Training courses

Kernel and Embedded Linux

Bootlin training courses

Embedded Linux, kernel,
Yocto Project, Buildroot, real-time,
graphics, boot time, debugging...

Bootlin logo

Elixir Cross Referencer

   1
   2
   3
   4
   5
   6
   7
   8
   9
  10
  11
  12
  13
  14
  15
  16
  17
  18
  19
  20
  21
  22
  23
  24
  25
  26
  27
  28
  29
  30
  31
  32
  33
  34
  35
  36
  37
  38
  39
  40
  41
  42
  43
  44
  45
  46
  47
  48
  49
  50
  51
  52
  53
  54
  55
  56
  57
  58
  59
  60
  61
  62
  63
  64
  65
  66
  67
  68
  69
  70
  71
  72
  73
  74
  75
  76
  77
  78
  79
  80
  81
  82
  83
  84
  85
  86
  87
  88
  89
  90
  91
  92
  93
  94
  95
  96
  97
  98
  99
 100
 101
 102
 103
 104
 105
 106
 107
 108
 109
 110
 111
 112
 113
 114
 115
 116
 117
 118
 119
 120
 121
 122
 123
 124
 125
 126
 127
 128
 129
 130
 131
 132
 133
 134
 135
 136
 137
 138
 139
 140
 141
 142
 143
 144
 145
 146
 147
 148
 149
 150
 151
 152
 153
 154
 155
 156
 157
 158
 159
 160
 161
 162
 163
 164
 165
 166
 167
 168
 169
 170
 171
 172
 173
 174
 175
 176
 177
 178
 179
 180
 181
 182
 183
 184
 185
 186
 187
 188
 189
 190
 191
 192
 193
 194
 195
 196
 197
 198
 199
 200
 201
 202
 203
 204
 205
 206
 207
 208
 209
 210
 211
 212
 213
 214
 215
 216
 217
 218
 219
 220
 221
 222
 223
 224
 225
 226
 227
 228
 229
 230
 231
 232
 233
 234
 235
 236
 237
 238
 239
 240
 241
 242
 243
 244
 245
 246
 247
 248
 249
 250
 251
 252
 253
 254
 255
 256
 257
 258
 259
 260
 261
 262
 263
 264
 265
 266
 267
 268
 269
 270
 271
 272
 273
 274
 275
 276
 277
 278
 279
 280
 281
 282
 283
 284
 285
 286
 287
 288
 289
 290
 291
 292
 293
 294
 295
 296
 297
 298
 299
 300
 301
 302
 303
 304
 305
 306
 307
 308
 309
 310
 311
 312
 313
 314
 315
 316
 317
 318
 319
 320
 321
 322
 323
 324
 325
 326
 327
 328
 329
 330
 331
 332
 333
 334
 335
 336
 337
 338
 339
 340
 341
 342
 343
 344
 345
 346
 347
 348
 349
 350
 351
 352
 353
 354
 355
 356
 357
 358
 359
 360
 361
 362
 363
 364
 365
 366
 367
 368
 369
 370
 371
 372
 373
 374
 375
 376
 377
 378
 379
 380
 381
 382
 383
 384
 385
 386
 387
 388
 389
 390
 391
 392
 393
 394
 395
 396
 397
 398
 399
 400
 401
 402
 403
 404
 405
 406
 407
 408
 409
 410
 411
 412
 413
 414
 415
 416
 417
 418
 419
 420
 421
 422
 423
 424
 425
 426
 427
 428
 429
 430
 431
 432
 433
 434
 435
 436
 437
 438
 439
 440
 441
 442
 443
 444
 445
 446
 447
 448
 449
 450
 451
 452
 453
 454
 455
 456
 457
 458
 459
 460
 461
 462
 463
 464
 465
 466
 467
 468
 469
 470
 471
 472
 473
 474
 475
 476
 477
 478
 479
 480
 481
 482
 483
 484
 485
 486
 487
 488
 489
 490
 491
 492
 493
 494
 495
 496
 497
 498
 499
 500
 501
 502
 503
 504
 505
 506
 507
 508
 509
 510
 511
 512
 513
 514
 515
 516
 517
 518
 519
 520
 521
 522
 523
 524
 525
 526
 527
 528
 529
 530
 531
 532
 533
 534
 535
 536
 537
 538
 539
 540
 541
 542
 543
 544
 545
 546
 547
 548
 549
 550
 551
 552
 553
 554
 555
 556
 557
 558
 559
 560
 561
 562
 563
 564
 565
 566
 567
 568
 569
 570
 571
 572
 573
 574
 575
 576
 577
 578
 579
 580
 581
 582
 583
 584
 585
 586
 587
 588
 589
 590
 591
 592
 593
 594
 595
 596
 597
 598
 599
 600
 601
 602
 603
 604
 605
 606
 607
 608
 609
 610
 611
 612
 613
 614
 615
 616
 617
 618
 619
 620
 621
 622
 623
 624
 625
 626
 627
 628
 629
 630
 631
 632
 633
 634
 635
 636
 637
 638
 639
 640
 641
 642
 643
 644
 645
 646
 647
 648
 649
 650
 651
 652
 653
 654
 655
 656
 657
 658
 659
 660
 661
 662
 663
 664
 665
 666
 667
 668
 669
 670
 671
 672
 673
 674
 675
 676
 677
 678
 679
 680
 681
 682
 683
 684
 685
 686
 687
 688
 689
 690
 691
 692
 693
 694
 695
 696
 697
 698
 699
 700
 701
 702
 703
 704
 705
 706
 707
 708
 709
 710
 711
 712
 713
 714
 715
 716
 717
 718
 719
 720
 721
 722
 723
 724
 725
 726
 727
 728
 729
 730
 731
 732
 733
 734
 735
 736
 737
 738
 739
 740
 741
 742
 743
 744
 745
 746
 747
 748
 749
 750
 751
 752
 753
 754
 755
 756
 757
 758
 759
 760
 761
 762
 763
 764
 765
 766
 767
 768
 769
 770
 771
 772
 773
 774
 775
 776
 777
 778
 779
 780
 781
 782
 783
 784
 785
 786
 787
 788
 789
 790
 791
 792
 793
 794
 795
 796
 797
 798
 799
 800
 801
 802
 803
 804
 805
 806
 807
 808
 809
 810
 811
 812
 813
 814
 815
 816
 817
 818
 819
 820
 821
 822
 823
 824
 825
 826
 827
 828
 829
 830
 831
 832
 833
 834
 835
 836
 837
 838
 839
 840
 841
 842
 843
 844
 845
 846
 847
 848
 849
 850
 851
 852
 853
 854
 855
 856
 857
 858
 859
 860
 861
 862
 863
 864
 865
 866
 867
 868
 869
 870
 871
 872
 873
 874
 875
 876
 877
 878
 879
 880
 881
 882
 883
 884
 885
 886
 887
 888
 889
 890
 891
 892
 893
 894
 895
 896
 897
 898
 899
 900
 901
 902
 903
 904
 905
 906
 907
 908
 909
 910
 911
 912
 913
 914
 915
 916
 917
 918
 919
 920
 921
 922
 923
 924
 925
 926
 927
 928
 929
 930
 931
 932
 933
 934
 935
 936
 937
 938
 939
 940
 941
 942
 943
 944
 945
 946
 947
 948
 949
 950
 951
 952
 953
 954
 955
 956
 957
 958
 959
 960
 961
 962
 963
 964
 965
 966
 967
 968
 969
 970
 971
 972
 973
 974
 975
 976
 977
 978
 979
 980
 981
 982
 983
 984
 985
 986
 987
 988
 989
 990
 991
 992
 993
 994
 995
 996
 997
 998
 999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
3052
3053
3054
3055
3056
3057
3058
3059
3060
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083
3084
3085
3086
3087
3088
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
3142
3143
3144
3145
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
3167
3168
3169
3170
3171
3172
3173
3174
3175
3176
3177
3178
3179
3180
3181
3182
3183
3184
3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
3208
3209
3210
3211
3212
3213
3214
3215
3216
3217
3218
3219
3220
3221
3222
3223
3224
3225
3226
3227
3228
3229
3230
3231
3232
3233
3234
3235
3236
3237
3238
3239
3240
3241
3242
3243
3244
3245
3246
3247
3248
3249
3250
3251
3252
3253
3254
3255
3256
3257
3258
3259
3260
3261
3262
3263
3264
3265
3266
3267
3268
3269
3270
3271
3272
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282
3283
3284
3285
3286
3287
3288
3289
3290
3291
3292
3293
3294
3295
3296
3297
3298
3299
3300
3301
3302
3303
3304
3305
3306
3307
3308
3309
3310
3311
3312
3313
3314
3315
3316
3317
3318
3319
3320
3321
3322
3323
3324
3325
3326
3327
3328
3329
3330
3331
3332
3333
3334
3335
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350
3351
3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362
3363
3364
3365
3366
3367
3368
3369
3370
3371
3372
3373
3374
3375
3376
3377
3378
3379
3380
3381
3382
3383
3384
3385
3386
3387
3388
3389
3390
3391
3392
3393
3394
3395
3396
3397
3398
3399
3400
3401
3402
3403
3404
3405
3406
3407
3408
3409
3410
3411
3412
3413
3414
3415
3416
3417
3418
3419
3420
3421
3422
3423
3424
3425
3426
3427
3428
3429
3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442
3443
3444
3445
3446
3447
3448
3449
3450
3451
3452
3453
3454
3455
3456
3457
3458
3459
3460
3461
3462
3463
3464
3465
3466
3467
3468
3469
3470
3471
3472
3473
3474
3475
3476
3477
3478
3479
3480
3481
3482
3483
3484
3485
3486
3487
3488
3489
3490
3491
3492
3493
3494
3495
3496
3497
3498
3499
3500
3501
3502
3503
3504
3505
3506
3507
3508
3509
3510
3511
3512
3513
3514
3515
3516
3517
3518
3519
3520
3521
3522
3523
3524
3525
3526
3527
3528
3529
3530
3531
3532
3533
3534
3535
3536
3537
3538
3539
3540
3541
3542
3543
3544
3545
3546
3547
3548
3549
3550
3551
3552
3553
3554
3555
3556
3557
3558
3559
3560
3561
3562
3563
3564
3565
3566
3567
3568
3569
3570
3571
3572
3573
3574
3575
3576
3577
3578
3579
3580
3581
3582
3583
3584
3585
3586
3587
3588
3589
3590
3591
3592
3593
3594
3595
3596
3597
3598
3599
3600
3601
3602
3603
3604
3605
3606
3607
3608
3609
3610
3611
3612
3613
3614
3615
3616
3617
3618
3619
3620
3621
3622
3623
3624
3625
3626
3627
3628
3629
3630
3631
3632
3633
3634
3635
3636
3637
3638
3639
3640
3641
3642
3643
3644
3645
3646
3647
3648
3649
3650
3651
3652
3653
3654
3655
3656
3657
3658
3659
3660
3661
3662
3663
3664
3665
3666
3667
3668
3669
3670
3671
3672
3673
3674
3675
3676
3677
3678
3679
3680
3681
3682
3683
3684
3685
3686
3687
3688
3689
3690
3691
3692
3693
3694
3695
3696
3697
3698
3699
3700
3701
3702
3703
3704
3705
3706
3707
3708
3709
3710
3711
3712
3713
3714
3715
3716
3717
3718
3719
3720
3721
3722
3723
3724
3725
3726
3727
3728
3729
3730
3731
3732
3733
3734
3735
3736
3737
3738
3739
3740
3741
3742
3743
3744
3745
3746
3747
3748
3749
3750
3751
3752
3753
3754
3755
3756
3757
3758
3759
3760
3761
3762
3763
3764
3765
3766
3767
3768
3769
3770
3771
3772
3773
3774
3775
3776
3777
3778
3779
3780
3781
3782
3783
3784
3785
3786
3787
3788
3789
3790
3791
3792
3793
3794
3795
3796
3797
3798
3799
3800
3801
3802
3803
3804
3805
3806
3807
3808
3809
3810
3811
3812
3813
3814
3815
3816
3817
3818
3819
3820
3821
3822
3823
3824
3825
3826
3827
3828
3829
3830
3831
3832
3833
3834
3835
3836
3837
3838
3839
3840
3841
3842
3843
3844
3845
3846
3847
3848
3849
3850
3851
3852
3853
3854
3855
3856
3857
3858
3859
3860
3861
3862
3863
3864
3865
3866
3867
3868
3869
3870
3871
3872
3873
3874
3875
3876
3877
3878
3879
3880
3881
3882
3883
3884
3885
3886
3887
3888
3889
3890
3891
3892
3893
3894
3895
3896
3897
3898
3899
3900
3901
3902
3903
3904
3905
3906
3907
3908
3909
3910
3911
3912
3913
3914
3915
3916
3917
3918
3919
3920
3921
3922
3923
3924
3925
3926
3927
3928
3929
3930
3931
3932
3933
3934
3935
3936
3937
3938
3939
3940
3941
3942
3943
3944
3945
3946
3947
3948
3949
3950
3951
3952
3953
3954
3955
3956
3957
3958
3959
3960
3961
3962
3963
3964
3965
3966
3967
3968
3969
3970
3971
3972
3973
3974
3975
3976
3977
3978
3979
3980
3981
3982
3983
3984
3985
3986
3987
3988
3989
3990
3991
3992
3993
3994
3995
3996
3997
3998
3999
4000
4001
4002
4003
4004
4005
4006
4007
4008
4009
4010
4011
4012
4013
4014
4015
4016
4017
4018
4019
4020
4021
4022
4023
4024
4025
4026
4027
4028
4029
4030
4031
4032
4033
4034
4035
4036
4037
4038
4039
4040
4041
4042
4043
4044
4045
4046
4047
4048
4049
4050
4051
4052
4053
4054
4055
4056
4057
4058
4059
4060
4061
4062
4063
4064
4065
4066
4067
4068
4069
4070
4071
4072
4073
4074
4075
4076
4077
4078
4079
4080
4081
4082
4083
4084
4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099
4100
4101
4102
4103
4104
4105
4106
4107
4108
4109
4110
4111
4112
4113
4114
4115
4116
4117
4118
4119
4120
4121
4122
4123
4124
4125
4126
4127
4128
4129
4130
4131
4132
4133
4134
4135
4136
4137
4138
4139
4140
4141
4142
4143
4144
4145
4146
4147
4148
4149
4150
4151
4152
4153
4154
4155
4156
4157
4158
4159
4160
4161
4162
4163
4164
4165
4166
4167
4168
4169
4170
4171
4172
4173
4174
4175
4176
4177
4178
4179
4180
4181
4182
4183
4184
4185
4186
4187
4188
4189
4190
4191
4192
4193
4194
4195
4196
4197
4198
4199
4200
4201
4202
4203
4204
4205
4206
4207
4208
4209
4210
4211
4212
4213
4214
4215
4216
4217
4218
4219
4220
4221
4222
4223
4224
4225
4226
4227
4228
4229
4230
4231
4232
4233
4234
4235
4236
4237
4238
4239
4240
4241
4242
4243
4244
4245
4246
4247
4248
4249
4250
4251
4252
4253
4254
4255
4256
4257
4258
4259
4260
4261
4262
4263
4264
4265
4266
4267
4268
4269
4270
4271
4272
4273
4274
4275
4276
4277
4278
4279
4280
4281
4282
4283
4284
4285
4286
4287
4288
4289
4290
4291
4292
4293
4294
4295
4296
4297
4298
4299
4300
4301
4302
4303
4304
4305
4306
4307
4308
4309
4310
4311
4312
4313
4314
4315
4316
4317
4318
4319
4320
4321
4322
4323
4324
4325
4326
4327
4328
4329
4330
4331
4332
4333
4334
4335
4336
4337
4338
4339
4340
4341
4342
4343
4344
4345
4346
4347
4348
4349
4350
4351
4352
4353
4354
4355
4356
4357
4358
4359
4360
4361
4362
4363
4364
4365
4366
4367
4368
4369
4370
4371
4372
4373
4374
4375
4376
4377
4378
4379
4380
4381
4382
4383
4384
4385
4386
4387
4388
4389
4390
4391
4392
4393
4394
4395
4396
4397
4398
4399
4400
4401
4402
4403
4404
4405
4406
4407
4408
4409
4410
4411
4412
4413
4414
4415
4416
4417
4418
4419
4420
4421
4422
4423
4424
4425
4426
4427
4428
4429
4430
4431
4432
4433
4434
4435
4436
4437
4438
4439
4440
4441
4442
4443
4444
4445
4446
4447
4448
4449
4450
4451
4452
4453
4454
4455
4456
4457
4458
4459
4460
4461
4462
4463
4464
4465
4466
4467
4468
4469
4470
4471
4472
4473
4474
4475
4476
4477
4478
4479
4480
4481
4482
4483
4484
4485
4486
4487
4488
4489
4490
4491
4492
4493
4494
4495
4496
4497
4498
4499
4500
4501
4502
4503
4504
4505
4506
4507
4508
4509
4510
4511
4512
4513
4514
4515
4516
4517
4518
4519
4520
4521
4522
4523
4524
4525
4526
4527
4528
4529
4530
4531
4532
4533
4534
4535
4536
4537
4538
4539
4540
4541
4542
4543
4544
4545
4546
4547
4548
4549
4550
4551
4552
4553
4554
4555
4556
4557
4558
4559
4560
4561
4562
4563
4564
4565
4566
4567
4568
4569
4570
4571
4572
4573
4574
4575
4576
4577
4578
4579
4580
4581
4582
4583
4584
4585
4586
4587
4588
4589
4590
4591
4592
4593
4594
4595
4596
4597
4598
4599
4600
4601
4602
4603
4604
4605
4606
4607
4608
4609
4610
4611
4612
4613
4614
4615
4616
4617
4618
4619
4620
4621
4622
4623
4624
4625
4626
4627
4628
4629
4630
4631
4632
4633
4634
4635
4636
4637
4638
4639
4640
4641
4642
4643
4644
4645
4646
4647
4648
4649
4650
4651
4652
4653
4654
4655
4656
4657
4658
4659
4660
4661
4662
4663
4664
4665
4666
4667
4668
4669
4670
4671
4672
4673
4674
4675
4676
4677
4678
4679
4680
4681
4682
4683
4684
4685
4686
4687
4688
4689
4690
4691
4692
4693
4694
4695
4696
4697
4698
4699
4700
4701
4702
4703
4704
4705
4706
4707
4708
4709
4710
4711
4712
4713
4714
4715
4716
4717
4718
4719
4720
4721
4722
4723
4724
4725
4726
4727
4728
4729
4730
4731
4732
4733
4734
4735
4736
4737
4738
4739
4740
4741
4742
4743
4744
4745
4746
4747
4748
4749
4750
4751
4752
4753
4754
4755
4756
4757
4758
4759
4760
4761
4762
4763
4764
4765
4766
4767
4768
4769
4770
4771
4772
4773
4774
4775
4776
4777
4778
4779
4780
4781
4782
4783
4784
4785
4786
4787
4788
4789
4790
4791
4792
4793
4794
4795
4796
4797
4798
4799
4800
4801
4802
4803
4804
4805
4806
4807
4808
4809
4810
4811
4812
4813
4814
4815
4816
4817
4818
4819
4820
4821
4822
4823
4824
4825
4826
4827
4828
4829
4830
4831
4832
4833
4834
4835
4836
4837
4838
4839
4840
4841
4842
4843
4844
4845
4846
4847
4848
4849
4850
4851
4852
4853
4854
4855
4856
4857
4858
4859
4860
4861
4862
4863
4864
4865
4866
4867
4868
4869
4870
4871
4872
4873
4874
4875
4876
4877
4878
4879
4880
4881
4882
4883
4884
4885
4886
4887
4888
4889
4890
4891
4892
4893
4894
4895
4896
4897
4898
4899
4900
4901
4902
4903
4904
4905
4906
4907
4908
4909
4910
4911
4912
4913
4914
4915
4916
4917
4918
4919
4920
4921
4922
4923
4924
4925
4926
4927
4928
4929
4930
4931
4932
4933
4934
4935
4936
4937
4938
4939
4940
4941
4942
4943
4944
4945
4946
4947
4948
4949
4950
4951
4952
4953
4954
4955
4956
4957
4958
4959
4960
4961
4962
4963
4964
4965
4966
4967
4968
4969
4970
4971
4972
4973
4974
4975
4976
4977
4978
4979
4980
4981
4982
4983
4984
4985
4986
4987
4988
4989
4990
4991
4992
4993
4994
4995
4996
4997
4998
4999
5000
5001
5002
5003
5004
5005
5006
5007
5008
5009
5010
5011
5012
5013
5014
5015
5016
5017
5018
5019
5020
5021
5022
5023
5024
5025
5026
5027
5028
5029
5030
5031
5032
5033
5034
5035
5036
5037
5038
5039
5040
5041
5042
5043
5044
5045
5046
5047
5048
5049
5050
5051
5052
5053
5054
5055
5056
5057
5058
5059
5060
5061
5062
5063
5064
5065
5066
5067
5068
5069
5070
5071
5072
5073
5074
5075
5076
5077
5078
5079
5080
5081
5082
5083
5084
5085
5086
5087
5088
5089
5090
5091
5092
5093
5094
5095
5096
5097
5098
5099
5100
5101
5102
5103
5104
5105
5106
5107
5108
5109
5110
5111
5112
5113
5114
5115
5116
5117
5118
5119
5120
5121
5122
5123
5124
5125
5126
5127
5128
5129
5130
5131
5132
5133
5134
5135
5136
5137
5138
5139
5140
5141
5142
5143
5144
5145
5146
5147
5148
5149
5150
5151
5152
5153
5154
5155
5156
5157
5158
5159
5160
5161
5162
5163
5164
5165
5166
5167
5168
5169
5170
5171
5172
5173
5174
5175
5176
5177
5178
5179
5180
5181
5182
5183
5184
5185
5186
5187
5188
5189
5190
5191
5192
5193
5194
5195
5196
5197
5198
5199
5200
5201
5202
5203
5204
5205
5206
5207
5208
5209
5210
5211
5212
5213
5214
5215
5216
5217
5218
5219
5220
5221
5222
5223
5224
5225
5226
5227
5228
5229
5230
5231
5232
5233
5234
5235
5236
5237
5238
5239
5240
5241
5242
5243
5244
5245
5246
5247
5248
5249
5250
5251
5252
5253
5254
5255
5256
5257
5258
5259
5260
5261
5262
5263
5264
5265
5266
5267
5268
5269
5270
5271
5272
5273
5274
5275
5276
5277
5278
5279
5280
5281
5282
5283
5284
5285
5286
5287
5288
5289
5290
5291
5292
5293
5294
5295
5296
5297
5298
5299
5300
5301
5302
5303
5304
5305
5306
5307
5308
5309
5310
5311
5312
5313
5314
5315
5316
5317
5318
5319
5320
5321
5322
5323
5324
5325
5326
5327
5328
5329
5330
5331
5332
5333
5334
5335
5336
5337
5338
5339
5340
5341
5342
5343
5344
5345
5346
5347
5348
5349
5350
5351
5352
5353
5354
5355
5356
5357
5358
5359
5360
5361
5362
5363
5364
5365
5366
5367
5368
5369
5370
5371
5372
5373
5374
5375
5376
5377
5378
5379
5380
5381
5382
5383
5384
5385
5386
5387
5388
5389
5390
5391
5392
5393
5394
5395
5396
5397
5398
5399
5400
5401
5402
5403
5404
5405
5406
5407
5408
5409
5410
5411
5412
5413
5414
5415
5416
5417
5418
5419
5420
5421
5422
5423
5424
5425
5426
5427
5428
5429
5430
5431
5432
5433
5434
5435
5436
5437
5438
5439
5440
5441
5442
5443
5444
5445
5446
5447
5448
5449
5450
5451
5452
5453
5454
5455
5456
5457
5458
5459
5460
5461
5462
5463
5464
5465
5466
5467
5468
5469
5470
5471
5472
5473
5474
5475
5476
5477
5478
5479
5480
5481
5482
5483
5484
5485
5486
5487
5488
5489
5490
5491
5492
5493
5494
5495
5496
5497
5498
5499
5500
5501
5502
5503
5504
5505
5506
5507
5508
5509
5510
5511
5512
5513
5514
5515
5516
5517
5518
5519
5520
5521
5522
5523
5524
5525
5526
5527
5528
5529
5530
5531
5532
5533
5534
5535
5536
5537
5538
5539
5540
5541
5542
5543
5544
5545
5546
5547
5548
5549
5550
5551
5552
5553
5554
5555
5556
5557
5558
5559
5560
5561
5562
5563
5564
5565
5566
5567
5568
5569
5570
5571
5572
5573
5574
5575
5576
5577
5578
5579
5580
5581
5582
5583
5584
5585
5586
5587
5588
5589
5590
5591
5592
5593
5594
5595
5596
5597
5598
5599
5600
5601
5602
5603
5604
5605
5606
5607
5608
5609
5610
5611
5612
5613
5614
5615
5616
5617
5618
5619
5620
5621
5622
5623
5624
5625
5626
5627
5628
5629
5630
5631
5632
5633
5634
5635
5636
5637
5638
5639
5640
5641
5642
5643
5644
5645
5646
5647
5648
5649
5650
5651
5652
5653
5654
5655
5656
5657
5658
5659
5660
5661
5662
5663
5664
5665
5666
5667
5668
5669
5670
5671
5672
5673
5674
5675
5676
5677
5678
5679
5680
5681
5682
5683
5684
5685
5686
5687
5688
5689
5690
5691
5692
5693
5694
5695
5696
5697
5698
5699
5700
5701
5702
5703
5704
5705
5706
5707
5708
5709
5710
5711
5712
5713
5714
5715
5716
5717
5718
5719
5720
5721
5722
5723
5724
5725
5726
5727
5728
5729
5730
5731
5732
5733
5734
5735
5736
5737
5738
5739
5740
5741
5742
5743
5744
5745
5746
5747
5748
5749
5750
5751
5752
5753
5754
5755
5756
5757
5758
5759
5760
5761
5762
5763
5764
5765
5766
5767
5768
5769
5770
5771
5772
5773
5774
5775
5776
5777
5778
5779
5780
5781
5782
5783
5784
5785
5786
5787
5788
5789
5790
5791
5792
5793
5794
5795
5796
5797
5798
5799
5800
5801
5802
5803
5804
5805
5806
5807
5808
5809
5810
5811
5812
5813
5814
5815
5816
5817
5818
5819
5820
5821
5822
5823
5824
5825
5826
5827
5828
5829
5830
5831
5832
5833
5834
5835
5836
5837
5838
5839
5840
5841
5842
5843
5844
5845
5846
5847
5848
5849
5850
5851
5852
5853
5854
5855
5856
5857
5858
5859
5860
5861
5862
5863
5864
5865
5866
5867
5868
5869
5870
5871
5872
5873
5874
5875
5876
5877
5878
5879
5880
5881
5882
5883
5884
5885
5886
5887
5888
5889
5890
5891
5892
5893
5894
5895
5896
5897
5898
5899
5900
5901
5902
5903
5904
5905
5906
5907
5908
5909
5910
5911
5912
5913
5914
5915
5916
5917
5918
5919
5920
5921
5922
5923
5924
5925
5926
5927
5928
5929
5930
5931
5932
5933
5934
5935
5936
5937
5938
5939
5940
5941
5942
5943
5944
5945
5946
5947
5948
5949
5950
5951
5952
5953
5954
5955
5956
5957
5958
5959
5960
5961
5962
5963
5964
5965
5966
5967
5968
5969
5970
5971
5972
5973
5974
5975
5976
5977
5978
5979
5980
5981
5982
5983
5984
5985
5986
5987
5988
5989
5990
5991
5992
5993
5994
5995
5996
5997
5998
5999
6000
6001
6002
6003
6004
6005
6006
6007
6008
6009
6010
6011
6012
6013
6014
6015
6016
6017
6018
6019
6020
6021
6022
6023
6024
6025
6026
6027
6028
6029
6030
6031
6032
6033
6034
6035
6036
6037
6038
6039
6040
6041
6042
6043
6044
6045
6046
6047
6048
6049
6050
6051
6052
6053
6054
6055
6056
6057
6058
6059
6060
6061
6062
6063
6064
6065
6066
6067
6068
6069
6070
6071
6072
6073
6074
6075
6076
6077
6078
6079
6080
6081
6082
6083
6084
6085
6086
6087
6088
6089
6090
6091
6092
6093
6094
6095
6096
6097
6098
6099
6100
6101
6102
6103
6104
6105
6106
6107
6108
6109
6110
6111
6112
6113
6114
6115
6116
6117
6118
6119
6120
6121
6122
6123
6124
6125
6126
6127
6128
6129
6130
6131
6132
6133
6134
6135
6136
6137
6138
6139
6140
6141
6142
6143
6144
6145
6146
6147
6148
6149
6150
6151
6152
6153
6154
6155
6156
6157
6158
6159
6160
6161
6162
6163
6164
6165
6166
6167
6168
6169
6170
6171
6172
6173
6174
6175
6176
6177
6178
6179
6180
6181
6182
6183
6184
6185
6186
6187
6188
6189
6190
6191
6192
6193
6194
6195
6196
6197
6198
6199
6200
6201
6202
6203
6204
6205
6206
6207
6208
6209
6210
6211
6212
6213
6214
6215
6216
6217
6218
6219
6220
6221
6222
6223
6224
6225
6226
6227
6228
6229
6230
6231
6232
6233
6234
6235
6236
6237
6238
6239
6240
6241
6242
6243
6244
6245
6246
6247
6248
6249
6250
6251
6252
6253
6254
6255
6256
6257
6258
6259
6260
6261
6262
6263
6264
6265
6266
6267
6268
6269
6270
6271
6272
6273
6274
6275
6276
6277
6278
6279
6280
6281
6282
6283
6284
6285
6286
6287
6288
6289
6290
6291
6292
6293
6294
6295
6296
6297
6298
6299
6300
6301
6302
6303
6304
6305
6306
6307
6308
6309
6310
6311
6312
6313
6314
6315
6316
6317
6318
6319
6320
6321
6322
6323
6324
6325
6326
6327
6328
6329
6330
6331
6332
6333
6334
6335
6336
6337
6338
6339
6340
6341
6342
6343
6344
6345
6346
6347
6348
6349
6350
6351
6352
6353
6354
6355
6356
6357
6358
6359
6360
6361
6362
6363
6364
6365
6366
6367
6368
6369
6370
6371
6372
6373
6374
6375
6376
6377
6378
6379
6380
6381
6382
6383
6384
6385
6386
6387
6388
6389
6390
6391
6392
6393
6394
6395
6396
6397
6398
6399
6400
6401
6402
6403
6404
6405
6406
6407
6408
6409
6410
6411
6412
6413
6414
6415
6416
6417
6418
6419
6420
6421
6422
6423
6424
6425
6426
6427
6428
6429
6430
6431
6432
6433
6434
6435
6436
6437
6438
6439
6440
6441
6442
6443
6444
6445
6446
6447
6448
6449
6450
6451
6452
6453
6454
6455
6456
6457
6458
6459
6460
6461
6462
6463
6464
6465
6466
6467
6468
6469
6470
6471
6472
6473
6474
6475
6476
6477
6478
6479
6480
6481
6482
6483
6484
6485
6486
6487
6488
6489
6490
6491
6492
6493
6494
6495
6496
6497
6498
6499
6500
6501
6502
6503
6504
6505
6506
6507
6508
6509
6510
6511
6512
6513
6514
6515
6516
6517
6518
6519
6520
6521
6522
6523
6524
6525
6526
6527
6528
6529
6530
6531
6532
6533
6534
6535
6536
6537
6538
6539
6540
6541
6542
6543
6544
6545
6546
6547
6548
6549
6550
6551
6552
6553
6554
6555
6556
6557
6558
6559
6560
6561
6562
6563
6564
6565
6566
6567
6568
6569
6570
6571
6572
6573
6574
6575
6576
6577
6578
6579
6580
6581
6582
6583
6584
6585
6586
6587
6588
6589
6590
6591
6592
6593
6594
6595
6596
6597
6598
6599
6600
6601
6602
6603
6604
6605
6606
6607
6608
6609
6610
6611
6612
6613
6614
6615
6616
6617
6618
6619
6620
6621
6622
6623
6624
6625
6626
6627
6628
6629
6630
6631
6632
6633
6634
6635
6636
6637
6638
6639
6640
6641
6642
6643
6644
6645
6646
6647
6648
6649
6650
6651
6652
6653
6654
6655
6656
6657
6658
6659
6660
6661
6662
6663
6664
6665
6666
6667
6668
6669
6670
6671
6672
6673
6674
6675
6676
6677
6678
6679
6680
6681
6682
6683
6684
6685
6686
6687
6688
6689
6690
6691
6692
6693
6694
6695
6696
6697
6698
6699
6700
6701
6702
6703
6704
6705
6706
6707
6708
6709
6710
6711
6712
6713
6714
6715
6716
6717
6718
6719
6720
6721
6722
6723
6724
6725
6726
6727
6728
6729
6730
6731
6732
6733
6734
6735
6736
6737
6738
6739
6740
6741
6742
6743
6744
6745
6746
6747
6748
6749
6750
6751
6752
6753
6754
6755
6756
6757
6758
6759
6760
6761
6762
6763
6764
6765
6766
6767
6768
6769
6770
6771
6772
6773
6774
6775
6776
6777
6778
6779
6780
6781
6782
6783
6784
6785
6786
6787
6788
6789
6790
6791
6792
6793
6794
6795
6796
6797
6798
6799
6800
6801
6802
6803
6804
6805
6806
6807
6808
6809
6810
6811
6812
6813
6814
6815
6816
6817
6818
6819
6820
6821
6822
6823
6824
6825
6826
6827
6828
6829
6830
6831
6832
6833
6834
6835
6836
6837
6838
6839
6840
6841
6842
6843
6844
6845
6846
6847
6848
6849
6850
6851
6852
6853
6854
6855
6856
6857
6858
6859
6860
6861
6862
6863
6864
6865
6866
6867
6868
6869
6870
6871
6872
6873
6874
6875
6876
6877
6878
6879
6880
6881
6882
6883
6884
6885
6886
6887
6888
6889
6890
6891
6892
6893
6894
6895
6896
6897
6898
6899
6900
6901
6902
6903
6904
6905
6906
6907
6908
6909
6910
6911
6912
6913
6914
6915
6916
6917
6918
6919
6920
6921
6922
6923
6924
6925
6926
6927
6928
6929
6930
6931
6932
6933
6934
6935
6936
6937
6938
6939
6940
6941
6942
6943
6944
6945
6946
6947
6948
6949
6950
6951
6952
6953
6954
6955
6956
6957
6958
6959
6960
6961
6962
6963
6964
6965
6966
6967
6968
6969
6970
6971
6972
6973
6974
6975
6976
6977
6978
6979
6980
6981
6982
6983
6984
6985
6986
6987
6988
6989
6990
6991
6992
6993
6994
6995
6996
6997
6998
6999
7000
7001
7002
7003
7004
7005
7006
7007
7008
7009
7010
7011
7012
7013
7014
7015
7016
7017
7018
7019
7020
7021
7022
7023
7024
7025
7026
7027
7028
7029
7030
7031
7032
7033
7034
7035
7036
7037
7038
7039
7040
7041
7042
7043
7044
7045
7046
7047
7048
7049
7050
7051
7052
7053
7054
7055
7056
7057
7058
7059
7060
7061
7062
7063
7064
7065
7066
7067
7068
7069
7070
7071
7072
7073
7074
7075
7076
7077
7078
7079
7080
7081
7082
7083
7084
7085
7086
7087
7088
7089
7090
7091
7092
7093
7094
7095
7096
7097
7098
7099
7100
7101
7102
7103
7104
7105
7106
7107
7108
7109
7110
7111
7112
7113
7114
7115
7116
7117
7118
7119
7120
7121
7122
7123
7124
7125
7126
7127
7128
7129
7130
7131
7132
7133
7134
7135
7136
7137
7138
7139
7140
7141
7142
7143
7144
7145
7146
7147
7148
7149
7150
7151
7152
7153
7154
7155
7156
7157
7158
7159
7160
7161
7162
7163
7164
7165
7166
7167
7168
7169
7170
7171
7172
7173
7174
7175
7176
7177
7178
7179
7180
7181
7182
7183
7184
7185
7186
7187
7188
7189
7190
7191
7192
7193
7194
7195
7196
7197
7198
7199
7200
7201
7202
7203
7204
7205
7206
7207
7208
7209
7210
7211
7212
7213
7214
7215
7216
7217
7218
7219
7220
7221
7222
7223
7224
7225
7226
7227
7228
7229
7230
7231
7232
7233
7234
7235
7236
7237
7238
7239
7240
7241
7242
7243
7244
7245
7246
7247
7248
7249
7250
7251
7252
7253
7254
7255
7256
7257
7258
7259
7260
7261
7262
7263
7264
7265
7266
7267
7268
7269
7270
7271
7272
7273
7274
7275
7276
7277
7278
7279
7280
7281
7282
7283
7284
7285
7286
7287
7288
7289
7290
7291
7292
7293
7294
7295
7296
7297
7298
7299
7300
7301
7302
7303
7304
7305
7306
7307
7308
7309
7310
7311
7312
7313
7314
7315
7316
7317
7318
7319
7320
7321
7322
7323
7324
7325
7326
7327
7328
7329
7330
7331
7332
7333
7334
7335
7336
7337
7338
7339
7340
7341
7342
7343
7344
7345
7346
7347
7348
7349
7350
7351
7352
7353
7354
7355
7356
7357
7358
7359
7360
7361
7362
7363
7364
7365
7366
7367
7368
7369
7370
7371
7372
7373
7374
7375
7376
7377
7378
7379
7380
7381
7382
7383
7384
7385
7386
7387
7388
7389
7390
7391
7392
7393
7394
7395
7396
7397
7398
7399
7400
7401
7402
7403
7404
7405
7406
7407
7408
7409
7410
7411
7412
7413
7414
7415
7416
7417
7418
7419
7420
7421
7422
7423
7424
7425
7426
7427
7428
7429
7430
7431
7432
7433
7434
7435
7436
7437
7438
7439
7440
7441
7442
7443
7444
7445
7446
7447
7448
7449
7450
7451
7452
7453
7454
7455
7456
7457
7458
7459
7460
7461
7462
7463
7464
7465
7466
7467
7468
7469
7470
7471
7472
7473
7474
7475
7476
7477
7478
7479
7480
7481
7482
7483
7484
7485
7486
7487
7488
7489
7490
7491
7492
7493
7494
7495
7496
7497
7498
7499
7500
7501
7502
7503
7504
7505
7506
7507
7508
7509
7510
7511
7512
7513
7514
7515
7516
7517
7518
7519
7520
7521
7522
7523
7524
7525
7526
7527
7528
7529
7530
7531
7532
7533
7534
7535
7536
7537
7538
7539
7540
7541
7542
7543
7544
7545
7546
7547
7548
7549
7550
7551
7552
7553
7554
7555
7556
7557
7558
7559
7560
7561
7562
7563
7564
7565
7566
7567
7568
7569
7570
7571
7572
7573
7574
7575
7576
7577
7578
7579
7580
7581
7582
7583
7584
7585
7586
7587
7588
7589
7590
7591
7592
7593
7594
7595
7596
7597
7598
7599
7600
7601
7602
7603
7604
7605
7606
7607
7608
7609
7610
7611
7612
7613
7614
7615
7616
7617
7618
7619
7620
7621
7622
7623
7624
7625
7626
7627
7628
7629
7630
7631
7632
7633
7634
7635
7636
7637
7638
7639
7640
7641
7642
7643
7644
7645
7646
7647
7648
7649
7650
7651
7652
7653
7654
7655
7656
7657
7658
7659
7660
7661
7662
7663
7664
7665
7666
7667
7668
7669
7670
7671
7672
7673
7674
7675
7676
7677
7678
7679
7680
7681
7682
7683
7684
7685
7686
7687
7688
7689
7690
7691
7692
7693
7694
7695
7696
7697
7698
7699
7700
7701
7702
7703
7704
7705
7706
7707
7708
7709
7710
7711
7712
7713
7714
7715
7716
7717
7718
7719
7720
7721
7722
7723
7724
7725
7726
7727
7728
7729
7730
7731
7732
7733
7734
7735
7736
7737
7738
7739
7740
7741
7742
7743
7744
7745
7746
7747
7748
7749
7750
7751
7752
7753
7754
7755
7756
7757
7758
7759
7760
7761
7762
7763
7764
7765
7766
7767
7768
7769
7770
7771
7772
7773
7774
7775
7776
7777
7778
7779
7780
7781
7782
7783
7784
7785
7786
7787
7788
7789
7790
7791
7792
7793
7794
7795
7796
7797
7798
7799
7800
7801
7802
7803
7804
7805
7806
7807
7808
7809
7810
7811
7812
7813
7814
7815
7816
7817
7818
7819
7820
7821
7822
7823
7824
7825
7826
7827
7828
7829
7830
7831
7832
7833
7834
7835
7836
7837
7838
7839
7840
7841
7842
7843
7844
7845
7846
7847
7848
7849
7850
7851
7852
7853
7854
7855
7856
7857
7858
7859
7860
7861
7862
7863
7864
7865
7866
7867
7868
7869
7870
7871
7872
7873
7874
7875
7876
7877
7878
7879
7880
7881
7882
7883
7884
7885
7886
7887
7888
7889
7890
7891
7892
7893
7894
7895
7896
7897
7898
7899
7900
7901
7902
7903
7904
7905
7906
7907
7908
7909
7910
7911
7912
7913
7914
7915
7916
7917
7918
7919
7920
7921
7922
7923
7924
7925
7926
7927
7928
7929
7930
7931
7932
7933
7934
7935
7936
7937
7938
7939
7940
7941
7942
7943
7944
7945
7946
7947
7948
7949
7950
7951
7952
7953
7954
7955
7956
7957
7958
7959
7960
7961
7962
7963
7964
7965
7966
7967
7968
7969
7970
7971
7972
7973
7974
7975
7976
7977
7978
7979
7980
7981
7982
7983
7984
7985
7986
7987
7988
7989
7990
7991
7992
7993
7994
7995
7996
7997
7998
7999
8000
8001
8002
8003
8004
8005
8006
8007
8008
8009
8010
8011
8012
8013
8014
8015
8016
8017
8018
8019
8020
8021
8022
8023
8024
8025
8026
8027
8028
8029
8030
8031
8032
8033
8034
8035
8036
8037
8038
8039
8040
8041
8042
8043
8044
8045
8046
8047
8048
8049
8050
8051
8052
8053
8054
8055
8056
8057
8058
8059
8060
8061
8062
8063
8064
8065
8066
8067
8068
8069
8070
8071
8072
8073
8074
8075
8076
8077
8078
8079
8080
8081
8082
8083
8084
8085
8086
8087
8088
8089
8090
8091
8092
8093
8094
8095
8096
8097
8098
8099
8100
8101
8102
8103
8104
8105
8106
8107
8108
8109
8110
8111
8112
8113
8114
8115
8116
8117
8118
8119
8120
8121
8122
8123
8124
8125
8126
8127
8128
8129
8130
8131
8132
8133
8134
8135
8136
8137
8138
8139
8140
8141
8142
8143
8144
8145
8146
8147
8148
8149
8150
8151
8152
8153
8154
8155
8156
8157
8158
8159
8160
8161
8162
8163
8164
8165
8166
8167
8168
8169
8170
8171
8172
8173
8174
8175
8176
8177
8178
8179
8180
8181
8182
8183
8184
8185
8186
8187
8188
8189
8190
8191
8192
8193
8194
8195
8196
8197
8198
8199
8200
8201
8202
8203
8204
8205
8206
8207
8208
8209
8210
8211
8212
8213
8214
8215
8216
8217
8218
8219
8220
8221
8222
8223
8224
8225
8226
8227
8228
8229
8230
8231
8232
8233
8234
8235
8236
8237
8238
8239
8240
8241
8242
8243
8244
8245
8246
8247
8248
8249
8250
8251
8252
8253
8254
8255
8256
8257
8258
8259
8260
8261
8262
8263
8264
8265
8266
8267
8268
8269
8270
8271
8272
8273
8274
8275
8276
8277
8278
8279
8280
8281
8282
8283
8284
8285
8286
8287
8288
8289
8290
8291
8292
8293
8294
8295
8296
8297
8298
8299
8300
8301
8302
8303
8304
8305
8306
8307
8308
8309
8310
8311
8312
8313
8314
8315
8316
8317
8318
8319
8320
8321
8322
8323
8324
8325
8326
8327
8328
8329
8330
8331
8332
8333
8334
8335
8336
8337
8338
8339
8340
8341
8342
8343
8344
8345
8346
8347
8348
8349
8350
8351
8352
8353
8354
8355
8356
8357
8358
8359
8360
8361
8362
8363
8364
8365
8366
8367
8368
8369
8370
8371
8372
8373
8374
8375
8376
8377
8378
8379
8380
8381
8382
8383
8384
8385
8386
8387
8388
8389
8390
8391
8392
8393
8394
8395
8396
8397
8398
8399
8400
8401
8402
8403
8404
8405
8406
8407
8408
8409
8410
8411
8412
8413
8414
8415
8416
8417
8418
8419
8420
8421
8422
8423
8424
8425
8426
8427
8428
8429
8430
8431
8432
8433
8434
8435
8436
8437
8438
8439
8440
8441
8442
8443
8444
8445
8446
8447
8448
8449
8450
8451
8452
8453
8454
8455
8456
8457
8458
8459
8460
8461
8462
8463
8464
8465
8466
8467
8468
8469
8470
8471
8472
8473
8474
8475
8476
8477
8478
8479
8480
8481
8482
8483
8484
8485
8486
8487
8488
8489
8490
8491
8492
8493
8494
8495
8496
8497
8498
8499
8500
8501
8502
8503
8504
8505
8506
8507
8508
8509
8510
8511
8512
8513
8514
8515
8516
8517
8518
8519
8520
8521
8522
8523
8524
8525
8526
8527
8528
8529
8530
8531
8532
8533
8534
8535
8536
8537
8538
8539
8540
8541
8542
8543
8544
8545
8546
8547
8548
8549
8550
8551
8552
8553
8554
8555
8556
8557
8558
8559
8560
8561
8562
8563
8564
8565
8566
8567
8568
8569
8570
8571
8572
8573
8574
8575
8576
8577
8578
8579
8580
8581
8582
8583
8584
8585
8586
8587
8588
8589
8590
8591
8592
8593
8594
8595
8596
8597
8598
8599
8600
8601
8602
8603
8604
8605
8606
8607
8608
8609
8610
8611
8612
8613
8614
8615
8616
8617
8618
8619
8620
8621
8622
8623
8624
8625
8626
8627
8628
8629
8630
8631
8632
8633
8634
8635
8636
8637
8638
8639
8640
8641
8642
8643
8644
8645
8646
8647
8648
8649
8650
8651
8652
8653
8654
8655
8656
8657
8658
8659
8660
8661
8662
8663
8664
8665
8666
8667
8668
8669
8670
8671
8672
8673
8674
8675
8676
8677
8678
8679
8680
8681
8682
8683
8684
8685
8686
8687
8688
8689
8690
8691
8692
8693
8694
8695
8696
8697
8698
8699
8700
8701
8702
8703
8704
8705
8706
8707
8708
8709
8710
8711
8712
8713
8714
8715
8716
8717
8718
8719
8720
8721
8722
8723
8724
8725
8726
8727
8728
8729
8730
8731
8732
8733
8734
8735
8736
8737
8738
8739
8740
8741
8742
8743
8744
8745
8746
8747
8748
8749
8750
8751
8752
8753
8754
8755
8756
8757
8758
8759
8760
8761
8762
8763
8764
8765
8766
8767
8768
8769
8770
8771
8772
8773
8774
8775
8776
8777
8778
8779
8780
8781
8782
8783
8784
8785
8786
8787
8788
8789
8790
8791
8792
8793
8794
8795
8796
8797
8798
8799
8800
8801
8802
8803
8804
8805
8806
8807
8808
8809
8810
8811
8812
8813
8814
8815
8816
8817
8818
8819
8820
8821
8822
8823
8824
8825
8826
8827
8828
8829
8830
8831
8832
8833
8834
8835
8836
8837
8838
8839
8840
8841
8842
8843
8844
8845
8846
8847
8848
8849
8850
8851
8852
8853
8854
8855
8856
8857
8858
8859
8860
8861
8862
8863
8864
8865
8866
8867
8868
8869
8870
8871
8872
8873
8874
8875
8876
8877
8878
8879
8880
8881
8882
8883
8884
8885
8886
8887
8888
8889
8890
8891
8892
8893
8894
8895
8896
8897
8898
8899
8900
8901
8902
8903
8904
8905
8906
8907
8908
8909
8910
8911
8912
8913
8914
8915
8916
8917
8918
8919
8920
8921
8922
8923
8924
8925
8926
8927
8928
8929
8930
8931
8932
8933
8934
8935
8936
8937
8938
8939
8940
8941
8942
8943
8944
8945
8946
8947
8948
8949
8950
8951
8952
8953
8954
8955
8956
8957
8958
8959
8960
8961
8962
8963
8964
8965
8966
8967
8968
8969
8970
8971
8972
8973
8974
8975
8976
8977
8978
8979
8980
8981
8982
8983
8984
8985
8986
8987
8988
8989
8990
8991
8992
8993
8994
8995
8996
8997
8998
8999
9000
9001
9002
9003
9004
9005
9006
9007
9008
9009
9010
9011
9012
9013
9014
9015
9016
9017
9018
9019
9020
9021
9022
9023
9024
9025
9026
9027
9028
9029
9030
9031
9032
9033
9034
9035
9036
9037
9038
9039
9040
9041
9042
9043
9044
9045
9046
9047
9048
9049
9050
9051
9052
9053
9054
9055
9056
9057
9058
9059
9060
9061
9062
9063
9064
9065
9066
9067
9068
9069
9070
9071
9072
9073
9074
9075
9076
9077
9078
9079
9080
9081
9082
9083
9084
9085
9086
9087
9088
9089
9090
9091
9092
9093
9094
9095
9096
9097
9098
9099
9100
9101
9102
9103
9104
9105
9106
9107
9108
9109
9110
9111
9112
9113
9114
9115
9116
9117
9118
9119
9120
9121
9122
9123
9124
9125
9126
9127
9128
9129
9130
9131
9132
9133
9134
9135
9136
9137
9138
9139
9140
9141
9142
9143
9144
9145
9146
9147
9148
9149
9150
9151
9152
9153
9154
9155
9156
9157
9158
9159
9160
9161
9162
9163
9164
9165
9166
9167
9168
9169
9170
9171
9172
9173
9174
9175
9176
9177
9178
9179
9180
9181
9182
9183
9184
9185
9186
9187
9188
9189
9190
9191
9192
9193
9194
9195
9196
9197
9198
9199
9200
9201
9202
9203
9204
9205
9206
9207
9208
9209
9210
9211
9212
9213
9214
9215
9216
9217
9218
9219
9220
9221
9222
9223
9224
9225
9226
9227
9228
9229
9230
9231
9232
9233
9234
9235
9236
9237
9238
9239
9240
9241
9242
9243
9244
9245
9246
9247
9248
9249
9250
9251
9252
9253
9254
9255
9256
9257
9258
9259
9260
9261
9262
9263
9264
9265
9266
9267
9268
9269
9270
9271
9272
9273
9274
9275
9276
9277
9278
9279
9280
9281
9282
9283
9284
9285
9286
9287
9288
9289
9290
9291
9292
9293
9294
9295
9296
9297
9298
9299
9300
9301
9302
9303
9304
9305
9306
9307
9308
9309
9310
9311
9312
9313
9314
9315
9316
9317
9318
9319
9320
9321
9322
9323
9324
9325
9326
9327
9328
9329
9330
9331
9332
9333
9334
9335
9336
9337
9338
9339
9340
9341
9342
9343
9344
9345
9346
9347
9348
9349
9350
9351
9352
9353
9354
9355
9356
9357
9358
9359
9360
9361
9362
9363
9364
9365
9366
9367
9368
9369
9370
9371
9372
9373
9374
9375
9376
9377
9378
9379
9380
9381
9382
9383
9384
9385
9386
9387
9388
9389
9390
9391
9392
9393
9394
9395
9396
9397
9398
9399
9400
9401
9402
9403
9404
9405
9406
9407
9408
9409
9410
9411
9412
9413
9414
9415
9416
9417
9418
9419
9420
9421
9422
9423
9424
9425
9426
9427
9428
9429
9430
9431
9432
9433
9434
9435
9436
9437
9438
9439
9440
9441
9442
9443
9444
9445
9446
9447
9448
9449
9450
9451
9452
9453
9454
9455
9456
9457
9458
9459
9460
9461
9462
9463
9464
9465
9466
9467
9468
9469
9470
9471
9472
9473
9474
9475
9476
9477
9478
9479
9480
9481
9482
9483
9484
9485
9486
9487
9488
9489
9490
9491
9492
9493
9494
9495
9496
9497
9498
9499
9500
9501
9502
9503
9504
9505
9506
9507
9508
9509
9510
9511
9512
9513
9514
9515
9516
9517
9518
9519
9520
9521
9522
9523
9524
9525
9526
9527
9528
9529
9530
9531
9532
9533
9534
9535
9536
9537
9538
9539
9540
9541
9542
9543
9544
9545
9546
9547
9548
9549
9550
9551
9552
9553
9554
9555
9556
9557
9558
9559
9560
9561
9562
9563
9564
9565
9566
9567
9568
9569
9570
9571
9572
9573
9574
9575
9576
9577
9578
9579
9580
9581
9582
9583
9584
9585
9586
9587
9588
9589
9590
9591
9592
9593
9594
9595
9596
9597
9598
9599
9600
9601
9602
9603
9604
9605
9606
9607
9608
9609
9610
9611
9612
9613
9614
9615
9616
9617
9618
9619
9620
9621
9622
9623
9624
9625
9626
9627
9628
9629
9630
9631
9632
9633
9634
9635
9636
9637
9638
9639
9640
9641
9642
9643
9644
9645
9646
9647
9648
9649
9650
9651
9652
9653
9654
9655
9656
9657
9658
9659
9660
9661
9662
9663
9664
9665
9666
9667
9668
9669
9670
9671
9672
9673
9674
9675
9676
9677
9678
9679
9680
9681
9682
9683
9684
9685
9686
9687
9688
9689
9690
9691
9692
9693
9694
9695
9696
9697
9698
9699
9700
9701
9702
9703
9704
9705
9706
9707
9708
9709
9710
9711
9712
9713
9714
9715
9716
9717
9718
9719
9720
9721
9722
9723
9724
9725
9726
9727
9728
9729
9730
9731
9732
9733
9734
9735
9736
9737
9738
9739
9740
9741
9742
9743
9744
9745
9746
9747
9748
9749
9750
9751
9752
9753
9754
9755
9756
9757
9758
9759
9760
9761
9762
9763
9764
9765
9766
9767
9768
9769
9770
9771
9772
9773
9774
9775
9776
9777
9778
9779
9780
9781
9782
9783
9784
9785
9786
9787
9788
9789
9790
9791
9792
9793
9794
9795
9796
9797
9798
9799
9800
1 October 2020: Wouter
	- Current repo is version 1.12.0 for release.  Tag for 1.12.0rc1.

