authordes <des@FreeBSD.org>2013-09-15 00:40:21 +0000
committerdes <des@FreeBSD.org>2013-09-15 00:40:21 +0000
commit52a4bf6eecd60016dcd14c7c7e70d82e535c4ec9 (patch)
treeb8b8e24429fad9a6971db09b17b6d8cc062cb87c /contrib/unbound
parentf5152501e6ad1b2e5058b824ff452dcb2a2ddbcc (diff)
Generated configuration and documentation
Approved by: re (blanket)
Diffstat (limited to 'contrib/unbound')
-rw-r--r--contrib/unbound/config.h911
-rw-r--r--contrib/unbound/doc/libunbound.3386
-rw-r--r--contrib/unbound/doc/unbound-anchor.8176
-rw-r--r--contrib/unbound/doc/unbound-checkconf.849
-rw-r--r--contrib/unbound/doc/unbound-control.8456
-rw-r--r--contrib/unbound/doc/unbound.851
-rw-r--r--contrib/unbound/doc/unbound.conf.51098
7 files changed, 3127 insertions, 0 deletions
diff --git a/contrib/unbound/config.h b/contrib/unbound/config.h
new file mode 100644
index 0000000..945f577
--- /dev/null
+++ b/contrib/unbound/config.h
@@ -0,0 +1,911 @@
+/* config.h. Generated from config.h.in by configure. */
+/* config.h.in. Generated from configure.ac by autoheader. */
+
+/* Directory to chroot to */
+#define CHROOT_DIR "/var/unbound"
+
+/* Pathname to the Unbound configuration file */
+#define CONFIGFILE "/etc/unbound/unbound.conf"
+
+/* configure flags */
+#define CONFIGURE_BUILD_WITH " '--with-conf-file=/etc/unbound/unbound.conf' '--with-run-dir=/var/unbound' '--with-username=unbound'"
+
+/* configure date */
+#define CONFIGURE_DATE "Sun Sep 15 02:01:38 CEST 2013"
+
+/* configure target system */
+#define CONFIGURE_TARGET "x86_64-unknown-freebsd10.0"
+
+/* Define this if on macOSX10.4-darwin8 and setreuid and setregid do not work
+ */
+/* #undef DARWIN_BROKEN_SETREUID */
+
+/* Whether daemon is deprecated */
+/* #undef DEPRECATED_DAEMON */
+
+/* Define if you want to use debug lock checking (slow). */
+/* #undef ENABLE_LOCK_CHECKS */
+
+/* Define this if you enabled-allsymbols from libunbound to link binaries to
+ it for smaller install size, but the libunbound export table is polluted by
+ internal symbols */
+/* #undef EXPORT_ALL_SYMBOLS */
+
+/* Define to 1 if you have the <arpa/inet.h> header file. */
+#define HAVE_ARPA_INET_H 1
+
+/* Whether the C compiler accepts the "format" attribute */
+#define HAVE_ATTR_FORMAT 1
+
+/* Whether the C compiler accepts the "unused" attribute */
+#define HAVE_ATTR_UNUSED 1
+
+/* Define to 1 if your system has a working `chown' function. */
+#define HAVE_CHOWN 1
+
+/* Define to 1 if you have the `chroot' function. */
+#define HAVE_CHROOT 1
+
+/* Define to 1 if you have the `ctime_r' function. */
+#define HAVE_CTIME_R 1
+
+/* Define to 1 if you have the `daemon' function. */
+#define HAVE_DAEMON 1
+
+/* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you
+ don't. */
+#define HAVE_DECL_NID_SECP384R1 1
+
+/* Define to 1 if you have the declaration of `NID_X9_62_prime256v1', and to 0
+ if you don't. */
+#define HAVE_DECL_NID_X9_62_PRIME256V1 1
+
+/* Define to 1 if you have the declaration of `sk_SSL_COMP_pop_free', and to 0
+ if you don't. */
+#define HAVE_DECL_SK_SSL_COMP_POP_FREE 1
+
+/* Define to 1 if you have the declaration of
+ `SSL_COMP_get_compression_methods', and to 0 if you don't. */
+#define HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS 1
+
+/* Define to 1 if you have the <dlfcn.h> header file. */
+#define HAVE_DLFCN_H 1
+
+/* Define to 1 if you have the `event_base_free' function. */
+/* #undef HAVE_EVENT_BASE_FREE */
+
+/* Define to 1 if you have the `event_base_get_method' function. */
+/* #undef HAVE_EVENT_BASE_GET_METHOD */
+
+/* Define to 1 if you have the `event_base_new' function. */
+/* #undef HAVE_EVENT_BASE_NEW */
+
+/* Define to 1 if you have the `event_base_once' function. */
+/* #undef HAVE_EVENT_BASE_ONCE */
+
+/* Define to 1 if you have the <event.h> header file. */
+/* #undef HAVE_EVENT_H */
+
+/* Define to 1 if you have the `EVP_sha1' function. */
+#define HAVE_EVP_SHA1 1
+
+/* Define to 1 if you have the `EVP_sha256' function. */
+#define HAVE_EVP_SHA256 1
+
+/* Define to 1 if you have the `EVP_sha512' function. */
+#define HAVE_EVP_SHA512 1
+
+/* Define to 1 if you have the `ev_default_loop' function. */
+/* #undef HAVE_EV_DEFAULT_LOOP */
+
+/* Define to 1 if you have the `ev_loop' function. */
+/* #undef HAVE_EV_LOOP */
+
+/* Define to 1 if you have the <expat.h> header file. */
+#define HAVE_EXPAT_H 1
+
+/* Define to 1 if you have the `fcntl' function. */
+#define HAVE_FCNTL 1
+
+/* Define to 1 if you have the `FIPS_mode' function. */
+#define HAVE_FIPS_MODE 1
+
+/* Define to 1 if you have the `fork' function. */
+#define HAVE_FORK 1
+
+/* Define to 1 if fseeko (and presumably ftello) exists and is declared. */
+#define HAVE_FSEEKO 1
+
+/* Whether getaddrinfo is available */
+#define HAVE_GETADDRINFO 1
+
+/* Define to 1 if you have the <getopt.h> header file. */
+#define HAVE_GETOPT_H 1
+
+/* Define to 1 if you have the `getpwnam' function. */
+#define HAVE_GETPWNAM 1
+
+/* Define to 1 if you have the `getrlimit' function. */
+#define HAVE_GETRLIMIT 1
+
+/* Define to 1 if you have the `glob' function. */
+#define HAVE_GLOB 1
+
+/* Define to 1 if you have the <glob.h> header file. */
+#define HAVE_GLOB_H 1
+
+/* Define to 1 if you have the `gmtime_r' function. */
+#define HAVE_GMTIME_R 1
+
+/* Define to 1 if you have the <grp.h> header file. */
+#define HAVE_GRP_H 1
+
+/* If you have HMAC_CTX_init */
+#define HAVE_HMAC_CTX_INIT 1
+
+/* Define to 1 if you have the `inet_aton' function. */
+#define HAVE_INET_ATON 1
+
+/* Define to 1 if you have the `inet_ntop' function. */
+#define HAVE_INET_NTOP 1
+
+/* Define to 1 if you have the `inet_pton' function. */
+#define HAVE_INET_PTON 1
+
+/* Define to 1 if you have the `initgroups' function. */
+#define HAVE_INITGROUPS 1
+
+/* Define to 1 if you have the <inttypes.h> header file. */
+#define HAVE_INTTYPES_H 1
+
+/* if the function 'ioctlsocket' is available */
+/* #undef HAVE_IOCTLSOCKET */
+
+/* Define to 1 if you have the <iphlpapi.h> header file. */
+/* #undef HAVE_IPHLPAPI_H */
+
+/* Define to 1 if you have the `kill' function. */
+#define HAVE_KILL 1
+
+/* Define to 1 if you have the `ldns_key_EVP_unload_gost' function. */
+/* #undef HAVE_LDNS_KEY_EVP_UNLOAD_GOST */
+
+/* Define to 1 if you have the <ldns/ldns.h> header file. */
+#define HAVE_LDNS_LDNS_H 1
+
+/* Define to 1 if you have the `ldns' library (-lldns). */
+#define HAVE_LIBLDNS 1
+
+/* Define to 1 if you have the `localtime_r' function. */
+#define HAVE_LOCALTIME_R 1
+
+/* Define to 1 if you have the <login_cap.h> header file. */
+#define HAVE_LOGIN_CAP_H 1
+
+/* If have GNU libc compatible malloc */
+#define HAVE_MALLOC 1
+
+/* Define to 1 if you have the `memmove' function. */
+#define HAVE_MEMMOVE 1
+
+/* Define to 1 if you have the <memory.h> header file. */
+#define HAVE_MEMORY_H 1
+
+/* Define to 1 if you have the <netdb.h> header file. */
+#define HAVE_NETDB_H 1
+
+/* Define to 1 if you have the <netinet/in.h> header file. */
+#define HAVE_NETINET_IN_H 1
+
+/* Use libnss for crypto */
+/* #undef HAVE_NSS */
+
+/* Define to 1 if you have the `OPENSSL_config' function. */
+#define HAVE_OPENSSL_CONFIG 1
+
+/* Define to 1 if you have the <openssl/conf.h> header file. */
+#define HAVE_OPENSSL_CONF_H 1
+
+/* Define to 1 if you have the <openssl/engine.h> header file. */
+#define HAVE_OPENSSL_ENGINE_H 1
+
+/* Define to 1 if you have the <openssl/err.h> header file. */
+#define HAVE_OPENSSL_ERR_H 1
+
+/* Define to 1 if you have the <openssl/rand.h> header file. */
+#define HAVE_OPENSSL_RAND_H 1
+
+/* Define to 1 if you have the <openssl/ssl.h> header file. */
+#define HAVE_OPENSSL_SSL_H 1
+
+/* Define if you have POSIX threads libraries and header files. */
+#define HAVE_PTHREAD 1
+
+/* Define to 1 if the system has the type `pthread_rwlock_t'. */
+#define HAVE_PTHREAD_RWLOCK_T 1
+
+/* Define to 1 if the system has the type `pthread_spinlock_t'. */
+#define HAVE_PTHREAD_SPINLOCK_T 1
+
+/* Define to 1 if you have the <pwd.h> header file. */
+#define HAVE_PWD_H 1
+
+/* Define if you have Python libraries and header files. */
+/* #undef HAVE_PYTHON */
+
+/* Define to 1 if you have the `random' function. */
+#define HAVE_RANDOM 1
+
+/* Define to 1 if you have the `recvmsg' function. */
+#define HAVE_RECVMSG 1
+
+/* Define to 1 if you have the `sbrk' function. */
+/* #undef HAVE_SBRK */
+
+/* Define to 1 if you have the `sendmsg' function. */
+#define HAVE_SENDMSG 1
+
+/* Define to 1 if you have the `setregid' function. */
+/* #undef HAVE_SETREGID */
+
+/* Define to 1 if you have the `setresgid' function. */
+#define HAVE_SETRESGID 1
+
+/* Define to 1 if you have the `setresuid' function. */
+#define HAVE_SETRESUID 1
+
+/* Define to 1 if you have the `setreuid' function. */
+/* #undef HAVE_SETREUID */
+
+/* Define to 1 if you have the `setrlimit' function. */
+#define HAVE_SETRLIMIT 1
+
+/* Define to 1 if you have the `setsid' function. */
+#define HAVE_SETSID 1
+
+/* Define to 1 if you have the `setusercontext' function. */
+#define HAVE_SETUSERCONTEXT 1
+
+/* Define to 1 if you have the `sigprocmask' function. */
+#define HAVE_SIGPROCMASK 1
+
+/* Define to 1 if you have the `sleep' function. */
+#define HAVE_SLEEP 1
+
+/* Define to 1 if you have the `snprintf' function. */
+#define HAVE_SNPRINTF 1
+
+/* Define to 1 if you have the `socketpair' function. */
+#define HAVE_SOCKETPAIR 1
+
+/* Using Solaris threads */
+/* #undef HAVE_SOLARIS_THREADS */
+
+/* Define to 1 if you have the `srandom' function. */
+#define HAVE_SRANDOM 1
+
+/* Define if you have the SSL libraries installed. */
+#define HAVE_SSL /**/
+
+/* Define to 1 if you have the <stdarg.h> header file. */
+#define HAVE_STDARG_H 1
+
+/* Define to 1 if you have the <stdbool.h> header file. */
+#define HAVE_STDBOOL_H 1
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#define HAVE_STDINT_H 1
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#define HAVE_STDLIB_H 1
+
+/* Define to 1 if you have the `strftime' function. */
+#define HAVE_STRFTIME 1
+
+/* Define to 1 if you have the <strings.h> header file. */
+#define HAVE_STRINGS_H 1
+
+/* Define to 1 if you have the <string.h> header file. */
+#define HAVE_STRING_H 1
+
+/* Define to 1 if you have the `strlcpy' function. */
+#define HAVE_STRLCPY 1
+
+/* Define to 1 if you have the `strptime' function. */
+#define HAVE_STRPTIME 1
+
+/* Define to 1 if `ipi_spec_dst' is a member of `struct in_pktinfo'. */
+/* #undef HAVE_STRUCT_IN_PKTINFO_IPI_SPEC_DST */
+
+/* Define if you have Swig libraries and header files. */
+/* #undef HAVE_SWIG */
+
+/* Define to 1 if you have the <syslog.h> header file. */
+#define HAVE_SYSLOG_H 1
+
+/* Define to 1 if you have the <sys/param.h> header file. */
+#define HAVE_SYS_PARAM_H 1
+
+/* Define to 1 if you have the <sys/resource.h> header file. */
+#define HAVE_SYS_RESOURCE_H 1
+
+/* Define to 1 if you have the <sys/socket.h> header file. */
+#define HAVE_SYS_SOCKET_H 1
+
+/* Define to 1 if you have the <sys/stat.h> header file. */
+#define HAVE_SYS_STAT_H 1
+
+/* Define to 1 if you have the <sys/types.h> header file. */
+#define HAVE_SYS_TYPES_H 1
+
+/* Define to 1 if you have the <sys/uio.h> header file. */
+#define HAVE_SYS_UIO_H 1
+
+/* Define to 1 if you have the <sys/wait.h> header file. */
+#define HAVE_SYS_WAIT_H 1
+
+/* Define to 1 if you have the <time.h> header file. */
+#define HAVE_TIME_H 1
+
+/* Define to 1 if you have the `tzset' function. */
+#define HAVE_TZSET 1
+
+/* Define to 1 if you have the <unistd.h> header file. */
+#define HAVE_UNISTD_H 1
+
+/* Define to 1 if you have the `usleep' function. */
+#define HAVE_USLEEP 1
+
+/* Define to 1 if you have the `vfork' function. */
+#define HAVE_VFORK 1
+
+/* Define to 1 if you have the <vfork.h> header file. */
+/* #undef HAVE_VFORK_H */
+
+/* Define to 1 if you have the <windows.h> header file. */
+/* #undef HAVE_WINDOWS_H */
+
+/* Using Windows threads */
+/* #undef HAVE_WINDOWS_THREADS */
+
+/* Define to 1 if you have the <winsock2.h> header file. */
+/* #undef HAVE_WINSOCK2_H */
+
+/* Define to 1 if `fork' works. */
+#define HAVE_WORKING_FORK 1
+
+/* Define to 1 if `vfork' works. */
+#define HAVE_WORKING_VFORK 1
+
+/* Define to 1 if you have the `writev' function. */
+#define HAVE_WRITEV 1
+
+/* Define to 1 if you have the <ws2tcpip.h> header file. */
+/* #undef HAVE_WS2TCPIP_H */
+
+/* Define to 1 if you have the `_beginthreadex' function. */
+/* #undef HAVE__BEGINTHREADEX */
+
+/* if lex has yylex_destroy */
+#define LEX_HAS_YYLEX_DESTROY 1
+
+/* Define to the sub-directory in which libtool stores uninstalled libraries.
