18 files changed, 302 insertions, 154 deletions

diff --git a/contrib/unbound/doc/Changelog b/contrib/unbound/doc/Changelog
index 3f3b245..6824b1d 100644
--- a/contrib/unbound/doc/Changelog
+++ b/contrib/unbound/doc/Changelog
@@ -1,3 +1,121 @@
+8 December 2015: Wouter
+	- Fixup 724 for unbound-control.
+
+7 December 2015: Ralph
+	- Do not minimise forwarded requests.
+
+4 December 2015: Wouter
+	- Removed unneeded whitespace from example.conf.
+
+3 December 2015: Ralph
+	- (after rc1 tag)
+	- Committed fix to qname minimisation and unit test case for it.
+	
+3 December 2015: Wouter
+	- iana portlist update.
+	- 1.5.7rc1 prerelease tag.
+
+2 December 2015: Wouter
+	- Fixup 724: Fix PCA prompt for unbound-service-install.exe.
+	  re-enable stdout printout.
+	- For 724: Add Changelog to windows binary dist.
+
+1 December 2015: Ralph
+	- Qname minimisation review fixes
+
+1 December 2015: Wouter
+	- Fixup 724 fix for fname_after_chroot() calls.
+	- Remove stdout printout for unbound-service-install.exe
+	- .gitignore for git users.
+
+30 November 2015: Ralph
+	- Implemented qname minimisation
+
+30 November 2015: Wouter
+	- Fix for #724: conf syntax to read files from run dir (on Windows).
+
+25 November 2015: Wouter
+	- Fix for #720, fix unbound-control-setup windows batch file.
+
+24 November 2015: Wouter
+	- Fix #720: add windows scripts to zip bundle.
+	- iana portlist update.
+
+20 November 2015: Wouter
+	- Added assert on rrset cache correctness.
+	- Fix that malformed EDNS query gets a response without malformed EDNS.
+
+18 November 2015: Wouter
+	- newer acx_nlnetlabs.m4.
+	- spelling fixes from Igor Sobrado Delgado.
+
+17 November 2015: Wouter
+	- Fix #594. libunbound: optionally use libnettle for crypto.
+	  Contributed by Luca Bruno.  Added --with-nettle for use with
+	  --with-libunbound-only.
+	- refactor nsec3 hash implementation to be more library-portable.
+	- iana portlist update.
+	- Fixup DER encoded DSA signatures for libnettle.
+
+16 November 2015: Wouter
+	- Fix for lenient accept of reverse order DNAME and CNAME.
+
+6 November 2015: Wouter
+	- Change example.conf: ftp.internic.net to https://www.internic.net
+
+5 November 2015: Wouter
+	- ACX_SSL_CHECKS no longer adds -ldl needlessly.
+
+3 November 2015: Wouter
+	- Fix #718: Fix unbound-control-setup with support for env
+	  without HEREDOC bash support.
+
+29 October 2015: Wouter
+	- patch from Doug Hogan for SSL_OP_NO_SSLvx options.
+	- Fix #716: nodata proof with empty non-terminals and wildcards.
+
+28 October 2015: Wouter
+	- Fix checklock testcode for linux threads on exit.
+
+27 October 2015: Wouter
+	- isblank() compat implementation.
+	- detect libexpat without xml_StopParser function.
+	- portability fixes.
+	- portability, replace snprintf if return value broken.
+
+23 October 2015: Wouter
+	- Fix #714: Document config to block private-address for IPv4
+	  mapped IPv6 addresses.
+
+22 October 2015: Wouter
+	- Fix #712: unbound-anchor appears to not fsync root.key.
+
+20 October 2015: Wouter
+	- 1.5.6 release.
+	- trunk tracks development of 1.5.7.
+
+15 October 2015: Wouter
+	- Fix segfault in the dns64 module in the formaterror error path.
+	- Fix sldns_wire2str_rdata_scan for malformed RRs.
+	- tag for 1.5.6rc1 release.
+
+14 October 2015: Wouter
+	- ANY responses include DNAME records if present, as per Evan Hunt's
+	  remark in dnsop.
+	- Fix manpage to suggest using SIGTERM to terminate the server.
+
+9 October 2015: Wouter
+	- Default for ssl-port is port 853, the temporary port assignment
+	  for secure domain name system traffic.
+	  If you used to rely on the older default of port 443, you have
+	  to put a clause in unbound.conf for that.  The new value is likely
+	  going to be the standardised port number for this traffic.
+	- iana portlist update.
+
+6 October 2015: Wouter
+	- 1.5.5 release.
+	- trunk tracks the development of 1.5.6.
+
 28 September 2015: Wouter
 	- MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
 	  failures.
@@ -731,7 +849,7 @@
 	  existence in 4592.  NSEC empty non-terminals exist and thus the
 	  RCODE should have been NOERROR. If this occurs, and the RRsets
 	  are secure, we set the RCODE to NOERROR and the security status
-	  of the reponse is also considered secure.
+	  of the response is also considered secure.
 
 14 February 2014: Wouter
 	- Works on Minix (3.2.1).
@@ -1503,7 +1621,7 @@
 	- Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
 	- Fix warnings with gcc 4.6 in compat/inet_ntop.c.
 	- Fix warning unused in compat/strptime.c.
-	- Fix malloc detection and double defintion.
+	- Fix malloc detection and double definition.
 
 2 December 2011: Wouter
 	- configure generated with autoconf 2.68.
@@ -4948,7 +5066,7 @@
 	- Advertise builtin select libevent alternative when no libevent
 	  is found.
 	- signit can generate NSEC3 hashes, for generating tests.
-	- multiple nsec3 paramaters in message test.
+	- multiple nsec3 parameters in message test.
 	- too high nsec3 iterations becomes insecure test.
 
