git: 4f4adb0576df - stable/13 - unbound: Vendor import 1.18.0

From: Cy Schubert <cy_at_FreeBSD.org>
Date: Wed, 04 Oct 2023 01:02:04 UTC
The branch stable/13 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=4f4adb0576dfbcd0d956db0146c9de7e1bb71563

commit 4f4adb0576dfbcd0d956db0146c9de7e1bb71563
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2023-09-19 04:17:09 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2023-10-04 01:01:51 +0000

    unbound: Vendor import 1.18.0
    
    Release notes at
        https://www.nlnetlabs.nl/news/2023/Aug/30/unbound-1.18.0-released/
    
    Merge commit '401770e05c71ecb5ae61a59d316069b4b78bf622' into main
    
    (cherry picked from commit 8f76bb7dad48538c6832c2fb466a433d2a3f8cd5)
---
 contrib/unbound/Makefile.in                        |   43 +-
 contrib/unbound/README.md                          |    2 +-
 contrib/unbound/acx_nlnetlabs.m4                   |   36 +-
 contrib/unbound/acx_python.m4                      |   61 +-
 contrib/unbound/cachedb/cachedb.c                  |   57 +-
 contrib/unbound/cachedb/redis.c                    |   28 +-
 contrib/unbound/compat/getentropy_solaris.c        |    2 +-
 contrib/unbound/config.guess                       |   51 +-
 contrib/unbound/config.h.in                        |   25 +-
 contrib/unbound/config.h.in~                       | 1456 ++++++++++++++++++++
 contrib/unbound/config.sub                         |   72 +-
 contrib/unbound/configure                          |  170 ++-
 contrib/unbound/configure.ac                       |   99 +-
 contrib/unbound/contrib/Dockerfile.tests           |    4 +-
 contrib/unbound/contrib/README                     |    3 +
 contrib/unbound/contrib/aaaa-filter-iterator.patch |    4 +-
 contrib/unbound/contrib/unbound.init_yocto         |  139 ++
 contrib/unbound/daemon/acl_list.c                  |    2 +
 contrib/unbound/daemon/acl_list.h                  |    8 +-
 contrib/unbound/daemon/cachedump.c                 |   28 +-
 contrib/unbound/daemon/remote.c                    |  236 ++--
 contrib/unbound/daemon/remote.h                    |    2 +-
 contrib/unbound/daemon/stats.c                     |   53 +-
 contrib/unbound/daemon/stats.h                     |    7 +
 contrib/unbound/daemon/worker.c                    |  471 ++++---
 contrib/unbound/dns64/dns64.c                      |    4 +-
 contrib/unbound/dnstap/dnstap.c                    |    7 +-
 contrib/unbound/dnstap/dnstap.h                    |    4 +-
 contrib/unbound/dnstap/unbound-dnstap-socket.c     |   39 +-
 contrib/unbound/doc/Changelog                      |  323 +++++
 contrib/unbound/doc/README                         |    2 +-
 contrib/unbound/doc/README.DNS64                   |   20 +
 contrib/unbound/doc/example.conf.in                |   32 +-
 contrib/unbound/doc/libunbound.3.in                |    4 +-
 contrib/unbound/doc/unbound-anchor.8.in            |    2 +-
 contrib/unbound/doc/unbound-checkconf.8.in         |    2 +-
 contrib/unbound/doc/unbound-control.8.in           |   58 +-
 contrib/unbound/doc/unbound-host.1.in              |    2 +-
 contrib/unbound/doc/unbound.8.in                   |    4 +-
 contrib/unbound/doc/unbound.conf.5.in              |  147 +-
 contrib/unbound/edns-subnet/subnetmod.c            |   27 +-
 contrib/unbound/iterator/iter_delegpt.c            |   39 +
 contrib/unbound/iterator/iter_delegpt.h            |   25 +
 contrib/unbound/iterator/iter_resptype.c           |    7 +
 contrib/unbound/iterator/iter_scrub.c              |   43 +-
 contrib/unbound/iterator/iter_utils.c              |   43 +-
 contrib/unbound/iterator/iter_utils.h              |    7 +-
 contrib/unbound/iterator/iterator.c                |  259 ++--
 contrib/unbound/iterator/iterator.h                |   23 +-
 contrib/unbound/libunbound/libworker.c             |   16 +-
 contrib/unbound/libunbound/unbound-event.h         |    6 +-
 contrib/unbound/libunbound/unbound.h               |  116 +-
 contrib/unbound/services/authzone.c                |   10 +-
 contrib/unbound/services/cache/dns.c               |   50 +-
 contrib/unbound/services/cache/infra.c             |   75 +-
 contrib/unbound/services/cache/infra.h             |    5 +-
 contrib/unbound/services/listen_dnsport.c          |  153 +-
 contrib/unbound/services/localzone.c               |   20 +-
 contrib/unbound/services/localzone.h               |    2 +
 contrib/unbound/services/mesh.c                    |  385 +++---
 contrib/unbound/services/mesh.h                    |   14 +-
 contrib/unbound/services/modstack.c                |   10 +-
 contrib/unbound/services/outside_network.c         |   28 +
 contrib/unbound/services/rpz.c                     |  230 +++-
 contrib/unbound/services/rpz.h                     |   16 +-
 contrib/unbound/sldns/rrdef.c                      |   12 +-
 contrib/unbound/sldns/rrdef.h                      |    7 +-
 contrib/unbound/sldns/str2wire.c                   |   94 +-
 contrib/unbound/sldns/str2wire.h                   |    4 +-
 contrib/unbound/sldns/wire2str.c                   |   19 +-
 contrib/unbound/smallapp/unbound-anchor.c          |    3 +-
 contrib/unbound/smallapp/unbound-checkconf.c       |    2 +-
 contrib/unbound/smallapp/unbound-control.c         |   54 +-
 contrib/unbound/smallapp/unbound-host.c            |    5 +-
 contrib/unbound/testdata/00-lint.tdir/00-lint.pre  |   14 +
 contrib/unbound/testdata/cachedb_cached_ede.crpl   |   91 ++
 .../unbound/testdata/edns_downstream_cookies.rpl   |  235 ++++
 .../testdata/ip_ratelimit.tdir/ip_ratelimit.conf   |   28 +
 .../testdata/ip_ratelimit.tdir/ip_ratelimit.dsc    |   16 +
 .../testdata/ip_ratelimit.tdir/ip_ratelimit.post   |   13 +
 .../testdata/ip_ratelimit.tdir/ip_ratelimit.pre    |   24 +
 .../testdata/ip_ratelimit.tdir/ip_ratelimit.test   |  165 +++
 .../testdata/ip_ratelimit.tdir/unbound_control.key |   39 +
 .../testdata/ip_ratelimit.tdir/unbound_control.pem |   22 +
 .../testdata/ip_ratelimit.tdir/unbound_server.key  |   39 +
 .../testdata/ip_ratelimit.tdir/unbound_server.pem  |   22 +
 .../unbound/testdata/iter_cname_minimise_nx.rpl    |  246 ++++
 contrib/unbound/testdata/iter_failreply.rpl        |  132 ++
 contrib/unbound/testdata/iter_ignore_empty.rpl     |  198 +++
 contrib/unbound/testdata/iter_nat64.rpl            |  117 ++
 contrib/unbound/testdata/iter_nat64_prefix.rpl     |  119 ++
 contrib/unbound/testdata/iter_nat64_prefix48.rpl   |  118 ++
 .../unbound/testdata/serve_expired_0ttl_nodata.rpl |  154 +++
 .../testdata/serve_expired_0ttl_nxdomain.rpl       |  154 +++
 .../testdata/serve_expired_0ttl_servfail.rpl       |  129 ++
 .../serve_expired_cached_servfail_refresh.rpl      |  145 ++
 .../stat_values.tdir/stat_values_cachedb.conf      |   36 +
 .../stat_values_downstream_cookies.conf            |   32 +
 contrib/unbound/testdata/subnet_cached_ede.crpl    |  114 ++
 .../unbound/testdata/subnet_global_prefetch.crpl   |  236 ++++
 .../subnet_global_prefetch_always_forward.crpl     |  167 +++
 .../testdata/subnet_global_prefetch_expired.crpl   |  241 ++++
 contrib/unbound/testdata/val_any_negcache.rpl      |  240 ++++
 contrib/unbound/util/config_file.c                 |  153 +-
 contrib/unbound/util/config_file.h                 |   65 +-
 contrib/unbound/util/configlexer.lex               |   15 +-
 contrib/unbound/util/configparser.y                |  148 +-
 contrib/unbound/util/data/msgencode.c              |  148 +-
 contrib/unbound/util/data/msgencode.h              |   42 +-
 contrib/unbound/util/data/msgparse.c               |   98 +-
 contrib/unbound/util/data/msgparse.h               |   18 +-
 contrib/unbound/util/data/msgreply.c               |   95 +-
 contrib/unbound/util/data/msgreply.h               |   30 +-
 contrib/unbound/util/edns.c                        |   59 +
 contrib/unbound/util/edns.h                        |   59 +
 contrib/unbound/util/fptr_wlist.c                  |    8 +
 contrib/unbound/util/iana_ports.inc                |    4 +
 contrib/unbound/util/module.c                      |   16 +-
 contrib/unbound/util/module.h                      |   14 +-
 contrib/unbound/util/net_help.c                    |   70 +-
 contrib/unbound/util/net_help.h                    |   23 +
 contrib/unbound/util/netevent.c                    |  229 +--
 contrib/unbound/util/netevent.h                    |   70 +-
 contrib/unbound/util/regional.c                    |    2 +-
 contrib/unbound/util/rfc_1982.c                    |   74 +
 contrib/unbound/util/rfc_1982.h                    |   63 +
 contrib/unbound/util/siphash.c                     |  187 +++
 contrib/unbound/util/siphash.h                     |   43 +
 contrib/unbound/util/storage/lruhash.c             |   25 +-
 contrib/unbound/util/storage/lruhash.h             |    5 +-
 contrib/unbound/util/storage/slabhash.c            |   18 +
 contrib/unbound/util/storage/slabhash.h            |    9 +
 contrib/unbound/util/timehist.c                    |   44 +-
 contrib/unbound/util/timeval_func.c                |  113 ++
 contrib/unbound/util/timeval_func.h                |   53 +
 contrib/unbound/validator/autotrust.c              |    2 +
 contrib/unbound/validator/val_kcache.c             |   10 +-
 contrib/unbound/validator/val_kcache.h             |    4 +-
 contrib/unbound/validator/val_kentry.c             |   48 +-
 contrib/unbound/validator/val_kentry.h             |   37 +-
 contrib/unbound/validator/val_neg.c                |    7 +-
 contrib/unbound/validator/val_nsec.c               |   19 +-
 contrib/unbound/validator/val_nsec.h               |    5 +-
 contrib/unbound/validator/val_sigcrypt.c           |   43 +-
 contrib/unbound/validator/val_utils.c              |   19 +-
 contrib/unbound/validator/validator.c              |  137 +-
 lib/libunbound/Makefile                            |    6 +-
 usr.sbin/unbound/config.h                          |    6 +-
 148 files changed, 9439 insertions(+), 1708 deletions(-)

