update unbound, fix unbound openssl issue on OS X

2015-12-30 12:57:50 +02:00
parent 32a26332f8
commit 2d43ae8063
101 changed files with 4685 additions and 3057 deletions
--- a/external/unbound/doc/Changelog
+++ b/external/unbound/doc/Changelog
@@ -1,3 +1,175 @@
+15 December 2015: Ralph
+	- Fix #729: omit use of escape sequences in echo since they are not 
+	  portable (unbound-control-setup).
+
+11 December 2015: Wouter
+	- remove NULL-checks before free, patch from Michael McConville.
+	- updated ax_pthread.m4 to version 21 with clang support, this
+	  removes a warning from compilation.
+	- OSX portability, detect if sbrk is deprecated.
+	- OSX clang, stop -pthread unused during link stage warnings.
+	- OSX clang new flto check.
+
+10 December 2015: Wouter
+	- 1.5.7 release
+	- trunk has 1.5.8 in development.
+
+8 December 2015: Wouter
+	- Fixup 724 for unbound-control.
+
+7 December 2015: Ralph
+	- Do not minimise forwarded requests.
+
+4 December 2015: Wouter
+	- Removed unneeded whitespace from example.conf.
+
+3 December 2015: Ralph
+	- (after rc1 tag)
+	- Committed fix to qname minimisation and unit test case for it.
+	
+3 December 2015: Wouter
+	- iana portlist update.
+	- 1.5.7rc1 prerelease tag.
+
+2 December 2015: Wouter
+	- Fixup 724: Fix PCA prompt for unbound-service-install.exe.
+	  re-enable stdout printout.
+	- For 724: Add Changelog to windows binary dist.
+
+1 December 2015: Ralph
+	- Qname minimisation review fixes
+
+1 December 2015: Wouter
+	- Fixup 724 fix for fname_after_chroot() calls.
+	- Remove stdout printout for unbound-service-install.exe
+	- .gitignore for git users.
+
+30 November 2015: Ralph
+	- Implemented qname minimisation
+
+30 November 2015: Wouter
+	- Fix for #724: conf syntax to read files from run dir (on Windows).
+
+25 November 2015: Wouter
+	- Fix for #720, fix unbound-control-setup windows batch file.
+
+24 November 2015: Wouter
+	- Fix #720: add windows scripts to zip bundle.
+	- iana portlist update.
+
+20 November 2015: Wouter
+	- Added assert on rrset cache correctness.
+	- Fix that malformed EDNS query gets a response without malformed EDNS.
+
+18 November 2015: Wouter
+	- newer acx_nlnetlabs.m4.
+	- spelling fixes from Igor Sobrado Delgado.
+
+17 November 2015: Wouter
+	- Fix #594. libunbound: optionally use libnettle for crypto.
+	  Contributed by Luca Bruno.  Added --with-nettle for use with
+	  --with-libunbound-only.
+	- refactor nsec3 hash implementation to be more library-portable.
+	- iana portlist update.
+	- Fixup DER encoded DSA signatures for libnettle.
+
+16 November 2015: Wouter
+	- Fix for lenient accept of reverse order DNAME and CNAME.
+
+6 November 2015: Wouter
+	- Change example.conf: ftp.internic.net to https://www.internic.net
+
+5 November 2015: Wouter
+	- ACX_SSL_CHECKS no longer adds -ldl needlessly.
+
+3 November 2015: Wouter
+	- Fix #718: Fix unbound-control-setup with support for env
+	  without HEREDOC bash support.
+
+29 October 2015: Wouter
+	- patch from Doug Hogan for SSL_OP_NO_SSLvx options.
+	- Fix #716: nodata proof with empty non-terminals and wildcards.
+
+28 October 2015: Wouter
+	- Fix checklock testcode for linux threads on exit.
