git: d4ed4b457f2e - stable/12 - unbound: Vendor import 1.16.1

From: Cy Schubert <cy_at_FreeBSD.org>
Date: Tue, 09 Aug 2022 13:31:53 UTC
The branch stable/12 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=d4ed4b457f2e1252994b1400acbbf9403ab674ce

commit d4ed4b457f2e1252994b1400acbbf9403ab674ce
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-07-13 19:30:14 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-08-09 13:31:19 +0000

    unbound: Vendor import 1.16.1
    
    Merge commit 'd57351465531b38689892ec862de2725b52842dd' into unbound/main2
    
    (cherry picked from commit 0a92a9fca737edafbad03ee5a8efebe302851cff)
---
 contrib/unbound/Makefile.in                        |  12 +-
 contrib/unbound/config.h.in                        |   4 +
 contrib/unbound/configure                          | 109 ++++-
 contrib/unbound/configure.ac                       |  11 +-
 contrib/unbound/contrib/metrics.awk                |   1 +
 contrib/unbound/contrib/unbound_munin_             |   3 +-
 contrib/unbound/daemon/daemon.c                    |   2 +-
 contrib/unbound/daemon/remote.c                    |   2 +
 contrib/unbound/daemon/stats.c                     |   2 +
 contrib/unbound/daemon/worker.c                    |  24 +-
 contrib/unbound/doc/Changelog                      |  80 ++-
 contrib/unbound/doc/README                         |   2 +-
 contrib/unbound/doc/example.conf.in                |   6 +-
 contrib/unbound/doc/libunbound.3.in                |   4 +-
 contrib/unbound/doc/unbound-anchor.8.in            |   2 +-
 contrib/unbound/doc/unbound-checkconf.8.in         |   2 +-
 contrib/unbound/doc/unbound-control.8.in           |   6 +-
 contrib/unbound/doc/unbound-host.1.in              |   2 +-
 contrib/unbound/doc/unbound.8.in                   |   6 +-
 contrib/unbound/doc/unbound.conf.5.in              |  10 +-
 contrib/unbound/edns-subnet/subnetmod.c            |  49 +-
 contrib/unbound/edns-subnet/subnetmod.h            |   5 +-
 contrib/unbound/iterator/iter_delegpt.c            |  21 +-
 contrib/unbound/iterator/iter_delegpt.h            |   3 +-
 contrib/unbound/iterator/iter_utils.c              |   6 +-
 contrib/unbound/iterator/iterator.c                | 204 ++++++--
 contrib/unbound/iterator/iterator.h                |  29 +-
 contrib/unbound/libunbound/unbound.h               |   2 +
 contrib/unbound/services/authzone.c                |   4 +-
 contrib/unbound/services/mesh.c                    |   3 +-
 contrib/unbound/services/outside_network.c         |  12 +-
 contrib/unbound/services/outside_network.h         |   2 +
 contrib/unbound/sldns/parse.c                      |  55 ++-
 contrib/unbound/smallapp/unbound-control.c         |   2 +
 contrib/unbound/testcode/readzone.c                | 158 ------
 contrib/unbound/testcode/unittcpreuse.c            | 236 ---------
 contrib/unbound/testcode/unitzonemd.c              | 537 ---------------------
 contrib/unbound/testdata/auth_zonemd_anchor.rpl    | 234 ---------
 .../unbound/testdata/auth_zonemd_anchor_fail.rpl   | 236 ---------
 contrib/unbound/testdata/auth_zonemd_chain.rpl     | 234 ---------
 .../unbound/testdata/auth_zonemd_chain_fail.rpl    | 236 ---------
 contrib/unbound/testdata/auth_zonemd_file.rpl      | 183 -------
 contrib/unbound/testdata/auth_zonemd_file_fail.rpl | 185 -------
 .../unbound/testdata/auth_zonemd_file_unknown.rpl  | 184 -------
 contrib/unbound/testdata/auth_zonemd_insecure.rpl  | 215 ---------
 .../testdata/auth_zonemd_insecure_absent.rpl       | 217 ---------
 .../auth_zonemd_insecure_absent_reject.rpl         | 218 ---------
 .../unbound/testdata/auth_zonemd_insecure_fail.rpl | 218 ---------
 contrib/unbound/testdata/auth_zonemd_nokey.rpl     | 212 --------
 .../testdata/auth_zonemd_permissive_mode.rpl       | 187 -------
 contrib/unbound/testdata/auth_zonemd_xfr.rpl       | 238 ---------
 .../unbound/testdata/auth_zonemd_xfr_anchor.rpl    | 285 -----------
 .../testdata/auth_zonemd_xfr_anchor_fail.rpl       | 266 ----------
 contrib/unbound/testdata/auth_zonemd_xfr_chain.rpl | 310 ------------
 .../testdata/auth_zonemd_xfr_chain_fail.rpl        | 321 ------------
 .../testdata/auth_zonemd_xfr_chain_keyinxfr.rpl    | 315 ------------
 contrib/unbound/testdata/auth_zonemd_xfr_fail.rpl  | 241 ---------
 contrib/unbound/testdata/ede.tdir/bogus/clean.sh   |   1 -
 .../testdata/ede.tdir/bogus/dnskey-failures.test   |  10 -
 .../testdata/ede.tdir/bogus/dnssec-failures.test   |  15 -
 .../testdata/ede.tdir/bogus/make-broken-zone.sh    |  67 ---
 .../testdata/ede.tdir/bogus/nsec-failures.test     |  10 -
 .../testdata/ede.tdir/bogus/rrsig-failures.test    |  10 -
 contrib/unbound/testdata/ede.tdir/ede-auth.conf    |  27 --
 contrib/unbound/testdata/ede.tdir/ede.conf         |  49 --
 contrib/unbound/testdata/ede.tdir/ede.dsc          |  16 -
 contrib/unbound/testdata/ede.tdir/ede.post         |  10 -
 contrib/unbound/testdata/ede.tdir/ede.pre          |  37 --
 contrib/unbound/testdata/ede.tdir/ede.test         |  72 ---
 contrib/unbound/testdata/ede_acl_refused.rpl       |  35 --
 .../unbound/testdata/ede_cache_snoop_noth_auth.rpl |  33 --
 .../testdata/ede_localzone_dname_expansion.rpl     |  37 --
 .../testdata/edns_attached_once_per_upstream.rpl   |  90 ----
 contrib/unbound/testdata/fwd_error_retries.rpl     |  27 --
 .../fwd_udp_with_tcp_upstream.conf                 |  20 -
 .../fwd_udp_with_tcp_upstream.dsc                  |  16 -
 .../fwd_udp_with_tcp_upstream.post                 |  10 -
 .../fwd_udp_with_tcp_upstream.pre                  |  31 --
 .../fwd_udp_with_tcp_upstream.test                 |  35 --
 .../fwd_udp_with_tcp_upstream.testns               |  25 -
 .../127.0.0.1/example.com.zone                     |   3 -