diff --git a/contrib/unbound/Makefile.in b/contrib/unbound/Makefile.in
index bc021aa1eb00..0a2e7f9b6f08 100644
--- a/contrib/unbound/Makefile.in
+++ b/contrib/unbound/Makefile.in
@@ -122,15 +122,15 @@ iterator/iter_delegpt.c iterator/iter_donotq.c iterator/iter_fwd.c \
 iterator/iter_hints.c iterator/iter_priv.c iterator/iter_resptype.c \
 iterator/iter_scrub.c iterator/iter_utils.c services/listen_dnsport.c \
 services/localzone.c services/mesh.c services/modstack.c services/view.c \
-services/rpz.c \
+services/rpz.c util/rfc_1982.c \
 services/outbound_list.c services/outside_network.c util/alloc.c \
 util/config_file.c util/configlexer.c util/configparser.c \
 util/shm_side/shm_main.c services/authzone.c \
 util/fptr_wlist.c util/locks.c util/log.c util/mini_event.c util/module.c \
 util/netevent.c util/net_help.c util/random.c util/rbtree.c util/regional.c \
-util/rtt.c util/edns.c util/storage/dnstree.c util/storage/lookup3.c \
+util/rtt.c util/siphash.c util/edns.c util/storage/dnstree.c util/storage/lookup3.c \
 util/storage/lruhash.c util/storage/slabhash.c util/tcp_conn_limit.c \
-util/timehist.c util/tube.c util/proxy_protocol.c \
+util/timehist.c util/tube.c util/proxy_protocol.c util/timeval_func.c \
 util/ub_event.c util/ub_event_pluggable.c util/winsock_event.c \
 validator/autotrust.c validator/val_anchor.c validator/validator.c \
 validator/val_kcache.c validator/val_kentry.c validator/val_neg.c \
@@ -145,14 +145,14 @@ as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
 iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
 iter_scrub.lo iter_utils.lo localzone.lo mesh.lo modstack.lo view.lo \
 outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
-fptr_wlist.lo edns.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
+fptr_wlist.lo siphash.lo edns.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
 random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
 slabhash.lo tcp_conn_limit.lo timehist.lo tube.lo winsock_event.lo \
-autotrust.lo val_anchor.lo rpz.lo proxy_protocol.lo \
+autotrust.lo val_anchor.lo rpz.lo rfc_1982.lo proxy_protocol.lo \
 validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
 val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo $(CACHEDB_OBJ) authzone.lo \
 $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
-$(IPSECMOD_OBJ) $(IPSET_OBJ) $(DYNLIBMOD_OBJ) respip.lo
+$(IPSECMOD_OBJ) $(IPSET_OBJ) $(DYNLIBMOD_OBJ) respip.lo timeval_func.lo
 COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
 outside_network.lo
 COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo
@@ -198,7 +198,7 @@ CHECKCONF_OBJ=unbound-checkconf.lo worker_cb.lo
 CHECKCONF_OBJ_LINK=$(CHECKCONF_OBJ) $(COMMON_OBJ_ALL_SYMBOLS) $(SLDNS_OBJ) \
 $(COMPAT_OBJ) @WIN_CHECKCONF_OBJ_LINK@
 CONTROL_SRC=smallapp/unbound-control.c
-CONTROL_OBJ=unbound-control.lo 
+CONTROL_OBJ=unbound-control.lo
 CONTROL_OBJ_LINK=$(CONTROL_OBJ) worker_cb.lo $(COMMON_OBJ_ALL_SYMBOLS) \
 $(SLDNS_OBJ) $(COMPAT_OBJ) @WIN_CONTROL_OBJ_LINK@
 HOST_SRC=smallapp/unbound-host.c
@@ -455,6 +455,7 @@ unbound-dnstap-socket.lo unbound-dnstap-socket.o: $(srcdir)/dnstap/unbound-dnsta
 dynlibmod.lo dynlibdmod.o: $(srcdir)/dynlibmod/dynlibmod.c config.h $(srcdir)/dynlibmod/dynlibmod.h
 cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h $(srcdir)/cachedb/cachedb.h
 redis.lo redis.o: $(srcdir)/cachedb/redis.c config.h $(srcdir)/cachedb/redis.h
+timeval_func.lo timeval_func.o: $(srcdir)/util/timeval_func.c $(srcdir)/util/timeval_func.h
 
