Vendor import of Unbound 1.9.0.

9c9d011e · Dag-Erling Smørgrav · 089d83fb · 9c9d011e · 9c9d011e · 9c9d011e
Commit 9c9d011e authored Feb 06, 2019 by Dag-Erling Smørgrav
--- a/.gitignore
+++ b/.gitignore
@@ -36,4 +36,7 @@
 /streamtcp
 /testbound
 /unittest
+/contrib/libunbound.pc
+/contrib/unbound.service
+/contrib/unbound.socket

--- a/Makefile.in
+++ b/Makefile.in
--- a/aclocal.m4
+++ b/aclocal.m4
-# generated automatically by aclocal 1.15.1 -*- Autoconf -*-
+# generated automatically by aclocal 1.16.1 -*- Autoconf -*-

-# Copyright (C) 1996-2017 Free Software Foundation, Inc.
+# Copyright (C) 1996-2018 Free Software Foundation, Inc.

 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -9390,7 +9390,7 @@ AS_IF([test "$AS_TR_SH([with_]m4_tolower([$1]))" = "yes"],

 # AM_CONDITIONAL                                            -*- Autoconf -*-

-# Copyright (C) 1997-2017 Free Software Foundation, Inc.
+# Copyright (C) 1997-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -9421,7 +9421,7 @@ AC_CONFIG_COMMANDS_PRE(
 Usually this means the macro was only invoked conditionally.]])
 fi])])

-# Copyright (C) 2006-2017 Free Software Foundation, Inc.
+# Copyright (C) 2006-2018 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,

--- a/compat/arc4random.c
+++ b/compat/arc4random.c
@@ -140,6 +140,7 @@ fallback_getentropy_urandom(void *buf, size_t len)
 static inline void
 _rs_init(u_char *buf, size_t n)
 {
+	assert(buf);
 	if (n < KEYSZ + IVSZ)
 		return;


--- a/config.guess
+++ b/config.guess
-#! /bin/sh
+#!/usr/bin/sh
 # Attempt to guess a canonical system name.
 #   Copyright 1992-2016 Free Software Foundation, Inc.


--- a/config.h.in
+++ b/config.h.in
@@ -178,6 +178,9 @@
 /* Define to 1 if you have the <event.h> header file. */
 #undef HAVE_EVENT_H

+/* Define to 1 if you have the `EVP_aes_256_cbc' function. */
+#undef HAVE_EVP_AES_256_CBC
+
 /* Define to 1 if you have the `EVP_cleanup' function. */
 #undef HAVE_EVP_CLEANUP

@@ -187,6 +190,9 @@
 /* Define to 1 if you have the `EVP_dss1' function. */
 #undef HAVE_EVP_DSS1

+/* Define to 1 if you have the `EVP_EncryptInit_ex' function. */
+#undef HAVE_EVP_ENCRYPTINIT_EX
+
 /* Define to 1 if you have the `EVP_MD_CTX_new' function. */
 #undef HAVE_EVP_MD_CTX_NEW

@@ -259,6 +265,9 @@
 /* Define to 1 if you have the <hiredis/hiredis.h> header file. */
 #undef HAVE_HIREDIS_HIREDIS_H

+/* Define to 1 if you have the `HMAC_Init_ex' function. */
+#undef HAVE_HMAC_INIT_EX
+
 /* If you have HMAC_Update */
 #undef HAVE_HMAC_UPDATE

@@ -451,9 +460,15 @@
 /* Define if you have the SSL libraries installed. */
 #undef HAVE_SSL

+/* Define to 1 if you have the `SSL_CTX_set_ciphersuites' function. */
+#undef HAVE_SSL_CTX_SET_CIPHERSUITES
+
 /* Define to 1 if you have the `SSL_CTX_set_security_level' function. */
 #undef HAVE_SSL_CTX_SET_SECURITY_LEVEL

+/* Define to 1 if you have the `SSL_CTX_set_tlsext_ticket_key_cb' function. */
+#undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_CB
+
 /* Define to 1 if you have the `SSL_get0_peername' function. */
 #undef HAVE_SSL_GET0_PEERNAME

