Vendor import of Unbound 1.8.1.

config.h.in

 /* config.h.in.  Generated from configure.ac by autoheader.  */
 
+/* apply the noreturn attribute to a function that exits the program */
+#undef ATTR_NORETURN
+
+/* apply the weak attribute to a symbol */
+#undef ATTR_WEAK
+
 /* Directory to chroot to */
 #undef CHROOT_DIR
 
@@ -45,6 +51,9 @@
 /* Whether the C compiler accepts the "format" attribute */
 #undef HAVE_ATTR_FORMAT
 
+/* Whether the C compiler accepts the "noreturn" attribute */
+#undef HAVE_ATTR_NORETURN
+
 /* Whether the C compiler accepts the "unused" attribute */
 #undef HAVE_ATTR_UNUSED
 
@@ -199,6 +208,9 @@
 /* Define to 1 if you have the <expat.h> header file. */
 #undef HAVE_EXPAT_H
 
+/* Define to 1 if you have the `explicit_bzero' function. */
+#undef HAVE_EXPLICIT_BZERO
+
 /* Define to 1 if you have the `fcntl' function. */
 #undef HAVE_FCNTL
 
@@ -1144,6 +1156,11 @@ char *strsep(char **stringp, const char *delim);
 int isblank(int c);
 #endif
 
+#ifndef HAVE_EXPLICIT_BZERO
+#define explicit_bzero unbound_explicit_bzero
+void explicit_bzero(void* buf, size_t len);
+#endif
+
 #if defined(HAVE_INET_NTOP) && !HAVE_DECL_INET_NTOP
 const char *inet_ntop(int af, const void *src, char *dst, size_t size);
 #endif
@@ -1176,7 +1193,6 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
 #  endif
 #endif /* HAVE_LIBRESSL */
 #ifndef HAVE_ARC4RANDOM
-void explicit_bzero(void* buf, size_t len);
 int getentropy(void* buf, size_t len);
 uint32_t arc4random(void);
 void arc4random_buf(void* buf, size_t n);

