Vendor import of Unbound 1.13.0.

Security: CVE-2020-28935

Vendor import of Unbound 1.13.0.
Security: CVE-2020-28935
c1dbcbf2 · Cy Schubert · 4cb89f2e · c1dbcbf2 · c1dbcbf2 · c1dbcbf2
Commit c1dbcbf2 authored Dec 08, 2020 by Cy Schubert
--- a/config.guess
+++ b/config.guess
--- a/config.sub
+++ b/config.sub
@@ -2,7 +2,7 @@
 # Configuration validation subroutine script.
 #   Copyright 1992-2020 Free Software Foundation, Inc.

-timestamp='2020-09-08'
+timestamp='2020-12-02'

 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -33,7 +33,7 @@ timestamp='2020-09-08'
 # Otherwise, we print the canonical config type on stdout and succeed.

 # You can get the latest version of this script from:
-# https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
+# https://git.savannah.gnu.org/cgit/config.git/plain/config.sub

 # This file is supposed to be the same for all GNU packages
 # and recognize all the CPU types, system types and aliases
@@ -50,7 +50,7 @@ timestamp='2020-09-08'
 #	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
 # It is wrong to echo any other type of specification.

-me=`echo "$0" | sed -e 's,.*/,,'`
+me=$(echo "$0" | sed -e 's,.*/,,')

 usage="\
 Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS
@@ -769,22 +769,22 @@ case $basic_machine in
 		vendor=hp
 		;;
 	i*86v32)
-		cpu=`echo "$1" | sed -e 's/86.*/86/'`
+		cpu=$(echo "$1" | sed -e 's/86.*/86/')
 		vendor=pc
 		basic_os=sysv32
 		;;
 	i*86v4*)
-		cpu=`echo "$1" | sed -e 's/86.*/86/'`
+		cpu=$(echo "$1" | sed -e 's/86.*/86/')
 		vendor=pc
 		basic_os=sysv4
 		;;
 	i*86v)
-		cpu=`echo "$1" | sed -e 's/86.*/86/'`
+		cpu=$(echo "$1" | sed -e 's/86.*/86/')
 		vendor=pc
 		basic_os=sysv
 		;;
 	i*86sol2)
-		cpu=`echo "$1" | sed -e 's/86.*/86/'`
+		cpu=$(echo "$1" | sed -e 's/86.*/86/')
 		vendor=pc
 		basic_os=solaris2
 		;;
@@ -917,7 +917,7 @@ case $basic_machine in
 		;;
 	leon-*|leon[3-9]-*)
 		cpu=sparc
-		vendor=`echo "$basic_machine" | sed 's/-.*//'`
+		vendor=$(echo "$basic_machine" | sed 's/-.*//')
 		;;