+ */
+#define LT_OBJDIR ".libs/"
+
+/* Define to the maximum message length to pass to syslog. */
+#define MAXSYSLOGMSGLEN 10240
+
+/* Define if memcmp() does not compare unsigned bytes */
+/* #undef MEMCMP_IS_BROKEN */
+
+/* Define if mkdir has one argument. */
+/* #undef MKDIR_HAS_ONE_ARG */
+
+/* Define if the network stack does not fully support nonblocking io (causes
+ lower performance). */
+/* #undef NONBLOCKING_IS_BROKEN */
+
+/* Put -D_ALL_SOURCE define in config.h */
+/* #undef OMITTED__D_ALL_SOURCE */
+
+/* Put -D_BSD_SOURCE define in config.h */
+/* #undef OMITTED__D_BSD_SOURCE */
+
+/* Put -D_GNU_SOURCE define in config.h */
+/* #undef OMITTED__D_GNU_SOURCE */
+
+/* Put -D_LARGEFILE_SOURCE=1 define in config.h */
+/* #undef OMITTED__D_LARGEFILE_SOURCE_1 */
+
+/* Put -D_POSIX_C_SOURCE=200112 define in config.h */
+/* #undef OMITTED__D_POSIX_C_SOURCE_200112 */
+
+/* Put -D_XOPEN_SOURCE=600 define in config.h */
+/* #undef OMITTED__D_XOPEN_SOURCE_600 */
+
+/* Put -D_XOPEN_SOURCE_EXTENDED=1 define in config.h */
+/* #undef OMITTED__D_XOPEN_SOURCE_EXTENDED_1 */
+
+/* Put -D__EXTENSIONS__ define in config.h */
+/* #undef OMITTED__D__EXTENSIONS__ */
+
+/* Define to the address where bug reports for this package should be sent. */
+#define PACKAGE_BUGREPORT "unbound-bugs@nlnetlabs.nl"
+
+/* Define to the full name of this package. */
+#define PACKAGE_NAME "unbound"
+
+/* Define to the full name and version of this package. */
+#define PACKAGE_STRING "unbound 1.4.20"
+
+/* Define to the one symbol short name of this package. */
+#define PACKAGE_TARNAME "unbound"
+
+/* Define to the home page for this package. */
+#define PACKAGE_URL ""
+
+/* Define to the version of this package. */
+#define PACKAGE_VERSION "1.4.20"
+
+/* default pidfile location */
+#define PIDFILE "/var/unbound/unbound.pid"
+
+/* Define to necessary symbol if this constant uses a non-standard name on
+ your system. */
+/* #undef PTHREAD_CREATE_JOINABLE */
+
+/* Define as the return type of signal handlers (`int' or `void'). */
+#define RETSIGTYPE void
+
+/* default rootkey location */
+#define ROOT_ANCHOR_FILE "/var/unbound/root.key"
+
+/* default rootcert location */
+#define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
+
+/* version number for resource files */
+#define RSRC_PACKAGE_VERSION 1,4,2,0
+
+/* Directory to chdir to */
+#define RUN_DIR "/var/unbound"
+
+/* Shared data */
+#define SHARE_DIR "/var/unbound"
+
+/* Define to 1 if you have the ANSI C header files. */
+#define STDC_HEADERS 1
+
+/* use default strptime. */
+#define STRPTIME_WORKS 1
+
+/* Use win32 resources and API */
+/* #undef UB_ON_WINDOWS */
+
+/* default username */
+#define UB_USERNAME "unbound"
+
+/* use to enable lightweight alloc assertions, for debug use */
+/* #undef UNBOUND_ALLOC_LITE */
+
+/* use malloc not regions, for debug use */
+/* #undef UNBOUND_ALLOC_NONREGIONAL */
+
+/* use statistics for allocs and frees, for debug use */
+/* #undef UNBOUND_ALLOC_STATS */
+
+/* define this to enable debug checks. */
+/* #undef UNBOUND_DEBUG */
+
+/* Define this to enable ECDSA support. */
+#define USE_ECDSA 1
+
+/* Define this to enable an EVP workaround for older openssl */
+/* #undef USE_ECDSA_EVP_WORKAROUND */
+
+/* Define this to enable GOST support. */
+/* #undef USE_GOST */
+
+/* Define if you want to use internal select based events */
+#define USE_MINI_EVENT 1
+
+/* Define this to enable SHA256 and SHA512 support. */
+#define USE_SHA2 1
+
+/* Enable extensions on AIX 3, Interix. */
+#ifndef _ALL_SOURCE
+# define _ALL_SOURCE 1
+#endif
+/* Enable GNU extensions on systems that have them. */
+#ifndef _GNU_SOURCE
+# define _GNU_SOURCE 1
+#endif
+/* Enable threading extensions on Solaris. */
+#ifndef _POSIX_PTHREAD_SEMANTICS
+# define _POSIX_PTHREAD_SEMANTICS 1
+#endif
+/* Enable extensions on HP NonStop. */
+#ifndef _TANDEM_SOURCE
+# define _TANDEM_SOURCE 1
+#endif
+/* Enable general extensions on Solaris. */
+#ifndef __EXTENSIONS__
+# define __EXTENSIONS__ 1
+#endif
+
+
+/* Whether the windows socket API is used */
+/* #undef USE_WINSOCK */
+
+/* the version of the windows API enabled */
+#define WINVER 0x0502
+
+/* Define if you want Python module. */
+/* #undef WITH_PYTHONMODULE */
+
+/* Define if you want PyUnbound. */
+/* #undef WITH_PYUNBOUND */
+
+/* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a
+ `char[]'. */
+#define YYTEXT_POINTER 1
+
+/* Enable large inode numbers on Mac OS X 10.5. */
+#ifndef _DARWIN_USE_64_BIT_INODE
+# define _DARWIN_USE_64_BIT_INODE 1
+#endif
+
+/* Number of bits in a file offset, on hosts where this is settable. */
+/* #undef _FILE_OFFSET_BITS */
+
+/* Define to 1 to make fseeko visible on some hosts (e.g. glibc 2.2). */
+/* #undef _LARGEFILE_SOURCE */
+
+/* Define for large files, on AIX-style hosts. */
+/* #undef _LARGE_FILES */
+
+/* Define to 1 if on MINIX. */
+/* #undef _MINIX */
+
+/* Define to 2 if the system does not provide POSIX.1 features except with
+ this defined. */
+/* #undef _POSIX_1_SOURCE */
+
+/* Define to 1 if you need to in order for `stat' and other things to work. */
+/* #undef _POSIX_SOURCE */
+
+/* Define to empty if `const' does not conform to ANSI C. */
+/* #undef const */
+
+/* Define to `int' if <sys/types.h> doesn't define. */
+/* #undef gid_t */
+
+/* in_addr_t */
+/* #undef in_addr_t */
+
+/* in_port_t */
+/* #undef in_port_t */
+
+/* Define to `__inline__' or `__inline' if that's what the C compiler
+ calls it, or to nothing if 'inline' is not supported under any name. */
+#ifndef __cplusplus
+/* #undef inline */
+#endif
+
+/* Define to `short' if <sys/types.h> does not define. */
+/* #undef int16_t */
+
+/* Define to `int' if <sys/types.h> does not define. */
+/* #undef int32_t */
+
+/* Define to `long long' if <sys/types.h> does not define. */
+/* #undef int64_t */
+
+/* Define to `signed char' if <sys/types.h> does not define. */
+/* #undef int8_t */
+
+/* Define if replacement function should be used. */
+/* #undef malloc */
+
+/* Define to `long int' if <sys/types.h> does not define. */
+/* #undef off_t */
+
+/* Define to `int' if <sys/types.h> does not define. */
+/* #undef pid_t */
+
+/* Define to 'int' if not defined */
+/* #undef rlim_t */
+
+/* Define to `unsigned int' if <sys/types.h> does not define. */
+/* #undef size_t */
+
+/* Define to 'int' if not defined */
+/* #undef socklen_t */
+
+/* Define to `int' if <sys/types.h> does not define. */
+/* #undef ssize_t */
+
+/* Define to 'unsigned char if not defined */
+/* #undef u_char */
+
+/* Define to `int' if <sys/types.h> doesn't define. */
+/* #undef uid_t */
+
+/* Define to `unsigned short' if <sys/types.h> does not define. */
+/* #undef uint16_t */
+
+/* Define to `unsigned int' if <sys/types.h> does not define. */
+/* #undef uint32_t */
+
+/* Define to `unsigned long long' if <sys/types.h> does not define. */
+/* #undef uint64_t */
+
+/* Define to `unsigned char' if <sys/types.h> does not define. */
+/* #undef uint8_t */
+
+/* Define as `fork' if `vfork' does not work. */
+/* #undef vfork */
+
+#if defined(OMITTED__D_GNU_SOURCE) && !defined(_GNU_SOURCE)
+#define _GNU_SOURCE 1
+#endif
+
+#if defined(OMITTED__D_BSD_SOURCE) && !defined(_BSD_SOURCE)
+#define _BSD_SOURCE 1
+#endif
+
+#if defined(OMITTED__D__EXTENSIONS__) && !defined(__EXTENSIONS__)
+#define __EXTENSIONS__ 1
+#endif
+
+#if defined(OMITTED__D_POSIX_C_SOURCE_200112) && !defined(_POSIX_C_SOURCE)
+#define _POSIX_C_SOURCE 200112
+#endif
+
+#if defined(OMITTED__D_XOPEN_SOURCE_600) && !defined(_XOPEN_SOURCE)
+#define _XOPEN_SOURCE 600
+#endif
+
+#if defined(OMITTED__D_XOPEN_SOURCE_EXTENDED_1) && !defined(_XOPEN_SOURCE_EXTENDED)
+#define _XOPEN_SOURCE_EXTENDED 1
+#endif
+
+#if defined(OMITTED__D_ALL_SOURCE) && !defined(_ALL_SOURCE)
+#define _ALL_SOURCE 1
+#endif
+
+#if defined(OMITTED__D_LARGEFILE_SOURCE_1) && !defined(_LARGEFILE_SOURCE)
+#define _LARGEFILE_SOURCE 1
+#endif
+
+
+
+
+#ifndef UNBOUND_DEBUG
+# define NDEBUG
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <assert.h>
+
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+
+#include <errno.h>
+
+#if HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#ifdef HAVE_WINSOCK2_H
+#include <winsock2.h>
+#endif
+
+#ifdef HAVE_WS2TCPIP_H
+#include <ws2tcpip.h>
+#endif
+
+
+
+#ifdef HAVE_ATTR_FORMAT
+# define ATTR_FORMAT(archetype, string_index, first_to_check) \
+ __attribute__ ((format (archetype, string_index, first_to_check)))
+#else /* !HAVE_ATTR_FORMAT */
+# define ATTR_FORMAT(archetype, string_index, first_to_check) /* empty */
+#endif /* !HAVE_ATTR_FORMAT */
+
+
+#if defined(DOXYGEN)
+# define ATTR_UNUSED(x) x
+#elif defined(__cplusplus)
+# define ATTR_UNUSED(x)
+#elif defined(HAVE_ATTR_UNUSED)
+# define ATTR_UNUSED(x) x __attribute__((unused))
+#else /* !HAVE_ATTR_UNUSED */
+# define ATTR_UNUSED(x) x
+#endif /* !HAVE_ATTR_UNUSED */
+
+
+#ifndef HAVE_FSEEKO
+#define fseeko fseek
+#define ftello ftell
+#endif /* HAVE_FSEEKO */
+
+
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN 256
+#endif
+
+
+#ifndef HAVE_SNPRINTF
+#define snprintf snprintf_unbound
+#define vsnprintf vsnprintf_unbound
+#include <stdarg.h>
+int snprintf (char *str, size_t count, const char *fmt, ...);
+int vsnprintf (char *str, size_t count, const char *fmt, va_list arg);
+#endif /* HAVE_SNPRINTF */
+
+
+#ifndef HAVE_INET_PTON
+#define inet_pton inet_pton_unbound
+int inet_pton(int af, const char* src, void* dst);
+#endif /* HAVE_INET_PTON */
+
+
+#ifndef HAVE_INET_NTOP
+#define inet_ntop inet_ntop_unbound
+const char *inet_ntop(int af, const void *src, char *dst, size_t size);
+#endif
+
+
+#ifndef HAVE_INET_ATON
+#define inet_aton inet_aton_unbound
+int inet_aton(const char *cp, struct in_addr *addr);
+#endif
+
+
+#ifndef HAVE_MEMMOVE
+#define memmove memmove_unbound
+void *memmove(void *dest, const void *src, size_t n);
+#endif
+
+
+#ifndef HAVE_STRLCPY
+#define strlcpy strlcpy_unbound
+size_t strlcpy(char *dst, const char *src, size_t siz);
+#endif
+
+
+#ifndef HAVE_GMTIME_R
+#define gmtime_r gmtime_r_unbound
+struct tm *gmtime_r(const time_t *timep, struct tm *result);
+#endif
+
+
+#ifndef HAVE_SLEEP
+#define sleep(x) Sleep((x)*1000) /* on win32 */
+#endif /* HAVE_SLEEP */
+
+
+#ifndef HAVE_USLEEP
+#define usleep(x) Sleep((x)/1000 + 1) /* on win32 */
+#endif /* HAVE_USLEEP */
+
+
+#ifndef HAVE_RANDOM
+#define random rand /* on win32, for tests only (bad random) */
+#endif /* HAVE_RANDOM */
+
+
+#ifndef HAVE_SRANDOM
+#define srandom(x) srand(x) /* on win32, for tests only (bad random) */
+#endif /* HAVE_SRANDOM */
+
+
+/* detect if we need to cast to unsigned int for FD_SET to avoid warnings */
+#ifdef HAVE_WINSOCK2_H
+#define FD_SET_T (u_int)
+#else
+#define FD_SET_T
+#endif
+
+
+#ifndef IPV6_MIN_MTU
+#define IPV6_MIN_MTU 1280
+#endif /* IPV6_MIN_MTU */
+
+
+#ifdef MEMCMP_IS_BROKEN
+#include "compat/memcmp.h"
+#define memcmp memcmp_unbound
+int memcmp(const void *x, const void *y, size_t n);
+#endif
+
+
+
+#ifndef HAVE_CTIME_R
+#define ctime_r unbound_ctime_r
+char *ctime_r(const time_t *timep, char *buf);
+#endif
+
+#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
+#define strptime unbound_strptime
+struct tm;
+char *strptime(const char *s, const char *format, struct tm *tm);
+#endif
+
+#if defined(HAVE_EVENT_H) && !defined(HAVE_EVENT_BASE_ONCE) && !(defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)) && (defined(HAVE_PTHREAD) || defined(HAVE_SOLARIS_THREADS))
+ /* using version of libevent that is not threadsafe. */
+# define LIBEVENT_SIGNAL_PROBLEM 1
+#endif
+
+#ifndef CHECKED_INET6
+# define CHECKED_INET6
+# ifdef AF_INET6
+# define INET6
+# else
+# define AF_INET6 28
+# endif
+#endif /* CHECKED_INET6 */
+
+/* maximum nesting of included files */
+#define MAXINCLUDES 10
+#ifndef HAVE_GETADDRINFO
+struct sockaddr_storage;
+#include "compat/fake-rfc2553.h"
+#endif
+
+#ifdef UNBOUND_ALLOC_STATS
+# define malloc(s) unbound_stat_malloc_log(s, __FILE__, __LINE__, __func__)
+# define calloc(n,s) unbound_stat_calloc_log(n, s, __FILE__, __LINE__, __func__)
+# define free(p) unbound_stat_free_log(p, __FILE__, __LINE__, __func__)
+# define realloc(p,s) unbound_stat_realloc_log(p, s, __FILE__, __LINE__, __func__)
+void *unbound_stat_malloc(size_t size);
+void *unbound_stat_calloc(size_t nmemb, size_t size);
+void unbound_stat_free(void *ptr);
+void *unbound_stat_realloc(void *ptr, size_t size);
+void *unbound_stat_malloc_log(size_t size, const char* file, int line,
+ const char* func);
+void *unbound_stat_calloc_log(size_t nmemb, size_t size, const char* file,
+ int line, const char* func);
+void unbound_stat_free_log(void *ptr, const char* file, int line,
+ const char* func);
+void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
+ int line, const char* func);
+#elif defined(UNBOUND_ALLOC_LITE)
+# include "util/alloc.h"
+#endif /* UNBOUND_ALLOC_LITE and UNBOUND_ALLOC_STATS */
+
+/** default port for DNS traffic. */
+#define UNBOUND_DNS_PORT 53
+/** default port for unbound control traffic, registered port with IANA,
+ ub-dns-control 8953/tcp unbound dns nameserver control */
+#define UNBOUND_CONTROL_PORT 8953
+/** the version of unbound-control that this software implements */
+#define UNBOUND_CONTROL_VERSION 1
+
+
diff --git a/contrib/unbound/doc/libunbound.3 b/contrib/unbound/doc/libunbound.3
new file mode 100644
index 0000000..0f6f0c6
--- /dev/null
+++ b/contrib/unbound/doc/libunbound.3
@@ -0,0 +1,386 @@
+.TH "libunbound" "3" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.\"
+.\" libunbound.3 -- unbound library functions manual
+.\"
+.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
+.\"
+.\" See LICENSE for the license.
