Vendor import of Unbound 1.6.7.

cachedb/cachedb.c

@@ -347,6 +347,13 @@ prep_data(struct module_qstate* qstate, struct sldns_buffer* buf)
 
 	if(!qstate->return_msg || !qstate->return_msg->rep)
 		return 0;
+	/* We don't store the reply if its TTL is 0 unless serve-expired is
+	 * enabled.  Such a reply won't be reusable and simply be a waste for
+	 * the backend.  It's also compatible with the default behavior of
+	 * dns_cache_store_msg(). */
+	if(qstate->return_msg->rep->ttl == 0 &&
+		!qstate->env->cfg->serve_expired)
+		return 0;
 	if(verbosity >= VERB_ALGO)
 		log_dns_msg("cachedb encoding", &qstate->return_msg->qinfo,
 	                qstate->return_msg->rep);
@@ -387,32 +394,37 @@ good_expiry_and_qinfo(struct module_qstate* qstate, struct sldns_buffer* buf)
 		&expiry, sizeof(expiry));
 	expiry = be64toh(expiry);
 
-	if((time_t)expiry < *qstate->env->now)
+	if((time_t)expiry < *qstate->env->now &&
+		!qstate->env->cfg->serve_expired)
 		return 0;
 
 	return 1;
 }
 
+/* Adjust the TTL of the given RRset by 'subtract'.  If 'subtract' is
+ * negative, set the TTL to 0. */
 static void
 packed_rrset_ttl_subtract(struct packed_rrset_data* data, time_t subtract)
 {
         size_t i;
         size_t total = data->count + data->rrsig_count;
-	if(data->ttl > subtract)
+	if(subtract >= 0 && data->ttl > subtract)
 		data->ttl -= subtract;
 	else	data->ttl = 0;
         for(i=0; i<total; i++) {
-		if(data->rr_ttl[i] > subtract)
+		if(subtract >= 0 && data->rr_ttl[i] > subtract)
                 	data->rr_ttl[i] -= subtract;
                 else	data->rr_ttl[i] = 0;
 	}
 }
 
+/* Adjust the TTL of a DNS message and its RRs by 'adjust'.  If 'adjust' is
+ * negative, set the TTLs to 0. */
 static void
 adjust_msg_ttl(struct dns_msg* msg, time_t adjust)
 {
 	size_t i;
-	if(msg->rep->ttl > adjust)
+	if(adjust >= 0 && msg->rep->ttl > adjust)
 		msg->rep->ttl -= adjust;
 	else	msg->rep->ttl = 0;
 	msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
@@ -476,10 +488,26 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
 	adjust = *qstate->env->now - (time_t)timestamp;
 	if(qstate->return_msg->rep->ttl < adjust) {
 		verbose(VERB_ALGO, "cachedb msg expired");
-		return 0; /* message expired */
+		/* If serve-expired is enabled, we still use an expired message
+		 * setting the TTL to 0. */
+		if(qstate->env->cfg->serve_expired)
+			adjust = -1;
+		else
+			return 0; /* message expired */
 	}
 	verbose(VERB_ALGO, "cachedb msg adjusted down by %d", (int)adjust);
 	adjust_msg_ttl(qstate->return_msg, adjust);
+
+	/* Similar to the unbound worker, if serve-expired is enabled and
+	 * the msg would be considered to be expired, mark the state so a
+	 * refetch will be scheduled.  The comparison between 'expiry' and
+	 * 'now' should be redundant given how these values were calculated,
+	 * but we check it just in case as does good_expiry_and_qinfo(). */
+	if(qstate->env->cfg->serve_expired &&
+		(adjust == -1 || (time_t)expiry < *qstate->env->now)) {
+		qstate->need_refetch = 1;
+	}
+
 	return 1;
 }
 