30 September 2020: Wouter
	- Fix doh tests when not compiled in.
	- Add dohclient test executable to gitignore.
	- Fix stream_ssl, ssl_req_order and ssl_req_timeout tests for
	  alloc check debug output.
	- Easier kill of unbound-dnstap-socket tool in test.
	- Fix memory leak of edns tags at libunbound context delete.
	- Fix double loopexit for unbound-dnstap-socket after sigterm.

29 September 2020: Ralph
	- DNS Flag Day 2020: change edns-buffer-size default to 1232.

28 September 2020: Wouter
	- Fix unit test for dnstap changes, so that it waits for the timer.

23 September 2020: Wouter
	- Fix #305: dnstap logging significantly affects unbound performance
	  (regression in 1.11).
	- Fix #305: only wake up thread when threshold reached.
	- Fix to ifdef fptr wlist item for dnstap.

23 September 2020: Ralph
	- Fix edns-client-tags get_option typo
	- Add edns-client-tag-opcode option
	- Use inclusive language in configuration

21 September 2020: Ralph
	- Fix #304: dnstap logging not recovering after dnstap process restarts

21 September 2020: Wouter
	- Merge PR #311 by luismerino: Dynlibmod leak.
	- Error message is logged for dynlibmod malloc failures.
	- iana portlist updated.

18 September 2020: Wouter
	- Fix that prefer-ip4 and prefer-ip6 can be get and set with
	  unbound-control, with libunbound and the unbound-checkconf option
	  output function.
	- iana portlist updated.

15 September 2020: George
	- Introduce test for statistics.

15 September 2020: Wouter
	- Spelling fix.

11 September 2020: Wouter
	- Remove x file mode on ipset/ipset.c and h files.

9 September 2020: Wouter
	- Fix num.expired statistics output.

31 August 2020: Wouter
	- Merge PR #293: Add missing prototype.  Also refactor to use the new
	  shorthand function to clean up the code.
	- Refactor to use sock_strerr shorthand function.
	- Fix #296: systemd nss-lookup.target is reached before unbound can
	  successfully answer queries. Changed contrib/unbound.service.in.

27 August 2020: Wouter
	- Similar to NSD PR#113, implement that interface names can be used,
	  eg. something like interface: eth0 is resolved at server start and
	  uses the IP addresses for that named interface.
	- Review fix, doxygen and assign null in case of error free.

26 August 2020: George
	- Update documentation in python example code.

24 August 2020: Wouter
	- Fix that dnstap reconnects do not spam the log with the repeated
	  attempts.  Attempts on the timer are only logged on high verbosity,
	  if they produce a connection failure error.
	- Fix to apply chroot to dnstap-socket-path, if chroot is enabled.
	- Change configure to use EVP_sha256 instead of HMAC_Update for
	  openssl-3.0.0.

20 August 2020: Ralph
	- Fix stats double count issue (#289).

13 August 2020: Ralph
	- Create and init edns tags data for libunbound.

10 August 2020: Ralph
	- Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available,
	  by Vítězslav Čížek.

10 August 2020: Wouter
	- Fix #287: doc typo: "Additionaly".
	- Rerun autoconf

6 August 2020: Wouter
	- Merge PR #284 and Fix #246: Remove DLV entirely from Unbound.
	  The DLV has been decommisioned and in unbound 1.5.4, in 2015, there
	  was advise to stop using it.  The current code base does not contain
	  DLV code any more.  The use of dlv options displays a warning.

5 August 2020: Wouter
	- contrib/aaaa-filter-iterator.patch file renewed diff content to
	  apply cleanly to the current coderepo for the current code version.

5 August 2020: Ralph
	- Merge PR #272: Add EDNS client tag functionality.

4 August 2020: George
	- Improve error log message when inserting rpz RR.
	- Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as
	  definedness, by Felipe Gasper.

4 August 2020: Wouter
	- Fix mini_event.h on OpenBSD cannot find fd_set.

31 July 2020: Wouter
	- Fix doxygen comment for no ssl for tls session ticket key callback
	  routine.

27 July 2020: George
	- Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on
	  March 2020, by and0x000.

27 July 2020: Ralph
	- Merge PR #269, Fix python module len() implementations, by Torbjörn
	  Lönnemark

27 July 2020: Wouter
	- branch now named 1.11.1.  1.11.0rc1 became the 1.11.0 release.
	- Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf

20 July 2020: Wouter
	- Fix streamtcp to print packet data to stdout.  This makes the
	  stdout and stderr not mix together lines, when parsing its output.
	- Fix contrib/fastrpz.patch to apply cleanly.  It fixes for changes
	  due to added libdynmod, but it does not compile, it conflicts with
	  new rpz code.
	- branch now named 1.11.0 and 1.11.0rc1 tag.

17 July 2020: Wouter
	- Fix libnettle compile for session ticket key callback function
	  changes.
	- Fix lock dependency cycle in rpz zone config setup.

17 July 2020: Ralph
	- Merge PR #234 - Ensure proper alignment of cmsg buffers by Jérémie
	  Courrèges-Anglas.
	- Fix PR #234 log_assert sizeof to use union buffer.

16 July 2020: Wouter
	- Fix check conf test for referencing installation paths.
	- Fix unused variable warning for clang analyzer.

16 July 2020: George
	- Introduce 'include-toplevel:' configuration option.

16 July 2020: Ralph
	- Add bidirectional frame streams support.

8 July 2020: Wouter
	- Fix add missing DSA header, for compilation without deprecated
	  OpenSSL APIs.
	- Fix to use SSL_CTX_set_tlsext_ticket_key_evp_cb in OpenSSL
	  3.0.0-alpha4.
	- Longer keys for the test set, this avoids weak crypto errors.

7 July 2020: Wouter
	- Fix #259: Fix unbound-checkconf does not check view existence.
	  unbound-checkconf checks access-control-view, access-control-tags,
	  access-control-tag-actions and access-control-tag-datas.
	- Fix offset of error printout for access-control-tag-datas.
	- Review fixes for checkconf #259 change.

6 July 2020: Wouter
	- run_vm cleanup better and removes trailing slash on single argument.

29 June 2020: Wouter
	- Move reply list clean for serve expired mesh callback to after
	  the reply is sent, so that script callbacks have reply_info.
	- Also move reply list clean for mesh callbacks to the scrip callback
	  can see the reply_info.
	- Fix for mesh accounting if the reply list already empty to begin
	  with.
	- Fix for mesh accounting when rpz decides to drop a reply with a
	  tcp stream waiting for it.
	- Review fix for number of detached states due to use of variable
	  after end of loop.
	- Fix tcp req info drop due to size call into mesh accounting
	  removal of mesh state during mesh send reply.

24 June 2020: Wouter
	- iana portlist updated.
	- doxygen file comments for dynlibmodule.

17 June 2020: Wouter
	- Fix default explanation in man page for qname-minimisation-strict.
	- Fix display of event loop method with libev.

8 June 2020: Wouter
	- Mention tls name possible when tls is enabled for stub-addr in the
	  man page.

27 May 2020: George
	- Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
	  "Requires:".

25 May 2020: George
	- Update contrib/aaaa-filter-iterator.patch for the recent
	  generate_sub_request() change and to apply cleanly.

21 May 2020: George
	- Fix for integer overflow when printing RDF_TYPE_TIME.

19 May 2020: Wouter
	- CVE-2020-12662 Unbound can be tricked into amplifying an incoming
	  query into a large number of queries directed to a target.
	- CVE-2020-12663 Malformed answers from upstream name servers can be
	  used to make Unbound unresponsive.
	- Release 1.10.1 is 1.10.0 with fixes, code repository continues,
	  including those fixes, towards the next release.  Configure has
	  version 1.10.2 version number in it.
	- For PR #93: windows compile warnings removal
	- windows compile warnings removal for ip dscp option code.
	- For PR #93: unit test for dynlib module.

18 May 2020: Wouter
	- For PR #93: dynlibmod can handle reloads and deinit and inits again,
	  with dlclose and dlopen of the library again.  Also for multiple
	  modules.  Fix memory leak by not closing dlopened content.  Fix
	  to allow one dynlibmod instance by unbound-checkconf.
	- For PR #93: checkconf allows multiple dynlib in module-config, for
	  a couple cases.
	- For PR #93: checkconf allows python dynlib in module-config, for
	  a couple cases.
	- For PR #93: man page spelling reference fix.
	- For PR #93: fix link of other executables for dynlibmod dependency.

15 May 2020: Wouter
	- Merge PR #93: Add dynamic library support.
	- Fixed conflicts for PR #93 and make configure, yacc, lex.
	- For PR #93: Fix warnings for dynlibmodule.

15 May 2020: Ralph
	- Cache ECS answers with longest scope of CNAME chain.

22 April 2020: George
	- Explicitly use 'rrset-roundrobin: no' for test cases.

21 April 2020: Wouter
	- Merge #225 from akhait: KSK-2010 has been revoked. It removes the
	  KSK-2010 from the default list in unbound-anchor, now that the
	  revocation period is over.  KSK-2017 is the only trust anchor in
	  the shipped default now.

21 April 2020: George
	- Change default value for 'rrset-roundrobin' to yes.
	- Fix tests for new rrset-roundrobin default.

20 April 2020: Wouter
	- Fix #222: --enable-rpath, fails to rpath python lib.
	- Fix for count of reply states in the mesh.
	- Remove unneeded was_mesh_reply check.

17 April 2020: George
	- Add SNI support on more TLS connections (fixes #193).
	- Add SNI support to unbound-anchor.

16 April 2020: George
	- Add doxygen documentation for DSCP.

16 April 2020: Wouter
	- Fix help return code in unbound-control-setup script.
	- Fix for posix shell syntax for trap in nsd-control-setup.
	- Fix for posix shell syntax for trap in run_msg.sh test script.

15 April 2020: George
	- Fix #220: auth-zone section in config may lead to segfault.

7 April 2020: Wouter
	- Merge PR #214 from gearnode: unbound-control-setup recreate
	  certificates.  With the -r option the certificates are created
	  again, without it, only the files that do not exist are created.

6 April 2020: Ralph
	- Keep track of number of timeouts. Use this counter to determine if
	  capsforid fallback should be started.

6 April 2020: George
	- More documentation for redis-expire-records option.

1 April 2020: George
	- Merge PR #206: Redis TTL, by Talkabout.

30 March 2020: Wouter
	- Merge PR #207: Clarify if-automatic listens on 0.0.0.0 and ::
	- Merge PR #208: Fix uncached CLIENT_RESPONSE'es on stateful
	  transports.

27 March 2020: Wouter
	- Merge PR #203 from noloader: Update README-Travis.md with current
	  procedures.

27 March 2020: Ralph
	- Make unbound-control error returned on missing domain name more user
	  friendly.

26 March 2020: Ralph
	- Fix RPZ concurrency issue when using auth_zone_reload.

25 March 2020: George
	- Merge PR #201 from noloader: Fix OpenSSL cross-compaile warnings.
	- Fix on #201.

24 March 2020: Wouter
	- Merge PR #200 from yarikk: add ip-dscp option to specify the DSCP
	  tag for outgoing packets.
	- Fixes on #200.
	- Travis fix for ios by omitting tools from install.

23 March 2020: Wouter
	- Fix compile on Solaris for unbound-checkconf.

20 March 2020: George
	- Merge PR #198 from fobser: Declare lz_enter_rr_into_zone() static, it's
	  only used in this file.

20 March 2020: Wouter
	- Merge PR #197 from fobser: Make log_ident_revert_to_default() a
	  proper prototype.

19 March 2020: Ralph
	- Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton.
	- Fix #158: open tls-session-ticket-keys as binary, for Windows. By
	  Daisuke HIGASHI.
	- Merge PR#134, Allow the kernel to provide random source ports. By
	  Florian Obser.
	- Log warning when using outgoing-port-permit and outgoing-port-avoid
	  while explicit port randomisation is disabled.
	- Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton.
	- Fix .travis.yml error, missing 'env' option.

16 March 2020: Wouter
	- Fix #192: In the unbound-checkconf tool, the module config of
	  dns64 subnetcache respip validator iterator is whitelisted, it was
	  reported it seems to work.

12 March 2020: Wouter
	- Fix compile of test tools without protobuf.

11 March 2020: Ralph
	- Add check to make sure RPZ records are subdomains of configured
	  zone origin.

11 March 2020: George
	- Fix #189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete
	  type, by noloader.
	- Changelog entry for (Fix #189, Merge PR #190).

11 March 2020: Wouter
	- Fix #188: unbound-control.c:882:6: error: 'execlp' is
	  unavailable: not available on tvOS.

6 March 2020: George
	- Merge PR #186, fix #183: Fix unrecognized 'echo -n' option on OS X, by
	  noloader

5 March 2020: Wouter
	- Fix PR #182 from noloader: Add iOS testing to Travis.

4 March 2020: Ralph
	- Update README-Travis.md (from PR #179), by Jeffrey Walton.

4 March 2020: George
	- Merge PR #181 from noloader: Fix OpenSSL -pie warning on Android.

4 March 2020: Wouter
	- Merge PR #180 from noloader: Avoid calling exit in Travis script.

3 March 2020: George
	- Upgrade config.guess(2020-01-01) and config.sub(2020-01-01).

2 March 2020: Ralph
	- Fix #175, Merge PR #176: fix link error when OpenSSL is configured
 	  with no-engine, thanks noloader.

2 March 2020: George
	- Fix compiler warning in dns64/dns64.c
	- Merge PR #174: Add Android to Travis testing, by noloader.
	- Move android build scripts to contrib/ and allow android tests to fail.

2 March 2020: Wouter
	- Fix #177: dnstap does not build on macOS.

28 February 2020: Ralph
	- Merge PR #172: Add IBM s390x arch for testing, by noloader.

28 February 2020: Wouter
	- Merge PR #173: updated makedist.sh for config.guess and
	  config.sub and sha256 digest for gpg, by noloader.
	- Merge PR #164: Framestreams, this branch implements dnstap
	  unidirectional connectivity in unbound. This has a number of
	  new features.

	  The dependency on libfstrm is removed. The fstrm protocol code
	  resides in dnstap/dnstap_fstrm.h and dnstap/dnstap_fstrm.c. This
	  contains a brief definition of what unbound needs.

	  The make unbound-dnstap-socket builds a debug tool,
	  unbound-dnstap-socket. It can listen, accept multiple DNSTAP
	  streams and print information. Commandline options control it.

	  Unbound can reconnect if the unix domain socket file socket is
	  closed. This uses exponential backoff after which it uses a
	  one second timer to throttle cpu down. There is also support
	  to use TCP and TLS for connecting to the log server. There
	  are new config options to turn them on, in the dnstap section
	  in the man page and example config file. dnstap-ip with IP
	  address of server for TCP or TLS use. dnstap-tls to turn
	  on TLS. And dnstap-tls-server-name, dnstap-tls-cert-bundle,
	  dnstap-tls-client-key-file and dnstap-tls-client-cert-file
	  to configure the certificates for server authentication and
	  client authentication, or leave at "" to not use that.

27 February 2020: George
	- Merge PR #171: Add additional compilers and platforms to Travis
	  testing, by noloader.

27 February 2020: Wouter
	- Fix #169: Fix warning for daemon/remote.c output may be truncated
	  from snprintf.
	- Fix #170: Fix gcc undefined sanitizer signed integer overflow
	  warning in signature expiry RFC1982 serial number arithmetic.
	- Fix more undefined sanitizer issues, in respip copy_rrset null
	  dname, and in the client_info_compare routine for null memcmp.

26 February 2020: Wouter
	- iana portlist updated.

25 February 2020: Wouter
	- Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for
	  using ipv4 filters, because the hosts ip6 netblock /64 is not owned
	  by one operator, and thus reputation is shared.

24 February 2020: George
	- Merge PR #166: Fix typo in unbound.service.in, by glitsj16.

20 February 2020: Wouter
	- Updated contrib/unbound_smf23.tar.gz with Solaris SMF service for
	  Unbound from Yuri Voinov.
	- master branch has 1.10.1 version.

18 February 2020: Wouter
	- protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for
	  different openssl versions.

17 February 2020: Wouter
	- changelog point where the tag for 1.10.0rc2 release is.  And with
	  the unbound_smf23 commit added to it, that is the 1.10.0 release.

17 February 2020: Ralph
	- Add respip to supported module-config options in unbound-checkconf.

17 February 2020: George
	- Remove unused variable.

17 February 2020: Wouter
	- contrib/drop2rpz: perl script that converts the Spamhaus DROP-List
	  in RPZ-Format, contributed by Andreas Schulze.

14 February 2020: Wouter
	- Fix spelling in unbound.conf.5.in.
	- Stop unbound-checkconf from insisting that auth-zone and rpz
	  zonefiles have to exist.  They can not exist, and download later.

13 February 2020: Wouter
	- tag for 1.10.0rc1 release.

12 February 2020: Wouter
	- Fix with libnettle make test with dsa disabled.
	- Fix contrib/fastrpz.patch to apply cleanly.  Fix for serve-stale
	  fixes, but it does not compile, conflicts with new rpz code.
	- Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
	- Fix compile warning when threads disabled.
	- updated version number to 1.10.0.

10 February 2020: George
	- Document 'ub_result.was_ratelimited' in libunbound.
	- Fix use after free on log-identity after a reload; Fixes #163.

6 February 2020: George
	- Fix num_reply_states and num_detached_states counting with
	  serve_expired_callback.
	- Cleaner code in mesh_serve_expired_lookup.
	- Document in unbound.conf manpage that configuration clauses can be
	  repeated in the configuration file.

6 February 2020: Wouter
	- Fix num_reply_addr counting in mesh and tcp drop due to size
	  after serve_stale commit.
	- Fix to create and destroy rpz_lock in auth_zones structure.
	- Fix to lock zone before adding rpz qname trigger.
	- Fix to lock and release once in mesh_serve_expired_lookup.
	- Fix to put braces around empty if body when threading is disabled.

5 February 2020: George
	- Added serve-stale functionality as described in
	  draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
	  to configure the behavior.
	- Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
	- Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
	  come with a configurable TTL value (`serve-expired-reply-ttl`).
	- Fixed stats when replying with cached, cname-aliased records.
	- Added missing default values for redis cachedb backend.

3 February 2020: Ralph
	- Add assertion to please static analyzer

31 January 2020: Wouter
	- Fix fclose on error in TLS session ticket code.

30 January 2020: Ralph
	- Fix memory leak in error condition remote.c
	- Fix double free in error condition view.c
	- Fix memory leak in do_auth_zone_transfer on success
	- Merge RPZ support into master. Only QNAME and Response IP triggers are
	  supported.
	- Stop working on socket when socket() call returns an error.
	- Check malloc return values in TLS session ticket code

30 January 2020: Wouter
	- Fix subnet tests for disabled DSA algorithm by default.
	- Update contrib/fastrpz.patch for clean diff with current code.
	- Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
	  and Frzk.  Updates the unbound.service systemd file and adds
	  a portable systemd service file.
	- updated .gitignore for added contrib file.
	- Add build rule for ipset to Makefile
	- Add getentropy_freebsd.o to Makefile dependencies.

29 January 2020: Ralph
	- Merge PR#156 from Alexander Berkes; Added unbound-control
	  view_local_datas_remove command.

29 January 2020: Wouter
	- Fix #157: undefined reference to `htobe64'.

28 January 2020: Ralph
	- Merge PR#147; change rfc reference for reserved top level dns names.

28 January 2020: Wouter
	- iana portlist updated.
	- Fix to silence the tls handshake errors for broken pipe and reset
	  by peer, unless verbosity is set to 2 or higher.

27 January 2020: Ralph
	- Merge PR#154; Allow use of libbsd functions with configure option
	  --with-libbsd. By Robert Edmonds and Steven Chamberlain.
	- Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.

27 January 2020: Wouter
	- Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
	  to Libs/Requires for crypto library dependencies.
	- Fix #153: Disable validation for DSA algorithms.  RFC 8624
	  compliance.

23 January 2020: Wouter
	- Merge PR#150 from Frzk: Systemd unit without chroot.  It add
	  contrib/unbound_nochroot.service.in, a systemd file for use with
	  chroot: "", see comments in the file, it uses systemd protections
	  instead.

14 January 2020: Wouter
	- Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
	  because dnscrypt-proxy (2.0.36) does not support the test setup
	  any more, and also the config file format does not seem to have
	  the appropriate keys to recreate that setup.
	- Fix crash after reload where a stats lookup could reference old key
	  cache and neg cache structures.
	- Fix for memory leak when edns subnet config options are read when
	  compiled without edns subnet support.
	- Fix auth zone support for NSEC3 records without salt.

10 January 2020: Wouter
	- Fix the relationship between serve-expired and prefetch options,
	  patch from Saksham Manchanda from Secure64.
	- Fix unreachable code in ssl set options code.

8 January 2020: Ralph
	- Fix #138: stop binding pidfile inside chroot dir in systemd service
	  file.

8 January 2020: Wouter
	- Fix 'make test' to work for --disable-sha1 configure option.
	- Fix out-of-bounds null-byte write in sldns_bget_token_par while
	  parsing type WKS, reported by Luis Merino from X41 D-Sec.
	- Updated sldns_bget_token_par fix for also space for the zero
	  delimiter after the character.  And update for more spare space.

6 January 2020: George
	- Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
	  The dl_iterate_phdr() function introduced in newer versions raises
	  compilation errors on solaris 10.
	- Changes to compat/getentropy_solaris.c for,
	  ifdef stdint.h inclusion for older systems.
	  ifdef sha2.h inclusion for older systems.

6 January 2020: Wouter
	- Merge #135 from Florian Obser: Use passed in neg and key cache
	  if non-NULL.
	- Fix #140: Document slave not downloading new zonefile upon update.

16 December 2019: George
	- Update mailing list URL.

12 December 2019: Ralph
	- Master is 1.9.7 in development.
	- Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
	  Florian Obser

10 December 2019: Wouter
	- Fix to make auth zone IXFR to fallback to AXFR if a single
	  response RR is received over TCP with the SOA in it.

6 December 2019: Wouter
	- Fix ipsecmod compile.
	- Fix Makefile.in for ipset module compile, from Adi Prasaja.
	- release-1.9.6 tag, which became the 1.9.6 release

5 December 2019: Wouter
	- unbound-fuzzers.tar.bz2: three programs for fuzzing, that are 1:1
	  replacements for unbound-fuzzme.c that gets created after applying
	  the contrib/unbound-fuzzme.patch.  They are contributed by
	  Eric Sesterhenn from X41 D-Sec.
	- tag for 1.9.6rc1.

4 December 2019: Wouter
	- Fix lock type for memory purify log lock deletion.
	- Fix testbound for alloccheck runs, memory purify and lock checks.
	- update contrib/fastrpz.patch to apply more cleanly.
	- Fix Make Test Fails when Configured With --enable-alloc-nonregional,
	  reported by X41 D-Sec.

3 December 2019: Wouter
	- Merge pull request #124 from rmetrich: Changed log lock
	  from 'quick' to 'basic' because this is an I/O lock.
	- Fix text around serial arithmatic used for RRSIG times to refer
	  to correct RFC number.
	- Fix Assert Causing DoS in synth_cname(),
	  reported by X41 D-Sec.
	- Fix similar code in auth_zone synth cname to add the extra checks.
	- Fix Assert Causing DoS in dname_pkt_copy(),
	  reported by X41 D-Sec.
	- Fix OOB Read in sldns_wire2str_dname_scan(),
	  reported by X41 D-Sec.
	- Fix Out of Bounds Write in sldns_str2wire_str_buf(),
	  reported by X41 D-Sec.
	- Fix Out of Bounds Write in sldns_b64_pton(),
	  fixed by check in sldns_str2wire_int16_data_buf(),
	  reported by X41 D-Sec.
	- Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
	  reported by X41 D-Sec.
	- Fix Out of Bound Write Compressed Names in rdata_copy(),
	  reported by X41 D-Sec.
	- Fix Hang in sldns_wire2str_pkt_scan(),
	  reported by X41 D-Sec.
	  This further lowers the max to 256.
	- Fix snprintf() supports the n-specifier,
	  reported by X41 D-Sec.
	- Fix Bad Indentation, in dnscrypt.c,
	  reported by X41 D-Sec.
	- Fix Client NONCE Generation used for Server NONCE,
	  reported by X41 D-Sec.
	- Fix compile error in dnscrypt.
	- Fix _vfixed not Used, removed from sbuffer code,
	  reported by X41 D-Sec.
	- Fix Hardcoded Constant, reported by X41 D-Sec.
	- make depend

2 December 2019: Wouter
	- Merge pull request #122 from he32: In tcp_callback_writer(),
	  don't disable time-out when changing to read.

22 November 2019: George
	- Fix compiler warnings.

22 November 2019: Wouter
	- Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
	- Add make distclean that removes everything configure produced,
	  and make maintainer-clean that removes bison and flex output.

20 November 2019: Wouter
	- Fix Out of Bounds Read in rrinternal_get_owner(),
	  reported by X41 D-Sec.
	- Fix Race Condition in autr_tp_create(),
	  reported by X41 D-Sec.
	- Fix Shared Memory World Writeable,
	  reported by X41 D-Sec.
	- Adjust unbound-control to make stats_shm a read only operation.
	- Fix Weak Entropy Used For Nettle,
	  reported by X41 D-Sec.
	- Fix Randomness Error not Handled Properly,
	  reported by X41 D-Sec.
	- Fix Out-of-Bounds Read in dname_valid(),
	  reported by X41 D-Sec.
	- Fix Config Injection in create_unbound_ad_servers.sh,
	  reported by X41 D-Sec.
	- Fix Local Memory Leak in cachedb_init(),
	  reported by X41 D-Sec.
	- Fix Integer Underflow in Regional Allocator,
	  reported by X41 D-Sec.
	- Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
	- Synchronize compat/getentropy_win.c with version 1.5 from
	  OpenBSD, no changes but makes the file, comments, identical.
	- Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
	- Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
	- Changes to compat/getentropy files for,
	  no link to openssl if using nettle, and hence config.h for
	  HAVE_NETTLE variable.
	  compat definition of MAP_ANON, for older systems.
	  ifdef stdint.h inclusion for older systems.
	  ifdef sha2.h inclusion for older systems.
	- Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
	- Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
	- Fix Terminating Quotes not Written, reported by X41 D-Sec.
	- Fix Useless memset() in validator, reported by X41 D-Sec.
	- Fix Unrequired Checks, reported by X41 D-Sec.
	- Fix Enum Name not Used, reported by X41 D-Sec.
	- Fix NULL Pointer Dereference via Control Port,
	  reported by X41 D-Sec.
	- Fix Bad Randomness in Seed, reported by X41 D-Sec.
	- Fix python examples/calc.py for eval, reported by X41 D-Sec.
	- Fix comments for doxygen in dns64.

19 November 2019: Wouter
	- Fix CVE-2019-18934, shell execution in ipsecmod.
	- 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development.
	- Fix authzone printout buffer length check.
	- Fixes to please lint checks.
	- Fix Integer Overflow in Regional Allocator,
	  reported by X41 D-Sec.
	- Fix Unchecked NULL Pointer in dns64_inform_super()
	  and ipsecmod_new(), reported by X41 D-Sec.
	- Fix Out-of-bounds Read in rr_comment_dnskey(),
	  reported by X41 D-Sec.
	- Fix Integer Overflows in Size Calculations,
	  reported by X41 D-Sec.
	- Fix Integer Overflow to Buffer Overflow in
	  sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
	- Fix Out of Bounds Read in sldns_str2wire_dname(),
	  reported by X41 D-Sec.
	- Fix Out of Bounds Write in sldns_bget_token_par(),
	  reported by X41 D-Sec.

18 November 2019: Wouter
	- In unbound-host use separate variable for get_option to please
	  code checkers.
	- update to bison output of 3.4.1 in code repository.
	- Provide a prototype for compat malloc to remove compile warning.
	- Portable grep usage for reuseport configure test.
	- Check return type of HMAC_Init_ex for openssl 0.9.8.
	- gitignore .source tempfile used for compatible make.

13 November 2019: Wouter
	- iana portlist updated.
	- contrib/fastrpz.patch updated to apply for current code.
	- fixes for splint cleanliness, long vs int in SSL set_mode.

11 November 2019: Wouter
	- Fix #109: check number of arguments for stdin-pipes in
	  unbound-control and fail if too many arguments.
	- Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.

24 October 2019: Wouter
	- Fix #99: Memory leak in ub_ctx (event_base will never be freed).

23 October 2019: George
	- Add new configure option `--enable-fully-static` to enable full static
	  build if requested; in relation to #91.

23 October 2019: Wouter
	- Merge #97: manpage: Add missing word on unbound.conf,
	  from Erethon.

22 October 2019: Wouter
	- drop-tld.diff: adds option drop-tld: yesno that drops 2 label
	  queries, to stop random floods.  Apply with
	  patch -p1 < contrib/drop-tld.diff and compile.
	  From Saksham Manchanda (Secure64).  Please note that we think this
	  will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
	  lookups for downstream clients.

7 October 2019: Wouter
	- Add doxygen comments to unbound-anchor source address code, in #86.

3 October 2019: Wouter
	- Merge #90 from vcunat: fix build with nettle-3.5.
	- Merge 1.9.4 release with fix for vulnerability CVE-2019-16866.
	- Continue with development of 1.9.5.
	- Merge #86 from psquarejho: Added -b source address option to
	  smallapp/unbound-anchor.c, from Lukas Wunner.

26 September 2019: Wouter
	- Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
	  Drop CAP_KILL, use + prefix for ExecReload= instead.

25 September 2019: Wouter
	- The unbound.conf includes are sorted ascending, for include
	  statements with a '*' from glob.

23 September 2019: Wouter
	- Merge #85 for #84 from sam-lunt: Add kill capability to systemd
	  service file to fix that systemctl reload fails.

20 September 2019: Wouter
	- Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
	  in unbound.service.
	- Merge #81 from Maryse47: Consistently use /dev/urandom instead
	  of /dev/random in scripts and docs.
	- Merge #83 from Maryse47: contrib/unbound.service.in: do not fork
	  into the background.

19 September 2019: Wouter
	- Fix #78: Memory leak in outside_network.c.
	- Merge pull request #76 from Maryse47: Improvements and fixes for
	  systemd unbound.service.
	- oss-fuzz badge on README.md.
	- Fix fix for #78 to also free service callback struct.
	- Fix for oss-fuzz build warning.
	- Fix wrong response ttl for prepended short CNAME ttls, this would
	  create a wrong zero_ttl response count with serve-expired enabled.
	- Merge #80 from stasic: Improve wording in man page.

11 September 2019: Wouter
	- Use explicit bzero for wiping clear buffer of hash in cachedb,
	  reported by Eric Sesterhenn from X41 D-Sec.

9 September 2019: Wouter
	- Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
	  LOG_DAEMON (as before) can set the syslog facility that the server
	  uses to log messages.

4 September 2019: Wouter
	- Fix #71: fix openssl error squelch commit compilation error.

3 September 2019: Wouter
	- squelch DNS over TLS errors 'ssl handshake failed crypto error'
	  on low verbosity, they show on verbosity 3 (query details), because
	  there is a high volume and the operator cannot do anything for the
	  remote failure.  Specifically filters the high volume errors.

2 September 2019: Wouter
	- ipset module #28: log that an address is added, when verbosity high.
	- ipset: refactor long routine into three smaller ones.
	- updated Makefile dependencies.

23 August 2019: Wouter
	- Fix contrib/fastrpz.patch asprintf return value checks.

22 August 2019: Wouter
	- Fix that pkg-config is setup before --enable-systemd needs it.
	- 1.9.3rc2 release candidate tag.  And this became the 1.9.3 release.
	  Master is 1.9.4 in development.

21 August 2019: Wouter
	- Fix log_dns_msg to log irrespective of minimal responses config.

19 August 2019: Ralph
	- Document limitation of pidfile removal outside of chroot directory.

16 August 2019: Wouter
	- Fix unittest valgrind false positive uninitialised value report,
	  where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0
	  issues an uninitialised value for the token buffer at the str2wire.c
	  rrinternal_get_owner() strcmp with the '@' value.  Rewritten to use
	  straight character comparisons removes the false positive.  Also
	  valgrinds --expensive-definedness-checks=yes can stop this false
	  positive.
	- Please doxygen's parser for "@" occurrence in doxygen comment.
	- Fixup contrib/fastrpz.patch
	- Remove warning about unknown cast-function-type warning pragma.

15 August 2019: Wouter
	- iana portlist updated.
	- Fix autotrust temp file uniqueness windows compile.
	- avoid warning about upcast on 32bit systems for autotrust.
	- escape commandline contents for -V.
	- Fix character buffer size in ub_ctx_hosts.
	- 1.9.3rc1 release candidate tag.
	- Option -V prints if TCP fastopen is available.

14 August 2019: George
	- Fix #59, when compiled with systemd support check that we can properly
	  communicate with systemd through the `NOTIFY_SOCKET`.

14 August 2019: Wouter
	- Generate configlexer with newer flex.
	- Fix warning for unused variable for compilation without systemd.

12 August 2019: George
	- Introduce `-V` option to print the version number and build options.
	  Previously reported build options like linked libs and linked modules
	  are now moved from `-h` to `-V` as well for consistency.
	- PACKAGE_BUGREPORT now also includes link to GitHub issues.

1 August 2019: Wouter
	- For #52 #53, second context does not close logfile override.
	- Fix #52 #53, fix for example fail program.
	- Fix to return after failed auth zone http chunk write.
	- Fix to remove unused test for task_probe existance.
	- Fix to timeval_add for remaining second in microseconds.
	- Check repinfo in worker_handle_request, if null, drop it.

29 July 2019: Wouter
	- Add verbose log message when auth zone file is written, at level 4.
	- Add hex print of trust anchor pointer to trust anchor file temp
	  name to make it unique, for libunbound created multiple contexts.

23 July 2019: Wouter
	- Fix question section mismatch in local zone redirect.

19 July 2019: Wouter
	- Fix #49: Set no renegotiation on the SSL context to stop client
	  session renegotiation.

12 July 2019: Wouter
	- Fix #48: Unbound returns additional records on NODATA response,
	  if minimal-responses is enabled, also the additional for negative
	  responses is removed.

9 July 2019: Ralph
	- Fix in respip addrtree selection. Absence of addr_tree_init_parents()
	  call made it impossible to go up the tree when the matching netmask is
	  too specific.

5 July 2019: Ralph
	- Fix for possible assertion failure when answering respip CNAME from
	  cache.

25 June 2019: Wouter
	- For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf
	  when do-not-query-localhost is turned on, or at default on,
	  unbound-checkconf prints a warning if it is found in forward-addr or
	  stub-addr statements.

24 June 2019: Wouter
	- Fix memleak in unit test, reported from the clang 8.0 static analyzer.

18 June 2019: Wouter
	- PR #28: IPSet module, by Kevin Chou.  Created a module to support
	  the ipset that could add the domain's ip to a list easily.
	  Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
	- Fix to omit RRSIGs from addition to the ipset.
	- Fix to make unbound-control with ipset, remove unused variable,
	  use unsigned type because of comparison, and assign null instead
	  of compare with it.  Remade lex and yacc output.
	- make depend
	- Added documentation to the ipset files (for doxygen output).
	- Merge PR #6: Python module: support multiple instances
	- Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
	- Merge PR #4: Python module: assign something useful to the
	  per-query data store 'qdata'
	- Fix python dict reference and double free in config.

17 June 2019: Wouter
	- Master contains version 1.9.3 in development.
	- Fix #39: In libunbound, leftover logfile is close()d unpredictably.
	- Fix for #24: Fix abort due to scan of auth zone masters using old
	  address from previous scan.

12 June 2019: Wouter
	- Fix another spoolbuf storage code point, in prefetch.
	- 1.9.2rc3 release candidate tag.  Which became the 1.9.2 release
	  on 17 June 2019.

11 June 2019: Wouter
	- Fix that fixes the Fix that spoolbuf is not used to store tcp
	  pipelined response between mesh send and callback end, this fixes
	  error cases that did not use the correct spoolbuf.
	- 1.9.2rc2 release candidate tag.

6 June 2019: Wouter
	- 1.9.2rc1 release candidate tag.

4 June 2019: Wouter
	- iana portlist updated.

29 May 2019: Wouter
	- Fix to guard _OPENBSD_SOURCE from redefinition.

28 May 2019: Wouter
	- Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
	- gitignore config.h.in~.

27 May 2019: Wouter
	- Fix double file close in tcp pipelined response code.

24 May 2019: Wouter
	- Fix that spoolbuf is not used to store tcp pipelined response
	  between mesh send and callback end.

20 May 2019: Wouter
	- Note that so-reuseport at extreme load is better turned off,
	  otherwise queries are not distributed evenly, on Linux 4.4.x.

16 May 2019: Wouter
	- Fix #31: swig 4.0 and python module.

13 May 2019: Wouter
	- Squelch log messages from tcp send about connection reset by peer.
	  They can be enabled with verbosity at higher values for diagnosing
	  network connectivity issues.
	- Attempt to fix malformed tcp response.

9 May 2019: Wouter
	- Revert fix for oss-fuzz, error is in that build script that
	  unconditionally includes .o files detected by configure, also
	  when the machine architecture uses different LIBOBJS files.

8 May 2019: Wouter
	- Attempt to fix build failure in oss-fuzz because of reallocarray.
	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14648.
	  Does not omit compile flags from commandline.

7 May 2019: Wouter
	- Fix edns-subnet locks, in error cases the lock was not unlocked.
	- Fix doxygen output error on readme markdown vignettes.

6 May 2019: Wouter
	- Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64.
	- Fix #30: AddressSanitizer finding in lookup3.c.  This sets the
	  hash function to use a slower but better auditable code that does
	  not read beyond array boundaries.  This makes code better security
	  checkable, and is better for security.  It is fixed to be slower,
	  but not read outside of the array.

2 May 2019: Wouter
	- contrib/fastrpz.patch updated for code changes, and with git diff.
	- Fix .gitignore, add pythonmod and dnstap generated files.
	  And unit test generated files, and generated doc files.

1 May 2019: Wouter
	- Update makedist for git.
	- Nicer travis output for clang analysis.
	- PR #16: XoT support, AXFR over TLS, turn it on with
	  master: <ip>#<authname> in unbound.conf.  This uses TLS to
	  download the AXFR (or IXFR).

25 April 2019: Wouter
	- Fix wrong query name in local zone redirect answers with a CNAME,
	  the copy of the local alias is in unpacked form.

18 April 2019: Ralph
	- Scrub RRs from answer section when reusing NXDOMAIN message for
	  subdomain answers.
	- For harden-below-nxdomain: do not consider a name to be non-exitent
	  when message contains a CNAME record.

18 April 2019: Wouter
	- travis build file.

16 April 2019: Wouter
	- Better braces in if statement in TCP fastopen code.
	- iana portlist updated.

15 April 2019: Wouter
	- Fix tls write event for read state change to re-call SSL_write and
	  not resume the TLS handshake.

11 April 2019: George
	- Update python documentation for init_standard().
	- Typos.

11 April 2019: Wouter
	- Fix that auth zone uses correct network type for sockets for
	  SOA serial probes.  This fixes that probes fail because earlier
	  probe addresses are unreachable.
	- Fix that auth zone fails over to next master for timeout in tcp.
	- Squelch SSL read and write connection reset by peer and broken pipe 
	  messages.  Verbosity 2 and higher enables them.

8 April 2019: Wouter
	- Fix to use event_assign with libevent for thread-safety.
	- verbose information about auth zone lookup process, also lookup
	  start, timeout and fail.
	- Fix #17: Add python module example from Jan Janak, that is a
	  plugin for the Unbound DNS resolver to resolve DNS records in
	  multicast DNS [RFC 6762] via Avahi.  The plugin communicates
	  with Avahi via DBus. The comment section at the beginning of
	  the file contains detailed documentation.
	- Fix to wipe ssl ticket keys from memory with explicit_bzero,
	  if available.

5 April 2019: Wouter
	- Fix to reinit event structure for accepted TCP (and TLS) sockets.

4 April 2019: Wouter
	- Fix spelling error in log output for event method.

3 April 2019: Wouter
	- Move goto label in answer_from_cache to the end of the function
	  where it is more visible.
	- Fix auth-zone NSEC3 response for wildcard nodata answers,
	  include the closest encloser in the answer.

2 April 2019: Wouter
	- Fix auth-zone NSEC3 response for empty nonterminals with exact
	  match nsec3 records.
	- Fix for out of bounds integers, thanks to OSTIF audit.  It is in
	  allocation debug code.
	- Fix for auth zone nsec3 ent fix for wildcard nodata.

25 March 2019: Wouter
	- Fix that tls-session-ticket-keys: "" on its own in unbound.conf
	  disables the tls session ticker key calls into the OpenSSL API.
	- Fix crash if tls-servic-pem not filled in when necessary.

21 March 2019: Wouter
	- Fix #4240: Fix whitespace cleanup in example.conf.

19 March 2019: Wouter
	- add type CAA to libpyunbound (accessing libunbound from python).

18 March 2019: Wouter
	- Add log message, at verbosity 4, that says the query is encrypted
	  with TLS, if that is enabled for the query.
	- Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482.

7 March 2019: Wouter
	- Fix for #4233: guard use of NDEBUG, so that it can be passed in
	  CFLAGS into configure.

5 March 2019: Wouter
	- Tag release 1.9.1rc1.  Which became 1.9.1 on 12 March 2019.  Trunk
	  has 1.9.2 in development.

1 March 2019: Wouter
	- output forwarder log in ssl_req_order test.

28 February 2019: Wouter
	- Remove memory leak on pythonmod python2 script file init.
	- Remove swig gcc8 python function cast warnings, they are ignored.
	- Print correct module that failed when module-config is wrong.

27 February 2019: Wouter
	- Fix #4229: Unbound man pages lack information, about access-control
	  order and local zone tags, and elements in views.
	- Fix #14: contrib/unbound.init: Fix wrong comparison judgment
	  before copying.
	- Fix for python module on Windows, fix fopen.

25 February 2019: Wouter
	- Fix #4227: pair event del and add for libevent for tcp_req_info.

21 February 2019: Wouter
	- Fix the error for unknown module in module-config is understandable,
	  and explains it was not compiled in and where to see the list.
	- In example.conf explain where to put cachedb module in module-config.
	- In man page and example config explain that most modules have to
	  be listed at the start of module-config.

20 February 2019: Wouter
	- Fix pythonmod include and sockaddr_un ifdefs for compile on
	  Windows, and for libunbound.

18 February 2019: Wouter
	- Print query name with ip_ratelimit exceeded log lines.
	- Spaces instead of tabs in that log message.
	- Print query name and IP address when domain rate limit exceeded.

14 February 2019: Wouter
	- Fix capsforid canonical sort qsort callback.

11 February 2019: Wouter
	- Note default for module-config in man page.
	- Fix recursion lame test for qname minimisation asked queries,
	  that were not present in the set of prepared answers.
	- Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for
	  cert name matching, from man page.
	- make depend, with newer gcc, nicer layout.

7 February 2019: Wouter
	- Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
	- Fix that qname minimisation does not skip a label when missing
	  nameserver targets need to be fetched.
	- Fix #4225: clients seem to erroneously receive no answer with
	  DNS-over-TLS and qname-minimisation.

4 February 2019: Wouter
	- Fix that log-replies prints the correct name for local-alias
	  names, for names that have a CNAME in local-data configuration.
	  It logs the original query name, not the target of the CNAME.
	- Add local-zone type inform_redirect, which logs like type inform,
	  and redirects like type redirect.
	- Perform canonical sort for 0x20 capsforid compare of replies,
	  this sorts rrsets in the authority and additional section before
	  comparison, so that out of order rrsets do not cause failure.

31 January 2019: Wouter
	- Set ub_ctx_set_tls call signature in ltrace config file for
	  libunbound in contrib/libunbound.so.conf.
	- improve documentation for tls-service-key and forward-first.
	- #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of
	  conditional section, fixes systemd builds, from Enrico Scholz.
	- #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
	  still supports the set_id_callback previous API.  And for 1.1.0
	  no locking callbacks are needed.
	- #8: Fix OpenSSL without ENGINE support compilation.
	- Wipe TLS session key data from memory on exit.

30 January 2019: Ralph
	- Fix case in which query timeout can result in marking delegation
	  as edns_lame_known.

29 January 2019: Wouter
	- Fix spelling of tls-ciphers in example.conf.in.
	- Fix #4224: auth_xfr_notify.rpl test broken due to typo
	- Fix locking for libunbound context setup with broken port config.

28 January 2019: Wouter
	- ub_ctx_set_tls call for libunbound that enables DoT for the machines
	  set with ub_ctx_set_fwd.  Patch from Florian Obser.
	- Set build system for added call in the libunbound API.
	- List example config for root zone copy locally hosted with auth-zone
	  as suggested from draft-ietf-dnsop-7706-bis-02.  But with updated
	  B root address.
	- set version to 1.9.0 for release.  And this was released with the
	  spelling for tls-ciphers fix as 1.9.0 on Feb 5.  Trunk has 1.9.1 in
	  development.

25 January 2019: Wouter
	- Fix that tcp for auth zone and outgoing does not remove and
	  then gets the ssl read again applied to the deleted commpoint.
	- updated contrib/fastrpz.patch to cleanly diff.
	- no lock when threads disabled in tcp request buffer count.
	- remove compile warnings from libnettle compile.
	- output of newer lex 2.6.1 and bison 3.0.5.

24 January 2019: Wouter
	- Newer aclocal and libtoolize used for generating configure scripts,
	  aclocal 1.16.1 and libtoolize 2.4.6.
	- Fix unit test for python 3.7 new keyword 'async'.
	- clang analysis fixes, assert arc4random buffer in init,
	  no check for already checked delegation pointer in iterator,
	  in testcode check for NULL packet matches, in perf do not copy
	  from NULL start list when growing capacity.  Adjust host and file
	  only when present in test header read to please checker.  In
	  testcode for unknown macro operand give zero result. Initialise the
	  passed argv array in test code.  In test code add EDNS data
	  segment copy only when nonempty.
	- Patch from Florian Obser fixes some compiler warnings:
	  include mini_event.h to have a prototype for mini_ev_cmp
	  include edns.h to have a prototype for apply_edns_options
	  sldns_wire2str_edns_keepalive_print is only called in the wire2str,
	  module declare it static to get rid of compiler warning:
	  no previous prototype for function
	  infra_find_ip_ratedata() is only called in the infra module,
	  declare it static to get rid of compiler warning:
	  no previous prototype for function
	  do not shadow local variable buf in authzone
	  auth_chunks_delete and az_nsec3_findnode are only called in the
	  authzone module, declare them static to get rid of compiler warning:
	  no previous prototype for function...
	  copy_rrset() is only called in the respip module, declare it
	  static to get rid of compiler warning:
	  no previous prototype for function 'copy_rrset'
	  no need for another variable "r"; gets rid of compiler warning:
	  declaration shadows a local variable in libunbound.c
	  no need for another variable "ns"; gets rid of compiler warning:
	  declaration shadows a local variable in iterator.c
	- Moved includes and make depend.

23 January 2019: Wouter
	- Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
	  options for unbound.conf.
	- Fixes for the patch, and man page entry.
	- Fix configure to detect SSL_CTX_set_ciphersuites, for better
	  library compatibility when compiling.
	- Patch for TLS session resumption from Manabu Sonoda,
	  enable with tls-session-ticket-keys in unbound.conf.
	- Fixes for patch (includes, declarations, warnings).  Free at end
	  and keep config options in order read from file to keep the first
	  one as the first one.
	- Fix for IXFR fallback to reset counter when IXFR does not timeout.

22 January 2019: Wouter
	- Fix space calculation for tcp req buffer size.
	- Doc for stream-wait-size and unit test.
	- unbound-control stats has mem.streamwait that counts TCP and TLS
	  waiting result buffers.
	- Fix for #4219: secondaries not updated after serial change, unbound
	  falls back to AXFR after IXFR gives several timeout failures.
	- Fix that auth zone after IXFR fallback tries the same master.

21 January 2019: Wouter
	- Fix tcp idle timeout test, for difference in the tcp reply code.
	- Unit test for tcp request reorder and timeouts.
	- Unit tests for ssl out of order processing.
	- Fix that multiple dns fragments can be carried in one TLS frame.
	- Add stream-wait-size: 4m config option to limit the maximum
	  memory used by waiting tcp and tls stream replies.  This avoids
	  a denial of service where these replies use up all of the memory.