 	*-*)
@@ -1084,7 +1084,7 @@ case $cpu-$vendor in
 		cpu=mipsisa64sb1el
 		;;
 	sh5e[lb]-*)
-		cpu=`echo "$cpu" | sed 's/^\(sh.\)e\(.\)$/\1\2e/'`
+		cpu=$(echo "$cpu" | sed 's/^\(sh.\)e\(.\)$/\1\2e/')
 		;;
 	spur-*)
 		cpu=spur
@@ -1102,7 +1102,7 @@ case $cpu-$vendor in
 		cpu=x86_64
 		;;
 	xscale-* | xscalee[bl]-*)
-		cpu=`echo "$cpu" | sed 's/^xscale/arm/'`
+		cpu=$(echo "$cpu" | sed 's/^xscale/arm/')
 		;;
 	arm64-*)
 		cpu=aarch64
@@ -1241,6 +1241,7 @@ case $cpu-$vendor in
 			| sparcv8 | sparcv9 | sparcv9b | sparcv9v | sv1 | sx* \
 			| spu \
 			| tahoe \
+			| thumbv7* \
 			| tic30 | tic4x | tic54x | tic55x | tic6x | tic80 \
 			| tron \
 			| ubicom32 \
@@ -1286,11 +1287,15 @@ then
 case $basic_os in
 	gnu/linux*)
 		kernel=linux
-		os=`echo $basic_os | sed -e 's|gnu/linux|gnu|'`
+		os=$(echo $basic_os | sed -e 's|gnu/linux|gnu|')
+		;;
+	os2-emx)
+		kernel=os2
+		os=$(echo $basic_os | sed -e 's|os2-emx|emx|')
 		;;
 	nto-qnx*)
 		kernel=nto
-		os=`echo $basic_os | sed -e 's|nto-qnx|qnx|'`
+		os=$(echo $basic_os | sed -e 's|nto-qnx|qnx|')
 		;;
 	*-*)
 		# shellcheck disable=SC2162
@@ -1301,11 +1306,11 @@ EOF
 	# Default OS when just kernel was specified
 	nto*)
 		kernel=nto
-		os=`echo $basic_os | sed -e 's|nto|qnx|'`
+		os=$(echo $basic_os | sed -e 's|nto|qnx|')
 		;;
 	linux*)
 		kernel=linux
-		os=`echo $basic_os | sed -e 's|linux|gnu|'`
+		os=$(echo $basic_os | sed -e 's|linux|gnu|')
 		;;
 	*)
 		kernel=
@@ -1326,7 +1331,7 @@ case $os in
 		os=cnk
 		;;
 	solaris1 | solaris1.*)
-		os=`echo $os | sed -e 's|solaris1|sunos4|'`
+		os=$(echo $os | sed -e 's|solaris1|sunos4|')
 		;;
 	solaris)
 		os=solaris2
@@ -1355,7 +1360,7 @@ case $os in
 		os=sco3.2v4
 		;;
 	sco3.2.[4-9]*)
-		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
+		os=$(echo $os | sed -e 's/sco3.2./sco3.2v/')
 		;;
 	sco*v* | scout)
 		# Don't match below
@@ -1385,7 +1390,7 @@ case $os in
 		os=lynxos
 		;;
 	mac[0-9]*)
-		os=`echo "$os" | sed -e 's|mac|macos|'`
+		os=$(echo "$os" | sed -e 's|mac|macos|')
 		;;
 	opened*)
 		os=openedition
@@ -1394,10 +1399,10 @@ case $os in
 		os=os400
 		;;
 	sunos5*)
-		os=`echo "$os" | sed -e 's|sunos5|solaris2|'`
+		os=$(echo "$os" | sed -e 's|sunos5|solaris2|')
 		;;
 	sunos6*)
-		os=`echo "$os" | sed -e 's|sunos6|solaris3|'`
+		os=$(echo "$os" | sed -e 's|sunos6|solaris3|')
 		;;
 	wince*)
 		os=wince
@@ -1431,7 +1436,7 @@ case $os in
 		;;
 	# Preserve the version number of sinix5.
 	sinix5.*)
-		os=`echo $os | sed -e 's|sinix|sysv|'`
+		os=$(echo $os | sed -e 's|sinix|sysv|')
 		;;
 	sinix*)
 		os=sysv4
@@ -1716,7 +1721,7 @@ case $os in
 	     | skyos* | haiku* | rdos* | toppers* | drops* | es* \
 	     | onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \
 	     | midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \
-	     | nsk* | powerunix* | genode* | zvmoe* | qnx* )
+	     | nsk* | powerunix* | genode* | zvmoe* | qnx* | emx*)
 		;;
 	# This one is extra strict with allowed versions
 	sco3.2v2 | sco3.2v[4-9]* | sco5v6*)
@@ -1747,6 +1752,8 @@ case $kernel-$os in
 		;;
 	nto-qnx*)
 		;;
+	os2-emx)
+		;;
 	*-eabi* | *-gnueabi*)
 		;;
 	-*)

--- a/configure
+++ b/configure
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.12.0.
+# Generated by GNU Autoconf 2.69 for unbound 1.13.0.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.12.0'
-PACKAGE_STRING='unbound 1.12.0'
+PACKAGE_VERSION='1.13.0'
+PACKAGE_STRING='unbound 1.13.0'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
  
@@ -1459,7 +1459,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures unbound 1.12.0 to adapt to many kinds of systems.
+\`configure' configures unbound 1.13.0 to adapt to many kinds of systems.
  