@@ -563,11 +591,15 @@ cachedb_intcache_lookup(struct module_qstate* qstate)
 static void
 cachedb_intcache_store(struct module_qstate* qstate)
 {
+	uint32_t store_flags = qstate->query_flags;
+
+	if(qstate->env->cfg->serve_expired)
+		store_flags |= DNSCACHE_STORE_ZEROTTL;
 	if(!qstate->return_msg)
 		return;
 	(void)dns_cache_store(qstate->env, &qstate->qinfo,
 		qstate->return_msg->rep, 0, qstate->prefetch_leeway, 0,
-		qstate->region, qstate->query_flags);
+		qstate->region, store_flags);
 }
 
 /**

configure

 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.6.6.
+# Generated by GNU Autoconf 2.69 for unbound 1.6.7.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.6.6'
-PACKAGE_STRING='unbound 1.6.6'
+PACKAGE_VERSION='1.6.7'
+PACKAGE_STRING='unbound 1.6.7'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
 PACKAGE_URL=''
@@ -1437,7 +1437,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.6.6 to adapt to many kinds of systems.
+\`configure' configures unbound 1.6.7 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1502,7 +1502,7 @@ fi
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.6.6:";;
+     short | recursive ) echo "Configuration of unbound 1.6.7:";;
    esac
   cat <<\_ACEOF
@@ -1714,7 +1714,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.6.6
+unbound configure 1.6.7
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2423,7 +2423,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by unbound $as_me 1.6.6, which was
+It was created by unbound $as_me 1.6.7, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
   $ $0 $@
@@ -2775,11 +2775,11 @@ UNBOUND_VERSION_MAJOR=1
 UNBOUND_VERSION_MINOR=6
-UNBOUND_VERSION_MICRO=6
+UNBOUND_VERSION_MICRO=7
 LIBUNBOUND_CURRENT=7
-LIBUNBOUND_REVISION=5
+LIBUNBOUND_REVISION=6
 LIBUNBOUND_AGE=5
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2836,6 +2836,7 @@ LIBUNBOUND_AGE=5
 # 1.6.4 had 7:3:5
 # 1.6.5 had 7:4:5
 # 1.6.6 had 7:5:5
+# 1.6.7 had 7:6:5
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -2851,7 +2852,7 @@ LIBUNBOUND_AGE=5
 # Current and Age.  Set Revision to 0, since this is the first
 # implementation of the new API.
 #
-# Otherwise, we're changing the binary API and breaking bakward
+# Otherwise, we're changing the binary API and breaking backward
 # compatibility with old binaries.  Increment Current.  Set Age to 0,
 # since we're backward compatible with no previous APIs.  Set Revision
 # to 0 too.
@@ -20693,7 +20694,7 @@ _ACEOF
-version=1.6.6
+version=1.6.7
 date=`date +'%b %e, %Y'`
@@ -21212,7 +21213,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.6.6, which was
+This file was extended by unbound $as_me 1.6.7, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
   CONFIG_FILES    = $CONFIG_FILES
@@ -21278,7 +21279,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.6.6
+unbound config.status 1.6.7
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"

configure.ac

@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[6])
-m4_define([VERSION_MICRO],[6])
+m4_define([VERSION_MICRO],[7])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=7
-LIBUNBOUND_REVISION=5
+LIBUNBOUND_REVISION=6
 LIBUNBOUND_AGE=5
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -75,6 +75,7 @@ LIBUNBOUND_AGE=5
 # 1.6.4 had 7:3:5
 # 1.6.5 had 7:4:5
 # 1.6.6 had 7:5:5
+# 1.6.7 had 7:6:5
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -90,7 +91,7 @@ LIBUNBOUND_AGE=5
 # Current and Age.  Set Revision to 0, since this is the first
 # implementation of the new API.
 #
-# Otherwise, we're changing the binary API and breaking bakward
+# Otherwise, we're changing the binary API and breaking backward
 # compatibility with old binaries.  Increment Current.  Set Age to 0,
 # since we're backward compatible with no previous APIs.  Set Revision
 # to 0 too.

