.gitignore

@@ -1 +1 @@
-SOURCES/unbound-1.7.3.tar.gz
+SOURCES/unbound-1.16.2.tar.gz

.unbound.metadata

@@ -1 +1 @@
-106789bdca173d033d769c67be3441b47611612a SOURCES/unbound-1.7.3.tar.gz
+9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz

SOURCES/icannbundle.pem

@@ -1,59 +1,3 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
-        Validity
-            Not Before: Dec 23 04:19:12 2009 GMT
-            Not After : Dec 18 04:19:12 2029 GMT
-        Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15:
-                    bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0:
-                    9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82:
-                    27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd:
-                    fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84:
-                    22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14:
-                    e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb:
-                    d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e:
-                    e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02:
-                    1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c:
-                    39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e:
-                    ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6:
-                    7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb:
-                    31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74:
-                    9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36:
-                    09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3:
-                    04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52:
-                    85:41
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
-    Signature Algorithm: sha256WithRSAEncryption
-        0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b:
-        3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7:
-        c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26:
-        b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c:
-        7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d:
-        9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c:
-        90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c:
-        84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a:
-        98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81:
-        5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8:
-        c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf:
-        1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2:
-        90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16:
-        70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31:
-        e7:40:61:a4
 -----BEGIN CERTIFICATE-----
 MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
 TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
@@ -75,163 +19,3 @@ DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH
 0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg
 j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk
 -----END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 11 (0xb)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
-        Validity
-            Not Before: Nov  8 23:39:47 2016 GMT
-            Not After : Nov  6 23:39:47 2026 GMT
-        Subject: O=ICANN, CN=ICANN EMAIL CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75:
-                    8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba:
-                    c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9:
-                    57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01:
-                    4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6:
-                    fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e:
-                    a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6:
-                    6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01:
-                    db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95:
-                    d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65:
-                    7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f:
-                    20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78:
-                    b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22:
-                    d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23:
-                    2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21:
-                    fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5:
-                    7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a:
-                    4d:b1
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Authority Key Identifier: 
-                keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
-
-            X509v3 Subject Key Identifier: 
-                7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4
-    Signature Algorithm: sha256WithRSAEncryption
-        0e:8a:c9:ea:6f:9c:e9:23:b6:9c:a6:a4:c2:d1:b1:ee:25:18:
-        24:2b:79:d4:a8:f2:99:b9:5c:91:4d:e6:2b:32:2e:01:f5:87:
-        95:64:fc:6d:f1:87:fa:24:b4:43:4b:49:f3:84:54:44:eb:af:
-        41:ab:49:ab:c8:b7:32:6c:14:83:5b:d7:2c:41:f9:89:d5:c4:
-        2b:9a:55:c5:b6:ad:17:d5:4d:bc:41:58:56:72:0d:db:b7:7d:
-        57:c6:a2:9c:7e:6b:67:ae:26:f8:26:45:bb:c4:95:2e:ea:71:
-        e3:b4:7a:69:95:a4:8a:80:f8:59:dc:88:6e:e1:a7:fc:bb:8e:
-        b2:aa:a8:b6:1b:2f:2c:97:a5:12:d5:82:ae:a0:e8:a6:15:fd:
-        d1:e0:5d:e4:84:b1:76:db:0a:e2:ca:58:2e:d3:df:48:4e:46:
-        ac:c6:35:79:17:99:ce:e9:be:2c:e4:c2:50:ff:5b:96:15:cd:
-        64:ac:1b:db:fe:d2:ac:43:61:c8:5f:ee:24:b6:a4:3b:d2:ff:
-        0a:f4:0c:88:58:a1:9d:a4:c1:1f:6a:6c:67:90:98:e8:1f:5e:
-        2d:55:60:91:26:2a:b1:66:80:e4:e6:0e:05:2c:75:a9:ca:0b:
-        e4:a0:8f:e1:47:a8:8f:61:5d:7c:ce:09:60:88:48:c3:46:bf:
-        be:7e:36:be
------BEGIN CERTIFICATE-----
-MIIDZDCCAkygAwIBAgIBCzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
-TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
-BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzk0N1oX
-DTI2MTEwNjIzMzk0N1owKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O
-IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz
-9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3
-jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6
-LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8
-ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK
-VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI
-QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
-AwIBBjAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU
-ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAA6KyepvnOkj
-tpympMLRse4lGCQredSo8pm5XJFN5isyLgH1h5Vk/G3xh/oktENLSfOEVETrr0Gr
-SavItzJsFINb1yxB+YnVxCuaVcW2rRfVTbxBWFZyDdu3fVfGopx+a2euJvgmRbvE
-lS7qceO0emmVpIqA+FnciG7hp/y7jrKqqLYbLyyXpRLVgq6g6KYV/dHgXeSEsXbb
-CuLKWC7T30hORqzGNXkXmc7pvizkwlD/W5YVzWSsG9v+0qxDYchf7iS2pDvS/wr0
-DIhYoZ2kwR9qbGeQmOgfXi1VYJEmKrFmgOTmDgUsdanKC+Sgj+FHqI9hXXzOCWCI
-SMNGv75+Nr4=
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 10 (0xa)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
-        Validity
-            Not Before: Nov  8 23:38:16 2016 GMT
-            Not After : Nov  6 23:38:16 2026 GMT
-        Subject: O=ICANN, CN=ICANN SSL CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60:
-                    7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d:
-                    73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35:
-                    e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89:
-                    81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61:
-                    17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca:
-                    dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28:
-                    9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d:
-                    f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d:
-                    d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68:
-                    f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0:
-                    3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa:
-                    94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40:
-                    3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85:
-                    e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b:
-                    09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b:
-                    20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8:
-                    e2:c5
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Authority Key Identifier: 
-                keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
-
-            X509v3 Subject Key Identifier: 
-                6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8
-    Signature Algorithm: sha256WithRSAEncryption
-        47:46:4f:c7:5f:46:e3:d1:dc:fc:2b:f8:fc:65:ce:36:b1:f4:
-        5f:ee:14:75:a3:d9:5f:de:75:4b:fa:7b:88:9f:10:8c:2e:97:
-        cc:35:1b:ce:24:d3:36:60:95:d5:ae:11:b6:3f:8b:f4:12:69:
-        85:b5:3b:2a:b6:ab:7a:81:85:c2:55:57:ed:d0:b5:e7:4f:54:
-        37:51:24:c9:d5:07:3a:ef:b6:c5:1a:3e:14:29:a7:a6:f8:08:
-        2a:0b:26:79:f9:62:85:4a:e5:ea:90:ca:71:38:16:91:4e:7e:
-        fd:e3:b3:f3:55:8f:5a:d0:86:cf:33:94:88:f1:90:99:cb:81:
-        e2:81:92:68:2f:c3:61:d5:52:8d:e6:9a:5b:00:83:42:27:88:
-        f6:d9:fa:d1:bc:bb:b0:bc:b5:14:0b:4e:1a:54:ef:fa:d6:9d:
-        c4:0c:fc:ed:15:ab:21:4b:45:b5:d9:3b:ed:3c:d5:1e:2e:7a:
-        83:6f:24:45:d4:4c:b4:ef:60:43:18:d0:84:5d:16:7b:f5:50:
-        80:b1:a9:c2:8f:3b:c8:90:08:fd:aa:17:13:19:38:19:d1:8e:
-        85:7c:1e:57:16:8c:f9:8a:e8:29:25:38:cd:bb:55:8e:4a:6a:
-        6f:e5:7d:fc:d7:55:d6:ae:38:07:96:c1:97:ff:e5:2b:4f:99:
-        2d:70:f2:08
------BEGIN CERTIFICATE-----
-MIIDYjCCAkqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
-TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
-BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzgxNloX
-DTI2MTEwNjIzMzgxNlowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O
-IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z
-K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3
-VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo
-nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz
-kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4
-yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H
-kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
-AQYwHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53
-qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQBHRk/HX0bj0dz8
-K/j8Zc42sfRf7hR1o9lf3nVL+nuInxCMLpfMNRvOJNM2YJXVrhG2P4v0EmmFtTsq
-tqt6gYXCVVft0LXnT1Q3USTJ1Qc677bFGj4UKaem+AgqCyZ5+WKFSuXqkMpxOBaR
-Tn7947PzVY9a0IbPM5SI8ZCZy4HigZJoL8Nh1VKN5ppbAINCJ4j22frRvLuwvLUU
-C04aVO/61p3EDPztFashS0W12TvtPNUeLnqDbyRF1Ey072BDGNCEXRZ79VCAsanC
-jzvIkAj9qhcTGTgZ0Y6FfB5XFoz5iugpJTjNu1WOSmpv5X3811XWrjgHlsGX/+Ur
-T5ktcPII
------END CERTIFICATE-----

SOURCES/remote-control.conf

@@ -0,0 +1,9 @@
+# Remote control config section update.
+# Previous defaults allowed any process to change settings, CVE-2024-1488
+remote-control:
+    # set to an absolute path to use a unix local name pipe, certificates
+    # are not used for that, so key and cert files need not be present.
+    control-interface: "/run/unbound/control"
+
+    # For local sockets this option is ignored, and TLS is not used.
+    control-use-cert: "yes"

SOURCES/unbound-1.15-source-compat.patch

@@ -0,0 +1,85 @@
+From fbde301c2706a5d0c9c3942fe84693f2b7a6b16c Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Sat, 7 May 2022 10:05:33 +0200
+Subject: [PATCH] Use reserved RCODE, fake source version
+
+Use RCODE value assigned for a private use. Previous value were possible
+returned value.
+
+Fake source version to be still 1.7.x. Hide real version into micro
+version component and export it also in a proper way with _REAL
+suffixes. Should workaround any source code detection to support correct
+callback format. Fixes compilation error in libreswan.
+
+Use preprocessed unbound.h to prevent failures
+
+Swig complains about wrong @ variable formats. Make it use preprocessed
+header instead of a template.
+---
+ libunbound/python/libunbound.i |  4 ++--
+ libunbound/unbound.h           | 13 ++++++++++---
+ services/mesh.h                |  2 +-
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
+index c9549bf90..f01e9111e 100644
+--- a/libunbound/python/libunbound.i
++++ b/libunbound/python/libunbound.i
+@@ -53,7 +53,7 @@
+    #ifdef HAVE_ARPA_INET_H
+    #include <arpa/inet.h>
+    #endif
+-   #include "libunbound/unbound.h"
++   #include "unbound.h"
+ %}
+ 
+ %pythoncode %{
+@@ -855,7 +855,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
+   //printf("resolve_stop()\n");
+ %} 
+ 
+-%include "libunbound/unbound.h"
++%include "unbound.h"
+ 
+ %inline %{
+   //SWIG will see the ub_ctx as a class
+diff --git a/libunbound/unbound.h b/libunbound/unbound.h
+index c822d3f89..82660bd51 100644
+--- a/libunbound/unbound.h
++++ b/libunbound/unbound.h
+@@ -102,9 +102,16 @@ extern "C" {
+ #endif
+ 
+ /** the version of this header file */
+-#define UNBOUND_VERSION_MAJOR @UNBOUND_VERSION_MAJOR@
+-#define UNBOUND_VERSION_MINOR @UNBOUND_VERSION_MINOR@
+-#define UNBOUND_VERSION_MICRO @UNBOUND_VERSION_MICRO@
++/* Because of RHEL compat change, callback type remains at
++ * 1.7.3 version. To prevent source-level incompatibility,
++ * fake still old version. Export real version in _REAL
++ * suffix definitions. */
++#define UNBOUND_VERSION_MAJOR 1
++#define UNBOUND_VERSION_MINOR 7
++#define UNBOUND_VERSION_MICRO @UNBOUND_VERSION_MAJOR@@UNBOUND_VERSION_MINOR@@UNBOUND_VERSION_MICRO@
++#define UNBOUND_VERSION_MAJOR_REAL @UNBOUND_VERSION_MAJOR@
++#define UNBOUND_VERSION_MINOR_REAL @UNBOUND_VERSION_MINOR@
++#define UNBOUND_VERSION_MICRO_REAL @UNBOUND_VERSION_MICRO@
+ 
+ /**
+  * The validation context is created to hold the resolver status,
+diff --git a/services/mesh.h b/services/mesh.h
+index 9c6f958ff..c0cbf355e 100644
+--- a/services/mesh.h
++++ b/services/mesh.h
+@@ -237,7 +237,7 @@ struct mesh_reply {
+ /* RHEL 8 compatibility layer.
+  * Special rcode to send was_ratelimited to callback without adding
+  * extra parameter. It is ORed to the rcode parameter of the callback. */
+-#define LDNS_RCODE_RATELIMITED 0x100
++#define LDNS_RCODE_RATELIMITED 0xf80
+ #define RCODE_IS_RATELIMITED(rcode) ((rcode & LDNS_RCODE_RATELIMITED) != 0)
+ #define RCODE_NOT_RATELIMITED(rcode) (rcode & ~LDNS_RCODE_RATELIMITED)
+ 
+-- 
+2.34.1
+

SOURCES/unbound-1.15-soversion2-compat.patch

@@ -0,0 +1,471 @@
+From 605d66f0b6b8f7c308010f455058299d25c1d2ee Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 6 May 2022 16:36:39 +0200
+Subject: [PATCH] Rework ABI breaking change to compatible way
+
+Upstream commit 749d1b9ebc6fcb79824afd0471a1cfc12ca861b1 introduced
+was_ratelimited variable to every async callback. Such change led to ABI
+break and increase of soname of libunbound.
+
+Use rcode to pass that boolean inside rcode variable. Allows keeping
+original callback prototype, but does not lose data. Extra integer bit
+operations should be very small price. Much better than ABI break.
+
+Make current version compatible back to .2 version.
+---
+ unbound-1.16.2/configure.ac               |  2 +-
+ unbound-1.16.2/daemon/worker.c            |  6 ++--
+ unbound-1.16.2/libunbound/libworker.c     | 34 +++++++++++++++--------
+ unbound-1.16.2/libunbound/unbound-event.h |  3 +-
+ unbound-1.16.2/libunbound/unbound.h       | 13 +++++----
+ unbound-1.16.2/libunbound/worker.h        |  6 ++--
+ unbound-1.16.2/services/authzone.c        | 11 ++++----
+ unbound-1.16.2/services/authzone.h        |  9 ++----
+ unbound-1.16.2/services/mesh.c            | 17 ++++++++----
+ unbound-1.16.2/services/mesh.h            |  9 +++++-
+ unbound-1.16.2/smallapp/worker_cb.c       |  6 ++--
+ unbound-1.16.2/validator/autotrust.c      |  2 +-
+ unbound-1.16.2/validator/autotrust.h      |  2 +-
+ 13 files changed, 72 insertions(+), 48 deletions(-)
+
+diff --git a/unbound-1.16.2/configure.ac b/unbound-1.16.2/configure.ac
+index 224501b..71f066c 100644
+--- a/unbound-1.16.2/configure.ac
++++ b/unbound-1.16.2/configure.ac
+@@ -19,7 +19,7 @@ AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
+ 
+ LIBUNBOUND_CURRENT=9
+ LIBUNBOUND_REVISION=18
+-LIBUNBOUND_AGE=1
++LIBUNBOUND_AGE=7
+ # 1.0.0 had 0:12:0
+ # 1.0.1 had 0:13:0
+ # 1.0.2 had 0:14:0
+diff --git a/unbound-1.16.2/daemon/worker.c b/unbound-1.16.2/daemon/worker.c
+index 010c4dc..2b87a41 100644
+--- a/unbound-1.16.2/daemon/worker.c
++++ b/unbound-1.16.2/daemon/worker.c
+@@ -2268,21 +2268,21 @@ void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
+ 
+ void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
+ 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
+-	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
++	char* ATTR_UNUSED(why_bogus))
+ {
+ 	log_assert(0);
+ }
+ 
+ void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
+ 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
+-	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
++	char* ATTR_UNUSED(why_bogus))
+ {
+ 	log_assert(0);
+ }
+ 
+ void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
+ 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
+-	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
++	char* ATTR_UNUSED(why_bogus))
+ {
+ 	log_assert(0);
+ }
+diff --git a/unbound-1.16.2/libunbound/libworker.c b/unbound-1.16.2/libunbound/libworker.c
+index 11bf5f9..6895119 100644
+--- a/unbound-1.16.2/libunbound/libworker.c
++++ b/unbound-1.16.2/libunbound/libworker.c
+@@ -549,9 +549,10 @@ libworker_enter_result(struct ub_result* res, sldns_buffer* buf,
+ /** fillup fg results */
+ static void
+ libworker_fillup_fg(struct ctx_query* q, int rcode, sldns_buffer* buf, 
+-	enum sec_status s, char* why_bogus, int was_ratelimited)
++	enum sec_status s, char* why_bogus)
+ {
+-	q->res->was_ratelimited = was_ratelimited;
++	q->res->was_ratelimited = RCODE_IS_RATELIMITED(rcode);
++	rcode = RCODE_NOT_RATELIMITED(rcode);
+ 	if(why_bogus)
+ 		q->res->why_bogus = strdup(why_bogus);
+ 	if(rcode != 0) {
+@@ -575,13 +576,13 @@ libworker_fillup_fg(struct ctx_query* q, int rcode, sldns_buffer* buf,
+ 
+ void
+ libworker_fg_done_cb(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
+-	char* why_bogus, int was_ratelimited)
++	char* why_bogus)
+ {
+ 	struct ctx_query* q = (struct ctx_query*)arg;
+ 	/* fg query is done; exit comm base */
+ 	comm_base_exit(q->w->base);
+ 
+-	libworker_fillup_fg(q, rcode, buf, s, why_bogus, was_ratelimited);
++	libworker_fillup_fg(q, rcode, buf, s, why_bogus);
+ }
+ 
+ /** setup qinfo and edns */
+@@ -634,7 +635,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
+ 		NULL, 0, NULL, 0, NULL)) {
+ 		regional_free_all(w->env->scratch);
+ 		libworker_fillup_fg(q, LDNS_RCODE_NOERROR, 
+-			w->back->udp_buff, sec_status_insecure, NULL, 0);
++			w->back->udp_buff, sec_status_insecure, NULL);
+ 		libworker_delete(w);
+ 		free(qinfo.qname);
+ 		return UB_NOERROR;
+@@ -643,7 +644,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
+ 		w->env, &qinfo, &edns, NULL, w->back->udp_buff, w->env->scratch)) {
+ 		regional_free_all(w->env->scratch);
+ 		libworker_fillup_fg(q, LDNS_RCODE_NOERROR, 
+-			w->back->udp_buff, sec_status_insecure, NULL, 0);
++			w->back->udp_buff, sec_status_insecure, NULL);
+ 		libworker_delete(w);
+ 		free(qinfo.qname);
+ 		return UB_NOERROR;
+@@ -665,7 +666,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
+ 
+ void
+ libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
+-	enum sec_status s, char* why_bogus, int was_ratelimited)
++	enum sec_status s, char* why_bogus)
+ {
+ 	struct ctx_query* q = (struct ctx_query*)arg;
+ 	ub_event_callback_type cb = q->cb_event;
+@@ -688,7 +689,7 @@ libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
+ 		else if(s == sec_status_secure)
+ 			sec = 2;
+ 		(*cb)(cb_arg, rcode, (buf?(void*)sldns_buffer_begin(buf):NULL),
+-			(buf?(int)sldns_buffer_limit(buf):0), sec, why_bogus, was_ratelimited);
++			(buf?(int)sldns_buffer_limit(buf):0), sec, why_bogus);
+ 	}
+ }
+ 
+@@ -715,7 +716,7 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
+ 		regional_free_all(w->env->scratch);
+ 		free(qinfo.qname);
+ 		libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
+-			w->back->udp_buff, sec_status_insecure, NULL, 0);
++			w->back->udp_buff, sec_status_insecure, NULL);
+ 		return UB_NOERROR;
+ 	}
+ 	if(ctx->env->auth_zones && auth_zones_answer(ctx->env->auth_zones,
+@@ -723,7 +724,7 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
+ 		regional_free_all(w->env->scratch);
+ 		free(qinfo.qname);
+ 		libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
+-			w->back->udp_buff, sec_status_insecure, NULL, 0);
++			w->back->udp_buff, sec_status_insecure, NULL);
+ 		return UB_NOERROR;
+ 	}
+ 	/* process new query */
+@@ -788,12 +789,23 @@ add_bg_result(struct libworker* w, struct ctx_query* q, sldns_buffer* pkt,
+ 	}
+ }
+ 
++
++void
++libworker_bg_done_cb_compat(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
++	char* why_bogus)
++{
++	rcode = RCODE_NOT_RATELIMITED(rcode);
++	libworker_bg_done_cb(arg, rcode, buf, s, why_bogus);
++}
++
+ void
+ libworker_bg_done_cb(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
+-	char* why_bogus, int was_ratelimited)
++	char* why_bogus)
+ {
++	int was_ratelimited = RCODE_IS_RATELIMITED(rcode);
+ 	struct ctx_query* q = (struct ctx_query*)arg;
+ 
++	rcode = RCODE_NOT_RATELIMITED(rcode);
+ 	if(q->cancelled || q->w->back->want_to_quit) {
+ 		if(q->w->is_bg_thread) {
+ 			/* delete it now */
+diff --git a/unbound-1.16.2/libunbound/unbound-event.h b/unbound-1.16.2/libunbound/unbound-event.h
+index a5d5c03..70aa4c8 100644
+--- a/unbound-1.16.2/libunbound/unbound-event.h
++++ b/unbound-1.16.2/libunbound/unbound-event.h
+@@ -170,7 +170,8 @@ struct ub_event {
+ 	struct ub_event_vmt* vmt;
+ };
+ 
+-typedef void (*ub_event_callback_type)(void*, int, void*, int, int, char*, int);
++/* Uses define LDNS_RCODE_RATELIMITED from services/mesh.h */
++typedef void (*ub_event_callback_type)(void*, int, void*, int, int, char*);
+ 
+ /**
+  * Create a resolving and validation context.
+diff --git a/unbound-1.16.2/libunbound/unbound.h b/unbound-1.16.2/libunbound/unbound.h
+index c779d18..f6d5c7c 100644
+--- a/unbound-1.16.2/libunbound/unbound.h
++++ b/unbound-1.16.2/libunbound/unbound.h
+@@ -203,18 +203,19 @@ struct ub_result {
+ 	 */
+ 	char* why_bogus;
+ 
++	/**
++	 * TTL for the result, in seconds.  If the security is bogus, then
++	 * you also cannot trust this value.
++	 */
++	int ttl;
++
+ 	/**
+ 	 * If the query or one of its subqueries was ratelimited.  Useful if
+ 	 * ratelimiting is enabled and answer to the client is SERVFAIL as a
+ 	 * result.
++	 * RHEL8 Change, moved after ttl.
+ 	 */
+ 	int was_ratelimited;
+-
+-	/**
+-	 * TTL for the result, in seconds.  If the security is bogus, then
+-	 * you also cannot trust this value.
+-	 */
+-	int ttl;
+ };
+ 
+ /**
+diff --git a/unbound-1.16.2/libunbound/worker.h b/unbound-1.16.2/libunbound/worker.h
+index 0fa5bfa..8b64b4d 100644
+--- a/unbound-1.16.2/libunbound/worker.h
++++ b/unbound-1.16.2/libunbound/worker.h
+@@ -90,15 +90,15 @@ void libworker_handle_control_cmd(struct tube* tube, uint8_t* msg, size_t len,
+ 
+ /** mesh callback with fg results */
+ void libworker_fg_done_cb(void* arg, int rcode, sldns_buffer* buf, 
+-	enum sec_status s, char* why_bogus, int was_ratelimited);
++	enum sec_status s, char* why_bogus);
+ 
+ /** mesh callback with bg results */
+ void libworker_bg_done_cb(void* arg, int rcode, sldns_buffer* buf, 
+-	enum sec_status s, char* why_bogus, int was_ratelimited);
++	enum sec_status s, char* why_bogus);
+ 
+ /** mesh callback with event results */
+ void libworker_event_done_cb(void* arg, int rcode, struct sldns_buffer* buf, 
+-	enum sec_status s, char* why_bogus, int was_ratelimited);
++	enum sec_status s, char* why_bogus);
+ 
+ /**
+  * Worker signal handler function. User argument is the worker itself.
+diff --git a/unbound-1.16.2/services/authzone.c b/unbound-1.16.2/services/authzone.c
+index b9e0b11..c72949f 100644
+--- a/unbound-1.16.2/services/authzone.c
++++ b/unbound-1.16.2/services/authzone.c
+@@ -5656,8 +5656,7 @@ xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset,
+ 
+ /** callback for task_transfer lookup of host name, of A or AAAA */
+ void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
+-	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
+-	int ATTR_UNUSED(was_ratelimited))
++	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus))
+ {
+ 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
+ 	struct module_env* env;
+@@ -5669,6 +5668,7 @@ void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
+ 		return; /* stop on quit */
+ 	}
+ 
++	rcode = RCODE_NOT_RATELIMITED(rcode);
+ 	/* process result */
+ 	if(rcode == LDNS_RCODE_NOERROR) {
+ 		uint16_t wanted_qtype = LDNS_RR_TYPE_A;
+@@ -6717,8 +6717,7 @@ xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env)
+ 
+ /** callback for task_probe lookup of host name, of A or AAAA */
+ void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
+-	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
+-	int ATTR_UNUSED(was_ratelimited))
++	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus))
+ {
+ 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
+ 	struct module_env* env;
+@@ -6730,6 +6729,7 @@ void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
+ 		return; /* stop on quit */
+ 	}
+ 
++	rcode = RCODE_NOT_RATELIMITED(rcode);
+ 	/* process result */
+ 	if(rcode == LDNS_RCODE_NOERROR) {
+ 		uint16_t wanted_qtype = LDNS_RR_TYPE_A;
+@@ -8212,7 +8212,7 @@ auth_zone_verify_zonemd_key_with_ds(struct auth_zone* z,
+ 
+ /** callback for ZONEMD lookup of DNSKEY */
+ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
+-	enum sec_status sec, char* why_bogus, int ATTR_UNUSED(was_ratelimited))
++	enum sec_status sec, char* why_bogus)
+ {
+ 	struct auth_zone* z = (struct auth_zone*)arg;
+ 	struct module_env* env;
+@@ -8234,6 +8234,7 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
+ 	if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DS)
+ 		typestr = "DS";
+ 	downprot = env->cfg->harden_algo_downgrade;
++	rcode = RCODE_NOT_RATELIMITED(rcode);
+ 
+ 	/* process result */
+ 	if(sec == sec_status_bogus) {
+diff --git a/unbound-1.16.2/services/authzone.h b/unbound-1.16.2/services/authzone.h
+index 07614ed..b339fc1 100644
+--- a/unbound-1.16.2/services/authzone.h
++++ b/unbound-1.16.2/services/authzone.h
+@@ -690,12 +690,10 @@ void auth_xfer_probe_timer_callback(void* arg);
+ void auth_xfer_transfer_timer_callback(void* arg);
+ /** mesh callback for task_probe on lookup of host names */
+ void auth_xfer_probe_lookup_callback(void* arg, int rcode,
+-	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
+-	int was_ratelimited);
++	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
+ /** mesh callback for task_transfer on lookup of host names */
+ void auth_xfer_transfer_lookup_callback(void* arg, int rcode,
+-	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
+-	int was_ratelimited);
++	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
+ 
+ /*
+  * Compares two 32-bit serial numbers as defined in RFC1982.  Returns
+@@ -774,8 +772,7 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
+ 
+ /** mesh callback for zonemd on lookup of dnskey */
+ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode,
+-	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
+-	int was_ratelimited);
++	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
+ 
+ /**
+  * Check the ZONEMD records that need online DNSSEC chain lookups,
+diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
+index 30bcf7c..fc3c690 100644
+--- a/unbound-1.16.2/services/mesh.c
++++ b/unbound-1.16.2/services/mesh.c
+@@ -63,6 +63,7 @@
+ #include "util/data/dname.h"
+ #include "respip/respip.h"
+ #include "services/listen_dnsport.h"
++#include "libunbound/unbound-event.h"
+ 
+ #ifdef CLIENT_SUBNET
+ #include "edns-subnet/subnetmod.h"
+@@ -1012,7 +1013,7 @@ mesh_state_cleanup(struct mesh_state* mstate)
+ 			mstate->cb_list = cb->next;
+ 			fptr_ok(fptr_whitelist_mesh_cb(cb->cb));
+ 			(*cb->cb)(cb->cb_arg, LDNS_RCODE_SERVFAIL, NULL,
+-				sec_status_unchecked, NULL, 0);
++				sec_status_unchecked, NULL);
+ 			log_assert(mesh->num_reply_addrs > 0);
+ 			mesh->num_reply_addrs--;
+ 		}
+@@ -1268,8 +1269,9 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
+ 					r->edns.opt_list_inplace_cb_out = NULL;
+ 		}
+ 		fptr_ok(fptr_whitelist_mesh_cb(r->cb));
+-		(*r->cb)(r->cb_arg, rcode, r->buf, sec_status_unchecked, NULL,
+-			was_ratelimited);
++		if (was_ratelimited)
++			rcode |= LDNS_RCODE_RATELIMITED;
++		(*r->cb)(r->cb_arg, rcode, r->buf, sec_status_unchecked, NULL);
+ 	} else {
+ 		size_t udp_size = r->edns.udp_size;
+ 		sldns_buffer_clear(r->buf);
+@@ -1287,11 +1289,14 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
+ 		{
+ 			fptr_ok(fptr_whitelist_mesh_cb(r->cb));
+ 			(*r->cb)(r->cb_arg, LDNS_RCODE_SERVFAIL, r->buf,
+-				sec_status_unchecked, NULL, 0);
++				sec_status_unchecked, NULL);
+ 		} else {
+ 			fptr_ok(fptr_whitelist_mesh_cb(r->cb));
+-			(*r->cb)(r->cb_arg, LDNS_RCODE_NOERROR, r->buf,
+-				rep->security, reason, was_ratelimited);
++			rcode = LDNS_RCODE_NOERROR;
++			if (was_ratelimited)
++				rcode |= LDNS_RCODE_RATELIMITED;
++			(*r->cb)(r->cb_arg, rcode, r->buf,
++				rep->security, reason);
+ 		}
+ 	}
+ 	free(reason);
+diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
+index 3be9b63..5050d6c 100644
+--- a/unbound-1.16.2/services/mesh.h
++++ b/unbound-1.16.2/services/mesh.h
+@@ -234,13 +234,20 @@ struct mesh_reply {
+ 	struct http2_stream* h2_stream;
+ };
+ 
++/* RHEL 8 compatibility layer.
++ * Special rcode to send was_ratelimited to callback without adding
++ * extra parameter. It is ORed to the rcode parameter of the callback. */
++#define LDNS_RCODE_RATELIMITED 0x100
++#define RCODE_IS_RATELIMITED(rcode) ((rcode & LDNS_RCODE_RATELIMITED) != 0)
++#define RCODE_NOT_RATELIMITED(rcode) (rcode & ~LDNS_RCODE_RATELIMITED)
++
+ /** 
+  * Mesh result callback func.
+  * called as func(cb_arg, rcode, buffer_with_reply, security, why_bogus,
+  *		was_ratelimited);
+  */
+ typedef void (*mesh_cb_func_type)(void* cb_arg, int rcode, struct sldns_buffer*,
+-	enum sec_status, char* why_bogus, int was_ratelimited);
++	enum sec_status, char* why_bogus);
+ 
+ /**
+  * Callback to result routine
+diff --git a/unbound-1.16.2/smallapp/worker_cb.c b/unbound-1.16.2/smallapp/worker_cb.c
+index c689817..c7b1653 100644
+--- a/unbound-1.16.2/smallapp/worker_cb.c
++++ b/unbound-1.16.2/smallapp/worker_cb.c
+@@ -159,21 +159,21 @@ void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
+ 
+ void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode), 
+ 	struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
+-	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
++	char* ATTR_UNUSED(why_bogus))
+ {
+ 	log_assert(0);
+ }
+ 
+ void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode), 
+ 	struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
+-	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
++	char* ATTR_UNUSED(why_bogus))
+ {
+ 	log_assert(0);
+ }
+ 
+ void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode), 
+ 	struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
+-	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
++	char* ATTR_UNUSED(why_bogus))
+ {
+ 	log_assert(0);
+ }
+diff --git a/unbound-1.16.2/validator/autotrust.c b/unbound-1.16.2/validator/autotrust.c
+index 3cdf9ce..40b3e35 100644
+--- a/unbound-1.16.2/validator/autotrust.c
++++ b/unbound-1.16.2/validator/autotrust.c
+@@ -2331,7 +2331,7 @@ autr_debug_print(struct val_anchors* anchors)
+ 
+ void probe_answer_cb(void* arg, int ATTR_UNUSED(rcode), 
+ 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(sec),
+-	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
++	char* ATTR_UNUSED(why_bogus))
+ {
+ 	/* retry was set before the query was done,
+ 	 * re-querytime is set when query succeeded, but that may not
+diff --git a/unbound-1.16.2/validator/autotrust.h b/unbound-1.16.2/validator/autotrust.h
+index 057f2b6..c549798 100644
+--- a/unbound-1.16.2/validator/autotrust.h
++++ b/unbound-1.16.2/validator/autotrust.h
+@@ -206,6 +206,6 @@ void autr_debug_print(struct val_anchors* anchors);
+ 
+ /** callback for query answer to 5011 probe */
+ void probe_answer_cb(void* arg, int rcode, struct sldns_buffer* buf, 
+-	enum sec_status sec, char* errinf, int was_ratelimited);
++	enum sec_status sec, char* errinf);
+ 
+ #endif /* VALIDATOR_AUTOTRUST_H */
+-- 
+2.37.1
+