 .../http_user_agent.tdir/http_user_agent.conf      |  24 -
 .../http_user_agent.tdir/http_user_agent.dsc       |  16 -
 .../http_user_agent.tdir/http_user_agent.post      |  11 -
 .../http_user_agent.tdir/http_user_agent.pre       |  37 --
 .../http_user_agent.tdir/http_user_agent.test      | 103 ----
 .../testdata/http_user_agent.tdir/petal.key        |  21 -
 .../testdata/http_user_agent.tdir/petal.pem        |  14 -
 .../http_user_agent.tdir/unbound_control.key       |  39 --
 .../http_user_agent.tdir/unbound_control.pem       |  22 -
 .../http_user_agent.tdir/unbound_server.key        |  39 --
 .../http_user_agent.tdir/unbound_server.pem        |  22 -
 contrib/unbound/testdata/ipset.tdir/ipset.conf     |  23 -
 contrib/unbound/testdata/ipset.tdir/ipset.dsc      |  16 -
 contrib/unbound/testdata/ipset.tdir/ipset.post     |  14 -
 contrib/unbound/testdata/ipset.tdir/ipset.pre      |  33 --
 contrib/unbound/testdata/ipset.tdir/ipset.test     | 155 ------
 contrib/unbound/testdata/ipset.tdir/ipset.testns   | 103 ----
 contrib/unbound/testdata/iter_cname_minimise.rpl   | 179 -------
 contrib/unbound/testdata/iter_dp_ip6useless.rpl    | 168 -------
 contrib/unbound/testdata/nsid_bogus.rpl            | 175 -------
 .../unbound/testdata/ratelimit.tdir/ratelimit.conf |  29 --
 .../unbound/testdata/ratelimit.tdir/ratelimit.dsc  |  16 -
 .../unbound/testdata/ratelimit.tdir/ratelimit.post |  14 -
 .../unbound/testdata/ratelimit.tdir/ratelimit.pre  |  33 --
 .../unbound/testdata/ratelimit.tdir/ratelimit.test | 183 -------
 .../testdata/ratelimit.tdir/ratelimit.testns       |  13 -
 .../testdata/ratelimit.tdir/unbound_control.key    |  39 --
 .../testdata/ratelimit.tdir/unbound_control.pem    |  22 -
 .../testdata/ratelimit.tdir/unbound_server.key     |  39 --
 .../testdata/ratelimit.tdir/unbound_server.pem     |  22 -
 contrib/unbound/testdata/rpz_clientip.rpl          | 264 ----------
 contrib/unbound/testdata/rpz_nsdname.rpl           | 390 ---------------
 contrib/unbound/testdata/rpz_nsip.rpl              | 408 ----------------
 contrib/unbound/testdata/rpz_passthru.rpl          | 154 ------
 contrib/unbound/testdata/rpz_qname_tcponly.rpl     | 117 -----
 contrib/unbound/testdata/rpz_respip_tcponly.rpl    | 207 --------
 contrib/unbound/testdata/rpz_rootwc.rpl            | 162 -------
 .../unbound/testdata/rpz_signal_nxdomain_ra.rpl    | 254 ----------
 .../stub_udp_with_tcp_upstream.conf                |  19 -
 .../stub_udp_with_tcp_upstream.dsc                 |  16 -
 .../stub_udp_with_tcp_upstream.post                |  10 -
 .../stub_udp_with_tcp_upstream.pre                 |  35 --
 .../stub_udp_with_tcp_upstream.test                |  37 --
 .../stub_udp_with_tcp_upstream.testns              |  48 --
 contrib/unbound/testdata/subnet_prefetch.crpl      | 215 ---------
 .../testdata/subnet_prefetch_with_client_ecs.crpl  | 221 ---------
 .../testdata/svcb.tdir/crypto.cloudflare.com.zone  |   9 -
 contrib/unbound/testdata/svcb.tdir/svcb.dsc        |  16 -
 .../testdata/svcb.tdir/svcb.failure-cases-01       |   9 -
 .../testdata/svcb.tdir/svcb.failure-cases-02       |   8 -
 .../testdata/svcb.tdir/svcb.failure-cases-03       |   8 -
 .../testdata/svcb.tdir/svcb.failure-cases-04       |   8 -
 .../testdata/svcb.tdir/svcb.success-cases.zone     |  47 --
 .../testdata/svcb.tdir/svcb.success-cases.zone.cmp |  10 -
 contrib/unbound/testdata/svcb.tdir/svcb.test       |  97 ----
 .../testdata/svcb.tdir/svcb.test-vectors-pf.zone   |  92 ----
 .../testdata/svcb.tdir/svcb.test-vectors-wf.zone   | 232 ---------
 contrib/unbound/testdata/zonemd.example1.zone      |   4 -
 contrib/unbound/testdata/zonemd.example10.zone     |  35 --
 contrib/unbound/testdata/zonemd.example11.zone     |  33 --
 contrib/unbound/testdata/zonemd.example12.zone     |  35 --
 contrib/unbound/testdata/zonemd.example13.zone     |  33 --
 contrib/unbound/testdata/zonemd.example14.zone     |  35 --
 contrib/unbound/testdata/zonemd.example15.zone     |  35 --
 contrib/unbound/testdata/zonemd.example16.zone     |  11 -
 contrib/unbound/testdata/zonemd.example17.zone     |  11 -
 contrib/unbound/testdata/zonemd.example2.zone      |  15 -
 contrib/unbound/testdata/zonemd.example3.zone      |  34 --
 contrib/unbound/testdata/zonemd.example4.zone      |  36 --
 contrib/unbound/testdata/zonemd.example5.zone      |  34 --
 contrib/unbound/testdata/zonemd.example6.zone      |  36 --
 contrib/unbound/testdata/zonemd.example7.zone      |  31 --
 contrib/unbound/testdata/zonemd.example8.zone      |  34 --
 contrib/unbound/testdata/zonemd.example9.zone      |  35 --
 contrib/unbound/testdata/zonemd.example_a1.zone    |   6 -
 contrib/unbound/testdata/zonemd.example_a2.zone    |  25 -
 contrib/unbound/testdata/zonemd.example_a3.zone    |  30 --
 contrib/unbound/testdata/zonemd.example_a4.zone    | 127 -----
 contrib/unbound/testdata/zonemd.example_a5.zone    |  48 --
 .../testdata/zonemd_reload.tdir/zonemd_reload.conf |  23 -
 .../testdata/zonemd_reload.tdir/zonemd_reload.dsc  |  16 -
 .../testdata/zonemd_reload.tdir/zonemd_reload.post |  14 -
 .../testdata/zonemd_reload.tdir/zonemd_reload.pre  |  35 --
 .../testdata/zonemd_reload.tdir/zonemd_reload.test |  74 ---
 .../zonemd_reload.tdir/zonemd_reload.testns        |  27 --
 .../testdata/zonemd_reload.tdir/zonemd_reload.zone |   8 -
 contrib/unbound/util/iana_ports.inc                |   9 +
 contrib/unbound/util/net_help.c                    |  10 +-
 contrib/unbound/validator/val_secalgo.c            | 127 +++--
 contrib/unbound/validator/val_sigcrypt.c           | 148 +++---
 contrib/unbound/validator/val_utils.c              |   2 +-
 172 files changed, 728 insertions(+), 12244 deletions(-)

