res)
 				if(rr == 0) return;
 				if(errno == EINTR || errno == EAGAIN)
 					continue;
-#ifndef USE_WINSOCK
-				log_err("could not recv: %s", strerror(errno));
-#else
-				log_err("could not recv: %s", wsa_strerror(WSAGetLastError()));
-#endif
+				log_err("could not recv: %s", sock_strerror(errno));
 				return;
 			}
 			r = (int)rr;

daemon/stats.c

@@ -271,6 +271,7 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 	s->svr.ans_secure += (long long)worker->env.mesh->ans_secure;
 	s->svr.ans_bogus += (long long)worker->env.mesh->ans_bogus;
 	s->svr.ans_rcode_nodata += (long long)worker->env.mesh->ans_nodata;
+	s->svr.ans_expired += (long long)worker->env.mesh->ans_expired;
 	for(i=0; i<UB_STATS_RCODE_NUM; i++)
 		s->svr.ans_rcode[i] += (long long)worker->env.mesh->ans_rcode[i];
 	for(i=0; i<UB_STATS_RPZ_ACTION_NUM; i++)
@@ -335,6 +336,10 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 	}
 	s->svr.mem_stream_wait =
 		(long long)tcp_req_info_get_stream_buffer_size();
+	s->svr.mem_http2_query_buffer =
+		(long long)http2_get_query_buffer_size();
+	s->svr.mem_http2_response_buffer =
+		(long long)http2_get_response_buffer_size();
 
 	/* Set neg cache usage numbers */
 	set_neg_cache_stats(worker, &s->svr, reset);
@@ -421,6 +426,7 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
 		total->svr.qtcp_outgoing += a->svr.qtcp_outgoing;
 		total->svr.qtls += a->svr.qtls;
 		total->svr.qtls_resume += a->svr.qtls_resume;
+		total->svr.qhttps += a->svr.qhttps;
 		total->svr.qipv6 += a->svr.qipv6;
 		total->svr.qbit_QR += a->svr.qbit_QR;
 		total->svr.qbit_AA += a->svr.qbit_AA;
@@ -484,6 +490,8 @@ void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
 			if(SSL_session_reused(c->ssl)) 
 				stats->qtls_resume++;
 #endif
+			if(c->type == comm_http)
+				stats->qhttps++;
 		}
 	}
 	if(repinfo && addr_is_ip6(&repinfo->addr, repinfo->addrlen))

daemon/unbound.c

@@ -92,7 +92,7 @@
 #include <TargetConditionals.h>
 #endif
 
-#if defined(TARGET_OS_TV) || defined(TARGET_OS_WATCH)
+#if (defined(TARGET_OS_TV) && TARGET_OS_TV) || (defined(TARGET_OS_WATCH) && TARGET_OS_WATCH)
 #undef HAVE_FORK
 #endif
 

daemon/worker.c

@@ -1109,7 +1109,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	struct respip_client_info* cinfo = NULL, cinfo_tmp;
 	memset(&qinfo, 0, sizeof(qinfo));
 
-	if(error != NETEVENT_NOERROR || !repinfo) {
+	if((error != NETEVENT_NOERROR && error != NETEVENT_DONE)|| !repinfo) {
 		/* some bad tcp query DNS formats give these error calls */
 		verbose(VERB_ALGO, "handle request called with err=%d", error);
 		return 0;
@@ -1219,7 +1219,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		LDNS_QR_SET(sldns_buffer_begin(c->buffer));
 		LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), 
 			LDNS_RCODE_FORMERR);
-		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
 	if(worker->env.cfg->log_queries) {
@@ -1237,7 +1236,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			LDNS_RCODE_REFUSED);
 		if(worker->stats.extended) {
 			worker->stats.qtype[qinfo.qtype]++;
-			server_stats_insrcode(&worker->stats, c->buffer);
 		}
 		goto send_reply;
 	}
@@ -1259,7 +1257,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			LDNS_RCODE_FORMERR);
 		if(worker->stats.extended) {
 			worker->stats.qtype[qinfo.qtype]++;
-			server_stats_insrcode(&worker->stats, c->buffer);
 		}
 		goto send_reply;
 	}
@@ -1275,7 +1272,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
 			sldns_buffer_read_u16_at(c->buffer, 2), &reply_edns);
 		regional_free_all(worker->scratchpad);
-		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
 	if(edns.edns_present) {
@@ -1354,7 +1350,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		edns.udp_size = 65535; /* max size for TCP replies */
 	if(qinfo.qclass == LDNS_RR_CLASS_CH && answer_chaos(worker, &qinfo,
 		&edns, repinfo, c->buffer)) {
-		server_stats_insrcode(&worker->stats, c->buffer);
 		regional_free_all(worker->scratchpad);
 		goto send_reply;
 	}
@@ -1375,7 +1370,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			comm_point_drop_reply(repinfo);
 			return 0;
 		}
-		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
 	if(worker->env.auth_zones &&
@@ -1387,7 +1381,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			comm_point_drop_reply(repinfo);
 			return 0;
 		}
-		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
 	if(worker->env.auth_zones &&
@@ -1403,7 +1396,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		if(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer)) &&
 		   acl != acl_deny_non_local && acl != acl_refuse_non_local)
 			LDNS_RA_SET(sldns_buffer_begin(c->buffer));
-		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
 
@@ -1432,7 +1424,6 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
 			sldns_buffer_read_u16_at(c->buffer, 2), NULL);
 		regional_free_all(worker->scratchpad);
-		server_stats_insrcode(&worker->stats, c->buffer);
 		log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
 			&repinfo->addr, repinfo->addrlen);
 		goto send_reply;
@@ -1588,9 +1579,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	if(is_expired_answer) {
 		worker->stats.ans_expired++;
 	}
+	server_stats_insrcode(&worker->stats, c->buffer);
 	if(worker->stats.extended) {
 		if(is_secure_answer) worker->stats.ans_secure++;
-		server_stats_insrcode(&worker->stats, repinfo->c->buffer);
 	}
 #ifdef USE_DNSTAP
 	if(worker->dtenv.log_client_response_messages)
@@ -1726,14 +1717,6 @@ worker_create(struct daemon* daemon, int id, int* ports, int n)
 		return NULL;
 	}
 	explicit_bzero(&seed, sizeof(seed));
-#ifdef USE_DNSTAP
-	if(daemon->cfg->dnstap) {
-		log_assert(daemon->dtenv != NULL);
-		memcpy(&worker->dtenv, daemon->dtenv, sizeof(struct dt_env));
-		if(!dt_init(&worker->dtenv))
-			fatal_exit("dt_init failed");
-	}
-#endif
 	return worker;
 }
 
@@ -1792,12 +1775,21 @@ worker_init(struct worker* worker, struct config_file *cfg,
 	} else { /* !do_sigs */
 		worker->comsig = NULL;
 	}
+#ifdef USE_DNSTAP
+	if(cfg->dnstap) {
+		log_assert(worker->daemon->dtenv != NULL);
+		memcpy(&worker->dtenv, worker->daemon->dtenv, sizeof(struct dt_env));
+		if(!dt_init(&worker->dtenv, worker->base))
+			fatal_exit("dt_init failed");
+	}
+#endif
 	worker->front = listen_create(worker->base, ports,
 		cfg->msg_buffer_size, (int)cfg->incoming_num_tcp,
 		cfg->do_tcp_keepalive
 			? cfg->tcp_keepalive_timeout
 			: cfg->tcp_idle_timeout,
-			worker->daemon->tcl,
+		cfg->harden_large_queries, cfg->http_max_streams,
+		cfg->http_endpoint, worker->daemon->tcl,
 		worker->daemon->listen_sslctx,
 		dtenv, worker_handle_request, worker);
 	if(!worker->front) {

dnstap/dnstap.c

@@ -134,9 +134,15 @@ dt_create(struct config_file* cfg)
 
 	if(cfg->dnstap && cfg->dnstap_socket_path && cfg->dnstap_socket_path[0] &&
 		(cfg->dnstap_ip==NULL || cfg->dnstap_ip[0]==0)) {
+		char* p = fname_after_chroot(cfg->dnstap_socket_path, cfg, 1);
+		if(!p) {
+			log_err("malloc failure");
+			return NULL;
+		}
 		verbose(VERB_OPS, "attempting to connect to dnstap socket %s",
-			cfg->dnstap_socket_path);
-		check_socket_file(cfg->dnstap_socket_path);
+			p);
+		check_socket_file(p);
+		free(p);
 	}
 
 	env = (struct dt_env *) calloc(1, sizeof(struct dt_env));
@@ -240,9 +246,9 @@ dt_apply_cfg(struct dt_env *env, struct config_file *cfg)
 }
 
 int
-dt_init(struct dt_env *env)
+dt_init(struct dt_env *env, struct comm_base* base)
 {
-	env->msgqueue = dt_msg_queue_create();
+	env->msgqueue = dt_msg_queue_create(base);
 	if(!env->msgqueue) {
 		log_err("malloc failure");
 		return 0;

dnstap/dnstap.h

@@ -101,10 +101,11 @@ dt_apply_cfg(struct dt_env *env, struct config_file *cfg);
 /**
  * Initialize per-worker state in dnstap environment object.
  * @param env: dnstap environment object to initialize, created with dt_create().
+ * @param base: event base for wakeup timer.
  * @return: true on success, false on failure.
  */
 int
-dt_init(struct dt_env *env);
+dt_init(struct dt_env *env, struct comm_base* base);
 
 /**
  * Deletes the per-worker state created by dt_init

dnstap/dtstream.c

@@ -68,6 +68,8 @@
 #define DTIO_RECONNECT_TIMEOUT_MAX 1000
 /** the msec to wait for reconnect slow, to stop busy spinning on reconnect */
 #define DTIO_RECONNECT_TIMEOUT_SLOW 1000
+/** number of messages before wakeup of thread */
+#define DTIO_MSG_FOR_WAKEUP 32
 
 /** maximum length of received frame */
 #define DTIO_RECV_FRAME_MAX_LEN 1000
@@ -99,13 +101,18 @@ static int dtio_enable_brief_write(struct dt_io_thread* dtio);
 #endif
 
 struct dt_msg_queue*
-dt_msg_queue_create(void)
+dt_msg_queue_create(struct comm_base* base)
 {
 	struct dt_msg_queue* mq = calloc(1, sizeof(*mq));
 	if(!mq) return NULL;
 	mq->maxsize = 1*1024*1024; /* set max size of buffer, per worker,
 		about 1 M should contain 64K messages with some overhead,
 		or a whole bunch smaller ones */
+	mq->wakeup_timer = comm_timer_create(base, mq_wakeup_cb, mq);
+	if(!mq->wakeup_timer) {
+		free(mq);
+		return NULL;
+	}
 	lock_basic_init(&mq->lock);
 	lock_protect(&mq->lock, mq, sizeof(*mq));
 	return mq;
@@ -125,6 +132,7 @@ dt_msg_queue_clear(struct dt_msg_queue* mq)
 	mq->first = NULL;
 	mq->last = NULL;
 	mq->cursize = 0;
+	mq->msgcount = 0;
 }
 
 void
@@ -133,6 +141,7 @@ dt_msg_queue_delete(struct dt_msg_queue* mq)
 	if(!mq) return;
 	lock_basic_destroy(&mq->lock);
 	dt_msg_queue_clear(mq);
+	comm_timer_delete(mq->wakeup_timer);
 	free(mq);
 }
 
@@ -149,25 +158,71 @@ static void dtio_wakeup(struct dt_io_thread* dtio)
 #ifndef USE_WINSOCK
 			if(errno == EINTR || errno == EAGAIN)
 				continue;
-			log_err("dnstap io wakeup: write: %s", strerror(errno));
 #else
 			if(WSAGetLastError() == WSAEINPROGRESS)
 				continue;
 			if(WSAGetLastError() == WSAEWOULDBLOCK)
 				continue;
-			log_err("dnstap io stop: write: %s",
-				wsa_strerror(WSAGetLastError()));
 #endif
+			log_err("dnstap io wakeup: write: %s",
+				sock_strerror(errno));
 			break;
 		}
 		break;
 	}
 }
 
+void
+mq_wakeup_cb(void* arg)
+{
+	struct dt_msg_queue* mq = (struct dt_msg_queue*)arg;
+	/* even if the dtio is already active, because perhaps much
+	 * traffic suddenly, we leave the timer running to save on
+	 * managing it, the once a second timer is less work then
+	 * starting and stopping the timer frequently */
+	lock_basic_lock(&mq->dtio->wakeup_timer_lock);
+	mq->dtio->wakeup_timer_enabled = 0;
+	lock_basic_unlock(&mq->dtio->wakeup_timer_lock);
+	dtio_wakeup(mq->dtio);
+}
+
+/** start timer to wakeup dtio because there is content in the queue */
+static void
+dt_msg_queue_start_timer(struct dt_msg_queue* mq)
+{
+	struct timeval tv;
+	/* Start a timer to process messages to be logged.
+	 * If we woke up the dtio thread for every message, the wakeup
+	 * messages take up too much processing power.  If the queue
+	 * fills up the wakeup happens immediately.  The timer wakes it up
+	 * if there are infrequent messages to log. */
+
+	/* we cannot start a timer in dtio thread, because it is a different
+	 * thread and its event base is in use by the other thread, it would
+	 * give race conditions if we tried to modify its event base,
+	 * and locks would wait until it woke up, and this is what we do. */
+
+	/* do not start the timer if a timer already exists, perhaps
+	 * in another worker.  So this variable is protected by a lock in
+	 * dtio */
+	lock_basic_lock(&mq->dtio->wakeup_timer_lock);
+	if(mq->dtio->wakeup_timer_enabled) {
+		lock_basic_unlock(&mq->dtio->wakeup_timer_lock);
+		return;
+	}
+	mq->dtio->wakeup_timer_enabled = 1; /* we are going to start one */
+	lock_basic_unlock(&mq->dtio->wakeup_timer_lock);
+
+	/* start the timer, in mq, in the event base of our worker */
+	tv.tv_sec = 1;
+	tv.tv_usec = 0;
+	comm_timer_set(mq->wakeup_timer, &tv);
+}
+
 void
 dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len)
 {
-	int wakeup = 0;
+	int wakeupnow = 0, wakeupstarttimer = 0;
 	struct dt_msg_entry* entry;
 
 	/* check conditions */
@@ -198,9 +253,15 @@ dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len)
 
 	/* aqcuire lock */
 	lock_basic_lock(&mq->lock);
-	/* list was empty, wakeup dtio */
+	/* if list was empty, start timer for (eventual) wakeup */
 	if(mq->first == NULL)
-		wakeup = 1;
+		wakeupstarttimer = 1;
+	/* if list contains more than wakeupnum elements, wakeup now,
+	 * or if list is (going to be) almost full */
+	if(mq->msgcount == DTIO_MSG_FOR_WAKEUP ||
+		(mq->cursize < mq->maxsize * 9 / 10 &&
+		mq->cursize+len >= mq->maxsize * 9 / 10))
+		wakeupnow = 1;
 	/* see if it is going to fit */
 	if(mq->cursize + len > mq->maxsize) {
 		/* buffer full, or congested. */
@@ -211,6 +272,7 @@ dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len)
 		return;
 	}
 	mq->cursize += len;
+	mq->msgcount ++;
 	/* append to list */
 	if(mq->last) {
 		mq->last->next = entry;
@@ -221,13 +283,19 @@ dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len)
 	/* release lock */
 	lock_basic_unlock(&mq->lock);
 
-	if(wakeup)
+	if(wakeupnow) {
 		dtio_wakeup(mq->dtio);
+	} else if(wakeupstarttimer) {
+		dt_msg_queue_start_timer(mq);
+	}
 }
 
 struct dt_io_thread* dt_io_thread_create(void)
 {
 	struct dt_io_thread* dtio = calloc(1, sizeof(*dtio));
+	lock_basic_init(&dtio->wakeup_timer_lock);
+	lock_protect(&dtio->wakeup_timer_lock, &dtio->wakeup_timer_enabled,
+		sizeof(dtio->wakeup_timer_enabled));
 	return dtio;
 }
 
@@ -235,6 +303,7 @@ void dt_io_thread_delete(struct dt_io_thread* dtio)
 {
 	struct dt_io_list_item* item, *nextitem;
 	if(!dtio) return;
+	lock_basic_destroy(&dtio->wakeup_timer_lock);
 	item=dtio->io_list;
 	while(item) {
 		nextitem = item->next;
@@ -279,7 +348,8 @@ int dt_io_thread_apply_cfg(struct dt_io_thread* dtio, struct config_file *cfg)
 			return 0;
 		}
 		free(dtio->socket_path);
-		dtio->socket_path = strdup(cfg->dnstap_socket_path);
+		dtio->socket_path = fname_after_chroot(cfg->dnstap_socket_path,
+			cfg, 1);
 		if(!dtio->socket_path) {
 			log_err("dnstap setup: malloc failure");
 			return 0;
@@ -416,6 +486,7 @@ static int dt_msg_queue_pop(struct dt_msg_queue* mq, void** buf,
 		mq->first = entry->next;
 		if(!entry->next) mq->last = NULL;
 		mq->cursize -= entry->len;
+		mq->msgcount --;
 		lock_basic_unlock(&mq->lock);
 
 		*buf = entry->buf;
@@ -587,11 +658,7 @@ static void dtio_del_output_event(struct dt_io_thread* dtio)
 /** close dtio socket and set it to -1 */
 static void dtio_close_fd(struct dt_io_thread* dtio)
 {
-#ifndef USE_WINSOCK
-	close(dtio->fd);
-#else
-	closesocket(dtio->fd);
-#endif
+	sock_close(dtio->fd);
 	dtio->fd = -1;
 }
 
@@ -659,13 +726,8 @@ static int dtio_check_nb_connect(struct dt_io_thread* dtio)
 		char* to = dtio->socket_path;
 		if(!to) to = dtio->ip_str;
 		if(!to) to = "";
-#ifndef USE_WINSOCK
 		log_err("dnstap io: failed to connect to \"%s\": %s",
-			to, strerror(error));
-#else
-		log_err("dnstap io: failed to connect to \"%s\": %s",
-			to, wsa_strerror(error));
-#endif
+			to, sock_strerror(error));
 		return -1; /* error, close it */
 	}
 
@@ -742,7 +804,6 @@ static int dtio_write_buf(struct dt_io_thread* dtio, uint8_t* buf,
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return 0;
-		log_err("dnstap io: failed send: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEINPROGRESS)
 			return 0;
@@ -752,9 +813,8 @@ static int dtio_write_buf(struct dt_io_thread* dtio, uint8_t* buf,
 				UB_EV_WRITE);
 			return 0;
 		}
-		log_err("dnstap io: failed send: %s",
-			wsa_strerror(WSAGetLastError()));
 #endif
+		log_err("dnstap io: failed send: %s", sock_strerror(errno));
 		return -1;
 	}
 	return ret;
@@ -778,7 +838,6 @@ static int dtio_write_with_writev(struct dt_io_thread* dtio)
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return 0;
-		log_err("dnstap io: failed writev: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEINPROGRESS)
 			return 0;
@@ -788,9 +847,8 @@ static int dtio_write_with_writev(struct dt_io_thread* dtio)
 				UB_EV_WRITE);
 			return 0;
 		}
-		log_err("dnstap io: failed writev: %s",
-			wsa_strerror(WSAGetLastError()));
 #endif
+		log_err("dnstap io: failed writev: %s", sock_strerror(errno));
 		/* close the channel */
 		dtio_del_output_event(dtio);
 		dtio_close_output(dtio);
@@ -1115,6 +1173,8 @@ static int dtio_read_accept_frame(struct dt_io_thread* dtio)
 					goto close_connection;
 				}
 				dtio->accept_frame_received = 1;
+				if(!dtio_add_output_event_write(dtio))
+					goto close_connection;
 				return 1;
 			} else {
 				/* unknow content type */
@@ -1482,15 +1542,13 @@ void dtio_cmd_cb(int fd, short ATTR_UNUSED(bits), void* arg)
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return; /* ignore this */
-		log_err("dnstap io: failed to read: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEINPROGRESS)
 			return;
 		if(WSAGetLastError() == WSAEWOULDBLOCK)
 			return;
-		log_err("dnstap io: failed to read: %s",
-			wsa_strerror(WSAGetLastError()));
 #endif
+		log_err("dnstap io: failed to read: %s", sock_strerror(errno));
 		/* and then fall through to quit the thread */
 	} else if(r == 0) {
 		verbose(VERB_ALGO, "dnstap io: cmd channel closed");
@@ -1852,13 +1910,8 @@ static int dtio_open_output_local(struct dt_io_thread* dtio)
 	struct sockaddr_un s;
 	dtio->fd = socket(AF_LOCAL, SOCK_STREAM, 0);
 	if(dtio->fd == -1) {
-#ifndef USE_WINSOCK
 		log_err("dnstap io: failed to create socket: %s",
-			strerror(errno));
-#else
-		log_err("dnstap io: failed to create socket: %s",
-			wsa_strerror(WSAGetLastError()));
-#endif
+			sock_strerror(errno));
 		return 0;
 	}
 	memset(&s, 0, sizeof(s));
@@ -1873,13 +1926,13 @@ static int dtio_open_output_local(struct dt_io_thread* dtio)
 	if(connect(dtio->fd, (struct sockaddr*)&s, (socklen_t)sizeof(s))
 		== -1) {
 		char* to = dtio->socket_path;
-#ifndef USE_WINSOCK
+		if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
+			verbosity < 4) {
+			dtio_close_fd(dtio);
+			return 0; /* no log retries on low verbosity */
+		}
 		log_err("dnstap io: failed to connect to \"%s\": %s",
-			to, strerror(errno));
-#else
-		log_err("dnstap io: failed to connect to \"%s\": %s",
-			to, wsa_strerror(WSAGetLastError()));
-#endif
+			to, sock_strerror(errno));
 		dtio_close_fd(dtio);
 		return 0;
 	}
@@ -1904,18 +1957,18 @@ static int dtio_open_output_tcp(struct dt_io_thread* dtio)
 	}
 	dtio->fd = socket(addr.ss_family, SOCK_STREAM, 0);
 	if(dtio->fd == -1) {
-#ifndef USE_WINSOCK
-		log_err("can't create socket: %s", strerror(errno));
-#else
-		log_err("can't create socket: %s",
-			wsa_strerror(WSAGetLastError()));
-#endif
+		log_err("can't create socket: %s", sock_strerror(errno));
 		return 0;
 	}
 	fd_set_nonblock(dtio->fd);
 	if(connect(dtio->fd, (struct sockaddr*)&addr, addrlen) == -1) {
 		if(errno == EINPROGRESS)
 			return 1; /* wait until connect done*/
+		if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
+			verbosity < 4) {
+			dtio_close_fd(dtio);
+			return 0; /* no log retries on low verbosity */
+		}
 #ifndef USE_WINSOCK
 		if(tcp_connect_errno_needs_log(
 			(struct sockaddr *)&addr, addrlen)) {
@@ -2097,15 +2150,14 @@ void dt_io_thread_stop(struct dt_io_thread* dtio)
 #ifndef USE_WINSOCK
 			if(errno == EINTR || errno == EAGAIN)
 				continue;
-			log_err("dnstap io stop: write: %s", strerror(errno));
 #else
 			if(WSAGetLastError() == WSAEINPROGRESS)
 				continue;
 			if(WSAGetLastError() == WSAEWOULDBLOCK)
 				continue;
-			log_err("dnstap io stop: write: %s",
-				wsa_strerror(WSAGetLastError()));
 #endif
+			log_err("dnstap io stop: write: %s",
+				sock_strerror(errno));
 			break;
 		}
 		break;

dnstap/dtstream.h

@@ -49,6 +49,7 @@ struct dt_msg_entry;
 struct dt_io_list_item;
 struct dt_io_thread;
 struct config_file;
+struct comm_base;
 
 /**
  * A message buffer with dnstap messages queued up.  It is per-worker.
@@ -68,11 +69,15 @@ struct dt_msg_queue {
 	/** current size of the buffer, in bytes.  data bytes of messages.
 	 * If a new message make it more than maxsize, the buffer is full */
 	size_t cursize;
+	/** number of messages in the queue */
+	int msgcount;
 	/** list of messages.  The messages are added to the back and taken
 	 * out from the front. */
 	struct dt_msg_entry* first, *last;
 	/** reference to the io thread to wakeup */
 	struct dt_io_thread* dtio;
+	/** the wakeup timer for dtio, on worker event base */
+	struct comm_timer* wakeup_timer;
 };
 
 /**
@@ -166,6 +171,10 @@ struct dt_io_thread {
 	 * for the current message length that precedes the frame */
 	size_t cur_msg_len_done;
 
+	/** lock on wakeup_timer_enabled */
+	lock_basic_type wakeup_timer_lock;
+	/** if wakeup timer is enabled in some thread */
+	int wakeup_timer_enabled;
 	/** command pipe that stops the pipe if closed.  Used to quit
 	 * the program. [0] is read, [1] is written to. */
 	int commandpipe[2];
@@ -233,9 +242,10 @@ struct dt_io_list_item {
 
 /**
  * Create new (empty) worker message queue. Limit set to default on max.
+ * @param base: event base for wakeup timer.
  * @return NULL on malloc failure or a new queue (not locked).
  */
-struct dt_msg_queue* dt_msg_queue_create(void);
+struct dt_msg_queue* dt_msg_queue_create(struct comm_base* base);
 
 /**
  * Delete a worker message queue.  It has to be unlinked from access,
@@ -258,6 +268,9 @@ void dt_msg_queue_delete(struct dt_msg_queue* mq);
  */
 void dt_msg_queue_submit(struct dt_msg_queue* mq, void* buf, size_t len);
 
+/** timer callback to wakeup dtio thread to process messages */
+void mq_wakeup_cb(void* arg);
+
 /**
  * Create IO thread.
  * @return new io thread object. not yet started. or NULL malloc failure.