SOURCES/unbound-1.16-CVE-2022-3204.patch

@@ -0,0 +1,218 @@
+From 7af485f0fc9926425681ba0280ab6c2c8dd04530 Mon Sep 17 00:00:00 2001
+From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
+Date: Wed, 21 Sep 2022 11:10:38 +0200
+Subject: [PATCH] - Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
+
+---
+ unbound-1.16.2/iterator/iter_delegpt.c |  3 +++
+ unbound-1.16.2/iterator/iter_delegpt.h |  2 ++
+ unbound-1.16.2/iterator/iter_utils.c   |  3 +++
+ unbound-1.16.2/iterator/iter_utils.h   |  9 +++++++
+ unbound-1.16.2/iterator/iterator.c     | 36 +++++++++++++++++++++++++-
+ unbound-1.16.2/services/cache/dns.c    |  3 +++
+ unbound-1.16.2/services/mesh.c         |  7 +++++
+ unbound-1.16.2/services/mesh.h         | 11 ++++++++
+ 8 files changed, 73 insertions(+), 1 deletion(-)
+
+diff --git a/unbound-1.16.2/iterator/iter_delegpt.c b/unbound-1.16.2/iterator/iter_delegpt.c
+index 4bffa1b..fd07aaa 100644
+--- a/unbound-1.16.2/iterator/iter_delegpt.c
++++ b/unbound-1.16.2/iterator/iter_delegpt.c
+@@ -78,6 +78,7 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
+ 		if(!delegpt_add_ns(copy, region, ns->name, ns->lame,
+ 			ns->tls_auth_name, ns->port))
+ 			return NULL;
++		copy->nslist->cache_lookup_count = ns->cache_lookup_count;
+ 		copy->nslist->resolved = ns->resolved;
+ 		copy->nslist->got4 = ns->got4;
+ 		copy->nslist->got6 = ns->got6;
+@@ -121,6 +122,7 @@ delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name,
+ 	ns->namelen = len;
+ 	dp->nslist = ns;
+ 	ns->name = regional_alloc_init(region, name, ns->namelen);
++	ns->cache_lookup_count = 0;
+ 	ns->resolved = 0;
+ 	ns->got4 = 0;
+ 	ns->got6 = 0;
+@@ -620,6 +622,7 @@ int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame,
+ 	}
+ 	ns->next = dp->nslist;
+ 	dp->nslist = ns;
++	ns->cache_lookup_count = 0;
+ 	ns->resolved = 0;
+ 	ns->got4 = 0;
+ 	ns->got6 = 0;
+diff --git a/unbound-1.16.2/iterator/iter_delegpt.h b/unbound-1.16.2/iterator/iter_delegpt.h
+index 62c8edc..586597a 100644
+--- a/unbound-1.16.2/iterator/iter_delegpt.h
++++ b/unbound-1.16.2/iterator/iter_delegpt.h
+@@ -101,6 +101,8 @@ struct delegpt_ns {
+ 	uint8_t* name;
+ 	/** length of name */
+ 	size_t namelen;
++	/** number of cache lookups for the name */
++	int cache_lookup_count;
+ 	/** 
+ 	 * If the name has been resolved. false if not queried for yet.
+ 	 * true if the A, AAAA queries have been generated.
+diff --git a/unbound-1.16.2/iterator/iter_utils.c b/unbound-1.16.2/iterator/iter_utils.c
+index 3e13e59..56b184a 100644
+--- a/unbound-1.16.2/iterator/iter_utils.c
++++ b/unbound-1.16.2/iterator/iter_utils.c
+@@ -1209,6 +1209,9 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
+ 	struct delegpt_ns* ns;
+ 	size_t num = delegpt_count_targets(dp);
+ 	for(ns = dp->nslist; ns; ns = ns->next) {
++		if(ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE)
++			continue;
++		ns->cache_lookup_count++;
+ 		/* get cached parentside A */
+ 		akey = rrset_cache_lookup(env->rrset_cache, ns->name,
+ 			ns->namelen, LDNS_RR_TYPE_A, qinfo->qclass,
+diff --git a/unbound-1.16.2/iterator/iter_utils.h b/unbound-1.16.2/iterator/iter_utils.h
+index 8583fde..850be96 100644
+--- a/unbound-1.16.2/iterator/iter_utils.h
++++ b/unbound-1.16.2/iterator/iter_utils.h
+@@ -62,6 +62,15 @@ struct ub_packed_rrset_key;
+ struct module_stack;
+ struct outside_network;
+ 
++/* max number of lookups in the cache for target nameserver names.
++ * This stops, for large delegations, N*N lookups in the cache. */
++#define ITERATOR_NAME_CACHELOOKUP_MAX	3
++/* max number of lookups in the cache for parentside glue for nameserver names
++ * This stops, for larger delegations, N*N lookups in the cache.
++ * It is a little larger than the nonpside max, so it allows a couple extra
++ * lookups of parent side glue. */
++#define ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE	5
++
+ /**
+  * Process config options and set iterator module state.
+  * Sets default values if no config is found.
+diff --git a/unbound-1.16.2/iterator/iterator.c b/unbound-1.16.2/iterator/iterator.c
+index 25e5cfe..da9b799 100644
+--- a/unbound-1.16.2/iterator/iterator.c
++++ b/unbound-1.16.2/iterator/iterator.c
+@@ -1218,6 +1218,15 @@ generate_dnskey_prefetch(struct module_qstate* qstate,
+ 		(qstate->query_flags&BIT_RD) && !(qstate->query_flags&BIT_CD)){
+ 		return;
+ 	}
++	/* we do not generate this prefetch when the query list is full,
++	 * the query is fetched, if needed, when the validator wants it.
++	 * At that time the validator waits for it, after spawning it.
++	 * This means there is one state that uses cpu and a socket, the
++	 * spawned while this one waits, and not several at the same time,
++	 * if we had created the lookup here. And this helps to keep
++	 * the total load down, but the query still succeeds to resolve. */
++	if(mesh_jostle_exceeded(qstate->env->mesh))
++		return;
+ 
+ 	/* if the DNSKEY is in the cache this lookup will stop quickly */
+ 	log_nametypeclass(VERB_ALGO, "schedule dnskey prefetch", 
+@@ -1911,6 +1920,14 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
+ 				return 0;
+ 			}
+ 			query_count++;
++			/* If the mesh query list is full, exit the loop here.
++			 * This makes the routine spawn one query at a time,
++			 * and this means there is no query state load
++			 * increase, because the spawned state uses cpu and a
++			 * socket while this state waits for that spawned
++			 * state. Next time we can look up further targets */
++			if(mesh_jostle_exceeded(qstate->env->mesh))
++				break;
+ 		}
+ 		/* Send the A request. */
+ 		if(ie->supports_ipv4 &&
+@@ -1925,6 +1942,9 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
+ 				return 0;
+ 			}
+ 			query_count++;
++			/* If the mesh query list is full, exit the loop. */
++			if(mesh_jostle_exceeded(qstate->env->mesh))
++				break;
+ 		}
+ 
+ 		/* mark this target as in progress. */
+@@ -2085,6 +2105,15 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
+ 			}
+ 			ns->done_pside6 = 1;
+ 			query_count++;
++			if(mesh_jostle_exceeded(qstate->env->mesh)) {
++				/* Wait for the lookup; do not spawn multiple
++				 * lookups at a time. */
++				verbose(VERB_ALGO, "try parent-side glue lookup");
++				iq->num_target_queries += query_count;
++				target_count_increase(iq, query_count);
++				qstate->ext_state[id] = module_wait_subquery;
++				return 0;
++			}
+ 		}
+ 		if(ie->supports_ipv4 && !ns->done_pside4) {
+ 			/* Send the A request. */
+@@ -2560,7 +2589,12 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+ 	if(iq->depth < ie->max_dependency_depth
+ 		&& iq->num_target_queries == 0
+ 		&& (!iq->target_count || iq->target_count[TARGET_COUNT_NX]==0)
+-		&& iq->sent_count < TARGET_FETCH_STOP) {
++		&& iq->sent_count < TARGET_FETCH_STOP
++		/* if the mesh query list is full, then do not waste cpu
++		 * and sockets to fetch promiscuous targets. They can be
++		 * looked up when needed. */
++		&& !mesh_jostle_exceeded(qstate->env->mesh)
++		) {
+ 		tf_policy = ie->target_fetch_policy[iq->depth];
+ 	}
+ 
+diff --git a/unbound-1.16.2/services/cache/dns.c b/unbound-1.16.2/services/cache/dns.c
+index 6bca8d8..b6e5697 100644
+--- a/unbound-1.16.2/services/cache/dns.c
++++ b/unbound-1.16.2/services/cache/dns.c
+@@ -404,6 +404,9 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
+ 	struct ub_packed_rrset_key* akey;
+ 	time_t now = *env->now;
+ 	for(ns = dp->nslist; ns; ns = ns->next) {
++		if(ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX)
++			continue;
++		ns->cache_lookup_count++;
+ 		akey = rrset_cache_lookup(env->rrset_cache, ns->name, 
+ 			ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
+ 		if(akey) {
+diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
+index 30bcf7c..2a41194 100644
+--- a/unbound-1.16.2/services/mesh.c
++++ b/unbound-1.16.2/services/mesh.c
+@@ -2240,3 +2240,10 @@ mesh_serve_expired_callback(void* arg)
+ 		mesh_do_callback(mstate, LDNS_RCODE_NOERROR, msg->rep, c, &tv);
+ 	}
+ }
++
++int mesh_jostle_exceeded(struct mesh_area* mesh)
++{
++	if(mesh->all.count < mesh->max_reply_states)
++		return 0;
++	return 1;
++}
+diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
+index 3be9b63..25121a6 100644
+--- a/unbound-1.16.2/services/mesh.h
++++ b/unbound-1.16.2/services/mesh.h
+@@ -685,4 +685,15 @@ struct dns_msg*
+ mesh_serve_expired_lookup(struct module_qstate* qstate,
+ 	struct query_info* lookup_qinfo);
+ 
++/**
++ * See if the mesh has space for more queries. You can allocate queries
++ * anyway, but this checks for the allocated space.
++ * @param mesh: mesh area.
++ * @return true if the query list is full.
++ * 	It checks the number of all queries, not just number of reply states,
++ * 	that have a client address. So that spawned queries count too,
++ * 	that were created by the iterator, or other modules.
++ */
++int mesh_jostle_exceeded(struct mesh_area* mesh);
++
+ #endif /* SERVICES_MESH_H */
+-- 
+2.37.3
+

SOURCES/unbound-1.16.2.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmLnudYACgkQn28cLX4E
+X43GmRAAoROXbktLR2AXGEECgPCFlHag9oNZosa3J5yR2vaV4e8eA6AMzPyZbl7P
+LnLon8PZZR+pTW+dDRqakvzJIwXkLeONFgEdvd0cAghWAtPrKCDZIkCyeQj0OOv3
+wt1pRRl2PXUKNZZf0bzpTUIhVsHF/w5f5T/mFAZm49rUDboj77xgokmaFK4kei0I
+Gz4W8Vx3TIwwJc8nea8GtCYIg3UKmR/TMznMFExAoKdMllzKuJnGx5lR/eU0+NRc
+uwWEQhNJrHXZyWethp9swLCrOmDHcgBJOd04TqcDwSIZrw9VuT3/Uza3Tw73N7kr
+PZvF2xSOASL+i91QP6tnkmQD5pAORVpUFN3NePEWV5922iG/pVipaYBbEyV3dfph
+Y4QGwj8G6ppcfjV7gmlxsAOM2gnhD3rDqFmkxau6zB1kktHnV2aqlzIQo396ZBJQ
+hKyIAJlNvpTiFaACD7/cFkE80awJnCD/qvXATN//BWHKytgO8eYg7fZGrxjbpIQk
+XV/vVlOJWRXPyPBnp8MQyCIDe2eq2ELlMfYw62/TNDuj2qKsM/W03cem3GlveOa6
+tw8RVfFFjwZlCLbXSbmsKo+mWJ3jCAvb3/gql52vJDE5FuRz7MvptIVU6DVE1O+J
+mQ3AoQ2Mq9iHsZePfze4sq531DMlWTgBMwqfBTWqMaTC/8VH5rg=
+=Ax9n
+-----END PGP SIGNATURE-----

SOURCES/unbound-1.21-CVE-2024-8508.patch

@@ -0,0 +1,249 @@
+From 34de24d58bb5aa6fe3551512fc17cac08f65d93e Mon Sep 17 00:00:00 2001
+From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
+Date: Thu, 3 Oct 2024 14:46:57 +0200
+Subject: [PATCH] - Fix CVE-2024-8508, unbounded name compression could lead to
+ denial of service.
+
+---
+ unbound-1.16.2/util/data/msgencode.c | 77 +++++++++++++++++-----------
+ 1 file changed, 46 insertions(+), 31 deletions(-)
+
+diff --git a/unbound-1.16.2/util/data/msgencode.c b/unbound-1.16.2/util/data/msgencode.c
+index fe21cfb..f9e95e6 100644
+--- a/unbound-1.16.2/util/data/msgencode.c
++++ b/unbound-1.16.2/util/data/msgencode.c
+@@ -62,6 +62,10 @@
+ #define RETVAL_TRUNC	-4
+ /** return code that means all is peachy keen. Equal to DNS rcode NOERROR */
+ #define RETVAL_OK	0
++/** Max compressions we are willing to perform; more than that will result
++ *  in semi-compressed messages, or truncated even on TCP for huge messages, to
++ *  avoid locking the CPU for long */
++#define MAX_COMPRESSION_PER_MESSAGE 120
+ 
+ /**
+  * Data structure to help domain name compression in outgoing messages.
+@@ -284,15 +288,17 @@ write_compressed_dname(sldns_buffer* pkt, uint8_t* dname, int labs,
+ 
+ /** compress owner name of RR, return RETVAL_OUTMEM RETVAL_TRUNC */
+ static int
+-compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt, 
+-	struct regional* region, struct compress_tree_node** tree, 
+-	size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
++compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
++	struct regional* region, struct compress_tree_node** tree,
++	size_t owner_pos, uint16_t* owner_ptr, int owner_labs,
++	size_t* compress_count)
+ {
+ 	struct compress_tree_node* p;
+ 	struct compress_tree_node** insertpt = NULL;
+ 	if(!*owner_ptr) {
+ 		/* compress first time dname */
+-		if((p = compress_tree_lookup(tree, key->rk.dname, 
++		if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
++			(p = compress_tree_lookup(tree, key->rk.dname,
+ 			owner_labs, &insertpt))) {
+ 			if(p->labs == owner_labs) 
+ 				/* avoid ptr chains, since some software is
+@@ -301,6 +307,7 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 			if(!write_compressed_dname(pkt, key->rk.dname, 
+ 				owner_labs, p))
+ 				return RETVAL_TRUNC;
++			(*compress_count)++;
+ 			/* check if typeclass+4 ttl + rdatalen is available */
+ 			if(sldns_buffer_remaining(pkt) < 4+4+2)
+ 				return RETVAL_TRUNC;
+@@ -313,7 +320,8 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 			if(owner_pos <= PTR_MAX_OFFSET)
+ 				*owner_ptr = htons(PTR_CREATE(owner_pos));
+ 		}
+-		if(!compress_tree_store(key->rk.dname, owner_labs, 
++		if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
++			!compress_tree_store(key->rk.dname, owner_labs,
+ 			owner_pos, region, p, insertpt))
+ 			return RETVAL_OUTMEM;
+ 	} else {
+@@ -333,20 +341,24 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 
+ /** compress any domain name to the packet, return RETVAL_* */
+ static int
+-compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs, 
+-	struct regional* region, struct compress_tree_node** tree)
++compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
++	struct regional* region, struct compress_tree_node** tree,
++	size_t* compress_count)
+ {
+ 	struct compress_tree_node* p;
+ 	struct compress_tree_node** insertpt = NULL;
+ 	size_t pos = sldns_buffer_position(pkt);
+-	if((p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
++	if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
++		(p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
+ 		if(!write_compressed_dname(pkt, dname, labs, p))
+ 			return RETVAL_TRUNC;
++		(*compress_count)++;
+ 	} else {
+ 		if(!dname_buffer_write(pkt, dname))
+ 			return RETVAL_TRUNC;
+ 	}
+-	if(!compress_tree_store(dname, labs, pos, region, p, insertpt))
++	if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
++		!compress_tree_store(dname, labs, pos, region, p, insertpt))
+ 		return RETVAL_OUTMEM;
+ 	return RETVAL_OK;
+ }
+@@ -364,9 +376,9 @@ type_rdata_compressable(struct ub_packed_rrset_key* key)
+ 
+ /** compress domain names in rdata, return RETVAL_* */
+ static int
+-compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen, 
+-	struct regional* region, struct compress_tree_node** tree, 
+-	const sldns_rr_descriptor* desc)
++compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
++	struct regional* region, struct compress_tree_node** tree,
++	const sldns_rr_descriptor* desc, size_t* compress_count)
+ {
+ 	int labs, r, rdf = 0;
+ 	size_t dname_len, len, pos = sldns_buffer_position(pkt);
+@@ -380,8 +392,8 @@ compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
+ 		switch(desc->_wireformat[rdf]) {
+ 		case LDNS_RDF_TYPE_DNAME:
+ 			labs = dname_count_size_labels(rdata, &dname_len);
+-			if((r=compress_any_dname(rdata, pkt, labs, region, 
+-				tree)) != RETVAL_OK)
++			if((r=compress_any_dname(rdata, pkt, labs, region,
++				tree, compress_count)) != RETVAL_OK)
+ 				return r;
+ 			rdata += dname_len;
+ 			todolen -= dname_len;
+@@ -449,7 +461,8 @@ static int
+ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt, 
+ 	uint16_t* num_rrs, time_t timenow, struct regional* region,
+ 	int do_data, int do_sig, struct compress_tree_node** tree,
+-	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
++	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
++	size_t* compress_count)
+ {
+ 	size_t i, j, owner_pos;
+ 	int r, owner_labs;
+@@ -477,9 +490,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 		for(i=0; i<data->count; i++) {
+ 			/* rrset roundrobin */
+ 			j = (i + rr_offset) % data->count;
+-			if((r=compress_owner(key, pkt, region, tree, 
+-				owner_pos, &owner_ptr, owner_labs))
+-				!= RETVAL_OK)
++			if((r=compress_owner(key, pkt, region, tree,
++				owner_pos, &owner_ptr, owner_labs,
++				compress_count)) != RETVAL_OK)
+ 				return r;
+ 			sldns_buffer_write(pkt, &key->rk.type, 2);
+ 			sldns_buffer_write(pkt, &key->rk.rrset_class, 2);
+@@ -489,8 +502,8 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 			else	sldns_buffer_write_u32(pkt, data->rr_ttl[j]-adjust);
+ 			if(c) {
+ 				if((r=compress_rdata(pkt, data->rr_data[j],
+-					data->rr_len[j], region, tree, c))
+-					!= RETVAL_OK)
++					data->rr_len[j], region, tree, c,
++					compress_count)) != RETVAL_OK)
+ 					return r;
+ 			} else {
+ 				if(sldns_buffer_remaining(pkt) < data->rr_len[j])
+@@ -510,9 +523,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 					return RETVAL_TRUNC;
+ 				sldns_buffer_write(pkt, &owner_ptr, 2);
+ 			} else {
+-				if((r=compress_any_dname(key->rk.dname, 
+-					pkt, owner_labs, region, tree))
+-					!= RETVAL_OK)
++				if((r=compress_any_dname(key->rk.dname,
++					pkt, owner_labs, region, tree,
++					compress_count)) != RETVAL_OK)
+ 					return r;
+ 				if(sldns_buffer_remaining(pkt) < 
+ 					4+4+data->rr_len[i])
+@@ -544,7 +557,8 @@ static int
+ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
+ 	sldns_buffer* pkt, size_t rrsets_before, time_t timenow, 
+ 	struct regional* region, struct compress_tree_node** tree,
+-	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
++	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
++	size_t* compress_count)
+ {
+ 	int r;
+ 	size_t i, setstart;
+@@ -560,7 +574,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
+ 			setstart = sldns_buffer_position(pkt);
+ 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
+ 				pkt, num_rrs, timenow, region, 1, 1, tree,
+-				s, qtype, dnssec, rr_offset))
++				s, qtype, dnssec, rr_offset, compress_count))
+ 				!= RETVAL_OK) {
+ 				/* Bad, but if due to size must set TC bit */
+ 				/* trim off the rrset neatly. */
+@@ -573,7 +587,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
+ 			setstart = sldns_buffer_position(pkt);
+ 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
+ 				pkt, num_rrs, timenow, region, 1, 0, tree,
+-				s, qtype, dnssec, rr_offset))
++				s, qtype, dnssec, rr_offset, compress_count))
+ 				!= RETVAL_OK) {
+ 				sldns_buffer_set_position(pkt, setstart);
+ 				return r;
+@@ -584,7 +598,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
+ 			setstart = sldns_buffer_position(pkt);
+ 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
+ 				pkt, num_rrs, timenow, region, 0, 1, tree,
+-				s, qtype, dnssec, rr_offset))
++				s, qtype, dnssec, rr_offset, compress_count))
+ 				!= RETVAL_OK) {
+ 				sldns_buffer_set_position(pkt, setstart);
+ 				return r;
+@@ -677,6 +691,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ 	struct compress_tree_node* tree = 0;
+ 	int r;
+ 	size_t rr_offset;
++	size_t compress_count=0;
+ 
+ 	sldns_buffer_clear(buffer);
+ 	if(udpsize < sldns_buffer_limit(buffer))
+@@ -723,7 +738,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ 		arep.rrsets = &qinfo->local_alias->rrset;
+ 		if((r=insert_section(&arep, 1, &ancount, buffer, 0,
+ 			timezero, region, &tree, LDNS_SECTION_ANSWER,
+-			qinfo->qtype, dnssec, rr_offset)) != RETVAL_OK) {
++			qinfo->qtype, dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
+ 			if(r == RETVAL_TRUNC) {
+ 				/* create truncated message */
+ 				sldns_buffer_write_u16_at(buffer, 6, ancount);
+@@ -738,7 +753,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ 	/* insert answer section */
+ 	if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
+ 		0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype,
+-		dnssec, rr_offset)) != RETVAL_OK) {
++		dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
+ 		if(r == RETVAL_TRUNC) {
+ 			/* create truncated message */
+ 			sldns_buffer_write_u16_at(buffer, 6, ancount);
+@@ -756,7 +771,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ 		if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer,
+ 			rep->an_numrrsets, timenow, region, &tree,
+ 			LDNS_SECTION_AUTHORITY, qinfo->qtype,
+-			dnssec, rr_offset)) != RETVAL_OK) {
++			dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
+ 			if(r == RETVAL_TRUNC) {
+ 				/* create truncated message */
+ 				sldns_buffer_write_u16_at(buffer, 8, nscount);
+@@ -773,7 +788,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ 			if((r=insert_section(rep, rep->ar_numrrsets, &arcount, buffer,
+ 				rep->an_numrrsets + rep->ns_numrrsets, timenow, region,
+ 				&tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype,
+-				dnssec, rr_offset)) != RETVAL_OK) {
++				dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
+ 				if(r == RETVAL_TRUNC) {
+ 					/* no need to set TC bit, this is the additional */
+ 					sldns_buffer_write_u16_at(buffer, 10, arcount);
+-- 
+2.47.0
+