@@ -586,6 +601,9 @@
 /* Define to 1 if you have the <ws2tcpip.h> header file. */
 #undef HAVE_WS2TCPIP_H

+/* Define to 1 if you have the `X509_VERIFY_PARAM_set1_host' function. */
+#undef HAVE_X509_VERIFY_PARAM_SET1_HOST
+
 /* Define to 1 if you have the `_beginthreadex' function. */
 #undef HAVE__BEGINTHREADEX


--- a/config.sub
+++ b/config.sub
-#! /bin/sh
+#!/usr/bin/sh
 # Configuration validation subroutine script.
 #   Copyright 1992-2016 Free Software Foundation, Inc.


--- a/configure
+++ b/configure
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.8.1.
+# Generated by GNU Autoconf 2.69 for unbound 1.9.0.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.8.1'
-PACKAGE_STRING='unbound 1.8.1'
+PACKAGE_VERSION='1.9.0'
+PACKAGE_STRING='unbound 1.9.0'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
 PACKAGE_URL=''
  
@@ -1440,7 +1440,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures unbound 1.8.1 to adapt to many kinds of systems.
+\`configure' configures unbound 1.9.0 to adapt to many kinds of systems.
  
 Usage: $0 [OPTION]... [VAR=VALUE]...
  
@@ -1505,7 +1505,7 @@ fi
  
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.8.1:";;
+     short | recursive ) echo "Configuration of unbound 1.9.0:";;
   esac
  cat <<\_ACEOF
  
@@ -1722,7 +1722,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-unbound configure 1.8.1
+unbound configure 1.9.0
 generated by GNU Autoconf 2.69
  
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2431,7 +2431,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
  
-It was created by unbound $as_me 1.8.1, which was
+It was created by unbound $as_me 1.9.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  
  $ $0 $@
@@ -2781,14 +2781,14 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
  
 UNBOUND_VERSION_MAJOR=1
  
-UNBOUND_VERSION_MINOR=8
+UNBOUND_VERSION_MINOR=9
  
-UNBOUND_VERSION_MICRO=1
+UNBOUND_VERSION_MICRO=0
  
  
-LIBUNBOUND_CURRENT=8
-LIBUNBOUND_REVISION=1
-LIBUNBOUND_AGE=0
+LIBUNBOUND_CURRENT=9
+LIBUNBOUND_REVISION=0
+LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
 # 1.0.2 had 0:14:0
@@ -2852,6 +2852,9 @@ LIBUNBOUND_AGE=0
 # 1.7.3 had 7:11:5
 # 1.8.0 had 8:0:0 # changes the event callback function signature
 # 1.8.1 had 8:1:0
+# 1.8.2 had 8:2:0
+# 1.8.3 had 8:3:0
+# 1.8.4 had 9:0:1 # add ub_ctx_set_tls
  
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -17990,7 +17993,7 @@ fi
  
 done
  
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex
 do :
  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -18006,7 +18009,7 @@ done
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername
+for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites
 do :
  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -21145,7 +21148,7 @@ _ACEOF
  
  
  
-version=1.8.1
+version=1.9.0
  
 date=`date +'%b %e, %Y'`
  
@@ -21664,7 +21667,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.8.1, which was
+This file was extended by unbound $as_me 1.9.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  
  CONFIG_FILES    = $CONFIG_FILES
@@ -21730,7 +21733,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.8.1
+unbound config.status 1.9.0
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
  

--- a/configure.ac
+++ b/configure.ac
@@ -10,16 +10,16 @@ sinclude(dnscrypt/dnscrypt.m4)

 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[8])
-m4_define([VERSION_MICRO],[1])
+m4_define([VERSION_MINOR],[9])
+m4_define([VERSION_MICRO],[0])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])

-LIBUNBOUND_CURRENT=8
-LIBUNBOUND_REVISION=1
-LIBUNBOUND_AGE=0
+LIBUNBOUND_CURRENT=9
+LIBUNBOUND_REVISION=0
+LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
 # 1.0.2 had 0:14:0
@@ -83,6 +83,9 @@ LIBUNBOUND_AGE=0
 # 1.7.3 had 7:11:5
 # 1.8.0 had 8:0:0 # changes the event callback function signature
 # 1.8.1 had 8:1:0
+# 1.8.2 had 8:2:0
+# 1.8.3 had 8:3:0
+# 1.8.4 had 9:0:1 # add ub_ctx_set_tls