configure

 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.8.0.
+# Generated by GNU Autoconf 2.69 for unbound 1.8.1.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.8.0'
-PACKAGE_STRING='unbound 1.8.0'
+PACKAGE_VERSION='1.8.1'
+PACKAGE_STRING='unbound 1.8.1'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
 PACKAGE_URL=''
@@ -1440,7 +1440,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.8.0 to adapt to many kinds of systems.
+\`configure' configures unbound 1.8.1 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1505,7 +1505,7 @@ fi
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.8.0:";;
+     short | recursive ) echo "Configuration of unbound 1.8.1:";;
    esac
   cat <<\_ACEOF
@@ -1722,7 +1722,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.8.0
+unbound configure 1.8.1
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2431,7 +2431,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by unbound $as_me 1.8.0, which was
+It was created by unbound $as_me 1.8.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
   $ $0 $@
@@ -2783,11 +2783,11 @@ UNBOUND_VERSION_MAJOR=1
 UNBOUND_VERSION_MINOR=8
-UNBOUND_VERSION_MICRO=0
+UNBOUND_VERSION_MICRO=1
 LIBUNBOUND_CURRENT=8
-LIBUNBOUND_REVISION=0
+LIBUNBOUND_REVISION=1
 LIBUNBOUND_AGE=0
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2850,7 +2850,8 @@ LIBUNBOUND_AGE=0
 # 1.7.1 had 7:9:5
 # 1.7.2 had 7:10:5
 # 1.7.3 had 7:11:5
-# 1.7.4 had 8:0:0 # changes the event callback function signature
+# 1.8.0 had 8:0:0 # changes the event callback function signature
+# 1.8.1 had 8:1:0
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -6265,6 +6266,54 @@ if test $ac_cv_c_weak_attribute = yes; then
 $as_echo "#define HAVE_ATTR_WEAK 1" >>confdefs.h
+
+$as_echo "#define ATTR_WEAK __attribute__((weak))" >>confdefs.h
+
+fi
+
+
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler (${CC-cc}) accepts the \"noreturn\" attribute" >&5
+$as_echo_n "checking whether the C compiler (${CC-cc}) accepts the \"noreturn\" attribute... " >&6; }
+if ${ac_cv_c_noreturn_attribute+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_cv_c_noreturn_attribute=no
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+ #include <stdio.h>
+__attribute__((noreturn)) void f(int x) { printf("%d", x); }
+
+int
+main ()
+{
+
+   f(1);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  ac_cv_c_noreturn_attribute="yes"
+else
+  ac_cv_c_noreturn_attribute="no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_noreturn_attribute" >&5
+$as_echo "$ac_cv_c_noreturn_attribute" >&6; }
+if test $ac_cv_c_noreturn_attribute = yes; then
+
+$as_echo "#define HAVE_ATTR_NORETURN 1" >>confdefs.h
+
+
+$as_echo "#define ATTR_NORETURN __attribute__((__noreturn__))" >>confdefs.h
+
 fi
@@ -20033,6 +20082,20 @@ esac
 fi
+ac_fn_c_check_func "$LINENO" "explicit_bzero" "ac_cv_func_explicit_bzero"
+if test "x$ac_cv_func_explicit_bzero" = xyes; then :
+  $as_echo "#define HAVE_EXPLICIT_BZERO 1" >>confdefs.h
+
+else
+  case " $LIBOBJS " in
+  *" explicit_bzero.$ac_objext "* ) ;;
+  *) LIBOBJS="$LIBOBJS explicit_bzero.$ac_objext"
+ ;;
+esac
+
+fi
+
+
 LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
 ac_fn_c_check_func "$LINENO" "reallocarray" "ac_cv_func_reallocarray"
@@ -20079,12 +20142,6 @@ fi
 	if test "$ac_cv_func_arc4random" = "no"; then
-		case " $LIBOBJS " in
-  *" explicit_bzero.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS explicit_bzero.$ac_objext"
- ;;
-esac
-
 		case " $LIBOBJS " in
   *" arc4_lock.$ac_objext "* ) ;;
   *) LIBOBJS="$LIBOBJS arc4_lock.$ac_objext"
@@ -21077,7 +21134,7 @@ _ACEOF
-version=1.8.0
+version=1.8.1
 date=`date +'%b %e, %Y'`
@@ -21596,7 +21653,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.8.0, which was
+This file was extended by unbound $as_me 1.8.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
   CONFIG_FILES    = $CONFIG_FILES
@@ -21662,7 +21719,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.8.0
+unbound config.status 1.8.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"

configure.ac

@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[8])
-m4_define([VERSION_MICRO],[0])
+m4_define([VERSION_MICRO],[1])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=8
-LIBUNBOUND_REVISION=0
+LIBUNBOUND_REVISION=1
 LIBUNBOUND_AGE=0
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -81,7 +81,8 @@ LIBUNBOUND_AGE=0
 # 1.7.1 had 7:9:5
 # 1.7.2 had 7:10:5
 # 1.7.3 had 7:11:5
-# 1.7.4 had 8:0:0 # changes the event callback function signature
+# 1.8.0 had 8:0:0 # changes the event callback function signature
+# 1.8.1 had 8:1:0
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -310,11 +311,36 @@ __attribute__((weak)) void f(int x) { printf("%d", x); }
 AC_MSG_RESULT($ac_cv_c_weak_attribute)
 if test $ac_cv_c_weak_attribute = yes; then
   AC_DEFINE(HAVE_ATTR_WEAK, 1, [Whether the C compiler accepts the "weak" attribute])
+  AC_DEFINE(ATTR_WEAK, [__attribute__((weak))], [apply the weak attribute to a symbol])
 fi
 ])dnl End of CHECK_WEAK_ATTRIBUTE
 