 21 September 2007: Wouter
@@ -5019,7 +5137,7 @@
 	- testbound can replay a TCP query (set MATCH TCP in the QUERY).
 	- DS and noDS referral validation test.
 	- if you configure many trust anchors, parent trust anchors can
-	  securely deny existance of child trust anchors, if validated.
+	  securely deny existence of child trust anchors, if validated.
 	- not all *.name NSECs are present because a wildcard was matched,
 	  and *.name NSECs can prove nodata for empty nonterminals.
 	  Also, for wildcard name NSECs, check they are not from the parent
@@ -5326,7 +5444,7 @@
 
 17 July 2007: Wouter
 	- forward zone options in config file.
-	- forward per zone in iterator. takes precendence over stubs.
+	- forward per zone in iterator. takes precedence over stubs.
 	- fixup commithooks.
 	- removed forward-to and forward-to-port features, subsumed by
 	  new forward zones.
@@ -5427,7 +5545,7 @@
 	  ldns and libevent are linked statically. Default is off.
 	- make install and make uninstall. Works with static-exe and without.
 	  installation of unbound binary and manual pages.
-	- alignement problem fix on solaris 64.
+	- alignment problem fix on solaris 64.
 	- fixup address in case of TCP error.
 
 12 June 2007: Wouter
@@ -5510,7 +5628,7 @@
 	- removed FLAG_CD from message and rrset caches. This was useful for
 	  an agnostic forwarder, but not for a sophisticated (trust value per
 	  rrset enabled) cache.
-	- iterator reponse typing.
+	- iterator response typing.
 	- iterator cname handle.
 	- iterator prime start.
 	- subquery work.
@@ -5530,7 +5648,7 @@
 	- Acknowledge use of unbound-java code in iterator. Nicer readme.
 	- services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
 	  rrset cache from module environment.
-	- packed rrset key has type and class as easily accessable struct
+	- packed rrset key has type and class as easily accessible struct
 	  members. They are still kept in network format for fast msg encode.
 	- dns cache find_delegation routine.
 	- iterator main functions setup.
@@ -5614,7 +5732,7 @@
 	- EDNS read from query, used to make reply smaller.
 	- advertised edns value constants.
 	- EDNS BADVERS response, if asked for too high edns version.
-	- EDNS extended error reponses once the EDNS record from the query
+	- EDNS extended error responses once the EDNS record from the query
 	  has successfully been parsed.
 
 4 May 2007: Wouter
diff --git a/contrib/unbound/doc/README b/contrib/unbound/doc/README
index c8bddcc..8235ea2 100644
--- a/contrib/unbound/doc/README
+++ b/contrib/unbound/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.5.5
+README for Unbound 1.5.7
 Copyright 2007 NLnet Labs
 http://unbound.net
 
diff --git a/contrib/unbound/doc/example.conf b/contrib/unbound/doc/example.conf
index 87bbebe..11c3ba9 100644
--- a/contrib/unbound/doc/example.conf
+++ b/contrib/unbound/doc/example.conf
@@ -1,14 +1,14 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.5.5.
+# See unbound.conf(5) man page, version 1.5.7.
 #
 # this is a comment.
 
 #Use this to include other text into the file.
 #include: "otherfile.conf"
 
-# The server clause sets the main parameters. 
+# The server clause sets the main parameters.
 server:
 	# whitespace is not necessary, but looks cleaner.
 
@@ -40,7 +40,7 @@ server:
 	# interface: 2001:DB8::5
 
 	# enable this feature to copy the source address of queries to reply.
-	# Socket options are not supported on all platforms. experimental. 
+	# Socket options are not supported on all platforms. experimental.
 	# interface-automatic: no
 
 	# port to answer queries from
@@ -84,10 +84,10 @@ server:
 	# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
 	# 0 is system default.  Use 4m to handle spikes on very busy servers.
 	# so-sndbuf: 0
-	
+
 	# use SO_REUSEPORT to distribute queries over threads.
 	# so-reuseport: no
-	
+
 	# use IP_TRANSPARENT so the interface: addresses can be non-local
 	# and you can config non-existing IPs that are going to work later on
 	# ip-transparent: no
@@ -105,7 +105,7 @@ server:
 	# msg-buffer-size: 65552
 
 	# the amount of memory to use for the message cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# msg-cache-size: 4m
 
 	# the number of slabs to use for the message cache.
@@ -118,12 +118,12 @@ server:
 
 	# if very busy, 50% queries run to completion, 50% get timeout in msec
 	# jostle-timeout: 200
-	
+
 	# msec to wait before close of port on timeout UDP. 0 disables.
 	# delay-close: 0
 
 	# the amount of memory to use for the RRset cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# rrset-cache-size: 4m
 
 	# the number of slabs to use for the RRset cache.
@@ -145,7 +145,7 @@ server:
 	# the time to live (TTL) value for cached roundtrip times, lameness and
 	# EDNS version information for hosts. In seconds.
 	# infra-host-ttl: 900
-	
+
 	# minimum wait time for responses, increase if uplink is long. In msec.
 	# infra-cache-min-rtt: 50
 
@@ -195,8 +195,8 @@ server:
 	#
 	# If chroot is enabled, you should pass the configfile (from the
 	# commandline) as a full path from the original root. After the
-	# chroot has been performed the now defunct portion of the config 
-	# file path is removed to be able to reread the config after a reload. 
+	# chroot has been performed the now defunct portion of the config
+	# file path is removed to be able to reread the config after a reload.
 	#
 	# All other file paths (working dir, logfile, roothints, and
 	# key files) can be specified in several ways:
@@ -205,7 +205,7 @@ server:
 	# 	o as an absolute path relative to the original root.
 	# In the last case the path is adjusted to remove the unused portion.
 	#
-	# The pid file can be absolute and outside of the chroot, it is 
+	# The pid file can be absolute and outside of the chroot, it is
 	# written just prior to performing the chroot and dropping permissions.
 	#
 	# Additionally, unbound may need to access /dev/random (for entropy).
@@ -219,22 +219,22 @@ server:
 	# If you give "" no privileges are dropped.
 	# username: "unbound"
 
