git: 63e3850ce9fb - stable/12 - unbound: Vendor import 1.15.0

From: Cy Schubert <cy_at_FreeBSD.org>
Date: Mon, 07 Mar 2022 13:35:21 UTC
The branch stable/12 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=63e3850ce9fb25aaf3f441eef1a4a8f08f1e326a

commit 63e3850ce9fb25aaf3f441eef1a4a8f08f1e326a
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-02-18 00:05:15 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-03-07 13:34:56 +0000

    unbound: Vendor import 1.15.0
    
    Vendor import GA release of unbound 1.15.0.
    
    (cherry picked from commit 9cf5bc93f6ba1711ae7bf96a982a2b3c8b073a18)
---
 contrib/unbound/README.md                          |   4 +-
 contrib/unbound/config.guess                       |  16 +-
 contrib/unbound/config.h.in                        |   3 +
 contrib/unbound/config.sub                         |  20 +-
 contrib/unbound/configure                          |  72 ++++-
 contrib/unbound/configure.ac                       |  40 ++-
 contrib/unbound/contrib/aaaa-filter-iterator.patch |  78 +++---
 contrib/unbound/daemon/remote.c                    |  57 ++--
 contrib/unbound/daemon/worker.c                    |  18 +-
 contrib/unbound/dnstap/dtstream.c                  |  25 +-
 contrib/unbound/dnstap/unbound-dnstap-socket.c     |  10 +-
 contrib/unbound/doc/Changelog                      | 133 +++++++++
 contrib/unbound/doc/README                         |   2 +-
 contrib/unbound/doc/example.conf                   |  63 +++--
 contrib/unbound/doc/example.conf.in                |  63 +++--
 contrib/unbound/doc/libunbound.3                   |   4 +-
 contrib/unbound/doc/libunbound.3.in                |   4 +-
 contrib/unbound/doc/unbound-anchor.8               |   8 +-
 contrib/unbound/doc/unbound-anchor.8.in            |   8 +-
 contrib/unbound/doc/unbound-checkconf.8            |  20 +-
 contrib/unbound/doc/unbound-checkconf.8.in         |  20 +-
 contrib/unbound/doc/unbound-control.8              |  80 +++---
 contrib/unbound/doc/unbound-control.8.in           |  80 +++---
 contrib/unbound/doc/unbound-host.1                 |  16 +-
 contrib/unbound/doc/unbound-host.1.in              |  16 +-
 contrib/unbound/doc/unbound.8                      |   8 +-
 contrib/unbound/doc/unbound.8.in                   |   8 +-
 contrib/unbound/doc/unbound.conf.5                 | 242 +++++++++-------
 contrib/unbound/doc/unbound.conf.5.in              | 242 +++++++++-------
 contrib/unbound/iterator/iter_delegpt.c            |  71 +++--
 contrib/unbound/iterator/iter_delegpt.h            |  28 +-
 contrib/unbound/iterator/iter_fwd.c                |  16 +-
 contrib/unbound/iterator/iter_hints.c              |  20 +-
 contrib/unbound/iterator/iterator.c                | 108 +++-----
 contrib/unbound/iterator/iterator.h                |   4 +-
 contrib/unbound/libunbound/libworker.c             |  11 +-
 contrib/unbound/libunbound/worker.h                |  12 +-
 contrib/unbound/services/cache/infra.c             |  66 +++--
 contrib/unbound/services/cache/infra.h             |  14 +-
 contrib/unbound/services/listen_dnsport.c          |  37 +--
 contrib/unbound/services/localzone.c               | 102 ++++---
 contrib/unbound/services/outside_network.c         | 307 +++++++++++++++------
 contrib/unbound/services/outside_network.h         |  27 +-
 contrib/unbound/services/rpz.c                     |  34 ++-
 contrib/unbound/services/rpz.h                     |   2 +
 contrib/unbound/sldns/keyraw.c                     |   6 +-
 contrib/unbound/sldns/str2wire.c                   |  14 +-
 contrib/unbound/sldns/str2wire.h                   |   2 +-
 contrib/unbound/sldns/wire2str.c                   |  11 +
 contrib/unbound/smallapp/unbound-checkconf.c       |   6 +
 contrib/unbound/smallapp/worker_cb.c               |  12 +-
 .../testdata/edns_attached_once_per_upstream.rpl   |  90 ++++++
 contrib/unbound/testdata/nsid_bogus.rpl            | 174 ++++++++++++
 .../unbound/testdata/ratelimit.tdir/ratelimit.conf |  29 ++
 .../unbound/testdata/ratelimit.tdir/ratelimit.dsc  |  16 ++
 .../unbound/testdata/ratelimit.tdir/ratelimit.post |  14 +
 .../unbound/testdata/ratelimit.tdir/ratelimit.pre  |  33 +++
 .../unbound/testdata/ratelimit.tdir/ratelimit.test | 183 ++++++++++++
 .../testdata/ratelimit.tdir/ratelimit.testns       |  13 +
 .../testdata/ratelimit.tdir/unbound_control.key    |  39 +++
 .../testdata/ratelimit.tdir/unbound_control.pem    |  22 ++
 .../testdata/ratelimit.tdir/unbound_server.key     |  39 +++
 .../testdata/ratelimit.tdir/unbound_server.pem     |  22 ++
 contrib/unbound/testdata/rpz_nsdname.rpl           |   2 +-
 contrib/unbound/testdata/rpz_nsip.rpl              |   2 +-
 .../unbound/testdata/rpz_signal_nxdomain_ra.rpl    | 254 +++++++++++++++++
 contrib/unbound/util/config_file.c                 |  24 +-
 contrib/unbound/util/config_file.h                 |  11 +
 contrib/unbound/util/configlexer.lex               |   3 +
 contrib/unbound/util/configparser.y                |  36 ++-
 contrib/unbound/util/fptr_wlist.c                  |   8 +-
 contrib/unbound/util/fptr_wlist.h                  |   7 +-
 contrib/unbound/util/iana_ports.inc                |   2 +-
 contrib/unbound/util/module.h                      |   6 +-
 contrib/unbound/util/net_help.c                    |  40 +++
 contrib/unbound/util/net_help.h                    |  19 +-
 contrib/unbound/util/netevent.c                    |   2 +
 contrib/unbound/validator/val_utils.c              |   8 +-
 78 files changed, 2542 insertions(+), 826 deletions(-)