 Usage: $0 [OPTION]... [VAR=VALUE]...
  
@@ -1524,7 +1524,7 @@ fi
  
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.12.0:";;
+     short | recursive ) echo "Configuration of unbound 1.13.0:";;
   esac
  cat <<\_ACEOF
  
@@ -1752,7 +1752,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-unbound configure 1.12.0
+unbound configure 1.13.0
 generated by GNU Autoconf 2.69
  
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2461,7 +2461,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
  
-It was created by unbound $as_me 1.12.0, which was
+It was created by unbound $as_me 1.13.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  
  $ $0 $@
@@ -2811,13 +2811,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
  
 UNBOUND_VERSION_MAJOR=1
  
-UNBOUND_VERSION_MINOR=12
+UNBOUND_VERSION_MINOR=13
  
 UNBOUND_VERSION_MICRO=0
  
  
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=10
+LIBUNBOUND_REVISION=11
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2895,6 +2895,7 @@ LIBUNBOUND_AGE=1
 # 1.10.1 had 9:8:1
 # 1.11.0 had 9:9:1
 # 1.12.0 had 9:10:1
+# 1.13.0 had 9:11:1
  
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -14728,7 +14729,7 @@ $as_echo "no" >&6; }
 fi
  
 # Checks for header files.
-for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h net/if.h
+for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h
 do :
  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
@@ -14742,6 +14743,34 @@ fi
  
 done
  
+# net/if.h portability for Darwin see:
+# https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Header-Portability.html
+for ac_header in net/if.h
+do :
+  ac_fn_c_check_header_compile "$LINENO" "net/if.h" "ac_cv_header_net_if_h" "
+#include <stdio.h>
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+#  include <stdlib.h>
+# endif
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+# include <sys/socket.h>
+#endif
+
+"
+if test "x$ac_cv_header_net_if_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_NET_IF_H 1
+_ACEOF
+
+fi
+
+done
+
  
 # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH
 for ac_header in TargetConditionals.h
@@ -21686,7 +21715,7 @@ _ACEOF
  
  
  
-version=1.12.0
+version=1.13.0
  
 date=`date +'%b %e, %Y'`
  
@@ -22205,7 +22234,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.12.0, which was
+This file was extended by unbound $as_me 1.13.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  
  CONFIG_FILES    = $CONFIG_FILES
@@ -22271,7 +22300,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.12.0
+unbound config.status 1.13.0
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
  

--- a/configure.ac
+++ b/configure.ac
@@ -10,7 +10,7 @@ sinclude(dnscrypt/dnscrypt.m4)

 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[12])
+m4_define([VERSION_MINOR],[13])
 m4_define([VERSION_MICRO],[0])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
@@ -18,7 +18,7 @@ AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])

 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=10
+LIBUNBOUND_REVISION=11
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -96,6 +96,7 @@ LIBUNBOUND_AGE=1
 # 1.10.1 had 9:8:1
 # 1.11.0 had 9:9:1
 # 1.12.0 had 9:10:1
+# 1.13.0 had 9:11:1

 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -399,7 +400,23 @@ ACX_LIBTOOL_C_ONLY
 PKG_PROG_PKG_CONFIG

 # Checks for header files.
-AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h net/if.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h],,, [AC_INCLUDES_DEFAULT])
+# net/if.h portability for Darwin see:
+# https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Header-Portability.html
+AC_CHECK_HEADERS([net/if.h],,, [
+#include <stdio.h>
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+#  include <stdlib.h>
+# endif
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+# include <sys/socket.h>
+#endif
+])

 # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH
 AC_CHECK_HEADERS([TargetConditionals.h])