-	# the working directory. The relative files in this config are 
+	# the working directory. The relative files in this config are
 	# relative to this directory. If you give "" the working directory
 	# is not changed.
 	# directory: "/var/unbound"
 
-	# the log file, "" means log to stderr. 
+	# the log file, "" means log to stderr.
 	# Use of this option sets use-syslog to "no".
 	# logfile: ""
 
-	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to 
+	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
 	# log to, with identity "unbound". If yes, it overrides the logfile.
-	# use-syslog: yes 
+	# use-syslog: yes
 
 	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
 	# log-time-ascii: no
-	
+
 	# print one line with time, IP, name, type, class for every query.
 	# log-queries: no
 
@@ -242,7 +242,7 @@ server:
 	# pidfile: "/var/unbound/unbound.pid"
 
 	# file to read root hints from.
-	# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
+	# get one from https://www.internic.net/domain/named.cache
 	# root-hints: ""
 
 	# enable to not answer id.server and hostname.bind queries.
@@ -258,8 +258,8 @@ server:
 	# version: ""
 
 	# the target fetch policy.
-	# series of integers describing the policy per dependency depth. 
-	# The number of values in the list determines the maximum dependency 
+	# series of integers describing the policy per dependency depth.
+	# The number of values in the list determines the maximum dependency
 	# depth the recursor will pursue before giving up. Each integer means:
 	# 	-1 : fetch all targets opportunistically,
 	# 	0: fetch on demand,
@@ -267,17 +267,17 @@ server:
 	# Enclose the list of numbers between quotes ("").
 	# target-fetch-policy: "3 2 1 0 0"
 
-	# Harden against very small EDNS buffer sizes. 
+	# Harden against very small EDNS buffer sizes.
 	# harden-short-bufsize: no
 
 	# Harden against unseemly large queries.
 	# harden-large-queries: no
 
-	# Harden against out of zone rrsets, to avoid spoofing attempts. 
+	# Harden against out of zone rrsets, to avoid spoofing attempts.
 	# harden-glue: yes
 
 	# Harden against receiving dnssec-stripped data. If you turn it
-	# off, failing to validate dnskey data for a trustanchor will 
+	# off, failing to validate dnskey data for a trustanchor will
 	# trigger insecure mode for that zone (like without a trustanchor).
 	# Default on, which insists on dnssec data for trust-anchored zones.
 	# harden-dnssec-stripped: yes
@@ -287,7 +287,7 @@ server:
 
         # Harden the referral path by performing additional queries for
 	# infrastructure data.  Validates the replies (if possible).
-	# Default off, because the lookups burden the server.  Experimental 
+	# Default off, because the lookups burden the server.  Experimental
 	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
 	# harden-referral-path: no
 
@@ -296,18 +296,23 @@ server:
 	# to validate the zone.
 	# harden-algo-downgrade: no
 
+	# Sent minimum amount of information to upstream servers to enhance
+	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
+	# to NS when possible.
+	# qname-minimisation: no
+
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.
 	# use-caps-for-id: no
-	
+
 	# Domains (and domains in them) without support for dns-0x20 and
 	# the fallback fails because they keep sending different answers.
 	# caps-whitelist: "licdn.com"
 
-	# Enforce privacy of these addresses. Strips them away from answers. 
-	# It may cause DNSSEC validation to additionally mark it as bogus. 
-	# Protects against 'DNS Rebinding' (uses browser as network proxy). 
-	# Only 'private-domain' and 'local-data' names are allowed to have 
+	# Enforce privacy of these addresses. Strips them away from answers.
+	# It may cause DNSSEC validation to additionally mark it as bogus.
+	# Protects against 'DNS Rebinding' (uses browser as network proxy).
+	# Only 'private-domain' and 'local-data' names are allowed to have
 	# these private addresses. No default.
 	# private-address: 10.0.0.0/8
 	# private-address: 172.16.0.0/12
@@ -315,6 +320,7 @@ server:
 	# private-address: 169.254.0.0/16
 	# private-address: fd00::/8
 	# private-address: fe80::/10
+	# private-address: ::ffff:0:0/96
 
 	# Allow the domain (and its subdomains) to contain private addresses.
 	# local-data statements are allowed to contain private addresses too.
@@ -373,7 +379,7 @@ server:
 	# Zone file format, with DS and DNSKEY entries.
 	# Note this gets out of date, use auto-trust-anchor-file please.
 	# trust-anchor-file: ""
-	
+
 	# Trusted key for validation. DS or DNSKEY. specify the RR on a
 	# single line, surrounded by "". TTL is ignored. class is IN default.
 	# Note this gets out of date, use auto-trust-anchor-file please.
@@ -383,7 +389,7 @@ server:
 
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry. Like trust-anchor-file
-	# but has a different file format. Format is BIND-9 style format, 
+	# but has a different file format. Format is BIND-9 style format,
 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
 	# you need external update procedures to track changes in keys.
 	# trusted-keys-file: ""
@@ -408,7 +414,7 @@ server:
 
 	# Should additional section of secure message also be kept clean of
 	# unsecure data. Useful to shield the users of this validator from
-	# potential bogus data in the additional section. All unsigned data 
+	# potential bogus data in the additional section. All unsigned data
 	# in the additional section is removed from secure messages.
 	# val-clean-additional: yes
 
@@ -433,7 +439,7 @@ server:
 	# A message with an NSEC3 with larger count is marked insecure.
 	# List in ascending order the keysize and count values.
 	# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
-	
+
 	# instruct the auto-trust-anchor-file probing to add anchors after ttl.
 	# add-holddown: 2592000 # 30 days
 
@@ -448,7 +454,7 @@ server:
 	# permit-small-holddown: no
 
 	# the amount of memory to use for the key cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# key-cache-size: 4m
 
 	# the number of slabs to use for the key cache.
@@ -457,7 +463,7 @@ server:
 	# key-cache-slabs: 4
 
 	# the amount of memory to use for the negative cache (used for DLV).
-	# plain value in bytes or you can append k, m or G. default is "1Mb". 
+	# plain value in bytes or you can append k, m or G. default is "1Mb".
 	# neg-cache-size: 1m
 