+
+27 October 2015: Wouter
+	- isblank() compat implementation.
+	- detect libexpat without xml_StopParser function.
+	- portability fixes.
+	- portability, replace snprintf if return value broken.
+
+23 October 2015: Wouter
+	- Fix #714: Document config to block private-address for IPv4
+	  mapped IPv6 addresses.
+
+22 October 2015: Wouter
+	- Fix #712: unbound-anchor appears to not fsync root.key.
+
+20 October 2015: Wouter
+	- 1.5.6 release.
+	- trunk tracks development of 1.5.7.
+
+15 October 2015: Wouter
+	- Fix segfault in the dns64 module in the formaterror error path.
+	- Fix sldns_wire2str_rdata_scan for malformed RRs.
+	- tag for 1.5.6rc1 release.
+
+14 October 2015: Wouter
+	- ANY responses include DNAME records if present, as per Evan Hunt's
+	  remark in dnsop.
+	- Fix manpage to suggest using SIGTERM to terminate the server.
+
+9 October 2015: Wouter
+	- Default for ssl-port is port 853, the temporary port assignment
+	  for secure domain name system traffic.
+	  If you used to rely on the older default of port 443, you have
+	  to put a clause in unbound.conf for that.  The new value is likely
+	  going to be the standardised port number for this traffic.
+	- iana portlist update.
+
+6 October 2015: Wouter
+	- 1.5.5 release.
+	- trunk tracks the development of 1.5.6.
+
+28 September 2015: Wouter
+	- MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
+	  failures.
+	- tag for 1.5.5rc1 release.
+	- makedist.sh: pgp sig echo commands.
+
+25 September 2015: Wouter
+	- Fix unbound-control flush that does not succeed in removing data.
+
+22 September 2015: Wouter
+	- Fix config globbed include chroot treatment, this fixes reload of
+	  globs (patch from Dag-Erling Smørgrav).
+	- iana portlist update.
+	- Fix #702: New IPs for for h.root-servers.net.
+	- Remove confusion comment from canonical_compare() function.
+	- Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
+	- testbound selftest also works in non-debug mode.
+	- Fix minor error in unbound.conf.5.in
+	- Fix unbound.conf(5) access-control description for precedence
+	  and default.
+
+31 August 2015: Wouter
+	- changed windows setup compression to be more transparent.
+
+28 August 2015: Wouter
+	- Fix #697: Get PY_MAJOR_VERSION failure at configure for python
+	  2.4 to 2.6.
+	- Feature #699: --enable-pie option to that builds PIE binary.
+	- Feature #700: --enable-relro-now option that enables full read-only
+	  relocation.
+
+24 August 2015: Wouter
+	- Fix deadlock for local data add and zone add when unbound-control
+	  list_local_data printout is interrupted.
+	- iana portlist update.
+	- Change default of harden-algo-downgrade to off.  This is lenient
+	  for algorithm rollover.
+
 13 August 2015: Wouter
 	- 5011 implementation does not insist on all algorithms, when
 	  harden-algo-downgrade is turned off.
@@ -693,7 +865,7 @@
 	  existence in 4592.  NSEC empty non-terminals exist and thus the
 	  RCODE should have been NOERROR. If this occurs, and the RRsets
 	  are secure, we set the RCODE to NOERROR and the security status
-	  of the reponse is also considered secure.
+	  of the response is also considered secure.