 # dnscrypt
 dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h \
@@ -498,6 +499,7 @@ util/configlexer.c:  $(srcdir)/util/configlexer.lex util/configparser.h
 		echo "#include \"util/configyyrename.h\"" >> $@ ;\
 		$(LEX) -t $(srcdir)/util/configlexer.lex >> $@ ;\
 	fi
+	@if test ! -f $@; then echo "No $@ : need flex and bison to compile from source repository"; exit 1; fi
 
 util/configparser.c util/configparser.h:  $(srcdir)/util/configparser.y
 	@-if test ! -d util; then $(INSTALL) -d util; fi
@@ -516,7 +518,7 @@ distclean: clean
 	rm -f doc/example.conf doc/libunbound.3 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound-control.8 doc/unbound.8 doc/unbound.conf.5 doc/unbound-host.1
 	rm -f smallapp/unbound-control-setup.sh dnstap/dnstap_config.h dnscrypt/dnscrypt_config.h contrib/libunbound.pc contrib/unbound.socket contrib/unbound.service
 	rm -f $(TEST_BIN)
-	rm -f Makefile 
+	rm -f Makefile
 
 maintainer-clean: distclean
 	rm -f util/configlexer.c util/configparser.c util/configparser.h
@@ -649,7 +651,7 @@ uninstall:	$(PYTHONMOD_UNINSTALL) $(PYUNBOUND_UNINSTALL) $(UNBOUND_EVENT_UNINSTA
 
 iana_update:
 	curl -o port-numbers.tmp https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml --compressed
-	if file port-numbers.tmp | grep 'gzip' >/dev/null; then zcat port-numbers.tmp; else cat port-numbers.tmp; fi | awk '/<record>/ {p=0;} /<protocol>udp/ {p=1;} /<protocol>[^u]/ {p=0;} /Decomissioned|Decommissioned|Removed|De-registered|unassigned|Unassigned|Reserved/ {u=1;} /<number>/ { if(u==1) {u=0;} else { if(p==1) { match($$0,/[0-9]+/); print substr($$0, RSTART, RLENGTH) ","}}}' | sort -nu > util/iana_ports.inc  
+	if file port-numbers.tmp | grep 'gzip' >/dev/null; then zcat port-numbers.tmp; else cat port-numbers.tmp; fi | awk '/<record>/ {p=0;} /<protocol>udp/ {p=1;} /<protocol>[^u]/ {p=0;} /Decomissioned|Decommissioned|Removed|De-registered|unassigned|Unassigned|Reserved/ {u=1;} /<number>/ { if(u==1) {u=0;} else { if(p==1) { match($$0,/[0-9]+/); print substr($$0, RSTART, RLENGTH) ","}}}' | sort -nu > util/iana_ports.inc
 	rm -f port-numbers.tmp
 
