Diffstat (limited to 'contrib/unbound/doc')
-rw-r--r-- | contrib/unbound/doc/Changelog | 364
-rw-r--r-- | contrib/unbound/doc/README | 2
-rw-r--r-- | contrib/unbound/doc/example.conf | 53
-rw-r--r-- | contrib/unbound/doc/example.conf.in | 53
-rw-r--r-- | contrib/unbound/doc/libunbound.3 | 4
-rw-r--r-- | contrib/unbound/doc/libunbound.3.in | 4
-rw-r--r-- | contrib/unbound/doc/unbound-anchor.8 | 8
-rw-r--r-- | contrib/unbound/doc/unbound-anchor.8.in | 8
-rw-r--r-- | contrib/unbound/doc/unbound-checkconf.8 | 2
-rw-r--r-- | contrib/unbound/doc/unbound-checkconf.8.in | 2
-rw-r--r-- | contrib/unbound/doc/unbound-control.8 | 2
-rw-r--r-- | contrib/unbound/doc/unbound-control.8.in | 2
-rw-r--r-- | contrib/unbound/doc/unbound-host.1 | 2
-rw-r--r-- | contrib/unbound/doc/unbound-host.1.in | 2
-rw-r--r-- | contrib/unbound/doc/unbound.8 | 4
-rw-r--r-- | contrib/unbound/doc/unbound.8.in | 4
-rw-r--r-- | contrib/unbound/doc/unbound.conf.5 | 93
-rw-r--r-- | contrib/unbound/doc/unbound.conf.5.in | 93
-rw-r--r-- | contrib/unbound/doc/unbound.doxygen | 4
19 files changed, 668 insertions, 38 deletions
diff --git a/contrib/unbound/doc/Changelog b/contrib/unbound/doc/Changelog index 6bcc32a..039eade 100644 --- a/contrib/unbound/doc/Changelog +++ b/contrib/unbound/doc/Changelog 
@@ -1,3 +1,367 @@ +20 September 2016: Wouter + - iana portlist update. + - Fix #835: fix --disable-dsa with nettle verify. + - tag for 1.5.10rc1 release. + +15 September 2016: Wouter + - Fix 883: error for duplicate local zone entry. + - Test for openssl init_crypto and init_ssl functions. + +15 September 2016: Ralph + - fix potential memory leak in daemon/remote.c and nullpointer + dereference in validator/autotrust. + - iana portlist update. + +13 September 2016: Wouter + - Silenced flex-generated sign-unsigned warning print with gcc + diagnostic pragma. + - Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len. + +9 September 2016: Wouter + - Fix #831: workaround for spurious fread_chk warning against petal.c + +5 September 2016: Ralph + - Take configured minimum TTL into consideration when reducing TTL + to original TTL from RRSIG. + +5 September 2016: Wouter + - Fix #829: doc of sldns_wire2str_rdata_buf() return value has an + off-by-one typo, from Jinmei Tatuya (Infoblox). + - Fix incomplete prototypes reported by Dag-Erling Smørgrav. + - Fix #828: missing type in access-control-tag-action redirect results + in NXDOMAIN. + +2 September 2016: Wouter + - Fix compile with openssl 1.1.0 with api=1.1.0. + +1 September 2016: Wouter + - RFC 7958 is now out, updated docs for unbound-anchor. + - Fix for compile without warnings with openssl 1.1.0. + - Fix #826: Fix refuse_non_local could result in a broken response. + - iana portlist update. + +29 August 2016: Wouter + - Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A. + Siewior. + - Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e. + +25 August 2016: Ralph + - Clarify local-zone-override entry in unbound.conf.5 + +25 August 2016: Wouter + - 64bit build option for makedist windows compile, -w64. + +24 August 2016: Ralph + - Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter + in each iteration in find_tag_datas(). 
+ - unbound.conf.5 entries for define-tag, access-control-tag, + access-control-tag-action, access-control-tag-data, local-zone-tag, + and local-zone-override. + +23 August 2016: Wouter + - Fix #804: unbound stops responding after outage. Fixes queries + that attempt to wait for an empty list of subqueries. + - Fix #804: lower num_target_queries for iterator also for failed + lookups. + +8 August 2016: Wouter + - Note that OPENPGPKEY type is RFC 7929. + +4 August 2016: Wouter + - Fix #807: workaround for possible some "unused" function parameters + in test code, from Jinmei Tatuya. + +3 August 2016: Wouter + - use sendmsg instead of sendto for TFO. + +28 July 2016: Wouter + - Fix #806: wrong comment removed. + +26 July 2016: Wouter + - nicer ratelimit-below-domain explanation. + +22 July 2016: Wouter + - Fix #801: missing error condition handling in + daemon_create_workers(). + - Fix #802: workaround for function parameters that are "unused" + without log_assert. + - Fix #803: confusing (and incorrect) code comment in daemon_cleanup(). + +20 July 2016: Wouter + - Fix typo in unbound.conf. + +18 July 2016: Wouter + - Fix #798: Client-side TCP fast open fails (Linux). + +14 July 2016: Wouter + - TCP Fast open patch from Sara Dickinson. + - Fixed unbound.doxygen for 1.8.11. + +7 July 2016: Wouter + - access-control-tag-data implemented. verbose(4) prints tag debug. + +5 July 2016: Wouter + - Fix dynamic link of anchor-update.exe on windows. + - Fix detect of mingw for MXE package build. + - Fixes for 64bit windows compile. + - Fix #788 for nettle 3.0: Failed to build with Nettle >= 3.0 and + --with-libunbound-only --with-nettle. + +4 July 2016: Wouter + - For #787: prefer-ip6 option for unbound.conf prefers to send + upstream queries to ipv6 servers. + - Fix #787: outgoing-interface netblock/64 ipv6 option to use linux + freebind to use 64bits of entropy for every query with random local + part. 
+ +30 June 2016: Wouter + - Document always_transparent, always_refuse, always_nxdomain types. + +29 June 2016: Wouter + - Fix static compile on windows missing gdi32. + +28 June 2016: Wouter + - Create a pkg-config file for libunbound in contrib. + +27 June 2016: Wouter + - Fix #784: Build configure assumess that having getpwnam means there + is endpwent function available. + - Updated repository with newer flex and bison output. + +24 June 2016: Ralph + - Possibility to specify local-zone type for an acl/tag pair + - Possibility to specify (override) local-zone type for a source address + block +16 June 2016: Ralph + - Decrease dp attempts at each QNAME minimisation iteration + +16 June 2016: Wouter + - Fix tcp timeouts in tv.usec. + +15 June 2016: Wouter + - TCP_TIMEOUT is specified in milliseconds. + - If more than half of tcp connections are in use, a shorter timeout + is used (200 msec, vs 2 minutes) to pressure tcp for new connects. + +14 June 2016: Ralph + - QNAME minimisation unit test for dropped QTYPE=A queries. + +14 June 2016: Wouter + - Fix 775: unbound-host and unbound-anchor crash on windows, ignore + null delete for wsaevent. + - Fix spelling in freebind option man page text. + - Fix windows link of ssl with crypt32. + - Fix 779: Union casting is non-portable. + - Fix 780: MAP_ANON not defined in HP-UX 11.31. + - Fix 781: prealloc() is an HP-UX system library call. + +13 June 2016: Ralph + - Use QTYPE=A for QNAME minimisation. + - Keep track of number of time-outs when performing QNAME minimisation. + Stop minimising when number of time-outs for a QNAME/QTYPE pair is + more than three. + +13 June 2016: Wouter + - Fix #778: unbound 1.5.9: -h segfault (null deref). + - Fix directory: fix for unbound-checkconf, it restores cwd. + +10 June 2016: Wouter + - And delete service.conf.shipped on uninstall. + - In unbound.conf directory: dir immediately changes to that directory, + so that include: file below that is relative to that directory. 
+ With chroot, make the directory an absolute path inside chroot. + - keep debug symbols in windows build. + - do not delete service.conf on windows uninstall. + - document directory immediate fix and allow EXECUTABLE syntax in it + on windows. + +9 June 2016: Wouter + - Trunk is called 1.5.10 (with previous fixes already in there to 2 + june). + - Revert fix for NetworkService account on windows due to breakage + it causes. + - Fix that windows install will not overwrite existing service.conf + file (and ignore gui config choices if it exists). + +7 June 2016: Ralph + - Lookup localzones by taglist from acl. + - Possibility to lookup local_zone, regardless the taglist. + - Added local_zone/taglist/acl unit test. + +7 June 2016: Wouter + - Fix #773: Non-standard Python location build failure with pyunbound. + - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures. + +6 June 2016: Wouter + - Better help text from -h (from Ray Griffith). + - access-control-tag config directive. + - local-zone-override config directive. + - access-control-tag-action and access-control-tag-data config + directives. + - free acl-tags, acltag-action and acltag-data config lists during + initialisation to free up memory for more entries. + +3 June 2016: Wouter + - Fix to not ignore return value of chown() in daemon startup. + +2 June 2016: Wouter + - Fix libubound for edns optlist feature. + - Fix distinction between free and CRYPTO_free in dsa and ecdsa alloc. + - Fix #752: retry resource temporarily unavailable on control pipe. + - un-document localzone tags. + - tag for release 1.5.9rc1. + And this also became release 1.5.9. + - Fix (for 1.5.10): Fix unbound-anchor.exe file location defaults to + Program Files with (x86) appended. + - re-documented localzone tags in example.conf. + +31 May 2016: Wouter + - Fix windows service to be created run with limited rights, as a + network service account, from Mario Turschmann. + - compat strsep implementation. 
+ - generic edns option parse and store code. + - and also generic edns options for upstream messages (and replies). + after parse use edns_opt_find(edns.opt_list, LDNS_EDNS_NSID), + to insert use edns_opt_append(edns, region, code, len, bindata) on + the opt_list passed to send_query, or in edns_opt_inplace_reply. + +30 May 2016: Wouter + - Fix time in case answer comes from cache in ub_resolve_event(). + - Attempted fix for #765: _unboundmodule missing for python3. + +27 May 2016: Wouter + - Fix #770: Small subgroup attack on DH used in unix pipe on localhost + if unbound control uses a unix local named pipe. + - Document write permission to directory of trust anchor needed. + - Fix #768: Unbound Service Sometimes Can Not Shutdown + Completely, WER Report Shown Up. Close handle before closing WSA. + +26 May 2016: Wouter + - Updated patch from Charles Walker. + +24 May 2016: Wouter + - disable-dnssec-lame-check config option from Charles Walker. + - remove memory leak from lame-check patch. + - iana portlist update. + +23 May 2016: Wouter + - Fix #767: Reference to an expired Internet-Draft in + harden-below-nxdomain documentation. + +20 May 2016: Ralph + - No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC + signed zones. + - iana portlist update. + +19 May 2016: Wouter + - Fix #766: dns64 should synthesize results on timeout/errors. + +18 May 2016: Wouter + - Fix #761: DNSSEC LAME false positive resolving nic.club. + +17 May 2016: Wouter + - trunk updated with output of flex 2.6.0. + +6 May 2016: Wouter + - Fix memory leak in out-of-memory conditions of local zone add. + +29 April 2016: Wouter + - Fix sldns with static checking fixes copied from getdns. + +28 April 2016: Wouter + - Fix #759: 0x20 capsforid no longer checks type PTR, for + compatibility with cisco dns guard. This lowers false positives. + +18 April 2016: Wouter + - Fix some malformed reponses to edns queries get fallback to nonedns. 
+ +15 April 2016: Wouter + - cachedb module event handling design. + +14 April 2016: Wouter + - cachedb module framework (empty). + - iana portlist update. + +12 April 2016: Wouter + - Fix #753: document dump_requestlist is for first thread. + +24 March 2016: Wouter + - Document permit-small-holddown for 5011 debug. + - Fix #749: unbound-checkconf gets SIGSEGV when use against a + malformatted conf file. + +23 March 2016: Wouter + - OpenSSL 1.1.0 portability, --disable-dsa configure option. + +21 March 2016: Wouter + - Fix compile of getentropy_linux for SLES11 servicepack 4. + - Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev. + - Fix test for openssl to use HMAC_Update for 1.1.0. + - acx_nlnetlabs.m4 to v33, with HMAC_Update. + - acx_nlnetlabs.m4 to v34, with -ldl -pthread test for libcrypto. + - ERR_remove_state deprecated since openssl 1.0.0. + - OPENSSL_config is deprecated, removing. + +18 March 2016: Ralph + - Validate QNAME minimised NXDOMAIN responses. + - If QNAME minimisation is enabled, do cache lookup for QTYPE NS in + harden-below-nxdomain. + +17 March 2016: Ralph + - Limit number of QNAME minimisation iterations. + +17 March 2016: Wouter + - Fix #746: Fix unbound sets CD bit on all forwards. + If no trust anchors, it'll not set CD bit when forwarding to another + server. If a trust anchor, no CD bit on the first attempt to a + forwarder, but CD bit thereafter on repeated attempts to get DNSSEC. + - iana portlist update. + +16 March 2016: Wouter + - Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma. + - Fix ip-transparent for tcp on freebsd. + +15 March 2016: Wouter + - ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for + binding to an IP address while the interface or address is down. + +14 March 2016: Wouter + - Fix warnings in ifdef corner case, older or unknown libevent. + - Fix compile for ub_event code with older libev. 
+ +11 March 2016: Wouter + - Remove warning about unused parameter in event_pluggable.c. + - Fix libev usage of dispatch return value. + - No side effects in tolower() call, in case it is a macro. + - For test put free in pluggable api in parenthesis. + +10 March 2016: Wouter + - Fixup backend2str for libev. + +09 March 2016: Willem + - User defined pluggable event API for libunbound + - Fixup of compile fix for pluggable event API from P.Y. Adi + Prasaja. + +09 March 2016: Wouter + - Updated configure and ltmain.sh. + - Updated L root IPv6 address. + +07 March 2016: Wouter + - Fix #747: assert in outnet_serviced_query_stop. + - iana ports fetched via https. + - iana portlist update. + +03 March 2016: Wouter + - configure tests for the weak attribute support by the compiler. + +02 March 2016: Wouter + - 1.5.8 release tag + - trunk contains 1.5.9 in development. + - iana portlist update. + - Fix #745: unbound.py - idn2dname throws UnicodeError when idnname + contains trailing dot. + 24 February 2016: Wouter - Fix OpenBSD asynclook lock free that gets used later (fix test code). - Fix that NSEC3 negative cache is used when there is no salt. diff --git a/contrib/unbound/doc/README b/contrib/unbound/doc/README index c87c62e..66e2f34 100644 --- a/contrib/unbound/doc/README +++ b/contrib/unbound/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.5.8 +README for Unbound 1.5.10 Copyright 2007 NLnet Labs http://unbound.net diff --git a/contrib/unbound/doc/example.conf b/contrib/unbound/doc/example.conf index 3b2267d..80c0f3e 100644 --- a/contrib/unbound/doc/example.conf +++ b/contrib/unbound/doc/example.conf @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.5.8. +# See unbound.conf(5) man page, version 1.5.10. # # this is a comment. 
@@ -52,6 +52,15 @@ server: # outgoing-interface: 192.0.2.153 # outgoing-interface: 2001:DB8::5 # outgoing-interface: 2001:DB8::6 + + # Specify a netblock to use remainder 64 bits as random bits for + # upstream queries. Uses freebind option (Linux). + # outgoing-interface: 2001:DB8::/64 + # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo + # And: ip -6 route add local 2001:db8::/64 dev lo + # And set prefer-ip6: yes to use the ip6 randomness from a netblock. + # Set this to yes to prefer ipv6 upstream servers over ipv4. + # prefer-ip6: no # number of ports to allocate per thread, determines the size of the # port range that can be open simultaneously. About double the @@ -93,6 +102,11 @@ server: # (uses IP_BINDANY on FreeBSD). # ip-transparent: no + # use IP_FREEBIND so the interface: addresses can be non-local + # and you can bind to nonexisting IPs and interfaces that are down. + # Linux only. On Linux you also have ip-transparent that is similar. + # ip-freebind: no + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). # edns-buffer-size: 4096 @@ -157,6 +171,10 @@ server: # the maximum number of hosts that are cached (roundtrip, EDNS, lame). # infra-cache-numhosts: 10000 + + # define a number of tags here, use with local-zone, access-control. + # repeat the define-tag statement to add additional tags. + # define-tag: "tag1 tag2 tag3" # Enable IPv4, "yes" or "no". # do-ip4: yes 
@@ -198,6 +216,20 @@ server: # access-control: ::1 allow # access-control: ::ffff:127.0.0.1 allow + # tag access-control with list of tags (in "" with spaces between) + # Clients using this access control element use localzones that + # are tagged with one of these tags. + # access-control-tag: 192.0.2.0/24 "tag2 tag3" + + # set action for particular tag for given access control element + # if you have multiple tag values, the tag used to lookup the action + # is the first tag match between access-control-tag and local-zone-tag + # where "first" comes from the order of the define-tag values. + # access-control-tag-action: 192.0.2.0/24 tag3 refuse + + # set redirect data for particular tag for access control element + # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1" + # if given, a chroot(2) is done to the given directory. # i.e. you can chroot to the working directory, for example, # for extra security, but make sure all files are in that directory. @@ -231,6 +263,8 @@ server: # the working directory. The relative files in this config are # relative to this directory. If you give "" the working directory # is not changed. + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. # directory: "/var/unbound" # the log file, "" means log to stderr. @@ -317,6 +351,7 @@ server: # Domains (and domains in them) without support for dns-0x20 and # the fallback fails because they keep sending different answers. # caps-whitelist: "licdn.com" + # caps-whitelist: "senderbase.org" # Enforce privacy of these addresses. Strips them away from answers. # It may cause DNSSEC validation to additionally mark it as bogus. 
@@ -364,6 +399,9 @@ server: # into response messages when those sections are not required. # minimal-responses: no + # true to disable DNSSEC lameness check in iterator. + # disable-dnssec-lame-check: no + # module configuration of the server. A string with identifiers # separated by spaces. Syntax: "[dns64] [validator] iterator" # module-config: "validator iterator" @@ -459,7 +497,8 @@ server: # If the value 0 is given, missing anchors are not removed. # keep-missing: 31622400 # 366 days - # debug option that allows very small holddown times for key rollover + # debug option that allows very small holddown times for key rollover, + # otherwise the RFC mandates probe intervals must be at least 1 hour. # permit-small-holddown: no # the amount of memory to use for the key cache. @@ -541,6 +580,8 @@ server: # o typetransparent resolves normally for other types and other names # o inform resolves normally, but logs client IP address # o inform_deny drops queries and logs client IP address + # o always_transparent, always_refuse, always_nxdomain, resolve in + # that way but ignore local data for that name. # # defaults are localhost address, reverse for 127.0.0.1 and ::1 # and nxdomain for AS112 zones. If you configure one of these zones @@ -567,6 +608,12 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" + # tag a localzone with a list of tag names (in "" with spaces between) + # local-zone-tag: "example.com" "tag2 tag3" + + # add a netblock specific override to a localzone, with zone type + # local-zone-override: "example.com" 192.0.2.0/24 refuse + # service clients over SSL (on the TCP sockets), with plain DNS inside # the SSL stream. Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. 
@@ -600,7 +647,7 @@ server: # ratelimit-for-domain: example.com 1000 # override the ratelimits for all domains below a domain name # can give this multiple times, the name closest to the zone is used. - # ratelimit-below-domain: example 1000 + # ratelimit-below-domain: com 1000 # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in index b5cc1c9..c520c88 100644 --- a/contrib/unbound/doc/example.conf.in +++ b/contrib/unbound/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.5.8. +# See unbound.conf(5) man page, version 1.5.10. # # this is a comment. @@ -52,6 +52,15 @@ server: # outgoing-interface: 192.0.2.153 # outgoing-interface: 2001:DB8::5 # outgoing-interface: 2001:DB8::6 + + # Specify a netblock to use remainder 64 bits as random bits for + # upstream queries. Uses freebind option (Linux). + # outgoing-interface: 2001:DB8::/64 + # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo + # And: ip -6 route add local 2001:db8::/64 dev lo + # And set prefer-ip6: yes to use the ip6 randomness from a netblock. + # Set this to yes to prefer ipv6 upstream servers over ipv4. + # prefer-ip6: no # number of ports to allocate per thread, determines the size of the # port range that can be open simultaneously. About double the @@ -93,6 +102,11 @@ server: # (uses IP_BINDANY on FreeBSD). # ip-transparent: no + # use IP_FREEBIND so the interface: addresses can be non-local + # and you can bind to nonexisting IPs and interfaces that are down. + # Linux only. On Linux you also have ip-transparent that is similar. + # ip-freebind: no + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). # edns-buffer-size: 4096 
@@ -157,6 +171,10 @@ server: # the maximum number of hosts that are cached (roundtrip, EDNS, lame). # infra-cache-numhosts: 10000 + + # define a number of tags here, use with local-zone, access-control. + # repeat the define-tag statement to add additional tags. + # define-tag: "tag1 tag2 tag3" # Enable IPv4, "yes" or "no". # do-ip4: yes @@ -198,6 +216,20 @@ server: # access-control: ::1 allow # access-control: ::ffff:127.0.0.1 allow + # tag access-control with list of tags (in "" with spaces between) + # Clients using this access control element use localzones that + # are tagged with one of these tags. + # access-control-tag: 192.0.2.0/24 "tag2 tag3" + + # set action for particular tag for given access control element + # if you have multiple tag values, the tag used to lookup the action + # is the first tag match between access-control-tag and local-zone-tag + # where "first" comes from the order of the define-tag values. + # access-control-tag-action: 192.0.2.0/24 tag3 refuse + + # set redirect data for particular tag for access control element + # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1" + # if given, a chroot(2) is done to the given directory. # i.e. you can chroot to the working directory, for example, # for extra security, but make sure all files are in that directory. @@ -231,6 +263,8 @@ server: # the working directory. The relative files in this config are # relative to this directory. If you give "" the working directory # is not changed. + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. # directory: "@UNBOUND_RUN_DIR@" # the log file, "" means log to stderr. 
@@ -317,6 +351,7 @@ server: # Domains (and domains in them) without support for dns-0x20 and # the fallback fails because they keep sending different answers. # caps-whitelist: "licdn.com" + # caps-whitelist: "senderbase.org" # Enforce privacy of these addresses. Strips them away from answers. # It may cause DNSSEC validation to additionally mark it as bogus. @@ -364,6 +399,9 @@ server: # into response messages when those sections are not required. # minimal-responses: no + # true to disable DNSSEC lameness check in iterator. + # disable-dnssec-lame-check: no + # module configuration of the server. A string with identifiers # separated by spaces. Syntax: "[dns64] [validator] iterator" # module-config: "validator iterator" @@ -459,7 +497,8 @@ server: # If the value 0 is given, missing anchors are not removed. # keep-missing: 31622400 # 366 days - # debug option that allows very small holddown times for key rollover + # debug option that allows very small holddown times for key rollover, + # otherwise the RFC mandates probe intervals must be at least 1 hour. # permit-small-holddown: no # the amount of memory to use for the key cache. @@ -541,6 +580,8 @@ server: # o typetransparent resolves normally for other types and other names # o inform resolves normally, but logs client IP address # o inform_deny drops queries and logs client IP address + # o always_transparent, always_refuse, always_nxdomain, resolve in + # that way but ignore local data for that name. # # defaults are localhost address, reverse for 127.0.0.1 and ::1 # and nxdomain for AS112 zones. If you configure one of these zones 
@@ -567,6 +608,12 @@ server: # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" + # tag a localzone with a list of tag names (in "" with spaces between) + # local-zone-tag: "example.com" "tag2 tag3" + + # add a netblock specific override to a localzone, with zone type + # local-zone-override: "example.com" 192.0.2.0/24 refuse + # service clients over SSL (on the TCP sockets), with plain DNS inside # the SSL stream. Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. @@ -600,7 +647,7 @@ server: # ratelimit-for-domain: example.com 1000 # override the ratelimits for all domains below a domain name # can give this multiple times, the name closest to the zone is used. - # ratelimit-below-domain: example 1000 + # ratelimit-below-domain: com 1000 # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. diff --git a/contrib/unbound/doc/libunbound.3 b/contrib/unbound/doc/libunbound.3 index df4b8fd..1bf3fc2 100644 --- a/contrib/unbound/doc/libunbound.3 +++ b/contrib/unbound/doc/libunbound.3 @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8" +.TH "libunbound" "3" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -43,7 +43,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.5.8 functions. +\- Unbound DNS validating resolver 1.5.10 functions. .SH "SYNOPSIS" .B #include <unbound.h> .LP diff --git a/contrib/unbound/doc/libunbound.3.in b/contrib/unbound/doc/libunbound.3.in index df4b8fd..1bf3fc2 100644 --- a/contrib/unbound/doc/libunbound.3.in +++ b/contrib/unbound/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8" +.TH "libunbound" "3" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10" .\" .\" libunbound.3 -- unbound library functions manual .\" 
@@ -43,7 +43,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.5.8 functions. +\- Unbound DNS validating resolver 1.5.10 functions. .SH "SYNOPSIS" .B #include <unbound.h> .LP diff --git a/contrib/unbound/doc/unbound-anchor.8 b/contrib/unbound/doc/unbound-anchor.8 index c5d9d7f..fbc7e20 100644 --- a/contrib/unbound/doc/unbound-anchor.8 +++ b/contrib/unbound/doc/unbound-anchor.8 @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8" +.TH "unbound-anchor" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" @@ -16,6 +16,8 @@ .SH "DESCRIPTION" .B Unbound\-anchor performs setup or update of the root trust anchor for DNSSEC validation. +The program fetches the trust anchor with the method from RFC7958 when +regular RFC5011 update fails to bring it up to date. It can be run (as root) from the commandline, or run as part of startup scripts. Before you start the \fIunbound\fR(8) DNS server. .P @@ -39,8 +41,8 @@ update certificate files. .P It tests if the root anchor file works, and if not, and an update is possible, attempts to update the root anchor using the root update certificate. -It performs a https fetch of root-anchors.xml and checks the results, if -all checks are successful, it updates the root anchor file. Otherwise +It performs a https fetch of root-anchors.xml and checks the results (RFC7958), +if all checks are successful, it updates the root anchor file. Otherwise the root anchor file is unchanged. It performs RFC5011 tracking if the DNSSEC information available via the DNS makes that possible. .P diff --git a/contrib/unbound/doc/unbound-anchor.8.in b/contrib/unbound/doc/unbound-anchor.8.in index de283e5..7403caa 100644 --- a/contrib/unbound/doc/unbound-anchor.8.in +++ b/contrib/unbound/doc/unbound-anchor.8.in 
@@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8" +.TH "unbound-anchor" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" @@ -16,6 +16,8 @@ .SH "DESCRIPTION" .B Unbound\-anchor performs setup or update of the root trust anchor for DNSSEC validation. +The program fetches the trust anchor with the method from RFC7958 when +regular RFC5011 update fails to bring it up to date. It can be run (as root) from the commandline, or run as part of startup scripts. Before you start the \fIunbound\fR(8) DNS server. .P @@ -39,8 +41,8 @@ update certificate files. .P It tests if the root anchor file works, and if not, and an update is possible, attempts to update the root anchor using the root update certificate. -It performs a https fetch of root-anchors.xml and checks the results, if -all checks are successful, it updates the root anchor file. Otherwise +It performs a https fetch of root-anchors.xml and checks the results (RFC7958), +if all checks are successful, it updates the root anchor file. Otherwise the root anchor file is unchanged. It performs RFC5011 tracking if the DNSSEC information available via the DNS makes that possible. .P diff --git a/contrib/unbound/doc/unbound-checkconf.8 b/contrib/unbound/doc/unbound-checkconf.8 index f166720..3c8198b 100644 --- a/contrib/unbound/doc/unbound-checkconf.8 +++ b/contrib/unbound/doc/unbound-checkconf.8 @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8" +.TH "unbound-checkconf" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/contrib/unbound/doc/unbound-checkconf.8.in b/contrib/unbound/doc/unbound-checkconf.8.in index 92be13f..03f5b3c 100644 --- a/contrib/unbound/doc/unbound-checkconf.8.in +++ b/contrib/unbound/doc/unbound-checkconf.8.in 
@@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8" +.TH "unbound-checkconf" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/contrib/unbound/doc/unbound-control.8 b/contrib/unbound/doc/unbound-control.8 index 75219d2..892bbeb 100644 --- a/contrib/unbound/doc/unbound-control.8 +++ b/contrib/unbound/doc/unbound-control.8 @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8" +.TH "unbound-control" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10" .\" .\" unbound-control.8 -- unbound remote control manual .\" diff --git a/contrib/unbound/doc/unbound-control.8.in b/contrib/unbound/doc/unbound-control.8.in index 0e814b8..9089db9 100644 --- a/contrib/unbound/doc/unbound-control.8.in +++ b/contrib/unbound/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8" +.TH "unbound-control" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10" .\" .\" unbound-control.8 -- unbound remote control manual .\" diff --git a/contrib/unbound/doc/unbound-host.1 b/contrib/unbound/doc/unbound-host.1 index 28a50a8..ef1eaed 100644 --- a/contrib/unbound/doc/unbound-host.1 +++ b/contrib/unbound/doc/unbound-host.1 @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8" +.TH "unbound\-host" "1" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/contrib/unbound/doc/unbound-host.1.in b/contrib/unbound/doc/unbound-host.1.in index 65253ad..04d19ad 100644 --- a/contrib/unbound/doc/unbound-host.1.in +++ b/contrib/unbound/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8" +.TH "unbound\-host" "1" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" 
diff --git a/contrib/unbound/doc/unbound.8 b/contrib/unbound/doc/unbound.8 index d8c5494..26abc06 100644 --- a/contrib/unbound/doc/unbound.8 +++ b/contrib/unbound/doc/unbound.8 @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8" +.TH "unbound" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.5.8. +\- Unbound DNS validating resolver 1.5.10. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/contrib/unbound/doc/unbound.8.in b/contrib/unbound/doc/unbound.8.in index 4b752bb..78e497d 100644 --- a/contrib/unbound/doc/unbound.8.in +++ b/contrib/unbound/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8" +.TH "unbound" "8" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.5.8. +\- Unbound DNS validating resolver 1.5.10. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/contrib/unbound/doc/unbound.conf.5 b/contrib/unbound/doc/unbound.conf.5 index 569bd26..6897761 100644 --- a/contrib/unbound/doc/unbound.conf.5 +++ b/contrib/unbound/doc/unbound.conf.5 @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8" +.TH "unbound.conf" "5" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10" .\" .\" unbound.conf.5 -- unbound.conf manual .\" 
@@ -72,7 +72,8 @@ Processing continues as if the text from the included file was copied into the config file at that point. If also using chroot, using full path names for the included files works, relative pathnames for the included names work if the directory where the daemon is started equals its chroot/working -directory. Wildcards can be used to include multiple files, see \fIglob\fR(7). +directory or is specified before the include statement with directory: dir. +Wildcards can be used to include multiple files, see \fIglob\fR(7). .SS "Server Options" These options are part of the .B server: @@ -126,7 +127,7 @@ Detect source interface on UDP queries and copy them to replies. This feature is experimental, and needs support in your OS for particular socket options. Default value is no. .TP -.B outgoing\-interface: \fI<ip address> +.B outgoing\-interface: \fI<ip address or ip6 netblock> Interface to use to connect to the network. This interface is used to send queries to authoritative servers and receive their replies. Can be given multiple times to work on several interfaces. If none are given the 
@@ -136,12 +137,28 @@ and .B outgoing\-interface: lines, the interfaces are then used for both purposes. Outgoing queries are sent via a random outgoing interface to counter spoofing. +.IP +If an IPv6 netblock is specified instead of an individual IPv6 address, +outgoing UDP queries will use a randomised source address taken from the +netblock to counter spoofing. Requires the IPv6 netblock to be routed to the +host running unbound, and requires OS support for unprivileged non-local binds +(currently only supported on Linux). Several netblocks may be specified with +multiple +.B outgoing\-interface: +options, but do not specify both an individual IPv6 address and an IPv6 +netblock, or the randomisation will be compromised. Consider combining with +.B prefer\-ip6: yes +to increase the likelihood of IPv6 nameservers being selected for queries. +On Linux you need these two commands to be able to use the freebind socket +option to receive traffic for the ip6 netblock: +ip -6 addr add mynetblock/64 dev lo && +ip -6 route add local mynetblock/64 dev lo .TP .B outgoing\-range: \fI<number> Number of ports to open. This number of file descriptors can be opened per thread. Must be at least 1. Default depends on compile options. Larger numbers need extra resources from the operating system. For performance a -a very large value is best, use libevent to make this possible. +very large value is best, use libevent to make this possible. .TP .B outgoing\-port\-permit: \fI<port number or range> Permit unbound to open this port or range of ports for use to send queries. 
@@ -277,6 +294,13 @@ and with this option you can select which (future) interfaces unbound provides service on. This option needs unbound to be started with root permissions on some systems. The option uses IP_BINDANY on FreeBSD systems. .TP +.B ip\-freebind: \fI<yes or no> +If yes, then use IP_FREEBIND socket option on sockets where unbound +is listening to incoming traffic. Default no. Allows you to bind to +IP addresses that are nonlocal or do not exist, like when the network +interface or IP address is down. Exists only on Linux, where the similar +ip\-transparent option is also available. +.TP .B rrset\-cache\-size: \fI<number> Number of bytes size of the RRset cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes @@ -322,6 +346,10 @@ Lower limit for dynamic retransmit timeout calculation in infrastructure cache. Default is 50 milliseconds. Increase this value if using forwarders needing more time to do recursive name resolution. .TP +.B define\-tag: \fI<"list of tags"> +Define the tags that can be used with local\-zone and access\-control. +Enclose the list between quotes ("") and put spaces between tags. +.TP .B do\-ip4: \fI<yes or no> Enable or disable whether ip4 queries are answered or issued. Default is yes. .TP @@ -332,6 +360,10 @@ IPv6 to the internet nameservers. With this option you can disable the ipv6 transport for sending DNS traffic, it does not impact the contents of the DNS traffic, which may have ip4 and ip6 addresses in it. .TP +.B prefer\-ip6: \fI<yes or no> +If enabled, prefer IPv6 transport for sending DNS queries to internet +nameservers. Default is no. +.TP .B do\-udp: \fI<yes or no> Enable or disable whether UDP queries are answered or issued. Default is yes. .TP 
@@ -425,6 +457,23 @@ allowed full recursion but only the static data. With deny_non_local, messages that are disallowed are dropped, with refuse_non_local they receive error code REFUSED. .TP +.B access\-control\-tag: \fI<IP netblock> <"list of tags"> +Assign tags to access-control elements. Clients using this access control +element use localzones that are tagged with one of these tags. Tags must be +defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put +spaces between tags. If access\-control\-tag is configured for a netblock that +does not have an access\-control, an access\-control element with action +\fIallow\fR is configured for this netblock. +.TP +.B access\-control\-tag\-action: \fI<IP netblock> <tag> <action> +Set action for particular tag for given access control element. If you have +multiple tag values, the tag used to lookup the action is the first tag match +between access\-control\-tag and local\-zone\-tag where "first" comes from the +order of the define-tag values. +.TP +.B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string"> +Set redirect data for particular tag for given access control element. +.TP .B chroot: \fI<directory> If chroot is enabled, you should pass the configfile (from the commandline) as a full path from the original root. After the @@ -462,6 +511,8 @@ requires privileges, then a reload will fail; a restart is needed. Sets the working directory for the program. Default is "/var/unbound". On Windows the string "%EXECUTABLE%" tries to change to the directory that unbound.exe resides in. +If you give a server: directory: dir before include: file statements +then those includes can be relative to the working directory. .TP .B logfile: \fI<filename> If "" is given, logging goes to stderr, or nowhere once daemonized. 
@@ -570,6 +621,7 @@ might return nxdomain for empty nonterminals (that usually happen for reverse IP address lookups), and thus may be incompatible with this. To try to avoid this only DNSSEC-secure nxdomains are used, because the old software does not have DNSSEC. Default is off. +Currently, draft\-ietf\-dnsop\-nxdomain\-cut promotes this technique. .TP .B harden\-referral\-path: \fI<yes or no> Harden the referral path by performing additional queries for @@ -673,6 +725,13 @@ This may cause a slight speedup. The default is no, because the DNS protocol RFCs mandate these sections, and the additional content could be of use and save roundtrips for clients. .TP +.B disable-dnssec-lame-check: \fI<yes or no> +If true, disables the DNSSEC lameness check in the iterator. This check +sees if RRSIGs are present in the answer, when dnssec is expected, +and retries another authority if RRSIGs are unexpectedly missing. +The validator will insist in RRSIGs for DNSSEC signed domains regardless +of this setting, if a trust anchor is loaded. +.TP .B module\-config: \fI<"module names"> Module configuration, a list of module names separated by spaces, surround the string with quotes (""). The modules can be validator, iterator. @@ -691,7 +750,9 @@ File with trust anchor for one zone, which is tracked with RFC5011 probes. The probes are several times per month, thus the machine must be online frequently. The initial file can be one with contents as described in \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated, -so the unbound user must have write permission. +so the unbound user must have write permission. Write permission to the file, +but also to the directory it is in (to create a temporary file, which is +necessary to deal with filesystem full events). .TP .B trust\-anchor: \fI<"Resource Record"> A DS or DNSKEY RR for a key to use for validation. Multiple entries can be 
@@ -866,6 +927,7 @@ address space are not validated. This is usually required whenever Configure a local zone. The type determines the answer to give if there is no match from local\-data. The types are deny, refuse, static, transparent, redirect, nodefault, typetransparent, inform, inform_deny, +always_transparent, always_refuse, always_nxdomain, and are explained below. After that the default settings are listed. Use local\-data: to enter data into the local zone. Answers for local zones are authoritative DNS answers. By default the zones are class IN. @@ -926,6 +988,15 @@ logged, eg. to run antivirus on them. The query is dropped, like 'deny', and logged, like 'inform'. Ie. find infected machines without answering the queries. .TP 10 +\h'5'\fIalways_transparent\fR +Like transparent, but ignores local data and resolves normally. +.TP 10 +\h'5'\fIalways_refuse\fR +Like refuse, but ignores local data and refuses the query. +.TP 10 +\h'5'\fIalways_nxdomain\fR +Like static, but ignores local data and returns nxdomain for the query. +.TP 10 \h'5'\fInodefault\fR Used to turn off default contents for AS112 zones. The other types also turn off default contents for the zone. The 'nodefault' option 
@@ -1043,6 +1114,18 @@ Configure local data shorthand for a PTR record with the reversed IPv4 or IPv6 address and the host name. For example "192.0.2.4 www.example.com". TTL can be inserted like this: "2001:DB8::4 7200 www.example.com" .TP 5 +.B local\-zone\-tag: \fI<zone> <"list of tags"> +Assign tags to localzones. Tagged localzones will only be applied when the +used access-control element has a matching tag. Tags must be defined in +\fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between +tags. +.TP 5 +.B local\-zone\-override: \fI<zone> <IP netblock> <type> +Override the localzone type for queries from addresses matching netblock. +Use this localzone type, regardless the type configured for the local-zone +(both tagged and untagged) and regardless the type configured using +access\-control\-tag\-action. +.TP 5 .B ratelimit: \fI<number or 0> Enable ratelimiting of queries sent to nameserver for performing recursion. If 0, the default, it is disabled. This option is experimental at this time. diff --git a/contrib/unbound/doc/unbound.conf.5.in b/contrib/unbound/doc/unbound.conf.5.in index 3f84cac..f813c44 100644 --- a/contrib/unbound/doc/unbound.conf.5.in +++ b/contrib/unbound/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Mar 2, 2016" "NLnet Labs" "unbound 1.5.8" +.TH "unbound.conf" "5" "Sep 27, 2016" "NLnet Labs" "unbound 1.5.10" .\" .\" unbound.conf.5 -- unbound.conf manual .\" 
@@ -72,7 +72,8 @@ Processing continues as if the text from the included file was copied into the config file at that point. If also using chroot, using full path names for the included files works, relative pathnames for the included names work if the directory where the daemon is started equals its chroot/working -directory. Wildcards can be used to include multiple files, see \fIglob\fR(7). +directory or is specified before the include statement with directory: dir. +Wildcards can be used to include multiple files, see \fIglob\fR(7). .SS "Server Options" These options are part of the .B server: @@ -126,7 +127,7 @@ Detect source interface on UDP queries and copy them to replies. This feature is experimental, and needs support in your OS for particular socket options. Default value is no. .TP -.B outgoing\-interface: \fI<ip address> +.B outgoing\-interface: \fI<ip address or ip6 netblock> Interface to use to connect to the network. This interface is used to send queries to authoritative servers and receive their replies. Can be given multiple times to work on several interfaces. If none are given the 
@@ -136,12 +137,28 @@ and .B outgoing\-interface: lines, the interfaces are then used for both purposes. Outgoing queries are sent via a random outgoing interface to counter spoofing. +.IP +If an IPv6 netblock is specified instead of an individual IPv6 address, +outgoing UDP queries will use a randomised source address taken from the +netblock to counter spoofing. Requires the IPv6 netblock to be routed to the +host running unbound, and requires OS support for unprivileged non-local binds +(currently only supported on Linux). Several netblocks may be specified with +multiple +.B outgoing\-interface: +options, but do not specify both an individual IPv6 address and an IPv6 +netblock, or the randomisation will be compromised. Consider combining with +.B prefer\-ip6: yes +to increase the likelihood of IPv6 nameservers being selected for queries. +On Linux you need these two commands to be able to use the freebind socket +option to receive traffic for the ip6 netblock: +ip -6 addr add mynetblock/64 dev lo && +ip -6 route add local mynetblock/64 dev lo .TP .B outgoing\-range: \fI<number> Number of ports to open. This number of file descriptors can be opened per thread. Must be at least 1. Default depends on compile options. Larger numbers need extra resources from the operating system. For performance a -a very large value is best, use libevent to make this possible. +very large value is best, use libevent to make this possible. .TP .B outgoing\-port\-permit: \fI<port number or range> Permit unbound to open this port or range of ports for use to send queries. 
@@ -277,6 +294,13 @@ and with this option you can select which (future) interfaces unbound provides service on. This option needs unbound to be started with root permissions on some systems. The option uses IP_BINDANY on FreeBSD systems. .TP +.B ip\-freebind: \fI<yes or no> +If yes, then use IP_FREEBIND socket option on sockets where unbound +is listening to incoming traffic. Default no. Allows you to bind to +IP addresses that are nonlocal or do not exist, like when the network +interface or IP address is down. Exists only on Linux, where the similar +ip\-transparent option is also available. +.TP .B rrset\-cache\-size: \fI<number> Number of bytes size of the RRset cache. Default is 4 megabytes. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes @@ -322,6 +346,10 @@ Lower limit for dynamic retransmit timeout calculation in infrastructure cache. Default is 50 milliseconds. Increase this value if using forwarders needing more time to do recursive name resolution. .TP +.B define\-tag: \fI<"list of tags"> +Define the tags that can be used with local\-zone and access\-control. +Enclose the list between quotes ("") and put spaces between tags. +.TP .B do\-ip4: \fI<yes or no> Enable or disable whether ip4 queries are answered or issued. Default is yes. .TP @@ -332,6 +360,10 @@ IPv6 to the internet nameservers. With this option you can disable the ipv6 transport for sending DNS traffic, it does not impact the contents of the DNS traffic, which may have ip4 and ip6 addresses in it. .TP +.B prefer\-ip6: \fI<yes or no> +If enabled, prefer IPv6 transport for sending DNS queries to internet +nameservers. Default is no. +.TP .B do\-udp: \fI<yes or no> Enable or disable whether UDP queries are answered or issued. Default is yes. .TP 
@@ -425,6 +457,23 @@ allowed full recursion but only the static data. With deny_non_local, messages that are disallowed are dropped, with refuse_non_local they receive error code REFUSED. .TP +.B access\-control\-tag: \fI<IP netblock> <"list of tags"> +Assign tags to access-control elements. Clients using this access control +element use localzones that are tagged with one of these tags. Tags must be +defined in \fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put +spaces between tags. If access\-control\-tag is configured for a netblock that +does not have an access\-control, an access\-control element with action +\fIallow\fR is configured for this netblock. +.TP +.B access\-control\-tag\-action: \fI<IP netblock> <tag> <action> +Set action for particular tag for given access control element. If you have +multiple tag values, the tag used to lookup the action is the first tag match +between access\-control\-tag and local\-zone\-tag where "first" comes from the +order of the define-tag values. +.TP +.B access\-control\-tag\-data: \fI<IP netblock> <tag> <"resource record string"> +Set redirect data for particular tag for given access control element. +.TP .B chroot: \fI<directory> If chroot is enabled, you should pass the configfile (from the commandline) as a full path from the original root. After the @@ -462,6 +511,8 @@ requires privileges, then a reload will fail; a restart is needed. Sets the working directory for the program. Default is "@UNBOUND_RUN_DIR@". On Windows the string "%EXECUTABLE%" tries to change to the directory that unbound.exe resides in. +If you give a server: directory: dir before include: file statements +then those includes can be relative to the working directory. .TP .B logfile: \fI<filename> If "" is given, logging goes to stderr, or nowhere once daemonized. 
@@ -570,6 +621,7 @@ might return nxdomain for empty nonterminals (that usually happen for reverse IP address lookups), and thus may be incompatible with this. To try to avoid this only DNSSEC-secure nxdomains are used, because the old software does not have DNSSEC. Default is off. +Currently, draft\-ietf\-dnsop\-nxdomain\-cut promotes this technique. .TP .B harden\-referral\-path: \fI<yes or no> Harden the referral path by performing additional queries for @@ -673,6 +725,13 @@ This may cause a slight speedup. The default is no, because the DNS protocol RFCs mandate these sections, and the additional content could be of use and save roundtrips for clients. .TP +.B disable-dnssec-lame-check: \fI<yes or no> +If true, disables the DNSSEC lameness check in the iterator. This check +sees if RRSIGs are present in the answer, when dnssec is expected, +and retries another authority if RRSIGs are unexpectedly missing. +The validator will insist in RRSIGs for DNSSEC signed domains regardless +of this setting, if a trust anchor is loaded. +.TP .B module\-config: \fI<"module names"> Module configuration, a list of module names separated by spaces, surround the string with quotes (""). The modules can be validator, iterator. @@ -691,7 +750,9 @@ File with trust anchor for one zone, which is tracked with RFC5011 probes. The probes are several times per month, thus the machine must be online frequently. The initial file can be one with contents as described in \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated, -so the unbound user must have write permission. +so the unbound user must have write permission. Write permission to the file, +but also to the directory it is in (to create a temporary file, which is +necessary to deal with filesystem full events). .TP .B trust\-anchor: \fI<"Resource Record"> A DS or DNSKEY RR for a key to use for validation. Multiple entries can be 
@@ -866,6 +927,7 @@ address space are not validated. This is usually required whenever Configure a local zone. The type determines the answer to give if there is no match from local\-data. The types are deny, refuse, static, transparent, redirect, nodefault, typetransparent, inform, inform_deny, +always_transparent, always_refuse, always_nxdomain, and are explained below. After that the default settings are listed. Use local\-data: to enter data into the local zone. Answers for local zones are authoritative DNS answers. By default the zones are class IN. @@ -926,6 +988,15 @@ logged, eg. to run antivirus on them. The query is dropped, like 'deny', and logged, like 'inform'. Ie. find infected machines without answering the queries. .TP 10 +\h'5'\fIalways_transparent\fR +Like transparent, but ignores local data and resolves normally. +.TP 10 +\h'5'\fIalways_refuse\fR +Like refuse, but ignores local data and refuses the query. +.TP 10 +\h'5'\fIalways_nxdomain\fR +Like static, but ignores local data and returns nxdomain for the query. +.TP 10 \h'5'\fInodefault\fR Used to turn off default contents for AS112 zones. The other types also turn off default contents for the zone. The 'nodefault' option 
@@ -1043,6 +1114,18 @@ Configure local data shorthand for a PTR record with the reversed IPv4 or IPv6 address and the host name. For example "192.0.2.4 www.example.com". TTL can be inserted like this: "2001:DB8::4 7200 www.example.com" .TP 5 +.B local\-zone\-tag: \fI<zone> <"list of tags"> +Assign tags to localzones. Tagged localzones will only be applied when the +used access-control element has a matching tag. Tags must be defined in +\fIdefine\-tags\fR. Enclose list of tags in quotes ("") and put spaces between +tags. +.TP 5 +.B local\-zone\-override: \fI<zone> <IP netblock> <type> +Override the localzone type for queries from addresses matching netblock. +Use this localzone type, regardless the type configured for the local-zone +(both tagged and untagged) and regardless the type configured using +access\-control\-tag\-action. +.TP 5 .B ratelimit: \fI<number or 0> Enable ratelimiting of queries sent to nameserver for performing recursion. If 0, the default, it is disabled. This option is experimental at this time. diff --git a/contrib/unbound/doc/unbound.doxygen b/contrib/unbound/doc/unbound.doxygen index 43f2e38..fe39876 100644 --- a/contrib/unbound/doc/unbound.doxygen +++ b/contrib/unbound/doc/unbound.doxygen @@ -623,7 +623,9 @@ EXCLUDE = ./build \ pythonmod/examples/resip.py \ libunbound/python/unbound.py \ libunbound/python/libunbound_wrap.c \ - ./ldns-src + ./ldns-src \ + doc/control_proto_spec.txt \ + doc/requirements.txt # The EXCLUDE_SYMLINKS tag can be used select whether or not files or # directories that are symbolic links (a Unix filesystem feature) are excluded |
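Review bot: In the unbound-anchor.8 hunk at @@ -39, the rewritten line still reads "performs a https fetch of root-anchors.xml and checks the results (RFC7958), if all checks are successful, it updates" which is a comma splice; since the line is being touched anyway, end the first sentence after "(RFC7958)" and change "a https" to "an https". The same applies to the unbound-anchor.8.in copy.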
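Review bot: The two commands at the end of the outgoing-interface hunk (@@ -136 in unbound.conf.5 and the identical hunk in unbound.conf.5.in), "ip -6 addr add mynetblock/64 dev lo &&" and "ip -6 route add local mynetblock/64 dev lo", are placed in running text and troff will fill them into the paragraph; put them in an .nf/.fi block, one command per line without the "&&", and typeset the placeholder as \fImynetblock\fR so it is not mistaken for a literal. It would also help to spell out that the "route add local" line makes the kernel accept traffic for the whole /64, which is why the paragraph insists the netblock be routed to this host and not shared with an individual address.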
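Review bot: The ip-freebind entry in the @@ -277 hunk (unbound.conf.5 and unbound.conf.5.in) says the "similar ip-transparent option is also available" on Linux but does not say whether the two may be combined or which socket option is applied when both are set to yes; a sentence on that would save readers a trip to the source.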
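Review bot: The define-tag entry in the @@ -322 hunk (unbound.conf.5 and unbound.conf.5.in) says the tags "can be used with local-zone and access-control", but the options that actually consume them are local-zone-tag, access-control-tag, access-control-tag-action and access-control-tag-data; naming those options here (with \fB...\fR as elsewhere in the page) gives readers the cross-reference they need.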
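Review bot: In the @@ -425 hunk (unbound.conf.5 and unbound.conf.5.in) the access-control-tag entry says "Tags must be defined in \fIdefine\-tags\fR", but the option added earlier in this patch is named define-tag (singular); the reference should be "\fBdefine\-tag\fR". In the same hunk, "the tag used to lookup the action" should be "look up", and the access-control-tag-data entry would be clearer if it stated that the data is only used when the action selected via access-control-tag-action is redirect.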
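Review bot: The sentence added in the @@ -570 hunk (unbound.conf.5 and unbound.conf.5.in), "Currently, draft-ietf-dnsop-nxdomain-cut promotes this technique.", names an Internet-Draft that will go stale once it is published or abandoned; consider "At the time of writing" wording or dropping the draft name so the man page does not need a follow-up edit.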
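Review bot: The new disable-dnssec-lame-check entry in the @@ -673 hunk (unbound.conf.5 and unbound.conf.5.in) does not state its default, unlike every neighbouring option; add "Default is no." (or whatever the code uses). Two smaller points in the same hunk: the heading uses plain hyphens (".B disable-dnssec-lame-check") where the rest of the page escapes them (".B harden\-referral\-path"), and "insist in RRSIGs" should be "insist on RRSIGs".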
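Review bot: In the @@ -691 hunk (unbound.conf.5 and unbound.conf.5.in) the added text "Write permission to the file, but also to the directory it is in (to create a temporary file, ...)" is a sentence fragment that repeats the clause before it; fold it into one sentence such as "so the unbound user must have write permission to the file and also to the directory it is in, since a temporary file is created there to cope with a full filesystem."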
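Review bot: In the @@ -1043 hunk (unbound.conf.5 and unbound.conf.5.in) the local-zone-tag entry again refers to "\fIdefine\-tags\fR" where the option is named define-tag, and the local-zone-override entry has "regardless the type" twice, which should be "regardless of the type". The override entry also does not say what happens when a query address matches more than one local-zone-override netblock for the same zone; stating the rule (for example, most specific match wins, if that is what the code does) would remove the ambiguity.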