--- a/contrib/README
+++ b/contrib/README
@@ -53,3 +53,5 @@ distribution but may be helpful.
  lookups for downstream clients.
 * drop2rpz: perl script that converts the Spamhaus DROP-List in RPZ-Format,
  contributed by Andreas Schulze.
+* metrics.awk: awk script that can convert unbound-control stats to
+  Prometheus metrics format output.
--- a/contrib/metrics.awk
+++ b/contrib/metrics.awk
+# read output of unbound-control stats
+# and output prometheus metrics style output.
+# use these options:
+#	server:		extended-statistics: yes
+#			statistics-cumulative: no
+#			statistics-interval: 0
+#	remote-control: control-enable: yes
+# Can use it like unbound-control stats | awk -f "metrics.awk"
+
+BEGIN {
+	FS="=";
+}
+# everything like total.num.queries=value is put in val["total.num.queries"]
+/^.*\..*=/ {
+	val[$1]=$2;
+}
+# print the output metrics
+END {
+	print "# HELP unbound_hits_queries Unbound DNS traffic and cache hits"
+	print "# TYPE unbound_hits_queries gauge"
+	print "unbound_hits_queries{type=\"total.num.queries\"} " val["total.num.queries"];
+	for (x=0; x<99; x++) {
+		if(val["thread" $x ".num.queries"] != "") {
+			print "unbound_hits_queries{type=\"thread" $x ".num.queries\"} " val["thread" $x ".num.queries"];
+		}
+	}
+	print "unbound_hits_queries{type=\"total.num.cachehits\"} " val["total.num.cachehits"];
+	print "unbound_hits_queries{type=\"total.num.prefetch\"} " val["total.num.prefetch"];
+	print "unbound_hits_queries{type=\"num.query.tcp\"} " val["num.query.tcp"];
+	print "unbound_hits_queries{type=\"num.query.tcpout\"} " val["num.query.tcpout"];
+	print "unbound_hits_queries{type=\"num.query.tls\"} " val["num.query.tls"];
+	print "unbound_hits_queries{type=\"num.query.tls.resume\"} " val["num.query.tls.resume"];
+	print "unbound_hits_queries{type=\"num.query.ipv6\"} " val["num.query.ipv6"];
+	print "unbound_hits_queries{type=\"unwanted.queries\"} " val["unwanted.queries"];
+	print ""
+
+	print "# HELP unbound_queue_queries Unbound requestlist size"
+	print "# TYPE unbound_queue_queries gauge"
+	print "unbound_queue_queries{type=\"total.requestlist.avg\"} " val["total.requestlist.avg"];
+	print "unbound_queue_queries{type=\"total.requestlist.max\"} " val["total.requestlist.max"];
+	print "unbound_queue_queries{type=\"total.requestlist.overwritten\"} " val["total.requestlist.overwritten"];
+	print "unbound_queue_queries{type=\"total.requestlist.exceeded\"} " val["total.requestlist.exceeded"];
+	print ""
+
+	print "# HELP unbound_memory_bytes Unbound memory usage"
+	print "# TYPE unbound_memory_bytes gauge"
+	print "unbound_memory_bytes{type=\"mem.cache.rrset\"} " val["mem.cache.rrset"];
+	print "unbound_memory_bytes{type=\"mem.cache.message\"} " val["mem.cache.message"];
+	print "unbound_memory_bytes{type=\"mem.mod.iterator\"} " val["mem.mod.iterator"];
+	if(val["mem.mod.validator"] != "") {
+		print "unbound_memory_bytes{type=\"mem.mod.validator\"} " val["mem.mod.validator"];
+	}
+	if(val["mem.mod.respip"] != "") {
+		print "unbound_memory_bytes{type=\"mem.mod.respip\"} " val["mem.mod.respip"];
+	}
+	if(val["mem.mod.subnet"] != "") {
+		print "unbound_memory_bytes{type=\"mem.mod.subnet\"} " val["mem.mod.subnet"];
+	}
+	if(val["mem.mod.ipsecmod"] != "") {
+		print "unbound_memory_bytes{type=\"mem.mod.ipsecmod\"} " val["mem.mod.ipsecmod"];
+	}
+	if(val["mem.mod.dynlibmod"] != "") {
+		print "unbound_memory_bytes{type=\"mem.mod.dynlibmod\"} " val["mem.mod.dynlibmod"];
+	}
+	print "unbound_memory_bytes{type=\"msg.cache.count\"} " val["msg.cache.count"];
+	print "unbound_memory_bytes{type=\"rrset.cache.count\"} " val["rrset.cache.count"];
+	print "unbound_memory_bytes{type=\"infra.cache.count\"} " val["infra.cache.count"];
