Upgrade to Unbound 1.5.1. Almost all our local changes to date have been

adopted upstream, greatly reducing the diff.

15 files changed, 115 insertions, 64 deletions

diff --git a/contrib/unbound/libunbound/libunbound.c b/contrib/unbound/libunbound/libunbound.c
index 78d3196..91a663a 100644
--- a/contrib/unbound/libunbound/libunbound.c
+++ b/contrib/unbound/libunbound/libunbound.c
@@ -363,6 +363,26 @@ ub_ctx_add_ta_file(struct ub_ctx* ctx, const char* fname)
 	return UB_NOERROR;
 }
 
+int ub_ctx_add_ta_autr(struct ub_ctx* ctx, const char* fname)
+{
+	char* dup = strdup(fname);
+	if(!dup) return UB_NOMEM;
+	lock_basic_lock(&ctx->cfglock);
+	if(ctx->finalized) {
+		lock_basic_unlock(&ctx->cfglock);
+		free(dup);
+		return UB_AFTERFINAL;
+	}
+	if(!cfg_strlist_insert(&ctx->env->cfg->auto_trust_anchor_file_list,
+		dup)) {
+		lock_basic_unlock(&ctx->cfglock);
+		free(dup);
+		return UB_NOMEM;
+	}
+	lock_basic_unlock(&ctx->cfglock);
+	return UB_NOERROR;
+}
+
 int 
 ub_ctx_trustedkeys(struct ub_ctx* ctx, const char* fname)
 {
@@ -959,7 +979,7 @@ ub_ctx_resolvconf(struct ub_ctx* ctx, const char* fname)
 				parse++;
 			addr = parse;
 			/* skip [0-9a-fA-F.:]*, i.e. IP4 and IP6 address */
-			while(isxdigit(*parse) || *parse=='.' || *parse==':')
+			while(isxdigit((unsigned char)*parse) || *parse=='.' || *parse==':')
 				parse++;
 			/* terminate after the address, remove newline */
 			*parse = 0;
@@ -1031,7 +1051,7 @@ ub_ctx_hosts(struct ub_ctx* ctx, const char* fname)
 		/* format: <addr> spaces <name> spaces <name> ... */
 		addr = parse;
 		/* skip addr */
-		while(isxdigit(*parse) || *parse == '.' || *parse == ':')
+		while(isxdigit((unsigned char)*parse) || *parse == '.' || *parse == ':')
 			parse++;
 		if(*parse == '\n' || *parse == 0)
 			continue;
diff --git a/contrib/unbound/libunbound/libworker.c b/contrib/unbound/libunbound/libworker.c
index fa54180..e388e79 100644
--- a/contrib/unbound/libunbound/libworker.c
+++ b/contrib/unbound/libunbound/libworker.c
@@ -233,7 +233,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct event_base* eb)
 		w->env->infra_cache, w->env->rnd, cfg->use_caps_bits_for_id,
 		ports, numports, cfg->unwanted_threshold,
 		&libworker_alloc_cleanup, w, cfg->do_udp, w->sslctx,
-		cfg->delay_close);
+		cfg->delay_close, NULL);
 	if(!w->is_bg || w->is_bg_thread) {
 		lock_basic_unlock(&ctx->cfglock);
 	}
@@ -821,8 +821,9 @@ void libworker_alloc_cleanup(void* arg)
 