 # dependency generation
@@ -877,7 +879,7 @@ rpz.lo rpz.o: $(srcdir)/services/rpz.c config.h $(srcdir)/services/rpz.h $(srcdi
 outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \
  $(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- 
+
 outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c config.h \
  $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \
  $(srcdir)/dnscrypt/dnscrypt.h   \
@@ -915,7 +917,8 @@ config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/ut
 configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \
  $(srcdir)/util/config_file.h util/configparser.h
 configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/sldns/rrdef.h
 shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h $(srcdir)/util/shm_side/shm_main.h \
  $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
@@ -928,7 +931,7 @@ shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h $(srcdir)/ut
  $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \
  $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/rtt.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/tube.h
+ $(srcdir)/util/tube.h $(srcdir)/util/timeval_func.h
 authzone.lo authzone.o: $(srcdir)/services/authzone.c config.h $(srcdir)/services/authzone.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
  $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/data/msgparse.h \
@@ -983,7 +986,7 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/neteve
  $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \
  $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
  $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \
- $(srcdir)/dnstap/dnstap.h  $(srcdir)/services/listen_dnsport.h
+ $(srcdir)/dnstap/dnstap.h  $(srcdir)/services/listen_dnsport.h $(srcdir)/util/timeval_func.h
 proxy_protocol.lo proxy_protocol.o: $(srcdir)/util/proxy_protocol.c config.h \
  $(srcdir)/util/proxy_protocol.h $(srcdir)/sldns/sbuffer.h
 net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
@@ -1006,6 +1009,8 @@ rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h $(srcdir)/itera
  $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h
+siphash.lo siphash.o: $(srcdir)/util/siphash.c
+rfc_1982.lo rfc_1982.o: $(srcdir)/util/rfc_1982.c
 edns.lo edns.o: $(srcdir)/util/edns.c config.h $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
   $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/regional.h \
@@ -1186,7 +1191,7 @@ unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/r
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
   $(srcdir)/util/random.h $(srcdir)/respip/respip.h \
  $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/services/outside_network.h 
+ $(srcdir)/services/outside_network.h
 unitmsgparse.lo unitmsgparse.o: $(srcdir)/testcode/unitmsgparse.c config.h $(srcdir)/util/log.h \
  $(srcdir)/testcode/unitmain.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
@@ -1321,7 +1326,7 @@ unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $
 worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/timeval_func.h \
  $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
@@ -1343,7 +1348,7 @@ testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/test
  $(srcdir)/daemon/remote.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/daemon/daemon.h \
- $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
+ $(srcdir)/util/alloc.h $(srcdir)/util/timeval_func.h $(srcdir)/services/modstack.h  \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
@@ -1357,7 +1362,7 @@ testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcod
 worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/timeval_func.h \
  $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
@@ -1409,7 +1414,7 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s
  $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h
 replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-  $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h \
+  $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h $(srcdir)/util/timeval_func.h \
  $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
 fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/testcode/fake_event.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
@@ -1417,7 +1422,7 @@ fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/t
  $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h $(srcdir)/util/timeval_func.h \
   $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
  $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
  $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
diff --git a/contrib/unbound/README.md b/contrib/unbound/README.md
index c3d9bc2492ef..c220da030458 100644
--- a/contrib/unbound/README.md
+++ b/contrib/unbound/README.md
@@ -1,6 +1,6 @@
 # Unbound
 
-[![Travis Build Status](https://travis-ci.org/NLnetLabs/unbound.svg?branch=master)](https://travis-ci.org/NLnetLabs/unbound)
+[![Github Build Status](https://github.com/NLnetLabs/unbound/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/NLnetLabs/unbound/actions)
 [![Packaging status](https://repology.org/badge/tiny-repos/unbound.svg)](https://repology.org/project/unbound/versions)
 [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/unbound.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:unbound)
 [![Documentation Status](https://readthedocs.org/projects/unbound/badge/?version=latest)](https://unbound.readthedocs.io/en/latest/?badge=latest)
diff --git a/contrib/unbound/acx_nlnetlabs.m4 b/contrib/unbound/acx_nlnetlabs.m4
index cf436ec54bb6..f27615bd8bce 100644
--- a/contrib/unbound/acx_nlnetlabs.m4
+++ b/contrib/unbound/acx_nlnetlabs.m4
@@ -2,7 +2,9 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 44
+# Version 46
+# 2023-05-04 fix to remove unused whitespace.
+# 2023-01-26 fix -Wstrict-prototypes.
 # 2022-09-01 fix checking if nonblocking sockets work on OpenBSD.
 # 2021-08-17 fix sed script in ssldir split handling.
 # 2021-08-17 fix for openssl to detect split version, with ssldir_include
@@ -187,7 +189,7 @@ dnl cache=`echo $1 | sed 'y%.=/+- %___p__%'`
 AC_CACHE_VAL(cv_prog_cc_flag_needed_$cache,
 [
 echo '$2' > conftest.c
-echo 'void f(){}' >>conftest.c
+echo 'void f(void){}' >>conftest.c
 if test -z "`$CC $CPPFLAGS $CFLAGS $ERRFLAG -c conftest.c 2>&1`"; then
 eval "cv_prog_cc_flag_needed_$cache=no"
 else
@@ -233,7 +235,7 @@ dnl DEPFLAG: set to flag that generates dependencies.
 AC_DEFUN([ACX_DEPFLAG],
 [
 AC_MSG_CHECKING([$CC dependency flag])
-echo 'void f(){}' >conftest.c
+echo 'void f(void){}' >conftest.c
 if test "`$CC -MM conftest.c 2>&1`" = "conftest.o: conftest.c"; then
 	DEPFLAG="-MM"
 else 
@@ -272,7 +274,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAUL
 #include <getopt.h>
 #endif
 
