import unbound 1.6.0

.gitattributes

+testdata/*.[0-9] linguist-documentation

cachedb/cachedb.c

@@ -547,8 +547,8 @@ cachedb_handle_query(struct module_qstate* qstate,
 		return;
 	}
 
-	if(qstate->blacklist) {
-		/* cache is blacklisted */
+	if(qstate->blacklist || qstate->no_cache_lookup) {
+		/* cache is blacklisted or we are instructed from edns to not look */
 		/* pass request to next module */
 		qstate->ext_state[id] = module_wait_module;
 		return;
@@ -556,10 +556,15 @@ cachedb_handle_query(struct module_qstate* qstate,
 
 	/* lookup inside unbound's internal cache */
 	if(cachedb_intcache_lookup(qstate)) {
-		if(verbosity >= VERB_ALGO)
-			log_dns_msg("cachedb internal cache lookup",
-				&qstate->return_msg->qinfo,
-				qstate->return_msg->rep);
+		if(verbosity >= VERB_ALGO) {
+			if(qstate->return_msg->rep)
+				log_dns_msg("cachedb internal cache lookup",
+					&qstate->return_msg->qinfo,
+					qstate->return_msg->rep);
+			else log_info("cachedb internal cache lookup: rcode %s",
+				sldns_lookup_by_id(sldns_rcodes, qstate->return_rcode)?
+				sldns_lookup_by_id(sldns_rcodes, qstate->return_rcode)->name:"??");
+		}
 		/* we are done with the query */
 		qstate->ext_state[id] = module_finished;
 		return;
@@ -595,8 +600,8 @@ static void
 cachedb_handle_response(struct module_qstate* qstate,
 	struct cachedb_qstate* ATTR_UNUSED(iq), struct cachedb_env* ie, int id)
 {
-	/* check if we are enabled, and skip if not */
-	if(!ie->enabled) {
+	/* check if we are not enabled or instructed to not cache, and skip */
+	if(!ie->enabled || qstate->no_cache_store) {
 		/* we are done with the query */
 		qstate->ext_state[id] = module_finished;
 		return;
@@ -649,6 +654,11 @@ cachedb_operate(struct module_qstate* qstate, enum module_ev event, int id,
 		(void)error_response(qstate, id, LDNS_RCODE_SERVFAIL);
 		return;
 	}
+	if(!iq && (event == module_event_moddone)) {
+		/* during priming, module done but we never started */
+		qstate->ext_state[id] = module_finished;
+		return;
+	}
 
 	log_err("bad event for cachedb");
 	(void)error_response(qstate, id, LDNS_RCODE_SERVFAIL);

config.h.in

@@ -107,6 +107,9 @@
 /* Define to 1 if you have the <dlfcn.h> header file. */
 #undef HAVE_DLFCN_H
 
+/* Define to 1 if you have the `DSA_SIG_set0' function. */
+#undef HAVE_DSA_SIG_SET0
+
 /* Define to 1 if you have the <endian.h> header file. */
 #undef HAVE_ENDIAN_H
 
@@ -143,6 +146,9 @@
 /* Define to 1 if you have the `EVP_cleanup' function. */
 #undef HAVE_EVP_CLEANUP
 
+/* Define to 1 if you have the `EVP_dss1' function. */
+#undef HAVE_EVP_DSS1
+
 /* Define to 1 if you have the `EVP_MD_CTX_new' function. */
 #undef HAVE_EVP_MD_CTX_NEW
 
@@ -344,9 +350,6 @@
 /* Define to 1 if you have the `recvmsg' function. */
 #undef HAVE_RECVMSG
 
-/* define if you have the sbrk() call */
-#undef HAVE_SBRK
-
 /* Define to 1 if you have the `sendmsg' function. */
 #undef HAVE_SENDMSG
 
@@ -395,6 +398,9 @@
 /* Define if you have the SSL libraries installed. */
 #undef HAVE_SSL
 