contrib/aaaa-filter-iterator.patch

 Index: trunk/doc/unbound.conf.5.in
 ===================================================================
---- trunk/doc/unbound.conf.5.in	(revision 3587)
+--- trunk/doc/unbound.conf.5.in	(revision 4357)
 +++ trunk/doc/unbound.conf.5.in	(working copy)
-@@ -593,6 +593,13 @@
- possible. Best effort approach, full QNAME and original QTYPE will be sent when
- upstream replies with a RCODE other than NOERROR. Default is off.
+@@ -701,6 +701,13 @@
+ this option in enabled. Only use if you know what you are doing.
+ This option only has effect when qname-minimisation is enabled. Default is off.
  .TP
 +.B aaaa\-filter: \fI<yes or no>
 +Activate behavior similar to BIND's AAAA-filter.
@@ -18,7 +18,7 @@ Index: trunk/doc/unbound.conf.5.in
  on your private network, and are not allowed to be returned for
 Index: trunk/iterator/iter_scrub.c
 ===================================================================
---- trunk/iterator/iter_scrub.c	(revision 3587)
+--- trunk/iterator/iter_scrub.c	(revision 4357)
 +++ trunk/iterator/iter_scrub.c	(working copy)
 @@ -617,6 +617,32 @@
  }
@@ -75,10 +75,11 @@ Index: trunk/iterator/iter_scrub.c
  	/* At this point, we brutally remove ALL rrsets that aren't 
  	 * children of the originating zone. The idea here is that, 
  	 * as far as we know, the server that we contacted is ONLY 
-@@ -681,6 +715,24 @@
+@@ -680,6 +714,24 @@
+ 	prev = NULL;
  	rrset = msg->rrset_first;
  	while(rrset) {
- 
++
 +		/* ASN: For AAAA records only... */
 +		if((ie->aaaa_filter) && (rrset->type == LDNS_RR_TYPE_AAAA)) {
 +			/* ASN: If this is not a AAAA query, then remove AAAA
@@ -96,13 +97,12 @@ Index: trunk/iterator/iter_scrub.c
 +				LDNS_RR_TYPE_AAAA, qinfo->qclass);
 +		}
 +		/* ASN: End of added code */
-+
+ 
  		/* remove private addresses */
  		if( (rrset->type == LDNS_RR_TYPE_A || 
- 			rrset->type == LDNS_RR_TYPE_AAAA)) {
 Index: trunk/iterator/iter_utils.c
 ===================================================================
---- trunk/iterator/iter_utils.c	(revision 3587)
+--- trunk/iterator/iter_utils.c	(revision 4357)
 +++ trunk/iterator/iter_utils.c	(working copy)
 @@ -175,6 +175,7 @@
  	}
@@ -114,9 +114,9 @@ Index: trunk/iterator/iter_utils.c
  
 Index: trunk/iterator/iterator.c
 ===================================================================
---- trunk/iterator/iterator.c	(revision 3587)
+--- trunk/iterator/iterator.c	(revision 4357)
 +++ trunk/iterator/iterator.c	(working copy)
-@@ -1776,6 +1776,53 @@
+@@ -1847,6 +1847,53 @@
  
  	return 0;
  }
@@ -170,7 +170,7 @@ Index: trunk/iterator/iterator.c
  	
  /** 
   * This is the request event state where the request will be sent to one of
-@@ -1823,6 +1870,13 @@
+@@ -1894,6 +1941,13 @@
  		return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
  	}
  	
@@ -184,7 +184,7 @@ Index: trunk/iterator/iterator.c
  	/* Make sure we have a delegation point, otherwise priming failed
  	 * or another failure occurred */
  	if(!iq->dp) {
-@@ -2922,6 +2976,61 @@
+@@ -3095,6 +3149,61 @@
  	return 0;
  }
  