17 January 2019: Wouter
	- For caps-for-id fallback, use the whitelist to avoid timeout
	  starting a fallback sequence for it.
	- increase mesh max activation count for capsforid long fetches.

16 January 2019: Ralph
	- Get ready for the DNS flag day: remove EDNS lame procedure, do not
	  re-query without EDNS after timeout.

15 January 2019: Wouter
	- In the out of order processing, reset byte count for (potential)
	  partial read.
	- Review fixes in out of order processing.

14 January 2019: Wouter
	- streamtcp option -a send queries consecutively and prints answers
	  as they arrive.
	- Fix for out of order processing administration quit cleanup.
	- unit test for tcp out of order processing.

11 January 2019: Wouter
	- Initial commit for out-of-order processing for TCP and TLS.

9 January 2019: Wouter
	- Log query name for looping module errors.

8 January 2019: Wouter
	- Fix syntax in comment of local alias processing.
	- Fix NSEC3 record that is returned in wildcard replies from
	  auth-zone zones with NSEC3 and wildcards.

7 January 2019: Wouter
	- On FreeBSD warn if systcl settings do not allow server TCP FASTOPEN,
	  and server tcp fastopen is enabled at compile time.
	- Document interaction between the tls-upstream option in the server
	  section and forward-tls-upstream option in the forward-zone sections.
	- Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews,
	  the patch adds a program used for fuzzing.

12 December 2018: Wouter
	- Fix for crash in dns64 module if response is null.

10 December 2018: Wouter
	- Fix config parser memory leaks.
	- ip-ratelimit-factor of 1 allows all traffic through, instead of the
	  previous blocking everything.
	- Fix for FreeBSD port make with dnscrypt and dnstap enabled.
	- Fix #4206: support openssl 1.0.2 for TLS hostname verification,
	  alongside the 1.1.0 and later support that is already there.
	- Fixup openssl 1.0.2 compile

6 December 2018: Wouter
	- Fix dns64 allocation in wrong region for returned internal queries.

3 December 2018: Wouter
	- Fix icon, no ragged edges and nicer resolutions available, for eg.
	  Win 7 and Windows 10 display.
	- cache-max-ttl also defines upperbound of initial TTL in response.

30 November 2018: Wouter
	- Patch for typo in unbound.conf man page.
	- log-tag-queryreply: yes in unbound.conf tags the log-queries and
	  log-replies in the log file for easier log filter maintenance.

29 November 2018: Wouter
	- iana portlist updated.
	- Fix chroot auth-zone fix to remove chroot prefix.
	- tag for 1.8.2rc1, which became 1.8.2 on 4 dec 2018, with icon
	  updated.  Trunk contains 1.8.3 in development.
	  Which became 1.8.3 on 11 december with only the dns64 fix of 6 dec.
	  Trunk then became 1.8.4 in development.
	- Fix that unbound-checkconf does not complains if the config file
	  is not placed inside the chroot.
	- Refuse to start with no ports.
	- Remove clang analysis warnings.

28 November 2018: Wouter
	- Fix leak in chroot fix for auth-zone.
	- Fix clang analysis for outside directory build test.

27 November 2018: Wouter
	- Fix DNS64 to not store intermediate results in cache, this avoids
	  other threads from picking up the wrong data.  The module restores
	  the previous no_cache_store setting when the the module is finished.
	- Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
	- New and better fix for Fix #4193: Fix that prefetch failure does
	  not overwrite valid cache entry with SERVFAIL.
	- auth-zone give SERVFAIL when expired, fallback activates when
	  expired, and this is documented in the man page.
	- stat count SERVFAIL downstream auth-zone queries for expired zones.
	- Put new logos into windows installer.
	- Fix windows compile for new rrset roundrobin fix.
	- Update contrib fastrpz patch for latest release.

26 November 2018: Wouter
	- Fix to not set GLOB_NOSORT so the unbound.conf include: files are
	  sorted and in a predictable order.
	- Fix #4193: Fix that prefetch failure does not overwrite valid cache
	  entry with SERVFAIL.
	- Add unbound-control view_local_datas command, like local_datas.
	- Fix that unbound-control can send file for view_local_datas.

22 November 2018: Wouter
	- With ./configure --with-pyunbound --with-pythonmodule
	  PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests
	  succeed for the python module.
	- pythonmod logs the python error and traceback on failure.
	- ignore debug python module for test in doxygen output.
	- review fixes for python module.
	- Fix #4209: Crash in libunbound when called from getdns.
	- auth zone zonefiles can be in a chroot, the chroot directory
	  components are removed before use.
	- Fix that empty zonefile means the zonefile is not set and not used.
	- make depend.

21 November 2018: Wouter
	- Scrub NS records from NODATA responses as well.

20 November 2018: Wouter
	- Scrub NS records from NXDOMAIN responses to stop fragmentation
	  poisoning of the cache.
	- Add patch from Jan Vcelak for pythonmod,
	  add sockaddr_storage getters, add support for query callbacks,
	  allow raw address access via comm_reply and update API documentation.
	- Removed compile warnings in pythonmod sockaddr routines.

19 November 2018: Wouter
	- Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
	  option in unbound.conf.

6 November 2018: Ralph
	- Bugfix min-client-subnet-ipv6

25 October 2018: Ralph
	- Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.

25 October 2018: Wouter
	- Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
	- Fix #4190: Please create a "ANY" deny option, adds the option
	  deny-any: yes in unbound.conf.  This responds with an empty message
	  to queries of type ANY.
	- Fix #4141: More randomness to rrset-roundrobin.
	- Fix #4132: Openness/closeness of RANGE intervals in rpl files.
	- Fix #4126: RTT_band too low on VSAT links with 600+ms latency,
	  adds the option unknown-server-time-limit to unbound.conf that
	  can be increased to avoid the problem.
	- remade makefile dependencies.
	- Fix #4152: Logs shows wrong time when using log-time-ascii: yes.

24 October 2018: Ralph
	- Add markdel function to ECS slabhash.
	- Limit ECS scope returned to client to the scope used for caching.
	- Make lint like previous #4154 fix.

22 October 2018: Wouter
	- Fix #4192: unbound-control-setup generates keys not readable by
	  group.
	- check that the dnstap socket file can be opened and exists, print
	  error if not.
	- Fix #4154: make ECS_MAX_TREESIZE configurable, with
	  the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.

22 October 2018: Ralph
	- Change fast-server-num default to 3.

8 October 2018: Ralph
	- Add fast-server-permil and fast-server-num options.
	- Deprecate low-rtt and low-rtt-permil options.

8 October 2018: Wouter
	- Squelch log of failed to tcp initiate after TCP Fastopen failure.

5 October 2018: Wouter
	- Squelch EADDRNOTAVAIL errors when the interface goes away,
	  this omits 'can't assign requested address' errors unless
	  verbosity is set to a high value.
	- Set default for so-reuseport to no for FreeBSD.  It is enabled
	  by default for Linux and DragonFlyBSD.  The setting can 
	  be configured in unbound.conf to override the default.
	- iana port update.

2 October 2018: Wouter
	- updated contrib/fastrpz.patch to apply for this version
	- dnscrypt.c removed sizeof to get array bounds.
	- Fix testlock code to set noreturn on error routine.
	- Remove unused variable from contrib fastrpz/rpz.c and
	  remove unused diagnostic pragmas that themselves generate warnings
	- clang analyze test is used only when assertions are enabled.

1 October 2018: Wouter
	- tag for release 1.8.1rc1.  Became release 1.8.1 on 8 oct, with
	  fastrpz.patch fix included.  Trunk has 1.8.2 in development.

27 September 2018: Wouter
	- Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
	  qname minimisation with a forwarder when connectivity has issues
	  from rejecting responses.

25 September 2018: Wouter
	- Perform TLS SNI indication of the host that is being contacted
	  for DNS over TLS service.  It sets the configured tls auth name.
	  This is useful for hosts that apart from the DNS over TLS services
	  also provide other (web) services.
	- Fix #4149: Add SSL cleanup for tcp timeout.

17 September 2018: Wouter
	- Fix compile on Mac for unbound, provide explicit_bzero when libc
	  does not have it.
	- Fix unbound for openssl in FIPS mode, it uses the digests with
	  the EVP call contexts.
	- Fix that with harden-below-nxdomain and qname minisation enabled
	  some iterator states for nonresponsive domains can get into a
	  state where they waited for an empty list.
	- Stop UDP to TCP failover after timeouts that causes the ping count
	  to be reset by the TCP time measurement (that exists for TLS),
	  because that causes the UDP part to not be measured as timeout.
	- Fix #4156: Fix systemd service manager state change notification.

13 September 2018: Wouter
	- Fix seed for random backup code to use explicit zero when wiped.
	- exit log routine is annotated as noreturn function.
	- free memory leaks in config strlist and str2list insert functions.
	- do not move unused argv variable after getopt.
	- Remove unused if clause in testcode.
	- in testcode, free async ids, initialise array, and check for null
	  pointer during test of the test.  And use exit for return to note
	  irregular program stop.
	- Free memory leak in config strlist append.
	- make sure nsec3 comparison salt is initialized.
	- unit test has clang analysis.
	- remove unused variable assignment from iterator scrub routine.
	- check for null in delegation point during iterator refetch
	  in forward zone.
	- neater pointer cast in libunbound context quit routine.
	- initialize statistics totals for printout.
	- in authzone check that node exists before adding rrset.
	- in unbound-anchor, use readwrite memory BIO.
	- assertion in autotrust that packed rrset is formed correctly.
	- Fix memory leak when message parse fails partway through copy.
	- remove unused udpsize assignment in message encode.
	- nicer bio free code in unbound-anchor.
	- annotate exit functions with noreturn in unbound-control.

11 September 2018: Wouter
	- Fixed unused return value warnings in contrib/fastrpz.patch for
	  asprintf.
	- Fix to squelch respip warning in unit test, it is printed at
	  higher verbosity settings.
	- Fix spelling errors.
	- Fix initialisation in remote.c

10 September 2018: Wouter
	- 1.8.1 in svn trunk. (changes from 4,5,.. sep apply).
	- iana port update.

5 September 2018: Wouter
	- Fix spelling error in header, from getdns commit by Andreas Gelmini.

4 September 2018: Ralph
	- More explicitly mention the type of ratelimit when applying
	  ip-ratelimit.

4 September 2018: Wouter
	- Tag for 1.8.0rc1 release, became 1.8.0 release on 10 Sep 2018.

31 August 2018: Wouter
	- Disable minimal-responses in subnet unit tests.

30 August 2018: Wouter
	- Fix that a local-zone with a local-zone-type that is transparent
	  in a view with view-first, makes queries check for answers from the
	  local-zones defined outside of views.

28 August 2018: Ralph
	- Disable minimal-responses in ipsecmod unit tests.
	- Added serve-expired-ttl and serve-expired-ttl-reset options.

27 August 2018: Wouter
	- Set defaults to yes for a number of options to increase speed and
	  resilience of the server.  The so-reuseport, harden-below-nxdomain,
	  and minimal-responses options are enabled by default.  They used
	  to be disabled by default, waiting to make sure they worked.  They
	  are enabled by default now, and can be disabled explicitly by
	  setting them to "no" in the unbound.conf config file.  The reuseport
	  and minimal options increases speed of the server, and should be
	  otherwise harmless.  The harden-below-nxdomain option works well
	  together with the recently default enabled qname minimisation, this
	  causes more fetches to use information from the cache.
	- next release is called 1.8.0.
	- Fix lintflags for lint on FreeBSD.

22 August 2018: George
	- #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
	  gives access to reply information for the client's communication
	  point when the callback is called before the mesh state (modules).
	  Changes to C and Python's inplace_callback signatures were also
	  necessary.

21 August 2018: Wouter
	- log-local-actions: yes option for unbound.conf that logs all the
	  local zone actions, a patch from Saksham Manchanda (Secure64).
	- #4146: num.query.subnet and num.query.subnet_cache counters.
	- Fix only misc failure from log-servfail when val-log-level is not
	  enabled.

17 August 2018: Ralph
	- Fix classification for QTYPE=CNAME queries when QNAME minimisation is
 	  enabled.

17 August 2018: Wouter
	- Set libunbound to increase current, because the libunbound change
	  to the event callback function signature.  That needs programs,
	  that use it, to recompile against the new header definition.
	- print servfail info to log as error.
	- added more servfail printout statements, to the iterator.
	- log-servfail: yes prints log lines that say why queries are
	  returning SERVFAIL to clients.

16 August 2018: Wouter
	- Fix warning on compile without threads.
	- Fix contrib/fastrpz.patch.

15 August 2018: Wouter
	- Fix segfault in auth-zone read and reorder of RRSIGs.

14 August 2018: Wouter
	- Fix that printout of error for cycle targets is a verbosity 4
	  printout and does not wrongly print it is a memory error.
	- Upgraded crosscompile script to include libunbound DLL in the
	  zipfile.

10 August 2018: Wouter
	- Fix #4144: dns64 module caches wrong (negative) information.

9 August 2018: Wouter
	- unbound-checkconf checks if modules exist and prints if they are
	  not compiled in the name of the wrong module.
	- document --enable-subnet in doc/README.
	- Patch for stub-no-cache and forward-no-cache options that disable
	  caching for the contents of that stub or forward, for when you
	  want immediate changes visible, from Bjoern A. Zeeb.

7 August 2018: Ralph
	- Make capsforid fallback QNAME minimisation aware.

7 August 2018: Wouter
	- Fix #4142: unbound.service.in: improvements and fixes.
	  Add unit dependency ordering (based on systemd-resolved).
	  Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
	  about missing privileges during startup). Add 'AF_INET6' to
	  'RestrictAddressFamilies' (without it IPV6 can't work). From
	  Guido Shanahan.
	- Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
	  This limits the number of simultaneous TCP client connections
	  from a nominated netblock.
	- make depend, yacc, lex, doc, headers.  And log the limit exceeded
	  message only on high verbosity, so as to not spam the logs when
	  it is busy.

6 August 2018: Wouter
	- Fix for #4136: Fix to unconditionally call destroy in daemon.c.

3 August 2018: George
	- Expose if a query (or a subquery) was ratelimited (not src IP
	  ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
	  This also introduces a change to 'ub_event_callback_type' in
	  libunbound/unbound-event.h.
	- Tidy pylib tests.

3 August 2018: Wouter
	- Revert previous change for #4136: because it introduces build
	  problems.
	- New fix for #4136: This one ignores lex without without
	  yylex_destroy.

1 August 2018: Wouter
	- Fix to remove systemd sockaddr function check, that is not
	  always present.  Make socket activation more lenient.  But not
	  different when socket activation is not used.
	- iana port list update.

31 July 2018: Wouter
	- Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
	- Sort out test runs when the build directory isn't the project
	  root directory.
	- Add config tcp-idle-timeout (default 30s). This applies to
	  client connections only; the timeout on TCP connections upstream
	  is unaffected.
	- Error if EDNS Keepalive received over UDP.
	- Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
	  and implement option in client responses.
	- Correct and expand manual page entries for keepalive and idle timeout.
	- Implement progressive backoff of TCP idle/keepalive timeout.
	- Fix 'make depend' to work when build dir is not project root.
	- Add delay parameter to streamtcp, -d secs.
	  To be used when testing idle timeout.
	- From Wouter: make depend, the dependencies in the patches did not
	  apply cleanly.  Also remade yacc and lex.
	- Fix mesh.c incompatible pointer pass.
	- Please doxygen so it passes.
	- Fix #4139: Fix unbound-host leaks memory on ANY.

30 July 2018: Wouter
	- Fix #4136: insufficiency from mismatch of FLEX capability between
	  released tarball and build host.

27 July 2018: Wouter
	- Fix man page, say that chroot is enabled by default.

26 July 2018: Wouter
	- Fix #4135: 64-bit Windows Installer Creates Entries Under The
	  Wrong Registry Key, reported by Brian White.

23 July 2018: Wouter
	- Fix use-systemd readiness signalling, only when use-systemd is yes
	  and not in signal handler.

20 July 2018: Wouter
	- Fix #4130: print text describing -dd and unbound-checkconf on
	  config file read error at startup, the errors may have been moved
	  away by the startup process.
	- Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.

19 July 2018: Wouter
	- Fix #4129 unbound-control error message with wrong cert permissions
	  is too cryptic.

17 July 2018: Wouter
	- Fix #4127 unbound -h does not list -p help.
	- Print error if SSL name verification configured but not available
	  in the ssl library.
	- Fix that ratelimit and ip-ratelimit are applied after reload of
	  changed config file.
	- Resize ratelimit and ip-ratelimit caches if changed on reload.

16 July 2018: Wouter
	- Fix qname minimisation NXDOMAIN validation lookup failures causing
	  error_supers assertion fails.
	- Squelch can't bind socket errors with Permission denied unless
	  verbosity is 4 or higher, for UDP outgoing sockets.

12 July 2018: Wouter
	- Fix to improve systemd socket activation code file descriptor
	  assignment.
	- Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
	  easily changed to adjust default rtt assumptions.

10 July 2018: Wouter
	- Note in documentation that the cert name match code needs
	  OpenSSL 1.1.0 or later to be enabled.

6 July 2018: Wouter
	- Fix documentation ambiguity for tls-win-cert in tls-upstream and
	  forward-tls-upstream docs.
	- iana port update.
	- Note RFC8162 support.  SMIMEA record type can be read in by the
	  zone record parser.
	- Fix round robin for failed addresses with prefer-ip6: yes

4 July 2018: Wouter
	- Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
	  if DNSSEC is not enabled.  New option -R allows fallback from
	  resolv.conf to direct queries.

3 July 2018: Wouter
	- Better documentation for unblock-lan-zones and insecure-lan-zones
	  config statements.
	- Fix permission denied printed for auth zone probe random port nrs.

2 July 2018: Wouter
	- Fix checking for libhiredis printout in configure output.
	- Fix typo on man page in ip-address description.
	- Update libunbound/python/examples/dnssec_test.py example code to
	  also set the 20326 trust anchor for the root in the example code.

29 June 2018: Wouter
	- dns64-ignore-aaaa: config option to list domain names for which the
	  existing AAAA is ignored and dns64 processing is used on the A
	  record.

28 June 2018: Wouter
	- num.queries.tls counter for queries over TLS.
	- log port number with err_addr logs.

27 June 2018: Wouter
	- #4109: Fix that package config depends on python unconditionally.
	- Patch, do not export python from pkg-config, from Petr Menšík.

26 June 2018: Wouter
	- Partial fix for permission denied on IPv6 address on FreeBSD.
	- Fix that auth-zone master reply with current SOA serial does not
	  stop scan of masters for an updated zone.
	- Fix that auth-zone does not start the wait timer without checking
	  if the wait timer has already been started.

21 June 2018: Wouter
	- #4108: systemd reload hang fix.
	- Fix usage printout for unbound-host, hostname has to be last
	  argument on BSDs and Windows.

19 June 2018: Wouter
	- Fix for unbound-control on Windows and set TCP socket parameters
	  more closely.
	  This fix is part of 1.7.3.
	- Windows example service.conf edited with more windows specific
	  configuration.
	- Fix windows unbound-control no cert bad file descriptor error.
	  This fix is part of 1.7.3.

18 June 2018: Wouter
	- Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
	  This fix is part of 1.7.3rc2.
	- Fix unbound-checkconf for control-use-cert.
	  This fix is part of 1.7.3.

15 June 2018: Wouter
	- tag for 1.7.3rc1.
	- trunk has 1.7.4.
	- unbound-control auth_zone_reload _zone_ option rereads the zonefile.
	- unbound-control auth_zone_transfer _zone_ option starts the probe
	  sequence for a master to transfer the zone from and transfers when
	  a new zone version is available.

14 June 2018: Wouter
	- #4103: Fix that auth-zone does not insist on SOA record first in
	  file for url downloads.
	- Fix that first control-interface determines if TLS is used.  Warn
	  when IP address interfaces are used without TLS.
	- Fix nettle compile.

12 June 2018: Ralph
	- Don't count CNAME response types received during qname minimisation as
	  query restart.

12 June 2018: Wouter
	- #4102 for NSD, but for Unbound.  Named unix pipes do not use
	  certificate and key files, access can be restricted with file and
	  directory permissions.  The option control-use-cert is no longer
	  used, and ignored if found in unbound.conf.
	- Rename tls-additional-ports to tls-additional-port, because every
	  line adds one port.
	- Fix buffer size warning in unit test.
	- remade dependencies in the Makefile.

6 June 2018: Wouter
	- Patch to fix openwrt for mac os build darwin detection in configure.

5 June 2018: Wouter
	- Fix crash if ratelimit taken into use with unbound-control
	  instead of with unbound.conf.

4 June 2018: Wouter
	- Fix deadlock caused by incoming notify for auth-zone.
	- tag for 1.7.2rc1, became 1.7.2 release on 11 June 2018,
	  trunk is 1.7.3 in development from this point.
	- #4100: Fix stub reprime when it becomes useless.

1 June 2018: Wouter
	- Rename additional-tls-port to tls-additional-ports.
	  The older name is accepted for backwards compatibility.

30 May 2018: Wouter
	- Patch from Syzdek: Add ability to ignore RD bit and treat all
	  requests as if the RD bit is set.

29 May 2018: Wouter
	- in compat/arc4random call getentropy_urandom when getentropy fails
	  with ENOSYS.
	- Fix that fallback for windows port.

28 May 2018: Wouter
	- Fix windows tcp and tls spin on events.
	- Add routine from getdns to add windows cert store to the SSL_CTX.
	- tls-win-cert option that adds the system certificate store for
	  authenticating DNS-over-TLS connections.  It can be used instead
	  of the tls-cert-bundle option, or with it to add certificates.

25 May 2018: Wouter
	- For TCP and TLS connections that don't establish, perform address
	  update in infra cache, so future selections can exclude them.
	- Fix that tcp sticky events are removed for closed fd on windows.
	- Fix close events for tcp only.

24 May 2018: Wouter
	- Fix that libunbound can do DNS-over-TLS, when configured.
	- Fix that windows unbound service can use DNS-over-TLS.
	- unbound-host initializes ssl (for potential DNS-over-TLS usage
	  inside libunbound), when ssl upstream or a cert-bundle is configured.

23 May 2018: Wouter
	- Use accept4 to speed up incoming TCP (and TLS) connections,
	  available on Linux, FreeBSD and OpenBSD.

17 May 2018: Ralph
	- Qname minimisation default changed to yes.

15 May 2018: Wouter
	- Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.

11 May 2018: Wouter
	- Fix contrib/libunbound.pc for libssl libcrypto references,
	  from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914

7 May 2018: Wouter
	- Fix windows to not have sticky TLS events for TCP.
	- Fix read of DNS over TLS length and data in one read call.
	- Fix mesh state assertion failure due to callback removal.

3 May 2018: Wouter
	- Fix that configure --with-libhiredis also turns on cachedb.
	- Fix gcc 8 buffer warning in testcode.
	- Fix function type cast warning in libunbound context callback type.

2 May 2018: Wouter
	- Fix fail to reject dead peers in forward-zone, with ssl-upstream.

1 May 2018: Wouter
	- Fix that unbound-control reload frees the rrset keys and returns
	  the memory pages to the system.

30 April 2018: Wouter
	- Fix spelling error in man page and note defaults as no instead of
	  off.

26 April 2018: Wouter
	- Fix for crash in daemon_cleanup with dnstap during reload,
	  from Saksham Manchanda.
	- Also that for dnscrypt.
	- tag for 1.7.1rc1 release.  Became 1.7.1 release on 3 May, trunk
	  is from here 1.7.2 in development.

25 April 2018: Ralph
	- Fix memory leak when caching wildcard records for aggressive NSEC use

24 April 2018: Wouter
	- Fix contrib/fastrpz.patch for this release.
	- Fix auth https for libev.

24 April 2018: Ralph
	- Added root-key-sentinel support

23 April 2018: Wouter
	- makedist uses bz2 for expat code, instead of tar.gz.
	- Fix #4092: libunbound: use-caps-for-id lacks colon in
	  config_set_option.
	- auth zone http download stores exact copy of downloaded file,
	  including comments in the file.
	- Fix sldns parse failure for CDS alternate delete syntax empty hex.
	- Attempt for auth zone fix; add of callback in mesh gets from
	  callback does not skip callback of result.
	- Fix cname classification with qname minimisation enabled.
	- list_auth_zones unbound-control command.

20 April 2018: Wouter
	- man page documentation for dns-over-tls forward-addr '#' notation.
	- removed free from failed parse case.
	- Fix #4091: Fix that reload of auth-zone does not merge the zonefile
	  with the previous contents.
	- Delete auth zone when removed from config.

19 April 2018: Wouter
	- Can set tls authentication with forward-addr: IP#tls.auth.name
	  And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
	  such as forward-addr: 9.9.9.9@853#dns.quad9.net or
	  1.1.1.1@853#cloudflare-dns.com
	- Fix #658: unbound using TLS in a forwarding configuration does not
	  verify the server's certificate (RFC 8310 support).
	- For addr with #authname and no @port notation, the default is 853.

18 April 2018: Wouter
	- Fix auth-zone retry timer to be on schedule with retry timeout,
	  with backoff.  Also time a refresh at the zone expiry.

17 April 2018: Wouter
	- auth zone notify work.
	- allow-notify: config statement for auth-zones.
	- unit test for allow-notify

16 April 2018: Wouter
	- Fix auth zone target lookup iterator.
	- auth zone notify with prefix
	- auth zone notify work.

13 April 2018: Wouter
	- Fix for max include depth for authzones.
	- Fix memory free on fail for $INCLUDE in authzone.
	- Fix that an internal error to look up the wrong rr type for
	  auth zone gets stopped, before trying to send there.
	- auth zone notify work.

10 April 2018: Ralph
	- num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
	  statistics counters.

10 April 2018: Wouter
	- documentation for low-rtt and low-rtt-pct.
	- auth zone notify work.

9 April 2018: Wouter
	- Fix that flush_zone sets prefetch ttl expired, so that with
	  serve-expired enabled it'll start prefetching those entries.
	- num.query.authzone.up and num.query.authzone.down statistics counters.
	- Fix downstream auth zone, only fallback when auth zone fails to
	  answer and fallback is enabled.
	- Accept both option names with and without colon for get_option
	  and set_option.
	- low-rtt and low-rtt-pct in unbound.conf enable the server selection
	  of fast servers for some percentage of the time.

5 April 2018: Wouter
	- Combine write of tcp length and tcp query for dns over tls.
	- nitpick fixes in example.conf.
	- Fix above stub queries for type NS and useless delegation point.
	- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
	  tls_choose_sigalg routine does not allow the ciphers for the pipe,
	  so use TLSv1.2.
	- ED448 support.

3 April 2018: Wouter
	- Fix #4043: make test fails due to v6 presentation issue in macOS.
	- Fix unable to resolve after new WLAN connection, due to auth-zone
	  failing with a forwarder set.  Now, auth-zone is only used for
	  answers (not referrals) when a forwarder is set.

29 March 2018: Ralph
	- Check "result" in dup_all(), by Florian Obser.

23 March 2018: Ralph
	- Fix unbound-control get_option aggressive-nsec

21 March 2018: Ralph
	- Do not use cached NSEC records to generate negative answers for
	  domains under DNSSEC Negative Trust Anchors.

19 March 2018: Wouter
	- iana port update.

16 March 2018: Wouter
	- corrected a minor typo in the changelog.
	- move htobe64/be64toh portability code to cachedb.c.

15 March 2018: Wouter
	- Add --with-libhiredis, unbound support for a new cachedb backend
	  that uses a Redis server as the storage.  This implementation
	  depends on the hiredis client library (https://redislabs.com/lp/hiredis/).
	  And unbound should be built with both --enable-cachedb and
	  --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
	  should exist).  Patch from Jinmei Tatuya (Infoblox).
	- Fix #3817: core dump happens in libunbound delete, when queued
	  servfail hits deleted message queue.
	- Create additional tls service interfaces by opening them on other
	  portnumbers and listing the portnumbers as additional-tls-port: nr.

13 March 2018: Wouter
	- Fix typo in documentation.
	- Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
	  flushed with serve-expired on.

12 March 2018: Wouter
	- Added documentation for aggressive-nsec: yes.
	- tag 1.7.0rc3.  That became the 1.7.0 release on 15 Mar, trunk
	  now has 1.7.1 in development.
	- Fix #3727: Protocol name is TLS, options have been renamed but
	  documentation is not consistent.
	- Check IXFR start serial.

9 March 2018: Wouter
	- Fix #3598: Fix swig build issue on rhel6 based system.
	  configure --disable-swig-version-check stops the swig version check.

8 March 2018: Wouter
	- tag 1.7.0rc2.

7 March 2018: Wouter
	- Fixed contrib/fastrpz.patch, even though this already applied
	  cleanly for me, now also for others.
	- patch to log creates keytag queries, from A. Schulze.
	- patch suggested by Debian lintian: allow to -> allow one to, from 
	  A. Schulze.
	- Attempt to remove warning about trailing whitespace.

6 March 2018: Wouter
	- Reverted fix for #3512, this may not be the best way forward;
	  although it could be changed at a later time, to stay similar to
	  other implementations.
	- svn trunk contains 1.7.0, this is the number for the next release.
	- Fix for windows compile.
	- tag 1.7.0rc1.

5 March 2018: Wouter
	- Fix to check define of DSA for when openssl is without deprecated.
	- iana port update.
	- Fix #3582: Squelch address already in use log when reuseaddr option
	  causes same port to be used twice for tcp connections.

27 February 2018: Wouter
	- Fixup contrib/fastrpz.patch so that it applies.
	- Fix compile without threads, and remove unused variable.
	- Fix compile with staticexe and python module.
	- Fix nettle compile.

22 February 2018: Ralph
	- Save wildcard RRset from answer with original owner for use in
 	  aggressive NSEC.

21 February 2018: Wouter
	- Fix #3512: unbound incorrectly reports SERVFAIL for CAA query
	  when there is a CNAME loop.
	- Fix validation for CNAME loops.  When it detects a cname loop,
	  by finding the cname, cname in the existing list, it returns
	  the partial result with the validation result up to then.
	- more robust cachedump rrset routine.

19 February 2018: Wouter
	- Fix #3505: Documentation for default local zones references
	  wrong RFC.
	- Fix #3494: local-zone noview can be used to break out of the view
	  to the global local zone contents, for queries for that zone.
	- Fix for more maintainable code in localzone.

16 February 2018: Wouter
	- Fixes for clang static analyzer, the missing ; in
	  edns-subnet/addrtree.c after the assert made clang analyzer
	  produce a failure to analyze it.

13 February 2018: Ralph
	- Aggressive NSEC tests

13 February 2018: Wouter
	- tls-cert-bundle option in unbound.conf enables TLS authentication.
	- iana port update.

12 February 2018: Wouter
	- Unit test for auth zone https url download.

12 February 2018: Ralph
	- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
	- Processed aggressive NSEC code review remarks Wouter

8 February 2018: Ralph
	- Aggressive use of NSEC implementation. Use cached NSEC records to
	  generate NXDOMAIN, NODATA and positive wildcard answers.

8 February 2018: Wouter
	- iana port update.
	- auth zone url config.

5 February 2018: Wouter
	- Fix #3451: dnstap not building when you have a separate build dir.
	  And removed protoc warning, set dnstap.proto syntax to proto2.
	- auth-zone provides a way to configure RFC7706 from unbound.conf,
	  eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
	  fallback-enabled: yes and masters or a zonefile with data.

2 February 2018: Wouter
	- Fix unfreed locks in log and arc4random at exit of unbound.
	- unit test with valgrind
	- Fix lock race condition in dns cache dname synthesis.
	- lock subnet new item before insertion to please checklocks,
	  no modification of critical regions outside of lock region.

1 February 2018: Wouter
	- fix unaligned structure making a false positive in checklock
	  unitialised memory.

29 January 2018: Ralph
	- Use NSEC with longest ce to prove wildcard absence.
	- Only use *.ce to prove wildcard absence, no longer names.

25 January 2018: Wouter
	- ltrace.conf file for libunbound in contrib.

23 January 2018: Wouter
	- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
	  for startup scripts to get the full pathname(s) of anchor file(s).
	- Print fatal errors about remote control setup before log init,
	  so that it is printed to console.

22 January 2018: Wouter
	- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
	  also recognized and means the same.  Also for tls-port,
	  tls-service-key, tls-service-pem, stub-tls-upstream and
	  forward-tls-upstream.
	- Fix #3397: Fix that cachedb could return a partial CNAME chain.
	- Fix #3397: Fix that when the cache contains an unsigned DNAME in
	  the middle of a cname chain, a result without the DNAME could
	  be returned.

19 January 2018: Wouter
	- tag 1.6.8 for release with CVE fix.
	- trunk has 1.6.9 with fix and previous commits.
	- patch for CVE-2017-15105: vulnerability in the processing of
	  wildcard synthesized NSEC records.
	- iana port update.
	- make depend: code dependencies updated in Makefile.

4 January 2018: Ralph
	- Copy query and correctly set flags on REFUSED answers when cache
	  snooping is not allowed.

3 January 2018: Ralph
	- Fix queries being leaked above stub when refetching glue.

2 January 2017: Wouter
	- Fix that DS queries with referral replies are answered straight
	  away, without a repeat query picking the DS from cache.
	  The correct reply should have been an answer, the reply is fixed
	  by the scrubber to have the answer in the answer section.
	- Remove clang optimizer disable,
	  Fix that expiration date checks don't fail with clang -O2.

15 December 2017: Wouter
	- Fix timestamp failure because of clang optimizer failure, by
	  disabling -O2 when the compiler --version is clang.
	- iana port update.
	- Also disable -flto for clang, to make incep-expi signature check
	  work.

12 December 2017: Ralph
	- Fix qname-minimisation documentation (A QTYPE, not NS)

12 December 2017: Wouter
	- authzone work, transfer connect.

7 December 2017: Ralph
	- Check whether --with-libunbound-only is set when using --with-nettle
	  or --with-nss.

4 December 2017: Wouter 
	- Fix link failure on OmniOS.

1 December 2017: Wouter 
	- auth zone work.

30 November 2017: Wouter 
	- Fix #3299 - forward CNAME daisy chain is not working

14 November 2017: Wouter 
	- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
	  set for stub zone.  It no longer searches for DNSSEC information.
	- auth xfer work on probe timer and lookup.

13 November 2017: Wouter 
	- Fix #2801: Install libunbound.pc.
	- Fix qname minimisation to send AAAA queries at zonecut like type A.
	- reverted AAAA change.

7 November 2017: Wouter 
	- Fix #2492: Documentation libunbound.

3 November 2017: Wouter 
	- Fix #2362: TLS1.3/openssl-1.1.1 not working.
	- Fix #2034 - Autoconf and -flto.
	- Fix #2141 - for libsodium detect lack of entropy in chroot, print
	  a message and exit.

2 November 2017: Wouter 
	- Fix #1913: ub_ctx_config is under circumstances thread-safe.
	- make ip-transparent option work on OpenBSD.

31 October 2017: Wouter 
	- Document that errno is left informative on libunbound config read
	  fail.
	- lexer output.
	- iana port update.

25 October 2017: Ralph
	- Fixed libunbound manual typo.
	- Fix #1949: [dnscrypt] make provider name mismatch more obvious.
	- Fix #2031: Double included headers

24 October 2017: Ralph
	- Update B root ipv4 address.

19 October 2017: Wouter 
	- authzone work, probe timer setup.

18 October 2017: Wouter 
	- lint for recent authzone commit.

17 October 2017: Wouter 
	- Fix #1749: With harden-referral-path: performance drops, due to
	  circular dependency in NS and DS lookups.
	- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
	  duplicates
	- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
	  from Manu Bretelle.
	This option allows handling multiple cert/key pairs while only
	distributing some of them.
	In order to reliably match a client magic with a given key without
	strong assumption as to how those were generated, we need both key and
	cert. Likewise, in order to know which ES version should be used.
	On the other hand, when rotating a cert, it can be desirable to only
	serve the new cert but still be able to handle clients that are still
	using the old certs's public key.
	The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
	publish the cert as part of the DNS's provider_name's TXT answer.
	- Better documentation for cache-max-negative-ttl.
	- Work on local root zone code.

10 October 2017: Wouter 
	- tag 1.6.7
	- trunk has version 1.6.8.

6 October 2017: Wouter 
	- Fix spelling in unbound-control man page.

5 October 2017: Wouter 
	- Fix trust-anchor-signaling works in libunbound.
	- Fix some more crpls in testdata for different signaling default.
	- tag 1.6.7rc1

5 October 2017: Ralph 
	- Set trust-anchor-signaling default to yes
	- Use RCODE from A query on DNS64 synthesized answer.

2 October 2017: Wouter
	- Fix param unused warning for windows exportsymbol compile.

25 September 2017: Ralph
	- Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
	   (by Danilo G. Baio).

21 September 2017: Ralph
	- Log name of looping module

19 September 2017: Wouter
	- use a cachedb answer even if it's "expired" when serve-expired is yes
	  (patch from Jinmei Tatuya).
	- trigger refetching of the answer in that case (this will bypass
	  cachedb lookup)
	- allow storing a 0-TTL answer from cachedb in the in-memory message
	  cache when serve-expired is yes
	- Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.

18 September 2017: Ralph
	- Fix #1400: allowing use of global cache on ECS-forwarding unless
	  always-forward.

18 September 2017: Wouter
	- tag 1.6.6 (is 1.6.6rc2)
	- Fix that looping modules always stop the query, and don't pass
	  control.
	- Fix #1435: Please allow UDP to be disabled separately upstream and
	  downstream.
	- Fix #1440: [dnscrypt] client nonce cache.

15 September 2017: Wouter
	- Fix unbound-host to report error for DNSSEC state of failed lookups.
	- Spelling fixes, from Josh Soref.

13 September 2017: Wouter
	- tag 1.6.6rc2, became 1.6.6 on 18 sep.  trunk 1.6.7 in development.

12 September 2017: Wouter
	- Add dns64 for client-subnet in unbound-checkconf.

4 September 2017: Ralph
	- Fix #1412: QNAME minimisation strict mode not honored
	- Fix #1434: Fix windows openssl 1.1.0 linking.

4 September 2017: Wouter
	- tag 1.6.6rc1
	- makedist fix for windows binaries, with openssl 1.1.0 windres fix,
	  and expat 2.2.4 install target fix.

1 September 2017: Wouter
	- Recommend 1472 buffer size in unbound.conf

31 August 2017: Wouter
	- Fix #1424: cachedb:testframe is not thread safe.
	- For #1417: escape ; in dnscrypt tests.
	- but reverted that, tests fails with that escape.
	- Fix #1417: [dnscrypt] shared secret cache counters, and works when
	  dnscrypt is not enabled.  And cache size configuration option.
	- make depend
	- Fix #1418: [ip ratelimit] initialize slabhash using
	  ip-ratelimit-slabs.

30 August 2017: Wouter
	- updated contrib/fastrpz.patch to apply with configparser changes.
	- Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.

29 August 2017: Wouter
	- Fix #1414: fix segfault on parse failure and log_replies.
	- zero qinfo in handle_request, this zeroes local_alias and also the
	  qname member.
	- new keys and certs for dnscrypt tests.
	- fixup WKS test on buildhost without servicebyname.

28 August 2017: Wouter
	- Fix #1415: patch to free dnscrypt environment on reload.
	- iana portlist update
	- Fix #1415: [dnscrypt] shared secret cache, patch from
	  Manu Bretelle.
	- Small fixes for the shared secret cache patch.
	- Fix WKS records on kvm autobuild host, with default protobyname
	  entries for udp and tcp.

23 August 2017: Wouter
	- Fix #1407: Add ECS options check to unbound-checkconf.
	- make depend
	- Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
	  allocation failure.

22 August 2017: Wouter
	- Fix install of trust anchor when two anchors are present, makes both
	  valid. Checks hash of DS but not signature of new key. This fixes
	  the root.key file if created when unbound is installed between
	  sep11 and oct11 2017.
	- tag 1.6.5 with pointrelease 1.6.5 (1.6.4 plus 5011 fix).
	- trunk version 1.6.6 in development.
	- Fix issue on macOX 10.10 where TCP fast open is detected but not
	  implemented causing TCP to fail. The fix allows fallback to regular
	  TCP in this case and is also more robust for cases where connectx()
	  fails for some reason.
	- Fix #1402: squelch invalid argument error for fd_set_block on windows.

10 August 2017: Wouter
	- Patch to show DNSCrypt status in help output, from Carsten
	  Strotmann.

8 August 2017: Wouter
	- Fix #1398: make cachedb secret configurable.
	- Remove spaces from Makefile.

7 August 2017: Wouter
	- Fix #1397: Recursive DS lookups for AS112 zones names should recurse.

3 August 2017: Ralph
	- Remove unused iter_env member (ip6arpa_dname)
	- Do not reset rrset.bogus stats when called using stats_noreset.
	- Added stats for queries that have been ratelimited by domain
	  recursion.
	- Do not add rrset_bogus and query ratelimiting stats per thread, these
	  module stats are global.

3 August 2017: Wouter
	- Fix #1394: mix of serve-expired and response-ip could cause a crash.

24 July 2017: Wouter
	- upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
	  config.sub(2016-09-05).
	- annotate case statement fallthrough for gcc 7.1.1.
	- flex output from flex 2.6.1.
	- snprintf of thread number does not warn about truncated string.
	- squelch TCP fast open error on FreeBSD when kernel has it disabled,
	  unless verbosity is high.
	- remove warning from windows compile.
	- Fix compile with libnettle
	- Fix DSA configure switch (--disable dsa) for libnettle and libnss.
	- Fix #1365: Add Ed25519 support using libnettle.
	- iana portlist update

17 July 2017: Wouter
	- Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
	- Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
	  With the -p option unbound does not create a pidfile.

11 July 2017: Wouter
	- Fix #1344: RFC6761-reserved domains: test. and invalid.
	- Redirect all localhost names to localhost address for RFC6761.

6 July 2017: Wouter
	- Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
	- Fix svn hooks for tdir (selected if testcode/mini_tdir.sh exists)..

4 July 2017: Wouter
	- Fix 1332: Bump verbosity of failed chown'ing of the control socket.

3 July 2017: Wouter
	- Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
	  on.
	- Fix #1331: libunbound segfault in threaded mode when context is
	  deleted.
	- Fix pythonmod link line option flag.
	- Fix openssl 1.1.0 load of ssl error strings from ssl init.

29 June 2017: Wouter
	- Fix python example0 return module wait instead of error for pass.
	- iana portlist update
	- enhancement for hardened-tls for DNS over TLS.  Removed duplicated
	  security settings.

27 June 2017: Wouter
	- Tag 1.6.4 is created with the 1.6.4rc2 contents.
	- Trunk contains 1.6.5, with changes from 26, 27 june.
	- Remove signed unsigned warning from authzone.
	- Fix that infra cache host hash does not change after reconfig.

26 June 2017: Wouter
	- (for 1.6.5)
	  Better fixup of dnscrypt_cert_chacha test for different escapes.
	- First fix for zero b64 and hex text zone format in sldns.
	- unbound-control dump_infra prints port number for address if not 53.

23 June 2017: Wouter
	- (for 1.6.5): fixup of dnscrypt_cert_chacha test (from Manu Bretelle).

22 June 2017: Wouter
	- Tag 1.6.4rc2

22 June 2017: Ralph
	- Added fastrpz patch to contrib

21 June 2017: Wouter
	- Fix #1316: heap read buffer overflow in parse_edns_options.

20 June 2017: Wouter
	- Fix warning in pythonmod under clang compiler.
	- Tag 1.6.4rc1
	- Fix lintian typo.

16 June 2017: Ralph
	- Fix #1277: disable domain ratelimit by setting value to 0.

16 June 2017: Wouter
	- Fix #1301: memory leak in respip and tests.
	- Free callback in edns-subnetmod on exit and restart.
	- Fix memory leak in sldns_buffer_new_frm_data.
	- Fix memory leak in dnscrypt config read.
	- Fix dnscrypt chacha cert support ifdefs.
	- Fix dnscrypt chacha cert unit test escapes in grep.
	- Remove asynclook tests that cause test and purifier problems.
	- Fix to unlock view in view test.

15 June 2017: Wouter
	- Fix stub zone queries leaking to the internet for
	  harden-referral-path ns checks.
	- Fix query for refetch_glue of stub leaking to internet.

13 June 2017: Wouter
	- Fix #1279: Memory leak on reload when python module is enabled.
	- Fix #1280: Unbound fails assert when response from authoritative
	  contains malformed qname.  When 0x20 caps-for-id is enabled, when
	  assertions are not enabled the malformed qname is handled correctly.
	- 1.6.3 tag created, with only #1280 fix, trunk is 1.6.4 development.
	- More fixes in depth for buffer checks in 0x20 qname checks.

12 June 2017: Wouter
	- Fix #1278: Incomplete wildcard proof.

8 June 2017: Ralph
	- Added domain name based ECS whitelist.

8 June 2017: Wouter
	- Detect chacha for dnscrypt at configure time.
	- dnscrypt unit tests with chacha.

7 June 2017: Wouter
	- Fix that unbound-control can set val_clean_additional and val_permissive_mode.
	- Add dnscrypt XChaCha20 tests.

6 June 2017: Wouter
	- Add an explicit type cast for TCP FASTOPEN fix.
	- renumbering B-Root's IPv6 address to 2001:500:200::b.
	- Fix #1275: cached data in cachedb is never used.
	- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.

1 June 2017: Ralph
	- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
	  (from Manu Bretelle).

1 June 2017: Wouter
	- Fix fastopen EPIPE fallthrough to perform connect.

31 May 2017: Ralph
	- Also use global local-zones when there is a matching view that does
	  not have any local-zone specified.

31 May 2017: Wouter
	- Fix #1273: cachedb.c doesn't compile with -Wextra.
	- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.

30 May 2017: Ralph
	- Fix #1269: inconsistent use of built-in local zones with views.
	- Add defaults for new local-zone trees added to views using
	  unbound-control.

30 May 2017: Wouter
	- Support for openssl EVP_DigestVerify.
	- Support for the ED25519 algorithm with openssl (from openssl 1.1.1).

29 May 2017: Wouter
	- Fix assertion for low buffer size and big edns payload when worker
	  overrides udpsize.

26 May 2017: Ralph
	- Added redirect-bogus.patch to contrib directory.

26 May 2017: Wouter
	- Fix #1270: unitauth.c doesn't compile with higher warning level
	  and optimization
	- exec_prefix is by default equal to prefix.
	- printout localzone for duplicate local-zone warnings.

24 May 2017: Wouter
	- authzone cname chain, no rrset duplicates, wildcard doesn't change
	  rrsets added for cname chain.

23 May 2017: Wouter
	- first services/authzone check in, it compiles and reads and writes
	  zonefiles.
	- iana portlist update

22 May 2017: Wouter
	- Fix #1268: SIGSEGV after log_reopen.

18 May 2017: Wouter
	- Fix #1265 to use /bin/kill.
	- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
	  and compatibility with BoringSSL.

17 May 2017: Wouter
	- Fix #1265: contrib/unbound.service contains hardcoded path.

17 May 2017: George
	- Use qstate's region for IPSECKEY rrset (ipsecmod).

16 May 2017: George
	- Implemented opportunistic IPsec support module (ipsecmod).
	- Some whitespace fixup.

16 May 2017: Wouter
	- updated dependencies in the makefile.
	- document trust-anchor-signaling in example config file.
	- updated configure, dependencies and flex output.
	- better module memory lookup, fix of unbound-control shm names for
	  module memory printout of statistics.
	- Fix type AVC sldns rrdef.

12 May 2017: Wouter
	- Adjust servfail by iterator to not store in cache when serve-expired
	  is enabled, to avoid overwriting useful information there.
	- Fix queries for nameservers under a stub leaking to the internet.

9 May 2017: Ralph
	- Add 'c' to getopt() in testbound.
	- iana portlist update

8 May 2017: Wouter
	- Fix tcp-mss failure printout text.
	- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
	  connect limited tcp connections.  With the option tcp connections
	  can share the same source port (for different destinations).

2 May 2017: Ralph
	- Added mesh_add_sub to add detached mesh entries.
	- Use mesh_add_sub for key tag signaling query.

2 May 2017: Wouter
	- Added test for leak of stub information.
	- Fix sldns wire2str printout of RR type CAA tags.
	- Fix sldns int16_data parse.
	- Fix sldns parse and printout of TSIG RRs.
	- sldns SMIMEA and AVC definitions, same as getdns definitions.

1 May 2017: Wouter
	- Fix #1259: "--disable-ecdsa" argument overwritten 
	  by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
	- iana portlist update
	- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
	  and fix that 64bit getting installed in C:\Program Files (x86).

26 April 2017: Ralph
	- Implemented trust anchor signaling using key tag query.

26 April 2017: Wouter
	- Based on #1257: check parse limit before t increment in sldns RR
	  string parse routine.

24 April 2017: Wouter
	- unbound-checkconf -o allows query of dnstap config variables.
	  Also unbound-control get_option.  Also for dnscrypt.
	- trunk contains 1.6.3 version number (changes from 1.6.2 back from
	  when the 1.6.2rc1 tag has been created).

21 April 2017: Ralph
	- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
	- iana portlist update
	
18 April 2017: Ralph
	- Fix #1252: more indentation inconsistencies.
	- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().

13 April 2017: Ralph
	- Added ECS unit test (from Manu Bretelle).
	- ECS documentation fix (from Manu Bretelle).

13 April 2017: Wouter
	- Fix #1250: inconsistent indentation in services/listen_dnsport.c.
	- tag for 1.6.2rc1
	- (for 1.6.3:) unbound.h exports the shm stats structures.  They use
	  type long long and no ifdefs, and ub_ before the typenames.

12 April 2017: Wouter
	- subnet mem value is available in shm, also when not enabled,
	  to make the struct easier to memmap by other applications,
	  independent of the configuration of unbound.

12 April 2017: Ralph
	- Fix #1247: unbound does not shorten source prefix length when
	  forwarding ECS.
	- Properly check for allocation failure in local_data_find_tag_datas.
	- Fix #1249: unbound doesn't return FORMERR to bogus ECS.
	- Set SHM ECS memory usage to 0 when module not loaded.

11 April 2017: Ralph
	- Display ECS module memory usage.

10 April 2017: Wouter
	- harden-algo-downgrade: no also makes unbound more lenient about
	  digest algorithms in DS records.

10 April 2017: Ralph
	- Remove ECS option after REFUSED answer.
	- Fix small memory leak in edns_opt_copy_alloc.
	- Respip dereference after NULL check.
	- Zero initialize addrtree allocation.
	- Use correct identifier for SHM destroy.

7 April 2017: George
	- Fix pythonmod for cb changes.
	- Some whitespace fixup.

7 April 2017: Ralph
	- Unlock view in respip unit test

6 April 2017: Ralph
	- Generalise inplace callback (de)registration
	- (de)register inplace callbacks for module id
	- No unbound-control set_option for ECS options
	- Deprecated client-subnet-opcode config option
	- Introduced client-subnet-always-forward config option
	- Changed max-client-subnet-ipv6 default to 56 (as in RFC)
	- Removed extern ECS config options
	- module_restart_next now calls clear on all following modules
	- Also create ECS module qstate on module_event_pass event
	- remove malloc from inplace_cb_register

6 April 2017: Wouter
	- Small fixup for documentation.
	- iana portlist update
	- Fix respip for braces when locks arent used.
	- Fix pythonmod for cb changes.

4 April 2017: Wouter
	- Fix #1244: document that use of chroot requires trust anchor file to
	  be under chroot.
	- iana portlist update

3 April 2017: Ralph
	- Do not add current time twice to TTL before ECS cache store.
	- Do not touch rrset cache after ECS cache message generation.
	- Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.

