svn commit: r338568 - in head: contrib/unbound contrib/unbound/compat contrib/unbound/contrib contrib/unbound/daemon contrib/unbound/doc contrib/unbound/iterator contrib/unbound/libunbound contrib/...

Dag-Erling Smørgrav des at FreeBSD.org
Mon Sep 10 16:56:52 UTC 2018


Author: des
Date: Mon Sep 10 16:56:44 2018
New Revision: 338568
URL: https://svnweb.freebsd.org/changeset/base/338568

Log:
  Upgrade Unbound to 1.7.2.  More to follow.
  
  Approved by:	re (kib@)

Modified:
  head/contrib/unbound/Makefile.in
  head/contrib/unbound/compat/arc4random.c
  head/contrib/unbound/config.h
  head/contrib/unbound/config.h.in
  head/contrib/unbound/configure
  head/contrib/unbound/configure.ac
  head/contrib/unbound/contrib/libunbound.pc.in
  head/contrib/unbound/daemon/acl_list.c
  head/contrib/unbound/daemon/acl_list.h
  head/contrib/unbound/daemon/daemon.c
  head/contrib/unbound/daemon/unbound.c
  head/contrib/unbound/daemon/worker.c
  head/contrib/unbound/doc/Changelog
  head/contrib/unbound/doc/README
  head/contrib/unbound/doc/example.conf
  head/contrib/unbound/doc/example.conf.in
  head/contrib/unbound/doc/libunbound.3
  head/contrib/unbound/doc/libunbound.3.in
  head/contrib/unbound/doc/unbound-anchor.8
  head/contrib/unbound/doc/unbound-anchor.8.in
  head/contrib/unbound/doc/unbound-checkconf.8
  head/contrib/unbound/doc/unbound-checkconf.8.in
  head/contrib/unbound/doc/unbound-control.8
  head/contrib/unbound/doc/unbound-control.8.in
  head/contrib/unbound/doc/unbound-host.1
  head/contrib/unbound/doc/unbound-host.1.in
  head/contrib/unbound/doc/unbound.8
  head/contrib/unbound/doc/unbound.8.in
  head/contrib/unbound/doc/unbound.conf.5
  head/contrib/unbound/doc/unbound.conf.5.in
  head/contrib/unbound/iterator/iter_utils.c
  head/contrib/unbound/libunbound/context.c
  head/contrib/unbound/libunbound/context.h
  head/contrib/unbound/libunbound/libunbound.c
  head/contrib/unbound/libunbound/libworker.c
  head/contrib/unbound/services/authzone.c
  head/contrib/unbound/services/listen_dnsport.c
  head/contrib/unbound/services/mesh.c
  head/contrib/unbound/services/outside_network.c
  head/contrib/unbound/services/outside_network.h
  head/contrib/unbound/smallapp/unbound-host.c
  head/contrib/unbound/util/alloc.c
  head/contrib/unbound/util/alloc.h
  head/contrib/unbound/util/config_file.c
  head/contrib/unbound/util/config_file.h
  head/contrib/unbound/util/configlexer.lex
  head/contrib/unbound/util/configparser.y
  head/contrib/unbound/util/net_help.c
  head/contrib/unbound/util/net_help.h
  head/contrib/unbound/util/netevent.c
  head/lib/libunbound/Makefile
Directory Properties:
  head/contrib/unbound/   (props changed)

Modified: head/contrib/unbound/Makefile.in
==============================================================================
--- head/contrib/unbound/Makefile.in	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/Makefile.in	Mon Sep 10 16:56:44 2018	(r338568)
@@ -327,7 +327,7 @@ unbound-control$(EXEEXT):	$(CONTROL_OBJ_LINK) libunbou
 	$(LINK) -o $@ $(CONTROL_OBJ_LINK) $(EXTRALINK) $(SSLLIB) $(LIBS)
 
 unbound-host$(EXEEXT):	$(HOST_OBJ_LINK) libunbound.la
-	$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(LIBS)
+	$(LINK) -o $@ $(HOST_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS)
 
 unbound-anchor$(EXEEXT):	$(UBANCHOR_OBJ_LINK) libunbound.la
 	$(LINK) -o $@ $(UBANCHOR_OBJ_LINK) -L. -L.libs -lunbound -lexpat $(SSLLIB) $(LIBS)
@@ -360,7 +360,7 @@ memstats$(EXEEXT):	$(MEMSTATS_OBJ_LINK)
 	$(LINK) -o $@ $(MEMSTATS_OBJ_LINK) $(SSLLIB) $(LIBS)
 
 asynclook$(EXEEXT):	$(ASYNCLOOK_OBJ_LINK) libunbound.la
-	$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) $(LIBS) -L. -L.libs -lunbound
+	$(LINK) -o $@ $(ASYNCLOOK_OBJ_LINK) -L. -L.libs -lunbound $(SSLLIB) $(LIBS)
 
 streamtcp$(EXEEXT):	$(STREAMTCP_OBJ_LINK)
 	$(LINK) -o $@ $(STREAMTCP_OBJ_LINK) $(SSLLIB) $(LIBS)
@@ -1463,7 +1463,7 @@ win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
  $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
  $(srcdir)/daemon/remote.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h
 w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
 unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
  $(srcdir)/winrc/w_inst.h

Modified: head/contrib/unbound/compat/arc4random.c
==============================================================================
--- head/contrib/unbound/compat/arc4random.c	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/compat/arc4random.c	Mon Sep 10 16:56:44 2018	(r338568)
@@ -71,6 +71,72 @@ static struct {
 
 static inline void _rs_rekey(u_char *dat, size_t datlen);
 
+/*
+ * Basic sanity checking; wish we could do better.
+ */
+static int
+fallback_gotdata(char *buf, size_t len)
+{
+	char	any_set = 0;
+	size_t	i;
+
+	for (i = 0; i < len; ++i)
+		any_set |= buf[i];
+	if (any_set == 0)
+		return -1;
+	return 0;
+}
+
+/* fallback for getentropy in case libc returns failure */
+static int
+fallback_getentropy_urandom(void *buf, size_t len)
+{
+	size_t i;
+	int fd, flags;
+	int save_errno = errno;
+
+start:
+
+	flags = O_RDONLY;
+#ifdef O_NOFOLLOW
+	flags |= O_NOFOLLOW;
+#endif
+#ifdef O_CLOEXEC
+	flags |= O_CLOEXEC;
+#endif
+	fd = open("/dev/urandom", flags, 0);
+	if (fd == -1) {
+		if (errno == EINTR)
+			goto start;
+		goto nodevrandom;
+	}
+#ifndef O_CLOEXEC
+#  ifdef HAVE_FCNTL
+	fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
+#  endif
+#endif
+	for (i = 0; i < len; ) {
+		size_t wanted = len - i;
+		ssize_t ret = read(fd, (char*)buf + i, wanted);
+
+		if (ret == -1) {
+			if (errno == EAGAIN || errno == EINTR)
+				continue;
+			close(fd);
+			goto nodevrandom;
+		}
+		i += ret;
+	}
+	close(fd);
+	if (fallback_gotdata(buf, len) == 0) {
+		errno = save_errno;
+		return 0;		/* satisfied */
+	}
+nodevrandom:
+	errno = EIO;
+	return -1;
+}
+
 static inline void
 _rs_init(u_char *buf, size_t n)
 {
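Review bot: The read loop in fallback_getentropy_urandom (the `for (i = 0; i < len; )` block) never handles `ret == 0`, so `i += 0` spins forever if the opened path returns EOF, which is what happens when `/dev/urandom` is not a character device — an empty regular file in a chroot, for instance; O_NOFOLLOW only excludes symlinks. The OpenBSD/LibreSSL getentropy fallback this appears to be derived from also does an fstat()/S_ISCHR check on the descriptor before reading, and that check is absent here; fallback_gotdata's all-zero test is only a last-resort sanity check and does not catch a wrong device node. Treat EOF as failure and verify the node type before reading, as below; `struct stat` needs `<sys/stat.h>`, and the file's include list is outside this hunk so I cannot confirm it is already present.
```c
static int
fallback_getentropy_urandom(void *buf, size_t len)
{
	size_t i;
	int fd, flags;
	int save_errno = errno;
	struct stat st;

	/* … unchanged: open() with O_NOFOLLOW/O_CLOEXEC, EINTR retry, FD_CLOEXEC fallback … */

	/* Lightly verify that the device node looks sane */
	if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode)) {
		close(fd);
		goto nodevrandom;
	}
	for (i = 0; i < len; ) {
		size_t wanted = len - i;
		ssize_t ret = read(fd, (char*)buf + i, wanted);

		if (ret == -1) {
			if (errno == EAGAIN || errno == EINTR)
				continue;
			close(fd);
			goto nodevrandom;
		}
		if (ret == 0) {
			/* EOF: not a random device, do not spin */
			close(fd);
			goto nodevrandom;
		}
		i += ret;
	}
	/* … unchanged: close(), fallback_gotdata() check, nodevrandom label … */
```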
@@ -114,11 +180,14 @@ _rs_stir(void)
 	u_char rnd[KEYSZ + IVSZ];
 
 	if (getentropy(rnd, sizeof rnd) == -1) {
+		if(errno != ENOSYS ||
+			fallback_getentropy_urandom(rnd, sizeof rnd) == -1) {
 #ifdef SIGKILL
-		raise(SIGKILL);
+			raise(SIGKILL);
 #else
-		exit(9); /* windows */
+			exit(9); /* windows */
 #endif
+		}
 	}
 
 	if (!rs)

Modified: head/contrib/unbound/config.h
==============================================================================
--- head/contrib/unbound/config.h	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/config.h	Mon Sep 10 16:56:44 2018	(r338568)
@@ -31,6 +31,9 @@
    internal symbols */
 /* #undef EXPORT_ALL_SYMBOLS */
 
+/* Define to 1 if you have the `accept4' function. */
+#define HAVE_ACCEPT4 1
+
 /* Define to 1 if you have the `arc4random' function. */
 #define HAVE_ARC4RANDOM 1
 
@@ -628,7 +631,7 @@
 #define PACKAGE_NAME "unbound"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "unbound 1.7.1"
+#define PACKAGE_STRING "unbound 1.7.2"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "unbound"
@@ -637,7 +640,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "1.7.1"
+#define PACKAGE_VERSION "1.7.2"
 
 /* default pidfile location */
 #define PIDFILE "/var/unbound/unbound.pid"
@@ -656,7 +659,7 @@
 #define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
 
 /* version number for resource files */
-#define RSRC_PACKAGE_VERSION 1,7,1,0
+#define RSRC_PACKAGE_VERSION 1,7,2,0
 
 /* Directory to chdir to */
 #define RUN_DIR "/var/unbound"

Modified: head/contrib/unbound/config.h.in
==============================================================================
--- head/contrib/unbound/config.h.in	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/config.h.in	Mon Sep 10 16:56:44 2018	(r338568)
@@ -30,6 +30,9 @@
    internal symbols */
 #undef EXPORT_ALL_SYMBOLS
 
+/* Define to 1 if you have the `accept4' function. */
+#undef HAVE_ACCEPT4
+
 /* Define to 1 if you have the `arc4random' function. */
 #undef HAVE_ARC4RANDOM
 

Modified: head/contrib/unbound/configure
==============================================================================
--- head/contrib/unbound/configure	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/configure	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.7.1.
+# Generated by GNU Autoconf 2.69 for unbound 1.7.2.
 #
 # Report bugs to <unbound-bugs at nlnetlabs.nl>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.7.1'
-PACKAGE_STRING='unbound 1.7.1'
+PACKAGE_VERSION='1.7.2'
+PACKAGE_STRING='unbound 1.7.2'
 PACKAGE_BUGREPORT='unbound-bugs at nlnetlabs.nl'
 PACKAGE_URL=''
 
@@ -1440,7 +1440,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.7.1 to adapt to many kinds of systems.
+\`configure' configures unbound 1.7.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1505,7 +1505,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.7.1:";;
+     short | recursive ) echo "Configuration of unbound 1.7.2:";;
    esac
   cat <<\_ACEOF
 
@@ -1722,7 +1722,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.7.1
+unbound configure 1.7.2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2431,7 +2431,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.7.1, which was
+It was created by unbound $as_me 1.7.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2783,11 +2783,11 @@ UNBOUND_VERSION_MAJOR=1
 
 UNBOUND_VERSION_MINOR=7
 
-UNBOUND_VERSION_MICRO=1
+UNBOUND_VERSION_MICRO=2
 
 
 LIBUNBOUND_CURRENT=7
-LIBUNBOUND_REVISION=9
+LIBUNBOUND_REVISION=10
 LIBUNBOUND_AGE=5
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2848,6 +2848,7 @@ LIBUNBOUND_AGE=5
 # 1.6.8 had 7:7:5
 # 1.7.0 had 7:8:5
 # 1.7.1 had 7:9:5
+# 1.7.2 had 7:10:5
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -19467,7 +19468,7 @@ else
   WINDRES="$ac_cv_prog_WINDRES"
 fi
 
-	LIBS="$LIBS -liphlpapi"
+	LIBS="$LIBS -liphlpapi -lcrypt32"
 	WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe"
 
 	WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c"
@@ -19701,7 +19702,7 @@ if test "$ac_res" != no; then :
 
 fi
 
-for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget
+for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -20854,6 +20855,8 @@ if test "${enable_cachedb+set}" = set; then :
   enableval=$enable_cachedb;
 fi
 
+# turn on cachedb when hiredis support is enabled.
+if test "$found_libhiredis" = "yes"; then enable_cachedb="yes"; fi
 case "$enable_cachedb" in
     yes)
 
@@ -21041,7 +21044,7 @@ _ACEOF
 
 
 
-version=1.7.1
+version=1.7.2
 
 date=`date +'%b %e, %Y'`
 
@@ -21560,7 +21563,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.7.1, which was
+This file was extended by unbound $as_me 1.7.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -21626,7 +21629,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.7.1
+unbound config.status 1.7.2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

Modified: head/contrib/unbound/configure.ac
==============================================================================
--- head/contrib/unbound/configure.ac	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/configure.ac	Mon Sep 10 16:56:44 2018	(r338568)
@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[7])
-m4_define([VERSION_MICRO],[1])
+m4_define([VERSION_MICRO],[2])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs at nlnetlabs.nl, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=7
-LIBUNBOUND_REVISION=9
+LIBUNBOUND_REVISION=10
 LIBUNBOUND_AGE=5
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -79,6 +79,7 @@ LIBUNBOUND_AGE=5
 # 1.6.8 had 7:7:5
 # 1.7.0 had 7:8:5
 # 1.7.1 had 7:9:5
+# 1.7.2 had 7:10:5
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -1245,7 +1246,7 @@ if test "$USE_WINSOCK" = 1; then
 #include <windows.h>
 	])
 	AC_CHECK_TOOL(WINDRES, windres)
-	LIBS="$LIBS -liphlpapi"
+	LIBS="$LIBS -liphlpapi -lcrypt32"
 	WINAPPS="unbound-service-install.exe unbound-service-remove.exe anchor-update.exe"
 	AC_SUBST(WINAPPS)
 	WIN_DAEMON_SRC="winrc/win_svc.c winrc/w_inst.c"
@@ -1318,7 +1319,7 @@ AC_INCLUDES_DEFAULT
 #endif
 ])
 AC_SEARCH_LIBS([setusercontext], [util])
-AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget])
+AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4])
 AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
 AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
 
@@ -1488,6 +1489,8 @@ dnsc_DNSCRYPT([
 
 # check for cachedb if requested
 AC_ARG_ENABLE(cachedb, AC_HELP_STRING([--enable-cachedb], [enable cachedb module that can use external cache storage]))
+# turn on cachedb when hiredis support is enabled.
+if test "$found_libhiredis" = "yes"; then enable_cachedb="yes"; fi
 case "$enable_cachedb" in
     yes)
     	AC_DEFINE([USE_CACHEDB], [1], [Define to 1 to use cachedb support])
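Review bot: The new `if test "$found_libhiredis" = "yes"; then enable_cachedb="yes"; fi` runs after AC_ARG_ENABLE(cachedb) has already stored the user's choice, so `--with-libhiredis --disable-cachedb` silently re-enables cachedb. If the intent is only to default it on when hiredis is present, guard on the variable being unset: `if test "$found_libhiredis" = "yes" && test -z "$enable_cachedb"; then enable_cachedb="yes"; fi`. The same line appears in the generated configure (hunk at @@ -20854), which is covered by regenerating from configure.ac. `found_libhiredis` is set outside this hunk, so I cannot tell from here whether it is always initialised before this point.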

Modified: head/contrib/unbound/contrib/libunbound.pc.in
==============================================================================
--- head/contrib/unbound/contrib/libunbound.pc.in	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/contrib/libunbound.pc.in	Mon Sep 10 16:56:44 2018	(r338568)
@@ -7,7 +7,7 @@ Name: unbound
 Description: Library with validating, recursive, and caching DNS resolver
 URL: http://www.unbound.net
 Version: @PACKAGE_VERSION@
-Requires: libcrypto libssl @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@
-Libs: -L${libdir} -lunbound
+Requires: @PC_LIBEVENT_DEPENDENCY@ @PC_PY_DEPENDENCY@
+Libs: -L${libdir} -lunbound -lssl -lcrypto
 Libs.private: @SSLLIB@ @LIBS@
 Cflags: -I${includedir} 
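Review bot: Putting `-lssl -lcrypto` on the public `Libs:` line makes every consumer of the shared libunbound link OpenSSL directly, although unbound.h does not expose OpenSSL types; for a shared library those flags belong in `Libs.private`, which already carries `@SSLLIB@` (presumably the ssl/crypto link flags, I cannot see its expansion here). Dropping libssl/libcrypto from `Requires:` also loses pkg-config's `-L`/`-I` for an OpenSSL installed outside the default prefix. The Changelog hunk ties this to a FreeBSD report about the libssl/libcrypto references, so if the goal is static linking on a system without OpenSSL .pc files, `Libs.private: -lssl -lcrypto @SSLLIB@ @LIBS@` keeps that working without overlinking shared consumers.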

Modified: head/contrib/unbound/daemon/acl_list.c
==============================================================================
--- head/contrib/unbound/daemon/acl_list.c	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/daemon/acl_list.c	Mon Sep 10 16:56:44 2018	(r338568)
@@ -111,6 +111,8 @@ acl_list_str_cfg(struct acl_list* acl, const char* str
 		control = acl_refuse_non_local;
 	else if(strcmp(s2, "allow_snoop") == 0)
 		control = acl_allow_snoop;
+	else if(strcmp(s2, "allow_setrd") == 0)
+		control = acl_allow_setrd;
 	else {
 		log_err("access control type %s unknown", str);
 		return 0;

Modified: head/contrib/unbound/daemon/acl_list.h
==============================================================================
--- head/contrib/unbound/daemon/acl_list.h	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/daemon/acl_list.h	Mon Sep 10 16:56:44 2018	(r338568)
@@ -63,7 +63,9 @@ enum acl_access {
 	/** allow full access for recursion (+RD) queries */
 	acl_allow,
 	/** allow full access for all queries, recursion and cache snooping */
-	acl_allow_snoop
+	acl_allow_snoop,
+	/** allow full access for recursion queries and set RD flag regardless of request */
+	acl_allow_setrd
 };
 
 /**

Modified: head/contrib/unbound/daemon/daemon.c
==============================================================================
--- head/contrib/unbound/daemon/daemon.c	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/daemon/daemon.c	Mon Sep 10 16:56:44 2018	(r338568)
@@ -704,6 +704,7 @@ daemon_cleanup(struct daemon* daemon)
 	free(daemon->workers);
 	daemon->workers = NULL;
 	daemon->num = 0;
+	alloc_clear_special(&daemon->superalloc);
 #ifdef USE_DNSTAP
 	dt_delete(daemon->dtenv);
 	daemon->dtenv = NULL;

Modified: head/contrib/unbound/daemon/unbound.c
==============================================================================
--- head/contrib/unbound/daemon/unbound.c	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/daemon/unbound.c	Mon Sep 10 16:56:44 2018	(r338568)
@@ -431,7 +431,7 @@ perform_setup(struct daemon* daemon, struct config_fil
 			fatal_exit("could not set up listen SSL_CTX");
 	}
 	if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL,
-		cfg->tls_cert_bundle)))
+		cfg->tls_cert_bundle, cfg->tls_win_cert)))
 		fatal_exit("could not set up connect SSL_CTX");
 #endif
 

Modified: head/contrib/unbound/daemon/worker.c
==============================================================================
--- head/contrib/unbound/daemon/worker.c	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/daemon/worker.c	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1351,6 +1351,13 @@ worker_handle_request(struct comm_point* c, void* arg,
 	}
 
 	/* If this request does not have the recursion bit set, verify
+	 * ACLs allow the recursion bit to be treated as set. */
+	if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) &&
+		acl == acl_allow_setrd ) {
+		LDNS_RD_SET(sldns_buffer_begin(c->buffer));
+	}
+
+	/* If this request does not have the recursion bit set, verify
 	 * ACLs allow the snooping. */
 	if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) &&
 		acl != acl_allow_snoop ) {
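Review bot: `LDNS_RD_SET(sldns_buffer_begin(c->buffer))` rewrites the header of the client's query in place, so if the reply is built from that same buffer (worker_handle_request continues outside the hunk, so I cannot see this) a client that sent RD=0 receives RD=1 in the response, departing from the RFC 1035 rule that RD is copied from the request. That is probably the intended effect of allow_setrd, but it deserves a comment on the new block, e.g. `/* the reply will echo RD=1; the client's original RD bit is not preserved */`. The ordering also matters and is worth stating: this block has to stay ahead of the allow_snoop check below it, since that check reads the bit this block just set.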

Modified: head/contrib/unbound/doc/Changelog
==============================================================================
--- head/contrib/unbound/doc/Changelog	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/Changelog	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,8 +1,80 @@
+4 June 2018: Wouter
+	- Fix deadlock caused by incoming notify for auth-zone.
+	- tag for 1.7.2rc1
+
+1 June 2018: Wouter
+	- Rename additional-tls-port to tls-additional-ports.
+	  The older name is accepted for backwards compatibility.
+
+30 May 2018: Wouter
+	- Patch from Syzdek: Add ability to ignore RD bit and treat all
+	  requests as if the RD bit is set.
+
+29 May 2018: Wouter
+	- in compat/arc4random call getentropy_urandom when getentropy fails
+	  with ENOSYS.
+	- Fix that fallback for windows port.
+
+28 May 2018: Wouter
+	- Fix windows tcp and tls spin on events.
+	- Add routine from getdns to add windows cert store to the SSL_CTX.
+	- tls-win-cert option that adds the system certificate store for
+	  authenticating DNS-over-TLS connections.  It can be used instead
+	  of the tls-cert-bundle option, or with it to add certificates.
+
+25 May 2018: Wouter
+	- For TCP and TLS connections that don't establish, perform address
+	  update in infra cache, so future selections can exclude them.
+	- Fix that tcp sticky events are removed for closed fd on windows.
+	- Fix close events for tcp only.
+
+24 May 2018: Wouter
+	- Fix that libunbound can do DNS-over-TLS, when configured.
+	- Fix that windows unbound service can use DNS-over-TLS.
+	- unbound-host initializes ssl (for potential DNS-over-TLS usage
+	  inside libunbound), when ssl upstream or a cert-bundle is configured.
+
+23 May 2018: Wouter
+	- Use accept4 to speed up incoming TCP (and TLS) connections,
+	  available on Linux, FreeBSD and OpenBSD.
+
+17 May 2018: Ralph
+	- Qname minimisation default changed to yes.
+
+15 May 2018: Wouter
+	- Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
+
+11 May 2018: Wouter
+	- Fix contrib/libunbound.pc for libssl libcrypto references,
+	  from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
+
+7 May 2018: Wouter
+	- Fix windows to not have sticky TLS events for TCP.
+	- Fix read of DNS over TLS length and data in one read call.
+	- Fix mesh state assertion failure due to callback removal.
+
+3 May 2018: Wouter
+	- Fix that configure --with-libhiredis also turns on cachedb.
+	- Fix gcc 8 buffer warning in testcode.
+	- Fix function type cast warning in libunbound context callback type.
+
+2 May 2018: Wouter
+	- Fix fail to reject dead peers in forward-zone, with ssl-upstream.
+
+1 May 2018: Wouter
+	- Fix that unbound-control reload frees the rrset keys and returns
+	  the memory pages to the system.
+
+30 April 2018: Wouter
+	- Fix spelling error in man page and note defaults as no instead of
+	  off.
+
 26 April 2018: Wouter
 	- Fix for crash in daemon_cleanup with dnstap during reload,
 	  from Saksham Manchanda.
 	- Also that for dnscrypt.
-	- tag for 1.7.1rc1 release.
+	- tag for 1.7.1rc1 release.  Became 1.7.1 release on 3 May, trunk
+	  is from here 1.7.2 in development.
 
 25 April 2018: Ralph
 	- Fix memory leak when caching wildcard records for aggressive NSEC use

Modified: head/contrib/unbound/doc/README
==============================================================================
--- head/contrib/unbound/doc/README	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/README	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,4 +1,4 @@
-README for Unbound 1.7.1
+README for Unbound 1.7.2
 Copyright 2007 NLnet Labs
 http://unbound.net
 

Modified: head/contrib/unbound/doc/example.conf
==============================================================================
--- head/contrib/unbound/doc/example.conf	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/example.conf	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.7.1.
+# See unbound.conf(5) man page, version 1.7.2.
 #
 # this is a comment.
 
@@ -223,7 +223,8 @@ server:
 	# to this server. Specify classless netblocks with /size and action.
 	# By default everything is refused, except for localhost.
 	# Choose deny (drop message), refuse (polite error reply),
-	# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
+	# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
+	# allow_snoop (recursive and nonrecursive ok)
 	# deny_non_local (drop queries unless can be answered from local-data)
 	# refuse_non_local (like deny_non_local but polite error reply).
 	# access-control: 0.0.0.0/0 refuse
@@ -372,7 +373,7 @@ server:
 	# Sent minimum amount of information to upstream servers to enhance
 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
 	# to A when possible.
-	# qname-minimisation: no
+	# qname-minimisation: yes
 
 	# QNAME minimisation in strict mode. Do not fall-back to sending full
 	# QNAME to potentially broken nameservers. A lot of domains will not be
@@ -681,8 +682,11 @@ server:
 	# Certificates used to authenticate connections made upstream.
 	# tls-cert-bundle: ""
 
+	# Add system certs to the cert bundle, from the Windows Cert Store
+	# tls-win-cert: no
+
 	# Also serve tls on these port numbers (eg. 443, ...), by listing
-	# additional-tls-port: portno for each of the port numbers.
+	# tls-additional-ports: portno for each of the port numbers.
 
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
@@ -725,7 +729,7 @@ server:
 	# low-rtt: 45
 	# select low rtt this many times out of 1000. 0 means the fast server
 	# select is disabled.  prefetches are not sped up.
-	# low-rtt-pct: 0
+	# low-rtt-permil: 0
 
 	# Specific options for ipsecmod. unbound needs to be configured with
 	# --enable-ipsecmod for these to take effect.

Modified: head/contrib/unbound/doc/example.conf.in
==============================================================================
--- head/contrib/unbound/doc/example.conf.in	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/example.conf.in	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.7.1.
+# See unbound.conf(5) man page, version 1.7.2.
 #
 # this is a comment.
 
@@ -223,7 +223,8 @@ server:
 	# to this server. Specify classless netblocks with /size and action.
 	# By default everything is refused, except for localhost.
 	# Choose deny (drop message), refuse (polite error reply),
-	# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
+	# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
+	# allow_snoop (recursive and nonrecursive ok)
 	# deny_non_local (drop queries unless can be answered from local-data)
 	# refuse_non_local (like deny_non_local but polite error reply).
 	# access-control: 0.0.0.0/0 refuse
@@ -372,7 +373,7 @@ server:
 	# Sent minimum amount of information to upstream servers to enhance
 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
 	# to A when possible.
-	# qname-minimisation: no
+	# qname-minimisation: yes
 
 	# QNAME minimisation in strict mode. Do not fall-back to sending full
 	# QNAME to potentially broken nameservers. A lot of domains will not be
@@ -681,8 +682,11 @@ server:
 	# Certificates used to authenticate connections made upstream.
 	# tls-cert-bundle: ""
 
+	# Add system certs to the cert bundle, from the Windows Cert Store
+	# tls-win-cert: no
+
 	# Also serve tls on these port numbers (eg. 443, ...), by listing
-	# additional-tls-port: portno for each of the port numbers.
+	# tls-additional-ports: portno for each of the port numbers.
 
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
@@ -725,7 +729,7 @@ server:
 	# low-rtt: 45
 	# select low rtt this many times out of 1000. 0 means the fast server
 	# select is disabled.  prefetches are not sped up.
-	# low-rtt-pct: 0
+	# low-rtt-permil: 0
 
 	# Specific options for ipsecmod. unbound needs to be configured with
 	# --enable-ipsecmod for these to take effect.

Modified: head/contrib/unbound/doc/libunbound.3
==============================================================================
--- head/contrib/unbound/doc/libunbound.3	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/libunbound.3	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "libunbound" "3" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -43,7 +43,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.7.1 functions.
+\- Unbound DNS validating resolver 1.7.2 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP

Modified: head/contrib/unbound/doc/libunbound.3.in
==============================================================================
--- head/contrib/unbound/doc/libunbound.3.in	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/libunbound.3.in	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "libunbound" "3" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -43,7 +43,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.7.1 functions.
+\- Unbound DNS validating resolver 1.7.2 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP

Modified: head/contrib/unbound/doc/unbound-anchor.8
==============================================================================
--- head/contrib/unbound/doc/unbound-anchor.8	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/unbound-anchor.8	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound-anchor" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"

Modified: head/contrib/unbound/doc/unbound-anchor.8.in
==============================================================================
--- head/contrib/unbound/doc/unbound-anchor.8.in	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/unbound-anchor.8.in	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound-anchor" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"

Modified: head/contrib/unbound/doc/unbound-checkconf.8
==============================================================================
--- head/contrib/unbound/doc/unbound-checkconf.8	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/unbound-checkconf.8	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound-checkconf" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"
@@ -8,7 +8,7 @@
 .\"
 .\"
 .SH "NAME"
-unbound\-checkconf
+.B unbound\-checkconf
 \- Check unbound configuration file for errors.
 .SH "SYNOPSIS"
 .B unbound\-checkconf

Modified: head/contrib/unbound/doc/unbound-checkconf.8.in
==============================================================================
--- head/contrib/unbound/doc/unbound-checkconf.8.in	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/unbound-checkconf.8.in	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound-checkconf" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"

Modified: head/contrib/unbound/doc/unbound-control.8
==============================================================================
--- head/contrib/unbound/doc/unbound-control.8	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/unbound-control.8	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound-control" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"

Modified: head/contrib/unbound/doc/unbound-control.8.in
==============================================================================
--- head/contrib/unbound/doc/unbound-control.8.in	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/unbound-control.8.in	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound-control" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"

Modified: head/contrib/unbound/doc/unbound-host.1
==============================================================================
--- head/contrib/unbound/doc/unbound-host.1	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/unbound-host.1	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound\-host" "1" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"

Modified: head/contrib/unbound/doc/unbound-host.1.in
==============================================================================
--- head/contrib/unbound/doc/unbound-host.1.in	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/unbound-host.1.in	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound\-host" "1" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"

Modified: head/contrib/unbound/doc/unbound.8
==============================================================================
--- head/contrib/unbound/doc/unbound.8	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/unbound.8	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.7.1.
+\- Unbound DNS validating resolver 1.7.2.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]

Modified: head/contrib/unbound/doc/unbound.8.in
==============================================================================
--- head/contrib/unbound/doc/unbound.8.in	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/unbound.8.in	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound" "8" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.7.1.
+\- Unbound DNS validating resolver 1.7.2.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]

Modified: head/contrib/unbound/doc/unbound.conf.5
==============================================================================
--- head/contrib/unbound/doc/unbound.conf.5	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/unbound.conf.5	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound.conf" "5" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -403,6 +403,8 @@ Enabled or disable whether the upstream queries use TL
 Default is no.  Useful in tunneling scenarios.  The TLS contains plain DNS in
 TCP wireformat.  The other server must support this (see
 \fBtls\-service\-key\fR).
+If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
+load CA certs, otherwise the connections cannot be authenticated.
 .TP
 .B ssl\-upstream: \fI<yes or no>
 Alternate syntax for \fBtls\-upstream\fR.  If both are present in the config
@@ -444,8 +446,14 @@ urls, and also DNS over TLS connections.
 .B ssl\-cert\-bundle: \fI<file>
 Alternate syntax for \fBtls\-cert\-bundle\fR.
 .TP
-.B additional\-tls\-port: \fI<portnr>
-List portnumbers as additional\-tls\-port, and when interfaces are defined,
+.B tls\-win\-cert: \fI<yes or no>
+Add the system certificates to the cert bundle certificates for authentication.
+If no cert bundle, it uses only these certificates.  Default is no.
+On windows this option uses the certificates from the cert store.  Use
+the tls\-cert\-bundle option on other systems.
+.TP
+.B tls\-additional\-ports: \fI<portnr>
+List portnumbers as tls\-additional\-ports, and when interfaces are defined,
 eg. with the @port suffix, as this port number, they provide dns over TLS
 service.  Can list multiple, each on a new statement.
 .TP
@@ -461,7 +469,8 @@ Default is yes.
 .B access\-control: \fI<IP netblock> <action>
 The netblock is given as an IP4 or IP6 address with /size appended for a
 classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
-\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
+\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
+\fIrefuse_non_local\fR.
 The most specific netblock match is used, if none match \fIdeny\fR is used.
 .IP
 The action \fIdeny\fR stops queries from hosts from that netblock.
@@ -480,6 +489,15 @@ in the reply.  This supports normal operations where n
 are made for the authoritative data.  For nonrecursive queries any replies
 from the dynamic cache are refused.
 .IP
+The \fIallow_setrd\fR action ignores the recursion desired (RD) bit and
+treats all requests as if the recursion desired bit is set.  Note that this
+behavior violates RFC 1034 which states that a name server should never perform
+recursive service unless asked via the RD bit since this interferes with
+trouble shooting of name servers and their databases. This prohibited behavior
+may be useful if another DNS server must forward requests for specific
+zones to a resolver DNS server, but only supports stub domains and
+sends queries to the resolver DNS server with the RD bit cleared.
+.IP
 The action \fIallow_snoop\fR gives nonrecursive access too.  This give
 both recursive and non recursive access.  The name \fIallow_snoop\fR refers
 to cache snooping, a technique to use nonrecursive queries to examine
@@ -691,7 +709,7 @@ infrastructure data.  Validates the replies if trust a
 and the zones are signed.  This enforces DNSSEC validation on nameserver
 NS sets and the nameserver addresses that are encountered on the referral
 path to the answer.
-Default off, because it burdens the authority servers, and it is
+Default no, because it burdens the authority servers, and it is
 not RFC standard, and could lead to performance problems because of the
 extra query load that is generated.  Experimental option.
 If you enable it consider adding more numbers after the target\-fetch\-policy
@@ -722,7 +740,7 @@ Send minimum amount of information to upstream servers
 Only sent minimum required labels of the QNAME and set QTYPE to A when
 possible. Best effort approach; full QNAME and original QTYPE will be sent when
 upstream replies with a RCODE other than NOERROR, except when receiving
-NXDOMAIN from a DNSSEC signed zone. Default is off.
+NXDOMAIN from a DNSSEC signed zone. Default is yes.
 .TP
 .B qname\-minimisation\-strict: \fI<yes or no>
 QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to
@@ -1315,10 +1333,10 @@ factor given.
 .TP 5
 .B low\-rtt: \fI<msec time>
 Set the time in millisecond that is considere a low ping time for fast
-server selection with the low\-rtt\-pct option, that turns this on or off.
+server selection with the low\-rtt\-permil option, that turns this on or off.
 The default is 45 msec, a number from IPv6 quick response documents.
 .TP 5
-.B low\-rtt\-pct: \fI<number>
+.B low\-rtt\-permil: \fI<number>
 Specify how many times out of 1000 to pick the fast server from the low
 rtt band.  0 turns the feature off.  A value of 900 would pick the fast
 server when such fast servers are available 90 percent of the time, and
@@ -1328,7 +1346,7 @@ sped up, because there is no one waiting for it, and i
 moment to perform server exploration.  The low\-rtt option can be used
 to specify which servers are picked for fast server selection, servers
 with a ping roundtrip time below that value are considered.
-The default for low\-rtt\-pct is 0.
+The default for low\-rtt\-permil is 0.
 .SS "Remote Control Options"
 In the
 .B remote\-control:
@@ -1429,7 +1447,7 @@ IP address of stub zone nameserver. Can be IP 4 or IP 
 To use a nondefault port for DNS communication append '@' with the port number.
 .TP
 .B stub\-prime: \fI<yes or no>
-This option is by default off.  If enabled it performs NS set priming,
+This option is by default no.  If enabled it performs NS set priming,
 which is similar to root hints, where it starts using the list of nameservers
 currently published by the zone.  Thus, if the hint list is slightly outdated,
 the resolver picks up a correct list online.
@@ -1490,6 +1508,8 @@ The default is no.
 .B forward\-tls\-upstream: \fI<yes or no>
 Enabled or disable whether the queries to this forwarder use TLS for transport.
 Default is no.
+If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
+load CA certs, otherwise the connections cannot be authenticated.
 .TP
 .B forward\-ssl\-upstream: \fI<yes or no>
 Alternate syntax for \fBforward\-tls\-upstream\fR.
@@ -1827,7 +1847,7 @@ If Unbound was built with
 on a system that has installed the hiredis C client library of Redis,
 then the "redis" backend can be used.
 This backend communicates with the specified Redis server over a TCP
-connection to store and retrive cache data.
+connection to store and retrieve cache data.
 It can be used as a persistent and/or shared cache backend.
 It should be noted that Unbound never removes data stored in the Redis server,
 even if some data have expired in terms of DNS TTL or the Redis server has

Modified: head/contrib/unbound/doc/unbound.conf.5.in
==============================================================================
--- head/contrib/unbound/doc/unbound.conf.5.in	Mon Sep 10 16:33:14 2018	(r338567)
+++ head/contrib/unbound/doc/unbound.conf.5.in	Mon Sep 10 16:56:44 2018	(r338568)
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "May  3, 2018" "NLnet Labs" "unbound 1.7.1"
+.TH "unbound.conf" "5" "Jun 11, 2018" "NLnet Labs" "unbound 1.7.2"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -403,6 +403,8 @@ Enabled or disable whether the upstream queries use TL
 Default is no.  Useful in tunneling scenarios.  The TLS contains plain DNS in
 TCP wireformat.  The other server must support this (see
 \fBtls\-service\-key\fR).
+If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
+load CA certs, otherwise the connections cannot be authenticated.
 .TP
 .B ssl\-upstream: \fI<yes or no>
 Alternate syntax for \fBtls\-upstream\fR.  If both are present in the config
@@ -444,8 +446,14 @@ urls, and also DNS over TLS connections.
 .B ssl\-cert\-bundle: \fI<file>
 Alternate syntax for \fBtls\-cert\-bundle\fR.
 .TP
-.B additional\-tls\-port: \fI<portnr>
-List portnumbers as additional\-tls\-port, and when interfaces are defined,
+.B tls\-win\-cert: \fI<yes or no>
+Add the system certificates to the cert bundle certificates for authentication.
+If no cert bundle, it uses only these certificates.  Default is no.
+On windows this option uses the certificates from the cert store.  Use
+the tls\-cert\-bundle option on other systems.
+.TP
+.B tls\-additional\-ports: \fI<portnr>
+List portnumbers as tls\-additional\-ports, and when interfaces are defined,
 eg. with the @port suffix, as this port number, they provide dns over TLS
 service.  Can list multiple, each on a new statement.
 .TP
@@ -461,7 +469,8 @@ Default is yes.
 .B access\-control: \fI<IP netblock> <action>
 The netblock is given as an IP4 or IP6 address with /size appended for a
 classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
-\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
+\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
+\fIrefuse_non_local\fR.
 The most specific netblock match is used, if none match \fIdeny\fR is used.
 .IP
 The action \fIdeny\fR stops queries from hosts from that netblock.
@@ -480,6 +489,15 @@ in the reply.  This supports normal operations where n
 are made for the authoritative data.  For nonrecursive queries any replies
 from the dynamic cache are refused.
 .IP
+The \fIallow_setrd\fR action ignores the recursion desired (RD) bit and
+treats all requests as if the recursion desired bit is set.  Note that this
+behavior violates RFC 1034 which states that a name server should never perform
+recursive service unless asked via the RD bit since this interferes with
+trouble shooting of name servers and their databases. This prohibited behavior
+may be useful if another DNS server must forward requests for specific
+zones to a resolver DNS server, but only supports stub domains and
+sends queries to the resolver DNS server with the RD bit cleared.
+.IP
 The action \fIallow_snoop\fR gives nonrecursive access too.  This give
 both recursive and non recursive access.  The name \fIallow_snoop\fR refers
 to cache snooping, a technique to use nonrecursive queries to examine
@@ -691,7 +709,7 @@ infrastructure data.  Validates the replies if trust a
 and the zones are signed.  This enforces DNSSEC validation on nameserver
 NS sets and the nameserver addresses that are encountered on the referral
 path to the answer.
-Default off, because it burdens the authority servers, and it is
+Default no, because it burdens the authority servers, and it is
 not RFC standard, and could lead to performance problems because of the
 extra query load that is generated.  Experimental option.
 If you enable it consider adding more numbers after the target\-fetch\-policy
@@ -722,7 +740,7 @@ Send minimum amount of information to upstream servers
 Only sent minimum required labels of the QNAME and set QTYPE to A when
 possible. Best effort approach; full QNAME and original QTYPE will be sent when
 upstream replies with a RCODE other than NOERROR, except when receiving
-NXDOMAIN from a DNSSEC signed zone. Default is off.
+NXDOMAIN from a DNSSEC signed zone. Default is yes.
 .TP
 .B qname\-minimisation\-strict: \fI<yes or no>
 QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to
@@ -1315,10 +1333,10 @@ factor given.
 .TP 5
 .B low\-rtt: \fI<msec time>
 Set the time in millisecond that is considere a low ping time for fast
-server selection with the low\-rtt\-pct option, that turns this on or off.
+server selection with the low\-rtt\-permil option, that turns this on or off.
 The default is 45 msec, a number from IPv6 quick response documents.
 .TP 5
-.B low\-rtt\-pct: \fI<number>
+.B low\-rtt\-permil: \fI<number>
 Specify how many times out of 1000 to pick the fast server from the low
 rtt band.  0 turns the feature off.  A value of 900 would pick the fast
 server when such fast servers are available 90 percent of the time, and
@@ -1328,7 +1346,7 @@ sped up, because there is no one waiting for it, and i
 moment to perform server exploration.  The low\-rtt option can be used
 to specify which servers are picked for fast server selection, servers
 with a ping roundtrip time below that value are considered.
-The default for low\-rtt\-pct is 0.
+The default for low\-rtt\-permil is 0.
 .SS "Remote Control Options"
 In the
 .B remote\-control:
@@ -1429,7 +1447,7 @@ IP address of stub zone nameserver. Can be IP 4 or IP 
 To use a nondefault port for DNS communication append '@' with the port number.
 .TP
 .B stub\-prime: \fI<yes or no>