 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -778,12 +781,12 @@ else
 	AC_MSG_RESULT([no])
 fi
 AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_tlsext_ticket_key_cb EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex])

 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername])
+AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites])
 LIBS="$BAKLIBS"

 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [

--- a/contrib/README
+++ b/contrib/README
@@ -38,3 +38,5 @@ distribution but may be helpful.
 * unbound-querycachedb.py: utility to show data stored in cachedb backend
  for a particular query name and type.  It requires dnspython and (for
  redis backend) redis Python modules.
+* unbound-fuzzme.patch: adds unbound-fuzzme program that parses a packet from
+  stdin.  Used with fuzzers, patch from Jacob Hoffman-Andrews.
--- a/contrib/fastrpz.patch
+++ b/contrib/fastrpz.patch
@@ -3,7 +3,7 @@ Author: fastrpz@farsightsecurity.com
 ---
 Index: unboundfastrpz/Makefile.in
 ===================================================================
--- unboundfastrpz/Makefile.in	(revision 4923)
+--- unboundfastrpz/Makefile.in	(revision 5073)
 +++ unboundfastrpz/Makefile.in	(working copy)
 @@ -23,6 +23,8 @@
 CHECKLOCK_OBJ=@CHECKLOCK_OBJ@
@@ -46,9 +46,9 @@ Index: unboundfastrpz/Makefile.in
 	pythonmod/interface.h \
 Index: unboundfastrpz/config.h.in
 ===================================================================
--- unboundfastrpz/config.h.in	(revision 4923)
+--- unboundfastrpz/config.h.in	(revision 5073)
 +++ unboundfastrpz/config.h.in	(working copy)
-@@ -1272,4 +1272,11 @@
+@@ -1293,4 +1293,11 @@
 /** the version of unbound-control that this software implements */
 #define UNBOUND_CONTROL_VERSION 1
 
@@ -63,7 +63,7 @@ Index: unboundfastrpz/config.h.in
 +#undef ENABLE_FASTRPZ
 Index: unboundfastrpz/configure.ac
 ===================================================================
--- unboundfastrpz/configure.ac	(revision 4923)
+--- unboundfastrpz/configure.ac	(revision 5073)
 +++ unboundfastrpz/configure.ac	(working copy)
 @@ -6,6 +6,7 @@
 sinclude(acx_python.m4)
@@ -73,7 +73,7 @@ Index: unboundfastrpz/configure.ac
 sinclude(dnscrypt/dnscrypt.m4)
 
 # must be numbers. ac_defun because of later processing
-@@ -1565,6 +1566,9 @@
+@@ -1575,6 +1576,9 @@
 		;;
 esac
 
@@ -85,7 +85,7 @@ Index: unboundfastrpz/configure.ac
 # on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
 Index: unboundfastrpz/daemon/daemon.c
 ===================================================================
--- unboundfastrpz/daemon/daemon.c	(revision 4923)
+--- unboundfastrpz/daemon/daemon.c	(revision 5073)
 +++ unboundfastrpz/daemon/daemon.c	(working copy)
 @@ -91,6 +91,9 @@
 #include "sldns/keyraw.h"
@@ -124,7 +124,7 @@ Index: unboundfastrpz/daemon/daemon.c
 