+.\"
+.\"
+.SH "NAME"
+.LP
+.B libunbound,
+.B unbound.h,
+.B ub_ctx,
+.B ub_result,
+.B ub_callback_t,
+.B ub_ctx_create,
+.B ub_ctx_delete,
+.B ub_ctx_set_option,
+.B ub_ctx_get_option,
+.B ub_ctx_config,
+.B ub_ctx_set_fwd,
+.B ub_ctx_resolvconf,
+.B ub_ctx_hosts,
+.B ub_ctx_add_ta,
+.B ub_ctx_add_ta_file,
+.B ub_ctx_trustedkeys,
+.B ub_ctx_debugout,
+.B ub_ctx_debuglevel,
+.B ub_ctx_async,
+.B ub_poll,
+.B ub_wait,
+.B ub_fd,
+.B ub_process,
+.B ub_resolve,
+.B ub_resolve_async,
+.B ub_cancel,
+.B ub_resolve_free,
+.B ub_strerror,
+.B ub_ctx_print_local_zones,
+.B ub_ctx_zone_add,
+.B ub_ctx_zone_remove,
+.B ub_ctx_data_add,
+.B ub_ctx_data_remove
+\- Unbound DNS validating resolver 1.4.20 functions.
+.SH "SYNOPSIS"
+.LP
+.B #include <unbound.h>
+.LP
+\fIstruct ub_ctx *\fR
+\fBub_ctx_create\fR(\fIvoid\fR);
+.LP
+\fIvoid\fR
+\fBub_ctx_delete\fR(\fIstruct ub_ctx*\fR ctx);
+.LP
+\fIint\fR
+\fBub_ctx_set_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar*\fR val);
+.LP
+\fIint\fR
+\fBub_ctx_get_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar**\fR val);
+.LP
+\fIint\fR
+\fBub_ctx_config\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
+.LP
+\fIint\fR
+\fBub_ctx_set_fwd\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR addr);
+.LP
+\fIint\fR
+\fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
+.LP
+\fIint\fR
+\fBub_ctx_hosts\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
+.LP
+\fIint\fR
+\fBub_ctx_add_ta\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR ta);
+.LP
+\fIint\fR
+\fBub_ctx_add_ta_file\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
+.LP
+\fIint\fR
+\fBub_ctx_trustedkeys\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
+.LP
+\fIint\fR
+\fBub_ctx_debugout\fR(\fIstruct ub_ctx*\fR ctx, \fIFILE*\fR out);
+.LP
+\fIint\fR
+\fBub_ctx_debuglevel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR d);
+.LP
+\fIint\fR
+\fBub_ctx_async\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR dothread);
+.LP
+\fIint\fR
+\fBub_poll\fR(\fIstruct ub_ctx*\fR ctx);
+.LP
+\fIint\fR
+\fBub_wait\fR(\fIstruct ub_ctx*\fR ctx);
+.LP
+\fIint\fR
+\fBub_fd\fR(\fIstruct ub_ctx*\fR ctx);
+.LP
+\fIint\fR
+\fBub_process\fR(\fIstruct ub_ctx*\fR ctx);
+.LP
+\fIint\fR
+\fBub_resolve\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name,
+.br
+ \fIint\fR rrtype, \fIint\fR rrclass, \fIstruct ub_result**\fR result);
+.LP
+\fIint\fR
+\fBub_resolve_async\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name,
+.br
+ \fIint\fR rrtype, \fIint\fR rrclass, \fIvoid*\fR mydata,
+.br
+ \fIub_callback_t\fR callback, \fIint*\fR async_id);
+.LP
+\fIint\fR
+\fBub_cancel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR async_id);
+.LP
+\fIvoid\fR
+\fBub_resolve_free\fR(\fIstruct ub_result*\fR result);
+.LP
+\fIconst char *\fR
+\fBub_strerror\fR(\fIint\fR err);
+.LP
+\fIint\fR
+\fBub_ctx_print_local_zones\fR(\fIstruct ub_ctx*\fR ctx);
+.LP
+\fIint\fR
+\fBub_ctx_zone_add\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone_name, \fIchar*\fR zone_type);
+.LP
+\fIint\fR
+\fBub_ctx_zone_remove\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone_name);
+.LP
+\fIint\fR
+\fBub_ctx_data_add\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR data);
+.LP
+\fIint\fR
+\fBub_ctx_data_remove\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR data);
+.SH "DESCRIPTION"
+.LP
+.B Unbound
+is an implementation of a DNS resolver, that does caching and
+DNSSEC validation. This is the library API, for using the \-lunbound library.
+The server daemon is described in \fIunbound\fR(8).
+The library can be used to convert hostnames to ip addresses, and back,
+and obtain other information from the DNS. The library performs public\-key
+validation of results with DNSSEC.
+.P
+The library uses a variable of type \fIstruct ub_ctx\fR to keep context
+between calls. The user must maintain it, creating it with
+.B ub_ctx_create
+and deleting it with
+.B ub_ctx_delete\fR.
+It can be created and deleted at any time. Creating it anew removes any
+previous configuration (such as trusted keys) and clears any cached results.
+.P
+The functions are thread\-safe, and a context an be used in a threaded (as
+well as in a non\-threaded) environment. Also resolution (and validation)
+can be performed blocking and non\-blocking (also called asynchronous).
+The async method returns from the call immediately, so that processing
+can go on, while the results become available later.
+.P
+The functions are discussed in turn below.
+.SH "FUNCTIONS"
+.TP
+.B ub_ctx_create
+Create a new context, initialised with defaults.
+The information from /etc/resolv.conf and /etc/hosts is not utilised
+by default. Use
+.B ub_ctx_resolvconf
+and
+.B ub_ctx_hosts
+to read them.
+.TP
+.B ub_ctx_delete
+Delete validation context and free associated resources.
+Outstanding async queries are killed and callbacks are not called for them.
+.TP
+.B ub_ctx_set_option
+A power\-user interface that lets you specify one of the options from the
+config file format, see \fIunbound.conf\fR(5). Not all options are
+relevant. For some specific options, such as adding trust anchors, special
+routines exist. Pass the option name with the trailing ':'.
+.TP
+.B ub_ctx_get_option
+A power\-user interface that gets an option value. Some options cannot be
+gotten, and others return a newline separated list. Pass the option name
+without trailing ':'. The returned value must be free(2)d by the caller.
+.TP
+.B ub_ctx_config
+A power\-user interface that lets you specify an unbound config file, see
+\fIunbound.conf\fR(5), which is read for configuration. Not all options are
+relevant. For some specific options, such as adding trust anchors, special
+routines exist.
+.TP
+.B ub_ctx_set_fwd
+Set machine to forward DNS queries to, the caching resolver to use.
+IP4 or IP6 address. Forwards all DNS requests to that machine, which
+is expected to run a recursive resolver. If the proxy is not
+DNSSEC capable, validation may fail. Can be called several times, in
+that case the addresses are used as backup servers.
+At this time it is only possible to set configuration before the
+first resolve is done.
+.TP
+.B ub_ctx_resolvconf
+By default the root servers are queried and full resolver mode is used, but
+you can use this call to read the list of nameservers to use from the
+filename given.
+Usually "/etc/resolv.conf". Uses those nameservers as caching proxies.
+If they do not support DNSSEC, validation may fail.
+Only nameservers are picked up, the searchdomain, ndots and other
+settings from \fIresolv.conf\fR(5) are ignored.
+If fname NULL is passed, "/etc/resolv.conf" is used (if on Windows,
+the system\-wide configured nameserver is picked instead).
+At this time it is only possible to set configuration before the
+first resolve is done.
+.TP
+.B ub_ctx_hosts
+Read list of hosts from the filename given.
+Usually "/etc/hosts". When queried for, these addresses are not marked
+DNSSEC secure. If fname NULL is passed, "/etc/hosts" is used
+(if on Windows, etc/hosts from WINDIR is picked instead).
+At this time it is only possible to set configuration before the
+first resolve is done.
+.TP
+.B
+ub_ctx_add_ta
+Add a trust anchor to the given context.
+At this time it is only possible to add trusted keys before the
+first resolve is done.
+The format is a string, similar to the zone\-file format,
+[domainname] [type] [rdata contents]. Both DS and DNSKEY records are accepted.
+.TP
+.B ub_ctx_add_ta_file
+Add trust anchors to the given context.
+Pass name of a file with DS and DNSKEY records in zone file format.
+At this time it is only possible to add trusted keys before the
+first resolve is done.
+.TP
+.B ub_ctx_trustedkeys
+Add trust anchors to the given context.
+Pass the name of a bind\-style config file with trusted\-keys{}.
+At this time it is only possible to add trusted keys before the
+first resolve is done.
+.TP
+.B ub_ctx_debugout
+Set debug and error log output to the given stream. Pass NULL to disable
+output. Default is stderr. File\-names or using syslog can be enabled
+using config options, this routine is for using your own stream.
+.TP
+.B ub_ctx_debuglevel
+Set debug verbosity for the context. Output is directed to stderr.
+Higher debug level gives more output.
+.TP
+.B ub_ctx_async
+Set a context behaviour for asynchronous action.
+if set to true, enables threading and a call to
+.B ub_resolve_async
+creates a thread to handle work in the background.
+If false, a process is forked to handle work in the background.
+Changes to this setting after
+.B ub_resolve_async
+calls have been made have no effect (delete and re\-create the context
+to change).
+.TP
+.B ub_poll
+Poll a context to see if it has any new results.
+Do not poll in a loop, instead extract the fd below to poll for readiness,
+and then check, or wait using the wait routine.
+Returns 0 if nothing to read, or nonzero if a result is available.
+If nonzero, call
+.B ub_process
+to do callbacks.
+.TP
+.B ub_wait
+Wait for a context to finish with results. Calls
+.B ub_process
+after the wait for you. After the wait, there are no more outstanding
+asynchronous queries.
+.TP
+.B ub_fd
+Get file descriptor. Wait for it to become readable, at this point
+answers are returned from the asynchronous validating resolver.
+Then call the \fBub_process\fR to continue processing.
+.TP
+.B ub_process
+Call this routine to continue processing results from the validating
+resolver (when the fd becomes readable).
+Will perform necessary callbacks.
+.TP
+.B ub_resolve
+Perform resolution and validation of the target name.
+The name is a domain name in a zero terminated text string.
+The rrtype and rrclass are DNS type and class codes.
+The result structure is newly allocated with the resulting data.
+.TP
+.B ub_resolve_async
+Perform asynchronous resolution and validation of the target name.
+Arguments mean the same as for \fBub_resolve\fR except no
+data is returned immediately, instead a callback is called later.
+The callback receives a copy of the mydata pointer, that you can use to pass
+information to the callback. The callback type is a function pointer to
+a function declared as
+.IP
+void my_callback_function(void* my_arg, int err,
+.br
+ struct ub_result* result);
+.IP
+The async_id is returned so you can (at your option) decide to track it
+and cancel the request if needed. If you pass a NULL pointer the async_id
+is not returned.
+.TP
+.B ub_cancel
+Cancel an async query in progress. This may return an error if the query
+does not exist, or the query is already being delivered, in that case you
+may still get a callback for the query.
+.TP
+.B ub_resolve_free
+Free struct ub_result contents after use.
+.TP
+.B ub_strerror
+Convert error value from one of the unbound library functions
+to a human readable string.
+.TP
+.B ub_ctx_print_local_zones
+Debug printout the local authority information to debug output.
+.TP
+.B ub_ctx_zone_add
+Add new zone to local authority info, like local\-zone \fIunbound.conf\fR(5)
+statement.
+.TP
+.B ub_ctx_zone_remove
+Delete zone from local authority info.
+.TP
+.B ub_ctx_data_add
+Add resource record data to local authority info, like local\-data
+\fIunbound.conf\fR(5) statement.
+.TP
+.B ub_ctx_data_remove
+Delete local authority data from the name given.
+.SH "RESULT DATA STRUCTURE"
+.LP
+The result of the DNS resolution and validation is returned as
+\fIstruct ub_result\fR. The result structure contains the following entries.