+/* Define to 1 if you have the `SSL_CTX_set_security_level' function. */
+#undef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+
 /* Define to 1 if you have the <stdarg.h> header file. */
 #undef HAVE_STDARG_H
 

configure

 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.5.10.
+# Generated by GNU Autoconf 2.69 for unbound 1.6.0.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.5.10'
-PACKAGE_STRING='unbound 1.5.10'
+PACKAGE_VERSION='1.6.0'
+PACKAGE_STRING='unbound 1.6.0'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
 PACKAGE_URL=''
@@ -659,6 +659,7 @@ WINAPPS
 WINDRES
 CHECKLOCK_OBJ
 staticexe
+PC_LIBEVENT_DEPENDENCY
 UNBOUND_EVENT_UNINSTALL
 UNBOUND_EVENT_INSTALL
 SSLLIB
@@ -678,6 +679,7 @@ WITH_PYTHONMODULE
 swig
 SWIG_LIB
 SWIG
+PC_PY_DEPENDENCY
 PY_MAJOR_VERSION
 PYTHON_SITE_PKG
 PYTHON_LDFLAGS
@@ -1401,7 +1403,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.5.10 to adapt to many kinds of systems.
+\`configure' configures unbound 1.6.0 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1466,7 +1468,7 @@ fi
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.5.10:";;
+     short | recursive ) echo "Configuration of unbound 1.6.0:";;
    esac
   cat <<\_ACEOF
@@ -1656,7 +1658,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.5.10
+unbound configure 1.6.0
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2365,7 +2367,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by unbound $as_me 1.5.10, which was
+It was created by unbound $as_me 1.6.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
   $ $0 $@
@@ -2715,13 +2717,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 UNBOUND_VERSION_MAJOR=1
-UNBOUND_VERSION_MINOR=5
-UNBOUND_VERSION_MICRO=10
+UNBOUND_VERSION_MINOR=6
+UNBOUND_VERSION_MICRO=0
 LIBUNBOUND_CURRENT=6
-LIBUNBOUND_REVISION=2
+LIBUNBOUND_REVISION=3
 LIBUNBOUND_AGE=4
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2771,6 +2773,7 @@ LIBUNBOUND_AGE=4
 # 1.5.8 had 6:0:4 # adds ub_ctx_set_stub
 # 1.5.9 had 6:1:4
 # 1.5.10 had 6:2:4
+# 1.6.0 had 6:3:4
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -16823,6 +16826,8 @@ $as_echo "#define HAVE_PYTHON 1" >>confdefs.h
       LIBS="$PYTHON_LDFLAGS $LIBS"
       CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
       ub_have_python=yes
+      PC_PY_DEPENDENCY="python"
+
       # Check for SWIG
       ub_have_swig=no
@@ -17535,7 +17540,7 @@ fi
 done
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -17551,12 +17556,13 @@ done
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-for ac_func in OPENSSL_init_ssl
+for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level
 do :
-  ac_fn_c_check_func "$LINENO" "OPENSSL_init_ssl" "ac_cv_func_OPENSSL_init_ssl"
-if test "x$ac_cv_func_OPENSSL_init_ssl" = xyes; then :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
   cat >>confdefs.h <<_ACEOF
-#define HAVE_OPENSSL_INIT_SSL 1
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
 _ACEOF
 fi
@@ -17925,13 +17931,13 @@ if test "${enable_dsa+set}" = set; then :
 fi
 use_dsa="no"
-case "$enable_ecdsa" in
+case "$enable_dsa" in
     no)
       ;;
     *)
       # detect if DSA is supported, and turn it off if not.
-      ac_fn_c_check_func "$LINENO" "EVP_dss1" "ac_cv_func_EVP_dss1"
-if test "x$ac_cv_func_EVP_dss1" = xyes; then :
+      ac_fn_c_check_func "$LINENO" "DSA_SIG_new" "ac_cv_func_DSA_SIG_new"
+if test "x$ac_cv_func_DSA_SIG_new" = xyes; then :
 cat >>confdefs.h <<_ACEOF
@@ -18378,6 +18384,8 @@ _ACEOF
 fi
 done
  # only in libev. (tested on 4.00)
+        PC_LIBEVENT_DEPENDENCY="libevent"
+
 	if test -n "$BAK_LDFLAGS_SET"; then
 		LDFLAGS="$BAK_LDFLAGS"
 	fi
@@ -18959,33 +18967,6 @@ fi
 done
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sbrk" >&5
-$as_echo_n "checking for sbrk... " >&6; }
-# catch the warning of deprecated sbrk
-old_cflags="$CFLAGS"
-CFLAGS="$CFLAGS -Werror"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-$ac_includes_default
-
-int main(void) { void* cur = sbrk(0); printf("%u\n", (unsigned)(size_t)((char*)cur - (char*)sbrk(0))); return 0; }
-
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-
-$as_echo "#define HAVE_SBRK 1" >>confdefs.h
-
-
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-CFLAGS="$old_cflags"
-
 # check if setreuid en setregid fail, on MacOSX10.4(darwin8).
 if echo $build_os | grep darwin8 > /dev/null; then
@@ -19939,7 +19920,7 @@ _ACEOF
-version=1.5.10
+version=1.6.0
 date=`date +'%b %e, %Y'`
@@ -20454,7 +20435,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.5.10, which was
+This file was extended by unbound $as_me 1.6.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
   CONFIG_FILES    = $CONFIG_FILES
@@ -20520,7 +20501,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.5.10
+unbound config.status 1.6.0
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"

configure.ac

@@ -9,15 +9,15 @@ sinclude(dnstap/dnstap.m4)
 