3 April 2017: Wouter
	- Fix #1217: Add metrics to unbound-control interface showing
	  crypted, cert request, plaintext and malformed queries (from
	  Manu Bretelle).
	- iana portlist update

27 March 2017: Wouter
	- Remove (now unused) event2 include from dnscrypt code.

24 March 2017: George
	- Fix to prevent non-referal query from being cached as referal when the
	  no_cache_store flag was set.

23 March 2017: Wouter
	- Fix #1239: configure fails to find python distutils if python
	  prints warning.

22 March 2017: Wouter
	- Fix #1238: segmentation fault when adding through the remote
	  interface a per-view local zone to a view with no previous
	  (configured) local zones.
	- Fix #1229: Systemd service sandboxing, options in wrong sections.

21 March 2017: Ralph
	- Merge EDNS Client subnet implementation from feature branch into main
	  branch, using new EDNS processing framework. 

21 March 2017: Wouter
	- Fix doxygen for dnscrypt files.

20 March 2017: Wouter
	- #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
	  enabled in the config file from Manu Bretelle.
	- make depend, autoconf, remove warnings about statement before var.
	- lru_demote and lruhash_insert_or_retrieve functions for getdns.
	- fixup for lruhash (whitespace and header file comment).
	- dnscrypt tests.

17 March 2017: Wouter
	- Patch for view functionality for local-data-ptr from Björn Ketelaars.
	- Fix #1237 - Wrong resolving in chain, for norec queries that get
	  SERVFAIL returned.

16 March 2017: Wouter
	- Fix that SHM is not inited if not enabled.
	- Add trustanchor.unbound CH TXT that gets a response with a number
	  of TXT RRs with a string like "example.com. 2345 1234" with
	  the trust anchors and their keytags.
	- Fix that looped DNAMEs do not cause unbound to spend effort.
	- trustanchor tags are sorted.  reusable routine to fetch taglist.

13 March 2017: Wouter
	- testbound understands Deckard MATCH rcode question answer commands.
	- Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
	  of YXDOMAIN + query loop, reported by Petr Spacek.

10 March 2017: Wouter
	- Fix #1234: shortening DNAME loop produces duplicate DNAME records
	  in ANSWER section.

9 March 2017: Wouter
	- --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
	  DS records.  NSEC3 is not disabled.
	- fake-sha1 test option; print warning if used.  To make unit tests.
	- unbound-control list local zone and data commands listed in the
	  help output.

8 March 2017: Wouter
	- make depend for build dependencies.
	- swig version 2.0.1 required.
	- fix enum conversion warnings

7 March 2017: Wouter
	- Fix #1230: swig version 2.0.0 is required for pythonmod, with
	  1.3.40 it crashes when running repeatly unbound-control reload.
	- Response actions based on IP address from Jinmei Tatuya (Infoblox).

6 March 2017: Wouter
	- Fix #1229: Systemd service sandboxing in contrib/unbound.service.
	- iana portlist update

28 February 2017: Ralph
	- Fix testpkts.c, check if DO bit is set, not only if there is an OPT
	  record.

28 February 2017: Wouter
	- For #1227: if we have sha256, set the cipher list to have no
	  known vulns.

27 February 2017: Wouter
	- Fix #1227: Fix that Unbound control allows weak ciphersuits.
	- Fix #1226: provide official 32bit binary for windows.

24 February 2017: Wouter
	- include sys/time.h for new shm code on NetBSD.

23 February 2017: Wouter
	- Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
	  redirect.
	- Patch from Luiz Fernando Softov for Stats Shared Memory.
	- unbound-control stats_shm command prints stats using shared memory,
	  which uses less cpu.
	- make depend, autoconf, doxygen and lint fixed up.

22 February 2017: Wouter
	- Fix #1224: Fix that defaults should not fall back to "Program Files
	  (x86) if Unbound is 64bit by default on windows.

21 February 2017: Wouter
	- iana portlist update

16 February 2017: Wouter
	- sldns updated for vfixed and buffer resize indication from getdns.

15 February 2017: Wouter
	- sldns has ED25519 and ED448 algorithm number and name for display.

14 February 2017: Wouter
	- tag 1.6.1rc3. -- which became 1.6.1 on 21feb, trunk has 1.6.2

13 February 2017: Wouter
	- Fix autoconf of systemd check for lack of pkg-config.

10 February 2017: Wouter
	- Fix pythonmod for typedef changes.
	- Fix dnstap for warning of set but not used.
	- tag 1.6.1rc2.

9 February 2017: Wouter
	- tag 1.6.1rc1.

8 February 2017: Wouter
	- Fix for type name change and fix warning on windows compile.

7 February 2017: Wouter
	- Include root trust anchor id 20326 in unbound-anchor.

6 February 2017: Wouter
	- Fix compile on solaris of the fix to use $host detect.

4 February 2017: Wouter
	- fix root_anchor test for updated icannbundle.pem lower certificates.

26 January 2017: Wouter
	- Fix 1211: Fix can't enable interface-automatic if no IPv6 with
	  more helpful error message.

20 January 2017: Wouter
	- Increase MAX_MODULE to 16.

19 January 2017: Wouter
	- Fix to Rename ub_callback_t to ub_callback_type, because POSIX
	  reserves _t typedefs.
	- Fix to rename internally used types from _t to _type, because _t
	  type names are reserved by POSIX.
	- iana portlist update

12 January 2017: Wouter
	- Fix to also block meta types 128 through to 248 with formerr. 
	- Fix #1206: Some view-related commands are missing from 'unbound-control -h'

9 January 2017: Wouter
	- Fix #1202: Fix code comment that packed_rrset_data is not always
	  'packed'.

6 January 2017: Wouter
	- Fix #1201: Fix missing unlock in answer_from_cache error condition.

5 January 2017: Wouter
	- Fix to return formerr for queries for meta-types, to avoid
	  packet amplification if this meta-type is sent on to upstream.
	- Fix #1184: Log DNS replies. This includes the same logging
	  information that DNS queries and response code and response size,
	  patch from Larissa Feng.
	- Fix #1187: Source IP rate limiting, patch from Larissa Feng.

3 January 2017: Wouter
	- configure --enable-systemd and lets unbound use systemd sockets if
	  you enable use-systemd: yes in unbound.conf.
	  Also there are contrib/unbound.socket and contrib/unbound.service:
	  systemd files for unbound, install them in /usr/lib/systemd/system.
	  Contributed by Sami Kerola and Pavel Odintsov.
	- Fix reload chdir failure when also chrooted to that directory.

2 January 2017: Wouter
	- Fix #1194: Cross build fails when $host isn't `uname` for getentropy.

23 December 2016: Ralph
	- Fix #1190: Do not echo back EDNS options in local-zone error response.
	- iana portlist update

21 December 2016: Ralph
	- Fix #1188: Unresolved symbol 'fake_dsa' in libunbound.so when built
	  with Nettle

19 December 2016: Ralph
	- Fix #1191: remove comment about view deletion.

15 December 2016: Wouter
	- iana portlist update
	- 64bit is default for windows builds.
	- Fix inet_ntop and inet_pton warnings in windows compile.

14 December 2016: Wouter
	- Fix #1178: attempt to fix setup error at end, pop result values
	  at end of install.

13 December 2016: Wouter
	- Fix #1182: Fix Resource leak (socket), at startup.
	- Fix unbound-control and ipv6 only.

9 December 2016: Wouter
	- Fix #1176: stack size too small for Alpine Linux.

8 December 2016: Wouter
	- Fix downcast warnings from visual studio in sldns code.
	- tag 1.6.0rc1 which became 1.6.0 on 15 dec, and trunk is 1.6.1.

7 December 2016: Ralph
	- Add DSA support for OpenSSL 1.1.0
	- Fix remote control without cert for LibreSSL

6 December 2016: George
	- Added generic EDNS code for registering known EDNS option codes,
	  bypassing the cache response stage and uniquifying mesh states. Four EDNS
	  option lists were added to module_qstate (module_qstate.edns_opts_*) to
	  store EDNS options from/to front/back side.
	- Added two flags to module_qstate (no_cache_lookup, no_cache_store) that
	  control the modules' cache interactions.
	- Added code for registering inplace callback functions. The registered
	  functions can be called just before replying with local data or Chaos,
	  replying from cache, replying with SERVFAIL, replying with a resolved
	  query, sending a query to a nameserver. The functions can inspect the
	  available data and maybe change response/query related data (i.e. append
	  EDNS options).
	- Updated Python module for the above.
	- Updated Python documentation.

5 December 2016: Ralph
	- Fix #1173: differ local-zone type deny from unset
	  tag_actions element.

5 December 2016: Wouter
	- Fix #1170: document that 'inform' local-zone uses local-data.

1 December 2016: Ralph
	- hyphen as minus fix, by Andreas Schulze

30 November 2016: Ralph
	- Added local-zones and local-data bulk addition and removal
	  functionality in unbound-control (local_zones, local_zones_remove,
	  local_datas and local_datas_remove).
	- iana portlist update

29 November 2016: Wouter
	- version 1.6.0 is in the development branch.
	- braces in view.c around lock statements.

28 November 2016: Wouter
	- new install-sh.

25 November 2016: Wouter
	- Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
	  using no encryption over the unix socket.

22 Novenber 2016: Ralph
	- Make access-control-tag-data RDATA absolute. This makes the RDATA
	  origin consistent between local-data and access-control-tag-data.
	- Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
	  subdomain of the NSEC owner.
	- QNAME minimisation uses QTYPE=A, therefore always check cache for
	  this type in harden-below-nxdomain functionality.
	- Added unit test for QNAME minimisation + harden below nxdomain
	  synergy.

22 November 2016: Wouter
	- iana portlist update.
	- Fix unit tests for DS hash processing for fake-dsa test option.
	- patch from Dag-Erling Smorgrav that removes code that relies
	  on sbrk().

21 November 2016: Wouter
	- Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
	  Underneath" for the harden-below-nxdomain option.

10 November 2016: Ralph
	- Fix #1155: test status code of unbound-control in 04-checkconf,
	  not the status code from the tee command.

4 November 2016: Ralph
	- Added stub-ssl-upstream and forward-ssl-upstream options.

4 November 2016: Wouter
	- configure detects ssl security level API function in the autoconf
	  manner.  Every function on its own, so that other libraries (eg.
	  LibreSSL) can develop their API without hindrance.
	- Fix #1154: segfault when reading config with duplicate zones.
	- Note that for harden-below-nxdomain the nxdomain must be secure,
	  this means nsec3 with optout is insufficient.

3 November 2016: Ralph
	- Set OpenSSL security level to 0 when using aNULL ciphers.

3 November 2016: Wouter
	- .gitattributes line for githubs code language display.
	- log-identity: config option to set sys log identity, patch from
	  "Robin H. Johnson" <robbat2@gentoo.org>

2 November 2016: Wouter
	- iana portlist update.

31 October 2016: Wouter
	- Fix failure to build on arm64 with no sbrk.
	- iana portlist update.

28 October 2016: Wouter
	- Patch for server.num.zero_ttl stats for count of expired replies,
	  from Pavel Odintsov.

26 October 2016: Wouter
	- Fix unit tests for openssl 1.1, with no DSA, by faking DSA, enabled
	  with the undocumented switch 'fake-dsa'.  It logs a warning.

25 October 2016: Wouter
	- Fix #1134: unbound-control set_option -- val-override-date: -1 works
	  immediately to ignore datetime, or back to 0 to enable it again.
	  The -- is to ignore the '-1' as an option flag.

24 October 2016: Wouter
	- serve-expired config option: serve expired responses with TTL 0.
	- g.root-servers.net has AAAA address.

21 October 2016: Wouter
	- Ported tests for local_cname unit test to testbound framework.

20 October 2016: Wouter
	- suppress compile warning in lex files.
	- init lzt variable, for older gcc compiler warnings.
	- fix --enable-dsa to work, instead of copying ecdsa enable.
	- Fix DNSSEC validation of query type ANY with DNAME answers.
	- Fixup query_info local_alias init.

19 October 2016: Wouter
	- Fix #1130: whitespace in example.conf.in more consistent.

18 October 2016: Wouter
	- Patch that resolves CNAMEs entered in local-data conf statements that
	  point to data on the internet, from Jinmei Tatuya (Infoblox).
	- Removed patch comments from acllist.c and msgencode.c
	- Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf,
	  from Jinmei Tatuya (Infoblox).
	- Fix #1125: unbound could reuse an answer packet incorrectly for
	  clients with different EDNS parameters, from Jinmei Tatuya.
	- Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
	- Added Requires line to libunbound.pc
	- Please doxygen by modifying mesh.h

17 October 2016: Wouter
	- Re-fix #839 from view commit overwrite.
	- Fixup const void cast warning.

12 October 2016: Ralph
	- Free view config elements.

11 October 2016: Ralph
	- Added qname-minimisation-strict config option.
	- iana portlist update.
	- fix memoryleak logfile when in debug mode.

5 October 2016: Ralph
	- Added views functionality.
	- Fix #1117: spelling errors, from Robert Edmonds.

30 September 2016: Wouter
	- Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.

29 September 2016: Wouter
	- Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
	- Fix #839: Memory grows unexpectedly with large RPZ files.
	- Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
	- Fix #841: big local-zone's make it consume large amounts of memory.

27 September 2016: Wouter
	- tag for 1.5.10 release
	- trunk contains 1.5.11 in development.
	- Fix dnstap relaying "random" messages instead of resolver/forwarder
	  responses, from Nikolay Edigaryev.
	- Fix #836: unbound could echo back EDNS options in an error response.

20 September 2016: Wouter
	- iana portlist update.
	- Fix #835: fix --disable-dsa with nettle verify.
	- tag for 1.5.10rc1 release.

15 September 2016: Wouter
	- Fix 883: error for duplicate local zone entry.
	- Test for openssl init_crypto and init_ssl functions.

15 September 2016: Ralph
	- fix potential memory leak in daemon/remote.c and nullpointer
	  dereference in validator/autotrust.
	- iana portlist update.

13 September 2016: Wouter
	- Silenced flex-generated sign-unsigned warning print with gcc
	  diagnostic pragma.
	- Fix for new splint on FreeBSD.  Fix cast for sockaddr_un.sun_len.

9 September 2016: Wouter
	- Fix #831: workaround for spurious fread_chk warning against petal.c

5 September 2016: Ralph
	- Take configured minimum TTL into consideration when reducing TTL
	  to original TTL from RRSIG.

5 September 2016: Wouter
	- Fix #829: doc of sldns_wire2str_rdata_buf() return value has an
	  off-by-one typo, from Jinmei Tatuya (Infoblox).
	- Fix incomplete prototypes reported by Dag-Erling Smørgrav.
	- Fix #828: missing type in access-control-tag-action redirect results
	  in NXDOMAIN.

2 September 2016: Wouter
	- Fix compile with openssl 1.1.0 with api=1.1.0.

1 September 2016: Wouter
	- RFC 7958 is now out, updated docs for unbound-anchor.
	- Fix for compile without warnings with openssl 1.1.0.
	- Fix #826: Fix refuse_non_local could result in a broken response.
	- iana portlist update.

29 August 2016: Wouter
	- Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
	  Siewior.
	- Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.

25 August 2016: Ralph
	- Clarify local-zone-override entry in unbound.conf.5 
	
25 August 2016: Wouter
	- 64bit build option for makedist windows compile, -w64.

24 August 2016: Ralph
	- Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter
	  in each iteration in find_tag_datas().
	- unbound.conf.5 entries for define-tag, access-control-tag,
	  access-control-tag-action, access-control-tag-data, local-zone-tag,
	  and local-zone-override.
	  
23 August 2016: Wouter
	- Fix #804: unbound stops responding after outage.  Fixes queries
	  that attempt to wait for an empty list of subqueries.
	- Fix #804: lower num_target_queries for iterator also for failed
	  lookups.

8 August 2016: Wouter
	- Note that OPENPGPKEY type is RFC 7929.

4 August 2016: Wouter
	- Fix #807: workaround for possible some "unused" function parameters
	  in test code, from Jinmei Tatuya.

3 August 2016: Wouter
	- use sendmsg instead of sendto for TFO.

28 July 2016: Wouter
	- Fix #806: wrong comment removed.

26 July 2016: Wouter
	- nicer ratelimit-below-domain explanation.

22 July 2016: Wouter
	- Fix #801: missing error condition handling in
	  daemon_create_workers().
	- Fix #802: workaround for function parameters that are "unused"
	  without log_assert.
	- Fix #803: confusing (and incorrect) code comment in daemon_cleanup().

20 July 2016: Wouter
	- Fix typo in unbound.conf.

18 July 2016: Wouter
	- Fix #798: Client-side TCP fast open fails (Linux).

14 July 2016: Wouter
	- TCP Fast open patch from Sara Dickinson.
	- Fixed unbound.doxygen for 1.8.11.

7 July 2016: Wouter
	- access-control-tag-data implemented. verbose(4) prints tag debug.

5 July 2016: Wouter
	- Fix dynamic link of anchor-update.exe on windows.
	- Fix detect of mingw for MXE package build.
	- Fixes for 64bit windows compile.
	- Fix #788 for nettle 3.0: Failed to build with Nettle >= 3.0 and
	  --with-libunbound-only --with-nettle.

4 July 2016: Wouter
	- For #787: prefer-ip6 option for unbound.conf prefers to send
	  upstream queries to ipv6 servers.
	- Fix #787: outgoing-interface netblock/64 ipv6 option to use linux
	  freebind to use 64bits of entropy for every query with random local
	  part.

30 June 2016: Wouter
	- Document always_transparent, always_refuse, always_nxdomain types.

29 June 2016: Wouter
	- Fix static compile on windows missing gdi32.

28 June 2016: Wouter
	- Create a pkg-config file for libunbound in contrib.

27 June 2016: Wouter
	- Fix #784: Build configure assumess that having getpwnam means there
	  is endpwent function available.
	- Updated repository with newer flex and bison output.

24 June 2016: Ralph
	- Possibility to specify local-zone type for an acl/tag pair
	- Possibility to specify (override) local-zone type for a source address
	  block
16 June 2016: Ralph
	- Decrease dp attempts at each QNAME minimisation iteration

16 June 2016: Wouter
	- Fix tcp timeouts in tv.usec.

15 June 2016: Wouter
	- TCP_TIMEOUT is specified in milliseconds.
	- If more than half of tcp connections are in use, a shorter timeout
	  is used (200 msec, vs 2 minutes) to pressure tcp for new connects.

14 June 2016: Ralph
	- QNAME minimisation unit test for dropped QTYPE=A queries.

14 June 2016: Wouter
	- Fix 775: unbound-host and unbound-anchor crash on windows, ignore
	  null delete for wsaevent.
	- Fix spelling in freebind option man page text.
	- Fix windows link of ssl with crypt32.
	- Fix 779: Union casting is non-portable.
	- Fix 780: MAP_ANON not defined in HP-UX 11.31.
	- Fix 781: prealloc() is an HP-UX system library call.

13 June 2016: Ralph
	- Use QTYPE=A for QNAME minimisation.
	- Keep track of number of time-outs when performing QNAME minimisation.
	  Stop minimising when number of time-outs for a QNAME/QTYPE pair is
	  more than three.

13 June 2016: Wouter
	- Fix #778: unbound 1.5.9: -h segfault (null deref).
	- Fix directory: fix for unbound-checkconf, it restores cwd.

10 June 2016: Wouter
	- And delete service.conf.shipped on uninstall.
	- In unbound.conf directory: dir immediately changes to that directory,
	  so that include: file below that is relative to that directory.
	  With chroot, make the directory an absolute path inside chroot.
	- keep debug symbols in windows build.
	- do not delete service.conf on windows uninstall.
	- document directory immediate fix and allow EXECUTABLE syntax in it
	  on windows.

9 June 2016: Wouter
	- Trunk is called 1.5.10 (with previous fixes already in there to 2
	  june).
	- Revert fix for NetworkService account on windows due to breakage
	  it causes.
	- Fix that windows install will not overwrite existing service.conf
	  file (and ignore gui config choices if it exists).

7 June 2016: Ralph
	- Lookup localzones by taglist from acl.
	- Possibility to lookup local_zone, regardless the taglist.
	- Added local_zone/taglist/acl unit test.

7 June 2016: Wouter
	- Fix #773: Non-standard Python location build failure with pyunbound.
	- Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.

6 June 2016: Wouter
	- Better help text from -h (from Ray Griffith).
	- access-control-tag config directive.
	- local-zone-override config directive.
	- access-control-tag-action and access-control-tag-data config
	  directives.
	- free acl-tags, acltag-action and acltag-data config lists during
	  initialisation to free up memory for more entries.

3 June 2016: Wouter
	- Fix to not ignore return value of chown() in daemon startup.

2 June 2016: Wouter
	- Fix libubound for edns optlist feature.
	- Fix distinction between free and CRYPTO_free in dsa and ecdsa alloc.
	- Fix #752: retry resource temporarily unavailable on control pipe.
	- un-document localzone tags.
	- tag for release 1.5.9rc1.
	  And this also became release 1.5.9.
	- Fix (for 1.5.10): Fix unbound-anchor.exe file location defaults to
	  Program Files with (x86) appended.
	- re-documented localzone tags in example.conf.

31 May 2016: Wouter
	- Fix windows service to be created run with limited rights, as a
	  network service account, from Mario Turschmann.
	- compat strsep implementation.
	- generic edns option parse and store code.
	- and also generic edns options for upstream messages (and replies).
	  after parse use edns_opt_find(edns.opt_list, LDNS_EDNS_NSID),
	  to insert use edns_opt_append(edns, region, code, len, bindata) on
	  the opt_list passed to send_query, or in edns_opt_inplace_reply.

30 May 2016: Wouter
	- Fix time in case answer comes from cache in ub_resolve_event().
	- Attempted fix for #765: _unboundmodule missing for python3.

27 May 2016: Wouter
	- Fix #770: Small subgroup attack on DH used in unix pipe on localhost
	  if unbound control uses a unix local named pipe.
	- Document write permission to directory of trust anchor needed.
	- Fix #768:  Unbound Service Sometimes Can Not Shutdown
	  Completely, WER Report Shown Up.  Close handle before closing WSA.

26 May 2016: Wouter
	- Updated patch from Charles Walker.

24 May 2016: Wouter
	- disable-dnssec-lame-check config option from Charles Walker.
	- remove memory leak from lame-check patch.
	- iana portlist update.

23 May 2016: Wouter
	- Fix #767:  Reference to an expired Internet-Draft in
	  harden-below-nxdomain documentation.

20 May 2016: Ralph
	- No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC 
	  signed zones.
	- iana portlist update.

19 May 2016: Wouter
	- Fix #766: dns64 should synthesize results on timeout/errors.

18 May 2016: Wouter
	- Fix #761: DNSSEC LAME false positive resolving nic.club.

17 May 2016: Wouter
	- trunk updated with output of flex 2.6.0.

6 May 2016: Wouter
	- Fix memory leak in out-of-memory conditions of local zone add.

29 April 2016: Wouter
	- Fix sldns with static checking fixes copied from getdns.

28 April 2016: Wouter
	- Fix #759: 0x20 capsforid no longer checks type PTR, for
	  compatibility with cisco dns guard.  This lowers false positives.

18 April 2016: Wouter
	- Fix some malformed responses to edns queries get fallback to nonedns.

15 April 2016: Wouter
	- cachedb module event handling design.

14 April 2016: Wouter
	- cachedb module framework (empty).
	- iana portlist update.

12 April 2016: Wouter
	- Fix #753: document dump_requestlist is for first thread.

24 March 2016: Wouter
	- Document permit-small-holddown for 5011 debug.
	- Fix #749: unbound-checkconf gets SIGSEGV when use against a
	  malformatted conf file.

23 March 2016: Wouter
	- OpenSSL 1.1.0 portability, --disable-dsa configure option.

21 March 2016: Wouter
	- Fix compile of getentropy_linux for SLES11 servicepack 4.
	- Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.
	- Fix test for openssl to use HMAC_Update for 1.1.0.
	- acx_nlnetlabs.m4 to v33, with HMAC_Update.
	- acx_nlnetlabs.m4 to v34, with -ldl -pthread test for libcrypto.
	- ERR_remove_state deprecated since openssl 1.0.0.
	- OPENSSL_config is deprecated, removing.

18 March 2016: Ralph
	- Validate QNAME minimised NXDOMAIN responses.
	- If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
	  harden-below-nxdomain.

17 March 2016: Ralph
	- Limit number of QNAME minimisation iterations.

17 March 2016: Wouter
	- Fix #746: Fix unbound sets CD bit on all forwards.
	  If no trust anchors, it'll not set CD bit when forwarding to another
	  server.  If a trust anchor, no CD bit on the first attempt to a
	  forwarder, but CD bit thereafter on repeated attempts to get DNSSEC.
	- iana portlist update.

16 March 2016: Wouter
	- Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
	- Fix ip-transparent for tcp on freebsd.

15 March 2016: Wouter
	- ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for
	  binding to an IP address while the interface or address is down.

14 March 2016: Wouter
	- Fix warnings in ifdef corner case, older or unknown libevent.
	- Fix compile for ub_event code with older libev.

11 March 2016: Wouter
	- Remove warning about unused parameter in event_pluggable.c.
	- Fix libev usage of dispatch return value.
	- No side effects in tolower() call, in case it is a macro.
	- For test put free in pluggable api in parenthesis.

10 March 2016: Wouter
	- Fixup backend2str for libev.

09 March 2016: Willem
	- User defined pluggable event API for libunbound
	- Fixup of compile fix for pluggable event API from P.Y. Adi
	  Prasaja.

09 March 2016: Wouter
	- Updated configure and ltmain.sh.
	- Updated L root IPv6 address.

07 March 2016: Wouter
	- Fix #747: assert in outnet_serviced_query_stop.
	- iana ports fetched via https.
	- iana portlist update.

03 March 2016: Wouter
	- configure tests for the weak attribute support by the compiler.

02 March 2016: Wouter
	- 1.5.8 release tag
	- trunk contains 1.5.9 in development.
	- iana portlist update.
	- Fix #745: unbound.py - idn2dname throws UnicodeError when idnname
	  contains trailing dot.

24 February 2016: Wouter
	- Fix OpenBSD asynclook lock free that gets used later (fix test code).
	- Fix that NSEC3 negative cache is used when there is no salt.

23 February 2016: Wouter
	- ub_ctx_set_stub() function for libunbound to config stub zones.
	- sorted ubsyms.def file with exported libunbound functions.

19 February 2016: Wouter
	- Print understandable debug log when unusable DS record is seen.
	- load gost algorithm if digest is seen before key algorithm.
	- iana portlist update.

17 February 2016: Wouter
	- Fix that "make install" fails due to "text file busy" error.

16 February 2016: Wouter
	- Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error.

15 February 2016: Wouter
	- ip-transparent option for FreeBSD with IP_BINDANY socket option.
	- wait for sendto to drain socket buffers when they are full.

9 February 2016: Wouter
	- Test for type OPENPGPKEY.
	- insecure-lan-zones: yesno config option, patch from Dag-Erling
	  Smørgrav.

8 February 2016: Wouter
	- Fix patch typo in prevuous commit for 734 from Adi Prasaja.
	- RR Type CSYNC support RFC 7477, in debug printout and config input.
	- RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07).

29 January 2016: Wouter
	- Neater cmdline_verbose increment patch from Edgar Pettijohn.

27 January 2016: Wouter
	- Made netbsd sendmsg test nonfatal, in case of false positives.
	- Fix #741: log message for dnstap socket connection is more clear.

26 January 2016: Wouter
	- Fix #734: chown the pidfile if it resides inside the chroot.
	- Use arc4random instead of random in tests (because it is
	  available, possibly as compat, anyway).
	- Fix cmsg alignment for argument to sendmsg on NetBSD.
	- Fix that unbound complains about unimplemented IP_PKTINFO for
	  sendmsg on NetBSD (for interface-automatic).

25 January 2016: Wouter
	- Fix #738: Swig should not be invoked with CPPFLAGS.

19 January 2016: Wouter
	- Squelch 'cannot assign requested address' log messages unless
	  verbosity is high, it was spammed after network down.

14 January 2016: Wouter
	- Fix to simplify empty string checking from Michael McConville.
	- iana portlist update.

12 January 2016: Wouter
	- Fix #734: Do not log an error when the PID file cannot be chown'ed.
	  Patch from Simon Deziel.

11 January 2016: Wouter
	- Fix test if -pthreads unused to use better grep for portability.

06 January 2016: Wouter
	- Fix mingw crosscompile for recent mingw.
	- Update aclocal, autoconf output with new versions (1.15, 2.4.6).

05 January 2016: Wouter
	- #731: tcp-mss, outgoing-tcp-mss options for unbound.conf, patch
	  from Daisuke Higashi.
	- Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
	  by default, and can be unblocked with "nodefault" localzone config.

04 January 2016: Wouter
	- Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,
	  for Linux glibc 2.20.
	- Fixup contrib/aaaa-filter-iterator.patch for moved contents in the
	  source code, so it applies cleanly again.  Removed unused variable
	  warnings.

15 December 2015: Ralph
	- Fix #729: omit use of escape sequences in echo since they are not 
	  portable (unbound-control-setup).

11 December 2015: Wouter
	- remove NULL-checks before free, patch from Michael McConville.
	- updated ax_pthread.m4 to version 21 with clang support, this
	  removes a warning from compilation.
	- OSX portability, detect if sbrk is deprecated.
	- OSX clang, stop -pthread unused during link stage warnings.
	- OSX clang new flto check.

10 December 2015: Wouter
	- 1.5.7 release
	- trunk has 1.5.8 in development.

8 December 2015: Wouter
	- Fixup 724 for unbound-control.

7 December 2015: Ralph
	- Do not minimise forwarded requests.

4 December 2015: Wouter
	- Removed unneeded whitespace from example.conf.

3 December 2015: Ralph
	- (after rc1 tag)
	- Committed fix to qname minimisation and unit test case for it.
	
3 December 2015: Wouter
	- iana portlist update.
	- 1.5.7rc1 prerelease tag.

2 December 2015: Wouter
	- Fixup 724: Fix PCA prompt for unbound-service-install.exe.
	  re-enable stdout printout.
	- For 724: Add Changelog to windows binary dist.

1 December 2015: Ralph
	- Qname minimisation review fixes

1 December 2015: Wouter
	- Fixup 724 fix for fname_after_chroot() calls.
	- Remove stdout printout for unbound-service-install.exe
	- .gitignore for git users.

30 November 2015: Ralph
	- Implemented qname minimisation

30 November 2015: Wouter
	- Fix for #724: conf syntax to read files from run dir (on Windows).

25 November 2015: Wouter
	- Fix for #720, fix unbound-control-setup windows batch file.

24 November 2015: Wouter
	- Fix #720: add windows scripts to zip bundle.
	- iana portlist update.

20 November 2015: Wouter
	- Added assert on rrset cache correctness.
	- Fix that malformed EDNS query gets a response without malformed EDNS.

18 November 2015: Wouter
	- newer acx_nlnetlabs.m4.
	- spelling fixes from Igor Sobrado Delgado.

17 November 2015: Wouter
	- Fix #594. libunbound: optionally use libnettle for crypto.
	  Contributed by Luca Bruno.  Added --with-nettle for use with
	  --with-libunbound-only.
	- refactor nsec3 hash implementation to be more library-portable.
	- iana portlist update.
	- Fixup DER encoded DSA signatures for libnettle.

16 November 2015: Wouter
	- Fix for lenient accept of reverse order DNAME and CNAME.

6 November 2015: Wouter
	- Change example.conf: ftp.internic.net to https://www.internic.net

5 November 2015: Wouter
	- ACX_SSL_CHECKS no longer adds -ldl needlessly.

3 November 2015: Wouter
	- Fix #718: Fix unbound-control-setup with support for env
	  without HEREDOC bash support.

29 October 2015: Wouter
	- patch from Doug Hogan for SSL_OP_NO_SSLvx options.
	- Fix #716: nodata proof with empty non-terminals and wildcards.

28 October 2015: Wouter
	- Fix checklock testcode for linux threads on exit.

27 October 2015: Wouter
	- isblank() compat implementation.
	- detect libexpat without xml_StopParser function.
	- portability fixes.
	- portability, replace snprintf if return value broken.

23 October 2015: Wouter
	- Fix #714: Document config to block private-address for IPv4
	  mapped IPv6 addresses.

22 October 2015: Wouter
	- Fix #712: unbound-anchor appears to not fsync root.key.

20 October 2015: Wouter
	- 1.5.6 release.
	- trunk tracks development of 1.5.7.

15 October 2015: Wouter
	- Fix segfault in the dns64 module in the formaterror error path.
	- Fix sldns_wire2str_rdata_scan for malformed RRs.
	- tag for 1.5.6rc1 release.

14 October 2015: Wouter
	- ANY responses include DNAME records if present, as per Evan Hunt's
	  remark in dnsop.
	- Fix manpage to suggest using SIGTERM to terminate the server.

9 October 2015: Wouter
	- Default for ssl-port is port 853, the temporary port assignment
	  for secure domain name system traffic.
	  If you used to rely on the older default of port 443, you have
	  to put a clause in unbound.conf for that.  The new value is likely
	  going to be the standardised port number for this traffic.
	- iana portlist update.

6 October 2015: Wouter
	- 1.5.5 release.
	- trunk tracks the development of 1.5.6.

28 September 2015: Wouter
	- MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
	  failures.
	- tag for 1.5.5rc1 release.
	- makedist.sh: pgp sig echo commands.

25 September 2015: Wouter
	- Fix unbound-control flush that does not succeed in removing data.

22 September 2015: Wouter
	- Fix config globbed include chroot treatment, this fixes reload of
	  globs (patch from Dag-Erling Smørgrav).
	- iana portlist update.
	- Fix #702: New IPs for for h.root-servers.net.
	- Remove confusion comment from canonical_compare() function.
	- Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
	- testbound selftest also works in non-debug mode.
	- Fix minor error in unbound.conf.5.in
	- Fix unbound.conf(5) access-control description for precedence
	  and default.

31 August 2015: Wouter
	- changed windows setup compression to be more transparent.

28 August 2015: Wouter
	- Fix #697: Get PY_MAJOR_VERSION failure at configure for python
	  2.4 to 2.6.
	- Feature #699: --enable-pie option to that builds PIE binary.
	- Feature #700: --enable-relro-now option that enables full read-only
	  relocation.

24 August 2015: Wouter
	- Fix deadlock for local data add and zone add when unbound-control
	  list_local_data printout is interrupted.
	- iana portlist update.
	- Change default of harden-algo-downgrade to off.  This is lenient
	  for algorithm rollover.

13 August 2015: Wouter
	- 5011 implementation does not insist on all algorithms, when
	  harden-algo-downgrade is turned off.
	- Reap the child process that libunbound spawns.

11 August 2015: Wouter
	- Fix #694: configure script does not detect LibreSSL 2.2.2

4 August 2015: Wouter
	- Document that local-zone nodefault matches exactly and transparent
	  can be used to release a subzone.

3 August 2015: Wouter
	- Document in the manual more text about configuring locally served
	  zones.
	- Fix 5011 anchor update timer after reload.
	- Fix mktime in unbound-anchor not using UTC.

30 July 2015: Wouter
	- please afl-gcc (llvm) for uninitialised variable warning.
	- Added permit-small-holddown config to debug fast 5011 rollover.

24 July 2015: Wouter
	- Fix #690: Reload fails when so-reuseport is yes after changing
	  num-threads.
	- iana portlist update.

21 July 2015: Wouter
	- Fix configure to detect SSL_CTX_set_ecdh_auto.
	- iana portlist update.

20 July 2015: Wouter
	- Enable ECDHE for servers.  Where available, use
	  SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
	  enable ECDHE.  Otherwise, manually offer curve p256.
	  Client connections should automatically use ECDHE when available.
	  (thanks Daniel Kahn Gillmor)

18 July 2015: Willem
	- Allow certificate chain files to allow for intermediate certificates.
	  (thanks Daniel Kahn Gillmor)

13 July 2015: Wouter
	- makedist produces sha1 and sha256 files for created binaries too.

9 July 2015: Wouter
	- 1.5.4 release tag
	- trunk has 1.5.5 in development.
	- Fix #681: Setting forwarders with unbound-control forward
	  implicitly turns on forward-first.

29 June 2015: Wouter
	- iana portlist update.
	- Fix alloc with log for allocation size checks.

26 June 2015: Wouter
	- Fix #677 Fix DNAME responses from cache that failed internal chain
	  test.
	- iana portlist update.

22 June 2015: Wouter
	- Fix #677 Fix CNAME corresponding to a DNAME was checked incorrectly
	  and was therefore always synthesized (thanks to Valentin Dietrich).

4 June 2015: Wouter
	- RFC 7553 RR type URI support, is now enabled by default.

2 June 2015: Wouter
	- Fix #674: Do not free pointers given by getenv.

29 May 2015: Wouter
	- Fix that unparseable error responses are ratelimited.
	- SOA negative TTL is capped at minimumttl in its rdata section.
	- cache-max-negative-ttl config option, default 3600.

26 May 2015: Wouter
	- Document that ratelimit works with unbound-control set_option.

21 May 2015: Wouter
	- iana portlist update.
	- documentation proposes ratelimit of 1000 (closer to what upstream
	  servers expect from us).

20 May 2015: Wouter
	- DLV is going to be decommissioned.  Advice to stop using it, and
	  put text in the example configuration and man page to that effect.

10 May 2015: Wouter
	- Change syntax of particular validator error to be easier for
	  machine parse, swap rrset and ip adres info so it looks like:
	  validation failure <www.example.nl. TXT IN>: signature crypto
	  failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>

1 May 2015: Wouter
	- caps-whitelist in unbound.conf allows whitelist of loadbalancers
	  that cannot work with caps-for-id or its fallback.

30 April 2015: Wouter
	- Unit test for type ANY synthesis.

22 April 2015: Wouter
	- Removed contrib/unbound_unixsock.diff, because it has been
	  integrated, use control-interface: /path in unbound.conf.
	- iana portlist update.

17 April 2015: Wouter
	- Synthesize ANY responses from cache.  Does not search exhaustively,
	  but MX,A,AAAA,SOA,NS also CNAME.
	- Fix leaked dns64prefix configuration string.

16 April 2015: Wouter
	- Add local-zone type inform_deny, that logs query and drops answer.
	- Ratelimit does not apply to prefetched queries, and ratelimit-factor
	  is default 10.  Repeated normal queries get resolved and with
	  prefetch stay in the cache.
	- Fix bug#664: libunbound python3 related fixes (from Tomas Hozza)
	  Use print_function also for Python2.
	  libunbound examples: produce sorted output.
	  libunbound-Python: libldns is not used anymore.
	  Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.

10 April 2015: Wouter
	- unbound-control ratelimit_list lists high rate domains.
	- ratelimit feature, ratelimit: 100, or some sensible qps, can be
	  used to turn it on.  It ratelimits recursion effort per zone.
	  For particular names you can configure exceptions in unbound.conf.
	- Fix that get_option for cache-sizes does not print double newline.
	- Fix#663: ssl handshake fails when using unix socket because dh size
	  is too small.

8 April 2015: Wouter
	- Fix crash in dnstap: Do not try to log TCP responses after timeout.

7 April 2015: Wouter
	- Libunbound skips dos-line-endings from etc/hosts.
	- Unbound exits with a fatal error when the auto-trust-anchor-file
	  fails to be writable.  This is seconds after startup.  You can
	  load a readonly auto-trust-anchor-file with trust-anchor-file.
	  The file has to be writable to notice the trust anchor change,
	  without it, a trust anchor change will be unnoticed and the system
	  will then become inoperable.
	- unbound-control list_insecure command shows the negative trust
	  anchors currently configured, patch from Jelte Jansen.

2 April 2015: Wouter
	- Fix #660: Fix interface-automatic broken in the presence of
	  asymmetric routing.

26 March 2015: Wouter
	- remote.c probedelay line is easier to read.
	- rename ldns subdirectory to sldns to avoid name collision.

25 March 2015: Wouter
	- Fix #657:  libunbound(3) recommends deprecated
	  CRYPTO_set_id_callback.
	- If unknown trust anchor algorithm, and libressl is used, error
	  message encourages upgrade of the libressl package.

23 March 2015: Wouter
	- Fix segfault on user not found at startup (from Maciej Soltysiak).

20 March 2015: Wouter
	- Fixed to add integer overflow checks on allocation (defense in depth).

19 March 2015: Wouter
	- Add ip-transparent config option for bind to non-local addresses.

17 March 2015: Wouter
	- Use reallocarray for integer overflow protection, patch submitted
	  by Loganaden Velvindron.

16 March 2015: Wouter
	- Fixup compile on cygwin, more portable openssl thread id.

12 March 2015: Wouter
	- Updated default keylength in unbound-control-setup to 3k.

10 March 2015: Wouter
	- Fix lintian warning in unbound-checkconf man page (from Andreas
	  Schulze).
	- print svnroot when building windows dist.
	- iana portlist update.
	- Fix warning on sign compare in getentropy_linux.

9 March 2015: Wouter
	- Fix #644: harden-algo-downgrade option, if turned off, fixes the
	  reported excessive validation failure when multiple algorithms
	  are present.  It allows the weakest algorithm to validate the zone.
	- iana portlist update.

5 March 2015: Wouter
	- contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
	  scripts.  Contributed by Yuri Voinov.
	- Document that incoming-num-tcp increase is good for large servers.
	- stats reports tcp usage, of incoming-num-tcp buffers.

4 March 2015: Wouter
	- Patch from Brad Smith that syncs compat/getentropy_linux with
	  OpenBSD's version (2015-03-04).
	- 0x20 fallback improved: servfail responses do not count as missing
	  comparisons (except if all responses are errors),
	  inability to find nameservers does not fail equality comparisons,
	  many nameservers does not try to compare more than max-sent-count,
	  parse failures start 0x20 fallback procedure.
	- store caps_response with best response in case downgrade response
	  happens to be the last one.
	- Document windows 8 tests.

3 March 2015: Wouter
	- tag 1.5.3rc1
	[ This became 1.5.3 on 10 March, trunk is 1.5.4 in development ]

2 March 2015: Wouter
	- iana portlist update.

20 February 2015: Wouter
	- Use the getrandom syscall introduced in Linux 3.17 (from Heiner
	  Kallweit).
	- Fix #645 Portability to Solaris 10, use AF_LOCAL.
	- Fix #646 Portability to Solaris, -lrt for getentropy_solaris.
	- Fix #647 crash in 1.5.2 because pwd.db no longer accessible after
	  reload.

19 February 2015: Wouter
	- 1.5.2 release tag.
	- svn trunk contains 1.5.3 under development.

13 February 2015: Wouter
	- Fix #643: doc/example.conf.in: unnecessary whitespace.

12 February 2015: Wouter
	- tag 1.5.2rc1

11 February 2015: Wouter
	- iana portlist update.

10 February 2015: Wouter
	- Fix scrubber with harden-glue turned off to reject NS (and other
	  not-address) records.

9 February 2015: Wouter
	- Fix validation failure in case upstream forwarder (ISC BIND) does
	  not have the same trust anchors and decides to insert unsigned NS
	  record in authority section.

2 February 2015: Wouter
	- infra-cache-min-rtt patch from Florian Riehm, for expected long
	  uplink roundtrip times.

30 January 2015: Wouter
	- Fix 0x20 capsforid fallback to omit gratuitous NS and additional
	  section changes.
	- Portability fix for Solaris ('sun' is not usable for a variable).

29 January 2015: Wouter
	- Fix pyunbound byte string representation for python3.

26 January 2015: Wouter
	- Fix unintended use of gcc extension for incomplete enum types,
	  compile with pedantic c99 compliance (from Daniel Dickman).

23 January 2015: Wouter
	- windows port fixes, no AF_LOCAL, no chown, no chmod(grp).

16 January 2015: Wouter
	- unit test for local unix connection.  Documentation and log_addr
	  does not inspect port for AF_LOCAL.
	- unbound-checkconf -f prints chroot with pidfile path.

13 January 2015: Wouter
	- iana portlist update.

12 January 2015: Wouter
	- Cast sun_len sizeof to socklen_t.
	- Fix pyunbound ord call, portable for python 2 and 3.

7 January 2015: Wouter
	- Fix warnings in pythonmod changes.

6 January 2015: Wouter
	- iana portlist update.
	- patch for remote control over local sockets, from Dag-Erling
	  Smorgrav, Ilya Bakulin.  Use control-interface: /path/sock and
	  control-use-cert: no.
	- Fixup that patch and uid lookup (only for daemon).
	- coded the default of control-use-cert, to yes.

5 January 2015: Wouter
	- getauxval test for ppc64 linux compatibility.
	- make strip works for unbound-host and unbound-anchor.
	- patch from Stephane Lapie that adds to the python API, that
	  exposes struct delegpt, and adds the find_delegation function.
	- print query name when max target count is exceeded.
	- patch from Stuart Henderson that fixes DESTDIR in
	  unbound-control-setup for installs where config is not in
	  the prefix location.
	- Fix #634: fix fail to start on Linux LTS 3.14.X, ignores missing
	  IP_MTU_DISCOVER OMIT option (fix from Remi Gacogne).
	- Updated contrib warmup.cmd/sh to support two modes - load
	  from pre-defined list of domains or (with filename as argument)
	  load from user-specified list of domains, and updated contrib
	  unbound_cache.sh/cmd to support loading/save/reload cache to/from
	  default path or (with secondary argument) arbitrary path/filename,
	  from Yuri Voinov.
	- Patch from Philip Paeps to contrib/unbound_munin_ that uses
	  type ABSOLUTE.  Allows munin.conf: [idleserver.example.net]
	  unbound_munin_hits.graph_period minute

9 December 2014: Wouter
	- svn trunk has 1.5.2 in development.
	- config.guess and config.sub update from libtoolize.
	- local-zone: example.com inform makes unbound log a message with
	  client IP for queries in that zone.  Eg. for finding infected hosts.

8 December 2014: Wouter
	- Fix CVE-2014-8602: denial of service by making resolver chase
	  endless series of delegations.

1 December 2014: Wouter
	- Fix bug#632: unbound fails to build on AArch64, protects
	  getentropy compat code from calling sysctl if it is has been removed.

29 November 2014: Wouter
	- Add include to getentropy_linux.c, hopefully fixing debian build.

28 November 2014: Wouter
	- Fix makefile for build from noexec source tree.

26 November 2014: Wouter
	- Fix libunbound undefined symbol errors for main.
	  Referencing main does not seem to be possible for libunbound.

24 November 2014: Wouter
	- Fix log at high verbosity and memory allocation failure.
	- iana portlist update.

21 November 2014: Wouter
	- Fix crash on multiple thread random usage on systems without
	  arc4random.

20 November 2014: Wouter
	- fix compat/getentropy_win.c check if CryptGenRandom works and no
	  immediate exit on windows.

19 November 2014: Wouter
	- Fix cdflag dns64 processing.

18 November 2014: Wouter
	- Fix that CD flag disables DNS64 processing, returning the DNSSEC
	  signed AAAA denial.
	- iana portlist update.

17 November 2014: Wouter
	- Fix #627: SSL_CTX_load_verify_locations return code not properly
	  checked.

14 November 2014: Wouter
	- parser with bison 2.7

13 November 2014: Wouter
	- Patch from Stephane Lapie for ASAHI Net that implements aaaa-filter,
	added to contrib/aaaa-filter-iterator.patch.

12 November 2014: Wouter
	- trunk has 1.5.1 in development.
	- Patch from Robert Edmonds to build pyunbound python module
	  differently.  No versioninfo, with -shared and without $(LIBS).
	- Patch from Robert Edmonds fixes hyphens in unbound-anchor man page.
	- Removed 'increased limit open files' log message that is written
	  to console.  It is only written on verbosity 4 and higher.
	  This keeps system bootup console cleaner.
	- Patch from James Raftery, always print stats for rcodes 0..5.

11 November 2014: Wouter
	- iana portlist update.
	- Fix bug where forward or stub addresses with same address but
	  different port number were not tried.
	- version number in svn trunk is 1.5.0
	- tag 1.5.0rc1
	- review fix from Ralph.

7 November 2014: Wouter
	- dnstap fixes by Robert Edmonds:
		dnstap/dnstap.m4: cosmetic fixes
		dnstap/: Remove compiled protoc-c output files
		dnstap/dnstap.m4: Error out if required libraries are not found
		dnstap: Fix ProtobufCBufferSimple usage that is incorrect as of
			protobuf-c 1.0.0
		dnstap/: Adapt to API changes in latest libfstrm (>= 0.2.0)

4 November 2014: Wouter
	- Add ub_ctx_add_ta_autr function to add a RFC5011 automatically
	  tracked trust anchor to libunbound.
	- Redefine internal minievent symbols to unique symbols that helps
	  linking on platforms where the linker leaks names across modules.

27 October 2014: Wouter
	- Disabled use of SSLv3 in remote-control and ssl-upstream.
	- iana portlist update.

16 October 2014: Wouter
	- Documented dns64 configuration in unbound.conf man page.

13 October 2014: Wouter
	- Fix #617: in ldns in unbound, lowercase WKS services.
	- Fix ctype invocation casts.

10 October 2014: Wouter
	- Fix unbound-checkconf check for module config with dns64 module.
	- Fix unbound capsforid fallback, it ignores TTLs in comparison.

6 October 2014: Wouter
	- Fix #614: man page variable substitution bug.
6 October 2014: Willem
	- Whitespaces after $ORIGIN are not part of the origin dname (ldns).
	- $TTL's value starts at position 5 (ldns).

1 October 2014: Wouter
	- fix #613: Allow tab ws in var length last rdfs (in ldns str2wire).

29 September 2014: Wouter
	- Fix #612: create service with service.conf in present directory and
	  auto load it.
	- Fix for mingw compile openssl ranlib.

25 September 2014: Wouter
	- updated configure and aclocal with newer autoconf 1.13.

22 September 2014: Wouter
	- Fix swig and python examples for Python 3.x.
	- Fix for mingw compile with openssl-1.0.1i.

19 September 2014: Wouter
	- improve python configuration detection to build on Fedora 22.

18 September 2014: Wouter
	- patches to also build with Python 3.x (from Pavel Simerda).

16 September 2014: Wouter
	- Fix tcp timer waiting list removal code.
	- iana portlist update.
	- Updated the TCP_BACLOG from 5 to 256, so that the tcp accept queue
	  is longer and more tcp connections can be handled.

15 September 2014: Wouter
	- Fix unit test for CDS typecode.

5 September 2014: Wouter
	- type CDS and CDNSKEY types in sldns.

25 August 2014: Wouter
	- Fixup checklock code for log lock and its mutual initialization
	  dependency.
	- iana portlist update.
	- Removed necessity for pkg-config from the dnstap.m4, new are
	  the --with-libfstrm and --with-protobuf-c configure options.

19 August 2014: Wouter
	- Update unbound manpage with more explanation (from Florian Obser).

18 August 2014: Wouter
	- Fix #603: unbound-checkconf -o <option> should skip verification
	  checks.
	- iana portlist update.
	- Fixup doc/unbound.doxygen to remove obsolete 1.8.7 settings.

5 August 2014: Wouter
	- dnstap support, with a patch from Farsight Security, written by
	  Robert Edmonds. The --enable-dnstap needs libfstrm and protobuf-c.
	  It is BSD licensed (see dnstap/dnstap.c).
	  Building with --enable-dnstap needs pkg-config with this patch.
	- Noted dnstap in doc/README and doc/CREDITS.
	- Changes to the dnstap patch.
	  - lint fixes.
	  - dnstap/dnstap_config.h should not have been added to the repo,
	    because is it generated.

1 August 2014: Wouter
	- Patch add msg, rrset, infra and key cache sizes to stats command
	  from Maciej Soltysiak.
	- iana portlist update.