-int test() {
+int test(void) {
 	int a;
 	char **opts = NULL;
 	struct timeval tv;
@@ -309,7 +311,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG -D__EXTENSIONS__ -D_BSD_SOURCE -D_DEFAUL
 #include <getopt.h>
 #endif
 
-int test() {
+int test(void) {
 	int a;
 	char **opts = NULL;
 	struct timeval tv;
@@ -335,7 +337,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED($C99FLAG,
 [
 #include <stdbool.h>
 #include <ctype.h>
-int test() {
+int test(void) {
         int a = 0;
         return a;
 }
@@ -345,7 +347,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED(-D_BSD_SOURCE -D_DEFAULT_SOURCE,
 [
 #include <ctype.h>
 
-int test() {
+int test(void) {
         int a;
         a = isascii(32);
         return a;
@@ -356,7 +358,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED(-D_GNU_SOURCE,
 [
 #include <netinet/in.h>
 
-int test() {
+int test(void) {
         struct in6_pktinfo inf;
 	int a = (int)sizeof(inf);
         return a;
@@ -370,7 +372,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED(-D_GNU_SOURCE -D_FRSRESGID,
 [
 #include <unistd.h>
 
-int test() {
+int test(void) {
 	int a = setresgid(0,0,0);
 	a = setresuid(0,0,0);
         return a;
@@ -385,7 +387,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED(-D_POSIX_C_SOURCE=200112,
 #endif
 #include <netdb.h>
 
-int test() {
+int test(void) {
         int a = 0;
         char *t;
         time_t time = 0;
@@ -413,7 +415,7 @@ ACX_CHECK_COMPILER_FLAG_NEEDED(-D__EXTENSIONS__,
 #include <getopt.h>
 #endif
 
-int test() {
+int test(void) {
         int a;
         char **opts = NULL;
         struct timeval tv;
@@ -475,7 +477,7 @@ fi
 dnl Setup ATTR_FORMAT config.h parts.
 dnl make sure you call ACX_CHECK_FORMAT_ATTRIBUTE also.
 AC_DEFUN([AHX_CONFIG_FORMAT_ATTRIBUTE],
-[ 
+[
 #ifdef HAVE_ATTR_FORMAT
 #  define ATTR_FORMAT(archetype, string_index, first_to_check) \
     __attribute__ ((format (archetype, string_index, first_to_check)))
@@ -834,7 +836,7 @@ dnl try to see if an additional _LARGEFILE_SOURCE 1 is needed to get fseeko
 ACX_CHECK_COMPILER_FLAG_NEEDED(-D_LARGEFILE_SOURCE=1,
 [
 #include <stdio.h>
-int test() {
+int test(void) {
         int a = fseeko(stdin, 0, 0);
         return a;
 }
@@ -859,7 +861,7 @@ char* (*f) () = getaddrinfo;
 #ifdef __cplusplus
 }
 #endif
-int main() {
+int main(void) {
         ;
         return 0;
 }
@@ -923,7 +925,7 @@ cache=`echo $1 | sed 'y%.=/+-%___p_%'`
 AC_CACHE_VAL(cv_cc_deprecated_$cache,
 [
 echo '$3' >conftest.c
-echo 'void f(){ $2 }' >>conftest.c
+echo 'void f(void){ $2 }' >>conftest.c
 if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e unavailable`"; then
 eval "cv_cc_deprecated_$cache=no"
 else
@@ -1317,7 +1319,7 @@ AC_DEFUN([AHX_CONFIG_W32_FD_SET_T],
 #ifdef HAVE_WINSOCK2_H
 #define FD_SET_T (u_int)
 #else
-#define FD_SET_T 
+#define FD_SET_T
 #endif
 ])
 
@@ -1355,7 +1357,7 @@ dnl $3: define value, 1
 AC_DEFUN([AHX_CONFIG_FLAG_OMITTED],
 [#if defined($1) && !defined($2)
 #define $2 $3
-[#]endif ])
+[#]endif])
 
 dnl Wrapper for AHX_CONFIG_FLAG_OMITTED for -D style flags
 dnl $1: the -DNAME or -DNAME=value string.
diff --git a/contrib/unbound/acx_python.m4 b/contrib/unbound/acx_python.m4
index 16c0c6fd943f..c945d6c8989e 100644
--- a/contrib/unbound/acx_python.m4
+++ b/contrib/unbound/acx_python.m4
@@ -17,33 +17,62 @@ AC_DEFUN([AC_PYTHON_DEVEL],[
 		PYTHON_VERSION=`$PYTHON -c "import sys; \
 			print(sys.version.split()[[0]])"`
 	fi
+	# calculate the version number components.
+	[
+	v="$PYTHON_VERSION"
+	PYTHON_VERSION_MAJOR=`echo $v | sed 's/[^0-9].*//'`
+	if test -z "$PYTHON_VERSION_MAJOR"; then PYTHON_VERSION_MAJOR="0"; fi
+	v=`echo $v | sed -e 's/^[0-9]*$//' -e 's/[0-9]*[^0-9]//'`
+	PYTHON_VERSION_MINOR=`echo $v | sed 's/[^0-9].*//'`
+	if test -z "$PYTHON_VERSION_MINOR"; then PYTHON_VERSION_MINOR="0"; fi
+	v=`echo $v | sed -e 's/^[0-9]*$//' -e 's/[0-9]*[^0-9]//'`
+	PYTHON_VERSION_PATCH=`echo $v | sed 's/[^0-9].*//'`
+	if test -z "$PYTHON_VERSION_PATCH"; then PYTHON_VERSION_PATCH="0"; fi
+	]
 