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[5])
-m4_define([VERSION_MICRO],[10])
+m4_define([VERSION_MINOR],[6])
+m4_define([VERSION_MICRO],[0])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=6
-LIBUNBOUND_REVISION=2
+LIBUNBOUND_REVISION=3
 LIBUNBOUND_AGE=4
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -67,6 +67,7 @@ LIBUNBOUND_AGE=4
 # 1.5.8 had 6:0:4 # adds ub_ctx_set_stub
 # 1.5.9 had 6:1:4
 # 1.5.10 had 6:2:4
+# 1.6.0 had 6:3:4
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -543,6 +544,8 @@ if test x_$ub_test_python != x_no; then
       LIBS="$PYTHON_LDFLAGS $LIBS"
       CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS"
       ub_have_python=yes
+      PC_PY_DEPENDENCY="python"
+      AC_SUBST(PC_PY_DEPENDENCY)
 
       # Check for SWIG
       ub_have_swig=no
@@ -673,12 +676,12 @@ else
 	AC_MSG_RESULT([no])
 fi
 AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1])
 
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-AC_CHECK_FUNCS([OPENSSL_init_ssl])
+AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level])
 LIBS="$BAKLIBS"
 
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
@@ -864,12 +867,12 @@ esac
 
 AC_ARG_ENABLE(dsa, AC_HELP_STRING([--disable-dsa], [Disable DSA support]))
 use_dsa="no"
-case "$enable_ecdsa" in
+case "$enable_dsa" in
     no)
       ;;
     *)
       # detect if DSA is supported, and turn it off if not.
-      AC_CHECK_FUNC(EVP_dss1, [
+      AC_CHECK_FUNC(DSA_SIG_new, [
       AC_DEFINE_UNQUOTED([USE_DSA], [1], [Define this to enable DSA support.])
       ], [if test "x$enable_dsa" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support DSA and you used --enable-dsa.])
                fi ])
@@ -1000,6 +1003,8 @@ large outgoing port ranges.  ])
 	AC_CHECK_FUNCS([event_base_get_method]) # only in libevent 1.4.3 and later
 	AC_CHECK_FUNCS([ev_loop]) # only in libev. (tested on 3.51)
 	AC_CHECK_FUNCS([ev_default_loop]) # only in libev. (tested on 4.00)
+        PC_LIBEVENT_DEPENDENCY="libevent"
+        AC_SUBST(PC_LIBEVENT_DEPENDENCY)
 	if test -n "$BAK_LDFLAGS_SET"; then
 		LDFLAGS="$BAK_LDFLAGS"
 	fi
@@ -1142,19 +1147,6 @@ AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit se
 AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
 AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
 
-AC_MSG_CHECKING([for sbrk])
-# catch the warning of deprecated sbrk
-old_cflags="$CFLAGS"
-CFLAGS="$CFLAGS -Werror"
-AC_COMPILE_IFELSE([AC_LANG_SOURCE(AC_INCLUDES_DEFAULT
-[[
-int main(void) { void* cur = sbrk(0); printf("%u\n", (unsigned)(size_t)((char*)cur - (char*)sbrk(0))); return 0; }
-]])], [
-	AC_MSG_RESULT(yes)
-	AC_DEFINE(HAVE_SBRK, 1, [define if you have the sbrk() call])
-    ], [AC_MSG_RESULT(no)])
-CFLAGS="$old_cflags"
-
 # check if setreuid en setregid fail, on MacOSX10.4(darwin8).
 if echo $build_os | grep darwin8 > /dev/null; then
 	AC_DEFINE(DARWIN_BROKEN_SETREUID, 1, [Define this if on macOSX10.4-darwin8 and setreuid and setregid do not work])

contrib/libunbound.pc.in

@@ -7,7 +7,7 @@ Name: unbound
 Description: Library with validating, recursive, and caching DNS resolver
 URL: http://www.unbound.net
 Version: @PACKAGE_VERSION@
-Requires: 
-Libs: -L${libdir} -lunbound @SSLLIB@ @LIBS@
-Libs.private: @LDFLAGS@
+Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@
+Libs: -L${libdir} -lunbound
+Libs.private: @SSLLIB@ @LIBS@
 Cflags: -I${includedir} 