+	print "unbound_memory_bytes{type=\"key.cache.count\"} " val["key.cache.count"];
+	print ""
+
+	print "# HELP unbound_by_type_queries Unbound DNS queries by type"
+	print "# TYPE unbound_by_type_queries gauge"
+	for(x in val) {
+		if(x ~ /^num.query.type./) {
+			if(val[x] != "") {
+				split(x, a, ".");
+				print "unbound_by_type_queries{type=\"" a[4] "\"} " val[x];
+			}
+		}
+	}
+	print ""
+
+	print "# HELP unbound_by_class_queries Unbound DNS queries by class"
+	print "# TYPE unbound_by_class_queries gauge"
+	for(x in val) {
+		if(x ~ /^num.query.class./) {
+			if(val[x] != "") {
+				split(x, a, ".");
+				print "unbound_by_class_queries{class=\"" a[4] "\"} " val[x];
+			}
+		}
+	}
+	print ""
+
+	print "# HELP unbound_by_opcode_queries Unbound DNS queries by opcode"
+	print "# TYPE unbound_by_opcode_queries gauge"
+	for(x in val) {
+		if(x ~ /^num.query.opcode./) {
+			if(val[x] != "") {
+				split(x, a, ".");
+				print "unbound_by_opcode_queries{opcode=\"" a[4] "\"} " val[x];
+			}
+		}
+	}
+	print ""
+
+	print "# HELP unbound_by_rcode_queries Unbound DNS answers by rcode"
+	print "# TYPE unbound_by_rcode_queries gauge"
+	for(x in val) {
+		if(x ~ /^num.answer.rcode./) {
+			if(val[x] != "") {
+				split(x, a, ".");
+				print "unbound_by_rcode_queries{rcode=\"" a[4] "\"} " val[x];
+			}
+		}
+	}
+	print ""
+
+	print "# HELP unbound_by_flags_queries Unbound DNS queries by flags"
+	print "# TYPE unbound_by_flags_queries gauge"
+	for(x in val) {
+		if(x ~ /^num.query.flags./) {
+			if(val[x] != "") {
+				split(x, a, ".");
+				print "unbound_by_flags_queries{flag=\"" a[4] "\"} " val[x];
+			}
+		}
+	}
+	if(val["num.query.edns.present"] != "") {
+		print "unbound_by_flags_queries{flag=\"num.query.edns.present\"} " val["num.query.edns.present"];
+	}
+	if(val["num.query.edns.DO"] != "") {
+		print "unbound_by_flags_queries{flag=\"num.query.edns.DO\"} " val["num.query.edns.DO"];
+	}
+	print ""
+
+	print "# HELP unbound_histogram_seconds Unbound DNS histogram of reply time"
+	print "# TYPE unbound_histogram_seconds gauge"
+	print "unbound_histogram_seconds{bucket=\"000000.000000.to.000000.000001\"} " val["histogram.000000.000000.to.000000.000001"];
+	print "unbound_histogram_seconds{bucket=\"000000.000001.to.000000.000002\"} " val["histogram.000000.000001.to.000000.000002"];
+	print "unbound_histogram_seconds{bucket=\"000000.000002.to.000000.000004\"} " val["histogram.000000.000002.to.000000.000004"];
+	print "unbound_histogram_seconds{bucket=\"000000.000004.to.000000.000008\"} " val["histogram.000000.000004.to.000000.000008"];
+	print "unbound_histogram_seconds{bucket=\"000000.000008.to.000000.000016\"} " val["histogram.000000.000008.to.000000.000016"];
+	print "unbound_histogram_seconds{bucket=\"000000.000016.to.000000.000032\"} " val["histogram.000000.000016.to.000000.000032"];
+	print "unbound_histogram_seconds{bucket=\"000000.000032.to.000000.000064\"} " val["histogram.000000.000032.to.000000.000064"];
+	print "unbound_histogram_seconds{bucket=\"000000.000064.to.000000.000128\"} " val["histogram.000000.000064.to.000000.000128"];
+	print "unbound_histogram_seconds{bucket=\"000000.000128.to.000000.000256\"} " val["histogram.000000.000128.to.000000.000256"];
+	print "unbound_histogram_seconds{bucket=\"000000.000256.to.000000.000512\"} " val["histogram.000000.000256.to.000000.000512"];
+	print "unbound_histogram_seconds{bucket=\"000000.000512.to.000000.001024\"} " val["histogram.000000.000512.to.000000.001024"];
+	print "unbound_histogram_seconds{bucket=\"000000.001024.to.000000.002048\"} " val["histogram.000000.001024.to.000000.002048"];
+	print "unbound_histogram_seconds{bucket=\"000000.002048.to.000000.004096\"} " val["histogram.000000.002048.to.000000.004096"];