 struct outbound_entry* libworker_send_query(uint8_t* qname, size_t qnamelen,
         uint16_t qtype, uint16_t qclass, uint16_t flags, int dnssec,
-	int want_dnssec, struct sockaddr_storage* addr, socklen_t addrlen,
-	uint8_t* zone, size_t zonelen, struct module_qstate* q)
+	int want_dnssec, int nocaps, struct sockaddr_storage* addr,
+	socklen_t addrlen, uint8_t* zone, size_t zonelen,
+	struct module_qstate* q)
 {
 	struct libworker* w = (struct libworker*)q->env->worker;
 	struct outbound_entry* e = (struct outbound_entry*)regional_alloc(
@@ -831,7 +832,7 @@ struct outbound_entry* libworker_send_query(uint8_t* qname, size_t qnamelen,
 		return NULL;
 	e->qstate = q;
 	e->qsent = outnet_serviced_query(w->back, qname,
-		qnamelen, qtype, qclass, flags, dnssec, want_dnssec,
+		qnamelen, qtype, qclass, flags, dnssec, want_dnssec, nocaps,
 		q->env->cfg->tcp_upstream, q->env->cfg->ssl_upstream, addr,
 		addrlen, zone, zonelen, libworker_handle_service_reply, e,
 		w->back->udp_buff);
@@ -953,7 +954,7 @@ struct outbound_entry* worker_send_query(uint8_t* ATTR_UNUSED(qname),
 	size_t ATTR_UNUSED(qnamelen), uint16_t ATTR_UNUSED(qtype), 
 	uint16_t ATTR_UNUSED(qclass), uint16_t ATTR_UNUSED(flags), 
 	int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
-	struct sockaddr_storage* ATTR_UNUSED(addr), 
+	int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr), 
 	socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
 	size_t ATTR_UNUSED(zonelen), struct module_qstate* ATTR_UNUSED(q))
 {
diff --git a/contrib/unbound/libunbound/python/examples/async-lookup.py b/contrib/unbound/libunbound/python/examples/async-lookup.py
index 52a2d3c..cbb8ea0 100644
--- a/contrib/unbound/libunbound/python/examples/async-lookup.py
+++ b/contrib/unbound/libunbound/python/examples/async-lookup.py
@@ -39,9 +39,9 @@ ctx = unbound.ub_ctx()
 ctx.resolvconf("/etc/resolv.conf")
 
 def call_back(my_data,status,result):
-    print "Call_back:", my_data
+    print("Call_back:", my_data)
     if status == 0 and result.havedata:
-        print "Result:", result.data.address_list
+        print("Result:", result.data.address_list)
         my_data['done_flag'] = True
 
 
@@ -53,4 +53,4 @@ while (status == 0) and (not my_data['done_flag']):
     time.sleep(0.1)
 
 if (status != 0):
-    print "Resolve error:", unbound.ub_strerror(status)
+    print("Resolve error:", unbound.ub_strerror(status))
diff --git a/contrib/unbound/libunbound/python/examples/dns-lookup.py b/contrib/unbound/libunbound/python/examples/dns-lookup.py
index 2821ed3..b3f4008 100644
--- a/contrib/unbound/libunbound/python/examples/dns-lookup.py
+++ b/contrib/unbound/libunbound/python/examples/dns-lookup.py
@@ -39,6 +39,6 @@ ctx.resolvconf("/etc/resolv.conf")
 
 status, result = ctx.resolve("www.nic.cz", unbound.RR_TYPE_A, unbound.RR_CLASS_IN)
 if status == 0 and result.havedata:
-    print "Result:", result.data.address_list
+    print("Result:", result.data.address_list)
 elif status != 0:
-    print "Error:", unbound.ub_strerror(status)
+    print("Error:", unbound.ub_strerror(status))
diff --git a/contrib/unbound/libunbound/python/examples/dnssec-valid.py b/contrib/unbound/libunbound/python/examples/dnssec-valid.py
index 3e05ddd..5c3cad9 100644
--- a/contrib/unbound/libunbound/python/examples/dnssec-valid.py
+++ b/contrib/unbound/libunbound/python/examples/dnssec-valid.py
@@ -48,12 +48,12 @@ if os.path.isfile("keys"):
 status, result = ctx.resolve("www.nic.cz", RR_TYPE_A, RR_CLASS_IN)
 if status == 0 and result.havedata:
 
