author: Stuart Henderson <sthen@cvs.openbsd.org> 2016-06-22 20:05:42 +0000
committer: Stuart Henderson <sthen@cvs.openbsd.org> 2016-06-22 20:05:42 +0000
commit: 4937f0598af49939d892e5ac23e4713af48b8b85 (patch)
tree: ad8f84808e5312ed585a806e0e1188576e37c199 /usr.sbin/unbound/doc
parent: 0e5c9505f4b17a510e99723480ba7763c43a89e0 (diff)
update to unbound-1.5.9. (there will be a follow-up commit to cherrypick a
couple of post-1.5.9 patches). tests from Mark Patruck, danj, matthieu, millert. reads ok to jung, ok florian.
Diffstat (limited to 'usr.sbin/unbound/doc')
-rw-r--r-- usr.sbin/unbound/doc/Changelog 153
-rw-r--r-- usr.sbin/unbound/doc/README 2
-rw-r--r-- usr.sbin/unbound/doc/example.conf.in 13
-rw-r--r-- usr.sbin/unbound/doc/libunbound.3.in 4
-rw-r--r-- usr.sbin/unbound/doc/unbound-anchor.8.in 2
-rw-r--r-- usr.sbin/unbound/doc/unbound-checkconf.8.in 2
-rw-r--r-- usr.sbin/unbound/doc/unbound-control.8.in 2
-rw-r--r-- usr.sbin/unbound/doc/unbound-host.1.in 2
-rw-r--r-- usr.sbin/unbound/doc/unbound.8.in 4
-rw-r--r-- usr.sbin/unbound/doc/unbound.conf.5.in 21
10 files changed, 192 insertions, 13 deletions
diff --git a/usr.sbin/unbound/doc/Changelog b/usr.sbin/unbound/doc/Changelog
index 6bcc32ab456..76ba1e661ec 100644
--- a/usr.sbin/unbound/doc/Changelog
+++ b/usr.sbin/unbound/doc/Changelog
@@ -1,3 +1,156 @@
+2 June 2016: Wouter
+ - Fix libubound for edns optlist feature.
+ - Fix distinction between free and CRYPTO_free in dsa and ecdsa alloc.
+ - Fix #752: retry resource temporarily unavailable on control pipe.
+ - un-document localzone tags.
+
+31 May 2016: Wouter
+ - Fix windows service to be created run with limited rights, as a
+ network service account, from Mario Turschmann.
+ - compat strsep implementation.
+ - generic edns option parse and store code.
+ - and also generic edns options for upstream messages (and replies).
+ after parse use edns_opt_find(edns.opt_list, LDNS_EDNS_NSID),
+ to insert use edns_opt_append(edns, region, code, len, bindata) on
+ the opt_list passed to send_query, or in edns_opt_inplace_reply.
+
+30 May 2016: Wouter
+ - Fix time in case answer comes from cache in ub_resolve_event().
+ - Attempted fix for #765: _unboundmodule missing for python3.
+
+27 May 2016: Wouter
+ - Fix #770: Small subgroup attack on DH used in unix pipe on localhost
+ if unbound control uses a unix local named pipe.
+ - Document write permission to directory of trust anchor needed.
+ - Fix #768: Unbound Service Sometimes Can Not Shutdown
+ Completely, WER Report Shown Up. Close handle before closing WSA.
+
+26 May 2016: Wouter
+ - Updated patch from Charles Walker.
+
+24 May 2016: Wouter
+ - disable-dnssec-lame-check config option from Charles Walker.
+ - remove memory leak from lame-check patch.
+ - iana portlist update.
+
+23 May 2016: Wouter
+ - Fix #767: Reference to an expired Internet-Draft in
+ harden-below-nxdomain documentation.
+
+20 May 2016: Ralph
+ - No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC
+ signed zones.
+ - iana portlist update.
+
+19 May 2016: Wouter
+ - Fix #766: dns64 should synthesize results on timeout/errors.
+
+18 May 2016: Wouter
+ - Fix #761: DNSSEC LAME false positive resolving nic.club.
+
+17 May 2016: Wouter
+ - trunk updated with output of flex 2.6.0.
+
+6 May 2016: Wouter
+ - Fix memory leak in out-of-memory conditions of local zone add.
+
+29 April 2016: Wouter
+ - Fix sldns with static checking fixes copied from getdns.
+
+28 April 2016: Wouter
+ - Fix #759: 0x20 capsforid no longer checks type PTR, for
+ compatibility with cisco dns guard. This lowers false positives.
+
+18 April 2016: Wouter
+ - Fix some malformed reponses to edns queries get fallback to nonedns.
+
+15 April 2016: Wouter
+ - cachedb module event handling design.
+
+14 April 2016: Wouter
+ - cachedb module framework (empty).
+ - iana portlist update.
+
+12 April 2016: Wouter
+ - Fix #753: document dump_requestlist is for first thread.
+
+24 March 2016: Wouter
+ - Document permit-small-holddown for 5011 debug.
+ - Fix #749: unbound-checkconf gets SIGSEGV when use against a
+ malformatted conf file.
+
+23 March 2016: Wouter
+ - OpenSSL 1.1.0 portability, --disable-dsa configure option.
+
+21 March 2016: Wouter
+ - Fix compile of getentropy_linux for SLES11 servicepack 4.
+ - Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.
+ - Fix test for openssl to use HMAC_Update for 1.1.0.
+ - acx_nlnetlabs.m4 to v33, with HMAC_Update.
+ - acx_nlnetlabs.m4 to v34, with -ldl -pthread test for libcrypto.
+ - ERR_remove_state deprecated since openssl 1.0.0.
+ - OPENSSL_config is deprecated, removing.
+
+18 March 2016: Ralph
+ - Validate QNAME minimised NXDOMAIN responses.
+ - If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
+ harden-below-nxdomain.
+
+17 March 2016: Ralph
+ - Limit number of QNAME minimisation iterations.
+
+17 March 2016: Wouter
+ - Fix #746: Fix unbound sets CD bit on all forwards.
+ If no trust anchors, it'll not set CD bit when forwarding to another
+ server. If a trust anchor, no CD bit on the first attempt to a
+ forwarder, but CD bit thereafter on repeated attempts to get DNSSEC.
+ - iana portlist update.
+
+16 March 2016: Wouter
+ - Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
+ - Fix ip-transparent for tcp on freebsd.
+
+15 March 2016: Wouter
+ - ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for
+ binding to an IP address while the interface or address is down.
+
+14 March 2016: Wouter
+ - Fix warnings in ifdef corner case, older or unknown libevent.
+ - Fix compile for ub_event code with older libev.
+
+11 March 2016: Wouter
+ - Remove warning about unused parameter in event_pluggable.c.
+ - Fix libev usage of dispatch return value.
+ - No side effects in tolower() call, in case it is a macro.
+ - For test put free in pluggable api in parenthesis.
+
+10 March 2016: Wouter
+ - Fixup backend2str for libev.
+
+09 March 2016: Willem
+ - User defined pluggable event API for libunbound
+ - Fixup of compile fix for pluggable event API from P.Y. Adi
+ Prasaja.
+
+09 March 2016: Wouter
+ - Updated configure and ltmain.sh.
+ - Updated L root IPv6 address.
+
+07 March 2016: Wouter
+ - Fix #747: assert in outnet_serviced_query_stop.
+ - iana ports fetched via https.
+ - iana portlist update.
+
+03 March 2016: Wouter
+ - configure tests for the weak attribute support by the compiler.
+
+02 March 2016: Wouter
+ - 1.5.8 release tag
+ - trunk contains 1.5.9 in development.
+ - iana portlist update.
+ - Fix #745: unbound.py - idn2dname throws UnicodeError when idnname
+ contains trailing dot.
+
24 February 2016: Wouter
- Fix OpenBSD asynclook lock free that gets used later (fix test code).
- Fix that NSEC3 negative cache is used when there is no salt.
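Review bot: Several of the added Changelog entries carry spelling or naming slips that make them hard to grep for: "libubound" in the 2 June entry, "reponses" in the 18 April entry, and "ip_freebind" in the 15 March entry, where the example.conf.in and unbound.conf.5.in hunks of this same commit spell the option "ip-freebind". The 31 May entry "Fix windows service to be created run with limited rights" also reads as two verbs merged. Since the commit message describes this as an update to unbound-1.5.9, these are best reported upstream rather than corrected locally, so the imported file stays identical to the release.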
diff --git a/usr.sbin/unbound/doc/README b/usr.sbin/unbound/doc/README
index c87c62e5f39..7d0dd3712bc 100644
--- a/usr.sbin/unbound/doc/README
+++ b/usr.sbin/unbound/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.5.8
+README for Unbound 1.5.9
Copyright 2007 NLnet Labs
http://unbound.net
diff --git a/usr.sbin/unbound/doc/example.conf.in b/usr.sbin/unbound/doc/example.conf.in
index b5cc1c93e95..6e00bdf69de 100644
--- a/usr.sbin/unbound/doc/example.conf.in
+++ b/usr.sbin/unbound/doc/example.conf.in
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.5.8.
+# See unbound.conf(5) man page, version 1.5.9.
#
# this is a comment.
@@ -93,6 +93,11 @@ server:
# (uses IP_BINDANY on FreeBSD).
# ip-transparent: no
+ # use IP_FREEBIND so the interface: addresses can be non-local
+ # and you can bind to nonexisting IPs and interfaces that are down.
+ # Linux only. On Linux you also have ip-transparent that is similar.
+ # ip-freebind: no
+
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
# edns-buffer-size: 4096
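Review bot: The new ip-freebind comment says "you can bind to nonexisting IPs" but leaves out the operational consequence: with the option on, a mistyped interface: address no longer fails at bind time, so the server can start without answering on the address the operator intended. One more comment line advising a check of the listening sockets after enabling it would help. The wording "On Linux you also have ip-transparent that is similar" could also state how the two differ, since the context line above already says ip-transparent maps to IP_BINDANY on FreeBSD.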
@@ -364,6 +369,9 @@ server:
# into response messages when those sections are not required.
# minimal-responses: no
+ # true to disable DNSSEC lameness check in iterator.
+ # disable-dnssec-lame-check: no
+
# module configuration of the server. A string with identifiers
# separated by spaces. Syntax: "[dns64] [validator] iterator"
# module-config: "validator iterator"
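Review bot: The comment "true to disable DNSSEC lameness check in iterator" uses "true" although the option's shown default is "no" and the man page hunk declares it as "<yes or no>"; "yes to disable" would match the syntax a user has to type. The example also omits the qualification the man page hunk gives, that the validator still insists on RRSIGs when a trust anchor is loaded. Without it, the option reads like a way to turn off DNSSEC checking, so a short second comment line carrying that caveat is worth adding.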
@@ -459,7 +467,8 @@ server:
# If the value 0 is given, missing anchors are not removed.
# keep-missing: 31622400 # 366 days
- # debug option that allows very small holddown times for key rollover
+ # debug option that allows very small holddown times for key rollover,
+ # otherwise the RFC mandates probe intervals must be at least 1 hour.
# permit-small-holddown: no
# the amount of memory to use for the key cache.
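Review bot: The added line "otherwise the RFC mandates probe intervals must be at least 1 hour" does not say which RFC. The Changelog entry for 24 March in this commit ("Document permit-small-holddown for 5011 debug") and the auto-trust-anchor-file text in unbound.conf.5.in both point at RFC5011, so naming it here would make the comment self-contained.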
diff --git a/usr.sbin/unbound/doc/libunbound.3.in b/usr.sbin/unbound/doc/libunbound.3.in
index df4b8fd4f6d..163a6fa44d0 100644
--- a/usr.sbin/unbound/doc/libunbound.3.in
+++ b/usr.sbin/unbound/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8"
+.TH "libunbound" "3" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.5.8 functions.
+\- Unbound DNS validating resolver 1.5.9 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
diff --git a/usr.sbin/unbound/doc/unbound-anchor.8.in b/usr.sbin/unbound/doc/unbound-anchor.8.in
index de283e5d8f4..1dabc725fa5 100644
--- a/usr.sbin/unbound/doc/unbound-anchor.8.in
+++ b/usr.sbin/unbound/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8"
+.TH "unbound-anchor" "8" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
diff --git a/usr.sbin/unbound/doc/unbound-checkconf.8.in b/usr.sbin/unbound/doc/unbound-checkconf.8.in
index 92be13ffe1b..a4cdf3b9ea9 100644
--- a/usr.sbin/unbound/doc/unbound-checkconf.8.in
+++ b/usr.sbin/unbound/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8"
+.TH "unbound-checkconf" "8" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
diff --git a/usr.sbin/unbound/doc/unbound-control.8.in b/usr.sbin/unbound/doc/unbound-control.8.in
index 0e814b81223..3b24b1fa9a8 100644
--- a/usr.sbin/unbound/doc/unbound-control.8.in
+++ b/usr.sbin/unbound/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8"
+.TH "unbound-control" "8" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
diff --git a/usr.sbin/unbound/doc/unbound-host.1.in b/usr.sbin/unbound/doc/unbound-host.1.in
index 65253ad5886..700382eb9f1 100644
--- a/usr.sbin/unbound/doc/unbound-host.1.in
+++ b/usr.sbin/unbound/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8"
+.TH "unbound\-host" "1" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
diff --git a/usr.sbin/unbound/doc/unbound.8.in b/usr.sbin/unbound/doc/unbound.8.in
index 4b752bb2c13..35385b9f1a0 100644
--- a/usr.sbin/unbound/doc/unbound.8.in
+++ b/usr.sbin/unbound/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8"
+.TH "unbound" "8" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.\"
.\" unbound.8 -- unbound manual
.\"
@@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
-\- Unbound DNS validating resolver 1.5.8.
+\- Unbound DNS validating resolver 1.5.9.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
diff --git a/usr.sbin/unbound/doc/unbound.conf.5.in b/usr.sbin/unbound/doc/unbound.conf.5.in
index 6c6252708b6..dcd10de5aa0 100644
--- a/usr.sbin/unbound/doc/unbound.conf.5.in
+++ b/usr.sbin/unbound/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8"
+.TH "unbound.conf" "5" "Jun 9, 2016" "NLnet Labs" "unbound 1.5.9"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -241,6 +241,13 @@ and with this option you can select which (future) interfaces unbound
provides service on. This option needs unbound to be started with root
permissions on some systems. The option uses IP_BINDANY on FreeBSD systems.
.TP
+.B ip\-freebind: \fI<yes or no>
+If yes, then use IP_FREEBIND socket option on sockets where unbound
+is listening to incoming traffic. Default no. Allows you to bind to
+IP addresses that are nonlocal or do not exist, like when the network
+interface or IP adress is down. Exists only on Linux, where the similar
+ip\-transparent option is also available.
+.TP
.B rrset\-cache\-size: \fI<number>
Number of bytes size of the RRset cache. Default is 4 megabytes.
A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
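Review bot: "IP adress is down" in the new ip-freebind paragraph is misspelled; it should read "IP address". The paragraph would also benefit from the same caveat as the example.conf.in comment: because binding succeeds for addresses that "are nonlocal or do not exist", a wrong interface: value is no longer caught at startup.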
@@ -523,6 +530,7 @@ might return nxdomain for empty nonterminals (that usually happen for reverse
IP address lookups), and thus may be incompatible with this. To try to avoid
this only DNSSEC-secure nxdomains are used, because the old software does not
have DNSSEC. Default is off.
+Currently, draft\-ietf\-dnsop\-nxdomain\-cut promotes this technique.
.TP
.B harden\-referral\-path: \fI<yes or no>
Harden the referral path by performing additional queries for
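Review bot: The added sentence "Currently, draft\-ietf\-dnsop\-nxdomain\-cut promotes this technique." cites an Internet-Draft by name in a man page, and the Changelog entry for #767 in this same commit shows that the previous draft reference in this paragraph had already expired. Wording that does not depend on the draft's status, or a note to replace the draft name once a stable document number exists, would keep this from going stale again.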
@@ -626,6 +634,13 @@ This may cause a slight speedup. The default is no, because the DNS
protocol RFCs mandate these sections, and the additional content could
be of use and save roundtrips for clients.
.TP
+.B disable-dnssec-lame-check: \fI<yes or no>
+If true, disables the DNSSEC lameness check in the iterator. This check
+sees if RRSIGs are present in the answer, when dnssec is expected,
+and retries another authority if RRSIGs are unexpectedly missing.
+The validator will insist in RRSIGs for DNSSEC signed domains regardless
+of this setting, if a trust anchor is loaded.
+.TP
.B module\-config: \fI<"module names">
Module configuration, a list of module names separated by spaces, surround
the string with quotes (""). The modules can be validator, iterator.
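Review bot: The new ".B disable-dnssec-lame-check:" line leaves its hyphens unescaped, while every other option header visible in this diff escapes them ("ip\-freebind", "module\-config", "trust\-anchor"), so it may render and search differently from its neighbours. The body also says "If true" for an option declared "<yes or no>", does not state the default as the ip\-freebind entry does ("Default no."), and "insist in RRSIGs" should read "insist on RRSIGs".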
@@ -644,7 +659,9 @@ File with trust anchor for one zone, which is tracked with RFC5011 probes.
The probes are several times per month, thus the machine must be online
frequently. The initial file can be one with contents as described in
\fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
-so the unbound user must have write permission.
+so the unbound user must have write permission. Write permission to the file,
+but also to the directory it is in (to create a temporary file, which is
+necessary to deal with filesystem full events).
.TP
.B trust\-anchor: \fI<"Resource Record">
A DS or DNSKEY RR for a key to use for validation. Multiple entries can be
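Review bot: The added text "Write permission to the file, but also to the directory it is in (...)" is a sentence fragment, and it asks operators to make a directory writable by the unbound user without saying which directory is appropriate. Suggest a full sentence such as "The unbound user needs write permission to the file and to the directory it is in", plus a recommendation to keep the anchor file in a dedicated directory, so that write access is not granted on a directory that also holds unbound.conf or key material.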