diff --git a/contrib/unbound/Makefile.in b/contrib/unbound/Makefile.in
index 7dbe5760033b..3189731ad52f 100644
--- a/contrib/unbound/Makefile.in
+++ b/contrib/unbound/Makefile.in
@@ -345,14 +345,12 @@ test:	unittest$(EXEEXT) testbound$(EXEEXT)
 	./unittest$(EXEEXT)
 	./testbound$(EXEEXT) -s
 	for x in $(srcdir)/testdata/*.rpl; do \
-		printf "%s" "$$x "; \
-		if ./testbound$(EXEEXT) -p $$x >/dev/null 2>&1; then \
-			echo OK; \
+		output=`./testbound$(EXEEXT) -p $$x -o -vvvvv 2>&1`; \
+		if test $$? -eq 0; then \
+			printf "%s OK\n" "$$x "; \
 		else \
-			echo failed; \
-			./testbound$(EXEEXT) -p $$x -o -vvvvv; \
-			printf "%s" "$$x "; \
-			echo failed; \
+			printf "%s\n" "$$output "; \
+			printf "%s failed\n" "$$x "; \
 			exit 1; \
 		fi; \
 	done
diff --git a/contrib/unbound/config.h.in b/contrib/unbound/config.h.in
index a080dde0da2e..cc1fbe864818 100644
--- a/contrib/unbound/config.h.in
+++ b/contrib/unbound/config.h.in
@@ -222,6 +222,10 @@
 /* Define to 1 if you have the `EVP_cleanup' function. */
 #undef HAVE_EVP_CLEANUP
 
+/* Define to 1 if you have the `EVP_default_properties_is_fips_enabled'
+   function. */
+#undef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
+
 /* Define to 1 if you have the `EVP_DigestVerify' function. */
 #undef HAVE_EVP_DIGESTVERIFY
 
diff --git a/contrib/unbound/configure b/contrib/unbound/configure
index a9ec94479b55..0029d5b42782 100755
--- a/contrib/unbound/configure
+++ b/contrib/unbound/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.16.0.
+# Generated by GNU Autoconf 2.69 for unbound 1.16.1.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.16.0'
-PACKAGE_STRING='unbound 1.16.0'
+PACKAGE_VERSION='1.16.1'
+PACKAGE_STRING='unbound 1.16.1'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
 