-	# Check if you have sysconfig
-	AC_MSG_CHECKING([for the sysconfig Python module])
-        if ac_sysconfig_result=`$PYTHON -c "import sysconfig" 2>&1`; then
+	# For some systems, sysconfig exists, but has the wrong paths,
+	# on Debian 10, for python 2.7 and 3.7. So, we check the version,
+	# and for older versions try distutils.sysconfig first. For newer
+	# versions>=3.10, where distutils.sysconfig is deprecated, use
+	# sysconfig first and then attempt the other one.
+	py_distutils_first="no"
+	if test $PYTHON_VERSION_MAJOR -lt 3; then
+		py_distutils_first="yes"
+	fi
+	if test $PYTHON_VERSION_MAJOR -eq 3 -a $PYTHON_VERSION_MINOR -lt 10; then
+		py_distutils_first="yes"
+	fi
+
+	# Check if you have the first module
+	if test "$py_distutils_first" = "yes"; then m="distutils"; else m="sysconfig"; fi
+	sysconfig_module=""
+	AC_MSG_CHECKING([for the $m Python module])
+        if ac_modulecheck_result1=`$PYTHON -c "import $m" 2>&1`; then
                 AC_MSG_RESULT([yes])
-		sysconfig_module="sysconfig"
-		# if yes, use sysconfig, because distutils is deprecated.
+		sysconfig_module="$m"
 	else
                 AC_MSG_RESULT([no])
-		# if no, try to use distutils
+	fi
 
-		#
-		# Check if you have distutils, else fail
-		#
-		AC_MSG_CHECKING([for the distutils Python package])
-		if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then
+	# if not found, try the other one.
+	if test -z "$sysconfig_module"; then
+		if test "$py_distutils_first" = "yes"; then m2="sysconfig"; else m2="distutils"; fi
+		AC_MSG_CHECKING([for the $m2 Python module])
+		if ac_modulecheck_result2=`$PYTHON -c "import $m2" 2>&1`; then
 			AC_MSG_RESULT([yes])
+			sysconfig_module="$m2"
 		else
 			AC_MSG_RESULT([no])
-			AC_MSG_ERROR([cannot import Python module "distutils".
-	Please check your Python installation. The error was:
-	$ac_distutils_result])
+			AC_MSG_ERROR([cannot import Python module "$m", or "$m2".
+	Please check your Python installation. The errors are:
+	$m
+	$ac_modulecheck_result1
+	$m2
+	$ac_modulecheck_result2])
 			PYTHON_VERSION=""
 		fi
-
-		sysconfig_module="distutils.sysconfig"
 	fi
+	if test "$sysconfig_module" = "distutils"; then sysconfig_module="distutils.sysconfig"; fi
 
         #
         # Check for Python include path
diff --git a/contrib/unbound/cachedb/cachedb.c b/contrib/unbound/cachedb/cachedb.c
index 245daa986967..30645268ca23 100644
--- a/contrib/unbound/cachedb/cachedb.c
+++ b/contrib/unbound/cachedb/cachedb.c
@@ -102,7 +102,6 @@ static int
 testframe_init(struct module_env* env, struct cachedb_env* cachedb_env)
 {
 	struct testframe_moddata* d;
-	(void)env;
 	verbose(VERB_ALGO, "testframe_init");
 	d = (struct testframe_moddata*)calloc(1,
 		sizeof(struct testframe_moddata));
@@ -111,6 +110,15 @@ testframe_init(struct module_env* env, struct cachedb_env* cachedb_env)
 		log_err("out of memory");
 		return 0;
 	}
+	/* Register an EDNS option (65534) to bypass the worker cache lookup
+	 * for testing */
+	if(!edns_register_option(LDNS_EDNS_UNBOUND_CACHEDB_TESTFRAME_TEST,
+		1 /* bypass cache */,
+		0 /* no aggregation */, env)) {
+		log_err("testframe_init, could not register test opcode");
+		free(d);
+		return 0;
+	}
 	lock_basic_init(&d->lock);
 	lock_protect(&d->lock, d, sizeof(*d));
 	return 1;
@@ -218,6 +226,8 @@ static int
 cachedb_apply_cfg(struct cachedb_env* cachedb_env, struct config_file* cfg)
 {
 	const char* backend_str = cfg->cachedb_backend;
+	if(!backend_str || *backend_str==0)
+		return 1;
 	cachedb_env->backend = cachedb_find_backend(backend_str);
 	if(!cachedb_env->backend) {
 		log_err("cachedb: cannot find backend name '%s'", backend_str);
@@ -228,7 +238,7 @@ cachedb_apply_cfg(struct cachedb_env* cachedb_env, struct config_file* cfg)
 	return 1;
 }
 
-int 
+int
 cachedb_init(struct module_env* env, int id)
 {
 	struct cachedb_env* cachedb_env = (struct cachedb_env*)calloc(1,
@@ -267,19 +277,16 @@ cachedb_init(struct module_env* env, int id)
 	return 1;
 }
 
-void 
+void
 cachedb_deinit(struct module_env* env, int id)
 {
 	struct cachedb_env* cachedb_env;
 	if(!env || !env->modinfo[id])
 		return;
 	cachedb_env = (struct cachedb_env*)env->modinfo[id];
-	/* free contents */
-	/* TODO */
 	if(cachedb_env->enabled) {
 		(*cachedb_env->backend->deinit)(env, cachedb_env);
 	}
-
 	free(cachedb_env);
 	env->modinfo[id] = NULL;
 }
@@ -406,6 +413,14 @@ prep_data(struct module_qstate* qstate, struct sldns_buffer* buf)
 	if(qstate->return_msg->rep->ttl == 0 &&
 		!qstate->env->cfg->serve_expired)
 		return 0;
+
+	/* The EDE is added to the out-list so it is encoded in the cached message */
+	if (qstate->env->cfg->ede && qstate->return_msg->rep->reason_bogus != LDNS_EDE_NONE) {
+		edns_opt_list_append_ede(&edns.opt_list_out, qstate->env->scratch,
+					qstate->return_msg->rep->reason_bogus,
+					qstate->return_msg->rep->reason_bogus_str);
+	}
+
 	if(verbosity >= VERB_ALGO)
 		log_dns_msg("cachedb encoding", &qstate->return_msg->qinfo,
 	                qstate->return_msg->rep);
@@ -502,6 +517,7 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
 {
 	struct msg_parse* prs;
 	struct edns_data edns;
+	struct edns_option* ede;
 	uint64_t timestamp, expiry;
 	time_t adjust;
 	size_t lim = sldns_buffer_limit(buf);
@@ -539,6 +555,24 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
 	if(!qstate->return_msg)
 		return 0;
 	