SOURCES/unbound-1.7.2-python3-devel.patch

@@ -1,320 +0,0 @@
-From b5aab36d41f374eddb0f66f28f251588f53a1e1e Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards <wouter@nlnetlabs.nl>
-Date: Wed, 27 Jun 2018 05:46:36 +0000
-Subject: [PATCH 1/2] - #4109: Fix that package config depends on python
- unconditionally.
-
-git-svn-id: file:///svn/unbound/trunk@4757 be551aaa-1e26-0410-a405-d3ace91eadb9
----
- configure    | 257 +++++++++++++++++++++++++++++++----------------------------
- configure.ac |   5 +-
- 2 files changed, 137 insertions(+), 125 deletions(-)
-
-diff --git a/configure b/configure
-index 3f1c372a..2a1687ae 100755
---- a/configure
-+++ b/configure
-@@ -670,9 +670,6 @@ SYSTEMD_DAEMON_LIBS
- SYSTEMD_DAEMON_CFLAGS
- SYSTEMD_LIBS
- SYSTEMD_CFLAGS
--PKG_CONFIG_LIBDIR
--PKG_CONFIG_PATH
--PKG_CONFIG
- staticexe
- PC_LIBEVENT_DEPENDENCY
- UNBOUND_EVENT_UNINSTALL
-@@ -697,6 +694,9 @@ swig
- SWIG_LIB
- SWIG
- PC_PY_DEPENDENCY
-+PKG_CONFIG_LIBDIR
-+PKG_CONFIG_PATH
-+PKG_CONFIG
- PY_MAJOR_VERSION
- PYTHON_SITE_PKG
- PYTHON_LDFLAGS
-@@ -16930,7 +16930,136 @@ $as_echo "#define HAVE_PYTHON 1" >>confdefs.h
-         CPPFLAGS="$PYTHON_CPPFLAGS"
-       fi
-       ub_have_python=yes
--      PC_PY_DEPENDENCY="python"
-+
-+
-+
-+
-+
-+
-+
-+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
-+	if test -n "$ac_tool_prefix"; then
-+  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
-+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if ${ac_cv_path_PKG_CONFIG+:} false; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+  case $PKG_CONFIG in
-+  [\\/]* | ?:[\\/]*)
-+  ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
-+  ;;
-+  *)
-+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+for as_dir in $PATH
-+do
-+  IFS=$as_save_IFS
-+  test -z "$as_dir" && as_dir=.
-+    for ac_exec_ext in '' $ac_executable_extensions; do
-+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-+    ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
-+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-+    break 2
-+  fi
-+done
-+  done
-+IFS=$as_save_IFS
-+
-+  ;;
-+esac
-+fi
-+PKG_CONFIG=$ac_cv_path_PKG_CONFIG
-+if test -n "$PKG_CONFIG"; then
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
-+$as_echo "$PKG_CONFIG" >&6; }
-+else
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+fi
-+
-+
-+fi
-+if test -z "$ac_cv_path_PKG_CONFIG"; then
-+  ac_pt_PKG_CONFIG=$PKG_CONFIG
-+  # Extract the first word of "pkg-config", so it can be a program name with args.
-+set dummy pkg-config; ac_word=$2
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-+$as_echo_n "checking for $ac_word... " >&6; }
-+if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+  case $ac_pt_PKG_CONFIG in
-+  [\\/]* | ?:[\\/]*)
-+  ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
-+  ;;
-+  *)
-+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-+for as_dir in $PATH
-+do
-+  IFS=$as_save_IFS
-+  test -z "$as_dir" && as_dir=.
-+    for ac_exec_ext in '' $ac_executable_extensions; do
-+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-+    ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
-+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-+    break 2
-+  fi
-+done
-+  done
-+IFS=$as_save_IFS
-+
-+  ;;
-+esac
-+fi
-+ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
-+if test -n "$ac_pt_PKG_CONFIG"; then
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
-+$as_echo "$ac_pt_PKG_CONFIG" >&6; }
-+else
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+fi
-+
-+  if test "x$ac_pt_PKG_CONFIG" = x; then
-+    PKG_CONFIG=""
-+  else
-+    case $cross_compiling:$ac_tool_warned in
-+yes:)
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
-+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
-+ac_tool_warned=yes ;;
-+esac
-+    PKG_CONFIG=$ac_pt_PKG_CONFIG
-+  fi
-+else
-+  PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
-+fi
-+
-+fi
-+if test -n "$PKG_CONFIG"; then
-+	_pkg_min_version=0.9.0
-+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
-+$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
-+	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
-+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-+$as_echo "yes" >&6; }
-+	else
-+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-+$as_echo "no" >&6; }
-+		PKG_CONFIG=""
-+	fi
-+fi
-+      if test -n "$PKG_CONFIG" && \
-+    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\"python\${PY_MAJOR_VERSION}\"\""; } >&5
-+  ($PKG_CONFIG --exists --print-errors ""python${PY_MAJOR_VERSION}"") 2>&5
-+  ac_status=$?
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; }; then
-+  PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"
-+else
-+  PC_PY_DEPENDENCY="python"
-+fi
- 
- 
-       # Check for SWIG
-@@ -18960,126 +19089,6 @@ else
- fi
- 
- have_systemd=no
--
--
--
--
--
--
--
--if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
--	if test -n "$ac_tool_prefix"; then
--  # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
--set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
--$as_echo_n "checking for $ac_word... " >&6; }
--if ${ac_cv_path_PKG_CONFIG+:} false; then :
--  $as_echo_n "(cached) " >&6
--else
--  case $PKG_CONFIG in
--  [\\/]* | ?:[\\/]*)
--  ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
--  ;;
--  *)
--  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
--for as_dir in $PATH
--do
--  IFS=$as_save_IFS
--  test -z "$as_dir" && as_dir=.
--    for ac_exec_ext in '' $ac_executable_extensions; do
--  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
--    ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
--    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
--    break 2
--  fi
--done
--  done
--IFS=$as_save_IFS
--
--  ;;
--esac
--fi
--PKG_CONFIG=$ac_cv_path_PKG_CONFIG
--if test -n "$PKG_CONFIG"; then
--  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
--$as_echo "$PKG_CONFIG" >&6; }
--else
--  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--fi
--
--
--fi
--if test -z "$ac_cv_path_PKG_CONFIG"; then
--  ac_pt_PKG_CONFIG=$PKG_CONFIG
--  # Extract the first word of "pkg-config", so it can be a program name with args.
--set dummy pkg-config; ac_word=$2
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
--$as_echo_n "checking for $ac_word... " >&6; }
--if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then :
--  $as_echo_n "(cached) " >&6
--else
--  case $ac_pt_PKG_CONFIG in
--  [\\/]* | ?:[\\/]*)
--  ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path.
--  ;;
--  *)
--  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
--for as_dir in $PATH
--do
--  IFS=$as_save_IFS
--  test -z "$as_dir" && as_dir=.
--    for ac_exec_ext in '' $ac_executable_extensions; do
--  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
--    ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
--    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
--    break 2
--  fi
--done
--  done
--IFS=$as_save_IFS
--
--  ;;
--esac
--fi
--ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG
--if test -n "$ac_pt_PKG_CONFIG"; then
--  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5
--$as_echo "$ac_pt_PKG_CONFIG" >&6; }
--else
--  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--fi
--
--  if test "x$ac_pt_PKG_CONFIG" = x; then
--    PKG_CONFIG=""
--  else
--    case $cross_compiling:$ac_tool_warned in
--yes:)
--{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
--$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
--ac_tool_warned=yes ;;
--esac
--    PKG_CONFIG=$ac_pt_PKG_CONFIG
--  fi
--else
--  PKG_CONFIG="$ac_cv_path_PKG_CONFIG"
--fi
--
--fi
--if test -n "$PKG_CONFIG"; then
--	_pkg_min_version=0.9.0
--	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5
--$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; }
--	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
--		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
--$as_echo "yes" >&6; }
--	else
--		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--		PKG_CONFIG=""
--	fi
--fi
- if test "x$enable_systemd" != xno; then :
- 
- 
-diff --git a/configure.ac b/configure.ac
-index 1828253c..b2c95d1a 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -586,7 +586,10 @@ if test x_$ub_test_python != x_no; then
-         CPPFLAGS="$PYTHON_CPPFLAGS"
-       fi
-       ub_have_python=yes
--      PC_PY_DEPENDENCY="python"
-+      PKG_PROG_PKG_CONFIG
-+      PKG_CHECK_EXISTS(["python${PY_MAJOR_VERSION}"],
-+                       [PC_PY_DEPENDENCY="python${PY_MAJOR_VERSION}"],
-+                       [PC_PY_DEPENDENCY="python"])
-       AC_SUBST(PC_PY_DEPENDENCY)
- 
-       # Check for SWIG
--- 
-2.14.4
-

SOURCES/unbound-1.7.2-python3-pkgconfig.patch

@@ -1,31 +0,0 @@
-From bca54a8b252d4a75e940424dc761c6a4e487eb84 Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards <wouter@nlnetlabs.nl>
-Date: Wed, 27 Jun 2018 06:07:31 +0000
-Subject: [PATCH 2/2] =?UTF-8?q?-=20Patch,=20do=20not=20export=20python=20f?=
- =?UTF-8?q?rom=20pkg-config,=20from=20Petr=20Men=C5=A1=C3=ADk.?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-git-svn-id: file:///svn/unbound/trunk@4758 be551aaa-1e26-0410-a405-d3ace91eadb9
----
- contrib/libunbound.pc.in | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/contrib/libunbound.pc.in b/contrib/libunbound.pc.in
-index 0cb9f875..810c5713 100644
---- a/contrib/libunbound.pc.in
-+++ b/contrib/libunbound.pc.in
-@@ -7,7 +7,8 @@ Name: unbound
- Description: Library with validating, recursive, and caching DNS resolver
- URL: http://www.unbound.net
- Version: @PACKAGE_VERSION@
--Requires: @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@
-+Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@
-+Requires.private: @PC_PY_DEPENDENCY@
- Libs: -L${libdir} -lunbound -lssl -lcrypto
- Libs.private: @SSLLIB@ @LIBS@
- Cflags: -I${includedir} 
--- 
-2.14.4
-

SOURCES/unbound-1.7.3-DNS-over-TLS-memory-leak.patch

@@ -1,36 +0,0 @@
-From 377d5b426a30fc915cf7905786f93c0ec89845b7 Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards <wouter@nlnetlabs.nl>
-Date: Tue, 25 Sep 2018 09:01:13 +0000
-Subject: [PATCH] - Add SSL cleanup for tcp timeout.
-
-git-svn-id: file:///svn/unbound/trunk@4915 be551aaa-1e26-0410-a405-d3ace91eadb9
----
- services/outside_network.c | 11 +++++++++++
- 1 files changed, 9 insertions(+)
-diff --git a/services/outside_network.c b/services/outside_network.c
-index 5700ef8..b52cdab 100644
---- a/services/outside_network.c
-+++ b/services/outside_network.c
-@@ -373,6 +373,8 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
-                         if(!SSL_set1_host(pend->c->ssl, w->tls_auth_name)) {
-                                 log_err("SSL_set1_host failed");
- 				pend->c->fd = s;
-+				SSL_free(pend->c->ssl);
-+				pend->c->ssl = NULL;
- 				comm_point_close(pend->c);
- 				return 0;
- 			}
-@@ -1258,6 +1260,13 @@ outnet_tcptimer(void* arg)
- 	} else {
- 		/* it was in use */
- 		struct pending_tcp* pend=(struct pending_tcp*)w->next_waiting;
-+		if(pend->c->ssl) {
-+#ifdef HAVE_SSL
-+			SSL_shutdown(pend->c->ssl);
-+			SSL_free(pend->c->ssl);
-+			pend->c->ssl = NULL;
-+#endif
-+		}
- 		comm_point_close(pend->c);
- 		pend->query = NULL;
- 		pend->next_free = outnet->tcp_free;

SOURCES/unbound-1.7.3-additional-logging.patch

@@ -1,553 +0,0 @@
-diff --git a/daemon/worker.c b/daemon/worker.c
-index 44a989a..3acecc1 100644
---- a/daemon/worker.c
-+++ b/daemon/worker.c
-@@ -1193,7 +1193,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
- 	if(worker->env.cfg->log_queries) {
- 		char ip[128];
- 		addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
--		log_nametypeclass(0, ip, qinfo.qname, qinfo.qtype, qinfo.qclass);
-+		log_query_in(ip, qinfo.qname, qinfo.qtype, qinfo.qclass);
- 	}
- 	if(qinfo.qtype == LDNS_RR_TYPE_AXFR || 
- 		qinfo.qtype == LDNS_RR_TYPE_IXFR) {
-diff --git a/doc/Changelog b/doc/Changelog
-index 3d05ae5..bb74461 100644
---- a/doc/Changelog
-+++ b/doc/Changelog
-@@ -1,3 +1,15 @@
-+30 November 2018: Wouter
-+	- log-tag-queryreply: yes in unbound.conf tags the log-queries and
-+	  log-replies in the log file for easier log filter maintenance.
-+
-+21 August 2018: Wouter
-+	- log-local-actions: yes option for unbound.conf that logs all the
-+	  local zone actions, a patch from Saksham Manchanda (Secure64).
-+
-+17 August 2018: Wouter
-+	- log-servfail: yes prints log lines that say why queries are
-+	  returning SERVFAIL to clients.
-+
- 19 June 2018: Wouter
- 	- Fix for unbound-control on Windows and set TCP socket parameters
- 	  more closely.
-diff --git a/doc/example.conf.in b/doc/example.conf.in
-index be83bda..aa06cee 100644
---- a/doc/example.conf.in
-+++ b/doc/example.conf.in
-@@ -309,6 +309,17 @@ server:
- 	# timetoresolve, fromcache and responsesize.
- 	# log-replies: no
- 
-+	# log with tag 'query' and 'reply' instead of 'info' for
-+	# filtering log-queries and log-replies from the log.
-+	# log-tag-queryreply: no
-+
-+	# log the local-zone actions, like local-zone type inform is enabled
-+	# also for the other local zone types.
-+	# log-local-actions: no
-+
-+	# print log lines that say why queries return SERVFAIL to clients.
-+	# log-servfail: no
-+
- 	# the pid file. Can be an absolute path outside of chroot/work dir.
- 	# pidfile: "@UNBOUND_PIDFILE@"
- 
-diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
-index 9167a5a..b73bc70 100644
---- a/doc/unbound.conf.5.in
-+++ b/doc/unbound.conf.5.in
-@@ -618,6 +618,21 @@ Default is no.  Note that it takes time to print these
- lines which makes the server (significantly) slower.  Odd (nonprintable)
- characters in names are printed as '?'.
- .TP
-+.B log\-tag\-queryreply: \fI<yes or no>
-+Prints the word 'query' and 'reply' with log\-queries and log\-replies.
-+This makes filtering logs easier.  The default is off (for backwards
-+compatibility).
-+.TP
-+.B log\-local\-actions: \fI<yes or no>
-+Print log lines to inform about local zone actions.  These lines are like the
-+local\-zone type inform prints out, but they are also printed for the other
-+types of local zones.
-+.TP
-+.B log\-servfail: \fI<yes or no>
-+Print log lines that say why queries return SERVFAIL to clients.
-+This is separate from the verbosity debug logs, much smaller, and printed
-+at the error level, not the info level of debug info from verbosity.
-+.TP
- .B pidfile: \fI<filename>
- The process id is written to the file. Default is "@UNBOUND_PIDFILE@".
- So,
-diff --git a/services/localzone.c b/services/localzone.c
-index 0f60817..a85619b 100644
---- a/services/localzone.c
-+++ b/services/localzone.c
-@@ -1459,7 +1459,7 @@ lz_inform_print(struct local_zone* z, struct query_info* qinfo,
- 	uint16_t port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port);
- 	dname_str(z->name, zname);
- 	addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
--	snprintf(txt, sizeof(txt), "%s inform %s@%u", zname, ip,
-+	snprintf(txt, sizeof(txt), "%s %s %s@%u", zname, local_zone_type2str(z->type), ip,
- 		(unsigned)port);
- 	log_nametypeclass(0, txt, qinfo->qname, qinfo->qtype, qinfo->qclass);
- }
-@@ -1576,7 +1576,8 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
- 			z->override_tree, &tag, tagname, num_tags);
- 		lock_rw_unlock(&zones->lock);
- 	}
--	if((lzt == local_zone_inform || lzt == local_zone_inform_deny)
-+	if((env->cfg->log_local_actions ||
-+		lzt == local_zone_inform || lzt == local_zone_inform_deny)
- 		&& repinfo)
- 		lz_inform_print(z, qinfo, repinfo);
- 
-diff --git a/services/mesh.c b/services/mesh.c
-index 41aba74..55c1947 100644
---- a/services/mesh.c
-+++ b/services/mesh.c
-@@ -977,7 +977,7 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
- 		rcode = LDNS_RCODE_SERVFAIL;
- 	if(!rcode && (rep->security == sec_status_bogus ||
- 		rep->security == sec_status_secure_sentinel_fail)) {
--		if(!(reason = errinf_to_str(&m->s)))
-+		if(!(reason = errinf_to_str_bogus(&m->s)))
- 			rcode = LDNS_RCODE_SERVFAIL;
- 	}
- 	/* send the reply */
-@@ -1148,6 +1148,15 @@ void mesh_query_done(struct mesh_state* mstate)
- 	struct mesh_cb* c;
- 	struct reply_info* rep = (mstate->s.return_msg?
- 		mstate->s.return_msg->rep:NULL);
-+	if((mstate->s.return_rcode == LDNS_RCODE_SERVFAIL ||
-+		(rep && FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_SERVFAIL))
-+		&& mstate->s.env->cfg->log_servfail
-+		&& !mstate->s.env->cfg->val_log_squelch) {
-+			char* err = errinf_to_str_servfail(&mstate->s);
-+			if(err)
-+				log_err("%s", err);
-+			free(err);
-+	}
- 	for(r = mstate->reply_list; r; r = r->next) {
- 		/* if a response-ip address block has been stored the
- 		 *  information should be logged for each client. */
-diff --git a/util/config_file.c b/util/config_file.c
-index b061760..68a0a15 100644
---- a/util/config_file.c
-+++ b/util/config_file.c
-@@ -115,6 +115,9 @@ config_create(void)
- 	cfg->log_time_ascii = 0;
- 	cfg->log_queries = 0;
- 	cfg->log_replies = 0;
-+	cfg->log_tag_queryreply = 0;
-+	cfg->log_local_actions = 0;
-+	cfg->log_servfail = 0;
- #ifndef USE_WINSOCK
- #  ifdef USE_MINI_EVENT
- 	/* select max 1024 sockets */
-@@ -540,6 +543,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
- 	else S_YNO("val-log-squelch:", val_log_squelch)
- 	else S_YNO("log-queries:", log_queries)
- 	else S_YNO("log-replies:", log_replies)
-+	else S_YNO("log-tag-queryreply:", log_tag_queryreply)
-+	else S_YNO("log-local-actions:", log_local_actions)
-+	else S_YNO("log-servfail:", log_servfail)
- 	else S_YNO("val-permissive-mode:", val_permissive_mode)
- 	else S_YNO("aggressive-nsec:", aggressive_nsec)
- 	else S_YNO("ignore-cd-flag:", ignore_cd)
-@@ -893,6 +899,9 @@ config_get_option(struct config_file* cfg, const char* opt,
- 	else O_STR(opt, "logfile", logfile)
- 	else O_YNO(opt, "log-queries", log_queries)
- 	else O_YNO(opt, "log-replies", log_replies)
-+	else O_YNO(opt, "log-tag-queryreply", log_tag_queryreply)
-+	else O_YNO(opt, "log-local-actions", log_local_actions)
-+	else O_YNO(opt, "log-servfail", log_servfail)
- 	else O_STR(opt, "pidfile", pidfile)
- 	else O_YNO(opt, "hide-identity", hide_identity)
- 	else O_YNO(opt, "hide-version", hide_version)
-@@ -1845,6 +1854,7 @@ config_apply(struct config_file* config)
- 	EDNS_ADVERTISED_SIZE = (uint16_t)config->edns_buffer_size;
- 	MINIMAL_RESPONSES = config->minimal_responses;
- 	RRSET_ROUNDROBIN = config->rrset_roundrobin;
-+	LOG_TAG_QUERYREPLY = config->log_tag_queryreply;
- 	log_set_time_asc(config->log_time_ascii);
- 	autr_permit_small_holddown = config->permit_small_holddown;
- }
-@@ -2220,7 +2230,7 @@ void errinf_origin(struct module_qstate* qstate, struct sock_list *origin)
- 	}
- }
- 
--char* errinf_to_str(struct module_qstate* qstate)
-+char* errinf_to_str_bogus(struct module_qstate* qstate)
- {
- 	char buf[20480];
- 	char* p = buf;
-@@ -2245,6 +2255,31 @@ char* errinf_to_str(struct module_qstate* qstate)
- 	return p;
- }
- 
-+char* errinf_to_str_servfail(struct module_qstate* qstate)
-+{
-+    char buf[20480];
-+    char* p = buf;
-+    size_t left = sizeof(buf);
-+    struct config_strlist* s;
-+    char dname[LDNS_MAX_DOMAINLEN+1];
-+    char t[16], c[16];
-+    sldns_wire2str_type_buf(qstate->qinfo.qtype, t, sizeof(t));
-+    sldns_wire2str_class_buf(qstate->qinfo.qclass, c, sizeof(c));
-+    dname_str(qstate->qinfo.qname, dname);
-+    snprintf(p, left, "SERVFAIL <%s %s %s>:", dname, t, c);
-+    left -= strlen(p); p += strlen(p);
-+    if(!qstate->errinf)
-+        snprintf(p, left, " misc failure");
-+    else for(s=qstate->errinf; s; s=s->next) {
-+        snprintf(p, left, " %s", s->str);
-+        left -= strlen(p); p += strlen(p);
-+    }
-+    p = strdup(buf);
-+    if(!p)
-+        log_err("malloc failure in errinf_to_str");
-+    return p;
-+}
-+
- void errinf_rrset(struct module_qstate* qstate, struct ub_packed_rrset_key *rr)
- {
- 	char buf[1024];
-diff --git a/util/config_file.h b/util/config_file.h
-index 4206eb9..1e7f402 100644
---- a/util/config_file.h
-+++ b/util/config_file.h
-@@ -268,6 +268,12 @@ struct config_file {
- 	int log_queries;
- 	/** log replies with one line per reply */
- 	int log_replies;
-+	/** tag log_queries and log_replies for filtering */
-+	int log_tag_queryreply;
-+	/** log every local-zone hit **/
-+	int log_local_actions;
-+	/** log servfails with a reason */
-+	int log_servfail;
- 	/** log identity to report */
- 	char* log_identity;
- 
-@@ -1070,7 +1076,15 @@ void errinf_dname(struct module_qstate* qstate, const char* str,
-  * @return string or NULL on malloc failure (already logged).
-  *    This string is malloced and has to be freed by caller.
-  */
--char* errinf_to_str(struct module_qstate* qstate);
-+char* errinf_to_str_bogus(struct module_qstate* qstate);
-+
-+/**
-+ * Create error info in string.  For other servfails.
-+ * @param qstate: query state.
-+ * @return string or NULL on malloc failure (already logged).
-+ *    This string is malloced and has to be freed by caller.
-+ */
-+char* errinf_to_str_servfail(struct module_qstate* qstate);
- 
- /**
-  * Used during options parsing
-diff --git a/util/configlexer.lex b/util/configlexer.lex
-index 6124e32..9b22db1 100644
---- a/util/configlexer.lex
-+++ b/util/configlexer.lex
-@@ -366,6 +366,9 @@ log-identity{COLON}		{ YDVAR(1, VAR_LOG_IDENTITY) }
- log-time-ascii{COLON}		{ YDVAR(1, VAR_LOG_TIME_ASCII) }
- log-queries{COLON}		{ YDVAR(1, VAR_LOG_QUERIES) }
- log-replies{COLON}		{ YDVAR(1, VAR_LOG_REPLIES) }
-+log-tag-queryreply{COLON}      { YDVAR(1, VAR_LOG_TAG_QUERYREPLY) }
-+log-local-actions{COLON}       { YDVAR(1, VAR_LOG_LOCAL_ACTIONS) }
-+log-servfail{COLON}            { YDVAR(1, VAR_LOG_SERVFAIL) }
- local-zone{COLON}		{ YDVAR(2, VAR_LOCAL_ZONE) }
- local-data{COLON}		{ YDVAR(1, VAR_LOCAL_DATA) }
- local-data-ptr{COLON}		{ YDVAR(1, VAR_LOCAL_DATA_PTR) }
-diff --git a/util/configparser.y b/util/configparser.y
-index e34665a..4b23a71 100644
---- a/util/configparser.y
-+++ b/util/configparser.y
-@@ -106,7 +106,7 @@ extern struct config_parser_state* cfg_parser;
- %token VAR_AUTO_TRUST_ANCHOR_FILE VAR_KEEP_MISSING VAR_ADD_HOLDDOWN 
- %token VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE VAR_PREFETCH
- %token VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_SO_REUSEPORT VAR_HARDEN_BELOW_NXDOMAIN
--%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_LOG_REPLIES
-+%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_LOG_REPLIES VAR_LOG_LOCAL_ACTIONS
- %token VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
- %token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
- %token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE
-@@ -158,6 +158,8 @@ extern struct config_parser_state* cfg_parser;
- %token VAR_AUTH_ZONE VAR_ZONEFILE VAR_MASTER VAR_URL VAR_FOR_DOWNSTREAM
- %token VAR_FALLBACK_ENABLED VAR_TLS_ADDITIONAL_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL
- %token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT
-+%token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL
-+%token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
- 
- %%
- toplevelvars: /* empty */ | toplevelvars toplevelvar ;
-@@ -217,6 +219,7 @@ content_server: server_num_threads | server_verbosity | server_port |
- 	server_edns_buffer_size | server_prefetch | server_prefetch_key |
- 	server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag |
- 	server_log_queries | server_log_replies | server_tcp_upstream | server_ssl_upstream |
-+	server_log_local_actions |
- 	server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
- 	server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
- 	server_so_reuseport | server_delay_close |
-@@ -249,7 +252,9 @@ content_server: server_num_threads | server_verbosity | server_port |
- 	server_ipsecmod_whitelist | server_ipsecmod_strict |
- 	server_udp_upstream_without_downstream | server_aggressive_nsec |
- 	server_tls_cert_bundle | server_tls_additional_port | server_low_rtt |
--	server_low_rtt_permil | server_tls_win_cert
-+	server_low_rtt_permil | server_tls_win_cert |
-+	server_tcp_connection_limit | server_log_servfail |
-+	server_unknown_server_time_limit | server_log_tag_queryreply
- 	;
- stubstart: VAR_STUB_ZONE
- 	{
-@@ -764,6 +769,33 @@ server_log_replies: VAR_LOG_REPLIES STRING_ARG
-   	free($2);
-   }
-   ;
-+server_log_tag_queryreply: VAR_LOG_TAG_QUERYREPLY STRING_ARG
-+  {
-+    OUTYY(("P(server_log_tag_queryreply:%s)\n", $2));
-+    if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
-+        yyerror("expected yes or no.");
-+    else cfg_parser->cfg->log_tag_queryreply = (strcmp($2, "yes")==0);
-+    free($2);
-+  }
-+  ;
-+server_log_servfail: VAR_LOG_SERVFAIL STRING_ARG
-+  {
-+	OUTYY(("P(server_log_servfail:%s)\n", $2));
-+	if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
-+		yyerror("expected yes or no.");
-+	else cfg_parser->cfg->log_servfail = (strcmp($2, "yes")==0);
-+	free($2);
-+  }
-+  ;
-+server_log_local_actions: VAR_LOG_LOCAL_ACTIONS STRING_ARG
-+  {
-+	OUTYY(("P(server_log_local_actions:%s)\n", $2));
-+	if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
-+		yyerror("expected yes or no.");
-+	else cfg_parser->cfg->log_local_actions = (strcmp($2, "yes")==0);
-+	free($2);
-+  }
-+  ;
- server_chroot: VAR_CHROOT STRING_ARG
- 	{
- 		OUTYY(("P(server_chroot:%s)\n", $2));
-diff --git a/util/data/msgreply.c b/util/data/msgreply.c
-index 772f5d1..df2131c 100644
---- a/util/data/msgreply.c
-+++ b/util/data/msgreply.c
-@@ -844,7 +844,9 @@ log_reply_info(enum verbosity_value v, struct query_info *qinf,
- 	addr_to_str(addr, addrlen, clientip_buf, sizeof(clientip_buf));
- 	if(rcode == LDNS_RCODE_FORMERR)
- 	{
--		log_info("%s - - - %s - - - ", clientip_buf, rcode_buf);
-+		if(LOG_TAG_QUERYREPLY)
-+			log_reply("%s - - - %s - - - ", clientip_buf, rcode_buf);
-+		else log_info("%s - - - %s - - - ", clientip_buf, rcode_buf);
- 	} else {
- 		if(qinf->qname)
- 			dname_str(qinf->qname, qname_buf);
-@@ -852,7 +854,11 @@ log_reply_info(enum verbosity_value v, struct query_info *qinf,
- 		pktlen = sldns_buffer_limit(rmsg);
- 		sldns_wire2str_type_buf(qinf->qtype, type_buf, sizeof(type_buf));
- 		sldns_wire2str_class_buf(qinf->qclass, class_buf, sizeof(class_buf));
--		log_info("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
-+		if(LOG_TAG_QUERYREPLY)
-+			log_reply("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
-+				clientip_buf, qname_buf, type_buf, class_buf,
-+				rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec, cached, (int)pktlen);
-+		else log_info("%s %s %s %s %s " ARG_LL "d.%6.6d %d %d",
- 			clientip_buf, qname_buf, type_buf, class_buf,
- 			rcode_buf, (long long)dur.tv_sec, (int)dur.tv_usec, cached, (int)pktlen);
- 	}
-diff --git a/util/log.c b/util/log.c
-index 43dd572..fff4319 100644
---- a/util/log.c
-+++ b/util/log.c
-@@ -391,6 +391,24 @@ log_hex(const char* msg, void* data, size_t length)
- 	log_hex_f(verbosity, msg, data, length);
- }
- 
-+void
-+log_query(const char *format, ...)
-+{
-+	va_list args;
-+	va_start(args, format);
-+	log_vmsg(LOG_INFO, "query", format, args);
-+	va_end(args);
-+}
-+
-+void
-+log_reply(const char *format, ...)
-+{
-+	va_list args;
-+	va_start(args, format);
-+	log_vmsg(LOG_INFO, "reply", format, args);
-+	va_end(args);
-+}
-+
- void log_buf(enum verbosity_value level, const char* msg, sldns_buffer* buf)
- {
- 	if(verbosity < level)
-diff --git a/util/log.h b/util/log.h
-index 7bc3d9e..172cd01 100644
---- a/util/log.h
-+++ b/util/log.h
-@@ -160,6 +160,20 @@ void log_warn(const char* format, ...) ATTR_FORMAT(printf, 1, 2);
-  */
- void log_hex(const char* msg, void* data, size_t length);
- 
-+/**
-+ * Log query.
-+ * Pass printf formatted arguments. No trailing newline is needed.
-+ * @param format: printf-style format string. Arguments follow.
-+ */
-+void log_query(const char* format, ...) ATTR_FORMAT(printf, 1, 2);
-+
-+/**
-+ * Log reply.
-+ * Pass printf formatted arguments. No trailing newline is needed.
-+ * @param format: printf-style format string. Arguments follow.
-+ */
-+void log_reply(const char* format, ...) ATTR_FORMAT(printf, 1, 2);
-+
- /**
-  * Easy alternative for log_hex, takes a sldns_buffer.
-  * @param level: verbosity level for this message, compared to global 
-diff --git a/util/net_help.c b/util/net_help.c
-index a193c36..617a896 100644
---- a/util/net_help.c
-+++ b/util/net_help.c
-@@ -67,6 +67,9 @@ int MINIMAL_RESPONSES = 0;
- /** rrset order roundrobin: default is no */
- int RRSET_ROUNDROBIN = 0;
- 
-+/** log tag queries with name instead of 'info' for filtering */
-+int LOG_TAG_QUERYREPLY = 0;
-+
- /* returns true is string addr is an ip6 specced address */
- int
- str_is_ip6(const char* str)
-@@ -335,7 +338,7 @@ log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name,
- {
- 	char buf[LDNS_MAX_DOMAINLEN+1];
- 	char t[12], c[12];
--	const char *ts, *cs; 
-+	const char *ts, *cs;
- 	if(verbosity < v)
- 		return;
- 	dname_str(name, buf);
-@@ -361,6 +364,37 @@ log_nametypeclass(enum verbosity_value v, const char* str, uint8_t* name,
- 	log_info("%s %s %s %s", str, buf, ts, cs);
- }
- 
-+void
-+log_query_in(const char* str, uint8_t* name, uint16_t type, uint16_t dclass)
-+{
-+    char buf[LDNS_MAX_DOMAINLEN+1];
-+    char t[12], c[12];
-+    const char *ts, *cs;
-+    dname_str(name, buf);
-+    if(type == LDNS_RR_TYPE_TSIG) ts = "TSIG";
-+    else if(type == LDNS_RR_TYPE_IXFR) ts = "IXFR";
-+    else if(type == LDNS_RR_TYPE_AXFR) ts = "AXFR";
-+    else if(type == LDNS_RR_TYPE_MAILB) ts = "MAILB";
-+    else if(type == LDNS_RR_TYPE_MAILA) ts = "MAILA";
-+    else if(type == LDNS_RR_TYPE_ANY) ts = "ANY";
-+    else if(sldns_rr_descript(type) && sldns_rr_descript(type)->_name)
-+        ts = sldns_rr_descript(type)->_name;
-+    else {
-+        snprintf(t, sizeof(t), "TYPE%d", (int)type);
-+        ts = t;
-+    }
-+    if(sldns_lookup_by_id(sldns_rr_classes, (int)dclass) &&
-+        sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name)
-+        cs = sldns_lookup_by_id(sldns_rr_classes, (int)dclass)->name;
-+    else {
-+        snprintf(c, sizeof(c), "CLASS%d", (int)dclass);
-+        cs = c;
-+    }
-+    if(LOG_TAG_QUERYREPLY)
-+            log_query("%s %s %s %s", str, buf, ts, cs);
-+    else    log_info("%s %s %s %s", str, buf, ts, cs);
-+}
-+
- void log_name_addr(enum verbosity_value v, const char* str, uint8_t* zone, 
- 	struct sockaddr_storage* addr, socklen_t addrlen)
- {
-diff --git a/util/net_help.h b/util/net_help.h
-index de2e1ac..f2e0e43 100644
---- a/util/net_help.h
-+++ b/util/net_help.h
-@@ -99,6 +99,9 @@ extern int MINIMAL_RESPONSES;
- /** rrset order roundrobin */
- extern int RRSET_ROUNDROBIN;
- 
-+/** log tag queries with name instead of 'info' for filtering */
-+extern int LOG_TAG_QUERYREPLY;
-+
- /**
-  * See if string is ip4 or ip6.
-  * @param str: IP specification.
-@@ -235,6 +238,12 @@ void sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen,
- void log_nametypeclass(enum verbosity_value v, const char* str, 
- 	uint8_t* name, uint16_t type, uint16_t dclass);
- 
-+/**
-+ * Like log_nametypeclass, but logs with log_query for query logging
-+ */
-+void log_query_in(const char* str, uint8_t* name, uint16_t type,
-+       uint16_t dclass);
-+
- /**
-  * Compare two sockaddrs. Imposes an ordering on the addresses.
-  * Compares address and port.
-diff --git a/validator/val_kcache.c b/validator/val_kcache.c
-index 22070cc..e0b88b6 100644
---- a/validator/val_kcache.c
-+++ b/validator/val_kcache.c
-@@ -89,7 +89,7 @@ key_cache_insert(struct key_cache* kcache, struct key_entry_key* kkey,
- 	if(key_entry_isbad(k) && qstate->errinf &&
- 		qstate->env->cfg->val_log_level >= 2) {
- 		/* on malloc failure there is simply no reason string */
--		key_entry_set_reason(k, errinf_to_str(qstate));
-+		key_entry_set_reason(k, errinf_to_str_bogus(qstate));
- 	}
- 	key_entry_hash(k);
- 	slabhash_insert(kcache->slab, k->entry.hash, &k->entry, 
-diff --git a/validator/validator.c b/validator/validator.c
-index 5777b29..2d9cc17 100644
---- a/validator/validator.c
-+++ b/validator/validator.c
-@@ -2227,13 +2227,15 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
- 		vq->orig_msg->rep->ttl = ve->bogus_ttl;
- 		vq->orig_msg->rep->prefetch_ttl = 
- 			PREFETCH_TTL_CALC(vq->orig_msg->rep->ttl);
--		if(qstate->env->cfg->val_log_level >= 1 &&
-+		if((qstate->env->cfg->val_log_level >= 1 ||
-+			qstate->env->cfg->log_servfail) &&
- 			!qstate->env->cfg->val_log_squelch) {
--			if(qstate->env->cfg->val_log_level < 2)
-+            if(qstate->env->cfg->val_log_level < 2 &&
-+				!qstate->env->cfg->log_servfail)
- 				log_query_info(0, "validation failure",
- 					&qstate->qinfo);
- 			else {
--				char* err = errinf_to_str(qstate);
-+				char* err = errinf_to_str_bogus(qstate);
- 				if(err) log_info("%s", err);
- 				free(err);
- 			}
-@@ -2332,6 +2334,7 @@ processDLVLookup(struct module_qstate* qstate, struct val_qstate* vq,
- 
- 	if(vq->dlv_status == dlv_error) {
- 		verbose(VERB_QUERY, "failed DLV lookup");
-+		errinf(qstate, "failed DLV lookup");
- 		return val_error(qstate, id);
- 	} else if(vq->dlv_status == dlv_success) {
- 		uint8_t* nm;