 14 February 2014: Wouter
 	- Works on Minix (3.2.1).
@@ -1465,7 +1637,7 @@
 	- Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
 	- Fix warnings with gcc 4.6 in compat/inet_ntop.c.
 	- Fix warning unused in compat/strptime.c.
-	- Fix malloc detection and double defintion.
+	- Fix malloc detection and double definition.

 2 December 2011: Wouter
 	- configure generated with autoconf 2.68.
@@ -4910,7 +5082,7 @@
 	- Advertise builtin select libevent alternative when no libevent
 	  is found.
 	- signit can generate NSEC3 hashes, for generating tests.
-	- multiple nsec3 paramaters in message test.
+	- multiple nsec3 parameters in message test.
 	- too high nsec3 iterations becomes insecure test.

 21 September 2007: Wouter
@@ -4981,7 +5153,7 @@
 	- testbound can replay a TCP query (set MATCH TCP in the QUERY).
 	- DS and noDS referral validation test.
 	- if you configure many trust anchors, parent trust anchors can
-	  securely deny existance of child trust anchors, if validated.
+	  securely deny existence of child trust anchors, if validated.
 	- not all *.name NSECs are present because a wildcard was matched,
 	  and *.name NSECs can prove nodata for empty nonterminals.
 	  Also, for wildcard name NSECs, check they are not from the parent
@@ -5288,7 +5460,7 @@

 17 July 2007: Wouter
 	- forward zone options in config file.
-	- forward per zone in iterator. takes precendence over stubs.
+	- forward per zone in iterator. takes precedence over stubs.
 	- fixup commithooks.
 	- removed forward-to and forward-to-port features, subsumed by
 	  new forward zones.
@@ -5389,7 +5561,7 @@
 	  ldns and libevent are linked statically. Default is off.
 	- make install and make uninstall. Works with static-exe and without.
 	  installation of unbound binary and manual pages.
-	- alignement problem fix on solaris 64.
+	- alignment problem fix on solaris 64.
 	- fixup address in case of TCP error.

 12 June 2007: Wouter
@@ -5472,7 +5644,7 @@
 	- removed FLAG_CD from message and rrset caches. This was useful for
 	  an agnostic forwarder, but not for a sophisticated (trust value per
 	  rrset enabled) cache.
-	- iterator reponse typing.
+	- iterator response typing.
 	- iterator cname handle.
 	- iterator prime start.
 	- subquery work.
@@ -5492,7 +5664,7 @@
 	- Acknowledge use of unbound-java code in iterator. Nicer readme.
 	- services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
 	  rrset cache from module environment.
-	- packed rrset key has type and class as easily accessable struct
+	- packed rrset key has type and class as easily accessible struct
 	  members. They are still kept in network format for fast msg encode.
 	- dns cache find_delegation routine.
 	- iterator main functions setup.
@@ -5576,7 +5748,7 @@
 	- EDNS read from query, used to make reply smaller.
 	- advertised edns value constants.
 	- EDNS BADVERS response, if asked for too high edns version.
-	- EDNS extended error reponses once the EDNS record from the query
+	- EDNS extended error responses once the EDNS record from the query
 	  has successfully been parsed.

 4 May 2007: Wouter
--- a/external/unbound/doc/example.conf.in
+++ b/external/unbound/doc/example.conf.in
@@ -8,7 +8,7 @@
 #Use this to include other text into the file.
 #include: "otherfile.conf"

-# The server clause sets the main parameters. 
+# The server clause sets the main parameters.
 server:
 	# whitespace is not necessary, but looks cleaner.

@@ -40,7 +40,7 @@ server:
 	# interface: 2001:DB8::5

 	# enable this feature to copy the source address of queries to reply.
-	# Socket options are not supported on all platforms. experimental. 
+	# Socket options are not supported on all platforms. experimental.
 	# interface-automatic: no

 	# port to answer queries from
@@ -84,10 +84,10 @@ server:
 	# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
 	# 0 is system default.  Use 4m to handle spikes on very busy servers.
 	# so-sndbuf: 0
-	
+
 	# use SO_REUSEPORT to distribute queries over threads.
 	# so-reuseport: no
-	
+
 	# use IP_TRANSPARENT so the interface: addresses can be non-local
 	# and you can config non-existing IPs that are going to work later on
 	# ip-transparent: no
@@ -105,7 +105,7 @@ server:
 	# msg-buffer-size: 65552

 	# the amount of memory to use for the message cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# msg-cache-size: 4m

 	# the number of slabs to use for the message cache.
@@ -118,12 +118,12 @@ server:

 	# if very busy, 50% queries run to completion, 50% get timeout in msec
 	# jostle-timeout: 200
-	
+
 	# msec to wait before close of port on timeout UDP. 0 disables.
 	# delay-close: 0

 	# the amount of memory to use for the RRset cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# rrset-cache-size: 4m

 	# the number of slabs to use for the RRset cache.
@@ -145,7 +145,7 @@ server:
 	# the time to live (TTL) value for cached roundtrip times, lameness and
 	# EDNS version information for hosts. In seconds.
 	# infra-host-ttl: 900
-	
+
 	# minimum wait time for responses, increase if uplink is long. In msec.
 	# infra-cache-min-rtt: 50