 CHECK_WEAK_ATTRIBUTE
 
+AC_DEFUN([CHECK_NORETURN_ATTRIBUTE],
+[AC_REQUIRE([AC_PROG_CC])
+AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "noreturn" attribute)
+AC_CACHE_VAL(ac_cv_c_noreturn_attribute,
+[ac_cv_c_noreturn_attribute=no
+AC_TRY_COMPILE(
+[ #include <stdio.h>
+__attribute__((noreturn)) void f(int x) { printf("%d", x); }
+], [
+   f(1);
+],
+[ac_cv_c_noreturn_attribute="yes"],
+[ac_cv_c_noreturn_attribute="no"])
+])
+
+AC_MSG_RESULT($ac_cv_c_noreturn_attribute)
+if test $ac_cv_c_noreturn_attribute = yes; then
+  AC_DEFINE(HAVE_ATTR_NORETURN, 1, [Whether the C compiler accepts the "noreturn" attribute])
+  AC_DEFINE(ATTR_NORETURN, [__attribute__((__noreturn__))], [apply the noreturn attribute to a function that exits the program])
+fi
+])dnl End of CHECK_NORETURN_ATTRIBUTE
+
+CHECK_NORETURN_ATTRIBUTE
+
 if test "$srcdir" != "."; then
 	CPPFLAGS="$CPPFLAGS -I$srcdir"
 fi
@@ -1396,6 +1422,7 @@ AC_REPLACE_FUNCS(strlcpy)
 AC_REPLACE_FUNCS(memmove)
 AC_REPLACE_FUNCS(gmtime_r)
 AC_REPLACE_FUNCS(isblank)
+AC_REPLACE_FUNCS(explicit_bzero)
 dnl without CTIME, ARC4-functions and without reallocarray.
 LIBOBJ_WITHOUT_CTIMEARC4="$LIBOBJS"
 AC_SUBST(LIBOBJ_WITHOUT_CTIMEARC4)
@@ -1404,7 +1431,6 @@ if test "$USE_NSS" = "no"; then
 	AC_REPLACE_FUNCS(arc4random)
 	AC_REPLACE_FUNCS(arc4random_uniform)
 	if test "$ac_cv_func_arc4random" = "no"; then
-		AC_LIBOBJ(explicit_bzero)
 		AC_LIBOBJ(arc4_lock)
 		AC_CHECK_FUNCS([getentropy],,[
 		    if test "$USE_WINSOCK" = 1; then
@@ -1729,6 +1755,11 @@ char *strsep(char **stringp, const char *delim);
 int isblank(int c);
 #endif
 
+#ifndef HAVE_EXPLICIT_BZERO
+#define explicit_bzero unbound_explicit_bzero
+void explicit_bzero(void* buf, size_t len);
+#endif
+
 #if defined(HAVE_INET_NTOP) && !HAVE_DECL_INET_NTOP
 const char *inet_ntop(int af, const void *src, char *dst, size_t size);
 #endif
@@ -1761,7 +1792,6 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
 #  endif
 #endif /* HAVE_LIBRESSL */
 #ifndef HAVE_ARC4RANDOM
-void explicit_bzero(void* buf, size_t len);
 int getentropy(void* buf, size_t len);
 uint32_t arc4random(void);
 void arc4random_buf(void* buf, size_t n);

daemon/daemon.c

@@ -660,18 +660,15 @@ daemon_fork(struct daemon* daemon)
 