-    print "Result:", result.data.address_list
+    print("Result:", result.data.address_list)
 
     if result.secure:
-        print "Result is secure"
+        print("Result is secure")
     elif result.bogus:
-        print "Result is bogus"
+        print("Result is bogus")
     else:
-        print "Result is insecure"
+        print("Result is insecure")
 
diff --git a/contrib/unbound/libunbound/python/examples/dnssec_test.py b/contrib/unbound/libunbound/python/examples/dnssec_test.py
index 138e19b..0d62b9f 100644
--- a/contrib/unbound/libunbound/python/examples/dnssec_test.py
+++ b/contrib/unbound/libunbound/python/examples/dnssec_test.py
@@ -3,27 +3,27 @@ from unbound import ub_ctx, RR_TYPE_A, RR_TYPE_RRSIG, RR_TYPE_NSEC, RR_TYPE_NSEC
 import ldns
 
 def dnssecParse(domain, rrType=RR_TYPE_A):
-    print "Resolving domain", domain
+    print("Resolving domain", domain)
     s, r = resolver.resolve(domain)
-    print "status: %s, secure: %s, rcode: %s, havedata: %s, answer_len; %s" % (s, r.secure, r.rcode_str, r.havedata, r.answer_len)
+    print("status: %s, secure: %s, rcode: %s, havedata: %s, answer_len; %s" % (s, r.secure, r.rcode_str, r.havedata, r.answer_len))
     
     s, pkt = ldns.ldns_wire2pkt(r.packet)
     if s != 0:
         raise RuntimeError("Error parsing DNS packet")
 
     rrsigs = pkt.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_ANSWER)
-    print "RRSIGs from answer:", rrsigs
+    print("RRSIGs from answer:", rrsigs)
     
     rrsigs = pkt.rr_list_by_type(RR_TYPE_RRSIG, ldns.LDNS_SECTION_AUTHORITY)
-    print "RRSIGs from authority:", rrsigs
+    print("RRSIGs from authority:", rrsigs)
     
     nsecs = pkt.rr_list_by_type(RR_TYPE_NSEC, ldns.LDNS_SECTION_AUTHORITY)
-    print "NSECs:", nsecs
+    print("NSECs:", nsecs)
     
     nsec3s = pkt.rr_list_by_type(RR_TYPE_NSEC3, ldns.LDNS_SECTION_AUTHORITY)
-    print "NSEC3s:", nsec3s
+    print("NSEC3s:", nsec3s)
     
-    print "---"
+    print("---")
 
 
 resolver = ub_ctx()
diff --git a/contrib/unbound/libunbound/python/examples/example8-1.py b/contrib/unbound/libunbound/python/examples/example8-1.py
index 6816da0..ca868e5 100644
--- a/contrib/unbound/libunbound/python/examples/example8-1.py
+++ b/contrib/unbound/libunbound/python/examples/example8-1.py
@@ -40,22 +40,22 @@ ctx.resolvconf("/etc/resolv.conf")
 
 status, result = ctx.resolve("nic.cz", unbound.RR_TYPE_MX, unbound.RR_CLASS_IN)
 if status == 0 and result.havedata:
-    print "Result:"
-    print "      raw data:", result.data
+    print("Result:")
+    print("      raw data:", result.data)
     for k in result.data.mx_list:
-        print "      priority:%d address:%s" % k
+        print("      priority:%d address:%s" % k)
 
 status, result = ctx.resolve("nic.cz", unbound.RR_TYPE_A, unbound.RR_CLASS_IN)
 if status == 0 and result.havedata:
-    print "Result:"
-    print "      raw data:", result.data
+    print("Result:")
+    print("      raw data:", result.data)
     for k in result.data.address_list:
-        print "      address:%s" % k
+        print("      address:%s" % k)
 
 status, result = ctx.resolve("nic.cz", unbound.RR_TYPE_NS, unbound.RR_CLASS_IN)
 if status == 0 and result.havedata:
-    print "Result:"
-    print "      raw data:", result.data
+    print("Result:")
+    print("      raw data:", result.data)
     for k in result.data.domain_list:
-        print "      host: %s" % k
+        print("      host: %s" % k)
 