dnstap/unbound-dnstap-socket.c

@@ -278,57 +278,31 @@ static int make_tcp_accept(char* ip)
 	}
 
 	if((s = socket(addr.ss_family, SOCK_STREAM, 0)) == -1) {
-#ifndef USE_WINSOCK
-		log_err("can't create socket: %s", strerror(errno));
-#else
-		log_err("can't create socket: %s",
-			wsa_strerror(WSAGetLastError()));
-#endif
+		log_err("can't create socket: %s", sock_strerror(errno));
 		return -1;
 	}
 #ifdef SO_REUSEADDR
 	if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
 		(socklen_t)sizeof(on)) < 0) {
-#ifndef USE_WINSOCK
 		log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
-			strerror(errno));
-		close(s);
-#else
-		log_err("setsockopt(.. SO_REUSEADDR ..) failed: %s",
-			wsa_strerror(WSAGetLastError()));
-		closesocket(s);
-#endif
+			sock_strerror(errno));
+		sock_close(s);
 		return -1;
 	}
 #endif /* SO_REUSEADDR */
 	if(bind(s, (struct sockaddr*)&addr, len) != 0) {
-#ifndef USE_WINSOCK
-		log_err_addr("can't bind socket", strerror(errno),
+		log_err_addr("can't bind socket", sock_strerror(errno),
 			&addr, len);
-		close(s);
-#else
-		log_err_addr("can't bind socket",
-			wsa_strerror(WSAGetLastError()), &addr, len);
-		closesocket(s);
-#endif
+		sock_close(s);
 		return -1;
 	}
 	if(!fd_set_nonblock(s)) {
-#ifndef USE_WINSOCK
-		close(s);
-#else
-		closesocket(s);
-#endif
+		sock_close(s);
 		return -1;
 	}
 	if(listen(s, LISTEN_BACKLOG) == -1) {
-#ifndef USE_WINSOCK
-		log_err("can't listen: %s", strerror(errno));
-		close(s);
-#else
-		log_err("can't listen: %s", wsa_strerror(WSAGetLastError()));
-		closesocket(s);
-#endif
+		log_err("can't listen: %s", sock_strerror(errno));
+		sock_close(s);
 		return -1;
 	}
 	return s;
@@ -654,7 +628,6 @@ static ssize_t receive_bytes(struct tap_data* data, int fd, void* buf,
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return -1;
-		log_err("could not recv: %s", strerror(errno));
 #else /* USE_WINSOCK */
 		if(WSAGetLastError() == WSAEINPROGRESS)
 			return -1;
@@ -662,9 +635,8 @@ static ssize_t receive_bytes(struct tap_data* data, int fd, void* buf,
 			ub_winsock_tcp_wouldblock(data->ev, UB_EV_READ);
 			return -1;
 		}
-		log_err("could not recv: %s",
-			wsa_strerror(WSAGetLastError()));
 #endif
+		log_err("could not recv: %s", sock_strerror(errno));
 		if(verbosity) log_info("dnstap client stream closed from %s",
 			(data->id?data->id:""));
 		return 0;
@@ -796,12 +768,7 @@ static int reply_with_accept(struct tap_data* data)
 		}
 	} else {
 		if(send(data->fd, acceptframe, len, 0) == -1) {
-#ifndef USE_WINSOCK
-			log_err("send failed: %s", strerror(errno));
-#else
-			log_err("send failed: %s",
-				wsa_strerror(WSAGetLastError()));
-#endif
+			log_err("send failed: %s", sock_strerror(errno));
 			fd_set_nonblock(data->fd);
 			free(acceptframe);
 			return 0;
@@ -834,11 +801,7 @@ static int reply_with_finish(int fd)
 
 	fd_set_block(fd);
 	if(send(fd, finishframe, len, 0) == -1) {
-#ifndef USE_WINSOCK
-		log_err("send failed: %s", strerror(errno));
-#else
-		log_err("send failed: %s", wsa_strerror(WSAGetLastError()));
-#endif
+		log_err("send failed: %s", sock_strerror(errno));
 		fd_set_nonblock(fd);
 		free(finishframe);
 		return 0;
@@ -1094,7 +1057,6 @@ void dtio_mainfdcallback(int fd, short ATTR_UNUSED(bits), void* arg)
 #endif /* EPROTO */
 			)
 			return;
-		log_err_addr("accept failed", strerror(errno), &addr, addrlen);
 #else /* USE_WINSOCK */
 		if(WSAGetLastError() == WSAEINPROGRESS ||
 			WSAGetLastError() == WSAECONNRESET)
@@ -1103,9 +1065,9 @@ void dtio_mainfdcallback(int fd, short ATTR_UNUSED(bits), void* arg)
 			ub_winsock_tcp_wouldblock(maindata->ev, UB_EV_READ);
 			return;
 		}
-		log_err_addr("accept failed", wsa_strerror(WSAGetLastError()),
-			&addr, addrlen);
 #endif
+		log_err_addr("accept failed", sock_strerror(errno), &addr,
+			addrlen);
 		return;
 	}
 	fd_set_nonblock(s);
@@ -1205,8 +1167,10 @@ int sig_quit = 0;
 static RETSIGTYPE main_sigh(int sig)
 {
 	verbose(VERB_ALGO, "exit on signal %d\n", sig);
-	if(sig_base)
+	if(sig_base) {
 		ub_event_base_loopexit(sig_base);
+		sig_base = NULL;
+	}
 	sig_quit = 1;
 }
 
@@ -1247,9 +1211,9 @@ setup_and_run(struct config_strlist_head* local_list,
 	if(verbosity) log_info("start of service");
 
 	ub_event_base_dispatch(base);
+	sig_base = NULL;
 
 	if(verbosity) log_info("end of service");
-	sig_base = NULL;
 	tap_socket_list_delete(maindata->acceptlist);
 	ub_event_base_free(base);
 	free(maindata);

doc/Changelog

@@ -1,3 +1,133 @@
+1 October 2020: Wouter
+	- Current repo is version 1.12.0 for release.  Tag for 1.12.0rc1.
+
+30 September 2020: Wouter
+	- Fix doh tests when not compiled in.
+	- Add dohclient test executable to gitignore.
+	- Fix stream_ssl, ssl_req_order and ssl_req_timeout tests for
+	  alloc check debug output.
+	- Easier kill of unbound-dnstap-socket tool in test.
+	- Fix memory leak of edns tags at libunbound context delete.
+	- Fix double loopexit for unbound-dnstap-socket after sigterm.
+
+29 September 2020: Ralph
+	- DNS Flag Day 2020: change edns-buffer-size default to 1232.
+
+28 September 2020: Wouter
+	- Fix unit test for dnstap changes, so that it waits for the timer.
+
+23 September 2020: Wouter
+	- Fix #305: dnstap logging significantly affects unbound performance
+	  (regression in 1.11).
+	- Fix #305: only wake up thread when threshold reached.
+	- Fix to ifdef fptr wlist item for dnstap.
+
+23 September 2020: Ralph
+	- Fix edns-client-tags get_option typo
+	- Add edns-client-tag-opcode option
+	- Use inclusive language in configuration
+
+21 September 2020: Ralph
+	- Fix #304: dnstap logging not recovering after dnstap process restarts
+
+21 September 2020: Wouter
+	- Merge PR #311 by luismerino: Dynlibmod leak.
+	- Error message is logged for dynlibmod malloc failures.
+	- iana portlist updated.
+
+18 September 2020: Wouter
+	- Fix that prefer-ip4 and prefer-ip6 can be get and set with
+	  unbound-control, with libunbound and the unbound-checkconf option
+	  output function.
+	- iana portlist updated.
+
+15 September 2020: George
+	- Introduce test for statistics.
+
+15 September 2020: Wouter
+	- Spelling fix.
+
+11 September 2020: Wouter
+	- Remove x file mode on ipset/ipset.c and h files.
+
+9 September 2020: Wouter
+	- Fix num.expired statistics output.
+
+31 August 2020: Wouter
+	- Merge PR #293: Add missing prototype.  Also refactor to use the new
+	  shorthand function to clean up the code.
+	- Refactor to use sock_strerr shorthand function.
+	- Fix #296: systemd nss-lookup.target is reached before unbound can
+	  successfully answer queries. Changed contrib/unbound.service.in.
+
+27 August 2020: Wouter
+	- Similar to NSD PR#113, implement that interface names can be used,
+	  eg. something like interface: eth0 is resolved at server start and
+	  uses the IP addresses for that named interface.
+	- Review fix, doxygen and assign null in case of error free.
+
+26 August 2020: George
+	- Update documentation in python example code.
+
+24 August 2020: Wouter
+	- Fix that dnstap reconnects do not spam the log with the repeated
+	  attempts.  Attempts on the timer are only logged on high verbosity,
+	  if they produce a connection failure error.
+	- Fix to apply chroot to dnstap-socket-path, if chroot is enabled.
+	- Change configure to use EVP_sha256 instead of HMAC_Update for
+	  openssl-3.0.0.
+
+20 August 2020: Ralph
+	- Fix stats double count issue (#289).
+
+13 August 2020: Ralph
+	- Create and init edns tags data for libunbound.
+
+10 August 2020: Ralph
+	- Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available,
+	  by Vítězslav Čížek.
+
+10 August 2020: Wouter
+	- Fix #287: doc typo: "Additionaly".
+	- Rerun autoconf
+
+6 August 2020: Wouter
+	- Merge PR #284 and Fix #246: Remove DLV entirely from Unbound.
+	  The DLV has been decommisioned and in unbound 1.5.4, in 2015, there
+	  was advise to stop using it.  The current code base does not contain
+	  DLV code any more.  The use of dlv options displays a warning.
+
+5 August 2020: Wouter
+	- contrib/aaaa-filter-iterator.patch file renewed diff content to
+	  apply cleanly to the current coderepo for the current code version.
+
+5 August 2020: Ralph
+	- Merge PR #272: Add EDNS client tag functionality.
+
+4 August 2020: George
+	- Improve error log message when inserting rpz RR.
+	- Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as
+	  definedness, by Felipe Gasper.
+
+4 August 2020: Wouter
+	- Fix mini_event.h on OpenBSD cannot find fd_set.
+
+31 July 2020: Wouter
+	- Fix doxygen comment for no ssl for tls session ticket key callback
+	  routine.
+
+27 July 2020: George
+	- Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on
+	  March 2020, by and0x000.
+
+27 July 2020: Ralph
+	- Merge PR #269, Fix python module len() implementations, by Torbjörn
+	  Lönnemark
+
+27 July 2020: Wouter
+	- branch now named 1.11.1.  1.11.0rc1 became the 1.11.0 release.
+	- Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf
+
 20 July 2020: Wouter
 	- Fix streamtcp to print packet data to stdout.  This makes the
 	  stdout and stderr not mix together lines, when parsing its output.

doc/README

@@ -1,4 +1,4 @@
-README for Unbound 1.11.0
+README for Unbound 1.12.0
 Copyright 2007 NLnet Labs
 http://unbound.net
 

doc/example.conf.in

@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.11.0.
+# See unbound.conf(5) man page, version 1.12.0.
 #
 # this is a comment.
 
@@ -129,8 +129,8 @@ server:
 	# ip-dscp: 0
 
 	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
-	# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
-	# edns-buffer-size: 4096
+	# is set with msg-buffer-size).
+	# edns-buffer-size: 1232
 
 	# Maximum UDP response size (not applied to TCP response).
 	# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
@@ -431,8 +431,8 @@ server:
 
 	# Domains (and domains in them) without support for dns-0x20 and
 	# the fallback fails because they keep sending different answers.
-	# caps-whitelist: "licdn.com"
-	# caps-whitelist: "senderbase.org"
+	# caps-exempt: "licdn.com"
+	# caps-exempt: "senderbase.org"
 
 	# Enforce privacy of these addresses. Strips them away from answers.
 	# It may cause DNSSEC validation to additionally mark it as bogus.
@@ -509,11 +509,6 @@ server:
 	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
 	# root-key-sentinel: yes
 
-	# File with DLV trusted keys. Same format as trust-anchor-file.
-	# There can be only one DLV configured, it is trusted from root down.
-	# DLV is going to be decommissioned.  Please do not use it any more.
-	# dlv-anchor-file: "dlv.isc.org.key"
-
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry.
 	# Zone file format, with DS and DNSKEY entries.
@@ -589,7 +584,7 @@ server:
 	#
 	# Time in milliseconds before replying to the client with expired data.
 	# This essentially enables the serve-stale behavior as specified in
-	# draft-ietf-dnsop-serve-stale-10 that first tries to resolve before
+	# RFC 8767 that first tries to resolve before
 	# immediately responding with expired data.  0 disables this behavior.
 	# A recommended value is 1800.
 	# serve-expired-client-timeout: 0
@@ -627,7 +622,7 @@ server:
 	# more slabs reduce lock contention, but fragment memory usage.
 	# key-cache-slabs: 4
 
-	# the amount of memory to use for the negative cache (used for DLV).
+	# the amount of memory to use for the negative cache.
 	# plain value in bytes or you can append k, m or G. default is "1Mb".
 	# neg-cache-size: 1m
 
@@ -738,12 +733,14 @@ server:
 	# add a netblock specific override to a localzone, with zone type
 	# local-zone-override: "example.com" 192.0.2.0/24 refuse
 
-	# service clients over TLS (on the TCP sockets), with plain DNS inside
-	# the TLS stream.  Give the certificate to use and private key.
+	# service clients over TLS (on the TCP sockets) with plain DNS inside
+	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
+	# Give the certificate to use and private key.
 	# default is "" (disabled).  requires restart to take effect.
 	# tls-service-key: "path/to/privatekeyfile.key"
 	# tls-service-pem: "path/to/publiccertfile.pem"
 	# tls-port: 853
+	# https-port: 443
 
 	# cipher setting for TLSv1.2
 	# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
@@ -775,6 +772,22 @@ server:
 	# Also serve tls on these port numbers (eg. 443, ...), by listing
 	# tls-additional-port: portno for each of the port numbers.
 
+	# HTTP endpoint to provide DNS-over-HTTPS service on.
+	# http-endpoint: "/dns-query"
+
+	# HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use.
+	# http-max-streams: 100
+
+	# Maximum number of bytes used for all HTTP/2 query buffers.
+	# http-query-buffer-size: 4m
+
+	# Maximum number of bytes used for all HTTP/2 response buffers.
+	# http-response-buffer-size: 4m
+
+	# Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS
+	# service.
+	# http-nodelay: yes
+
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
 	# dns64-prefix: 64:ff9b::0/96
@@ -848,9 +861,9 @@ server:
 	# ipsecmod-ignore-bogus: no
 	#
 	# Domains for which ipsecmod will be triggered. If not defined (default)
-	# all domains are treated as being whitelisted.
-	# ipsecmod-whitelist: "example.com"
-	# ipsecmod-whitelist: "nlnetlabs.nl"
+	# all domains are treated as being allowed.
+	# ipsecmod-allow: "example.com"
+	# ipsecmod-allow: "nlnetlabs.nl"
 
 
 # Python config section. To enable:
@@ -948,27 +961,27 @@ remote-control:
 # upstream (which saves a lookup to the upstream).  The first example
 # has a copy of the root for local usage.  The second serves example.org
 # authoritatively.  zonefile: reads from file (and writes to it if you also
-# download it), master: fetches with AXFR and IXFR, or url to zonefile.
-# With allow-notify: you can give additional (apart from masters) sources of
+# download it), primary: fetches with AXFR and IXFR, or url to zonefile.
+# With allow-notify: you can give additional (apart from primaries) sources of
 # notifies.
 # auth-zone:
 #	name: "."
-#	master: 199.9.14.201         # b.root-servers.net
-#	master: 192.33.4.12          # c.root-servers.net
-#	master: 199.7.91.13          # d.root-servers.net
-#	master: 192.5.5.241          # f.root-servers.net
-#	master: 192.112.36.4         # g.root-servers.net
-#	master: 193.0.14.129         # k.root-servers.net
-#	master: 192.0.47.132         # xfr.cjr.dns.icann.org
-#	master: 192.0.32.132         # xfr.lax.dns.icann.org
-#	master: 2001:500:200::b      # b.root-servers.net
-#	master: 2001:500:2::c        # c.root-servers.net
-#	master: 2001:500:2d::d       # d.root-servers.net
-#	master: 2001:500:2f::f       # f.root-servers.net
-#	master: 2001:500:12::d0d     # g.root-servers.net
-#	master: 2001:7fd::1          # k.root-servers.net
-#	master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
-#	master: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
+#	primary: 199.9.14.201         # b.root-servers.net
+#	primary: 192.33.4.12          # c.root-servers.net
+#	primary: 199.7.91.13          # d.root-servers.net
+#	primary: 192.5.5.241          # f.root-servers.net
+#	primary: 192.112.36.4         # g.root-servers.net
+#	primary: 193.0.14.129         # k.root-servers.net
+#	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
+#	primary: 192.0.32.132         # xfr.lax.dns.icann.org
+#	primary: 2001:500:200::b      # b.root-servers.net
+#	primary: 2001:500:2::c        # c.root-servers.net
+#	primary: 2001:500:2d::d       # d.root-servers.net
+#	primary: 2001:500:2f::f       # f.root-servers.net
+#	primary: 2001:500:12::d0d     # g.root-servers.net
+#	primary: 2001:7fd::1          # k.root-servers.net
+#	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+#	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
 #	fallback-enabled: yes
 #	for-downstream: no
 #	for-upstream: yes
@@ -1088,7 +1101,7 @@ remote-control:
 # rpz:
 #     name: "rpz.example.com"
 #     zonefile: "rpz.example.com"
-#     master: 192.0.2.0
+#     primary: 192.0.2.0
 #     allow-notify: 192.0.2.0/32
 #     url: http://www.example.com/rpz.example.org.zone
 #     rpz-action-override: cname

doc/libunbound.3.in

@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0"
+.TH "libunbound" "3" "Oct  8, 2020" "NLnet Labs" "unbound 1.12.0"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -44,7 +44,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.11.0 functions.
+\- Unbound DNS validating resolver 1.12.0 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP

doc/unbound-anchor.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0"
+.TH "unbound-anchor" "8" "Oct  8, 2020" "NLnet Labs" "unbound 1.12.0"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"

doc/unbound-checkconf.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0"
+.TH "unbound-checkconf" "8" "Oct  8, 2020" "NLnet Labs" "unbound 1.12.0"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"

doc/unbound-control.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0"
+.TH "unbound-control" "8" "Oct  8, 2020" "NLnet Labs" "unbound 1.12.0"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"
@@ -506,6 +506,14 @@ negative cache.
 Memory in bytes in used by the TCP and TLS stream wait buffers.  These are
 answers waiting to be written back to the clients.
 .TP
+.I mem.http.query_buffer
+Memory in bytes used by the HTTP/2 query buffers. Containing (partial) DNS
+queries waiting for request stream completion.
+.TP
+.I mem.http.response_buffer
+Memory in bytes used by the HTTP/2 response buffers. Containing DNS responses
+waiting to be written back to the clients.
+.TP
 .I histogram.<sec>.<usec>.to.<sec>.<usec>
 Shows a histogram, summed over all threads. Every element counts the
 recursive queries whose reply time fit between the lower and upper bound.
@@ -545,6 +553,11 @@ These are also counted in num.query.tcp, because TLS uses TCP.
 Number of TLS session resumptions, these are queries over TLS towards
 the unbound server where the client negotiated a TLS session resumption key.
 .TP
+.I num.query.https
+Number of queries that were made using HTTPS towards the unbound server.
+These are also counted in num.query.tcp and num.query.tls, because HTTPS
+uses TLS and TCP.
+.TP
 .I num.query.ipv6
 Number of queries that were made using IPv6 towards the unbound server.
 .TP

doc/unbound-host.1.in

@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0"
+.TH "unbound\-host" "1" "Oct  8, 2020" "NLnet Labs" "unbound 1.12.0"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"

doc/unbound.8.in

@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0"
+.TH "unbound" "8" "Oct  8, 2020" "NLnet Labs" "unbound 1.12.0"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.11.0.
+\- Unbound DNS validating resolver 1.12.0.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]

