diff --git a/ChangeLog b/ChangeLog index 3054561f..2fb2fce3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,10 +1,15 @@ -* 2019-??-??: Version 1.?.? +* 2019-04-03: Version 1.5.2 + * PR #424: Two small trust anchor fetcher fixes + Thanks Maciej S. Szmigiero * Issue #422: Enable server side and update client side TCP Fast Open implementation. Thanks Craig Andrews * Issue #423: Fix insecure delegation detection while scheduling. Thanks Charles Milette * Issue #419: Escape backslashed when printing in JSON format. Thanks boB Rudis + * Use GnuTLS instead of OpenSSL for TLS with the --with-gnutls + option to configure. libcrypto (from OpenSSL) still needed + for Zero configuration DNSSEC. * DOA rr-type * AMTRELAY rr-type diff --git a/configure.ac b/configure.ac index e7625f5b..dd8ff09f 100644 --- a/configure.ac +++ b/configure.ac @@ -37,7 +37,7 @@ sinclude(./m4/ac_lib_nettle.m4) sinclude(./m4/ax_check_compile_flag.m4) sinclude(./m4/pkg.m4) -AC_INIT([getdns], [1.5.1], [team@getdnsapi.net], [getdns], [https://getdnsapi.net]) +AC_INIT([getdns], [1.5.2], [team@getdnsapi.net], [getdns], [https://getdnsapi.net]) # Autoconf 2.70 will have set up runstatedir. 2.69 is frequently (Debian) # patched to do the same, but frequently (MacOS) not. So add a with option 
@@ -64,13 +64,13 @@ AC_ARG_WITH([current-date], [CURRENT_DATE="`date -u +%Y-%m-%dT%H:%M:%SZ`"]) AC_SUBST(GETDNS_VERSION, ["AC_PACKAGE_VERSION$RELEASE_CANDIDATE"]) -AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01050100]) +AC_SUBST(GETDNS_NUMERIC_VERSION, [0x01050200]) AC_SUBST(API_VERSION, ["December 2015"]) AC_SUBST(API_NUMERIC_VERSION, [0x07df0c00]) GETDNS_COMPILATION_COMMENT="AC_PACKAGE_NAME $GETDNS_VERSION configured on $CURRENT_DATE for the $API_VERSION version of the API" AC_DEFINE_UNQUOTED([STUBBY_PACKAGE], ["stubby"], [Stubby package]) -AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.5$STUBBY_RELEASE_CANDIDATE"], [Stubby package string]) +AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.6$STUBBY_RELEASE_CANDIDATE"], [Stubby package string]) # Library version # --------------- @@ -107,9 +107,10 @@ AC_DEFINE_UNQUOTED([STUBBY_PACKAGE_STRING], ["0.2.5$STUBBY_RELEASE_CANDIDATE"], # getdns-1.4.0 had libversion 10:0:0 # getdns-1.4.1 had libversion 10:1:0 # getdns-1.4.2 had libversion 10:2:0 -# getdns-1.5.0 has libversion 11:0:1 -# getdns-1.5.1 has libversion 11:1:1 -GETDNS_LIBVERSION=11:1:1 +# getdns-1.5.0 had libversion 11:0:1 +# getdns-1.5.1 had libversion 11:1:1 +# getdns-1.5.2 has libversion 11:2:1 +GETDNS_LIBVERSION=11:2:1 AC_SUBST(GETDNS_COMPILATION_COMMENT) AC_SUBST(GETDNS_LIBVERSION) diff --git a/src/context.h b/src/context.h index 10031014..eb42382f 100644 --- a/src/context.h +++ b/src/context.h @@ -201,12 +201,14 @@ typedef struct getdns_upstream { getdns_network_req *write_queue_last; _getdns_rbtree_t netreq_by_query_id; - /* TLS specific connection handling*/ + /* TCP specific connection handling*/ + unsigned tfo_use_sendto : 1; + /* TLS specific connection handling*/ + unsigned tls_fallback_ok : 1; _getdns_tls_connection* tls_obj; _getdns_tls_session* tls_session; getdns_tls_hs_state_t tls_hs_state; getdns_auth_state_t tls_auth_state; - unsigned tls_fallback_ok : 1; /* TLS settings */ char *tls_cipher_list; 
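Review bot: The new `tfo_use_sendto` bit in `getdns_upstream` is introduced without a comment saying what it selects, although it changes how the first write on a connection is issued and its only visible reset is in `tcp_connect()` rather than wherever the upstream is initialised. Suggest `unsigned tfo_use_sendto : 1; /* first write must go through sendto(), which performs the TFO connect */` so the reader of the header does not have to find the two users in stub.c. Moving `tls_fallback_ok` above `tls_obj` also changes the layout of the struct; that is harmless if `getdns_upstream` is private to the library, as its home in src/context.h suggests, but worth confirming since the commit bumps the libversion as a compatible change.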
diff --git a/src/openssl/tls.c b/src/openssl/tls.c index 94335848..af1c3122 100644 --- a/src/openssl/tls.c +++ b/src/openssl/tls.c @@ -914,7 +914,7 @@ getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* c int osr = SSL_dane_enable(conn->ssl, *auth_name ? auth_name : NULL); (void) osr; DEBUG_STUB("%s %-35s: DEBUG: SSL_dane_enable(\"%s\") -> %d\n" - , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr); + , STUB_DEBUG_SETUP_TLS, __FUNC__, auth_name, osr); SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok); const sha256_pin_t *pin_p; size_t n_pins = 0; diff --git a/src/stub.c b/src/stub.c index 0a5b4b46..2547d10f 100644 --- a/src/stub.c +++ b/src/stub.c @@ -385,6 +385,7 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport) int fd = -1; + upstream->tfo_use_sendto = 0; DEBUG_STUB("%s %-35s: Creating TCP connection: %p\n", STUB_DEBUG_SETUP, __FUNC__, (void*)upstream); if ((fd = socket(upstream->addr.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) 
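Review bot: The corrected debug line now prints `auth_name`, which is what is actually passed to `SSL_dane_enable`, but the result of that call is still discarded by `(void) osr;` just above it, so a failed `SSL_dane_enable` (it returns a value <= 0 on error) is only visible in debug output while the function goes on to install `_getdns_tls_verify_always_ok` and the pins. Whether a later step refuses the connection when DANE could not be enabled is not visible in this hunk; if nothing does, a check such as `if (osr <= 0) return GETDNS_RETURN_GENERIC_ERROR;` (or whatever error the callers expect) before `SSL_set_verify` would keep a DANE setup failure from becoming a connection that the peer-verify callback accepts unconditionally. `_getdns_tls_connection_set_host_pinset` starts and ends outside the hunk.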
@@ -413,21 +414,50 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport) doesn't start till the sendto() lack of connection is often delayed until then or even the subsequent event depending on the error and platform.*/ # if defined(HAVE_DECL_TCP_FASTOPEN_CONNECT) && HAVE_DECL_TCP_FASTOPEN_CONNECT - (void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT - , (void *)&enable, sizeof(enable)); + if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT + , (void *)&enable, sizeof(enable)) < 0) { + /* runtime fallback to TCP_FASTOPEN option */ + _getdns_upstream_log(upstream, + GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING, + "%-40s : Upstream : " + "Could not setup TLS capable TFO connect\n", + upstream->addr_str); +# if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN + /* TCP_FASTOPEN works for TCP only (not TLS) */ + if (transport != GETDNS_TRANSPORT_TCP) + ; /* This variant of TFO doesn't work with TLS */ + else if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN + , (void *)&enable, sizeof(enable)) >= 0) { + + upstream->tfo_use_sendto = 1; + return fd; + } else + _getdns_upstream_log(upstream, + GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING, + "%-40s : Upstream : " + "Could not fallback to TCP TFO\n", + upstream->addr_str); +# endif/* HAVE_DECL_TCP_FASTOPEN*/ + } + /* On success regular connect is fine, TFO will happen automagically */ # else /* HAVE_DECL_TCP_FASTOPEN_CONNECT */ # if defined(HAVE_DECL_TCP_FASTOPEN) && HAVE_DECL_TCP_FASTOPEN - (void)setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN - , (void *)&enable, sizeof(enable)); + /* TCP_FASTOPEN works for TCP only (not TLS) */ + if (transport != GETDNS_TRANSPORT_TCP) + ; /* This variant of TFO doesn't work with TLS */ + else if (setsockopt( fd, IPPROTO_TCP, TCP_FASTOPEN + , (void *)&enable, sizeof(enable)) >= 0) { + + upstream->tfo_use_sendto = 1; + return fd; + } else + _getdns_upstream_log(upstream, + GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_WARNING, + "%-40s : Upstream : Could not setup TCP 
TFO\n", + upstream->addr_str); + # endif/* HAVE_DECL_TCP_FASTOPEN*/ # endif /* HAVE_DECL_TCP_FASTOPEN_CONNECT */ -# if defined(HAVE_DECL_MSG_FASTOPEN) && HAVE_DECL_MSG_FASTOPEN - /* Leave the connect to the later call to sendto() if using TCP*/ - if (transport == GETDNS_TRANSPORT_TCP) - return fd; -# else /* HAVE_DECL_MSG_FASTOPEN */ - (void)transport; -# endif /* HAVE_DECL_MSG_FASTOPEN */ #endif /* USE_OSX_TCP_FASTOPEN */ if (connect(fd, (struct sockaddr *)&upstream->addr, upstream->addr_len) == -1) { @@ -758,22 +788,24 @@ stub_tcp_write(int fd, getdns_tcp_state *tcp, getdns_network_req *netreq) * Lets see how much of it we can write */ /* We use sendto() here which will do both a connect and send */ -#ifdef USE_TCP_FASTOPEN - written = sendto(fd, netreq->query - 2, pkt_len + 2, + if (netreq->upstream->tfo_use_sendto) { + written = sendto(fd, netreq->query - 2, pkt_len + 2, # if defined(HAVE_DECL_MSG_FASTOPEN) && HAVE_DECL_MSG_FASTOPEN - MSG_FASTOPEN, + MSG_FASTOPEN, # else - 0, + 0, # endif - (struct sockaddr *)&(netreq->upstream->addr), - netreq->upstream->addr_len); - /* If pipelining we will find that the connection is already up so - just fall back to a 'normal' write. */ - if (written == -1 && _getdns_socketerror() == _getdns_EISCONN) - written = write(fd, netreq->query - 2, pkt_len + 2); -#else - written = send(fd, (const char *)(netreq->query - 2), pkt_len + 2, 0); -#endif + (struct sockaddr *)&(netreq->upstream->addr), + netreq->upstream->addr_len); + /* If pipelining we will find that the connection is already up so + just fall back to a 'normal' write. */ + if (written == -1 + && _getdns_socketerror() == _getdns_EISCONN) + written = write(fd, netreq->query - 2 + , pkt_len + 2); + } else + written = send(fd, (const char *)(netreq->query - 2) + , pkt_len + 2, 0); if ((written == -1 && _getdns_socketerror_wants_retry()) || (size_t)written < pkt_len + 2) { 
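Review bot: Both new `GETDNS_LOG_WARNING` messages are emitted from inside `tcp_connect`, so on a host whose headers declare `TCP_FASTOPEN_CONNECT` but whose running kernel rejects it (the option is only a few kernel versions old) every TCP and TLS connection attempt logs "Could not setup TLS capable TFO connect" at warning level, and neither message records why the setsockopt failed. Suggest appending the error, e.g. `"%-40s : Upstream : Could not setup TLS capable TFO connect: %d\n", upstream->addr_str, _getdns_socketerror()` (or a string form if the socket-error helpers provide one), and using a debug level for this expected fallback. The hunk also removes the `(void)transport;` the old code kept for builds without `MSG_FASTOPEN`; on a build with `TCP_FASTOPEN_CONNECT` but without `TCP_FASTOPEN` the parameter is no longer referenced in this `#if` chain, so whether it is now unused depends on code outside the hunk. `tcp_connect` starts before the hunk.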
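Review bot: The `EISCONN` fallback in the new `tfo_use_sendto` branch sends with `write()`, while the non-TFO branch directly below uses `send()` with a `(const char *)` cast, the form this file otherwise uses for socket portability; `write()` on a socket descriptor is not valid on every platform the `_getdns_socketerror()` wrappers suggest this code targets. Use the same call in both branches: `written = send(fd, (const char *)(netreq->query - 2), pkt_len + 2, 0);`. Because `tfo_use_sendto` stays set for the lifetime of the upstream's connection, every pipelined query on it first issues a `sendto()` that fails with `EISCONN` before the real send, as the comment admits; clearing the bit on that path, `netreq->upstream->tfo_use_sendto = 0;`, avoids the extra syscall per query. Note also that on Linux a cookie-less first `sendto(MSG_FASTOPEN)` on a non-blocking socket fails with `EINPROGRESS` without queuing any data, so the `_getdns_socketerror_wants_retry()` check after this hunk, which is not visible here, has to treat that (and a subsequent `EALREADY`) as retry rather than failure. `stub_tcp_write` starts and ends outside the hunk.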
@@ -967,8 +999,7 @@ tls_do_handshake(getdns_upstream *upstream) return STUB_TCP_RETRY; default: DEBUG_STUB("%s %-35s: FD: %d Handshake failed %d\n", - STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, - want); + STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, r); return STUB_SETUP_ERROR; } } diff --git a/stubby b/stubby index 108a15c6..b0d3154a 160000 --- a/stubby +++ b/stubby @@ -1 +1 @@ -Subproject commit 108a15c63dc08b50d6fd3800cef6948f87e14c8a +Subproject commit b0d3154af61e1b46a30b56d239dc074273642217