 	# By default, for a number of zones a small default 'nothing here'
@@ -501,7 +507,7 @@ server:
 	# local-zone: "b.e.f.ip6.arpa." nodefault
 	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 	# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
-	
+
 	# if unbound is running service for the local host then it is useful
 	# to perform lan-wide lookups to the upstream, and unblock the
 	# long list of local-zones above.  If this unbound is a dns server
@@ -512,7 +518,7 @@ server:
 	# a number of locally served zones can be configured.
 	# 	local-zone: <zone> <type>
 	# 	local-data: "<resource record string>"
-	# o deny serves local data (if any), else, drops queries. 
+	# o deny serves local data (if any), else, drops queries.
 	# o refuse serves local data (if any), else, replies with error.
 	# o static serves local data, else, nxdomain or nodata answer.
 	# o transparent gives local data, but resolves normally for other names
@@ -525,7 +531,7 @@ server:
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
 	# and nxdomain for AS112 zones. If you configure one of these zones
 	# the default content is omitted, or you can omit it with 'nodefault'.
-	# 
+	#
 	# If you configure local-data without specifying local-zone, by
 	# default a transparent local-zone is created for the data.
 	#
@@ -552,7 +558,7 @@ server:
 	# default is "" (disabled).  requires restart to take effect.
 	# ssl-service-key: "path/to/privatekeyfile.key"
 	# ssl-service-pem: "path/to/publiccertfile.pem"
-	# ssl-port: 443
+	# ssl-port: 853
 
 	# request upstream over SSL (with plain DNS inside the SSL stream).
 	# Default is no.  Can be turned on and off with unbound-control.
@@ -571,7 +577,7 @@ server:
 	# ratelimit-size: 4m
 	# ratelimit cache slabs, reduces lock contention if equal to cpucount.
 	# ratelimit-slabs: 4
-	
+
 	# 0 blocks when ratelimited, otherwise let 1/xth traffic through
 	# ratelimit-factor: 10
 
@@ -590,7 +596,7 @@ python:
 	# Script file to load
 	# python-script: "/var/unbound/ubmodule-tst.py"
 
-# Remote control config section. 
+# Remote control config section.
 remote-control:
 	# Enable remote control with unbound-control(8) here.
 	# set up the keys and certificates with unbound-control-setup.
@@ -621,9 +627,9 @@ remote-control:
 	# control-cert-file: "/var/unbound/unbound_control.pem"
 
 # Stub zones.
-# Create entries like below, to make all queries for 'example.com' and 
-# 'example.org' go to the given list of nameservers. list zero or more 
-# nameservers by hostname or by ipaddress. If you set stub-prime to yes, 
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of nameservers. list zero or more
+# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
 # the list is treated as priming hints (default is no).
 # With stub-first yes, it attempts without the stub if it fails.
 # Consider adding domain-insecure: name and local-zone: name nodefault
diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in
index 399aa80..ff90e3b 100644
--- a/contrib/unbound/doc/example.conf.in
+++ b/contrib/unbound/doc/example.conf.in
@@ -1,14 +1,14 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.5.5.
+# See unbound.conf(5) man page, version 1.5.7.
 #
 # this is a comment.
 
 #Use this to include other text into the file.
 #include: "otherfile.conf"
 
-# The server clause sets the main parameters. 
+# The server clause sets the main parameters.
 server:
 	# whitespace is not necessary, but looks cleaner.
 
@@ -40,7 +40,7 @@ server:
 	# interface: 2001:DB8::5
 
 	# enable this feature to copy the source address of queries to reply.
-	# Socket options are not supported on all platforms. experimental. 
+	# Socket options are not supported on all platforms. experimental.
 	# interface-automatic: no
 
 	# port to answer queries from
@@ -84,10 +84,10 @@ server:
 	# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
 	# 0 is system default.  Use 4m to handle spikes on very busy servers.
 	# so-sndbuf: 0
-	
+
 	# use SO_REUSEPORT to distribute queries over threads.
 	# so-reuseport: no
-	
+
 	# use IP_TRANSPARENT so the interface: addresses can be non-local
 	# and you can config non-existing IPs that are going to work later on
 	# ip-transparent: no
@@ -105,7 +105,7 @@ server:
 	# msg-buffer-size: 65552
 
 	# the amount of memory to use for the message cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# msg-cache-size: 4m
 
 	# the number of slabs to use for the message cache.
@@ -118,12 +118,12 @@ server:
 
 	# if very busy, 50% queries run to completion, 50% get timeout in msec
 	# jostle-timeout: 200
-	
+
 	# msec to wait before close of port on timeout UDP. 0 disables.
 	# delay-close: 0
 
 	# the amount of memory to use for the RRset cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# rrset-cache-size: 4m
 
 	# the number of slabs to use for the RRset cache.
@@ -145,7 +145,7 @@ server:
 	# the time to live (TTL) value for cached roundtrip times, lameness and
 	# EDNS version information for hosts. In seconds.
 	# infra-host-ttl: 900
-	
+
 	# minimum wait time for responses, increase if uplink is long. In msec.
 	# infra-cache-min-rtt: 50
 
@@ -195,8 +195,8 @@ server:
 	#
 	# If chroot is enabled, you should pass the configfile (from the
 	# commandline) as a full path from the original root. After the
-	# chroot has been performed the now defunct portion of the config 
-	# file path is removed to be able to reread the config after a reload. 
+	# chroot has been performed the now defunct portion of the config
+	# file path is removed to be able to reread the config after a reload.
 	#
 	# All other file paths (working dir, logfile, roothints, and
 	# key files) can be specified in several ways:
@@ -205,7 +205,7 @@ server:
 	# 	o as an absolute path relative to the original root.
 	# In the last case the path is adjusted to remove the unused portion.
 	#
-	# The pid file can be absolute and outside of the chroot, it is 
+	# The pid file can be absolute and outside of the chroot, it is
 	# written just prior to performing the chroot and dropping permissions.
 	#
 	# Additionally, unbound may need to access /dev/random (for entropy).
@@ -219,22 +219,22 @@ server:
 	# If you give "" no privileges are dropped.
 	# username: "@UNBOUND_USERNAME@"
 