diff --git a/contrib/unbound/README.md b/contrib/unbound/README.md
index c8877d1e9df5..d1bbcf2b7797 100644
--- a/contrib/unbound/README.md
+++ b/contrib/unbound/README.md
@@ -11,7 +11,7 @@ have any feedback, we would love to hear from you. Don’t hesitate to
 [create an issue on Github](https://github.com/NLnetLabs/unbound/issues/new)
 or post a message on the [Unbound mailing list](https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users).
 You can learn more about Unbound by reading our
-[documentation](https://nlnetlabs.nl/documentation/unbound/).
+[documentation](https://unbound.docs.nlnetlabs.nl/).
 
 ## Compiling
 
@@ -33,7 +33,7 @@ support.
 
 All of Unbound's configuration options are described in the man pages, which
 will be installed and are available on the Unbound
-[documentation page](https://nlnetlabs.nl/documentation/unbound/).
+[documentation page](https://unbound.docs.nlnetlabs.nl/).
 
 An example configuration file is located in
 [doc/example.conf](https://github.com/NLnetLabs/unbound/blob/master/doc/example.conf.in).
diff --git a/contrib/unbound/config.guess b/contrib/unbound/config.guess
index e81d3ae7c210..7f76b6228f73 100755
--- a/contrib/unbound/config.guess
+++ b/contrib/unbound/config.guess
@@ -1,14 +1,14 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
-#   Copyright 1992-2021 Free Software Foundation, Inc.
+#   Copyright 1992-2022 Free Software Foundation, Inc.
 
 # shellcheck disable=SC2006,SC2268 # see below for rationale
 
-timestamp='2021-06-03'
+timestamp='2022-01-09'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
+# the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful, but
@@ -60,7 +60,7 @@ version="\
 GNU config.guess ($timestamp)
 
 Originally written by Per Bothner.
-Copyright 1992-2021 Free Software Foundation, Inc.
+Copyright 1992-2022 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -437,7 +437,7 @@ case $UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION in
 	# This test works for both compilers.
 	if test "$CC_FOR_BUILD" != no_compiler_found; then
 	    if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
-		(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
+		(CCOPTS="" $CC_FOR_BUILD -m64 -E - 2>/dev/null) | \
 		grep IS_64BIT_ARCH >/dev/null
 	    then
 		SUN_ARCH=x86_64
@@ -929,6 +929,9 @@ EOF
     i*:PW*:*)
 	GUESS=$UNAME_MACHINE-pc-pw32
 	;;
+    *:SerenityOS:*:*)
+        GUESS=$UNAME_MACHINE-pc-serenity
+        ;;
     *:Interix*:*)
 	case $UNAME_MACHINE in
 	    x86)
@@ -1522,6 +1525,9 @@ EOF
     i*86:rdos:*:*)
 	GUESS=$UNAME_MACHINE-pc-rdos
 	;;
+    i*86:Fiwix:*:*)
+	GUESS=$UNAME_MACHINE-pc-fiwix
+	;;
     *:AROS:*:*)
 	GUESS=$UNAME_MACHINE-unknown-aros
 	;;
diff --git a/contrib/unbound/config.h.in b/contrib/unbound/config.h.in
index e8a26735d2d3..197c2838b33f 100644
--- a/contrib/unbound/config.h.in
+++ b/contrib/unbound/config.h.in
@@ -381,6 +381,9 @@
 /* Define to 1 if you have the <netinet/tcp.h> header file. */
 #undef HAVE_NETINET_TCP_H
 