doc/unbound.conf.5.in

@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0"
+.TH "unbound.conf" "5" "Oct  8, 2020" "NLnet Labs" "unbound 1.12.0"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -122,7 +122,8 @@ The port number, default 53, on which the server responds to queries.
 Interface to use to connect to the network. This interface is listened to
 for queries from clients, and answers to clients are given from it.
 Can be given multiple times to work on several interfaces. If none are
-given the default is to listen to localhost.
+given the default is to listen to localhost.  If an interface name is used
+instead of an ip address, the list of ip addresses on that interface are used.
 The interfaces are not changed on a reload (kill \-HUP) but only on restart.
 A port number can be specified with @port (without spaces between
 interface and port number), if not specified the default port (from
@@ -206,12 +207,11 @@ accepted. For larger installations increasing this value is a good idea.
 Number of bytes size to advertise as the EDNS reassembly buffer size.
 This is the value put into datagrams over UDP towards peers.  The actual
 buffer size is determined by msg\-buffer\-size (both for TCP and UDP).  Do
-not set higher than that value.  Default is 4096 which is RFC recommended.
-If you have fragmentation reassembly problems, usually seen as timeouts,
-then a value of 1472 can fix it.  Setting to 512 bypasses even the most
-stringent path MTU problems, but is seen as extreme, since the amount
-of TCP fallback generated is excessive (probably also for this resolver,
-consider tuning the outgoing tcp number).
+not set higher than that value.  Default is 1232 which is the DNS Flag Day 2020
+recommendation. Setting to 512 bypasses even the most stringent path MTU
+problems, but is seen as extreme, since the amount of TCP fallback generated is
+excessive (probably also for this resolver, consider tuning the outgoing tcp
+number).
 .TP
 .B max\-udp\-size: \fI<number>
 Maximum UDP response size (not applied to TCP response).  65536 disables the
@@ -484,15 +484,16 @@ Alternate syntax for \fBtls\-upstream\fR.  If both are present in the config
 file the last is used.
 .TP
 .B tls\-service\-key: \fI<file>
-If enabled, the server provides TLS service on the TCP ports marked
-implicitly or explicitly for TLS service with tls\-port.  The file must
-contain the private key for the TLS session, the public certificate is in
-the tls\-service\-pem file and it must also be specified if tls\-service\-key
-is specified.  The default is "", turned off.  Enabling or disabling
-this service requires a restart (a reload is not enough), because the
-key is read while root permissions are held and before chroot (if any).
-The ports enabled implicitly or explicitly via \fBtls\-port:\fR do not provide
-normal DNS TCP service.
+If enabled, the server provides DNS-over-TLS or DNS-over-HTTPS service on the
+TCP ports marked implicitly or explicitly for these services with tls\-port or
+https\-port. The file must contain the private key for the TLS session, the
+public certificate is in the tls\-service\-pem file and it must also be
+specified if tls\-service\-key is specified.  The default is "", turned off.
+Enabling or disabling this service requires a restart (a reload is not enough),
+because the key is read while root permissions are held and before chroot (if any).
+The ports enabled implicitly or explicitly via \fBtls\-port:\fR and
+\fBhttps\-port:\fR do not provide normal DNS TCP service. Unbound needs to be
+compiled with libnghttp2 in order to provide DNS-over-HTTPS.
 .TP
 .B ssl\-service\-key: \fI<file>
 Alternate syntax for \fBtls\-service\-key\fR.
@@ -557,6 +558,35 @@ Enable or disable sending the SNI extension on TLS connections.
 Default is yes.
 Changing the value requires a reload.
 .TP
+.B https\-port: \fI<number>
+The port number on which to provide DNS-over-HTTPS service, default 443, only
+interfaces configured with that port number as @number get the HTTPS service.
+.TP
+.B http\-endpoint: \fI<endpoint string>
+The HTTP endpoint to provide DNS-over-HTTPS service on. Default "/dns-query".
+.TP
+.B http\-max\-streams: \fI<number of streams>
+Number used in the SETTINGS_MAX_CONCURRENT_STREAMS parameter in the HTTP/2
+SETTINGS frame for DNS-over-HTTPS connections. Default 100.
+.TP
+.B http\-query\-buffer\-size: \fI<size in bytes>
+Maximum number of bytes used for all HTTP/2 query buffers combined. These
+buffers contain (partial) DNS queries waiting for request stream completion.
+An RST_STREAM frame will be send to streams exceeding this limit. Default is 4
+megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes,
+megabytes or gigabytes (1024*1024 bytes in a megabyte).
+.TP
+.B http\-response\-buffer\-size: \fI<size in bytes>
+Maximum number of bytes used for all HTTP/2 response buffers combined. These
+buffers contain DNS responses waiting to be written back to the clients.
+An RST_STREAM frame will be send to streams exceeding this limit. Default is 4
+megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes,
+megabytes or gigabytes (1024*1024 bytes in a megabyte).
+.TP
+.B http\-nodelay: \fI<yes or no>
+Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
+Ignored if the option is not available. Default is yes.
+.TP
 .B use\-systemd: \fI<yes or no>
 Enable or disable systemd socket activation.
 Default is no.
@@ -853,12 +883,15 @@ authority servers and checks if the reply still has the correct casing.
 Disabled by default.
 This feature is an experimental implementation of draft dns\-0x20.
 .TP
-.B caps\-whitelist: \fI<domain>
-Whitelist the domain so that it does not receive caps\-for\-id perturbed
+.B caps\-exempt: \fI<domain>
+Exempt the domain so that it does not receive caps\-for\-id perturbed
 queries.  For domains that do not support 0x20 and also fail with fallback
 because they keep sending different answers, like some load balancers.
 Can be given multiple times, for different domains.
 .TP
+.B caps\-whitelist: \fI<yes or no>
+Alternate syntax for \fBcaps\-exempt\fR.
+.TP
 .B qname\-minimisation: \fI<yes or no>
 Send minimum amount of information to upstream servers to enhance privacy.
 Only send minimum required labels of the QNAME and set QTYPE to A when
@@ -1010,26 +1043,11 @@ Send RFC8145 key tag query after trust anchor priming. Default is yes.
 .B root\-key\-sentinel: \fI<yes or no>
 Root key trust anchor sentinel. Default is yes.
 .TP
-.B dlv\-anchor\-file: \fI<filename>
-This option was used during early days DNSSEC deployment when no parent-side
-DS record registrations were easily available.  Nowadays, it is best to have
-DS records registered with the parent zone (many top level zones are signed).
-File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
-DNSKEY entries can be used in the file, in the same format as for
-\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
-would be slow. The DLV configured is used as a root trusted DLV, this
-means that it is a lookaside for the root. Default is "", or no dlv anchor
-file. DLV is going to be decommissioned.  Please do not use it any more.
-.TP
-.B dlv\-anchor: \fI<"Resource Record">
-Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
-DLV is going to be decommissioned.  Please do not use it any more.
-.TP
 .B domain\-insecure: \fI<domain name>
 Sets domain name to be insecure, DNSSEC chain of trust is ignored towards
 the domain name.  So a trust anchor above the domain name can not make the
 domain secure with a DS record, such a DS record is then ignored.
-Also keys from DLV are ignored for the domain.  Can be given multiple times
+Can be given multiple times
 to specify multiple domains that are treated as if unsigned.  If you set
 trust anchors for the domain they override this setting (and the domain
 is secured).
@@ -1108,7 +1126,7 @@ later on.  Default is "no".
 .B serve\-expired\-ttl: \fI<seconds>
 Limit serving of expired responses to configured seconds after expiration. 0
 disables the limit.  This option only applies when \fBserve\-expired\fR is
-enabled.  A suggested value per draft-ietf-dnsop-serve-stale-10 is between
+enabled.  A suggested value per RFC 8767 is between
 86400 (1 day) and 259200 (3 days).  The default is 0.
 .TP
 .B serve\-expired\-ttl\-reset: \fI<yes or no>
@@ -1120,14 +1138,14 @@ expired records will be served as long as there are queries for it.  Default is
 .B serve\-expired\-reply\-ttl: \fI<seconds>
 TTL value to use when replying with expired data.  If
 \fBserve\-expired\-client\-timeout\fR is also used then it is RECOMMENDED to
-use 30 as the value (draft-ietf-dnsop-serve-stale-10).  The default is 30.
+use 30 as the value (RFC 8767).  The default is 30.
 .TP
 .B serve\-expired\-client\-timeout: \fI<msec>
 Time in milliseconds before replying to the client with expired data.  This
 essentially enables the serve-stale behavior as specified in
-draft-ietf-dnsop-serve-stale-10 that first tries to resolve before immediately
+RFC 8767 that first tries to resolve before immediately
 responding with expired data.  A recommended value per
-draft-ietf-dnsop-serve-stale-10 is 1800.  Setting this to 0 will disable this
+RFC 8767 is 1800.  Setting this to 0 will disable this
 behavior.  Default is 0.
 .TP
 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
@@ -1516,6 +1534,16 @@ servers set. The default for fast\-server\-permil is 0.
 Set the number of servers that should be used for fast server selection. Only
 use the fastest specified number of servers with the fast\-server\-permil
 option, that turns this on or off. The default is to use the fastest 3 servers.
+.TP 5
+.B edns\-client\-tag: \fI<IP netblock> <tag data>
+Include an edns-client-tag option in queries with destination address matching
+the configured IP netblock. This configuration option can be used multiple
+times. The most specific match will be used. The tag data is configured in
+decimal format, from 0 to 65535.
+.TP 5
+.B edns\-client\-tag\-opcode: \fI<opcode>
+EDNS0 option code for the edns-client-tag option, from 0 to 65535. Default is
+16, as assigned by IANA.
 .SS "Remote Control Options"
 In the
 .B remote\-control:
@@ -1718,16 +1746,16 @@ uses the SOA timer values and performs SOA UDP queries to detect zone changes.
 If the update fetch fails, the timers in the SOA record are used to time
 another fetch attempt.  Until the SOA expiry timer is reached.  Then the
 zone is expired.  When a zone is expired, queries are SERVFAIL, and
-any new serial number is accepted from the master (even if older), and if
+any new serial number is accepted from the primary (even if older), and if
 fallback is enabled, the fallback activates to fetch from the upstream instead
 of the SERVFAIL.
 .TP
 .B name: \fI<zone name>
 Name of the authority zone.
 .TP
-.B master: \fI<IP address or host name>
+.B primary: \fI<IP address or host name>
 Where to download a copy of the zone from, with AXFR and IXFR.  Multiple
-masters can be specified.  They are all tried if one fails.
+primaries can be specified.  They are all tried if one fails.
 With the "ip#name" notation a AXFR over TLS can be used.
 If you point it at another Unbound instance, it would not work because
 that does not support AXFR/IXFR for the zone, but if you used \fBurl:\fR to download
@@ -1736,27 +1764,31 @@ If you specify the hostname, you cannot use the domain from the zonefile,
 because it may not have that when retrieving that data, instead use a plain
 IP address to avoid a circular dependency on retrieving that IP address.
 .TP
+.B master: \fI<IP address or host name>
+Alternate syntax for \fBprimary\fR.
+.TP
 .B url: \fI<url to zonefile>
 Where to download a zonefile for the zone.  With http or https.  An example
 for the url is "http://www.example.com/example.org.zone".  Multiple url
 statements can be given, they are tried in turn.  If only urls are given
 the SOA refresh timer is used to wait for making new downloads.  If also
-masters are listed, the masters are first probed with UDP SOA queries to
+primaries are listed, the primaries are first probed with UDP SOA queries to
 see if the SOA serial number has changed, reducing the number of downloads.
-If none of the urls work, the masters are tried with IXFR and AXFR.
+If none of the urls work, the primaries are tried with IXFR and AXFR.
 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
 to authenticate the connection.
 If you specify a hostname in the URL, you cannot use the domain from the
 zonefile, because it may not have that when retrieving that data, instead
 use a plain IP address to avoid a circular dependency on retrieving that IP
-address.  Avoid dependencies on name lookups by using a notation like "http://192.0.2.1/unbound-master/example.com.zone", with an explicit IP address.
+address.  Avoid dependencies on name lookups by using a notation like
+"http://192.0.2.1/unbound-primaries/example.com.zone", with an explicit IP address.
 .TP
 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
 With allow\-notify you can specify additional sources of notifies.
 When notified, the server attempts to first probe and then zone transfer.
-If the notify is from a master, it first attempts that master.  Otherwise
-other masters are attempted.  If there are no masters, but only urls, the
-file is downloaded when notified.  The masters from master: statements are
+If the notify is from a primary, it first attempts that primary.  Otherwise
+other primaries are attempted.  If there are no primaries, but only urls, the
+file is downloaded when notified.  The primaries from primary: statements are
 allowed notify by default.
 .TP
 .B fallback\-enabled: \fI<yes or no>
@@ -1784,7 +1816,7 @@ downstream clients, and use the zone data as a local copy to speed up lookups.
 .B zonefile: \fI<filename>
 The filename where the zone is stored.  If not given then no zonefile is used.
 If the file does not exist or is empty, unbound will attempt to fetch zone
-data (eg. from the master servers).
+data (eg. from the primary servers).
 .SS "View Options"
 .LP
 There may be multiple
@@ -1951,14 +1983,16 @@ The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
 validator iterator" directive and be compiled into the daemon to be
 enabled.  These settings go in the \fBserver:\fR section.
 .LP
-If the destination address is whitelisted with Unbound will add the EDNS0
-option to the query containing the relevant part of the client's address. When
-an answer contains the ECS option the response and the option are placed in a
-specialized cache. If the authority indicated no support, the response is
+If the destination address is allowed in the configuration Unbound will add the
+EDNS0 option to the query containing the relevant part of the client's address.
+When an answer contains the ECS option the response and the option are placed in
+a specialized cache. If the authority indicated no support, the response is
 stored in the regular cache.
 .LP
 Additionally, when a client includes the option in its queries, Unbound will
-forward the option to the authority if present in the whitelist, or
+forward the option when sending the query to addresses that are explicitly
+allowed in the configuration using \fBsend\-client\-subnet\fR. The option will
+always be forwarded, regardless the allowed addresses, if
 \fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
 the regular cache is skipped.
 .LP
@@ -1979,11 +2013,11 @@ given multiple times. Zones not listed will not receive edns-subnet information,
 unless hosted by authority specified in \fBsend\-client\-subnet\fR.
 .TP
 .B client\-subnet\-always\-forward: \fI<yes or no>\fR
-Specify whether the ECS whitelist check (configured using
+Specify whether the ECS address check (configured using
 \fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering
 query contains an ECS record, or only for queries for which the ECS record is
 generated using the querier address (and therefore did not contain ECS data in
-the client query). If enabled, the whitelist check is skipped when the client
+the client query). If enabled, the address check is skipped when the client
 query contains an ECS record. Default is no.
 .TP
 .B max\-client\-subnet\-ipv6: \fI<number>\fR
@@ -2073,10 +2107,13 @@ to yes, the hook will be called and the A/AAAA answer will be returned to the
 client.  If set to no, the hook will not be called and the answer to the
 A/AAAA query will be SERVFAIL.  Mainly used for testing.  Defaults to no.
 .TP
-.B ipsecmod\-whitelist: \fI<domain>\fR
-Whitelist the domain so that the module logic will be executed.  Can
-be given multiple times, for different domains.  If the option is not
-specified, all domains are treated as being whitelisted (default).
+.B ipsecmod\-allow: \fI<domain>\fR
+Allow the ipsecmod functionality for the domain so that the module logic will be
+executed.  Can be given multiple times, for different domains.  If the option is
+not specified, all domains are treated as being allowed (default).
+.TP
+.B ipsecmod\-whitelist: \fI<yes or no>
+Alternate syntax for \fBipsecmod\-allow\fR.
 .SS "Cache DB Module Options"
 .LP
 The Cache DB module must be configured in the \fBmodule\-config:\fR
@@ -2110,7 +2147,7 @@ even if some data have expired in terms of DNS TTL or the Redis server has
 cached too much data;
 if necessary the Redis server must be configured to limit the cache size,
 preferably with some kind of least-recently-used eviction policy.
-Additionaly, the \fBredis\-expire\-records\fR option can be used in order to
+Additionally, the \fBredis\-expire\-records\fR option can be used in order to
 set the relative DNS TTL of the message as timeout to the Redis records; keep
 in mind that some additional memory is used per key and that the expire
 information is stored as absolute Unix timestamps in Redis (computer time must
@@ -2273,33 +2310,36 @@ are applied after
 .B name: \fI<zone name>
 Name of the authority zone.
 .TP
-.B master: \fI<IP address or host name>
+.B primary: \fI<IP address or host name>
 Where to download a copy of the zone from, with AXFR and IXFR.  Multiple
-masters can be specified.  They are all tried if one fails.
+primaries can be specified.  They are all tried if one fails.
+.TP
+.B master: \fI<IP address or host name>
+Alternate syntax for \fBprimary\fR.
 .TP
 .B url: \fI<url to zonefile>
 Where to download a zonefile for the zone.  With http or https.  An example
 for the url is "http://www.example.com/example.org.zone".  Multiple url
 statements can be given, they are tried in turn.  If only urls are given
 the SOA refresh timer is used to wait for making new downloads.  If also
-masters are listed, the masters are first probed with UDP SOA queries to
+primaries are listed, the primaries are first probed with UDP SOA queries to
 see if the SOA serial number has changed, reducing the number of downloads.
-If none of the urls work, the masters are tried with IXFR and AXFR.
+If none of the urls work, the primaries are tried with IXFR and AXFR.
 For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
 to authenticate the connection.
 .TP
 .B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
 With allow\-notify you can specify additional sources of notifies.
 When notified, the server attempts to first probe and then zone transfer.
-If the notify is from a master, it first attempts that master.  Otherwise
-other masters are attempted.  If there are no masters, but only urls, the
-file is downloaded when notified.  The masters from master: statements are
+If the notify is from a primary, it first attempts that primary.  Otherwise
+other primaries are attempted.  If there are no primaries, but only urls, the
+file is downloaded when notified.  The primaries from primary: statements are
 allowed notify by default.
 .TP
 .B zonefile: \fI<filename>
 The filename where the zone is stored.  If not given then no zonefile is used.
 If the file does not exist or is empty, unbound will attempt to fetch zone
-data (eg. from the master servers).
+data (eg. from the primary servers).
 .TP
 .B rpz\-action\-override: \fI<action>
 Always use this RPZ action for matching triggers from this zone. Possible action

dynlibmod/dynlibmod.c

@@ -242,6 +242,10 @@ int
 inplace_cb_register_wrapped(void* cb, enum inplace_cb_list_type type, void* cbarg,
     struct module_env* env, int id) {
     struct cb_pair* cb_pair = malloc(sizeof(struct cb_pair));
+    if(cb_pair == NULL) {
+	log_err("dynlibmod[%d]: malloc failure", id);
+        return 0;
+    }
     cb_pair->cb = cb;
     cb_pair->cb_arg = cbarg;
     if(type >= inplace_cb_reply && type <= inplace_cb_reply_servfail) {
@@ -253,6 +257,7 @@ inplace_cb_register_wrapped(void* cb, enum inplace_cb_list_type type, void* cbar
     } else if(type == inplace_cb_edns_back_parsed) {
         return inplace_cb_register(&dynlib_inplace_cb_edns_back_parsed, type, (void*) cb_pair, env, id);
     } else {
+        free(cb_pair);
         return 0;
     }
 }

iterator/iterator.c

@@ -3191,7 +3191,7 @@ processPrimeResponse(struct module_qstate* qstate, int id)
 	/* validate the root or stub after priming (if enabled).
 	 * This is the same query as the prime query, but with validation.
 	 * Now that we are primed, the additional queries that validation
-	 * may need can be resolved, such as DLV. */
+	 * may need can be resolved. */
 	if(qstate->env->cfg->harden_referral_path) {
 		struct module_qstate* subq = NULL;
 		log_nametypeclass(VERB_ALGO, "schedule prime validation", 

libunbound/context.c

@@ -50,6 +50,7 @@
 #include "services/authzone.h"
 #include "util/data/msgreply.h"
 #include "util/storage/slabhash.h"
+#include "util/edns.h"
 #include "sldns/sbuffer.h"
 
 int 
@@ -79,6 +80,8 @@ context_finalize(struct ub_ctx* ctx)
 		return UB_INITFAIL;
 	if(!auth_zones_apply_cfg(ctx->env->auth_zones, cfg, 1, &is_rpz))
 		return UB_INITFAIL;
+	if(!edns_tags_apply_cfg(ctx->env->edns_tags, cfg))
+		return UB_INITFAIL;
 	if(!slabhash_is_size(ctx->env->msg_cache, cfg->msg_cache_size,
 		cfg->msg_cache_slabs)) {
 		slabhash_delete(ctx->env->msg_cache);

libunbound/libunbound.c

@@ -58,6 +58,7 @@
 #include "util/net_help.h"
 #include "util/tube.h"
 #include "util/ub_event.h"
+#include "util/edns.h"
 #include "services/modstack.h"
 #include "services/localzone.h"
 #include "services/cache/infra.h"
@@ -153,6 +154,18 @@ static struct ub_ctx* ub_ctx_create_nopipe(void)
 		errno = ENOMEM;
 		return NULL;
 	}
+	ctx->env->edns_tags = edns_tags_create();
+	if(!ctx->env->edns_tags) {
+		auth_zones_delete(ctx->env->auth_zones);
+		edns_known_options_delete(ctx->env);
+		config_delete(ctx->env->cfg);
+		free(ctx->env);
+		ub_randfree(ctx->seed_rnd);
+		free(ctx);
+		errno = ENOMEM;
+		return NULL;
+	}
+
 	ctx->env->alloc = &ctx->superalloc;
 	ctx->env->worker = NULL;
 	ctx->env->need_to_validate = 0;
@@ -173,6 +186,7 @@ ub_ctx_create(void)
 		config_delete(ctx->env->cfg);
 		modstack_desetup(&ctx->mods, ctx->env);
 		edns_known_options_delete(ctx->env);
+		edns_tags_delete(ctx->env->edns_tags);
 		free(ctx->env);
 		free(ctx);
 		errno = e;
@@ -185,6 +199,7 @@ ub_ctx_create(void)
 		config_delete(ctx->env->cfg);
 		modstack_desetup(&ctx->mods, ctx->env);
 		edns_known_options_delete(ctx->env);
+		edns_tags_delete(ctx->env->edns_tags);
 		free(ctx->env);
 		free(ctx);
 		errno = e;
@@ -323,6 +338,7 @@ ub_ctx_delete(struct ub_ctx* ctx)
 		infra_delete(ctx->env->infra_cache);
 		config_delete(ctx->env->cfg);
 		edns_known_options_delete(ctx->env);
+		edns_tags_delete(ctx->env->edns_tags);
 		auth_zones_delete(ctx->env->auth_zones);
 		free(ctx->env);
 	}

libunbound/libworker.c

@@ -78,7 +78,7 @@
 #include <TargetConditionals.h>
 #endif
 
-#if defined(TARGET_OS_TV) || defined(TARGET_OS_WATCH)
+#if (defined(TARGET_OS_TV) && TARGET_OS_TV) || (defined(TARGET_OS_WATCH) && TARGET_OS_WATCH)
 #undef HAVE_FORK
 #endif
 

libunbound/unbound.h

@@ -697,6 +697,8 @@ struct ub_server_stats {
 	long long qtcp_outgoing;
 	/** number of queries over (DNS over) TLS */
 	long long qtls;
+	/** number of queries over (DNS over) HTTPS */
+	long long qhttps;
 	/** number of queries over IPv6 */
 	long long qipv6;
 	/** number of queries with QR bit */
@@ -787,6 +789,10 @@ struct ub_server_stats {
 	long long num_query_subnet_cache;
 	/** number of bytes in the stream wait buffers */
 	long long mem_stream_wait;
+	/** number of bytes in the HTTP2 query buffers */
+	long long mem_http2_query_buffer;
+	/** number of bytes in the HTTP2 response buffers */
+	long long mem_http2_response_buffer;
 	/** number of TLS connection resume */
 	long long qtls_resume;
 	/** RPZ action stats */

pythonmod/doc/modules/config.rst

@@ -256,14 +256,6 @@ config_file
    
       Files with trusted DNSKEYs in named.conf format, list.
    
-   .. attribute:: dlv_anchor_file
-   
-      DLV anchor file.
-   
-   .. attribute:: dlv_anchor_list
-   
-      DLV anchor inline.
-
    .. attribute:: max_ttl
    
       The number of seconds maximal TTL used for RRsets and messages.

pythonmod/examples/avahi-resolver.py

@@ -59,6 +59,8 @@
 # |   num-threads: 32
 # |   cache-max-negative-ttl: 60
 # |   cache-max-ttl: 60
+# | python:
+# |   python-script: path/to/this/file
 #
 #
 # The plugin can also be run interactively. Provide the name and

pythonmod/interface.i

@@ -314,16 +314,16 @@ struct packed_rrset_data {
     class RRSetData_RRLen:
         def __init__(self, obj): self.obj = obj
         def __getitem__(self, index): return _unboundmodule._get_data_rr_len(self.obj, index)
-        def __len__(self): return obj.count + obj.rrsig_count
+        def __len__(self): return self.obj.count + self.obj.rrsig_count
     class RRSetData_RRTTL:
         def __init__(self, obj): self.obj = obj
         def __getitem__(self, index): return _unboundmodule._get_data_rr_ttl(self.obj, index)
         def __setitem__(self, index, value): _unboundmodule._set_data_rr_ttl(self.obj, index, value)
-        def __len__(self): return obj.count + obj.rrsig_count
+        def __len__(self): return self.obj.count + self.obj.rrsig_count
     class RRSetData_RRData:
         def __init__(self, obj): self.obj = obj
         def __getitem__(self, index): return _unboundmodule._get_data_rr_data(self.obj, index)
-        def __len__(self): return obj.count + obj.rrsig_count
+        def __len__(self): return self.obj.count + self.obj.rrsig_count
 %}
 
 %inline %{
@@ -404,12 +404,12 @@ struct dns_msg {
     class ReplyInfo_RRSet:
         def __init__(self, obj): self.obj = obj
         def __getitem__(self, index): return _unboundmodule._rrset_rrsets_get(self.obj, index)
-        def __len__(self): return obj.rrset_count
+        def __len__(self): return self.obj.rrset_count
 
     class ReplyInfo_Ref:
         def __init__(self, obj): self.obj = obj
         def __getitem__(self, index): return _unboundmodule._rrset_ref_get(self.obj, index)
-        def __len__(self): return obj.rrset_count
+        def __len__(self): return self.obj.rrset_count
 %}
 
 %inline %{
@@ -992,8 +992,6 @@ struct config_file {
    struct config_strlist* trust_anchor_file_list;
    struct config_strlist* trust_anchor_list;
    struct config_strlist* trusted_keys_file_list;
-   char* dlv_anchor_file;
-   struct config_strlist* dlv_anchor_list;
    int max_ttl;
    int32_t val_date_override;
    int bogus_ttl;

services/cache/dns.c

@@ -890,9 +890,8 @@ dns_cache_lookup(struct module_env* env,
 		lock_rw_unlock(&rrset->entry.lock);
 	}
 
-	/* construct DS, DNSKEY, DLV messages from rrset cache. */
-	if((qtype == LDNS_RR_TYPE_DS || qtype == LDNS_RR_TYPE_DNSKEY ||
-		qtype == LDNS_RR_TYPE_DLV) &&
+	/* construct DS, DNSKEY messages from rrset cache. */
+	if((qtype == LDNS_RR_TYPE_DS || qtype == LDNS_RR_TYPE_DNSKEY) &&
 		(rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen, 
 		qtype, qclass, 0, now, 0))) {
 		/* if the rrset is from the additional section, and the

services/listen_dnsport.h

@@ -43,6 +43,9 @@
 #define LISTEN_DNSPORT_H
 
 #include "util/netevent.h"
+#ifdef HAVE_NGHTTP2_NGHTTP2_H
+#include <nghttp2/nghttp2.h>
+#endif
 struct listen_list;
 struct config_file;
 struct addrinfo;
@@ -94,8 +97,9 @@ enum listen_type {
 	/** tcp type + dnscrypt */
 	listen_type_tcp_dnscrypt,
 	/** udp ipv6 (v4mapped) for use with ancillary data + dnscrypt*/
-	listen_type_udpancil_dnscrypt
-
+	listen_type_udpancil_dnscrypt,
+	/** HTTP(2) over TLS over TCP */
+	listen_type_http
 };
 
 /**
@@ -117,19 +121,32 @@ struct listen_port {
  * interfaces for IP4 and/or IP6, for UDP and/or TCP.
  * On the given port number. It creates the sockets.
  * @param cfg: settings on what ports to open.
+ * @param ifs: interfaces to open, array of IP addresses, "ip[@port]".
+ * @param num_ifs: length of ifs.
  * @param reuseport: set to true if you want reuseport, or NULL to not have it,
  *   set to false on exit if reuseport failed to apply (because of no
  *   kernel support).
  * @return: linked list of ports or NULL on error.
  */
 struct listen_port* listening_ports_open(struct config_file* cfg,
-	int* reuseport);
+	char** ifs, int num_ifs, int* reuseport);
 
 /**
  * Close and delete the (list of) listening ports.
  */
 void listening_ports_free(struct listen_port* list);
 
+/**
+ * Resolve interface names in config and store result IP addresses
+ * @param cfg: config
+ * @param resif: string array (malloced array of malloced strings) with
+ * 	result.  NULL if cfg has none.
+ * @param num_resif: length of resif.  Zero if cfg has zero num_ifs.
+ * @return 0 on failure.
+ */
+int resolve_interface_names(struct config_file* cfg, char*** resif,
+	int* num_resif);
+
 /**
  * Create commpoints with for this thread for the shared ports.
  * @param base: the comm_base that provides event functionality.
@@ -139,6 +156,9 @@ void listening_ports_free(struct listen_port* list);
  * @param tcp_accept_count: max number of simultaneous TCP connections 
  * 	from clients.
  * @param tcp_idle_timeout: idle timeout for TCP connections in msec.
+ * @param harden_large_queries: whether query size should be limited.
+ * @param http_max_streams: maximum number of HTTP/2 streams per connection.
+ * @param http_endpoint: HTTP endpoint to service queries on
  * @param tcp_conn_limit: TCP connection limit info.
  * @param sslctx: nonNULL if ssl context.
  * @param dtenv: nonNULL if dnstap enabled.
@@ -147,11 +167,12 @@ void listening_ports_free(struct listen_port* list);
  * @param cb_arg: user data argument for callback function.
  * @return: the malloced listening structure, ready for use. NULL on error.
  */
-struct listen_dnsport* listen_create(struct comm_base* base,
-	struct listen_port* ports, size_t bufsize,
-	int tcp_accept_count, int tcp_idle_timeout,
-	struct tcl_list* tcp_conn_limit, void* sslctx,
-	struct dt_env *dtenv, comm_point_callback_type* cb, void* cb_arg);
+struct listen_dnsport*
+listen_create(struct comm_base* base, struct listen_port* ports,
+	size_t bufsize, int tcp_accept_count, int tcp_idle_timeout,
+	int harden_large_queries, uint32_t http_max_streams,
+	char* http_endpoint, struct tcl_list* tcp_conn_limit, void* sslctx,
+	struct dt_env* dtenv, comm_point_callback_type* cb, void *cb_arg);
 