SOURCES/unbound-1.7.3-amplifying-an-incoming-query.patch

@@ -1,944 +0,0 @@
-diff --git a/iterator/iter_delegpt.c b/iterator/iter_delegpt.c
-index f88b3e1..522e0e9 100644
---- a/iterator/iter_delegpt.c
-+++ b/iterator/iter_delegpt.c
-@@ -84,7 +84,7 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
- 	}
- 	for(a = dp->target_list; a; a = a->next_target) {
- 		if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen, 
--			a->bogus, a->lame, a->tls_auth_name))
-+           a->bogus, a->lame, a->tls_auth_name, NULL))
- 			return NULL;
- 	}
- 	return copy;
-@@ -161,7 +161,7 @@ delegpt_find_addr(struct delegpt* dp, struct sockaddr_storage* addr,
- int 
- delegpt_add_target(struct delegpt* dp, struct regional* region, 
- 	uint8_t* name, size_t namelen, struct sockaddr_storage* addr, 
--	socklen_t addrlen, uint8_t bogus, uint8_t lame)
-+   socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions)
- {
- 	struct delegpt_ns* ns = delegpt_find_ns(dp, name, namelen);
- 	log_assert(!dp->dp_type_mlc);
-@@ -176,13 +176,14 @@ delegpt_add_target(struct delegpt* dp, struct regional* region,
- 		if(ns->got4 && ns->got6)
- 			ns->resolved = 1;
- 	}
--	return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, NULL);
-+	return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, NULL,
-+        additions);
- }
- 
- int 
- delegpt_add_addr(struct delegpt* dp, struct regional* region, 
- 	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus, 
--	uint8_t lame, char* tls_auth_name)
-+	uint8_t lame, char* tls_auth_name, int* additions)
- {
- 	struct delegpt_addr* a;
- 	log_assert(!dp->dp_type_mlc);
-@@ -195,6 +196,9 @@ delegpt_add_addr(struct delegpt* dp, struct regional* region,
- 		return 1;
- 	}
- 
-+    if(additions)
-+        *additions = 1;
-+
- 	a = (struct delegpt_addr*)regional_alloc(region,
- 		sizeof(struct delegpt_addr));
- 	if(!a)
-@@ -382,10 +386,10 @@ delegpt_from_message(struct dns_msg* msg, struct regional* region)
- 			continue;
- 
- 		if(ntohs(s->rk.type) == LDNS_RR_TYPE_A) {
--			if(!delegpt_add_rrset_A(dp, region, s, 0))
-+			if(!delegpt_add_rrset_A(dp, region, s, 0, NULL))
- 				return NULL;
- 		} else if(ntohs(s->rk.type) == LDNS_RR_TYPE_AAAA) {
--			if(!delegpt_add_rrset_AAAA(dp, region, s, 0))
-+			if(!delegpt_add_rrset_AAAA(dp, region, s, 0, NULL))
- 				return NULL;
- 		}
- 	}
-@@ -416,7 +420,7 @@ delegpt_rrset_add_ns(struct delegpt* dp, struct regional* region,
- 
- int 
- delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
--	struct ub_packed_rrset_key* ak, uint8_t lame)
-+	struct ub_packed_rrset_key* ak, uint8_t lame, int* additions)
- {
-         struct packed_rrset_data* d=(struct packed_rrset_data*)ak->entry.data;
-         size_t i;
-@@ -432,7 +436,7 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
-                 memmove(&sa.sin_addr, d->rr_data[i]+2, INET_SIZE);
-                 if(!delegpt_add_target(dp, region, ak->rk.dname,
-                         ak->rk.dname_len, (struct sockaddr_storage*)&sa,
--                        len, (d->security==sec_status_bogus), lame))
-+                        len, (d->security==sec_status_bogus), lame, additions))
-                         return 0;
-         }
-         return 1;
-@@ -440,7 +444,7 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
- 
- int 
- delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
--	struct ub_packed_rrset_key* ak, uint8_t lame)
-+	struct ub_packed_rrset_key* ak, uint8_t lame, int* additions)
- {
-         struct packed_rrset_data* d=(struct packed_rrset_data*)ak->entry.data;
-         size_t i;
-@@ -456,7 +460,7 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
-                 memmove(&sa.sin6_addr, d->rr_data[i]+2, INET6_SIZE);
-                 if(!delegpt_add_target(dp, region, ak->rk.dname,
-                         ak->rk.dname_len, (struct sockaddr_storage*)&sa,
--                        len, (d->security==sec_status_bogus), lame))
-+                        len, (d->security==sec_status_bogus), lame, additions))
-                         return 0;
-         }
-         return 1;
-@@ -464,20 +468,32 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
- 
- int 
- delegpt_add_rrset(struct delegpt* dp, struct regional* region,
--        struct ub_packed_rrset_key* rrset, uint8_t lame)
-+        struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions)
- {
- 	if(!rrset)
- 		return 1;
- 	if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_NS)
- 		return delegpt_rrset_add_ns(dp, region, rrset, lame);
- 	else if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_A)
--		return delegpt_add_rrset_A(dp, region, rrset, lame);
-+		return delegpt_add_rrset_A(dp, region, rrset, lame, additions);
- 	else if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_AAAA)
--		return delegpt_add_rrset_AAAA(dp, region, rrset, lame);
-+		return delegpt_add_rrset_AAAA(dp, region, rrset, lame, additions);
- 	log_warn("Unknown rrset type added to delegpt");
- 	return 1;
- }
- 
-+void delegpt_mark_neg(struct delegpt_ns* ns, uint16_t qtype)
-+{
-+    if(ns) {
-+        if(qtype == LDNS_RR_TYPE_A)
-+            ns->got4 = 2;
-+        else if(qtype == LDNS_RR_TYPE_AAAA)
-+            ns->got6 = 2;
-+        if(ns->got4 && ns->got6)
-+            ns->resolved = 1;
-+    }
-+}
-+
- void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg)
- {
- 	struct reply_info* rep = (struct reply_info*)msg->entry.data;
-@@ -487,14 +503,7 @@ void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg)
- 	if(FLAGS_GET_RCODE(rep->flags) != 0 || rep->an_numrrsets == 0) {
- 		struct delegpt_ns* ns = delegpt_find_ns(dp, msg->key.qname, 
- 			msg->key.qname_len);
--		if(ns) {
--			if(msg->key.qtype == LDNS_RR_TYPE_A)
--				ns->got4 = 1;
--			else if(msg->key.qtype == LDNS_RR_TYPE_AAAA)
--				ns->got6 = 1;
--			if(ns->got4 && ns->got6)
--				ns->resolved = 1;
--		}
-+        delegpt_mark_neg(ns, msg->key.qtype);
- 	}
- }
- 
-diff --git a/iterator/iter_delegpt.h b/iterator/iter_delegpt.h
-index 354bd61..3aded22 100644
---- a/iterator/iter_delegpt.h
-+++ b/iterator/iter_delegpt.h
-@@ -104,9 +104,10 @@ struct delegpt_ns {
- 	 * and marked true if got4 and got6 are both true.
- 	 */
- 	int resolved;
--	/** if the ipv4 address is in the delegpt */
-+	/** if the ipv4 address is in the delegpt, 0=not, 1=yes 2=negative,
-+     * negative means it was done, but no content. */
- 	uint8_t got4;
--	/** if the ipv6 address is in the delegpt */
-+	/** if the ipv6 address is in the delegpt, 0=not, 1=yes 2=negative */
- 	uint8_t got6;
- 	/**
- 	 * If the name is parent-side only and thus dispreferred.
-@@ -213,11 +214,12 @@ int delegpt_rrset_add_ns(struct delegpt* dp, struct regional* regional,
-  * @param addrlen: the length of addr.
-  * @param bogus: security status for the address, pass true if bogus.
-  * @param lame: address is lame.
-+ * @param additions: will be set to 1 if a new address is added
-  * @return false on error.
-  */
- int delegpt_add_target(struct delegpt* dp, struct regional* regional, 
- 	uint8_t* name, size_t namelen, struct sockaddr_storage* addr, 
--	socklen_t addrlen, uint8_t bogus, uint8_t lame);
-+	socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions);
- 
- /**
-  * Add A RRset to delegpt.
-@@ -225,10 +227,11 @@ int delegpt_add_target(struct delegpt* dp, struct regional* regional,
-  * @param regional: where to allocate the info.
-  * @param rrset: RRset A to add.
-  * @param lame: rrset is lame, disprefer it.
-+ * @param additions: will be set to 1 if a new address is added
-  * @return 0 on alloc error.
-  */
- int delegpt_add_rrset_A(struct delegpt* dp, struct regional* regional, 
--	struct ub_packed_rrset_key* rrset, uint8_t lame);
-+	struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions);
- 
- /**
-  * Add AAAA RRset to delegpt.
-@@ -236,10 +239,11 @@ int delegpt_add_rrset_A(struct delegpt* dp, struct regional* regional,
-  * @param regional: where to allocate the info.
-  * @param rrset: RRset AAAA to add.
-  * @param lame: rrset is lame, disprefer it.
-+ * @param additions: will be set to 1 if a new address is added
-  * @return 0 on alloc error.
-  */
- int delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* regional, 
--	struct ub_packed_rrset_key* rrset, uint8_t lame);
-+	struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions);
- 
- /**
-  * Add any RRset to delegpt.
-@@ -248,10 +252,11 @@ int delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* regional,
-  * @param regional: where to allocate the info.
-  * @param rrset: RRset to add, NS, A, AAAA.
-  * @param lame: rrset is lame, disprefer it.
-+ * @param additions: will be set to 1 if a new address is added
-  * @return 0 on alloc error.
-  */
- int delegpt_add_rrset(struct delegpt* dp, struct regional* regional, 
--	struct ub_packed_rrset_key* rrset, uint8_t lame);
-+	struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions);
- 
- /**
-  * Add address to the delegation point. No servername is associated or checked.
-@@ -262,11 +267,13 @@ int delegpt_add_rrset(struct delegpt* dp, struct regional* regional,
-  * @param bogus: if address is bogus.
-  * @param lame: if address is lame.
-  * @param tls_auth_name: TLS authentication name (or NULL).
-+ * @param additions: will be set to 1 if a new address is added
-+ * @return 0 on alloc error.
-  * @return false on error.
-  */
- int delegpt_add_addr(struct delegpt* dp, struct regional* regional, 
- 	struct sockaddr_storage* addr, socklen_t addrlen,
--	uint8_t bogus, uint8_t lame, char* tls_auth_name);
-+	uint8_t bogus, uint8_t lame, char* tls_auth_name, int* additions);
- 
- /** 
-  * Find NS record in name list of delegation point.
-@@ -339,6 +346,14 @@ size_t delegpt_count_targets(struct delegpt* dp);
- struct delegpt* delegpt_from_message(struct dns_msg* msg, 
- 	struct regional* regional);
- 
-+/**
-+* Mark negative return in delegation point for specific nameserver.
-+* sets the got4 or got6 to negative, updates the ns->resolved.
-+* @param ns: the nameserver in the delegpt.
-+* @param qtype: A or AAAA (host order).
-+*/
-+void delegpt_mark_neg(struct delegpt_ns* ns, uint16_t qtype);
-+
- /**
-  * Add negative message to delegation point.
-  * @param dp: delegation point.
-diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
-index 12580dc..8230d17 100644
---- a/iterator/iter_scrub.c
-+++ b/iterator/iter_scrub.c
-@@ -185,8 +185,9 @@ mark_additional_rrset(sldns_buffer* pkt, struct msg_parse* msg,
- /** Get target name of a CNAME */
- static int
- parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname, 
--	size_t* snamelen)
-+	size_t* snamelen, sldns_buffer* pkt)
- {
-+    size_t oldpos, dlen;
- 	if(rrset->rr_count != 1) {
- 		struct rr_parse* sig;
- 		verbose(VERB_ALGO, "Found CNAME rrset with "
-@@ -204,6 +205,19 @@ parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname,
- 	*sname = rrset->rr_first->ttl_data + sizeof(uint32_t)
- 		+ sizeof(uint16_t); /* skip ttl, rdatalen */
- 	*snamelen = rrset->rr_first->size - sizeof(uint16_t);
-+
-+    if(rrset->rr_first->outside_packet) {
-+        if(!dname_valid(*sname, *snamelen))
-+            return 0;
-+        return 1;
-+    }
-+    oldpos = sldns_buffer_position(pkt);
-+    sldns_buffer_set_position(pkt, (size_t)(*sname - sldns_buffer_begin(pkt)));
-+    dlen = pkt_dname_len(pkt);
-+    sldns_buffer_set_position(pkt, oldpos);
-+    if(dlen == 0)
-+        return 0; /* parse fail on the rdata name */
-+    *snamelen = dlen;
- 	return 1;
- }
- 
-@@ -215,7 +229,7 @@ synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset,
- 	/* we already know that sname is a strict subdomain of DNAME owner */
- 	uint8_t* dtarg = NULL;
- 	size_t dtarglen;
--	if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen))
-+	if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen, pkt))
- 		return 0; 
- 	log_assert(qnamelen > dname_rrset->dname_len);
- 	/* DNAME from com. to net. with qname example.com. -> example.net. */
-@@ -372,7 +386,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
- 				/* check next cname */
- 				uint8_t* t = NULL;
- 				size_t tlen = 0;
--				if(!parse_get_cname_target(nx, &t, &tlen))
-+				if(!parse_get_cname_target(nx, &t, &tlen, pkt))
- 					return 0;
- 				if(dname_pkt_compare(pkt, alias, t) == 0) {
- 					/* it's OK and better capitalized */
-@@ -423,7 +437,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
- 				size_t tlen = 0;
- 				if(synth_cname(sname, snamelen, nx, alias,
- 					&aliaslen, pkt) &&
--					parse_get_cname_target(rrset, &t, &tlen) &&
-+					parse_get_cname_target(rrset, &t, &tlen, pkt) &&
- 			   		dname_pkt_compare(pkt, alias, t) == 0) {
- 					/* the synthesized CNAME equals the
- 					 * current CNAME.  This CNAME is the
-@@ -442,7 +456,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
- 			}
- 
- 			/* move to next name in CNAME chain */
--			if(!parse_get_cname_target(rrset, &sname, &snamelen))
-+			if(!parse_get_cname_target(rrset, &sname, &snamelen, pkt))
- 				return 0;
- 			prev = rrset;
- 			rrset = rrset->rrset_all_next;
-diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
-index 0a8f770..a107bee 100644
---- a/iterator/iter_utils.c
-+++ b/iterator/iter_utils.c
-@@ -1008,7 +1008,7 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
- 			log_rrset_key(VERB_ALGO, "found parent-side", akey);
- 			ns->done_pside4 = 1;
- 			/* a negative-cache-element has no addresses it adds */
--			if(!delegpt_add_rrset_A(dp, region, akey, 1))
-+			if(!delegpt_add_rrset_A(dp, region, akey, 1, NULL))
- 				log_err("malloc failure in lookup_parent_glue");
- 			lock_rw_unlock(&akey->entry.lock);
- 		}
-@@ -1020,7 +1020,7 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
- 			log_rrset_key(VERB_ALGO, "found parent-side", akey);
- 			ns->done_pside6 = 1;
- 			/* a negative-cache-element has no addresses it adds */
--			if(!delegpt_add_rrset_AAAA(dp, region, akey, 1))
-+			if(!delegpt_add_rrset_AAAA(dp, region, akey, 1, NULL))
- 				log_err("malloc failure in lookup_parent_glue");
- 			lock_rw_unlock(&akey->entry.lock);
- 		}
-diff --git a/iterator/iterator.c b/iterator/iterator.c
-index 58a9bff..a4ad319 100644
---- a/iterator/iterator.c
-+++ b/iterator/iterator.c
-@@ -69,6 +69,8 @@
- #include "sldns/parseutil.h"
- #include "sldns/sbuffer.h"
- 
-+static void target_count_increase_nx(struct iter_qstate* iq, int num);
-+
- int 
- iter_init(struct module_env* env, int id)
- {
-@@ -147,6 +149,7 @@ iter_new(struct module_qstate* qstate, int id)
- 	iq->sent_count = 0;
- 	iq->ratelimit_ok = 0;
- 	iq->target_count = NULL;
-+    iq->dp_target_count = 0;
- 	iq->wait_priming_stub = 0;
- 	iq->refetch_glue = 0;
- 	iq->dnssec_expected = 0;
-@@ -218,6 +221,7 @@ final_state(struct iter_qstate* iq)
- static void
- error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
- {
-+    struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
- 	struct iter_qstate* super_iq = (struct iter_qstate*)super->minfo[id];
- 
- 	if(qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
-@@ -242,7 +246,11 @@ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
- 				super->region, super_iq->dp))
- 				log_err("out of memory adding missing");
- 		}
-+        delegpt_mark_neg(dpns, qstate->qinfo.qtype);
- 		dpns->resolved = 1; /* mark as failed */
-+        if((dpns->got4 == 2 || !ie->supports_ipv4) &&
-+            (dpns->got6 == 2 || !ie->supports_ipv6))
-+            target_count_increase_nx(super_iq, 1);
- 	}
- 	if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS) {
- 		/* prime failed to get delegation */
-@@ -577,7 +585,7 @@ static void
- target_count_create(struct iter_qstate* iq)
- {
- 	if(!iq->target_count) {
--		iq->target_count = (int*)calloc(2, sizeof(int));
-+		iq->target_count = (int*)calloc(3, sizeof(int));
- 		/* if calloc fails we simply do not track this number */
- 		if(iq->target_count)
- 			iq->target_count[0] = 1;
-@@ -590,6 +598,15 @@ target_count_increase(struct iter_qstate* iq, int num)
- 	target_count_create(iq);
- 	if(iq->target_count)
- 		iq->target_count[1] += num;
-+    iq->dp_target_count++;
-+}
-+
-+static void
-+target_count_increase_nx(struct iter_qstate* iq, int num)
-+{
-+   target_count_create(iq);
-+   if(iq->target_count)
-+       iq->target_count[2] += num;
- }
- 
- /**
-@@ -612,13 +629,15 @@ target_count_increase(struct iter_qstate* iq, int num)
-  * @param subq_ret: if newly allocated, the subquerystate, or NULL if it does
-  * 	not need initialisation.
-  * @param v: if true, validation is done on the subquery.
-+ * @param detached: true if this qstate should not attach to the subquery
-  * @return false on error (malloc).
-  */
- static int
- generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype, 
- 	uint16_t qclass, struct module_qstate* qstate, int id,
- 	struct iter_qstate* iq, enum iter_state initial_state, 
--	enum iter_state finalstate, struct module_qstate** subq_ret, int v)
-+	enum iter_state finalstate, struct module_qstate** subq_ret, int v,
-+    int detached)
- {
- 	struct module_qstate* subq = NULL;
- 	struct iter_qstate* subiq = NULL;
-@@ -645,12 +664,24 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
- 		valrec = 1;
- 	}
- 	
--	/* attach subquery, lookup existing or make a new one */
--	fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
--	if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime, valrec,
--		&subq)) {
--		return 0;
--	}
-+    if(detached) {
-+        struct mesh_state* sub = NULL;
-+        fptr_ok(fptr_whitelist_modenv_add_sub(
-+            qstate->env->add_sub));
-+        if(!(*qstate->env->add_sub)(qstate, &qinf,
-+            qflags, prime, valrec, &subq, &sub)){
-+            return 0;
-+        }
-+    }
-+    else {
-+        /* attach subquery, lookup existing or make a new one */
-+        fptr_ok(fptr_whitelist_modenv_attach_sub(
-+            qstate->env->attach_sub));
-+        if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime,
-+            valrec, &subq)) {
-+            return 0;
-+        }
-+    }
- 	*subq_ret = subq;
- 	if(subq) {
- 		/* initialise the new subquery */
-@@ -672,6 +703,7 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
- 		subiq->target_count = iq->target_count;
- 		if(iq->target_count)
- 			iq->target_count[0] ++; /* extra reference */
-+        subiq->dp_target_count = 0;
- 		subiq->num_current_queries = 0;
- 		subiq->depth = iq->depth+1;
- 		outbound_list_init(&subiq->outlist);
-@@ -715,7 +747,7 @@ prime_root(struct module_qstate* qstate, struct iter_qstate* iq, int id,
- 	 * the normal INIT state logic (which would cause an infloop). */
- 	if(!generate_sub_request((uint8_t*)"\000", 1, LDNS_RR_TYPE_NS, 
- 		qclass, qstate, id, iq, QUERYTARGETS_STATE, PRIME_RESP_STATE,
--		&subq, 0)) {
-+		&subq, 0, 0)) {
- 		verbose(VERB_ALGO, "could not prime root");
- 		return 0;
- 	}
-@@ -805,7 +837,7 @@ prime_stub(struct module_qstate* qstate, struct iter_qstate* iq, int id,
- 	 * redundant INIT state processing. */
- 	if(!generate_sub_request(stub_dp->name, stub_dp->namelen, 
- 		LDNS_RR_TYPE_NS, qclass, qstate, id, iq,
--		QUERYTARGETS_STATE, PRIME_RESP_STATE, &subq, 0)) {
-+		QUERYTARGETS_STATE, PRIME_RESP_STATE, &subq, 0, 0)) {
- 		verbose(VERB_ALGO, "could not prime stub");
- 		(void)error_response(qstate, id, LDNS_RCODE_SERVFAIL);
- 		return 1; /* return 1 to make module stop, with error */
-@@ -976,7 +1008,7 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
- 		if(!generate_sub_request(s->rk.dname, s->rk.dname_len, 
- 			ntohs(s->rk.type), ntohs(s->rk.rrset_class),
- 			qstate, id, iq,
--			INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
-+			INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
- 			verbose(VERB_ALGO, "could not generate addr check");
- 			return;
- 		}
-@@ -1020,7 +1052,7 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
- 		iq->dp->name, LDNS_RR_TYPE_NS, iq->qchase.qclass);
- 	if(!generate_sub_request(iq->dp->name, iq->dp->namelen, 
- 		LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq,
--		INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
-+		INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
- 		verbose(VERB_ALGO, "could not generate ns check");
- 		return;
- 	}
-@@ -1077,7 +1109,7 @@ generate_dnskey_prefetch(struct module_qstate* qstate,
- 		iq->dp->name, LDNS_RR_TYPE_DNSKEY, iq->qchase.qclass);
- 	if(!generate_sub_request(iq->dp->name, iq->dp->namelen, 
- 		LDNS_RR_TYPE_DNSKEY, iq->qchase.qclass, qstate, id, iq,
--		INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0)) {
-+		INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0)) {
- 		/* we'll be slower, but it'll work */
- 		verbose(VERB_ALGO, "could not generate dnskey prefetch");
- 		return;
-@@ -1251,6 +1283,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
- 			iq->refetch_glue = 0;
- 			iq->query_restart_count++;
- 			iq->sent_count = 0;
-+            iq->dp_target_count = 0;
- 			sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region);
- 			if(qstate->env->cfg->qname_minimisation)
- 				iq->minimisation_state = INIT_MINIMISE_STATE;
-@@ -1613,7 +1646,7 @@ generate_parentside_target_query(struct module_qstate* qstate,
- {
- 	struct module_qstate* subq;
- 	if(!generate_sub_request(name, namelen, qtype, qclass, qstate, 
--		id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0))
-+		id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0))
- 		return 0;
- 	if(subq) {
- 		struct iter_qstate* subiq = 
-@@ -1664,7 +1697,7 @@ generate_target_query(struct module_qstate* qstate, struct iter_qstate* iq,
- {
- 	struct module_qstate* subq;
- 	if(!generate_sub_request(name, namelen, qtype, qclass, qstate, 
--		id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0))
-+		id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0))
- 		return 0;
- 	log_nametypeclass(VERB_QUERY, "new target", name, qtype, qclass);
- 	return 1;
-@@ -1703,6 +1736,14 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
- 			"number of glue fetches %d", s, iq->target_count[1]);
- 		return 0;
- 	}
-+    if(iq->dp_target_count > MAX_DP_TARGET_COUNT) {
-+        char s[LDNS_MAX_DOMAINLEN+1];
-+        dname_str(qstate->qinfo.qname, s);
-+        verbose(VERB_QUERY, "request %s has exceeded the maximum "
-+            "number of glue fetches %d to a single delegation point",
-+            s, iq->dp_target_count);
-+        return 0;
-+    }
- 
- 	iter_mark_cycle_targets(qstate, iq->dp);
- 	missing = (int)delegpt_count_missing_targets(iq->dp);
-@@ -1815,7 +1856,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
- 			for(a = p->target_list; a; a=a->next_target) {
- 				(void)delegpt_add_addr(iq->dp, qstate->region,
- 					&a->addr, a->addrlen, a->bogus,
--					a->lame, a->tls_auth_name);
-+					a->lame, a->tls_auth_name, NULL);
- 			}
- 		}
- 		iq->dp->has_parent_side_NS = 1;
-@@ -1832,6 +1873,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
- 			iq->refetch_glue = 1;
- 			iq->query_restart_count++;
- 			iq->sent_count = 0;
-+            iq->dp_target_count = 0;
- 			if(qstate->env->cfg->qname_minimisation)
- 				iq->minimisation_state = INIT_MINIMISE_STATE;
- 			return next_state(iq, INIT_REQUEST_STATE);
-@@ -1986,7 +2028,7 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
- 		iq->dsns_point, LDNS_RR_TYPE_NS, iq->qchase.qclass);
- 	if(!generate_sub_request(iq->dsns_point, iq->dsns_point_len, 
- 		LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq,
--		INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0)) {
-+		INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0)) {
- 		return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
- 	}
- 
-@@ -2039,7 +2081,14 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
- 			"number of sends with %d", iq->sent_count);
- 		return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
- 	}
--	
-+    if(iq->target_count && iq->target_count[2] > MAX_TARGET_NX) {
-+        verbose(VERB_QUERY, "request has exceeded the maximum "
-+            " number of nxdomain nameserver lookups with %d",
-+            iq->target_count[2]);
-+        errinf(qstate, "exceeded the maximum nameserver nxdomains");
-+        return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
-+    }
-+
- 	/* Make sure we have a delegation point, otherwise priming failed
- 	 * or another failure occurred */
- 	if(!iq->dp) {
-@@ -2139,12 +2188,41 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
- 				iq->qinfo_out.qtype, iq->qinfo_out.qclass, 
- 				qstate->query_flags, qstate->region, 
- 				qstate->env->scratch, 0);
--			if(msg && msg->rep->an_numrrsets == 0
--				&& FLAGS_GET_RCODE(msg->rep->flags) == 
-+            if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
- 				LDNS_RCODE_NOERROR)
- 				/* no need to send query if it is already 
--				 * cached as NOERROR/NODATA */
-+				 * cached as NOERROR */
- 				return 1;
-+            if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
-+                LDNS_RCODE_NXDOMAIN &&
-+                qstate->env->need_to_validate &&
-+                qstate->env->cfg->harden_below_nxdomain) {
-+                if(msg->rep->security == sec_status_secure) {
-+                    iq->response = msg;
-+                    return final_state(iq);
-+                }
-+                if(msg->rep->security == sec_status_unchecked) {
-+                    struct module_qstate* subq = NULL;
-+                    if(!generate_sub_request(
-+                        iq->qinfo_out.qname,
-+                        iq->qinfo_out.qname_len,
-+                        iq->qinfo_out.qtype,
-+                        iq->qinfo_out.qclass,
-+                        qstate, id, iq,
-+                        INIT_REQUEST_STATE,
-+                        FINISHED_STATE, &subq, 1, 1))
-+                        verbose(VERB_ALGO,
-+                        "could not validate NXDOMAIN "
-+                        "response");
-+                }
-+            }
-+            if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
-+                LDNS_RCODE_NXDOMAIN) {
-+                /* return and add a label in the next
-+                 * minimisation iteration.
-+                 */
-+                return 1;
-+            }
- 		}
- 	}
- 	if(iq->minimisation_state == SKIP_MINIMISE_STATE) {
-@@ -2219,6 +2297,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
- 	 * generated query will immediately be discarded due to depth and
- 	 * that servfail is cached, which is not good as opportunism goes. */
- 	if(iq->depth < ie->max_dependency_depth
-+        && iq->num_target_queries == 0
-+        && (!iq->target_count || iq->target_count[2]==0)
- 		&& iq->sent_count < TARGET_FETCH_STOP) {
- 		tf_policy = ie->target_fetch_policy[iq->depth];
- 	}
-@@ -2256,6 +2336,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
- 			iq->num_current_queries++; /* RespState decrements it*/
- 			iq->referral_count++; /* make sure we don't loop */
- 			iq->sent_count = 0;
-+            iq->dp_target_count = 0;
- 			iq->state = QUERY_RESP_STATE;
- 			return 1;
- 		}
-@@ -2341,6 +2422,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
- 					iq->num_current_queries++; /* RespState decrements it*/
- 					iq->referral_count++; /* make sure we don't loop */
- 					iq->sent_count = 0;
-+                    iq->dp_target_count = 0;
- 					iq->state = QUERY_RESP_STATE;
- 					return 1;
- 				}
-@@ -2607,7 +2689,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
- 				/* Make subrequest to validate intermediate
- 				 * NXDOMAIN if harden-below-nxdomain is
- 				 * enabled. */
--				if(qstate->env->cfg->harden_below_nxdomain) {
-+				if(qstate->env->cfg->harden_below_nxdomain &&
-+                    qstate->env->need_to_validate) {
- 					struct module_qstate* subq = NULL;
- 					log_query_info(VERB_QUERY,
- 						"schedule NXDOMAIN validation:",
-@@ -2619,7 +2702,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
- 						iq->response->qinfo.qclass,
- 						qstate, id, iq,
- 						INIT_REQUEST_STATE,
--						FINISHED_STATE, &subq, 1))
-+						FINISHED_STATE, &subq, 1, 1))
- 						verbose(VERB_ALGO,
- 						"could not validate NXDOMAIN "
- 						"response");
-@@ -2702,6 +2785,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
- 		/* Count this as a referral. */
- 		iq->referral_count++;
- 		iq->sent_count = 0;
-+        iq->dp_target_count = 0;
- 		/* see if the next dp is a trust anchor, or a DS was sent
- 		 * along, indicating dnssec is expected for next zone */
- 		iq->dnssec_expected = iter_indicates_dnssec(qstate->env, 
-@@ -2776,6 +2860,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
- 		iq->dsns_point = NULL;
- 		iq->auth_zone_response = 0;
- 		iq->sent_count = 0;
-+        iq->dp_target_count = 0;
- 		if(iq->minimisation_state != MINIMISE_STATE)
- 			/* Only count as query restart when it is not an extra
- 			 * query as result of qname minimisation. */
-@@ -2964,7 +3049,7 @@ processPrimeResponse(struct module_qstate* qstate, int id)
- 		if(!generate_sub_request(qstate->qinfo.qname, 
- 			qstate->qinfo.qname_len, qstate->qinfo.qtype,
- 			qstate->qinfo.qclass, qstate, id, iq,
--			INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
-+			INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
- 			verbose(VERB_ALGO, "could not generate prime check");
- 		}
- 		generate_a_aaaa_check(qstate, iq, id);
-@@ -2992,6 +3077,7 @@ static void
- processTargetResponse(struct module_qstate* qstate, int id,
- 	struct module_qstate* forq)
- {
-+    struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
- 	struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id];
- 	struct iter_qstate* foriq = (struct iter_qstate*)forq->minfo[id];
- 	struct ub_packed_rrset_key* rrset;
-@@ -3029,7 +3115,7 @@ processTargetResponse(struct module_qstate* qstate, int id,
- 		log_rrset_key(VERB_ALGO, "add parentside glue to dp", 
- 			iq->pside_glue);
- 		if(!delegpt_add_rrset(foriq->dp, forq->region, 
--			iq->pside_glue, 1))
-+			iq->pside_glue, 1, NULL))
- 			log_err("out of memory adding pside glue");
- 	}
- 
-@@ -3040,6 +3126,7 @@ processTargetResponse(struct module_qstate* qstate, int id,
- 	 * response type was ANSWER. */
- 	rrset = reply_find_answer_rrset(&iq->qchase, qstate->return_msg->rep);
- 	if(rrset) {
-+        int additions = 0;
- 		/* if CNAMEs have been followed - add new NS to delegpt. */
- 		/* BTW. RFC 1918 says NS should not have got CNAMEs. Robust. */
- 		if(!delegpt_find_ns(foriq->dp, rrset->rk.dname, 
-@@ -3051,13 +3138,23 @@ processTargetResponse(struct module_qstate* qstate, int id,
- 		}
- 		/* if dpns->lame then set the address(es) lame too */
- 		if(!delegpt_add_rrset(foriq->dp, forq->region, rrset, 
--			dpns->lame))
-+			dpns->lame, &additions))
- 			log_err("out of memory adding targets");
-+        if(!additions) {
-+            /* no new addresses, increase the nxns counter, like
-+             * this could be a list of wildcards with no new
-+             * addresses */
-+            target_count_increase_nx(foriq, 1);
-+        }
- 		verbose(VERB_ALGO, "added target response");
- 		delegpt_log(VERB_ALGO, foriq->dp);
- 	} else {
- 		verbose(VERB_ALGO, "iterator TargetResponse failed");
-+        delegpt_mark_neg(dpns, qstate->qinfo.qtype);
- 		dpns->resolved = 1; /* fail the target */
-+        if((dpns->got4 == 2 || !ie->supports_ipv4) &&
-+            (dpns->got6 == 2 || !ie->supports_ipv6))
-+            target_count_increase_nx(foriq, 1);
- 	}
- }
- 
-@@ -3228,7 +3325,7 @@ processCollectClass(struct module_qstate* qstate, int id)
- 				qstate->qinfo.qname_len, qstate->qinfo.qtype,
- 				c, qstate, id, iq, INIT_REQUEST_STATE,
- 				FINISHED_STATE, &subq, 
--				(int)!(qstate->query_flags&BIT_CD))) {
-+				(int)!(qstate->query_flags&BIT_CD), 0)) {
- 				return error_response(qstate, id, 
- 					LDNS_RCODE_SERVFAIL);
- 			}
-diff --git a/iterator/iterator.h b/iterator/iterator.h
-index 67ffeb1..4b325b5 100644
---- a/iterator/iterator.h
-+++ b/iterator/iterator.h
-@@ -55,6 +55,11 @@ struct rbtree_type;
- 
- /** max number of targets spawned for a query and its subqueries */
- #define MAX_TARGET_COUNT	64
-+/** max number of target lookups per qstate, per delegation point */
-+#define MAX_DP_TARGET_COUNT    16
-+/** max number of nxdomains allowed for target lookups for a query and
-+ * its subqueries */
-+#define MAX_TARGET_NX      5
- /** max number of query restarts. Determines max number of CNAME chain. */
- #define MAX_RESTART_COUNT       8
- /** max number of referrals. Makes sure resolver does not run away */
-@@ -305,9 +310,14 @@ struct iter_qstate {
- 	int sent_count;
- 	
- 	/** number of target queries spawned in [1], for this query and its
--	 * subqueries, the malloced-array is shared, [0] refcount. */
-+	 * subqueries, the malloced-array is shared, [0] refcount.
-+	 * in [2] the number of nxdomains is counted. */
- 	int* target_count;
- 
-+    /** number of target lookups per delegation point. Reset to 0 after
-+     * receiving referral answer. Not shared with subqueries. */
-+    int dp_target_count;
-+
- 	/** if true, already tested for ratelimiting and passed the test */
- 	int ratelimit_ok;
- 
-diff --git a/services/cache/dns.c b/services/cache/dns.c
-index 35adc35..23ec68e 100644
---- a/services/cache/dns.c
-+++ b/services/cache/dns.c
-@@ -271,7 +271,7 @@ find_add_addrs(struct module_env* env, uint16_t qclass,
- 		akey = rrset_cache_lookup(env->rrset_cache, ns->name, 
- 			ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
- 		if(akey) {
--			if(!delegpt_add_rrset_A(dp, region, akey, 0)) {
-+			if(!delegpt_add_rrset_A(dp, region, akey, 0, NULL)) {
- 				lock_rw_unlock(&akey->entry.lock);
- 				return 0;
- 			}
-@@ -291,7 +291,7 @@ find_add_addrs(struct module_env* env, uint16_t qclass,
- 		akey = rrset_cache_lookup(env->rrset_cache, ns->name, 
- 			ns->namelen, LDNS_RR_TYPE_AAAA, qclass, 0, now, 0);
- 		if(akey) {
--			if(!delegpt_add_rrset_AAAA(dp, region, akey, 0)) {
-+			if(!delegpt_add_rrset_AAAA(dp, region, akey, 0, NULL)) {
- 				lock_rw_unlock(&akey->entry.lock);
- 				return 0;
- 			}
-@@ -325,7 +325,8 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
- 		akey = rrset_cache_lookup(env->rrset_cache, ns->name, 
- 			ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
- 		if(akey) {
--			if(!delegpt_add_rrset_A(dp, region, akey, ns->lame)) {
-+			if(!delegpt_add_rrset_A(dp, region, akey, ns->lame,
-+                NULL)) {
- 				lock_rw_unlock(&akey->entry.lock);
- 				return 0;
- 			}
-@@ -345,7 +346,8 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
- 		akey = rrset_cache_lookup(env->rrset_cache, ns->name, 
- 			ns->namelen, LDNS_RR_TYPE_AAAA, qclass, 0, now, 0);
- 		if(akey) {
--			if(!delegpt_add_rrset_AAAA(dp, region, akey, ns->lame)) {
-+			if(!delegpt_add_rrset_AAAA(dp, region, akey, ns->lame,
-+                NULL)) {
- 				lock_rw_unlock(&akey->entry.lock);
- 				return 0;
- 			}
-diff --git a/util/data/dname.c b/util/data/dname.c
-index c7360f7..b744f06 100644
---- a/util/data/dname.c
-+++ b/util/data/dname.c
-@@ -231,17 +231,28 @@ int
- dname_pkt_compare(sldns_buffer* pkt, uint8_t* d1, uint8_t* d2)
- {
- 	uint8_t len1, len2;
-+    int count1 = 0, count2 = 0;
- 	log_assert(pkt && d1 && d2);
- 	len1 = *d1++;
- 	len2 = *d2++;
- 	while( len1 != 0 || len2 != 0 ) {
- 		/* resolve ptrs */
- 		if(LABEL_IS_PTR(len1)) {
-+            if((size_t)PTR_OFFSET(len1, *d1)
-+                >= sldns_buffer_limit(pkt))
-+                return -1;
-+            if(count1++ > MAX_COMPRESS_PTRS)
-+                return -1;
- 			d1 = sldns_buffer_at(pkt, PTR_OFFSET(len1, *d1));
- 			len1 = *d1++;
- 			continue;
- 		}
- 		if(LABEL_IS_PTR(len2)) {
-+            if((size_t)PTR_OFFSET(len2, *d2)
-+                >= sldns_buffer_limit(pkt))
-+                return 1;
-+            if(count2++ > MAX_COMPRESS_PTRS)
-+                return 1;
- 			d2 = sldns_buffer_at(pkt, PTR_OFFSET(len2, *d2));
- 			len2 = *d2++;
- 			continue;
-@@ -300,12 +311,19 @@ dname_pkt_hash(sldns_buffer* pkt, uint8_t* dname, hashvalue_type h)
- 	uint8_t labuf[LDNS_MAX_LABELLEN+1];
- 	uint8_t lablen;
- 	int i;
-+    int count = 0;
- 
- 	/* preserve case of query, make hash label by label */
- 	lablen = *dname++;
- 	while(lablen) {
- 		if(LABEL_IS_PTR(lablen)) {
- 			/* follow pointer */
-+            if((size_t)PTR_OFFSET(lablen, *dname)
-+                >= sldns_buffer_limit(pkt))
-+                return h;
-+            if(count++ > MAX_COMPRESS_PTRS)
-+                return h;
-+
- 			dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname));
- 			lablen = *dname++;
- 			continue;
-@@ -333,6 +351,9 @@ void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
- 	while(lablen) {
- 		if(LABEL_IS_PTR(lablen)) {
- 			/* follow pointer */
-+            if((size_t)PTR_OFFSET(lablen, *dname)
-+                >= sldns_buffer_limit(pkt))
-+                return;
- 			dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname));
- 			lablen = *dname++;
- 			continue;
-@@ -357,6 +378,7 @@ void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
- void dname_print(FILE* out, struct sldns_buffer* pkt, uint8_t* dname)
- {
- 	uint8_t lablen;
-+    int count = 0;
- 	if(!out) out = stdout;
- 	if(!dname) return;
- 
-@@ -370,6 +392,15 @@ void dname_print(FILE* out, struct sldns_buffer* pkt, uint8_t* dname)
- 				fputs("??compressionptr??", out);
- 				return;
- 			}
-+            if((size_t)PTR_OFFSET(lablen, *dname)
-+                >= sldns_buffer_limit(pkt)) {
-+                fputs("??compressionptr??", out);
-+                return;
-+            }
-+            if(count++ > MAX_COMPRESS_PTRS) {
-+                fputs("??compressionptr??", out);
-+                return;
-+            }
- 			dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname));
- 			lablen = *dname++;
- 			continue;
-diff --git a/util/data/msgparse.c b/util/data/msgparse.c
-index 13cad8a..c8a5384 100644
---- a/util/data/msgparse.c
-+++ b/util/data/msgparse.c
-@@ -55,7 +55,11 @@ smart_compare(sldns_buffer* pkt, uint8_t* dnow,
- {
- 	if(LABEL_IS_PTR(*dnow)) {
- 		/* ptr points to a previous dname */
--		uint8_t* p = sldns_buffer_at(pkt, PTR_OFFSET(dnow[0], dnow[1]));
-+       uint8_t* p;
-+       if((size_t)PTR_OFFSET(dnow[0], dnow[1])
-+           >= sldns_buffer_limit(pkt))
-+           return -1;
-+       p = sldns_buffer_at(pkt, PTR_OFFSET(dnow[0], dnow[1]));
- 		if( p == dprfirst || p == dprlast )
- 			return 0;
- 		/* prev dname is also a ptr, both ptrs are the same. */