+/* Define to 1 if you have the <netioapi.h> header file. */
+#undef HAVE_NETIOAPI_H
+
 /* Use libnettle for crypto */
 #undef HAVE_NETTLE
 
diff --git a/contrib/unbound/config.sub b/contrib/unbound/config.sub
index d74fb6deac94..dba16e84c77c 100755
--- a/contrib/unbound/config.sub
+++ b/contrib/unbound/config.sub
@@ -1,14 +1,14 @@
 #! /bin/sh
 # Configuration validation subroutine script.
-#   Copyright 1992-2021 Free Software Foundation, Inc.
+#   Copyright 1992-2022 Free Software Foundation, Inc.
 
 # shellcheck disable=SC2006,SC2268 # see below for rationale
 
-timestamp='2021-08-14'
+timestamp='2022-01-03'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
+# the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful, but
@@ -76,7 +76,7 @@ Report bugs and patches to <config-patches@gnu.org>."
 version="\
 GNU config.sub ($timestamp)
 
-Copyright 1992-2021 Free Software Foundation, Inc.
+Copyright 1992-2022 Free Software Foundation, Inc.
 
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -1020,6 +1020,11 @@ case $cpu-$vendor in
 		;;
 
 	# Here we normalize CPU types with a missing or matching vendor
+	armh-unknown | armh-alt)
+		cpu=armv7l
+		vendor=alt
+		basic_os=${basic_os:-linux-gnueabihf}
+		;;
 	dpx20-unknown | dpx20-bull)
 		cpu=rs6000
 		vendor=bull
@@ -1121,7 +1126,7 @@ case $cpu-$vendor in
 	xscale-* | xscalee[bl]-*)
 		cpu=`echo "$cpu" | sed 's/^xscale/arm/'`
 		;;
-	arm64-*)
+	arm64-* | aarch64le-*)
 		cpu=aarch64
 		;;
 
@@ -1304,7 +1309,7 @@ esac
 if test x$basic_os != x
 then
 
-# First recognize some ad-hoc caes, or perhaps split kernel-os, or else just
+# First recognize some ad-hoc cases, or perhaps split kernel-os, or else just
 # set os.
 case $basic_os in
 	gnu/linux*)
@@ -1748,7 +1753,8 @@ case $os in
 	     | skyos* | haiku* | rdos* | toppers* | drops* | es* \
 	     | onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \
 	     | midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \
-	     | nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr*)
+	     | nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr* \
+	     | fiwix* )
 		;;
 	# This one is extra strict with allowed versions
 	sco3.2v2 | sco3.2v[4-9]* | sco5v6*)
diff --git a/contrib/unbound/configure b/contrib/unbound/configure
index 0e964568e234..48f9c2d02b68 100755
--- a/contrib/unbound/configure
+++ b/contrib/unbound/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.14.0.
+# Generated by GNU Autoconf 2.69 for unbound 1.15.0.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.14.0'
-PACKAGE_STRING='unbound 1.14.0'
+PACKAGE_VERSION='1.15.0'
+PACKAGE_STRING='unbound 1.15.0'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
 
@@ -1466,7 +1466,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.14.0 to adapt to many kinds of systems.
+\`configure' configures unbound 1.15.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1531,7 +1531,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.14.0:";;
+     short | recursive ) echo "Configuration of unbound 1.15.0:";;
    esac
   cat <<\_ACEOF
 
@@ -1773,7 +1773,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.14.0
+unbound configure 1.15.0
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2482,7 +2482,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.14.0, which was
+It was created by unbound $as_me 1.15.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2832,13 +2832,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 UNBOUND_VERSION_MAJOR=1
 
-UNBOUND_VERSION_MINOR=14
+UNBOUND_VERSION_MINOR=15
 
 UNBOUND_VERSION_MICRO=0
 
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=14
+LIBUNBOUND_REVISION=15
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2920,6 +2920,7 @@ LIBUNBOUND_AGE=1
 # 1.13.1 had 9:12:1
 # 1.13.2 had 9:13:1
 # 1.14.0 had 9:14:1
+# 1.15.0 had 9:15:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -14812,6 +14813,51 @@ fi
 
 done
 
+for ac_header in netioapi.h
+do :
+  ac_fn_c_check_header_compile "$LINENO" "netioapi.h" "ac_cv_header_netioapi_h" "$ac_includes_default
+#if HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+#ifdef HAVE_NETINET_TCP_H
+#include <netinet/tcp.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#ifdef HAVE_WINSOCK2_H
+#include <winsock2.h>
+#endif
+
+#ifdef HAVE_WS2TCPIP_H
+#include <ws2tcpip.h>
+#endif
+
+"
+if test "x$ac_cv_header_netioapi_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_NETIOAPI_H 1
+_ACEOF
+
+fi
+
+done
+
 