+.P
+.nf
+ struct ub_result {
+ char* qname; /* text string, original question */
+ int qtype; /* type code asked for */
+ int qclass; /* class code asked for */
+ char** data; /* array of rdata items, NULL terminated*/
+ int* len; /* array with lengths of rdata items */
+ char* canonname; /* canonical name of result */
+ int rcode; /* additional error code in case of no data */
+ void* answer_packet; /* full network format answer packet */
+ int answer_len; /* length of packet in octets */
+ int havedata; /* true if there is data */
+ int nxdomain; /* true if nodata because name does not exist */
+ int secure; /* true if result is secure */
+ int bogus; /* true if a security failure happened */
+ char* why_bogus; /* string with error if bogus */
+ int ttl; /* number of seconds the result is valid */
+ };
+.fi
+.P
+If both secure and bogus are false, security was not enabled for the
+domain of the query.
+.SH "RETURN VALUES"
+Many routines return an error code. The value 0 (zero) denotes no error
+happened. Other values can be passed to
+.B ub_strerror
+to obtain a readable error string.
+.B ub_strerror
+returns a zero terminated string.
+.B ub_ctx_create
+returns NULL on an error (a malloc failure).
+.B ub_poll
+returns true if some information may be available, false otherwise.
+.B ub_fd
+returns a file descriptor or \-1 on error.
+.SH "SEE ALSO"
+\fIunbound.conf\fR(5),
+\fIunbound\fR(8).
+.SH "AUTHORS"
+.B Unbound
+developers are mentioned in the CREDITS file in the distribution.
diff --git a/contrib/unbound/doc/unbound-anchor.8 b/contrib/unbound/doc/unbound-anchor.8
new file mode 100644
index 0000000..4c9c6a7
--- /dev/null
+++ b/contrib/unbound/doc/unbound-anchor.8
@@ -0,0 +1,176 @@
+.TH "unbound-anchor" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.\"
+.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
+.\"
+.\" Copyright (c) 2008, NLnet Labs. All rights reserved.
+.\"
+.\" See LICENSE for the license.
+.\"
+.\"
+.SH "NAME"
+.LP
+.B unbound\-anchor
+\- Unbound anchor utility.
+.SH "SYNOPSIS"
+.B unbound\-anchor
+.RB [ opts ]
+.SH "DESCRIPTION"
+.B Unbound\-anchor
+performs setup or update of the root trust anchor for DNSSEC validation.
+It can be run (as root) from the commandline, or run as part of startup
+scripts. Before you start the \fIunbound\fR(8) DNS server.
+.P
+Suggested usage:
+.P
+.nf
+ # in the init scripts.
+ # provide or update the root anchor (if necessary)
+ unbound-anchor -a "/var/unbound/root.key"
+ # Please note usage of this root anchor is at your own risk
+ # and under the terms of our LICENSE (see source).
+ #
+ # start validating resolver
+ # the unbound.conf contains:
+ # auto-trust-anchor-file: "/var/unbound/root.key"
+ unbound -c unbound.conf
+.fi
+.P
+This tool provides builtin default contents for the root anchor and root
+update certificate files.
+.P
+It tests if the root anchor file works, and if not, and an update is possible,
+attempts to update the root anchor using the root update certificate.
+It performs a https fetch of root-anchors.xml and checks the results, if
+all checks are successful, it updates the root anchor file. Otherwise
+the root anchor file is unchanged. It performs RFC5011 tracking if the
+DNSSEC information available via the DNS makes that possible.
+.P
+It does not perform an update if the certificate is expired, if the network
+is down or other errors occur.
+.P
+The available options are:
+.TP
+.B \-a \fIfile
+The root anchor key file, that is read in and written out.
+Default is /var/unbound/root.key.
+If the file does not exist, or is empty, a builtin root key is written to it.
+.TP
+.B \-c \fIfile
+The root update certificate file, that is read in.
+Default is /var/unbound/icannbundle.pem.
+If the file does not exist, or is empty, a builtin certificate is used.
+.TP
+.B \-l
+List the builtin root key and builtin root update certificate on stdout.
+.TP
+.B \-u \fIname
+The server name, it connects to https://name. Specify without https:// prefix.
+The default is "data.iana.org". It connects to the port specified with \-P.
+You can pass an IPv4 addres or IPv6 address (no brackets) if you want.
+.TP
+.B \-x \fIpath
+The pathname to the root\-anchors.xml file on the server. (forms URL with \-u).
+The default is /root\-anchors/root\-anchors.xml.
+.TP
+.B \-s \fIpath
+The pathname to the root\-anchors.p7s file on the server. (forms URL with \-u).
+The default is /root\-anchors/root\-anchors.p7s. This file has to be a PKCS7
+signature over the xml file, using the pem file (\-c) as trust anchor.
+.TP
+.B \-n \fIname
+The emailAddress for the Subject of the signer's certificate from the p7s
+signature file. Only signatures from this name are allowed. default is
+dnssec@iana.org. If you pass "" then the emailAddress is not checked.
+.TP
+.B \-4
+Use IPv4 for domain resolution and contacting the server on https. Default is
+to use IPv4 and IPv6 where appropriate.
+.TP
+.B \-6
+Use IPv6 for domain resolution and contacting the server on https. Default is
+to use IPv4 and IPv6 where appropriate.
+.TP
+.B \-f \fIresolv.conf
+Use the given resolv.conf file. Not enabled by default, but you could try to
+pass /etc/resolv.conf on some systems. It contains the IP addresses of the
+recursive nameservers to use. However, since this tool could be used to
+bootstrap that very recursive nameserver, it would not be useful (since
+that server is not up yet, since we are bootstrapping it). It could be
+useful in a situation where you know an upstream cache is deployed (and
+running) and in captive portal situations.
+.TP
+.B \-r \fIroot.hints
+Use the given root.hints file (same syntax as the BIND and Unbound root hints
+file) to bootstrap domain resolution. By default a list of builtin root
+hints is used. Unbound\-anchor goes to the network itself for these roots,
+to resolve the server (\-u option) and to check the root DNSKEY records.
+It does so, because the tool when used for bootstrapping the recursive
+resolver, cannot use that recursive resolver itself because it is bootstrapping
+that server.
+.TP
+.B \-v
+More verbose. Once prints informational messages, multiple times may enable
+large debug amounts (such as full certificates or byte\-dumps of downloaded
+files). By default it prints almost nothing. It also prints nothing on
+errors by default; in that case the original root anchor file is simply
+left undisturbed, so that a recursive server can start right after it.
+.TP
+.B \-C \fIunbound.conf
+Debug option to read unbound.conf into the resolver process used.
+.TP
+.B \-P \fIport
+Set the port number to use for the https connection. The default is 443.
+.TP
+.B \-F
+Debug option to force update of the root anchor through downloading the xml
+file and verifying it with the certificate. By default it first tries to
+update by contacting the DNS, which uses much less bandwidth, is much
+faster (200 msec not 2 sec), and is nicer to the deployed infrastructure.
+With this option, it still attempts to do so (and may verbosely tell you),
+but then ignores the result and goes on to use the xml fallback method.
+.TP
+.B \-h
+Show the version and commandline option help.
+.SH "EXIT CODE"
+This tool exits with value 1 if the root anchor was updated using the
+certificate or if the builtin root-anchor was used. It exits with code
+0 if no update was necessary, if the update was possible with RFC5011
+tracking, or if an error occurred.
+.P
+You can check the exit value in this manner:
+.nf
+ unbound-anchor -a "root.key" || logger "Please check root.key"
+.fi
+Or something more suitable for your operational environment.
+.SH "TRUST"
+The root keys and update certificate included in this tool
+are provided for convenience and under the terms of our
+license (see the LICENSE file in the source distribution or
+http://unbound.nlnetlabs.nl/svn/trunk/LICENSE) and might be stale or
+not suitable to your purpose.
+.P
+By running "unbound\-anchor \-l" the keys and certificate that are
+configured in the code are printed for your convenience.
+.P
+The build\-in configuration can be overridden by providing a root\-cert
+file and a rootkey file.
+.SH "FILES"
+.TP
+.I /var/unbound/root.key
+The root anchor file, updated with 5011 tracking, and read and written to.
+The file is created if it does not exist.
+.TP
+.I /var/unbound/icannbundle.pem
+The trusted self\-signed certificate that is used to verify the downloaded
+DNSSEC root trust anchor. You can update it by fetching it from
+https://data.iana.org/root\-anchors/icannbundle.pem (and validate it).
+If the file does not exist or is empty, a builtin version is used.
+.TP
+.I https://data.iana.org/root\-anchors/root\-anchors.xml
+Source for the root key information.
+.TP
+.I https://data.iana.org/root\-anchors/root\-anchors.p7s
+Signature on the root key information.
+.SH "SEE ALSO"
+\fIunbound.conf\fR(5),
+\fIunbound\fR(8).
diff --git a/contrib/unbound/doc/unbound-checkconf.8 b/contrib/unbound/doc/unbound-checkconf.8
new file mode 100644
index 0000000..f0b5a0b
--- /dev/null
+++ b/contrib/unbound/doc/unbound-checkconf.8
@@ -0,0 +1,49 @@
+.TH "unbound-checkconf" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.\"
+.\" unbound-checkconf.8 -- unbound configuration checker manual
+.\"
+.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
+.\"
+.\" See LICENSE for the license.
+.\"
+.\"
+.SH "NAME"
+.LP
+unbound\-checkconf
+\- Check unbound configuration file for errors.
+.SH "SYNOPSIS"
+.B unbound\-checkconf
+.RB [ \-h ]
+.RB [ \-o
+.IR option ]
+.RI [ cfgfile ]
+.SH "DESCRIPTION"
+.B Unbound\-checkconf
+checks the configuration file for the
+\fIunbound\fR(8)
+DNS resolver for syntax and other errors.
+The config file syntax is described in
+\fIunbound.conf\fR(5).
+.P
+The available options are:
+.TP
+.B \-h
+Show the version and commandline option help.
+.TP
+.B \-o\fI option
+If given, after checking the config file the value of this option is
+printed to stdout. For "" (disabled) options an empty line is printed.
+.TP
+.I cfgfile
+The config file to read with settings for unbound. It is checked.
+If omitted, the config file at the default location is checked.
+.SH "EXIT CODE"
+The unbound\-checkconf program exits with status code 1 on error,
+0 for a correct config file.
+.SH "FILES"
+.TP
+.I /etc/unbound/unbound.conf
+unbound configuration file.
+.SH "SEE ALSO"
+\fIunbound.conf\fR(5),
+\fIunbound\fR(8).
diff --git a/contrib/unbound/doc/unbound-control.8 b/contrib/unbound/doc/unbound-control.8
new file mode 100644
index 0000000..0d6a077
--- /dev/null
+++ b/contrib/unbound/doc/unbound-control.8
@@ -0,0 +1,456 @@
+.TH "unbound-control" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.\"
+.\" unbound-control.8 -- unbound remote control manual
+.\"
+.\" Copyright (c) 2008, NLnet Labs. All rights reserved.
+.\"
+.\" See LICENSE for the license.
+.\"
+.\"
+.SH "NAME"
+.LP
+.B unbound\-control,
+.B unbound\-control\-setup
+\- Unbound remote server control utility.
+.SH "SYNOPSIS"
+.B unbound\-control
+.RB [ \-hq ]
+.RB [ \-c
+.IR cfgfile ]
+.RB [ \-s
+.IR server ]
+.IR command
+.SH "DESCRIPTION"
+.B Unbound\-control
+performs remote administration on the \fIunbound\fR(8) DNS server.
+It reads the configuration file, contacts the unbound server over SSL
+sends the command and displays the result.
+.P
+The available options are:
+.TP
+.B \-h
+Show the version and commandline option help.
+.TP
+.B \-c \fIcfgfile
+The config file to read with settings. If not given the default
+config file /etc/unbound/unbound.conf is used.
+.TP
+.B \-s \fIserver[@port]
+IPv4 or IPv6 address of the server to contact. If not given, the
+address is read from the config file.
+.TP
+.B \-q
+quiet, if the option is given it does not print anything if it works ok.
+.SH "COMMANDS"
+There are several commands that the server understands.
+.TP
+.B start
+Start the server. Simply execs \fIunbound\fR(8). The unbound executable
+is searched for in the \fBPATH\fR set in the environment. It is started
+with the config file specified using \fI\-c\fR or the default config file.
+.TP
+.B stop
+Stop the server. The server daemon exits.
+.TP
+.B reload
+Reload the server. This flushes the cache and reads the config file fresh.
+.TP
+.B verbosity \fInumber
+Change verbosity value for logging. Same values as \fBverbosity\fR keyword in
+\fIunbound.conf\fR(5). This new setting lasts until the server is issued
+a reload (taken from config file again), or the next verbosity control command.
+.TP
+.B log_reopen
+Reopen the logfile, close and open it. Useful for logrotation to make the
+daemon release the file it is logging to. If you are using syslog it will
+attempt to close and open the syslog (which may not work if chrooted).
+.TP
+.B stats
+Print statistics. Resets the internal counters to zero, this can be
+controlled using the \fBstatistics\-cumulative\fR config statement.
+Statistics are printed with one [name]: [value] per line.
+.TP
+.B stats_noreset
+Peek at statistics. Prints them like the \fBstats\fR command does, but does not
+reset the internal counters to zero.
+.TP
+.B status
+Display server status. Exit code 3 if not running (the connection to the
+port is refused), 1 on error, 0 if running.
+.TP
+.B local_zone \fIname\fR \fItype
+Add new local zone with name and type. Like \fBlocal\-zone\fR config statement.
+If the zone already exists, the type is changed to the given argument.
+.TP
+.B local_zone_remove \fIname
+Remove the local zone with the given name. Removes all local data inside
+it. If the zone does not exist, the command succeeds.
+.TP
+.B local_data \fIRR data...
+Add new local data, the given resource record. Like \fBlocal\-data\fR
+config statement, except for when no covering zone exists. In that case
+this remote control command creates a transparent zone with the same
+name as this record. This command is not good at returning detailed syntax
+errors.
+.TP
+.B local_data_remove \fIname
+Remove all RR data from local name. If the name already has no items,
+nothing happens. Often results in NXDOMAIN for the name (in a static zone),
+but if the name has become an empty nonterminal (there is still data in
+domain names below the removed name), NOERROR nodata answers are the
+result for that name.
+.TP
+.B dump_cache
+The contents of the cache is printed in a text format to stdout. You can
+redirect it to a file to store the cache in a file.
+.TP
+.B load_cache
+The contents of the cache is loaded from stdin. Uses the same format as
+dump_cache uses. Loading the cache with old, or wrong data can result
+in old or wrong data returned to clients. Loading data into the cache
+in this way is supported in order to aid with debugging.
+.TP
+.B lookup \fIname
+Print to stdout the name servers that would be used to look up the
+name specified.
+.TP
+.B flush \fIname
+Remove the name from the cache. Removes the types
+A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR.
+Because that is fast to do. Other record types can be removed using
+.B flush_type
+or
+.B flush_zone\fR.
+.TP
+.B flush_type \fIname\fR \fItype
+Remove the name, type information from the cache.
+.TP
+.B flush_zone \fIname
+Remove all information at or below the name from the cache.
+The rrsets and key entries are removed so that new lookups will be performed.
+This needs to walk and inspect the entire cache, and is a slow operation.
+.TP
+.B flush_bogus
+Remove all bogus data from the cache.
+.TP
+.B flush_stats
+Reset statistics to zero.
+.TP
+.B flush_requestlist
+Drop the queries that are worked on. Stops working on the queries that the
+server is working on now. The cache is unaffected. No reply is sent for
+those queries, probably making those users request again later.