@@ -195,8 +195,8 @@ server:
 	#
 	# If chroot is enabled, you should pass the configfile (from the
 	# commandline) as a full path from the original root. After the
-	# chroot has been performed the now defunct portion of the config 
-	# file path is removed to be able to reread the config after a reload. 
+	# chroot has been performed the now defunct portion of the config
+	# file path is removed to be able to reread the config after a reload.
 	#
 	# All other file paths (working dir, logfile, roothints, and
 	# key files) can be specified in several ways:
@@ -205,7 +205,7 @@ server:
 	# 	o as an absolute path relative to the original root.
 	# In the last case the path is adjusted to remove the unused portion.
 	#
-	# The pid file can be absolute and outside of the chroot, it is 
+	# The pid file can be absolute and outside of the chroot, it is
 	# written just prior to performing the chroot and dropping permissions.
 	#
 	# Additionally, unbound may need to access /dev/random (for entropy).
@@ -219,22 +219,22 @@ server:
 	# If you give "" no privileges are dropped.
 	# username: "@UNBOUND_USERNAME@"

-	# the working directory. The relative files in this config are 
+	# the working directory. The relative files in this config are
 	# relative to this directory. If you give "" the working directory
 	# is not changed.
 	# directory: "@UNBOUND_RUN_DIR@"

-	# the log file, "" means log to stderr. 
+	# the log file, "" means log to stderr.
 	# Use of this option sets use-syslog to "no".
 	# logfile: ""

-	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to 
+	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
 	# log to, with identity "unbound". If yes, it overrides the logfile.
-	# use-syslog: yes 
+	# use-syslog: yes

 	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
 	# log-time-ascii: no
-	
+
 	# print one line with time, IP, name, type, class for every query.
 	# log-queries: no

@@ -242,7 +242,7 @@ server:
 	# pidfile: "@UNBOUND_PIDFILE@"

 	# file to read root hints from.
-	# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
+	# get one from https://www.internic.net/domain/named.cache
 	# root-hints: ""

 	# enable to not answer id.server and hostname.bind queries.
@@ -258,8 +258,8 @@ server:
 	# version: ""

 	# the target fetch policy.
-	# series of integers describing the policy per dependency depth. 
-	# The number of values in the list determines the maximum dependency 
+	# series of integers describing the policy per dependency depth.
+	# The number of values in the list determines the maximum dependency
 	# depth the recursor will pursue before giving up. Each integer means:
 	# 	-1 : fetch all targets opportunistically,
 	# 	0: fetch on demand,
@@ -267,17 +267,17 @@ server:
 	# Enclose the list of numbers between quotes ("").
 	# target-fetch-policy: "3 2 1 0 0"

-	# Harden against very small EDNS buffer sizes. 
+	# Harden against very small EDNS buffer sizes.
 	# harden-short-bufsize: no

 	# Harden against unseemly large queries.
 	# harden-large-queries: no

-	# Harden against out of zone rrsets, to avoid spoofing attempts. 
+	# Harden against out of zone rrsets, to avoid spoofing attempts.
 	# harden-glue: yes

 	# Harden against receiving dnssec-stripped data. If you turn it
-	# off, failing to validate dnskey data for a trustanchor will 
+	# off, failing to validate dnskey data for a trustanchor will
 	# trigger insecure mode for that zone (like without a trustanchor).
 	# Default on, which insists on dnssec data for trust-anchored zones.
 	# harden-dnssec-stripped: yes
@@ -287,27 +287,32 @@ server:

        # Harden the referral path by performing additional queries for
 	# infrastructure data.  Validates the replies (if possible).
-	# Default off, because the lookups burden the server.  Experimental 
+	# Default off, because the lookups burden the server.  Experimental
 	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
 	# harden-referral-path: no

 	# Harden against algorithm downgrade when multiple algorithms are
 	# advertised in the DS record.  If no, allows the weakest algorithm
 	# to validate the zone.
-	# harden-algo-downgrade: yes
+	# harden-algo-downgrade: no
+
+	# Sent minimum amount of information to upstream servers to enhance
+	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
+	# to NS when possible.
+	# qname-minimisation: no

 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.
 	# use-caps-for-id: no
-	
+
 	# Domains (and domains in them) without support for dns-0x20 and
 	# the fallback fails because they keep sending different answers.
 	# caps-whitelist: "licdn.com"

