merge in some missed bits from 1.7.0 to simplify update prep.

(I think we actually had slightly beyond 1.7.0, I've left code bits but
there are some SSL->TLS changes which go away with this and will come back
with the update).

10 files changed, 26 insertions, 25 deletions

diff --git a/usr.sbin/unbound/doc/README b/usr.sbin/unbound/doc/README
index d0c0bf34f3f..58cd56fa809 100644
--- a/usr.sbin/unbound/doc/README
+++ b/usr.sbin/unbound/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.6.6
+README for Unbound 1.7.0
 Copyright 2007 NLnet Labs
 http://unbound.net
 
diff --git a/usr.sbin/unbound/doc/example.conf.in b/usr.sbin/unbound/doc/example.conf.in
index 1511c1b21c0..a31ee6d3c4f 100644
--- a/usr.sbin/unbound/doc/example.conf.in
+++ b/usr.sbin/unbound/doc/example.conf.in
@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.6.6.
+# See unbound.conf(5) man page, version 1.7.0.
 #
 # this is a comment.
 
@@ -664,14 +664,14 @@ server:
 	# add a netblock specific override to a localzone, with zone type
 	# local-zone-override: "example.com" 192.0.2.0/24 refuse
 
-	# service clients over TLS (on the TCP sockets), with plain DNS inside
-	# the TLS stream.  Give the certificate to use and private key.
+	# service clients over SSL (on the TCP sockets), with plain DNS inside
+	# the SSL stream.  Give the certificate to use and private key.
 	# default is "" (disabled).  requires restart to take effect.
 	# tls-service-key: "path/to/privatekeyfile.key"
 	# tls-service-pem: "path/to/publiccertfile.pem"
 	# tls-port: 853
 
-	# request upstream over TLS (with plain DNS inside the TLS stream).
+	# request upstream over SSL (with plain DNS inside the SSL stream).
 	# Default is no.  Can be turned on and off with unbound-control.
 	# tls-upstream: no
 