-	# the working directory. The relative files in this config are 
+	# the working directory. The relative files in this config are
 	# relative to this directory. If you give "" the working directory
 	# is not changed.
 	# directory: "@UNBOUND_RUN_DIR@"
 
-	# the log file, "" means log to stderr. 
+	# the log file, "" means log to stderr.
 	# Use of this option sets use-syslog to "no".
 	# logfile: ""
 
-	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to 
+	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
 	# log to, with identity "unbound". If yes, it overrides the logfile.
-	# use-syslog: yes 
+	# use-syslog: yes
 
 	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
 	# log-time-ascii: no
-	
+
 	# print one line with time, IP, name, type, class for every query.
 	# log-queries: no
 
@@ -242,7 +242,7 @@ server:
 	# pidfile: "@UNBOUND_PIDFILE@"
 
 	# file to read root hints from.
-	# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
+	# get one from https://www.internic.net/domain/named.cache
 	# root-hints: ""
 
 	# enable to not answer id.server and hostname.bind queries.
@@ -258,8 +258,8 @@ server:
 	# version: ""
 
 	# the target fetch policy.
-	# series of integers describing the policy per dependency depth. 
-	# The number of values in the list determines the maximum dependency 
+	# series of integers describing the policy per dependency depth.
+	# The number of values in the list determines the maximum dependency
 	# depth the recursor will pursue before giving up. Each integer means:
 	# 	-1 : fetch all targets opportunistically,
 	# 	0: fetch on demand,
@@ -267,17 +267,17 @@ server:
 	# Enclose the list of numbers between quotes ("").
 	# target-fetch-policy: "3 2 1 0 0"
 
-	# Harden against very small EDNS buffer sizes. 
+	# Harden against very small EDNS buffer sizes.
 	# harden-short-bufsize: no
 
 	# Harden against unseemly large queries.
 	# harden-large-queries: no
 
-	# Harden against out of zone rrsets, to avoid spoofing attempts. 
+	# Harden against out of zone rrsets, to avoid spoofing attempts.
 	# harden-glue: yes
 
 	# Harden against receiving dnssec-stripped data. If you turn it
-	# off, failing to validate dnskey data for a trustanchor will 
+	# off, failing to validate dnskey data for a trustanchor will
 	# trigger insecure mode for that zone (like without a trustanchor).
 	# Default on, which insists on dnssec data for trust-anchored zones.
 	# harden-dnssec-stripped: yes
@@ -287,7 +287,7 @@ server:
 
         # Harden the referral path by performing additional queries for
 	# infrastructure data.  Validates the replies (if possible).
-	# Default off, because the lookups burden the server.  Experimental 
+	# Default off, because the lookups burden the server.  Experimental
 	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
 	# harden-referral-path: no
 
@@ -296,18 +296,23 @@ server:
 	# to validate the zone.
 	# harden-algo-downgrade: no
 
+	# Sent minimum amount of information to upstream servers to enhance
+	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
+	# to NS when possible.
+	# qname-minimisation: no
+
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.
 	# use-caps-for-id: no
-	
+
 	# Domains (and domains in them) without support for dns-0x20 and
 	# the fallback fails because they keep sending different answers.
 	# caps-whitelist: "licdn.com"
 
-	# Enforce privacy of these addresses. Strips them away from answers. 
-	# It may cause DNSSEC validation to additionally mark it as bogus. 
-	# Protects against 'DNS Rebinding' (uses browser as network proxy). 
-	# Only 'private-domain' and 'local-data' names are allowed to have 
+	# Enforce privacy of these addresses. Strips them away from answers.
+	# It may cause DNSSEC validation to additionally mark it as bogus.
+	# Protects against 'DNS Rebinding' (uses browser as network proxy).
+	# Only 'private-domain' and 'local-data' names are allowed to have
 	# these private addresses. No default.
 	# private-address: 10.0.0.0/8
 	# private-address: 172.16.0.0/12
@@ -315,6 +320,7 @@ server:
 	# private-address: 169.254.0.0/16
 	# private-address: fd00::/8
 	# private-address: fe80::/10
+	# private-address: ::ffff:0:0/96
 
 	# Allow the domain (and its subdomains) to contain private addresses.
 	# local-data statements are allowed to contain private addresses too.
@@ -373,7 +379,7 @@ server:
 	# Zone file format, with DS and DNSKEY entries.
 	# Note this gets out of date, use auto-trust-anchor-file please.
 	# trust-anchor-file: ""
-	
+
 	# Trusted key for validation. DS or DNSKEY. specify the RR on a
 	# single line, surrounded by "". TTL is ignored. class is IN default.
 	# Note this gets out of date, use auto-trust-anchor-file please.
@@ -383,7 +389,7 @@ server:
 
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry. Like trust-anchor-file
-	# but has a different file format. Format is BIND-9 style format, 
+	# but has a different file format. Format is BIND-9 style format,
 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
 	# you need external update procedures to track changes in keys.
 	# trusted-keys-file: ""
@@ -408,7 +414,7 @@ server:
 
 	# Should additional section of secure message also be kept clean of
 	# unsecure data. Useful to shield the users of this validator from
-	# potential bogus data in the additional section. All unsigned data 
+	# potential bogus data in the additional section. All unsigned data
 	# in the additional section is removed from secure messages.
 	# val-clean-additional: yes
 