-	# Enforce privacy of these addresses. Strips them away from answers. 
-	# It may cause DNSSEC validation to additionally mark it as bogus. 
-	# Protects against 'DNS Rebinding' (uses browser as network proxy). 
-	# Only 'private-domain' and 'local-data' names are allowed to have 
+	# Enforce privacy of these addresses. Strips them away from answers.
+	# It may cause DNSSEC validation to additionally mark it as bogus.
+	# Protects against 'DNS Rebinding' (uses browser as network proxy).
+	# Only 'private-domain' and 'local-data' names are allowed to have
 	# these private addresses. No default.
 	# private-address: 10.0.0.0/8
 	# private-address: 172.16.0.0/12
@@ -315,6 +320,7 @@ server:
 	# private-address: 169.254.0.0/16
 	# private-address: fd00::/8
 	# private-address: fe80::/10
+	# private-address: ::ffff:0:0/96

 	# Allow the domain (and its subdomains) to contain private addresses.
 	# local-data statements are allowed to contain private addresses too.
@@ -373,7 +379,7 @@ server:
 	# Zone file format, with DS and DNSKEY entries.
 	# Note this gets out of date, use auto-trust-anchor-file please.
 	# trust-anchor-file: ""
-	
+
 	# Trusted key for validation. DS or DNSKEY. specify the RR on a
 	# single line, surrounded by "". TTL is ignored. class is IN default.
 	# Note this gets out of date, use auto-trust-anchor-file please.
@@ -383,7 +389,7 @@ server:

 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry. Like trust-anchor-file
-	# but has a different file format. Format is BIND-9 style format, 
+	# but has a different file format. Format is BIND-9 style format,
 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
 	# you need external update procedures to track changes in keys.
 	# trusted-keys-file: ""
@@ -408,7 +414,7 @@ server:

 	# Should additional section of secure message also be kept clean of
 	# unsecure data. Useful to shield the users of this validator from
-	# potential bogus data in the additional section. All unsigned data 
+	# potential bogus data in the additional section. All unsigned data
 	# in the additional section is removed from secure messages.
 	# val-clean-additional: yes

@@ -433,7 +439,7 @@ server:
 	# A message with an NSEC3 with larger count is marked insecure.
 	# List in ascending order the keysize and count values.
 	# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
-	
+
 	# instruct the auto-trust-anchor-file probing to add anchors after ttl.
 	# add-holddown: 2592000 # 30 days

@@ -448,7 +454,7 @@ server:
 	# permit-small-holddown: no

 	# the amount of memory to use for the key cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# key-cache-size: 4m

 	# the number of slabs to use for the key cache.
@@ -457,7 +463,7 @@ server:
 	# key-cache-slabs: 4

 	# the amount of memory to use for the negative cache (used for DLV).
-	# plain value in bytes or you can append k, m or G. default is "1Mb". 
+	# plain value in bytes or you can append k, m or G. default is "1Mb".
 	# neg-cache-size: 1m

 	# By default, for a number of zones a small default 'nothing here'
@@ -501,7 +507,7 @@ server:
 	# local-zone: "b.e.f.ip6.arpa." nodefault
 	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 	# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
-	
+
 	# if unbound is running service for the local host then it is useful
 	# to perform lan-wide lookups to the upstream, and unblock the
 	# long list of local-zones above.  If this unbound is a dns server
@@ -512,7 +518,7 @@ server:
 	# a number of locally served zones can be configured.
 	# 	local-zone: <zone> <type>
 	# 	local-data: "<resource record string>"
-	# o deny serves local data (if any), else, drops queries. 
+	# o deny serves local data (if any), else, drops queries.
 	# o refuse serves local data (if any), else, replies with error.
 	# o static serves local data, else, nxdomain or nodata answer.
 	# o transparent gives local data, but resolves normally for other names
@@ -525,7 +531,7 @@ server:
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
 	# and nxdomain for AS112 zones. If you configure one of these zones
 	# the default content is omitted, or you can omit it with 'nodefault'.
-	# 
+	#
 	# If you configure local-data without specifying local-zone, by
 	# default a transparent local-zone is created for the data.
 	#
@@ -552,7 +558,7 @@ server:
 	# default is "" (disabled).  requires restart to take effect.
 	# ssl-service-key: "path/to/privatekeyfile.key"
 	# ssl-service-pem: "path/to/publiccertfile.pem"
-	# ssl-port: 443
+	# ssl-port: 853

