| field | value | date |
|---|---|---|
| author | Stuart Henderson <sthen@cvs.openbsd.org> | 2012-03-26 18:05:43 +0000 |
| committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2012-03-26 18:05:43 +0000 |
| commit | 454bf34e98abbe7c93bf0d4fcde712e58879ee79 | |
| tree | 56b22f15d8c39c30dd8bc66aafee4dbe01a1fc25 /usr.sbin | |
| parent | 39e183e1c5f4baea016c6718b614dcb91513bd7f | |
Import Unbound 1.4.16 to work on in-tree (not yet linked to the build).
These are the direct sources from NLnet Labs upstream, minus these:
compat contrib libunbound/python pythonmod testcode testdata winrc
ok deraadt@ jakob@
Diffstat (limited to 'usr.sbin')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | usr.sbin/unbound/doc/README | 14 |
| -rw-r--r-- | usr.sbin/unbound/doc/example.conf.in | 82 |
| -rw-r--r-- | usr.sbin/unbound/doc/libunbound.3.in | 31 |
| -rw-r--r-- | usr.sbin/unbound/doc/unbound-anchor.8.in | 19 |
| -rw-r--r-- | usr.sbin/unbound/doc/unbound-checkconf.8.in | 3 |
| -rw-r--r-- | usr.sbin/unbound/doc/unbound-control.8.in | 69 |
| -rw-r--r-- | usr.sbin/unbound/doc/unbound.conf.5.in | 106 |

7 files changed, 46 insertions, 278 deletions
diff --git a/usr.sbin/unbound/doc/README b/usr.sbin/unbound/doc/README index df92fccb5d3..d03390585a9 100644 --- a/usr.sbin/unbound/doc/README +++ b/usr.sbin/unbound/doc/README @@ -1,10 +1,8 @@ -README for Unbound 1.5.1 +README for Unbound 1.4.16 Copyright 2007 NLnet Labs http://unbound.net This software is under BSD license, see LICENSE for details. -The DNS64 module has BSD license in dns64/dns64.c. -The DNSTAP code has BSD license in dnstap/dnstap.c. * Download the latest release version of this software from http://unbound.net @@ -12,11 +10,15 @@ The DNSTAP code has BSD license in dnstap/dnstap.c. http://unbound.net/svn/ * Uses the following libraries; + * ldns http://www.nlnetlabs.nl/ldns/ (BSD license) + (required) can use ldns build directory directly with --with-ldns=path. * libevent http://www.monkey.org/~provos/libevent/ (BSD license) (optional) can use builtin alternative instead. - * libexpat (for the unbound-anchor helper program) (MIT license) * Make and install: ./configure; make; make install + * Use GNU make; default on linux, often called 'gmake' on BSD and Solaris. + * --with-ldns=/path/to/ldns + It will dynamically link against it. * --with-libevent=/path/to/libevent Can be set to either the system install or the build directory. --with-libevent=no (default) gives a builtin alternative @@ -35,8 +37,8 @@ The DNSTAP code has BSD license in dnstap/dnstap.c. programming errors, among which buffer overflows. The program exits with an error if an assertion fails (but the buffer did not overflow). * --enable-static-exe - This enables a debug option to statically link against the - libevent library. + This enables a debug option to statically link, against ldns and + libevent libraries. * --enable-lock-checks This enables a debug option to check lock and unlock calls. It needs a recent pthreads library to work. diff --git a/usr.sbin/unbound/doc/example.conf.in b/usr.sbin/unbound/doc/example.conf.in index b95b3a6339c..3c8b8833004 100644 
--- a/usr.sbin/unbound/doc/example.conf.in +++ b/usr.sbin/unbound/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.5.1. +# See unbound.conf(5) man page, version 1.4.16. # # this is a comment. @@ -67,8 +67,6 @@ server: # Use this to make sure unbound does not grab a UDP port that some # other server on this computer needs. The default is to avoid # IANA-assigned port numbers. - # If multiple outgoing-port-permit and outgoing-port-avoid options - # are present, they are processed in order. # outgoing-port-avoid: "3200-3208" # number of outgoing simultaneous tcp buffers to hold per thread. @@ -84,18 +82,11 @@ server: # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). # 0 is system default. Use 4m to handle spikes on very busy servers. # so-sndbuf: 0 - - # use SO_REUSEPORT to distribute queries over threads. - # so-reuseport: no # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). # edns-buffer-size: 4096 - # Maximum UDP response size (not applied to TCP response). - # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. - # max-udp-size: 4096 - # buffer size for handling DNS data. No messages larger than this # size can be sent or received, by UDP or TCP. In bytes. # msg-buffer-size: 65552 @@ -114,9 +105,6 @@ server: # if very busy, 50% queries run to completion, 50% get timeout in msec # jostle-timeout: 200 - - # msec to wait before close of port on timeout UDP. 0 disables. - # delay-close: 0 # the amount of memory to use for the RRset cache. # plain value in bytes or you can append k, m or G. default is "4Mb". 
@@ -171,8 +159,6 @@ server: # By default everything is refused, except for localhost. # Choose deny (drop message), refuse (polite error reply), # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) - # deny_non_local (drop queries unless can be answered from local-data) - # refuse_non_local (like deny_non_local but polite error reply). # access-control: 0.0.0.0/0 refuse # access-control: 127.0.0.0/8 allow # access-control: ::0/0 refuse @@ -323,15 +309,8 @@ server: # if yes, perform key lookups adjacent to normal lookups. # prefetch-key: no - # if yes, Unbound rotates RRSet order in response. - # rrset-roundrobin: no - - # if yes, Unbound doesn't insert authority/additional sections - # into response messages when those sections are not required. - # minimal-responses: no - # module configuration of the server. A string with identifiers - # separated by spaces. Syntax: "[dns64] [validator] iterator" + # separated by spaces. "iterator" or "validator iterator" # module-config: "validator iterator" # File with trusted keys, kept uptodate using RFC5011 probes, 
@@ -437,55 +416,6 @@ server: # the amount of memory to use for the negative cache (used for DLV). # plain value in bytes or you can append k, m or G. default is "1Mb". # neg-cache-size: 1m - - # By default, for a number of zones a small default 'nothing here' - # reply is built-in. Query traffic is thus blocked. If you - # wish to serve such zone you can unblock them by uncommenting one - # of the nodefault statements below. - # You may also have to use domain-insecure: zone to make DNSSEC work, - # unless you have your own trust anchors for this zone. - # local-zone: "localhost." nodefault - # local-zone: "127.in-addr.arpa." nodefault - # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault - # local-zone: "10.in-addr.arpa." nodefault - # local-zone: "16.172.in-addr.arpa." nodefault - # local-zone: "17.172.in-addr.arpa." nodefault - # local-zone: "18.172.in-addr.arpa." nodefault - # local-zone: "19.172.in-addr.arpa." nodefault - # local-zone: "20.172.in-addr.arpa." nodefault - # local-zone: "21.172.in-addr.arpa." nodefault - # local-zone: "22.172.in-addr.arpa." nodefault - # local-zone: "23.172.in-addr.arpa." nodefault - # local-zone: "24.172.in-addr.arpa." nodefault - # local-zone: "25.172.in-addr.arpa." nodefault - # local-zone: "26.172.in-addr.arpa." nodefault - # local-zone: "27.172.in-addr.arpa." nodefault - # local-zone: "28.172.in-addr.arpa." nodefault - # local-zone: "29.172.in-addr.arpa." nodefault - # local-zone: "30.172.in-addr.arpa." nodefault - # local-zone: "31.172.in-addr.arpa." nodefault - # local-zone: "168.192.in-addr.arpa." nodefault - # local-zone: "0.in-addr.arpa." nodefault - # local-zone: "254.169.in-addr.arpa." nodefault - # local-zone: "2.0.192.in-addr.arpa." nodefault - # local-zone: "100.51.198.in-addr.arpa." nodefault - # local-zone: "113.0.203.in-addr.arpa." nodefault - # local-zone: "255.255.255.255.in-addr.arpa." 
nodefault - # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault - # local-zone: "d.f.ip6.arpa." nodefault - # local-zone: "8.e.f.ip6.arpa." nodefault - # local-zone: "9.e.f.ip6.arpa." nodefault - # local-zone: "a.e.f.ip6.arpa." nodefault - # local-zone: "b.e.f.ip6.arpa." nodefault - # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault - # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. - - # if unbound is running service for the local host then it is useful - # to perform lan-wide lookups to the upstream, and unblock the - # long list of local-zones above. If this unbound is a dns server - # for a network of computers, disabled is better and stops information - # leakage of local lan information. - # unblock-lan-zones: no # a number of locally served zones can be configured. # local-zone: <zone> <type> @@ -534,10 +464,6 @@ server: # Default is no. Can be turned on and off with unbound-control. # ssl-upstream: no - # DNS64 prefix. Must be specified when DNS64 is use. - # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. - # dns64-prefix: 64:ff9b::0/96 - # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. # o list python in the module-config string (above) to enable. @@ -577,12 +503,10 @@ remote-control: # 'example.org' go to the given list of nameservers. list zero or more # nameservers by hostname or by ipaddress. If you set stub-prime to yes, # the list is treated as priming hints (default is no). -# With stub-first yes, it attempts without the stub if it fails. # stub-zone: # name: "example.com" # stub-addr: 192.0.2.68 # stub-prime: no -# stub-first: no # stub-zone: # name: "example.org" # stub-host: ns.example.com. 
@@ -592,12 +516,10 @@ remote-control: # 'example.org' go to the given list of servers. These servers have to handle # recursion to other nameservers. List zero or more nameservers by hostname # or by ipaddress. Use an entry with name "." to forward all queries. -# If you enable forward-first, it attempts without the forward if it fails. # forward-zone: # name: "example.com" # forward-addr: 192.0.2.68 # forward-addr: 192.0.2.73@5355 # forward to port 5355. -# forward-first: no # forward-zone: # name: "example.org" # forward-host: fwd.example.com diff --git a/usr.sbin/unbound/doc/libunbound.3.in b/usr.sbin/unbound/doc/libunbound.3.in index 55a9cb286e6..95bf7feedf0 100644 --- a/usr.sbin/unbound/doc/libunbound.3.in +++ b/usr.sbin/unbound/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Dec 8, 2014" "NLnet Labs" "unbound 1.5.1" +.TH "libunbound" "3" "Feb 2, 2012" "NLnet Labs" "unbound 1.4.16" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -8,6 +8,7 @@ .\" .\" .SH "NAME" +.LP .B libunbound, .B unbound.h, .B ub_ctx, @@ -22,7 +23,6 @@ .B ub_ctx_resolvconf, .B ub_ctx_hosts, .B ub_ctx_add_ta, -.B ub_ctx_add_ta_autr, .B ub_ctx_add_ta_file, .B ub_ctx_trustedkeys, .B ub_ctx_debugout, @@ -42,8 +42,9 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.5.1 functions. +\- Unbound DNS validating resolver 1.4.16 functions. .SH "SYNOPSIS" +.LP .B #include <unbound.h> .LP \fIstruct ub_ctx *\fR @@ -74,9 +75,6 @@ \fBub_ctx_add_ta\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR ta); .LP \fIint\fR -\fBub_ctx_add_ta_autr\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR \fBub_ctx_add_ta_file\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); .LP \fIint\fR 
@@ -139,6 +137,7 @@ \fIint\fR \fBub_ctx_data_remove\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR data); .SH "DESCRIPTION" +.LP .B Unbound is an implementation of a DNS resolver, that does caching and DNSSEC validation. This is the library API, for using the \-lunbound library. @@ -172,9 +171,6 @@ by default. Use and .B ub_ctx_hosts to read them. -Before you call this, use the openssl functions CRYPTO_set_id_callback and -CRYPTO_set_locking_callback to set up asyncronous operation if you use -lib openssl (the application calls these functions once for initialisation). .TP .B ub_ctx_delete Delete validation context and free associated resources. @@ -207,9 +203,7 @@ At this time it is only possible to set configuration before the first resolve is done. .TP .B ub_ctx_resolvconf -By default the root servers are queried and full resolver mode is used, but -you can use this call to read the list of nameservers to use from the -filename given. +Read list of nameservers to use from the filename given. Usually "/etc/resolv.conf". Uses those nameservers as caching proxies. If they do not support DNSSEC, validation may fail. Only nameservers are picked up, the searchdomain, ndots and other @@ -235,15 +229,6 @@ first resolve is done. The format is a string, similar to the zone\-file format, [domainname] [type] [rdata contents]. Both DS and DNSKEY records are accepted. .TP -.B ub_ctx_add_ta_autr -Add filename with automatically tracked trust anchor to the given context. -Pass name of a file with the managed trust anchor. You can create this -file with \fIunbound\-anchor\fR(8) for the root anchor. You can also -create it with an initial file with one line with a DNSKEY or DS record. -If the file is writable, it is updated when the trust anchor changes. -At this time it is only possible to add trusted keys before the -first resolve is done. -.TP .B ub_ctx_add_ta_file Add trust anchors to the given context. Pass name of a file with DS and DNSKEY records in zone file format. 
@@ -352,6 +337,7 @@ Add resource record data to local authority info, like local\-data .B ub_ctx_data_remove Delete local authority data from the name given. .SH "RESULT DATA STRUCTURE" +.LP The result of the DNS resolution and validation is returned as \fIstruct ub_result\fR. The result structure contains the following entries. .P @@ -371,12 +357,11 @@ The result of the DNS resolution and validation is returned as int secure; /* true if result is secure */ int bogus; /* true if a security failure happened */ char* why_bogus; /* string with error if bogus */ - int ttl; /* number of seconds the result is valid */ }; .fi .P If both secure and bogus are false, security was not enabled for the -domain of the query. Else, they are not both true, one of them is true. +domain of the query. .SH "RETURN VALUES" Many routines return an error code. The value 0 (zero) denotes no error happened. Other values can be passed to diff --git a/usr.sbin/unbound/doc/unbound-anchor.8.in b/usr.sbin/unbound/doc/unbound-anchor.8.in index 80a3438dcaa..cd44c8e32d9 100644 --- a/usr.sbin/unbound/doc/unbound-anchor.8.in +++ b/usr.sbin/unbound/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Dec 8, 2014" "NLnet Labs" "unbound 1.5.1" +.TH "unbound-anchor" "8" "Feb 2, 2012" "NLnet Labs" "unbound 1.4.16" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" @@ -8,6 +8,7 @@ .\" .\" .SH "NAME" +.LP .B unbound\-anchor \- Unbound anchor utility. .SH "SYNOPSIS" 
@@ -24,14 +25,14 @@ Suggested usage: .nf # in the init scripts. # provide or update the root anchor (if necessary) - unbound-anchor \-a "@UNBOUND_ROOTKEY_FILE@" + unbound-anchor -a "@UNBOUND_ROOTKEY_FILE@" # Please note usage of this root anchor is at your own risk # and under the terms of our LICENSE (see source). # # start validating resolver # the unbound.conf contains: # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" - unbound \-c unbound.conf + unbound -c unbound.conf .fi .P This tool provides builtin default contents for the root anchor and root @@ -44,7 +45,7 @@ all checks are successful, it updates the root anchor file. Otherwise the root anchor file is unchanged. It performs RFC5011 tracking if the DNSSEC information available via the DNS makes that possible. .P -It does not perform an update if the certificate is expired, if the network +If does not perform an update if the certificate is expired, if the network is down or other errors occur. .P The available options are: @@ -76,11 +77,6 @@ The pathname to the root\-anchors.p7s file on the server. (forms URL with \-u). The default is /root\-anchors/root\-anchors.p7s. This file has to be a PKCS7 signature over the xml file, using the pem file (\-c) as trust anchor. .TP -.B \-n \fIname -The emailAddress for the Subject of the signer's certificate from the p7s -signature file. Only signatures from this name are allowed. default is -dnssec@iana.org. If you pass "" then the emailAddress is not checked. -.TP .B \-4 Use IPv4 for domain resolution and contacting the server on https. Default is to use IPv4 and IPv6 where appropriate. @@ -130,6 +126,9 @@ but then ignores the result and goes on to use the xml fallback method. .TP .B \-h Show the version and commandline option help. +.TP +.B \-v +More verbose. Prints output detailing what happens. .SH "EXIT CODE" This tool exits with value 1 if the root anchor was updated using the certificate or if the builtin root-anchor was used. It exits with code 
@@ -138,7 +137,7 @@ tracking, or if an error occurred. .P You can check the exit value in this manner: .nf - unbound-anchor \-a "root.key" || logger "Please check root.key" + unbound-anchor -a "root.key" || logger "Please check root.key" .fi Or something more suitable for your operational environment. .SH "TRUST" diff --git a/usr.sbin/unbound/doc/unbound-checkconf.8.in b/usr.sbin/unbound/doc/unbound-checkconf.8.in index 5ab53480b6f..f036e7f086d 100644 --- a/usr.sbin/unbound/doc/unbound-checkconf.8.in +++ b/usr.sbin/unbound/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Dec 8, 2014" "NLnet Labs" "unbound 1.5.1" +.TH "unbound-checkconf" "8" "Feb 2, 2012" "NLnet Labs" "unbound 1.4.16" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" @@ -8,6 +8,7 @@ .\" .\" .SH "NAME" +.LP unbound\-checkconf \- Check unbound configuration file for errors. .SH "SYNOPSIS" diff --git a/usr.sbin/unbound/doc/unbound-control.8.in b/usr.sbin/unbound/doc/unbound-control.8.in index 92d2d1a9343..193e66c16b7 100644 --- a/usr.sbin/unbound/doc/unbound-control.8.in +++ b/usr.sbin/unbound/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Dec 8, 2014" "NLnet Labs" "unbound 1.5.1" +.TH "unbound-control" "8" "Feb 2, 2012" "NLnet Labs" "unbound 1.4.16" .\" .\" unbound-control.8 -- unbound remote control manual .\" @@ -8,12 +8,13 @@ .\" .\" .SH "NAME" +.LP .B unbound\-control, .B unbound\-control\-setup \- Unbound remote server control utility. .SH "SYNOPSIS" .B unbound\-control -.RB [ \-hq ] +.RB [ \-h ] .RB [ \-c .IR cfgfile ] .RB [ \-s @@ -37,9 +38,6 @@ config file @ub_conf_file@ is used. .B \-s \fIserver[@port] IPv4 or IPv6 address of the server to contact. If not given, the address is read from the config file. -.TP -.B \-q -quiet, if the option is given it does not print anything if it works ok. .SH "COMMANDS" There are several commands that the server understands. .TP 
@@ -129,15 +127,6 @@ Remove all information at or below the name from the cache. The rrsets and key entries are removed so that new lookups will be performed. This needs to walk and inspect the entire cache, and is a slow operation. .TP -.B flush_bogus -Remove all bogus data from the cache. -.TP -.B flush_negative -Remove all negative data from the cache. This is nxdomain answers, -nodata answers and servfail answers. Also removes bad key entries -(which could be due to failed lookups) from the dnssec key cache, and -iterator last-resort lookup failures from the rrset cache. -.TP .B flush_stats Reset statistics to zero. .TP @@ -152,8 +141,6 @@ such as a higher verbosity level. Show what is worked on. Prints all queries that the server is currently working on. Prints the time that users have been waiting. For internal requests, no time is printed. And then prints out the module status. -This prints the queries from the first thread, and not queries that are -being serviced from other threads. .TP .B flush_infra \fIall|IP If all then entire infra cache is emptied. If a specific IP address, the @@ -177,7 +164,7 @@ harden\-glue, harden\-dnssec\-stripped, harden\-below\-nxdomain, harden\-referral\-path, prefetch, prefetch\-key, log\-queries, hide\-identity, hide\-version, identity, version, val\-log\-level, val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown, -keep\-missing, tcp\-upstream, ssl\-upstream, max\-udp\-size. +keep\-missing, tcp\-upstream, ssl\-upstream. .TP .B get_option \fIopt Get the value of the option. Give the option name without a trailing ':'. 
@@ -203,35 +190,6 @@ List the local zones in use. These are printed one per line with zone type. .B list_local_data List the local data RRs in use. The resource records are printed. .TP -.B insecure_add \fIzone -Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf. -Adds to the running unbound without affecting the cache contents (which may -still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file. -.TP -.B insecure_remove \fIzone -Removes domain\-insecure for the given zone. -.TP -.B forward_add \fR[\fI+i\fR] \fIzone addr ... -Add a new forward zone to running unbound. With +i option also adds a -\fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have -a DNSSEC root trust anchor configured for other names). -The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config -in unbound.conf. -.TP -.B forward_remove \fR[\fI+i\fR] \fIzone -Remove a forward zone from running unbound. The +i also removes a -\fIdomain\-insecure\fR for the zone. -.TP -.B stub_add \fR[\fI+ip\fR] \fIzone addr ... -Add a new stub zone to running unbound. With +i option also adds a -\fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime, -without it it is set to notprime. The addr can be IP4, IP6 or nameserver -names, like the \fIstub-zone\fR config in unbound.conf. -.TP -.B stub_remove \fR[\fI+i\fR] \fIzone -Remove a stub zone from running unbound. The +i also removes a -\fIdomain\-insecure\fR for the zone. -.TP .B forward \fR[\fIoff\fR | \fIaddr ...\fR ] Setup forwarding mode. Configures if the server should ask other upstream nameservers, should go to the internet root nameservers itself, or show 
@@ -408,10 +366,6 @@ Also printed for other opcodes, UPDATE, ... .I num.query.tcp Number of queries that were made using TCP towards the unbound server. .TP -.I num.query.tcpout -Number of queries that the unbound server made using TCP outgoing towards -other servers. -.TP .I num.query.ipv6 Number of queries that were made using IPv6 towards the unbound server. .TP @@ -462,21 +416,6 @@ Replies that were unwanted or unsolicited. Could have been random traffic, delayed duplicates, very late answers, or could be spoofing attempts. Some low level of late answers and delayed duplicates are to be expected with the UDP protocol. Very high values could indicate a threat (spoofing). -.TP -.I msg.cache.count -The number of items (DNS replies) in the message cache. -.TP -.I rrset.cache.count -The number of RRsets in the rrset cache. This includes rrsets used by -the messages in the message cache, but also delegation information. -.TP -.I infra.cache.count -The number of items in the infra cache. These are IP addresses with their -timing and protocol support information. -.TP -.I key.cache.count -The number of items in the key cache. These are DNSSEC keys, one item -per delegation point, and their validation status. .SH "FILES" .TP .I @ub_conf_file@ diff --git a/usr.sbin/unbound/doc/unbound.conf.5.in b/usr.sbin/unbound/doc/unbound.conf.5.in index f08a01b3184..eeec7daaf73 100644 --- a/usr.sbin/unbound/doc/unbound.conf.5.in +++ b/usr.sbin/unbound/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Dec 8, 2014" "NLnet Labs" "unbound 1.5.1" +.TH "unbound.conf" "5" "Feb 2, 2012" "NLnet Labs" "unbound 1.4.16" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -8,11 +8,14 @@ .\" .\" .SH "NAME" +.LP .B unbound.conf \- Unbound configuration file. .SH "SYNOPSIS" +.LP .B unbound.conf .SH "DESCRIPTION" +.LP .B unbound.conf is used to configure \fIunbound\fR(8). 
@@ -62,17 +65,18 @@ server: access\-control: 2001:DB8::/64 allow .fi .SH "FILE FORMAT" +.LP There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute is followed by its containing attributes, or a value. .P Files can be included using the .B include: -directive. It can appear anywhere, it accepts a single file name as argument. +directive. It can appear anywhere, and takes a single filename as an argument. Processing continues as if the text from the included file was copied into the config file at that point. If also using chroot, using full path names for the included files works, relative pathnames for the included names work if the directory where the daemon is started equals its chroot/working -directory. Wildcards can be used to include multiple files, see \fIglob\fR(7). +directory. .SS "Server Options" These options are part of the .B server: @@ -118,9 +122,6 @@ A port number can be specified with @port (without spaces between interface and port number), if not specified the default port (from \fBport\fR) is used. .TP -.B ip\-address: \fI<ip address[@port]> -Same as interface: (for easy of compatibility with nsd.conf). -.TP .B interface\-automatic: \fI<yes or no> Detect source interface on UDP queries and copy them to replies. This feature is experimental, and needs support in your OS for particular socket 
@@ -165,28 +166,23 @@ Give a port number or a range of the form "low\-high", without spaces. .TP .B outgoing\-num\-tcp: \fI<number> Number of outgoing TCP buffers to allocate per thread. Default is 10. If set -to 0, or if do\-tcp is "no", no TCP queries to authoritative servers are done. +to 0, or if do_tcp is "no", no TCP queries to authoritative servers are done. .TP .B incoming\-num\-tcp: \fI<number> Number of incoming TCP buffers to allocate per thread. Default is 10. If set -to 0, or if do\-tcp is "no", no TCP queries from clients are accepted. +to 0, or if do_tcp is "no", no TCP queries from clients are accepted. .TP .B edns\-buffer\-size: \fI<number> Number of bytes size to advertise as the EDNS reassembly buffer size. This is the value put into datagrams over UDP towards peers. The actual buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do -not set higher than that value. Default is 4096 which is RFC recommended. +not set lower than that value. Default is 4096 which is RFC recommended. If you have fragmentation reassembly problems, usually seen as timeouts, then a value of 1480 can fix it. Setting to 512 bypasses even the most stringent path MTU problems, but is seen as extreme, since the amount of TCP fallback generated is excessive (probably also for this resolver, consider tuning the outgoing tcp number). .TP -.B max\-udp\-size: \fI<number> -Maximum UDP response size (not applied to TCP response). 65536 disables the -udp response size maximum, and uses the choice from the client, always. -Suggested values are 512 to 4096. Default is 4096. -.TP .B msg\-buffer\-size: \fI<number> Number of bytes size of the message buffers. Default is 65552 bytes, enough for 64 Kb packets, the maximum DNS message size. No message larger than this 
@@ -224,15 +220,6 @@ The qps for short queries can be about (numqueriesperthread / 2) / (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560 qps by default. .TP -.B delay\-close: \fI<msec> -Extra delay for timeouted UDP ports before they are closed, in msec. -Default is 0, and that disables it. This prevents very delayed answer -packets from the upstream (recursive) servers from bouncing against -closed ports and setting off all sort of close-port counters, with -eg. 1500 msec. When timeouts happen you need extra sockets, it checks -the ID and remote IP of packets, and unwanted packets are added to the -unwanted packet counter. -.TP .B so\-rcvbuf: \fI<number> If not 0, then set the SO_RCVBUF socket option to get more buffer space on UDP port 53 incoming queries. So that short spikes on busy @@ -255,16 +242,6 @@ linux unbound needs root permission to bypass the limit, or the admin can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar to so\-rcvbuf. .TP -.B so\-reuseport: \fI<yes or no> -If yes, then open dedicated listening sockets for incoming queries for each -thread and try to set the SO_REUSEPORT socket option on each socket. May -distribute incoming queries to threads more evenly. Default is no. On Linux -it is supported in kernels >= 3.9. On other systems, FreeBSD, OSX it may -also work. You can enable it (on any platform and kernel), -it then attempts to open the port and passes the option if it was available -at compile time, if that works it is used, if it fails, it continues -silently (unless verbosity 3) without the option. -.TP .B rrset\-cache\-size: \fI<number> Number of bytes size of the RRset cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes 
@@ -307,9 +284,7 @@ Enable or disable whether ip4 queries are answered or issued. Default is yes. .B do\-ip6: \fI<yes or no> Enable or disable whether ip6 queries are answered or issued. Default is yes. If disabled, queries are not answered on IPv6, and queries are not sent on -IPv6 to the internet nameservers. With this option you can disable the -ipv6 transport for sending DNS traffic, it does not impact the contents of -the DNS traffic, which may have ip4 and ip6 addresses in it. +IPv6 to the internet nameservers. .TP .B do\-udp: \fI<yes or no> Enable or disable whether UDP queries are answered or issued. Default is yes. @@ -351,7 +326,7 @@ a daemon. Default is yes. .B access\-control: \fI<IP netblock> <action> The netblock is given as an IP4 or IP6 address with /size appended for a classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, -\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR. +\fIallow\fR or \fIallow_snoop\fR. .IP The action \fIdeny\fR stops queries from hosts from that netblock. .IP @@ -380,12 +355,6 @@ By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd. The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS protocol is not designed to handle dropped packets due to policy, and dropping may result in (possibly excessive) retried queries. -.IP -The deny_non_local and refuse_non_local settings are for hosts that are -only allowed to query for the authoritative local\-data, they are not -allowed full recursion but only the static data. With deny_non_local, -messages that are disallowed are dropped, with refuse_non_local they -receive error code REFUSED. .TP .B chroot: \fI<directory> If chroot is enabled, you should pass the configfile (from the 
@@ -523,7 +492,7 @@ unsigned to badly signed often. If turned off you run the risk of a downgrade attack that disables security for a zone. Default is on. .TP .B harden\-below\-nxdomain: \fI<yes or no> -From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name +From draft-vixie-dnsext-resimprove, returns nxdomain to queries for a name below another name that is already known to be nxdomain. DNSSEC mandates noerror for empty nonterminals, hence this is possible. Very old software might return nxdomain for empty nonterminals (that usually happen for reverse @@ -601,18 +570,6 @@ If yes, fetch the DNSKEYs earlier in the validation process, when a DS record is encountered. This lowers the latency of requests. It does use a little more CPU. Also if the cache is set to 0, it is no use. Default is no. .TP -.B rrset-roundrobin: \fI<yes or no> -If yes, Unbound rotates RRSet order in response (the random number is taken -from the query ID, for speed and thread safety). Default is no. -.TP -.B minimal-responses: \fI<yes or no> -If yes, Unbound doesn't insert authority/additional sections into response -messages when those sections are not required. This reduces response -size significantly, and may avoid TCP fallback for some responses. -This may cause a slight speedup. The default is no, because the DNS -protocol RFCs mandate these sections, and the additional content could -be of use and save roundtrips for clients. -.TP .B module\-config: \fI<"module names"> Module configuration, a list of module names separated by spaces, surround the string with quotes (""). The modules can be validator, iterator. 
@@ -777,17 +734,6 @@ Number of bytes size of the aggressive negative cache. Default is 1 megabyte. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes or gigabytes (1024*1024 bytes in a megabyte). .TP -.B unblock\-lan\-zones: \fI<yesno> -Default is disabled. If enabled, then for private address space, -the reverse lookups are no longer filtered. This allows unbound when -running as dns service on a host where it provides service for that host, -to put out all of the queries for the 'lan' upstream. When enabled, -only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured -with default local zones. Disable the option when unbound is running -as a (DHCP-) DNS network resolver for a group of machines, where such -lookups should be filtered (RFC compliance), this also stops potential -data leakage about the local network to the upstream DNS servers. -.TP .B local\-zone: \fI<zone> <type> Configure a local zone. The type determines the answer to give if there is no match from local\-data. The types are deny, refuse, static, @@ -904,7 +850,6 @@ records are provided. Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa, 2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2), 113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa. -And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space). .TP 10 \h'5'\fIreverse RFC4291 IP6 unspecified\fR Reverse data for zone 
@@ -1034,12 +979,6 @@ This option is by default off. If enabled it performs NS set priming, which is similar to root hints, where it starts using the list of nameservers currently published by the zone. Thus, if the hint list is slightly outdated, the resolver picks up a correct list online. -.TP -.B stub\-first: \fI<yes or no> -If enabled, a query is attempted without the stub clause if it fails. -The data could not be retrieved and would have caused SERVFAIL because -the servers are unreachable, instead it is tried without this clause. -The default is no. .SS "Forward Zone Options" .LP There may be multiple @@ -1064,12 +1003,6 @@ Name of server to forward to. Is itself resolved before it is used. .B forward\-addr: \fI<IP address> IP address of server to forward to. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. -.TP -.B forward\-first: \fI<yes or no> -If enabled, a query is attempted without the forward clause if it fails. -The data could not be retrieved and would have caused SERVFAIL because -the servers are unreachable, instead it is tried without this clause. -The default is no. .SS "Python Module Options" .LP The 
@@ -1082,19 +1015,6 @@ and the word "python" has to be put in the \fBmodule\-config:\fR option .TP .B python\-script: \fI<python file>\fR The script file to load. -.SS "DNS64 Module Options" -.LP -The dns64 module must be configured in the \fBmodule\-config:\fR "dns64 -validator iterator" directive and be compiled into the daemon to be -enabled. These settings go in the \fBserver:\fR section. -.TP -.B dns64\-prefix: \fI<IPv6 prefix>\fR -This sets the DNS64 prefix to use to synthesize AAAA records with. -It must be /96 or shorter. The default prefix is 64:ff9b::/96. -.TP -.B dns64\-synthall: \fI<yes or no>\fR -Debug option, default no. If enabled, synthesize all AAAA records -despite the presence of actual AAAA records. .SH "MEMORY CONTROL EXAMPLE" In the example config settings below memory usage is reduced. Some service levels are lower, notable very large data and a high TCP load are no longer |
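Review bot: the direction of the README hunk at @@ -1,10 +1,8 @@ does not match the commit message. The hunk removes "README for Unbound 1.5.1" and adds "README for Unbound 1.4.16", and the diffstat counts 278 deletions against 46 insertions, so this view shows the 1.4.16 import compared with a tree that already carries 1.5.1, not the initial addition of the files; every "-" line in this diff is 1.5.1 content that 1.4.16 lacks, not something this commit strips. The same hunk's second part also makes ldns a required build dependency ("+ * ldns ... (required)", "+ * --with-ldns=/path/to/ldns") and drops libexpat from the list, so ldns has to be available in-tree before this is linked to the build, and the "--enable-static-exe" text now covers both ldns and libevent.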
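Review bot: in example.conf.in, the hunks at @@ -171,8 +159,6 @@ and @@ -437,55 +416,6 @@ show that the 1.4.16 file has no deny_non_local or refuse_non_local access-control actions, no unblock-lan-zones, and no list of the built-in "nothing here" local-zones for RFC1918, link-local and test-net reverse space, and @@ -84,18 +82,11 @@ likewise shows no max-udp-size, so-reuseport or delay-close. A config carried over from 1.5.1 that uses any of those keywords will not be valid for this tree; it is worth running unbound-checkconf (documented in this same diff) over any such config before it is used, and noting that the private-address reverse zones are still blocked by default in 1.4.16 without the option to unblock them.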
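Review bot: in libunbound.3.in, the hunk at @@ -371,12 +357,11 @@ shows that struct ub_result in 1.4.16 has no "int ttl" member, so any consumer compiled against the 1.5.1 header layout is not ABI-compatible with this library and must be rebuilt against the in-tree unbound.h. The hunk at @@ -172,9 +171,6 @@ also drops the paragraph telling applications that use OpenSSL to call CRYPTO_set_id_callback and CRYPTO_set_locking_callback before asynchronous use; whether 1.4.16 still needs the caller to do that should be confirmed against the library source rather than assumed from the shorter man page, since missing locking callbacks in threaded code fail unpredictably.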
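Review bot: in unbound-anchor.8.in, the "+" line in the hunk at @@ -44,7 +45,7 @@ introduces a typo: "If does not perform an update if the certificate is expired" should read "It does not perform an update", as the 1.5.1 line has it. The hunk at @@ -76,11 +77,6 @@ shows that 1.4.16 does not document the "-n name" check that restricts accepted root-anchors.p7s signatures to the signer with emailAddress dnssec@iana.org, so the documented checks on the PKCS7 signature in this version are the "-c" certificate trust chain alone; worth flagging in the port notes. Finally, the .nf examples in @@ -24,14 +25,14 @@ and @@ -138,7 +137,7 @@ use a bare "-a" and "-c" where the 1.5.1 side escapes them as "\-a" and "\-c"; in roff an unescaped hyphen can be rendered as a typographic hyphen, which breaks copy-and-paste of the command line.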
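Review bot: in unbound-control.8.in, the hunk at @@ -129,15 +127,6 @@ shows that 1.4.16 has no flush_bogus or flush_negative commands, so purging bad DNSSEC data or poisoned negative answers from a running daemon has to be done with flush_zone per name, which the same page describes as walking the entire cache and being slow; operators should plan cache-cleanup runbooks for this tree around flush_zone and flush_stats only. The hunk at @@ -8,12 +8,13 @@ also removes the "-q" option from the synopsis, so scripts that rely on quiet mode will need to discard output themselves.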
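Review bot: the "+" lines in the unbound.conf.5.in hunk at @@ -165,28 +166,23 @@ carry two documentation errors. "Do not set lower than that value" for edns-buffer-size inverts the constraint: the preceding sentence states that the actual buffer is msg-buffer-size, so the advertised EDNS size must not exceed it, which is what the 1.5.1 line ("not set higher") says. In the same hunk "do_tcp" should be "do\-tcp", the option name as spelled elsewhere in the page. The hunk also shows that 1.4.16 has no max-udp-size; per the removed text the response size then always follows the client's advertised EDNS size, so there is no server-side cap on UDP response size in this version, which matters for amplification exposure on any resolver reachable from untrusted networks.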
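Review bot: in unbound.conf.5.in, the hunks at @@ -351,7 +326,7 @@ and @@ -380,12 +355,6 @@ show that 1.4.16 access-control offers only deny, refuse, allow and allow_snoop, so a netblock cannot be limited to the authoritative local-data without also being granted full recursion; anyone porting a 1.5.1 policy that used deny_non_local or refuse_non_local to expose static data to a semi-trusted network has to choose between refuse and allow for that netblock instead.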