 Index: unboundfastrpz/daemon/daemon.h
 ===================================================================
--- unboundfastrpz/daemon/daemon.h	(revision 4923)
+--- unboundfastrpz/daemon/daemon.h	(revision 5073)
 +++ unboundfastrpz/daemon/daemon.h	(working copy)
 @@ -136,6 +136,11 @@
 	/** the dnscrypt environment */
@@ -140,7 +140,7 @@ Index: unboundfastrpz/daemon/daemon.h
 /**
 Index: unboundfastrpz/daemon/worker.c
 ===================================================================
--- unboundfastrpz/daemon/worker.c	(revision 4923)
+--- unboundfastrpz/daemon/worker.c	(revision 5073)
 +++ unboundfastrpz/daemon/worker.c	(working copy)
 @@ -75,6 +75,9 @@
 #include "libunbound/context.h"
@@ -268,9 +268,9 @@ Index: unboundfastrpz/daemon/worker.c
 			verbose(VERB_ALGO, "answer norec from cache -- "
 Index: unboundfastrpz/doc/unbound.conf.5.in
 ===================================================================
--- unboundfastrpz/doc/unbound.conf.5.in	(revision 4923)
+--- unboundfastrpz/doc/unbound.conf.5.in	(revision 5073)
 +++ unboundfastrpz/doc/unbound.conf.5.in	(working copy)
-@@ -1728,6 +1728,81 @@
+@@ -1781,6 +1781,81 @@
 used by dns64 processing instead.  Can be entered multiple times, list a
 new domain for which it applies, one per line.  Applies also to names
 underneath the name given.
@@ -2885,7 +2885,7 @@ Index: unboundfastrpz/fastrpz/rpz.m4
 +])
 Index: unboundfastrpz/iterator/iterator.c
 ===================================================================
--- unboundfastrpz/iterator/iterator.c	(revision 4923)
+--- unboundfastrpz/iterator/iterator.c	(revision 5073)
 +++ unboundfastrpz/iterator/iterator.c	(working copy)
 @@ -68,6 +68,9 @@
 #include "sldns/str2wire.h"
@@ -2895,9 +2895,9 @@ Index: unboundfastrpz/iterator/iterator.c
 +#include "fastrpz/rpz.h"
 +#endif
 
- int 
- iter_init(struct module_env* env, int id)
-@@ -525,6 +528,23 @@
+ /* in msec */
+ int UNKNOWN_SERVER_NICENESS = 376;
+@@ -551,6 +554,23 @@
 		if(ntohs(r->rk.type) == LDNS_RR_TYPE_CNAME &&
 			query_dname_compare(*mname, r->rk.dname) == 0 &&
 			!iter_find_rrset_in_prepend_answer(iq, r)) {
@@ -2921,7 +2921,7 @@ Index: unboundfastrpz/iterator/iterator.c
 			/* Add this relevant CNAME rrset to the prepend list.*/
 			if(!iter_add_prepend_answer(qstate, iq, r))
 				return 0;
-@@ -533,6 +553,9 @@
+@@ -559,6 +579,9 @@
 
 		/* Other rrsets in the section are ignored. */
 	}
@@ -2931,7 +2931,7 @@ Index: unboundfastrpz/iterator/iterator.c
 	/* add authority rrsets to authority prepend, for wildcarded CNAMEs */
 	for(i=msg->rep->an_numrrsets; i<msg->rep->an_numrrsets +
 		msg->rep->ns_numrrsets; i++) {
-@@ -1216,6 +1239,7 @@
+@@ -1195,6 +1218,7 @@
 	uint8_t* delname;
 	size_t delnamelen;
 	struct dns_msg* msg = NULL;
@@ -2939,7 +2939,7 @@ Index: unboundfastrpz/iterator/iterator.c
 
