| field | value | date |
|---|---|---|
| author | Cy Schubert <cy@FreeBSD.org> | 2020-10-27 15:09:16 +0000 |
| committer | Cy Schubert <cy@FreeBSD.org> | 2020-10-27 15:09:16 +0000 |
| commit | 4cb89f2eee3bb358f0491932ab0498b5319f4229 | |
| tree | fc2691469564e7d7e552247f2b2c6e04dd7efb8a /doc | |
| parent | 7973006f41cdaf144441d1a39f9f075053435e2f | |
| download | src-test2-4cb89f2eee3bb358f0491932ab0498b5319f4229.tar.gz, src-test2-4cb89f2eee3bb358f0491932ab0498b5319f4229.zip | |
Diffstat (limited to 'doc')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/Changelog | 130 |
| -rw-r--r-- | doc/README | 2 |
| -rw-r--r-- | doc/example.conf.in | 85 |
| -rw-r--r-- | doc/libunbound.3.in | 4 |
| -rw-r--r-- | doc/unbound-anchor.8.in | 2 |
| -rw-r--r-- | doc/unbound-checkconf.8.in | 2 |
| -rw-r--r-- | doc/unbound-control.8.in | 15 |
| -rw-r--r-- | doc/unbound-host.1.in | 2 |
| -rw-r--r-- | doc/unbound.8.in | 4 |
| -rw-r--r-- | doc/unbound.conf.5.in | 178 |

10 files changed, 310 insertions, 114 deletions
diff --git a/doc/Changelog b/doc/Changelog index 3339e77b30c6..87f796398993 100644 --- a/doc/Changelog +++ b/doc/Changelog 
@@ -1,3 +1,133 @@ +1 October 2020: Wouter + - Current repo is version 1.12.0 for release. Tag for 1.12.0rc1. + +30 September 2020: Wouter + - Fix doh tests when not compiled in. + - Add dohclient test executable to gitignore. + - Fix stream_ssl, ssl_req_order and ssl_req_timeout tests for + alloc check debug output. + - Easier kill of unbound-dnstap-socket tool in test. + - Fix memory leak of edns tags at libunbound context delete. + - Fix double loopexit for unbound-dnstap-socket after sigterm. + +29 September 2020: Ralph + - DNS Flag Day 2020: change edns-buffer-size default to 1232. + +28 September 2020: Wouter + - Fix unit test for dnstap changes, so that it waits for the timer. + +23 September 2020: Wouter + - Fix #305: dnstap logging significantly affects unbound performance + (regression in 1.11). + - Fix #305: only wake up thread when threshold reached. + - Fix to ifdef fptr wlist item for dnstap. + +23 September 2020: Ralph + - Fix edns-client-tags get_option typo + - Add edns-client-tag-opcode option + - Use inclusive language in configuration + +21 September 2020: Ralph + - Fix #304: dnstap logging not recovering after dnstap process restarts + +21 September 2020: Wouter + - Merge PR #311 by luismerino: Dynlibmod leak. + - Error message is logged for dynlibmod malloc failures. + - iana portlist updated. + +18 September 2020: Wouter + - Fix that prefer-ip4 and prefer-ip6 can be get and set with + unbound-control, with libunbound and the unbound-checkconf option + output function. + - iana portlist updated. + +15 September 2020: George + - Introduce test for statistics. + +15 September 2020: Wouter + - Spelling fix. + +11 September 2020: Wouter + - Remove x file mode on ipset/ipset.c and h files. + +9 September 2020: Wouter + - Fix num.expired statistics output. + +31 August 2020: Wouter + - Merge PR #293: Add missing prototype. Also refactor to use the new + shorthand function to clean up the code. + - Refactor to use sock_strerr shorthand function. 
+ - Fix #296: systemd nss-lookup.target is reached before unbound can + successfully answer queries. Changed contrib/unbound.service.in. + +27 August 2020: Wouter + - Similar to NSD PR#113, implement that interface names can be used, + eg. something like interface: eth0 is resolved at server start and + uses the IP addresses for that named interface. + - Review fix, doxygen and assign null in case of error free. + +26 August 2020: George + - Update documentation in python example code. + +24 August 2020: Wouter + - Fix that dnstap reconnects do not spam the log with the repeated + attempts. Attempts on the timer are only logged on high verbosity, + if they produce a connection failure error. + - Fix to apply chroot to dnstap-socket-path, if chroot is enabled. + - Change configure to use EVP_sha256 instead of HMAC_Update for + openssl-3.0.0. + +20 August 2020: Ralph + - Fix stats double count issue (#289). + +13 August 2020: Ralph + - Create and init edns tags data for libunbound. + +10 August 2020: Ralph + - Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available, + by Vítězslav Čížek. + +10 August 2020: Wouter + - Fix #287: doc typo: "Additionaly". + - Rerun autoconf + +6 August 2020: Wouter + - Merge PR #284 and Fix #246: Remove DLV entirely from Unbound. + The DLV has been decommisioned and in unbound 1.5.4, in 2015, there + was advise to stop using it. The current code base does not contain + DLV code any more. The use of dlv options displays a warning. + +5 August 2020: Wouter + - contrib/aaaa-filter-iterator.patch file renewed diff content to + apply cleanly to the current coderepo for the current code version. + +5 August 2020: Ralph + - Merge PR #272: Add EDNS client tag functionality. + +4 August 2020: George + - Improve error log message when inserting rpz RR. + - Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as + definedness, by Felipe Gasper. + +4 August 2020: Wouter + - Fix mini_event.h on OpenBSD cannot find fd_set. 
+ +31 July 2020: Wouter + - Fix doxygen comment for no ssl for tls session ticket key callback + routine. + +27 July 2020: George + - Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on + March 2020, by and0x000. + +27 July 2020: Ralph + - Merge PR #269, Fix python module len() implementations, by Torbjörn + Lönnemark + +27 July 2020: Wouter + - branch now named 1.11.1. 1.11.0rc1 became the 1.11.0 release. + - Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf + 20 July 2020: Wouter - Fix streamtcp to print packet data to stdout. This makes the stdout and stderr not mix together lines, when parsing its output. diff --git a/doc/README b/doc/README index 6bd9a4c5fdae..c6ff31a6fac3 100644 --- a/doc/README +++ b/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.11.0 +README for Unbound 1.12.0 Copyright 2007 NLnet Labs http://unbound.net diff --git a/doc/example.conf.in b/doc/example.conf.in index 4f6411033e69..2fe9a2c7e7a7 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.11.0. +# See unbound.conf(5) man page, version 1.12.0. # # this is a comment. @@ -129,8 +129,8 @@ server: # ip-dscp: 0 # EDNS reassembly buffer to advertise to UDP peers (the actual buffer - # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts) - # edns-buffer-size: 4096 + # is set with msg-buffer-size). + # edns-buffer-size: 1232 # Maximum UDP response size (not applied to TCP response). # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. 
@@ -431,8 +431,8 @@ server: # Domains (and domains in them) without support for dns-0x20 and # the fallback fails because they keep sending different answers. - # caps-whitelist: "licdn.com" - # caps-whitelist: "senderbase.org" + # caps-exempt: "licdn.com" + # caps-exempt: "senderbase.org" # Enforce privacy of these addresses. Strips them away from answers. # It may cause DNSSEC validation to additionally mark it as bogus. @@ -509,11 +509,6 @@ server: # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) # root-key-sentinel: yes - # File with DLV trusted keys. Same format as trust-anchor-file. - # There can be only one DLV configured, it is trusted from root down. - # DLV is going to be decommissioned. Please do not use it any more. - # dlv-anchor-file: "dlv.isc.org.key" - # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. # Zone file format, with DS and DNSKEY entries. @@ -589,7 +584,7 @@ server: # # Time in milliseconds before replying to the client with expired data. # This essentially enables the serve-stale behavior as specified in - # draft-ietf-dnsop-serve-stale-10 that first tries to resolve before + # RFC 8767 that first tries to resolve before # immediately responding with expired data. 0 disables this behavior. # A recommended value is 1800. # serve-expired-client-timeout: 0 @@ -627,7 +622,7 @@ server: # more slabs reduce lock contention, but fragment memory usage. # key-cache-slabs: 4 - # the amount of memory to use for the negative cache (used for DLV). + # the amount of memory to use for the negative cache. # plain value in bytes or you can append k, m or G. default is "1Mb". # neg-cache-size: 1m 
@@ -738,12 +733,14 @@ server: # add a netblock specific override to a localzone, with zone type # local-zone-override: "example.com" 192.0.2.0/24 refuse - # service clients over TLS (on the TCP sockets), with plain DNS inside - # the TLS stream. Give the certificate to use and private key. + # service clients over TLS (on the TCP sockets) with plain DNS inside + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. # tls-service-key: "path/to/privatekeyfile.key" # tls-service-pem: "path/to/publiccertfile.pem" # tls-port: 853 + # https-port: 443 # cipher setting for TLSv1.2 # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" @@ -775,6 +772,22 @@ server: # Also serve tls on these port numbers (eg. 443, ...), by listing # tls-additional-port: portno for each of the port numbers. + # HTTP endpoint to provide DNS-over-HTTPS service on. + # http-endpoint: "/dns-query" + + # HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use. + # http-max-streams: 100 + + # Maximum number of bytes used for all HTTP/2 query buffers. + # http-query-buffer-size: 4m + + # Maximum number of bytes used for all HTTP/2 response buffers. + # http-response-buffer-size: 4m + + # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS + # service. + # http-nodelay: yes + # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 
@@ -848,9 +861,9 @@ server: # ipsecmod-ignore-bogus: no # # Domains for which ipsecmod will be triggered. If not defined (default) - # all domains are treated as being whitelisted. - # ipsecmod-whitelist: "example.com" - # ipsecmod-whitelist: "nlnetlabs.nl" + # all domains are treated as being allowed. + # ipsecmod-allow: "example.com" + # ipsecmod-allow: "nlnetlabs.nl" # Python config section. To enable: 
@@ -948,27 +961,27 @@ remote-control: # upstream (which saves a lookup to the upstream). The first example # has a copy of the root for local usage. The second serves example.org # authoritatively. zonefile: reads from file (and writes to it if you also -# download it), master: fetches with AXFR and IXFR, or url to zonefile. -# With allow-notify: you can give additional (apart from masters) sources of +# download it), primary: fetches with AXFR and IXFR, or url to zonefile. +# With allow-notify: you can give additional (apart from primaries) sources of # notifies. # auth-zone: # name: "." -# master: 199.9.14.201 # b.root-servers.net -# master: 192.33.4.12 # c.root-servers.net -# master: 199.7.91.13 # d.root-servers.net -# master: 192.5.5.241 # f.root-servers.net -# master: 192.112.36.4 # g.root-servers.net -# master: 193.0.14.129 # k.root-servers.net -# master: 192.0.47.132 # xfr.cjr.dns.icann.org -# master: 192.0.32.132 # xfr.lax.dns.icann.org -# master: 2001:500:200::b # b.root-servers.net -# master: 2001:500:2::c # c.root-servers.net -# master: 2001:500:2d::d # d.root-servers.net -# master: 2001:500:2f::f # f.root-servers.net -# master: 2001:500:12::d0d # g.root-servers.net -# master: 2001:7fd::1 # k.root-servers.net -# master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org -# master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org +# primary: 199.9.14.201 # b.root-servers.net +# primary: 192.33.4.12 # c.root-servers.net +# primary: 199.7.91.13 # d.root-servers.net +# primary: 192.5.5.241 # f.root-servers.net +# primary: 192.112.36.4 # g.root-servers.net +# primary: 193.0.14.129 # k.root-servers.net +# primary: 192.0.47.132 # xfr.cjr.dns.icann.org +# primary: 192.0.32.132 # xfr.lax.dns.icann.org +# primary: 2001:500:200::b # b.root-servers.net +# primary: 2001:500:2::c # c.root-servers.net +# primary: 2001:500:2d::d # d.root-servers.net +# primary: 2001:500:2f::f # f.root-servers.net +# primary: 2001:500:12::d0d # g.root-servers.net +# primary: 2001:7fd::1 # 
k.root-servers.net +# primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org +# primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org # fallback-enabled: yes # for-downstream: no # for-upstream: yes @@ -1088,7 +1101,7 @@ remote-control: # rpz: # name: "rpz.example.com" # zonefile: "rpz.example.com" -# master: 192.0.2.0 +# primary: 192.0.2.0 # allow-notify: 192.0.2.0/32 # url: http://www.example.com/rpz.example.org.zone # rpz-action-override: cname diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in index 10bda1614b26..34778ee5c09e 100644 --- a/doc/libunbound.3.in +++ b/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0" +.TH "libunbound" "3" "Oct 8, 2020" "NLnet Labs" "unbound 1.12.0" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -44,7 +44,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.11.0 functions. +\- Unbound DNS validating resolver 1.12.0 functions. .SH "SYNOPSIS" .B #include <unbound.h> .LP diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in index 1c7799ca11d8..21f12ebeff1c 100644 --- a/doc/unbound-anchor.8.in +++ b/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0" +.TH "unbound-anchor" "8" "Oct 8, 2020" "NLnet Labs" "unbound 1.12.0" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in index c7a0f9449572..a7389376599a 100644 --- a/doc/unbound-checkconf.8.in +++ b/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0" +.TH "unbound-checkconf" "8" "Oct 8, 2020" "NLnet Labs" "unbound 1.12.0" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index 154450303366..f82b62d3d9b6 100644 --- a/doc/unbound-control.8.in 
+++ b/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0" +.TH "unbound-control" "8" "Oct 8, 2020" "NLnet Labs" "unbound 1.12.0" .\" .\" unbound-control.8 -- unbound remote control manual .\" @@ -506,6 +506,14 @@ negative cache. Memory in bytes in used by the TCP and TLS stream wait buffers. These are answers waiting to be written back to the clients. .TP +.I mem.http.query_buffer +Memory in bytes used by the HTTP/2 query buffers. Containing (partial) DNS +queries waiting for request stream completion. +.TP +.I mem.http.response_buffer +Memory in bytes used by the HTTP/2 response buffers. Containing DNS responses +waiting to be written back to the clients. +.TP .I histogram.<sec>.<usec>.to.<sec>.<usec> Shows a histogram, summed over all threads. Every element counts the recursive queries whose reply time fit between the lower and upper bound. @@ -545,6 +553,11 @@ These are also counted in num.query.tcp, because TLS uses TCP. Number of TLS session resumptions, these are queries over TLS towards the unbound server where the client negotiated a TLS session resumption key. .TP +.I num.query.https +Number of queries that were made using HTTPS towards the unbound server. +These are also counted in num.query.tcp and num.query.tls, because HTTPS +uses TLS and TCP. +.TP .I num.query.ipv6 Number of queries that were made using IPv6 towards the unbound server. .TP diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in index cae708d66b12..d3b502d92657 100644 --- a/doc/unbound-host.1.in +++ b/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0" +.TH "unbound\-host" "1" "Oct 8, 2020" "NLnet Labs" "unbound 1.12.0" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/doc/unbound.8.in b/doc/unbound.8.in index fcdb3d833406..44a9879e5872 100644 --- a/doc/unbound.8.in +++ b/doc/unbound.8.in 
@@ -1,4 +1,4 @@ -.TH "unbound" "8" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0" +.TH "unbound" "8" "Oct 8, 2020" "NLnet Labs" "unbound 1.12.0" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.11.0. +\- Unbound DNS validating resolver 1.12.0. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 04dca3561ea2..bcbc9f205333 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Jul 27, 2020" "NLnet Labs" "unbound 1.11.0" +.TH "unbound.conf" "5" "Oct 8, 2020" "NLnet Labs" "unbound 1.12.0" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -122,7 +122,8 @@ The port number, default 53, on which the server responds to queries. Interface to use to connect to the network. This interface is listened to for queries from clients, and answers to clients are given from it. Can be given multiple times to work on several interfaces. If none are -given the default is to listen to localhost. +given the default is to listen to localhost. If an interface name is used +instead of an ip address, the list of ip addresses on that interface are used. The interfaces are not changed on a reload (kill \-HUP) but only on restart. A port number can be specified with @port (without spaces between interface and port number), if not specified the default port (from 
@@ -206,12 +207,11 @@ accepted. For larger installations increasing this value is a good idea. Number of bytes size to advertise as the EDNS reassembly buffer size. This is the value put into datagrams over UDP towards peers. The actual buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do -not set higher than that value. Default is 4096 which is RFC recommended. -If you have fragmentation reassembly problems, usually seen as timeouts, -then a value of 1472 can fix it. Setting to 512 bypasses even the most -stringent path MTU problems, but is seen as extreme, since the amount -of TCP fallback generated is excessive (probably also for this resolver, -consider tuning the outgoing tcp number). +not set higher than that value. Default is 1232 which is the DNS Flag Day 2020 +recommendation. Setting to 512 bypasses even the most stringent path MTU +problems, but is seen as extreme, since the amount of TCP fallback generated is +excessive (probably also for this resolver, consider tuning the outgoing tcp +number). .TP .B max\-udp\-size: \fI<number> Maximum UDP response size (not applied to TCP response). 65536 disables the 
@@ -484,15 +484,16 @@ Alternate syntax for \fBtls\-upstream\fR. If both are present in the config file the last is used. .TP .B tls\-service\-key: \fI<file> -If enabled, the server provides TLS service on the TCP ports marked -implicitly or explicitly for TLS service with tls\-port. The file must -contain the private key for the TLS session, the public certificate is in -the tls\-service\-pem file and it must also be specified if tls\-service\-key -is specified. The default is "", turned off. Enabling or disabling -this service requires a restart (a reload is not enough), because the -key is read while root permissions are held and before chroot (if any). -The ports enabled implicitly or explicitly via \fBtls\-port:\fR do not provide -normal DNS TCP service. +If enabled, the server provides DNS-over-TLS or DNS-over-HTTPS service on the +TCP ports marked implicitly or explicitly for these services with tls\-port or +https\-port. The file must contain the private key for the TLS session, the +public certificate is in the tls\-service\-pem file and it must also be +specified if tls\-service\-key is specified. The default is "", turned off. +Enabling or disabling this service requires a restart (a reload is not enough), +because the key is read while root permissions are held and before chroot (if any). +The ports enabled implicitly or explicitly via \fBtls\-port:\fR and +\fBhttps\-port:\fR do not provide normal DNS TCP service. Unbound needs to be +compiled with libnghttp2 in order to provide DNS-over-HTTPS. .TP .B ssl\-service\-key: \fI<file> Alternate syntax for \fBtls\-service\-key\fR. 
@@ -557,6 +558,35 @@ Enable or disable sending the SNI extension on TLS connections. Default is yes. Changing the value requires a reload. .TP +.B https\-port: \fI<number> +The port number on which to provide DNS-over-HTTPS service, default 443, only +interfaces configured with that port number as @number get the HTTPS service. +.TP +.B http\-endpoint: \fI<endpoint string> +The HTTP endpoint to provide DNS-over-HTTPS service on. Default "/dns-query". +.TP +.B http\-max\-streams: \fI<number of streams> +Number used in the SETTINGS_MAX_CONCURRENT_STREAMS parameter in the HTTP/2 +SETTINGS frame for DNS-over-HTTPS connections. Default 100. +.TP +.B http\-query\-buffer\-size: \fI<size in bytes> +Maximum number of bytes used for all HTTP/2 query buffers combined. These +buffers contain (partial) DNS queries waiting for request stream completion. +An RST_STREAM frame will be send to streams exceeding this limit. Default is 4 +megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, +megabytes or gigabytes (1024*1024 bytes in a megabyte). +.TP +.B http\-response\-buffer\-size: \fI<size in bytes> +Maximum number of bytes used for all HTTP/2 response buffers combined. These +buffers contain DNS responses waiting to be written back to the clients. +An RST_STREAM frame will be send to streams exceeding this limit. Default is 4 +megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, +megabytes or gigabytes (1024*1024 bytes in a megabyte). +.TP +.B http\-nodelay: \fI<yes or no> +Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service. +Ignored if the option is not available. Default is yes. +.TP .B use\-systemd: \fI<yes or no> Enable or disable systemd socket activation. Default is no. 
@@ -853,12 +883,15 @@ authority servers and checks if the reply still has the correct casing. Disabled by default. This feature is an experimental implementation of draft dns\-0x20. .TP -.B caps\-whitelist: \fI<domain> -Whitelist the domain so that it does not receive caps\-for\-id perturbed +.B caps\-exempt: \fI<domain> +Exempt the domain so that it does not receive caps\-for\-id perturbed queries. For domains that do not support 0x20 and also fail with fallback because they keep sending different answers, like some load balancers. Can be given multiple times, for different domains. .TP +.B caps\-whitelist: \fI<yes or no> +Alternate syntax for \fBcaps\-exempt\fR. +.TP .B qname\-minimisation: \fI<yes or no> Send minimum amount of information to upstream servers to enhance privacy. Only send minimum required labels of the QNAME and set QTYPE to A when 
@@ -1010,26 +1043,11 @@ Send RFC8145 key tag query after trust anchor priming. Default is yes. .B root\-key\-sentinel: \fI<yes or no> Root key trust anchor sentinel. Default is yes. .TP -.B dlv\-anchor\-file: \fI<filename> -This option was used during early days DNSSEC deployment when no parent-side -DS record registrations were easily available. Nowadays, it is best to have -DS records registered with the parent zone (many top level zones are signed). -File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and -DNSKEY entries can be used in the file, in the same format as for -\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more -would be slow. The DLV configured is used as a root trusted DLV, this -means that it is a lookaside for the root. Default is "", or no dlv anchor -file. DLV is going to be decommissioned. Please do not use it any more. -.TP -.B dlv\-anchor: \fI<"Resource Record"> -Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline. -DLV is going to be decommissioned. Please do not use it any more. -.TP .B domain\-insecure: \fI<domain name> Sets domain name to be insecure, DNSSEC chain of trust is ignored towards the domain name. So a trust anchor above the domain name can not make the domain secure with a DS record, such a DS record is then ignored. -Also keys from DLV are ignored for the domain. Can be given multiple times +Can be given multiple times to specify multiple domains that are treated as if unsigned. If you set trust anchors for the domain they override this setting (and the domain is secured). 
@@ -1108,7 +1126,7 @@ later on. Default is "no". .B serve\-expired\-ttl: \fI<seconds> Limit serving of expired responses to configured seconds after expiration. 0 disables the limit. This option only applies when \fBserve\-expired\fR is -enabled. A suggested value per draft-ietf-dnsop-serve-stale-10 is between +enabled. A suggested value per RFC 8767 is between 86400 (1 day) and 259200 (3 days). The default is 0. .TP .B serve\-expired\-ttl\-reset: \fI<yes or no> @@ -1120,14 +1138,14 @@ expired records will be served as long as there are queries for it. Default is .B serve\-expired\-reply\-ttl: \fI<seconds> TTL value to use when replying with expired data. If \fBserve\-expired\-client\-timeout\fR is also used then it is RECOMMENDED to -use 30 as the value (draft-ietf-dnsop-serve-stale-10). The default is 30. +use 30 as the value (RFC 8767). The default is 30. .TP .B serve\-expired\-client\-timeout: \fI<msec> Time in milliseconds before replying to the client with expired data. This essentially enables the serve-stale behavior as specified in -draft-ietf-dnsop-serve-stale-10 that first tries to resolve before immediately +RFC 8767 that first tries to resolve before immediately responding with expired data. A recommended value per -draft-ietf-dnsop-serve-stale-10 is 1800. Setting this to 0 will disable this +RFC 8767 is 1800. Setting this to 0 will disable this behavior. Default is 0. .TP .B val\-nsec3\-keysize\-iterations: \fI<"list of values"> 
@@ -1516,6 +1534,16 @@ servers set. The default for fast\-server\-permil is 0. Set the number of servers that should be used for fast server selection. Only use the fastest specified number of servers with the fast\-server\-permil option, that turns this on or off. The default is to use the fastest 3 servers. +.TP 5 +.B edns\-client\-tag: \fI<IP netblock> <tag data> +Include an edns-client-tag option in queries with destination address matching +the configured IP netblock. This configuration option can be used multiple +times. The most specific match will be used. The tag data is configured in +decimal format, from 0 to 65535. +.TP 5 +.B edns\-client\-tag\-opcode: \fI<opcode> +EDNS0 option code for the edns-client-tag option, from 0 to 65535. Default is +16, as assigned by IANA. .SS "Remote Control Options" In the .B remote\-control: @@ -1718,16 +1746,16 @@ uses the SOA timer values and performs SOA UDP queries to detect zone changes. If the update fetch fails, the timers in the SOA record are used to time another fetch attempt. Until the SOA expiry timer is reached. Then the zone is expired. When a zone is expired, queries are SERVFAIL, and -any new serial number is accepted from the master (even if older), and if +any new serial number is accepted from the primary (even if older), and if fallback is enabled, the fallback activates to fetch from the upstream instead of the SERVFAIL. .TP .B name: \fI<zone name> Name of the authority zone. .TP -.B master: \fI<IP address or host name> +.B primary: \fI<IP address or host name> Where to download a copy of the zone from, with AXFR and IXFR. Multiple -masters can be specified. They are all tried if one fails. +primaries can be specified. They are all tried if one fails. With the "ip#name" notation a AXFR over TLS can be used. If you point it at another Unbound instance, it would not work because that does not support AXFR/IXFR for the zone, but if you used \fBurl:\fR to download 
@@ -1736,27 +1764,31 @@ If you specify the hostname, you cannot use the domain from the zonefile, because it may not have that when retrieving that data, instead use a plain IP address to avoid a circular dependency on retrieving that IP address. .TP +.B master: \fI<IP address or host name> +Alternate syntax for \fBprimary\fR. +.TP .B url: \fI<url to zonefile> Where to download a zonefile for the zone. With http or https. An example for the url is "http://www.example.com/example.org.zone". Multiple url statements can be given, they are tried in turn. If only urls are given the SOA refresh timer is used to wait for making new downloads. If also -masters are listed, the masters are first probed with UDP SOA queries to +primaries are listed, the primaries are first probed with UDP SOA queries to see if the SOA serial number has changed, reducing the number of downloads. -If none of the urls work, the masters are tried with IXFR and AXFR. +If none of the urls work, the primaries are tried with IXFR and AXFR. For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used to authenticate the connection. If you specify a hostname in the URL, you cannot use the domain from the zonefile, because it may not have that when retrieving that data, instead use a plain IP address to avoid a circular dependency on retrieving that IP -address. Avoid dependencies on name lookups by using a notation like "http://192.0.2.1/unbound-master/example.com.zone", with an explicit IP address. +address. Avoid dependencies on name lookups by using a notation like +"http://192.0.2.1/unbound-primaries/example.com.zone", with an explicit IP address. .TP .B allow\-notify: \fI<IP address or host name or netblockIP/prefix> With allow\-notify you can specify additional sources of notifies. When notified, the server attempts to first probe and then zone transfer. -If the notify is from a master, it first attempts that master. Otherwise -other masters are attempted. 
If there are no masters, but only urls, the -file is downloaded when notified. The masters from master: statements are +If the notify is from a primary, it first attempts that primary. Otherwise +other primaries are attempted. If there are no primaries, but only urls, the +file is downloaded when notified. The primaries from primary: statements are allowed notify by default. .TP .B fallback\-enabled: \fI<yes or no> @@ -1784,7 +1816,7 @@ downstream clients, and use the zone data as a local copy to speed up lookups. .B zonefile: \fI<filename> The filename where the zone is stored. If not given then no zonefile is used. If the file does not exist or is empty, unbound will attempt to fetch zone -data (eg. from the master servers). +data (eg. from the primary servers). .SS "View Options" .LP There may be multiple 
@@ -1951,14 +1983,16 @@ The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache validator iterator" directive and be compiled into the daemon to be enabled. These settings go in the \fBserver:\fR section. .LP -If the destination address is whitelisted with Unbound will add the EDNS0 -option to the query containing the relevant part of the client's address. When -an answer contains the ECS option the response and the option are placed in a -specialized cache. If the authority indicated no support, the response is +If the destination address is allowed in the configuration Unbound will add the +EDNS0 option to the query containing the relevant part of the client's address. +When an answer contains the ECS option the response and the option are placed in +a specialized cache. If the authority indicated no support, the response is stored in the regular cache. .LP Additionally, when a client includes the option in its queries, Unbound will -forward the option to the authority if present in the whitelist, or +forward the option when sending the query to addresses that are explicitly +allowed in the configuration using \fBsend\-client\-subnet\fR. The option will +always be forwarded, regardless the allowed addresses, if \fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in the regular cache is skipped. .LP 
@@ -1979,11 +2013,11 @@ given multiple times. Zones not listed will not receive edns-subnet information, unless hosted by authority specified in \fBsend\-client\-subnet\fR. .TP .B client\-subnet\-always\-forward: \fI<yes or no>\fR -Specify whether the ECS whitelist check (configured using +Specify whether the ECS address check (configured using \fBsend\-client\-subnet\fR) is applied for all queries, even if the triggering query contains an ECS record, or only for queries for which the ECS record is generated using the querier address (and therefore did not contain ECS data in -the client query). If enabled, the whitelist check is skipped when the client +the client query). If enabled, the address check is skipped when the client query contains an ECS record. Default is no. .TP .B max\-client\-subnet\-ipv6: \fI<number>\fR @@ -2073,10 +2107,13 @@ to yes, the hook will be called and the A/AAAA answer will be returned to the client. If set to no, the hook will not be called and the answer to the A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no. .TP -.B ipsecmod\-whitelist: \fI<domain>\fR -Whitelist the domain so that the module logic will be executed. Can -be given multiple times, for different domains. If the option is not -specified, all domains are treated as being whitelisted (default). +.B ipsecmod\-allow: \fI<domain>\fR +Allow the ipsecmod functionality for the domain so that the module logic will be +executed. Can be given multiple times, for different domains. If the option is +not specified, all domains are treated as being allowed (default). +.TP +.B ipsecmod\-whitelist: \fI<yes or no> +Alternate syntax for \fBipsecmod\-allow\fR. .SS "Cache DB Module Options" .LP The Cache DB module must be configured in the \fBmodule\-config:\fR 
@@ -2110,7 +2147,7 @@ even if some data have expired in terms of DNS TTL or the Redis server has cached too much data; if necessary the Redis server must be configured to limit the cache size, preferably with some kind of least-recently-used eviction policy. -Additionaly, the \fBredis\-expire\-records\fR option can be used in order to +Additionally, the \fBredis\-expire\-records\fR option can be used in order to set the relative DNS TTL of the message as timeout to the Redis records; keep in mind that some additional memory is used per key and that the expire information is stored as absolute Unix timestamps in Redis (computer time must 
@@ -2273,33 +2310,36 @@ are applied after .B name: \fI<zone name> Name of the authority zone. .TP -.B master: \fI<IP address or host name> +.B primary: \fI<IP address or host name> Where to download a copy of the zone from, with AXFR and IXFR. Multiple -masters can be specified. They are all tried if one fails. +primaries can be specified. They are all tried if one fails. +.TP +.B master: \fI<IP address or host name> +Alternate syntax for \fBprimary\fR. .TP .B url: \fI<url to zonefile> Where to download a zonefile for the zone. With http or https. An example for the url is "http://www.example.com/example.org.zone". Multiple url statements can be given, they are tried in turn. If only urls are given the SOA refresh timer is used to wait for making new downloads. If also -masters are listed, the masters are first probed with UDP SOA queries to +primaries are listed, the primaries are first probed with UDP SOA queries to see if the SOA serial number has changed, reducing the number of downloads. -If none of the urls work, the masters are tried with IXFR and AXFR. +If none of the urls work, the primaries are tried with IXFR and AXFR. For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used to authenticate the connection. .TP .B allow\-notify: \fI<IP address or host name or netblockIP/prefix> With allow\-notify you can specify additional sources of notifies. When notified, the server attempts to first probe and then zone transfer. -If the notify is from a master, it first attempts that master. Otherwise -other masters are attempted. If there are no masters, but only urls, the -file is downloaded when notified. The masters from master: statements are +If the notify is from a primary, it first attempts that primary. Otherwise +other primaries are attempted. If there are no primaries, but only urls, the +file is downloaded when notified. The primaries from primary: statements are allowed notify by default. 
.TP .B zonefile: \fI<filename> The filename where the zone is stored. If not given then no zonefile is used. If the file does not exist or is empty, unbound will attempt to fetch zone -data (eg. from the master servers). +data (eg. from the primary servers). .TP .B rpz\-action\-override: \fI<action> Always use this RPZ action for matching triggers from this zone. Possible action |
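Review bot: in the allow-notify text at the top of the first (partial) hunk, the rewritten line ends in "The primaries from primary: statements are" followed by the unchanged "allowed notify by default.", which reads as a grammar slip carried over from the old wording; since the line is being touched anyway, suggest "are allowed to notify by default" (or "are allowed to send notifies by default"). The same sentence recurs in the @@ -2273 hunk and should get the same fix.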
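Review bot: two wording points in the rewritten ECS paragraphs of the @@ -1951 hunk. The first new line needs a comma between the condition and the main clause: "If the destination address is allowed in the configuration, Unbound will add the EDNS0 option ...". And "regardless the allowed addresses" should read "regardless of the allowed addresses". The rewrite is otherwise an improvement over the old text, since it now names send-client-subnet as the option that defines the allowed set instead of referring to an unnamed whitelist.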
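Review bot: the argument type on the new ".B ipsecmod\-whitelist: \fI<yes or no>" line in the @@ -2073 hunk is wrong: the entry is documented as alternate syntax for ipsecmod-allow, which takes a domain, so it should be "\fI<domain>\fR", matching the ipsecmod-allow line directly above it. The same line also drops the closing "\fR" that every other ".B" line in this section carries, so the italic font change runs into the following text. Suggest ".B ipsecmod\-whitelist: \fI<domain>\fR".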
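Review bot: the new ".B master:" entry in the @@ -2273 hunk describes the old keyword only as "Alternate syntax for \fBprimary\fR", but nothing in the rewritten text says whether an rpz block may mix primary: and master: statements or whether both spellings feed the same list of servers that "are all tried if one fails". A sentence stating that would help operators migrating existing configurations that still use master:. The rest of the hunk is a consistent terminology rename (url:, allow-notify and zonefile text all updated), with only the "allowed notify" wording noted above left to fix.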