+	/* We find the EDE in the in-list after parsing */
+	if(qstate->env->cfg->ede &&
+		(ede = edns_opt_list_find(edns.opt_list_in, LDNS_EDNS_EDE))) {
+		if(ede->opt_len >= 2) {
+			qstate->return_msg->rep->reason_bogus =
+				sldns_read_uint16(ede->opt_data);
+		}
+		/* allocate space and store the error string and it's size */
+		if(ede->opt_len > 2) {
+			size_t ede_len = ede->opt_len - 2;
+			qstate->return_msg->rep->reason_bogus_str = regional_alloc(
+				qstate->region, sizeof(char) * (ede_len+1));
+			memcpy(qstate->return_msg->rep->reason_bogus_str,
+				ede->opt_data+2, ede_len);
+			qstate->return_msg->rep->reason_bogus_str[ede_len] = 0;
+		}
+	}
+
 	qstate->return_rcode = LDNS_RCODE_NOERROR;
 
 	/* see how much of the TTL expired, and remove it */
@@ -630,11 +664,15 @@ cachedb_extcache_store(struct module_qstate* qstate, struct cachedb_env* ie)
  * See if unbound's internal cache can answer the query
  */
 static int
-cachedb_intcache_lookup(struct module_qstate* qstate)
+cachedb_intcache_lookup(struct module_qstate* qstate, struct cachedb_env* cde)
 {
 	uint8_t* dpname=NULL;
 	size_t dpnamelen=0;
 	struct dns_msg* msg;
+	/* for testframe bypass this lookup */
+	if(cde->backend == &testframe_backend) {
+		return 0;
+	}
 	if(iter_stub_fwd_no_cache(qstate, &qstate->qinfo,
 		&dpname, &dpnamelen))
 		return 0; /* no cache for these queries */
@@ -693,6 +731,7 @@ cachedb_handle_query(struct module_qstate* qstate,
 	struct cachedb_qstate* ATTR_UNUSED(iq),
 	struct cachedb_env* ie, int id)
 {
+	qstate->is_cachedb_answer = 0;
 	/* check if we are enabled, and skip if so */
 	if(!ie->enabled) {
 		/* pass request to next module */
@@ -709,7 +748,7 @@ cachedb_handle_query(struct module_qstate* qstate,
 
 	/* lookup inside unbound's internal cache.
 	 * This does not look for expired entries. */
-	if(cachedb_intcache_lookup(qstate)) {
+	if(cachedb_intcache_lookup(qstate, ie)) {
 		if(verbosity >= VERB_ALGO) {
 			if(qstate->return_msg->rep)
 				log_dns_msg("cachedb internal cache lookup",
@@ -746,6 +785,7 @@ cachedb_handle_query(struct module_qstate* qstate,
 				qstate->ext_state[id] = module_wait_module;
 				return;
 		}
+		qstate->is_cachedb_answer = 1;
 		/* we are done with the query */
 		qstate->ext_state[id] = module_finished;
 		return;
@@ -768,6 +808,7 @@ static void
 cachedb_handle_response(struct module_qstate* qstate,
 	struct cachedb_qstate* ATTR_UNUSED(iq), struct cachedb_env* ie, int id)
 {
+	qstate->is_cachedb_answer = 0;
 	/* check if we are not enabled or instructed to not cache, and skip */
 	if(!ie->enabled || qstate->no_cache_store) {
 		/* we are done with the query */
diff --git a/contrib/unbound/cachedb/redis.c b/contrib/unbound/cachedb/redis.c
index 16c3741f786b..93a575a4c6d2 100644
--- a/contrib/unbound/cachedb/redis.c
+++ b/contrib/unbound/cachedb/redis.c
@@ -56,6 +56,8 @@ struct redis_moddata {
 	int numctxs;		/* number of ctx entries */
 	const char* server_host; /* server's IP address or host name */
 	int server_port;	 /* server's TCP port */
+	const char* server_path; /* server's unix path, or "", NULL if unused */
+	const char* server_password; /* server's AUTH password, or "", NULL if unused */
 	struct timeval timeout;	 /* timeout for connection setup and commands */
 };
 
@@ -67,8 +69,13 @@ redis_connect(const struct redis_moddata* moddata)
 {
 	redisContext* ctx;
 
-	ctx = redisConnectWithTimeout(moddata->server_host,
-		moddata->server_port, moddata->timeout);
+	if(moddata->server_path && moddata->server_path[0]!=0) {
+		ctx = redisConnectUnixWithTimeout(moddata->server_path,
+			moddata->timeout);
+	} else {
+		ctx = redisConnectWithTimeout(moddata->server_host,
+			moddata->server_port, moddata->timeout);
+	}
 	if(!ctx || ctx->err) {
 		const char *errstr = "out of memory";
 		if(ctx)
@@ -80,6 +87,17 @@ redis_connect(const struct redis_moddata* moddata)
 		log_err("failed to set redis timeout");
 		goto fail;
 	}
+	if(moddata->server_password && moddata->server_password[0]!=0) {
+		redisReply* rep;
+		rep = redisCommand(ctx, "AUTH %s", moddata->server_password);
+		if(!rep || rep->type == REDIS_REPLY_ERROR) {
+			log_err("failed to authenticate with password");
+			freeReplyObject(rep);
+			goto fail;
+		}
+		freeReplyObject(rep);
+	}
+	verbose(VERB_OPS, "Connection to Redis established");
 	return ctx;
 
   fail:
@@ -94,7 +112,7 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env)
 	int i;
 	struct redis_moddata* moddata = NULL;
 