contrib/unbound_munin_

@@ -150,7 +150,7 @@ get_state ( ) {
 			fi
 		done
 		# try to get it
-		echo $$ >$lock
+		if echo $$ >$lock ; then : ; else break; fi
 	done
 	# do not refetch if the file exists and only LEE seconds old
 	if test -f $state; then
@@ -266,7 +266,6 @@ if test "$1" = "config" ; then
 		echo "graph_args --base 1024 -l 0"
 		echo "graph_vlabel memory used in bytes"
 		echo "graph_category DNS"
-		p_config "mem.total.sbrk" "Total memory" "GAUGE"
 		p_config "mem.cache.rrset" "RRset cache memory" "GAUGE"
 		p_config "mem.cache.message" "Message cache memory" "GAUGE"
 		p_config "mem.mod.iterator" "Iterator module memory" "GAUGE"
@@ -458,20 +457,6 @@ queue)
 	done
 	;;
 memory)
-	mn=`echo mem.total.sbrk | sed $ABBREV | tr . _`
-	get_value 'mem.total.sbrk'
-	if test $value -eq 0; then
-		chk=`echo $ctrl | sed -e 's/-control$/-checkconf/'`
-		pidf=`$chk -o pidfile $conf 2>&1`
-		pid=`cat $pidf 2>&1`
-		value=`ps -p "$pid" -o rss= 2>&1`
-		if test "`expr $value + 1 - 1 2>&1`" -eq "$value" 2>&1; then
-			value=`expr $value \* 1024` 
-		else
-			value=0
-		fi
-	fi
-	echo "$mn.value" $value
 	for x in mem.cache.rrset mem.cache.message mem.mod.iterator \
 		mem.mod.validator msg.cache.count rrset.cache.count \
 		infra.cache.count key.cache.count; do

daemon/acl_list.c

@@ -170,6 +170,23 @@ acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap,
 	return 1;
 }
 
+/** apply acl_view string */
+static int
+acl_list_view_cfg(struct acl_list* acl, const char* str, const char* str2,
+	struct views* vs)
+{
+	struct acl_addr* node;
+	if(!(node=acl_find_or_create(acl, str)))
+		return 0;
+	node->view = views_find_view(vs, str2, 0 /* get read lock*/);
+	if(!node->view) {
+		log_err("no view with name: %s", str2);
+		return 0;
+	}
+	lock_rw_unlock(&node->view->lock);
+	return 1;
+}
+
 /** apply acl_tag_action string */
 static int
 acl_list_tag_action_cfg(struct acl_list* acl, struct config_file* cfg,
@@ -210,15 +227,47 @@ acl_list_tag_action_cfg(struct acl_list* acl, struct config_file* cfg,
 
 /** check wire data parse */
 static int
-check_data(const char* data)
+check_data(const char* data, const struct config_strlist* head)
 {
 	char buf[65536];
 	uint8_t rr[LDNS_RR_BUF_SIZE];
 	size_t len = sizeof(rr);
 	int res;
-	snprintf(buf, sizeof(buf), "%s %s", "example.com.", data);
+	/* '.' is sufficient for validation, and it makes the call to
+	 * sldns_wirerr_get_type() simpler below. */
+	snprintf(buf, sizeof(buf), "%s %s", ".", data);
 	res = sldns_str2wire_rr_buf(buf, rr, &len, NULL, 3600, NULL, 0,
 		NULL, 0);
+
+	/* Reject it if we would end up having CNAME and other data (including
+	 * another CNAME) for the same tag. */
+	if(res == 0 && head) {
+		const char* err_data = NULL;
+
+		if(sldns_wirerr_get_type(rr, len, 1) == LDNS_RR_TYPE_CNAME) {
+			/* adding CNAME while other data already exists. */
+			err_data = data;
+		} else {
+			snprintf(buf, sizeof(buf), "%s %s", ".", head->str);
+			len = sizeof(rr);
+			res = sldns_str2wire_rr_buf(buf, rr, &len, NULL, 3600,
+				NULL, 0, NULL, 0);
+			if(res != 0) {
+				/* This should be impossible here as head->str
+				 * has been validated, but we check it just in
+				 * case. */
+				return 0;
+			}
+			if(sldns_wirerr_get_type(rr, len, 1) ==
+				LDNS_RR_TYPE_CNAME) /* already have CNAME */
+				err_data = head->str;
+		}
+		if(err_data) {
+			log_err("redirect tag data '%s' must not coexist with "
+				"other data.", err_data);
+			return 0;
+		}
+	}
 	if(res == 0)
 		return 1;
 	log_err("rr data [char %d] parse error %s",
@@ -258,7 +307,7 @@ acl_list_tag_data_cfg(struct acl_list* acl, struct config_file* cfg,
 	}
 