 	/* Start resolver service on main thread. */
 #ifdef HAVE_SYSTEMD
-	if(daemon->cfg->use_systemd)
-		sd_notify(0, "READY=1");
+	sd_notify(0, "READY=1");
 #endif
 	log_info("start of service (%s).", PACKAGE_STRING);
 	worker_work(daemon->workers[0]);
 #ifdef HAVE_SYSTEMD
-	if(daemon->cfg->use_systemd) {
-		if (daemon->workers[0]->need_to_exit)
-			sd_notify(0, "STOPPING=1");
-		else
-			sd_notify(0, "RELOADING=1");
-	}
+	if (daemon->workers[0]->need_to_exit)
+		sd_notify(0, "STOPPING=1");
+	else
+		sd_notify(0, "RELOADING=1");
 #endif
 	log_info("service stopped (%s).", PACKAGE_STRING);
 

daemon/remote.c

@@ -275,12 +275,13 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
 	struct addrinfo hints;
 	struct addrinfo* res;
 	struct listen_port* n;
-	int noproto;
+	int noproto = 0;
 	int fd, r;
 	char port[15];
 	snprintf(port, sizeof(port), "%d", nr);
 	port[sizeof(port)-1]=0;
 	memset(&hints, 0, sizeof(hints));
+	log_assert(ip);
 
 	if(ip[0] == '/') {
 		/* This looks like a local socket */
@@ -1069,6 +1070,7 @@ do_stats(RES* ssl, struct daemon_remote* rc, int reset)
 	struct ub_stats_info total;
 	struct ub_stats_info s;
 	int i;
+	memset(&total, 0, sizeof(total));
 	log_assert(daemon->num > 0);
 	/* gather all thread statistics in one place */
 	for(i=0; i<daemon->num; i++) {

daemon/unbound.c

@@ -730,7 +730,7 @@ main(int argc, char* argv[])
 		}
 	}
 	argc -= optind;
-	argv += optind;
+	/* argv += optind; not using further arguments */
 
 	if(winopt) {
 #ifdef UB_ON_WINDOWS

daemon/worker.c

@@ -1180,7 +1180,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			char addrbuf[128];
 			addr_to_str(&repinfo->addr, repinfo->addrlen,
 						addrbuf, sizeof(addrbuf));
-		  verbose(VERB_OPS, "ip_ratelimit allowed through for ip address %s ",
+		  verbose(VERB_QUERY, "ip_ratelimit allowed through for ip address %s because of slip in ip_ratelimit_factor",
 				  addrbuf);
 		} else {
 			worker->stats.num_queries_ip_ratelimited++;
@@ -1671,14 +1671,14 @@ worker_create(struct daemon* daemon, int id, int* ports, int n)
 		(((unsigned int)worker->thread_num)<<17);
 		/* shift thread_num so it does not match out pid bits */
 	if(!(worker->rndstate = ub_initstate(seed, daemon->rand))) {
-		seed = 0;
+		explicit_bzero(&seed, sizeof(seed));
 		log_err("could not init random numbers.");
 		tube_delete(worker->cmd);
 		free(worker->ports);
 		free(worker);
 		return NULL;
 	}
-	seed = 0;
+	explicit_bzero(&seed, sizeof(seed));
 #ifdef USE_DNSTAP
 	if(daemon->cfg->dnstap) {
 		log_assert(daemon->dtenv != NULL);