@@ -1477,7 +1477,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.16.0 to adapt to many kinds of systems.
+\`configure' configures unbound 1.16.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1543,7 +1543,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.16.0:";;
+     short | recursive ) echo "Configuration of unbound 1.16.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1785,7 +1785,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.16.0
+unbound configure 1.16.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2494,7 +2494,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.16.0, which was
+It was created by unbound $as_me 1.16.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2846,11 +2846,11 @@ UNBOUND_VERSION_MAJOR=1
 
 UNBOUND_VERSION_MINOR=16
 
-UNBOUND_VERSION_MICRO=0
+UNBOUND_VERSION_MICRO=1
 
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=16
+LIBUNBOUND_REVISION=17
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2934,6 +2934,7 @@ LIBUNBOUND_AGE=1
 # 1.14.0 had 9:14:1
 # 1.15.0 had 9:15:1
 # 1.16.0 had 9:16:1
+# 1.16.1 had 9:17:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -18545,7 +18546,7 @@ fi
 
 done
 
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -19967,7 +19968,46 @@ if test x_$enable_static_exe = x_yes; then
 		else
 			LIBS="$LIBS -lgdi32"
 		fi
-		LIBS="$LIBS -lz"
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for compress in -lz" >&5
+$as_echo_n "checking for compress in -lz... " >&6; }
+if ${ac_cv_lib_z_compress+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lz  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char compress ();
+int
+main ()
+{
+return compress ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_z_compress=yes
+else
+  ac_cv_lib_z_compress=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_z_compress" >&5
+$as_echo "$ac_cv_lib_z_compress" >&6; }
+if test "x$ac_cv_lib_z_compress" = xyes; then :
+   LIBS="$LIBS -lz"
+fi
+
 		LIBS="$LIBS -l:libssp.a"
 	fi
 fi
@@ -19987,7 +20027,46 @@ if test x_$enable_fully_static = x_yes; then
 		else
 			LIBS="$LIBS -lgdi32"
 		fi
-		LIBS="$LIBS -lz"
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for compress in -lz" >&5
+$as_echo_n "checking for compress in -lz... " >&6; }
+if ${ac_cv_lib_z_compress+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lz  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char compress ();
+int
+main ()
+{
+return compress ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_z_compress=yes
+else
+  ac_cv_lib_z_compress=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_z_compress" >&5
+$as_echo "$ac_cv_lib_z_compress" >&6; }
+if test "x$ac_cv_lib_z_compress" = xyes; then :
+   LIBS="$LIBS -lz"
+fi
+
 		LIBS="$LIBS -l:libssp.a"
 	fi
 fi
@@ -21934,7 +22013,7 @@ _ACEOF
 
 
 
-version=1.16.0
+version=1.16.1
 
 date=`date +'%b %e, %Y'`
 
@@ -22453,7 +22532,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.16.0, which was
+This file was extended by unbound $as_me 1.16.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22519,7 +22598,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.16.0
+unbound config.status 1.16.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/contrib/unbound/configure.ac b/contrib/unbound/configure.ac
index 1453b3a2fe29..e41c811ae826 100644
--- a/contrib/unbound/configure.ac
+++ b/contrib/unbound/configure.ac
@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[16])
-m4_define([VERSION_MICRO],[0])
+m4_define([VERSION_MICRO],[1])
 AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=16
+LIBUNBOUND_REVISION=17
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -102,6 +102,7 @@ LIBUNBOUND_AGE=1
 # 1.14.0 had 9:14:1
 # 1.15.0 had 9:15:1
 # 1.16.0 had 9:16:1
+# 1.16.1 had 9:17:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -906,7 +907,7 @@ else
 	AC_MSG_RESULT([no])
 fi
 AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
 