@@ -244,9 +244,9 @@ Index: trunk/iterator/iterator.c
 +/* ASN: End of added code */
 +
  /*
-  * Return priming query results to interestes super querystates.
+  * Return priming query results to interested super querystates.
   * 
-@@ -2941,6 +3050,9 @@
+@@ -3114,6 +3223,9 @@
  	else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*)
  		super->minfo[id])->state == DSNS_FIND_STATE)
  		processDSNSResponse(qstate, id, super);
@@ -256,7 +256,7 @@ Index: trunk/iterator/iterator.c
  	else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
  		error_supers(qstate, id, super);
  	else if(qstate->is_priming)
-@@ -2978,6 +3090,9 @@
+@@ -3151,6 +3263,9 @@
  			case INIT_REQUEST_3_STATE:
  				cont = processInitRequest3(qstate, iq, id);
  				break;
@@ -266,7 +266,7 @@ Index: trunk/iterator/iterator.c
  			case QUERYTARGETS_STATE:
  				cont = processQueryTargets(qstate, iq, ie, id);
  				break;
-@@ -3270,6 +3385,8 @@
+@@ -3460,6 +3575,8 @@
  		return "INIT REQUEST STATE (stage 2)";
  	case INIT_REQUEST_3_STATE:
  		return "INIT REQUEST STATE (stage 3)";
@@ -275,7 +275,7 @@ Index: trunk/iterator/iterator.c
  	case QUERYTARGETS_STATE :
  		return "QUERY TARGETS STATE";
  	case PRIME_RESP_STATE :
-@@ -3294,6 +3411,7 @@
+@@ -3484,6 +3601,7 @@
  		case INIT_REQUEST_STATE :
  		case INIT_REQUEST_2_STATE :
  		case INIT_REQUEST_3_STATE :
@@ -285,19 +285,19 @@ Index: trunk/iterator/iterator.c
  			return 0;
 Index: trunk/iterator/iterator.h
 ===================================================================
---- trunk/iterator/iterator.h	(revision 3587)
+--- trunk/iterator/iterator.h	(revision 4357)
 +++ trunk/iterator/iterator.h	(working copy)
-@@ -113,6 +113,9 @@
+@@ -130,6 +130,9 @@
  	 */
  	int* target_fetch_policy;
  
 +	/** ASN: AAAA-filter flag */
 +	int aaaa_filter;
 +
- 	/** ip6.arpa dname in wireformat, used for qname-minimisation */
- 	uint8_t* ip6arpa_dname;
- };
-@@ -163,6 +166,14 @@
+ 	/** lock on ratelimit counter */
+ 	lock_basic_type queries_ratelimit_lock;
+ 	/** number of queries that have been ratelimited */
+@@ -182,6 +185,14 @@
  	INIT_REQUEST_3_STATE,
  
