author Dag-Erling Smørgrav <des@FreeBSD.org> 2018-05-12 11:56:38 +0000
committer Dag-Erling Smørgrav <des@FreeBSD.org> 2018-05-12 11:56:38 +0000
commit 197f1a0fe3e81cde0cd25a3a1f37ebedf9a99488 (patch)
tree 9a121ad4cef31a32608c065400c31246d549c0dc /doc
parent b5c63b395d5df7ff6ee4d41a7dfecd938d894037 (diff)
Vendor import of Unbound 1.7.0. (vendor/unbound/1.7.0)
Diffstat (limited to 'doc')
-rw-r--r-- doc/Changelog 237
-rw-r--r-- doc/README 2
-rw-r--r-- doc/example.conf.in 48
-rw-r--r-- doc/libunbound.3.in 18
-rw-r--r-- doc/unbound-anchor.8.in 2
-rw-r--r-- doc/unbound-checkconf.8.in 2
-rw-r--r-- doc/unbound-control.8.in 2
-rw-r--r-- doc/unbound-host.1.in 2
-rw-r--r-- doc/unbound.8.in 4
-rw-r--r-- doc/unbound.conf.5.in 152
10 files changed, 432 insertions, 37 deletions
diff --git a/doc/Changelog b/doc/Changelog
index 5c6be3ada8b7..f29935375ba7 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,9 +1,244 @@
-19 January 2018: Wouter
+12 March 2018: Wouter
+ - Added documentation for aggressive-nsec: yes.
+ - tag 1.7.0rc3.
+
+9 March 2018: Wouter
+ - Fix #3598: Fix swig build issue on rhel6 based system.
+ configure --disable-swig-version-check stops the swig version check.
+
+8 March 2018: Wouter
+ - tag 1.7.0rc2.
+
+7 March 2018: Wouter
+ - Fixed contrib/fastrpz.patch, even though this already applied
+ cleanly for me, now also for others.
+ - patch to log creates keytag queries, from A. Schulze.
+ - patch suggested by Debian lintian: allow to -> allow one to, from
+ A. Schulze.
+ - Attempt to remove warning about trailing whitespace.
+
+6 March 2018: Wouter
+ - Reverted fix for #3512, this may not be the best way forward;
+ although it could be changed at a later time, to stay similar to
+ other implementations.
+ - svn trunk contains 1.7.0, this is the number for the next release.
+ - Fix for windows compile.
+ - tag 1.7.0rc1.
+
+5 March 2018: Wouter
+ - Fix to check define of DSA for when openssl is without deprecated.
+ - iana port update.
+ - Fix #3582: Squelch address already in use log when reuseaddr option
+ causes same port to be used twice for tcp connections.
+
+27 February 2018: Wouter
+ - Fixup contrib/fastrpz.patch so that it applies.
+ - Fix compile without threads, and remove unused variable.
+ - Fix compile with staticexe and python module.
+ - Fix nettle compile.
+
+22 February 2018: Ralph
+ - Save wildcard RRset from answer with original owner for use in
+ aggressive NSEC.
+
+21 February 2018: Wouter
+ - Fix #3512: unbound incorrectly reports SERVFAIL for CAA query
+ when there is a CNAME loop.
+ - Fix validation for CNAME loops. When it detects a cname loop,
+ by finding the cname, cname in the existing list, it returns
+ the partial result with the validation result up to then.
+ - more robust cachedump rrset routine.
+
+19 February 2018: Wouter
+ - Fix #3505: Documentation for default local zones references
+ wrong RFC.
+ - Fix #3494: local-zone noview can be used to break out of the view
+ to the global local zone contents, for queries for that zone.
+ - Fix for more maintainable code in localzone.
+
+16 February 2018: Wouter
+ - Fixes for clang static analyzer, the missing ; in
+ edns-subnet/addrtree.c after the assert made clang analyzer
+ produce a failure to analyze it.
+
+13 February 2018: Ralph
+ - Aggressive NSEC tests
+
+13 February 2018: Wouter
+ - tls-cert-bundle option in unbound.conf enables TLS authentication.
+ - iana port update.
+
+12 February 2018: Wouter
+ - Unit test for auth zone https url download.
+
+12 February 2018: Ralph
+ - Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
+ - Processed aggressive NSEC code review remarks Wouter
+
+8 February 2018: Ralph
+ - Aggressive use of NSEC implementation. Use cached NSEC records to
+ generate NXDOMAIN, NODATA and positive wildcard answers.
+
+8 February 2018: Wouter
+ - iana port update.
+ - auth zone url config.
+
+5 February 2018: Wouter
+ - Fix #3451: dnstap not building when you have a separate build dir.
+ And removed protoc warning, set dnstap.proto syntax to proto2.
+ - auth-zone provides a way to configure RFC7706 from unbound.conf,
+ eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
+ fallback-enabled: yes and masters or a zonefile with data.
+
+2 February 2018: Wouter
+ - Fix unfreed locks in log and arc4random at exit of unbound.
+ - unit test with valgrind
+ - Fix lock race condition in dns cache dname synthesis.
+ - lock subnet new item before insertion to please checklocks,
+ no modification of critical regions outside of lock region.
+
+1 February 2018: Wouter
+ - fix unaligned structure making a false positive in checklock
+ unitialised memory.
+
+29 January 2018: Ralph
+ - Use NSEC with longest ce to prove wildcard absence.
+ - Only use *.ce to prove wildcard absence, no longer names.
+
+25 January 2018: Wouter
+ - ltrace.conf file for libunbound in contrib.
+
+23 January 2018: Wouter
+ - Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
+ for startup scripts to get the full pathname(s) of anchor file(s).
+ - Print fatal errors about remote control setup before log init,
+ so that it is printed to console.
+
+22 January 2018: Wouter
+ - Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
+ also recognized and means the same. Also for tls-port,
+ tls-service-key, tls-service-pem, stub-tls-upstream and
+ forward-tls-upstream.
+ - Fix #3397: Fix that cachedb could return a partial CNAME chain.
+ - Fix #3397: Fix that when the cache contains an unsigned DNAME in
+ the middle of a cname chain, a result without the DNAME could
+ be returned.
+
+19 January 2018: Wouter
+ - tag 1.6.8 for release with CVE fix.
+ - trunk has 1.6.9 with fix and previous commits.
- patch for CVE-2017-15105: vulnerability in the processing of
wildcard synthesized NSEC records.
+ - iana port update.
+ - make depend: code dependencies updated in Makefile.
+
+4 January 2018: Ralph
+ - Copy query and correctly set flags on REFUSED answers when cache
+ snooping is not allowed.
+
+3 January 2018: Ralph
+ - Fix queries being leaked above stub when refetching glue.
+
+2 January 2017: Wouter
+ - Fix that DS queries with referral replies are answered straight
+ away, without a repeat query picking the DS from cache.
+ The correct reply should have been an answer, the reply is fixed
+ by the scrubber to have the answer in the answer section.
+ - Remove clang optimizer disable,
+ Fix that expiration date checks don't fail with clang -O2.
+
+15 December 2017: Wouter
+ - Fix timestamp failure because of clang optimizer failure, by
+ disabling -O2 when the compiler --version is clang.
+ - iana port update.
+ - Also disable -flto for clang, to make incep-expi signature check
+ work.
+
+12 December 2017: Ralph
+ - Fix qname-minimisation documentation (A QTYPE, not NS)
+
+12 December 2017: Wouter
+ - authzone work, transfer connect.
+
+7 December 2017: Ralph
+ - Check whether --with-libunbound-only is set when using --with-nettle
+ or --with-nss.
+
+4 December 2017: Wouter
+ - Fix link failure on OmniOS.
+
+1 December 2017: Wouter
+ - auth zone work.
+
+30 November 2017: Wouter
+ - Fix #3299 - forward CNAME daisy chain is not working
+
+14 November 2017: Wouter
+ - Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
+ set for stub zone. It no longer searches for DNSSEC information.
+ - auth xfer work on probe timer and lookup.
+
+13 November 2017: Wouter
+ - Fix #2801: Install libunbound.pc.
+ - Fix qname minimisation to send AAAA queries at zonecut like type A.
+ - reverted AAAA change.
+
+7 November 2017: Wouter
+ - Fix #2492: Documentation libunbound.
+
+3 November 2017: Wouter
+ - Fix #2362: TLS1.3/openssl-1.1.1 not working.
+ - Fix #2034 - Autoconf and -flto.
+ - Fix #2141 - for libsodium detect lack of entropy in chroot, print
+ a message and exit.
+
+2 November 2017: Wouter
+ - Fix #1913: ub_ctx_config is under circumstances thread-safe.
+ - make ip-transparent option work on OpenBSD.
+
+31 October 2017: Wouter
+ - Document that errno is left informative on libunbound config read
+ fail.
+ - lexer output.
+ - iana port update.
+
+25 October 2017: Ralph
+ - Fixed libunbound manual typo.
+ - Fix #1949: [dnscrypt] make provider name mismatch more obvious.
+ - Fix #2031: Double included headers
+
+24 October 2017: Ralph
+ - Update B root ipv4 address.
+
+19 October 2017: Wouter
+ - authzone work, probe timer setup.
+
+18 October 2017: Wouter
+ - lint for recent authzone commit.
+
+17 October 2017: Wouter
+ - Fix #1749: With harden-referral-path: performance drops, due to
+ circular dependency in NS and DS lookups.
+ - [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
+ duplicates
+ - [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
+ from Manu Bretelle.
+ This option allows handling multiple cert/key pairs while only
+ distributing some of them.
+ In order to reliably match a client magic with a given key without
+ strong assumption as to how those were generated, we need both key and
+ cert. Likewise, in order to know which ES version should be used.
+ On the other hand, when rotating a cert, it can be desirable to only
+ serve the new cert but still be able to handle clients that are still
+ using the old certs's public key.
+ The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
+ publish the cert as part of the DNS's provider_name's TXT answer.
+ - Better documentation for cache-max-negative-ttl.
+ - Work on local root zone code.
10 October 2017: Wouter
- tag 1.6.7
+ - trunk has version 1.6.8.
6 October 2017: Wouter
- Fix spelling in unbound-control man page.
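Review bot: the entry headed "2 January 2017: Wouter" is out of chronological order (it sits between the 3 January 2018 and 15 December 2017 entries) and is presumably 2 January 2018; "unitialised" in the 1 February entry and "certs's" in the 17 October entry are typos in the same text. Since this is a vendor import, the hunk should stay verbatim and these go upstream rather than being patched in the vendor branch. For the release record, this hunk documents that 1.6.8 was the release carrying the CVE-2017-15105 fix and that 1.7.0 adds regression tests for it (12 February entry), which is worth citing when the import is merged.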
diff --git a/doc/README b/doc/README
index d3bea2e0bab2..58cd56fa8095 100644
--- a/doc/README
+++ b/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.6.8
+README for Unbound 1.7.0
Copyright 2007 NLnet Labs
http://unbound.net
diff --git a/doc/example.conf.in b/doc/example.conf.in
index b18513600700..73ed7fde0e5a 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.6.8.
+# See unbound.conf(5) man page, version 1.7.0.
#
# this is a comment.
@@ -371,7 +371,7 @@ server:
# Sent minimum amount of information to upstream servers to enhance
# privacy. Only sent minimum required labels of the QNAME and set QTYPE
- # to NS when possible.
+ # to A when possible.
# qname-minimisation: no
# QNAME minimisation in strict mode. Do not fall-back to sending full
@@ -380,6 +380,10 @@ server:
# This option only has effect when qname-minimisation is enabled.
# qname-minimisation-strict: no
+ # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+ # and other denials, using information from previous NXDOMAINs answers.
+ # aggressive-nsec: no
+
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
# use-caps-for-id: no
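Review bot: "previous NXDOMAINs answers" should read "previous NXDOMAIN answers"; the same sentence recurs in the unbound.conf.5.in hunk of this import, so both copies need the fix. The comment also mentions only NXDOMAIN, while the 8 February Changelog entry describes the feature as synthesizing NXDOMAIN, NODATA and positive wildcard answers from cached NSEC records; saying that here tells an administrator what actually changes in the answers served before they flip `aggressive-nsec: yes`.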
@@ -627,6 +631,7 @@ server:
# o inform_deny drops queries and logs client IP address
# o always_transparent, always_refuse, always_nxdomain, resolve in
# that way but ignore local data for that name.
+ # o noview breaks out of that view towards global local-zones.
#
# defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones
@@ -662,13 +667,16 @@ server:
# service clients over SSL (on the TCP sockets), with plain DNS inside
# the SSL stream. Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
- # ssl-service-key: "path/to/privatekeyfile.key"
- # ssl-service-pem: "path/to/publiccertfile.pem"
- # ssl-port: 853
+ # tls-service-key: "path/to/privatekeyfile.key"
+ # tls-service-pem: "path/to/publiccertfile.pem"
+ # tls-port: 853
# request upstream over SSL (with plain DNS inside the SSL stream).
# Default is no. Can be turned on and off with unbound-control.
- # ssl-upstream: no
+ # tls-upstream: no
+
+ # Certificates used to authenticate connections made upstream.
+ # tls-cert-bundle: ""
# DNS64 prefix. Must be specified when DNS64 is use.
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
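Review bot: the new `# tls-cert-bundle: ""` line should say what the default implies. By the unbound.conf.5.in text in this same import, "" means no file is used, and the bundle is what authenticates connections made to outside peers, so `tls-upstream: yes` with the default bundle encrypts the upstream channel but performs no authentication of the upstream peer. Suggest extending the comment, e.g. `# Certificates used to authenticate connections made upstream.` / `# Leave empty and upstream TLS peers are not authenticated.` Minor: the surrounding comments still say "over SSL" although the keys are now tls-*.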
@@ -787,7 +795,7 @@ remote-control:
# stub-addr: 192.0.2.68
# stub-prime: no
# stub-first: no
-# stub-ssl-upstream: no
+# stub-tls-upstream: no
# stub-zone:
# name: "example.org"
# stub-host: ns.example.com.
@@ -803,11 +811,35 @@ remote-control:
# forward-addr: 192.0.2.68
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
# forward-first: no
-# forward-ssl-upstream: no
+# forward-tls-upstream: no
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
+# Authority zones
+# The data for these zones is kept locally, from a file or downloaded.
+# The data can be served to downstream clients, or used instead of the
+# upstream (which saves a lookup to the upstream). The first example
+# has a copy of the root for local usage. The second serves example.org
+# authoritatively. zonefile: reads from file (and writes to it if you also
+# download it), master: fetches with AXFR and IXFR, or url to zonefile.
+# auth-zone:
+# name: "."
+# for-downstream: no
+# for-upstream: yes
+# fallback-enabled: yes
+# master: b.root-servers.net
+# master: c.root-servers.net
+# master: e.root-servers.net
+# master: f.root-servers.net
+# master: g.root-servers.net
+# master: k.root-servers.net
+# auth-zone:
+# name: "example.org"
+# for-downstream: yes
+# for-upstream: yes
+# zonefile: "example.org.zone"
+
# Views
# Create named views. Name must be unique. Map views to requests using
# the access-control-view option. Views can contain zero or more local-zone
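Review bot: the root-zone example lists masters but no `zonefile:`; the new "Authority Zone Options" text in this import says that when no zonefile is given none is used, so the downloaded root copy is not persisted and is transferred again from the masters after every restart. The comment above already says "zonefile: reads from file (and writes to it if you also download it)", so either add a `zonefile:` line to the root example or note that omitting it means a fresh transfer at startup. Also "or url to zonefile" at the end of that comment sentence is a fragment; suggest "url: downloads the zonefile over http or https".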
diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in
index 0b8ca2afe32c..357e981fff4b 100644
--- a/doc/libunbound.3.in
+++ b/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
+.TH "libunbound" "3" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.6.8 functions.
+\- Unbound DNS validating resolver 1.7.0 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
@@ -150,7 +150,8 @@
is an implementation of a DNS resolver, that does caching and
DNSSEC validation. This is the library API, for using the \-lunbound library.
The server daemon is described in \fIunbound\fR(8).
-The library can be used to convert hostnames to ip addresses, and back,
+The library works independent from a running unbound server, and
+can be used to convert hostnames to ip addresses, and back,
and obtain other information from the DNS. The library performs public\-key
validation of results with DNSSEC.
.P
@@ -162,7 +163,7 @@ and deleting it with
It can be created and deleted at any time. Creating it anew removes any
previous configuration (such as trusted keys) and clears any cached results.
.P
-The functions are thread\-safe, and a context an be used in a threaded (as
+The functions are thread\-safe, and a context can be used in a threaded (as
well as in a non\-threaded) environment. Also resolution (and validation)
can be performed blocking and non\-blocking (also called asynchronous).
The async method returns from the call immediately, so that processing
@@ -203,7 +204,10 @@ without trailing ':'. The returned value must be free(2)d by the caller.
A power\-user interface that lets you specify an unbound config file, see
\fIunbound.conf\fR(5), which is read for configuration. Not all options are
relevant. For some specific options, such as adding trust anchors, special
-routines exist.
+routines exist. This function is thread\-safe only if a single instance of
+ub_ctx* exists in the application. If several instances exist the
+application has to ensure that ub_ctx_config is not called in parallel by
+the different instances.
.TP
.B ub_ctx_set_fwd
Set machine to forward DNS queries to, the caching resolver to use.
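Review bot: the new thread-safety caveat on ub_ctx_config contradicts the unqualified "The functions are thread-safe" sentence in the preceding DESCRIPTION hunk; that paragraph should point at this exception, otherwise a reader who stops there assumes ub_ctx_config may be called concurrently from several contexts. "a single instance of ub_ctx* exists" would read better as "a single ub_ctx instance exists".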
@@ -407,6 +411,10 @@ returns NULL on an error (a malloc failure).
returns true if some information may be available, false otherwise.
.B ub_fd
returns a file descriptor or \-1 on error.
+.B ub_ctx_config
+and
+.B ub_ctx_resolvconf
+attempt to leave errno informative on a function return with file read failure.
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound\fR(8).
diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
index 093b75aa7cd3..f50bf28af3f5 100644
--- a/doc/unbound-anchor.8.in
+++ b/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
+.TH "unbound-anchor" "8" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in
index bfc55bdc0919..a07124e57a26 100644
--- a/doc/unbound-checkconf.8.in
+++ b/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
+.TH "unbound-checkconf" "8" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
index 24e5ce23ad1d..53af91514eb7 100644
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
+.TH "unbound-control" "8" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in
index 42e6096ef597..6842514d287e 100644
--- a/doc/unbound-host.1.in
+++ b/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
+.TH "unbound\-host" "1" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
diff --git a/doc/unbound.8.in b/doc/unbound.8.in
index 1e2adb1ea53d..3c5786a79773 100644
--- a/doc/unbound.8.in
+++ b/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
+.TH "unbound" "8" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
.\"
.\" unbound.8 -- unbound manual
.\"
@@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
-\- Unbound DNS validating resolver 1.6.8.
+\- Unbound DNS validating resolver 1.7.0.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index f6e53111d2d9..156e3bed5f47 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Jan 19, 2018" "NLnet Labs" "unbound 1.6.8"
+.TH "unbound.conf" "5" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -293,7 +293,8 @@ are going to exist later on, with host failover configuration. This is
a lot like interface\-automatic, but that one services all interfaces
and with this option you can select which (future) interfaces unbound
provides service on. This option needs unbound to be started with root
-permissions on some systems. The option uses IP_BINDANY on FreeBSD systems.
+permissions on some systems. The option uses IP_BINDANY on FreeBSD systems
+and SO_BINDANY on OpenBSD systems.
.TP
.B ip\-freebind: \fI<yes or no>
If yes, then use IP_FREEBIND socket option on sockets where unbound
@@ -330,6 +331,7 @@ the data in the cache does not match up with the actual data any more.
.B cache\-max\-negative\-ttl: \fI<seconds>
Time to live maximum for negative responses, these have a SOA in the
authority section that is limited in time. Default is 3600.
+This applies to nxdomain and nodata answers.
.TP
.B infra\-host\-ttl: \fI<seconds>
Time to live for entries in the host cache. The host cache contains
@@ -396,30 +398,52 @@ Enable udp upstream even if do-udp is no. Default is no, and this does not
change anything. Useful for TLS service providers, that want no udp downstream
but use udp to fetch data upstream.
.TP
-.B ssl\-upstream: \fI<yes or no>
+.B tls\-upstream: \fI<yes or no>
Enabled or disable whether the upstream queries use SSL only for transport.
Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
TCP wireformat. The other server must support this (see
-\fBssl\-service\-key\fR).
+\fBtls\-service\-key\fR).
+.TP
+.B ssl\-upstream: \fI<yes or no>
+Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
+file the last is used.
.TP
-.B ssl\-service-key: \fI<file>
+.B tls\-service\-key: \fI<file>
If enabled, the server provider SSL service on its TCP sockets. The clients
-have to use ssl\-upstream: yes. The file is the private key for the TLS
-session. The public certificate is in the ssl\-service\-pem file. Default
+have to use tls\-upstream: yes. The file is the private key for the TLS
+session. The public certificate is in the tls\-service\-pem file. Default
is "", turned off. Requires a restart (a reload is not enough) if changed,
because the private key is read while root permissions are held and before
chroot (if any). Normal DNS TCP service is not provided and gives errors,
this service is best run with a different \fBport:\fR config or \fI@port\fR
suffixes in the \fBinterface\fR config.
.TP
-.B ssl\-service\-pem: \fI<file>
-The public key certificate pem file for the ssl service. Default is "",
+.B ssl\-service\-key: \fI<file>
+Alternate syntax for \fBtls\-service\-key\fR.
+.TP
+.B tls\-service\-pem: \fI<file>
+The public key certificate pem file for the tls service. Default is "",
turned off.
.TP
-.B ssl\-port: \fI<number>
+.B ssl\-service\-pem: \fI<file>
+Alternate syntax for \fBtls\-service\-pem\fR.
+.TP
+.B tls\-port: \fI<number>
The port number on which to provide TCP SSL service, default 853, only
interfaces configured with that port number as @number get the SSL service.
.TP
+.B ssl\-port: \fI<number>
+Alternate syntax for \fBtls\-port\fR.
+.TP
+.B tls\-cert\-bundle: \fI<file>
+If null or "", no file is used. Set it to the certificate bundle file,
+for example "/etc/pki/tls/certs/ca\-bundle.crt". These certificates are used
+for authenticating connections made to outside peers. For example auth\-zone
+urls, and also DNS over TLS connections.
+.TP
+.B ssl\-cert\-bundle: \fI<file>
+Alternate syntax for \fBtls\-cert\-bundle\fR.
+.TP
.B use\-systemd: \fI<yes or no>
Enable or disable systemd socket activation.
Default is no.
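Review bot: the rule "If both are present in the config file the last is used" is stated only for the ssl-upstream/tls-upstream pair and not for the other alternate-syntax pairs introduced in this hunk (ssl-service-key, ssl-service-pem, ssl-port, ssl-cert-bundle); state it once for all of them or repeat it per entry. The tls-upstream entry should also cross-reference tls-cert-bundle: by this hunk's own text an empty bundle means no file is used for authenticating outside peers, so tls-upstream without a bundle provides transport encryption only. Pre-existing wording carried into the renamed entries: "Enabled or disable" (should be "Enable or disable") and "the server provider SSL service" (should be "provides").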
@@ -690,7 +714,7 @@ Can be given multiple times, for different domains.
.TP
.B qname\-minimisation: \fI<yes or no>
Send minimum amount of information to upstream servers to enhance privacy.
-Only sent minimum required labels of the QNAME and set QTYPE to NS when
+Only sent minimum required labels of the QNAME and set QTYPE to A when
possible. Best effort approach; full QNAME and original QTYPE will be sent when
upstream replies with a RCODE other than NOERROR, except when receiving
NXDOMAIN from a DNSSEC signed zone. Default is off.
@@ -701,6 +725,12 @@ potentially broken nameservers. A lot of domains will not be resolvable when
this option in enabled. Only use if you know what you are doing.
This option only has effect when qname-minimisation is enabled. Default is off.
.TP
+.B aggressive\-nsec: \fI<yes or no>
+Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+and other denials, using information from previous NXDOMAINs answers.
+Default is off. It helps to reduce the query rate towards targets that get
+a very high nonexistant name lookup rate.
+.TP
.B private\-address: \fI<IP address or subnet>
Give IPv4 of IPv6 addresses or classless subnets. These are addresses
on your private network, and are not allowed to be returned for
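Review bot: "nonexistant" should be "nonexistent" and "previous NXDOMAINs answers" should be "previous NXDOMAIN answers". The entry would also be clearer if it stated, as the 8 February Changelog entry does, that the denials are synthesized from NSEC records already in the cache and that NODATA and positive wildcard answers are synthesized too, not only NXDOMAIN; that is the behaviour an operator needs confirmed before enabling the option.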
@@ -976,7 +1006,7 @@ address space are not validated. This is usually required whenever
Configure a local zone. The type determines the answer to give if
there is no match from local\-data. The types are deny, refuse, static,
transparent, redirect, nodefault, typetransparent, inform, inform_deny,
-always_transparent, always_refuse, always_nxdomain,
+always_transparent, always_refuse, always_nxdomain, noview,
and are explained below. After that the default settings are listed. Use
local\-data: to enter data into the local zone. Answers for local zones
are authoritative DNS answers. By default the zones are class IN.
@@ -1046,6 +1076,13 @@ Like refuse, but ignores local data and refuses the query.
\h'5'\fIalways_nxdomain\fR
Like static, but ignores local data and returns nxdomain for the query.
.TP 10
+\h'5'\fInoview\fR
+Breaks out of that view and moves towards the global local zones for answer
+to the query. If the view first is no, it'll resolve normally. If view first
+is enabled, it'll break perform that step and check the global answers.
+For when the view has view specific overrides but some zone has to be
+answered from global local zone contents.
+.TP 10
\h'5'\fInodefault\fR
Used to turn off default contents for AS112 zones. The other types
also turn off default contents for the zone. The 'nodefault' option
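Review bot: "it'll break perform that step and check the global answers" is garbled; from the preceding sentence the intended meaning is that with view-first enabled the view lookup is skipped for that zone and the global local zones are consulted, so "it'll skip that step and check the global answers" reads correctly. "If the view first is no" should name the option as it is spelled in the manual, "view\-first". The last sentence is a fragment; suggest "Use it when the view has view-specific overrides but some zone has to be answered from the global local zone contents."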
@@ -1109,7 +1146,7 @@ local\-data: "onion. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
.fi
.TP 10
-\h'5'\fItest (RFC 7686)\fR
+\h'5'\fItest (RFC 2606)\fR
Default content:
.nf
local\-zone: "test." static
@@ -1118,7 +1155,7 @@ local\-data: "test. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
.fi
.TP 10
-\h'5'\fIinvalid (RFC 7686)\fR
+\h'5'\fIinvalid (RFC 2606)\fR
Default content:
.nf
local\-zone: "invalid." static
@@ -1378,9 +1415,12 @@ The data could not be retrieved and would have caused SERVFAIL because
the servers are unreachable, instead it is tried without this clause.
The default is no.
.TP
-.B stub\-ssl\-upstream: \fI<yes or no>
+.B stub\-tls\-upstream: \fI<yes or no>
Enabled or disable whether the queries to this stub use SSL for transport.
Default is no.
+.TP
+.B stub\-ssl\-upstream: \fI<yes or no>
+Alternate syntax for \fBstub\-tls\-upstream\fR.
.SS "Forward Zone Options"
.LP
There may be multiple
@@ -1392,6 +1432,9 @@ forward the queries to. The servers listed as \fBforward\-host:\fR and
those servers are not authority servers, but are (just like unbound is)
recursive servers too; unbound does not perform recursion itself for the
forward zone, it lets the remote server do it. Class IN is assumed.
+CNAMEs are chased by unbound itself, asking the remote server for every
+name in the indirection chain, to protect the local cache from illegal
+indirect referenced items.
A forward\-zone entry with name "." and a forward\-addr target will
forward all queries to that other server (unless it can answer from
the cache).
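Review bot: "to protect the local cache from illegal indirect referenced items" does not say what is being kept out of the cache; together with the 30 November Changelog entry ("forward CNAME daisy chain") the sentence seems to mean that unbound queries the forwarder for every name in the chain so that the cache holds only records it asked for itself, rather than the whole chain the remote server appends, and wording to that effect would be clearer. The new sentence also sits between "Class IN is assumed." and the "." forward-zone example; a separate .LP paragraph would keep the option's semantics together.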
@@ -1412,9 +1455,73 @@ The data could not be retrieved and would have caused SERVFAIL because
the servers are unreachable, instead it is tried without this clause.
The default is no.
.TP
-.B forward\-ssl\-upstream: \fI<yes or no>
+.B forward\-tls\-upstream: \fI<yes or no>
Enabled or disable whether the queries to this forwarder use SSL for transport.
Default is no.
+.TP
+.B forward\-ssl\-upstream: \fI<yes or no>
+Alternate syntax for \fBforward\-tls\-upstream\fR.
+.SS "Authority Zone Options"
+.LP
+Authority zones are configured with \fBauth\-zone:\fR, and each one must
+have a \fBname:\fR. There can be multiple ones, by listing multiple auth\-zone clauses, each with a different name, pertaining to that part of the namespace.
+The authority zone with the name closest to the name looked up is used.
+Authority zones are processed after \fBlocal\-zones\fR and before
+cache (\fBfor\-downstream:\fR \fIyes\fR), and when used in this manner
+make unbound respond like an authority server. Authority zones are also
+processed after cache, just before going to the network to fetch
+information for recursion (\fBfor\-upstream:\fR \fIyes\fR), and when used
+in this manner provide a local copy of an authority server that speeds up
+lookups of that data.
+.LP
+Authority zones can be read from zonefile. And can be kept updated via
+AXFR and IXFR. After update the zonefile is rewritten. The update mechanism
+uses the SOA timer values and performs SOA UDP queries to detect zone changes.
+.TP
+.B name: \fI<zone name>
+Name of the authority zone.
+.TP
+.B master: \fI<IP address or host name>
+Where to download a copy of the zone from, with AXFR and IXFR. Multiple
+masters can be specified. They are all tried if one fails.
+.TP
+.B url: \fI<url to zonefile>
+Where to download a zonefile for the zone. With http or https. An example
+for the url is "http://www.example.com/example.org.zone". Multiple url
+statements can be given, they are tried in turn. If only urls are given
+the SOA refresh timer is used to wait for making new downloads. If also
+masters are listed, the masters are first probed with UDP SOA queries to
+see if the SOA serial number has changed, reducing the number of downloads.
+If none of the urls work, the masters are tried with IXFR and AXFR.
+For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
+to authenticate the connection.
+.TP
+.B fallback\-enabled: \fI<yes or no>
+Default no. If enabled, unbound falls back to querying the internet as
+a resolver for this zone when lookups fail. For example for DNSSEC
+validation failures.
+.TP
+.B for\-downstream: \fI<yes or no>
+Default yes. If enabled, unbound serves authority responses to
+downstream clients for this zone. This option makes unbound behave, for
+the queries with names in this zone, like one of the authority servers for
+that zone. Turn it off if you want unbound to provide recursion for the
+zone but have a local copy of zone data. If for\-downstream is no and
+for\-upstream is yes, then unbound will DNSSEC validate the contents of the
+zone before serving the zone contents to clients and store validation
+results in the cache.
+.TP
+.B for\-upstream: \fI<yes or no>
+Default yes. If enabled, unbound fetches data from this data collection
+for answering recursion queries. Instead of sending queries over the internet
+to the authority servers for this zone, it'll fetch the data directly from
+the zone data. Turn it on when you want unbound to provide recursion for
+downstream clients, and use the zone data as a local copy to speed up lookups.
+.TP
+.B zonefile: \fI<filename>
+The filename where the zone is stored. If not given then no zonefile is used.
+If the file does not exist or is empty, unbound will attempt to fetch zone
+data (eg. from the master servers).
.SS "View Options"
.LP
There may be multiple
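Review bot: the url entry says https downloads are authenticated with tls-cert-bundle and the url hostname, but the tls-cert-bundle entry in this same import says an empty value means no file is used; what an https url does in that case (refuse the download, or fetch unauthenticated) is not documented, and it is what an operator loading a zone copy over https most needs to know. Also: for-downstream and for-upstream both state "Default yes", so every configured auth-zone answers downstream clients authoritatively unless for-downstream is turned off, as the root example in example.conf.in does; a sentence to that effect at the start of the section would prevent an accidental authoritative root. Minor: the "There can be multiple ones..." line is far over man-source line length, "read from zonefile. And can be kept updated" is a fragment, and "eg." should be "e.g.".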
@@ -1513,6 +1620,19 @@ times.
Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
This option may be specified multiple times.
.TP
+.B dnscrypt\-provider\-cert\-rotated: \fI<path to cert file>\fR
+Path to a certificate that we should be able to serve existing connection from
+but do not want to advertise over \fBdnscrypt\-provider\fR's TXT record certs
+distribution.
+A typical use case is when rotating certificates, existing clients may still use
+the client magic from the old cert in their queries until they fetch and update
+the new cert. Likewise, it would allow one to prime the new cert/key without
+distributing the new cert yet, this can be useful when using a network of
+servers using anycast and on which the configuration may not get updated at the
+exact same time. By priming the cert, the servers can handle both old and new
+certs traffic while distributing only one.
+This option may be specified multiple times.
+.TP
.B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>
Give the size of the data structure in which the shared secret keys are kept
in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
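Review bot: the entry does not say that a dnscrypt-provider-cert-rotated certificate still needs its matching key among the dnscrypt-secret-key entries; the Changelog text for this option in this import explains that both key and cert are needed to match a client magic and to pick the ES version, so state that requirement here instead of leaving the reader to infer it. "serve existing connection from" should be "serve existing connections from" and "old and new certs traffic" should be "old and new cert traffic".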