 # check for types.
 # Using own tests for int64* because autoconf builtin only give 32bit.
@@ -17895,7 +17941,7 @@ if test "`uname`" = "NetBSD"; then
 
 fi
 
-if test "`uname -o`" = "GNU/Linux"; then
+if test "`uname`" = "Linux"; then
 	# splint cannot parse modern c99 header files
 	GCC_DOCKER_LINTFLAGS='-syntax'
 
@@ -21840,7 +21886,7 @@ _ACEOF
 
 
 
-version=1.14.0
+version=1.15.0
 
 date=`date +'%b %e, %Y'`
 
@@ -22359,7 +22405,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.14.0, which was
+This file was extended by unbound $as_me 1.15.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22425,7 +22471,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.14.0
+unbound config.status 1.15.0
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/contrib/unbound/configure.ac b/contrib/unbound/configure.ac
index 36fdb4598c27..5c7da1978131 100644
--- a/contrib/unbound/configure.ac
+++ b/contrib/unbound/configure.ac
@@ -10,7 +10,7 @@ sinclude(dnscrypt/dnscrypt.m4)
 
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[14])
+m4_define([VERSION_MINOR],[15])
 m4_define([VERSION_MICRO],[0])
 AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
@@ -18,7 +18,7 @@ AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=14
+LIBUNBOUND_REVISION=15
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -100,6 +100,7 @@ LIBUNBOUND_AGE=1
 # 1.13.1 had 9:12:1
 # 1.13.2 had 9:13:1
 # 1.14.0 had 9:14:1
+# 1.15.0 had 9:15:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -412,6 +413,39 @@ AC_CHECK_HEADERS([net/if.h],,, [
 
 # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH
 AC_CHECK_HEADERS([TargetConditionals.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([netioapi.h],,, [AC_INCLUDES_DEFAULT
+#if HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+#ifdef HAVE_NETINET_TCP_H
+#include <netinet/tcp.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#ifdef HAVE_WINSOCK2_H
+#include <winsock2.h>
+#endif
+
+#ifdef HAVE_WS2TCPIP_H
+#include <ws2tcpip.h>
+#endif
+])
 
 # check for types.  
 # Using own tests for int64* because autoconf builtin only give 32bit.
@@ -782,7 +816,7 @@ if test "`uname`" = "NetBSD"; then
 	AC_SUBST(NETBSD_LINTFLAGS)
 fi
 
-if test "`uname -o`" = "GNU/Linux"; then
+if test "`uname`" = "Linux"; then
 	# splint cannot parse modern c99 header files
 	GCC_DOCKER_LINTFLAGS='-syntax'
 	AC_SUBST(GCC_DOCKER_LINTFLAGS)
diff --git a/contrib/unbound/contrib/aaaa-filter-iterator.patch b/contrib/unbound/contrib/aaaa-filter-iterator.patch
index f51de2a40d9b..5513133722db 100644
--- a/contrib/unbound/contrib/aaaa-filter-iterator.patch
+++ b/contrib/unbound/contrib/aaaa-filter-iterator.patch
@@ -1,8 +1,8 @@
 diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
-index f426ac5f..147fbfa9 100644
+index 5a75e319..c6c6dbe2 100644
 --- a/doc/unbound.conf.5.in
 +++ b/doc/unbound.conf.5.in
-@@ -872,6 +872,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when
+@@ -970,6 +970,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when
  this option in enabled. Only use if you know what you are doing.
  This option only has effect when qname-minimisation is enabled. Default is no.
  .TP
@@ -17,10 +17,10 @@ index f426ac5f..147fbfa9 100644
  Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
  and other denials, using information from previous NXDOMAINs answers.
 diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
-index aae934dd..55c55de0 100644
+index f093c1bf..e55a2246 100644
 --- a/iterator/iter_scrub.c
 +++ b/iterator/iter_scrub.c
-@@ -667,6 +667,32 @@ static int sanitize_nsec_is_overreach(struct rrset_parse* rrset,
+@@ -679,6 +679,32 @@ static int sanitize_nsec_is_overreach(sldns_buffer* pkt,
  	return 0;
  }
  
@@ -53,7 +53,7 @@ index aae934dd..55c55de0 100644
  /**
   * Given a response event, remove suspect RRsets from the response.
   * "Suspect" rrsets are potentially poison. Note that this routine expects
-@@ -686,6 +712,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
+@@ -698,6 +724,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
  	struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
  	struct iter_env* ie)
  {
@@ -61,7 +61,7 @@ index aae934dd..55c55de0 100644
  	int del_addi = 0; /* if additional-holding rrsets are deleted, we
  		do not trust the normalized additional-A-AAAA any more */
  	struct rrset_parse* rrset, *prev;
-@@ -721,6 +748,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
+@@ -733,6 +760,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
  		rrset = rrset->rrset_all_next;
  	}
  