SOURCES/unbound-1.7.3-anchor-fallback.patch

@@ -1,182 +0,0 @@
-From 81e9f82a8ddd811d7ebafe2fd0ee5af836d0b405 Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards <wouter@nlnetlabs.nl>
-Date: Wed, 4 Jul 2018 10:02:16 +0000
-Subject: [PATCH] - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will
- not pass   if DNSSEC is not enabled.  New option -R allows fallback from  
- resolv.conf to direct queries.
-
-git-svn-id: file:///svn/unbound/trunk@4770 be551aaa-1e26-0410-a405-d3ace91eadb9
----
- doc/unbound-anchor.8.in   |  5 ++++
- smallapp/unbound-anchor.c | 66 ++++++++++++++++++++++++++++++++++-------------
- 2 files changed, 53 insertions(+), 18 deletions(-)
-
-diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
-index 02a3e781..e114eb25 100644
---- a/doc/unbound-anchor.8.in
-+++ b/doc/unbound-anchor.8.in
-@@ -109,6 +109,11 @@ It does so, because the tool when used for bootstrapping the recursive
- resolver, cannot use that recursive resolver itself because it is bootstrapping
- that server.
- .TP
-+.B \-R
-+Allow fallback from \-f resolv.conf file to direct root servers query.
-+It allows you to prefer local resolvers, but fallback automatically
-+to direct root query if they do not respond or do not support DNSSEC.
-+.TP
- .B \-v
- More verbose. Once prints informational messages, multiple times may enable
- large debug amounts (such as full certificates or byte\-dumps of downloaded
-diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
-index b3009108..f3985090 100644
---- a/smallapp/unbound-anchor.c
-+++ b/smallapp/unbound-anchor.c
-@@ -192,9 +192,10 @@ usage(void)
- 	printf("-n name		signer's subject emailAddress, default %s\n", P7SIGNER);
- 	printf("-4		work using IPv4 only\n");
- 	printf("-6		work using IPv6 only\n");
--	printf("-f resolv.conf	use given resolv.conf to resolve -u name\n");
--	printf("-r root.hints	use given root.hints to resolve -u name\n"
-+	printf("-f resolv.conf	use given resolv.conf\n");
-+	printf("-r root.hints	use given root.hints\n"
- 		"		builtin root hints are used by default\n");
-+	printf("-R		fallback from -f to root query on error\n");
- 	printf("-v		more verbose\n");
- 	printf("-C conf		debug, read config\n");
- 	printf("-P port		use port for https connect, default 443\n");
-@@ -1920,8 +1921,7 @@ static int
- do_certupdate(const char* root_anchor_file, const char* root_cert_file,
- 	const char* urlname, const char* xmlname, const char* p7sname,
- 	const char* p7signer, const char* res_conf, const char* root_hints,
--	const char* debugconf, int ip4only, int ip6only, int port,
--	struct ub_result* dnskey)
-+	const char* debugconf, int ip4only, int ip6only, int port)
- {
- 	STACK_OF(X509)* cert;
- 	BIO *xml, *p7s;
-@@ -1961,7 +1961,6 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file,
- #ifndef S_SPLINT_S
- 	sk_X509_pop_free(cert, X509_free);
- #endif
--	ub_resolve_free(dnskey);
- 	ip_list_free(ip_list);
- 	return 1;
- }
-@@ -2199,16 +2198,33 @@ probe_date_allows_certupdate(const char* root_anchor_file)
- 	return 0;
- }
- 
-+static struct ub_result *
-+fetch_root_key(const char* root_anchor_file, const char* res_conf,
-+	const char* root_hints, const char* debugconf,
-+	int ip4only, int ip6only)
-+{
-+	struct ub_ctx* ctx;
-+	struct ub_result* dnskey;
-+
-+	ctx = create_unbound_context(res_conf, root_hints, debugconf,
-+		ip4only, ip6only);
-+	add_5011_probe_root(ctx, root_anchor_file);
-+	dnskey = prime_root_key(ctx);
-+	ub_ctx_delete(ctx);
-+	return dnskey;
-+}
-+
- /** perform the unbound-anchor work */
- static int
- do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
- 	const char* urlname, const char* xmlname, const char* p7sname,
- 	const char* p7signer, const char* res_conf, const char* root_hints,
--	const char* debugconf, int ip4only, int ip6only, int force, int port)
-+	const char* debugconf, int ip4only, int ip6only, int force,
-+	int res_conf_fallback, int port)
- {
--	struct ub_ctx* ctx;
- 	struct ub_result* dnskey;
- 	int used_builtin = 0;
-+	int rcode;
- 
- 	/* see if builtin rootanchor needs to be provided, or if
- 	 * rootanchor is 'revoked-trust-point' */
-@@ -2217,12 +2233,22 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
- 
- 	/* make unbound context with 5011-probe for root anchor,
- 	 * and probe . DNSKEY */
--	ctx = create_unbound_context(res_conf, root_hints, debugconf,
--		ip4only, ip6only);
--	add_5011_probe_root(ctx, root_anchor_file);
--	dnskey = prime_root_key(ctx);
--	ub_ctx_delete(ctx);
--	
-+	dnskey = fetch_root_key(root_anchor_file, res_conf,
-+		root_hints, debugconf, ip4only, ip6only);
-+	rcode = dnskey->rcode;
-+
-+	if (res_conf_fallback && res_conf && !dnskey->secure) {
-+		if (verb) printf("%s failed, retrying direct\n", res_conf);
-+		ub_resolve_free(dnskey);
-+		/* try direct query without res_conf */
-+		dnskey = fetch_root_key(root_anchor_file, NULL,
-+			root_hints, debugconf, ip4only, ip6only);
-+		if (rcode != 0 && dnskey->rcode == 0) {
-+			res_conf = NULL;
-+			rcode = 0;
-+		}
-+	}
-+
- 	/* if secure: exit */
- 	if(dnskey->secure && !force) {
- 		if(verb) printf("success: the anchor is ok\n");
-@@ -2230,18 +2256,18 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
- 		return used_builtin;
- 	}
- 	if(force && verb) printf("debug cert update forced\n");
-+	ub_resolve_free(dnskey);
- 
- 	/* if not (and NOERROR): check date and do certupdate */
--	if((dnskey->rcode == 0 &&
-+	if((rcode == 0 &&
- 		probe_date_allows_certupdate(root_anchor_file)) || force) {
- 		if(do_certupdate(root_anchor_file, root_cert_file, urlname,
- 			xmlname, p7sname, p7signer, res_conf, root_hints,
--			debugconf, ip4only, ip6only, port, dnskey))
-+			debugconf, ip4only, ip6only, port))
- 			return 1;
- 		return used_builtin;
- 	}
- 	if(verb) printf("fail: the anchor is NOT ok and could not be fixed\n");
--	ub_resolve_free(dnskey);
- 	return used_builtin;
- }
- 
-@@ -2264,8 +2290,9 @@ int main(int argc, char* argv[])
- 	const char* root_hints = NULL;
- 	const char* debugconf = NULL;
- 	int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
-+	int res_conf_fallback = 0;
- 	/* parse the options */
--	while( (c=getopt(argc, argv, "46C:FP:a:c:f:hln:r:s:u:vx:")) != -1) {
-+	while( (c=getopt(argc, argv, "46C:FRP:a:c:f:hln:r:s:u:vx:")) != -1) {
- 		switch(c) {
- 		case 'l':
- 			dolist = 1;
-@@ -2300,6 +2327,9 @@ int main(int argc, char* argv[])
- 		case 'r':
- 			root_hints = optarg;
- 			break;
-+		case 'R':
-+			res_conf_fallback = 1;
-+			break;
- 		case 'C':
- 			debugconf = optarg;
- 			break;
-@@ -2346,5 +2376,5 @@ int main(int argc, char* argv[])
- 
- 	return do_root_update_work(root_anchor_file, root_cert_file, urlname,
- 		xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
--		ip4only, ip6only, force, port);
-+		ip4only, ip6only, force, res_conf_fallback, port);
- }
--- 
-2.14.4
-