 /**
  * delete the listening structure
@@ -221,13 +242,15 @@ int create_udp_sock(int family, int socktype, struct sockaddr* addr,
  * 	listening UDP port.  Set to false on return if it failed to do so.
  * @param transparent: set IP_TRANSPARENT socket option.
  * @param mss: maximum segment size of the socket. if zero, leaves the default. 
+ * @param nodelay: if true set TCP_NODELAY and TCP_QUICKACK socket options.
  * @param freebind: set IP_FREEBIND socket option.
  * @param use_systemd: if true, fetch sockets from systemd.
  * @param dscp: DSCP to use.
  * @return: the socket. -1 on error.
  */
 int create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
-	int* reuseport, int transparent, int mss, int freebind, int use_systemd, int dscp);
+	int* reuseport, int transparent, int mss, int nodelay, int freebind,
+	int use_systemd, int dscp);
 
 /**
  * Create and bind local listening socket
@@ -369,7 +392,34 @@ int tcp_req_info_handle_read_close(struct tcp_req_info* req);
 /** get the size of currently used tcp stream wait buffers (in bytes) */
 size_t tcp_req_info_get_stream_buffer_size(void);
 
+/** get the size of currently used HTTP2 query buffers (in bytes) */
+size_t http2_get_query_buffer_size(void);
+/** get the size of currently used HTTP2 response buffers (in bytes) */
+size_t http2_get_response_buffer_size(void);
+
+#ifdef HAVE_NGHTTP2
+/** 
+ * Create nghttp2 callbacks to handle HTTP2 requests.
+ * @return malloc'ed struct, NULL on failure
+ */
+nghttp2_session_callbacks* http2_req_callbacks_create();
+
+/** Free http2 stream buffers and decrease buffer counters */
+void http2_req_stream_clear(struct http2_stream* h2_stream);
+
+/**
+ * DNS response ready to be submitted to nghttp2, to be prepared for sending
+ * out. Response is stored in c->buffer. Copy to rbuffer because the c->buffer
+ * might be used before this will be send out.
+ * @param h2_session: http2 session, containing c->buffer which contains answer
+ * @param h2_stream: http2 stream, containing buffer to store answer in
+ * @return 0 on error, 1 otherwise
+ */
+int http2_submit_dns_response(struct http2_session* h2_session);
+#else
+int http2_submit_dns_response(void* v);
+#endif /* HAVE_NGHTTP2 */
+
 char* set_ip_dscp(int socket, int addrfamily, int ds);
-char* sock_strerror(int errn);
 
 #endif /* LISTEN_DNSPORT_H */

services/mesh.c

@@ -551,6 +551,9 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 			goto servfail_mem;
 		}
 	}
+	if(rep->c->use_h2) {
+		http2_stream_add_meshstate(rep->c->h2_stream, mesh, s);
+	}
 	/* add serve expired timer if required and not already there */
 	if(timeout && !mesh_serve_expired_init(s, timeout)) {
 		log_err("mesh_new_client: out of memory initializing serve expired");
@@ -1207,6 +1210,13 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 	else	secure = 0;
 	if(!rep && rcode == LDNS_RCODE_NOERROR)
 		rcode = LDNS_RCODE_SERVFAIL;
+	if(r->query_reply.c->use_h2) {
+		r->query_reply.c->h2_stream = r->h2_stream;
+		/* Mesh reply won't exist for long anymore. Make it impossible
+		 * for HTTP/2 stream to refer to mesh state, in case
+		 * connection gets cleanup before HTTP/2 stream close. */
+		r->h2_stream->mesh_state = NULL;
+	}
 	/* send the reply */
 	/* We don't reuse the encoded answer if either the previous or current
 	 * response has a local alias.  We could compare the alias records
@@ -1495,6 +1505,8 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
 		s->s.qinfo.qname_len);
 	if(!r->qname)
 		return 0;
+	if(rep->c->use_h2)
+		r->h2_stream = rep->c->h2_stream;
 
 	/* Data related to local alias stored in 'qinfo' (if any) is ephemeral
 	 * and can be different for different original queries (even if the

services/mesh.h

@@ -230,6 +230,8 @@ struct mesh_reply {
 	uint8_t* qname;
 	/** same as that in query_info. */
 	struct local_rrset* local_alias;
+	/** send query to this http2 stream, if set */
+	struct http2_stream* h2_stream;
 };
 
 /** 

services/outside_network.c

@@ -58,6 +58,7 @@
 #include "util/net_help.h"
 #include "util/random.h"
 #include "util/fptr_wlist.h"
+#include "util/edns.h"
 #include "sldns/sbuffer.h"
 #include "dnstap/dnstap.h"
 #ifdef HAVE_OPENSSL_SSL_H
@@ -165,11 +166,7 @@ pick_outgoing_tcp(struct waiting_tcp* w, int s)
 	if(num == 0) {
 		log_err("no TCP outgoing interfaces of family");
 		log_addr(VERB_OPS, "for addr", &w->addr, w->addrlen);
-#ifndef USE_WINSOCK
-		close(s);
-#else
-		closesocket(s);
-#endif
+		sock_close(s);
 		return 0;
 	}
 #ifdef INET6
@@ -188,14 +185,8 @@ pick_outgoing_tcp(struct waiting_tcp* w, int s)
 		((struct sockaddr_in6*)&pi->addr)->sin6_port = 0;
 	else	((struct sockaddr_in*)&pi->addr)->sin_port = 0;
 	if(bind(s, (struct sockaddr*)&pi->addr, pi->addrlen) != 0) {
-#ifndef USE_WINSOCK
-		log_err("outgoing tcp: bind: %s", strerror(errno));
-		close(s);
-#else
-		log_err("outgoing tcp: bind: %s", 
-			wsa_strerror(WSAGetLastError()));
-		closesocket(s);
-#endif
+		log_err("outgoing tcp: bind: %s", sock_strerror(errno));
+		sock_close(s);
 		return 0;
 	}
 	log_addr(VERB_ALGO, "tcp bound to src", &pi->addr, pi->addrlen);
@@ -225,13 +216,8 @@ outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss,
 		s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
 	}
 	if(s == -1) {
-#ifndef USE_WINSOCK
-		log_err_addr("outgoing tcp: socket", strerror(errno),
+		log_err_addr("outgoing tcp: socket", sock_strerror(errno),
 			addr, addrlen);
-#else
-		log_err_addr("outgoing tcp: socket", 
-			wsa_strerror(WSAGetLastError()), addr, addrlen);
-#endif
 		return -1;
 	}
 
@@ -2111,9 +2097,20 @@ outnet_serviced_query(struct outside_network* outnet,
 {
 	struct serviced_query* sq;
 	struct service_callback* cb;
+	struct edns_tag_addr* client_tag_addr;
+
 	if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen, zone, zonelen,
 		qstate, qstate->region))
 			return NULL;
+
+	if((client_tag_addr = edns_tag_addr_lookup(&env->edns_tags->client_tags,
+		addr, addrlen))) {
+		uint16_t client_tag = htons(client_tag_addr->tag_data);
+		edns_opt_list_append(&qstate->edns_opts_back_out,
+			env->edns_tags->client_tag_opcode, 2,
+			(uint8_t*)&client_tag, qstate->region);
+	}
+
 	serviced_gen_query(buff, qinfo->qname, qinfo->qname_len, qinfo->qtype,
 		qinfo->qclass, flags);
 	sq = lookup_serviced(outnet, buff, dnssec, addr, addrlen,

services/rpz.c

@@ -597,8 +597,18 @@ rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dname,
 	uint8_t* policydname;
 
 	if(!dname_subdomain_c(dname, azname)) {
-		log_err("RPZ: name of record to insert into RPZ is not a "
-			"subdomain of the configured name of the RPZ zone");
+		char* dname_str = sldns_wire2str_dname(dname, dnamelen);
+		char* azname_str = sldns_wire2str_dname(azname, aznamelen);
+		if(dname_str && azname_str) {
+			log_err("RPZ: name of record (%s) to insert into RPZ is not a "
+				"subdomain of the configured name of the RPZ zone (%s)",
+				dname_str, azname_str);
+		} else {
+			log_err("RPZ: name of record to insert into RPZ is not a "
+				"subdomain of the configured name of the RPZ zone");
+		}
+		free(dname_str);
+		free(azname_str);
 		return 0;
 	}
 

sldns/parseutil.c

@@ -619,13 +619,18 @@ size_t sldns_b64_ntop_calculate_size(size_t srcsize)
  *
  * This routine does not insert spaces or linebreaks after 76 characters.
  */
-int sldns_b64_ntop(uint8_t const *src, size_t srclength,
-	char *target, size_t targsize)
+static int sldns_b64_ntop_base(uint8_t const *src, size_t srclength,
+	char *target, size_t targsize, int base64url, int padding)
 {
-	const char* b64 =
-	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+	char* b64;
 	const char pad64 = '=';
 	size_t i = 0, o = 0;
+	if(base64url)
+		b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123"
+			"456789-_";
+	else
+		b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123"
+			"456789+/";
 	if(targsize < sldns_b64_ntop_calculate_size(srclength))
 		return -1;
 	/* whole chunks: xxxxxxyy yyyyzzzz zzwwwwww */
@@ -645,18 +650,26 @@ int sldns_b64_ntop(uint8_t const *src, size_t srclength,
 		target[o] = b64[src[i] >> 2];
 		target[o+1] = b64[ ((src[i]&0x03)<<4) | (src[i+1]>>4) ];
 		target[o+2] = b64[ ((src[i+1]&0x0f)<<2) ];
-		target[o+3] = pad64;
-		/* i += 2; */
-		o += 4;
+		if(padding) {
+			target[o+3] = pad64;
+			/* i += 2; */
+			o += 4;
+		} else {
+			o += 3;
+		}
 		break;
 	case 1:
 		/* one at end, converted into A B = = */
 		target[o] = b64[src[i] >> 2];
 		target[o+1] = b64[ ((src[i]&0x03)<<4) ];
-		target[o+2] = pad64;
-		target[o+3] = pad64;
-		/* i += 1; */
-		o += 4;
+		if(padding) {
+			target[o+2] = pad64;
+			target[o+3] = pad64;
+			/* i += 1; */
+			o += 4;
+		} else {
+			o += 2;
+		}
 		break;
 	case 0:
 	default:
@@ -669,19 +682,36 @@ int sldns_b64_ntop(uint8_t const *src, size_t srclength,
 	return (int)o;
 }
 
+int sldns_b64_ntop(uint8_t const *src, size_t srclength, char *target,
+	size_t targsize)
+{
+	return sldns_b64_ntop_base(src, srclength, target, targsize,
+		0 /* no base64url */, 1 /* padding */);
+}
+
+int sldns_b64url_ntop(uint8_t const *src, size_t srclength, char *target,
+	size_t targsize)
+{
+	return sldns_b64_ntop_base(src, srclength, target, targsize,
+		1 /* base64url */, 0 /* no padding */);
+}
+
 size_t sldns_b64_pton_calculate_size(size_t srcsize)
 {
 	return (((((srcsize + 3) / 4) * 3)) + 1);
 }
 
-int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
+/* padding not required if srcsize is set */
+static int sldns_b64_pton_base(char const *src, size_t srcsize, uint8_t *target,
+	size_t targsize, int base64url)
 {
 	const uint8_t pad64 = 64; /* is 64th in the b64 array */
 	const char* s = src;
 	uint8_t in[4];
 	size_t o = 0, incount = 0;
+	int check_padding = (srcsize) ? 0 : 1;
 
-	while(*s) {
+	while(*s && (check_padding || srcsize)) {
 		/* skip any character that is not base64 */
 		/* conceptually we do:
 		const char* b64 =      pad'=' is appended to array
@@ -690,30 +720,43 @@ int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
 		and use d-b64;
 		*/
 		char d = *s++;
+		srcsize--;
 		if(d <= 'Z' && d >= 'A')
 			d -= 'A';
 		else if(d <= 'z' && d >= 'a')
 			d = d - 'a' + 26;
 		else if(d <= '9' && d >= '0')
 			d = d - '0' + 52;
-		else if(d == '+')
+		else if(!base64url && d == '+')
 			d = 62;
-		else if(d == '/')
+		else if(base64url && d == '-')
+			d = 62;
+		else if(!base64url && d == '/')
 			d = 63;
-		else if(d == '=')
+		else if(base64url && d == '_')
+			d = 63;
+		else if(d == '=') {
+			if(!check_padding)
+				continue;
 			d = 64;
-		else	continue;
+		} else	continue;
+
 		in[incount++] = (uint8_t)d;
-		if(incount != 4)
+		/* work on block of 4, unless padding is not used and there are
+		 * less than 4 chars left */
+		if(incount != 4 && (check_padding || srcsize))
 			continue;
+		assert(!check_padding || incount==4);
 		/* process whole block of 4 characters into 3 output bytes */
-		if(in[3] == pad64 && in[2] == pad64) { /* A B = = */
+		if((incount == 2 ||
+			(incount == 4 && in[3] == pad64 && in[2] == pad64))) { /* A B = = */
 			if(o+1 > targsize)
 				return -1;
 			target[o] = (in[0]<<2) | ((in[1]&0x30)>>4);
 			o += 1;
 			break; /* we are done */
-		} else if(in[3] == pad64) { /* A B C = */
+		} else if(incount == 3 ||
+			(incount == 4 && in[3] == pad64)) { /* A B C = */
 			if(o+2 > targsize)
 				return -1;
 			target[o] = (in[0]<<2) | ((in[1]&0x30)>>4);
@@ -721,7 +764,7 @@ int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
 			o += 2;
 			break; /* we are done */
 		} else {
-			if(o+3 > targsize)
+			if(incount != 4 || o+3 > targsize)
 				return -1;
 			/* write xxxxxxyy yyyyzzzz zzwwwwww */
 			target[o] = (in[0]<<2) | ((in[1]&0x30)>>4);
@@ -733,3 +776,17 @@ int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
 	}
 	return (int)o;
 }
+
+int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
+{
+	return sldns_b64_pton_base(src, 0, target, targsize, 0);
+}
+
+int sldns_b64url_pton(char const *src, size_t srcsize, uint8_t *target,
+	size_t targsize)
+{
+	if(!srcsize) {
+		return 0;
+	}
+	return sldns_b64_pton_base(src, srcsize, target, targsize, 1);
+}

sldns/parseutil.h

@@ -92,13 +92,16 @@ size_t sldns_b64_ntop_calculate_size(size_t srcsize);
 
 int sldns_b64_ntop(uint8_t const *src, size_t srclength,
 	char *target, size_t targsize);
+int sldns_b64url_ntop(uint8_t const *src, size_t srclength, char *target,
+	size_t targsize);
 
 /**
  * calculates the size needed to store the result of sldns_b64_pton
  */
 size_t sldns_b64_pton_calculate_size(size_t srcsize);
-
 int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize);
+int sldns_b64url_pton(char const *src, size_t srcsize, uint8_t *target,
+	size_t targsize);
 
 /**
  * calculates the size needed to store the result of b32_ntop

sldns/rrdef.h

@@ -426,7 +426,8 @@ enum sldns_enum_edns_option
 	LDNS_EDNS_N3U = 7, /* RFC6975 */
 	LDNS_EDNS_CLIENT_SUBNET = 8, /* RFC7871 */
 	LDNS_EDNS_KEEPALIVE = 11, /* draft-ietf-dnsop-edns-tcp-keepalive*/
-	LDNS_EDNS_PADDING = 12 /* RFC7830 */
+	LDNS_EDNS_PADDING = 12, /* RFC7830 */
+	LDNS_EDNS_CLIENT_TAG = 16 /* draft-bellis-dnsop-edns-tags-01 */
 };
 typedef enum sldns_enum_edns_option sldns_edns_option;
 

smallapp/unbound-checkconf.c

@@ -624,8 +624,6 @@ morechecks(struct config_file* cfg)
 		cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg);
 	check_chroot_filelist_wild("trusted-keys-file",
 		cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
-	check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
-		cfg->chrootdir, cfg);
 #ifdef USE_IPSECMOD
 	if(cfg->ipsecmod_enabled && strstr(cfg->module_conf, "ipsecmod")) {
 		/* only check hook if enabled */

smallapp/unbound-control.c

@@ -278,6 +278,8 @@ static void print_mem(struct ub_shm_stat_info* shm_stat,
 		shm_stat->mem.dnscrypt_nonce);
 #endif
 	PR_LL("mem.streamwait", s->svr.mem_stream_wait);
+	PR_LL("mem.http.query_buffer", s->svr.mem_http2_query_buffer);
+	PR_LL("mem.http.response_buffer", s->svr.mem_http2_response_buffer);
 }
 
 /** print histogram */
@@ -342,6 +344,7 @@ static void print_extended(struct ub_stats_info* s)
 	PR_UL("num.query.tls", s->svr.qtls);
 	PR_UL("num.query.tls_resume", s->svr.qtls_resume);
 	PR_UL("num.query.ipv6", s->svr.qipv6);
+	PR_UL("num.query.https", s->svr.qhttps);
 
 	/* flags */
 	PR_UL("num.query.flags.QR", s->svr.qbit_QR);
@@ -593,11 +596,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
 		addrfamily = addr_is_ip6(&addr, addrlen)?PF_INET6:PF_INET;
 	fd = socket(addrfamily, SOCK_STREAM, proto);
 	if(fd == -1) {
-#ifndef USE_WINSOCK
-		fatal_exit("socket: %s", strerror(errno));
-#else
-		fatal_exit("socket: %s", wsa_strerror(WSAGetLastError()));
-#endif
+		fatal_exit("socket: %s", sock_strerror(errno));
 	}
 	if(connect(fd, (struct sockaddr*)&addr, addrlen) < 0) {
 #ifndef USE_WINSOCK
@@ -681,11 +680,7 @@ remote_read(SSL* ssl, int fd, char* buf, size_t len)
 				/* EOF */
 				return 0;
 			}
-#ifndef USE_WINSOCK
-			fatal_exit("could not recv: %s", strerror(errno));
-#else
-			fatal_exit("could not recv: %s", wsa_strerror(WSAGetLastError()));
-#endif
+			fatal_exit("could not recv: %s", sock_strerror(errno));
 		}
 		buf[rr] = 0;
 	}
@@ -701,11 +696,7 @@ remote_write(SSL* ssl, int fd, const char* buf, size_t len)
 			ssl_err("could not SSL_write");
 	} else {
 		if(send(fd, buf, len, 0) < (ssize_t)len) {
-#ifndef USE_WINSOCK
-			fatal_exit("could not send: %s", strerror(errno));
-#else
-			fatal_exit("could not send: %s", wsa_strerror(WSAGetLastError()));
-#endif
+			fatal_exit("could not send: %s", sock_strerror(errno));
 		}
 	}
 }
@@ -824,11 +815,7 @@ go(const char* cfgfile, char* svr, int quiet, int argc, char* argv[])
 	ret = go_cmd(ssl, fd, quiet, argc, argv);
 
 	if(ssl) SSL_free(ssl);
-#ifndef USE_WINSOCK
-	close(fd);
-#else
-	closesocket(fd);
-#endif
+	sock_close(fd);
 	if(ctx) SSL_CTX_free(ctx);
 	config_delete(cfg);
 	return ret;
@@ -886,7 +873,7 @@ int main(int argc, char* argv[])
 	if(argc == 0)
 		usage();
 	if(argc >= 1 && strcmp(argv[0], "start")==0) {
-#if defined(TARGET_OS_TV) || defined(TARGET_OS_WATCH)
+#if (defined(TARGET_OS_TV) && TARGET_OS_TV) || (defined(TARGET_OS_WATCH) && TARGET_OS_WATCH)
 		fatal_exit("could not exec unbound: %s",
 			strerror(ENOSYS));
 #else

testcode/delayer.c

@@ -372,11 +372,7 @@ service_send(struct ringbuf* ring, struct timeval* now, sldns_buffer* pkt,
 			sldns_buffer_limit(pkt), 0, 
 			(struct sockaddr*)srv_addr, srv_len);
 		if(sent == -1) {
-#ifndef USE_WINSOCK
-			log_err("sendto: %s", strerror(errno));
-#else
-			log_err("sendto: %s", wsa_strerror(WSAGetLastError()));
-#endif
+			log_err("sendto: %s", sock_strerror(errno));
 		} else if(sent != (ssize_t)sldns_buffer_limit(pkt)) {
 			log_err("sendto: partial send");
 		}
@@ -398,13 +394,12 @@ do_proxy(struct proxy* p, int retsock, sldns_buffer* pkt)
 #ifndef USE_WINSOCK
 			if(errno == EAGAIN || errno == EINTR)
 				return;
-			log_err("recv: %s", strerror(errno));
 #else
 			if(WSAGetLastError() == WSAEINPROGRESS ||
 				WSAGetLastError() == WSAEWOULDBLOCK)
 				return;
-			log_err("recv: %s", wsa_strerror(WSAGetLastError()));
 #endif
+			log_err("recv: %s", sock_strerror(errno));
 			return;
 		}
 		sldns_buffer_set_limit(pkt, (size_t)r);
@@ -414,11 +409,7 @@ do_proxy(struct proxy* p, int retsock, sldns_buffer* pkt)
 		r = sendto(retsock, (void*)sldns_buffer_begin(pkt), (size_t)r, 
 			0, (struct sockaddr*)&p->addr, p->addr_len);
 		if(r == -1) {
-#ifndef USE_WINSOCK
-			log_err("sendto: %s", strerror(errno));
-#else
-			log_err("sendto: %s", wsa_strerror(WSAGetLastError()));
-#endif
+			log_err("sendto: %s", sock_strerror(errno));
 		}
 	}
 }
@@ -469,11 +460,7 @@ find_create_proxy(struct sockaddr_storage* from, socklen_t from_len,
 	if(!p) fatal_exit("out of memory");
 	p->s = socket(serv_ip6?AF_INET6:AF_INET, SOCK_DGRAM, 0);
 	if(p->s == -1) {
-#ifndef USE_WINSOCK
-		fatal_exit("socket: %s", strerror(errno));
-#else
-		fatal_exit("socket: %s", wsa_strerror(WSAGetLastError()));
-#endif
+		fatal_exit("socket: %s", sock_strerror(errno));
 	}
 	fd_set_nonblock(p->s);
 	memmove(&p->addr, from, from_len);
@@ -507,14 +494,12 @@ service_recv(int s, struct ringbuf* ring, sldns_buffer* pkt,
 #ifndef USE_WINSOCK
 			if(errno == EAGAIN || errno == EINTR)
 				return;
-			fatal_exit("recvfrom: %s", strerror(errno));
 #else
 			if(WSAGetLastError() == WSAEWOULDBLOCK || 
 				WSAGetLastError() == WSAEINPROGRESS)
 				return;
-			fatal_exit("recvfrom: %s", 
-				wsa_strerror(WSAGetLastError()));
 #endif
+			fatal_exit("recvfrom: %s", sock_strerror(errno));
 		}
 		sldns_buffer_set_limit(pkt, (size_t)len);
 		/* find its proxy element */
@@ -550,15 +535,9 @@ tcp_proxy_delete(struct tcp_proxy* p)
 		free(s);
 		s = sn;
 	}
-#ifndef USE_WINSOCK
-	close(p->client_s);
+	sock_close(p->client_s);
 	if(p->server_s != -1)
-		close(p->server_s);
-#else
-	closesocket(p->client_s);
-	if(p->server_s != -1)
-		closesocket(p->server_s);
-#endif
+		sock_close(p->server_s);
 	free(p);
 }
 