@@ -75,7 +75,7 @@ index aae934dd..55c55de0 100644
  	/* At this point, we brutally remove ALL rrsets that aren't 
  	 * children of the originating zone. The idea here is that, 
  	 * as far as we know, the server that we contacted is ONLY 
-@@ -732,6 +766,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
+@@ -744,6 +778,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
  	rrset = msg->rrset_first;
  	while(rrset) {
  
@@ -101,22 +101,22 @@ index aae934dd..55c55de0 100644
  		if( (rrset->type == LDNS_RR_TYPE_A || 
  			rrset->type == LDNS_RR_TYPE_AAAA)) {
 diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
-index 7bc67da6..e10f547a 100644
+index 2482a1f4..bd5ba243 100644
 --- a/iterator/iter_utils.c
 +++ b/iterator/iter_utils.c
-@@ -175,6 +175,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
- 	}
+@@ -177,6 +177,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
  	iter_env->supports_ipv6 = cfg->do_ip6;
  	iter_env->supports_ipv4 = cfg->do_ip4;
+ 	iter_env->outbound_msg_retry = cfg->outbound_msg_retry;
 +	iter_env->aaaa_filter = cfg->aaaa_filter;
  	return 1;
  }
  
 diff --git a/iterator/iterator.c b/iterator/iterator.c
-index 23b07ea9..ca29b48c 100644
+index 54006940..768fe202 100644
 --- a/iterator/iterator.c
 +++ b/iterator/iterator.c
-@@ -2127,6 +2127,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
+@@ -2155,6 +2155,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
  
  	return 0;
  }
@@ -170,7 +170,7 @@ index 23b07ea9..ca29b48c 100644
  	
  /** 
   * This is the request event state where the request will be sent to one of
-@@ -2186,6 +2233,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -2216,6 +2263,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
  		return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
  	}
  	
@@ -184,7 +184,7 @@ index 23b07ea9..ca29b48c 100644
  	/* Make sure we have a delegation point, otherwise priming failed
  	 * or another failure occurred */
  	if(!iq->dp) {
-@@ -3574,6 +3628,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -3648,6 +3702,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
  	return 0;
  }
  
@@ -246,7 +246,7 @@ index 23b07ea9..ca29b48c 100644
  /*
   * Return priming query results to interested super querystates.
   * 
-@@ -3593,6 +3702,9 @@ iter_inform_super(struct module_qstate* qstate, int id,
+@@ -3667,6 +3776,9 @@ iter_inform_super(struct module_qstate* qstate, int id,
  	else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*)
  		super->minfo[id])->state == DSNS_FIND_STATE)
  		processDSNSResponse(qstate, id, super);
@@ -256,7 +256,7 @@ index 23b07ea9..ca29b48c 100644
  	else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
  		error_supers(qstate, id, super);
  	else if(qstate->is_priming)
-@@ -3630,6 +3742,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
+@@ -3704,6 +3816,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
  			case INIT_REQUEST_3_STATE:
  				cont = processInitRequest3(qstate, iq, id);
  				break;
@@ -266,7 +266,7 @@ index 23b07ea9..ca29b48c 100644
  			case QUERYTARGETS_STATE:
  				cont = processQueryTargets(qstate, iq, ie, id);
  				break;
-@@ -3961,6 +4076,8 @@ iter_state_to_string(enum iter_state state)
+@@ -4040,6 +4155,8 @@ iter_state_to_string(enum iter_state state)
  		return "INIT REQUEST STATE (stage 2)";
  	case INIT_REQUEST_3_STATE:
  		return "INIT REQUEST STATE (stage 3)";
@@ -275,7 +275,7 @@ index 23b07ea9..ca29b48c 100644
  	case QUERYTARGETS_STATE :
  		return "QUERY TARGETS STATE";
  	case PRIME_RESP_STATE :
-@@ -3985,6 +4102,7 @@ iter_state_is_responsestate(enum iter_state s)
+@@ -4064,6 +4181,7 @@ iter_state_is_responsestate(enum iter_state s)
  		case INIT_REQUEST_STATE :
  		case INIT_REQUEST_2_STATE :
  		case INIT_REQUEST_3_STATE :
@@ -284,10 +284,10 @@ index 23b07ea9..ca29b48c 100644
  		case COLLECT_CLASS_STATE :
  			return 0;
 diff --git a/iterator/iterator.h b/iterator/iterator.h
-index 342ac207..731948d1 100644
+index 8b840528..a61c4195 100644
 --- a/iterator/iterator.h
 +++ b/iterator/iterator.h
-@@ -135,6 +135,9 @@ struct iter_env {
+@@ -133,6 +133,9 @@ struct iter_env {
  	 */
  	int* target_fetch_policy;
  
@@ -297,7 +297,7 @@ index 342ac207..731948d1 100644
  	/** lock on ratelimit counter */
  	lock_basic_type queries_ratelimit_lock;
  	/** number of queries that have been ratelimited */
-@@ -186,6 +189,14 @@ enum iter_state {
+@@ -187,6 +190,14 @@ enum iter_state {
  	 */
  	INIT_REQUEST_3_STATE,
  