+Useful to make the server restart working on queries with new settings,
+such as a higher verbosity level.
+.TP
+.B dump_requestlist
+Show what is worked on. Prints all queries that the server is currently
+working on. Prints the time that users have been waiting. For internal
+requests, no time is printed. And then prints out the module status.
+.TP
+.B flush_infra \fIall|IP
+If all then entire infra cache is emptied. If a specific IP address, the
+entry for that address is removed from the cache. It contains EDNS, ping
+and lameness data.
+.TP
+.B dump_infra
+Show the contents of the infra cache.
+.TP
+.B set_option \fIopt: val
+Set the option to the given value without a reload. The cache is
+therefore not flushed. The option must end with a ':' and whitespace
+must be between the option and the value. Some values may not have an
+effect if set this way, the new values are not written to the config file,
+not all options are supported. This is different from the set_option call
+in libunbound, where all values work because unbound has not been inited.
+.IP
+The values that work are: statistics\-interval, statistics\-cumulative,
+do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
+harden\-glue, harden\-dnssec\-stripped, harden\-below\-nxdomain,
+harden\-referral\-path, prefetch, prefetch\-key, log\-queries,
+hide\-identity, hide\-version, identity, version, val\-log\-level,
+val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown,
+keep\-missing, tcp\-upstream, ssl\-upstream.
+.TP
+.B get_option \fIopt
+Get the value of the option. Give the option name without a trailing ':'.
+The value is printed. If the value is "", nothing is printed
+and the connection closes. On error 'error ...' is printed (it gives
+a syntax error on unknown option). For some options a list of values,
+one on each line, is printed. The options are shown from the config file
+as modified with set_option. For some options an override may have been
+taken that does not show up with this command, not results from e.g. the
+verbosity and forward control commands. Not all options work, see list_stubs,
+list_forwards, list_local_zones and list_local_data for those.
+.TP
+.B list_stubs
+List the stub zones in use. These are printed one by one to the output.
+This includes the root hints in use.
+.TP
+.B list_forwards
+List the forward zones in use. These are printed zone by zone to the output.
+.TP
+.B list_local_zones
+List the local zones in use. These are printed one per line with zone type.
+.TP
+.B list_local_data
+List the local data RRs in use. The resource records are printed.
+.TP
+.B forward_add \fR[\fI+i\fR] \fIzone addr ...
+Add a new forward zone to running unbound. With +i option also adds a
+\fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
+a DNSSEC root trust anchor configured for other names).
+The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
+in unbound.conf.
+.TP
+.B forward_remove \fR[\fI+i\fR] \fIzone
+Remove a forward zone from running unbound. The +i also removes a
+\fIdomain\-insecure\fR for the zone.
+.TP
+.B stub_add \fR[\fI+ip\fR] \fIzone addr ...
+Add a new stub zone to running unbound. With +i option also adds a
+\fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime,
+without it it is set to notprime. The addr can be IP4, IP6 or nameserver
+names, like the \fIstub-zone\fR config in unbound.conf.
+.TP
+.B stub_remove \fR[\fI+i\fR] \fIzone
+Remove a stub zone from running unbound. The +i also removes a
+\fIdomain\-insecure\fR for the zone.
+.TP
+.B forward \fR[\fIoff\fR | \fIaddr ...\fR ]
+Setup forwarding mode. Configures if the server should ask other upstream
+nameservers, should go to the internet root nameservers itself, or show
+the current config. You could pass the nameservers after a DHCP update.
+.IP
+Without arguments the current list of addresses used to forward all queries
+to is printed. On startup this is from the forward\-zone "." configuration.
+Afterwards it shows the status. It prints off when no forwarding is used.
+.IP
+If \fIoff\fR is passed, forwarding is disabled and the root nameservers
+are used. This can be used to avoid to avoid buggy or non\-DNSSEC supporting
+nameservers returned from DHCP. But may not work in hotels or hotspots.
+.IP
+If one or more IPv4 or IPv6 addresses are given, those are then used to forward
+queries to. The addresses must be separated with spaces. With '@port' the
+port number can be set explicitly (default port is 53 (DNS)).
+.IP
+By default the forwarder information from the config file for the root "." is
+used. The config file is not changed, so after a reload these changes are
+gone. Other forward zones from the config file are not affected by this command.
+.SH "EXIT CODE"
+The unbound\-control program exits with status code 1 on error, 0 on success.
+.SH "SET UP"
+The setup requires a self\-signed certificate and private keys for both
+the server and client. The script \fIunbound\-control\-setup\fR generates
+these in the default run directory, or with \-d in another directory.
+If you change the access control permissions on the key files you can decide
+who can use unbound\-control, by default owner and group but not all users.
+Run the script under the same username as you have configured in unbound.conf
+or as root, so that the daemon is permitted to read the files, for example with:
+.nf
+ sudo \-u unbound unbound\-control\-setup
+.fi
+If you have not configured
+a username in unbound.conf, the keys need read permission for the user
+credentials under which the daemon is started.
+The script preserves private keys present in the directory.
+After running the script as root, turn on \fBcontrol\-enable\fR in
+\fIunbound.conf\fR.
+.SH "STATISTIC COUNTERS"
+The \fIstats\fR command shows a number of statistic counters.
+.TP
+.I threadX.num.queries
+number of queries received by thread
+.TP
+.I threadX.num.cachehits
+number of queries that were successfully answered using a cache lookup
+.TP
+.I threadX.num.cachemiss
+number of queries that needed recursive processing
+.TP
+.I threadX.num.prefetch
+number of cache prefetches performed. This number is included in
+cachehits, as the original query had the unprefetched answer from cache,
+and resulted in recursive processing, taking a slot in the requestlist.
+Not part of the recursivereplies (or the histogram thereof) or cachemiss,
+as a cache response was sent.
+.TP
+.I threadX.num.recursivereplies
+The number of replies sent to queries that needed recursive processing. Could be smaller than threadX.num.cachemiss if due to timeouts no replies were sent for some queries.
+.TP
+.I threadX.requestlist.avg
+The average number of requests in the internal recursive processing request list on insert of a new incoming recursive processing query.
+.TP
+.I threadX.requestlist.max
+Maximum size attained by the internal recursive processing request list.
+.TP
+.I threadX.requestlist.overwritten
+Number of requests in the request list that were overwritten by newer entries. This happens if there is a flood of queries that recursive processing and the server has a hard time.
+.TP
+.I threadX.requestlist.exceeded
+Queries that were dropped because the request list was full. This happens if a flood of queries need recursive processing, and the server can not keep up.
+.TP
+.I threadX.requestlist.current.all
+Current size of the request list, includes internally generated queries (such
+as priming queries and glue lookups).
+.TP
+.I threadX.requestlist.current.user
+Current size of the request list, only the requests from client queries.
+.TP
+.I threadX.recursion.time.avg
+Average time it took to answer queries that needed recursive processing. Note that queries that were answered from the cache are not in this average.
+.TP
+.I threadX.recursion.time.median
+The median of the time it took to answer queries that needed recursive
+processing. The median means that 50% of the user queries were answered in
+less than this time. Because of big outliers (usually queries to non
+responsive servers), the average can be bigger than the median. This median
+has been calculated by interpolation from a histogram.
+.TP
+.I total.num.queries
+summed over threads.
+.TP
+.I total.num.cachehits
+summed over threads.
+.TP
+.I total.num.cachemiss
+summed over threads.
+.TP
+.I total.num.prefetch
+summed over threads.
+.TP
+.I total.num.recursivereplies
+summed over threads.
+.TP
+.I total.requestlist.avg
+averaged over threads.
+.TP
+.I total.requestlist.max
+the maximum of the thread requestlist.max values.
+.TP
+.I total.requestlist.overwritten
+summed over threads.
+.TP
+.I total.requestlist.exceeded
+summed over threads.
+.TP
+.I total.requestlist.current.all
+summed over threads.
+.TP
+.I total.recursion.time.median
+averaged over threads.
+.TP
+.I time.now
+current time in seconds since 1970.
+.TP
+.I time.up
+uptime since server boot in seconds.
+.TP
+.I time.elapsed
+time since last statistics printout, in seconds.
+.SH EXTENDED STATISTICS
+.TP
+.I mem.total.sbrk
+If sbrk(2) is available, an estimate of the heap size of the program in number of bytes. Close to the total memory used by the program, as reported by top and ps. Could be wrong if the OS allocates memory non\-contiguously.
+.TP
+.I mem.cache.rrset
+Memory in bytes in use by the RRset cache.
+.TP
+.I mem.cache.message
+Memory in bytes in use by the message cache.
+.TP
+.I mem.mod.iterator
+Memory in bytes in use by the iterator module.
+.TP
+.I mem.mod.validator
+Memory in bytes in use by the validator module. Includes the key cache and
+negative cache.
+.TP
+.I histogram.<sec>.<usec>.to.<sec>.<usec>
+Shows a histogram, summed over all threads. Every element counts the
+recursive queries whose reply time fit between the lower and upper bound.
+Times larger or equal to the lowerbound, and smaller than the upper bound.
+There are 40 buckets, with bucket sizes doubling.
+.TP
+.I num.query.type.A
+The total number of queries over all threads with query type A.
+Printed for the other query types as well, but only for the types for which
+queries were received, thus =0 entries are omitted for brevity.
+.TP
+.I num.query.type.other
+Number of queries with query types 256\-65535.
+.TP
+.I num.query.class.IN
+The total number of queries over all threads with query class IN (internet).
+Also printed for other classes (such as CH (CHAOS) sometimes used for
+debugging), or NONE, ANY, used by dynamic update.
+num.query.class.other is printed for classes 256\-65535.
+.TP
+.I num.query.opcode.QUERY
+The total number of queries over all threads with query opcode QUERY.
+Also printed for other opcodes, UPDATE, ...
+.TP
+.I num.query.tcp
+Number of queries that were made using TCP towards the unbound server.
+.TP
+.I num.query.ipv6
+Number of queries that were made using IPv6 towards the unbound server.
+.TP
+.I num.query.flags.RD
+The number of queries that had the RD flag set in the header.
+Also printed for flags QR, AA, TC, RA, Z, AD, CD.
+Note that queries with flags QR, AA or TC may have been rejected
+because of that.
+.TP
+.I num.query.edns.present
+number of queries that had an EDNS OPT record present.
+.TP
+.I num.query.edns.DO
+number of queries that had an EDNS OPT record with the DO (DNSSEC OK) bit set.
+These queries are also included in the num.query.edns.present number.
+.TP
+.I num.answer.rcode.NXDOMAIN
+The number of answers to queries, from cache or from recursion, that had the
+return code NXDOMAIN. Also printed for the other return codes.
+.TP
+.I num.answer.rcode.nodata
+The number of answers to queries that had the pseudo return code nodata.
+This means the actual return code was NOERROR, but additionally, no data was
+carried in the answer (making what is called a NOERROR/NODATA answer).
+These queries are also included in the num.answer.rcode.NOERROR number.
+Common for AAAA lookups when an A record exists, and no AAAA.
+.TP
+.I num.answer.secure
+Number of answers that were secure. The answer validated correctly.
+The AD bit might have been set in some of these answers, where the client
+signalled (with DO or AD bit in the query) that they were ready to accept
+the AD bit in the answer.
+.TP
+.I num.answer.bogus
+Number of answers that were bogus. These answers resulted in SERVFAIL
+to the client because the answer failed validation.
+.TP
+.I num.rrset.bogus
+The number of rrsets marked bogus by the validator. Increased for every
+RRset inspection that fails.
+.TP
+.I unwanted.queries
+Number of queries that were refused or dropped because they failed the
+access control settings.
+.TP
+.I unwanted.replies
+Replies that were unwanted or unsolicited. Could have been random traffic,
+delayed duplicates, very late answers, or could be spoofing attempts.
+Some low level of late answers and delayed duplicates are to be expected
+with the UDP protocol. Very high values could indicate a threat (spoofing).
+.SH "FILES"
+.TP
+.I /etc/unbound/unbound.conf
+unbound configuration file.
+.TP
+.I /var/unbound
+directory with private keys (unbound_server.key and unbound_control.key) and
+self\-signed certificates (unbound_server.pem and unbound_control.pem).
+.SH "SEE ALSO"
+\fIunbound.conf\fR(5),
+\fIunbound\fR(8).
diff --git a/contrib/unbound/doc/unbound.8 b/contrib/unbound/doc/unbound.8
new file mode 100644
index 0000000..009ff6f
--- /dev/null
+++ b/contrib/unbound/doc/unbound.8
@@ -0,0 +1,51 @@
+.TH "unbound" "8" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.\"
+.\" unbound.8 -- unbound manual
+.\"
+.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
+.\"
+.\" See LICENSE for the license.
+.\"
+.\"
+.SH "NAME"
+.LP
+.B unbound
+\- Unbound DNS validating resolver 1.4.20.
+.SH "SYNOPSIS"
+.LP
+.B unbound
+.RB [ \-h ]
+.RB [ \-d ]
+.RB [ \-v ]
+.RB [ \-c
+.IR cfgfile ]
+.SH "DESCRIPTION"
+.LP
+.B Unbound
+is an implementation of a DNS resolver, that does caching and
+DNSSEC validation.
+.P
+The available options are:
+.TP
+.B \-h
+Show the version and commandline option help.
+.TP
+.B \-c\fI cfgfile
+Set the config file with settings for unbound to read instead of reading the
+file at the default location, /etc/unbound/unbound.conf. The syntax is
+described in \fIunbound.conf\fR(5).
+.TP
+.B \-d
+Debug flag, do not fork into the background, but stay attached to the
+console. This flag will also delay writing to the logfile until the
+thread\-spawn time. So that most config and setup errors appear on stderr.
+.TP
+.B \-v
+Increase verbosity. If given multiple times, more information is logged.
+This is in addition to the verbosity (if any) from the config file.
+.SH "SEE ALSO"
+\fIunbound.conf\fR(5),
+\fIunbound\-checkconf\fR(8).
+.SH "AUTHORS"
+.B Unbound
+developers are mentioned in the CREDITS file in the distribution.
diff --git a/contrib/unbound/doc/unbound.conf.5 b/contrib/unbound/doc/unbound.conf.5
new file mode 100644
index 0000000..d2b6b91
--- /dev/null
+++ b/contrib/unbound/doc/unbound.conf.5
@@ -0,0 +1,1098 @@
+.TH "unbound.conf" "5" "Mar 21, 2013" "NLnet Labs" "unbound 1.4.20"
+.\"
+.\" unbound.conf.5 -- unbound.conf manual
+.\"
+.\" Copyright (c) 2007, NLnet Labs. All rights reserved.
+.\"
+.\" See LICENSE for the license.
+.\"
+.\"
+.SH "NAME"
+.LP
+.B unbound.conf
+\- Unbound configuration file.
+.SH "SYNOPSIS"
+.LP
+.B unbound.conf
+.SH "DESCRIPTION"
+.LP
+.B unbound.conf
+is used to configure
+\fIunbound\fR(8).
+The file format has attributes and values. Some attributes have attributes inside them.
+The notation is: attribute: value.
+.P
+Comments start with # and last to the end of line. Empty lines are
+ignored as is whitespace at the beginning of a line.