@@ -577,14 +556,13 @@ service_tcp_listen(int s, fd_set* rorig, int* max, struct tcp_proxy** proxies,
 #ifndef USE_WINSOCK
 		if(errno == EAGAIN || errno == EINTR)
 			return;
-		fatal_exit("accept: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEWOULDBLOCK || 
 			WSAGetLastError() == WSAEINPROGRESS ||
 			WSAGetLastError() == WSAECONNRESET)
 			return;
-		fatal_exit("accept: %s", wsa_strerror(WSAGetLastError()));
 #endif
+		fatal_exit("accept: %s", sock_strerror(errno));
 	}
 	p = (struct tcp_proxy*)calloc(1, sizeof(*p));
 	if(!p) fatal_exit("out of memory");
@@ -595,11 +573,7 @@ service_tcp_listen(int s, fd_set* rorig, int* max, struct tcp_proxy** proxies,
 	p->server_s = socket(addr_is_ip6(srv_addr, srv_len)?AF_INET6:AF_INET,
 		SOCK_STREAM, 0);
 	if(p->server_s == -1) {
-#ifndef USE_WINSOCK
-		fatal_exit("tcp socket: %s", strerror(errno));
-#else
-		fatal_exit("tcp socket: %s", wsa_strerror(WSAGetLastError()));
-#endif
+		fatal_exit("tcp socket: %s", sock_strerror(errno));
 	}
 	fd_set_nonblock(p->client_s);
 	fd_set_nonblock(p->server_s);
@@ -607,16 +581,14 @@ service_tcp_listen(int s, fd_set* rorig, int* max, struct tcp_proxy** proxies,
 #ifndef USE_WINSOCK
 		if(errno != EINPROGRESS) {
 			log_err("tcp connect: %s", strerror(errno));
-			close(p->server_s);
-			close(p->client_s);
 #else
 		if(WSAGetLastError() != WSAEWOULDBLOCK &&
 			WSAGetLastError() != WSAEINPROGRESS) {
 			log_err("tcp connect: %s", 
 				wsa_strerror(WSAGetLastError()));
-			closesocket(p->server_s);
-			closesocket(p->client_s);
 #endif
+			sock_close(p->server_s);
+			sock_close(p->client_s);
 			free(p);
 			return;
 		}
@@ -650,13 +622,12 @@ tcp_relay_read(int s, struct tcp_send_list** first,
 #ifndef USE_WINSOCK
 		if(errno == EINTR || errno == EAGAIN)
 			return 1;
-		log_err("tcp read: %s", strerror(errno));
 #else
 		if(WSAGetLastError() == WSAEINPROGRESS || 
 			WSAGetLastError() == WSAEWOULDBLOCK)
 			return 1;
-		log_err("tcp read: %s", wsa_strerror(WSAGetLastError()));
 #endif
+		log_err("tcp read: %s", sock_strerror(errno));
 		return 0;
 	} else if(r == 0) {
 		/* connection closed */
@@ -708,14 +679,12 @@ tcp_relay_write(int s, struct tcp_send_list** first,
 #ifndef USE_WINSOCK
 			if(errno == EAGAIN || errno == EINTR)
 				return 1;
-			log_err("tcp write: %s", strerror(errno));
 #else
 			if(WSAGetLastError() == WSAEWOULDBLOCK || 
 				WSAGetLastError() == WSAEINPROGRESS)
 				return 1;
-			log_err("tcp write: %s", 
-				wsa_strerror(WSAGetLastError()));
 #endif
+			log_err("tcp write: %s", sock_strerror(errno));
 			return 0;
 		} else if(r == 0) {
 			/* closed */
@@ -769,11 +738,7 @@ service_tcp_relay(struct tcp_proxy** tcp_proxies, struct timeval* now,
 			log_addr(1, "read tcp answer", &p->addr, p->addr_len);
 			if(!tcp_relay_read(p->server_s, &p->answerlist, 
 				&p->answerlast, now, delay, pkt)) {
-#ifndef USE_WINSOCK
-				close(p->server_s);
-#else
-				closesocket(p->server_s);
-#endif
+				sock_close(p->server_s);
 				FD_CLR(FD_SET_T p->server_s, worig);
 				FD_CLR(FD_SET_T p->server_s, rorig);
 				p->server_s = -1;
@@ -901,11 +866,7 @@ proxy_list_clear(struct proxy* p)
 			"%u returned\n", i++, from, port, (int)p->numreuse+1,
 			(unsigned)p->numwait, (unsigned)p->numsent, 
 			(unsigned)p->numreturn);
-#ifndef USE_WINSOCK
-		close(p->s);
-#else
-		closesocket(p->s);
-#endif
+		sock_close(p->s);
 		free(p);
 		p = np;
 	}
@@ -1034,11 +995,7 @@ service(const char* bind_str, int bindport, const char* serv_str,
 	/* bind UDP port */
 	if((s = socket(str_is_ip6(bind_str)?AF_INET6:AF_INET,
 		SOCK_DGRAM, 0)) == -1) {
-#ifndef USE_WINSOCK
-		fatal_exit("socket: %s", strerror(errno));
-#else
-		fatal_exit("socket: %s", wsa_strerror(WSAGetLastError()));
-#endif
+		fatal_exit("socket: %s", sock_strerror(errno));
 	}
 	i=0;
 	if(bindport == 0) {
@@ -1051,11 +1008,7 @@ service(const char* bind_str, int bindport, const char* serv_str,
 			exit(1);
 		}
 		if(bind(s, (struct sockaddr*)&bind_addr, bind_len) == -1) {
-#ifndef USE_WINSOCK
-			log_err("bind: %s", strerror(errno));
-#else
-			log_err("bind: %s", wsa_strerror(WSAGetLastError()));
-#endif
+			log_err("bind: %s", sock_strerror(errno));
 			if(i--==0)
 				fatal_exit("cannot bind any port");
 			bindport = 1024 + ((int)arc4random())%64000;
@@ -1065,39 +1018,22 @@ service(const char* bind_str, int bindport, const char* serv_str,
 	/* and TCP port */
 	if((listen_s = socket(str_is_ip6(bind_str)?AF_INET6:AF_INET,
 		SOCK_STREAM, 0)) == -1) {
-#ifndef USE_WINSOCK
-		fatal_exit("tcp socket: %s", strerror(errno));
-#else
-		fatal_exit("tcp socket: %s", wsa_strerror(WSAGetLastError()));
-#endif
+		fatal_exit("tcp socket: %s", sock_strerror(errno));
 	}
 #ifdef SO_REUSEADDR
 	if(1) {
 		int on = 1;
 		if(setsockopt(listen_s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
 			(socklen_t)sizeof(on)) < 0)
-#ifndef USE_WINSOCK
 			fatal_exit("setsockopt(.. SO_REUSEADDR ..) failed: %s",
-				strerror(errno));
-#else
-			fatal_exit("setsockopt(.. SO_REUSEADDR ..) failed: %s",
-				wsa_strerror(WSAGetLastError()));
-#endif
+				sock_strerror(errno));
 	}
 #endif
 	if(bind(listen_s, (struct sockaddr*)&bind_addr, bind_len) == -1) {
-#ifndef USE_WINSOCK
-		fatal_exit("tcp bind: %s", strerror(errno));
-#else
-		fatal_exit("tcp bind: %s", wsa_strerror(WSAGetLastError()));
-#endif
+		fatal_exit("tcp bind: %s", sock_strerror(errno));
 	}
 	if(listen(listen_s, 5) == -1) {
-#ifndef USE_WINSOCK
-		fatal_exit("tcp listen: %s", strerror(errno));
-#else
-		fatal_exit("tcp listen: %s", wsa_strerror(WSAGetLastError()));
-#endif
+		fatal_exit("tcp listen: %s", sock_strerror(errno));
 	}
 	fd_set_nonblock(listen_s);
 	printf("listening on port: %d\n", bindport);
@@ -1109,13 +1045,8 @@ service(const char* bind_str, int bindport, const char* serv_str,
 
 	/* cleanup */
 	verbose(1, "cleanup");
-#ifndef USE_WINSOCK
-	close(s);
-	close(listen_s);
-#else
-	closesocket(s);
-	closesocket(listen_s);
-#endif
+	sock_close(s);
+	sock_close(listen_s);
 	sldns_buffer_free(pkt);
 	ring_delete(ring);
 }

testcode/dohclient.c

@@ -0,0 +1,586 @@
+/*
+ * testcode/dohclient.c - debug program. Perform multiple DNS queries using DoH.
+ *
+ * Copyright (c) 2020, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** 
+ * \file
+ *
+ * Simple DNS-over-HTTPS client. For testing and debugging purposes.
+ * No authentication of TLS cert.
+ */
+
+#include "config.h"
+#ifdef HAVE_GETOPT_H
+#include <getopt.h>
+#endif
+#include "sldns/wire2str.h"
+#include "sldns/sbuffer.h"
+#include "sldns/str2wire.h"
+#include "sldns/parseutil.h"
+#include "util/data/msgencode.h"
+#include "util/data/msgreply.h"
+#include "util/data/msgparse.h"
+#include "util/net_help.h"
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#ifdef HAVE_NGHTTP2
+#include <nghttp2/nghttp2.h>
+
+struct http2_session {
+	nghttp2_session* session;
+	SSL* ssl;
+	int fd;
+	int query_count;
+	/* Use POST :method if 1 */
+	int post;
+	int block_select;
+	const char* authority;
+	const char* endpoint;
+	const char* content_type;
+};
+
+struct http2_stream {
+	int32_t stream_id;
+	int res_status;
+	struct sldns_buffer* buf;
+	char* path;
+};
+
+static void usage(char* argv[])
+{
+	printf("usage: %s [options] name type class ...\n", argv[0]);
+	printf("	sends the name-type-class queries over "
+			"DNS-over-HTTPS.\n");
+	printf("-s server	IP address to send the queries to, "
+			"default: 127.0.0.1\n");
+	printf("-p		Port to connect to, default: %d\n",
+		UNBOUND_DNS_OVER_HTTPS_PORT);
+	printf("-P		Use POST method instead of default GET\n");
+	printf("-e		HTTP endpoint, default: /dns-query\n");
+	printf("-c		Content-type in request, default: "
+		"application/dns-message\n");
+	printf("-h 		This help text\n");
+	exit(1);
+}
+
+/** open TCP socket to svr */
+static int
+open_svr(const char* svr, int port)
+{
+	struct sockaddr_storage addr;
+	socklen_t addrlen;
+	int fd = -1;
+	int r;
+	if(!ipstrtoaddr(svr, port, &addr, &addrlen)) {
+		printf("fatal: bad server specs '%s'\n", svr);
+		exit(1);
+	}
+
+	fd = socket(addr_is_ip6(&addr, addrlen)?PF_INET6:PF_INET,
+		SOCK_STREAM, 0);
+	if(fd == -1) {
+		perror("socket() error");
+		exit(1);
+	}
+	r = connect(fd, (struct sockaddr*)&addr, addrlen);
+	if(r < 0 && r != EINPROGRESS) {
+		perror("connect() error");
+		exit(1);
+	}
+	return fd;
+}
+
+static ssize_t http2_submit_request_read_cb(
+	nghttp2_session* ATTR_UNUSED(session),
+	int32_t ATTR_UNUSED(stream_id), uint8_t* buf, size_t length,
+	uint32_t* data_flags, nghttp2_data_source* source,
+	void* ATTR_UNUSED(cb_arg))
+{
+	if(length > sldns_buffer_remaining(source->ptr))
+		length = sldns_buffer_remaining(source->ptr);
+
+	memcpy(buf, sldns_buffer_current(source->ptr), length);
+	sldns_buffer_skip(source->ptr, length);
+
+	if(sldns_buffer_remaining(source->ptr) == 0) {
+		*data_flags |= NGHTTP2_DATA_FLAG_EOF;
+	}
+
+	return length;
+}
+
+static void
+submit_query(struct http2_session* h2_session, struct sldns_buffer* buf)
+{
+	int32_t stream_id;
+	struct http2_stream* h2_stream;
+	nghttp2_nv headers[5];
+	char* qb64;
+	size_t qb64_size;
+	size_t qb64_expected_size;
+	size_t i;
+	nghttp2_data_provider data_prd;
+
+	h2_stream = calloc(1,  sizeof(*h2_stream));
+	if(!h2_stream)
+		fatal_exit("could not malloc http2 stream");
+	h2_stream->buf = buf;
+
+	if(h2_session->post) {
+		data_prd.source.ptr = buf;
+		data_prd.read_callback = http2_submit_request_read_cb;
+		h2_stream->path = (char*)h2_session->endpoint;
+	} else {
+		qb64_expected_size = sldns_b64_ntop_calculate_size(
+				sldns_buffer_remaining(buf));
+		qb64 = malloc(qb64_expected_size);
+		if(!qb64) fatal_exit("out of memory");
+		qb64_size = sldns_b64url_ntop(sldns_buffer_begin(buf),
+			sldns_buffer_remaining(buf), qb64, qb64_expected_size);
+		h2_stream->path = malloc(strlen(
+			h2_session->endpoint)+strlen("?dns=")+qb64_size+1);
+		if(!h2_stream->path) fatal_exit("out of memory");
+		snprintf(h2_stream->path, strlen(h2_session->endpoint)+
+			strlen("?dns=")+qb64_size+1, "%s?dns=%s",
+			h2_session->endpoint, qb64);
+		free(qb64);
+	}
+
+	headers[0].name = (uint8_t*)":method";
+	if(h2_session->post)
+		headers[0].value = (uint8_t*)"POST";
+	else
+		headers[0].value = (uint8_t*)"GET";
+	headers[1].name = (uint8_t*)":path";
+	headers[1].value = (uint8_t*)h2_stream->path;
+	headers[2].name = (uint8_t*)":scheme";
+	headers[2].value = (uint8_t*)"https";
+	headers[3].name = (uint8_t*)":authority";
+	headers[3].value = (uint8_t*)h2_session->authority;
+	headers[4].name = (uint8_t*)"content-type";
+	headers[4].value = (uint8_t*)h2_session->content_type;
+
+	printf("Request headers\n");
+	for(i=0; i<sizeof(headers)/sizeof(headers[0]); i++) {
+		headers[i].namelen = strlen((char*)headers[i].name);
+		headers[i].valuelen = strlen((char*)headers[i].value);
+		headers[i].flags = NGHTTP2_NV_FLAG_NONE;
+		printf("%s: %s\n", headers[i].name, headers[i].value);
+	}
+
+	stream_id = nghttp2_submit_request(h2_session->session, NULL, headers,
+		sizeof(headers)/sizeof(headers[0]),
+		(h2_session->post) ? &data_prd : NULL, h2_stream);
+	if(stream_id < 0) {
+		printf("Failed to submit nghttp2 request");
+		exit(1);
+	}
+	h2_session->query_count++;
+	h2_stream->stream_id = stream_id;
+}
+
+static sldns_buffer*
+make_query(char* qname, char* qtype, char* qclass)
+{
+	struct query_info qinfo;
+	struct edns_data edns;
+	sldns_buffer* buf = sldns_buffer_new(65553);
+	if(!buf) fatal_exit("out of memory");
+	qinfo.qname = sldns_str2wire_dname(qname, &qinfo.qname_len);
+	if(!qinfo.qname) {
+		printf("cannot parse query name: '%s'\n", qname);
+		exit(1);
+	}
+
+	qinfo.qtype = sldns_get_rr_type_by_name(qtype);
+	qinfo.qclass = sldns_get_rr_class_by_name(qclass);
+	qinfo.local_alias = NULL;
+
+	qinfo_query_encode(buf, &qinfo); /* flips buffer */
+	free(qinfo.qname);
+	sldns_buffer_write_u16_at(buf, 0, 0x0000);
+	sldns_buffer_write_u16_at(buf, 2, BIT_RD);
+	memset(&edns, 0, sizeof(edns));
+	edns.edns_present = 1;
+	edns.bits = EDNS_DO;
+	edns.udp_size = 4096;
+	if(sldns_buffer_capacity(buf) >=
+		sldns_buffer_limit(buf)+calc_edns_field_size(&edns))
+		attach_edns_record(buf, &edns);
+	return buf;
+}
+
+static ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session),
+	uint8_t* buf, size_t len, int ATTR_UNUSED(flags), void* cb_arg)
+{
+	struct http2_session* h2_session = (struct http2_session*)cb_arg;
+	int r;
+	struct timeval tv, *waittv;
+	fd_set rfd;
+	ERR_clear_error();
+
+	memset(&tv, 0, sizeof(tv));
+
+	if(h2_session->block_select && h2_session->query_count <= 0) {
+		return NGHTTP2_ERR_WOULDBLOCK;
+	}
+	if(h2_session->block_select)
+		waittv = NULL;
+	else
+		waittv = &tv;
+	memset(&rfd, 0, sizeof(rfd));
+	FD_ZERO(&rfd);
+	FD_SET(h2_session->fd, &rfd);
+	r = select(h2_session->fd+1, &rfd, NULL, NULL, waittv);
+	if(r <= 0) {
+		return NGHTTP2_ERR_WOULDBLOCK;
+	}
+
+	r = SSL_read(h2_session->ssl, buf, len);
+	if(r <= 0) {
+		int want = SSL_get_error(h2_session->ssl, r);
+		if(want == SSL_ERROR_ZERO_RETURN) {
+			return NGHTTP2_ERR_EOF;
+		}
+		log_crypto_err("could not SSL_read");
+		return NGHTTP2_ERR_EOF;
+	}
+	return r;
+}
+
+static ssize_t http2_send_cb(nghttp2_session* ATTR_UNUSED(session),
+	const uint8_t* buf, size_t len, int ATTR_UNUSED(flags), void* cb_arg)
+{
+	struct http2_session* h2_session = (struct http2_session*)cb_arg;
+
+	int r;
+	ERR_clear_error();
+	r = SSL_write(h2_session->ssl, buf, len);
+	if(r <= 0) {
+		int want = SSL_get_error(h2_session->ssl, r);
+		if(want == SSL_ERROR_ZERO_RETURN) {
+			return NGHTTP2_ERR_CALLBACK_FAILURE;
+		}
+		log_crypto_err("could not SSL_write");
+		return NGHTTP2_ERR_CALLBACK_FAILURE;
+	}
+	return r;
+}
+
+static int http2_stream_close_cb(nghttp2_session* ATTR_UNUSED(session),
+	int32_t ATTR_UNUSED(stream_id),
+	nghttp2_error_code ATTR_UNUSED(error_code), void *cb_arg)
+{
+	struct http2_session* h2_session = (struct http2_session*)cb_arg;
+	struct http2_stream* h2_stream;
+	if(!(h2_stream = nghttp2_session_get_stream_user_data(
+		h2_session->session, stream_id))) {
+		return 0;
+	}
+	h2_session->query_count--;
+	sldns_buffer_free(h2_stream->buf);
+	if(!h2_session->post)
+		free(h2_stream->path);
+	free(h2_stream);
+	h2_stream = NULL;
+	return 0;
+}
+
+static int http2_data_chunk_recv_cb(nghttp2_session* ATTR_UNUSED(session),
+	uint8_t ATTR_UNUSED(flags), int32_t stream_id, const uint8_t* data,
+	size_t len, void* cb_arg)
+{
+	struct http2_session* h2_session = (struct http2_session*)cb_arg;
+	struct http2_stream* h2_stream;
+
+	if(!(h2_stream = nghttp2_session_get_stream_user_data(
+		h2_session->session, stream_id))) {
+		return 0;
+	}
+
+	if(sldns_buffer_remaining(h2_stream->buf) < len) {
+		log_err("received data chunck does not fit into buffer");
+		return NGHTTP2_ERR_CALLBACK_FAILURE;
+	}
+
+	sldns_buffer_write(h2_stream->buf, data, len);
+
+	return 0;
+}
+
+static int http2_frame_recv_cb(nghttp2_session *session,
+	const nghttp2_frame *frame, void* ATTR_UNUSED(cb_arg))
+{
+	struct http2_stream* h2_stream;
+
+	if(!(h2_stream = nghttp2_session_get_stream_user_data(
+		session, frame->hd.stream_id)))
+		return 0;
+	if(frame->hd.type == NGHTTP2_HEADERS &&
+		frame->headers.cat == NGHTTP2_HCAT_RESPONSE) {
+		sldns_buffer_clear(h2_stream->buf);
+	}
+	if(((frame->hd.type != NGHTTP2_DATA &&
+		frame->hd.type != NGHTTP2_HEADERS) ||
+		frame->hd.flags & NGHTTP2_FLAG_END_STREAM) &&
+			h2_stream->res_status == 200) {
+			char* pktstr;
+			sldns_buffer_flip(h2_stream->buf);
+			pktstr = sldns_wire2str_pkt(
+				sldns_buffer_begin(h2_stream->buf),
+				sldns_buffer_limit(h2_stream->buf));
+			printf("%s\n", pktstr);
+			free(pktstr);
+			return 0;
+	}
+	return 0;
+}
+static int http2_header_cb(nghttp2_session* ATTR_UNUSED(session),
+	const nghttp2_frame* frame, const uint8_t* name, size_t namelen,
+	const uint8_t* value, size_t ATTR_UNUSED(valuelen),
+	uint8_t ATTR_UNUSED(flags), void* cb_arg)
+{
+	struct http2_stream* h2_stream;
+	struct http2_session* h2_session = (struct http2_session*)cb_arg;
+	printf("%s %s\n", name, value);
+	if(namelen == 7 && memcmp(":status", name, namelen) == 0) {
+		if(!(h2_stream = nghttp2_session_get_stream_user_data(
+			h2_session->session, frame->hd.stream_id))) {
+			return 0;
+		}
+		h2_stream->res_status = atoi((char*)value);
+	}
+	return 0;
+}
+
+static struct http2_session*
+http2_session_create()
+{
+	struct http2_session* h2_session = calloc(1,
+		sizeof(struct http2_session));
+	nghttp2_session_callbacks* callbacks;
+	if(!h2_session)
+		fatal_exit("out of memory");
+
+	if(nghttp2_session_callbacks_new(&callbacks) == NGHTTP2_ERR_NOMEM) {
+		log_err("failed to initialize nghttp2 callback");
+		return NULL;
+	}
+	nghttp2_session_callbacks_set_recv_callback(callbacks, http2_recv_cb);
+	nghttp2_session_callbacks_set_send_callback(callbacks, http2_send_cb);
+	nghttp2_session_callbacks_set_on_stream_close_callback(callbacks,
+		http2_stream_close_cb);
+	nghttp2_session_callbacks_set_on_data_chunk_recv_callback(callbacks,
+		http2_data_chunk_recv_cb);
+	nghttp2_session_callbacks_set_on_frame_recv_callback(callbacks,
+		http2_frame_recv_cb);
+	nghttp2_session_callbacks_set_on_header_callback(callbacks,
+		http2_header_cb);
+	nghttp2_session_client_new(&h2_session->session, callbacks, h2_session);
+	nghttp2_session_callbacks_del(callbacks);
+	return h2_session;
+}
+
+static void
+http2_session_delete(struct http2_session* h2_session)
+{
+	nghttp2_session_del(h2_session->session);
+	free(h2_session);
+}
+
+static void
+http2_submit_setting(struct http2_session* h2_session)
+{
+	int ret;
+	nghttp2_settings_entry settings[1] = {
+		{NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS,
+		 100}};
+
+	ret = nghttp2_submit_settings(h2_session->session, NGHTTP2_FLAG_NONE,
+		settings, 1);
+	if(ret) {
+		printf("http2: submit_settings failed, "
+			"error: %s\n", nghttp2_strerror(ret));
+		exit(1);
+	}
+}
+
+static void
+http2_write(struct http2_session* h2_session)
+{
+	if(nghttp2_session_want_write(h2_session->session)) {
+		if(nghttp2_session_send(h2_session->session)) {
+			printf("nghttp2 session send failed\n");
+			exit(1);
+		}
+	}
+}
+
+static void
+http2_read(struct http2_session* h2_session)
+{
+	if(nghttp2_session_want_read(h2_session->session)) {
+		if(nghttp2_session_recv(h2_session->session)) {
+			printf("nghttp2 session mem_recv failed\n");
+			exit(1);
+		}
+	}
+}
+
+static void
+run(struct http2_session* h2_session, int port, int count, char** q)
+{
+	int i;
+	SSL_CTX* ctx = NULL;
+	SSL* ssl = NULL;
+	int fd;
+	struct sldns_buffer* buf = NULL;
+
+	fd = open_svr(h2_session->authority, port);
+	h2_session->fd = fd;
+
+	ctx = connect_sslctx_create(NULL, NULL, NULL, 0);
+	if(!ctx) fatal_exit("cannot create ssl ctx");
+	SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)"\x02h2", 3);
+	ssl = outgoing_ssl_fd(ctx, fd);
+	if(!ssl) {
+		printf("cannot create ssl\n");
+		exit(1);
+	}
+	h2_session->ssl = ssl;
+	while(1) {
+		int r;
+		ERR_clear_error();
+		if( (r=SSL_do_handshake(ssl)) == 1)
+			break;
+		r = SSL_get_error(ssl, r);
+		if(r != SSL_ERROR_WANT_READ &&
+			r != SSL_ERROR_WANT_WRITE) {
+			log_crypto_err("could not ssl_handshake");
+			exit(1);
+		}
+	}
+
+	http2_submit_setting(h2_session);
+	http2_write(h2_session);
+	http2_read(h2_session); /* Read setting from remote peer */
+
+	h2_session->block_select = 1;
+
+	/* hande query */
+	for(i=0; i<count; i+=3) {
+		buf = make_query(q[i], q[i+1], q[i+2]);
+		submit_query(h2_session, buf);
+	}
+	http2_write(h2_session);
+	while(h2_session->query_count) {
+		http2_read(h2_session);
+		http2_write(h2_session);
+	}
+
+	/* shutdown */
+	http2_session_delete(h2_session);
+	SSL_shutdown(ssl);
+	SSL_free(ssl);
+	SSL_CTX_free(ctx);
+	close(fd);
+}
+
+/** getopt global, in case header files fail to declare it. */
+extern int optind;
+/** getopt global, in case header files fail to declare it. */
+extern char* optarg;
+int main(int argc, char** argv)
+{
+	int c;
+	int port = UNBOUND_DNS_OVER_HTTPS_PORT;
+	struct http2_session* h2_session = http2_session_create();
+	if(!h2_session) fatal_exit("out of memory");
+
+	if(argc == 1) {
+		usage(argv);
+	}
+	
+	h2_session->authority = "127.0.0.1";
+	h2_session->post = 0;
+	h2_session->endpoint = "/dns-query";
+	h2_session->content_type = "application/dns-message";
+
+	while((c=getopt(argc, argv, "c:e:hs:p:P")) != -1) {
+		switch(c) {
+			case 'c':
+				h2_session->content_type = optarg;
+				break;
+			case 'e':
+				h2_session->endpoint = optarg;
+				break;
+			case 'p':
+				if(atoi(optarg)==0 && strcmp(optarg,"0")!=0) {
+					printf("error parsing port, "
+					    "number expected: %s\n", optarg);
+					return 1;
+				}
+				port = atoi(optarg);
+				break;
+			case 'P':
+				h2_session->post = 1;
+				break;
+			case 's':
+				h2_session->authority = optarg;
+				break;
+			case 'h':
+			case '?':
+			default:
+				usage(argv);
+		}
+	}
+	argc -= optind;
+	argv += optind;
+	if(argc%3!=0) {
+		printf("Invalid input. Specify qname, qtype, and qclass.\n");
+		return 1;
+	}
+
+
+	run(h2_session, port, argc, argv);
+
+	return 0;
+}
+#else
+int main(int ATTR_UNUSED(argc), char** ATTR_UNUSED(argv))
+{
+	printf("Compiled without nghttp2, cannot run test.\n");
+	return 1;
+}
+#endif /*  HAVE_NGHTTP2 */

testcode/fake_event.c

@@ -52,6 +52,7 @@
 #include "util/data/msgreply.h"
 #include "util/data/msgencode.h"
 #include "util/data/dname.h"
+#include "util/edns.h"
 #include "util/config_file.h"
 #include "services/listen_dnsport.h"
 #include "services/outside_network.h"
@@ -868,9 +869,12 @@ struct listen_dnsport*
 listen_create(struct comm_base* base, struct listen_port* ATTR_UNUSED(ports),
 	size_t bufsize, int ATTR_UNUSED(tcp_accept_count),
 	int ATTR_UNUSED(tcp_idle_timeout),
+	int ATTR_UNUSED(harden_large_queries),
+	uint32_t ATTR_UNUSED(http_max_streams),
+	char* ATTR_UNUSED(http_endpoint),
 	struct tcl_list* ATTR_UNUSED(tcp_conn_limit),
 	void* ATTR_UNUSED(sslctx), struct dt_env* ATTR_UNUSED(dtenv),
-	comm_point_callback_type* cb, void* cb_arg)
+	comm_point_callback_type* cb, void *cb_arg)
 {
 	struct replay_runtime* runtime = (struct replay_runtime*)base;
 	struct listen_dnsport* l= calloc(1, sizeof(struct listen_dnsport));
@@ -1180,7 +1184,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 	socklen_t addrlen, uint8_t* zone, size_t zonelen,
 	struct module_qstate* qstate, comm_point_callback_type* callback,
 	void* callback_arg, sldns_buffer* ATTR_UNUSED(buff),
-	struct module_env* ATTR_UNUSED(env))
+	struct module_env* env)
 {
 	struct replay_runtime* runtime = (struct replay_runtime*)outnet->base;
 	struct fake_pending* pend = (struct fake_pending*)calloc(1,
@@ -1209,6 +1213,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 	sldns_buffer_flip(pend->buffer);
 	if(1) {
 		struct edns_data edns;
+		struct edns_tag_addr* client_tag_addr;
 		if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen,
 			zone, zonelen, qstate, qstate->region)) {
 			free(pend);
@@ -1220,9 +1225,17 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 		edns.edns_version = EDNS_ADVERTISED_VERSION;
 		edns.udp_size = EDNS_ADVERTISED_SIZE;
 		edns.bits = 0;
-		edns.opt_list = qstate->edns_opts_back_out;
 		if(dnssec)
 			edns.bits = EDNS_DO;
+		if((client_tag_addr = edns_tag_addr_lookup(
+			&env->edns_tags->client_tags,
+			addr, addrlen))) {
+			uint16_t client_tag = htons(client_tag_addr->tag_data);
+			edns_opt_list_append(&qstate->edns_opts_back_out,
+				env->edns_tags->client_tag_opcode, 2,
+				(uint8_t*)&client_tag, qstate->region);
+		}
+		edns.opt_list = qstate->edns_opts_back_out;
 		attach_edns_record(pend->buffer, &edns);
 	}
 	memcpy(&pend->addr, addr, addrlen);
@@ -1290,7 +1303,14 @@ void outnet_serviced_query_stop(struct serviced_query* sq, void* cb_arg)
 	log_info("double delete of pending serviced query");
 }
 