 	# request upstream over SSL (with plain DNS inside the SSL stream).
 	# Default is no.  Can be turned on and off with unbound-control.
@@ -571,7 +577,7 @@ server:
 	# ratelimit-size: 4m
 	# ratelimit cache slabs, reduces lock contention if equal to cpucount.
 	# ratelimit-slabs: 4
-	
+
 	# 0 blocks when ratelimited, otherwise let 1/xth traffic through
 	# ratelimit-factor: 10

@@ -590,7 +596,7 @@ python:
 	# Script file to load
 	# python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"

-# Remote control config section. 
+# Remote control config section.
 remote-control:
 	# Enable remote control with unbound-control(8) here.
 	# set up the keys and certificates with unbound-control-setup.
@@ -621,9 +627,9 @@ remote-control:
 	# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"

 # Stub zones.
-# Create entries like below, to make all queries for 'example.com' and 
-# 'example.org' go to the given list of nameservers. list zero or more 
-# nameservers by hostname or by ipaddress. If you set stub-prime to yes, 
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of nameservers. list zero or more
+# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
 # the list is treated as priming hints (default is no).
 # With stub-first yes, it attempts without the stub if it fails.
 # Consider adding domain-insecure: name and local-zone: name nodefault
--- a/external/unbound/doc/unbound-control.8.in
+++ b/external/unbound/doc/unbound-control.8.in
@@ -169,7 +169,7 @@ therefore not flushed.  The option must end with a ':' and whitespace
 must be between the option and the value.  Some values may not have an
 effect if set this way, the new values are not written to the config file,
 not all options are supported.  This is different from the set_option call
-in libunbound, where all values work because unbound has not been inited.
+in libunbound, where all values work because unbound has not been initialized.
 .IP
 The values that work are: statistics\-interval, statistics\-cumulative,
 do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
--- a/external/unbound/doc/unbound.conf.5.in
+++ b/external/unbound/doc/unbound.conf.5.in
@@ -296,7 +296,7 @@ trust (very large) TTL values.
 .TP
 .B cache\-min\-ttl: \fI<seconds>
 Time to live minimum for RRsets and messages in the cache. Default is 0.
-If the the minimum kicks in, the data is cached for longer than the domain
+If the minimum kicks in, the data is cached for longer than the domain
 owner intended, and thus less queries are made to look up the data.
 Zero makes sure the data in the cache is as the domain owner intended,
 higher values, especially more than an hour or so, can lead to trouble as 
@@ -362,7 +362,7 @@ The public key certificate pem file for the ssl service.  Default is "",
 turned off.
 .TP
 .B ssl\-port: \fI<number>
-The port number on which to provide TCP SSL service, default 443, only
+The port number on which to provide TCP SSL service, default 853, only
 interfaces configured with that port number as @number get the SSL service.
 .TP
 .B do\-daemonize: \fI<yes or no>
@@ -373,6 +373,7 @@ a daemon. Default is yes.
 The netblock is given as an IP4 or IP6 address with /size appended for a 
 classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, 
 \fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
+The most specific netblock match is used, if none match \fIdeny\fR is used.
 .IP
 The action \fIdeny\fR stops queries from hosts from that netblock.
 .IP
@@ -443,6 +444,8 @@ requires privileges, then a reload will fail; a restart is needed.
 .TP
 .B directory: \fI<directory>
 Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@".
+On Windows the string "%EXECUTABLE%" tries to change to the directory
+that unbound.exe resides in.
 .TP
 .B logfile: \fI<filename>
 If "" is given, logging goes to stderr, or nowhere once daemonized.
@@ -480,7 +483,7 @@ kill \-HUP `cat @UNBOUND_PIDFILE@`
 .fi
 triggers a reload,
 .nf
-kill \-QUIT `cat @UNBOUND_PIDFILE@` 
+kill \-TERM `cat @UNBOUND_PIDFILE@` 
 .fi
 gracefully terminates.
 .TP
@@ -567,7 +570,7 @@ to increase the max depth that is checked to.
 .B harden\-algo\-downgrade: \fI<yes or no>
 Harden against algorithm downgrade when multiple algorithms are
 advertised in the DS record.  If no, allows the weakest algorithm to