SOURCES/unbound-1.7.3-auth-callback.patch

@@ -1,65 +0,0 @@
---- a/services/authzone.c	2018-06-14 09:09:01.000000000 +0200
-+++ b/services/authzone.c	2020-04-16 18:55:50.806693241 +0200
-@@ -5139,7 +5139,7 @@
- 	log_assert(xfr->task_transfer);
- 	lock_basic_lock(&xfr->lock);
- 	env = xfr->task_transfer->env;
--	if(env->outnet->want_to_quit) {
-+	if(!env || env->outnet->want_to_quit) {
- 		lock_basic_unlock(&xfr->lock);
- 		return; /* stop on quit */
- 	}
-@@ -5558,7 +5558,7 @@
- 	log_assert(xfr->task_transfer);
- 	lock_basic_lock(&xfr->lock);
- 	env = xfr->task_transfer->env;
--	if(env->outnet->want_to_quit) {
-+	if(!env || env->outnet->want_to_quit) {
- 		lock_basic_unlock(&xfr->lock);
- 		return 0; /* stop on quit */
- 	}
-@@ -5619,7 +5619,7 @@
- 	log_assert(xfr->task_transfer);
- 	lock_basic_lock(&xfr->lock);
- 	env = xfr->task_transfer->env;
--	if(env->outnet->want_to_quit) {
-+	if(!env || env->outnet->want_to_quit) {
- 		lock_basic_unlock(&xfr->lock);
- 		return 0; /* stop on quit */
- 	}
-@@ -5798,7 +5798,7 @@
- 	log_assert(xfr->task_probe);
- 	lock_basic_lock(&xfr->lock);
- 	env = xfr->task_probe->env;
--	if(env->outnet->want_to_quit) {
-+	if(!env || env->outnet->want_to_quit) {
- 		lock_basic_unlock(&xfr->lock);
- 		return; /* stop on quit */
- 	}
-@@ -5829,7 +5829,7 @@
- 	log_assert(xfr->task_probe);
- 	lock_basic_lock(&xfr->lock);
- 	env = xfr->task_probe->env;
--	if(env->outnet->want_to_quit) {
-+	if(!env || env->outnet->want_to_quit) {
- 		lock_basic_unlock(&xfr->lock);
- 		return 0; /* stop on quit */
- 	}
-@@ -6030,7 +6030,7 @@
- 	log_assert(xfr->task_probe);
- 	lock_basic_lock(&xfr->lock);
- 	env = xfr->task_probe->env;
--	if(env->outnet->want_to_quit) {
-+	if(!env || env->outnet->want_to_quit) {
- 		lock_basic_unlock(&xfr->lock);
- 		return; /* stop on quit */
- 	}
-@@ -6089,7 +6089,7 @@
- 	log_assert(xfr->task_nextprobe);
- 	lock_basic_lock(&xfr->lock);
- 	env = xfr->task_nextprobe->env;
--	if(env->outnet->want_to_quit) {
-+	if(!env || env->outnet->want_to_quit) {
- 		lock_basic_unlock(&xfr->lock);
- 		return; /* stop on quit */
- 	}

SOURCES/unbound-1.7.3-crypto-policy-non-compliance-openssl.patch

@@ -1,13 +0,0 @@
-diff --git a/util/net_help.c b/util/net_help.c
-index a5059b0..a193c36 100644
---- a/util/net_help.c
-+++ b/util/net_help.c
-@@ -703,7 +703,7 @@ listen_sslctx_setup(void* ctxt)
- #endif
- #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
- 	/* if we have sha256, set the cipher list to have no known vulns */
--	if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
-+	if(!SSL_CTX_set_cipher_list(ctx, "PROFILE=SYSTEM"))
- 		log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
- #endif
- 

SOURCES/unbound-1.7.3-host-any.patch

@@ -1,12 +0,0 @@
-diff --git a/smallapp/unbound-host.c b/smallapp/unbound-host.c
-index 53bf3277..f02511fe 100644
---- a/smallapp/unbound-host.c
-+++ b/smallapp/unbound-host.c
-@@ -340,6 +340,7 @@ pretty_output(char* q, int t, int c, struct ub_result* result, int docname)
- 					exit(1);
- 				}
- 				printf("%s\n", s);
-+				free(s);
- 			} else	printf(" has no %s record", tstr);
- 			printf(" %s\n", secstatus);
- 		}

SOURCES/unbound-1.7.3-ipsec-hook.patch

@@ -1,218 +0,0 @@
-diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c
-index c8400c6..9e916d6 100644
---- a/ipsecmod/ipsecmod.c
-+++ b/ipsecmod/ipsecmod.c
-@@ -162,6 +162,71 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name,
- }
- 
- /**
-+ * Check if the string passed is a valid domain name with safe characters to
-+ * pass to a shell.
-+ * This will only allow:
-+ *  - digits
-+ *  - alphas
-+ *  - hyphen (not at the start)
-+ *  - dot (not at the start, or the only character)
-+ *  - underscore
-+ * @param s: pointer to the string.
-+ * @param slen: string's length.
-+ * @return true if s only contains safe characters; false otherwise.
-+ */
-+static int
-+domainname_has_safe_characters(char* s, size_t slen) {
-+	size_t i;
-+	for(i = 0; i < slen; i++) {
-+		if(s[i] == '\0') return 1;
-+		if((s[i] == '-' && i != 0)
-+			|| (s[i] == '.' && (i != 0 || s[1] == '\0'))
-+			|| (s[i] == '_') || (s[i] >= '0' && s[i] <= '9')
-+			|| (s[i] >= 'A' && s[i] <= 'Z')
-+			|| (s[i] >= 'a' && s[i] <= 'z')) {
-+			continue;
-+		}
-+		return 0;
-+	}
-+	return 1;
-+}
-+
-+/**
-+ * Check if the stringified IPSECKEY RDATA contains safe characters to pass to
-+ * a shell.
-+ * This is only relevant for checking the gateway when the gateway type is 3
-+ * (domainname).
-+ * @param s: pointer to the string.
-+ * @param slen: string's length.
-+ * @return true if s contains only safe characters; false otherwise.
-+ */
-+static int
-+ipseckey_has_safe_characters(char* s, size_t slen) {
-+	int precedence, gateway_type, algorithm;
-+	char* gateway;
-+	gateway = (char*)calloc(slen, sizeof(char));
-+	if(!gateway) {
-+		log_err("ipsecmod: out of memory when calling the hook");
-+		return 0;
-+	}
-+	if(sscanf(s, "%d %d %d %s ",
-+			&precedence, &gateway_type, &algorithm, gateway) != 4) {
-+		free(gateway);
-+		return 0;
-+	}
-+	if(gateway_type != 3) {
-+		free(gateway);
-+		return 1;
-+	}
-+	if(domainname_has_safe_characters(gateway, slen)) {
-+		free(gateway);
-+		return 1;
-+	}
-+	free(gateway);
-+	return 0;
-+}
-+
-+/**
-  *  Prepare the data and call the hook.
-  *
-  *  @param qstate: query state.
-@@ -175,7 +240,7 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
- {
- 	size_t slen, tempdata_len, tempstring_len, i;
- 	char str[65535], *s, *tempstring;
--	int w;
-+	int w = 0, w_temp, qtype;
- 	struct ub_packed_rrset_key* rrset_key;
- 	struct packed_rrset_data* rrset_data;
- 	uint8_t *tempdata;
-@@ -192,9 +257,9 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
- 	memset(s, 0, slen);
- 
- 	/* Copy the hook into the buffer. */
--	sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
-+	w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
- 	/* Put space into the buffer. */
--	sldns_str_print(&s, &slen, " ");
-+	w += sldns_str_print(&s, &slen, " ");
- 	/* Copy the qname into the buffer. */
- 	tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
- 		qstate->qinfo.qname_len);
-@@ -202,68 +267,96 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
- 		log_err("ipsecmod: out of memory when calling the hook");
- 		return 0;
- 	}
--	sldns_str_print(&s, &slen, "\"%s\"", tempstring);
-+	if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) {
-+		log_err("ipsecmod: qname has unsafe characters");
-+		free(tempstring);
-+		return 0;
-+	}
-+	w += sldns_str_print(&s, &slen, "\"%s\"", tempstring);
- 	free(tempstring);
- 	/* Put space into the buffer. */
--	sldns_str_print(&s, &slen, " ");
-+	w += sldns_str_print(&s, &slen, " ");
- 	/* Copy the IPSECKEY TTL into the buffer. */
- 	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
--	sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
-+	w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
- 	/* Put space into the buffer. */
--	sldns_str_print(&s, &slen, " ");
--	/* Copy the A/AAAA record(s) into the buffer. Start and end this section
--	 * with a double quote. */
-+	w += sldns_str_print(&s, &slen, " ");
- 	rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
- 		qstate->return_msg->rep);
-+	/* Double check that the records are indeed A/AAAA.
-+	 * This should never happen as this function is only executed for A/AAAA
-+	 * queries but make sure we don't pass anything other than A/AAAA to the
-+	 * shell. */
-+	qtype = ntohs(rrset_key->rk.type);
-+	if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) {
-+		log_err("ipsecmod: Answer is not of A or AAAA type");
-+		return 0;
-+	}
- 	rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
--	sldns_str_print(&s, &slen, "\"");
-+	/* Copy the A/AAAA record(s) into the buffer. Start and end this section
-+	 * with a double quote. */
-+	w += sldns_str_print(&s, &slen, "\"");
- 	for(i=0; i<rrset_data->count; i++) {
- 		if(i > 0) {
- 			/* Put space into the buffer. */
--			sldns_str_print(&s, &slen, " ");
-+			w += sldns_str_print(&s, &slen, " ");
- 		}
- 		/* Ignore the first two bytes, they are the rr_data len. */
--		w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
-+		w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
- 			rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
--		if(w < 0) {
-+		if(w_temp < 0) {
- 			/* Error in printout. */
--			return -1;
--		} else if((size_t)w >= slen) {
-+			log_err("ipsecmod: Error in printing IP address");
-+			return 0;
-+		} else if((size_t)w_temp >= slen) {
- 			s = NULL; /* We do not want str to point outside of buffer. */
- 			slen = 0;
--			return -1;
-+			log_err("ipsecmod: shell command too long");
-+			return 0;
- 		} else {
--			s += w;
--			slen -= w;
-+			s += w_temp;
-+			slen -= w_temp;
-+			w += w_temp;
- 		}
- 	}
--	sldns_str_print(&s, &slen, "\"");
-+	w += sldns_str_print(&s, &slen, "\"");
- 	/* Put space into the buffer. */
--	sldns_str_print(&s, &slen, " ");
-+	w += sldns_str_print(&s, &slen, " ");
- 	/* Copy the IPSECKEY record(s) into the buffer. Start and end this section
- 	 * with a double quote. */
--	sldns_str_print(&s, &slen, "\"");
-+	w += sldns_str_print(&s, &slen, "\"");
- 	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
- 	for(i=0; i<rrset_data->count; i++) {
- 		if(i > 0) {
- 			/* Put space into the buffer. */
--			sldns_str_print(&s, &slen, " ");
-+			w += sldns_str_print(&s, &slen, " ");
- 		}
- 		/* Ignore the first two bytes, they are the rr_data len. */
- 		tempdata = rrset_data->rr_data[i] + 2;
- 		tempdata_len = rrset_data->rr_len[i] - 2;
- 		/* Save the buffer pointers. */
- 		tempstring = s; tempstring_len = slen;
--		w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen,
--			NULL, 0);
-+		w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s,
-+			&slen, NULL, 0);
- 		/* There was an error when parsing the IPSECKEY; reset the buffer
- 		 * pointers to their previous values. */
--		if(w == -1){
-+		if(w_temp == -1) {
- 			s = tempstring; slen = tempstring_len;
-+		} else if(w_temp > 0) {
-+			if(!ipseckey_has_safe_characters(
-+					tempstring, tempstring_len - slen)) {
-+				log_err("ipsecmod: ipseckey has unsafe characters");
-+				return 0;
-+			}
-+			w += w_temp;
- 		}
- 	}
--	sldns_str_print(&s, &slen, "\"");
--	verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str);
-+	w += sldns_str_print(&s, &slen, "\"");
-+	if(w >= (int)sizeof(str)) {
-+		log_err("ipsecmod: shell command too long");
-+		return 0;
-+	}
-+	verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str);
- 	/* ipsecmod-hook should return 0 on success. */
- 	if(system(str) != 0)
- 		return 0;

SOURCES/unbound-1.7.3-ksk-2010-revoked.patch

@@ -1,14 +0,0 @@
-diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
-index 2bf5b3ab..a30523c7 100644
---- a/smallapp/unbound-anchor.c
-+++ b/smallapp/unbound-anchor.c
-@@ -246,9 +246,7 @@ get_builtin_ds(void)
- 	return
- /* The anchors must start on a new line with ". IN DS and end with \n"[;]
-  * because the makedist script greps on the source here */
--/* anchor 19036 is from 2010 */
- /* anchor 20326 is from 2017 */
--". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
- ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
- }
- 

SOURCES/unbound-1.7.3-security-hardening.patch

@@ -1,677 +0,0 @@
-diff --git a/config.h.in b/config.h.in
-index 04356f3..3b06bfa 100644
---- a/config.h.in
-+++ b/config.h.in
-@@ -666,6 +666,9 @@
- /* Shared data */
- #undef SHARE_DIR
- 
-+/* The size of `size_t', as computed by sizeof. */
-+#undef SIZEOF_SIZE_T
-+
- /* The size of `time_t', as computed by sizeof. */
- #undef SIZEOF_TIME_T
- 
-diff --git a/configure.ac b/configure.ac
-index c5e0c7b..1bff4ed 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -371,6 +371,7 @@ AC_INCLUDES_DEFAULT
- # endif
- #endif
- ])
-+AC_CHECK_SIZEOF(size_t)
- 
- # add option to disable the evil rpath
- ACX_ARG_RPATH
-diff --git a/contrib/create_unbound_ad_servers.sh b/contrib/create_unbound_ad_servers.sh
-index d31f078..49fdbff 100644
---- a/contrib/create_unbound_ad_servers.sh
-+++ b/contrib/create_unbound_ad_servers.sh
-@@ -9,12 +9,13 @@
- # Variables
- dst_dir="/etc/opt/csw/unbound"
- work_dir="/tmp"
--list_addr="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D="
-+list_addr="https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=1&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D="
- 
- # OS commands
- CAT=`which cat`
- ECHO=`which echo`
- WGET=`which wget`
-+TR=`which tr`
- 
- # Check Wget installed
- if [ ! -f $WGET ]; then
-@@ -22,8 +23,10 @@ if [ ! -f $WGET ]; then
-  exit 1
- fi
- 
-+# remove special characters with tr to protect unbound.conf
- $WGET -O $work_dir/yoyo_ad_servers "$list_addr" && \
- $CAT $work_dir/yoyo_ad_servers | \
-+$TR -d '";$\\' | \
- while read line ; \
-  do \
-    $ECHO "local-zone: \"$line\" redirect" ;\
-@@ -36,4 +39,4 @@ echo "Done."
- #  the unbound_ad_servers file:
- #
- #   include: $dst_dir/unbound_ad_servers
--#
-\ No newline at end of file
-+#
-diff --git a/daemon/daemon.c b/daemon/daemon.c
-index 6820e11..1b4f329 100644
---- a/daemon/daemon.c
-+++ b/daemon/daemon.c
-@@ -426,9 +426,7 @@ daemon_create_workers(struct daemon* daemon)
- 	int* shufport;
- 	log_assert(daemon && daemon->cfg);
- 	if(!daemon->rand) {
--		unsigned int seed = (unsigned int)time(NULL) ^ 
--			(unsigned int)getpid() ^ 0x438;
--		daemon->rand = ub_initstate(seed, NULL);
-+		daemon->rand = ub_initstate(NULL);
- 		if(!daemon->rand)
- 			fatal_exit("could not init random generator");
- 		hash_set_raninit((uint32_t)ub_random(daemon->rand));
-diff --git a/daemon/worker.c b/daemon/worker.c
-index 3acecc1..8354010 100644
---- a/daemon/worker.c
-+++ b/daemon/worker.c
-@@ -1629,18 +1629,14 @@ worker_create(struct daemon* daemon, int id, int* ports, int n)
- 		return NULL;
- 	}
- 	/* create random state here to avoid locking trouble in RAND_bytes */
--	seed = (unsigned int)time(NULL) ^ (unsigned int)getpid() ^
--		(((unsigned int)worker->thread_num)<<17);
--		/* shift thread_num so it does not match out pid bits */
--	if(!(worker->rndstate = ub_initstate(seed, daemon->rand))) {
--		seed = 0;
-+	if(!(worker->rndstate = ub_initstate(daemon->rand))) {
- 		log_err("could not init random numbers.");
- 		tube_delete(worker->cmd);
- 		free(worker->ports);
- 		free(worker);
- 		return NULL;
- 	}
--	seed = 0;
-+	explicit_bzero(&seed, sizeof(seed));
- #ifdef USE_DNSTAP
- 	if(daemon->cfg->dnstap) {
- 		log_assert(daemon->dtenv != NULL);
-diff --git a/dns64/dns64.c b/dns64/dns64.c
-index 7889d72..300202c 100644
---- a/dns64/dns64.c
-+++ b/dns64/dns64.c
-@@ -782,6 +782,16 @@ dns64_inform_super(struct module_qstate* qstate, int id,
- 	 * Signal that the sub-query is finished, no matter whether we are
- 	 * successful or not. This lets the state machine terminate.
- 	 */
-+	if(!super->minfo[id]) {
-+		super->minfo[id] = (enum dns64_qstate *)regional_alloc(super->region,
-+			sizeof(*(super->minfo[id])));
-+		if(!super->minfo[id]) {
-+			log_err("out of memory");
-+			super->return_rcode = LDNS_RCODE_SERVFAIL;
-+			super->return_msg = NULL;
-+			return;
-+		}
-+	}
-	super->minfo[id] = (void*)DNS64_SUBQUERY_FINISHED;
- 
- 	/* If there is no successful answer, we're done. */
-diff --git a/dnscrypt/dnscrypt.c b/dnscrypt/dnscrypt.c
-index 3545d3d..7dd2ce5 100644
---- a/dnscrypt/dnscrypt.c
-+++ b/dnscrypt/dnscrypt.c
-@@ -732,6 +732,11 @@ dnsc_load_local_data(struct dnsc_env* dnscenv, struct config_file *cfg)
-             );
-             continue;
-         }
-+        if((unsigned)strlen(dnscenv->provider_name) >= (unsigned)0xffff0000) {
-+		    /* guard against integer overflow in rrlen calculation */
-+		    verbose(VERB_OPS, "cert #%" PRIu32 " is too long", serial);
-+		    continue;
-+        }
-         rrlen = strlen(dnscenv->provider_name) +
-                          strlen(ttl_class_type) +
-                          4 * sizeof(struct SignedCert) + // worst case scenario
-diff --git a/doc/Changelog b/doc/Changelog
-index bb74461..4cb080e 100644
---- a/doc/Changelog
-+++ b/doc/Changelog
-@@ -1,3 +1,55 @@
-+3 December 2019: Wouter
-+	- Fix Assert Causing DoS in synth_cname(),
-+	  reported by X41 D-Sec.
-+	- Fix Assert Causing DoS in dname_pkt_copy(),
-+	  reported by X41 D-Sec.
-+	- Fix OOB Read in sldns_wire2str_dname_scan(),
-+	  reported by X41 D-Sec.
-+	- Fix Out of Bounds Write in sldns_str2wire_str_buf(),
-+	  reported by X41 D-Sec.
-+	- Fix Out of Bounds Write in sldns_b64_pton(),
-+	  fixed by check in sldns_str2wire_int16_data_buf(),
-+	  reported by X41 D-Sec.
-+	- Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
-+	  reported by X41 D-Sec.
-+	- Fix Out of Bound Write Compressed Names in rdata_copy(),
-+	  reported by X41 D-Sec.
-+	- Fix Hang in sldns_wire2str_pkt_scan(),
-+	  reported by X41 D-Sec.
-+
-+20 November 2019: Wouter
-+	- Fix Out of Bounds Read in rrinternal_get_owner(),
-+	  reported by X41 D-Sec.
-+	- Fix Race Condition in autr_tp_create(),
-+	  reported by X41 D-Sec.
-+	- Fix Shared Memory World Writeable,
-+	  reported by X41 D-Sec.
-+	- Adjust unbound-control to make stats_shm a read only operation.
-+	- Fix Weak Entropy Used For Nettle,
-+	  reported by X41 D-Sec.
-+	- Fix Randomness Error not Handled Properly,
-+	  reported by X41 D-Sec.
-+	- Fix Out-of-Bounds Read in dname_valid(),
-+	  reported by X41 D-Sec.
-+	- Fix Config Injection in create_unbound_ad_servers.sh,
-+	  reported by X41 D-Sec.
-+
-+19 November 2019: Wouter
-+	- Fix Integer Overflow in Regional Allocator,
-+	  reported by X41 D-Sec.
-+	- Fix Unchecked NULL Pointer in dns64_inform_super()
-+	  and ipsecmod_new(), reported by X41 D-Sec.
-+	- Fix Out-of-bounds Read in rr_comment_dnskey(),
-+	  reported by X41 D-Sec.
-+	- Fix Integer Overflows in Size Calculations,
-+	  reported by X41 D-Sec.
-+	- Fix Integer Overflow to Buffer Overflow in
-+	  sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
-+	- Fix Out of Bounds Read in sldns_str2wire_dname(),
-+	  reported by X41 D-Sec.
-+	- Fix Out of Bounds Write in sldns_bget_token_par(),
-+	  reported by X41 D-Sec.
-+
- 30 November 2018: Wouter
- 	- log-tag-queryreply: yes in unbound.conf tags the log-queries and
- 	  log-replies in the log file for easier log filter maintenance.
-diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c
-index 3572f12..1422a62 100644
---- a/ipsecmod/ipsecmod.c
-+++ b/ipsecmod/ipsecmod.c
-@@ -103,11 +103,11 @@ ipsecmod_new(struct module_qstate* qstate, int id)
- {
- 	struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc(
- 		qstate->region, sizeof(struct ipsecmod_qstate));
--	memset(iq, 0, sizeof(*iq));
- 	qstate->minfo[id] = iq;
- 	if(!iq)
- 		return 0;
- 	/* Initialise it. */
-+	memset(iq, 0, sizeof(*iq));
- 	iq->enabled = qstate->env->cfg->ipsecmod_enabled;
- 	iq->is_whitelisted = ipsecmod_domain_is_whitelisted(
- 		(struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname,
-diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
-index 8230d17..942c3d5 100644
---- a/iterator/iter_scrub.c
-+++ b/iterator/iter_scrub.c
-@@ -231,6 +231,10 @@ synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset,
- 	size_t dtarglen;
- 	if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen, pkt))
- 		return 0; 
-+	if(qnamelen <= dname_rrset->dname_len)
-+		return 0;
-+	if(qnamelen == 0)
-+		return 0;
- 	log_assert(qnamelen > dname_rrset->dname_len);
- 	/* DNAME from com. to net. with qname example.com. -> example.net. */
- 	/* so: \3com\0 to \3net\0 and qname \7example\3com\0 */
-diff --git a/libunbound/libunbound.c b/libunbound/libunbound.c
-index 275e8d2..a8979c2 100644
---- a/libunbound/libunbound.c
-+++ b/libunbound/libunbound.c
-@@ -83,7 +83,6 @@
- static struct ub_ctx* ub_ctx_create_nopipe(void)
- {
- 	struct ub_ctx* ctx;
--	unsigned int seed;
- #ifdef USE_WINSOCK
- 	int r;
- 	WSADATA wsa_data;
-@@ -107,15 +106,12 @@ static struct ub_ctx* ub_ctx_create_nopipe(void)
- 		return NULL;
- 	}
- 	alloc_init(&ctx->superalloc, NULL, 0);
--	seed = (unsigned int)time(NULL) ^ (unsigned int)getpid();
--	if(!(ctx->seed_rnd = ub_initstate(seed, NULL))) {
--		seed = 0;
-+	if(!(ctx->seed_rnd = ub_initstate(NULL))) {
- 		ub_randfree(ctx->seed_rnd);
- 		free(ctx);
- 		errno = ENOMEM;
- 		return NULL;
- 	}
--	seed = 0;
- 	lock_basic_init(&ctx->qqpipe_lock);
- 	lock_basic_init(&ctx->rrpipe_lock);
- 	lock_basic_init(&ctx->cfglock);
-diff --git a/libunbound/libworker.c b/libunbound/libworker.c
-index 3dcaa78..07a08c6 100644
---- a/libunbound/libworker.c
-+++ b/libunbound/libworker.c
-@@ -122,7 +122,6 @@ libworker_delete_event(struct libworker* w)
- static struct libworker*
- libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
- {
--	unsigned int seed;
- 	struct libworker* w = (struct libworker*)calloc(1, sizeof(*w));
- 	struct config_file* cfg = ctx->env->cfg;
- 	int* ports;
-@@ -177,17 +176,13 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
- 	}
- 	w->env->worker = (struct worker*)w;
- 	w->env->probe_timer = NULL;
--	seed = (unsigned int)time(NULL) ^ (unsigned int)getpid() ^
--		(((unsigned int)w->thread_num)<<17);
--	seed ^= (unsigned int)w->env->alloc->next_id;
- 	if(!w->is_bg || w->is_bg_thread) {
- 		lock_basic_lock(&ctx->cfglock);
- 	}
--	if(!(w->env->rnd = ub_initstate(seed, ctx->seed_rnd))) {
-+	if(!(w->env->rnd = ub_initstate(ctx->seed_rnd))) {
- 		if(!w->is_bg || w->is_bg_thread) {
- 			lock_basic_unlock(&ctx->cfglock);
- 		}
--		seed = 0;
- 		libworker_delete(w);
- 		return NULL;
- 	}
-@@ -207,7 +202,6 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
- 			hash_set_raninit((uint32_t)ub_random(w->env->rnd));
- 		}
- 	}
--	seed = 0;
- 
- 	if(eb)
- 		w->base = comm_base_create_event(eb);
-diff --git a/respip/respip.c b/respip/respip.c
-index 2e9313f..7d2a588 100644
---- a/respip/respip.c
-+++ b/respip/respip.c
-@@ -475,10 +475,16 @@ copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region)
- 	if(!ck->rk.dname)
- 		return NULL;
- 
-+	if((unsigned)data->count >= 0xffff00U)
-+		return NULL; /* guard against integer overflow in dsize */
- 	dsize = sizeof(struct packed_rrset_data) + data->count *
- 		(sizeof(size_t)+sizeof(uint8_t*)+sizeof(time_t));
--	for(i=0; i<data->count; i++)
-+	for(i=0; i<data->count; i++) {
-+		if((unsigned)dsize >= 0x0fffffffU ||
-+			(unsigned)data->rr_len[i] >= 0x0fffffffU)
-+			return NULL; /* guard against integer overflow */
- 		dsize += data->rr_len[i];
-+	}
- 	d = regional_alloc(region, dsize);
- 	if(!d)
- 		return NULL;
-diff --git a/sldns/parse.c b/sldns/parse.c
-index b62c405..b30264e 100644
---- a/sldns/parse.c
-+++ b/sldns/parse.c
-@@ -325,8 +325,14 @@ sldns_bget_token_par(sldns_buffer *b, char *token, const char *delim,
- 		if (c == '\n' && p != 0) {
- 			/* in parentheses */
- 			/* do not write ' ' if we want to skip spaces */
--			if(!(skipw && (strchr(skipw, c)||strchr(skipw, ' '))))
-+			if(!(skipw && (strchr(skipw, c)||strchr(skipw, ' ')))) {
-+				/* check for space for the space character */
-+				if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
-+					*t = '\0';
-+					return -1;
-+				}
- 				*t++ = ' ';
-+			}
- 			lc = c;
- 			continue;
- 		}
-diff --git a/sldns/str2wire.c b/sldns/str2wire.c
-index 1a51bb6..414b7b8 100644
---- a/sldns/str2wire.c
-+++ b/sldns/str2wire.c
-@@ -150,6 +150,10 @@ int sldns_str2wire_dname_buf_origin(const char* str, uint8_t* buf, size_t* len,
- 	if(s) return s;
- 
- 	if(rel && origin && dlen > 0) {
-+		if((unsigned)dlen >= 0x00ffffffU ||
-+			(unsigned)origin_len >= 0x00ffffffU)
-+			/* guard against integer overflow in addition */
-+			return RET_ERR(LDNS_WIREPARSE_ERR_GENERAL, *len);
- 		if(dlen + origin_len - 1 > LDNS_MAX_DOMAINLEN)
- 			return RET_ERR(LDNS_WIREPARSE_ERR_DOMAINNAME_OVERFLOW,
- 				LDNS_MAX_DOMAINLEN);
-@@ -168,7 +172,9 @@ uint8_t* sldns_str2wire_dname(const char* str, size_t* len)
- 	uint8_t dname[LDNS_MAX_DOMAINLEN+1];
- 	*len = sizeof(dname);
- 	if(sldns_str2wire_dname_buf(str, dname, len) == 0) {
--		uint8_t* r = (uint8_t*)malloc(*len);
-+		uint8_t* r;
-+		if(*len > sizeof(dname)) return NULL;
-+		r = (uint8_t*)malloc(*len);
- 		if(r) return memcpy(r, dname, *len);
- 	}
- 	*len = 0;
-@@ -187,6 +193,9 @@ rrinternal_get_owner(sldns_buffer* strbuf, uint8_t* rr, size_t* len,
- 			sldns_buffer_position(strbuf));
- 	}
- 
-+	if(token_len < 2) /* make sure there is space to read "@" or "" */
-+		return RET_ERR(LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL,
-+			sldns_buffer_position(strbuf));
- 	if(strcmp(token, "@") == 0) {
- 		uint8_t* tocopy;
- 		if (origin) {
-@@ -1094,7 +1103,7 @@ int sldns_str2wire_str_buf(const char* str, uint8_t* rd, size_t* len)
- 	while(sldns_parse_char(&ch, &s)) {
- 		if(sl >= 255)
- 			return RET_ERR(LDNS_WIREPARSE_ERR_INVALID_STR, s-str);
--		if(*len < sl+1)
-+		if(*len < sl+2)
- 			return RET_ERR(LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL,
- 				s-str);
- 		rd[++sl] = ch;
-@@ -2095,6 +2104,8 @@ int sldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len)
- 	char* s;
- 	int n;
- 	n = strtol(str, &s, 10);
-+	if(n < 0) /* negative number not allowed */
-+		return LDNS_WIREPARSE_ERR_SYNTAX;
- 	if(*len < ((size_t)n)+2)
- 		return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
- 	if(n > 65535)
-diff --git a/sldns/wire2str.c b/sldns/wire2str.c
-index 832239f..a95c9b3 100644
---- a/sldns/wire2str.c
-+++ b/sldns/wire2str.c
-@@ -585,6 +585,7 @@ static int rr_comment_dnskey(char** s, size_t* slen, uint8_t* rr,
- 	if(rrlen < dname_off + 10) return 0;
- 	rdlen = sldns_read_uint16(rr+dname_off+8);
- 	if(rrlen < dname_off + 10 + rdlen) return 0;
-+	if(rdlen < 2) return 0;
- 	rdata = rr + dname_off + 10;
- 	flags = (int)sldns_read_uint16(rdata);
- 	w += sldns_str_print(s, slen, " ;{");
-@@ -781,7 +782,7 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
- 	/* spool labels onto the string, use compression if its there */
- 	uint8_t* pos = *d;
- 	unsigned i, counter=0;
--	const unsigned maxcompr = 1000; /* loop detection, max compr ptrs */
-+	const unsigned maxcompr = 256; /* loop detection, max compr ptrs */
- 	int in_buf = 1;
- 	if(*dlen == 0) return sldns_str_print(s, slen, "ErrorMissingDname");
- 	if(*pos == 0) {
-@@ -789,7 +790,7 @@ int sldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
- 		(*dlen)--;
- 		return sldns_str_print(s, slen, ".");
- 	}
--	while(*pos) {
-+	while((!pkt || pos < pkt+pktlen) && *pos) {
- 		/* read label length */
- 		uint8_t labellen = *pos++;
- 		if(in_buf) { (*d)++; (*dlen)--; }
-diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
-index d165417..2884309 100644
---- a/smallapp/unbound-control.c
-+++ b/smallapp/unbound-control.c
-@@ -407,19 +407,19 @@ static void print_stats_shm(const char* cfgfile)
- 	if(!config_read(cfg, cfgfile, NULL))
- 		fatal_exit("could not read config file");
- 	/* get shm segments */
--	id_ctl = shmget(cfg->shm_key, sizeof(int), SHM_R|SHM_W);
-+	id_ctl = shmget(cfg->shm_key, sizeof(int), SHM_R);
- 	if(id_ctl == -1) {
- 		fatal_exit("shmget(%d): %s", cfg->shm_key, strerror(errno));
- 	}
--	id_arr = shmget(cfg->shm_key+1, sizeof(int), SHM_R|SHM_W);
-+	id_arr = shmget(cfg->shm_key+1, sizeof(int), SHM_R);
- 	if(id_arr == -1) {
- 		fatal_exit("shmget(%d): %s", cfg->shm_key+1, strerror(errno));
- 	}
--	shm_stat = (struct ub_shm_stat_info*)shmat(id_ctl, NULL, 0);
-+	shm_stat = (struct ub_shm_stat_info*)shmat(id_ctl, NULL, SHM_RDONLY);
- 	if(shm_stat == (void*)-1) {
- 		fatal_exit("shmat(%d): %s", id_ctl, strerror(errno));
- 	}
--	stats = (struct ub_stats_info*)shmat(id_arr, NULL, 0);
-+	stats = (struct ub_stats_info*)shmat(id_arr, NULL, SHM_RDONLY);
- 	if(stats == (void*)-1) {
- 		fatal_exit("shmat(%d): %s", id_arr, strerror(errno));
- 	}
-diff --git a/testcode/unitmain.c b/testcode/unitmain.c
-index fecde80..96a6654 100644
---- a/testcode/unitmain.c
-+++ b/testcode/unitmain.c
-@@ -537,10 +537,8 @@ rnd_test(void)
- 	struct ub_randstate* r;
- 	int num = 1000, i;
- 	long int a[1000];
--	unsigned int seed = (unsigned)time(NULL);
- 	unit_show_feature("ub_random");
--	printf("ub_random seed is %u\n", seed);
--	unit_assert( (r = ub_initstate(seed, NULL)) );
-+	unit_assert( (r = ub_initstate(NULL)) );
- 	for(i=0; i<num; i++) {
- 		a[i] = ub_random(r);
- 		unit_assert(a[i] >= 0);
-diff --git a/util/data/dname.c b/util/data/dname.c
-index b744f06..923be02 100644
---- a/util/data/dname.c
-+++ b/util/data/dname.c
-@@ -75,6 +75,8 @@ dname_valid(uint8_t* dname, size_t maxlen)
- {
- 	size_t len = 0;
- 	size_t labellen;
-+	if(maxlen == 0)
-+		return 0; /* too short, shortest is '0' root label */
- 	labellen = *dname++;
- 	while(labellen) {
- 		if(labellen&0xc0)
-@@ -345,11 +347,17 @@ dname_pkt_hash(sldns_buffer* pkt, uint8_t* dname, hashvalue_type h)
- void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
- {
- 	/* copy over the dname and decompress it at the same time */
-+	size_t comprcount = 0;
- 	size_t len = 0;
- 	uint8_t lablen;
- 	lablen = *dname++;
- 	while(lablen) {
- 		if(LABEL_IS_PTR(lablen)) {
-+			if(comprcount++ > MAX_COMPRESS_PTRS) {
-+				/* too many compression pointers */
-+				*to = 0; /* end the result prematurely */
-+				return;
-+			}
- 			/* follow pointer */
-             if((size_t)PTR_OFFSET(lablen, *dname)
-                 >= sldns_buffer_limit(pkt))
-@@ -358,6 +366,10 @@ void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
- 			lablen = *dname++;
- 			continue;
- 		}
-+		if(lablen > LDNS_MAX_LABELLEN) {
-+			*to = 0; /* end the result prematurely */
-+			return;
-+		}
- 		log_assert(lablen <= LDNS_MAX_LABELLEN);
- 		len += (size_t)lablen+1;
- 		if(len >= LDNS_MAX_DOMAINLEN) {
-diff --git a/util/data/msgreply.c b/util/data/msgreply.c
-index df2131c..dbae34d 100644
---- a/util/data/msgreply.c
-+++ b/util/data/msgreply.c
-@@ -238,10 +238,10 @@ rdata_copy(sldns_buffer* pkt, struct packed_rrset_data* data, uint8_t* to,
- 				break;
- 			}
- 			if(len) {
-+				log_assert(len <= pkt_len);
- 				memmove(to, sldns_buffer_current(pkt), len);
- 				to += len;
- 				sldns_buffer_skip(pkt, (ssize_t)len);
--				log_assert(len <= pkt_len);
- 				pkt_len -= len;
- 			}
- 			rdf++;
-diff --git a/util/random.c b/util/random.c
-index 8332960..9380502 100644
---- a/util/random.c
-+++ b/util/random.c
-@@ -86,8 +86,7 @@ ub_systemseed(unsigned int ATTR_UNUSED(seed))
- }
- 
- struct ub_randstate* 
--ub_initstate(unsigned int ATTR_UNUSED(seed),
--	struct ub_randstate* ATTR_UNUSED(from))
-+ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
- {
- 	struct ub_randstate* s = (struct ub_randstate*)malloc(1);
- 	if(!s) {
-@@ -123,8 +122,8 @@ void ub_systemseed(unsigned int ATTR_UNUSED(seed))
- {
- }
- 
--struct ub_randstate* ub_initstate(unsigned int ATTR_UNUSED(seed), 
--	struct ub_randstate* ATTR_UNUSED(from))
-+struct ub_randstate* 
-+ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
- {
- 	struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
- 	if(!s) {
-@@ -140,7 +139,9 @@ long int ub_random(struct ub_randstate* ATTR_UNUSED(state))
- 	/* random 31 bit value. */
- 	SECStatus s = PK11_GenerateRandom((unsigned char*)&x, (int)sizeof(x));
- 	if(s != SECSuccess) {
--		log_err("PK11_GenerateRandom error: %s",
-+		/* unbound needs secure randomness for randomized
-+		 * ID bits and port numbers in packets to upstream servers */
-+		fatal_exit("PK11_GenerateRandom error: %s",
- 			PORT_ErrorToString(PORT_GetError()));
- 	}
- 	return x & MAX_VALUE;
-@@ -166,8 +167,7 @@ void ub_systemseed(unsigned int ATTR_UNUSED(seed))
- 	log_err("Re-seeding not supported, generator untouched");
- }
- 
--struct ub_randstate* ub_initstate(unsigned int seed,
--	struct ub_randstate* ATTR_UNUSED(from))
-+struct ub_randstate* ub_initstate(struct ub_randstate* ATTR_UNUSED(from))
- {
- 	struct ub_randstate* s = (struct ub_randstate*)calloc(1, sizeof(*s));
- 	uint8_t buf[YARROW256_SEED_FILE_SIZE];
-@@ -183,15 +183,10 @@ struct ub_randstate* ub_initstate(unsigned int seed,
- 		yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
- 		s->seeded = yarrow256_is_seeded(&s->ctx);
- 	} else {
--		/* Stretch the uint32 input seed and feed it to Yarrow */
--		uint32_t v = seed;
--		size_t i;
--		for(i=0; i < (YARROW256_SEED_FILE_SIZE/sizeof(seed)); i++) {
--			memmove(buf+i*sizeof(seed), &v, sizeof(seed));
--			v = v*seed + (uint32_t)i;
--		}
--		yarrow256_seed(&s->ctx, YARROW256_SEED_FILE_SIZE, buf);
--		s->seeded = yarrow256_is_seeded(&s->ctx);
-+		log_err("nettle random(yarrow) cannot initialize, "
-+			"getentropy failed: %s", strerror(errno));
-+		free(s);
-+		return NULL;
- 	}
- 
- 	return s;
-diff --git a/util/random.h b/util/random.h
-index a05a994..e75157d 100644
---- a/util/random.h
-+++ b/util/random.h
-@@ -57,15 +57,12 @@ void ub_systemseed(unsigned int seed);
- 
- /**
-  * Initialize a random generator state for use 
-- * @param seed: seed value to create state contents.
-- *	(ignored for arc4random).
-  * @param from: if not NULL, the seed is taken from this random structure.
-  * 	can be used to seed random states via a parent-random-state that
-  * 	is itself seeded with entropy.
-  * @return new state or NULL alloc failure.
-  */
--struct ub_randstate* ub_initstate(unsigned int seed, 
--	struct ub_randstate* from);
-+struct ub_randstate* ub_initstate(struct ub_randstate* from);
- 
- /**
-  * Generate next random number from the state passed along.
-diff --git a/util/regional.c b/util/regional.c
-index 899a54e..5be09eb 100644
---- a/util/regional.c
-+++ b/util/regional.c
-@@ -120,8 +120,18 @@ regional_destroy(struct regional *r)
- void *
- regional_alloc(struct regional *r, size_t size)
- {
--	size_t a = ALIGN_UP(size, ALIGNMENT);
-+	size_t a;
- 	void *s;
-+	if(
-+#if SIZEOF_SIZE_T == 8
-+		(unsigned long long)size >= 0xffffffffffffff00ULL
-+#else
-+		(unsigned)size >= (unsigned)0xffffff00UL
-+#endif
-+		)
-+		return NULL; /* protect against integer overflow in
-+			malloc and ALIGN_UP */
-+	a = ALIGN_UP(size, ALIGNMENT);
- 	/* large objects */
- 	if(a > REGIONAL_LARGE_OBJECT_SIZE) {
- 		s = malloc(ALIGNMENT + size);
-diff --git a/util/shm_side/shm_main.c b/util/shm_side/shm_main.c
-index a783c09..69bee4d 100644
---- a/util/shm_side/shm_main.c
-+++ b/util/shm_side/shm_main.c
-@@ -121,7 +121,7 @@ int shm_main_init(struct daemon* daemon)
- 		shmctl(daemon->shm_info->id_arr, IPC_RMID, NULL);
- 
- 	/* SHM: Create the segment */
--	daemon->shm_info->id_ctl = shmget(daemon->shm_info->key, sizeof(struct ub_shm_stat_info), IPC_CREAT | 0666);
-+	daemon->shm_info->id_ctl = shmget(daemon->shm_info->key, sizeof(struct ub_shm_stat_info), IPC_CREAT | 0644);
- 
- 	if (daemon->shm_info->id_ctl < 0)
- 	{
-@@ -134,7 +134,7 @@ int shm_main_init(struct daemon* daemon)
- 		return 0;
- 	}
- 
--	daemon->shm_info->id_arr = shmget(daemon->shm_info->key + 1, shm_size, IPC_CREAT | 0666);
-+	daemon->shm_info->id_arr = shmget(daemon->shm_info->key + 1, shm_size, IPC_CREAT | 0644);
- 
- 	if (daemon->shm_info->id_arr < 0)
- 	{
-diff --git a/validator/autotrust.c b/validator/autotrust.c
-index 7bc5577..e19bd7b 100644
---- a/validator/autotrust.c
-+++ b/validator/autotrust.c
-@@ -370,10 +370,10 @@ autr_tp_create(struct val_anchors* anchors, uint8_t* own, size_t own_len,
- 		free(tp);
- 		return NULL;
- 	}
--	lock_basic_unlock(&anchors->lock);
- 	lock_basic_init(&tp->lock);
- 	lock_protect(&tp->lock, tp, sizeof(*tp));
- 	lock_protect(&tp->lock, tp->autr, sizeof(*tp->autr));
-+	lock_basic_unlock(&anchors->lock);
- 	return tp;
- }
- 