31 July 2014: Wouter
	- DNS64 from Viagenie (BSD Licensed), written by Simon Perrault.
	  Initial commit of the patch from the FreeBSD base (with its fixes).
	  This adds a module (for module-config in unbound.conf) dns64 that
	  performs DNS64 processing, see README.DNS64.
	- Changes from DNS64:
	  strcpy changed to memmove.
	  arraybound check fixed from prefix_net/8/4 to prefix_net/8+4.
	  allocation of result consistently in the correct region.
	  time_t is now used for ttl in unbound (since the patch's version).
	- testdata/dns64_lookup.rpl for unit test for dns64 functionality.

29 July 2014: Wouter
	- Patch from Dag-Erling Smorgrav that implements feature, unbound -dd
	  does not fork in the background and also logs to stderr.

21 July 2014: Wouter
	- Fix endian.h include for OpenBSD.

16 July 2014: Wouter
	- And Fix#596: Bail out of unbound-control dump_infra when ssl
	  write fails.

15 July 2014: Wouter
	- Fix #596: Bail out of unbound-control list_local_zones when ssl
	  write fails.
	- iana portlist update.

13 July 2014: Wouter
	- Configure tests if main can be linked to from getentropy compat.

12 July 2014: Wouter
	- Fix getentropy compat code, function refs were not portable.
	- Fix to check openssl version number only for OpenSSL.
	- LibreSSL provides compat items, check for that in configure.
	- Fix bug in fix for log locks that caused deadlock in signal handler.
	- update compat/getentropy and arc4random to the most recent ones from OpenBSD.

11 July 2014: Matthijs
	- fake-rfc2553 patch (thanks Benjamin Baier).

11 July 2014: Wouter
	- arc4random in compat/ and getentropy, explicit_bzero, chacha for
	  dependencies, from OpenBSD.  arc4_lock and sha512 in compat.
	  This makes arc4random available on all platforms, except when
	  compiled with LIBNSS (it uses libNSS crypto random).
	- fix strptime implicit declaration error on OpenBSD.
	- arc4random, getentropy and explicit_bzero compat for Windows.

4 July 2014: Wouter
	- Fix #593: segfault or crash upon rotating logfile.

3 July 2014: Wouter
	- DLV tests added.
	- signit tool fixup for compile with libldns library.
	- iana portlist updated.

27 June 2014: Wouter
	- so-reuseport is available on BSDs(such as FreeBSD 10) and OS/X.

26 June 2014: Wouter
	- unbound-control status reports if so-reuseport was successful.
	- iana portlist updated.

24 June 2014: Wouter
	- Fix caps-for-id fallback, and added fallback attempt when servers
	  drop 0x20 perturbed queries.
	- Fixup testsetup for VM tests (run testcode/run_vm.sh).

17 June 2014: Wouter
	- iana portlist updated.

3 June 2014: Wouter
	- Add AAAA for B root server to default root hints.

2 June 2014: Wouter
	- Remove unused define from iterator.h

30 May 2014: Wouter
	- Fixup sldns_enum_edns_option typedef definition.

28 May 2014: Wouter
	- Code cleanup patch from Dag-Erling Smorgrav, with compiler issue
	  fixes from FreeBSD's copy of Unbound, he notes:
	  Generate unbound-control-setup.sh at build time so it respects
	  prefix and sysconfdir from the configure script.  Also fix the
	  umask to match the comment, and the comment to match the umask.
	  Add const and static where needed.  Use unions instead of
	  playing pointer poker.  Move declarations that are needed in
	  multiple source files into a shared header.  Move sldns_bgetc()
	  from parse.c to buffer.c where it belongs.  Introduce a new
	  header file, worker.h, which declares the callbacks that
	  all workers must define.  Remove those declarations from
	  libworker.h.	Include the correct headers in the correct places.
	  Fix a few dummy callbacks that don't match their prototype.
	  Fix some casts.  Hide the sbrk madness behind #ifdef HAVE_SBRK.
	  Remove a useless printf which breaks reproducible builds.
	  Get rid of CONFIGURE_{TARGET,DATE,BUILD_WITH} now that they're
	  no longer used.  Add unbound-control-setup.sh to the list of
	  generated files.  The prototype for libworker_event_done_cb()
	  needs to be moved from libunbound/libworker.h to
	  libunbound/worker.h.
	- Fixup out-of-directory compile with unbound-control-setup.sh.in.
	- make depend.

23 May 2014: Wouter
	- unbound-host -D enabled dnssec and reads root trust anchor from
	  the default root key file that was compiled in.

20 May 2014: Wouter
	- Feature, unblock-lan-zones: yesno that you can use to make unbound
	  perform 10.0.0.0/8 and other reverse lookups normally, for use if
	  unbound is running service for localhost on localhost.

16 May 2014: Wouter
	- Updated create_unbound_ad_servers and unbound_cache scripts from
	  Yuri Voinov in the source/contrib directory. Added
	  warmup.cmd (and .sh): warm up the DNS cache with your MRU domains.

9 May 2014: Wouter
	- Implement draft-ietf-dnsop-rfc6598-rfc6303-01.
	- iana portlist updated.

8 May 2014: Wouter
	- Contrib windows scripts from Yuri Voinov added to src/contrib:
	  create_unbound_ad_servers.cmd: enters anti-ad server lists.
	  unbound_cache.cmd: saves and loads the cache.
	- Added unbound-control-setup.cmd from Yuri Voinov to the windows
	  unbound distribution set.  It requires openssl installed in %PATH%.

6 May 2014: Wouter
	- Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier.

5 May 2014: Wouter
	- More #567: remove : from output of stub and forward lists, this is
	  easier to parse.

29 April 2014: Wouter
	- iana portlist updated.
	- Add unbound-control flush_negative that flushed nxdomains, nodata,
	  and errors from the cache.  For dnssec-trigger and NetworkManager,
	  fixes cases where network changes have localdata that was already
	  negatively cached from the previous network.

23 April 2014: Wouter
	- Patch from Jeremie Courreges-Anglas to use arc4random_uniform
	  if available on the OS, it gets entropy from the OS.

15 April 2014: Wouter
	- Fix compile with libevent2 on FreeBSD.

11 April 2014: Wouter
	- Fix #502: explain that do-ip6 disable does not stop AAAA lookups,
	  but it stops the use of the ipv6 transport layer for DNS traffic.
	- iana portlist updated.

10 April 2014: Wouter
	- iana portlist updated.
	- Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
	  option for DNS fragmentation defense.
	- Document that dump_requestlist only prints queries from thread 0.
	- unbound-control stats prints num.query.tcpout with number of TCP
	  outgoing queries made in the previous statistics interval.
	- Fix #567: unbound lists if forward zone is secure or insecure with
	  +i annotation in output of list_forwards, also for list_stubs
	  (for NetworkManager integration.)
	- Fix #554: use unsigned long to print 64bit statistics counters on
	  64bit systems.
	- Fix #558: failed prefetch lookup does not remove cached response
	  but delays next prefetch (in lieu of caching a SERVFAIL).
	- Fix #545: improved logging, the ip address of the error is printed
	  on the same log-line as the error.

8 April 2014: Wouter
	- Fix #574: make test fails on Ubuntu 14.04.  Disabled remote-control
	  in testbound scripts.
	- iana portlist updated.

7 April 2014: Wouter
	- C.ROOT-SERVERS.NET has an IPv6 address, and we updated the root
	  hints (patch from Anand Buddhdev).
	- Fix #572: Fix unit test failure for systems with different
	  /etc/services.

28 March 2014: Wouter
	- Fix #569: do_tcp is do-tcp in unbound.conf man page.

25 March 2014: Wouter
	- Patch from Stuart Henderson to build unbound-host man from .1.in.

24 March 2014: Wouter
	- Fix print filename of encompassing config file on read failure.

12 March 2014: Wouter
	- tag 1.4.22
	- trunk has 1.4.23 in development.

10 March 2014: Wouter
	- Fix bug#561: contrib/cacti plugin did not report SERVFAIL rcodes
	  because of spelling.  Patch from Chris Coates.

27 February 2014: Wouter
	- tag 1.4.22rc1

21 February 2014: Wouter
	- iana portlist updated.

20 February 2014: Matthijs
	- Be lenient when a NSEC NameError response with RCODE=NXDOMAIN is
	  received. This is okay according 4035, but not after revising
	  existence in 4592.  NSEC empty non-terminals exist and thus the
	  RCODE should have been NOERROR. If this occurs, and the RRsets
	  are secure, we set the RCODE to NOERROR and the security status
	  of the response is also considered secure.

14 February 2014: Wouter
	- Works on Minix (3.2.1).

11 February 2014: Wouter
	- Fix parse of #553(NSD) string in sldns, quotes without spaces.

7 February 2014: Wouter
	- iana portlist updated.
	- add body to ifstatement if locks disabled.
	- add TXT string"string" test case to unit test.
	- Fix #551: License change "Regents" to "Copyright holder", matching
	  the BSD license on opensource.org.

6 February 2014: Wouter
	- sldns has type HIP.
	- code documentation on the module interface.

5 February 2014: Wouter
	- Fix sldns parse tests on osx.

3 February 2014: Wouter
	- Detect libevent2 install automatically by configure.
	- Fixup link with lib/event2 subdir.
	- Fix parse in sldns of quoted parenthesized text strings.

31 January 2014: Wouter
	- unit test for ldns wire to str and back with zones, root, nlnetlabs
	  and types.sidnlabs.
	- Fix for hex to string in unknown, atma and nsap.
	- fixup nss compile (no ldns in it).
	- fixup warning in unitldns
	- fixup WKS and rdata type service to print unsigned because strings
	  are not portable; they cannot be read (for sure) on other computers.
	- fixup type EUI48 and EUI64, type APL and type IPSECKEY in string
	  parse sldns.

30 January 2014: Wouter
	- delay-close does not act if there are udp-wait queries, so that
	  it does not make a socketdrain DoS easier.

28 January 2014: Wouter
	- iana portlist updated.
	- iana portlist test updated so it does not touch the source
	  if there are no changes.
	- delay-close: msec option that delays closing ports for which
	  the UDP reply has timed out.  Keeps the port open, only accepts
	  the correct reply.  This correct reply is not used, but the port
	  is open so that no port-denied ICMPs are generated.

27 January 2014: Wouter
	- reuseport is attempted, then fallback to without on failure.

24 January 2014: Wouter
	- Change unbound-event.h to use void* buffer, length idiom.
	- iana portlist updated.
	- unbound-event.h is installed if you configure --enable-event-api.
	- speed up unbound (reports say it could be up to 10%), by reducing
	  lock contention on localzones.lock.  It is changed to an rwlock.
	- so-reuseport: yesno option to distribute queries evenly over
	  threads on Linux (Thanks Robert Edmonds).
	- made lint clean.

21 January 2014: Wouter
	- Fix #547: no trustanchor written if filesystem full, fclose checked.

17 January 2014: Wouter
	- Fix isprint() portability in sldns, uses unsigned int.
	- iana portlist updated.

16 January 2014: Wouter
	- fix #544: Fixed +i causes segfault when running with module conf
	  "iterator".
	- Windows port, adjust %lld to %I64d, and warning in win_event.c.

14 January 2014: Wouter
	- iana portlist updated.

5 Dec 2013: Wouter
	- Fix bug in cachedump that uses sldns.
	- update pythonmod for ldns_ to sldns_ name change.

3 Dec 2013: Wouter
	- Fix sldns to use sldns_ prefix for all ldns_ variables.
	- Fix windows compile to compile with sldns.

30 Nov 2013: Wouter
	- Fix sldns to make globals use sldns_ prefix.  This fixes
	  linking with libldns that uses global variables ldns_ .

13 Nov 2013: Wouter
	- Fix bug#537: compile python plugin without ldns library.

12 Nov 2013: Wouter
	- Fix bug#536: acl_deny_non_local and refuse_non_local added.

5 Nov 2013: Wouter
	- Patch from Neel Goyal to fix async id assignment if callback
	  is called by libunbound in the mesh attach.
	- Accept ip-address: as an alternative for interface: for
	  consistency with nsd.conf syntax.

4 Nov 2013: Wouter
	- Patch from Neel Goyal to fix callback in libunbound.

3 Nov 2013: Wouter
	- if configured --with-libunbound-only fix make install.

31 Oct 2013: Wouter
	- Fix #531: Set SO_REUSEADDR so that the wildcard interface and a 
	  more specific interface port 53 can be used at the same time, and
	  one of the daemons is unbound.
	- iana portlist update.
	- separate ldns into core ldns inside ldns/ subdirectory.  No more
	  --with-ldns is needed and unbound does not rely on libldns.
	- portability fixes for new USE_SLDNS ldns subdir codebase.

22 Oct 2013: Wouter
	- Patch from Neel Goyal: Add an API call to set an event base on an
	  existing ub_ctx.  This basically just destroys the current worker and
	  sets the event base to the current.  And fix a deadlock in
	  ub_resolve_event – the cfglock is held when libworker_create is
	  called.  This ends up trying to acquire the lock again in
	  context_obtain_alloc in the call chain.
	- Fix #528: if very high logging (4 or more) segfault on allow_snoop.

26 Sep 2013: Wouter
	- unbound-event.h is installed if configured --with-libevent.  It
	  contains low-level library calls, that use libevent's event_base
	  and an ldns_buffer for the wire return packet to perform async
	  resolution in the client's eventloop.

19 Sep 2013: Wouter
	- 1.4.21 tag created.
	- trunk has 1.4.22 number inside it.
	- iana portlist updated.
	- acx_nlnetlabs.m4 to 26; improve FLTO help text.

16 Sep 2013: Wouter
	- Fix#524: max-udp-size not effective to non-EDNS0 queries, from
	  Daisuke HIGASHI.

10 Sep 2013: Wouter
	- MIN_TTL and MAX_TTL also in time_t.
	- tag 1.4.21rc1 made again.

26 Aug 2013: Wouter
	- More fixes for bug#519: for the threaded case test if the bg
	  thread has been killed, on ub_ctx_delete, to avoid hangs.

22 Aug 2013: Wouter
	- more fixes that I overlooked.
	- review fixes from Willem.

21 Aug 2013: Wouter
	- Fix#520: Errors found by static analysis from Tomas Hozza(redhat).

20 Aug 2013: Wouter
	- Fix for 2038, with time_t instead of uint32_t.

19 Aug 2013: Wouter
	- Fix#519 ub_ctx_delete may hang in some scenarios (libunbound).

14 Aug 2013: Wouter
	- Fix uninit variable in fix#516.

8 Aug 2013: Wouter
	- Fix#516 dnssec lameness detection for answers that are improper.

30 Jun 2013: Wouter
	- tag 1.4.21rc1

29 Jun 2013: Wouter
	- Fix#512 memleak in testcode for testbound (if it fails).
	- Fix#512 NSS returned arrays out of setup function to be statics.

26 Jun 2013: Wouter
	- max include of 100.000 files (depth and globbed at one time).
	  This is to preserve system memory in bug cases, or endless cases.
	- iana portlist updated.

19 Jun 2013: Wouter
	- streamtcp man page, contributed by Tomas Hozza.
	- iana portlist updated.
	- libunbound documentation on how to avoid openssl race conditions.

25 Jun 2013: Wouter
	- Squelch sendto-permission denied errors when the network is
	  not connected, to avoid spamming syslog.
	- configure --disable-flto option (from Robert Edmonds).

18 Jun 2013: Wouter
	- Fix for const string literals in C++ for libunbound, from Karel
	  Slany.
	- iana portlist updated.

17 Jun 2013: Wouter
	- Fixup manpage syntax.

14 Jun 2013: Wouter
	- get_option and set_option support for log-time-ascii, python-script
	  val-sig-skew-min and val-sig-skew-max.  log-time-ascii takes effect
	  immediately.  The others are mostly useful for libunbound users.

13 Jun 2013: Wouter
	- get_option, set_option, unbound-checkconf -o and libunbound
	  getoption and setoption support cache-min-ttl and cache-max-ttl.

10 Jun 2013: Wouter
	- Fix#501: forward-first does not recurse, when forward name is ".".
	- iana portlist update.
	- Max include depth is unlimited.

27 May 2013: Wouter
	- Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply
	  patch to it to not fail when -Werror is also specified, from the
	  autoconf-archives.
	- iana portlist update.

21 May 2013: Wouter
	- Explain bogus and secure flags in libunbound more.

16 May 2013: Wouter
	- Fix#499 use-after-free in out-of-memory handling code (thanks Jake
	  Montgomery).
	- Fix#500 use on non-initialised values on socket bind failures.

15 May 2013: Wouter
	- Fix round-robin doesn't work with some Windows clients (from Ilya
	  Bakulin).

3 May 2013: Wouter
	- update acx_nlnetlabs.m4 to v23, sleep w32 fix.

26 April 2013: Wouter
	- add unbound-control insecure_add and insecure_remove for the
	  administration of negative trust anchors.

25 April 2013: Wouter
	- Implement max-udp-size config option, default 4096 (thanks
	  Daisuke Higashi).
	- Robust checks on dname validity from rdata for dname compare.
	- updated iana portlist.

19 April 2013: Wouter
	- Fixup snprintf return value usage, fixed libunbound_get_option.

18 April 2013: Wouter
	- fix bug #491: pick program name (0th argument) as syslog identity.
	- own implementation of compat/snprintf.c.

15 April 2013: Wouter
	- Fix so that for a configuration line of include: "*.conf" it is not
	  an error if there are no files matching the glob pattern.
	- unbound-anchor review: BIO_write can return 0 successfully if it
	  has successfully appended a zero length string.

11 April 2013: Wouter
	- Fix queries leaking up for stubs and forwards, if the configured
	  nameservers all fail to answer.

10 April 2013: Wouter
	- code improve for minimal responses, small speed increase.

9 April 2013: Wouter
	- updated iana portlist.
	- Fix crash in previous private address fixup of 22 March.

28 March 2013: Wouter
	- Make reverse zones easier by documenting the nodefault statements
	  commented-out in the example config file.

26 March 2013: Wouter
	- more fixes to lookup3.c endianness detection.

25 March 2013: Wouter
	- #492: Fix endianness detection, revert to older lookup3.c detection
	  and put new detect lines after previous tests, to avoid regressions
	  but allow new detections to succeed.
	  And add detection for machine/endian.h to it.

22 March 2013: Wouter
	- Fix resolve of names that use a mix of public and private addresses.
	- iana portlist update.
	- Fix makedist for new svn for -d option.
	- unbound.h header file has UNBOUND_VERSION_MAJOR define.
	- Fix windows RSRC version for long version numbers.

21 March 2013: Wouter
	- release 1.4.20
	- trunk has 1.4.21
	- committed libunbound version 4:1:2 for binary API updated in 1.4.20
	- install copy of unbound-control.8 man page for unbound-control-setup

14 March 2013: Wouter
	- iana portlist update.
	- tag 1.4.20rc1

12 March 2013: Wouter
	- Fixup makedist.sh for windows compile.

11 March 2013: Wouter
	- iana portlist update.
	- testcode/ldns-testpkts.c check for makedist is informational.

15 February 2013: Wouter
	- fix defines in lookup3 for bigendian bsd alpha

11 February 2013: Wouter
	- Fixup openssl_thread init code to only run if compiled with SSL.

7 February 2013: Wouter
	- detect endianness in lookup3 on BSD.
	- add libunbound.ttl at end of result structure, version bump for
	  libunbound and binary backwards compatible, but 1.4.19 is not
	  forward compatible with 1.4.20.
	- update iana port list.

30 January 2013: Wouter
	- includes and have_ssl fixes for nss.

29 January 2013: Wouter
	- printout name of zone with duplicate fwd and hint errors.

28 January 2013: Wouter
	- updated fwd_zero for newer nc. Updated common.sh for newer netstat.

17 January 2013: Wouter
	- unbound-anchors checks the emailAddress of the signer of the
	  root.xml file, default is dnssec@iana.org.  It also checks that
	  the signer has the correct key usage for a digital signature.
	- update iana port list.

3 January 2013: Wouter
	- Test that unbound-control checks client credentials.
	- Test that unbound can handle a CNAME at an intermediate node in
	  the chain of trust (where it seeks a DS record).
	- Check the commonName of the signer of the root.xml file in
	  unbound-anchor, default is dnssec@iana.org.

2 January 2013: Wouter
	- Fix openssl lock free on exit (reported by Robert Fleischman).
	- iana portlist updated.
	- Tested that unbound implements the RFC5155 Technical Errata id 3441.
	  Unbound already implements insecure classification of an empty
	  nonterminal in NSEC3 optout zone.

20 December 2012: Wouter
	- Fix unbound-anchor xml parse of entity declarations for safety.

19 December 2012: Wouter
	- iana portlist updated.

18 December 2012: Wouter
	- iana portlist updated.

14 December 2012: Wouter
	- Change of D.ROOT-SERVERS.NET A address in default root hints.

12 December 2012: Wouter
	- 1.4.19 release.
	- trunk has 1.4.20 under development.

5 December 2012: Wouter
	- note support for AAAA RR type RFC.

4 December 2012: Wouter
	- 1.4.19rc1 tag.

30 November 2012: Wouter
	- bug 481: fix python example0.
	- iana portlist updated.

27 November 2012: Wouter
	- iana portlist updated.

9 November 2012: Wouter
	- Fix unbound-control forward disables configured stubs below it.

7 November 2012: Wouter
	- Fixup ldns-testpkts, identical to ldns/examples.
	- iana portlist updated.

30 October 2012: Wouter
	- Fix bug #477: unbound-anchor segfaults if EDNS is blocked.

29 October 2012: Matthijs
	- Fix validation for responses with both CNAME and wildcard
	  expanded CNAME records in answer section.

8 October 2012: Wouter
	- update ldns-testpkts.c to ldns 1.6.14 version.
	- fix build of pythonmod in objdir, for unbound.py.
	- make clean and makerealclean remove generated python and docs.

5 October 2012: Wouter
	- fix build of pythonmod in objdir (thanks Jakob Schlyter).

3 October 2012: Wouter
	- fix text in unbound-anchor man page.

1 October 2012: Wouter
	- ignore trusted-keys globs that have no files (from Paul Wouters).

27 September 2012: Wouter
	- include: directive in config file accepts wildcards.  Patch from
	  Paul Wouters.  Suggested use: include: "/etc/unbound.d/conf.d/*"
	- unbound-control -q option is quiet, patch from Mariano Absatz.
	- iana portlist updated.
	- updated contrib/unbound.spec, patch from Valentin Bud.

21 September 2012: Wouter
	- chdir to / after chroot call (suggested by Camiel Dobbelaar).

17 September 2012: Wouter
	- patch_rsamd5_enable.diff: this patch enables RSAMD5 validation
	  otherwise it is treated as insecure.  The RSAMD5 algorithm is
	  deprecated (RFC6725).  The MD5 hash is considered weak for some
	  purposes, if you want to sign your zone, then RSASHA256 is an
	  uncontested hash.

30 August 2012: Wouter
	- RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
	- iana portlist updated.

29 August 2012: Wouter
	- Nicer comments outgoing-port-avoid, thanks Stu (bug #465).

22 August 2012: Wouter
	- Fallback to 1472 and 1232, one fragment size without headers.

21 August 2012: Wouter
	- Fix timeouts so that when a server has been offline for a while
	  and is probed to see it works, it becomes fully available for
	  server selection again.

17 August 2012: Wouter
	- Add documentation to libunbound for default nonuse of resolv.conf.

2 August 2012: Wouter
	- trunk has 1.4.19 under development (fixes from 1 aug and 31 july
	are for 1.4.19).
	- iana portlist updated.

1 August 2012: Wouter
	- Fix openssl race condition, initializes openssl locks, reported
	  by Einar Lonn and Patrik Wallstrom.

31 July 2012: Wouter
	- Improved forward-first and stub-first documentation.
	- Fix that enables modules to register twice for the same
	  serviced_query, without race conditions or administration issues.
	  This should not happen with the current codebase, but it is robust.
	- Fix forward-first option where it sets the RD flag wrongly.
	- added manpage links for libunbound calls (Thanks Paul Wouters).

30 July 2012: Wouter
	- tag 1.4.18rc2 (became 1.4.18 release at 2 august 2012).

27 July 2012: Wouter
	- unbound-host works with libNSS
	- fix bogus nodata cname chain not reported as bogus by validator,
	  (Thanks Peter van Dijk).

26 July 2012: Wouter
	- iana portlist updated.
	- tag 1.4.18rc1.

25 July 2012: Wouter
	- review fix for libnss, check hash prefix allocation size.

23 July 2012: Wouter
	- fix missing break for GOST DS hash function.
	- implemented forward_first for the root.

20 July 2012: Wouter
	- Fix bug#452 and another assertion failure in mesh.c, makes
	  assertions in mesh.c resist duplicates.  Fixes DS NS search to
	  not generate duplicate sub queries.

19 July 2012: Willem
	- Fix bug#454: Remove ACX_CHECK_COMPILER_FLAG from configure.ac,
	  if CFLAGS is specified at configure time then '-g -O2' is not
	  appended to CFLAGS, so that the user can override them.

18 July 2012: Willem
	- Fix libunbound report of errors when in background mode.

11 July 2012: Willem
	- updated iana ports list.

9 July 2012: Willem
	- Add flush_bogus option for unbound-control

6 July 2012: Wouter
	- Fix validation of qtype DS queries that result in no data for
	  non-optout NSEC3 zones.

4 July 2012: Wouter
	- compile libunbound with libnss on Suse, passes regression tests.

3 July 2012: Wouter
	- FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes.

2 July 2012: Wouter
	- updated iana ports list.

29 June 2012: Wouter
	- patch for unbound_munin_ script to handle arbitrary thread count by
	  Sven Ulland.

28 June 2012: Wouter
	- detect if openssl has FIPS_mode.
	- code review: return value of cache_store can be ignored for better
	  performance in out of memory conditions.
	- fix edns-buffer-size and msg-buffer-size manpage documentation.
	- updated iana ports list.

25 June 2012: Wouter
	- disable RSAMD5 if in FIPS mode (for openssl and for libnss).

22 June 2012: Wouter
	- implement DS records, NSEC3 and ECDSA for compile with libnss.

21 June 2012: Wouter
	- fix error handling of alloc failure during rrsig verification.
	- nss check for verification failure.
	- nss crypto works for RSA and DSA.

20 June 2012: Wouter
	- work on --with-nss build option (for now, --with-libunbound-only).

19 June 2012: Wouter
	- --with-libunbound-only build option, only builds the library and
	  not the daemon and other tools.

18 June 2012: Wouter
	- code review.

15 June 2012: Wouter
	- implement log-time-ascii on windows.
	- The key-cache bad key ttl is now 60 seconds.
	- updated iana ports list.
	- code review.

11 June 2012: Wouter
	- bug #452: fix crash on assert in mesh_state_attachment.

30 May 2012: Wouter
	- silence warning from swig-generated code (md set but not used in
	  swig initmodule, due to ifdefs in swig-generated code).

27 May 2012: Wouter
	- Fix debian-bugs-658021: Please enable hardened build flags.

25 May 2012: Wouter
	- updated iana ports list.

24 May 2012: Wouter
	- tag for 1.4.17 release.
	- trunk is 1.4.18 in development.

18 May 2012: Wouter
	- Review comments, removed duplicate memset to zero in delegpt.

16 May 2012: Wouter
	- Updated doc/FEATURES with RFCs that are implemented but not listed.
	- Protect if statements in val_anchor for compile without locks.
	- tag for 1.4.17rc1.

15 May 2012: Wouter
	- fix configure ECDSA support in ldns detection for windows compile.
	- fix possible uninitialised variable in windows pipe implementation.

9 May 2012: Wouter
	- Fix alignment problem in util/random on sparc64/freebsd.

8 May 2012: Wouter
	- Fix for accept spinning reported by OpenBSD.
	- iana portlist updated.

2 May 2012: Wouter
	- Fix validation of nodata for DS query in NSEC zones, reported by
	  Ondrej Mikle.

13 April 2012: Wouter
	- ECDSA support (RFC 6605) by default. Use --disable-ecdsa for older
	  openssl.

10 April 2012: Wouter
	- Applied patch from Daisuke HIGASHI for rrset-roundrobin and
	  minimal-responses features.
	- iana portlist updated.

5 April 2012: Wouter
	- fix bug #443: --with-chroot-dir not honoured by configure.
	- fix bug #444: setusercontext was called too late (thanks Bjorn
	  Ketelaars).

27 March 2012: Wouter
	- fix bug #442: Fix that Makefile depends on pythonmod headers
	  even using --without-pythonmodule.

22 March 2012: Wouter
	- contrib/validation-reporter follows rotated log file (patch from
	  Augie Schwer).

21 March 2012: Wouter
	- new approach to NS fetches for DS lookup that works with
	  cornercases, and is more robust and considers forwarders.

19 March 2012: Wouter
	- iana portlist updated.
	- fix to locate nameservers for DS lookup with NS fetches.

16 March 2012: Wouter
	- Patch for access to full DNS packet data in unbound python module
	  from Ondrej Mikle.

9 March 2012: Wouter
	- Applied line-buffer patch from Augie Schwer to validation.reporter.sh.

2 March 2012: Wouter
	- flush_infra cleans timeouted servers from the cache too.
	- removed warning from --enable-ecdsa.

1 March 2012: Wouter
	- forward-first option.  Tries without forward if a query fails.
	  Also stub-first option that is similar.

28 February 2012: Wouter
	- Fix from code review, if EINPROGRESS not defined chain if statement
	  differently.

27 February 2012: Wouter
	- Fix bug#434: on windows check registry for config file location
	  for unbound-control.exe, and unbound-checkconf.exe.

23 February 2012: Wouter
	- Fix to squelch 'network unreachable' errors from tcp connect in
	  logs, high verbosity will show them.

16 February 2012: Wouter
	- iter_hints is now thread-owned in module env, and thus threadsafe.
	- Fix prefetch and sticky NS, now the prefetch works.  It picks
	  nameservers that 'would be valid in the future', and if this makes
	  the NS timeout, it updates that NS by asking delegation from the
	  parent again.  If child NS has longer TTL, that TTL does not get
	  refreshed from the lookup to the child nameserver.

15 February 2012: Wouter
	- Fix forward-zone memory, uses malloc and frees original root dp.
	- iter hints (stubs) uses malloc inside for more dynamicity.
	- unbound-control forward_add, forward_remove, stub_add, stub_remove
	  can modify stubs and forwards for running unbound (on mobile computer)
	  they can also add and remove domain-insecure for the zone.

14 February 2012: Wouter
	- Fix sticky NS (ghost domain problem) if prefetch is yes.
	- iter forwards uses malloc inside for more dynamicity.

13 February 2012: Wouter
	- RT#2955. Fix for cygwin compilation. 
	- iana portlist updated.

10 February 2012: Wouter
	- Slightly smaller critical region in one case in infra cache.
	- Fix timeouts to keep track of query type, A, AAAA and other, if
	  another has caused timeout blacklist, different type can still probe.
	- unit test fix for nomem_cnametopos.rpl race condition.

9 February 2012: Wouter
	- Fix AHX_BROKEN_MEMCMP for autoheader mess up of #undef in config.h.

8 February 2012: Wouter
	- implement draft-ietf-dnsext-ecdsa-04; which is in IETF LC; This
	  implementation is experimental at this time and not recommended
	  for use on the public internet (the protocol numbers have not
	  been assigned).  Needs recent ldns with --enable-ecdsa.
	- fix memory leak in errorcase for DSA signatures.
	- iana portlist updated.
	- workaround for openssl 0.9.8 ecdsa sha2 and evp problem.

3 February 2012: Wouter
	- fix for windows, rename() is not posix compliant on windows.

2 February 2012: Wouter
	- 1.4.16 release tag.
	- svn trunk is 1.4.17 in development.
	- iana portlist updated.

1 February 2012: Wouter
	- Fix validation failures (like: validation failure xx: no NSEC3
	  closest encloser from yy for DS zz. while building chain of trust,
	  because of a bug in the TTL-fix in 1.4.15, it picked the wrong rdata
	  for an NSEC3.  Now it does not change rdata, and fixes TTL.

30 January 2012: Wouter
	- Fix version-number in libtool to be version-info so it produces
	  libunbound.so.2 like it should.

26 January 2012: Wouter
	- Tag 1.4.15 (same as 1.4.15rc1), for 1.4.15 release.
	- trunk 1.4.16; includes changes memset testcode, #424 openindiana,
	  and keyfile write fixup.
	- applied patch to support outgoing-interface with ub_ctx_set_option.

23 January 2012: Wouter
	- Fix memset in test code.

20 January 2012: Wouter
	- Fix bug #424: compile on OpenIndiana OS with gcc 4.6.2.

19 January 2012: Wouter
	- Fix to write key files completely to a temporary file, and if that
	  succeeds, replace the real key file.  So failures leave a useful file.

18 January 2012: Wouter
	- tag 1.4.15rc1 created
	- updated libunbound/ubsyms.def and remade tag 1.4.15rc1.

17 January 2012: Wouter
	- Fix bug where canonical_compare of RRSIG did not downcase the
	  signer-name.  This is mostly harmless because RRSIGs do not have
	  to be sorted in canonical order, usually.

12 January 2012: Wouter
	- bug#428: add ub_version() call to libunbound.  API version increase,
	  with (binary) backwards compatibility for the previous version.

10 January 2012: Wouter
	- Fix bug #425: unbound reports wrong TTL in reply, it reports a TTL
	  that would be permissible by the RFCs but it is not the TTL in the
	  cache.
	- iana portlist updated.
	- uninitialised variable in reprobe for rtt blocked domains fixed.
	- lintfix and new flex output.

2 January 2012: Wouter
	- Fix to randomize hash function, based on 28c3 congress, reported
	  by Peter van Dijk.

24 December 2011: Wouter
	- Fix for memory leak (about 20 bytes when a tcp or udp send operation
	  towards authority servers failed, takes about 50.000 such failures to
	  leak one Mb, such failures are also usually logged), reported by
	  Robert Fleischmann.
	- iana portlist updated.

19 December 2011: Wouter
	- Fix for VU#209659 CVE-2011-4528: Unbound denial of service
	  vulnerabilities from nonstandard redirection and denial of existence
	  http://www.unbound.net/downloads/CVE-2011-4528.txt
	- robust checks for next-closer NSEC3s.
	- tag 1.4.14 created.
	- trunk has 1.4.15 in development.

15 December 2011: Wouter
	- remove uninit warning from cachedump code.
	- Fix parse error on negative SOA RRSIGs if badly ordered in the packet.

13 December 2011: Wouter
	- iana portlist updated.
	- svn tag 1.4.14rc1
	- fix infra cache comparison.
	- Fix to constrain signer_name to be a parent of the lookupname.

5 December 2011: Wouter
	- Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
	- Fix warnings with gcc 4.6 in compat/inet_ntop.c.
	- Fix warning unused in compat/strptime.c.
	- Fix malloc detection and double definition.

2 December 2011: Wouter
	- configure generated with autoconf 2.68.

30 November 2011: Wouter
	- Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes
	  SERVFAILs.  Also fixed for UDP (but less likely).

28 November 2011: Wouter
	- Fix quartile time estimate, it was too low, (thanks Jan Komissar).
	- iana ports updated.

11 November 2011: Wouter
	- Makefile compat with SunOS make, BSD make and GNU make.
	- iana ports updated.

10 November 2011: Wouter
	- Makefile changed for BSD make compatibility.

9 November 2011: Wouter
	- added unit test for SSL service and SSL-upstream.

8 November 2011: Wouter
	- can configure ssl service to one port number, and not on others.
	- fixup windows compile with ssl support.
	- Fix double free in unbound-host, reported by Steve Grubb.
	- iana portlist updated.

1 November 2011: Wouter
	- dns over ssl support as a client, ssl-upstream yes turns it on.
	  It performs an SSL transaction for every DNS query (250 msec).
	- documentation for new options: ssl-upstream, ssl-service-key and
	  ssl-service.pem.
	- iana portlist updated.
	- fix -flto detection on Lion for llvm-gcc.

31 October 2011: Wouter
	- dns over ssl support, ssl-service-pem and ssl-service-key files
	  can be given and then TCP queries are serviced wrapped in SSL.

27 October 2011: Wouter
	- lame-ttl and lame-size options no longer exist, it is integrated
	  with the host info.  They are ignored (with verbose warning) if
	  encountered to keep the config file backwards compatible.
	- fix iana-update for changing gzip compression of results.
	- fix export-all-symbols on OSX.

26 October 2011: Wouter
	- iana portlist updated.
	- Infra cache stores information about ping and lameness per IP, zone.
	  This fixes bug #416.
	- fix iana_update target for gzipped file on iana site.

24 October 2011: Wouter
	- Fix resolve of partners.extranet.microsoft.com with a fix for the
	  server selection for choosing out of a (particular) list of bad
	  choices. (bug#415)
	- Fix make_new_space function so that the incoming query is not
	  overwritten if a jostled out query causes a waiting query to be
	  resumed that then fails and sends an error message.  (Thanks to
	  Matthew Lee).

21 October 2011: Wouter
	- fix --enable-allsymbols, fptr wlist is disabled on windows with this 
	  option enabled because of memory layout exe vs dll.

19 October 2011: Wouter
	- fix unbound-anchor for broken strptime on OSX lion, detected
	  in configure.
	- Detect if GOST really works, openssl1.0 on OSX fails.
	- Implement ipv6%interface notation for scope_id usage.

17 October 2011: Wouter
	- better documentation for inform_super (Thanks Yang Zhe).

14 October 2011: Wouter
	- Fix for out-of-memory condition in libunbound (thanks
	  Robert Fleischman).

13 October 2011: Wouter
	- Fix --enable-allsymbols, it depended on link specifics of the
	  target platform, or fptr_wlist assertion failures could occur.

12 October 2011: Wouter
	- updated contrib/unbound_munin_ to family=auto so that it works with
	  munin-node-configure automatically (if installed as
	  /usr/local/share/munin/plugins/unbound_munin_ ).

27 September 2011: Wouter
	- unbound.exe -w windows option for start and stop service.

23 September 2011: Wouter
	- TCP-upstream calculates tcp-ping so server selection works if there
	  are alternatives.

20 September 2011: Wouter
	- Fix classification of NS set in answer section, where there is a
	  parent-child server, and the answer has the AA flag for dir.slb.com.
	  Thanks to Amanda Constant from Secure64.

16 September 2011: Wouter
	- fix bug #408: accept patch from Steve Snyder that comments out
	  unused functions in lookup3.c.
	- iana portlist updated.
	- fix EDNS1480 change memleak and TCP fallback.
	- fix various compiler warnings (reported by Paul Wouters).
	- max sent count.  EDNS1480 only for rtt < 5000.  No promiscuous
	  fetch if sentcount > 3, stop query if sentcount > 16.  Count is
	  reset when referral or CNAME happens.  This makes unbound better
	  at managing large NS sets, they are explored when there is continued
	  interest (in the form of queries).

15 September 2011: Wouter
	- release 1.4.13.
	- trunk contains 1.4.14 in development.
	- Unbound probes at EDNS1480 if there an EDNS0 timeout.

12 September 2011: Wouter
	- Reverted dns EDNS backoff fix, it did not help and needs
	  fragmentation fixes instead.
	- tag 1.4.13rc2

7 September 2011: Wouter
	- Fix operation in ipv6 only (do-ip4: no) mode.

6 September 2011: Wouter
	- fedora specfile updated.

5 September 2011: Wouter
	- tag 1.4.13rc1

2 September 2011: Wouter
	- iana portlist updated.

26 August 2011: Wouter
	- Fix num-threads 0 does not segfault, reported by Simon Deziel.
	- Fix validation failures due to EDNS backoff retries, the retry
	  for fetch of data has want_dnssec because the iter_indicate_dnssec
	  function returns true when validation failure retry happens, and
	  then the serviced query code does not fallback to noEDNS, even if
	  the cache says it has this.  This helps for DLV deployment when
	  the DNSSEC status is not known for sure before the lookup concludes.

24 August 2011: Wouter
	- Applied patch from Karel Slany that fixes a memory leak in the
	  unbound python module, in string conversions.

22 August 2011: Wouter
	- Fix validation of qtype ANY responses with CNAMEs (thanks Cathy
	  Zhang and Luo Ce).  Unbound responds with the RR types that are
	  available at the name for qtype ANY and validates those RR types.
	  It does not test for completeness (i.e. with NSEC or NSEC3 query),
	  and it does not follow the CNAME or DNAME to another name (with
	  even more data for the already large response).
	- Fix that internally, CNAMEs with NXDOMAIN have that as rcode.
	- Documented the options that work with control set_option command.
	- tcp-upstream yes/no option (works with set_option) for tunnels.

18 August 2011: Wouter
	- fix autoconf call in makedist crosscompile to RC or snapshot.

17 August 2011: Wouter
	- Fix validation of . DS query.
	- new xml format at IANA, new awk for iana_update.
	- iana portlist updated.

10 August 2011: Wouter
	- Fix python site-packages path to /usr/lib64.
	- updated patch from Tom.
	- fix memory and fd leak after out-of-memory condition.

9 August 2011: Wouter
	- patch from Tom Hendrikx fixes load of python modules.

8 August 2011: Wouter
	- make clean had ldns-src reference, removed.

1 August 2011: Wouter
	- Fix autoconf 2.68 warnings

14 July 2011: Wouter
	- Unbound implements RFC6303 (since version 1.4.7).
	- tag 1.4.12rc1 is released as 1.4.12 (without the other fixes in the
	  meantime, those are for 1.4.13).
	- iana portlist updated.

13 July 2011: Wouter
	- Quick fix for contrib/unbound.spec example, no ldns-builtin any more.

11 July 2011: Wouter
	- Fix wildcard expansion no-data reply under an optout NSEC3 zone is
	  validated as insecure, reported by Jia Li (lijia@cnnic.cn).

4 July 2011: Wouter
	- 1.4.12rc1 tag created.

1 July 2011: Wouter
	- version number in example config file.
	- fix that --enable-static-exe does not complain about it unknown.

30 June 2011: Wouter
	- tag relase 1.4.11, trunk is 1.4.12 development.
	- iana portlist updated.
	- fix bug#395: id bits of other query may leak out under conditions
	- fix replyaddr count wrong after jostled queries, which leads to
	  eventual starvation where the daemon has no replyaddrs left to use.
	- fix comment about rndc port, that referred to the old port number.
	- fix that the listening socket is not closed when too many remote
	  control connections are made at the same time.
	- removed ldns-src tarball inside the unbound tarball.

23 June 2011: Wouter
	- Changed -flto check to support clang compiler.
	- tag 1.4.11rc3 created.

17 June 2011: Wouter
	- tag 1.4.11rc1 created.
	- remove warning about signed/unsigned from flex (other flex version).
	- updated aclocal.m4 and libtool to match.
	- tag 1.4.11rc2 created.

16 June 2011: Wouter
	- log-queries: yesno option, default is no, prints querylog.
	- version is 1.4.11.

14 June 2011: Wouter
	- Use -flto compiler flag for link time optimization, if supported.
	- iana portlist updated.

12 June 2011: Wouter
	- IPv6 service address for d.root-servers.net (2001:500:2D::D).

10 June 2011: Wouter
	- unbound-control has version number in the header,
	  UBCT[version]_space_ is the header sent by the client now.
	- Unbound control port number is registered with IANA:
	  ub-dns-control  8953/tcp    unbound dns nameserver control
	  This is the new default for the control-port config setting.
	- statistics-interval prints the number of jostled queries to log.

30 May 2011: Wouter
	- Fix Makefile for U in environment, since wrong U is more common than
	  deansification necessity.
	- iana portlist updated.
	- updated ldns tarball to 1.6.10rc2 snapshot of today.

25 May 2011: Wouter
	- Fix assertion failure when unbound generates an empty error reply
	  in response to a query, CVE-2011-1922 VU#531342.
	- This fix is in tag 1.4.10.
	- defense in depth against the above bug, an error is printed to log
	  instead of an assertion failure.

10 May 2011: Wouter
	- bug#386: --enable-allsymbols option links all binaries to libunbound
	  and reduces install size significantly.
	- feature, ignore-cd-flag: yesno to provide dnssec to legacy servers.
	- iana portlist updated.
	- Fix TTL of SOA so negative TTL is separately cached from normal TTL.

14 April 2011: Wouter
	- configure created with newer autoconf 2.66.

12 April 2011: Wouter
	- bug#378: Fix that configure checks for ldns_get_random presence.

8 April 2011: Wouter
	- iana portlist updated.
	- queries with CD flag set cause DNSSEC validation, but the answer is
	  not withheld if it is bogus.  Thus, unbound will retry if it is bad
	  and curb the TTL if it is bad, thus protecting the cache for use by
	  downstream validators.
	- val-override-date: -1 ignores dates entirely, for NTP usage.

29 March 2011: Wouter
	- harden-below-nxdomain: changed so that it activates when the
	  cached nxdomain is dnssec secure.  This avoids backwards
	  incompatibility because those old servers do not have dnssec.

24 March 2011: Wouter
	- iana portlist updated.
	- release 1.4.9.
	- trunk is 1.5.0

17 March 2011: Wouter
	- bug#370: new unbound.spec for CentOS 5.x from Harold Jones.
	  Applied but did not do the --disable-gost.

10 March 2011: Wouter
	- tag 1.4.9 release candidate 1 created.

3 March 2011: Wouter
	- updated ldns to today.

1 March 2011: Wouter
	- Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout.
	- give config parse error for multiple names on a stub or forward zone.
	- updated ldns tarball to 1.6.9(todays snapshot).

24 February 2011: Wouter
	- bug #361: Fix, time.elapsed variable not reset with stats_noreset.

23 February 2011: Wouter
	- iana portlist updated.
	- common.sh to version 3.

18 February 2011: Wouter
	- common.sh in testdata updated to version 2.

15 February 2011: Wouter
	- Added explicit note on unbound-anchor usage:
	  Please note usage of unbound-anchor root anchor is at your own risk
	  and under the terms of our LICENSE (see that file in the source).

11 February 2011: Wouter
	- iana portlist updated.
	- tpkg updated with common.sh for common functionality.

7 February 2011: Wouter
	- Added regression test for addition of a .net DS to the root, and
	  cache effects with different TTL for glue and DNSKEY.
	- iana portlist updated.

28 January 2011: Wouter
	- Fix remove private address does not throw away entire response.

24 January 2011: Wouter
	- release 1.4.8

19 January 2011: Wouter
	- fix bug#349: no -L/usr for ldns.

18 January 2011: Wouter
	- ldns 1.6.8 tarball included.
	- release 1.4.8rc1.

17 January 2011: Wouter
	- add get and set option for harden-below-nxdomain feature.
	- iana portlist updated.

14 January 2011: Wouter
	- Fix so a changed NS RRset does not get moved name stuck on old
	  server, for type NS the TTL is not increased.

13 January 2011: Wouter
	- Fix prefetch so it does not get stuck on old server for moved names.

12 January 2011: Wouter
	- iana portlist updated.

11 January 2011: Wouter
	- Fix insecure CNAME sequence marked as secure, reported by Bert
	  Hubert.

10 January 2011: Wouter
	- faster lruhash get_mem routine.

4 January 2011: Wouter
	- bug#346: remove ITAR scripts from contrib, the service is discontinued, use the root.
	- iana portlist updated.

23 December 2010: Wouter
	- Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.

21 December 2010: Wouter
	- algorithm compromise protection using the algorithms signalled in
	  the DS record.  Also, trust anchors, DLV, and RFC5011 receive this,
	  and thus, if you have multiple algorithms in your trust-anchor-file
	  then it will now behave different than before.  Also, 5011 rollover
	  for algorithms needs to be double-signature until the old algorithm
	  is revoked.
	  It is not an option, because I see no use to turn the security off.
	- iana portlist updated.

17 December 2010: Wouter
	- squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them).
	- fix validation in this case: CNAME to nodata for co-hosted opt-in
	  NSEC3 insecure delegation, was bogus, fixed to be insecure.

16 December 2010: Wouter
	- Fix our 'BDS' license (typo reported by Xavier Belanger).

10 December 2010: Wouter
	- iana portlist updated.
	- review changes for unbound-anchor.

2 December 2010: Wouter
	- feature typetransparent localzone, does not block other RR types.

1 December 2010: Wouter
	- Fix bug#338: print address when socket creation fails.

30 November 2010: Wouter
	- Fix storage of EDNS failures in the infra cache.
	- iana portlist updated.

18 November 2010: Wouter
	- harden-below-nxdomain option, default off (because very old
	  software may be incompatible).  We could enable it by default in
	  the future.

17 November 2010: Wouter
	- implement draft-vixie-dnsext-resimprove-00, we stop on NXDOMAIN.
	- make test output nicer.

15 November 2010: Wouter
	- silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
	- iana portlist updated.
	- so-sndbuf option for very busy servers, a bit like so-rcvbuf.

9 November 2010: Wouter
	- unbound-anchor compiles with openssl 0.9.7.

8 November 2010: Wouter
	- release tag 1.4.7.
	- trunk is version 1.4.8.
	- Be lenient and accept imgw.pl malformed packet (like BIND).

5 November 2010: Wouter
	- do not synthesize a CNAME message from cache for qtype DS.

4 November 2010: Wouter
	- Use central entropy to seed threads.

3 November 2010: Wouter
	- Change the rtt used to probe EDNS-timeout hosts to 1000 msec.

2 November 2010: Wouter
	- tag 1.4.7rc1.
	- code review.

1 November 2010: Wouter
	- GOST code enabled by default (RFC 5933).

27 October 2010: Wouter
	- Fix uninit value in dump_infra print.
	- Fix validation failure for parent and child on same server with an
	  insecure childzone and a CNAME from parent to child.
	- Configure detects libev-4.00.

26 October 2010: Wouter
	- dump_infra and flush_infra commands for unbound-control.
	- no timeout backoff if meanwhile a query succeeded.
	- Change of timeout code.  No more lost and backoff in blockage.
	  At 12sec timeout (and at least 2x lost before) one probe per IP
	  is allowed only.  At 120sec, the IP is blocked.  After 15min, a
	  120sec entry has a single retry packet.

25 October 2010: Wouter
	- Configure errors if ldns is not found.

22 October 2010: Wouter
	- Windows 7 fix for the installer.

21 October 2010: Wouter
	- Fix bug where fallback_tcp causes wrong roundtrip and edns
	  observation to be noted in cache.  Fix bug where EDNSprobe halted
	  exponential backoff if EDNS status unknown.
	- new unresponsive host method, exponentially increasing block backoff.
	- iana portlist updated.

20 October 2010: Wouter
	- interface automatic works for some people with ip6 disabled.
	  Therefore the error check is removed, so they can use the option.

19 October 2010: Wouter
	- Fix for request list growth, if a server has long timeout but the
	  lost counter is low, then its effective rtt is the one without
	  exponential backoff applied.  Because the backoff is not working.
	  The lost counter can then increase and the server is blacklisted,
	  or the lost counter does not increase and the server is working
	  for some queries.

18 October 2010: Wouter
	- iana portlist updated.

13 October 2010: Wouter
	- Fix TCP so it uses a random outgoing-interface.
	- unbound-anchor handles ADDPEND keystate.

11 October 2010: Wouter
	- Fix bug when DLV below a trust-anchor that uses NSEC3 optout where
	  the zone has a secure delegation hosted on the same server did not
	  verify as secure (it was insecure by mistake).
	- iana portlist updated.
	- ldns tarball updated (for reading cachedumps with bad RR data).

1 October 2010: Wouter
	- test for unbound-anchor. fix for reading certs.
	- Fix alloc_reg_release for longer uptime in out of memory conditions.

28 September 2010: Wouter
	- unbound-anchor working, it creates or updates a root.key file.
	  Use it before you start the validator (e.g. at system boot time).