  	/**
@@ -311,26 +311,26 @@ Index: trunk/iterator/iterator.h
 +	/**
  	 * Each time a delegation point changes for a given query or a 
  	 * query times out and/or wakes up, this state is (re)visited. 
- 	 * This state is reponsible for iterating through a list of 
-@@ -346,6 +357,13 @@
+ 	 * This state is responsible for iterating through a list of 
+@@ -364,6 +375,13 @@
+ 	 * be used when creating the state. A higher one will be attempted.
  	 */
  	int refetch_glue;
- 
++
 +	/**
 +	 * ASN: This is a flag that, if true, means that this query is
 +	 * for fetching A records to populate cache and determine if we must
 +	 * return AAAA records or not.
 +	 */
 +	int fetch_a_for_aaaa;
-+
+ 
  	/** list of pending queries to authoritative servers. */
  	struct outbound_list outlist;
- 
 Index: trunk/pythonmod/interface.i
 ===================================================================
---- trunk/pythonmod/interface.i	(revision 3587)
+--- trunk/pythonmod/interface.i	(revision 4357)
 +++ trunk/pythonmod/interface.i	(working copy)
-@@ -632,6 +632,7 @@
+@@ -851,6 +851,7 @@
     int harden_dnssec_stripped;
     int harden_referral_path;
     int use_caps_bits_for_id;
@@ -340,9 +340,9 @@ Index: trunk/pythonmod/interface.i
     size_t unwanted_threshold;
 Index: trunk/util/config_file.c
 ===================================================================
---- trunk/util/config_file.c	(revision 3587)
+--- trunk/util/config_file.c	(revision 4357)
 +++ trunk/util/config_file.c	(working copy)
-@@ -176,6 +176,7 @@
+@@ -195,6 +195,7 @@
  	cfg->harden_referral_path = 0;
  	cfg->harden_algo_downgrade = 0;
  	cfg->use_caps_bits_for_id = 0;
@@ -352,9 +352,9 @@ Index: trunk/util/config_file.c
  	cfg->private_domain = NULL;
 Index: trunk/util/config_file.h
 ===================================================================
---- trunk/util/config_file.h	(revision 3587)
+--- trunk/util/config_file.h	(revision 4357)
 +++ trunk/util/config_file.h	(working copy)
-@@ -179,6 +179,8 @@
+@@ -209,6 +209,8 @@
  	int harden_algo_downgrade;
  	/** use 0x20 bits in query as random ID bits */
  	int use_caps_bits_for_id;
@@ -365,9 +365,9 @@ Index: trunk/util/config_file.h
  	/** strip away these private addrs from answers, no DNS Rebinding */
 Index: trunk/util/configlexer.lex
 ===================================================================
---- trunk/util/configlexer.lex	(revision 3587)
+--- trunk/util/configlexer.lex	(revision 4357)
 +++ trunk/util/configlexer.lex	(working copy)
-@@ -267,6 +267,7 @@
+@@ -279,6 +279,7 @@
  use-caps-for-id{COLON}		{ YDVAR(1, VAR_USE_CAPS_FOR_ID) }
  caps-whitelist{COLON}		{ YDVAR(1, VAR_CAPS_WHITELIST) }
  unwanted-reply-threshold{COLON}	{ YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
@@ -377,9 +377,9 @@ Index: trunk/util/configlexer.lex
  prefetch-key{COLON}		{ YDVAR(1, VAR_PREFETCH_KEY) }
 Index: trunk/util/configparser.y
 ===================================================================
---- trunk/util/configparser.y	(revision 3587)
+--- trunk/util/configparser.y	(revision 4357)
 +++ trunk/util/configparser.y	(working copy)
-@@ -92,6 +92,7 @@
+@@ -95,6 +95,7 @@
  %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT 
  %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
  %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
@@ -387,7 +387,7 @@ Index: trunk/util/configparser.y
  %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
  %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
  %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
-@@ -169,6 +170,7 @@
+@@ -203,6 +204,7 @@
  	server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
  	server_harden_referral_path | server_private_address |
  	server_private_domain | server_extended_statistics | 
@@ -395,10 +395,12 @@ Index: trunk/util/configparser.y
  	server_local_data_ptr | server_jostle_timeout | 
  	server_unwanted_reply_threshold | server_log_time_ascii | 
  	server_domain_insecure | server_val_sig_skew_min | 
-@@ -893,6 +895,15 @@
+@@ -1183,6 +1185,15 @@
+ 		OUTYY(("P(server_caps_whitelist:%s)\n", $2));
+ 		if(!cfg_strlist_insert(&cfg_parser->cfg->caps_whitelist, $2))
  			yyerror("out of memory");
- 	}
- 	;
++	}
++	;
 +server_aaaa_filter: VAR_AAAA_FILTER STRING_ARG
 +	{
 +		OUTYY(("P(server_aaaa_filter:%s)\n", $2));
@@ -406,8 +408,6 @@ Index: trunk/util/configparser.y
 +			yyerror("expected yes or no.");
 +		else cfg_parser->cfg->aaaa_filter = (strcmp($2, "yes")==0);
 +		free($2);
-+	}
-+	;
+ 	}
+ 	;
  server_private_address: VAR_PRIVATE_ADDRESS STRING_ARG
- 	{
- 		OUTYY(("P(server_private_address:%s)\n", $2));