doc/Changelog

+8 October 2018: Wouter
+	- fastrpz.patch fix included.
+
+1 October 2018: Wouter
+	- tag for release 1.8.1rc1.
+
+27 September 2018: Wouter
+	- Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
+	  qname minimisation with a forwarder when connectivity has issues
+	  from rejecting responses.
+
+25 September 2018: Wouter
+	- Perform TLS SNI indication of the host that is being contacted
+	  for DNS over TLS service.  It sets the configured tls auth name.
+	  This is useful for hosts that apart from the DNS over TLS services
+	  also provide other (web) services.
+	- Fix #4149: Add SSL cleanup for tcp timeout.
+
+17 September 2018: Wouter
+	- Fix compile on Mac for unbound, provide explicit_bzero when libc
+	  does not have it.
+	- Fix unbound for openssl in FIPS mode, it uses the digests with
+	  the EVP call contexts.
+	- Fix that with harden-below-nxdomain and qname minisation enabled
+	  some iterator states for nonresponsive domains can get into a
+	  state where they waited for an empty list.
+	- Stop UDP to TCP failover after timeouts that causes the ping count
+	  to be reset by the TCP time measurement (that exists for TLS),
+	  because that causes the UDP part to not be measured as timeout.
+	- Fix #4156: Fix systemd service manager state change notification.
+
+13 September 2018: Wouter
+	- Fix seed for random backup code to use explicit zero when wiped.
+	- exit log routine is annotated as noreturn function.
+	- free memory leaks in config strlist and str2list insert functions.
+	- do not move unused argv variable after getopt.
+	- Remove unused if clause in testcode.
+	- in testcode, free async ids, initialise array, and check for null
+	  pointer during test of the test.  And use exit for return to note
+	  irregular program stop.
+	- Free memory leak in config strlist append.
+	- make sure nsec3 comparison salt is initialized.
+	- unit test has clang analysis.
+	- remove unused variable assignment from iterator scrub routine.
+	- check for null in delegation point during iterator refetch
+	  in forward zone.
+	- neater pointer cast in libunbound context quit routine.
+	- initialize statistics totals for printout.
+	- in authzone check that node exists before adding rrset.
+	- in unbound-anchor, use readwrite memory BIO.
+	- assertion in autotrust that packed rrset is formed correctly.
+	- Fix memory leak when message parse fails partway through copy.
+	- remove unused udpsize assignment in message encode.
+	- nicer bio free code in unbound-anchor.
+	- annotate exit functions with noreturn in unbound-control.
+
+11 September 2018: Wouter
+	- Fixed unused return value warnings in contrib/fastrpz.patch for
+	  asprintf.
+	- Fix to squelch respip warning in unit test, it is printed at
+	  higher verbosity settings.
+	- Fix spelling errors.
+	- Fix initialisation in remote.c
+
+10 September 2018: Wouter
+	- 1.8.1 in svn trunk. (changes from 4,5,.. sep apply).
+	- iana port update.
+
+5 September 2018: Wouter
+	- Fix spelling error in header, from getdns commit by Andreas Gelmini.
+
+4 September 2018: Ralph
+	- More explicitly mention the type of ratelimit when applying
+	  ip-ratelimit.
+
 4 September 2018: Wouter
-	- Tag for 1.8.0rc1 release.
+	- Tag for 1.8.0rc1 release, became 1.8.0 release on 10 Sep 2018.
 
 31 August 2018: Wouter
 	- Disable minimal-responses in subnet unit tests.
@@ -1856,7 +1931,7 @@
 	  compatibility with cisco dns guard.  This lowers false positives.
 
 18 April 2016: Wouter
-	- Fix some malformed reponses to edns queries get fallback to nonedns.
+	- Fix some malformed responses to edns queries get fallback to nonedns.
 
 15 April 2016: Wouter
 	- cachedb module event handling design.

doc/README

-README for Unbound 1.8.0
+README for Unbound 1.8.1
 Copyright 2007 NLnet Labs
 http://unbound.net
 

doc/example.conf.in

 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.8.0.
+# See unbound.conf(5) man page, version 1.8.1.
 #
 # this is a comment.
 

doc/libunbound.3.in

-.TH "libunbound" "3" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
+.TH "libunbound" "3" "Oct  8, 2018" "NLnet Labs" "unbound 1.8.1"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -43,7 +43,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.8.0 functions.
+\- Unbound DNS validating resolver 1.8.1 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP

doc/unbound-anchor.8.in

-.TH "unbound-anchor" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
+.TH "unbound-anchor" "8" "Oct  8, 2018" "NLnet Labs" "unbound 1.8.1"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"

doc/unbound-checkconf.8.in

-.TH "unbound-checkconf" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
+.TH "unbound-checkconf" "8" "Oct  8, 2018" "NLnet Labs" "unbound 1.8.1"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"