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
@@ -1499,7 +1500,7 @@ if test x_$enable_static_exe = x_yes; then
 		else
 			LIBS="$LIBS -lgdi32"
 		fi
-		LIBS="$LIBS -lz"
+		AC_CHECK_LIB([z], [compress], [ LIBS="$LIBS -lz" ])
 		LIBS="$LIBS -l:libssp.a"
 	fi
 fi
@@ -1516,7 +1517,7 @@ if test x_$enable_fully_static = x_yes; then
 		else
 			LIBS="$LIBS -lgdi32"
 		fi
-		LIBS="$LIBS -lz"
+		AC_CHECK_LIB([z], [compress], [ LIBS="$LIBS -lz" ])
 		LIBS="$LIBS -l:libssp.a"
 	fi
 fi
diff --git a/contrib/unbound/contrib/metrics.awk b/contrib/unbound/contrib/metrics.awk
index 5a7a2569c29a..ca48c035aa0e 100644
--- a/contrib/unbound/contrib/metrics.awk
+++ b/contrib/unbound/contrib/metrics.awk
@@ -28,6 +28,7 @@ END {
 	print "unbound_hits_queries{type=\"total.num.prefetch\"} " val["total.num.prefetch"];
 	print "unbound_hits_queries{type=\"num.query.tcp\"} " val["num.query.tcp"];
 	print "unbound_hits_queries{type=\"num.query.tcpout\"} " val["num.query.tcpout"];
+	print "unbound_hits_queries{type=\"num.query.udpout\"} " val["num.query.udpout"];
 	print "unbound_hits_queries{type=\"num.query.tls\"} " val["num.query.tls"];
 	print "unbound_hits_queries{type=\"num.query.tls.resume\"} " val["num.query.tls.resume"];
 	print "unbound_hits_queries{type=\"num.query.ipv6\"} " val["num.query.ipv6"];
diff --git a/contrib/unbound/contrib/unbound_munin_ b/contrib/unbound/contrib/unbound_munin_
index 5037527580e2..a756a5d1ca20 100755
--- a/contrib/unbound/contrib/unbound_munin_
+++ b/contrib/unbound/contrib/unbound_munin_
@@ -253,6 +253,7 @@ if test "$1" = "config" ; then
 		p_config "total.num.prefetch" "cache prefetch" "ABSOLUTE"
 		p_config "num.query.tcp" "TCP queries" "ABSOLUTE"
 		p_config "num.query.tcpout" "TCP out queries" "ABSOLUTE"
+		p_config "num.query.udpout" "UDP out queries" "ABSOLUTE"
 		p_config "num.query.tls" "TLS queries" "ABSOLUTE"
 		p_config "num.query.tls.resume" "TLS resumes" "ABSOLUTE"
 		p_config "num.query.ipv6" "IPv6 queries" "ABSOLUTE"
@@ -452,7 +453,7 @@ hits)
 	for x in `grep "^thread[0-9][0-9]*\.num\.queries=" $state |
 		sed -e 's/=.*//'` total.num.queries \
 		total.num.cachehits total.num.prefetch num.query.tcp \
-		num.query.tcpout num.query.tls num.query.tls.resume \
+		num.query.tcpout num.query.udpout num.query.tls num.query.tls.resume \
 		num.query.ipv6 unwanted.queries \
 		unwanted.replies; do
 		if grep "^"$x"=" $state >/dev/null 2>&1; then
diff --git a/contrib/unbound/daemon/daemon.c b/contrib/unbound/daemon/daemon.c
index 0e3923b4e9f2..4ed531855ee6 100644
--- a/contrib/unbound/daemon/daemon.c
+++ b/contrib/unbound/daemon/daemon.c
@@ -795,7 +795,7 @@ daemon_delete(struct daemon* daemon)
 	ub_c_lex_destroy();
 	/* libcrypto cleanup */
 #ifdef HAVE_SSL
-#  if defined(USE_GOST) && defined(HAVE_LDNS_KEY_EVP_UNLOAD_GOST)
+#  if defined(USE_GOST)
 	sldns_key_EVP_unload_gost();
 #  endif
 #  if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS && HAVE_DECL_SK_SSL_COMP_POP_FREE
diff --git a/contrib/unbound/daemon/remote.c b/contrib/unbound/daemon/remote.c
index 675ef43970d1..ec7a4d5d93f4 100644
--- a/contrib/unbound/daemon/remote.c
+++ b/contrib/unbound/daemon/remote.c
@@ -988,6 +988,8 @@ print_ext(RES* ssl, struct ub_stats_info* s)
 		(unsigned long)s->svr.qtcp)) return 0;
 	if(!ssl_printf(ssl, "num.query.tcpout"SQ"%lu\n", 
 		(unsigned long)s->svr.qtcp_outgoing)) return 0;
+	if(!ssl_printf(ssl, "num.query.udpout"SQ"%lu\n",
+		(unsigned long)s->svr.qudp_outgoing)) return 0;
 	if(!ssl_printf(ssl, "num.query.tls"SQ"%lu\n", 
 		(unsigned long)s->svr.qtls)) return 0;
 	if(!ssl_printf(ssl, "num.query.tls.resume"SQ"%lu\n", 
diff --git a/contrib/unbound/daemon/stats.c b/contrib/unbound/daemon/stats.c
index d08f18dbb137..57c42827161c 100644
--- a/contrib/unbound/daemon/stats.c
+++ b/contrib/unbound/daemon/stats.c
@@ -281,6 +281,7 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 	/* values from outside network */
 	s->svr.unwanted_replies = (long long)worker->back->unwanted_replies;
 	s->svr.qtcp_outgoing = (long long)worker->back->num_tcp_outgoing;
+	s->svr.qudp_outgoing = (long long)worker->back->num_udp_outgoing;
 
 	/* get and reset validator rrset bogus number */
 	s->svr.rrset_bogus = (long long)get_rrset_bogus(worker, reset);
@@ -424,6 +425,7 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
 		total->svr.qclass_big += a->svr.qclass_big;
 		total->svr.qtcp += a->svr.qtcp;
 		total->svr.qtcp_outgoing += a->svr.qtcp_outgoing;
+		total->svr.qudp_outgoing += a->svr.qudp_outgoing;
 		total->svr.qtls += a->svr.qtls;
 		total->svr.qtls_resume += a->svr.qtls_resume;
 		total->svr.qhttps += a->svr.qhttps;
diff --git a/contrib/unbound/daemon/worker.c b/contrib/unbound/daemon/worker.c
index bf8c5d6b6763..27626ce938ca 100644
--- a/contrib/unbound/daemon/worker.c
+++ b/contrib/unbound/daemon/worker.c
@@ -1639,10 +1639,11 @@ lookup_cache:
 		is_secure_answer = 0;
 		h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
 		if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) {
+			struct reply_info* rep = (struct reply_info*)e->data;
 			/* answer from cache - we have acquired a readlock on it */
-			if(answer_from_cache(worker, &qinfo,
-				cinfo, &need_drop, &is_expired_answer, &is_secure_answer,
-				&alias_rrset, &partial_rep, (struct reply_info*)e->data,
+			if(answer_from_cache(worker, &qinfo, cinfo, &need_drop,
+				&is_expired_answer, &is_secure_answer,
+				&alias_rrset, &partial_rep, rep,
 				*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
 				sldns_buffer_read_u16_at(c->buffer, 2), repinfo,
 				&edns)) {
@@ -1650,15 +1651,13 @@ lookup_cache:
 				 * Note that if there is more than one pass
 				 * its qname must be that used for cache
 				 * lookup. */
-				if((worker->env.cfg->prefetch && *worker->env.now >=
-							((struct reply_info*)e->data)->prefetch_ttl) ||
-						(worker->env.cfg->serve_expired &&
-						*worker->env.now >= ((struct reply_info*)e->data)->ttl)) {
-
-					time_t leeway = ((struct reply_info*)e->
-						data)->ttl - *worker->env.now;
-					if(((struct reply_info*)e->data)->ttl
-						< *worker->env.now)
+				if((worker->env.cfg->prefetch &&
+					*worker->env.now >= rep->prefetch_ttl) ||
+					(worker->env.cfg->serve_expired &&
+					*worker->env.now > rep->ttl)) {
+
+					time_t leeway = rep->ttl - *worker->env.now;
+					if(rep->ttl < *worker->env.now)
 						leeway = 0;
 					lock_rw_unlock(&e->lock);
 