contrib/parseunbound.pl

@@ -91,7 +91,7 @@ while ( scalar keys %startstats < $numthreads || scalar keys %donestats < $numth
             $allstats{$inthread}->{outstandingexc} = $4;
         }
         elsif ( $line =~ m/info: average recursion processing time ([0-9\.]+) sec/ ) {
-            $allstats{$inthread}->{recursionavg} = int($1 * 1000); # change sec to milisec.
+            $allstats{$inthread}->{recursionavg} = int($1 * 1000); # change sec to millisec.
         }
         elsif ( $line =~ m/info: histogram of recursion processing times/ ) {
             next;
@@ -103,7 +103,7 @@ while ( scalar keys %startstats < $numthreads || scalar keys %donestats < $numth
         }
         elsif ( $line =~ m/info: lower\(secs\) upper\(secs\) recursions/ ) {
             # since after this line we're unsure if we get these numbers
-            # at all, we sould consider this marker as the end of the
+            # at all, we should consider this marker as the end of the
             # block. Chances that we're parsing a file halfway written
             # at this stage are small. Bold statement.
             $donestats{$inthread} = 1;

daemon/remote.c

@@ -827,6 +827,7 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
 #endif /* USE_IPSECMOD */
 #ifdef USE_DNSCRYPT
 	size_t dnscrypt_shared_secret = 0;
+	size_t dnscrypt_nonce = 0;
 #endif /* USE_DNSCRYPT */
 	msg = slabhash_get_mem(daemon->env->msg_cache);
 	rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
@@ -843,6 +844,7 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
 	if(daemon->dnscenv) {
 		dnscrypt_shared_secret = slabhash_get_mem(
 			daemon->dnscenv->shared_secrets_cache);
+		dnscrypt_nonce = slabhash_get_mem(daemon->dnscenv->nonces_cache);
 	}
 #endif /* USE_DNSCRYPT */
 
@@ -868,6 +870,9 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
 	if(!print_longnum(ssl, "mem.cache.dnscrypt_shared_secret"SQ,
 			dnscrypt_shared_secret))
 		return 0;
+	if(!print_longnum(ssl, "mem.cache.dnscrypt_nonce"SQ,
+			dnscrypt_nonce))
+		return 0;
 #endif /* USE_DNSCRYPT */
 	return 1;
 }
@@ -1058,8 +1063,12 @@ print_ext(SSL* ssl, struct ub_stats_info* s)
 #ifdef USE_DNSCRYPT
 	if(!ssl_printf(ssl, "dnscrypt_shared_secret.cache.count"SQ"%u\n",
 		(unsigned)s->svr.shared_secret_cache_count)) return 0;
+	if(!ssl_printf(ssl, "dnscrypt_nonce.cache.count"SQ"%u\n",
+		(unsigned)s->svr.nonce_cache_count)) return 0;
 	if(!ssl_printf(ssl, "num.query.dnscrypt.shared_secret.cachemiss"SQ"%lu\n",
 		(unsigned long)s->svr.num_query_dnscrypt_secret_missed_cache)) return 0;
+	if(!ssl_printf(ssl, "num.query.dnscrypt.replay"SQ"%lu\n",
+		(unsigned long)s->svr.num_query_dnscrypt_replay)) return 0;
 #endif /* USE_DNSCRYPT */
 	return 1;
 }
@@ -1771,7 +1780,7 @@ negative_del_rrset(struct lruhash_entry* e, void* arg)
 	struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key;
 	struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
 	/* delete the parentside negative cache rrsets,
-	 * these are namerserver rrsets that failed lookup, rdata empty */
+	 * these are nameserver rrsets that failed lookup, rdata empty */
 	if((k->rk.flags & PACKED_RRSET_PARENT_SIDE) && d->count == 1 &&
 		d->rrsig_count == 0 && d->rr_len[0] == 0) {
 		d->ttl = inf->expired;