doc/unbound-control.8.in

-.TH "unbound-control" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
+.TH "unbound-control" "8" "Oct  8, 2018" "NLnet Labs" "unbound 1.8.1"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"
@@ -301,7 +301,7 @@ you set unbound to validate with for-upstream yes and that can be cleared
 with \fBflush_zone\fR \fIzone\fR.
 .TP
 .B auth_zone_transfer \fIzone\fR
-Tranfer the auth zone from master.  The auth zone probe sequence is started,
+Transfer the auth zone from master.  The auth zone probe sequence is started,
 where the masters are probed to see if they have an updated zone (with the SOA
 serial check).  And then the zone is transferred for a newer zone version.
 .TP

doc/unbound-host.1.in

-.TH "unbound\-host" "1" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
+.TH "unbound\-host" "1" "Oct  8, 2018" "NLnet Labs" "unbound 1.8.1"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"

doc/unbound.8.in

-.TH "unbound" "8" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
+.TH "unbound" "8" "Oct  8, 2018" "NLnet Labs" "unbound 1.8.1"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.8.0.
+\- Unbound DNS validating resolver 1.8.1.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]

doc/unbound.conf.5.in

-.TH "unbound.conf" "5" "Sep 10, 2018" "NLnet Labs" "unbound 1.8.0"
+.TH "unbound.conf" "5" "Oct  8, 2018" "NLnet Labs" "unbound 1.8.1"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -498,7 +498,7 @@ a daemon.  Set the value to \fIno\fR when unbound runs as systemd service.
 Default is yes.
 .TP
 .B tcp\-connection\-limit: \fI<IP netblock> <limit>
-Allow up to \fIlimit\R simultaneous TCP connections from the given netblock.
+Allow up to \fIlimit\fR simultaneous TCP connections from the given netblock.
 When at the limit, further connections are accepted but closed immediately.
 This option is experimental at this time.
 .TP

iterator/iter_scrub.c

@@ -437,7 +437,9 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
 					rrset->rrset_all_next =
 						nx->rrset_all_next;
 					nx->rrset_all_next = rrset;
-					prev = nx;
+					/* prev = nx; unused, enable if there
+					 * is other rrset removal code after
+					 * this */
 				}
 			}
 

iterator/iterator.c

@@ -1125,7 +1125,7 @@ forward_request(struct module_qstate* qstate, struct iter_qstate* iq)
 	struct delegpt* dp;
 	uint8_t* delname = iq->qchase.qname;
 	size_t delnamelen = iq->qchase.qname_len;
-	if(iq->refetch_glue) {
+	if(iq->refetch_glue && iq->dp) {
 		delname = iq->dp->name;
 		delnamelen = iq->dp->namelen;
 	}
@@ -2174,7 +2174,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 		return 0;
 	}
 
-	if(iq->minimisation_state == INIT_MINIMISE_STATE) {
+	if(iq->minimisation_state == INIT_MINIMISE_STATE
+		&& !(iq->chase_flags & BIT_RD)) {
 		/* (Re)set qinfo_out to (new) delegation point, except when
 		 * qinfo_out is already a subdomain of dp. This happens when
 		 * increasing by more than one label at once (QNAMEs with more
@@ -2715,7 +2716,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 			sock_list_insert(&qstate->reply_origin, 
 				&qstate->reply->addr, qstate->reply->addrlen, 
 				qstate->region);
-		if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
+		if(iq->minimisation_state != DONOT_MINIMISE_STATE
+			&& !(iq->chase_flags & BIT_RD)) {
 			if(FLAGS_GET_RCODE(iq->response->rep->flags) != 
 				LDNS_RCODE_NOERROR) {
 				if(qstate->env->cfg->qname_minimisation_strict)
@@ -2752,6 +2754,12 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 						verbose(VERB_ALGO,
 						"could not validate NXDOMAIN "
 						"response");