@@ -2218,6 +2217,7 @@ void worker_stats_clear(struct worker* worker)
 	mesh_stats_clear(worker->env.mesh);
 	worker->back->unwanted_replies = 0;
 	worker->back->num_tcp_outgoing = 0;
+	worker->back->num_udp_outgoing = 0;
 }
 
 void worker_start_accept(void* arg)
diff --git a/contrib/unbound/doc/Changelog b/contrib/unbound/doc/Changelog
index 8df5f367c4e1..d3573190e7e2 100644
--- a/contrib/unbound/doc/Changelog
+++ b/contrib/unbound/doc/Changelog
@@ -1,6 +1,84 @@
+4 July 2022: George
+	- Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
+	  one loop pass'.
+	- Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
+	  outbound tcp sockets.
+
+4 July 2022: Wouter
+	- Tag for 1.16.1rc1 release.
+
+3 July 2022: George
+	- Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS
+	  mode on openssl3.
+	- Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
+	- For #660: formatting, less verbose logging, add EDE information.
+	- Fix for correct openssl error when adding windows CA certificates to
+	  the openssl trust store.
+	- Improve val_sigcrypt.c::algo_needs_missing for one loop pass.
+	- Reintroduce documentation and more EDE support for
+	  val_sigcrypt.c::dnskeyset_verify_rrset_sig.
+
+1 July 2022: George
+	- Merge PR #706: NXNS fallback.
+	- From #706: Cached NXDOMAIN does not increase the target nx
+	  responses.
+	- From #706: Don't generate parent side queries if we already
+	  have the lame records in cache.
+	- From #706: When a lame address is the best choice, don't try to
+	  generate target queries when the missing targets are all lame.
+
+29 June 2022: Wouter
+	- iana portlist update.
+	- Fix detection of libz on windows compile with static option.
+	- Fix compile warning for windows compile.
+
+29 June 2022: George
+	- Add debug option to the mini_tdir.sh test code.
+	- Fix #704: [FR] Statistics counter for number of outgoing UDP queries
+	  sent; introduces 'num.query.udpout' to the 'unbound-control stats'
+	  command.
+	- Fix to not count cached NXDOMAIN for MAX_TARGET_NX.
+	- Allow fallback to the parent side when MAX_TARGET_NX is reached.
+	  This will also allow MAX_TARGET_NX more NXDOMAINs.
+
+28 June 2022: George
+	- Show the output of the exact .rpl run that failed with 'make test'.
+	- Fix for cached 0 TTL records to not trigger prefetching when
+	  serve-expired-client-timeout is set.
+
+28 June 2022: Wouter
+	- Fix test program dohclient close to use portability routine.
+
+23 June 2022: Tom
+	- Clarify -v flag manpage entry (#705)
+
+22 June 2022: Philip
+	- Fix #663: use after free issue with edns options.
+
+21 June 2022: Philip
+	- Fix for loading locally stored zones that have lines with blanks or
+	  blanks and comments.
+
+20 June 2022: George
+	- Remove unused LDNS function check for GOST Engine unloading.
+
+14 June 2022: George
+	- Merge PR #688: Rpz url notify issue.
+	- Note in the unbound.conf text that NOTIFY is allowed from the url:
+	  addresses for auth and rpz zones.
+
+3 June 2022: George
+	- Fix for edns client subnet to respect not looking in its cache when
+	  instructed to do so (e.g., prefetch).
+
+3 June 2022: Wouter
+	- makedist.sh picks up 32bit libssp-0.dll when 32bit compile.
+
 27 May 2022: Wouter
 	- Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3 (and possibly other distributions)
-	- Version is set to 1.16.0 for release. Release tag 1.16.0rc1.
+	- Version is set to 1.16.0 for release. Release tag 1.16.0rc1. This
+	  became release 1.16.0 on 2 June 2022. The source code branch
+	  continues with version 1.16.1 under development.
 
 20 May 2022: Wouter
 	- Fix to silence test for ede error output to the console from the
diff --git a/contrib/unbound/doc/README b/contrib/unbound/doc/README
index ea93afddcd5f..13992ac7f9ec 100644
--- a/contrib/unbound/doc/README
+++ b/contrib/unbound/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.16.0
+README for Unbound 1.16.1
 Copyright 2007 NLnet Labs
 http://unbound.net
 
diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in
index 64adfe9e5e9c..b01d2c58dbfe 100644
--- a/contrib/unbound/doc/example.conf.in
+++ b/contrib/unbound/doc/example.conf.in
@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.16.0.
+# See unbound.conf(5) man page, version 1.16.1.
 #
 # this is a comment.
 