27 September 2010: Wouter
	- iana portlist updated.

24 September 2010: Wouter
	- bug#329: in example.conf show correct ipv4 link-local 169.254/16.

23 September 2010: Wouter
	- unbound-anchor app, unbound requires libexpat (xml parser library).

22 September 2010: Wouter
	- compliance with draft-ietf-dnsop-default-local-zones-14, removed
	  reverse ipv6 orchid prefix from builtin list.
	- iana portlist updated.

17 September 2010: Wouter
	- DLV has downgrade protection again, because the RFC says so.
	- iana portlist updated.

16 September 2010: Wouter
	- Algorithm rollover operational reality intrudes, for trust-anchor,
	  5011-store, and DLV-anchor if one key matches it's good enough.
	- iana portlist updated.
	- Fix reported validation error in out of memory condition.

15 September 2010: Wouter
	- Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.

14 September 2010: Wouter
	- increased mesh-max-activation from 1000 to 3000 for crazy domains
	  like _tcp.slb.com with 262 servers.
	- iana portlist updated.

13 September 2010: Wouter
	- bug#327: Fix for cannot access stub zones until the root is primed.

9 September 2010: Wouter
	- unresponsive servers are not completely blacklisted (because of
	  firewalls), but also not probed all the time (because of the request
	  list size it generates).  The probe rate is 1%.
	- iana portlist updated.

20 August 2010: Wouter
	- openbsd-lint fixes: acl_list_get_mem used if debug-alloc enabled.
	  iterator get_mem includes priv_get_mem.  delegpt nodup removed.
	  listen_pushback, query_info_allocqname, write_socket, send_packet,
	  comm_point_set_cb_arg and listen_resume removed.

19 August 2010: Wouter
	- Fix bug#321: resolution of rs.ripe.net artifacts with 0x20.
	  Delegpt structures checked for duplicates always.
	  No more nameserver lookups generated when depth is full anyway.
	- example.conf notes how to do DNSSEC validation and track the root.
	- iana portlist updated.

18 August 2010: Wouter
	- Fix bug#322: configure does not respect CFLAGS on Solaris.
	  Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line
	  if use sun-cc, but some systems need different flags.

16 August 2010: Wouter
	- Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP
	  changes, uses m4_bpatsubst now.
	- make test (or make check) should be more portable and run the unit 
	  test and testbound scripts. (make longtest has special requirements).

13 August 2010: Wouter
	- More pleasant remote control command parsing.
	- documentation added for return values reported by doxygen 1.7.1.
	- iana portlist updated.

9 August 2010: Wouter
	- Fix name of rrset printed that failed validation.

5 August 2010: Wouter
	- Return NXDOMAIN after chain of CNAMEs ends at name-not-found.

4 August 2010: Wouter
	- Fix validation in case a trust anchor enters into a zone with
	  unsupported algorithms.

3 August 2010: Wouter
	- updated ldns tarball with bugfixes.
	- release tag 1.4.6.
	- trunk becomes 1.4.7 develop.
	- iana portlist updated.

22 July 2010: Wouter
	- more error details on failed remote control connection.

15 July 2010: Wouter
	- rlimit adjustments for select and ulimit can happen at the same time.

14 July 2010: Wouter
	- Donation text added to README.
	- Fix integer underflow in prefetch ttl creation from cache.  This
	  fixes a potential negative prefetch ttl.

12 July 2010: Wouter
	- Changed the defaults for num-queries-per-thread/outgoing-range.
	  For builtin-select: 512/960, for libevent 1024/4096 and for
	  windows 24/48 (because of win api).  This makes the ratio this way
	  to improve resilience under heavy load.  For high performance, use
	  libevent and possibly higher numbers.

10 July 2010: Wouter
	- GOST enabled if SSL is recent and ldns has GOST enabled too.
	- ldns tarball updated.

9 July 2010: Wouter
	- iana portlist updated.
	- Fix validation of qtype DNSKEY when a key-cache entry exists but
	  no rr-cache entry is used (it expired or prefetch), it then goes
	  back up to the DS or trust-anchor to validate the DNSKEY.

7 July 2010: Wouter
	- Neat function prototypes, unshadowed local declarations.

6 July 2010: Wouter
	- failure to chown the pidfile is not fatal any more.
	- testbound uses UTC timezone.
	- ldns tarball updated (ports and works on Minix 3.1.7).  On Minix, add
	  /usr/gnu/bin to PATH, use ./configure AR=/usr/gnu/bin/gar and gmake.

5 July 2010: Wouter
	- log if a server is skipped because it is on the donotquery list,
	  at verbosity 4, to enable diagnosis why no queries to 127.0.0.1.
	- added feature to print configure date, target and options with -h.
	- added feature to print event backend system details with -h.
	- wdiff is not actually required by make test, updated requirements.

1 July 2010: Wouter
	- Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex
	  must be signed with all algorithms from the DS rrset at the parent.
	  This is now checked and becomes bogus if not.

28 June 2010: Wouter
	- Fix jostle list bug found by Vince (luoce@cnnic), it caused the qps
	  in overload situations to be about 5 qps for the class of shortly
	  serviced queries.
	  The capacity of the resolver is then about (numqueriesperthread / 2)
	  / (average time for such long queries) qps for long queries.
	  And about (numqueriesperthread / 2)/(jostletimeout in whole seconds)
	  qps for short queries, per thread.
	- Fix the max number of reply-address count to be applied for duplicate
	  queries, and not for new query list entries.  This raises the memory
	  usage to a max of (16+1)*numqueriesperthread reply addresses.

25 June 2010: Wouter
	- Fix handling of corner case reply from lame server, follows rfc2308.
	  It could lead to a nodata reply getting into the cache if the search
	  for a non-lame server turned up other misconfigured servers.
	- unbound.h has extern "C" statement for easier include in c++.

23 June 2010: Wouter
	- iana portlist updated.
	- makedist upgraded cross compile openssl option, like this: 
	  ./makedist.sh -s -wssl openssl-1.0.0a.tar.gz -w --enable-gost

22 June 2010: Wouter
	- Unbound reports libev or libevent correctly in logs in verbose mode.
	- Fix to unload gost dynamic library module for leak testing.

18 June 2010: Wouter
	- iana portlist updated.

17 June 2010: Wouter
	- Add AAAA to root hints for I.ROOT-SERVERS.NET.

16 June 2010: Wouter
	- Fix assertion failure reported by Kai Storbeck from XS4ALL, the
	  assertion was wrong.
	- updated ldns tarball.

15 June 2010: Wouter
	- tag 1.4.5 created.
	- trunk contains 1.4.6 in development.
	- Fix TCPreply on systems with no writev, if just 1 byte could be sent.
	- Fix to use one pointer less for iterator query state store_parent_NS.
	- makedist crosscompile to windows uses builtin ldns not host ldns.
	- Max referral count from 30 to 130, because 128 one character domains
	  is valid DNS.
	- added documentation for the histogram printout to syslog.

11 June 2010: Wouter
	- When retry to parent the retrycount is not wiped, so failed 
	  nameservers are not tried again.
	- iana portlist updated.

10 June 2010: Wouter
	- Fix bug where a long loop could be entered, now cycle detection
	  has a loop-counter and maximum search amount.

4 June 2010: Wouter
	- iana portlist updated.
	- 1.4.5rc1 tag created.

3 June 2010: Wouter
	- ldns tarball updated, 1.6.5.
	- review comments, split dependency cycle tracking for parentside
	  last resort lookups for A and AAAA so there are more lookup options.

2 June 2010: Wouter
	- Fix compile warning if compiled without threads.
	- updated ldns-tarball with current ldns svn (pre 1.6.5).
	- GOST disabled-by-default, the algorithm number is allocated but the
	  RFC is still has to pass AUTH48 at the IETF.

1 June 2010: Wouter
	- Ignore Z flag in incoming messages too.
	- Fix storage of negative parent glue if that last resort fails.
	- libtoolize 2.2.6b, autoconf 2.65 applied to configure.
	- new splint flags for newer splint install.

31 May 2010: Wouter
	- Fix AD flag handling, it could in some cases mistakenly copy the AD 
	  flag from upstream servers.
	- alloc_special_obtain out of memory is not a fatal error any more,
	  enabling unbound to continue longer in out of memory conditions.
	- parentside names are dispreferred but not said to be dnssec-lame.
	- parentside check for cached newname glue.
	- fix parentside and querytargets modulestate, for dump_requestlist.
	- unbound-control-setup makes keys -rw-r--- so not all users permitted.
	- fix parentside from cache to be marked dispreferred for bad names.

28 May 2010: Wouter
	- iana portlist updated.
	- parent-child disagreement approach altered.  Older fixes are
	  removed in place of a more exhaustive search for misconfigured data
	  available via the parent of a delegation.
	  This is designed to be throttled by cache entries, with TTL from the
	  parent if possible.  Additionally the loop-counter is used.
	  It also tests for NS RRset differences between parent and child.
	  The fetch of misconfigured data should be more reliable and thorough.
	  It should work reliably even with no or only partial data in cache.
	  Data received from the child (as always) is deemed more
	  authoritative than information received from the delegation parent.
	  The search for misconfigured data is not performed normally.

26 May 2010: Wouter
	- Contribution from Migiel de Vos (Surfnet): nagios patch for
	  unbound-host, in contrib/ (in the source tarball).  Makes
	  unbound-host suitable for monitoring dnssec(-chain) status.

21 May 2010: Wouter
	- EDNS timeout code will not fire if EDNS status already known.
	- EDNS failure not stored if EDNS status known to work.

19 May 2010: Wouter
	- Fix resolution for domains like safesvc.com.cn.  If the iterator
	  can not recurse further and it finds the delegation in a state
	  where it would otherwise have rejected it outhand if so received
	  from a cache lookup, then it can try to ask higherup (with loop
	  protection).
	- Fix comments in iter_utils:dp_is_useless.

18 May 2010: Wouter
	- Fix various compiler warnings from the clang llvm compiler.
	- iana portlist updated.

6 May 2010: Wouter
	- Fix bug#308: spelling error in variable name in parser and lexer.

4 May 2010: Wouter
	- Fix dnssec-missing detection that was turned off by server selection.
	- Conforms to draft-ietf-dnsop-default-local-zones-13.  Added default
	  reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
	  113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.

29 April 2010: Wouter
	- Fix for dnssec lameness detection to use the key cache.
	- infra cache entries that are expired are wiped clean.  Previously
	  it was possible to not expire host data (if accessed often).

28 April 2010: Wouter
	- ldns tarball updated and GOST support is detected and then enabled. 
	- iana portlist updated.
	- Fix detection of gost support in ldns (reported by Chris Smith).

27 April 2010: Wouter
	- unbound-control get_option domain-insecure shows config file items.
	- fix retry sequence if prime hints are recursion-lame.
	- autotrust anchor file can be initialized with a ZSK key as well.
	- harden-referral-path does not result in failures due to max-depth.
	  You can increase the max-depth by adding numbers (' 0') after the
	  target-fetch-policy, this increases the depth to which is checked.

26 April 2010: Wouter
	- Compile fix using Sun Studio 12 compiler on Solaris 5.9, use
	  CPPFLAGS during configure process.
	- if libev is installed on the base system (not libevent), detect
	  it from the event.h header file and link with -lev.
	- configlexer.lex gets config.h, and configyyrename.h added by make,
	  no more double include.
	- More strict scrubber (Thanks to George Barwood for the idea):
	  NS set must be pertinent to the query (qname subdomain nsname).
	- Fix bug#307: In 0x20 backoff fix fallback so the number of 
	  outstanding queries does not become -1 and block the request.
	  Fixed handling of recursion-lame in combination with 0x20 fallback.
	  Fix so RRsets are compared canonicalized and sorted if the immediate
	  comparison fails, this makes it work around round-robin sites.

23 April 2010: Wouter
	- Squelch log message: sendto failed permission denied for
	  255.255.255.255, it is visible in VERB_DETAIL (verbosity 2).
	- Fix to fetch data as last resort more tenaciously.  When cycle
	  targets cause the server selection to believe there are more options
	  when they really are not there, the server selection is reinitiated.
	- Fix fetch from blacklisted dnssec lame servers as last resort.  The
	  server's IP address is then given in validator errors as well.
	- Fix local-zone type redirect that did not use the query name for
	  the answer rrset.

22 April 2010: Wouter
	- tag 1.4.4.
	- trunk contains 1.4.5 in development.
	- Fix validation failure for qtype ANY caused by a RRSIG parse failure.
	  The validator error message was 'no signatures from ...'.

16 April 2010: Wouter
	- more portability defines for CMSG_SPACE, CMSG_ALIGN, CMSG_LEN.
	- tag 1.4.4rc1.

15 April 2010: Wouter
	- ECC-GOST algorithm number 12 that is assigned by IANA.  New test
	  example key and signatures for GOST.  GOST requires openssl-1.0.0.
	  GOST is still disabled by default.

9 April 2010: Wouter
	- Fix bug#305: pkt_dname_tolower could read beyond end of buffer or
	  get into an endless loop, if 0x20 was enabled, and buffers are small
	  or particular broken packets are received.
	- Fix chain of trust with CNAME at an intermediate step, for the DS
	  processing proof.

8 April 2010: Wouter
	- Fix validation of queries with wildcard names (*.example).

6 April 2010: Wouter
	- Fix EDNS probe for .de DNSSEC testbed failure, where the infra
	  cache timeout coincided with a server update, the current EDNS 
	  backoff is less sensitive, and does not cache the backoff unless 
	  the backoff actually works and the domain is not expecting DNSSEC.
	- GOST support with correct algorithm numbers.

1 April 2010: Wouter
	- iana portlist updated.

24 March 2010: Wouter
	- unbound control flushed items are not counted when flushed again.

23 March 2010: Wouter
	- iana portlist updated.

22 March 2010: Wouter
	- unbound-host disables use-syslog from config file so that the
	  config file for the main server can be used more easily.
	- fix bug#301: unbound-checkconf could not parse interface
	  '0.0.0.0@5353', even though unbound itself worked fine.

19 March 2010: Wouter
	- fix fwd_ancil test to pass if the socket options are not supported.

18 March 2010: Wouter
	- Fixed random numbers for port, interface and server selection.
	  Removed very small bias.
	- Refer to the listing in unbound-control man page in the extended
	  statistics entry in the unbound.conf man page.

16 March 2010: Wouter
	- Fix interface-automatic for OpenBSD: msg.controllen was too small,
	  also assertions on ancillary data buffer.
	- check for IP_SENDSRCADDR for interface-automatic or IP_PKTINFO.
	- for NSEC3 check if signatures are cached.

15 March 2010: Wouter
	- unit test for util/regional.c.

12 March 2010: Wouter
	- Reordered configure checks so fork and -lnsl -lsocket checks are
	  earlier, and thus later checks benefit from and do not hinder them.
	- iana portlist updated.
	- ldns tarball updated.
	- Fix python use when multithreaded.
	- Fix solaris python compile.
	- Include less in config.h and include per code file for ldns, ssl.

11 March 2010: Wouter
	- another memory allocation option: --enable-alloc-nonregional.
	  exposes the regional allocations to other memory purifiers.
	- fix for memory alignment in struct sock_list allocation.
	- Fix for MacPorts ldns without ssl default, unbound checks if ldns
	  has dnssec functionality and uses the builtin if not.
	- Fix daemonize on Solaris 10, it did not detach from terminal.
	- tag 1.4.3 created.
	- trunk is 1.4.4 in development.
	- spelling fix in validation error involving cnames.

10 March 2010: Wouter
	- --enable-alloc-lite works with test set.
	- portability in the testset: printf format conversions, prototypes.

9 March 2010: Wouter
	- tag 1.4.2 created.
	- trunk is 1.4.3 in development.
	- --enable-alloc-lite debug option.

8 March 2010: Wouter
	- iana portlist updated.

4 March 2010: Wouter
	- Fix crash in control channel code.

3 March 2010: Wouter
	- better casts in pipe code, brackets placed wrongly.
	- iana portlist updated.

1 March 2010: Wouter
	- make install depends on make all.
	- Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs.
	- --enable-checking: enables assertions but does not look nonproduction.
	- nicer VERB_DETAIL (verbosity 2, unbound-host -d) output, with
	  nxdomain and nodata distinguished.
	- ldns tarball updated.
	- --disable-rpath fixed for libtool not found errors.
	- new fedora specfile from Fedora13 in contrib from Paul Wouters.

26 February 2010: Wouter
	- Fixup prototype for lexer cleanup in daemon code.
	- unbound-control list_stubs, list_forwards, list_local_zones and
	  list_local_data.

24 February 2010: Wouter
	- Fix scrubber bug that potentially let NS records through.  Reported
	  by Amanda Constant.
	- Also delete potential poison references from additional.
	- Fix: no classification of a forwarder as lame, throw away instead.

23 February 2010: Wouter
	- libunbound ub_ctx_get_option() added.
	- unbound-control set_option and get_option commands.
	- iana portlist updated.

18 February 2010: Wouter
	- A little more strict DS scrubbing.
	- No more blacklisting of unresponsive servers, a 2 minute timeout
	  is backed off to.
	- RD flag not enabled for dnssec-blacklisted tries, unless necessary.
	- pickup ldns compile fix, libdl for libcrypto.
	- log 'tcp connect: connection timed out' only in high verbosity.
	- unbound-control log_reopen command.
	- moved get_option code from unbound-checkconf to util/config_file.c

17 February 2010: Wouter
	- Disregard DNSKEY from authority section for chain of trust.
	  DS records that are irrelevant to a referral scrubbed.  Anti-poison.
	- iana portlist updated.

16 February 2010: Wouter
	- Check for 'no space left on device' (or other errors) when 
	  writing updated autotrust anchors and print errno to log.

15 February 2010: Wouter
	- Fixed the requery protection, the TTL was 0, it is now 900 seconds,
	  hardcoded.  We made the choice to send out more conservatively,
	  protecting against an aggregate effect more than protecting a
	  single user (from their own folly, perhaps in case of misconfig).

12 February 2010: Wouter
	- Re-query pattern changed on validation failure.  To protect troubled
	  authority servers, unbound caches a failure for the DNSKEY or DS
	  records for the entire zone, and only retries that 900 seconds later.
	  This implies that only a handful of packets are sent extra to the
	  authority if the zone fails.

11 February 2010: Wouter
	- ldns tarball update for long label length syntax error fix.
	- iana portlist updated.

9 February 2010: Wouter
	- Fixup in compat snprintf routine, %f 1.02 and %g support.
	- include math.h for testbound test compile portability.

2 February 2010: Wouter
	- Updated url of IANA itar, interim trust anchor repository, in script.

1 February 2010: Wouter
	- iana portlist updated.
	- configure test for memcmp portability.

27 January 2010: Wouter
	- removed warning on format string in validator error log statement.
	- iana portlist updated.

22 January 2010: Wouter
	- libtool finish the install of unbound python dynamic library.

21 January 2010: Wouter
	- acx_nlnetlabs.m4 synchronised with nsd's version.

20 January 2010: Wouter
	- Fixup lookup trouble for parent-child domains on the first query.

14 January 2010: Wouter
	- Fixup ldns detection to also check for header files.

13 January 2010: Wouter
	- prefetch-key option that performs DNSKEY queries earlier in the
	  validation process, and that could halve the latency on DNSSEC
	  queries.  It takes some extra processing (CPU, a cache is needed).

12 January 2010: Wouter
	- Fix unbound-checkconf for auto-trust-anchor-file present checks.

8 January 2010: Wouter
	- Fix for parent-child disagreement code which could have trouble
	  when (a) ipv6 was disabled and (b) the TTL for parent and child
	  were different.  There were two bugs, the parent-side information
	  is fixed to no longer block lookup of child side information and
	  the iterator is fixed to no longer attempt to get ipv6 when it is
	  not enabled and then give up in failure.
	- test and fixes to make prefetch actually store the answer in the
	  cache.  Considers some rrsets 'already expired' but does not allow
	  overwriting of rrsets considered more secure.

7 January 2010: Wouter
	- Fixup python documentation (thanks Leo Vandewoestijne).
	- Work on cache prefetch feature.
	- Stats for prefetch, in log print stats, unbound-control stats
	  and in unbound_munin plugin.

6 January 2010: Wouter
	- iana portlist updated.
	- bug#291: DNS wireformat max is 255. dname_valid allowed 256 length.
	- verbose output includes parent-side-address notion for lameness.
	- documented val-log-level: 2 setting in example.conf and man page.
	- change unbound-control-setup from 1024(sha1) to 1536(sha256).

1 January 2010: Wouter
	- iana portlist updated.

22 December 2009: Wouter
	- configure with newer libtool 2.2.6b.

17 December 2009: Wouter
	- review comments.
	- tag 1.4.1.
	- trunk to version 1.4.2.
	
15 December 2009: Wouter
	- Answer to qclass=ANY queries, with class IN contents.
	  Test that validation also works.
	- updated ldns snapshot tarball with latest fixes (parsing records).

11 December 2009: Wouter
	- on IPv4 UDP turn off DF flag.

10 December 2009: Wouter
	- requirements.txt updated with design choice explanations.
	- Reading fixes: fix to set unlame when child confirms parent glue,
	  and fix to avoid duplicate addresses in delegation point.
	- verify_rrsig routine checks expiration last.

9 December 2009: Wouter
	- Fix Bug#287(reopened): update of ldns tarball with fix for parse
	  errors generated for domain names like '.example.com'.
	- Fix SOA excluded from negative DS responses.  Reported by Hauke
	  Lampe.  The negative cache did not include proper SOA records for
	  negative qtype DS responses which makes BIND barf on it, such
	  responses are now only used internally.
	- Fix negative cache lookup of closestencloser check of DS type bit.

8 December 2009: Wouter
	- Fix for lookup of parent-child disagreement domains, where the
	  parent-side glue works but it does not provide proper NS, A or AAAA
	  for itself, fixing domains such as motorcaravanners.eu.
	- Feature: you can specify a port number in the interface: line, so
	  you can bind the same interface multiple times at different ports.

7 December 2009: Wouter
	- Bug#287: Fix segfault when unbound-control remove nonexistent local
	  data.  Added check to tests.

1 December 2009: Wouter
	- Fix crash with module-config "iterator".
	- Added unit test that has "iterator" module-config.

30 November 2009: Wouter
	- bug#284: fix parse of # without end-of-line at end-of-file.

26 November 2009: Wouter
	- updated ldns with release candidate for version 1.6.3.
	- tag for 1.4.0 release.
	- 1.4.1 version in trunk.
	- Fixup major libtool version to 2 because of why_bogus change.
	  It was 1:5:0 but should have been 2:0:0.

23 November 2009: Wouter
	- Patch from David Hubbard for libunbound manual page.
	- Fixup endless spinning in unbound-control stats reported by
	  Attila Nagy.  Probably caused by clock reversal.

20 November 2009: Wouter
	- contrib/split-itar.sh contributed by Tom Hendrikx.

19 November 2009: Wouter
	- better argument help for unbound-control.
	- iana portlist updated.

17 November 2009: Wouter
	- noted multiple entries for multiple domain names in example.conf.
	- iana portlist updated.

16 November 2009: Wouter
	- Fixed signer detection of CNAME responses without signatures.
	- Fix#282 libunbound memleak on error condition by Eric Sesterhenn.
	- Tests for CNAMEs to deeper trust anchors, secure and bogus.
	- svn tag 1.4.0rc1 made.

13 November 2009: Wouter
	- Fixed validation failure for CNAME to optout NSEC3 nodata answer.
	- unbound-host does not fail on type ANY.
	- Fixed wireparse failure to put RRSIGs together with data in some
	  long ANY mix cases, which fixes validation failures.

12 November 2009: Wouter
	- iana portlist updated.
	- fix manpage errors reported by debian lintian.
	- review comments.
	- fixup very long vallog2 level error strings.
	
11 November 2009: Wouter
	- ldns tarball updated (to 1.6.2).
	- review comments.

10 November 2009: Wouter
	- Thanks to Surfnet found bug in new dnssec-retry code that failed
	  to combine well when combined with DLV and a particular failure. 
	- Fixed unbound-control -h output about argument optionality.
	- review comments.

5 November 2009: Wouter
	- lint fixes and portability tests.
	- better error text for multiple domain keys in one autotrust file.

2 November 2009: Wouter
	- Fix bug where autotrust does not work when started with a DS.
	- Updated GOST unit tests for unofficial algorithm number 249
	  and DNSKEY-format changes in draft version -01.

29 October 2009: Wouter
	- iana portlist updated.
	- edns-buffer-size option, default 4096.
	- fixed do-udp: no.

28 October 2009: Wouter
	- removed abort on prealloc failure, error still printed but softfail.
	- iana portlist updated.
	- RFC 5702: RSASHA256 and RSASHA512 support enabled by default.
	- ldns tarball updated (which also enables rsasha256 support).

27 October 2009: Wouter
	- iana portlist updated.

8 October 2009: Wouter
	- please doxygen
	- add val-log-level print to corner case (nameserver.epost.bg).
	- more detail to errors from insecure delegation checks.
	- Fix double time subtraction in negative cache reported by 
	  Amanda Constant and Hugh Mahon.
	- Made new validator error string available from libunbound for
	  applications.  It is in result->why_bogus, a zero-terminated string.
	  unbound-host prints it by default if a result is bogus.
	  Also the errinf is public in module_qstate (for other modules).

7 October 2009: Wouter
	- retry for validation failure in DS and prime results. Less mem use.
	  unit test.  Provisioning in other tests for requeries.
	- retry for validation failure in DNSKEY in middle of chain of trust.
	  unit test.
	- retry for empty non terminals in chain of trust and unit test.
	- Fixed security bug where the signatures for NSEC3 records were not
	  checked when checking for absence of DS records.  This could have
	  enabled the substitution of an insecure delegation.
	- moved version number to 1.4.0 because of 1.3.4 release with only
	  the NSEC3 patch from the entry above.
	- val-log-level: 2 shows extended error information for validation
	  failures, but still one (longish) line per failure.  For example:
	  validation failure <example.com. DNSKEY IN>: signature expired from
	  192.0.2.4 for trust anchor example.com. while building chain of trust
	  validation failure <www.example.com. A IN>: no signatures from
	  192.0.2.6 for key example.com. while building chain of trust

6 October 2009: Wouter
	- Test set updated to provide additional ns lookup result.
	  The retry would attempt to fetch the data from other nameservers
	  for bogus data, and this needed to be provisioned in the tests.

5 October 2009: Wouter
	- first validation failure retry code.  Retries for data failures.
	  And unit test.

2 October 2009: Wouter
	- improve 5011 modularization.
	- fix unbound-host so -d can be given before -C.
	- iana portlist updated.

28 September 2009: Wouter
	- autotrust-anchor-file can read multiline input and $ORIGIN.
	- prevent integer overflow in holddown calculation. review fixes.
	- fixed race condition in trust point revocation. review fix.
	- review fixes to comments, removed unused code.

25 September 2009: Wouter
	- so-rcvbuf: 4m option added.  Set this on large busy servers to not
	  drop the occasional packet in spikes due to full socket buffers.
	  netstat -su keeps a counter of UDP dropped due to full buffers.
	- review of validator/autotrust.c, small fixes and comments.

23 September 2009: Wouter
	- 5011 query failed counts verification failures, not lookup failures.
	- 5011 probe failure handling fixup.
	- test unbound reading of original autotrust data.
	  The metadata per-key, such as key state (PENDING, MISSING, VALID) is
	  picked up, otherwise performs initial probe like usual.

22 September 2009: Wouter
	- autotrust test with algorithm rollover, new ordering of checks
	  assists in orderly rollover.
	- autotrust test with algorithm rollover to unknown algorithm.
	  checks if new keys are supported before adding them.
	- autotrust test with trust point revocation, becomes unsigned.
	- fix DNSSEC-missing-signature detection for minimal responses
	  for qtype DNSKEY (assumes DNSKEY occurs at zone apex).

18 September 2009: Wouter
	- autotrust tests, fix trustpoint timer deletion code.
	  fix count of valid anchors during missing remove.
	- autotrust: pick up REVOKE even if not signed with known other keys.

17 September 2009: Wouter
	- fix compile of unbound-host when --enable-alloc-checks.
	- Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis.
	- Manual page fixes reported by Tony Finch.

16 September 2009: Wouter
	- Fix memory leak reported by Tao Ma.
	- Fix memstats test tool for log-time-ascii log format.

15 September 2009: Wouter
	- iana portlist updated.

10 September 2009: Wouter
	- increased MAXSYSLOGLEN so .bg key can be printed in debug output.
	- use linebuffering for log-file: output, this can be significantly
	  faster than the previous fflush method and enable some class of
	  resolvers to use high verbosity (for short periods).
	  Not on windows, because line buffering does not work there.

9 September 2009: Wouter
	- Fix bug where DNSSEC-bogus messages were marked with too high TTL.
	  The RRsets would still expire at the normal time, but this would
	  keep messages bogus in the cache for too long.
	- regression test for that bug.
	- documented that load_cache is meant for debugging.

8 September 2009: Wouter
	- fixup printing errors when load_cache, they were printed to the
	  SSL connection which broke, now to the log.
	- new ldns - with fixed parse of large SOA values.

7 September 2009: Wouter
	- autotrust testbound scenarios.
	- autotrust fix that failure count is written to file.
	- autotrust fix that keys may become valid after add holddown time
	  alone, before the probe returns.

4 September 2009: Wouter
	- Changes to make unbound work with libevent-2.0.3 alpha. (in
	  configure detection due to new ssl dependency in libevent)
	- do not call sphinx for documentation when python is disabled.
	- remove EV_PERSIST from libevent timeout code to make the code
	  compatible with the libevent-2.0.  Works with older libevent too.
	- fix memory leak in python code.

3 September 2009: Wouter
	- Got a patch from Luca Bruno for libunbound support on windows to
	  pick up the system resolvconf nameservers and hosts there.
	- included ldns updated (enum warning fixed).
	- makefile fix for parallel makes.
	- Patch from Zdenek Vasicek and Attila Nagy for using the source IP
	  from python scripts.  See pythonmod/examples/resip.py.
	- doxygen comment fixes.

2 September 2009: Wouter
	- TRAFFIC keyword for testbound. Simplifies test generation.
	  ${range lower val upper} to check probe timeout values.
	- test with 5011-prepublish rollover and revocation.
	- fix revocation of RR for autotrust, stray exclamation mark.

1 September 2009: Wouter
	- testbound variable arithmetic.
	- autotrust probe time is randomised.
	- autotrust: the probe is active and does not fetch from cache.

31 August 2009: Wouter
	- testbound variable processing.

28 August 2009: Wouter
	- fixup unbound-control lookup to print forward and stub servers.

27 August 2009: Wouter
	- autotrust: mesh answer callback is empty.

26 August 2009: Wouter
	- autotrust probing.
	- iana portlist updated.

25 August 2009: Wouter
	- fixup memleak in trust anchor unsupported algorithm check.
	- iana portlist updated.
	- autotrust options: add-holddown, del-holddown, keep-missing.
	- autotrust store revoked status of trust points.
	- ctime_r compat definition.
	- detect yylex_destroy() in configure.
	- detect SSL_get_compression_methods declaration in configure.
	- fixup DS lookup at anchor point with unsigned parent.
	- fixup DLV lookup for DS queries to unsigned domains.

24 August 2009: Wouter
	- cleaner memory allocation on exit. autotrust test routines.
	- free all memory on program exit, fix for ssl and flex.

21 August 2009: Wouter
	- autotrust: debug routines. Read,write and conversions work.

20 August 2009: Wouter
	- autotrust: save and read trustpoint variables.

19 August 2009: Wouter
	- autotrust: state table updates.
	- iana portlist updated.

17 August 2009: Wouter
	- autotrust: process events.

17 August 2009: Wouter
	- Fix so that servers are only blacklisted if they fail to reply 
	  to 16 queries in a row and the timeout gets above 2 minutes.
	- autotrust work, split up DS verification of DNSKEYs.

14 August 2009: Wouter
	- unbound-control lookup prints out infra cache information, like RTT.
	- Fix bug in DLV lookup reported by Amanda from Secure64.
	  It could sometimes wrongly classify a domain as unsigned, which
	  does not give the AD bit on replies.

13 August 2009: Wouter
	- autotrust read anchor files. locked trust anchors.

12 August 2009: Wouter
	- autotrust import work.

11 August 2009: Wouter
	- Check for openssl compatible with gost if enabled.
	- updated unit test for GOST=211 code.
	  Nicer naming of test files.
	- iana portlist updated.

7 August 2009: Wouter
	- call OPENSSL_config() in unbound and unit test so that the
	  operator can use openssl.cnf for configuration options.
	- removed small memory leak from config file reader.

6 August 2009: Wouter
	- configure --enable-gost for GOST support, experimental
	  implementation of draft-dolmatov-dnsext-dnssec-gost-01.
	- iana portlist updated.
	- ldns tarball updated (with GOST support).

5 August 2009: Wouter
	- trunk moved to 1.3.4.

4 August 2009: Wouter
	- Added test that the examples from draft rsasha256-14 verify.
	- iana portlist updated.
	- tagged 1.3.3

3 August 2009: Wouter
	- nicer warning when algorithm not supported, tells you to upgrade.
	- iana portlist updated.

27 July 2009: Wouter
	- Updated unbound-cacti contribution from Dmitriy Demidov, with
	  the queue statistics displayed in its own graph.
	- iana portlist updated.

22 July 2009: Wouter
	- Fix bug found by Michael Tokarev where unbound would try to
	  prime the root servers even though forwarders are configured for
	  the root.
	- tagged 1.3.3rc1

21 July 2009: Wouter
	- Fix server selection, so that it waits for open target queries when
	  faced with lameness.

20 July 2009: Wouter
	- Ignore transient sendto errors, no route to host, and host, net down.
	- contrib/update-anchor.sh has -r option for root-hints.
	- feature val-log-level: 1 prints validation failures so you can
	  keep track of them during dnssec deployment.

16 July 2009: Wouter
	- fix replacement malloc code.  Used in crosscompile.
	- makedist -w creates crosscompiled setup.exe on fedora11.

15 July 2009: Wouter
	- dependencies for compat items, for crosscompile.
	- mingw32 crosscompile changes, dependencies and zipfile creation.
	  and with System.dll from the windows NSIS you can make setup.exe.
	- package libgcc_s_sjlj exception handler for NSISdl.dll.

14 July 2009: Wouter
	- updated ldns tarball for solaris x64 compile assistance.
	- no need to define RAND_MAX from config.h.
	- iana portlist updated.
	- configure changes and ldns update for mingw32 crosscompile.

13 July 2009: Wouter
	- Fix for crash at start on windows.
	- tag for release 1.3.2.
	- trunk has version 1.3.3.
	- Fix for ID bits on windows to use all 16. RAND_MAX was not
	  defined like you'd expect on mingw. Reported by Mees de Roo.

9 July 2009: Wouter
	- tag for release 1.3.1.
	- trunk has version 1.3.2.

7 July 2009: Wouter
	- iana portlist updated.

6 July 2009: Wouter
	- prettier error handling in SSL setup.
	- makedist.sh uname fix (same as ldns).
	- updated fedora spec file.

3 July 2009: Wouter
	- fixup linking when ldnsdir is "".

30 June 2009: Wouter
	- more lenient truncation checks.

29 June 2009: Wouter
	- ldns trunk r2959 imported as tarball, because of solaris cc compile
	  support for c99.  r2960 for better configure.
	- better wrongly_truncated check.
	- On Linux, fragment IPv6 datagrams to the IPv6 minimum MTU, to
	  avoid dropped packets at routers.

26 June 2009: Wouter
	- Fix EDNS fallback when EDNS works for short answers but long answers
	  are dropped.

22 June 2009: Wouter
	- fixup iter priv strict aliasing while preserving size of sockaddr.
	- iana portlist updated.  (one less port allocated, one more fraction
	  of a bit for security!)
	- updated fedora specfile in contrib from Paul Wouters.
	
19 June 2009: Wouter
	- Fixup strict aliasing warning in iter priv code.
	  and config_file code.
	- iana portlist updated.
	- harden-referral-path: handle cases where NS is in answer section.

18 June 2009: Wouter
	- Fix of message parse bug where (specifically) an NSEC and RRSIG
	  in the wrong order would be parsed, but put wrongly into internal
	  structures so that later validation would fail.
	- Extreme lenience for wrongly truncated replies where a positive
	  reply has an NS in the authority but no signatures.  They are
	  turned into minimal responses with only the (secure) answer.
	- autoconf 2.63 for configure.
	- python warnings suppress.  Keep python API away from header files.

17 June 2009: Wouter
	- CREDITS entry for cz.nic, sponsoring a 'summer of code' that was
	  used for the python code in unbound. (http://www.nic.cz/vip/ in cz).

16 June 2009: Wouter
	- Fixup opportunistic target query generation to it does not
	  generate queries that are known to fail.
	- Touchup on munin total memory report.
	- messages picked out of the cache by the iterator are checked
	  if their cname chain is still correct and if validation status
	  has to be reexamined.

15 June 2009: Wouter
	- iana portlist updated.

14 June 2009: Wouter
	- Fixed bug where cached responses would lose their security
	  status on second validation, which especially impacted dlv
	  lookups.  Reported by Hauke Lampe.

13 June 2009: Wouter
	- bug #254. removed random whitespace from example.conf.

12 June 2009: Wouter
	- Fixup potential wrong NSEC picked out of the cache.
	- If unfulfilled callbacks are deleted they are called with an error.
	- fptr wlist checks for mesh callbacks.
	- fwd above stub in configuration works.

11 June 2009: Wouter
	- Fix queries for type DS when forward or stub zones are there.
	  They are performed to higherup domains, and thus treated as if
	  going to higher zones when looking up the right forward or stub
	  server.  This makes a stub pointing to a local server that has
	  a local view of example.com signed with the same keys as are
	  publicly used work.  Reported by Johan Ihren.
	- Added build-unbound-localzone-from-hosts.pl to contrib, from
	  Dennis DeDonatis.  It converts /etc/hosts into config statements.
	- same thing fixed for forward-zone and DS, chain of trust from
	  public internet into the forward-zone works now.  Added unit test.

9 June 2009: Wouter
	- openssl key files are opened apache-style, when user is root and
	  before chrooting.  This makes permissions on remote-control key 
	  files easier to set up.  Fixes bug #251.
	- flush_type and flush_name remove msg cache entries.
	- codereview - dp copy bogus setting fix.

8 June 2009: Wouter
	- Removed RFC5011 REVOKE flag support. Partial 5011 support may cause
	  inadvertant behaviour.
	- 1.3.0 tarball for release created.
	- 1.3.1 development in svn trunk.
	- iana portlist updated.
	- fix lint from complaining on ldns/sha.h.
	- help compiler figure out aliasing in priv_rrset_bad() routine.
	- fail to configure with python if swig is not found.
	- unbound_munin_ in contrib uses ps to show rss if sbrk does not work.

3 June 2009: Wouter
	- fixup bad free() when wrongly encoded DSA signature is seen.
	  Reported by Paul Wouters.
	- review comments from Matthijs.

2 June 2009: Wouter
	- --enable-sha2 option. The draft rsasha256 changed its algorithm
	  numbers too often.  Therefore it is more prudent to disable the
	  RSASHA256 and RSASHA512 support by default.
	- ldns trunk included as new tarball.
	- recreated the 1.3.0 tag in svn. rc1 tarball generated at this point.

29 May 2009: Wouter
	- fixup doc bug in README reported by Matthew Dempsky.

28 May 2009: Wouter
	- update iana port list
	- update ldns lib tarball

27 May 2009: Wouter
	- detect lack of IPv6 support on XP (with a different error code).
	- Fixup a crash-on-exit which was triggered by a very long queue.
	  Unbound would try to re-use ports that came free, but this is
	  of course not really possible because everything is deleted.
	  Most easily triggered on XP (not Vista), maybe because of the
	  network stack encouraging large messages backlogs.
	- change in debug statements.
	- Fixed bug that could cause a crash if root prime failed when there
	  were message backlogs.

26 May 2009: Wouter
	- Thanks again to Brett Carr, found an assertion that was not true.
	  Assertion checked if recursion parent query still existed.

29 April 2009: Wouter
	- Thanks to Brett Carr, caught windows resource leak, use 
	  closesocket() and not close() on sockets or else the network stack
	  starts to leak handles.
	- Removed usage of windows Mutex because windows cannot handle enough
	  mutexes open.  Provide own mutex implementation using primitives.

28 April 2009: Wouter
	- created svn tag for 1.3.0.

27 April 2009: Wouter
	- optimised cname from cache.
	- ifdef windows functions in testbound.

23 April 2009: Wouter
	- fix for threadsafety in solaris thr_key_create() in tests.
	- iana portlist updated.
	- fix pylib test for Darwin.
	- fix pymod test for Darwin and a python threading bug in pymod init.
	- check python >= 2.4 in configure.
	- -ldl check for libcrypto 1.0.0beta.

21 April 2009: Wouter
	- fix for build outside sourcedir.
	- fix for configure script swig detection.

17 April 2009: Wouter
	- Fix reentrant in minievent handler for unix. Could have resulted
	  in spurious event callbacks.
	- timers do not take up a fd slot for winsock handler.
	- faster fix for winsock reentrant check.
	- fix rsasha512 unit test for new (interim) algorithm number.
	- fix test:ldns doesn't like DOS line endings in keyfiles on unix.
	- fix compile warning on ubuntu (configlexer fwrite return value).
	- move python include directives into CPPFLAGS instead of CFLAGS.

16 April 2009: Wouter
	- winsock event handler exit very quickly on signal, even if
	  under heavy load.
	- iana portlist updated.
	- fixup windows winsock handler reentrant problem.

14 April 2009: Wouter
	- bug #245: fix munin plugin, perform cleanup of stale lockfiles.
	- makedist.sh; better help text.
	- cache-min-ttl option and tests.
	- mingw detect error condition on TCP sockets (NOTCONN).

9 April 2009: Wouter
	- Fix for removal of RSASHA256_NSEC3 protonumber from ldns.
	- ldns tarball updated.
	- iana portlist update.
	- detect GOST support in openssl-1.0.0-beta1, and fix compile problem
	  because that openssl defines the name STRING for itself.

6 April 2009: Wouter
	- windows compile fix.
	- Detect FreeBSD jail without ipv6 addresses assigned.
	- python libunbound wrapper unit test.
	- installs the following files. Default is to not build them.
	  	from configure --with-pythonmodule:
	  /usr/lib/python2.x/site-packages/unboundmodule.py
	  	from configure --with-pyunbound:
	  /usr/lib/python2.x/site-packages/unbound.py
	  /usr/lib/python2.x/site-packages/_unbound.so*
	  The example python scripts (pythonmod/examples and
	  libunbound/python/examples) are not installed.
	- python invalidate routine respects packed rrset ids and locks.
	- clock skew checks in unbound, config statements.
	- nxdomain ttl considerations in requirements.txt

3 April 2009: Wouter
	- Fixed a bug that caused messages to be stored in the cache too 
	  long.  Hard to trigger, but NXDOMAINs for nameservers or CNAME
	  targets have been more vulnerable to the TTL miscalculation bug. 
	- documentation test fixed for python addition.

2 April 2009: Wouter
	- pyunbound (libunbound python plugin) compiles using libtool.
	- documentation for pythonmod and pyunbound is generated in doc/html.
	- iana portlist updated.
	- fixed bug in unbound-control flush_zone where it would not flush
	  every message in the target domain.  This especially impacted 
	  NXDOMAIN messages which could remain in the cache regardless.
	- python module test package.

1 April 2009: Wouter
	- suppress errors when trying to contact authority servers that gave
	  ipv6 AAAA records for their nameservers with ipv4 mapped contents.
	  Still tries to do so, could work when deployed in intranet.
	  Higher verbosity shows the error.
	- new libunbound calls documented.
	- pyunbound in libunbound/python. Removed compile warnings.
	  Makefile to make it.

30 March 2009: Wouter
	- Fixup LDFLAGS from libevent sourcedir compile configure restore.
	- Fixup so no non-absolute rpaths are added.
	- Fixup validation of RRSIG queries, they are let through.
	- read /dev/random before chroot
	- checkconf fix no python checks when no python module enabled.
	- fix configure, pthread first, so other libs do not change outcome.

27 March 2009: Wouter
	- nicer -h output. report linked libraries and modules.
	- prints modules in intuitive order (config file friendly).
	- python compiles easily on BSD.

26 March 2009: Wouter
	- ignore swig varargs warnings with gcc.
	- remove duplicate example.conf text from python example configs.
	- outofdir compile fix for python.
	- pyunbound works.
	- print modules compiled in on -h. manpage.

25 March 2009: Wouter
	- initial import of the python contribution from Zdenek Vasicek and
	  Marek Vavrusa.
	- pythonmod in Makefile; changes to remove warnings/errors for 1.3.0.

24 March 2009: Wouter
	- more neat configure.ac. Removed duplicate config.h includes.
	- neater config.h.in.
	- iana portlist updated.
	- fix util/configlexer.c and solaris -std=c99 flag.
	- fix postcommit aclocal errors.
	- spaces stripped. Makefile cleaner, /usr omitted from -I, -L, -R.
	- swap order of host detect and libtool generation.

23 March 2009: Wouter
	- added launchd plist example file for MacOSX to contrib.
	- deprecation test for daemon(3).
	- moved common configure actions to m4 include, prettier Makefile.

20 March 2009: Wouter
	- bug #239: module-config entries order is important. Documented.
	- build fix for test asynclook.

19 March 2009: Wouter
	- winrc/README.txt dos-format text file.
	- iana portlist updated.
	- use _beginthreadex() when available (performs stack alignment).
	- defaults for windows baked into configure.ac (used if on mingw).

18 March 2009: Wouter
	- Added tests, unknown algorithms become insecure. fallback works.
	- Fix for and test for unknown algorithms in a trust anchor
	  definition.  Trust anchors with no supported algos are ignored.
	  This means a (higher)DS or DLV entry for them could succeed, and
	  otherwise they are treated as insecure.
	- domain-insecure: "example.com" statement added. Sets domain
	  insecure regardless of chain of trust DSs or DLVs. The inverse
	  of a trust-anchor.

17 March 2009: Wouter
	- unit test for unsupported algorithm in anchor warning.
	- fixed so queries do not fail on opportunistic target queries.

16 March 2009: Wouter
	- fixup diff error printout in contrib/update-itar.sh.
	- added contrib/unbound_cacti for statistics support in cacti,
	  contributed by Dmitriy Demidov.

13 March 2009: Wouter
	- doxygen and lex/yacc on linux.
	- strip update-anchor on makedist -w.
	- fix testbound on windows.
	- default log to syslog for windows.
	- uninstaller can stop unbound - changed text on it to reflect that.
	- remove debugging from windows 'cron' actions.

12 March 2009: Wouter
	- log to App.logs on windows prints executable identity.
	- fixup tests.
	- munin plugin fix benign locking error printout.
	- anchor-update for windows, called every 24 hours; unbound reloads.

11 March 2009: Wouter
	- winsock event handler resets WSAevents after signalled.
	- winsock event handler tests if signals are really signalled.
	- install and service with log to file works on XP and Vista on 
	  default install location.
	- on windows logging to the Application logbook works (as a service).
	- fix RUN_DIR on windows compile setting in makedist.
	- windows registry has Software\Unbound\ConfigFile element.
	  If does not exist, the default is used. The -c switch overrides it.
	- fix makedist version cleanup function.

10 March 2009: Wouter
	- makedist -w strips out old rc.. and snapshot info from version.
	- setup.exe starts and stops unbound after install, before uninstall.
	- unbound-checkconf recognizes absolute pathnames on windows (C:...).

9 March 2009: Wouter
	- Nullsoft NSIS installer creation script.

5 March 2009: Wouter
	- fixup memory leak introduced on 18feb in mesh reentrant fix.

3 March 2009: Wouter
	- combined icon with 16x16(4) 32x32(4) 48x48(8) 64x64(8).
	- service works on xp/vista, no config necessary (using defaults).
	- windows registry settings.

2 March 2009: Wouter
	- fixup --export-symbols to be -export-symbls for libtool.
	  This should fix extraneous symbols exported from libunbound.
	  Thanks to Ondrej Sury and Robert Edmonds for finding it.
	- iana portlist updated.
	- document FAQ entry on stub/forward zones and default blocking.
	- fix asynclook test app for libunbound not exporting symbols.
	- service install and remove utils that work with vista UAC.
		
27 February 2009: Wouter
	- Fixup lexer, to not give warnings about fwrite. Appeared in
	  new lexer features.
	- makedistro functionality for mingw. Has RC support.
	- support spaces and backslashes in configured defaults paths.
	- register, deregister in service control manager.

25 February 2009: Wouter
	- windres usage for application resources.

24 February 2009: Wouter
	- isc moved their dlv key download location.
	- fixup warning on vista/mingw.
	- makedist -w for window zip distribution first version.

20 February 2009: Wouter
	- Fixup contrib/update-itar.sh, the exit codes 1 and 0 were swapped.
	  Nicer script layout.  Added url to site in -h output.

19 February 2009: Wouter
	- unbound-checkconf and unbound print warnings when trust anchors
	  have unsupported algorithms.
	- added contrib/update-itar.sh  This script is similar to
	  update-anchor.sh, and updates from the IANA ITAR repository.
	  You can provide your own PGP key and trust repo, or can use the
	  builtin.  The program uses wget and gpg to work.
	- iana portlist updated.
	- update-itar.sh: using ftp:// urls because https godaddy certificate
	  is not available everywhere and then gives fatal errors.  The 
	  security is provided by pgp signature.

18 February 2009: Wouter
	- more cycle detection. Also for target queries.
	- fixup bug where during deletion of the mesh queries the callbacks
	  that were reentrant caused assertion failures. Keep the mesh in 
	  a reentrant safe state.  Affects libunbound, reload of server,
	  on quit and flush_requestlist.
	- iana portlist updated.

13 February 2009: Wouter
	- forwarder information now per-thread duplicated.
	  This keeps it read only for speed, with no locking necessary.
	- forward command for unbound control to change forwarders to use
	  on the fly.
	- document that unbound-host reads no config file by default.
	- updated iana portlist.

12 February 2009: Wouter
	- call setusercontext if available (on BSD).
	- small refactor of stats clearing.
	- #227: flush_stats feature for unbound-control.
	- stats_noreset feature for unbound-control.
	- flush_requestlist feature for unbound-control.
	- libunbound version upped API (was changed 5 feb).
	- unbound-control status shows if root forwarding is in use.
	- slightly nicer memory management in iter-fwd code.

10 February 2009: Wouter
	- keys with rfc5011 REVOKE flag are skipped and not considered when
	  validating data.
	- iana portlist updated
	- #226: dump_requestlist feature for unbound-control.

6 February 2009: Wouter
	- contrib contains specfile for fedora 1.2.1 (from Paul Wouters).
	- iana portlist updated.
	- fixup EOL in include directive (reported by Paul Wouters).
	  You can no longer specify newlines in the names of included files.
	- config parser changed. Gives some syntax errors closer to where they 
	  occurred. Does not enforce a space after keyword anymore.
	  Does not allow literal newlines inside quoted strings anymore.
	- verbosity level 5 logs customer IP for new requestlist entries.
	- test fix, lexer and cancel test.
	- new option log-time-ascii: yes  if you enable it prints timestamps
	  in the log file as Feb 06 13:45:26 (like syslog does).
	- detect event_base_new in libevent-1.4.1 and later and use it.
	- #231 unbound-checkconf -o option prints that value from config file.
	  Useful for scripting in management scripts and the like.