daemon/stats.c

@@ -174,6 +174,21 @@ get_dnscrypt_cache_miss(struct worker* worker, int reset)
 	lock_basic_unlock(&de->shared_secrets_cache_lock);
 	return r;
 }
+
+/** get the number of replayed queries */
+static size_t
+get_dnscrypt_replay(struct worker* worker, int reset)
+{
+	size_t r;
+	struct dnsc_env* de = worker->daemon->dnscenv;
+
+	lock_basic_lock(&de->nonces_cache_lock);
+	r = de->num_query_dnscrypt_replay;
+	if(reset && !worker->env.cfg->stat_cumulative)
+		de->num_query_dnscrypt_replay = 0;
+	lock_basic_unlock(&de->nonces_cache_lock);
+	return r;
+}
 #endif /* USE_DNSCRYPT */
 
 void
@@ -225,13 +240,21 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 			(long long)get_dnscrypt_cache_miss(worker, reset);
 		s->svr.shared_secret_cache_count = (long long)count_slabhash_entries(
 			worker->daemon->dnscenv->shared_secrets_cache);
+		s->svr.nonce_cache_count = (long long)count_slabhash_entries(
+			worker->daemon->dnscenv->nonces_cache);
+		s->svr.num_query_dnscrypt_replay =
+			(long long)get_dnscrypt_replay(worker, reset);
 	} else {
 		s->svr.num_query_dnscrypt_secret_missed_cache = 0;
 		s->svr.shared_secret_cache_count = 0;
+		s->svr.nonce_cache_count = 0;
+		s->svr.num_query_dnscrypt_replay = 0;
 	}
 #else
 	s->svr.num_query_dnscrypt_secret_missed_cache = 0;
 	s->svr.shared_secret_cache_count = 0;
+	s->svr.nonce_cache_count = 0;
+	s->svr.num_query_dnscrypt_replay = 0;
 #endif /* USE_DNSCRYPT */
 
 	/* get tcp accept usage */

daemon/unbound.c

@@ -400,7 +400,7 @@ detach(void)
 #endif /* HAVE_DAEMON */
 }
 
-/** daemonize, drop user priviliges and chroot if needed */
+/** daemonize, drop user privileges and chroot if needed */
 static void
 perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 	const char** cfgfile, int need_pidfile)

daemon/worker.c

@@ -1633,7 +1633,8 @@ worker_init(struct worker* worker, struct config_file *cfg,
 		cfg->use_caps_bits_for_id, worker->ports, worker->numports,
 		cfg->unwanted_threshold, cfg->outgoing_tcp_mss,
 		&worker_alloc_cleanup, worker,
-		cfg->do_udp, worker->daemon->connect_sslctx, cfg->delay_close,
+		cfg->do_udp || cfg->udp_upstream_without_downstream,
+		worker->daemon->connect_sslctx, cfg->delay_close,
 		dtenv);
 	if(!worker->back) {
 		log_err("could not create outgoing sockets");

dns64/dns64.c

@@ -792,6 +792,10 @@ dns64_inform_super(struct module_qstate* qstate, int id,
 					qstate->return_msg->rep))
 		return;
 
+	/* Use return code from A query in response to client. */
+	if (super->return_rcode != LDNS_RCODE_NOERROR)
+		super->return_rcode = qstate->return_rcode;
+
 	/* Generate a response suitable for the original query. */
 	if (qstate->qinfo.qtype == LDNS_RR_TYPE_A) {
 		dns64_adjust_a(id, super, qstate