@@ -1045,8 +1045,8 @@ remote-control:
 # has a copy of the root for local usage.  The second serves example.org
 # authoritatively.  zonefile: reads from file (and writes to it if you also
 # download it), primary: fetches with AXFR and IXFR, or url to zonefile.
-# With allow-notify: you can give additional (apart from primaries) sources of
-# notifies.
+# With allow-notify: you can give additional (apart from primaries and urls)
+# sources of notifies.
 # auth-zone:
 #	name: "."
 #	primary: 199.9.14.201         # b.root-servers.net
diff --git a/contrib/unbound/doc/libunbound.3.in b/contrib/unbound/doc/libunbound.3.in
index b1be90ce0f0f..8049e3ae29d3 100644
--- a/contrib/unbound/doc/libunbound.3.in
+++ b/contrib/unbound/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Jun  2, 2022" "NLnet Labs" "unbound 1.16.0"
+.TH "libunbound" "3" "Jul 11, 2022" "NLnet Labs" "unbound 1.16.1"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -44,7 +44,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.16.0 functions.
+\- Unbound DNS validating resolver 1.16.1 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP
diff --git a/contrib/unbound/doc/unbound-anchor.8.in b/contrib/unbound/doc/unbound-anchor.8.in
index 4da37b1d5ff9..85b71fd30b8e 100644
--- a/contrib/unbound/doc/unbound-anchor.8.in
+++ b/contrib/unbound/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Jun  2, 2022" "NLnet Labs" "unbound 1.16.0"
+.TH "unbound-anchor" "8" "Jul 11, 2022" "NLnet Labs" "unbound 1.16.1"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"
diff --git a/contrib/unbound/doc/unbound-checkconf.8.in b/contrib/unbound/doc/unbound-checkconf.8.in
index 4c607a231b9f..8133feeaa364 100644
--- a/contrib/unbound/doc/unbound-checkconf.8.in
+++ b/contrib/unbound/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Jun  2, 2022" "NLnet Labs" "unbound 1.16.0"
+.TH "unbound-checkconf" "8" "Jul 11, 2022" "NLnet Labs" "unbound 1.16.1"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"
diff --git a/contrib/unbound/doc/unbound-control.8.in b/contrib/unbound/doc/unbound-control.8.in
index 3ef1d659f58a..128101e2f887 100644
--- a/contrib/unbound/doc/unbound-control.8.in
+++ b/contrib/unbound/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Jun  2, 2022" "NLnet Labs" "unbound 1.16.0"
+.TH "unbound-control" "8" "Jul 11, 2022" "NLnet Labs" "unbound 1.16.1"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"
@@ -552,6 +552,10 @@ Number of queries that were made using TCP towards the Unbound server.
 Number of queries that the Unbound server made using TCP outgoing towards
 other servers.
 .TP
+.I num.query.udpout
+Number of queries that the Unbound server made using UDP outgoing towards
+other servers.
+.TP
 .I num.query.tls
 Number of queries that were made using TLS towards the Unbound server.
 These are also counted in num.query.tcp, because TLS uses TCP.
diff --git a/contrib/unbound/doc/unbound-host.1.in b/contrib/unbound/doc/unbound-host.1.in
index a30d1dfd216f..fb73e625df47 100644
--- a/contrib/unbound/doc/unbound-host.1.in
+++ b/contrib/unbound/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Jun  2, 2022" "NLnet Labs" "unbound 1.16.0"
+.TH "unbound\-host" "1" "Jul 11, 2022" "NLnet Labs" "unbound 1.16.1"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"
diff --git a/contrib/unbound/doc/unbound.8.in b/contrib/unbound/doc/unbound.8.in
index e3492724c95d..bc768c6a151b 100644
--- a/contrib/unbound/doc/unbound.8.in
+++ b/contrib/unbound/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Jun  2, 2022" "NLnet Labs" "unbound 1.16.0"
+.TH "unbound" "8" "Jul 11, 2022" "NLnet Labs" "unbound 1.16.1"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.16.0.
+\- Unbound DNS validating resolver 1.16.1.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]
@@ -75,7 +75,7 @@ concurrently.
 .TP
 .B \-v
 Increase verbosity. If given multiple times, more information is logged.
-This is in addition to the verbosity (if any) from the config file.
+This is added to the verbosity (if any) from the config file.
 .TP
 .B \-V
 Show the version number and build options, and exit.
diff --git a/contrib/unbound/doc/unbound.conf.5.in b/contrib/unbound/doc/unbound.conf.5.in
index 3c891aa59e28..1157a2d1975f 100644
--- a/contrib/unbound/doc/unbound.conf.5.in
+++ b/contrib/unbound/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Jun  2, 2022" "NLnet Labs" "unbound 1.16.0"
+.TH "unbound.conf" "5" "Jul 11, 2022" "NLnet Labs" "unbound 1.16.1"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -2067,8 +2067,8 @@ With allow\-notify you can specify additional sources of notifies.
 When notified, the server attempts to first probe and then zone transfer.
 If the notify is from a primary, it first attempts that primary.  Otherwise
 other primaries are attempted.  If there are no primaries, but only urls, the
-file is downloaded when notified.  The primaries from primary: statements are
-allowed notify by default.
+file is downloaded when notified.  The primaries from primary: and url:
+statements are allowed notify by default.
 .TP
 .B fallback\-enabled: \fI<yes or no>
 Default no.  If enabled, Unbound falls back to querying the internet as
@@ -2682,8 +2682,8 @@ With allow\-notify you can specify additional sources of notifies.
 When notified, the server attempts to first probe and then zone transfer.
 If the notify is from a primary, it first attempts that primary.  Otherwise
 other primaries are attempted.  If there are no primaries, but only urls, the
-file is downloaded when notified.  The primaries from primary: statements are
-allowed notify by default.
+file is downloaded when notified.  The primaries from primary: and url:
+statements are allowed notify by default.
 .TP
 .B zonefile: \fI<filename>
 The filename where the zone is stored.  If not given then no zonefile is used.
diff --git a/contrib/unbound/edns-subnet/subnetmod.c b/contrib/unbound/edns-subnet/subnetmod.c
index 25190b040d45..75446113b742 100644
--- a/contrib/unbound/edns-subnet/subnetmod.c
+++ b/contrib/unbound/edns-subnet/subnetmod.c
@@ -93,13 +93,14 @@ subnet_new_qstate(struct module_qstate *qstate, int id)
 	qstate->minfo[id] = sq;
 	memset(sq, 0, sizeof(*sq));
 	sq->started_no_cache_store = qstate->no_cache_store;
+	sq->started_no_cache_lookup = qstate->no_cache_lookup;
 	return 1;
 }
 