SOURCES/unbound-1.7.3-symlink-traversal.patch

@@ -1,43 +0,0 @@
-diff --git a/unbound-1.7.3/daemon/unbound.c b/unbound-1.7.3/daemon/unbound.c
-index 1383110..66ed61d 100644
---- a/daemon/unbound.c
-+++ b/daemon/unbound.c
-@@ -327,18 +327,32 @@ readpid (const char* file)
- static void
- writepid (const char* pidfile, pid_t pid)
- {
--	FILE* f;
-+	int fd;
-+	char pidbuf[32];
-+	size_t count = 0;
-+	snprintf(pidbuf, sizeof(pidbuf), "%lu\n", (unsigned long)pid);
- 
--	if ((f = fopen(pidfile, "w")) ==  NULL ) {
-+    if((fd = open(pidfile, O_WRONLY | O_CREAT | O_TRUNC
-+#ifdef O_NOFOLLOW
-+		| O_NOFOLLOW
-+#endif
-+		, 0644)) == -1) {
- 		log_err("cannot open pidfile %s: %s", 
- 			pidfile, strerror(errno));
- 		return;
- 	}
--	if(fprintf(f, "%lu\n", (unsigned long)pid) < 0) {
--		log_err("cannot write to pidfile %s: %s", 
--			pidfile, strerror(errno));
-+    while(count < strlen(pidbuf)) {
-+		ssize_t r = write(fd, pidbuf+count, strlen(pidbuf)-count);
-+		if(r == -1) {
-+			if(errno == EAGAIN || errno == EINTR)
-+				continue;
-+			log_err("cannot write to pidfile %s: %s",
-+				pidfile, strerror(errno));
-+			break;
-+		}
-+		count += r;
- 	}
--	fclose(f);
-+	close(fd);
- }
- 
- /**

SOURCES/unbound-1.7.3-use-basic-lock.patch

@@ -1,109 +0,0 @@
-diff --git a/util/log.c b/util/log.c
-index 75a58f9..43dd572 100644
---- a/util/log.c
-+++ b/util/log.c
-@@ -70,7 +70,7 @@ static int key_created = 0;
- static ub_thread_key_type logkey;
- #ifndef THREADS_DISABLED
- /** pthread mutex to protect FILE* */
--static lock_quick_type log_lock;
-+static lock_basic_type log_lock;
- #endif
- /** the identity of this executable/process */
- static const char* ident="unbound";
-@@ -90,18 +90,18 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
- 	if(!key_created) {
- 		key_created = 1;
- 		ub_thread_key_create(&logkey, NULL);
--		lock_quick_init(&log_lock);
-+		lock_basic_init(&log_lock);
- 	}
--	lock_quick_lock(&log_lock);
-+	lock_basic_lock(&log_lock);
- 	if(logfile 
- #if defined(HAVE_SYSLOG_H) || defined(UB_ON_WINDOWS)
- 	|| logging_to_syslog
- #endif
- 	) {
--		lock_quick_unlock(&log_lock); /* verbose() needs the lock */
-+		lock_basic_unlock(&log_lock); /* verbose() needs the lock */
- 		verbose(VERB_QUERY, "switching log to %s", 
- 			use_syslog?"syslog":(filename&&filename[0]?filename:"stderr"));
--		lock_quick_lock(&log_lock);
-+		lock_basic_lock(&log_lock);
- 	}
- 	if(logfile && logfile != stderr) {
- 		FILE* cl = logfile;
-@@ -119,7 +119,7 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
- 		 * chroot and no longer be able to access dev/log and so on */
- 		openlog(ident, LOG_NDELAY, LOG_DAEMON);
- 		logging_to_syslog = 1;
--		lock_quick_unlock(&log_lock);
-+		lock_basic_unlock(&log_lock);
- 		return;
- 	}
- #elif defined(UB_ON_WINDOWS)
-@@ -128,13 +128,13 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
- 	}
- 	if(use_syslog) {
- 		logging_to_syslog = 1;
--		lock_quick_unlock(&log_lock);
-+		lock_basic_unlock(&log_lock);
- 		return;
- 	}
- #endif /* HAVE_SYSLOG_H */
- 	if(!filename || !filename[0]) {
- 		logfile = stderr;
--		lock_quick_unlock(&log_lock);
-+		lock_basic_unlock(&log_lock);
- 		return;
- 	}
- 	/* open the file for logging */
-@@ -143,7 +143,7 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
- 		filename += strlen(chrootdir);
- 	f = fopen(filename, "a");
- 	if(!f) {
--		lock_quick_unlock(&log_lock);
-+		lock_basic_unlock(&log_lock);
- 		log_err("Could not open logfile %s: %s", filename, 
- 			strerror(errno));
- 		return;
-@@ -153,14 +153,14 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
- 	setvbuf(f, NULL, (int)_IOLBF, 0);
- #endif
- 	logfile = f;
--	lock_quick_unlock(&log_lock);
-+	lock_basic_unlock(&log_lock);
- }
- 
- void log_file(FILE *f)
- {
--	lock_quick_lock(&log_lock);
-+	lock_basic_lock(&log_lock);
- 	logfile = f;
--	lock_quick_unlock(&log_lock);
-+	lock_basic_unlock(&log_lock);
- }
- 
- void log_thread_set(int* num)
-@@ -250,9 +250,9 @@ log_vmsg(int pri, const char* type,
- 		return;
- 	}
- #endif /* HAVE_SYSLOG_H */
--	lock_quick_lock(&log_lock);
-+	lock_basic_lock(&log_lock);
- 	if(!logfile) {
--		lock_quick_unlock(&log_lock);
-+		lock_basic_unlock(&log_lock);
- 		return;
- 	}
- 	if(log_now)
-@@ -279,7 +279,7 @@ log_vmsg(int pri, const char* type,
- 	/* line buffering does not work on windows */
- 	fflush(logfile);
- #endif
--	lock_quick_unlock(&log_lock);
-+	lock_basic_unlock(&log_lock);
- }
- 
- /**

SOURCES/unbound-keygen.service

@@ -2,14 +2,17 @@
 Description=Unbound Control Key And Certificate Generator
 After=syslog.target 
 Before=unbound.service
-ConditionPathExists=!/etc/unbound/unbound_control.key
+ConditionPathExists=|!/etc/unbound/unbound_control.pem
+ConditionPathExists=|!/etc/unbound/unbound_control.key
+ConditionPathExists=|!/etc/unbound/unbound_server.pem
+ConditionPathExists=|!/etc/unbound/unbound_server.key
+PartOf=unbound.service
 
 [Service]
 Type=oneshot
 Group=unbound
 ExecStart=/usr/sbin/unbound-control-setup -d /etc/unbound/
 ExecStart=/sbin/restorecon /etc/unbound/*
-RemainAfterExit=yes
 
 [Install]
 WantedBy=multi-user.target

SOURCES/unbound.conf

@@ -5,9 +5,13 @@
 #
 # this is a comment.
 
-#Use this to include other text into the file.
+# Use this anywhere in the file to include other text into this file.
 #include: "otherfile.conf"
 
+# Use this anywhere in the file to include other text, that explicitly starts a
+# clause, into this file. Text after this directive needs to start a clause.
+#include-toplevel: "otherfile.conf"
+
 # The server clause sets the main parameters.
 server:
 	# whitespace is not necessary, but looks cleaner.
@@ -86,25 +90,29 @@ server:
 	# Set this to yes to prefer ipv6 upstream servers over ipv4.
 	# prefer-ip6: no
 
+	# Prefer ipv4 upstream servers, even if ipv6 is available.
+	# prefer-ip4: no
+
 	# number of ports to allocate per thread, determines the size of the
 	# port range that can be open simultaneously.  About double the
 	# num-queries-per-thread, or, use as many as the OS will allow you.
 	# outgoing-range: 4096
 
-	# permit unbound to use this port number or port range for
+	# permit Unbound to use this port number or port range for
 	# making outgoing queries, using an outgoing interface.
 	# Only ephemeral ports are allowed by SElinux
 	outgoing-port-permit: 32768-60999
 
-	# deny unbound the use this of port number or port range for
+	# deny Unbound the use this of port number or port range for
 	# making outgoing queries, using an outgoing interface.
-	# Use this to make sure unbound does not grab a UDP port that some
+	# Use this to make sure Unbound does not grab a UDP port that some
 	# other server on this computer needs. The default is to avoid
 	# IANA-assigned port numbers.
 	# If multiple outgoing-port-permit and outgoing-port-avoid options
 	# are present, they are processed in order.
 	# Our SElinux policy does not allow non-ephemeral ports to be used
 	outgoing-port-avoid: 0-32767
+	outgoing-port-avoid: 61000-65535
 
 	# number of outgoing simultaneous tcp buffers to hold per thread.
 	# outgoing-num-tcp: 10
@@ -121,6 +129,7 @@ server:
 	# so-sndbuf: 0
 
 	# use SO_REUSEPORT to distribute queries over threads.
+	# at extreme load it could be better to turn it off to distribute even.
 	so-reuseport: yes
 
 	# use IP_TRANSPARENT so the interface: addresses can be non-local
@@ -133,9 +142,14 @@ server:
 	# Linux only.  On Linux you also have ip-transparent that is similar.
 	# ip-freebind: no
 
+	# the value of the Differentiated Services Codepoint (DSCP)
+	# in the differentiated services field (DS) of the outgoing
+	# IP packets
+	# ip-dscp: 0
+
 	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
-	# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts).
+	# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
-	# edns-buffer-size: 4096
+	# edns-buffer-size: 1232
 
 	# Maximum UDP response size (not applied to TCP response).
 	# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
@@ -143,6 +157,9 @@ server:
 	# Helps mitigating DDOS
 	max-udp-size: 3072
 
+	# max memory to use for stream(tcp and tls) waiting result buffers.
+	# stream-wait-size: 4m
+
 	# buffer size for handling DNS data. No messages larger than this
 	# size can be sent or received, by UDP or TCP. In bytes.
 	# msg-buffer-size: 65552
@@ -165,6 +182,13 @@ server:
 	# msec to wait before close of port on timeout UDP. 0 disables.
 	# delay-close: 0
 
+	# perform connect for UDP sockets to mitigate ICMP side channel.
+	# udp-connect: yes
+
+	# msec for waiting for an unknown server to reply.  Increase if you
+	# are behind a slow satellite link, to eg. 1128.
+	# unknown-server-time-limit: 376
+
 	# the amount of memory to use for the RRset cache.
 	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# rrset-cache-size: 4m
@@ -192,6 +216,9 @@ server:
 	# minimum wait time for responses, increase if uplink is long. In msec.
 	# infra-cache-min-rtt: 50
 
+	# enable to make server probe down hosts more frequently.
+	# infra-keep-probing: no
+
 	# the number of slabs to use for the Infrastructure cache.
 	# the number of slabs must be a power of 2.
 	# more slabs reduce lock contention, but fragment memory usage.
@@ -211,7 +238,7 @@ server:
 	# do-ip6: yes
 
 	# Enable UDP, "yes" or "no".
-	# NOTE: if setting up an unbound on tls443 for public use, you might want to
+	# NOTE: if setting up an Unbound on tls443 for public use, you might want to
 	# disable UDP to avoid being used in DNS amplification attacks.
 	# do-udp: yes
 
@@ -234,12 +261,21 @@ server:
 	# Default is 0, system default MSS.
 	# outgoing-tcp-mss: 0
 
+	# Idle TCP timeout, connection closed in milliseconds
+	# tcp-idle-timeout: 30000
+
+	# Enable EDNS TCP keepalive option.
+	edns-tcp-keepalive: yes
+
+	# Timeout for EDNS TCP keepalive, in msec.
+	# edns-tcp-keepalive-timeout: 120000
+
 	# Fedora note: do not activate this - can cause a crash
 	# Use systemd socket activation for UDP, TCP, and control sockets.
 	# use-systemd: no
 
 	# Detach from the terminal, run in background, "yes" or "no".
-	# Set the value to "no" when unbound runs as systemd service.
+	# Set the value to "no" when Unbound runs as systemd service.
 	# do-daemonize: yes
 
 	# control which clients are allowed to make (recursive) queries
@@ -292,7 +328,7 @@ server:
 	# The pid file can be absolute and outside of the chroot, it is
 	# written just prior to performing the chroot and dropping permissions.
 	#
-	# Additionally, unbound may need to access /dev/random (for entropy).
+	# Additionally, Unbound may need to access /dev/urandom (for entropy).
 	# How to do this is specific to your OS.
 	#
 	# If you give "" no chroot is performed. The path must not end in a /.
@@ -333,8 +369,19 @@ server:
 	# timetoresolve, fromcache and responsesize.
 	# log-replies: no
 
+	# log with tag 'query' and 'reply' instead of 'info' for
+	# filtering log-queries and log-replies from the log.
+	# log-tag-queryreply: no
+
+	# log the local-zone actions, like local-zone type inform is enabled
+	# also for the other local zone types.
+	# log-local-actions: no
+
+	# print log lines that say why queries return SERVFAIL to clients.
+	# log-servfail: no
+
 	# the pid file. Can be an absolute path outside of chroot/work dir.
-	pidfile: "/run/unbound/unbound.pid"
+	pidfile: "/var/run/unbound/unbound.pid"
 
 	# file to read root hints from.
 	# get one from https://www.internic.net/domain/named.cache
@@ -346,15 +393,28 @@ server:
 	# enable to not answer version.server and version.bind queries.
 	# hide-version: no
 
+	# enable to not set the User-Agent HTTP header.
+	# hide-http-user-agent: no
+
 	# enable to not answer trustanchor.unbound queries.
 	# hide-trustanchor: no
 
+	# enable to not set the User-Agent HTTP header.
+	# hide-http-user-agent: no
+
 	# the identity to report. Leave "" or default to return hostname.
 	# identity: ""
 
 	# the version to report. Leave "" or default to return package version.
 	# version: ""
 
+	# NSID identity (hex string, or "ascii_somestring"). default disabled.
+	# nsid: "aabbccdd"
+
+	# User-Agent HTTP header to use. Leave "" or default to use package name
+	# and version.
+	# http-user-agent: ""
+
 	# the target fetch policy.
 	# series of integers describing the policy per dependency depth.
 	# The number of values in the list determines the maximum dependency
@@ -366,7 +426,7 @@ server:
 	# target-fetch-policy: "3 2 1 0 0"
 
 	# Harden against very small EDNS buffer sizes.
-	# harden-short-bufsize: no
+	# harden-short-bufsize: yes
 
 	# Harden against unseemly large queries.
 	# harden-large-queries: no
@@ -396,7 +456,7 @@ server:
 
 	# Sent minimum amount of information to upstream servers to enhance
 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
-	# to NS when possible.
+	# to A when possible.
 	qname-minimisation: yes
 
 	# QNAME minimisation in strict mode. Do not fall-back to sending full
@@ -415,8 +475,8 @@ server:
 
 	# Domains (and domains in them) without support for dns-0x20 and
 	# the fallback fails because they keep sending different answers.
-	# caps-whitelist: "licdn.com"
+	# caps-exempt: "licdn.com"
-	# caps-whitelist: "senderbase.org"
+	# caps-exempt: "senderbase.org"
 