@@ -433,7 +439,7 @@ server:
 	# A message with an NSEC3 with larger count is marked insecure.
 	# List in ascending order the keysize and count values.
 	# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
-	
+
 	# instruct the auto-trust-anchor-file probing to add anchors after ttl.
 	# add-holddown: 2592000 # 30 days
 
@@ -448,7 +454,7 @@ server:
 	# permit-small-holddown: no
 
 	# the amount of memory to use for the key cache.
-	# plain value in bytes or you can append k, m or G. default is "4Mb". 
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# key-cache-size: 4m
 
 	# the number of slabs to use for the key cache.
@@ -457,7 +463,7 @@ server:
 	# key-cache-slabs: 4
 
 	# the amount of memory to use for the negative cache (used for DLV).
-	# plain value in bytes or you can append k, m or G. default is "1Mb". 
+	# plain value in bytes or you can append k, m or G. default is "1Mb".
 	# neg-cache-size: 1m
 
 	# By default, for a number of zones a small default 'nothing here'
@@ -501,7 +507,7 @@ server:
 	# local-zone: "b.e.f.ip6.arpa." nodefault
 	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 	# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
-	
+
 	# if unbound is running service for the local host then it is useful
 	# to perform lan-wide lookups to the upstream, and unblock the
 	# long list of local-zones above.  If this unbound is a dns server
@@ -512,7 +518,7 @@ server:
 	# a number of locally served zones can be configured.
 	# 	local-zone: <zone> <type>
 	# 	local-data: "<resource record string>"
-	# o deny serves local data (if any), else, drops queries. 
+	# o deny serves local data (if any), else, drops queries.
 	# o refuse serves local data (if any), else, replies with error.
 	# o static serves local data, else, nxdomain or nodata answer.
 	# o transparent gives local data, but resolves normally for other names
@@ -525,7 +531,7 @@ server:
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
 	# and nxdomain for AS112 zones. If you configure one of these zones
 	# the default content is omitted, or you can omit it with 'nodefault'.
-	# 
+	#
 	# If you configure local-data without specifying local-zone, by
 	# default a transparent local-zone is created for the data.
 	#
@@ -552,7 +558,7 @@ server:
 	# default is "" (disabled).  requires restart to take effect.
 	# ssl-service-key: "path/to/privatekeyfile.key"
 	# ssl-service-pem: "path/to/publiccertfile.pem"
-	# ssl-port: 443
+	# ssl-port: 853
 
 	# request upstream over SSL (with plain DNS inside the SSL stream).
 	# Default is no.  Can be turned on and off with unbound-control.
@@ -571,7 +577,7 @@ server:
 	# ratelimit-size: 4m
 	# ratelimit cache slabs, reduces lock contention if equal to cpucount.
 	# ratelimit-slabs: 4
-	
+
 	# 0 blocks when ratelimited, otherwise let 1/xth traffic through
 	# ratelimit-factor: 10
 
@@ -590,7 +596,7 @@ python:
 	# Script file to load
 	# python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
 
-# Remote control config section. 
+# Remote control config section.
 remote-control:
 	# Enable remote control with unbound-control(8) here.
 	# set up the keys and certificates with unbound-control-setup.
@@ -621,9 +627,9 @@ remote-control:
 	# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
 