+int resolve_interface_names(struct config_file* ATTR_UNUSED(cfg),
+	char*** ATTR_UNUSED(resif), int* ATTR_UNUSED(num_resif))
+{
+	return 1;
+}
+
 struct listen_port* listening_ports_open(struct config_file* ATTR_UNUSED(cfg),
+	char** ATTR_UNUSED(ifs), int ATTR_UNUSED(num_ifs),
 	int* ATTR_UNUSED(reuseport))
 {
 	return calloc(1, 1);
@@ -1825,4 +1845,21 @@ tcp_req_info_get_stream_buffer_size(void)
 	return 0;
 }
 
+size_t
+http2_get_query_buffer_size(void)
+{
+	return 0;
+}
+
+size_t
+http2_get_response_buffer_size(void)
+{
+	return 0;
+}
+
+void http2_stream_add_meshstate(struct http2_stream* ATTR_UNUSED(h2_stream),
+	struct mesh_area* ATTR_UNUSED(mesh), struct mesh_state* ATTR_UNUSED(m))
+{
+}
+
 /*********** End of Dummy routines ***********/

testcode/perf.c

@@ -233,12 +233,7 @@ perfsetup(struct perfinfo* info)
 			addr_is_ip6(&info->dest, info->destlen)?
 			AF_INET6:AF_INET, SOCK_DGRAM, 0);
 		if(info->io[i].fd == -1) {
-#ifndef USE_WINSOCK
-			fatal_exit("socket: %s", strerror(errno));
-#else
-			fatal_exit("socket: %s", 
-				wsa_strerror(WSAGetLastError()));
-#endif
+			fatal_exit("socket: %s", sock_strerror(errno));
 		}
 		if(info->io[i].fd > info->maxfd)
 			info->maxfd = info->io[i].fd;
@@ -260,11 +255,7 @@ perffree(struct perfinfo* info)
 	if(!info) return;
 	if(info->io) {
 		for(i=0; i<info->io_num; i++) {
-#ifndef USE_WINSOCK
-			close(info->io[i].fd);
-#else
-			closesocket(info->io[i].fd);
-#endif
+			sock_close(info->io[i].fd);
 		}
 		free(info->io);
 	}
@@ -285,11 +276,7 @@ perfsend(struct perfinfo* info, size_t n, struct timeval* now)
 	/*log_hex("send", info->qlist_data[info->qlist_idx],
 		info->qlist_len[info->qlist_idx]);*/
 	if(r == -1) {
-#ifndef USE_WINSOCK
-		log_err("sendto: %s", strerror(errno));
-#else
-		log_err("sendto: %s", wsa_strerror(WSAGetLastError()));
-#endif
+		log_err("sendto: %s", sock_strerror(errno));
 	} else if(r != (ssize_t)info->qlist_len[info->qlist_idx]) {
 		log_err("partial sendto");
 	}
@@ -309,11 +296,7 @@ perfreply(struct perfinfo* info, size_t n, struct timeval* now)
 	r = recv(info->io[n].fd, (void*)sldns_buffer_begin(info->buf),
 		sldns_buffer_capacity(info->buf), 0);
 	if(r == -1) {
-#ifndef USE_WINSOCK
-		log_err("recv: %s", strerror(errno));
-#else
-		log_err("recv: %s", wsa_strerror(WSAGetLastError()));
-#endif
+		log_err("recv: %s", sock_strerror(errno));
 	} else {
 		info->by_rcode[LDNS_RCODE_WIRE(sldns_buffer_begin(
 			info->buf))]++;

testcode/streamtcp.c

@@ -388,11 +388,7 @@ send_em(const char* svr, int udp, int usessl, int noanswer, int onarrival,
 		SSL_free(ssl);
 		SSL_CTX_free(ctx);
 	}
-#ifndef USE_WINSOCK
-	close(fd);
-#else
-	closesocket(fd);
-#endif
+	sock_close(fd);
 	sldns_buffer_free(buf);
 	printf("orderly exit\n");
 }

testcode/testpkts.c

@@ -501,7 +501,7 @@ add_edns(uint8_t* pktbuf, size_t pktsize, int do_flag, uint8_t *ednsdata,
 {
 	uint8_t edns[] = {0x00, /* root label */
 		0x00, LDNS_RR_TYPE_OPT, /* type */
-		0x10, 0x00, /* class is UDPSIZE 4096 */
+		0x04, 0xD0, /* class is UDPSIZE 1232 */
 		0x00, /* TTL[0] is ext rcode */
 		0x00, /* TTL[1] is edns version */
 		(uint8_t)(do_flag?0x80:0x00), 0x00, /* TTL[2-3] is edns flags, DO */

testcode/unitldns.c

@@ -44,6 +44,7 @@
 #include "sldns/sbuffer.h"
 #include "sldns/str2wire.h"
 #include "sldns/wire2str.h"
+#include "sldns/parseutil.h"
 
 /** verbose this unit test */
 static int vbmp = 0; 
@@ -220,9 +221,60 @@ rr_tests(void)
 		SRCDIRSTR "/testdata/test_ldnsrr.c5");
 }
 
+/** test various base64 decoding options */
+static void
+b64_test(void)
+{
+	/* "normal" b64 alphabet, with padding */
+	char* p1 = "aGVsbG8="; /* "hello" */
+	char* p2 = "aGVsbG8+"; /* "hello>" */
+	char* p3 = "aGVsbG8/IQ=="; /* "hello?!" */
+	char* p4 = "aGVsbG8"; /* "hel" + extra garbage */
+
+	/* base64 url, without padding */
+	char* u1 = "aGVsbG8"; /* "hello" */
+	char* u2 = "aGVsbG8-"; /* "hello>" */
+	char* u3 = "aGVsbG8_IQ"; /* "hello?!" */
+	char* u4 = "aaaaa"; /* garbage */
+
+	char target[128];
+	size_t tarsize = 128;
+	int result;
+
+	memset(target, 0, sizeof(target));
+	result = sldns_b64_pton(p1, (uint8_t*)target, tarsize);
+	unit_assert(result == strlen("hello") && strcmp(target, "hello") == 0);
+	memset(target, 0, sizeof(target));
+	result = sldns_b64_pton(p2, (uint8_t*)target, tarsize);
+	unit_assert(result == strlen("hello>") && strcmp(target, "hello>") == 0);
+	memset(target, 0, sizeof(target));
+	result = sldns_b64_pton(p3, (uint8_t*)target, tarsize);
+	unit_assert(result == strlen("hello?!") && strcmp(target, "hello?!") == 0);
+	memset(target, 0, sizeof(target));
+	result = sldns_b64_pton(p4, (uint8_t*)target, tarsize);
+	/* when padding is used everything that is not a block of 4 will be
+	 * ignored */
+	unit_assert(result == strlen("hel") && strcmp(target, "hel") == 0);
+
+	memset(target, 0, sizeof(target));
+	result = sldns_b64url_pton(u1, strlen(u1), (uint8_t*)target, tarsize);
+	unit_assert(result == strlen("hello") && strcmp(target, "hello") == 0);
+	memset(target, 0, sizeof(target));
+	result = sldns_b64url_pton(u2, strlen(u2), (uint8_t*)target, tarsize);
+	unit_assert(result == strlen("hello>") && strcmp(target, "hello>") == 0);
+	memset(target, 0, sizeof(target));
+	result = sldns_b64url_pton(u3, strlen(u3), (uint8_t*)target, tarsize);
+	unit_assert(result == strlen("hello+/") && strcmp(target, "hello?!") == 0);
+	/* one item in block of four is not allowed */
+	memset(target, 0, sizeof(target));
+	result = sldns_b64url_pton(u4, strlen(u4), (uint8_t*)target, tarsize);
+	unit_assert(result == -1);
+}
+
 void
 ldns_test(void)
 {
 	unit_show_feature("sldns");
 	rr_tests();
+	b64_test();
 }

testdata/dlv_anchor.rpl

@@ -1,279 +0,0 @@
-; config options
-; The island of trust is at example.com (the DLV repository)
-server:
-	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	val-override-date: "20070916134226"
-	target-fetch-policy: "0 0 0 0 0"
-	qname-minimisation: "no"
-	fake-sha1: yes
-	trust-anchor-signaling: no
-	minimal-responses: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test validator with DLV anchor
-; positive response for DLV.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN A
-SECTION AUTHORITY
-net.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN NS
-SECTION ANSWER
-net.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN A
-SECTION AUTHORITY
-example.net.	IN NS	ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.		IN 	A	1.2.3.5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.    IN NS   ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.         IN      A       1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; response to DNSKEY priming query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN DNSKEY
-SECTION ANSWER
-example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
-example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; DLV query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net.example.com. IN DLV
-SECTION ANSWER
-example.net.example.com.	3600	IN	DLV	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-example.net.example.com.	3600	IN	RRSIG	DLV 3 4 3600 20070926134150 20070829134150 2854 example.com. ACK48Q/oKwh/SM9yRiKjZYuc+AtEZ2yCPNJ15kKCN8nsVcv7xigmNTY= ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-com.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.5
-; DS RR is
-; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-; DNSKEY prime query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN DNSKEY
-SECTION ANSWER
-example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; www.example.net query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.example.net. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 10 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AD DO NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-SCENARIO_END

testdata/dlv_ask_higher.rpl

@@ -1,354 +0,0 @@
-; config options
-; The island of trust is at example.com (the DLV repository)
-server:
-	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	val-override-date: "20070916134226"
-	target-fetch-policy: "0 0 0 0 0"
-	qname-minimisation: "no"
-	fake-sha1: yes
-	trust-anchor-signaling: no
-	minimal-responses: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test validator with DLV where it needs to ask higher up in dlv.
-; at first negative DLV response, it needs to ask higher.
-; the SOA record in that negative response has a big span (if interpreted as NSEC)
-; then a positive response for DLV.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN A
-SECTION AUTHORITY
-net.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN NS
-SECTION ANSWER
-net.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN A
-SECTION AUTHORITY
-example.net.	IN NS	ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.		IN 	A	1.2.3.5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.    IN NS   ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.         IN      A       1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; response to DNSKEY priming query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN DNSKEY
-SECTION ANSWER
-example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
-example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; failed DLV query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NXDOMAIN
-SECTION QUESTION
-sub.example.net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.net.example.com IN NSEC not.example.com. RRSIG NSEC DLV
-example.net.example.com.	3600	IN	RRSIG	NSEC 3 4 3600 20070926134150 20070829134150 2854 example.com. AKz/e6KOw8gCx6wnpIatBwKb0WOPBTWmNNMg91XR/wlJQ9Z2+qICPmA= ;{id = 2854}
-example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
-SECTION ADDITIONAL
-ENTRY_END
-
-; DLV query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net.example.com. IN DLV
-SECTION ANSWER
-example.net.example.com.	3600	IN	DLV	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-example.net.example.com.	3600	IN	RRSIG	DLV 3 4 3600 20070926134150 20070829134150 2854 example.com. ACK48Q/oKwh/SM9yRiKjZYuc+AtEZ2yCPNJ15kKCN8nsVcv7xigmNTY= ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-com.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.5
-; DS RR is
-; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-; DNSKEY prime query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN DNSKEY
-SECTION ANSWER
-example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; www.sub.example.net query
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-sub.example.net. IN A
-SECTION ANSWER
-SECTION AUTHORITY
-sub.example.net.    IN NS   ns.sub.example.net.
-sub.example.net.	3600	IN	DS	30899 5 1 36b39460f94a807cbbbf3b31cc9db955081b2b36 ; xetir-fahok-bovug-pebyl-sovur-zyvaf-cufan-tivih-hadec-rypof-kixox
-sub.example.net.	3600	IN	RRSIG	DS 5 3 3600 20070926134150 20070829134150 30899 example.net. nM5HAlRsrLurc5mUNKwCye5X6LSH53pLgSeyni4wb6Jd2J48ZRWwrVvy7IpyvI75+Wlu3aGOjv/kEyVaizChRQ== ;{id = 30899}
-SECTION ADDITIONAL
-ns.sub.example.net.         IN      A       1.2.3.6
-ENTRY_END
-
-RANGE_END
-
-; ns.sub.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.6
-; DS
-; sub.example.net.	3600	IN	DS	30899 5 1 36b39460f94a807cbbbf3b31cc9db955081b2b36 ; xetir-fahok-bovug-pebyl-sovur-zyvaf-cufan-tivih-hadec-rypof-kixox
-; DNSKEY prime query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-sub.example.net. IN DNSKEY
-SECTION ANSWER
-sub.example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-sub.example.net.	3600	IN	RRSIG	DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. PATh0K1jz9QeN02C79noX9gwK+Nr5VznWPQwygm/pYDsOb0z3EsaiOrzyoreegDKgoNn3kN0CywS+usCWM6hrw== ;{id = 30899}
-SECTION AUTHORITY
-sub.example.net.    IN NS   ns.sub.example.net.
-sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
-SECTION ADDITIONAL
-ns.sub.example.net.         IN      A       1.2.3.6
-ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
-ENTRY_END
-
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-sub.example.net. IN NS
-SECTION ANSWER
-sub.example.net.    IN NS   ns.sub.example.net.
-sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
-SECTION ADDITIONAL
-ns.sub.example.net.         IN      A       1.2.3.6
-ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
-ENTRY_END
-
-; www.sub.example.net query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.sub.example.net. IN A
-SECTION ANSWER
-www.sub.example.net.	3600	IN	A	10.20.30.40
-www.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. Q+88AIM3K8q6S0bHeFVT742EepZFxOxgtaL1V68DEkP4NePKzL4zttWQD3uI/5ALw/fIrC7G43Eo+epWn2ZGCA== ;{id = 30899}
-SECTION AUTHORITY
-sub.example.net.    IN NS   ns.sub.example.net.
-sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
-SECTION ADDITIONAL
-ns.sub.example.net.         IN      A       1.2.3.6
-ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
-ENTRY_END
-
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.sub.example.net. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 10 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AD DO NOERROR
-SECTION QUESTION
-www.sub.example.net. IN A
-SECTION ANSWER
-www.sub.example.net.	3600	IN	A	10.20.30.40
-www.sub.example.net.    3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. Q+88AIM3K8q6S0bHeFVT742EepZFxOxgtaL1V68DEkP4NePKzL4zttWQD3uI/5ALw/fIrC7G43Eo+epWn2ZGCA== ;{id = 30899}
-SECTION AUTHORITY
-sub.example.net.    IN NS   ns.sub.example.net.
-sub.example.net.        3600    IN      RRSIG   NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
-SECTION ADDITIONAL
-ns.sub.example.net.         IN      A       1.2.3.6
-ns.sub.example.net.     3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
-ENTRY_END
-
-SCENARIO_END

testdata/dlv_below_ta.rpl

@@ -1,355 +0,0 @@
-; config options
-; The island of trust is at example.com (the DLV repository)
-server:
-	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	trust-anchor: "example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix"
-	val-override-date: "20070916134226"
-	target-fetch-policy: "0 0 0 0 0"
-	qname-minimisation: "no"
-	fake-sha1: yes
-	trust-anchor-signaling: no
-	minimal-responses: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test validator, use DLV for nonDSed zone below trustanchor.
-; DLV example.com.
-; trust anchor at example.net but no secure delegation to
-; sub.example.net  signed with DLV but not by parent.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN A
-SECTION AUTHORITY
-net.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN NS
-SECTION ANSWER
-net.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN A
-SECTION AUTHORITY
-example.net.	IN NS	ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.		IN 	A	1.2.3.5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.    IN NS   ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.         IN      A       1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; response to DNSKEY priming query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN DNSKEY
-SECTION ANSWER
-example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
-example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; DLV query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-sub.example.net.example.com. IN DLV
-SECTION ANSWER
-sub.example.net.example.com.	3600	IN	DLV	30899 5 1 36b39460f94a807cbbbf3b31cc9db955081b2b36 ; xetir-fahok-bovug-pebyl-sovur-zyvaf-cufan-tivih-hadec-rypof-kixox
-sub.example.net.example.com.	3600	IN	RRSIG	DLV 3 5 3600 20070926135752 20070829135752 2854 example.com. AAdhy87nuDEaxmc+k9pJHYnhKiEYL++OLPxzOdwEQOtsHi7jeD3lRDU= ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC sub.example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. ALITtZY03PDWnuAeEL/5VwMIXY3iC2y7Qkeq5DgAHmPbNyWiOmJNEKg= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-com.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC sub.example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. ALITtZY03PDWnuAeEL/5VwMIXY3iC2y7Qkeq5DgAHmPbNyWiOmJNEKg= ;{id = 2854}
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.5
-; DS RR is
-; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-; DNSKEY prime query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN DNSKEY
-SECTION ANSWER
-example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; no DS to sub.example.net, securely insecure.
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id 
-REPLY QR NOERROR
-SECTION QUESTION
-sub.example.net. IN DS
-SECTION ANSWER
-SECTION AUTHORITY
-example.net. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.net.	3600	IN	RRSIG	SOA 5 2 3600 20070926134150 20070829134150 30899 example.net. ELVULZHTRc0Qk06rSBRnB/T6sm1+AbAtdEJHN6PCsz2Z3s3E5A8NH7Krz0VzRaYIEUStnbAtuE3oP8XHWHBnyQ== ;{id = 30899}
-sub.example.net.	IN NSEC tut.example.net. NS NSEC
-sub.example.net.	3600	IN	RRSIG	NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. eNJ2OPjMhGKvg70aYT9l9Uo1lJsqmDqVRMlHibv6t+CNjljytI9Vwbao17oV0cjIksmESAewReb73x9fmVIgEQ== ;{id = 30899}
-SECTION ADDITIONAL
-ENTRY_END
-
-; delegation to sub.example.net, securely insecure.
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-sub.example.net. IN NS
-SECTION ANSWER
-SECTION AUTHORITY
-sub.example.net.    IN NS   ns.sub.example.net.
-sub.example.net.	IN NSEC tut.example.net. NS NSEC
-sub.example.net.	3600	IN	RRSIG	NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. eNJ2OPjMhGKvg70aYT9l9Uo1lJsqmDqVRMlHibv6t+CNjljytI9Vwbao17oV0cjIksmESAewReb73x9fmVIgEQ== ;{id = 30899}
-SECTION ADDITIONAL
-ns.sub.example.net.         IN      A       1.2.3.6
-ENTRY_END
-
-
-RANGE_END
-
-; ns.sub.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.6
-; DS is
-; sub.example.net.	3600	IN	DS	30899 5 1 36b39460f94a807cbbbf3b31cc9db955081b2b36 ; xetir-fahok-bovug-pebyl-sovur-zyvaf-cufan-tivih-hadec-rypof-kixox
-; DNSKEY query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-sub.example.net. IN DNSKEY
-SECTION ANSWER
-sub.example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-sub.example.net.	3600	IN	RRSIG	DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. PATh0K1jz9QeN02C79noX9gwK+Nr5VznWPQwygm/pYDsOb0z3EsaiOrzyoreegDKgoNn3kN0CywS+usCWM6hrw== ;{id = 30899}
-SECTION AUTHORITY
-sub.example.net.    IN NS   ns.sub.example.net.
-sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
-SECTION ADDITIONAL
-ns.sub.example.net.         IN      A       1.2.3.6
-ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
-ENTRY_END
-
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-sub.example.net. IN NS
-SECTION ANSWER
-sub.example.net.    IN NS   ns.sub.example.net.
-sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
-SECTION ADDITIONAL
-ns.sub.example.net.         IN      A       1.2.3.6
-ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
-ENTRY_END
-
-; www.sub.example.net query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-www.sub.example.net. IN A
-SECTION ANSWER
-www.sub.example.net. IN A 10.20.30.40
-www.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. Q+88AIM3K8q6S0bHeFVT742EepZFxOxgtaL1V68DEkP4NePKzL4zttWQD3uI/5ALw/fIrC7G43Eo+epWn2ZGCA== ;{id = 30899}
-SECTION AUTHORITY
-sub.example.net.    IN NS   ns.sub.example.net.
-sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
-SECTION ADDITIONAL
-ns.sub.example.net.         IN      A       1.2.3.6
-ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
-ENTRY_END
-
-
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.sub.example.net. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 10 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AD DO NOERROR
-SECTION QUESTION
-www.sub.example.net. IN A
-SECTION ANSWER
-www.sub.example.net. IN A 10.20.30.40
-www.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. Q+88AIM3K8q6S0bHeFVT742EepZFxOxgtaL1V68DEkP4NePKzL4zttWQD3uI/5ALw/fIrC7G43Eo+epWn2ZGCA== ;{id = 30899}
-SECTION AUTHORITY
-sub.example.net.    IN NS   ns.sub.example.net.
-sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
-SECTION ADDITIONAL
-ns.sub.example.net.         IN      A       1.2.3.6
-ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
-ENTRY_END
-
-SCENARIO_END