 	log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo);
 	/* check effort */
-@@ -1302,8 +1326,7 @@
+@@ -1281,8 +1305,7 @@
 	}
 	if(msg) {
 		/* handle positive cache response */
@@ -2949,7 +2949,7 @@ Index: unboundfastrpz/iterator/iterator.c
 		if(verbosity >= VERB_ALGO) {
 			log_dns_msg("msg from cache lookup", &msg->qinfo, 
 				msg->rep);
-@@ -1311,7 +1334,22 @@
+@@ -1290,7 +1313,22 @@
 				(int)msg->rep->ttl, 
 				(int)msg->rep->prefetch_ttl);
 		}
@@ -2972,7 +2972,7 @@ Index: unboundfastrpz/iterator/iterator.c
 		if(type == RESPONSE_TYPE_CNAME) {
 			uint8_t* sname = 0;
 			size_t slen = 0;
-@@ -2716,6 +2754,62 @@
+@@ -2694,6 +2732,62 @@
 			sock_list_insert(&qstate->reply_origin, 
 				&qstate->reply->addr, qstate->reply->addrlen, 
 				qstate->region);
@@ -3035,7 +3035,7 @@ Index: unboundfastrpz/iterator/iterator.c
 		if(iq->minimisation_state != DONOT_MINIMISE_STATE
 			&& !(iq->chase_flags & BIT_RD)) {
 			if(FLAGS_GET_RCODE(iq->response->rep->flags) != 
-@@ -3462,6 +3556,10 @@
+@@ -3440,6 +3534,10 @@
 		 * but only if we did recursion. The nonrecursion referral
 		 * from cache does not need to be stored in the msg cache. */
 		if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) {
@@ -3046,7 +3046,7 @@ Index: unboundfastrpz/iterator/iterator.c
 			iter_dns_store(qstate->env, &qstate->qinfo, 
 				iq->response->rep, 0, qstate->prefetch_leeway,
 				iq->dp&&iq->dp->has_parent_side_NS,
-@@ -3468,6 +3566,34 @@
+@@ -3446,6 +3544,34 @@
 				qstate->region, qstate->query_flags);
 		}
 	}
@@ -3083,7 +3083,7 @@ Index: unboundfastrpz/iterator/iterator.c
 	return 0;
 Index: unboundfastrpz/iterator/iterator.h
 ===================================================================
--- unboundfastrpz/iterator/iterator.h	(revision 4923)
+--- unboundfastrpz/iterator/iterator.h	(revision 5073)
 +++ unboundfastrpz/iterator/iterator.h	(working copy)
 @@ -386,6 +386,16 @@
 	 */
@@ -3104,9 +3104,9 @@ Index: unboundfastrpz/iterator/iterator.h
 	 * the QNAME minimisation QTYPE is blocked. */
 Index: unboundfastrpz/services/cache/dns.c
 ===================================================================
--- unboundfastrpz/services/cache/dns.c	(revision 4923)
+--- unboundfastrpz/services/cache/dns.c	(revision 5073)
 +++ unboundfastrpz/services/cache/dns.c	(working copy)
-@@ -928,6 +928,14 @@
+@@ -939,6 +939,14 @@
 	struct regional* region, uint32_t flags)
 {
 	struct reply_info* rep = NULL;
@@ -3123,7 +3123,7 @@ Index: unboundfastrpz/services/cache/dns.c
 	if(!rep)
 Index: unboundfastrpz/services/mesh.c
 ===================================================================
--- unboundfastrpz/services/mesh.c	(revision 4923)
+--- unboundfastrpz/services/mesh.c	(revision 5073)
 +++ unboundfastrpz/services/mesh.c	(working copy)
 @@ -60,6 +60,9 @@
 #include "sldns/wire2str.h"
@@ -3133,9 +3133,9 @@ Index: unboundfastrpz/services/mesh.c
 +#include "fastrpz/rpz.h"
 +#endif
 #include "respip/respip.h"
+ #include "services/listen_dnsport.h"
 
