path: root/doc
author    Dag-Erling Smørgrav <des@FreeBSD.org>    2017-02-03 13:06:34 +0000
committer Dag-Erling Smørgrav <des@FreeBSD.org>    2017-02-03 13:06:34 +0000
commit    bd51c20871bac7a49ea0adc443050f2894cfd5f3 (patch)
tree      c551994131aa8f3315a21aeaf4f9bc2a8b757e89 /doc
parent    27c2fff0f2fef695b0599fc3931cacfc16376e88 (diff)

import unbound 1.6.0 (tag vendor/unbound/1.6.0)

Notes:
svn path=/vendor/unbound/dist/; revision=313158
svn path=/vendor/unbound/1.6.0/; revision=313159; tag=vendor/unbound/1.6.0
Diffstat (limited to 'doc')
-rw-r--r--  doc/CNAME-basedRedirectionDesignNotes.pdf  bin  0 -> 83264 bytes
-rw-r--r--  doc/Changelog                              174
-rw-r--r--  doc/README                                   2
-rw-r--r--  doc/example.conf.in                         47
-rw-r--r--  doc/libunbound.3.in                          6
-rw-r--r--  doc/unbound-anchor.8.in                      4
-rw-r--r--  doc/unbound-checkconf.8.in                   2
-rw-r--r--  doc/unbound-control.8.in                    42
-rw-r--r--  doc/unbound-host.1.in                        2
-rw-r--r--  doc/unbound.8.in                             4
-rw-r--r--  doc/unbound.conf.5.in                       81
11 files changed, 332 insertions, 32 deletions
diff --git a/doc/CNAME-basedRedirectionDesignNotes.pdf b/doc/CNAME-basedRedirectionDesignNotes.pdf
new file mode 100644
index 000000000000..2be2273edb97
--- /dev/null
+++ b/doc/CNAME-basedRedirectionDesignNotes.pdf
Binary files differ
diff --git a/doc/Changelog b/doc/Changelog
index 039eade55b63..57a13c8c537d 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,177 @@
+8 December 2016: Wouter
+ - Fix downcast warnings from visual studio in sldns code.
+
+7 December 2016: Ralph
+ - Add DSA support for OpenSSL 1.1.0
+ - Fix remote control without cert for LibreSSL
+
+6 December 2016: George
+ - Added generic EDNS code for registering known EDNS option codes,
+ bypassing the cache response stage and uniquifying mesh states. Four EDNS
+ option lists were added to module_qstate (module_qstate.edns_opts_*) to
+ store EDNS options from/to front/back side.
+ - Added two flags to module_qstate (no_cache_lookup, no_cache_store) that
+ control the modules' cache interactions.
+ - Added code for registering inplace callback functions. The registered
+ functions can be called just before replying with local data or Chaos,
+ replying from cache, replying with SERVFAIL, replying with a resolved
+ query, sending a query to a nameserver. The functions can inspect the
+ available data and maybe change response/query related data (i.e. append
+ EDNS options).
+ - Updated Python module for the above.
+ - Updated Python documentation.
+
+5 December 2016: Ralph
+ - Fix #1173: differ local-zone type deny from unset
+ tag_actions element.
+
+5 December 2016: Wouter
+ - Fix #1170: document that 'inform' local-zone uses local-data.
+
+1 December 2016: Ralph
+ - hyphen as minus fix, by Andreas Schulze
+
+30 November 2016: Ralph
+ - Added local-zones and local-data bulk addition and removal
+ functionality in unbound-control (local_zones, local_zones_remove,
+ local_datas and local_datas_remove).
+ - iana portlist update
+
+29 November 2016: Wouter
+ - version 1.6.0 is in the development branch.
+ - braces in view.c around lock statements.
+
+28 November 2016: Wouter
+ - new install-sh.
+
+25 November 2016: Wouter
+ - Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
+ using no encryption over the unix socket.
+
+22 Novenber 2016: Ralph
+ - Make access-control-tag-data RDATA absolute. This makes the RDATA
+ origin consistent between local-data and access-control-tag-data.
+ - Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
+ subdomain of the NSEC owner.
+ - QNAME minimisation uses QTYPE=A, therefore always check cache for
+ this type in harden-below-nxdomain functionality.
+ - Added unit test for QNAME minimisation + harden below nxdomain
+ synergy.
+
+22 November 2016: Wouter
+ - iana portlist update.
+ - Fix unit tests for DS hash processing for fake-dsa test option.
+ - patch from Dag-Erling Smorgrav that removes code that relies
+ on sbrk().
+
+21 November 2016: Wouter
+ - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
+ Underneath" for the harden-below-nxdomain option.
+
+10 November 2016: Ralph
+ - Fix #1155: test status code of unbound-control in 04-checkconf,
+ not the status code from the tee command.
+
+4 November 2016: Ralph
+ - Added stub-ssl-upstream and forward-ssl-upstream options.
+
+4 November 2016: Wouter
+ - configure detects ssl security level API function in the autoconf
+ manner. Every function on its own, so that other libraries (eg.
+ LibreSSL) can develop their API without hindrance.
+ - Fix #1154: segfault when reading config with duplicate zones.
+ - Note that for harden-below-nxdomain the nxdomain must be secure,
+ this means nsec3 with optout is insufficient.
+
+3 November 2016: Ralph
+ - Set OpenSSL security level to 0 when using aNULL ciphers.
+
+3 November 2016: Wouter
+ - .gitattributes line for githubs code language display.
+ - log-identity: config option to set sys log identity, patch from
+ "Robin H. Johnson" <robbat2@gentoo.org>
+
+2 November 2016: Wouter
+ - iana portlist update.
+
+31 October 2016: Wouter
+ - Fix failure to build on arm64 with no sbrk.
+ - iana portlist update.
+
+28 October 2016: Wouter
+ - Patch for server.num.zero_ttl stats for count of expired replies,
+ from Pavel Odintsov.
+
+26 October 2016: Wouter
+ - Fix unit tests for openssl 1.1, with no DSA, by faking DSA, enabled
+ with the undocumented switch 'fake-dsa'. It logs a warning.
+
+25 October 2016: Wouter
+ - Fix #1134: unbound-control set_option -- val-override-date: -1 works
+ immediately to ignore datetime, or back to 0 to enable it again.
+ The -- is to ignore the '-1' as an option flag.
+
+24 October 2016: Wouter
+ - serve-expired config option: serve expired responses with TTL 0.
+ - g.root-servers.net has AAAA address.
+
+21 October 2016: Wouter
+ - Ported tests for local_cname unit test to testbound framework.
+
+20 October 2016: Wouter
+ - suppress compile warning in lex files.
+ - init lzt variable, for older gcc compiler warnings.
+ - fix --enable-dsa to work, instead of copying ecdsa enable.
+ - Fix DNSSEC validation of query type ANY with DNAME answers.
+ - Fixup query_info local_alias init.
+
+19 October 2016: Wouter
+ - Fix #1130: whitespace in example.conf.in more consistent.
+
+18 October 2016: Wouter
+ - Patch that resolves CNAMEs entered in local-data conf statements that
+ point to data on the internet, from Jinmei Tatuya (Infoblox).
+ - Removed patch comments from acllist.c and msgencode.c
+ - Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf,
+ from Jinmei Tatuya (Infoblox).
+ - Fix #1125: unbound could reuse an answer packet incorrectly for
+ clients with different EDNS parameters, from Jinmei Tatuya.
+ - Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
+ - Added Requires line to libunbound.pc
+ - Please doxygen by modifying mesh.h
+
+17 October 2016: Wouter
+ - Re-fix #839 from view commit overwrite.
+ - Fixup const void cast warning.
+
+12 October 2016: Ralph
+ - Free view config elements.
+
+11 October 2016: Ralph
+ - Added qname-minimisation-strict config option.
+ - iana portlist update.
+ - fix memoryleak logfile when in debug mode.
+
+5 October 2016: Ralph
+ - Added views functionality.
+ - Fix #1117: spelling errors, from Robert Edmonds.
+
+30 September 2016: Wouter
+ - Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
+
+29 September 2016: Wouter
+ - Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
+ - Fix #839: Memory grows unexpectedly with large RPZ files.
+ - Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
+ - Fix #841: big local-zone's make it consume large amounts of memory.
+
+27 September 2016: Wouter
+ - tag for 1.5.10 release
+ - trunk contains 1.5.11 in development.
+ - Fix dnstap relaying "random" messages instead of resolver/forwarder
+ responses, from Nikolay Edigaryev.
+ - Fix #836: unbound could echo back EDNS options in an error response.
+
20 September 2016: Wouter
- iana portlist update.
- Fix #835: fix --disable-dsa with nettle verify.
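Review bot: "22 Novenber 2016: Ralph" misspells November; the neighbouring entries spell it correctly, so fix the date header. One further documentation point from the same hunk: the 3 November entry ("Set OpenSSL security level to 0 when using aNULL ciphers") and the 25 November entry ("control-use-cert: no ... no encryption over the unix socket") together mean the remote-control channel can run with neither authentication nor encryption. That is reasonable over a local unix socket, but the trade-off is only visible here in the Changelog; the SET UP section of unbound-control.8 should state plainly that control-use-cert: no must only be combined with a unix socket, not a TCP control-interface.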
diff --git a/doc/README b/doc/README
index 66e2f34d2bda..661adcbdf236 100644
--- a/doc/README
+++ b/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.5.10
+README for Unbound 1.6.0
Copyright 2007 NLnet Labs
http://unbound.net
diff --git a/doc/example.conf.in b/doc/example.conf.in
index c520c881f0e9..55bbc32e616f 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.5.10.
+# See unbound.conf(5) man page, version 1.6.0.
#
# this is a comment.
@@ -52,7 +52,7 @@ server:
# outgoing-interface: 192.0.2.153
# outgoing-interface: 2001:DB8::5
# outgoing-interface: 2001:DB8::6
-
+
# Specify a netblock to use remainder 64 bits as random bits for
# upstream queries. Uses freebind option (Linux).
# outgoing-interface: 2001:DB8::/64
@@ -171,7 +171,7 @@ server:
# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
# infra-cache-numhosts: 10000
-
+
# define a number of tags here, use with local-zone, access-control.
# repeat the define-tag statement to add additional tags.
# define-tag: "tag1 tag2 tag3"
@@ -230,6 +230,9 @@ server:
# set redirect data for particular tag for access control element
# access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
+ # Set view for access control element
+ # access-control-view: 192.0.2.0/24 viewname
+
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
# for extra security, but make sure all files are in that directory.
@@ -272,9 +275,13 @@ server:
# logfile: ""
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
- # log to, with identity "unbound". If yes, it overrides the logfile.
+ # log to. If yes, it overrides the logfile.
# use-syslog: yes
+ # Log identity to report. if empty, defaults to the name of argv[0]
+ # (usually "unbound").
+ # log-identity: ""
+
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
# log-time-ascii: no
@@ -328,7 +335,7 @@ server:
# Harden against queries that fall under dnssec-signed nxdomain names.
# harden-below-nxdomain: no
- # Harden the referral path by performing additional queries for
+ # Harden the referral path by performing additional queries for
# infrastructure data. Validates the replies (if possible).
# Default off, because the lookups burden the server. Experimental
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
@@ -344,6 +351,12 @@ server:
# to NS when possible.
# qname-minimisation: no
+ # QNAME minimisation in strict mode. Do not fall-back to sending full
+ # QNAME to potentially broken nameservers. A lot of domains will not be
+ # resolvable when this option in enabled.
+ # This option only has effect when qname-minimisation is enabled.
+ # qname-minimisation-strict: no
+
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
# use-caps-for-id: no
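Review bot: "A lot of domains will not be resolvable when this option in enabled." should read "is enabled" in the new qname-minimisation-strict comment; the identical sentence is added to unbound.conf.5.in in this import and needs the same fix there. Consider also tightening the first sentence to "Do not fall back to sending the full QNAME to nameservers that do not handle minimised queries", since "potentially broken" does not say what breaks.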
@@ -477,6 +490,10 @@ server:
# that set CD but cannot validate themselves.
# ignore-cd-flag: no
+ # Serve expired reponses from cache, with TTL 0 in the response,
+ # and then attempt to fetch the data afresh.
+ # serve-expired: no
+
# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
# val-log-level: 0
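Review bot: "Serve expired reponses from cache" misspells "responses" in the new serve-expired comment. The comment would also be more useful if it said that stale data is served with TTL 0 and that such answers are counted in the new zero_ttl statistic (documented in unbound-control.8 in this same import), so operators enabling it know how to observe it.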
@@ -578,7 +595,7 @@ server:
# o redirect serves the zone data for any subdomain in the zone.
# o nodefault can be used to normally resolve AS112 zones.
# o typetransparent resolves normally for other types and other names
- # o inform resolves normally, but logs client IP address
+ # o inform acts like transparent, but logs client IP address
# o inform_deny drops queries and logs client IP address
# o always_transparent, always_refuse, always_nxdomain, resolve in
# that way but ignore local data for that name.
@@ -700,6 +717,7 @@ remote-control:
# stub-addr: 192.0.2.68
# stub-prime: no
# stub-first: no
+# stub-ssl-upstream: no
# stub-zone:
# name: "example.org"
# stub-host: ns.example.com.
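Review bot: the new "stub-ssl-upstream: no" line is added next to "stub-addr: 192.0.2.68" without any port, so the example does not show how a TLS upstream is addressed. Since the forward-zone example further down already demonstrates the @port syntax ("forward-addr: 192.0.2.73@5355"), add a commented line such as "stub-addr: 192.0.2.68@853" (853 being the DNS-over-TLS port from RFC 7858) so that enabling the option is not paired with the plaintext port.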
@@ -715,6 +733,23 @@ remote-control:
# forward-addr: 192.0.2.68
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
# forward-first: no
+# forward-ssl-upstream: no
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
+
+# Views
+# Create named views. Name must be unique. Map views to requests using
+# the access-control-view option. Views can contain zero or more local-zone
+# and local-data options. Options from matching views will override global
+# options. Global options will be used if no matching view is found.
+# With view-first yes, it will try to answer using the global local-zone and
+# local-data elements if there is no view specific match.
+# view:
+# name: "viewname"
+# local-zone: "example.com" redirect
+# local-data: "example.com A 192.0.2.3"
+# view-first: no
+# view:
+# name: "anotherview"
+# local-zone: "example.com" refuse
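Review bot: the views comment says "Options from matching views will override global options", but the only options a view may carry are local-zone and local-data (stated two lines earlier), so write "local-zone and local-data from a matching view override the global ones" to avoid the impression that arbitrary server: options can be per-view. In the same hunk, "forward-ssl-upstream: no" is added beside "forward-addr: 192.0.2.68" with no port; as with the stub example, pair it with an explicit @port so readers do not enable TLS against the plaintext port.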
diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in
index 1bf3fc2c880b..37d63a5d2452 100644
--- a/doc/libunbound.3.in
+++ b/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
+.TH "libunbound" "3" "Dec 15, 2016" "NLnet Labs" "unbound 1.6.0"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.5.10 functions.
+\- Unbound DNS validating resolver 1.6.0 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
@@ -180,7 +180,7 @@ and
.B ub_ctx_hosts
to read them.
Before you call this, use the openssl functions CRYPTO_set_id_callback and
-CRYPTO_set_locking_callback to set up asyncronous operation if you use
+CRYPTO_set_locking_callback to set up asynchronous operation if you use
lib openssl (the application calls these functions once for initialisation).
Openssl 1.0.0 or later uses the CRYPTO_THREADID_set_callback function.
.TP
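Review bot: the typo fix ("asyncronous" to "asynchronous") is correct, but the paragraph it sits in is now stale: the Changelog in this same import records OpenSSL 1.1.0 support, and in OpenSSL 1.1.0 CRYPTO_set_id_callback, CRYPTO_set_locking_callback and CRYPTO_THREADID_set_callback are no-ops because the library does its own locking. The sentence "Before you call this, use the openssl functions ... to set up asynchronous operation" should be qualified as applying to OpenSSL 1.0.x only.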
diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
index 7403caa41455..31a48c26e1e5 100644
--- a/doc/unbound-anchor.8.in
+++ b/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
+.TH "unbound-anchor" "8" "Dec 15, 2016" "NLnet Labs" "unbound 1.6.0"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
@@ -67,7 +67,7 @@ List the builtin root key and builtin root update certificate on stdout.
.B \-u \fIname
The server name, it connects to https://name. Specify without https:// prefix.
The default is "data.iana.org". It connects to the port specified with \-P.
-You can pass an IPv4 addres or IPv6 address (no brackets) if you want.
+You can pass an IPv4 address or IPv6 address (no brackets) if you want.
.TP
.B \-x \fIpath
The pathname to the root\-anchors.xml file on the server. (forms URL with \-u).
diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in
index 03f5b3cd36a6..d9a5b03aea1a 100644
--- a/doc/unbound-checkconf.8.in
+++ b/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
+.TH "unbound-checkconf" "8" "Dec 15, 2016" "NLnet Labs" "unbound 1.6.0"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
index 9089db9b55e5..aa801c4bda71 100644
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
+.TH "unbound-control" "8" "Dec 15, 2016" "NLnet Labs" "unbound 1.6.0"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@@ -99,6 +99,22 @@ but if the name has become an empty nonterminal (there is still data in
domain names below the removed name), NOERROR nodata answers are the
result for that name.
.TP
+.B local_zones
+Add local zones read from stdin of unbound\-control. Input is read per line,
+with name space type on a line. For bulk additions.
+.TP
+.B local_zones_remove
+Remove local zones read from stdin of unbound\-control. Input is one name per
+line. For bulk removals.
+.TP
+.B local_datas
+Add local data RRs read from stdin of unbound\-control. Input is one RR per
+line. For bulk additions.
+.TP
+.B local_datas_remove
+Remove local data RRs read from stdin of unbound\-control. Input is one name per
+line. For bulk removals.
+.TP
.B dump_cache
The contents of the cache is printed in a text format to stdout. You can
redirect it to a file to store the cache in a file.
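Review bot: "Input is read per line, with name space type on a line." is hard to parse; suggest "One zone per line, written as the zone name and the zone type separated by a space, the same syntax as local_zone." Also, local_datas takes "one RR per line" while local_datas_remove takes "one name per line"; say explicitly that removal is by owner name and removes all RRs at that name, mirroring local_data_remove, so the asymmetry reads as intended rather than as a copy-paste slip.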
@@ -263,6 +279,21 @@ estimated qps and qps limit from config. With +a it prints all domains, not
just the ratelimited domains, with their estimated qps. The ratelimited
domains return an error for uncached (new) queries, but cached queries work
as normal.
+.TP
+.B view_list_local_zones \fIview\fR
+\fIlist_local_zones\fR for given view.
+.TP
+.B view_local_zone \fIview\fR \fIname\fR \fItype
+\fIlocal_zone\fR for given view.
+.TP
+.B view_local_zone_remove \fIview\fR \fIname
+\fIlocal_zone_remove\fR for given view.
+.TP
+.B view_local_data \fIview\fR \fIRR data...
+\fIlocal_data\fR for given view.
+.TP
+.B view_local_data_remove \fIview\fR \fIname
+\fIlocal_data_remove\fR for given view.
.SH "EXIT CODE"
The unbound\-control program exits with status code 1 on error, 0 on success.
.SH "SET UP"
@@ -301,6 +332,9 @@ and resulted in recursive processing, taking a slot in the requestlist.
Not part of the recursivereplies (or the histogram thereof) or cachemiss,
as a cache response was sent.
.TP
+.I threadX.num.zero_ttl
+number of replies with ttl zero, because they served an expired cache entry.
+.TP
.I threadX.num.recursivereplies
The number of replies sent to queries that needed recursive processing. Could be smaller than threadX.num.cachemiss if due to timeouts no replies were sent for some queries.
.TP
@@ -350,6 +384,9 @@ summed over threads.
.I total.num.prefetch
summed over threads.
.TP
+.I total.num.zero_ttl
+summed over threads.
+.TP
.I total.num.recursivereplies
summed over threads.
.TP
@@ -384,9 +421,6 @@ uptime since server boot in seconds.
time since last statistics printout, in seconds.
.SH EXTENDED STATISTICS
.TP
-.I mem.total.sbrk
-If sbrk(2) is available, an estimate of the heap size of the program in number of bytes. Close to the total memory used by the program, as reported by top and ps. Could be wrong if the OS allocates memory non\-contiguously.
-.TP
.I mem.cache.rrset
Memory in bytes in use by the RRset cache.
.TP
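Review bot: dropping mem.total.sbrk from the EXTENDED STATISTICS list is a visible change for anything that parses unbound-control stats output (the Changelog in this import mentions the unbound_munin_ plugin, which is exactly such a consumer), yet the 22 November Changelog entry only says that code relying on sbrk() was removed. Add a line to the Changelog noting that the mem.total.sbrk statistic no longer appears, so monitoring configurations can be updated.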
diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in
index 04d19addb0a2..b7fe345cbe27 100644
--- a/doc/unbound-host.1.in
+++ b/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
+.TH "unbound\-host" "1" "Dec 15, 2016" "NLnet Labs" "unbound 1.6.0"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
diff --git a/doc/unbound.8.in b/doc/unbound.8.in
index 78e497d5d0ef..af2ac111b73e 100644
--- a/doc/unbound.8.in
+++ b/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
+.TH "unbound" "8" "Dec 15, 2016" "NLnet Labs" "unbound 1.6.0"
.\"
.\" unbound.8 -- unbound manual
.\"
@@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
-\- Unbound DNS validating resolver 1.5.10.
+\- Unbound DNS validating resolver 1.6.0.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index f813c44edc98..39ce95c57993 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10"
+.TH "unbound.conf" "5" "Dec 15, 2016" "NLnet Labs" "unbound 1.6.0"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -151,8 +151,8 @@ netblock, or the randomisation will be compromised. Consider combining with
to increase the likelihood of IPv6 nameservers being selected for queries.
On Linux you need these two commands to be able to use the freebind socket
option to receive traffic for the ip6 netblock:
-ip -6 addr add mynetblock/64 dev lo &&
-ip -6 route add local mynetblock/64 dev lo
+ip \-6 addr add mynetblock/64 dev lo &&
+ip \-6 route add local mynetblock/64 dev lo
.TP
.B outgoing\-range: \fI<number>
Number of ports to open. This number of file descriptors can be opened per
@@ -474,6 +474,9 @@ order of the define-tag values.
.B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string">
Set redirect data for particular tag for given access control element.
.TP
+.B access\-control\-view: \fI<IP netblock> <view name>
+Set view for given access control element.
+.TP
.B chroot: \fI<directory>
If chroot is enabled, you should pass the configfile (from the
commandline) as a full path from the original root. After the
@@ -531,6 +534,13 @@ The log facility LOG_DAEMON is used, with identity "unbound".
The logfile setting is overridden when use\-syslog is turned on.
The default is to log to syslog.
.TP
+.B log\-identity: \fI<string>
+If "" is given (default), then the name of the executable, usually "unbound"
+is used to report to the log. Enter a string to override it
+with that, which is useful on systems that run more than one instance of
+unbound, with different configurations, so that the logs can be easily
+distinguished against.
+.TP
.B log\-time\-ascii: \fI<yes or no>
Sets logfile lines to use a timestamp in UTC ascii. Default is no, which
prints the seconds since 1970 in brackets. No effect if using syslog, in
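Review bot: "so that the logs can be easily distinguished against" is not idiomatic; "so that the logs of each instance can be told apart" reads better, and "Enter a string to override it with that" can be "Set it to a string to override that name". The context line just above the hunk, "The log facility LOG_DAEMON is used, with identity "unbound".", is now contradicted by the new option; change it to "with the identity set by log\-identity" (the example.conf.in hunk in this import already dropped the hard-coded "unbound" wording).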
@@ -614,14 +624,15 @@ unsigned to badly signed often. If turned off you run the risk of a
downgrade attack that disables security for a zone. Default is on.
.TP
.B harden\-below\-nxdomain: \fI<yes or no>
-From draft\-vixie\-dnsext\-resimprove, returns nxdomain to queries for a name
+From RFC 8020 (with title "NXDOMAIN: There Really Is Nothing Underneath"),
+returns nxdomain to queries for a name
below another name that is already known to be nxdomain. DNSSEC mandates
noerror for empty nonterminals, hence this is possible. Very old software
might return nxdomain for empty nonterminals (that usually happen for reverse
IP address lookups), and thus may be incompatible with this. To try to avoid
this only DNSSEC-secure nxdomains are used, because the old software does not
have DNSSEC. Default is off.
-Currently, draft\-ietf\-dnsop\-nxdomain\-cut promotes this technique.
+The nxdomain must be secure, this means nsec3 with optout is insufficient.
.TP
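Review bot: "The nxdomain must be secure, this means nsec3 with optout is insufficient." is a comma splice and gives the rule without the reason. Suggest: "The NXDOMAIN must be DNSSEC-secure; an NSEC3 opt-out proof is insufficient, because an opt-out span may cover unsigned delegations and therefore does not prove that no names exist below it." That is the whole reason the harden-below-nxdomain inference is only safe on secure denials, and stating it helps operators understand why the option has no effect for opt-out zones.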
.B harden\-referral\-path: \fI<yes or no>
Harden the referral path by performing additional queries for
@@ -658,8 +669,15 @@ Can be given multiple times, for different domains.
.B qname\-minimisation: \fI<yes or no>
Send minimum amount of information to upstream servers to enhance privacy.
Only sent minimum required labels of the QNAME and set QTYPE to NS when
-possible. Best effort approach, full QNAME and original QTYPE will be sent when
-upstream replies with a RCODE other than NOERROR. Default is off.
+possible. Best effort approach; full QNAME and original QTYPE will be sent when
+upstream replies with a RCODE other than NOERROR, except when receiving
+NXDOMAIN from a DNSSEC signed zone. Default is off.
+.TP
+.B qname\-minimisation\-strict: \fI<yes or no>
+QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to
+potentially broken nameservers. A lot of domains will not be resolvable when
+this option in enabled. Only use if you know what you are doing.
+This option only has effect when qname-minimisation is enabled. Default is off.
.TP
.B private\-address: \fI<IP address or subnet>
Give IPv4 of IPv6 addresses or classless subnets. These are addresses
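Review bot: two wording errors in this hunk: the context line "Only sent minimum required labels" should be "Only send", and the new qname-minimisation-strict text "when this option in enabled" should be "is enabled" (the same sentence is added to example.conf.in in this import). The new exception "except when receiving NXDOMAIN from a DNSSEC signed zone" is the 22 November Changelog item on QNAME minimisation and harden-below-nxdomain; a cross-reference to harden\-below\-nxdomain here would tell readers where that behaviour comes from. Also, in the context below the hunk, "Give IPv4 of IPv6 addresses" should be "IPv4 or IPv6".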
@@ -859,6 +877,11 @@ servers that set the CD flag but cannot validate DNSSEC themselves are
the clients, and then unbound provides them with DNSSEC protection.
The default value is "no".
.TP
+.B serve\-expired: \fI<yes or no>
+If enabled, unbound attempts to serve old responses from cache with a
+TTL of 0 in the response without waiting for the actual resolution to finish.
+The actual resolution answer ends up in the cache later on. Default is "no".
+.TP
.B val\-nsec3\-keysize\-iterations: \fI<"list of values">
List of keysize and iteration count values, separated by spaces, surrounded
by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
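Review bot: the serve-expired description does not say whether there is any upper bound on how stale a served entry may be, and a client cannot distinguish a stale 0-TTL answer from a fresh one except by the TTL. State the bound (or that there is none) and point at the zero_ttl counters added to unbound-control.8 in this import, so operators can measure how often stale data is being served. "attempts to serve old responses from cache ... without waiting for the actual resolution to finish" could also be tightened to "serves the expired cache entry with TTL 0 and starts a fresh resolution in the background".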
@@ -978,11 +1001,11 @@ queries for www.example.com and www.foo.example.com are redirected, so
that users with web browsers cannot access sites with suffix example.com.
.TP 10
\h'5'\fIinform\fR
-The query is answered normally. The client IP address (@portnumber)
-is printed to the logfile. The log message is: timestamp, unbound-pid,
-info: zonename inform IP@port queryname type class. This option can be
-used for normal resolution, but machines looking up infected names are
-logged, eg. to run antivirus on them.
+The query is answered normally, same as transparent. The client IP
+address (@portnumber) is printed to the logfile. The log message is:
+timestamp, unbound-pid, info: zonename inform IP@port queryname type
+class. This option can be used for normal resolution, but machines
+looking up infected names are logged, eg. to run antivirus on them.
.TP 10
\h'5'\fIinform_deny\fR
The query is dropped, like 'deny', and logged, like 'inform'. Ie. find
@@ -1280,6 +1303,10 @@ If enabled, a query is attempted without the stub clause if it fails.
The data could not be retrieved and would have caused SERVFAIL because
the servers are unreachable, instead it is tried without this clause.
The default is no.
+.TP
+.B stub\-ssl\-upstream: \fI<yes or no>
+Enabled or disable whether the queries to this stub use SSL for transport.
+Default is no.
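Review bot: "Enabled or disable whether the queries to this stub use SSL for transport." should be "Enable or disable ...". More importantly, the description does not say which port is used (the stub\-addr syntax supports @port, as the forward-zone example shows) or whether the upstream server's certificate is validated; both determine whether this option gives confidentiality only or also authenticity, and operators need that stated here before relying on it.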
.SS "Forward Zone Options"
.LP
There may be multiple
@@ -1310,6 +1337,36 @@ If enabled, a query is attempted without the forward clause if it fails.
The data could not be retrieved and would have caused SERVFAIL because
the servers are unreachable, instead it is tried without this clause.
The default is no.
+.TP
+.B forward\-ssl\-upstream: \fI<yes or no>
+Enabled or disable whether the queries to this forwarder use SSL for transport.
+Default is no.
+.SS "View Options"
+.LP
+There may be multiple
+.B view:
+clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
+\fBlocal\-data\fR elements. View can be mapped to requests by specifying the view
+name in an \fBaccess\-control\-view\fR element. Options from matching views will
+override global options. Global options will be used if no matching view
+is found.
+.TP
+.B name: \fI<view name>
+Name of the view. Must be unique. This name is used in access\-control\-view
+elements.
+.TP
+.B local\-zone: \fI<zone> <type>
+View specific local\-zone elements. Has the same types and behaviour as the
+global local\-zone elements.
+.TP
+.B local\-data: \fI"<resource record string>"
+View specific local\-data elements. Has the same behaviour as the global
+local\-data elements.
+.TP
+.B view\-first: \fI<yes or no>
+If enabled, it attempts to use the global local\-zone and local\-data if there
+is no match in the view specific options.
+The default is no.
.SS "Python Module Options"
.LP
The
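Review bot: "Enabled or disable whether the queries to this forwarder use SSL for transport." has the same verb error as the stub option ("Enable or disable"), and the same omissions: say which port is used and whether the forwarder's certificate is verified. In the View Options intro, "View can be mapped to requests" should be "Views can be mapped to requests", and "Options from matching views will override global options" should be narrowed to "local\-zone and local\-data from a matching view override the global ones", since the preceding sentence limits a view to exactly those elements.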