5 February 2009: Wouter
	- ldns 1.5.0 rc as tarball included.
	- 1.3.0 development continues:
	  change in libunbound API: ub_cancel can return an error, that
	  the async_id did not exist, or that it was already delivered.
	  The result could have been delivered just before the cancel 
	  routine managed to acquire the lock, so a caller may get the
	  result at the same time they call cancel.  For this case, 
	  ub_cancel tries to return an error code.
	  Fixes race condition in ub_cancel() libunbound function.
	- MacOSX Leopard cleaner text output from configure.
	- initgroups(3) is called to drop secondary group permissions, if
	  applicable.
	- configure option --with-ldns-builtin forces the use of the 
	  inluded ldns package with the unbound source.  The -I include
	  is put before the others, so it avoids bad include files from
	  an older ldns install.
	- daemon(3) posix call is used when available.
	- testbound test for older fix added.

4 February 2009: Wouter
	- tag for release 1.2.1.
	- trunk setup for 1.3.0 development.

3 February 2009: Wouter
	- noted feature requests in doc/TODO.
	- printout more detailed errors on ssl certificate loading failures.
	- updated IANA portlist.

16 January 2009: Wouter
	- more quiet about ipv6 network failures, i.e. when ipv6 is not
	  available (network unreachable). Debug still printed on high
	  verbosity.
	- unbound-host -4 and -6 options. Stops annoying ipv6 errors when
	  debugging with unbound-host -4 -d ... 
	- more cycle detection for NS-check, addr-check, root-prime and
	  stub-prime queries in the iterator.  Avoids possible deadlock
	  when priming fails.

15 January 2009: Wouter
	- bug #229: fixup configure checks for compilation with Solaris 
	  Sun cc compiler, ./configure CC=/opt/SUNWspro/bin/cc
	- fixup suncc warnings.
	- fix bug where unbound could crash using libevent 1.3 and older.
	- update testset for recent retry change.

14 January 2009: Wouter
	- 1.2.1 feature: negative caching for failed queries.
	  Queries that failed are cached for 5 seconds (NORR_TTL).
	  If the failure is local, like out of memory, it is not cached.
	- the TTL comparison for the cache used different comparisons,
	  causing many cache responses that used the iterator and validator
	  state machines unnecessarily.
	- retry from 4 to 5 so that EDNS drop retry is part of the first
	  query resolve attempt, and cached error does not stop EDNS fallback.
	- remove debug prints that protect against bad referrals.
	- honor QUIET=no on make commandline (or QUIET=yes ).

13 January 2009: Wouter
	- fixed bug in lameness marking, removed printouts.
	- find NS rrset more cleanly for qtype NS.
	- Moved changes to 1.2.0 for release. Thanks to Mark Zealey for
	  reporting and logs.
	- 1.2.1 feature: stops resolving AAAAs promiscuously when they
	  are in the negative cache.

12 January 2009: Wouter
	- fixed bug in infrastructure lameness cache, did not lowercase
	  name of zone to hash when setting lame.
	- lameness debugging printouts.

9 January 2009: Wouter
	- created svn tag for 1.2.0 release.
	- svn trunk contains 1.2.1 version number.
	- iana portlist updated for todays list.
	- removed debug print.

8 January 2009: Wouter
	- new version of ldns-trunk (today) included as tarball, fixed 
	  bug #224, building with -j race condition.
	- remove possible race condition in the test for race conditions.

7 January 2009: Wouter
	- version 1.2.0 in preparation.
	- feature to allow wildcards (*, ?, [], {}. ~) in trusted-keys-file
	  statements. (Adapted from patch by Paul Wouters).
	- typo fix and iana portlist updated.
	- porting testsuite; unused var warning, and type fixup.

6 January 2009: Wouter
	- fixup packet-of-death when compiled with --enable-debug.
	  A malformed packet could cause an internal assertion failure.
	- added test for HINFO canonicalisation behaviour.
	- fixup reported problem with transparent local-zone data where
	  queries with different type could get nxdomain. Now queries
	  with a different name get resolved normally, with different type
	  get a correct NOERROR/NODATA answer.
	- HINFO no longer downcased for validation, making unbound compatible
	  with bind and ldns.
	- fix reading included config files when chrooted.
	  Give full path names for include files.
	  Relative path names work if the start dir equals the working dir.
	- fix libunbound message transport when no packet buffer is available.

5 January 2009: Wouter
	- fixup getaddrinfo failure handling for remote control port.
	- added L.ROOT-SERVERS.NET. AAAA 2001:500:3::42 to builtin root hints.
	- fixup so it works with libev-3.51 from http://dist.schmorp.de/libev/
	- comm_timer_set performs base_set operation after event_add.

18 December 2008: Wouter
	- fixed bug reported by Duane Wessels: error in DLV lookup, would make
	  some zones that had correct DLV keys as insecure.
	- follows -rc makedist from ldns changes (no _rc).
	- ldns tarball updated with 1.4.1rc for DLV unit test.
	- verbose prints about recursion lame detection and server selection.
	- fixup BSD port for infra host storage. It hashed wrongly.
	- fixup makedist snapshot name generation.
	- do not reopen syslog to avoid dev/log dependency.

17 December 2008: Wouter
	- follows ldns makedist.sh. -rc option. autom4te dir removed.
	- unbound-control status command.
	- extended statistics has a number of ipv6 queries counter.
	  contrib/unbound_munin_ was updated to draw ipv6 in the hits graph.

16 December 2008: Wouter
	- follow makedist improvements from ldns, for maintainers prereleases.
	- snapshot version uses _ not - to help rpm distinguish the
	  version number.

11 December 2008: Wouter
	- better fix for bug #219: use LOG_NDELAY with openlog() call.
	  Thanks to Tamas Tevesz.

9 December 2008: Wouter
	- bug #221 fixed: unbound checkconf checks if key files exist if
	  remote control is enabled. Also fixed NULL printf when not chrooted.
	- iana portlist updated.

3 December 2008: Wouter
	- Fix problem reported by Jaco Engelbrecht where unbound-control stats
	  freezes up unbound if this was compiled without threading, and
	  was using multiple processes.
	- iana portlist updated.
	- test for remote control with interprocess communication.
	- created command distribution mechanism so that remote control
	  commands other than 'stats' work on all processes in a nonthreaded
	  compiled version. dump/load cache work, on the first process.
	- fixup remote control local_data addition memory corruption bug.

1 December 2008: Wouter
	- SElinux policy files in contrib/selinux for the unbound daemon,
	  by Paul Wouters and Adam Tkac.

25 November 2008: Wouter
	- configure complains when --without-ssl is given (bug #220).
	- skip unsupported feature tests on vista/mingw.
	- fixup testcode/streamtcp to work on vista/mingw.
	- root-hints test checks version of dig required.
	- blacklisted servers are polled at a low rate (1%) to see if they
	  come back up. But not if there is some other working server.

24 November 2008: Wouter
	- document that the user of the server daemon needs read privileges
	  on the keys and certificates generated by unbound-control-setup.
	  This is different per system or distribution, usually, running the
	  script under the same username as the server uses suffices.
	  i.e.  sudo -u unbound unbound-control-setup
	- testset port to vista/mingw.
	- tcp_sigpipe to freebsd port.

21 November 2008: Wouter
	- fixed tcp accept, errors were printed when they should not.
	- unbound-control-setup.sh removes read/write permissions other
	  from the keys it creates (as suggested by Dmitriy Demidov).

20 November 2008: Wouter
	- fixup fatal error due to faulty error checking after tcp accept.
	- add check in rlimit to avoid integer underflow.
	- rlimit check with new formula; better estimate for number interfaces
	- nicer comments in rlimit check.
	- tag 1.1.1 created in svn.
	- trunk label is 1.1.2

19 November 2008: Wouter
	- bug #219: fixed so that syslog which delays opening until the first
	  log line is written, gets a log line while not chroot'ed yet.

18 November 2008: Wouter
	- iana portlist updated.
	- removed cast in unit test debug print that was not 64bit safe.
	- trunk back to 1.1.0; copied to tags 1.1.0 release.
	- trunk to has version number 1.1.1 again.
	- in 1.1.1; make clean nicer. grammar in manpage.

17 November 2008: Wouter
	- theoretical fix for problems reported on mailing list.
	  If a delegation point has no A but only AAAA and do-ip6 is no,
	  resolution would fail. Fixed to ask for the A and AAAA records.
	  It has to ask for both always, so that it can fail quietly, from
	  TLD perspective, when a zone is only reachable on one transport.
	- test for above, only AAAA and doip6 is no. Fix causes A record
	  for nameserver to be fetched.
	- fixup address duplication on cache fillup for delegation points.
	- testset updated for new query answer requirements.

14 November 2008: Wouter
	- created 1.1.0 release tag in svn.
	- trunk moved to 1.1.1
	- fixup unittest-neg for locking.

13 November 2008: Wouter
	- added fedora init and specfile to contrib (by Paul Wouters).
	- added configure check for ldns 1.4.0 (using its compat funcs).
	- neater comments in worker.h.
	- removed doc/plan and updated doc/TODO.
	- silenced EHOSTDOWN (verbosity 2 or higher to see it).
	- review comments from Jelte, Matthijs. Neater code.

12 November 2008: Wouter
	- add unbound-control manpage to makedist replace list.

11 November 2008: Wouter
	- unit test for negative cache, stress tests the refcounting.
	- fix for refcounting error that could cause fptr_wlist fatal exit
	  in the negative cache rbtree (upcoming 1.1 feature). (Thanks to 
	  Attila Nagy for testing).
	- nicer comments in cachedump about failed RR to string conversion.
	- fix 32bit wrap around when printing large (4G and more) mem usage
	  for extended statistics.

10 November 2008: Wouter
	- fixup the getaddrinfo compat code rename.

8 November 2008: Wouter
	- added configure check for eee build warning.

7 November 2008: Wouter
	- fix bug 217: fixed, setreuid and setregid do not work on MacOSX10.4.
	- detect nonblocking problems in network stack in configure script.

6 November 2008: Wouter
	- dname_priv must decompress the name before comparison.
	- iana portlist updated.

5 November 2008: Wouter
	- fixed possible memory leak in key_entry_key deletion.
	  Would leak a couple bytes when trust anchors were replaced.
	- if query and reply qname overlap, the bytes are skipped not copied.
	- fixed file descriptor leak when messages were jostled out that
	  had outstanding (TCP) replies.
	- DNAMEs used from cache have their synthesized CNAMEs initialized
	  properly.
	- fixed file descriptor leak for localzone type deny (for TCP).
	- fixed memleak at exit for nsec3 negative cached zones.
	- fixed memleak for the keyword 'nodefault' when reading config.
	- made verbosity of 'edns incapable peer' warning higher, so you
	  do not get spammed by it.
	- caught elusive Bad file descriptor error bug, that would print the
	  error while unnecessarily try to listen to a closed fd. Fixed.

4 November 2008: Wouter
	- fixed -Wwrite-strings warnings that result in better code.

3 November 2008: Wouter
	- fixup build process for Mac OSX linker, use ldns b32 compat funcs.
	- generated configure with autoconf-2.61.
	- iana portlist updated.
	- detect if libssl needs libdl.  For static linking with libssl.
	- changed to use new algorithm identifiers for sha256/sha512
	  from ldns 1.4.0 (need very latest version).
	- updated the included ldns tarball.
	- proper detection of SHA256 and SHA512 functions (not just sizes).

23 October 2008: Wouter
	- a little more debug info for failure on signer names. prints names.

22 October 2008: Wouter
	- CFLAGS are picked up by configure from the environment.
	- iana portlist updated.
	- updated ldns to use 1.4.0-pre20081022 so it picks up CFLAGS too.
	- new stub-prime: yesno option. Default is off, so it does not prime.
	  can be turned on to get same behaviour as previous unbound release.
	- made automated test that checks if builtin root hints are uptodate.
	- finished draft-wijngaards-dnsext-resolver-side-mitigation
	  implementation. The unwanted-reply-threshold can be set.
	- fixup so fptr_whitelist test in alloc.c works.

21 October 2008: Wouter
	- fix update-anchors.sh, so it does not report different RR order
	  as an update.  Sorts the keys in the file.  Updated copyright.
	- fixup testbound on windows, the command control pipe doesn't exist.
	- skip 08hostlib test on windows, no fork() available.
	- made unbound-remote work on windows.

20 October 2008: Wouter
	- quench a log message that is debug only.
	- iana portlist updated.
	- do not query bogus nameservers.  It is like nameservers that have 
	  the NS or A or AAAA record bogus are listed as donotquery.
	- if server selection is faced with only bad choices, it will
	  attempt to get more options to be fetched.
	- changed bogus-ttl default value from 900 to 60 seconds.
	  In anticipation that operator caused failures are more likely than
	  actual attacks at this time.  And thus repeated validation helps
	  the operators get the problem fixed sooner.  It makes validation
	  failures go away sooner (60 seconds after the zone is fixed).
	  Also it is likely to try different nameserver targets every minute,
	  so that if a zone is bad on one server but not another, it is 
	  likely to pick up the 'correct' one after a couple minutes,
	  and if the TTL is big enough that solves validation for the zone.
	- fixup unbound-control compilation on windows.

17 October 2008: Wouter
	- port Leopard/G5: fixup type conversion size_t/uint32.
	  please ranlib, stop file without symbols warning.
	- harden referral path now also validates the root after priming.
	  It looks up the root NS authoritatively as well as the root servers
	  and attemps to validate the entries.

16 October 2008: Wouter
	- Fixup negative TTL values appearing (reported by Attila Nagy).

15 October 2008: Wouter
	- better documentation for 0x20; remove fallback TODO, it is done.
	- harden-referral-path feature includes A, AAAA queries for glue,
	  as well as very careful NS caching (only when doing NS query).
	  A, AAAA use the delegation from the NS-query.

14 October 2008: Wouter
	- fwd_three.tpkg test was flaky.  If the three requests hit the
	  wrong threads by chance (or bad OS) then the test would fail.
	  Made less flaky by increasing number of retries.
	- stub_udp.tpkg changed to work, give root hints. fixed ldns_dname_abs.
	- ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081014).
	  Which includes the ldns_dname_absolute fix.
	- fwd_three test remains flaky now that unbound does not stop
	  listening when full.  Thus, removed timeout problem.
	  It may be serviced by three threads, or maybe by one.
	  Mostly only useful for lock-check testing now.

13 October 2008: Wouter
	- fixed recursion servers deployed as authoritative detection, so
	  that as a last resort, a +RD query is sent there to get the 
	  correct answer.
	- iana port list update.
	- ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081013).

10 October 2008: Wouter
	- fixup tests - the negative cache contained the correct NSEC3s for
	  two tests that are supposed to fail to validate.

9 October 2008: Wouter
	- negative cache caps max iterations of NSEC3 done.
	- NSEC3 negative cache for qtype DS works.

8 October 2008: Wouter
	- NSEC negative cache for DS.

6 October 2008: Wouter
	- jostle-timeout option, so you can config for slow links.
	- 0x20 fallback code.  Tries 3xnumber of nameserver addresses
	  queries that must all be the same.  Sent to random nameservers.
	- documented choices for DoS, EDNS, 0x20.

2 October 2008: Wouter
	- fixup unlink of pidfile.
	- fixup SHA256 algorithm collation code.
	- contrib/update-anchor.sh does not overwrite anchors if not needed.
	  exits 0 when a restart is needed, other values if not.
	  so,  update-anchor.sh -d mydir && /etc/rc.d/unbound restart
	  can restart unbound exactly when needed.

30 September 2008: Wouter
	- fixup SHA256 DS downgrade, no longer possible to downgrade to SHA1.
	- tests for sha256 support and downgrade resistance.
	- RSASHA256 and RSASHA512 support (using the draft in dnsext),
	  using the drafted protocol numbers.
	- when using stub on localhost (127.0.0.1@10053) unbound works.
	  Like when running NSD to host a local zone, on the same machine.
	  The noprime feature. manpages more explanation. Added a test for it.
	- shorthand for reverse PTR,  local-data-ptr: "1.2.3.4 www.ex.com"

29 September 2008: Wouter
	- EDNS lameness detection, if EDNS packets are dropped this is
	  detected, eventually.
	- multiple query timeout rtt backoff does not backoff too much.

26 September 2008: Wouter
	- tests for remote-control.
	- small memory leak in exception during remote control fixed.
	- fixup for lock checking but not unchecking in remote control.
	- iana portlist updated.

23 September 2008: Wouter
	- Msg cache is loaded. A cache load enables cache responses.
	- unbound-control flush [name], flush_type and flush_zone.

22 September 2008: Wouter
	- dump_cache and load_cache statements in unbound-control.
	  RRsets are dumped and loaded correctly.
	  Msg cache is dumped.

19 September 2008: Wouter
	- locking on the localdata structure.
	- add and remove local zone and data with unbound-control.
	- ldns trunk snapshot updated, make tests work again.

18 September 2008: Wouter
	- fixup error in time calculation.
	- munin plugin improvements.
	- nicer abbreviations for high query types values (ixfr, axfr, any...)
	- documented the statistics output in unbound-control man page.
	- extended statistics prints out histogram, over unbound-control.

17 September 2008: Wouter
	- locking for threadsafe bogus rrset counter.
	- ldns trunk no longer exports b32 functions, provide compat.
	- ldns tarball updated.
	- testcode/ldns-testpkts.c const fixups.
	- fixed rcode stat printout.
	- munin plugin in contrib.
	- stats always printout uptime, because stats plugins need it.

16 September 2008: Wouter
	- extended-statistics: yesno config option.
	- unwanted replies spoof nearmiss detector.
	- iana portlist updated.

15 September 2008: Wouter
	- working start, stop, reload commands for unbound-control.
	- test for unbound-control working; better exit value for control.
	- verbosity control via unbound-control.
	- unbound-control stats.

12 September 2008: Wouter
	- removed browser control mentions. Proto speccy.

11 September 2008: Wouter
	- set nonblocking on new TCP streams, because linux does not inherit
	  the socket options to the accepted socket.
	- fix TCP timeouts.
	- SSL protected connection between server and unbound-control.

10 September 2008: Wouter
	- remove memleak in privacy addresses on reloads and quits.
	- remote control work.

9 September 2008: Wouter
	- smallapp/unbound-control-setup.sh script to set up certificates.

4 September 2008: Wouter
	- scrubber scrubs away private addresses.
	- test for private addresses. man page entry.
	- code refactored for name and address tree lookups.

3 September 2008: Wouter
	- options for 'DNS Rebinding' protection: private-address and
	  private-domain.
	- dnstree for reuse of routines that help with domain, addr lookups.
	- private-address and private-domain config option read, stored.

2 September 2008: Wouter
	- DoS protection features. Queries are jostled out to make room.
	- testbound can pass time, increasing the internal timer.
	- do not mark unsigned additionals bogus, leave unchecked, which
	  is removed too.

1 September 2008: Wouter
	- disallow nonrecursive queries for cache snooping by default.
	  You can allow is using access-control: <subnet> allow_snoop.
	  The defaults do allow access no authoritative data without RD bit.
	- two tests for it and fixups of tests for nonrec refused.

29 August 2008: Wouter
	- version 1.1 number in trunk.
	- harden-referral-path option for query for NS records.
	  Default turns off expensive, experimental option.

28 August 2008: Wouter
	- fixup logfile handling; it is created with correct permissions
	  again. (from bugfix#199).
	  Some errors are not written to logfile (pidfile writing, forking),
	  and these are only visible by using the -d commandline flag.

27 August 2008: Wouter
	- daemon(3) is causing problems for people. Reverting the patch.
	  bug#200, and 199 and 203 contain sideline discussion on it.
	- bug#199 fixed: pidfile can be outside chroot. openlog is done before
	  chroot and drop permissions.
	- config option to set size of aggressive negative cache,
	  neg-cache-size.
	- bug#203 fixed: dlv has been implemented.

26 August 2008: Wouter
	- test for insecure zone when DLV is in use, also does negative cache.
	- test for trustanchor when DLV is in use (the anchor works).
	- test for DLV used for a zone below a trustanchor.
	- added scrub filter for overreaching NSEC records and unit test.
	- iana portlist update
	- use of setresuid or setreuid when available.
	- use daemon(3) if available.

25 August 2008: Wouter
	- realclean patch from Robert Edmonds.

22 August 2008: Wouter
	- nicer debuglogging of DLV.
	- test with secure delegation inside the DLV repository.

21 August 2008: Wouter
	- negative cache code linked into validator, for DLV use.
	  negative cache works for DLV.
	- iana portlist update.
	- dlv-anchor option for unit tests.
	- fixup NSEC_AT_APEX classification for short typemaps.
	- ldns-testns has subdomain checks, for unit tests.

20 August 2008: Wouter
	- negative cache code, reviewed.

18 August 2008: Wouter
	- changes info: in logfile to notice: info: or debug: depending on 
	  the verbosity of the statements.  Better logfile message
	  classification.
	- bug #208: extra rc.d unbound flexibility for freebsd/nanobsd.

15 August 2008: Wouter
	- DLV nsec code fixed for better detection of closest existing 
	  enclosers from NSEC responses.
	- DLV works, straight to the dlv repository, so not for production.
	- Iana port update.

14 August 2008: Wouter
	- synthesize DLV messages from the rrset cache, like done for DS.

13 August 2008: Wouter
	- bug #203: nicer do-auto log message when user sets incompatible
	  options.
	- bug #204: variable name ameliorated in log.c.
	- bug #206: in iana_update, no egrep, but awk use.
	- ldns snapshot r2699 taken (includes DLV type).
	- DLV work, config file element, trust anchor read in.

12 August 2008: Wouter
	- finished adjusting testset to provide qtype NS answers.

11 August 2008: Wouter
	- Fixup rrset security updates overwriting 2181 trust status.
	  This makes validated to be insecure data just as worthless as
	  nonvalidated data, and 2181 rules prevent cache overwrites to them.
	- Fix assertion fail on bogus key handling.
	- dnssec lameness detection works on first query at trust apex.
	- NS queries get proper cache and dnssec lameness treatment.
	- fixup compilation without pthreads on linux.

8 August 2008: Wouter
	- NS queries are done after every referral.
	  validator is used on those NS records (if anchors enabled).

7 August 2008: Wouter
	- Scrubber more strict. CNAME chains, DNAMEs from cache, other 
	  irrelevant rrsets removed.
	- 1.0.2 released from 1.0 support branch.
	- fixup update-anchor.sh to work both in BSD shell and bash.

5 August 2008: Wouter
	- fixup DS test so apex nodata works again.

4 August 2008: Wouter
	- iana port update. 
	- TODO update.
	- fix bug 201: null ptr deref on cleanup while udp pkts wait for port.
	- added explanatory text for outgoing-port-permit in manpage.

30 July 2008: Wouter
	- fixup bug qtype DS for unsigned zone and signed parent validation.

25 July 2008: Wouter
	- added original copyright statement of OpenBSD arc4random code.
	- created tube signaling solution on windows, as a pipe replacement.
	  this makes background asynchronous resolution work on windows.
	- removed very insecure socketpair compat code. It also did not
	  work with event_waiting. Solved by pipe replacement.
	- unbound -h prints openssl version number as well.

22 July 2008: Wouter
	- moved pipe actions to util/tube.c. easier porting and shared code.
	- check _raw() commpoint callbacks with fptr_wlist.
	- iana port update.

21 July 2008: Wouter
	- #198: nicer entropy warning message. manpage OS hints.

19 July 2008: Wouter
	- #198: fixup man page to suggest chroot entropy fix.

18 July 2008: Wouter
	- branch for 1.0 support.
	- trunk work on tube.c.

17 July 2008: Wouter
	- fix bug #196, compile outside source tree.
	- fix bug #195, add --with-username=user configure option.
	- print error and exit if started with config that requires more
	  fds than the builtin minievent can handle.

16 July 2008: Wouter
	- made svn tag 1.0.1, trunk now 1.0.2
	- sha256 checksums enabled in makedist.sh

15 July 2008: Wouter
	- Follow draft-ietf-dnsop-default-local-zones-06 added reverse
	  IPv6 example prefix to AS112 default blocklist.
	- fixup lookup of DS records by client with trustanchor for same.
	- libunbound ub_resolve, fix handling of error condition during setup.
	- lowered log_hex blocksize to fit through BSD syslog linesize.
	- no useless initialisation if getpwnam not available.
	- iana, ldns snapshot updated.

3 July 2008: Wouter
	- Matthijs fixed memory leaks in root hints file reading.

26 June 2008: Wouter
	- fixup streamtcp bounds setting for udp mode, in the test framework.
	- contrib item for updating trust anchors.

25 June 2008: Wouter
	- fixup fwd_ancil test typos.
	- Fix for newegg lameness : ok for qtype=A, but lame for others.
	- fixup unit test for infra cache, test lame merging.
	- porting to mingw, bind, listen, getsockopt and setsockopt error
	  handling.

24 June 2008: Wouter
	- removed testcode/checklocks from production code compilation path.
	- streamtcp can use UDP mode (connected UDP socket), for testing IPv6
	  on windows.
	- fwd_ancil test fails if platform support is lacking.

23 June 2008: Wouter
	- fixup minitpkg to cleanup on windows with its file locking troubles.
	- minitpkg shows skipped tests in report.
	- skip ipv6 tests on ipv4 only hosts (requires only ipv6 localhost not
	  ipv6 connectivity).
	- winsock event handler keeps track of sticky TCP events, that have
	  not been fully handled yet. when interest in the event(s) resumes,
	  they are sent again. When WOULDBLOCK is returned events are cleared.
	- skip tests that need signals when testing on mingw.

18 June 2008: Wouter
	- open testbound replay files in binary mode, because fseek/ftell
	  do not work in ascii-mode on windows. The b does nothing on unix.
	  unittest and testbound tests work on windows (xp too).
	- ioctlsocket prints nicer error message.
	- fixed up some TCP porting for winsock.
	- lack of IPv6 gives a warning, no fatal error.
	- use WSAGetLastError() on windows instead of errno for some errors.

17 June 2008: Wouter
	- outgoing num fds 32 by default on windows ; it supports less
	  fds for waiting on than unixes.
	- winsock_event minievent handler for windows. (you could also
	  attempt to link with libevent/libev ports for windows).
	- neater crypto check and gdi32 detection.
	- unbound.exe works to resolve and validate www.nlnetlabs.nl on vista.

16 June 2008: Wouter
	- on windows, use windows threads, mutex and thread-local-storage(Tls).
	- detect if openssl needs gdi32.
	- if no threading, THREADS_DISABLED is defined for use in the code.
	- sets USE_WINSOCK if using ws2_32 on windows.
	- wsa_strerror() function for more readable errors.
	- WSA Startup and Cleanup called in unbound.exe.

13 June 2008: Wouter
	- port mingw32, more signal ifdefs, detect sleep, usleep, 
	  random, srandom (used inside the tests).
	- signed or unsigned FD_SET is cast.

10 June 2008: Wouter
	- fixup warnings compiling on eeepc xandros linux.

9 June 2008: Wouter
	- in iteration response type code
	  * first check for SOA record (negative answer) before NS record
	    and lameness.
	  * check if no AA bit for non-forwarder, and thus lame zone.
	    In response to error report by Richard Doty for mail.opusnet.com.
	- fixup unput warning from lexer on freeBSD.
	- bug#183. pidfile, rundir, and chroot configure options. Also the
	  example.conf and manual pages get the configured defaults.
	  You can use: (or accept the defaults to /usr/local/etc/unbound/)
	  --with-conf-file=filename
	  --with-pidfile=filename
	  --with-run-dir=path
	  --with-chroot-dir=path

8 June 2008: Wouter
	- if multiple CNAMEs, use the first one. Fixup akamai CNAME bug.
	  Reported by Robert Edmonds.
	- iana port updated.

4 June 2008: Wouter
	- updated libtool files with newer version.
	- iana portlist updated.

3 June 2008: Wouter
	- fixup local-zone: "30.172.in-addr.arpa." nodefault, so that the
	  trailing dot is not used during comparison.

2 June 2008: Wouter
	- Jelte fixed bugs in my absence
	  - bug 178: fixed unportable shell usage in configure (relied on 
	    bash shell).
	  - bug 180: fixed buffer overflow in unbound-checkconf use of strncat.
	  - bug 181: fixed buffer overflow in ldns (called by unbound to parse
	    config file parts).
	- fixes by Wouter
	  - bug 177: fixed compilation failure on opensuse, the 
	    --disable-static configure flag caused problems.  (Patch from 
	    Klaus Singvogel)
	  - bug 179: same fix as 177.
	  - bug 185: --disable-shared not passed along to ldns included with 
	    unbound. Fixed so that configure parameters are passed to the
	    subdir configure script.
	    fixed that ./libtool is used always, you can still override
	    manually with ./configure libtool=mylibtool or set $libtool in
	    the environment.
	- update of the ldns tarball to current ldns svn version (fix 181).
	- bug 184: -r option for unbound-host, read resolv.conf for 
	  forwarder. (Note that forwarder must support DNSSEC for validation
	  to succeed).

23 May 2008: Wouter
	- mingw32 porting.
	  - test for sys/wait.h
	  - WSAEWOULDBLOCK test after nonblocking TCP connect.
	  - write_iov_buffer removed: unused and no struct iov on windows.
	  - signed/unsigned warning fixup mini_event.
	  - use ioctlsocket to set nonblocking I/O if fnctl is unavailable.
	  - skip signals that are not defined
	  - detect pwd.h.
	  - detect getpwnam, getrlimit, setsid, sbrk, chroot.
	  - default config has no chroot if chroot() unavailable.
	  - if no kill() then no pidfile is read or written.
	  - gmtime_r is replaced by nonthreadsafe alternative if unavail.
	    used in rrsig time validation errors.

22 May 2008: Wouter
	- contrib unbound.spec from Patrick Vande Walle.
	- fixup bug#175: call tzset before chroot to have correct timestamps
	  in system log.
	- do not generate lex input and lex unput functions.
	- mingw port. replacement functions labelled _unbound.
	- fix bug 174 - check for tcp_sigpipe that ldns-testns is installed.

19 May 2008: Wouter
	- fedora 9, check in6_pktinfo define in configure.
	- CREDITS fixup of history.
	- ignore ldns-1.2.2 if installed, use builtin 1.3.0-pre alternative.

16 May 2008: Wouter
	- fixup for MacOSX hosts file reading (reported by John Dickinson).
	- created 1.0.0 svn tag.
	- trunk version 1.0.1.

14 May 2008: Wouter
	- accepted patch from Ondrej Sury for library version libtool option.
	- configure --disable-rpath fixes up libtool for rpath trouble.
	  Adapted from debian package patch file.

13 May 2008: Wouter
	- Added root ipv6 addresses to builtin root hints.
	- TODO modified for post 1.0 plans.
	- trunk version set to 1.0.0.
	- no unnecessary linking with librt (only when libevent/libev used).

7 May 2008: Wouter
	- fixup no-ip4 problem with error callback in outside network.

25 April 2008: Wouter
	- DESTDIR is honored by the Makefile for rpms.
	- contrib files unbound.spec and unbound.init, builds working RPM
	  on FC7 Linux, a chrooted caching resolver, and libunbound.
	- iana ports update.

24 April 2008: Wouter
	- chroot checks improved. working directory relative to chroot.
	  checks if config file path is inside chroot. Documentation on it.
	- nicer example.conf text.
	- created 0.11 tag.

23 April 2008: Wouter
	- parseunbound.pl contrib update from Kai Storbeck for threads.
	- iana ports update

22 April 2008: Wouter
	- ignore SIGPIPE.
	- unit test for SIGPIPE ignore.

21 April 2008: Wouter
	- FEATURES document.
	- fixup reread of config file if it was given as a full path
	  and chroot was used.

16 April 2008: Wouter
	- requirements doc, updated clean query returns.
	- parseunbound.pl update from Kai Storbeck.
	- sunos4 porting changes.

15 April 2008: Wouter
	- fixup default rc.d pidfile location to /usr/local/etc.
	- iana ports updated.
	- copyright updated in ldns-testpkts to keep same as in ldns.
	- fixup checkconf chroot tests a bit more, chdir must be inside
	  chroot dir.
	- documented 'gcc: unrecognized -KPIC option' errors on Solaris.
	- example.conf values changed to /usr/local/etc/unbound
	- DSA test work.
	- DSA signatures: unbound is compatible with both encodings found.
	  It will detect and convert when necessary.

14 April 2008: Wouter
	- got update for parseunbound.pl statistics script from Kai Storbeck.
	- tpkg tests for udp wait list.
	- documented 0x20 status.
	- fixup chroot and checkconf, it is much smarter now.
	- fixup DSA EVP signature decoding. Solution that Jelte found copied.
	- and check first sig byte for the encoding type.

11 April 2008: Wouter
	- random port selection out of the configged ports.
	- fixup threadsafety for libevent-1.4.3+ (event_base_get_method).
	- removed base_port.
	- created 256-port ephemeral space for the OS, 59802 available.
	- fixup consistency of port_if out array during heavy use.

10 April 2008: Wouter
	- --with-libevent works with latest libevent 1.4.99-trunk.
	- added log file statistics perl script to contrib.
	- automatic iana ports update from makefile. 60058 available.

9 April 2008: Wouter
	- configure can detect libev(from its build directory) when passed
	  --with-libevent=/home/wouter/libev-3.2
	  libev-3.2 is a little faster than libevent-1.4.3-stable (about 5%).
	- unused commpoints not listed in epoll list.
	- statistics-cumulative option so that the values are not reset.
	- config creates array of available ports, 61841 available,
	  it excludes <1024 and iana assigned numbers.
	  config statements to modify the available port numbers.

8 April 2008: Wouter
	- unbound tries to set the ulimit fds when started as server.
	  if that does not work, it will scale back its requirements.

27 March 2008: Wouter
	- documented /dev/random symlink from chrootdir as FAQ entry.

26 March 2008: Wouter
	- implemented AD bit signaling. If a query sets AD bit (but not DO)
	  then the AD bit is set in the reply if the answer validated.
	  Without including DNSSEC signatures. Useful if you have a trusted
	  path from the client to the resolver. Follows dnssec-updates draft.

25 March 2008: Wouter
	- implemented check that for NXDOMAIN and NOERROR answers a query
	  section must be present in the reply (by the scrubber). And it must
	  be equal to the question sent, at least lowercase folded.
	  Previously this feature happened because the cache code refused
	  to store such messages. However blocking by the scrubber makes 
	  sure nothing gets into the RRset cache. Also, this looks like a
	  timeout (instead of an allocation failure) and this retries are
	  done (which is useful in a spoofing situation).
	- RTT banding. Band size 400 msec, this makes band around zero (fast)
	  include unknown servers. This makes unbound explore unknown servers.

7 March 2008: Wouter
	- -C config feature for harvest program. 
	- harvest handles CNAMEs too.

5 March 2008: Wouter
	- patch from Hugo Koji Kobayashi for iterator logs spelling.

4 March 2008: Wouter
	- From report by Jinmei Tatuya, rfc2181 trust value for remainder
	  of a cname trust chain is lower; not full answer_AA. 
	- test for this fix.
	- default config file location is /usr/local/etc/unbound.
	  Thus prefix is used to determine the location. This is also the
	  chroot and pidfile default location.

3 March 2008: Wouter
	- Create 0.10 svn tag.
	- 0.11 version in trunk.
	- indentation nicer.

29 February 2008: Wouter
	- documentation update.
	- fixup port to Solaris of perf test tool.
	- updated ldns-tarball with decl-after-statement fixes.

28 February 2008: Wouter
	- fixed memory leaks in libunbound (during cancellation and wait).
	- libunbound returns the answer packet in full.
	- snprintf compat update.
	- harvest performs lookup.
	- ldns-tarball update with fix for ldns_dname_label.
	- installs to sbin by default.
	- install all manual pages (unbound-host and libunbound too).

27 February 2008: Wouter
	- option to use caps for id randomness.
	- config file option use-caps-for-id: yes
	- harvest debug tool

26 February 2008: Wouter
	- delay utility delays TCP as well. If the server that is forwarded 
	  to has a TCP error, the delay utility closes the connection.
	- delay does REUSE_ADDR, and can handle a server that closes its end.
	- answers use casing from query.

25 February 2008: Wouter
	- delay utility works. Gets decent thoughput too (>20000).

22 February 2008: Wouter
	- +2% for recursions, if identical queries (except for destination
	  and query ID) in the reply list, avoid re-encoding the answer.
	- removed TODO items for optimizations that do not show up in
	  profile reports.
	- default is now minievent - not libevent. As its faster and
	  not needed for regular installs, only for very large port ranges.
	- loop check different speedup pkt-dname-reading, 1% faster for
	  nocache-recursion check.
	- less hashing during msg parse, 4% for recursion.
	- small speed fix for dname_count_size_labels, +1 or +2% recursion.
	- some speed results noted:
	  optimization resulted in +40% for recursion (cache miss) and
	  +70 to +80 for cache hits, and +96% for version.bind.
	  zone nsec3 example, 100 NXDOMAIN queries, NSD 35182.8 Ub 36048.4
	  www.nlnetlabs.nl from cache: BIND 8987.99 Ub 31218.3
	  www with DO bit set : BIND 8269.31 Ub 28735.6 qps.
	  So, unbound can be about equal qps to NSD in cache hits.
	  And about 3.4x faster than BIND in cache performance.
	- delay utility for testing.

21 February 2008: Wouter
	- speedup of root-delegation message encoding by 15%.
	- minor speedup of compress tree_lookup, maybe 1%.
	- speedup of dname_lab_cmp and memlowercmp - the top functions in 
	  profiler output, maybe a couple percent when it matters.

20 February 2008: Wouter
	- setup speec_cache for need-ldns-testns in dotests.
	- check number of queued replies on incoming queries to avoid overload
	  on that account.
	- fptr whitelist checks are not disabled in optimize mode.
	- do-daemonize config file option.
	- minievent time share initializes time at start.
	- updated testdata for nsec3 new algorithm numbers (6, 7).
	- small performance test of packet encoding (root delegation).

19 February 2008: Wouter
	- applied patch to unbound-host man page from Jan-Piet Mens.
	- fix donotquery-localhost: yes default (it erroneously was switched
	  to default 'no').
	- time is only gotten once and the value is shared across unbound.
	- unittest cleans up crypto, so that it has no memory leaks.
	- mini_event shares the time value with unbound this results in 
	  +3% speed for cache responses and +9% for recursions.
	- ldns tarball update with new NSEC3 sign code numbers.
	- perform several reads per UDP operation. This improves performance
	  in DoS conditions, and costs very little in normal conditions.
	  improves cache response +50%, and recursions +10%.
	- modified asynclook test. because the callback from async is not
	  in any sort of lock (and thus can use all library functions freely),
	  this causes a tiny race condition window when the last lock is 
	  released for a callback and a new cancel() for that callback.
	  The only way to remove this is by putting callbacks into some 
	  lock window. I'd rather have the small possibility of a callback
	  for a cancelled function then no use of library functions in 
	  callbacks. Could be possible to only outlaw process(), wait(),
	  cancel() from callbacks, by adding another lock, but I'd rather not.

18 February 2008: Wouter
	- patch to unbound-host from Jan-Piet Mens.
	- unbound host prints errors if fails to configure context.
	- fixup perf to resend faster, so that long waiting requests do
	  not hold up the queue, they become lost packets or SERVFAILs,
	  or can be sent a little while later (i.e. processing time may 
	  take long, but throughput has to be high).
	- fixup iterator operating in no cache conditions (RD flag unset
	  after a CNAME).
	- streamlined code for RD flag setting.
	- profiled code and changed dname compares to be faster. 
	  The speedup is about +3% to +8% (depending on the test).
	- minievent tests for eintr and eagain.

15 February 2008: Wouter
	- added FreeBSD rc.d script to contrib.
	- --prefix option for configure also changes directory: pidfile:
	  and chroot: defaults in config file.
	- added cache speed test, for cache size OK and cache too small.

14 February 2008: Wouter
	- start without a config file (will complain, but start with
	  defaults).
	- perf test program works.

13 February 2008: Wouter
	- 0.9 released.
	- 1.0 development. Printout ldns version on unbound -h.
	- start of perf tool.
	- bugfix to read empty lines from /etc/hosts.

12 February 2008: Wouter
	- fixup problem with configure calling itself if ldns-src tarball
	  is not present.

11 February 2008: Wouter
	- changed library to use ub_ instead of ub_val_ as prefix.
	- statistics output text nice.
	- etc/hosts handling.
	- library function to put logging to a stream.
	- set any option interface.

8 February 2008: Wouter
	- test program for multiple queries over a TCP channel.
	- tpkg test for stream tcp queries.
	- unbound replies to multiple TCP queries on a TCP channel.
	- fixup misclassification of root referral with NS in answer
	  when validating a nonrec query.
	- tag 0.9
	- layout of manpages, spelling fix in header, manpages process by
	  makedist, list asynclook and tcpstream tests as ldns-testns
	  required.

7 February 2008: Wouter
	- moved up all current level 2 to be level 3. And 3 to 4.
	  to make room for new debug level 2 for detailed information 
	  for operators.
	- verbosity level 2. Describes recursion and validation.
	- cleaner configure script and fixes for libevent solaris.
	- signedness for log output memory sizes in high verbosity.

6 February 2008: Wouter
	- clearer explanation of threading configure options.
	- fixup asynclook test for nothreading (it creates only one process
	  to do the extended test).
	- changed name of ub_val_result_free to ub_val_resolve_free.
	- removes warning message during library linking, renamed
	  libunbound/unbound.c -> libunbound.c and worker to libworker.
	- fallback without EDNS if result is NOTIMPL as well as on FORMERR.

5 February 2008: Wouter
	- statistics-interval: seconds option added.
	- test for statistics option
	- ignore errors making directories, these can occur in parallel builds
	- fixup Makefile strip command and libunbound docs typo.

31 January 2008: Wouter
	- bg thread/process reads and writes the pipe nonblocking all the time
	  so that even if the pipe is buffered or so, the bg thread does not
	  block, and services both pipes and queries.

30 January 2008: Wouter
	- check trailing / on chrootdir in checkconf.
	- check if root hints and anchor files are in chrootdir.
	- no route to host tcp error is verbosity level 2. 
	- removed unused send_reply_iov. and its configure check.
	- added prints of 'remote address is 1.2.3.4 port 53' to errors
	  from netevent; the basic socket errors.

28 January 2008: Wouter
	- fixup uninit use of buffer by libunbound (query id, flags) for
	  local_zone answers.
	- fixup uninit warning from random.c; also seems to fix sporadic
	  sigFPE coming out of openssl.
	- made openssl entropy warning more silent for library use. Needs
	  verbosity 1 now.
	- fixup forgotten locks for rbtree_searches on ctx->query tree.
	- random generator cleanup - RND_STATE_SIZE removed, and instead
	  a super-rnd can be passed at init to chain init random states.
	- test also does lock checks if available.
	- protect config access in libworker_setup().
	- libevent doesn't like comm_base_exit outside of runloop.
	- close fds after removing commpoints only (for epoll, kqueue).

25 January 2008: Wouter
	- added tpkg for asynclook and library use. 
	- allows localhost to be queried when as a library.
	- fixup race condition between cancel and answer (in case of
	  really fast answers that beat the cancel).
	- please doxygen, put doxygen comment in one place.
	- asynclook -b blocking mode and test.
	- refactor asynclook, nicer code.
	- fixup race problems from opensll in rand init from library, with
	  a mutex around the rand init.
	- fix pass async_id=NULL to _async resolve().
	- rewrote _wait() routine, so that it is threadsafe.
	- cancelation is threadsafe.
	- asynclook extended test in tpkg.
	- fixed two races where forked bg process waits for (somehow shared?)
	  locks, so does not service the query pipe on the bg side.
	  Now those locks are only held for fg_threads and for bg_as_a_thread.

24 January 2008: Wouter
	- tested the cancel() function.
	- asynclook -c (cancel) feature.
	- fix fail to allocate context actions.
	- make pipe nonblocking at start.
	- update plane for retry mode with caution to limit bandwidth.
	- fix Makefile for concurrent make of unbound-host.
	- renamed ub_val_ctx_wait/poll/process/fd to ub_val*.
	- new calls to set forwarding added to header and docs.

23 January 2008: Wouter
	- removed debug prints from if-auto, verb-algo enables some.
	- libunbound QUIT setup, remove memory leaks, when using threads
	  will share memory for passing results instead of writing it over
	  the pipe, only writes ID number over the pipe (towards the handler
	  thread that does process() ).

22 January 2008: Wouter
	- library code for async in libunbound/unbound.c.
	- fix link testbound.
	- fixup exit bug in mini_event.
	- background worker query enter and result functions.
	- bg query test application asynclook, it looks up multiple
	  hostaddresses (A records) at the same time.

21 January 2008: Wouter
	- libworker work, netevent raw commpoints, write_msg, serialize.

18 January 2008: Wouter
	- touch up of manpage for libunbound.
	- support for IP_RECVDSTADDR (for *BSD ip4).
	- fix for BSD, do not use ip4to6 mapping, make two sockets, once
	  ip6 and once ip4, uses socket options.
	- goodbye ip4to6 mapping.
	- update ldns-testpkts with latest version from ldns-trunk.
	- updated makedist for relative ldns pathnames.
	- library API with more information inside the result structure.
	- work on background resolves.

17 January 2008: Wouter
	- fixup configure in case -lldns is installed.
	- fixup a couple of doxygen warnings, about enum variables.
	- interface-automatic now copies the interface address from the
	  PKT_INFO structure as well.
	- manual page with library API, all on one page 'man libunbound'.
	- rewrite of PKTINFO structure, it also captures IP4 PKTINFO.

16 January 2008: Wouter
	- incoming queries to the server with TC bit on are replied FORMERR.
	- interface-automatic replied the wrong source address on localhost
	  queries. Seems to be due to ifnum=0 in recvmsg PKTINFO. Trying
	  to use ifnum=-1 to mean 'no interface, use kernel route'.

15 January 2008: Wouter
	- interface-automatic feature. experimental. Nice for anycast.
	- tpkg test for ip6 ancillary data.
	- removed debug prints.
	- porting experience, define for Solaris, test refined for BSD
	  compatibility. The feature probably will not work on OpenBSD.
	- makedist fixup for ldns-src in build-dir.

14 January 2008: Wouter
	- in no debug sets NDEBUG to remove asserts.
	- configure --enable-debug is needed for dependency generation
	  for assertions and for compiler warnings.
	- ldns.tgz updated with ldns-trunk (where buffer.h is updated).
	- fix lint, unit test in optimize mode.
	- default access control allows ::ffff:127.0.0.1 v6mapped localhost.
	
11 January 2008: Wouter
	- man page, warning removed.
	- added text describing the use of stub zones for private zones.
	- checkconf tests for bad hostnames (IP address), and for doubled
	  interface lines.
	- memory sizes can be given with 'k', 'Kb', or M or G appended.

10 January 2008: Wouter
	- typo in example.conf.
	- made using ldns-src that is included the package more portable
	  by linking with .lo instead of .o files in the ldns package.
	- nicer do-ip6: yes/no documentation.
	- nicer linking of libevent .o files.
	- man pages render correctly on solaris.

9 January 2008: Wouter
	- fixup openssl RAND problem, when the system is not configured to
	  give entropy, and the rng needs to be seeded.

8 January 2008: Wouter
	- print median and quartiles with extensive logging.

4 January 2008: Wouter
	- document misconfiguration in private network.

2 January 2008: Wouter
	- fixup typo in requirements.
	- document that 'refused' is a better choice than 'drop' for 
	  the access control list, as refused will stop retries.

7 December 2007: Wouter
	- unbound-host has a -d option to show what happens. This can help
	  with debugging (why do I get this answer).
	- fixup CNAME handling, on nodata, sets and display canonname.
	- dot removed from CNAME display.
	- respect -v for NXDOMAINs.
	- updated ldns-src.tar.gz with ldns-trunk today (1.2.2 fixes).
	- size_t to int for portability of the header file.
	- fixup bogus handling.
	- dependencies and lint for unbound-host.

6 December 2007: Wouter
	- library resolution works in foreground mode, unbound-host app
	  receives data.
	- unbound-host prints rdata using ldns.
	- unbound-host accepts trust anchors, and prints validation
	  information when you give -v.

5 December 2007: Wouter
	- locking in context_new() inside the function.
	- setup of libworker.

4 December 2007: Wouter
	- minor Makefile fixup.
	- moved module-stack code out of daemon/daemon into services/modstack,
	  preparing for code-reuse.
	- move context into own header file.
	- context query structure.
	- removed unused variable pwd from checkconf.
	- removed unused assignment from outside netw.
	- check timeval length of string.
	- fixup error in val_utils getsigner.
	- fixup same (*var) error in netblocktostr.
	- fixup memleak on parse error in localzone.
	- fixup memleak on packet parse error.
	- put ; after union in parser.y.
	- small hardening in iter_operate against iq==NULL.
	- hardening, if error reply with rcode=0 (noerror) send servfail.
	- fixup same (*var) error in find_rrset in msgparse, was harmless.
	- check return value of evtimer_add().
	- fixup lockorder in lruhash_reclaim(), building up a list of locked
	  entries one at a time. Instead they are removed and unlocked.
	- fptr_wlist for markdelfunc.
	- removed is_locked param from lruhash delkeyfunc.
	- moved bin_unlock during bin_split purely to please.

3 December 2007: Wouter
	- changed checkconf/ to smallapp/ to make room for more support tools.
	  (such as unbound-host).
	- install dirs created with -m 755 because they need to be accessible.
	- library extensive featurelist added to TODO.
	- please doxygen, lint.
	- library test application, with basic functionality.
	- fix for building in a subdirectory. 
	- link lib fix for Leopard.

30 November 2007: Wouter
	- makefile that creates libunbound.la, basic file or libunbound.a
	  when creating static executables (no libtool).
	- more API setup.

29 November 2007: Wouter
	- 0.9 public API start.

28 November 2007: Wouter
	- Changeup plan for 0.8 - no complication needed, a simple solution
	  has been chosen for authoritative features.
	- you can use single quotes in the config file, so it is possible
	  to specify TXT records in local data.
	- fixup small memory problem in implicit transparent zone creation.
	- test for implicit zone creation and multiple RR RRsets local data.
	- local-zone nodefault test.
	- show testbound testlist on commit.
	- iterator normalizer changes CNAME chains ending in NXDOMAIN where
	  the packet got rcode NXDOMAIN into rcode NOERROR. (since the initial
	  domain exists).
	- nicer verbosity: 0 and 1 levels.
	- lower nonRDquery chance of eliciting wrongly typed validation
	  requiring message from the cache.
	- fix for nonRDquery validation typing; nodata is detected when
	  SOA record in auth section (all validation-requiring nodata messages
	  have a SOA record in authority, so this is OK for the validator),
	  and NS record is needed to be a referral.
	- duplicate checking when adding NSECs for a CNAME, and test.
	- created svn tag 0.8, after completing testbed tests.

27 November 2007: Wouter
	- per suggestion in rfc2308, replaced default max-ttl value with 1 day.
	- set size of msgparse lookup table to 32, from 1024, so that its size
	  is below the 2048 regional large size threshold, and does not cause
	  a call to malloc when a message is parsed.
	- update of memstats tool to print number of allocation calls.
	  This is what is taking time (not space) and indicates the avg size
	  of the allocations as well. region_alloc stat is removed.

22 November 2007: Wouter
	- noted EDNS in-the-middle dropping trouble as a TODO.
	  At this point theoretical, no user trouble has been reported.
	- added all default AS112 zones.
	- answers from local zone content.
		* positive answer, the rrset in question
		* nodata answer (exist, but not that type).
		* nxdomain answer (domain does not exist).
		* empty-nonterminal answer.
		* But not: wildcard, nsec, referral, rrsig, cname/dname,
			or additional section processing, NS put in auth.
	- test for correct working of static and transparent and couple
	  of important defaults (localhost, as112, reverses). 
	  Also checks deny and refuse settings.
	- fixup implicit zone generation and AA bit for NXDOMAIN on localdata.

21 November 2007: Wouter
	- local zone internal data setup.

20 November 2007: Wouter
	- 0.8 - str2list config support for double string config options.
	- local-zone and local-data options, config storage and documentation.