testdata/dlv_delegation.rpl

@@ -1,335 +0,0 @@
-; config options
-; The island of trust is at example.com (the DLV repository)
-server:
-	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	val-override-date: "20070916134226"
-	target-fetch-policy: "0 0 0 0 0"
-	qname-minimisation: "no"
-	fake-sha1: yes
-	trust-anchor-signaling: no
-	minimal-responses: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test validator with delegation in DLV repository
-; positive response for DLV.
-; but the DLV repository has a (secure) delegation inside it.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN A
-SECTION AUTHORITY
-net.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN NS
-SECTION ANSWER
-net.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN A
-SECTION AUTHORITY
-example.net.	IN NS	ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.		IN 	A	1.2.3.5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.    IN NS   ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.         IN      A       1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; response to DNSKEY priming query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN DNSKEY
-SECTION ANSWER
-example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
-example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; referral to the net.example.com DLV server
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-net.example.com. NS ns.net.example.com.
-net.example.com.	3600	IN	DS	2854 3 1 24d80cd822bc4083cf491b7f055890345a77dd9b ; xenat-myfat-memir-sabym-fefig-nakol-zucyh-megef-gakel-lolyn-ruxox
-net.example.com.	3600	IN	RRSIG	DS 3 3 3600 20070926134150 20070829134150 2854 example.com. AA0APyTN12wzj1XmDEZe+wrPE1hkLAINKT8cT9zGup7zX3O8R4Ki2N8= ;{id = 2854}
-SECTION ADDITIONAL
-ns.net.example.com. A 1.2.3.6
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-com.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AJEvfI+tX6Y1OF0h1CNHERJjXaaTsmLWTMLgXk4UYJl8JjAikCpsf9Q= ;{id = 2854}
-ENTRY_END
-
-RANGE_END
-
-; ns.net.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.6
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net.example.com. IN NS
-SECTION ANSWER
-net.example.com. NS ns.net.example.com.
-net.example.com.	3600	IN	RRSIG	NS 3 3 3600 20070926134150 20070829134150 2854 net.example.com. AHjTvB20SzZVV9P3LXJ6lVzFWCoDk7T71VHllOwmom3a/EutlUpsgNM= ;{id = 2854}
-SECTION ADDITIONAL
-ns.net.example.com. A 1.2.3.6
-ns.net.example.com.	3600	IN	RRSIG	A 3 4 3600 20070926134150 20070829134150 2854 net.example.com. AE2wjNCJayCBi6e8QAGwgujdMC2LbVWQVbQCuQx+grjoQJXQxxpFB5I= ;{id = 2854}
-ENTRY_END
-
-; DNSKEY query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net.example.com. IN DNSKEY
-SECTION ANSWER
-net.example.com.        3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
-net.example.com.	3600	IN	RRSIG	DNSKEY 3 3 3600 20070926134150 20070829134150 2854 net.example.com. ADgKDV1Yi2iFOXFUN1XkvBU7KW/rdtGcOEdc9VMIxfIKDo5h24E5fqs= ;{id = 2854}
-SECTION AUTHORITY
-net.example.com. NS ns.net.example.com.
-net.example.com.	3600	IN	RRSIG	NS 3 3 3600 20070926134150 20070829134150 2854 net.example.com. AHjTvB20SzZVV9P3LXJ6lVzFWCoDk7T71VHllOwmom3a/EutlUpsgNM= ;{id = 2854}
-SECTION ADDITIONAL
-ns.net.example.com. A 1.2.3.6
-ns.net.example.com.	3600	IN	RRSIG	A 3 4 3600 20070926134150 20070829134150 2854 net.example.com. AE2wjNCJayCBi6e8QAGwgujdMC2LbVWQVbQCuQx+grjoQJXQxxpFB5I= ;{id = 2854}
-ENTRY_END
-
-; DLV apex
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-net.example.com. SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-net.example.com.	3600	IN	RRSIG	SOA 3 3 3600 20070926134150 20070829134150 2854 net.example.com. AKAjedAeGWRHaqhDhNhbTvVUQMgCspiD4GNC7dMVbEZSd87AFcqwg1Y= ;{id = 2854}
-net.example.com. NSEC example.net.example.com. SOA NS DNSKEY RRSIG NSEC
-net.example.com.	3600	IN	RRSIG	NSEC 3 3 3600 20070926134150 20070829134150 2854 net.example.com. AAHqj3xDqng7ZuNFn89sTjTo2qfuXTv0yR6v8mZ1+L5mCsOwjpGXrJw= ;{id = 2854}
-SECTION ADDITIONAL
-ENTRY_END
-
-; DLV of interest
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net.example.com. IN DLV
-SECTION ANSWER
-example.net.example.com.        3600    IN      DLV     30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-example.net.example.com.	3600	IN	RRSIG	DLV 3 4 3600 20070926134150 20070829134150 2854 net.example.com. AIZmoTbAlXYwLknm84i7sbglbHr1Iq7t0yyTENO/MsPj7K/mvEQAI/g= ;{id = 2854}
-SECTION AUTHORITY
-net.example.com. NS ns.net.example.com.
-net.example.com.	3600	IN	RRSIG	NS 3 3 3600 20070926134150 20070829134150 2854 net.example.com. AHjTvB20SzZVV9P3LXJ6lVzFWCoDk7T71VHllOwmom3a/EutlUpsgNM= ;{id = 2854}
-SECTION ADDITIONAL
-ns.net.example.com. A 1.2.3.6
-ns.net.example.com.	3600	IN	RRSIG	A 3 4 3600 20070926134150 20070829134150 2854 net.example.com. AE2wjNCJayCBi6e8QAGwgujdMC2LbVWQVbQCuQx+grjoQJXQxxpFB5I= ;{id = 2854}
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.5
-; DS RR is
-; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-; DNSKEY prime query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN DNSKEY
-SECTION ANSWER
-example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; www.example.net query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.example.net. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 10 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AD DO NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-SCENARIO_END

testdata/dlv_ds_lookup.rpl

@@ -1,281 +0,0 @@
-; config options
-; The island of trust is at example.com (the DLV repository)
-server:
-	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	val-override-date: "20070916134226"
-	target-fetch-policy: "0 0 0 0 0"
-	qname-minimisation: "no"
-	fake-sha1: yes
-	trust-anchor-signaling: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test validator with DLV anchor for a DS lookup.
-; positive response for DLV.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN A
-SECTION AUTHORITY
-net.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN NS
-SECTION ANSWER
-net.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN DS
-SECTION AUTHORITY
-net.			900	IN	SOA	a.gtld-servers.net. nstld.verisign-grs.com. 1251367385 1800 900 604800 86400
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN A
-SECTION AUTHORITY
-example.net.	IN NS	ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.		IN 	A	1.2.3.5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.    IN NS   ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.         IN      A       1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; response to DNSKEY priming query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN DNSKEY
-SECTION ANSWER
-example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
-example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; DLV query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net.example.com. IN DLV
-SECTION ANSWER
-example.net.example.com.	3600	IN	DLV	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-example.net.example.com.	3600	IN	RRSIG	DLV 3 4 3600 20070926134150 20070829134150 2854 example.com. ACK48Q/oKwh/SM9yRiKjZYuc+AtEZ2yCPNJ15kKCN8nsVcv7xigmNTY= ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-com.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.5
-; DS RR is
-; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-; DNSKEY prime query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN DNSKEY
-SECTION ANSWER
-example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; www.example.net query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-example.net. IN DS
-ENTRY_END
-
-; recursion happens here.
-STEP 10 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA DO NOERROR
-SECTION QUESTION
-example.net. IN DS
-SECTION AUTHORITY
-net.			900	IN	SOA	a.gtld-servers.net. nstld.verisign-grs.com. 1251367385 1800 900 604800 86400
-ENTRY_END
-
-SCENARIO_END

testdata/dlv_insecure.rpl

@@ -1,254 +0,0 @@
-; config options
-; The island of trust is at example.com (the DLV repository)
-server:
-	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	val-override-date: "20070916134226"
-	harden-referral-path: no
-	target-fetch-policy: "0 0 0 0 0"
-	qname-minimisation: "no"
-	fake-sha1: yes
-	trust-anchor-signaling: no
-	minimal-responses: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test validator with insecure zone with no DLV 
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN A
-SECTION AUTHORITY
-net.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN NS
-SECTION ANSWER
-net.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN A
-SECTION AUTHORITY
-example.net.	IN NS	ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.		IN 	A	1.2.3.5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.    IN NS   ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.         IN      A       1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; response to DNSKEY priming query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN DNSKEY
-SECTION ANSWER
-example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
-example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; DLV query
-; could be picked out of the negative cache due to NS queries in between.
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-www.example.net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-com.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.5
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net.    IN NS   ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ENTRY_END
-
-; www.example.net query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ENTRY_END
-
-
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.example.net. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 10 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA DO NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ENTRY_END
-
-SCENARIO_END

testdata/dlv_insecure_negcache.rpl

@@ -1,311 +0,0 @@
-; config options
-; The island of trust is at example.com (the DLV repository)
-server:
-	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	val-override-date: "20070916134226"
-	harden-referral-path: no
-	target-fetch-policy: "0 0 0 0 0"
-	qname-minimisation: "no"
-	fake-sha1: yes
-	trust-anchor-signaling: no
-	minimal-responses: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test validator with insecure zone, no DLV from negative cache
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN A
-SECTION AUTHORITY
-net.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 300
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN NS
-SECTION ANSWER
-net.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN A
-SECTION AUTHORITY
-example.net.	IN NS	ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.		IN 	A	1.2.3.5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.    IN NS   ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.         IN      A       1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; response to DNSKEY priming query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN DNSKEY
-SECTION ANSWER
-example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
-example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; DLV query
-; could be picked out of the negative cache due to NS queries in between.
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-www.example.net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-zoink.name.example.com IN NSEC zazz.net.example.com. RRSIG NSEC DLV
-zoink.name.example.com. 3600    IN      RRSIG   NSEC 3 4 3600 20070926134150 20070829134150 2854 example.com. AHipxvshRHglCEN4nZCT4m/4RIj8TrCOE2AsqEoH9e+6OYSo+yuNzzo= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-zoink.name.example.com IN NSEC zazz.net.example.com. RRSIG NSEC DLV
-zoink.name.example.com. 3600    IN      RRSIG   NSEC 3 4 3600 20070926134150 20070829134150 2854 example.com. AHipxvshRHglCEN4nZCT4m/4RIj8TrCOE2AsqEoH9e+6OYSo+yuNzzo= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC frump.aqua.example.com. SOA NS RRSIG NSEC DNSKEY
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AAscY9DfNm3Uy8f8Q4WX6AzR0flHYNSr3fKfgQ0Xc20fzj1lGP9ebfk= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-com.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 300
-	ADDRESS 1.2.3.5
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net.    IN NS   ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ENTRY_END
-
-; www.example.net query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	10	IN	A	10.20.30.40
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ENTRY_END
-
-
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.example.net. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 10 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA DO NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	10	IN	A	10.20.30.40
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ENTRY_END
-
-STEP 150 TIME_PASSES ELAPSE 30
-
-; no more DLV authority reachable
-STEP 200 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.example.net. IN A
-ENTRY_END
-
-STEP 210 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA DO NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	10	IN	A	10.20.30.40
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ENTRY_END
-
-STEP 220 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-net. IN NS
-ENTRY_END
-
-STEP 230 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA DO NOERROR
-SECTION QUESTION
-net. IN NS
-SECTION ANSWER
-net.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-SCENARIO_END

testdata/dlv_keyretry.rpl

@@ -1,287 +0,0 @@
-; config options
-; The island of trust is at example.com (the DLV repository)
-server:
-	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	val-override-date: "20070916134226"
-	target-fetch-policy: "0 0 0 0 0"
-	qname-minimisation: "no"
-	fake-sha1: yes
-	trust-anchor-signaling: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test validator with DLV anchor and subsequently key retries
-; positive response for DLV.  But the DNSKEY for the target fails validation.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN A
-SECTION AUTHORITY
-net.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN NS
-SECTION ANSWER
-net.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN A
-SECTION AUTHORITY
-example.net.	IN NS	ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.		IN 	A	1.2.3.5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.    IN NS   ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.         IN      A       1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; response to DNSKEY priming query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN DNSKEY
-SECTION ANSWER
-example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
-example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; DLV query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net.example.com. IN DLV
-SECTION ANSWER
-example.net.example.com.	3600	IN	DLV	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-example.net.example.com.	3600	IN	RRSIG	DLV 3 4 3600 20070926134150 20070829134150 2854 example.com. ACK48Q/oKwh/SM9yRiKjZYuc+AtEZ2yCPNJ15kKCN8nsVcv7xigmNTY= ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-com.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.5
-; DS RR is
-; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-; DNSKEY prime query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN DNSKEY
-SECTION ANSWER
-example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-; expired signature
-example.net.	3600	IN	RRSIG	DNSKEY 5 2 3600 20050926134150 20050829134150 30899 example.net. ydM0/eWMqFn4RxMTbscdSLU7bJNoPuzjCa0eI7HSV/r/54slSGvkl0fmwqrROl1tpc0YMV6kAzgB1T5lJbvdsA== ;{id = 30899}
-; good signature:
-;example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; AAAA for nameserver (for dnssec retry) query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN SOA . . 2007091300 28800 7200 604800 3600
-example.net.	3600	IN	RRSIG	SOA 5 2 3600 20070926134150 20070829134150 30899 example.net. MrpP4svNpbN/YKhuYRlNbvNg0yVxn4ywW1tyEFA9v6F7BR6k1pP8iPfN5XV+XWPAmbss9h3fwKq8zNs4F/SPkg== ;{id = 30899}
-ns.example.net. IN NSEC ppp.example.net. A RRSIG NSEC
-ns.example.net.	3600	IN	RRSIG	NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. freWP6rXWsU5iyRE2gIM9rICuBxCYlQSW01GkLPez5czqtEL0hHN8vtjTlfoNxjJjiZj3vAavZDIQGgOOOMIsA== ;{id = 30899}
-ENTRY_END
-
-; www.example.net query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.example.net. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 10 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA DO SERVFAIL
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-ENTRY_END
-
-SCENARIO_END

testdata/dlv_negnx.rpl

@@ -1,405 +0,0 @@
-; config options
-; The island of trust is at example.com (the DLV repository)
-server:
-	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	val-override-date: "20070916134226"
-	target-fetch-policy: "0 0 0 0 0"
-	qname-minimisation: "no"
-	fake-sha1: yes
-	trust-anchor-signaling: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test validator with DLV anchor for negcache nxdomain proof
-; put a DLV in the negcache.
-; then test ask-higher with that in the cache.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN A
-SECTION AUTHORITY
-net.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN NS
-SECTION ANSWER
-net.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN A
-SECTION AUTHORITY
-example.net.	IN NS	ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.		IN 	A	1.2.3.5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.    IN NS   ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.         IN      A       1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; response to DNSKEY priming query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN DNSKEY
-SECTION ANSWER
-example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
-example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; DLV query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net.example.com. IN DLV
-SECTION ANSWER
-example.net.example.com.	3600	IN	DLV	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-example.net.example.com.	3600	IN	RRSIG	DLV 3 4 3600 20070926134150 20070829134150 2854 example.com. ACK48Q/oKwh/SM9yRiKjZYuc+AtEZ2yCPNJ15kKCN8nsVcv7xigmNTY= ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; under example.net in DLV
-ENTRY_BEGIN
-MATCH opcode qtype subdomain
-ADJUST copy_id copy_query
-REPLY QR NXDOMAIN
-SECTION QUESTION
-example.net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.net.example.com.	3600	IN 	NSEC fru.net.example.com. RRSIG NSEC DLV
-example.net.example.com.	3600	IN	RRSIG	NSEC 3 4 3600 20070926134150 20070829134150 2854 example.com. AI6NNKt4dGcAdCrW73GYwyoqelsdj1dd8mBNPpHRQIL0yp7yYFZ7kXU= ;{id = 2854}
-example.com. IN SOA . . 1 2 3 4 5
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AIkRPbv+kZaiG61pH/wQy8fX2UqQS5YRwHaxe4yjEUXk59fgO71Db3s= ;{id = 2854}
-SECTION ADDITIONAL
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-com.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.5
-; DS RR is
-; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-; DNSKEY prime query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN DNSKEY
-SECTION ANSWER
-; have it flushed out of the cache quickly.
-example.net.    0    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-example.net.    0    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; www.example.net query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; subzone
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-sub1.example.net. IN A
-SECTION ANSWER
-SECTION AUTHORITY
-sub1.example.net.	3600	IN	DS	30899 5 1 8916603e54c6f7edcfd885602e3b7b8dc475ba5c ; xodec-komif-vehis-kotav-tefot-mecyk-biryf-rivym-ticol-huvyh-saxox
-sub1.example.net.	3600	IN	RRSIG	DS 5 3 3600 20070926134150 20070829134150 30899 example.net. A3vVrEY3+oIUqdbAa3tkKaU3o47eBD01hVXfAEAue1M+Uci2PA5YyiulLzStyiP75XUXkvubLQ2+ltKMTtfdag== ;{id = 30899}
-sub1.example.net. IN NS ns.sub1.example.net.
-SECTION ADDITIONAL
-ns.sub1.example.net. IN A 1.2.3.10
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-sub2.example.net. IN A
-SECTION ANSWER
-SECTION AUTHORITY
-sub2.example.net.	3600	IN	DS	30899 5 1 627f7a51f1545133fec3ecbd19b85b92b15679c9 ; ximil-zovah-casuh-gygef-fyzas-farir-tikir-mukon-disih-kavus-nyxex
-sub2.example.net.	3600	IN	RRSIG	DS 5 3 3600 20070926134150 20070829134150 30899 example.net. azMXKt4VPHj2hk5MDU6h8E/HOtNnHnIVS6Le3BV43wtJcHG5wlCxOksOZBOpXMkpbWLvbCJOOMPOnh31nlbjgg== ;{id = 30899}
-sub2.example.net. IN NS ns.sub2.example.net.
-SECTION ADDITIONAL
-ns.sub2.example.net. IN A 1.2.3.12
-ENTRY_END
-RANGE_END
-
-; sub1.example.net.
-; ns.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.10
-; DNSKEY query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-sub1.example.net. IN DNSKEY
-SECTION ANSWER
-sub1.example.net.       3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-sub1.example.net.	3600	IN	RRSIG	DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub1.example.net. E200eTdRnkL7/fk54i1nXEE9a/rC2GxZfVkWMU044tpwV6d4XRxVhlFBzY4FytbRFFBUDhz7L3B0qC6BXJM8rg== ;{id = 30899}
-ENTRY_END
-
-; www query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.sub1.example.net. IN A
-SECTION ANSWER
-www.sub1.example.net. IN A 192.168.1.1
-www.sub1.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub1.example.net. JKxcjPjc/TsQmUmCYHLQa3cBk1c+SbDPtVml69nDWC167NNWG8OLjLrLtUBVCfbTzCmqOWXq2qhrGPxjO65GCQ== ;{id = 30899}
-ENTRY_END
-
-RANGE_END
-
-; sub2.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.12
-; DNSKEY query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-sub2.example.net. IN DNSKEY
-SECTION ANSWER
-sub2.example.net.       3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-sub2.example.net.	3600	IN	RRSIG	DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub2.example.net. VcNaPuz9Mmjj5ofZqOa4FsixBomFJTjd/9wxhZOVdxf1LsNR5L++8k09gQvnjtCvqSPfNer/uv0xl+9sRr8Wmw== ;{id = 30899}
-ENTRY_END
-
-; www query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.sub2.example.net. IN A
-SECTION ANSWER
-www.sub2.example.net. IN A 192.168.1.12
-www.sub2.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub2.example.net. PsWY6+5/0+hsTOhNak/jdSeG44hvHgX5az1Q5XY/YkIchsflH9rmvP1EruFhflNhRR+22M7POiljYOoD5ylQXQ== ;{id = 30899}
-ENTRY_END
-
-RANGE_END
-
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.sub1.example.net. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 10 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AD DO NOERROR
-SECTION QUESTION
-www.sub1.example.net. IN A
-SECTION ANSWER
-www.sub1.example.net. IN A 192.168.1.1
-www.sub1.example.net.   3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub1.example.net. JKxcjPjc/TsQmUmCYHLQa3cBk1c+SbDPtVml69nDWC167NNWG8OLjLrLtUBVCfbTzCmqOWXq2qhrGPxjO65GCQ== ;{id = 30899}
-SECTION AUTHORITY
-SECTION ADDITIONAL
-ENTRY_END
-
-; have example.net DNSKEY time out
-STEP 14 TIME_PASSES ELAPSE 1.0
-
-STEP 20 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.sub2.example.net. IN A
-ENTRY_END
-
-STEP 30 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AD DO NOERROR
-SECTION QUESTION
-www.sub2.example.net. IN A
-SECTION ANSWER
-www.sub2.example.net. IN A 192.168.1.12
-www.sub2.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub2.example.net. PsWY6+5/0+hsTOhNak/jdSeG44hvHgX5az1Q5XY/YkIchsflH9rmvP1EruFhflNhRR+22M7POiljYOoD5ylQXQ== ;{id = 30899}
-SECTION AUTHORITY
-SECTION ADDITIONAL
-ENTRY_END
-
-
-SCENARIO_END

testdata/dlv_optout.rpl

@@ -1,440 +0,0 @@
-; config options
-; The island of trust is at example.com (the DLV repository)
-server:
-	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	trust-anchor: "example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix"
-	val-override-date: "20070916134226"
-	target-fetch-policy: "0 0 0 0 0"
-	qname-minimisation: "no"
-	fake-sha1: yes
-	trust-anchor-signaling: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test validator, DLV to zone below optout, check negative cache.
-; DLV example.com.
-; trust anchor at example.net but no secure delegation to
-; sub.example.net  signed with DLV but not by parent.
-; parent uses optout NSEC3.
-; then a signed delegation to down.sub.example.net.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN A
-SECTION AUTHORITY
-net.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN NS
-SECTION ANSWER
-net.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN A
-SECTION AUTHORITY
-example.net.	IN NS	ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.		IN 	A	1.2.3.5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.    IN NS   ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.         IN      A       1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; response to DNSKEY priming query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN DNSKEY
-SECTION ANSWER
-example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
-example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; DLV query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-sub.example.net.example.com. IN DLV
-SECTION ANSWER
-sub.example.net.example.com.	3600	IN	DLV	30899 5 1 36b39460f94a807cbbbf3b31cc9db955081b2b36 ; xetir-fahok-bovug-pebyl-sovur-zyvaf-cufan-tivih-hadec-rypof-kixox
-sub.example.net.example.com.	3600	IN	RRSIG	DLV 3 5 3600 20070926135752 20070829135752 2854 example.com. AAdhy87nuDEaxmc+k9pJHYnhKiEYL++OLPxzOdwEQOtsHi7jeD3lRDU= ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-down.sub.example.net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-sub.example.net.example.com. IN NSEC zzz.example.net.example.com. RRSIG NSEC DLV
-sub.example.net.example.com.	3600	IN	RRSIG	NSEC 3 5 3600 20070926134150 20070829134150 2854 example.com. AG/M+H/lex1CMTIuO+JpdmTjCzt7XBsLtRLPDfYTykhxnnECzZwkMnQ= ;{id = 2854}
-SECTION ADDITIONAL
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC sub.example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. ALITtZY03PDWnuAeEL/5VwMIXY3iC2y7Qkeq5DgAHmPbNyWiOmJNEKg= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-com.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC sub.example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. ALITtZY03PDWnuAeEL/5VwMIXY3iC2y7Qkeq5DgAHmPbNyWiOmJNEKg= ;{id = 2854}
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.5
-; DS RR is
-; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-; DNSKEY prime query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN DNSKEY
-SECTION ANSWER
-example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; no DS to sub.example.net, optout NSEC3.
-; NSEC3PARAM 1 1 31 DE15C001
-; example.net. 		-> hk4jq0lg6q3bt992urc88dqten1k2be8.
-; sub.example.net. 	-> ecs17hqd0kf7dk9g1cjvevj25pginrf2.
-; *.example.net. 	-> 1tgbedpeeuubbsejh2dqvso62f8n4dk1.
-; down.sub.example.net. -> 9j1r8re9b1238vd907tilclgat1i0fre.
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id 
-REPLY QR NOERROR
-SECTION QUESTION
-sub.example.net. IN DS
-SECTION ANSWER
-SECTION AUTHORITY
-example.net. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.net.	3600	IN	RRSIG	SOA 5 2 3600 20070926134150 20070829134150 30899 example.net. ELVULZHTRc0Qk06rSBRnB/T6sm1+AbAtdEJHN6PCsz2Z3s3E5A8NH7Krz0VzRaYIEUStnbAtuE3oP8XHWHBnyQ== ;{id = 30899}
-; CE is example.net
-hk4jq0lg6q3bt992urc88dqten1k2be8.example.net. IN NSEC3 1 1 31 DE15C001 hl4jq0lg6q3bt992urc88dqten1k2be8 NS SOA NAPTR RRSIG DNSKEY NSEC3PARAM
-hk4jq0lg6q3bt992urc88dqten1k2be8.example.net.	3600	IN	RRSIG	NSEC3 5 3 3600 20070926134150 20070829134150 30899 example.net. n1dQKbRoB+X4K003RAhdUp6ZUP5dCiwQi+apGfLII8wmCUmw/cKiz7/Ijhs/+88hZwq/7yhlZM0D/yqAUKUiAA== ;{id = 30899}
-; NC covers sub.example.net
-ebs17hqd0kf7dk9g1cjvevj25pginrf2.example.net. IN NSEC3 1 1 31 de15c001 efs17hqd0kf7dk9g1cjvevj25pginrf2 A RRSIG
-ebs17hqd0kf7dk9g1cjvevj25pginrf2.example.net.	3600	IN	RRSIG	NSEC3 5 3 3600 20070926134150 20070829134150 30899 example.net. oSVB7Dyp7/yaOlT8AFwBJZdqwRRSQ8XFzCpu1AP51JPIuhCg5byepdvY6UC3xXc7YVO6h74tpxFCGqLpRXwDoQ== ;{id = 30899}
-SECTION ADDITIONAL
-ENTRY_END
-
-; delegation to sub.example.net, optout NSEC3.
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-sub.example.net. IN NS
-SECTION ANSWER
-SECTION AUTHORITY
-sub.example.net.    IN NS   ns.sub.example.net.
-hk4jq0lg6q3bt992urc88dqten1k2be8.example.net. IN NSEC3 1 1 31 DE15C001 hl4jq0lg6q3bt992urc88dqten1k2be8 NS SOA NAPTR RRSIG DNSKEY NSEC3PARAM
-hk4jq0lg6q3bt992urc88dqten1k2be8.example.net.	3600	IN	RRSIG	NSEC3 5 3 3600 20070926134150 20070829134150 30899 example.net. n1dQKbRoB+X4K003RAhdUp6ZUP5dCiwQi+apGfLII8wmCUmw/cKiz7/Ijhs/+88hZwq/7yhlZM0D/yqAUKUiAA== ;{id = 30899}
-ebs17hqd0kf7dk9g1cjvevj25pginrf2.example.net. IN NSEC3 1 1 31 de15c001 efs17hqd0kf7dk9g1cjvevj25pginrf2 A RRSIG
-ebs17hqd0kf7dk9g1cjvevj25pginrf2.example.net.	3600	IN	RRSIG	NSEC3 5 3 3600 20070926134150 20070829134150 30899 example.net. oSVB7Dyp7/yaOlT8AFwBJZdqwRRSQ8XFzCpu1AP51JPIuhCg5byepdvY6UC3xXc7YVO6h74tpxFCGqLpRXwDoQ== ;{id = 30899}
-SECTION ADDITIONAL
-ns.sub.example.net.         IN      A       1.2.3.6
-ENTRY_END
-
-
-RANGE_END
-
-; ns.sub.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.6
-; DS is
-; sub.example.net.	3600	IN	DS	30899 5 1 36b39460f94a807cbbbf3b31cc9db955081b2b36 ; xetir-fahok-bovug-pebyl-sovur-zyvaf-cufan-tivih-hadec-rypof-kixox
-; DNSKEY query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-sub.example.net. IN DNSKEY
-SECTION ANSWER
-sub.example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-sub.example.net.	3600	IN	RRSIG	DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. PATh0K1jz9QeN02C79noX9gwK+Nr5VznWPQwygm/pYDsOb0z3EsaiOrzyoreegDKgoNn3kN0CywS+usCWM6hrw== ;{id = 30899}
-SECTION AUTHORITY
-sub.example.net.    IN NS   ns.sub.example.net.
-sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
-SECTION ADDITIONAL
-ns.sub.example.net.         IN      A       1.2.3.6
-ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
-ENTRY_END
-
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-sub.example.net. IN NS
-SECTION ANSWER
-sub.example.net.    IN NS   ns.sub.example.net.
-sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
-SECTION ADDITIONAL
-ns.sub.example.net.         IN      A       1.2.3.6
-ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
-ENTRY_END
-
-; www.sub.example.net query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-www.sub.example.net. IN A
-SECTION ANSWER
-www.sub.example.net. IN A 10.20.30.40
-www.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. Q+88AIM3K8q6S0bHeFVT742EepZFxOxgtaL1V68DEkP4NePKzL4zttWQD3uI/5ALw/fIrC7G43Eo+epWn2ZGCA== ;{id = 30899}
-SECTION AUTHORITY
-sub.example.net.    IN NS   ns.sub.example.net.
-sub.example.net.	3600	IN	RRSIG	NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.net. JZUK303aE7R428S5XXLaowpM79YSc2g7wy2rDOH+6Ts2UefZInv6X5cjJU4+qBrS8i9XhdllqG7SEnPKZ0GtAw== ;{id = 30899}
-SECTION ADDITIONAL
-ns.sub.example.net.         IN      A       1.2.3.6
-ns.sub.example.net.	3600	IN	RRSIG	A 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AluXPa4XdlCysQMVrt0YairoOug4GMvy8rNUeKLCfQ5xVqRMqkTisbzJXBQPgYEVA0DJR74eEpgLrcz5ztb1aA== ;{id = 30899}
-ENTRY_END
-
-; DS for down.sub.example.net
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-down.sub.example.net. IN DS
-SECTION ANSWER
-down.sub.example.net.   3600    IN      DS      60946 5 1 c636304ab7cdb6272215aceac95a8d312ac7a4f6 
-down.sub.example.net.	3600	IN	RRSIG	DS 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AMc8J534UF2+0PtPSNBw6RzN4Q5gXfnBXiUfpuT/MR1YtOE/5AP/0dTgvqvKRiFZx3NjOPeZmRnaabxkw0Qzrw== ;{id = 30899}
-SECTION AUTHORITY
-SECTION ADDITIONAL
-ENTRY_END
-
-; delegation to down.sub.example.net
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-down.sub.example.net. IN NS
-SECTION ANSWER
-SECTION AUTHORITY
-down.sub.example.net. IN NS ns.down.sub.example.net.
-; the DS record is not given (like it was parent and child hosted on the same
-; server)
-;down.sub.example.net.   3600    IN      DS      60946 5 1 c636304ab7cdb6272215aceac95a8d312ac7a4f6 
-;down.sub.example.net.	3600	IN	RRSIG	DS 5 4 3600 20070926134150 20070829134150 30899 sub.example.net. AMc8J534UF2+0PtPSNBw6RzN4Q5gXfnBXiUfpuT/MR1YtOE/5AP/0dTgvqvKRiFZx3NjOPeZmRnaabxkw0Qzrw== ;{id = 30899}
-SECTION ADDITIONAL
-ns.down.sub.example.net. IN A 1.2.3.7
-ENTRY_END
-
-RANGE_END
-
-; ns.down.sub.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.7
-; DNSKEY query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-down.sub.example.net. IN DNSKEY
-SECTION ANSWER
-down.sub.example.net.	3600	IN	DNSKEY	257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b}
-down.sub.example.net.	3600	IN	RRSIG	DNSKEY 5 4 3600 20070926134150 20070829134150 60946 down.sub.example.net. lK5HNva/IPw0CS9BfBd16fqm5y9bgCSwGsBLBAA1d5SCcKep6AVrv6NFuXl12d1G3MdQ4ruHi6eDDO5dhtkfrw== ;{id = 60946}
-SECTION AUTHORITY
-SECTION ADDITIONAL
-ENTRY_END
-
-; www.down.sub.example.net.
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-www.down.sub.example.net. IN A
-SECTION ANSWER
-www.down.sub.example.net. IN A 10.20.30.44
-www.down.sub.example.net.	3600	IN	RRSIG	A 5 5 3600 20070926134150 20070829134150 60946 down.sub.example.net. Hg5WF/xW8PRth2rl1mZcYK8/pgGpM73e/fD+mH/XElEKgL9zq0ou8psA0I6OvMLGBN6RQeknQHRAy3D2/5k/Wg== ;{id = 60946}
-SECTION AUTHORITY
-SECTION ADDITIONAL
-ENTRY_END
-
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.down.sub.example.net. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 10 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AD DO NOERROR
-SECTION QUESTION
-www.down.sub.example.net. IN A
-SECTION ANSWER
-www.down.sub.example.net. IN A 10.20.30.44
-www.down.sub.example.net.	3600	IN	RRSIG	A 5 5 3600 20070926134150 20070829134150 60946 down.sub.example.net. Hg5WF/xW8PRth2rl1mZcYK8/pgGpM73e/fD+mH/XElEKgL9zq0ou8psA0I6OvMLGBN6RQeknQHRAy3D2/5k/Wg== ;{id = 60946}
-ENTRY_END
-
-SCENARIO_END