 /** Add ecs struct to edns list, after parsing it to wire format. */
 void
 subnet_ecs_opt_list_append(struct ecs_data* ecs, struct edns_option** list,
-	struct module_qstate *qstate)
+	struct module_qstate *qstate, struct regional *region)
 {
 	size_t sn_octs, sn_octs_remainder;
 	sldns_buffer* buf = qstate->env->scratch_buffer;
@@ -131,7 +132,7 @@ subnet_ecs_opt_list_append(struct ecs_data* ecs, struct edns_option** list,
 		edns_opt_list_append(list,
 				qstate->env->cfg->client_subnet_opcode,
 				sn_octs + sn_octs_remainder + 4,
-				sldns_buffer_begin(buf), qstate->region);
+				sldns_buffer_begin(buf), region);
 	}
 }
 
@@ -139,7 +140,7 @@ int ecs_whitelist_check(struct query_info* qinfo,
 	uint16_t ATTR_UNUSED(flags), struct module_qstate* qstate,
 	struct sockaddr_storage* addr, socklen_t addrlen,
 	uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen),
-	struct regional* ATTR_UNUSED(region), int id, void* ATTR_UNUSED(cbargs))
+	struct regional *region, int id, void* ATTR_UNUSED(cbargs))
 {
 	struct subnet_qstate *sq;
 	struct subnet_env *sn_env;
@@ -165,7 +166,7 @@ int ecs_whitelist_check(struct query_info* qinfo,
 		if(!edns_opt_list_find(qstate->edns_opts_back_out,
 			qstate->env->cfg->client_subnet_opcode)) {
 			subnet_ecs_opt_list_append(&sq->ecs_server_out,
-				&qstate->edns_opts_back_out, qstate);
+				&qstate->edns_opts_back_out, qstate, region);
 		}
 		sq->subnet_sent = 1;
 	}
@@ -331,9 +332,11 @@ update_cache(struct module_qstate *qstate, int id)
 	struct ecs_data *edns = &sq->ecs_client_in;
 	size_t i;
 
-	/* We already calculated hash upon lookup */
-	hashvalue_type h = qstate->minfo[id] ? 
-		((struct subnet_qstate*)qstate->minfo[id])->qinfo_hash : 
+	/* We already calculated hash upon lookup (lookup_and_reply) if we were
+	 * allowed to look in the ECS cache */
+	hashvalue_type h = qstate->minfo[id] &&
+		((struct subnet_qstate*)qstate->minfo[id])->qinfo_hash_calculated?
+		((struct subnet_qstate*)qstate->minfo[id])->qinfo_hash :
 		query_info_hash(&qstate->qinfo, qstate->query_flags);
 	/* Step 1, general qinfo lookup */
 	struct lruhash_entry *lru_entry = slabhash_lookup(subnet_msg_cache, h,
@@ -416,7 +419,10 @@ lookup_and_reply(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
 
 	memset(&sq->ecs_client_out, 0, sizeof(sq->ecs_client_out));
 
-	if (sq) sq->qinfo_hash = h; /* Might be useful on cache miss */
+	if (sq) {
+		sq->qinfo_hash = h; /* Might be useful on cache miss */
+		sq->qinfo_hash_calculated = 1;
+	}
 	e = slabhash_lookup(sne->subnet_msg_cache, h, &qstate->qinfo, 1);
 	if (!e) return 0; /* qinfo not in cache */
 	data = e->data;
@@ -758,18 +764,21 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
 				return;
 		}
 
-		lock_rw_wrlock(&sne->biglock);
-		if (lookup_and_reply(qstate, id, sq)) {
-			sne->num_msg_cache++;
-			lock_rw_unlock(&sne->biglock);
-			verbose(VERB_QUERY, "subnetcache: answered from cache");
-			qstate->ext_state[id] = module_finished;
+		if(!sq->started_no_cache_lookup && !qstate->blacklist) {
+			lock_rw_wrlock(&sne->biglock);
+			if(lookup_and_reply(qstate, id, sq)) {
+				sne->num_msg_cache++;
+				lock_rw_unlock(&sne->biglock);
+				verbose(VERB_QUERY, "subnetcache: answered from cache");
+				qstate->ext_state[id] = module_finished;
 
-			subnet_ecs_opt_list_append(&sq->ecs_client_out,
-				&qstate->edns_opts_front_out, qstate);
-			return;
+				subnet_ecs_opt_list_append(&sq->ecs_client_out,
+					&qstate->edns_opts_front_out, qstate,
+					qstate->region);
+				return;
+			}
+			lock_rw_unlock(&sne->biglock);
 		}
-		lock_rw_unlock(&sne->biglock);
 		
 		sq->ecs_server_out.subnet_addr_fam =
 			sq->ecs_client_in.subnet_addr_fam;
*** 14045 LINES SKIPPED ***