diff --git a/contrib/unbound/libunbound/python/examples/idn-lookup.py b/contrib/unbound/libunbound/python/examples/idn-lookup.py
index 7cfdc9e..2170637 100644
--- a/contrib/unbound/libunbound/python/examples/idn-lookup.py
+++ b/contrib/unbound/libunbound/python/examples/idn-lookup.py
@@ -43,20 +43,20 @@ ctx.resolvconf("/etc/resolv.conf")
 #The unicode IDN string is automatically converted (if necessary)
 status, result = ctx.resolve(u"www.háčkyčárky.cz", unbound.RR_TYPE_A, unbound.RR_CLASS_IN)
 if status == 0 and result.havedata:
-    print "Result:"
-    print "      raw data:", result.data
+    print("Result:")
+    print("      raw data:", result.data)
     for k in result.data.address_list:
-        print "      address:%s" % k
+        print("      address:%s" % k)
 
 status, result = ctx.resolve(u"háčkyčárky.cz", unbound.RR_TYPE_MX, unbound.RR_CLASS_IN)
 if status == 0 and result.havedata:
-    print "Result:"
-    print "      raw data:", result.data
+    print("Result:")
+    print("      raw data:", result.data)
     for k in result.data.mx_list_idn:
-        print "      priority:%d address:%s" % k
+        print("      priority:%d address:%s" % k)
 
 status, result = ctx.resolve(unbound.reverse('217.31.204.66')+'.in-addr.arpa', unbound.RR_TYPE_PTR, unbound.RR_CLASS_IN)
 if status == 0 and result.havedata:
-    print "Result.data:", result.data
+    print("Result.data:", result.data)
     for k in result.data.domain_list_idn:
-        print "      dname:%s" % k
+        print("      dname:%s" % k)
diff --git a/contrib/unbound/libunbound/python/examples/mx-lookup.py b/contrib/unbound/libunbound/python/examples/mx-lookup.py
index cdcd1b1..f83f690 100644
--- a/contrib/unbound/libunbound/python/examples/mx-lookup.py
+++ b/contrib/unbound/libunbound/python/examples/mx-lookup.py
@@ -40,14 +40,14 @@ ctx.resolvconf("/etc/resolv.conf")
 
 status, result = ctx.resolve("nic.cz", unbound.RR_TYPE_MX, unbound.RR_CLASS_IN)
 if status == 0 and result.havedata:
-    print "Result:"
-    print "      raw data:", result.data
+    print("Result:")
+    print("      raw data:", result.data)
     for k in result.data.mx_list:
-        print "      priority:%d address:%s" % k
+        print("      priority:%d address:%s" % k)
 
 status, result = ctx.resolve("nic.cz", unbound.RR_TYPE_A, unbound.RR_CLASS_IN)
 if status == 0 and result.havedata:
-    print "Result:"
-    print "      raw data:", result.data
+    print("Result:")
+    print("      raw data:", result.data)
     for k in result.data.address_list:
-        print "      address:%s" % k
+        print("      address:%s" % k)
diff --git a/contrib/unbound/libunbound/python/examples/ns-lookup.py b/contrib/unbound/libunbound/python/examples/ns-lookup.py
index f9eafb2..bcd51de 100644
--- a/contrib/unbound/libunbound/python/examples/ns-lookup.py
+++ b/contrib/unbound/libunbound/python/examples/ns-lookup.py
@@ -40,8 +40,8 @@ ctx.resolvconf("/etc/resolv.conf")
 
 status, result = ctx.resolve("vutbr.cz", unbound.RR_TYPE_NS, unbound.RR_CLASS_IN)
 if status == 0 and result.havedata:
-    print "Result:"
-    print "      raw data:", result.data
+    print("Result:")
+    print("      raw data:", result.data)
     for k in result.data.domain_list:
-        print "      host: %s" % k
+        print("      host: %s" % k)
 
diff --git a/contrib/unbound/libunbound/python/examples/reverse-lookup.py b/contrib/unbound/libunbound/python/examples/reverse-lookup.py
index 4d3e0bb..7e06844e 100644
--- a/contrib/unbound/libunbound/python/examples/reverse-lookup.py
+++ b/contrib/unbound/libunbound/python/examples/reverse-lookup.py
@@ -39,5 +39,5 @@ ctx.resolvconf("/etc/resolv.conf")
 