 	# Enforce privacy of these addresses. Strips them away from answers.
 	# It may cause DNSSEC validation to additionally mark it as bogus.
@@ -457,6 +517,9 @@ server:
 	# if yes, perform key lookups adjacent to normal lookups.
 	prefetch-key: yes
 
+	# deny queries of type ANY with an empty response.
+	deny-any: yes
+
 	# if yes, Unbound rotates RRSet order in response.
 	rrset-roundrobin: yes
 
@@ -469,6 +532,9 @@ server:
 
 	# module configuration of the server. A string with identifiers
 	# separated by spaces. Syntax: "[dns64] [validator] iterator"
+	# most modules have to be listed at the beginning of the line,
+	# except cachedb(just before iterator), and python (at the beginning,
+	# or, just before the iterator).
 	module-config: "ipsecmod validator iterator"
 
 	# File with trusted keys, kept uptodate using RFC5011 probes,
@@ -476,7 +542,7 @@ server:
 	# Use several entries, one per domain name, to track multiple zones.
 	#
 	# If you want to perform DNSSEC validation, run unbound-anchor before
-	# you start unbound (i.e. in the system boot scripts).  And enable:
+	# you start Unbound (i.e. in the system boot scripts).  And enable:
 	# Please note usage of unbound-anchor root anchor is at your own risk
 	# and under the terms of our LICENSE (see that file in the source).
 	# auto-trust-anchor-file: "/var/lib/unbound/root.key"
@@ -487,11 +553,6 @@ server:
 	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
 	root-key-sentinel: yes
 
-	# File with DLV trusted keys. Same format as trust-anchor-file.
-	# There can be only one DLV configured, it is trusted from root down.
-	# DLV is going to be decommissioned.  Please do not use it any more.
-	# dlv-anchor-file: "dlv.isc.org.key"
-
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry.
 	# Zone file format, with DS and DNSKEY entries.
@@ -533,6 +594,10 @@ server:
 	# val-sig-skew-min: 3600
 	# val-sig-skew-max: 86400
 
+	# The maximum number the validator should restart validation with
+	# another authority in case of failed validation.
+	# val-max-restart: 5
+
 	# Should additional section of secure message also be kept clean of
 	# unsecure data. Useful to shield the users of this validator from
 	# potential bogus data in the additional section. All unsigned data
@@ -548,13 +613,40 @@ server:
 	val-permissive-mode: no
 
 	# Ignore the CD flag in incoming queries and refuse them bogus data.
-	# Enable it if the only clients of unbound are legacy servers (w2008)
+	# Enable it if the only clients of Unbound are legacy servers (w2008)
 	# that set CD but cannot validate themselves.
 	# ignore-cd-flag: no
 
-	# Serve expired responses from cache, with TTL 0 in the response,
+	# Serve expired responses from cache, with serve-expired-reply-ttl in
-	# and then attempt to fetch the data afresh.
+	# the response, and then attempt to fetch the data afresh.
 	serve-expired: yes
+	#
+	# Limit serving of expired responses to configured seconds after
+	# expiration. 0 disables the limit.
+	serve-expired-ttl: 14400
+	#
+	# Set the TTL of expired records to the serve-expired-ttl value after a
+	# failed attempt to retrieve the record from upstream. This makes sure
+	# that the expired records will be served as long as there are queries
+	# for it.
+	# serve-expired-ttl-reset: no
+	#
+	# TTL value to use when replying with expired data.
+	# serve-expired-reply-ttl: 30
+	#
+	# Time in milliseconds before replying to the client with expired data.
+	# This essentially enables the serve-stale behavior as specified in
+	# RFC 8767 that first tries to resolve before
+	# immediately responding with expired data.  0 disables this behavior.
+	# A recommended value is 1800.
+	# serve-expired-client-timeout: 0
+
+	# Return the original TTL as received from the upstream name server rather
+	# than the decrementing TTL as stored in the cache.  Enabling this feature
+	# does not impact cache expiry, it only changes the TTL Unbound embeds in
+	# responses to queries. Note that enabling this feature implicitly disables
+	# enforcement of the configured minimum and maximum TTL.
+	# serve-original-ttl: no
 
 	# Have the validator log failed validations for your diagnosis.
 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
@@ -564,7 +656,10 @@ server:
 	# keysize. Keep this table very short, as linear search is done.
 	# A message with an NSEC3 with larger count is marked insecure.
 	# List in ascending order the keysize and count values.
-	# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
+	# val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
+
+	# if enabled, ZONEMD verification failures do not block the zone.
+	# zonemd-permissive-mode: no
 
 	# instruct the auto-trust-anchor-file probing to add anchors after ttl.
 	# add-holddown: 2592000 # 30 days
@@ -589,7 +684,7 @@ server:
 	# more slabs reduce lock contention, but fragment memory usage.
 	# key-cache-slabs: 4
 
-	# the amount of memory to use for the negative cache (used for DLV).
+	# the amount of memory to use for the negative cache.
 	# plain value in bytes or you can append k, m or G. default is "1Mb".
 	# neg-cache-size: 1m
 
@@ -638,9 +733,12 @@ server:
 	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 	# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
 
-	# If unbound is running service for the local host then it is useful
+	# Add example.com into ipset
+	# local-zone: "example.com" ipset
+
+	# If Unbound is running service for the local host then it is useful
 	# to perform lan-wide lookups to the upstream, and unblock the
-	# long list of local-zones above.  If this unbound is a dns server
+	# long list of local-zones above.  If this Unbound is a dns server
 	# for a network of computers, disabled is better and stops information
 	# leakage of local lan information.
 	# unblock-lan-zones: no
@@ -661,8 +759,11 @@ server:
 	# o typetransparent resolves normally for other types and other names
 	# o inform acts like transparent, but logs client IP address
 	# o inform_deny drops queries and logs client IP address
-	# o always_transparent, always_refuse, always_nxdomain, resolve in
+	# o inform_redirect redirects queries and logs client IP address
-	#   that way but ignore local data for that name
+	# o always_transparent, always_refuse, always_nxdomain, always_nodata,
+	#   always_deny resolve in that way but ignore local data for
+	#   that name
+	# o always_null returns 0.0.0.0 or ::0 for any name in the zone.
 	# o noview breaks out of that view towards global local-zones.
 	#
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
@@ -698,14 +799,43 @@ server:
 	# add a netblock specific override to a localzone, with zone type
 	# local-zone-override: "example.com" 192.0.2.0/24 refuse
 
-	# service clients over SSL (on the TCP sockets), with plain DNS inside
+	# service clients over TLS (on the TCP sockets) with plain DNS inside
-	# the SSL stream.  Give the certificate to use and private key.
+	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
+	# Give the certificate to use and private key.
 	# default is "" (disabled).  requires restart to take effect.
 	# tls-service-key: "/etc/unbound/unbound_server.key"
 	# tls-service-pem: "/etc/unbound/unbound_server.pem"
 	# tls-port: 853
-	#
+	# https-port: 443
-	# request upstream over SSL (with plain DNS inside the SSL stream).
+
+	# cipher setting for TLSv1.2
+	# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
+	# cipher setting for TLSv1.3
+	# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+	# Fedora/RHEL: use system-wide crypto policies
+	tls-ciphers: "PROFILE=SYSTEM"
+	# TODO: ask system-wide crypto people what to use here
+	#tls-ciphersuites: "PROFILE=SYSTEM" # does not work
+
+	# Pad responses to padded queries received over TLS
+	# pad-responses: yes
+
+	# Padded responses will be padded to the closest multiple of this size.
+	# pad-responses-block-size: 468
+
+	# Use the SNI extension for TLS connections.  Default is yes.
+	# Changing the value requires a reload.
+	# tls-use-sni: yes
+
+	# Add the secret file for TLS Session Ticket.
+	# Secret file must be 80 bytes of random data.
+	# First key use to encrypt and decrypt TLS session tickets.
+	# Other keys use to decrypt only.
+	# requires restart to take effect.
+	# tls-session-ticket-keys: "path/to/secret_file1"
+	# tls-session-ticket-keys: "path/to/secret_file2"
+
+	# request upstream over TLS (with plain DNS inside the TLS stream).
 	# Default is no.  Can be turned on and off with unbound-control.
 	# tls-upstream: no
 
@@ -715,13 +845,41 @@ server:
 	# Add system certs to the cert bundle, from the Windows Cert Store
 	# tls-win-cert: no
 
+	# Pad queries over TLS upstreams
+	# pad-queries: yes
+
+	# Padded queries will be padded to the closest multiple of this size.
+	# pad-queries-block-size: 128
+
 	# Also serve tls on these port numbers (eg. 443, ...), by listing
-	# tls-additional-ports: portno for each of the port numbers.
+	# tls-additional-port: portno for each of the port numbers.
+
+	# HTTP endpoint to provide DNS-over-HTTPS service on.
+	# http-endpoint: "/dns-query"
+
+	# HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use.
+	# http-max-streams: 100
+
+	# Maximum number of bytes used for all HTTP/2 query buffers.
+	# http-query-buffer-size: 4m
+
+	# Maximum number of bytes used for all HTTP/2 response buffers.
+	# http-response-buffer-size: 4m
+
+	# Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS
+	# service.
+	# http-nodelay: yes
+
+	# Disable TLS for DNS-over-HTTP downstream service.
+	# http-notls-downstream: no
 
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
 	# dns64-prefix: 64:ff9b::0/96
 
+	# DNS64 ignore AAAA records for these domains and use A instead.
+	# dns64-ignore-aaaa: "example.com"
+
 	# ratelimit for uncached, new queries, this limits recursion effort.
 	# ratelimiting is experimental, and may help against randomqueryflood.
 	# if 0(default) it is disabled, otherwise state qps allowed per zone.
@@ -735,12 +893,6 @@ server:
 	# 0 blocks when ratelimited, otherwise let 1/xth traffic through
 	# ratelimit-factor: 10
 
-	# what is considered a low rtt (ping time for upstream server), in msec
-	# low-rtt: 45
-	# select low rtt this many times out of 1000. 0 means the fast server
-	# select is disabled.  prefetches are not sped up.
-	# low-rtt-permil: 0
-
 	# override the ratelimit for a specific domain name.
 	# give this setting multiple times to have multiple overrides.
 	# ratelimit-for-domain: example.com 1000
@@ -761,7 +913,16 @@ server:
 	# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
 	# ip-ratelimit-factor: 10
 
-	# Specific options for ipsecmod. unbound needs to be configured with
+	# Limit the number of connections simultaneous from a netblock
+	# tcp-connection-limit: 192.0.2.0/24 12
+
+	# select from the fastest servers this many times out of 1000. 0 means
+	# the fast server select is disabled. prefetches are not sped up.
+	# fast-server-permil: 0
+	# the number of servers that will be used in the fast server selection.
+	# fast-server-num: 3
+
+	# Specific options for ipsecmod. Unbound needs to be configured with
 	# --enable-ipsecmod for these to take effect.
 	#
 	# Enable or disable ipsecmod (it still needs to be defined in
@@ -775,7 +936,7 @@ server:
 	# ipsecmod-hook: "./my_executable"
 	ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
 
-	# When enabled unbound will reply with SERVFAIL if the return value of
+	# When enabled Unbound will reply with SERVFAIL if the return value of
 	# the ipsecmod-hook is not 0.
 	# ipsecmod-strict: no
 	#
@@ -787,18 +948,38 @@ server:
 	# ipsecmod-ignore-bogus: no
 	#
 	# Domains for which ipsecmod will be triggered. If not defined (default)
-	# all domains are treated as being whitelisted.
+	# all domains are treated as being allowed.
-	# ipsecmod-whitelist: "libreswan.org"
+	# ipsecmod-allow: "example.com"
-	# ipsecmod-whitelist: "nlnetlabs.nl"
+	# ipsecmod-allow: "nlnetlabs.nl"
+
+	# Timeout for REUSE entries in milliseconds.
+	# tcp-reuse-timeout: 60000
+	# Max number of queries on a reuse connection.
+	# max-reuse-tcp-queries: 200
+	# Timeout in milliseconds for TCP queries to auth servers.
+	# tcp-auth-query-timeout: 3000
 
 # Python config section. To enable:
 # o use --with-pythonmodule to configure before compiling.
 # o list python in the module-config string (above) to enable.
+#   It can be at the start, it gets validated results, or just before
+#   the iterator and process before DNSSEC validation.
 # o and give a python-script to run.
 python:
 	# Script file to load
 	# python-script: "/etc/unbound/ubmodule-tst.py"
 
+# Dynamic library config section. To enable:
+# o use --with-dynlibmodule to configure before compiling.
+# o list dynlib in the module-config string (above) to enable.
+#   It can be placed anywhere, the dynlib module is only a very thin wrapper
+#   to load modules dynamically.
+# o and give a dynlib-file to run. If more than one dynlib entry is listed in
+#   the module-config then you need one dynlib-file per instance.
+dynlib:
+	# Script file to load
+	# dynlib-file: "/etc/unbound/dynlib.so"
+
 # Remote control config section.
 remote-control:
 	# Enable remote control with unbound-control(8) here.
@@ -808,20 +989,24 @@ remote-control:
 
 	# Set to no and use an absolute path as control-interface to use
 	# a unix local named pipe for unbound-control.
+	# For local sockets this option is ignored, and TLS is not used.
 	# control-use-cert: yes
 
 	# what interfaces are listened to for remote control.
 	# give 0.0.0.0 and ::0 to listen to all interfaces.
+	# set to an absolute path to use a unix local name pipe, certificates
+	# are not used for that, so key and cert files need not be present.
 	# control-interface: 127.0.0.1
 	# control-interface: ::1
+	# moved to /etc/unbound/conf.d/remote-control.conf
 
 	# port number for remote control operations.
 	# control-port: 8953
 
-	# unbound server key file.
+	# Unbound server key file.
 	server-key-file: "/etc/unbound/unbound_server.key"
 
-	# unbound server certificate file.
+	# Unbound server certificate file.
 	server-cert-file: "/etc/unbound/unbound_server.pem"
 
 	# unbound-control key file.
@@ -847,6 +1032,7 @@ include: /etc/unbound/conf.d/*.conf
 #	stub-prime: no
 #	stub-first: no
 #	stub-tls-upstream: no
+#	stub-no-cache: no
 # stub-zone:
 #	name: "example.org"
 #	stub-host: ns.example.com.
@@ -867,6 +1053,7 @@ include: /etc/unbound/conf.d/*.conf
 # 	forward-addr: 192.0.2.73@5355  # forward to port 5355.
 # 	forward-first: no
 # 	forward-tls-upstream: no
+#	forward-no-cache: no
 # forward-zone:
 # 	name: "example.org"
 # 	forward-host: fwd.example.com
@@ -882,21 +1069,36 @@ include: /etc/unbound/conf.d/*.conf
 # has a copy of the root for local usage.  The second serves example.org
 # authoritatively.  zonefile: reads from file (and writes to it if you also
 # download it), master: fetches with AXFR and IXFR, or url to zonefile.
+# With allow-notify: you can give additional (apart from masters) sources of
+# notifies.
 auth-zone:
 	name: "."
+	primary: 199.9.14.201         # b.root-servers.net
+	primary: 192.33.4.12          # c.root-servers.net
+	primary: 199.7.91.13          # d.root-servers.net
+	primary: 192.5.5.241          # f.root-servers.net
+	primary: 192.112.36.4         # g.root-servers.net
+	primary: 193.0.14.129         # k.root-servers.net
+	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
+	primary: 192.0.32.132         # xfr.lax.dns.icann.org
+	primary: 2001:500:200::b      # b.root-servers.net
+	primary: 2001:500:2::c        # c.root-servers.net
+	primary: 2001:500:2d::d       # d.root-servers.net
+	primary: 2001:500:2f::f       # f.root-servers.net
+	primary: 2001:500:12::d0d     # g.root-servers.net
+	primary: 2001:7fd::1          # k.root-servers.net
+	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
+	fallback-enabled: yes
 	for-downstream: no
 	for-upstream: yes
-	fallback-enabled: yes
+
-	master: b.root-servers.net
-	master: c.root-servers.net
-	master: e.root-servers.net
-	master: f.root-servers.net
-	master: g.root-servers.net
-	master: k.root-servers.net
 # auth-zone:
 #	name: "example.org"
 #	for-downstream: yes
 #	for-upstream: yes
+#	zonemd-check: no
+#	zonemd-reject-absence: no
 #	zonefile: "example.org.zone"
 
 # Views
@@ -921,7 +1123,7 @@ auth-zone:
 #
 # DNSCrypt
 # Caveats:
-# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
+# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
 #   for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
 # 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
 #   listen on `dnscrypt-port` with the follo0wing snippet:
@@ -943,11 +1145,12 @@ auth-zone:
 # Enable external backend DB as auxiliary cache.  Specify the backend name
 # (default is "testframe", which has no use other than for debugging and
 # testing) and backend-specific options.  The 'cachedb' module must be
-# included in module-config.
+# included in module-config, just before the iterator module.
 # cachedb:
 #     backend: "testframe"
 #     # secret seed string to calculate hashed keys
 #     secret-seed: "default"
+#
 #     # For "redis" backend:
 #     # redis server's IP address or host name
 #     redis-server-host: 127.0.0.1
@@ -955,3 +1158,70 @@ auth-zone:
 #     redis-server-port: 6379
 #     # timeout (in ms) for communication with the redis server
 #     redis-timeout: 100
+#     # set timeout on redis records based on DNS response TTL
+#     redis-expire-records: no
+
+# IPSet
+# Add specify domain into set via ipset.
+# Note: To enable ipset Unbound needs to run as root user.
+# ipset:
+#     # set name for ip v4 addresses
+#     name-v4: "list-v4"
+#     # set name for ip v6 addresses
+#     name-v6: "list-v6"
+#
+
+# Dnstap logging support, if compiled in.  To enable, set the dnstap-enable
+# to yes and also some of dnstap-log-..-messages to yes.  And select an
+# upstream log destination, by socket path, TCP or TLS destination.
+# dnstap:
+# 	dnstap-enable: no
+# 	# if set to yes frame streams will be used in bidirectional mode
+# 	dnstap-bidirectional: yes
+# 	dnstap-socket-path: "/etc/unbound/dnstap.sock"
+# 	# if "" use the unix socket in dnstap-socket-path, otherwise,
+# 	# set it to "IPaddress[@port]" of the destination.
+# 	dnstap-ip: ""
+# 	# if set to yes if you want to use TLS to dnstap-ip, no for TCP.
+# 	dnstap-tls: yes
+# 	# name for authenticating the upstream server. or "" disabled.
+# 	dnstap-tls-server-name: ""
+# 	# if "", it uses the cert bundle from the main Unbound config.
+# 	dnstap-tls-cert-bundle: ""
+# 	# key file for client authentication, or "" disabled.
+# 	dnstap-tls-client-key-file: ""
+# 	# cert file for client authentication, or "" disabled.
+# 	dnstap-tls-client-cert-file: ""
+# 	dnstap-send-identity: no
+# 	dnstap-send-version: no
+# 	# if "" it uses the hostname.
+# 	dnstap-identity: ""
+# 	# if "" it uses the package version.
+# 	dnstap-version: ""
+# 	dnstap-log-resolver-query-messages: no
+# 	dnstap-log-resolver-response-messages: no
+# 	dnstap-log-client-query-messages: no
+# 	dnstap-log-client-response-messages: no
+# 	dnstap-log-forwarder-query-messages: no
+# 	dnstap-log-forwarder-response-messages: no
+
+# Response Policy Zones
+# RPZ policies. Applied in order of configuration. QNAME, Response IP
+# Address, nsdname, nsip and clientip triggers are supported. Supported
+# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only
+# and drop.  Policies can be loaded from a file, or using zone
+# transfer, or using HTTP. The respip module needs to be added
+# to the module-config, e.g.: module-config: "respip validator iterator".
+# rpz:
+#     name: "rpz.example.com"
+#     zonefile: "rpz.example.com"
+#     primary: 192.0.2.0
+#     allow-notify: 192.0.2.0/32
+#     url: http://www.example.com/rpz.example.org.zone
+#     rpz-action-override: cname
+#     rpz-cname-override: www.example.org
+#     rpz-log: yes
+#     rpz-log-name: "example policy"
+#     rpz-signal-nxdomain-ra: no
+#     for-downstream: no
+#     tags: "example"

SOURCES/unbound.service

@@ -11,7 +11,7 @@ Wants=nss-lookup.target
 Type=simple
 EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
-ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
 ExecReload=/usr/sbin/unbound-control reload
 

SPECS/unbound.spec

@@ -33,8 +33,8 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.7.3
+Version: 1.16.2
-Release: 15%{?extra_version:.%{extra_version}}%{?dist}
+Release: 5.9%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@@ -54,21 +54,28 @@ Source14: unbound.sysconfig
 Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
+Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
+Source21: remote-control.conf
 
-Patch2: unbound-1.7.2-python3-devel.patch
+# Reverts ABI change done in version 1.8.0 (bz#2027735)
-Patch3: unbound-1.7.2-python3-pkgconfig.patch
+# Makes possible backward binary compatibility with a new features
-Patch4: unbound-1.7.3-anchor-fallback.patch
+Patch1:   unbound-1.15-soversion2-compat.patch
-Patch5: unbound-1.7.3-host-any.patch
+Patch2:   unbound-1.15-source-compat.patch
-Patch6: unbound-1.7.3-use-basic-lock.patch
+# https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
-Patch7: unbound-1.7.3-ipsec-hook.patch
+Patch3:   unbound-1.16-CVE-2022-3204.patch
-Patch8: unbound-1.7.3-auth-callback.patch
+# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
-Patch9: unbound-1.7.3-ksk-2010-revoked.patch
+Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
-Patch10: unbound-1.7.3-DNS-over-TLS-memory-leak.patch
+# https://github.com/NLnetLabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259
-Patch11: unbound-1.7.3-amplifying-an-incoming-query.patch
+Patch5: unbound-1.21-CVE-2024-8508.patch
-Patch12: unbound-1.7.3-crypto-policy-non-compliance-openssl.patch
+# The patch for CVE-2025-5994 requires certain changes fixing bugs in subnet module
-Patch13: unbound-1.7.3-additional-logging.patch
+# that is why we have to backport these commits. They have their respective tests
-Patch14: unbound-1.7.3-security-hardening.patch
+# backported with them.
-Patch15: unbound-1.7.3-symlink-traversal.patch
+# https://github.com/NLnetLabs/unbound/commit/0f08cc6d5577ad4747749c55229e16df8711ee32
+# https://github.com/NLnetLabs/unbound/commit/6d0812b56731af130e8bc7e1572388934beb9b3b
+# https://github.com/NLnetLabs/unbound/commit/be626f7c5330dc414a582a04b537ea79d5c452fb
+# https://github.com/NLnetLabs/unbound/commit/5bf82f246481098a6473f296b21fc1229d276c0f
+# https://github.com/NLnetLabs/unbound/commit/a1150078f29e14b36c8e4d9d05a263a5e6abbc5b
+Patch6: unbound-1.23.1-CVE-2025-5994.patch
 
 BuildRequires: gdb
 BuildRequires: gcc, make
@@ -83,12 +90,14 @@ BuildRequires: python3-devel swig
 %endif # with_python3
 BuildRequires: systemd
 # Required for SVN versions
-# BuildRequires: bison
+BuildRequires: bison
-# BuildRequires: automake autoconf libtool
+BuildRequires: automake autoconf libtool
 
 %{?systemd_requires}
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+# unbound-keygen.service requires it, bug #2116790
+Requires: openssl
 
 %description
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@@ -165,23 +174,14 @@ Python 3 modules and extensions for unbound
 %setup -qcn %{pkgname}
 
 pushd %{pkgname}
-%patch2 -p1 -b .python3
-%patch3 -p1 -b .python3
-%patch4 -p1 -b .anchor-fallback
-%patch5 -p1 -b .host-any
-%patch6 -p1 -b .use-basic-lock
-%patch7 -p1 -b .ipsec-hook
-%patch8 -p1 -b .auth-callback
-%patch9 -p1 -b .ksk-2010-revoked
-%patch10 -p1 -b .DNS-over-TLS-memory-leak
-%patch11 -p1 -b .amplifying-an-incoming-query
-%patch12 -p1 -b .crypto-policy
-%patch13 -p1 -b .additional-logging
-%patch14 -p1 -b .security-hardening
-%patch15 -p1 -b .symlink-traversal
 
-# only for snapshots
+%patch1 -p2 -b .solib2-compat
-# autoreconf -iv
+%patch2 -p1 -b .srccompat
+%patch3 -p2 -b .CVE-2022-3204
+%patch4 -p2 -b .CVE-2023-50387-CVE-2023-50868
+%patch5 -p2 -b .CVE-2024-8508
+%patch6 -p2 -b .CVE-2025-5994
+
 
 # copy common doc files - after here, since it may be patched
 cp -pr doc pythonmod libunbound ../
@@ -193,9 +193,6 @@ cp -a %{dir_primary} %{dir_secondary}
 %endif
 
 %build
-# This is needed to rebuild the configure script to support Python 3.x
-# autoreconf -iv
-
 # ./configure script common arguments
 %global configure_args --with-libevent --with-pthreads --with-ssl \\\
             --disable-rpath --disable-static \\\
@@ -204,10 +201,14 @@ cp -a %{dir_primary} %{dir_secondary}
             --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
             --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\\
             --enable-sha2 --disable-gost --enable-ecdsa \\\
-            --with-rootkey-file=%{_sharedstatedir}/unbound/root.key
+            --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
+            --enable-linux-ip-local-port-range
 
 pushd %{dir_primary}
 
+# configure.ac is modified, force refresh
+autoreconf -fiv
+
 %configure  \
 %if 0%{?python_primary:1}
             --with-pythonmodule --with-pyunbound PYTHON=%{python_primary} \
@@ -291,12 +292,6 @@ rm %{buildroot}%{python2_sitearch}/*.la
 rm %{buildroot}%{python3_sitearch}/*.la
 %endif # with_python3
 
-# create softlink for all functions of libunbound man pages
-for mpage in ub_ctx ub_result ub_ctx_create ub_ctx_delete ub_ctx_set_option ub_ctx_get_option ub_ctx_config ub_ctx_set_fwd ub_ctx_resolvconf ub_ctx_hosts ub_ctx_add_ta ub_ctx_add_ta_file ub_ctx_trustedkeys ub_ctx_debugout ub_ctx_debuglevel ub_ctx_async ub_poll ub_wait ub_fd ub_process ub_resolve ub_resolve_async ub_cancel ub_resolve_free ub_strerror ub_ctx_print_local_zones ub_ctx_zone_add ub_ctx_zone_remove ub_ctx_data_add ub_ctx_data_remove;
-do
-  echo ".so man3/libunbound.3" > %{buildroot}%{_mandir}/man3/$mpage ;
-done
-
 mkdir -p %{buildroot}%{_localstatedir}/run/unbound
 
 # Install directories for easier config file drop in
@@ -305,6 +300,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
 install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
+install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
@@ -452,6 +448,65 @@ popd
 %verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
 
 %changelog
+* Thu Jul 24 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.9
+- Fix RebirthDay Attack (CVE-2025-5994)
+- Resolves: RHEL-104123
+
+* Tue Nov 12 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.8
+- Prevent unbounded name compression (CVE-2024-8508)
+
+* Tue May 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.7
+- Rebuild to propagate to CentOS Stream (RHEL-25500)
+
+* Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.6
+- Ensure group access correction reaches also updated configs (CVE-2024-1488)
+
+* Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.3
+- Ensure only unbound group can change configuration (CVE-2024-1488)
+
+* Fri Feb 16 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.1
+- Fix KeyTrap - Extreme CPU consumption in DNSSEC validator CVE-2023-50387
+- Fix Preparing an NSEC3 closest encloser proof can exhaust CPU resources CVE-2023-50868
+- Resolves: RHEL-25428
+- Resolves: RHEL-25423
+
+* Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-5
+- Stop creating wrong devel manual pages (#2135322)
+
+* Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-4
+- Apply correctly previous change (CVE-2022-3204)
+
+* Tue Oct 11 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-3
+- Fix NRDelegation attack leading to uncontrolled resource consumption
+  (CVE-2022-3204)
+
+* Tue Aug 09 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-2
+- Require openssl tool for unbound-keygen (#2018806)
+
+* Wed Aug 03 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-1
+- Update to 1.16.2 (#2027735)
+
+* Wed Jun 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-2
+- Restart keygen service before every unbound start (#1959468)
+
+* Wed Jun 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-1
+- Upgrade to 9.16.0 (#2027735)
+- Update to recent version with compatibility with RHEL8 (#2027735)
+- Ensure also source level compatibility with previous version
+
+* Thu May 19 2022 Richard Lescak <rlescak@gmail.com> - 1.7.3-18
+- Change file mode before owner when configuring remote control unix socket to avoid AVC denials
+- Resolves: rhbz#2038251
+
+* Mon Apr 26 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-17
+- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux
+- Resolves: rhbz#1830625
+
+* Tue Apr 06 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-16
+- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR
+  environment variable equals to "yes"
+- Resolves: rhbz#1922448
+
 * Tue Sep 01 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-15
 - Fix SPEC file to not check md5 mtime and size of /var/lib/unbound/root.key
 - Resolves: rhbz#1714175