testdata/dlv_remove.rpl

@@ -1,198 +0,0 @@
-; config options
-; The island of trust is at example.com (the DLV repository)
-server:
-	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	val-override-date: "20070916134226"
-	target-fetch-policy: "0 0 0 0 0"
-	fake-sha1: yes
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test validator with DLV anchor but DLV domain is down
-; so DLV has been decommissioned.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN A
-SECTION AUTHORITY
-net.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN NS
-SECTION ANSWER
-net.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN A
-SECTION AUTHORITY
-example.net.	IN NS	ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.		IN 	A	1.2.3.5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-
-ENTRY_BEGIN
-MATCH opcode
-ADJUST copy_id copy_query
-REPLY QR SERVFAIL
-SECTION QUESTION
-example.com. IN NS
-ENTRY_END
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.5
-; DS RR is
-; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-; DNSKEY prime query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN DNSKEY
-SECTION ANSWER
-example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; www.example.net query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.example.net. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 10 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA DO SERVFAIL
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-ENTRY_END
-
-SCENARIO_END

testdata/dlv_remove_empty.rpl

@@ -1,272 +0,0 @@
-; config options
-; The island of trust is at example.com (the DLV repository)
-server:
-	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	val-override-date: "20070916134226"
-	target-fetch-policy: "0 0 0 0 0"
-	fake-sha1: yes
-	minimal-responses: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test validator with DLV and DLV repository is empty.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN A
-SECTION AUTHORITY
-net.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN NS
-SECTION ANSWER
-net.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN A
-SECTION AUTHORITY
-example.net.	IN NS	ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.		IN 	A	1.2.3.5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.    IN NS   ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.         IN      A       1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; response to DNSKEY priming query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN DNSKEY
-SECTION ANSWER
-example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
-example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; DLV query, everything is NXDOMAIN
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR AA NXDOMAIN
-SECTION QUESTION
-example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com.	3600	IN	NSEC	example.com. NS SOA RRSIG NSEC DNSKEY 
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AH++lP1qhsBw6zO1g3JVPZeQIpDhL9xT8V9xdgjXvCjIGQ1BUUlfQkA=
-SECTION ADDITIONAL
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-com.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.5
-; DS RR is
-; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-; DNSKEY prime query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN DNSKEY
-SECTION ANSWER
-example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; www.example.net query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.example.net. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 10 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA DO NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-SCENARIO_END

testdata/dlv_remove_nodel.rpl

@@ -1,276 +0,0 @@
-; config options
-; The island of trust is at example.com (the DLV repository)
-server:
-	dlv-anchor: "dlv.example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	val-override-date: "20070916134226"
-	target-fetch-policy: "0 0 0 0 0"
-	fake-sha1: yes
-	minimal-responses: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test validator with DLV and DLV is removed and not delegated
-; so the response is that the dlv domain itself does not exist, but it's
-; parent domain does exist (securely).
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN A
-SECTION AUTHORITY
-net.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN NS
-SECTION ANSWER
-net.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN A
-SECTION AUTHORITY
-example.net.	IN NS	ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.		IN 	A	1.2.3.5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.    IN NS   ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.         IN      A       1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; response to DNSKEY priming query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN DNSKEY
-SECTION ANSWER
-example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
-example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; DLV query, everything is NXDOMAIN
-; thus, no delegation to the dlv repository in dlv.example.com
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR AA NXDOMAIN
-SECTION QUESTION
-example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com.	3600	IN	NSEC	example.com. NS SOA RRSIG NSEC DNSKEY 
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AH++lP1qhsBw6zO1g3JVPZeQIpDhL9xT8V9xdgjXvCjIGQ1BUUlfQkA=
-SECTION ADDITIONAL
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-com.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC example.net.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. AIoUkJ04/7/kJFDLocoqksqt9UL2RHHwlRfXAMxGdBHcNO+GSpG47Uk= ;{id = 2854}
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.5
-; DS RR is
-; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-; DNSKEY prime query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN DNSKEY
-SECTION ANSWER
-example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; www.example.net query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.example.net. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 10 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA DO NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-SCENARIO_END

testdata/dlv_remove_pos.rpl

@@ -1,167 +0,0 @@
-; config options
-; The island of trust is at example.com
-server:
-	dlv-anchor: "dlv.example.net.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	val-override-date: "20070916134226"
-	target-fetch-policy: "0 0 0 0 0"
-	qname-minimisation: "no"
-	fake-sha1: yes
-	trust-anchor-signaling: no
-	minimal-responses: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test validator with DLV removed for positive anchored response
-; So the destination has a valid DNSSEC chain of trust to the root,
-; but the configured dlv anchor fails.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION AUTHORITY
-com.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-
-; this covers dlv.example.net and thus makes it servfail (unusable).
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR SERVFAIL
-SECTION QUESTION
-net. IN NS
-ENTRY_END
-
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.    IN NS   ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.         IN      A       1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; response to DNSKEY priming query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN DNSKEY
-SECTION ANSWER
-example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
-example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; response to query of interest
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A	10.20.30.40
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-www.example.com.        3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 10 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AD DO NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A	10.20.30.40
-www.example.com.        3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
-ENTRY_END
-
-SCENARIO_END

testdata/dlv_unused.rpl

@@ -1,277 +0,0 @@
-; config options
-; The island of trust is at example.com (the DLV repository)
-server:
-	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
-	trust-anchor: "example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix"
-	val-override-date: "20070916134226"
-	target-fetch-policy: "0 0 0 0 0"
-	fake-sha1: yes
-	trust-anchor-signaling: no
-	minimal-responses: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test validator, DLV anchor unused because trustanchor works.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN A
-SECTION AUTHORITY
-net.	IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	IN 	A	192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-net. IN NS
-SECTION ANSWER
-net.    IN NS   a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.     IN      A       192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN A
-SECTION AUTHORITY
-example.net.	IN NS	ns.example.net.
-SECTION ADDITIONAL
-ns.example.net.		IN 	A	1.2.3.5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.    IN NS   ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.         IN      A       1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; response to DNSKEY priming query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN DNSKEY
-SECTION ANSWER
-example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
-example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-; DLV query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-example.net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-com.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
-example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
-example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.5
-; DS RR is
-; example.net.	3600	IN	DS	30899 5 1 14188c885f20623ad1d3bec42798f3f951793e4c ; xehac-mofum-malyd-bomaf-pegit-fuzes-ganin-misiz-nigel-nozog-soxix
-; DNSKEY prime query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN DNSKEY
-SECTION ANSWER
-example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
-example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; NS query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-; www.example.net query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD DO
-SECTION QUESTION
-www.example.net. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 10 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AD DO NOERROR
-SECTION QUESTION
-www.example.net. IN A
-SECTION ANSWER
-www.example.net.	3600	IN	A	10.20.30.40
-www.example.net.	3600	IN	RRSIG	A 5 3 3600 20070926135752 20070829135752 30899 example.net. ACvv4RQVC7TbI57ewqFImRaVoymktJ5Cxn/FaCodIENt82LVM92nivbP2WtwWCsQHWp7FkrMxTlQTJwyAeXFyg== ;{id = 30899}
-SECTION AUTHORITY
-example.net.    IN NS   ns.example.net.
-example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
-SECTION ADDITIONAL
-ns.example.net.         IN      A       1.2.3.5
-ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
-ENTRY_END
-
-SCENARIO_END

testdata/dnstap.tdir/dnstap.test

@@ -24,6 +24,8 @@ else
 	exit 1
 fi
 
+echo "> wait for log to happen on timer"
+sleep 3
 echo "> check tap.log for dnstap info"
 # see if it logged the information in tap.log
 # wait for a moment for filesystem to catch up.

testdata/dnstap_reconnect.tdir/dnstap_reconnect.post

@@ -13,4 +13,6 @@ kill_pid $FWD_PID
 kill $UNBOUND_PID
 kill $UNBOUND_PID >/dev/null 2>&1
 cat unbound.log
+cat tap.log
+cat tap.errlog
 exit 0

testdata/doh_downstream.tdir/doh_downstream.conf

@@ -0,0 +1,27 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1@@PORT@
+	https-port: @PORT@
+	tls-service-key: "unbound_server.key"
+	tls-service-pem: "unbound_server.pem"
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	http-query-buffer-size: 1G
+	http-response-buffer-size: 1G
+	http-max-streams: 200
+
+	local-zone: "example.net" static
+	local-data: "www1.example.net. IN A 1.2.3.1"
+	local-data: "www2.example.net. IN A 1.2.3.2"
+	local-data: "www3.example.net. IN A 1.2.3.3"
+	local-zone: "drop.net" deny
+	tcp-upstream: yes
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"

testdata/doh_downstream.tdir/doh_downstream.dsc

@@ -0,0 +1,16 @@
+BaseName: doh_downstream
+Version: 1.0
+Description: Test DNS-over-HTTPS query processing
+CreationDate: Mon Jun 12 12:00:00 CET 2020
+Maintainer:
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: doh_downstream.pre
+Post: doh_downstream.post
+Test: doh_downstream.test
+AuxFiles: 
+Passed:
+Failure:

testdata/doh_downstream.tdir/doh_downstream.post

@@ -0,0 +1,13 @@
+# #-- doh_downstream.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+PRE="../.."
+if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+cat unbound.log

testdata/doh_downstream.tdir/doh_downstream.pre

@@ -0,0 +1,33 @@
+# #-- doh_downstream.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT doh_downstream.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < doh_downstream.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -vvvv -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+

testdata/doh_downstream.tdir/doh_downstream.test

@@ -0,0 +1,339 @@
+# #-- doh_downstream.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+get_make
+(cd $PRE; $MAKE dohclient)
+
+
+# this test query should just work (server is up)
+echo "> query www1.example.net."
+$PRE/dohclient -s 127.0.0.1 -p $UNBOUND_PORT www1.example.net. A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+echo "OK"
+
+# multiple requests (from localdata)
+echo "> query www1.example.net. www2.example.net. www3.example.net."
+$PRE/dohclient -s 127.0.0.1 -p $UNBOUND_PORT www1.example.net. A IN www2.example.net A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# out of order requests, the example.com elements take 2 seconds to wait.
+echo ""
+echo "> query www1.example.net. www.example.com. www2.example.net. www2.example.com. www3.example.net."
+$PRE/dohclient -s 127.0.0.1 -p $UNBOUND_PORT www1.example.net. A IN www.example.com. A IN www2.example.net A IN www2.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www.example.com" outfile | grep "10.20.30.40"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.com" outfile | grep "10.20.30.42"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# out of order requests, the example.com elements take 2 seconds to wait.
+# www.example.com present twice, answered twice.
+echo ""
+echo "> query www1.example.net. www.example.com. www2.example.net. www.example.com. www3.example.net."
+$PRE/dohclient -s 127.0.0.1 -p $UNBOUND_PORT www1.example.net. A IN www.example.com. A IN www2.example.net A IN www.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www.example.com" outfile | grep "10.20.30.40"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# out of order requests, the example.com elements take 2 seconds to wait.
+# www3.example.com present twice, answered twice.
+echo ""
+echo "> query www1.example.net. www3.example.com. www2.example.net. www3.example.com. www3.example.net."
+$PRE/dohclient -s 127.0.0.1 -p $UNBOUND_PORT www1.example.net. A IN www3.example.com. A IN www2.example.net A IN www3.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.com" outfile | grep "10.20.30.43"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+echo ""
+echo "> query www4.example.com. www3.example.net."
+$PRE/dohclient -s 127.0.0.1 -p $UNBOUND_PORT www4.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www4.example.com" outfile | grep "10.20.30.44"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+
+echo ""
+echo "> query a1.example.com. - a90.example.com."
+$PRE/dohclient -s 127.0.0.1 -p $UNBOUND_PORT www6.example.com. A IN a1.a.example.com. A IN a2.a.example.com. A IN a3.a.example.com. A IN a4.a.example.com. A IN a5.a.example.com. A IN a6.a.example.com. A IN a7.a.example.com. A IN a8.a.example.com. A IN a9.a.example.com. A IN a10.a.example.com. A IN a11.a.example.com. A IN a12.a.example.com. A IN a13.a.example.com. A IN a14.a.example.com. A IN a15.a.example.com. A IN a16.a.example.com. A IN a17.a.example.com. A IN a18.a.example.com. A IN a19.a.example.com. A IN a20.a.example.com. A IN a21.a.example.com. A IN a22.a.example.com. A IN a23.a.example.com. A IN a24.a.example.com. A IN a25.a.example.com. A IN a26.a.example.com. A IN a27.a.example.com. A IN a28.a.example.com. A IN a29.a.example.com. A IN a30.a.example.com. A IN a31.a.example.com. A IN a32.a.example.com. A IN a33.a.example.com. A IN a34.a.example.com. A IN a35.a.example.com. A IN a36.a.example.com. A IN a37.a.example.com. A IN a38.a.example.com. A IN a39.a.example.com. A IN a40.a.example.com. A IN a41.a.example.com. A IN a42.a.example.com. A IN a43.a.example.com. A IN a44.a.example.com. A IN a45.a.example.com. A IN a46.a.example.com. A IN a47.a.example.com. A IN a48.a.example.com. A IN a49.a.example.com. A IN a50.a.example.com. A IN a51.a.example.com. A IN a52.a.example.com. A IN a53.a.example.com. A IN a54.a.example.com. A IN a55.a.example.com. A IN a56.a.example.com. A IN a57.a.example.com. A IN a58.a.example.com. A IN a59.a.example.com. A IN a60.a.example.com. A IN a61.a.example.com. A IN a62.a.example.com. A IN a63.a.example.com. A IN a64.a.example.com. A IN a65.a.example.com. A IN a66.a.example.com. A IN a67.a.example.com. A IN a68.a.example.com. A IN a69.a.example.com. A IN a70.a.example.com. A IN a71.a.example.com. A IN a72.a.example.com. A IN a73.a.example.com. A IN a74.a.example.com. A IN a75.a.example.com. A IN a76.a.example.com. A IN a77.a.example.com. A IN a78.a.example.com. A IN a79.a.example.com. A IN a80.a.example.com. A IN a81.a.example.com. A IN a82.a.example.com. A IN a83.a.example.com. A IN a84.a.example.com. A IN a85.a.example.com. A IN a86.a.example.com. A IN a87.a.example.com. A IN a88.a.example.com. A IN a89.a.example.com. A IN a90.a.example.com. A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+num_ans=$(grep -B 3 "a.example.com.	IN	A" outfile | grep "rcode: NOERROR" | wc -l )
+if test "$num_ans" -ne 90; then
+	echo "number of answers not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+echo "OK"
+exit 0

testdata/doh_downstream.tdir/doh_downstream.testns

@@ -0,0 +1,74 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.42
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.43
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www4	IN	A
+SECTION ANSWER
+www4	IN	A	10.20.30.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www5	IN	A
+SECTION ANSWER
+www5	IN	A	10.20.30.45
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www6	IN	A
+SECTION ANSWER
+www6	IN	A	10.20.30.46
+ENTRY_END
+
+; lots of noerror/nodata answers for other queries (a.. queries)
+ENTRY_BEGIN
+MATCH opcode qtype subdomain
+REPLY QR AA NOERROR
+ADJUST copy_id copy_query
+SECTION QUESTION
+a.example.com.	IN	A
+SECTION AUTHORITY
+example.com.	IN SOA ns hostmaster 2019 28800 7200 604800 3600
+ENTRY_END

testdata/doh_downstream.tdir/unbound_server.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+-----END RSA PRIVATE KEY-----

testdata/doh_downstream.tdir/unbound_server.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+-----END CERTIFICATE-----

testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.conf

@@ -0,0 +1,17 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1@@PORT@
+	https-port: @PORT@
+	tls-service-key: "unbound_server.key"
+	tls-service-pem: "unbound_server.pem"
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	http-response-buffer-size: 500
+
+	local-zone: "example.net" redirect
+	local-data: "example.net. IN A 1.2.3.1"

testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.dsc

@@ -0,0 +1,16 @@
+BaseName: doh_downstream_buffer_size
+Version: 1.0
+Description: Test DNS-over-HTTPS http-response-buffer-size
+CreationDate: Mon Jun 12 12:00:00 CET 2020
+Maintainer:
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: doh_downstream_buffer_size.pre
+Post: doh_downstream_buffer_size.post
+Test: doh_downstream_buffer_size.test
+AuxFiles: 
+Passed:
+Failure:

testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.post

@@ -0,0 +1,12 @@
+# #-- doh_downstream.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+PRE="../.."
+if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+. ../common.sh
+kill_pid $UNBOUND_PID
+cat unbound.log

testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.pre

@@ -0,0 +1,24 @@
+# #-- doh_downstream.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+get_random_port 1
+UNBOUND_PORT=$RND_PORT
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < doh_downstream_buffer_size.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -vvvv -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_unbound_up unbound.log
+

testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.test

@@ -0,0 +1,39 @@
+# #-- doh_downstream.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+get_make
+(cd $PRE; $MAKE dohclient)
+
+
+echo "> query www.example.net. endpoint /dns-query"
+$PRE/dohclient -s 127.0.0.1 -p $UNBOUND_PORT 1.example.net. A IN 2.example.net. A IN 3.example.net. A IN 4.example.net. A IN 5.example.net. A IN 6.example.net. A IN 7.example.net. A IN 8.example.net. A IN 9.example.net. A IN 10.example.net. A IN  >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+num=$(grep "ANSWER SEC" outfile | wc -l)
+# 58 byte answers, 500 byte max response buffer -> 8 answers
+if [ $num -eq 8 ]; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+echo "OK"
+
+exit 0

testdata/doh_downstream_buffer_size.tdir/unbound_server.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+-----END RSA PRIVATE KEY-----

testdata/doh_downstream_buffer_size.tdir/unbound_server.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+-----END CERTIFICATE-----

testdata/doh_downstream_endpoint.tdir/doh_downstream_endpoint.conf

@@ -0,0 +1,17 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1@@PORT@
+	https-port: @PORT@
+	tls-service-key: "unbound_server.key"
+	tls-service-pem: "unbound_server.pem"
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	http-endpoint: "/abc"
+
+	local-zone: "example.net" static
+	local-data: "www.example.net. IN A 1.2.3.1"

testdata/doh_downstream_endpoint.tdir/doh_downstream_endpoint.dsc

@@ -0,0 +1,16 @@
+BaseName: doh_downstream
+Version: 1.0
+Description: Test DNS-over-HTTPS query processing, endpoint setting
+CreationDate: Mon Jun 12 12:00:00 CET 2020
+Maintainer:
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: doh_downstream_endpoint.pre
+Post: doh_downstream_endpoint.post
+Test: doh_downstream_endpoint.test
+AuxFiles: 
+Passed:
+Failure:

testdata/doh_downstream_endpoint.tdir/doh_downstream_endpoint.post

@@ -0,0 +1,12 @@
+# #-- doh_downstream.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+PRE="../.."
+. ../common.sh
+if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+kill_pid $UNBOUND_PID
+cat unbound.log

testdata/doh_downstream_endpoint.tdir/doh_downstream_endpoint.pre

@@ -0,0 +1,23 @@
+# #-- doh_downstream.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+get_random_port 1
+UNBOUND_PORT=$RND_PORT
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < doh_downstream_endpoint.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -vvvv -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_unbound_up unbound.log
+

testdata/doh_downstream_endpoint.tdir/doh_downstream_endpoint.test

@@ -0,0 +1,59 @@
+# #-- doh_downstream.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+get_make
+(cd $PRE; $MAKE dohclient)
+
+
+echo "> query www.example.net. endpoint /dns-query"
+$PRE/dohclient -s 127.0.0.1 -p $UNBOUND_PORT www.example.net. A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "status 404" outfile; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+echo "OK"
+
+echo "> query www.example.net. endpoint /abc"
+$PRE/dohclient -e /abc -s 127.0.0.1 -p $UNBOUND_PORT www.example.net. A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep ":status 200" outfile; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+echo "OK"
+exit 0

testdata/doh_downstream_endpoint.tdir/unbound_server.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+-----END RSA PRIVATE KEY-----

testdata/doh_downstream_endpoint.tdir/unbound_server.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+-----END CERTIFICATE-----

testdata/doh_downstream_post.tdir/doh_downstream_post.conf

@@ -0,0 +1,27 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1@@PORT@
+	https-port: @PORT@
+	tls-service-key: "unbound_server.key"
+	tls-service-pem: "unbound_server.pem"
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	http-query-buffer-size: 1G
+	http-response-buffer-size: 1G
+	http-max-streams: 200
+
+	local-zone: "example.net" static
+	local-data: "www1.example.net. IN A 1.2.3.1"
+	local-data: "www2.example.net. IN A 1.2.3.2"
+	local-data: "www3.example.net. IN A 1.2.3.3"
+	local-zone: "drop.net" deny
+	tcp-upstream: yes
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"