 status, result = ctx.resolve(unbound.reverse("74.125.43.147") + ".in-addr.arpa.", unbound.RR_TYPE_PTR, unbound.RR_CLASS_IN)
 if status == 0 and result.havedata:
-    print "Result.data:", result.data, result.data.domain_list
+    print("Result.data:", result.data, result.data.domain_list)
 
diff --git a/contrib/unbound/libunbound/python/libunbound.i b/contrib/unbound/libunbound/python/libunbound.i
index 4f92799..313c748 100644
--- a/contrib/unbound/libunbound/python/libunbound.i
+++ b/contrib/unbound/libunbound/python/libunbound.i
@@ -44,6 +44,15 @@
 
 %pythoncode %{
    import encodings.idna
+
+   # Ensure compatibility with older python versions
+   if 'bytes' not in vars():
+       bytes = str
+
+   def ord(s):
+       if isinstance(s, int):
+           return s
+       return __builtins__.ord(s)
 %}
 
 //%include "doc.i"
@@ -559,10 +568,10 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
                :returns: * (int) 0 if OK, else error.
                          * (:class:`ub_result`) the result data is returned in a newly allocated result structure. May be None on return, return value is set to an error in that case (out of memory).
             """
-            if isinstance(name, unicode): #probably IDN
-                return _unbound.ub_resolve(self,idn2dname(name),rrtype,rrclass)
-            else:
+            if isinstance(name, bytes): #probably IDN
                 return _unbound.ub_resolve(self,name,rrtype,rrclass)
+            else:
+                return _unbound.ub_resolve(self,idn2dname(name),rrtype,rrclass)
             #parameters: struct ub_ctx *,char *,int,int,
             #retvals: int,struct ub_result **
 
@@ -597,10 +606,10 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
                         * `result` - the result structure. The result may be None, in that case err is set.
 
             """
-            if isinstance(name, unicode): #probably IDN
-                return _unbound._ub_resolve_async(self,idn2dname(name),rrtype,rrclass,mydata,callback)
-            else:
+            if isinstance(name, bytes): #probably IDN
                 return _unbound._ub_resolve_async(self,name,rrtype,rrclass,mydata,callback)
+            else:
+                return _unbound._ub_resolve_async(self,idn2dname(name),rrtype,rrclass,mydata,callback)
             #parameters: struct ub_ctx *,char *,int,int,void *,ub_callback_t,
             #retvals: int, int
 
@@ -689,7 +698,8 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
          idx = ofs
          while (idx < slen):
             complen = ord(s[idx])
-            res.append(s[idx+1:idx+1+complen])
+            # In python 3.x `str()` converts the string to unicode which is the expected text string type
+            res.append(str(s[idx+1:idx+1+complen]))
             idx += complen + 1
 
          return res
@@ -764,13 +774,13 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
      
      list = PyList_New(cnt);
      for (i=0;i<cnt;i++) 
-         PyList_SetItem(list, i, PyString_FromStringAndSize(result->data[i],result->len[i]));
+         PyList_SetItem(list, i, PyBytes_FromStringAndSize(result->data[i],result->len[i]));
      
      return list;
   }
 
   PyObject* _packet() {
-      return PyString_FromStringAndSize($self->answer_packet, $self->answer_len);
+      return PyBytes_FromStringAndSize($self->answer_packet, $self->answer_len);
   }
   
  %pythoncode %{
diff --git a/contrib/unbound/libunbound/ubsyms.def b/contrib/unbound/libunbound/ubsyms.def
index 866c176..ff3d958 100644
--- a/contrib/unbound/libunbound/ubsyms.def
+++ b/contrib/unbound/libunbound/ubsyms.def
@@ -8,6 +8,7 @@ ub_ctx_set_fwd
 ub_ctx_resolvconf
 ub_ctx_hosts
 ub_ctx_add_ta
+ub_ctx_add_ta_autr
 ub_ctx_add_ta_file
 ub_ctx_trustedkeys
 ub_ctx_debugout
diff --git a/contrib/unbound/libunbound/unbound.h b/contrib/unbound/libunbound/unbound.h
index 86bd3bf..fe903d0 100644
--- a/contrib/unbound/libunbound/unbound.h
+++ b/contrib/unbound/libunbound/unbound.h
@@ -357,6 +357,21 @@ int ub_ctx_add_ta(struct ub_ctx* ctx, const char* ta);
 int ub_ctx_add_ta_file(struct ub_ctx* ctx, const char* fname);
 