- /** subtract timers and the values do not overflow or become negative */
-@@ -1057,6 +1060,13 @@
+@@ -1072,6 +1075,13 @@
 	else	secure = 0;
 	if(!rep && rcode == LDNS_RCODE_NOERROR)
 		rcode = LDNS_RCODE_SERVFAIL;
@@ -3149,7 +3149,7 @@ Index: unboundfastrpz/services/mesh.c
 	/* send the reply */
 	/* We don't reuse the encoded answer if either the previous or current
 	 * response has a local alias.  We could compare the alias records
-@@ -1230,6 +1240,7 @@
+@@ -1247,6 +1257,7 @@
 	key.s.is_valrec = valrec;
 	key.s.qinfo = *qinfo;
 	key.s.query_flags = qflags;
@@ -3157,7 +3157,7 @@ Index: unboundfastrpz/services/mesh.c
 	/* We are searching for a similar mesh state when we DO want to
 	 * aggregate the state. Thus unique is set to NULL. (default when we
 	 * desire aggregation).*/
-@@ -1276,6 +1287,10 @@
+@@ -1293,6 +1304,10 @@
 	if(!r)
 		return 0;
 	r->query_reply = *rep;
@@ -3170,9 +3170,9 @@ Index: unboundfastrpz/services/mesh.c
 		r->edns.opt_list = edns_opt_copy_region(edns->opt_list,
 Index: unboundfastrpz/util/config_file.c
 ===================================================================
--- unboundfastrpz/util/config_file.c	(revision 4923)
+--- unboundfastrpz/util/config_file.c	(revision 5073)
 +++ unboundfastrpz/util/config_file.c	(working copy)
-@@ -1386,6 +1386,8 @@
+@@ -1418,6 +1418,8 @@
 	free(cfg->dnstap_socket_path);
 	free(cfg->dnstap_identity);
 	free(cfg->dnstap_version);
@@ -3183,9 +3183,9 @@ Index: unboundfastrpz/util/config_file.c
 #ifdef USE_IPSECMOD
 Index: unboundfastrpz/util/config_file.h
 ===================================================================
--- unboundfastrpz/util/config_file.h	(revision 4923)
+--- unboundfastrpz/util/config_file.h	(revision 5073)
 +++ unboundfastrpz/util/config_file.h	(working copy)
-@@ -468,6 +468,11 @@
+@@ -490,6 +490,11 @@
 	/** true to disable DNSSEC lameness check in iterator */
 	int disable_dnssec_lame_check;
 
@@ -3199,9 +3199,9 @@ Index: unboundfastrpz/util/config_file.h
 	/** number of slabs for ip_ratelimit cache */
 Index: unboundfastrpz/util/configlexer.lex
 ===================================================================
--- unboundfastrpz/util/configlexer.lex	(revision 4923)
+--- unboundfastrpz/util/configlexer.lex	(revision 5073)
 +++ unboundfastrpz/util/configlexer.lex	(working copy)
-@@ -429,6 +429,10 @@
+@@ -439,6 +439,10 @@
 		YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) }
 dnstap-log-forwarder-response-messages{COLON}	{
 		YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
@@ -3214,7 +3214,7 @@ Index: unboundfastrpz/util/configlexer.lex
 ratelimit{COLON}		{ YDVAR(1, VAR_RATELIMIT) }
 Index: unboundfastrpz/util/configparser.y
 ===================================================================
--- unboundfastrpz/util/configparser.y	(revision 4923)
+--- unboundfastrpz/util/configparser.y	(revision 5073)
 +++ unboundfastrpz/util/configparser.y	(working copy)
 @@ -125,6 +125,7 @@
 %token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES
@@ -3224,7 +3224,7 @@ Index: unboundfastrpz/util/configparser.y
 %token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA
 %token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
 %token VAR_DISABLE_DNSSEC_LAME_CHECK
-@@ -164,7 +165,7 @@
+@@ -170,7 +171,7 @@
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -3233,8 +3233,8 @@ Index: unboundfastrpz/util/configparser.y
 	forwardstart contents_forward | pythonstart contents_py | 
 	rcstart contents_rc | dtstart contents_dt | viewstart contents_view |
 	dnscstart contents_dnsc | cachedbstart contents_cachedb |
-@@ -2546,6 +2547,50 @@
- 			(strcmp($2, "yes")==0);
+@@ -2708,6 +2709,50 @@
+ 		free($2);
 	}
 	;
 +rpzstart: VAR_RPZ
@@ -3286,9 +3286,9 @@ Index: unboundfastrpz/util/configparser.y
 		OUTYY(("\nP(python:)\n")); 
 Index: unboundfastrpz/util/data/msgencode.c
 ===================================================================
--- unboundfastrpz/util/data/msgencode.c	(revision 4923)
+--- unboundfastrpz/util/data/msgencode.c	(revision 5073)
 +++ unboundfastrpz/util/data/msgencode.c	(working copy)
-@@ -585,6 +585,35 @@
+@@ -590,6 +590,35 @@
 	return RETVAL_OK;
 }
 