-validate the zone.  Default is yes.  Zone signers must produce zones
+validate the zone.  Default is no.  Zone signers must produce zones
 that allow this feature to work, but sometimes they do not, and turning
 this option off avoids that validation failure.
 .TP
@@ -584,23 +587,30 @@ queries.  For domains that do not support 0x20 and also fail with fallback
 because they keep sending different answers, like some load balancers.
 Can be given multiple times, for different domains.
 .TP
+.B qname\-minimisation: \fI<yes or no>
+Send minimum amount of information to upstream servers to enhance privacy.
+Only sent minimum required labels of the QNAME and set QTYPE to NS when 
+possible. Best effort approach, full QNAME and original QTYPE will be sent when
+upstream replies with a RCODE other than NOERROR. Default is off.
+.TP
 .B private\-address: \fI<IP address or subnet>
 Give IPv4 of IPv6 addresses or classless subnets. These are addresses
-on your private network, and are not allowed to be returned for public
-internet names.  Any occurence of such addresses are removed from
-DNS answers. Additionally, the DNSSEC validator may mark the answers
-bogus. This protects against so\-called DNS Rebinding, where a user browser
-is turned into a network proxy, allowing remote access through the browser
-to other parts of your private network.  Some names can be allowed to
-contain your private addresses, by default all the \fBlocal\-data\fR
-that you configured is allowed to, and you can specify additional
-names using \fBprivate\-domain\fR.  No private addresses are enabled
-by default.  We consider to enable this for the RFC1918 private IP
-address space by default in later releases. That would enable private 
-addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 
-fd00::/8 and fe80::/10, since the RFC standards say these addresses 
-should not be visible on the public internet.  Turning on 127.0.0.0/8 
-would hinder many spamblocklists as they use that.
+on your private network, and are not allowed to be returned for
+public internet names.  Any occurrence of such addresses are removed
+from DNS answers. Additionally, the DNSSEC validator may mark the
+answers bogus. This protects against so\-called DNS Rebinding, where
+a user browser is turned into a network proxy, allowing remote access
+through the browser to other parts of your private network.  Some names
+can be allowed to contain your private addresses, by default all the
+\fBlocal\-data\fR that you configured is allowed to, and you can specify
+additional names using \fBprivate\-domain\fR.  No private addresses are
+enabled by default.  We consider to enable this for the RFC1918 private
+IP address space by default in later releases. That would enable private
+addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
+fd00::/8 and fe80::/10, since the RFC standards say these addresses
+should not be visible on the public internet.  Turning on 127.0.0.0/8
+would hinder many spamblocklists as they use that.  Adding ::ffff:0:0/96
+stops IPv4-mapped IPv6 addresses from bypassing the filter.
 .TP
 .B private\-domain: \fI<domain name>
 Allow this domain, and all its subdomains to contain private addresses.
@@ -745,7 +755,7 @@ Instruct the validator to remove data from the additional section of secure
 messages that are not signed properly. Messages that are insecure, bogus,
 indeterminate or unchecked are not affected. Default is yes. Use this setting
 to protect the users that rely on this validator for authentication from 
-protentially bad data in the additional section.
+potentially bad data in the additional section.
 .TP
 .B val\-log\-level: \fI<number>
 Have the validator print validation failures to the log.  Regardless of
@@ -1032,7 +1042,7 @@ If set to 0, all queries are dropped for domains where the limit is
 exceeded.  If set to another value, 1 in that number is allowed through
 to complete.  Default is 10, allowing 1/10 traffic to flow normally.
 This can make ordinary queries complete (if repeatedly queried for),
-and enter the cache, whilst also mitigiting the traffic flow by the
+and enter the cache, whilst also mitigating the traffic flow by the
 factor given.
 .TP 5
 .B ratelimit\-for\-domain: \fI<domain> <number qps>