+.P
+The utility
+\fIunbound\-checkconf\fR(8)
+can be used to check unbound.conf prior to usage.
+.SH "EXAMPLE"
+An example config file is shown below. Copy this to /etc/unbound/unbound.conf
+and start the server with:
+.P
+.nf
+ $ unbound \-c /etc/unbound/unbound.conf
+.fi
+.P
+Most settings are the defaults. Stop the server with:
+.P
+.nf
+ $ kill `cat /etc/unbound/unbound.pid`
+.fi
+.P
+Below is a minimal config file. The source distribution contains an extensive
+example.conf file with all the options.
+.P
+.nf
+# unbound.conf(5) config file for unbound(8).
+server:
+ directory: "/etc/unbound"
+ username: unbound
+ # make sure unbound can access entropy from inside the chroot.
+ # e.g. on linux the use these commands (on BSD, devfs(8) is used):
+ # mount \-\-bind \-n /dev/random /etc/unbound/dev/random
+ # and mount \-\-bind \-n /dev/log /etc/unbound/dev/log
+ chroot: "/etc/unbound"
+ # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile.
+ pidfile: "/etc/unbound/unbound.pid"
+ # verbosity: 1 # uncomment and increase to get more logging.
+ # listen on all interfaces, answer queries from the local subnet.
+ interface: 0.0.0.0
+ interface: ::0
+ access\-control: 10.0.0.0/8 allow
+ access\-control: 2001:DB8::/64 allow
+.fi
+.SH "FILE FORMAT"
+.LP
+There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
+is followed by its containing attributes, or a value.
+.P
+Files can be included using the
+.B include:
+directive. It can appear anywhere, it accepts a single file name as argument.
+Processing continues as if the text from the included file was copied into
+the config file at that point. If also using chroot, using full path names
+for the included files works, relative pathnames for the included names work
+if the directory where the daemon is started equals its chroot/working
+directory. Wildcards can be used to include multiple files, see \fIglob\fR(7).
+.SS "Server Options"
+These options are part of the
+.B server:
+clause.
+.TP
+.B verbosity: \fI<number>
+The verbosity number, level 0 means no verbosity, only errors. Level 1
+gives operational information. Level 2 gives detailed operational
+information. Level 3 gives query level information, output per query.
+Level 4 gives algorithm level information. Level 5 logs client
+identification for cache misses. Default is level 1.
+The verbosity can also be increased from the commandline, see \fIunbound\fR(8).
+.TP
+.B statistics\-interval: \fI<seconds>
+The number of seconds between printing statistics to the log for every thread.
+Disable with value 0 or "". Default is disabled. The histogram statistics
+are only printed if replies were sent during the statistics interval,
+requestlist statistics are printed for every interval (but can be 0).
+This is because the median calculation requires data to be present.
+.TP
+.B statistics\-cumulative: \fI<yes or no>
+If enabled, statistics are cumulative since starting unbound, without clearing
+the statistics counters after logging the statistics. Default is no.
+.TP
+.B extended\-statistics: \fI<yes or no>
+If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
+Default is off, because keeping track of more statistics takes time. The
+counters are listed in \fIunbound\-control\fR(8).
+.TP
+.B num\-threads: \fI<number>
+The number of threads to create to serve clients. Use 1 for no threading.
+.TP
+.B port: \fI<port number>
+The port number, default 53, on which the server responds to queries.
+.TP
+.B interface: \fI<ip address[@port]>
+Interface to use to connect to the network. This interface is listened to
+for queries from clients, and answers to clients are given from it.
+Can be given multiple times to work on several interfaces. If none are
+given the default is to listen to localhost.
+The interfaces are not changed on a reload (kill \-HUP) but only on restart.
+A port number can be specified with @port (without spaces between
+interface and port number), if not specified the default port (from
+\fBport\fR) is used.
+.TP
+.B interface\-automatic: \fI<yes or no>
+Detect source interface on UDP queries and copy them to replies. This
+feature is experimental, and needs support in your OS for particular socket
+options. Default value is no.
+.TP
+.B outgoing\-interface: \fI<ip address>
+Interface to use to connect to the network. This interface is used to send
+queries to authoritative servers and receive their replies. Can be given
+multiple times to work on several interfaces. If none are given the
+default (all) is used. You can specify the same interfaces in
+.B interface:
+and
+.B outgoing\-interface:
+lines, the interfaces are then used for both purposes. Outgoing queries are
+sent via a random outgoing interface to counter spoofing.
+.TP
+.B outgoing\-range: \fI<number>
+Number of ports to open. This number of file descriptors can be opened per
+thread. Must be at least 1. Default depends on compile options. Larger
+numbers need extra resources from the operating system. For performance a
+a very large value is best, use libevent to make this possible.
+.TP
+.B outgoing\-port\-permit: \fI<port number or range>
+Permit unbound to open this port or range of ports for use to send queries.
+A larger number of permitted outgoing ports increases resilience against
+spoofing attempts. Make sure these ports are not needed by other daemons.
+By default only ports above 1024 that have not been assigned by IANA are used.
+Give a port number or a range of the form "low\-high", without spaces.
+.IP
+The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
+are processed in the line order of the config file, adding the permitted ports
+and subtracting the avoided ports from the set of allowed ports. The
+processing starts with the non IANA allocated ports above 1024 in the set
+of allowed ports.
+.TP
+.B outgoing\-port\-avoid: \fI<port number or range>
+Do not permit unbound to open this port or range of ports for use to send
+queries. Use this to make sure unbound does not grab a port that another
+daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
+By default only ports above 1024 that have not been assigned by IANA are used.
+Give a port number or a range of the form "low\-high", without spaces.
+.TP
+.B outgoing\-num\-tcp: \fI<number>
+Number of outgoing TCP buffers to allocate per thread. Default is 10. If set
+to 0, or if do_tcp is "no", no TCP queries to authoritative servers are done.
+.TP
+.B incoming\-num\-tcp: \fI<number>
+Number of incoming TCP buffers to allocate per thread. Default is 10. If set
+to 0, or if do_tcp is "no", no TCP queries from clients are accepted.
+.TP
+.B edns\-buffer\-size: \fI<number>
+Number of bytes size to advertise as the EDNS reassembly buffer size.
+This is the value put into datagrams over UDP towards peers. The actual
+buffer size is determined by msg\-buffer\-size (both for TCP and UDP). Do
+not set higher than that value. Default is 4096 which is RFC recommended.
+If you have fragmentation reassembly problems, usually seen as timeouts,
+then a value of 1480 can fix it. Setting to 512 bypasses even the most
+stringent path MTU problems, but is seen as extreme, since the amount
+of TCP fallback generated is excessive (probably also for this resolver,
+consider tuning the outgoing tcp number).
+.TP
+.B msg\-buffer\-size: \fI<number>
+Number of bytes size of the message buffers. Default is 65552 bytes, enough
+for 64 Kb packets, the maximum DNS message size. No message larger than this
+can be sent or received. Can be reduced to use less memory, but some requests
+for DNS data, such as for huge resource records, will result in a SERVFAIL
+reply to the client.
+.TP
+.B msg\-cache\-size: \fI<number>
+Number of bytes size of the message cache. Default is 4 megabytes.
+A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
+or gigabytes (1024*1024 bytes in a megabyte).
+.TP
+.B msg\-cache\-slabs: \fI<number>
+Number of slabs in the message cache. Slabs reduce lock contention by threads.
+Must be set to a power of 2. Setting (close) to the number of cpus is a
+reasonable guess.
+.TP
+.B num\-queries\-per\-thread: \fI<number>
+The number of queries that every thread will service simultaneously.
+If more queries arrive that need servicing, and no queries can be jostled out
+(see \fIjostle\-timeout\fR), then the queries are dropped. This forces
+the client to resend after a timeout; allowing the server time to work on
+the existing queries. Default depends on compile options, 512 or 1024.
+.TP
+.B jostle\-timeout: \fI<msec>
+Timeout used when the server is very busy. Set to a value that usually
+results in one roundtrip to the authority servers. If too many queries
+arrive, then 50% of the queries are allowed to run to completion, and
+the other 50% are replaced with the new incoming query if they have already
+spent more than their allowed time. This protects against denial of
+service by slow queries or high query rates. Default 200 milliseconds.
+The effect is that the qps for long-lasting queries is about
+(numqueriesperthread / 2) / (average time for such long queries) qps.
+The qps for short queries can be about (numqueriesperthread / 2)
+/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
+qps by default.
+.TP
+.B so\-rcvbuf: \fI<number>
+If not 0, then set the SO_RCVBUF socket option to get more buffer
+space on UDP port 53 incoming queries. So that short spikes on busy
+servers do not drop packets (see counter in netstat \-su). Default is
+0 (use system value). Otherwise, the number of bytes to ask for, try
+"4m" on a busy server. The OS caps it at a maximum, on linux unbound
+needs root permission to bypass the limit, or the admin can use sysctl
+net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf.
+On OpenBSD change header and recompile kernel. On Solaris ndd \-set
+/dev/udp udp_max_buf 8388608.
+.TP
+.B so\-sndbuf: \fI<number>
+If not 0, then set the SO_SNDBUF socket option to get more buffer space on
+UDP port 53 outgoing queries. This for very busy servers handles spikes
+in answer traffic, otherwise 'send: resource temporarily unavailable'
+can get logged, the buffer overrun is also visible by netstat \-su.
+Default is 0 (use system value). Specify the number of bytes to ask
+for, try "4m" on a very busy server. The OS caps it at a maximum, on
+linux unbound needs root permission to bypass the limit, or the admin
+can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar
+to so\-rcvbuf.
+.TP
+.B rrset\-cache\-size: \fI<number>
+Number of bytes size of the RRset cache. Default is 4 megabytes.
+A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
+or gigabytes (1024*1024 bytes in a megabyte).
+.TP
+.B rrset\-cache\-slabs: \fI<number>
+Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
+Must be set to a power of 2.
+.TP
+.B cache\-max\-ttl: \fI<seconds>
+Time to live maximum for RRsets and messages in the cache. Default is
+86400 seconds (1 day). If the maximum kicks in, responses to clients
+still get decrementing TTLs based on the original (larger) values.
+When the internal TTL expires, the cache item has expired.
+Can be set lower to force the resolver to query for data often, and not
+trust (very large) TTL values.
+.TP
+.B cache\-min\-ttl: \fI<seconds>
+Time to live minimum for RRsets and messages in the cache. Default is 0.
+If the the minimum kicks in, the data is cached for longer than the domain
+owner intended, and thus less queries are made to look up the data.
+Zero makes sure the data in the cache is as the domain owner intended,
+higher values, especially more than an hour or so, can lead to trouble as
+the data in the cache does not match up with the actual data any more.
+.TP
+.B infra\-host\-ttl: \fI<seconds>
+Time to live for entries in the host cache. The host cache contains
+roundtrip timing, lameness and EDNS support information. Default is 900.
+.TP
+.B infra\-cache\-slabs: \fI<number>
+Number of slabs in the infrastructure cache. Slabs reduce lock contention
+by threads. Must be set to a power of 2.
+.TP
+.B infra\-cache\-numhosts: \fI<number>
+Number of hosts for which information is cached. Default is 10000.
+.TP
+.B do\-ip4: \fI<yes or no>
+Enable or disable whether ip4 queries are answered or issued. Default is yes.
+.TP
+.B do\-ip6: \fI<yes or no>
+Enable or disable whether ip6 queries are answered or issued. Default is yes.
+If disabled, queries are not answered on IPv6, and queries are not sent on
+IPv6 to the internet nameservers.
+.TP
+.B do\-udp: \fI<yes or no>
+Enable or disable whether UDP queries are answered or issued. Default is yes.
+.TP
+.B do\-tcp: \fI<yes or no>
+Enable or disable whether TCP queries are answered or issued. Default is yes.
+.TP
+.B tcp\-upstream: \fI<yes or no>
+Enable or disable whether the upstream queries use TCP only for transport.
+Default is no. Useful in tunneling scenarios.
+.TP
+.B ssl\-upstream: \fI<yes or no>
+Enabled or disable whether the upstream queries use SSL only for transport.
+Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
+TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR).
+.TP
+.B ssl\-service-key: \fI<file>
+If enabled, the server provider SSL service on its TCP sockets. The clients
+have to use ssl\-upstream: yes. The file is the private key for the TLS
+session. The public certificate is in the ssl\-service\-pem file. Default
+is "", turned off. Requires a restart (a reload is not enough) if changed,
+because the private key is read while root permissions are held and before
+chroot (if any). Normal DNS TCP service is not provided and gives errors,
+this service is best run with a different \fBport:\fR config or \fI@port\fR
+suffixes in the \fBinterface\fR config.
+.TP
+.B ssl\-service\-pem: \fI<file>
+The public key certificate pem file for the ssl service. Default is "",
+turned off.
+.TP
+.B ssl\-port: \fI<number>
+The port number on which to provide TCP SSL service, default 443, only
+interfaces configured with that port number as @number get the SSL service.
+.TP
+.B do\-daemonize: \fI<yes or no>
+Enable or disable whether the unbound server forks into the background as
+a daemon. Default is yes.
+.TP
+.B access\-control: \fI<IP netblock> <action>
+The netblock is given as an IP4 or IP6 address with /size appended for a
+classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
+\fIallow\fR or \fIallow_snoop\fR.
+.IP
+The action \fIdeny\fR stops queries from hosts from that netblock.
+.IP
+The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
+error message back.
+.IP
+The action \fIallow\fR gives access to clients from that netblock.
+It gives only access for recursion clients (which is
+what almost all clients need). Nonrecursive queries are refused.
+.IP
+The \fIallow\fR action does allow nonrecursive queries to access the
+local\-data that is configured. The reason is that this does not involve
+the unbound server recursive lookup algorithm, and static data is served
+in the reply. This supports normal operations where nonrecursive queries
+are made for the authoritative data. For nonrecursive queries any replies
+from the dynamic cache are refused.
+.IP
+The action \fIallow_snoop\fR gives nonrecursive access too. This give
+both recursive and non recursive access. The name \fIallow_snoop\fR refers
+to cache snooping, a technique to use nonrecursive queries to examine
+the cache contents (for malicious acts). However, nonrecursive queries can
+also be a valuable debugging tool (when you want to examine the cache
+contents). In that case use \fIallow_snoop\fR for your administration host.
+.IP
+By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
+The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
+protocol is not designed to handle dropped packets due to policy, and
+dropping may result in (possibly excessive) retried queries.
+.TP
+.B chroot: \fI<directory>
+If chroot is enabled, you should pass the configfile (from the
+commandline) as a full path from the original root. After the
+chroot has been performed the now defunct portion of the config
+file path is removed to be able to reread the config after a reload.
+.IP
+All other file paths (working dir, logfile, roothints, and
+key files) can be specified in several ways:
+as an absolute path relative to the new root,
+as a relative path to the working directory, or
+as an absolute path relative to the original root.
+In the last case the path is adjusted to remove the unused portion.
+.IP
+The pidfile can be either a relative path to the working directory, or
+an absolute path relative to the original root. It is written just prior
+to chroot and dropping permissions. This allows the pidfile to be
+/var/run/unbound.pid and the chroot to be /var/unbound, for example.