@@ -312,7 +312,7 @@ index 342ac207..731948d1 100644
  	/**
  	 * Each time a delegation point changes for a given query or a 
  	 * query times out and/or wakes up, this state is (re)visited. 
-@@ -375,6 +386,13 @@ struct iter_qstate {
+@@ -376,6 +387,13 @@ struct iter_qstate {
  	 */
  	int refetch_glue;
  
@@ -327,10 +327,10 @@ index 342ac207..731948d1 100644
  	struct outbound_list outlist;
  
 diff --git a/pythonmod/interface.i b/pythonmod/interface.i
-index f08b575d..47f1bb2e 100644
+index 1ca8686a..d91b19ec 100644
 --- a/pythonmod/interface.i
 +++ b/pythonmod/interface.i
-@@ -975,6 +975,7 @@ struct config_file {
+@@ -995,6 +995,7 @@ struct config_file {
     int harden_dnssec_stripped;
     int harden_referral_path;
     int use_caps_bits_for_id;
@@ -339,10 +339,10 @@ index f08b575d..47f1bb2e 100644
     struct config_strlist* private_domain;
     size_t unwanted_threshold;
 diff --git a/util/config_file.c b/util/config_file.c
-index 0ab8614a..729fb147 100644
+index 969d664b..8d94b008 100644
 --- a/util/config_file.c
 +++ b/util/config_file.c
-@@ -218,6 +218,7 @@ config_create(void)
+@@ -231,6 +231,7 @@ config_create(void)
  	cfg->harden_referral_path = 0;
  	cfg->harden_algo_downgrade = 0;
  	cfg->use_caps_bits_for_id = 0;
@@ -351,10 +351,10 @@ index 0ab8614a..729fb147 100644
  	cfg->private_address = NULL;
  	cfg->private_domain = NULL;
 diff --git a/util/config_file.h b/util/config_file.h
-index e61257a3..dabaa7bb 100644
+index c7c9a0a4..e3aa15b0 100644
 --- a/util/config_file.h
 +++ b/util/config_file.h
-@@ -260,6 +260,8 @@ struct config_file {
+@@ -285,6 +285,8 @@ struct config_file {
  	int harden_algo_downgrade;
  	/** use 0x20 bits in query as random ID bits */
  	int use_caps_bits_for_id;
@@ -364,38 +364,38 @@ index e61257a3..dabaa7bb 100644
  	struct config_strlist* caps_whitelist;
  	/** strip away these private addrs from answers, no DNS Rebinding */
 diff --git a/util/configlexer.lex b/util/configlexer.lex
-index 79a0edca..4eaec678 100644
+index 34a0e5dd..c890be2a 100644
 --- a/util/configlexer.lex
 +++ b/util/configlexer.lex
-@@ -304,6 +304,7 @@ harden-algo-downgrade{COLON}	{ YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) }
- use-caps-for-id{COLON}		{ YDVAR(1, VAR_USE_CAPS_FOR_ID) }
+@@ -317,6 +317,7 @@ use-caps-for-id{COLON}		{ YDVAR(1, VAR_USE_CAPS_FOR_ID) }
  caps-whitelist{COLON}		{ YDVAR(1, VAR_CAPS_WHITELIST) }
+ caps-exempt{COLON}		{ YDVAR(1, VAR_CAPS_WHITELIST) }
  unwanted-reply-threshold{COLON}	{ YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
 +aaaa-filter{COLON}		{ YDVAR(1, VAR_AAAA_FILTER) }
  private-address{COLON}		{ YDVAR(1, VAR_PRIVATE_ADDRESS) }
  private-domain{COLON}		{ YDVAR(1, VAR_PRIVATE_DOMAIN) }
  prefetch-key{COLON}		{ YDVAR(1, VAR_PREFETCH_KEY) }
 diff --git a/util/configparser.y b/util/configparser.y
-index 1d0e8658..f284dd43 100644
+index d4f965f9..8cc237c6 100644
 --- a/util/configparser.y
 +++ b/util/configparser.y
 @@ -97,6 +97,7 @@ extern struct config_parser_state* cfg_parser;
- %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT 
+ %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT
  %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
  %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
 +%token VAR_AAAA_FILTER
  %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
  %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
  %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
-@@ -233,6 +234,7 @@ content_server: server_num_threads | server_verbosity | server_port |
+@@ -247,6 +248,7 @@ content_server: server_num_threads | server_verbosity | server_port |
  	server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
  	server_harden_referral_path | server_private_address |
- 	server_private_domain | server_extended_statistics | 
+ 	server_private_domain | server_extended_statistics |
 +	server_aaaa_filter |
- 	server_local_data_ptr | server_jostle_timeout | 
- 	server_unwanted_reply_threshold | server_log_time_ascii | 
- 	server_domain_insecure | server_val_sig_skew_min | 
-@@ -1563,6 +1565,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
+ 	server_local_data_ptr | server_jostle_timeout |
+ 	server_unwanted_reply_threshold | server_log_time_ascii |
+ 	server_domain_insecure | server_val_sig_skew_min |
+@@ -1754,6 +1756,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
  			yyerror("out of memory");
  	}
  	;
diff --git a/contrib/unbound/daemon/remote.c b/contrib/unbound/daemon/remote.c
index adf0383895d4..675ef43970d1 100644
--- a/contrib/unbound/daemon/remote.c
+++ b/contrib/unbound/daemon/remote.c
@@ -300,6 +300,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
 		 */
 		if(fd != -1) {
 #ifdef HAVE_CHOWN
+			chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
 			if (cfg->username && cfg->username[0] &&
 				cfg_uid != (uid_t)-1) {
 				if(chown(ip, cfg_uid, cfg_gid) == -1)
@@ -307,7 +308,6 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
 					  (unsigned)cfg_uid, (unsigned)cfg_gid,
 					  ip, strerror(errno));
 			}
-			chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
 #else
 			(void)cfg;
 #endif
@@ -2015,7 +2015,7 @@ print_root_fwds(RES* ssl, struct iter_forwards* fwds, uint8_t* root)
 