-	verbose(VERB_ALGO, "redis_init");
+	verbose(VERB_OPS, "Redis initialization");
 
 	moddata = calloc(1, sizeof(struct redis_moddata));
 	if(!moddata) {
@@ -112,6 +130,8 @@ redis_init(struct module_env* env, struct cachedb_env* cachedb_env)
 	 * we don't have to free it in this module. */
 	moddata->server_host = env->cfg->redis_server_host;
 	moddata->server_port = env->cfg->redis_server_port;
+	moddata->server_path = env->cfg->redis_server_path;
+	moddata->server_password = env->cfg->redis_server_password;
 	moddata->timeout.tv_sec = env->cfg->redis_timeout / 1000;
 	moddata->timeout.tv_usec = (env->cfg->redis_timeout % 1000) * 1000;
 	for(i = 0; i < moddata->numctxs; i++)
@@ -154,7 +174,7 @@ redis_deinit(struct module_env* env, struct cachedb_env* cachedb_env)
 		cachedb_env->backend_data;
 	(void)env;
 
-	verbose(VERB_ALGO, "redis_deinit");
+	verbose(VERB_OPS, "Redis deinitialization");
 
 	if(!moddata)
 		return;
diff --git a/contrib/unbound/compat/getentropy_solaris.c b/contrib/unbound/compat/getentropy_solaris.c
index 5e3b1cbbbd30..1ff8162917b3 100644
--- a/contrib/unbound/compat/getentropy_solaris.c
+++ b/contrib/unbound/compat/getentropy_solaris.c
@@ -47,7 +47,7 @@
 #define SHA512_Update SHA512Update
 #define SHA512_Final SHA512Final
 #else
-#include "openssl/sha.h"
+#include <openssl/sha.h>
 #endif
 
 #include <sys/vfs.h>
diff --git a/contrib/unbound/config.guess b/contrib/unbound/config.guess
index 980b02083815..b187213930f1 100755
--- a/contrib/unbound/config.guess
+++ b/contrib/unbound/config.guess
@@ -1,10 +1,10 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
-#   Copyright 1992-2022 Free Software Foundation, Inc.
+#   Copyright 1992-2023 Free Software Foundation, Inc.
 
 # shellcheck disable=SC2006,SC2268 # see below for rationale
 
-timestamp='2022-09-17'
+timestamp='2023-07-20'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -47,7 +47,7 @@ me=`echo "$0" | sed -e 's,.*/,,'`
 usage="\
 Usage: $0 [OPTION]
 
-Output the configuration name of the system \`$me' is run on.
+Output the configuration name of the system '$me' is run on.
 
 Options:
   -h, --help         print this help, then exit
@@ -60,13 +60,13 @@ version="\
 GNU config.guess ($timestamp)
 
 Originally written by Per Bothner.
-Copyright 1992-2022 Free Software Foundation, Inc.
+Copyright 1992-2023 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
 
 help="
-Try \`$me --help' for more information."
+Try '$me --help' for more information."
 
 # Parse command line
 while test $# -gt 0 ; do
@@ -102,8 +102,8 @@ GUESS=
 # temporary files to be created and, as you can see below, it is a
 # headache to deal with in a portable fashion.
 
-# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
-# use `HOST_CC' if defined, but it is deprecated.
+# Historically, 'CC_FOR_BUILD' used to be named 'HOST_CC'. We still
+# use 'HOST_CC' if defined, but it is deprecated.
 
 # Portable tmp directory creation inspired by the Autoconf team.
 
@@ -459,7 +459,7 @@ case $UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION in
 		UNAME_RELEASE=`uname -v`
 		;;
 	esac
-	# Japanese Language versions have a version number like `4.1.3-JL'.
+	# Japanese Language versions have a version number like '4.1.3-JL'.
 	SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/-/_/'`
 	GUESS=sparc-sun-sunos$SUN_REL
 	;;
@@ -976,7 +976,27 @@ EOF
 	GUESS=$UNAME_MACHINE-unknown-minix
 	;;
     aarch64:Linux:*:*)
-	GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
+	set_cc_for_build
+	CPU=$UNAME_MACHINE
+	LIBCABI=$LIBC
+	if test "$CC_FOR_BUILD" != no_compiler_found; then
+	    ABI=64
+	    sed 's/^	    //' << EOF > "$dummy.c"
+	    #ifdef __ARM_EABI__
+	    #ifdef __ARM_PCS_VFP
+	    ABI=eabihf
+	    #else
+	    ABI=eabi
+	    #endif
+	    #endif
+EOF
+	    cc_set_abi=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^ABI' | sed 's, ,,g'`
+	    eval "$cc_set_abi"
+	    case $ABI in
+		eabi | eabihf) CPU=armv8l; LIBCABI=$LIBC$ABI ;;
+	    esac
+	fi
+	GUESS=$CPU-unknown-linux-$LIBCABI
 	;;
     aarch64_be:Linux:*:*)
 	UNAME_MACHINE=aarch64_be
@@ -1042,6 +1062,15 @@ EOF
     k1om:Linux:*:*)
 	GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
 	;;
+    kvx:Linux:*:*)
+	GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
+	;;
+    kvx:cos:*:*)
+	GUESS=$UNAME_MACHINE-unknown-cos
+	;;
+    kvx:mbr:*:*)
+	GUESS=$UNAME_MACHINE-unknown-mbr
+	;;
     loongarch32:Linux:*:* | loongarch64:Linux:*:*)
 	GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
 	;;
@@ -1197,7 +1226,7 @@ EOF
 	GUESS=$UNAME_MACHINE-pc-sysv4.2uw$UNAME_VERSION
 	;;
     i*86:OS/2:*:*)
-	# If we were able to find `uname', then EMX Unix compatibility
+	# If we were able to find 'uname', then EMX Unix compatibility
 	# is probably installed.
 	GUESS=$UNAME_MACHINE-pc-os2-emx
 	;;
@@ -1338,7 +1367,7 @@ EOF
 		GUESS=ns32k-sni-sysv
 	fi
 	;;
-    PENTIUM:*:4.0*:*)	# Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+    PENTIUM:*:4.0*:*)	# Unisys 'ClearPath HMP IX 4000' SVR4/MP effort
 			# says <Richard.M.Bartel@ccMail.Census.GOV>
 	GUESS=i586-unisys-sysv4
 	;;
diff --git a/contrib/unbound/config.h.in b/contrib/unbound/config.h.in
index 2caecf30d040..f31354d01408 100644
*** 18537 LINES SKIPPED ***