@@ -3324,7 +3324,7 @@ Index: unboundfastrpz/util/data/msgencode.c
 /** store query section in wireformat buffer, return RETVAL */
 static int
 insert_query(struct query_info* qinfo, struct compress_tree_node** tree, 
-@@ -748,6 +777,19 @@
+@@ -753,6 +782,19 @@
 			return 0;
 		}
 		sldns_buffer_write_u16_at(buffer, 10, arcount);
@@ -3346,7 +3346,7 @@ Index: unboundfastrpz/util/data/msgencode.c
 	return 1;
 Index: unboundfastrpz/util/data/packed_rrset.c
 ===================================================================
--- unboundfastrpz/util/data/packed_rrset.c	(revision 4923)
+--- unboundfastrpz/util/data/packed_rrset.c	(revision 5073)
 +++ unboundfastrpz/util/data/packed_rrset.c	(working copy)
 @@ -255,6 +255,10 @@
 	case sec_status_insecure: 	return "sec_status_insecure";
@@ -3361,7 +3361,7 @@ Index: unboundfastrpz/util/data/packed_rrset.c
 }
 Index: unboundfastrpz/util/data/packed_rrset.h
 ===================================================================
--- unboundfastrpz/util/data/packed_rrset.h	(revision 4923)
+--- unboundfastrpz/util/data/packed_rrset.h	(revision 5073)
 +++ unboundfastrpz/util/data/packed_rrset.h	(working copy)
 @@ -193,7 +193,15 @@
 	sec_status_secure_sentinel_fail,
@@ -3382,9 +3382,9 @@ Index: unboundfastrpz/util/data/packed_rrset.h
 /**
 Index: unboundfastrpz/util/netevent.c
 ===================================================================
--- unboundfastrpz/util/netevent.c	(revision 4923)
+--- unboundfastrpz/util/netevent.c	(revision 5073)
 +++ unboundfastrpz/util/netevent.c	(working copy)
-@@ -56,6 +56,9 @@
+@@ -57,6 +57,9 @@
 #ifdef HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>
 #endif
@@ -3394,7 +3394,7 @@ Index: unboundfastrpz/util/netevent.c
 
 /* -------- Start of local definitions -------- */
 /** if CMSG_ALIGN is not defined on this platform, a workaround */
-@@ -588,6 +591,9 @@
+@@ -590,6 +593,9 @@
 	struct cmsghdr* cmsg;
 #endif /* S_SPLINT_S */
 
@@ -3404,7 +3404,7 @@ Index: unboundfastrpz/util/netevent.c
 	rep.c = (struct comm_point*)arg;
 	log_assert(rep.c->type == comm_udp);
 
-@@ -677,6 +683,9 @@
+@@ -679,6 +685,9 @@
 	int i;
 	struct sldns_buffer *buffer;
 
@@ -3414,7 +3414,7 @@ Index: unboundfastrpz/util/netevent.c
 	rep.c = (struct comm_point*)arg;
 	log_assert(rep.c->type == comm_udp);
 
-@@ -720,6 +729,9 @@
+@@ -722,6 +731,9 @@
 			(void)comm_point_send_udp_msg(rep.c, buffer,
 				(struct sockaddr*)&rep.addr, rep.addrlen);
 		}
@@ -3424,9 +3424,9 @@ Index: unboundfastrpz/util/netevent.c
 		if(!rep.c || rep.c->fd != fd) /* commpoint closed to -1 or reused for
 		another UDP port. Note rep.c cannot be reused with TCP fd. */
 			break;
-@@ -3035,6 +3047,9 @@
- 		comm_point_start_listening(repinfo->c, -1,
- 			repinfo->c->tcp_timeout_msec);
+@@ -3108,6 +3120,9 @@
+ 				repinfo->c->tcp_timeout_msec);
+ 		}
 	}
 +#ifdef ENABLE_FASTRPZ
 +	rpz_end(repinfo);
@@ -3434,7 +3434,7 @@ Index: unboundfastrpz/util/netevent.c
 }
 
 void 
-@@ -3044,6 +3059,9 @@
+@@ -3117,6 +3132,9 @@
 		return;
 	log_assert(repinfo && repinfo->c);
 	log_assert(repinfo->c->type != comm_tcp_accept);
@@ -3443,8 +3443,8 @@ Index: unboundfastrpz/util/netevent.c
 +#endif
 	if(repinfo->c->type == comm_udp)
 		return;