+	print "unbound_histogram_seconds{bucket=\"000000.004096.to.000000.008192\"} " val["histogram.000000.004096.to.000000.008192"];
+	print "unbound_histogram_seconds{bucket=\"000000.008192.to.000000.016384\"} " val["histogram.000000.008192.to.000000.016384"];
+	print "unbound_histogram_seconds{bucket=\"000000.016384.to.000000.032768\"} " val["histogram.000000.016384.to.000000.032768"];
+	print "unbound_histogram_seconds{bucket=\"000000.032768.to.000000.065536\"} " val["histogram.000000.032768.to.000000.065536"];
+	print "unbound_histogram_seconds{bucket=\"000000.065536.to.000000.131072\"} " val["histogram.000000.065536.to.000000.131072"];
+	print "unbound_histogram_seconds{bucket=\"000000.131072.to.000000.262144\"} " val["histogram.000000.131072.to.000000.262144"];
+	print "unbound_histogram_seconds{bucket=\"000000.262144.to.000000.524288\"} " val["histogram.000000.262144.to.000000.524288"];
+	print "unbound_histogram_seconds{bucket=\"000000.524288.to.000001.000000\"} " val["histogram.000000.524288.to.000001.000000"];
+	print "unbound_histogram_seconds{bucket=\"000001.000000.to.000002.000000\"} " val["histogram.000001.000000.to.000002.000000"];
+	print "unbound_histogram_seconds{bucket=\"000002.000000.to.000004.000000\"} " val["histogram.000002.000000.to.000004.000000"];
+	print "unbound_histogram_seconds{bucket=\"000004.000000.to.000008.000000\"} " val["histogram.000004.000000.to.000008.000000"];
+	print "unbound_histogram_seconds{bucket=\"000008.000000.to.000016.000000\"} " val["histogram.000008.000000.to.000016.000000"];
+	print "unbound_histogram_seconds{bucket=\"000016.000000.to.000032.000000\"} " val["histogram.000016.000000.to.000032.000000"];
+	print "unbound_histogram_seconds{bucket=\"000032.000000.to.000064.000000\"} " val["histogram.000032.000000.to.000064.000000"];
+	print "unbound_histogram_seconds{bucket=\"000064.000000.to.000128.000000\"} " val["histogram.000064.000000.to.000128.000000"];
+	print "unbound_histogram_seconds{bucket=\"000128.000000.to.000256.000000\"} " val["histogram.000128.000000.to.000256.000000"];
+	print "unbound_histogram_seconds{bucket=\"000256.000000.to.000512.000000\"} " val["histogram.000256.000000.to.000512.000000"];
+	print "unbound_histogram_seconds{bucket=\"000512.000000.to.001024.000000\"} " val["histogram.000512.000000.to.001024.000000"];
+	print "unbound_histogram_seconds{bucket=\"001024.000000.to.002048.000000\"} " val["histogram.001024.000000.to.002048.000000"];
+	print "unbound_histogram_seconds{bucket=\"002048.000000.to.004096.000000\"} " val["histogram.002048.000000.to.004096.000000"];
+	print "unbound_histogram_seconds{bucket=\"004096.000000.to.008192.000000\"} " val["histogram.004096.000000.to.008192.000000"];
+	print "unbound_histogram_seconds{bucket=\"008192.000000.to.016384.000000\"} " val["histogram.008192.000000.to.016384.000000"];
+	print "unbound_histogram_seconds{bucket=\"016384.000000.to.032768.000000\"} " val["histogram.016384.000000.to.032768.000000"];
+	print "unbound_histogram_seconds{bucket=\"032768.000000.to.065536.000000\"} " val["histogram.032768.000000.to.065536.000000"];
+	print "unbound_histogram_seconds{bucket=\"065536.000000.to.131072.000000\"} " val["histogram.065536.000000.to.131072.000000"];
+	print "unbound_histogram_seconds{bucket=\"131072.000000.to.262144.000000\"} " val["histogram.131072.000000.to.262144.000000"];
+	print "unbound_histogram_seconds{bucket=\"262144.000000.to.524288.000000\"} " val["histogram.262144.000000.to.524288.000000"];
+	print ""
+}
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -66,7 +66,7 @@ ProtectSystem=strict
 RuntimeDirectory=unbound
 ConfigurationDirectory=unbound
 StateDirectory=unbound
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources

--- a/contrib/unbound_portable.service.in
+++ b/contrib/unbound_portable.service.in
@@ -38,7 +38,7 @@ ProtectSystem=strict
 RuntimeDirectory=unbound
 ConfigurationDirectory=unbound
 StateDirectory=unbound
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictRealtime=true
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources

--- a/daemon/daemon.c
+++ b/daemon/daemon.c
@@ -291,7 +291,7 @@ daemon_init(void)
 		free(daemon);
 		return NULL;
 	}
-	if(!(daemon->env->edns_tags = edns_tags_create())) {
+	if(!(daemon->env->edns_strings = edns_strings_create())) {
 		auth_zones_delete(daemon->env->auth_zones);
 		acl_list_delete(daemon->acl);
 		tcl_list_delete(daemon->tcl);
@@ -638,9 +638,9 @@ daemon_fork(struct daemon* daemon)
 		&daemon->use_rpz))
 		fatal_exit("auth_zones could not be setup");

-	/* Set-up EDNS tags */
-	if(!edns_tags_apply_cfg(daemon->env->edns_tags, daemon->cfg))
-		fatal_exit("Could not set up EDNS tags");
+	/* Set-up EDNS strings */
+	if(!edns_strings_apply_cfg(daemon->env->edns_strings, daemon->cfg))
+		fatal_exit("Could not set up EDNS strings");

 	/* setup modules */
 	daemon_setup_modules(daemon);
@@ -773,7 +773,7 @@ daemon_delete(struct daemon* daemon)
 		rrset_cache_delete(daemon->env->rrset_cache);
 		infra_delete(daemon->env->infra_cache);
 		edns_known_options_delete(daemon->env);
-		edns_tags_delete(daemon->env->edns_tags);
+		edns_strings_delete(daemon->env->edns_strings);
 		auth_zones_delete(daemon->env->auth_zones);
 	}
 	ub_randfree(daemon->rand);

--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@@ -337,22 +337,44 @@ readpid (const char* file)
 /** write pid to file. 
 * @param pidfile: file name of pid file.
 * @param pid: pid to write to file.
+ * @return false on failure
 */
-static void
+static int
 writepid (const char* pidfile, pid_t pid)
 {
-	FILE* f;
+	int fd;
+	char pidbuf[32];
+	size_t count = 0;
+	snprintf(pidbuf, sizeof(pidbuf), "%lu\n", (unsigned long)pid);

-	if ((f = fopen(pidfile, "w")) ==  NULL ) {
+	if((fd = open(pidfile, O_WRONLY | O_CREAT | O_TRUNC
+#ifdef O_NOFOLLOW
+		| O_NOFOLLOW
+#endif