 	/* check data? */
-	if(!check_data(data)) {
+	if(!check_data(data, node->tag_datas[tagid])) {
 		log_err("cannot parse access-control-tag data: %s %s '%s'",
 			str, tag, data);
 		return 0;
@@ -312,6 +361,27 @@ read_acl_tags(struct acl_list* acl, struct config_file* cfg)
 	return 1;
 }
 
+/** read acl view config */
+static int 
+read_acl_view(struct acl_list* acl, struct config_file* cfg, struct views* v)
+{
+	struct config_str2list* np, *p = cfg->acl_view;
+	cfg->acl_view = NULL;
+	while(p) {
+		log_assert(p->str && p->str2);
+		if(!acl_list_view_cfg(acl, p->str, p->str2, v)) {
+			return 0;
+		}
+		/* free the items as we go to free up memory */
+		np = p->next;
+		free(p->str);
+		free(p->str2);
+		free(p);
+		p = np;
+	}
+	return 1;
+}
+
 /** read acl tag actions config */
 static int 
 read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg)
@@ -362,12 +432,15 @@ read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg)
 }
 
 int 
-acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg)
+acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
+	struct views* v)
 {
 	regional_free_all(acl->region);
 	addr_tree_init(&acl->tree);
 	if(!read_acl_list(acl, cfg))
 		return 0;
+	if(!read_acl_view(acl, cfg, v))
+		return 0;
 	if(!read_acl_tags(acl, cfg))
 		return 0;
 	if(!read_acl_tag_actions(acl, cfg))

daemon/acl_list.h

@@ -43,6 +43,7 @@
 #ifndef DAEMON_ACL_LIST_H
 #define DAEMON_ACL_LIST_H
 #include "util/storage/dnstree.h"
+#include "services/view.h"
 struct config_file;
 struct regional;
 
@@ -100,6 +101,8 @@ struct acl_addr {
 	struct config_strlist** tag_datas;
 	/** size of the tag_datas array */
 	size_t tag_datas_size;
+	/* view element, NULL if none */
+	struct view* view;
 };
 
 /**
@@ -118,9 +121,11 @@ void acl_list_delete(struct acl_list* acl);
  * Process access control config.
  * @param acl: where to store.
  * @param cfg: config options.
+ * @param v: views structure
  * @return 0 on error.
  */
-int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg);
+int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
+	struct views* v);
 
 /**
  * Lookup access control status for acl structure.

daemon/cachedump.c

@@ -563,6 +563,7 @@ load_qinfo(char* str, struct query_info* qinfo, struct regional* region)
 	qinfo->qclass = sldns_wirerr_get_class(rr, rr_len, dname_len);
 	qinfo->qname_len = dname_len;
 	qinfo->qname = (uint8_t*)regional_alloc_init(region, rr, dname_len);
+	qinfo->local_alias = NULL;
 	if(!qinfo->qname) {
 		log_warn("error out of memory");
 		return NULL;
@@ -826,6 +827,7 @@ int print_deleg_lookup(SSL* ssl, struct worker* worker, uint8_t* nm,
 	qinfo.qname_len = nmlen;
 	qinfo.qtype = LDNS_RR_TYPE_A;
 	qinfo.qclass = LDNS_RR_CLASS_IN;
+	qinfo.local_alias = NULL;
 
 	dname_str(nm, b);
 	if(!ssl_printf(ssl, "The following name servers are used for lookup "

daemon/daemon.c

@@ -79,6 +79,7 @@
 #include "services/cache/rrset.h"
 #include "services/cache/infra.h"
 #include "services/localzone.h"
+#include "services/view.h"
 #include "services/modstack.h"
 #include "util/module.h"
 #include "util/random.h"
@@ -248,9 +249,16 @@ daemon_init(void)
 		free(daemon);
 		return NULL;
 	}
+	/* init edns_known_options */
+	if(!edns_known_options_init(daemon->env)) {
+		free(daemon->env);
+		free(daemon);
+		return NULL;
+	}
 	alloc_init(&daemon->superalloc, NULL, 0);
 	daemon->acl = acl_list_create();
 	if(!daemon->acl) {
+		edns_known_options_delete(daemon->env);
 		free(daemon->env);
 		free(daemon);
 		return NULL;
@@ -347,6 +355,7 @@ static void daemon_setup_modules(struct daemon* daemon)
 		daemon->env)) {
 		fatal_exit("failed to setup modules");
 	}