 /** parse args into delegpt */
 static struct delegpt*
-parse_delegpt(RES* ssl, char* args, uint8_t* nm, int allow_names)
+parse_delegpt(RES* ssl, char* args, uint8_t* nm)
 {
 	/* parse args and add in */
 	char* p = args;
@@ -2037,40 +2037,35 @@ parse_delegpt(RES* ssl, char* args, uint8_t* nm, int allow_names)
 		}
 		/* parse address */
 		if(!authextstrtoaddr(todo, &addr, &addrlen, &auth_name)) {
-			if(allow_names) {
-				uint8_t* n = NULL;
-				size_t ln;
-				int lb;
-				if(!parse_arg_name(ssl, todo, &n, &ln, &lb)) {
-					(void)ssl_printf(ssl, "error cannot "
-						"parse IP address or name "
-						"'%s'\n", todo);
-					delegpt_free_mlc(dp);
-					return NULL;
-				}
-				if(!delegpt_add_ns_mlc(dp, n, 0)) {
-					(void)ssl_printf(ssl, "error out of memory\n");
-					free(n);
-					delegpt_free_mlc(dp);
-					return NULL;
-				}
-				free(n);
-
-			} else {
+			uint8_t* dname= NULL;
+			int port;
+			dname = authextstrtodname(todo, &port, &auth_name);
+			if(!dname) {
 				(void)ssl_printf(ssl, "error cannot parse"
-					" IP address '%s'\n", todo);
+					" '%s'\n", todo);
+				delegpt_free_mlc(dp);
+				return NULL;
+			}
+#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
+			if(auth_name)
+				log_err("no name verification functionality in "
+				"ssl library, ignored name for %s", todo);
+#endif
+			if(!delegpt_add_ns_mlc(dp, dname, 0, auth_name, port)) {
+				(void)ssl_printf(ssl, "error out of memory\n");
+				free(dname);
 				delegpt_free_mlc(dp);
 				return NULL;
 			}
 		} else {
 #if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
 			if(auth_name)
-			  log_err("no name verification functionality in "
+				log_err("no name verification functionality in "
 				"ssl library, ignored name for %s", todo);
 #endif
 			/* add address */
 			if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
-				auth_name)) {
+				auth_name, -1)) {
 				(void)ssl_printf(ssl, "error out of memory\n");
 				delegpt_free_mlc(dp);
 				return NULL;
@@ -2103,7 +2098,7 @@ do_forward(RES* ssl, struct worker* worker, char* args)
 		forwards_delete_zone(fwd, LDNS_RR_CLASS_IN, root);
 	} else {
 		struct delegpt* dp;
-		if(!(dp = parse_delegpt(ssl, args, root, 0)))
+		if(!(dp = parse_delegpt(ssl, args, root)))
 			return;
 		if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) {
 			(void)ssl_printf(ssl, "error out of memory\n");
@@ -2149,7 +2144,7 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
 
 	/* parse dp */
 	if(dp) {
-		if(!(*dp = parse_delegpt(ssl, args, *nm, 1))) {
+		if(!(*dp = parse_delegpt(ssl, args, *nm))) {
 			free(*nm);
 			return 0;
 		}
@@ -2865,6 +2860,8 @@ struct ratelimit_list_arg {
 	int all;
 	/** current time */
 	time_t now;
+	/** if backoff is enabled */
+	int backoff;
 };
 