diff --git a/usr.sbin/unbound/doc/libunbound.3.in b/usr.sbin/unbound/doc/libunbound.3.in
index 8245f70cd84..357e981fff4 100644
--- a/usr.sbin/unbound/doc/libunbound.3.in
+++ b/usr.sbin/unbound/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
+.TH "libunbound" "3" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -43,7 +43,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.6.6 functions.
+\- Unbound DNS validating resolver 1.7.0 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP
diff --git a/usr.sbin/unbound/doc/unbound-anchor.8.in b/usr.sbin/unbound/doc/unbound-anchor.8.in
index a008e0c0e26..f50bf28af3f 100644
--- a/usr.sbin/unbound/doc/unbound-anchor.8.in
+++ b/usr.sbin/unbound/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
+.TH "unbound-anchor" "8" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"
diff --git a/usr.sbin/unbound/doc/unbound-checkconf.8.in b/usr.sbin/unbound/doc/unbound-checkconf.8.in
index 2e38e76b997..a07124e57a2 100644
--- a/usr.sbin/unbound/doc/unbound-checkconf.8.in
+++ b/usr.sbin/unbound/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
+.TH "unbound-checkconf" "8" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"
diff --git a/usr.sbin/unbound/doc/unbound-control.8.in b/usr.sbin/unbound/doc/unbound-control.8.in
index 2f3fbf9e4f1..53af91514eb 100644
--- a/usr.sbin/unbound/doc/unbound-control.8.in
+++ b/usr.sbin/unbound/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
+.TH "unbound-control" "8" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"
diff --git a/usr.sbin/unbound/doc/unbound-host.1.in b/usr.sbin/unbound/doc/unbound-host.1.in
index de8f0bdd052..6842514d287 100644
--- a/usr.sbin/unbound/doc/unbound-host.1.in
+++ b/usr.sbin/unbound/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
+.TH "unbound\-host" "1" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"
diff --git a/usr.sbin/unbound/doc/unbound.8.in b/usr.sbin/unbound/doc/unbound.8.in
index 24959ba26ce..3c5786a7977 100644
--- a/usr.sbin/unbound/doc/unbound.8.in
+++ b/usr.sbin/unbound/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
+.TH "unbound" "8" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.6.6.
+\- Unbound DNS validating resolver 1.7.0.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]
diff --git a/usr.sbin/unbound/doc/unbound.conf.5.in b/usr.sbin/unbound/doc/unbound.conf.5.in
index b83e8808dfe..ba30f4f89eb 100644
--- a/usr.sbin/unbound/doc/unbound.conf.5.in
+++ b/usr.sbin/unbound/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Sep 18, 2017" "NLnet Labs" "unbound 1.6.6"
+.TH "unbound.conf" "5" "Mar 15, 2018" "NLnet Labs" "unbound 1.7.0"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -252,7 +252,7 @@ silently (unless verbosity 3) without the option.
 .B ip\-transparent: \fI<yes or no>
 If yes, then use IP_TRANSPARENT socket option on sockets where unbound
 is listening for incoming traffic.  Default no.  Allows you to bind to
-non\-local interfaces.  For example for non\-existent IP addresses that
+non\-local interfaces.  For example for non\-existant IP addresses that
 are going to exist later on, with host failover configuration.  This is
 a lot like interface\-automatic, but that one services all interfaces
 and with this option you can select which (future) interfaces unbound
@@ -363,8 +363,8 @@ change anything.  Useful for TLS service providers, that want no udp downstream
 but use udp to fetch data upstream.
 .TP
 .B tls\-upstream: \fI<yes or no>
-Enabled or disable whether the upstream queries use TLS only for transport.
-Default is no.  Useful in tunneling scenarios.  The TLS contains plain DNS in
+Enabled or disable whether the upstream queries use SSL only for transport.
+Default is no.  Useful in tunneling scenarios.  The SSL contains plain DNS in
 TCP wireformat.  The other server must support this (see
 \fBtls\-service\-key\fR).
 .TP
@@ -373,7 +373,7 @@ Alternate syntax for \fBtls\-upstream\fR.  If both are present in the config
 file the last is used.
 .TP
 .B tls\-service\-key: \fI<file>
-If enabled, the server provider TLS service on its TCP sockets.  The clients
+If enabled, the server provider SSL service on its TCP sockets.  The clients
 have to use tls\-upstream: yes.  The file is the private key for the TLS
 session.  The public certificate is in the tls\-service\-pem file.  Default
 is "", turned off.  Requires a restart (a reload is not enough) if changed,
@@ -393,8 +393,8 @@ turned off.
 Alternate syntax for \fBtls\-service\-pem\fR.
 .TP
 .B tls\-port: \fI<number>
-The port number on which to provide TCP TLS service, default 853, only
-interfaces configured with that port number as @number get the TLS service.
+The port number on which to provide TCP SSL service, default 853, only
+interfaces configured with that port number as @number get the SSL service.
 .TP
 .B ssl\-port: \fI<number>
 Alternate syntax for \fBtls\-port\fR.
@@ -683,8 +683,8 @@ This option only has effect when qname-minimisation is enabled. Default is off.
 .B aggressive\-nsec: \fI<yes or no>
 Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
 and other denials, using information from previous NXDOMAINs answers.
-Default is no.  It helps to reduce the query rate towards targets that get
-a very high nonexistent name lookup rate.
+Default is off.  It helps to reduce the query rate towards targets that get
+a very high nonexistant name lookup rate.
 .TP
 .B private\-address: \fI<IP address or subnet>
 Give IPv4 of IPv6 addresses or classless subnets. These are addresses
@@ -1265,7 +1265,7 @@ In the
 clause are the declarations for the remote control facility.  If this is
 enabled, the \fIunbound\-control\fR(8) utility can be used to send
 commands to the running unbound server.  The server uses these clauses
-to setup TLSv1 security for the connection.  The
+to setup SSLv3 / TLSv1 security for the connection.  The
 \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
 section for options.  To setup the correct self\-signed certificates use the
 \fIunbound\-control\-setup\fR(8) utility.
@@ -1371,7 +1371,7 @@ the servers are unreachable, instead it is tried without this clause.
 The default is no.
 .TP
 .B stub\-tls\-upstream: \fI<yes or no>
-Enabled or disable whether the queries to this stub use TLS for transport.
+Enabled or disable whether the queries to this stub use SSL for transport.
 Default is no.
 .TP
 .B stub\-ssl\-upstream: \fI<yes or no>
@@ -1411,7 +1411,7 @@ the servers are unreachable, instead it is tried without this clause.
 The default is no.
 .TP
 .B forward\-tls\-upstream: \fI<yes or no>
-Enabled or disable whether the queries to this forwarder use TLS for transport.
+Enabled or disable whether the queries to this forwarder use SSL for transport.
 Default is no.
 .TP
 .B forward\-ssl\-upstream: \fI<yes or no>
diff --git a/usr.sbin/unbound/util/iana_ports.inc b/usr.sbin/unbound/util/iana_ports.inc
index 5afec2f886f..e44a796dc4a 100644
--- a/usr.sbin/unbound/util/iana_ports.inc
+++ b/usr.sbin/unbound/util/iana_ports.inc
@@ -4635,6 +4635,7 @@
 7402,
 7410,
 7411,
+7420,
 7421,
 7426,
 7427,