 # Stub zones.
-# Create entries like below, to make all queries for 'example.com' and 
-# 'example.org' go to the given list of nameservers. list zero or more 
-# nameservers by hostname or by ipaddress. If you set stub-prime to yes, 
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of nameservers. list zero or more
+# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
 # the list is treated as priming hints (default is no).
 # With stub-first yes, it attempts without the stub if it fails.
 # Consider adding domain-insecure: name and local-zone: name nodefault
diff --git a/contrib/unbound/doc/libunbound.3 b/contrib/unbound/doc/libunbound.3
index 9ef367f..d299330 100644
--- a/contrib/unbound/doc/libunbound.3
+++ b/contrib/unbound/doc/libunbound.3
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "libunbound" "3" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -42,7 +42,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.5.5 functions.
+\- Unbound DNS validating resolver 1.5.7 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP
diff --git a/contrib/unbound/doc/libunbound.3.in b/contrib/unbound/doc/libunbound.3.in
index 9ef367f..d299330 100644
--- a/contrib/unbound/doc/libunbound.3.in
+++ b/contrib/unbound/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "libunbound" "3" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -42,7 +42,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.5.5 functions.
+\- Unbound DNS validating resolver 1.5.7 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP
diff --git a/contrib/unbound/doc/unbound-anchor.8 b/contrib/unbound/doc/unbound-anchor.8
index 7fbb0a7..5200d18 100644
--- a/contrib/unbound/doc/unbound-anchor.8
+++ b/contrib/unbound/doc/unbound-anchor.8
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-anchor" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"
diff --git a/contrib/unbound/doc/unbound-anchor.8.in b/contrib/unbound/doc/unbound-anchor.8.in
index e89be5b..e5e6364 100644
--- a/contrib/unbound/doc/unbound-anchor.8.in
+++ b/contrib/unbound/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-anchor" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"
diff --git a/contrib/unbound/doc/unbound-checkconf.8 b/contrib/unbound/doc/unbound-checkconf.8
index eaa406b..19ecb1e 100644
--- a/contrib/unbound/doc/unbound-checkconf.8
+++ b/contrib/unbound/doc/unbound-checkconf.8
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-checkconf" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"
diff --git a/contrib/unbound/doc/unbound-checkconf.8.in b/contrib/unbound/doc/unbound-checkconf.8.in
index 234a04a..2d3c4ae 100644
--- a/contrib/unbound/doc/unbound-checkconf.8.in
+++ b/contrib/unbound/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-checkconf" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"
diff --git a/contrib/unbound/doc/unbound-control.8 b/contrib/unbound/doc/unbound-control.8
index 5de37cf..e1fa36ab 100644
--- a/contrib/unbound/doc/unbound-control.8
+++ b/contrib/unbound/doc/unbound-control.8
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-control" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"
@@ -169,7 +169,7 @@ therefore not flushed.  The option must end with a ':' and whitespace
 must be between the option and the value.  Some values may not have an
 effect if set this way, the new values are not written to the config file,
 not all options are supported.  This is different from the set_option call
-in libunbound, where all values work because unbound has not been inited.
+in libunbound, where all values work because unbound has not been initialized.
 .IP
 The values that work are: statistics\-interval, statistics\-cumulative,
 do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
diff --git a/contrib/unbound/doc/unbound-control.8.in b/contrib/unbound/doc/unbound-control.8.in
index eefd207..57742ae 100644
--- a/contrib/unbound/doc/unbound-control.8.in
+++ b/contrib/unbound/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-control" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"
@@ -169,7 +169,7 @@ therefore not flushed.  The option must end with a ':' and whitespace
 must be between the option and the value.  Some values may not have an
 effect if set this way, the new values are not written to the config file,
 not all options are supported.  This is different from the set_option call
-in libunbound, where all values work because unbound has not been inited.
+in libunbound, where all values work because unbound has not been initialized.
 .IP
 The values that work are: statistics\-interval, statistics\-cumulative,
 do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries,
diff --git a/contrib/unbound/doc/unbound-host.1 b/contrib/unbound/doc/unbound-host.1
index d600ee6..70b697f 100644
--- a/contrib/unbound/doc/unbound-host.1
+++ b/contrib/unbound/doc/unbound-host.1
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound\-host" "1" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"
diff --git a/contrib/unbound/doc/unbound-host.1.in b/contrib/unbound/doc/unbound-host.1.in
index a4742d7..eeb25f0 100644
--- a/contrib/unbound/doc/unbound-host.1.in
+++ b/contrib/unbound/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound\-host" "1" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"
diff --git a/contrib/unbound/doc/unbound.8 b/contrib/unbound/doc/unbound.8
index 3935e61..86fcb59 100644
--- a/contrib/unbound/doc/unbound.8
+++ b/contrib/unbound/doc/unbound.8
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.5.5.
+\- Unbound DNS validating resolver 1.5.7.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]
diff --git a/contrib/unbound/doc/unbound.8.in b/contrib/unbound/doc/unbound.8.in
index df9baa0..ed139a7 100644
--- a/contrib/unbound/doc/unbound.8.in
+++ b/contrib/unbound/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound" "8" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.5.5.
+\- Unbound DNS validating resolver 1.5.7.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]
diff --git a/contrib/unbound/doc/unbound.conf.5 b/contrib/unbound/doc/unbound.conf.5
index 990a0a6..16155de 100644
--- a/contrib/unbound/doc/unbound.conf.5
+++ b/contrib/unbound/doc/unbound.conf.5
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound.conf" "5" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -362,7 +362,7 @@ The public key certificate pem file for the ssl service.  Default is "",
 turned off.
 .TP
 .B ssl\-port: \fI<number>
-The port number on which to provide TCP SSL service, default 443, only
+The port number on which to provide TCP SSL service, default 853, only
 interfaces configured with that port number as @number get the SSL service.
 .TP
 .B do\-daemonize: \fI<yes or no>
@@ -444,6 +444,8 @@ requires privileges, then a reload will fail; a restart is needed.
 .TP
 .B directory: \fI<directory>
 Sets the working directory for the program. Default is "/var/unbound".
+On Windows the string "%EXECUTABLE%" tries to change to the directory
+that unbound.exe resides in.
 .TP
 .B logfile: \fI<filename>
 If "" is given, logging goes to stderr, or nowhere once daemonized.
@@ -585,23 +587,30 @@ queries.  For domains that do not support 0x20 and also fail with fallback
 because they keep sending different answers, like some load balancers.
 Can be given multiple times, for different domains.
 .TP
+.B qname\-minimisation: \fI<yes or no>
+Send minimum amount of information to upstream servers to enhance privacy.
+Only sent minimum required labels of the QNAME and set QTYPE to NS when 
+possible. Best effort approach, full QNAME and original QTYPE will be sent when
+upstream replies with a RCODE other than NOERROR. Default is off.
+.TP
 .B private\-address: \fI<IP address or subnet>
 Give IPv4 of IPv6 addresses or classless subnets. These are addresses
-on your private network, and are not allowed to be returned for public
-internet names.  Any occurence of such addresses are removed from
-DNS answers. Additionally, the DNSSEC validator may mark the answers
-bogus. This protects against so\-called DNS Rebinding, where a user browser