 #define ip_ratelimit_list_arg ratelimit_list_arg
@@ -2878,7 +2875,7 @@ rate_list(struct lruhash_entry* e, void* arg)
 	struct rate_data* d = (struct rate_data*)e->data;
 	char buf[257];
 	int lim = infra_find_ratelimit(a->infra, k->name, k->namelen);
-	int max = infra_rate_max(d, a->now);
+	int max = infra_rate_max(d, a->now, a->backoff);
 	if(a->all == 0) {
 		if(max < lim)
 			return;
@@ -2896,7 +2893,7 @@ ip_rate_list(struct lruhash_entry* e, void* arg)
 	struct ip_rate_key* k = (struct ip_rate_key*)e->key;
 	struct ip_rate_data* d = (struct ip_rate_data*)e->data;
 	int lim = infra_ip_ratelimit;
-	int max = infra_rate_max(d, a->now);
+	int max = infra_rate_max(d, a->now, a->backoff);
 	if(a->all == 0) {
 		if(max < lim)
 			return;
@@ -2914,6 +2911,7 @@ do_ratelimit_list(RES* ssl, struct worker* worker, char* arg)
 	a.infra = worker->env.infra_cache;
 	a.now = *worker->env.now;
 	a.ssl = ssl;
+	a.backoff = worker->env.cfg->ratelimit_backoff;
 	arg = skipwhite(arg);
 	if(strcmp(arg, "+a") == 0)
 		a.all = 1;
@@ -2932,6 +2930,7 @@ do_ip_ratelimit_list(RES* ssl, struct worker* worker, char* arg)
 	a.infra = worker->env.infra_cache;
 	a.now = *worker->env.now;
 	a.ssl = ssl;
+	a.backoff = worker->env.cfg->ip_ratelimit_backoff;
 	arg = skipwhite(arg);
 	if(strcmp(arg, "+a") == 0)
 		a.all = 1;
diff --git a/contrib/unbound/daemon/worker.c b/contrib/unbound/daemon/worker.c
index 5d2483cd2cd9..862affb24e9a 100644
--- a/contrib/unbound/daemon/worker.c
+++ b/contrib/unbound/daemon/worker.c
@@ -1167,7 +1167,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 
 	/* check if this query should be dropped based on source ip rate limiting */
 	if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo,
-			*worker->env.now, c->buffer)) {
+			*worker->env.now,
+			worker->env.cfg->ip_ratelimit_backoff, c->buffer)) {
 		/* See if we are passed through with slip factor */
 		if(worker->env.cfg->ip_ratelimit_factor != 0 &&
 			ub_random_max(worker->env.rnd,
@@ -1967,9 +1968,10 @@ worker_delete(struct worker* worker)
 
 struct outbound_entry*
 worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec,
-	int want_dnssec, int nocaps, struct sockaddr_storage* addr,
-	socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream,
-	int ssl_upstream, char* tls_auth_name, struct module_qstate* q)
+	int want_dnssec, int nocaps, int check_ratelimit,
+	struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone,
+	size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name,
+	struct module_qstate* q, int* was_ratelimited)
 {
 	struct worker* worker = q->env->worker;
 	struct outbound_entry* e = (struct outbound_entry*)regional_alloc(
@@ -1978,9 +1980,10 @@ worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec,
 		return NULL;
 	e->qstate = q;
 	e->qsent = outnet_serviced_query(worker->back, qinfo, flags, dnssec,
-		want_dnssec, nocaps, tcp_upstream,
+		want_dnssec, nocaps, check_ratelimit, tcp_upstream,
 		ssl_upstream, tls_auth_name, addr, addrlen, zone, zonelen, q,
-		worker_handle_service_reply, e, worker->back->udp_buff, q->env);
+		worker_handle_service_reply, e, worker->back->udp_buff, q->env,
+		was_ratelimited);
 	if(!e->qsent) {
 		return NULL;
 	}
@@ -2024,10 +2027,11 @@ struct outbound_entry* libworker_send_query(
 	struct query_info* ATTR_UNUSED(qinfo),
 	uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec),
 	int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps),
+	int ATTR_UNUSED(check_ratelimit),
 	struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen),
 	uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream),
 	int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name),
-	struct module_qstate* ATTR_UNUSED(q))
+	struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited))
 {
 	log_assert(0);
 	return 0;
diff --git a/contrib/unbound/dnstap/dtstream.c b/contrib/unbound/dnstap/dtstream.c
index 14aacaef567b..a1dd9703ea95 100644
--- a/contrib/unbound/dnstap/dtstream.c
+++ b/contrib/unbound/dnstap/dtstream.c
@@ -188,9 +188,9 @@ mq_wakeup_cb(void* arg)
 
 /** start timer to wakeup dtio because there is content in the queue */
 static void
-dt_msg_queue_start_timer(struct dt_msg_queue* mq)
+dt_msg_queue_start_timer(struct dt_msg_queue* mq, int wakeupnow)
 {
-	struct timeval tv;
+	struct timeval tv = {0};
 	/* Start a timer to process messages to be logged.
*** 6593 LINES SKIPPED ***