 /**
+ * Add trust anchor to the given context that is tracked with RFC5011
+ * automated trust anchor maintenance.  The file is written to when the
+ * trust anchor is changed.
+ * Pass the name of a file that was output from eg. unbound-anchor,
+ * or you can start it by providing a trusted DNSKEY or DS record on one
+ * line in the file.
+ * @param ctx: context.
+ *	At this time it is only possible to add trusted keys before the
+ *	first resolve is done.
+ * @param fname: filename of file with trust anchor.
+ * @return 0 if OK, else error.
+ */
+int ub_ctx_add_ta_autr(struct ub_ctx* ctx, const char* fname);
+
+/**
  * Add trust anchors to the given context.
  * Pass the name of a bind-style config file with trusted-keys{}.
  * @param ctx: context.
@@ -508,7 +523,7 @@ void ub_resolve_free(struct ub_result* result);
 
 /** 
  * Convert error value to a human readable string.
- * @param err: error code from one of the ub_val* functions.
+ * @param err: error code from one of the libunbound functions.
  * @return pointer to constant text string, zero terminated.
  */
 const char* ub_strerror(int err);
diff --git a/contrib/unbound/libunbound/worker.h b/contrib/unbound/libunbound/worker.h
index d8354c6..824012a 100644
--- a/contrib/unbound/libunbound/worker.h
+++ b/contrib/unbound/libunbound/worker.h
@@ -58,6 +58,7 @@ struct tube;
  * @param flags: host order flags word, with opcode and CD bit.
  * @param dnssec: if set, EDNS record will have DO bit set.
  * @param want_dnssec: signatures needed.
+ * @param nocaps: ignore capsforid(if in config), do not perturb qname.
  * @param addr: where to.
  * @param addrlen: length of addr.
  * @param zone: delegation point name.
@@ -68,8 +69,9 @@ struct tube;
  */
 struct outbound_entry* libworker_send_query(uint8_t* qname, size_t qnamelen,
         uint16_t qtype, uint16_t qclass, uint16_t flags, int dnssec,
-	int want_dnssec, struct sockaddr_storage* addr, socklen_t addrlen,
-	uint8_t* zone, size_t zonelen, struct module_qstate* q);
+	int want_dnssec, int nocaps, struct sockaddr_storage* addr,
+	socklen_t addrlen, uint8_t* zone, size_t zonelen,
+	struct module_qstate* q);
 
 /** process incoming replies from the network */
 int libworker_handle_reply(struct comm_point* c, void* arg, int error,
@@ -111,6 +113,7 @@ void worker_sighandler(int sig, void* arg);
  * @param flags: host order flags word, with opcode and CD bit.
  * @param dnssec: if set, EDNS record will have DO bit set.
  * @param want_dnssec: signatures needed.
+ * @param nocaps: ignore capsforid(if in config), do not perturb qname.
  * @param addr: where to.
  * @param addrlen: length of addr.
  * @param zone: wireformat dname of the zone.
@@ -121,8 +124,9 @@ void worker_sighandler(int sig, void* arg);
  */
 struct outbound_entry* worker_send_query(uint8_t* qname, size_t qnamelen, 
 	uint16_t qtype, uint16_t qclass, uint16_t flags, int dnssec, 
-	int want_dnssec, struct sockaddr_storage* addr, socklen_t addrlen,
-	uint8_t* zone, size_t zonelen, struct module_qstate* q);
+	int want_dnssec, int nocaps, struct sockaddr_storage* addr,
+	socklen_t addrlen, uint8_t* zone, size_t zonelen,
+	struct module_qstate* q);
 
 /** 
  * process control messages from the main thread. Frees the control