-is turned into a network proxy, allowing remote access through the browser
-to other parts of your private network.  Some names can be allowed to
-contain your private addresses, by default all the \fBlocal\-data\fR
-that you configured is allowed to, and you can specify additional
-names using \fBprivate\-domain\fR.  No private addresses are enabled
-by default.  We consider to enable this for the RFC1918 private IP
-address space by default in later releases. That would enable private 
-addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 
-fd00::/8 and fe80::/10, since the RFC standards say these addresses 
-should not be visible on the public internet.  Turning on 127.0.0.0/8 
-would hinder many spamblocklists as they use that.
+on your private network, and are not allowed to be returned for
+public internet names.  Any occurrence of such addresses are removed
+from DNS answers. Additionally, the DNSSEC validator may mark the
+answers bogus. This protects against so\-called DNS Rebinding, where
+a user browser is turned into a network proxy, allowing remote access
+through the browser to other parts of your private network.  Some names
+can be allowed to contain your private addresses, by default all the
+\fBlocal\-data\fR that you configured is allowed to, and you can specify
+additional names using \fBprivate\-domain\fR.  No private addresses are
+enabled by default.  We consider to enable this for the RFC1918 private
+IP address space by default in later releases. That would enable private
+addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
+fd00::/8 and fe80::/10, since the RFC standards say these addresses
+should not be visible on the public internet.  Turning on 127.0.0.0/8
+would hinder many spamblocklists as they use that.  Adding ::ffff:0:0/96
+stops IPv4-mapped IPv6 addresses from bypassing the filter.
 .TP
 .B private\-domain: \fI<domain name>
 Allow this domain, and all its subdomains to contain private addresses.
@@ -746,7 +755,7 @@ Instruct the validator to remove data from the additional section of secure
 messages that are not signed properly. Messages that are insecure, bogus,
 indeterminate or unchecked are not affected. Default is yes. Use this setting
 to protect the users that rely on this validator for authentication from 
-protentially bad data in the additional section.
+potentially bad data in the additional section.
 .TP
 .B val\-log\-level: \fI<number>
 Have the validator print validation failures to the log.  Regardless of
@@ -1033,7 +1042,7 @@ If set to 0, all queries are dropped for domains where the limit is
 exceeded.  If set to another value, 1 in that number is allowed through
 to complete.  Default is 10, allowing 1/10 traffic to flow normally.
 This can make ordinary queries complete (if repeatedly queried for),
-and enter the cache, whilst also mitigiting the traffic flow by the
+and enter the cache, whilst also mitigating the traffic flow by the
 factor given.
 .TP 5
 .B ratelimit\-for\-domain: \fI<domain> <number qps>
diff --git a/contrib/unbound/doc/unbound.conf.5.in b/contrib/unbound/doc/unbound.conf.5.in
index 42653a5..51f7c4e 100644
--- a/contrib/unbound/doc/unbound.conf.5.in
+++ b/contrib/unbound/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound.conf" "5" "Dec 10, 2015" "NLnet Labs" "unbound 1.5.7"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -362,7 +362,7 @@ The public key certificate pem file for the ssl service.  Default is "",
 turned off.
 .TP
 .B ssl\-port: \fI<number>
-The port number on which to provide TCP SSL service, default 443, only
+The port number on which to provide TCP SSL service, default 853, only
 interfaces configured with that port number as @number get the SSL service.
 .TP
 .B do\-daemonize: \fI<yes or no>
@@ -444,6 +444,8 @@ requires privileges, then a reload will fail; a restart is needed.
 .TP
 .B directory: \fI<directory>
 Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@".
+On Windows the string "%EXECUTABLE%" tries to change to the directory
+that unbound.exe resides in.
 .TP
 .B logfile: \fI<filename>
 If "" is given, logging goes to stderr, or nowhere once daemonized.
@@ -585,23 +587,30 @@ queries.  For domains that do not support 0x20 and also fail with fallback
 because they keep sending different answers, like some load balancers.
 Can be given multiple times, for different domains.
 .TP
+.B qname\-minimisation: \fI<yes or no>
+Send minimum amount of information to upstream servers to enhance privacy.
+Only sent minimum required labels of the QNAME and set QTYPE to NS when 
+possible. Best effort approach, full QNAME and original QTYPE will be sent when
+upstream replies with a RCODE other than NOERROR. Default is off.
+.TP
 .B private\-address: \fI<IP address or subnet>
 Give IPv4 of IPv6 addresses or classless subnets. These are addresses
-on your private network, and are not allowed to be returned for public
-internet names.  Any occurence of such addresses are removed from
-DNS answers. Additionally, the DNSSEC validator may mark the answers
-bogus. This protects against so\-called DNS Rebinding, where a user browser
-is turned into a network proxy, allowing remote access through the browser
-to other parts of your private network.  Some names can be allowed to
-contain your private addresses, by default all the \fBlocal\-data\fR
-that you configured is allowed to, and you can specify additional
-names using \fBprivate\-domain\fR.  No private addresses are enabled
-by default.  We consider to enable this for the RFC1918 private IP
-address space by default in later releases. That would enable private 
-addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 
-fd00::/8 and fe80::/10, since the RFC standards say these addresses 
-should not be visible on the public internet.  Turning on 127.0.0.0/8 
-would hinder many spamblocklists as they use that.
+on your private network, and are not allowed to be returned for
+public internet names.  Any occurrence of such addresses are removed
+from DNS answers. Additionally, the DNSSEC validator may mark the
+answers bogus. This protects against so\-called DNS Rebinding, where
+a user browser is turned into a network proxy, allowing remote access
+through the browser to other parts of your private network.  Some names
+can be allowed to contain your private addresses, by default all the
+\fBlocal\-data\fR that you configured is allowed to, and you can specify
+additional names using \fBprivate\-domain\fR.  No private addresses are
+enabled by default.  We consider to enable this for the RFC1918 private
+IP address space by default in later releases. That would enable private
+addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
+fd00::/8 and fe80::/10, since the RFC standards say these addresses
+should not be visible on the public internet.  Turning on 127.0.0.0/8
+would hinder many spamblocklists as they use that.  Adding ::ffff:0:0/96
+stops IPv4-mapped IPv6 addresses from bypassing the filter.
 .TP
 .B private\-domain: \fI<domain name>
 Allow this domain, and all its subdomains to contain private addresses.
@@ -746,7 +755,7 @@ Instruct the validator to remove data from the additional section of secure
 messages that are not signed properly. Messages that are insecure, bogus,
 indeterminate or unchecked are not affected. Default is yes. Use this setting
 to protect the users that rely on this validator for authentication from 
-protentially bad data in the additional section.
+potentially bad data in the additional section.
 .TP
 .B val\-log\-level: \fI<number>
 Have the validator print validation failures to the log.  Regardless of
@@ -1033,7 +1042,7 @@ If set to 0, all queries are dropped for domains where the limit is
 exceeded.  If set to another value, 1 in that number is allowed through
 to complete.  Default is 10, allowing 1/10 traffic to flow normally.
 This can make ordinary queries complete (if repeatedly queried for),
-and enter the cache, whilst also mitigiting the traffic flow by the
+and enter the cache, whilst also mitigating the traffic flow by the
 factor given.
 .TP 5
 .B ratelimit\-for\-domain: \fI<domain> <number qps>