+.IP
+Additionally, unbound may need to access /dev/random (for entropy)
+from inside the chroot.
+.IP
+If given a chroot is done to the given directory. The default is
+"/var/unbound". If you give "" no chroot is performed.
+.TP
+.B username: \fI<name>
+If given, after binding the port the user privileges are dropped. Default is
+"unbound". If you give username: "" no user change is performed.
+.IP
+If this user is not capable of binding the
+port, reloads (by signal HUP) will still retain the opened ports.
+If you change the port number in the config file, and that new port number
+requires privileges, then a reload will fail; a restart is needed.
+.TP
+.B directory: \fI<directory>
+Sets the working directory for the program. Default is "/var/unbound".
+.TP
+.B logfile: \fI<filename>
+If "" is given, logging goes to stderr, or nowhere once daemonized.
+The logfile is appended to, in the following format:
+.nf
+[seconds since 1970] unbound[pid:tid]: type: message.
+.fi
+If this option is given, the use\-syslog is option is set to "no".
+The logfile is reopened (for append) when the config file is reread, on
+SIGHUP.
+.TP
+.B use\-syslog: \fI<yes or no>
+Sets unbound to send log messages to the syslogd, using
+\fIsyslog\fR(3).
+The log facility LOG_DAEMON is used, with identity "unbound".
+The logfile setting is overridden when use\-syslog is turned on.
+The default is to log to syslog.
+.TP
+.B log\-time\-ascii: \fI<yes or no>
+Sets logfile lines to use a timestamp in UTC ascii. Default is no, which
+prints the seconds since 1970 in brackets. No effect if using syslog, in
+that case syslog formats the timestamp printed into the log files.
+.TP
+.B log\-queries: \fI<yes or no>
+Prints one line per query to the log, with the log timestamp and IP address,
+name, type and class. Default is no. Note that it takes time to print these
+lines which makes the server (significantly) slower. Odd (nonprintable)
+characters in names are printed as '?'.
+.TP
+.B pidfile: \fI<filename>
+The process id is written to the file. Default is "/var/unbound/unbound.pid".
+So,
+.nf
+kill \-HUP `cat /var/unbound/unbound.pid`
+.fi
+triggers a reload,
+.nf
+kill \-QUIT `cat /var/unbound/unbound.pid`
+.fi
+gracefully terminates.
+.TP
+.B root\-hints: \fI<filename>
+Read the root hints from this file. Default is nothing, using builtin hints
+for the IN class. The file has the format of zone files, with root
+nameserver names and addresses only. The default may become outdated,
+when servers change, therefore it is good practice to use a root\-hints file.
+.TP
+.B hide\-identity: \fI<yes or no>
+If enabled id.server and hostname.bind queries are refused.
+.TP
+.B identity: \fI<string>
+Set the identity to report. If set to "", the default, then the hostname
+of the server is returned.
+.TP
+.B hide\-version: \fI<yes or no>
+If enabled version.server and version.bind queries are refused.
+.TP
+.B version: \fI<string>
+Set the version to report. If set to "", the default, then the package
+version is returned.
+.TP
+.B target\-fetch\-policy: \fI<"list of numbers">
+Set the target fetch policy used by unbound to determine if it should fetch
+nameserver target addresses opportunistically. The policy is described per
+dependency depth.
+.IP
+The number of values determines the maximum dependency depth
+that unbound will pursue in answering a query.
+A value of \-1 means to fetch all targets opportunistically for that dependency
+depth. A value of 0 means to fetch on demand only. A positive value fetches
+that many targets opportunistically.
+.IP
+Enclose the list between quotes ("") and put spaces between numbers.
+The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour
+closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
+rumoured to be closer to that of BIND 8.
+.TP
+.B harden\-short\-bufsize: \fI<yes or no>
+Very small EDNS buffer sizes from queries are ignored. Default is off, since
+it is legal protocol wise to send these, and unbound tries to give very
+small answers to these queries, where possible.
+.TP
+.B harden\-large\-queries: \fI<yes or no>
+Very large queries are ignored. Default is off, since it is legal protocol
+wise to send these, and could be necessary for operation if TSIG or EDNS
+payload is very large.
+.TP
+.B harden\-glue: \fI<yes or no>
+Will trust glue only if it is within the servers authority. Default is on.
+.TP
+.B harden\-dnssec\-stripped: \fI<yes or no>
+Require DNSSEC data for trust\-anchored zones, if such data is absent,
+the zone becomes bogus. If turned off, and no DNSSEC data is received
+(or the DNSKEY data fails to validate), then the zone is made insecure,
+this behaves like there is no trust anchor. You could turn this off if
+you are sometimes behind an intrusive firewall (of some sort) that
+removes DNSSEC data from packets, or a zone changes from signed to
+unsigned to badly signed often. If turned off you run the risk of a
+downgrade attack that disables security for a zone. Default is on.
+.TP
+.B harden\-below\-nxdomain: \fI<yes or no>
+From draft-vixie-dnsext-resimprove, returns nxdomain to queries for a name
+below another name that is already known to be nxdomain. DNSSEC mandates
+noerror for empty nonterminals, hence this is possible. Very old software
+might return nxdomain for empty nonterminals (that usually happen for reverse
+IP address lookups), and thus may be incompatible with this. To try to avoid
+this only DNSSEC-secure nxdomains are used, because the old software does not
+have DNSSEC. Default is off.
+.TP
+.B harden\-referral\-path: \fI<yes or no>
+Harden the referral path by performing additional queries for
+infrastructure data. Validates the replies if trust anchors are configured
+and the zones are signed. This enforces DNSSEC validation on nameserver
+NS sets and the nameserver addresses that are encountered on the referral
+path to the answer.
+Default off, because it burdens the authority servers, and it is
+not RFC standard, and could lead to performance problems because of the
+extra query load that is generated. Experimental option.
+If you enable it consider adding more numbers after the target\-fetch\-policy
+to increase the max depth that is checked to.
+.TP
+.B use\-caps\-for\-id: \fI<yes or no>
+Use 0x20\-encoded random bits in the query to foil spoof attempts.
+This perturbs the lowercase and uppercase of query names sent to
+authority servers and checks if the reply still has the correct casing.
+Disabled by default.
+This feature is an experimental implementation of draft dns\-0x20.
+.TP
+.B private\-address: \fI<IP address or subnet>
+Give IPv4 of IPv6 addresses or classless subnets. These are addresses
+on your private network, and are not allowed to be returned for public
+internet names. Any occurence of such addresses are removed from
+DNS answers. Additionally, the DNSSEC validator may mark the answers
+bogus. This protects against so\-called DNS Rebinding, where a user browser
+is turned into a network proxy, allowing remote access through the browser
+to other parts of your private network. Some names can be allowed to
+contain your private addresses, by default all the \fBlocal\-data\fR
+that you configured is allowed to, and you can specify additional
+names using \fBprivate\-domain\fR. No private addresses are enabled
+by default. We consider to enable this for the RFC1918 private IP
+address space by default in later releases. That would enable private
+addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
+fd00::/8 and fe80::/10, since the RFC standards say these addresses
+should not be visible on the public internet. Turning on 127.0.0.0/8
+would hinder many spamblocklists as they use that.
+.TP
+.B private\-domain: \fI<domain name>
+Allow this domain, and all its subdomains to contain private addresses.
+Give multiple times to allow multiple domain names to contain private
+addresses. Default is none.
+.TP
+.B unwanted\-reply\-threshold: \fI<number>
+If set, a total number of unwanted replies is kept track of in every thread.
+When it reaches the threshold, a defensive action is taken and a warning
+is printed to the log. The defensive action is to clear the rrset and
+message caches, hopefully flushing away any poison. A value of 10 million
+is suggested. Default is 0 (turned off).
+.TP
+.B do\-not\-query\-address: \fI<IP address>
+Do not query the given IP address. Can be IP4 or IP6. Append /num to
+indicate a classless delegation netblock, for example like
+10.2.3.4/24 or 2001::11/64.
+.TP
+.B do\-not\-query\-localhost: \fI<yes or no>
+If yes, localhost is added to the do\-not\-query\-address entries, both
+IP6 ::1 and IP4 127.0.0.1/8. If no, then localhost can be used to send
+queries to. Default is yes.
+.TP
+.B prefetch: \fI<yes or no>
+If yes, message cache elements are prefetched before they expire to
+keep the cache up to date. Default is no. Turning it on gives about
+10 percent more traffic and load on the machine, but popular items do
+not expire from the cache.
+.TP
+.B prefetch-key: \fI<yes or no>
+If yes, fetch the DNSKEYs earlier in the validation process, when a DS
+record is encountered. This lowers the latency of requests. It does use
+a little more CPU. Also if the cache is set to 0, it is no use. Default is no.
+.TP
+.B rrset-roundrobin: \fI<yes or no>
+If yes, Unbound rotates RRSet order in response (the random number is taken
+from the query ID, for speed and thread safety). Default is no.
+.TP
+.B minimal-responses: \fI<yes or no>
+If yes, Unbound doesn't insert authority/additional sections into response
+messages when those sections are not required. This reduces response
+size significantly, and may avoid TCP fallback for some responses.
+This may cause a slight speedup. The default is no, because the DNS
+protocol RFCs mandate these sections, and the additional content could
+be of use and save roundtrips for clients.
+.TP
+.B module\-config: \fI<"module names">
+Module configuration, a list of module names separated by spaces, surround
+the string with quotes (""). The modules can be validator, iterator.
+Setting this to "iterator" will result in a non\-validating server.
+Setting this to "validator iterator" will turn on DNSSEC validation.
+The ordering of the modules is important.
+You must also set trust\-anchors for validation to be useful.
+.TP
+.B trust\-anchor\-file: \fI<filename>
+File with trusted keys for validation. Both DS and DNSKEY entries can appear
+in the file. The format of the file is the standard DNS Zone file format.
+Default is "", or no trust anchor file.
+.TP
+.B auto\-trust\-anchor\-file: \fI<filename>
+File with trust anchor for one zone, which is tracked with RFC5011 probes.
+The probes are several times per month, thus the machine must be online
+frequently. The initial file can be one with contents as described in
+\fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated,
+so the unbound user must have write permission.
+.TP
+.B trust\-anchor: \fI<"Resource Record">
+A DS or DNSKEY RR for a key to use for validation. Multiple entries can be
+given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
+The resource record is entered in the same format as 'dig' or 'drill' prints
+them, the same format as in the zone file. Has to be on a single line, with
+"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
+A class can be specified, but class IN is default.
+.TP
+.B trusted\-keys\-file: \fI<filename>
+File with trusted keys for validation. Specify more than one file
+with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
+but has a different file format. Format is BIND\-9 style format,
+the trusted\-keys { name flag proto algo "key"; }; clauses are read.
+It is possible to use wildcards with this statement, the wildcard is
+expanded on start and on reload.
+.TP
+.B dlv\-anchor\-file: \fI<filename>
+File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
+DNSKEY entries can be used in the file, in the same format as for
+\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
+would be slow. The DLV configured is used as a root trusted DLV, this
+means that it is a lookaside for the root. Default is "", or no dlv anchor file.
+.TP
+.B dlv\-anchor: \fI<"Resource Record">
+Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
+.TP
+.B domain\-insecure: \fI<domain name>
+Sets domain name to be insecure, DNSSEC chain of trust is ignored towards
+the domain name. So a trust anchor above the domain name can not make the
+domain secure with a DS record, such a DS record is then ignored.
+Also keys from DLV are ignored for the domain. Can be given multiple times
+to specify multiple domains that are treated as if unsigned. If you set
+trust anchors for the domain they override this setting (and the domain
+is secured).
+.IP
+This can be useful if you want to make sure a trust anchor for external
+lookups does not affect an (unsigned) internal domain. A DS record
+externally can create validation failures for that internal domain.
+.TP
+.B val\-override\-date: \fI<rrsig\-style date spec>
+Default is "" or "0", which disables this debugging feature. If enabled by
+giving a RRSIG style date, that date is used for verifying RRSIG inception
+and expiration dates, instead of the current date. Do not set this unless
+you are debugging signature inception and expiration. The value \-1 ignores
+the date altogether, useful for some special applications.
+.TP
+.B val\-sig\-skew\-min: \fI<seconds>
+Minimum number of seconds of clock skew to apply to validated signatures.
+A value of 10% of the signature lifetime (expiration \- inception) is
+used, capped by this setting. Default is 3600 (1 hour) which allows for
+daylight savings differences. Lower this value for more strict checking
+of short lived signatures.
+.TP
+.B val\-sig\-skew\-max: \fI<seconds>
+Maximum number of seconds of clock skew to apply to validated signatures.
+A value of 10% of the signature lifetime (expiration \- inception)
+is used, capped by this setting. Default is 86400 (24 hours) which
+allows for timezone setting problems in stable domains. Setting both
+min and max very low disables the clock skew allowances. Setting both
+min and max very high makes the validator check the signature timestamps
+less strictly.
+.TP
+.B val\-bogus\-ttl: \fI<number>
+The time to live for bogus data. This is data that has failed validation;
+due to invalid signatures or other checks. The TTL from that data cannot be
+trusted, and this value is used instead. The value is in seconds, default 60.
+The time interval prevents repeated revalidation of bogus data.
+.TP
+.B val\-clean\-additional: \fI<yes or no>
+Instruct the validator to remove data from the additional section of secure
+messages that are not signed properly. Messages that are insecure, bogus,
+indeterminate or unchecked are not affected. Default is yes. Use this setting
+to protect the users that rely on this validator for authentication from
+protentially bad data in the additional section.
+.TP
+.B val\-log\-level: \fI<number>
+Have the validator print validation failures to the log. Regardless of
+the verbosity setting. Default is 0, off. At 1, for every user query
+that fails a line is printed to the logs. This way you can monitor what
+happens with validation. Use a diagnosis tool, such as dig or drill,
+to find out why validation is failing for these queries. At 2, not only
+the query that failed is printed but also the reason why unbound thought
+it was wrong and which server sent the faulty data.
+.TP
+.B val\-permissive\-mode: \fI<yes or no>
+Instruct the validator to mark bogus messages as indeterminate. The security
+checks are performed, but if the result is bogus (failed security), the
+reply is not withheld from the client with SERVFAIL as usual. The client
+receives the bogus data. For messages that are found to be secure the AD bit
+is set in replies. Also logging is performed as for full validation.
+The default value is "no".
+.TP
+.B ignore\-cd\-flag: \fI<yes or no>
+Instruct unbound to ignore the CD flag from clients and refuse to
+return bogus answers to them. Thus, the CD (Checking Disabled) flag
+does not disable checking any more. This is useful if legacy (w2008)
+servers that set the CD flag but cannot validate DNSSEC themselves are
+the clients, and then unbound provides them with DNSSEC protection.
+The default value is "no".
+.TP
+.B val\-nsec3\-keysize\-iterations: \fI<"list of values">
+List of keysize and iteration count values, separated by spaces, surrounded
+by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
+maximum allowed NSEC3 iteration count before a message is simply marked
+insecure instead of performing the many hashing iterations. The list must
+be in ascending order and have at least one entry. If you set it to
+"1024 65535" there is no restriction to NSEC3 iteration values.
+This table must be kept short; a very long list could cause slower operation.