19 November 2007: Wouter
	- do not downcase NSEC and RRSIG for verification. Follows 
	  draft-ietf-dnsext-dnssec-bis-updates-06.txt.
	- fixup leaking unbound daemons at end of tests.
	- README file updated.
	- nice libevent not found error.
	- README talks about gnu make.
	- 0.8: unit test for addr_mask and fixups for it.
	  and unit test for addr_in_common().
	- 0.8: access-control config file element.
	  and unit test rpl replay file.
	- 0.8: fixup address reporting from netevent.

16 November 2007: Wouter
	- privilege separation is not needed in unbound at this time.
	  TODO item marked as such.
	- created beta-0.7 branch for support.
	- tagged 0.7 for beta release.
	- moved trunk to 0.8 for 0.8(auth features) development.
	- 0.8: access control list setup.

15 November 2007: Wouter
	- review fixups from Jelte.

14 November 2007: Wouter
	- testbed script does not recreate configure, since its in svn now.
	- fixup checkconf test so that it does not test 
	  /etc/unbound/unbound.conf.
	- tag 0.6.

13 November 2007: Wouter
	- remove debug print.
	- fixup testbound exit when LIBEVENT_SIGNAL_PROBLEM exists.

12 November 2007: Wouter
	- fixup signal handling where SIGTERM could be ignored if a SIGHUP
	  arrives later on.
	- bugreports to unbound-bugs@nlnetlabs.nl
	- fixup testbound so it exits cleanly.
	- cleanup the caches on a reload, so that rrsetID numbers won't clash.

9 November 2007: Wouter
	- took ldns snapshot in repo.
	- default config file is /etc/unbound/unbound.conf.
	  If it doesn't exist, it is installed with the doc/example.conf file.
	  The file is not deleted on uninstall.
	- default listening is not all, but localhost interfaces.
	
8 November 2007: Wouter
	- Fixup chroot and drop user privileges.
	- new L root ip address in default hints.

1 November 2007: Wouter
	- Fixup of crash on reload, due to anchors in env not NULLed after
	  dealloc during deinit.
	- Fixup of chroot call. Happens after privileges are dropped, so
	  that checking the passwd entry still works.
	- minor touch up of clear() hashtable function.
	- VERB_DETAIL prints out what chdir, username, chroot is being done.
	- when id numbers run out, caches are cleared, as in design notes.
	  Tested with a mock setup with very few bits in id, it worked.
	- harden-dnssec-stripped: yes is now default. It insists on dnssec
	  data for trust anchors. Included tests for the feature.

31 October 2007: Wouter
	- cache-max-ttl config option.
	- building outside sourcedir works again.
	- defaults more secure:
		username: "unbound"
		chroot: "/etc/unbound"
	  The operator can override them to be less secure ("") if necessary.
	- fix horrible oversight in sorting rrset references in a message,
	  sort per reference key pointer, not on referencepointer itself.
	- pidfile: "/etc/unbound/unbound.pid" is now the default.
	- tests changed to reflect the updated default.
	- created hashtable clear() function that respects locks.

30 October 2007: Wouter
	- fixup assertion failure that relied on compressed names to be
	  smaller than uncompressed names. A packet from comrite.com was seen
	  to be compressed to a larger size. Added it as unit test.
	- quieter logging at low verbosity level for common tcp messages.
	- no greedy TTL update.

23 October 2007: Wouter
	- fixup (grand-)parent problem for dnssec-lameness detection.
	- fixup tests to do additional section processing for lame replies,
	  since the detection needs that.
	- no longer trust in query section in reply during dnssec lame detect.
	- dnssec lameness does not make the server never ever queried, but
	  non-preferred. If no other servers exist or answer, the dnssec lame
	  server is used; the fastest dnssec lame server is chosen.
	- added test then when trust anchor cannot be primed (nodata), the
	  insecure mode from unbound works.
	- Fixup max queries per thread, any more are dropped.

22 October 2007: Wouter
	- added donotquerylocalhost config option. Can be turned off for
	  out test cases.
	- ISO C compat changes.
	- detect RA-no-AA lameness, as LAME.
	- DNSSEC-lameness detection, as LAME.
	  See notes in requirements.txt for choices made.
	- tests for lameness detection.
	- added all to make test target; need unbound for fwd tests.
	- testbound does not pollute /etc/unbound.

19 October 2007: Wouter
	- added configure (and its files) to svn, so that the trunk is easier
	  to use. ./configure, config.guess, config.sub, ltmain.sh,
	  and config.h.in.
	- added yacc/lex generated files, util/configlexer.c, 
	  util/configparser.c util/configparser.h, to svn. 
	- without lex no attempt to use it.
	- unsecure response validation collated into one block.
	- remove warning about const cast of cfgfile name.
	- outgoing-interfaces can be different from service interfaces.
	- ldns-src configure is done during unbound configure and
	  ldns-src make is done during unbound make, and so inherits the
	  make arguments from the unbound make invocation.
	- nicer error when libevent problem causes instant exit on signal.
	- read root hints from a root hint file (like BIND does).
	  
18 October 2007: Wouter
	- addresses are logged with errors.
	- fixup testcode fake event to remove pending before callback
	  since the callback may create new pending items.
	- tests updated because retries are now in iterator module.
	- ldns-testpkts code is checked for differences between unbound
	  and ldns by makedist.sh.
	- ldns trunk from today added in svn repo for fallback in case
	  no ldns is installed on the system.
	  make download_ldns refreshes the tarball with ldns svn trunk.
	- ldns-src.tar.gz is used if no ldns is found on the system, and
	  statically linked into unbound.
	- start of regional allocator code.
	- regional uses less memory and variables, simplified code.
	- remove of region-allocator.
	- alloc cache keeps a cache of recently released regional blocks,
	  up to a maximum.
	- make unit test cleanly free memory.

17 October 2007: Wouter
	- fixup another cycle detect and ns-addr timeout resolution bug.
	  This time by refusing delegations from the cache without addresses
	  when resolving a mandatory-glue nameserver-address for that zone.
	  We're going to have to ask a TLD server anyway; might as well be
	  the TLD server for this name. And this resolves a lot of cases where
	  the other nameserver names lead to cycles or are not available.
	- changed random generator from random(3) clone to arc4random wrapped
	  for thread safety. The random generator is initialised with
	  entropy from the system.
	- fix crash where failure to prime DNSKEY tried to print null pointer
	  in the log message.
	- removed some debug prints, only verb_algo (4) enables them.
	- fixup test; new random generator took new paths; such as one 
	  where no scripted answer was available.
	- mark insecure RRs as insecure.
	- fixup removal of nonsecure items from the additional.
	- reduced timeout values to more realistic, 376 msec (262 msec has
	  90% of roundtrip times, 512 msec has 99% of roundtrip times.)
	- server selection failover to next server after timeout (376 msec).

16 October 2007: Wouter
	- no malloc in log_hex.
	- assertions around system calls.
	- protect against gethostname without ending zero.
	- ntop output is null terminated by unbound.
	- pidfile content null termination
	- various snprintf use sizeof(stringbuf) instead of fixed constant.
	- changed loopdetect % 8 with & 0x7 since % can become negative for
	  weird negative input and particular interpretation of integer math.
	- dname_pkt_copy checks length of result, to protect result buffers.
	  prints an error, this should not happen. Bad strings should have
	  been rejected earlier in the program.
	- remove a size_t underflow from msgreply size func.

15 October 2007: Wouter
	- nicer warning.
	- fix IP6 TCP, wrong definition check. With test package.
	- fixup the fact that the query section was not compressed to,
	  the code was there but was called by value instead of by reference.
	  And test for the case, uses xxd and nc.
	- more portable ip6 check for sockaddr types.

8 October 2007: Wouter
	- --disable-rpath option in configure for 64bit systems with
	  several dynamic lib dirs.

7 October 2007: Wouter
	- fixup tests for no AD bit in non-DO queries.
	- test that makes sure AD bit is not set on non-DO query.

6 October 2007: Wouter
	- removed logfile open early. It did not have the proper permissions;
	  it was opened as root instead of the user. And we cannot change user
	  id yet, since chroot and bind ports need to be done.
	- callback checks for event callbacks done from mini_event. Because
	  of deletions cannot do this from netevent. This means when using
	  libevent the protection does not work on event-callbacks.
	- fixup too small reply (did not zero counts).
	- fixup reply no longer AD bit when query without DO bit.

5 October 2007: Wouter
	- function pointer whitelist.

4 October 2007: Wouter
	- overwrite sensitive random seed value after use.
	- switch to logfile very soon if not -d (console attached).
	- error messages do not reveal the trustanchor contents.
	- start work on function pointer whitelists.

3 October 2007: Wouter
	- fix for multiple empty nonterminals, after multiple DSes in the
	  chain of trust.
	- mesh checks if modules are looping, and stops them.
	- refetch with CNAMEd nameserver address regression test added.
	- fixup line count bug in testcode, so testbound prints correct line
	  number with parse errors.
	- unit test for multiple ENT case.
	- fix for cname out of validated unsec zone.
	- fixup nasty id=0 reuse. Also added assertions to detect its
	  return (the assertion catches in the existing test cases).

1 October 2007: Wouter
	- skip F77, CXX, objC tests in configure step.
	- fixup crash in refetch glue after a CNAME.
	  and protection against similar failures (with error print).

28 September 2007: Wouter
	- test case for unbound-checkconf, fixed so it also checks the
	  interface: statements.

26 September 2007: Wouter
	- SIGHUP will reopen the log file.
	- Option to log to syslog.
	- please lint, fixup tests (that went to syslog on open, oops).
	- config check program.

25 September 2007: Wouter
	- tests for NSEC3. Fixup bitmap checks for NSEC3.
	- positive ANY response needs to check if wildcard expansion, and
	  check that original data did not exist.
	- tests for NSEC3 that wrong use of OPTOUT is bad. For insecure
	  delegation, for abuse of child zone apex nsec3.
	- create 0.5 release tag.

24 September 2007: Wouter
	- do not make test programs by default.
	- But 'make test' will perform all of the tests.
	- Advertise builtin select libevent alternative when no libevent
	  is found.
	- signit can generate NSEC3 hashes, for generating tests.
	- multiple nsec3 parameters in message test.
	- too high nsec3 iterations becomes insecure test.

21 September 2007: Wouter
	- fixup empty_DS_name allocated in wrong region (port DEC Alpha).
	- fixup testcode lock safety (port FreeBSD).
	- removes subscript has type char warnings (port Solaris 9).
	- fixup of field with format type to int (port MacOS/X intel).
	- added test for infinite loop case in nonRD answer validation.
	  It was a more general problem, but hard to reproduce. When an
	  unsigned rrset is being validated and the key fetched, the DS
	  sequence is followed, but if the final name has no DS, then no
	  proof is possible - the signature has been stripped off.

20 September 2007: Wouter
	- fixup and test for NSEC wildcard with empty nonterminals. 
	- makedist.sh fixup for svn info.
	- acl features request in plan.
	- improved DS empty nonterminal handling.
	- compat with ANS nxdomain for empty nonterminals. Attempts the nodata
	  proof anyway, which succeeds in ANS failure case.
	- striplab protection in case it becomes -1.
	- plans for static and blacklist config.

19 September 2007: Wouter
	- comments about non-packed usage.
	- plan for overload support in 0.6.
	- added testbound tests for a failed resolution from the logs
	  and for failed prime when missing glue.
	- fixup so useless delegation points are not returned from the
	  cache. Also the safety belt is used if priming fails to complete.
	- fixup NSEC rdata not to be lowercased, bind compat.

18 September 2007: Wouter
	- wildcard nsec3 testcases, and fixup to get correct wildcard name.
	- validator prints subtype classification for debug.

17 September 2007: Wouter
	- NSEC3 hash cache unit test.
	- validator nsec3 nameerror test.

14 September 2007: Wouter
	- nsec3 nodata proof, nods proof, wildcard proof.
	- nsec3 support for cname chain ending in noerror or nodata.
	- validator calls nsec3 proof routines if no NSECs prove anything.
	- fixup iterator bug where it stored the answer to a cname under
	  the wrong qname into the cache. When prepending the cnames, the
	  qname has to be reset to the original qname.

13 September 2007: Wouter
	- nsec3 find matching and covering, ce proof, prove namerror msg.

12 September 2007: Wouter
	- fixup of manual page warnings, like for NSD bugreport.
	- nsec3 work, config, max iterations, filter, and hash cache. 

6 September 2007: Wouter
	- fixup to find libevent on mac port install.
	- fixup size_t vs unsigned portability in validator/sigcrypt.
	- please compiler on different platforms, for unreachable code.
	- val_nsec3 file.
	- pthread_rwlock type is optional, in case of old pthread libs.

5 September 2007: Wouter
	- cname, name error validator tests.
	- logging of qtype ANY works.
	- ANY type answers get RRSIG in answer section of replies (but not
	  in other sections, unless DO bit is on).
	- testbound can replay a TCP query (set MATCH TCP in the QUERY).
	- DS and noDS referral validation test.
	- if you configure many trust anchors, parent trust anchors can
	  securely deny existence of child trust anchors, if validated.
	- not all *.name NSECs are present because a wildcard was matched,
	  and *.name NSECs can prove nodata for empty nonterminals.
	  Also, for wildcard name NSECs, check they are not from the parent
	  zone (for wildcarded zone cuts), and check absence of CNAME bit,
	  for a nodata proof.
	- configure option for memory allocation debugging.
	- port configure option for memory allocation to solaris10.

4 September 2007: Wouter
	- fixup of Leakage warning when serviced queries processed multiple
	  callbacks for the same query from the same server.
	- testbound removes config file from /tmp on failed exit.
	- fixup for referral cleanup of the additional section.
	- tests for cname, referral validation.
	- neater testbound tpkg output.
	- DNAMEs no longer match their apex when synthesized from the cache.
	- find correct signer name for DNAME responses.
	- wildcarded DNAME test and fixup code to detect.
	- prepend NSEC and NSEC3 rrsets in the iterator while chasing CNAMEs.
	  So that wildcarded CNAMEs get their NSEC with them to the answer.
	- test for a CNAME to a DNAME to a CNAME to an answer, all from
	  different domains, for key fetching and signature checking of
	  CNAME'd messages.

3 September 2007: Wouter
	- Fixed error in iterator that would cause assertion failure in 
	  validator. CNAME to a NXDOMAIN response was collated into a response
	  with both a CNAME and the NXDOMAIN rcode. Added a test that the
	  rcode is changed to NOERROR (because of the CNAME).
	- timeout on tcp does not lead to spurious leakage detect.
	- account memory for name of lame zones, so that memory leakages does
	  not show lame cache growth as a leakage growth.
	- config setting for lameness cache expressed in bytes, instead of
	  number of entries.
	- tool too summarize allocations per code line.

31 August 2007: Wouter
	- can read bind trusted-keys { ... }; files, in a compatibility mode. 
	- iterator should not detach target queries that it still could need.
	  the protection against multiple outstanding queries is moved to a
	  current_query num check.
	- validator nodata, positive, referral tests.
	- dname print can print '*' wildcard.

30 August 2007: Wouter
	- fixup override date config option.
	- config options to control memory usage.
	- caught bad free of un-alloced data in worker_send error case.
	- memory accounting for key cache (trust anchors and temporary cache).
	- memory accounting fixup for outside network tcp pending waits.
	- memory accounting fixup for outside network tcp callbacks.
	- memory accounting for iterator fixed storage.
	- key cache size and slabs config options.
	- lib crypto cleanups at exit. 

29 August 2007: Wouter
	- test tool to sign rrsets for testing validator with.
	- added RSA and DSA test keys, public and private pairs, 512 bits.
	- default configuration is with validation enabled.
	  Only a trust-anchor needs to be configured for DNSSEC to work.
	- do not convert to DER for DSA signature verification.
	- validator replay test file, for a DS to DNSKEY DSA key prime and
	  positive response.

28 August 2007: Wouter
	- removed double use for udp buffers, that could fail,
	  instead performs a malloc to do the backup.
	- validator validates referral messages, by validating all the rrsets
	  and stores the rrsets in the cache. Further referral (nonRD queries)
	  replies are made from the rrset cache directly. Unless unchecked
	  rrsets are encountered, there are then validated.
	- enforce that signing is done by a parent domain (or same domain).
	- adjust TTL downwards if rrset TTL bigger than signature allows.
	- permissive mode feature, sets AD bit for secure, but bogus does
	  not give servfail (bogus is changed into indeterminate).
	- optimization of rrset verification. rr canonical sorting is reused,
	  for the same rrset. canonical rrset image in buffer is reused for
	  the same signature.
	- if the rrset is too big (64k exactly + large owner name) the
	  canonicalization routine will fail if it does not fit in buffer.
	- faster verification for large sigsets.
	- verb_detail mode reports validation failures, but not the entire
	  algorithm for validation. Key prime failures are reported as 
	  verb_ops level.

27 August 2007: Wouter
	- do not garble the edns if a cache answer fails.
	- answer norecursive from cache if possible.
	- honor clean_additional setting when returning secure non-recursive
	  referrals.
	- do not store referral in msg cache for nonRD queries.
	- store verification status in the rrset cache to speed up future
	  verification.
	- mark rrsets indeterminate and insecure if they are found to be so.
	  and store this in the cache.

24 August 2007: Wouter
	- message is bogus if unsecure authority rrsets are present.
	- val-clean-additional option, so you can turn it off.
	- move rrset verification out of the specific proof types into one
	  routine. This makes the proof routines prettier.
	- fixup cname handling in validator, cname-to-positive and cname-to-
	  nodata work.
	- Do not synthesize DNSKEY and DS responses from the rrset cache if
	  the rrset is from the additional section. Signatures may have
	  fallen off the packet, and cause validation failure.
	- more verbose signature date errors (with the date attached).
	- increased default infrastructure cache size. It is important for
	  performance, and 1000 entries are only 212k (or a 400 k total cache
	  size). To 10000 entries (for 2M entries, 4M cache size).

23 August 2007: Wouter
	- CNAME handling - move needs_validation to before val_new().
	  val_new() setups the chase-reply to be an edited copy of the msg.
	  new classification, and find signer can find for it. 
	  removal of unsigned crap from additional, and query restart for
	  cname.
	- refuse to follow wildcarded DNAMEs when validating.
	  But you can query for qtype ANY, or qtype DNAME and validate that.

22 August 2007: Wouter
	- bogus TTL.
	- review - use val_error().

21 August 2007: Wouter
	- ANY response validation.
	- store security status in cache.
	- check cache security status and either send the query to be
	  validated, return the query to client, or send servfail to client.
	  Sets AD bit on validated replies.
	- do not examine security status on an error reply in mesh_done.
	- construct DS, DNSKEY messages from rrset cache.
	- manual page entry for override-date.

20 August 2007: Wouter
	- validate and positive validation, positive wildcard NSEC validation.
	- nodata validation, nxdomain validation.

18 August 2007: Wouter
	- process DNSKEY response in FINDKEY state.

17 August 2007: Wouter
	- work on DS2KE routine.
	- val_nsec.c for validator NSEC proofs.
	- unit test for NSEC bitmap reading.
	- dname iswild and canonical_compare with unit tests.

16 August 2007: Wouter
	- DS sig unit test.
	- latest release libevent 1.3c and 1.3d have threading fixed.
	- key entry fixup data pointer and ttl absolute.
	- This makes a key-prime succeed in validator, with DS or DNSKEY as
	  trust-anchor.
	- fixup canonical compare byfield routine, fix bug and also neater.
	- fixed iterator response type classification for queries of type
	  ANY and NS.
	  dig ANY gives sometimes NS rrset in AN and NS section, and parser
	  removes the NS section duplicate. dig NS gives sometimes the NS
	  in the answer section, as referral.
	- validator FINDKEY state.

15 August 2007: Wouter
	- crypto calls to verify signatures.
	- unit test for rrsig verification.

14 August 2007: Wouter
	- default outgoing ports changed to avoid port 2049 by default.
	  This port is widely blocked by firewalls.
	- count infra lameness cache in memory size.
	- accounting of memory improved
	- outbound entries are allocated in the query region they are for.
	- extensive debugging for memory allocations.
	- --enable-lock-checks can be used to enable lock checking.
	- protect undefs in config.h from autoheaders ministrations.
	- print all received udp packets. log hex will print on multiple
	  lines if needed.
	- fixed error in parser with backwards rrsig references.
	- mark cycle targets for iterator did not have CD flag so failed
	  its task.

13 August 2007: Wouter
	- fixup makefile, if lexer is missing give nice error and do not
	  mess up the dependencies.
	- canonical compare routine updated.
	- canonical hinfo compare.
	- printout list of the queries that the mesh is working on.

10 August 2007: Wouter
	- malloc and free overrides that track total allocation and frees.
	  for memory debugging.
	- work on canonical sort.

9 August 2007: Wouter
	- canonicalization, signature checks
	- dname signature label count and unit test.
	- added debug heap size print to memory printout.
	- typo fixup in worker.c
	- -R needed on solaris.
	- validator override option for date check testing.

8 August 2007: Wouter
	- ldns _raw routines created (in ldns trunk).
	- sigcrypt DS digest routines
	- val_utils uses sigcrypt to perform signature cryptography.
	- sigcrypt keyset processing

7 August 2007: Wouter
	- security status type.
	- security status is copied when rdata is equal for rrsets.
	- rrset id is updated to invalidate all the message cache entries
	  that refer to NSEC, NSEC3, DNAME rrsets that have changed.
	- val_util work
	- val_sigcrypt file for validator signature checks.

6 August 2007: Wouter
	- key cache for validator.
	- moved isroot and dellabel to own dname routines, with unit test.

3 August 2007: Wouter
	- replanning.
	- scrubber check section of lame NS set.
	- trust anchors can be in config file or read from zone file,
	  DS and DNSKEY entries.
	- unit test trust anchor storage.
	- trust anchors converted to packed rrsets.
	- key entry definition.

2 August 2007: Wouter
	- configure change for latest libevent trunk version (needs -lrt).
	- query_done and walk_supers are moved out of module interface.
	- fixup delegation point duplicates.
	- fixup iterator scrubber; lame NS set is let through the scrubber
	  so that the classification is lame.
	- validator module exists, and does nothing but pass through,
	  with calling of next module and return.
	- validator work.

1 August 2007: Wouter
	- set version to 0.5
	- module work for module to module interconnections.
	- config of modules.
	- detect cycle takes flags.

31 July 2007: Wouter
	- updated plan
	- release 0.4 tag.

30 July 2007: Wouter
	- changed random state init, so that sequential process IDs are not
	  cancelled out by sequential thread-ids in the random number seed.
	- the fwd_three test, which sends three queries to unbound, and 
	  unbound is kept waiting by ldns-testns for 3 seconds, failed
	  because the retry timeout for default by unbound is 3 seconds too,
	  it would hit that timeout and fail the test. Changed so that unbound
	  is kept waiting for 2 seconds instead.

27 July 2007: Wouter
	- removed useless -C debug option. It did not work.
	- text edit of documentation.
	- added doc/CREDITS file, referred to by the manpages.
	- updated planning.

26 July 2007: Wouter
	- cycle detection, for query state dependencies. Will attempt to
	  circumvent the cycle, but if no other targets available fails.
	- unit test for AXFR, IXFR response.
	- test for cycle detection.

25 July 2007: Wouter
	- testbound read ADDRESS and check it.
	- test for version.bind and friends.
	- test for iterator chaining through several referrals.
	- test and fixup for refetch for glue. Refetch fails if glue
	  is still not provided.

24 July 2007: Wouter
	- Example section in config manual.
	- Addr stored for range and moment in replay.

20 July 2007: Wouter
	- Check CNAME chain before returning cache entry with CNAMEs.
	- Option harden-glue, default is on. It will discard out of zone
	  data. If disabled, performance is faster, but spoofing attempts
	  become a possibility. Note that still normalize scrubbing is done,
	  and that the potentially spoofed data is used for infrastructure
	  and not returned to the client.
	- if glue times out, refetch by asking parent of delegation again.
	  Much like asking for DS at the parent side.
	- TODO items from forgery-resilience draft.
	  and on memory handling improvements.
	- renamed module_event_timeout to module_event_noreply.
	- memory reporting code; reports on memory usage after handling
	  a network packet (not on cache replies).

19 July 2007: Wouter
	- shuffle NS selection when getting nameserver target addresses.
	- fixup of deadlock warnings, yield cpu in checklock code so that
	  freebsd scheduler selects correct process to run.
	- added identity and version config options and replies.
	- store cname messages complete answers.

18 July 2007: Wouter
	- do not query addresses, 127.0.0.1, and ::1 by default.

17 July 2007: Wouter
	- forward zone options in config file.
	- forward per zone in iterator. takes precedence over stubs.
	- fixup commithooks.
	- removed forward-to and forward-to-port features, subsumed by
	  new forward zones.
	- fix parser to handle absent server: clause.
	- change untrusted rrset test to account for scrubber that is now
	  applied during the test (which removes the poison, by the way).
	- feature, addresses can be specified with @portnumber, like nsd.conf.
	- test config files changed over to new forwarder syntax.

27 June 2007: Wouter
	- delete of mesh does a postorder traverse of the tree.
	- found and fixed a memory leak. For TTL=0 messages, that would
	  not be cached, instead the msg-replyinfo structure was leaked.
	- changed server selection so it will filter out hosts that are
	  unresponsive. This is defined as a host with the maximum rto value.
	  This means that unbound tried the host for retries up to 120 secs.
	  The rto value will time out after host-ttl seconds from the cache.
	  This keeps such unresolvable queries from taking up resources.
	- utility for keeping histogram.

26 June 2007: Wouter
	- mesh is called by worker, and iterator uses it.
	  This removes the hierarchical code.
	  QueryTargets state and Finished state are merged for iterator.
	- forwarder mode no longer sets AA bit on first reply.
	- rcode in walk_supers is not needed.

25 June 2007: Wouter
	- more mesh work.
	- error encode routine for ease.

22 June 2007: Wouter
	- removed unused _node iterator value from rbtree_t. Takes up space.
	- iterator can handle querytargets state without a delegation point
	  set, so that a priming(stub) subquery error can be handled.
	- iterator stores if it is priming or not.
	- log_query_info() neater logging.
	- changed iterator so that it does not alter module_qstate.qinfo
	  but keeps a chase query info. Also query_flags are not altered,
	  the iterator uses chase_flags.
	- fixup crash in case no ports for the family exist.

21 June 2007: Wouter
	- Fixup secondary buffer in case of error callback.
	- cleanup slumber list of runnable states.
	- module_subreq_depth fails to work in slumber list.
	- fixup query release for cached results to sub targets.
	- neater error for tcp connection failure, shows addr in verbose.
	- rbtree_init so that it can be used with preallocated memory.

20 June 2007: Wouter
	- new -C option to enable coredumps after forking away.
	- doc update.
	- fixup CNAME generation by scrubber, and memory allocation of it.
	- fixup deletion of serviced queries when all callbacks delete too.
	- set num target queries to 0 when you move them to slumber list.
	- typo in check caused subquery errors to be ignored, fixed.
	- make lint happy about rlim_t.
	- freeup of modules after freeup of module-states.
	- duplicate replies work, this uses secondary udp buffer in outnet.

19 June 2007: Wouter
	- nicer layout in stats.c, review 0.3 change.
	- spelling improvement, review 0.3 change.
	- uncapped timeout for server selection, so that very fast or slow
	  servers will stand out from the rest.
	- target-fetch-policy: "3 2 1 0 0" config setting.
	- fixup queries answered without RD bit (for root prime results).
	- refuse AXFR and IXFR requests.
	- fixup RD flag in error reply from iterator. fixup RA flag from
	  worker error reply.
	- fixup encoding of very short edns buffer sizes, now sets TC bit.
	- config options harden-short-bufsize and harden-large-queries.

18 June 2007: Wouter
	- same, move subqueries to slumber list when first has resolved.
	- fixup last fix for duplicate callbacks.
	- another offbyone in targetcounter. Also in Java prototype by the way.

15 June 2007: Wouter
	- if a query asks to be notified of the same serviced query result
	  multiple times, this will succeed. Only one callback will happen;
	  multiple outbound-list entries result (but the double cleanup of it
	  will not matter).
	- when iterator moves on due to CNAME or referral, it will remove
	  the subqueries (for other targets). These are put on the slumber
	  list.
	- state module wait subq is OK with no new subqs, an old one may have
	  stopped, with an error, and it is still waiting for other ones.
	- if a query loops, halt entire query (easy way to clean up properly).

14 June 2007: Wouter
	- num query targets was > 0 , not >= 0 compared, so that fetch
	  policy of 0 did nothing.

13 June 2007: Wouter
	- debug option: configure --enable-static-exe for compile where
	  ldns and libevent are linked statically. Default is off.
	- make install and make uninstall. Works with static-exe and without.
	  installation of unbound binary and manual pages.
	- alignment problem fix on solaris 64.
	- fixup address in case of TCP error.

12 June 2007: Wouter
	- num target queries was set to 0 at a bad time. Default it to 0 and
	  increase as target queries are done.
	- synthesize CNAME and DNAME responses from the cache.
	- Updated doxygen config for doxygen 1.5.
	- aclocal newer version.
	- doxygen 1.5 fixes for comments (for the strict check on docs).

11 June 2007: Wouter
	- replies on TCP queries have the address field set in replyinfo,
	  for serviced queries, because the initiator does not know that
	  a TCP fallback has occured.
	- omit DNSSEC types from nonDO replies, except if qtype is ANY or
	  if qtype directly queries for the type (and then only show that
	  'unknown type' in the answer section).
	- fixed message parsing where rrsigs on their own would be put
	  in the signature list over the rrsig type.

7 June 2007: Wouter
	- fixup error in double linked list insertion for subqueries and
	  for outbound list of serviced queries for iterator module.
	- nicer printout of outgoing port selection. 
	- fixup cname target readout.
	- nicer debug output.
	- fixup rrset counts when prepending CNAMEs to the answer.
	- fixup rrset TTL for prepended CNAMEs.
	- process better check for looping modules, and which submodule to
	  run next.
	- subreq insertion code fixup for slumber list.
	- VERB_DETAIL, verbosity: 2 level gives short but readable output.
	  VERB_ALGO, verbosity: 3 gives extensive output.
	- fixup RA bit in cached replies.
	- fixup CNAME responses from the cache no longer partial response.
	- error in network send handled without leakage.
	- enable ip6 from config, and try ip6 addresses if available,
	  if ip6 is not connected, skips to next server.

5 June 2007: Wouter
	- iterator state finished.
	- subrequests without parent store in cache and stop.
	- worker slumber list for ongoing promiscuous queries.
	- subrequest error handling.
	- priming failure returns SERVFAIL.
	- priming gives LAME result, returns SERVFAIL.
	- debug routine to print dns_msg as handled by iterator.
	- memleak in config file stubs fixup.
	- more small bugs, in scrubber, query compare no ID for lookup,
	  in dname validation for NS targets.
	- sets entry.key for new special allocs.
	- lognametypeclass can display unknown types and classes.

4 June 2007: Wouter
	- random selection of equally preferred nameserver targets.
	- reply info copy routine. Reuses existing code.
	- cache lameness in response handling.
	- do not touch qstate after worker_process_query because it may have
	  been deleted by that routine.
	- Prime response state.
	- Process target response state.
	- some memcmp changed to dname_compare for case preservation.

1 June 2007: Wouter
	- normalize incoming messages. Like unbound-java, with CNAME chain
	  checked, DNAME checked, CNAME's synthesized, glue checked.
	- sanitize incoming messages.
	- split msgreply encode functions into own file msgencode.c.
	- msg_parse to queryinfo/replyinfo conversion more versatile.
	- process_response, classify response, delegpt_from_message. 

31 May 2007: Wouter
	- querytargets state.
	- dname_subdomain_c() routine.
	- server selection, based on RTT. ip6 is filtered out if not available,
	  and lameness is checked too.
	- delegation point copy routine.

30 May 2007: Wouter
	- removed FLAG_CD from message and rrset caches. This was useful for
	  an agnostic forwarder, but not for a sophisticated (trust value per
	  rrset enabled) cache.
	- iterator response typing.
	- iterator cname handle.
	- iterator prime start.
	- subquery work.
	- processInitRequest and processInitRequest2.
	- cache synthesizes referral messages, with DS and NSEC.
	- processInitRequest3.
	- if a request creates multiple subrequests these are all activated.

29 May 2007: Wouter
	- routines to lock and unlock array of rrsets moved to cache/rrset.
	- lookup message from msg cache (and copy to region).
	- fixed cast error in dns msg lookup.
	- message with duplicate rrset does not increase its TTLs twice.
	- 'qnamesize' changed to 'qname_len' for similar naming scheme.

25 May 2007: Wouter
	- Acknowledge use of unbound-java code in iterator. Nicer readme.
	- services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
	  rrset cache from module environment.
	- packed rrset key has type and class as easily accessible struct
	  members. They are still kept in network format for fast msg encode.
	- dns cache find_delegation routine.
	- iterator main functions setup.
	- dns cache lookup setup.

24 May 2007: Wouter
	- small changes to prepare for subqueries.
	- iterator forwarder feature separated out.
	- iterator hints stub code, config file stub code, so that first
	  testing can proceed locally.
	- replay tests now have config option to enable forwarding mode.

23 May 2007: Wouter
	- outside network does precise timers for roundtrip estimates for rtt
	  and for setting timeout for UDP. Pending_udp takes milliseconds.
	- cleaner iterator sockaddr conversion of forwarder address.
	- iterator/iter_utils and iter_delegpt setup.
	- root hints.

22 May 2007: Wouter
	- outbound query list for modules and support to callback with the
	  outbound entry to the module.
	- testbound support for new serviced queries.
	- test for retry to TCP cannot use testbound any longer.
	- testns test for EDNS fallback, test for TCP fallback already exists.
	- fixes for no-locking compile.
	- mini_event timer precision and fix for change in timeouts during
	  timeout callback. Fix for fwd_three tests, performed nonexit query.

21 May 2007: Wouter
	- small comment on hash table locking.
	- outside network serviced queries, contain edns and tcp fallback,
	  and udp retries and rtt timing.

16 May 2007: Wouter
	- lruhash_touch() would cause locking order problems. Fixup in 
	  lock-verify in case locking cycle is found.
	- services/cache/rrset.c for rrset cache code.
	- special rrset_cache LRU updating function that uses the rrset id.
	- no dependencies calculation when make clean is called.
	- config settings for infra cache.
	- daemon code slightly cleaner, only creates caches once.

15 May 2007: Wouter
	- host cache code.
	- unit test for host cache.

14 May 2007: Wouter
	- Port to OS/X and Dec Alpha. Printf format and alignment fixes.
	- extensive lock debug report on join timeout.
	- proper RTT calculation, in utility code.
	- setup of services/cache/infra, host cache.

11 May 2007: Wouter
	- iterator/iterator.c module.
	- fixup to pass reply_info in testcode and in netevent.

10 May 2007: Wouter
	- created release-0.3 svn tag.
	- util/module.h
	- fixed compression - no longer compresses root name.

9 May 2007: Wouter
	- outside network cleans up waiting tcp queries on exit.
	- fallback to TCP.
	- testbound replay with retry in TCP mode.
	- tpkg test for retry in TCP mode, against ldns-testns server.
	- daemon checks max number of open files and complains if not enough.
	- test where data expires in the cache.
	- compiletests: fixed empty body ifstatements in alloc.c, in case
	  locks are disabled.

8 May 2007: Wouter
	- outgoing network keeps list of available tcp buffers for outgoing 
	  tcp queries.
	- outgoing-num-tcp config option.
	- outgoing network keeps waiting list of queries waiting for buffer.
	- netevent supports outgoing tcp commpoints, nonblocking connects.

7 May 2007: Wouter
	- EDNS read from query, used to make reply smaller.
	- advertised edns value constants.
	- EDNS BADVERS response, if asked for too high edns version.
	- EDNS extended error responses once the EDNS record from the query
	  has successfully been parsed.

4 May 2007: Wouter
	- msgreply sizefunc is more accurate.
	- config settings for rrset cache size and slabs.
	- hashtable insert takes argument so that a thread can use its own
	  alloc cache to store released keys.
	- alloc cache special_release() locks if necessary.
	- rrset trustworthiness type added.
	- thread keeps a scratchpad region for handling messages.
	- writev used in netevent to write tcp length and data after another.
	  This saves a roundtrip on tcp replies.
	- test for one rrset updated in the cache.
	- test for one rrset which is not updated, as it is not deemed
	  trustworthy enough.
	- test for TTL refreshed in rrset.

3 May 2007: Wouter
	- fill refs. Use new parse and encode to answer queries.
	- stores rrsets in cache.
	- uses new msgreply format in cache.

2 May 2007: Wouter
	- dname unit tests in own file and spread out neatly in functions.
	- more dname unit tests.
	- message encoding creates truncated TC flagged messages if they do 
	  not fit, and will leave out (whole)rrsets from additional if needed.

1 May 2007: Wouter
	- decompress query section, extremely lenient acceptance.
	  But only for answers from other servers, not for plain queries.
	- compression and decompression test cases.
	- some stats added.
	- example.conf interface: line is changed from 127.0.0.1 which leads
	  to problems if used (restricting communication to the localhost),
	  to a documentation and test address.

27 April 2007: Wouter
	- removed iov usage, it is not good for dns message encoding.
	- owner name compression more optimal.
	- rrsig owner name compression.
	- rdata domain name compression.

26 April 2007: Wouter
	- floating point exception fix in lock-verify.
	- lint uses make dependency
	- fixup lint in dname owner domain name compression code.
	- define for offset range that can be compressed to.

25 April 2007: Wouter
	- prettier code; parse_rrset->type kept in host byte order.
	- datatype used for hashvalue of converted rrsig structure.
	- unit test compares edns section data too.

24 April 2007: Wouter
	- ttl per RR, for RRSIG rrsets and others.
	- dname_print debug function.
	- if type is not known, size calc will skip DNAME decompression.
	- RRSIG parsing and storing and putting in messages.
	- dnssec enabled unit tests (from nlnetlabs.nl and se queries).
	- EDNS extraction routine.

20 April 2007: Wouter
	- code comes through all of the unit tests now.
	- disabled warning about spurious extra data.
	- documented the RRSIG parse plan in msgparse.h.
	- rrsig reading and outputting.

19 April 2007: Wouter
	- fix unit test to actually to tests.
	- fix write iov helper, and fakevent code.
	- extra builtin testcase (small packet).
	- ttl converted to network format in packets.
	- flags converted correctly
	- rdatalen off by 2 error fixup.
	- uses less iov space for header.

18 April 2007: Wouter
	- review of msgparse code.
	- smaller test cases.

17 April 2007: Wouter
	- copy and decompress dnames.
	- store calculated hash value too.
	- routine to create message out of stored information.
	- util/data/msgparse.c for message parsing code.
	- unit test, and first fixes because of test.
		* forgot rrset_count addition.
		* did & of ptr on stack for memory position calculation.
		* dname_pkt_copy forgot to read next label length.
	- test from file and fixes
		* double frees fixed in error conditions.
		* types with less than full rdata allowed by parser.
		  Some dynamic update packets seem to use it.

16 April 2007: Wouter
	- following a small change in LDNS, parsing code calculates the
	  memory size to allocate for rrs.
	- code to handle ID creation.

13 April 2007: Wouter
	- parse routines. Code that parses rrsets, rrs.

12 April 2007: Wouter
	- dname compare routine that preserves case, with unit tests.
	
11 April 2007: Wouter
	- parse work - dname packet parse, msgparse, querysection parse,
	  start of sectionparse.

10 April 2007: Wouter
	- Improved alignment of reply_info packet, nice for 32 and 64 bit.
	- Put RRset counts in reply_info, because the number of RRs can change
	  due to RRset updates.
	- import of region-allocator code from nsd.
	- set alloc special type to ub_packed_rrset_key.
	  Uses lruhash entry overflow chain next pointer in alloc cache.
	- doxygen documentation for region-allocator.
	- setup for parse scratch data.

5 April 2007: Wouter
	- discussed packed rrset with Jelte.

4 April 2007: Wouter
	- moved to version 0.3.
	- added util/data/dname.c
	- layout of memory for rrsets.

3 April 2007: Wouter
	- detect sign of msghdr.msg_iovlen so that the cast to that type
	  in netevent (which is there to please lint) can be correct.
	  The type on several OSes ranges from int, int32, uint32, size_t.
	  Detects unsigned or signed using math trick.
	- constants for DNS flags. 
	- compilation without locks fixup.
	- removed include of unportable header from lookup3.c.
	- more portable use of struct msghdr.
	- casts for printf warning portability.
	- tweaks to tests to port them to the testbed.
	- 0.2 tag created.

2 April 2007: Wouter
	- check sizes of udp received messages, not too short.
	- review changes. Some memmoves can be memcpys: 4byte aligned.
	  set id correctly on cached answers. 
	- review changes msgreply.c, memleak on error condition. AA flag
	  clear on cached reply. Lowercase queries on hashing.
	  unit test on lowercasing. Test AA bit not set on cached reply.
	  Note that no TTLs are managed.

29 March 2007: Wouter
	- writev or sendmsg used when answering from cache.
	  This avoids a copy of the data.
	- do not do useless byteswap on query id. Store reply flags in uint16
	  for easier access (and no repeated byteswapping).
	- reviewed code.
	- configure detects and config.h includes sys/uio.h for writev decl.

28 March 2007: Wouter
	- new config option: num-queries-per-thread.
	- added tpkg test for answering three queries at the same time
	  using one thread (from the query service list).

27 March 2007: Wouter
	- added test for cache and not cached answers, in testbound replays.
	- testbound can give config file and commandline options from the
	  replay file to unbound.
	- created test that checks if items drop out of the cache.
	- added word 'partitioned hash table' to documentation on slab hash.
	  A slab hash is a partitioned hash table.
	- worker can handle multiple queries at a time.

26 March 2007: Wouter
	- config settings for slab hash message cache.
	- test for cached answer.
	- Fixup deleting fake answer from testbound list.

23 March 2007: Wouter
	- review of yesterday's commits.
	- covered up memory leak of the entry locks.
	- answers from the cache correctly. Copies flags correctly.
	- sanity check for incoming query replies.
	- slabbed hash table. Much nicer contention, need dual cpu to see.

22 March 2007: Wouter
	- AIX configure check.
	- lock-verify can handle references to locks that are created
	  in files it has not yet read in.
	- threaded hash table test. 
	- unit test runs lock-verify afterwards and checks result.
	- need writelock to update data on hash_insert.
	- message cache code, msgreply code.

21 March 2007: Wouter
	- unit test of hash table, fixup locking problem in table_grow().
	- fixup accounting of sizes for removing items from hashtable.
	- unit test for hash table, single threaded test of integrity.
	- lock-verify reports errors nicely. More quiet in operation.

16 March 2007: Wouter
	- lock-verifier, checks consistent order of locking.

14 March 2007: Wouter
	- hash table insert (and subroutines) and lookup implemented.
	- hash table remove.
	- unit tests for hash internal bin, lru functions.

13 March 2007: Wouter
	- lock_unprotect in checklocks.
	- util/storage/lruhash.h for LRU hash table structure.

12 March 2007: Wouter
	- configure.ac moved to 0.2.
	- query_info and replymsg util/data structure.

9 March 2007: Wouter
	- added rwlock writelock checking.
	  So it will keep track of the writelock, and readlocks are enforced
	  to not change protected memory areas.
	- log_hex function to dump hex strings to the logfile.
	- checklocks zeroes its destroyed lock after checking memory areas.
	- unit test for alloc.
	- identifier for union in checklocks to please older compilers.
	- created 0.1 tag.

8 March 2007: Wouter
	- Reviewed checklock code.

7 March 2007: Wouter
	- created a wrapper around thread calls that performs some basic
	  checking for data race and deadlock, and basic performance 
	  contention measurement.

6 March 2007: Wouter
	- Testbed works with threading (different machines, different options).
	- alloc work, does the special type.

2 March 2007: Wouter
	- do not compile fork funcs unless needed. Otherwise will give
	  type errors as their typedefs have not been enabled.
	- log shows thread numbers much more nicely (and portably).
	- even on systems with nonthreadsafe libevent signal handling,
	  unbound will exit if given a signal.
	  Reloads will not work, and exit is not graceful.
	- start of alloc framework layout.

1 March 2007: Wouter
	- Signals, libevent and threads work well, with libevent patch and
	  changes to code (close after event_del).
	- set ipc pipes nonblocking.

27 February 2007: Wouter
	- ub_thread_join portable definition.
	- forking is used if no threading is available.
	  Tested, it works, since pipes work across processes as well.
	  Thread_join is replaced with waitpid. 
	- During reloads the daemon will temporarily handle signals,
	  so that they do not result in problems.
	- Also randomize the outgoing port range for tests.
	- If query list is full, will stop selecting listening ports for read.
	  This makes all threads service incoming requests, instead of one.
	  No memory is leaking during reloads, service of queries, etc.
	- test that uses ldns-testns -f to test threading. Have to answer
	  three queries at the same time.
	- with verbose=0 operates quietly.

26 February 2007: Wouter
	- ub_random code used to select ID and port.
	- log code prints thread id.
	- unbound can thread itself, with reload(HUP) and quit working
	  correctly.
	- don't open pipes for #0, doesn't need it.
	- listens to SIGTERM, SIGQUIT, SIGINT (all quit) and SIGHUP (reload).

23 February 2007: Wouter
	- Can do reloads on sigHUP. Everything is stopped, and freed,
	  except the listening ports. Then the config file is reread.
	  And everything is started again (and listening ports if needed).
	- Ports for queries are shared.
	- config file added interface:, chroot: and username:.
	- config file: directory, logfile, pidfile. And they work too.
	- will daemonize by default now. Use -d to stay in the foreground.
	- got BSD random[256 state] code, made it threadsafe. util/random.

22 February 2007: Wouter
	- Have a config file. Removed commandline options, moved to config.
	- tests use config file.

21 February 2007: Wouter
	- put -c option in man page.
	- minievent fd array capped by FD_SETSIZE.

20 February 2007: Wouter
	- Added locks code and pthread spinlock detection.
	- can use no locks, or solaris native thread library.
	- added yacc and lex configure, and config file parsing code.
	  also makedist.sh, and manpage.
	- put include errno.h in config.h

19 February 2007: Wouter
	- Created 0.0 svn tag.
	- added acx_pthread.m4 autoconf check for pthreads from 
	  the autoconf archive. It is GPL-with-autoconf-exception Licensed.
	  You can specify --with-pthreads, or --without-pthreads to configure.

16 February 2007: Wouter
	- Updated testbed script, works better by using make on remote end.
	- removed check decls, we can compile without them.
	- makefile supports LIBOBJ replacements.
	- docs checks ignore compat code.
	- added util/mini-event.c and .h, a select based alternative used with
	  ./configure --with-libevent=no
	  It is limited to 1024 file descriptors, and has less features.
	- will not create ip6 sockets if ip6 not on the machine.

15 February 2007: Wouter
	- port to FreeBSD 4.11 Dec Alpha. Also works on Solaris 10 sparc64,
	  Solaris 9, FreeBSD 6, Linux i386 and OSX powerpc.
	- malloc rndstate, so that it is aligned for access.
	- fixed rbtree cleanup with postorder traverse.
	- fixed pending messages are deleted when handled.
	- You can control verbosity; default is not verbose, every -v
	  adds more verbosity.

14 February 2007: Wouter
	- Included configure.ac changes from ldns.
	- detect (some) headers before the standards check.
	- do not use isblank to test c99, since its not available on solaris9.
	- review of testcode.
		* entries in a RANGE are no longer reversed.
		* print name of file with replay entry parse errors.
	- port to OSX: cast to int for some prints of sizet.
	- Makefile copies ldnstestpkts.c before doing dependencies on it.

13 February 2007: Wouter
	- work on fake events, first fwd replay works.
	- events can do timeouts and errors on queries to servers.
	- test package that runs replay scenarios.

12 February 2007: Wouter
	- work on fake events.

9 February 2007: Wouter
	- replay file reading.
	- fake event setup, it creates fake structures, and teardowns,
	  added signal callbacks to reply to be able to fake those,
	  and main structure of event replay routines.

8 February 2007: Wouter
	- added tcp test.
	- replay storage.
	- testcode/fake_event work.

7 February 2007: Wouter
	- return answer with the same ID as query was sent with.
	- created udp forwarder test. I've done some effort to make it perform
	  quickly. After servers are created, no big sleep statements but
	  it checks the logfiles to see if servers have come up. Takes 0.14s.
	- set addrlen value when calling recvfrom.
	- comparison of addrs more portable.
	- LIBEVENT option for testbed to set libevent directory.
	- work on tcp input.

6 February 2007: Wouter
	- reviewed code and improved in places.

5 February 2007: Wouter
	- Picked up stdc99 and other define tests from ldns. Improved
	  POSIX define test to include getaddrinfo.
	- defined constants for netevent callback error code.
	- unit test for strisip6.

2 February 2007: Wouter
	- Created udp4 and udp6 port arrays to provide service for both
	  address families.
	- uses IPV6_USE_MIN_MTU for udp6 ,IPV6_V6ONLY to make ip6 sockets.
	- listens on both ip4 and ip6 ports to provide correct return address.
	- worker fwder address filled correctly.
	- fixup timer code.
	- forwards udp queries and sends answer.

1 February 2007: Wouter
	- outside network more UDP work.
	- moved * closer to type.
	- comm_timer object and events.

31 January 2007: Wouter
	- Added makedist.sh script to make release tarball.
	- Removed listen callback layer, did not add anything.
	- Added UDP recv to netevent, worker callback for udp.
	- netevent communication reply storage structure.
	- minimal query header sanity checking for worker.
	- copied over rbtree implementation from NSD (BSD licensed too).
	- outgoing network query service work.

30 January 2007: Wouter
	- links in example/ldns-testpkts.c and .h for premade packet support.
	- added callback argument to listen_dnsport and daemon/worker.

29 January 2007: Wouter
	- unbound.8 a short manpage.

26 January 2007: Wouter
	- fixed memleak.
	- make lint works on BSD and Linux (openssl defines).
	- make tags works.
	- testbound program start.

25 January 2007: Wouter
	- fixed lint so it may work on BSD.
	- put license into header of every file.
	- created verbosity flag.
	- fixed libevent configure flag.
	- detects event_base_free() in new libevent 1.2 version.
	- getopt in daemon. fatal_exit() and verbose() logging funcs.
	- created log_assert, that throws assertions to the logfile.
	- listen_dnsport service. Binds ports.

24  January 2007: Wouter
	- cleaned up configure.ac.

23  January 2007: Wouter
	- added libevent to configure to link with.
	- util/netevent setup work.
	- configure searches for libevent.
	- search for libs at end of configure (when other headers and types
	  have been found).
	- doxygen works with ATTR_UNUSED().
	- util/netevent implementation.

22  January 2007: Wouter
	- Designed header file for network communication.

16  January 2007: Wouter
	- added readme.svn and readme.tests.

4 January 2007: Wouter
	- Testbed script (run on multiple platforms the test set).
	  Works on Sunos9, Sunos10, FreeBSD 6.1, Fedora core 5.
	- added unit test tpkg.

3 January 2007: Wouter
	- committed first set of files into subversion repository.
	  svn co svn+ssh://unbound.net/svn/unbound
	  You need a ssh login.  There is no https access yet.
	- Added LICENSE, the BSD license.
	- Added doc/README with compile help.
	- main program stub and quiet makefile.
	- minimal logging service (to stderr).
	- added postcommit hook that serves emails.
	- added first test 00-lint. postcommit also checks if build succeeds.
	- 01-doc: doxygen doc target added for html docs. And stringent test
	  on documented files, functions and parameters.

15 December 2006: Wouter
	- Created Makefile.in and configure.ac.