+.TP
+.B add\-holddown: \fI<seconds>
+Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
+autotrust updates to add new trust anchors only after they have been
+visible for this time. Default is 30 days as per the RFC.
+.TP
+.B del\-holddown: \fI<seconds>
+Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
+autotrust updates to remove revoked trust anchors after they have been
+kept in the revoked list for this long. Default is 30 days as per
+the RFC.
+.TP
+.B keep\-missing: \fI<seconds>
+Instruct the \fBauto\-trust\-anchor\-file\fR probe mechanism for RFC5011
+autotrust updates to remove missing trust anchors after they have been
+unseen for this long. This cleans up the state file if the target zone
+does not perform trust anchor revocation, so this makes the auto probe
+mechanism work with zones that perform regular (non\-5011) rollovers.
+The default is 366 days. The value 0 does not remove missing anchors,
+as per the RFC.
+.TP
+.B key\-cache\-size: \fI<number>
+Number of bytes size of the key cache. Default is 4 megabytes.
+A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
+or gigabytes (1024*1024 bytes in a megabyte).
+.TP
+.B key\-cache\-slabs: \fI<number>
+Number of slabs in the key cache. Slabs reduce lock contention by threads.
+Must be set to a power of 2. Setting (close) to the number of cpus is a
+reasonable guess.
+.TP
+.B neg\-cache\-size: \fI<number>
+Number of bytes size of the aggressive negative cache. Default is 1 megabyte.
+A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
+or gigabytes (1024*1024 bytes in a megabyte).
+.TP
+.B local\-zone: \fI<zone> <type>
+Configure a local zone. The type determines the answer to give if
+there is no match from local\-data. The types are deny, refuse, static,
+transparent, redirect, nodefault, typetransparent, and are explained
+below. After that the default settings are listed. Use local\-data: to
+enter data into the local zone. Answers for local zones are authoritative
+DNS answers. By default the zones are class IN.
+.IP
+If you need more complicated authoritative data, with referrals, wildcards,
+CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
+it as detailed in the stub zone section below.
+.TP 10
+\h'5'\fIdeny\fR
+Do not send an answer, drop the query.
+If there is a match from local data, the query is answered.
+.TP 10
+\h'5'\fIrefuse\fR
+Send an error message reply, with rcode REFUSED.
+If there is a match from local data, the query is answered.
+.TP 10
+\h'5'\fIstatic\fR
+If there is a match from local data, the query is answered.
+Otherwise, the query is answered with nodata or nxdomain.
+For a negative answer a SOA is included in the answer if present
+as local\-data for the zone apex domain.
+.TP 10
+\h'5'\fItransparent\fR
+If there is a match from local data, the query is answered.
+Otherwise if the query has a different name, the query is resolved normally.
+If the query is for a name given in localdata but no such type of data is
+given in localdata, then a noerror nodata answer is returned.
+If no local\-zone is given local\-data causes a transparent zone
+to be created by default.
+.TP 10
+\h'5'\fItypetransparent\fR
+If there is a match from local data, the query is answered. If the query
+is for a different name, or for the same name but for a different type,
+the query is resolved normally. So, similar to transparent but types
+that are not listed in local data are resolved normally, so if an A record
+is in the local data that does not cause a nodata reply for AAAA queries.
+.TP 10
+\h'5'\fIredirect\fR
+The query is answered from the local data for the zone name.
+There may be no local data beneath the zone name.
+This answers queries for the zone, and all subdomains of the zone
+with the local data for the zone.
+It can be used to redirect a domain to return a different address record
+to the end user, with
+local\-zone: "example.com." redirect and
+local\-data: "example.com. A 127.0.0.1"
+queries for www.example.com and www.foo.example.com are redirected, so
+that users with web browsers cannot access sites with suffix example.com.
+.TP 10
+\h'5'\fInodefault\fR
+Used to turn off default contents for AS112 zones. The other types
+also turn off default contents for the zone. The 'nodefault' option
+has no other effect than turning off default contents for the
+given zone.
+.P
+The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
+zones. The AS112 zones are reverse DNS zones for private use and reserved
+IP addresses for which the servers on the internet cannot provide correct
+answers. They are configured by default to give nxdomain (no reverse
+information) answers. The defaults can be turned off by specifying your
+own local\-zone of that name, or using the 'nodefault' type. Below is a
+list of the default zone contents.
+.TP 10
+\h'5'\fIlocalhost\fR
+The IP4 and IP6 localhost information is given. NS and SOA records are provided
+for completeness and to satisfy some DNS update tools. Default content:
+.nf
+local\-zone: "localhost." static
+local\-data: "localhost. 10800 IN NS localhost."
+local\-data: "localhost. 10800 IN
+ SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
+local\-data: "localhost. 10800 IN A 127.0.0.1"
+local\-data: "localhost. 10800 IN AAAA ::1"
+.fi
+.TP 10
+\h'5'\fIreverse IPv4 loopback\fR
+Default content:
+.nf
+local\-zone: "127.in\-addr.arpa." static
+local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
+local\-data: "127.in\-addr.arpa. 10800 IN
+ SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
+local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
+ PTR localhost."
+.fi
+.TP 10
+\h'5'\fIreverse IPv6 loopback\fR
+Default content:
+.nf
+local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
+ 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
+local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
+ 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
+ NS localhost."
+local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
+ 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
+ SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
+local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
+ 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
+ PTR localhost."
+.fi
+.TP 10
+\h'5'\fIreverse RFC1918 local use zones\fR
+Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
+31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
+The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
+records are provided.
+.TP 10
+\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
+Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
+2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
+113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
+.TP 10
+\h'5'\fIreverse RFC4291 IP6 unspecified\fR
+Reverse data for zone
+.nf
+0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
+0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
+.fi
+.TP 10
+\h'5'\fIreverse RFC4193 IPv6 Locally Assigned Local Addresses\fR
+Reverse data for zone D.F.ip6.arpa.
+.TP 10
+\h'5'\fIreverse RFC4291 IPv6 Link Local Addresses\fR
+Reverse data for zones 8.E.F.ip6.arpa to B.E.F.ip6.arpa.
+.TP 10
+\h'5'\fIreverse IPv6 Example Prefix\fR
+Reverse data for zone 8.B.D.0.1.0.0.2.ip6.arpa. This zone is used for
+tutorials and examples. You can remove the block on this zone with:
+.nf
+ local\-zone: 8.B.D.0.1.0.0.2.ip6.arpa. nodefault
+.fi
+You can also selectively unblock a part of the zone by making that part
+transparent with a local\-zone statement.
+This also works with the other default zones.
+.\" End of local-zone listing.
+.TP 5
+.B local\-data: \fI"<resource record string>"
+Configure local data, which is served in reply to queries for it.
+The query has to match exactly unless you configure the local\-zone as
+redirect. If not matched exactly, the local\-zone type determines
+further processing. If local\-data is configured that is not a subdomain of
+a local\-zone, a transparent local\-zone is configured.
+For record types such as TXT, use single quotes, as in
+local\-data: 'example. TXT "text"'.
+.IP
+If you need more complicated authoritative data, with referrals, wildcards,
+CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for
+it as detailed in the stub zone section below.
+.TP 5
+.B local\-data\-ptr: \fI"IPaddr name"
+Configure local data shorthand for a PTR record with the reversed IPv4 or
+IPv6 address and the host name. For example "192.0.2.4 www.example.com".
+TTL can be inserted like this: "2001:DB8::4 7200 www.example.com"
+.SS "Remote Control Options"
+In the
+.B remote\-control:
+clause are the declarations for the remote control facility. If this is
+enabled, the \fIunbound\-control\fR(8) utility can be used to send
+commands to the running unbound server. The server uses these clauses
+to setup SSLv3 / TLSv1 security for the connection. The
+\fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR
+section for options. To setup the correct self\-signed certificates use the
+\fIunbound\-control\-setup\fR(8) utility.
+.TP 5
+.B control\-enable: \fI<yes or no>
+The option is used to enable remote control, default is "no".
+If turned off, the server does not listen for control commands.
+.TP 5
+.B control\-interface: <ip address>
+Give IPv4 or IPv6 addresses to listen on for control commands.
+By default localhost (127.0.0.1 and ::1) is listened to.
+Use 0.0.0.0 and ::0 to listen to all interfaces.
+.TP 5
+.B control\-port: <port number>
+The port number to listen on for control commands, default is 8953.
+If you change this port number, and permissions have been dropped,
+a reload is not sufficient to open the port again, you must then restart.
+.TP 5
+.B server\-key\-file: "<private key file>"
+Path to the server private key, by default unbound_server.key.
+This file is generated by the \fIunbound\-control\-setup\fR utility.
+This file is used by the unbound server, but not by \fIunbound\-control\fR.
+.TP 5
+.B server\-cert\-file: "<certificate file.pem>"
+Path to the server self signed certificate, by default unbound_server.pem.
+This file is generated by the \fIunbound\-control\-setup\fR utility.
+This file is used by the unbound server, and also by \fIunbound\-control\fR.
+.TP 5
+.B control\-key\-file: "<private key file>"
+Path to the control client private key, by default unbound_control.key.
+This file is generated by the \fIunbound\-control\-setup\fR utility.
+This file is used by \fIunbound\-control\fR.
+.TP 5
+.B control\-cert\-file: "<certificate file.pem>"
+Path to the control client certificate, by default unbound_control.pem.
+This certificate has to be signed with the server certificate.
+This file is generated by the \fIunbound\-control\-setup\fR utility.
+This file is used by \fIunbound\-control\fR.
+.SS "Stub Zone Options"
+.LP
+There may be multiple
+.B stub\-zone:
+clauses. Each with a name: and zero or more hostnames or IP addresses.
+For the stub zone this list of nameservers is used. Class IN is assumed.
+The servers should be authority servers, not recursors; unbound performs
+the recursive processing itself for stub zones.
+.P
+The stub zone can be used to configure authoritative data to be used
+by the resolver that cannot be accessed using the public internet servers.
+This is useful for company\-local data or private zones. Setup an
+authoritative server on a different host (or different port). Enter a config
+entry for unbound with
+.B stub\-addr:
+<ip address of host[@port]>.
+The unbound resolver can then access the data, without referring to the
+public internet for it.
+.P
+This setup allows DNSSEC signed zones to be served by that
+authoritative server, in which case a trusted key entry with the public key
+can be put in config, so that unbound can validate the data and set the AD
+bit on replies for the private zone (authoritative servers do not set the
+AD bit). This setup makes unbound capable of answering queries for the
+private zone, and can even set the AD bit ('authentic'), but the AA
+('authoritative') bit is not set on these replies.
+.TP
+.B name: \fI<domain name>
+Name of the stub zone.
+.TP
+.B stub\-host: \fI<domain name>
+Name of stub zone nameserver. Is itself resolved before it is used.
+.TP
+.B stub\-addr: \fI<IP address>
+IP address of stub zone nameserver. Can be IP 4 or IP 6.
+To use a nondefault port for DNS communication append '@' with the port number.
+.TP
+.B stub\-prime: \fI<yes or no>
+This option is by default off. If enabled it performs NS set priming,
+which is similar to root hints, where it starts using the list of nameservers
+currently published by the zone. Thus, if the hint list is slightly outdated,
+the resolver picks up a correct list online.
+.TP
+.B stub\-first: \fI<yes or no>
+If enabled, a query is attempted without the stub clause if it fails.
+The data could not be retrieved and would have caused SERVFAIL because
+the servers are unreachable, instead it is tried without this clause.
+The default is no.
+.SS "Forward Zone Options"
+.LP
+There may be multiple
+.B forward\-zone:
+clauses. Each with a \fBname:\fR and zero or more hostnames or IP
+addresses. For the forward zone this list of nameservers is used to
+forward the queries to. The servers listed as \fBforward\-host:\fR and
+\fBforward\-addr:\fR have to handle further recursion for the query. Thus,
+those servers are not authority servers, but are (just like unbound is)
+recursive servers too; unbound does not perform recursion itself for the
+forward zone, it lets the remote server do it. Class IN is assumed.
+A forward\-zone entry with name "." and a forward\-addr target will
+forward all queries to that other server (unless it can answer from
+the cache).
+.TP
+.B name: \fI<domain name>
+Name of the forward zone.
+.TP
+.B forward\-host: \fI<domain name>
+Name of server to forward to. Is itself resolved before it is used.
+.TP
+.B forward\-addr: \fI<IP address>
+IP address of server to forward to. Can be IP 4 or IP 6.
+To use a nondefault port for DNS communication append '@' with the port number.
+.TP
+.B forward\-first: \fI<yes or no>
+If enabled, a query is attempted without the forward clause if it fails.
+The data could not be retrieved and would have caused SERVFAIL because
+the servers are unreachable, instead it is tried without this clause.
+The default is no.
+.SS "Python Module Options"
+.LP
+The
+.B python:
+clause gives the settings for the \fIpython\fR(1) script module. This module
+acts like the iterator and validator modules do, on queries and answers.
+To enable the script module it has to be compiled into the daemon,
+and the word "python" has to be put in the \fBmodule\-config:\fR option
+(usually first, or between the validator and iterator).
+.TP
+.B python\-script: \fI<python file>\fR
+The script file to load.
+.SH "MEMORY CONTROL EXAMPLE"
+In the example config settings below memory usage is reduced. Some service
+levels are lower, notable very large data and a high TCP load are no longer
+supported. Very large data and high TCP loads are exceptional for the DNS.
+DNSSEC validation is enabled, just add trust anchors.
+If you do not have to worry about programs using more than 3 Mb of memory,
+the below example is not for you. Use the defaults to receive full service,
+which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
+.P
+.nf
+# example settings that reduce memory usage
+server:
+ num\-threads: 1
+ outgoing\-num\-tcp: 1 # this limits TCP service, uses less buffers.
+ incoming\-num\-tcp: 1
+ outgoing\-range: 60 # uses less memory, but less performance.
+ msg\-buffer\-size: 8192 # note this limits service, 'no huge stuff'.
+ msg\-cache\-size: 100k
+ msg\-cache\-slabs: 1
+ rrset\-cache\-size: 100k
+ rrset\-cache\-slabs: 1
+ infra\-cache\-numhosts: 200
+ infra\-cache\-slabs: 1
+ key\-cache\-size: 100k
+ key\-cache\-slabs: 1
+ neg\-cache\-size: 10k
+ num\-queries\-per\-thread: 30
+ target\-fetch\-policy: "2 1 0 0 0 0"
+ harden\-large\-queries: "yes"
+ harden\-short\-bufsize: "yes"
+.fi
+.SH "FILES"
+.TP
+.I /var/unbound
+default unbound working directory.
+.TP
+.I /var/unbound
+default
+\fIchroot\fR(2)
+location.
+.TP
+.I /etc/unbound/unbound.conf
+unbound configuration file.
+.TP
+.I /var/unbound/unbound.pid
+default unbound pidfile with process ID of the running daemon.
+.TP
+.I unbound.log
+unbound log file. default is to log to
+\fIsyslog\fR(3).
+.SH "SEE ALSO"
+\fIunbound\fR(8),
+\fIunbound\-checkconf\fR(8).
+.SH "AUTHORS"
+.B Unbound
+was written by NLnet Labs. Please see CREDITS file
+in the distribution for further details.