Update Stubby to fix Windows build issues

Increase CMake required version 3.5 -> 3.20

.gitattributes

@@ -0,0 +1,18 @@
+/.dir-locals.el	export-ignore
+/.gitattributes	export-ignore
+/.gitignore	export-ignore
+/.gitmodules	export-ignore
+/.indent.pro	export-ignore
+/.travis.yml	export-ignore
+/getdns.pmdoc	export-ignore
+/gldns/compare.sh	export-ignore
+/gldns/import.sh	export-ignore
+/project-doc	export-ignore
+/src/test/tpkg	export-ignore
+/src/test/README	export-ignore
+/src/tools/Dockerfile	export-ignore
+/src/tools/README.adoc	export-ignore
+/src/util/import.sh	export-ignore
+/src/mk-const-info.c.sh	export-ignore
+/src/mk-symfiles.sh	export-ignore
+/README		export-ignore

.gitignore

@@ -1,5 +1,7 @@
 *~
 .DS_Store
+build*/
+tests*/
 getdns*.tar.gz
 *.o
 *.so

.travis.yml

@@ -1,4 +1,5 @@
 sudo: false
+dist: bionic
 language: c
 compiler:
   - gcc
@@ -6,8 +7,9 @@ compiler:
 addons:
   apt:
     packages:
+    - libssl-dev
     - libunbound-dev
-    - libidn11-dev
+    - libidn2-0-dev 
     - libyaml-dev
     - check
     - libevent-dev
@@ -17,8 +19,9 @@ addons:
     - clang
     - wget
     - openssh-client
+    - libgnutls28-dev
 script:
   - mkdir tests
   - cd tests
   - ../src/test/tpkg/run-all.sh
-# - ../src/test/tpkg/run-one.sh 225-stub-only-valgrind-checks
+# - ../src/test/tpkg/run-one.sh 290-transports.tpkg -V

ChangeLog

@@ -1,3 +1,167 @@
+* 2023-??-??: Version 1.7.4
+  * Issue #536: Broken trust anchor files are silently ignored
+    Thanks Stéphane Bortzmeyer
+
+* 2022-12-22: Version 1.7.3
+  * PR #532: Increase CMake required version 3.5 -> 3.20, because we
+    need cmake_path for Absolute paths in pkg-config (See Issue #517)
+    Thanks Gabriel Ganne
+  * Updated to Stubby 0.4.3 quickfix release
+
+* 2022-08-19: Version 1.7.2
+  * Updated to Stubby 0.4.2 quickfix release
+
+* 2022-08-19: Version 1.7.1
+  * Always send the `dot` ALPN when using DoT
+  * Strengthen version determination for Libidn2 during cmake processing
+    (thanks jpbion).
+  * Fix for issue in UDP stream selection in case of timeouts.
+    Thanks Shikha Sharma
+  * Fix using asterisk in ipstr for any address. Thanks uzlonewolf.
+  * Issue stubby#295: rdata not correctly written for validation for
+    certain RR type. Also, set default built type to RelWithDebInfo and
+    expose CFLAGS via GETDNS_BUILD_CFLAGS define and via
+    getdns_context_get_api_information()
+  * Issue #524: Bug fixes from submodules' upstream?
+    Thanks Johnnyslee
+  * Issue #517: Allow Absolute path CMAKE_INSTALL_{INCLUDE,LIB}DIR in
+    pkg-config files. Thanks Alex Shpilkin
+  * Issue #512: Update README.md to show correct PGP key location.
+    Thanks Katze Prior.
+
+* 2021-06-04: Version 1.7.0
+  * Make TLS Handshake timeout max 4/5th of timeout for the query,
+    just like connection setup timeout was, so fallback transport
+    have a chance too when TCP connection setup is less well
+    detectable (as with TCP_FASTOPEN on MacOS).
+  * Issue #466: Memory leak with retrying queries (for examples
+    with search paths). Thanks doublez13.
+  * Issue #480: Handling of strptime when Cross compiling with CMake.
+    A new option to FORCE_COMPAT_STRPTIME (default disabled) will
+    (when disabled) make cmake assume the target platform has a POSIX
+    compatible strptime when cross-compiling.
+  * Setting of the number of milliseconds send data may remain
+    unacknowledged by the peer in a TCP connection (when supported 
+    by the OS) with getdns_context_set_tcp_send_timeout()
+    Thanks maciejsszmigiero.
+  * Issue #497: Fix typo in CMAKE included files, so Stubby can use
+    TLS v1.3 with chipersuites options ON. Thanks har-riz.
+  * Basic name compression on server replied messages. Thanks amialkow!
+    This alleviates (but might not completely resolve) issues #495 and
+    #320 .
+  * Eventloop extensions back to the old names libgetdns_ext_event,
+    libgetdns_ext_ev and libgetdns_ext_uv.
+  * Compilation warning fixes. Thanks Andreas!
+
+* 2020-02-28: Version 1.6.0
+  * Issues #457, #458, #461: New symbols with libnettle >= 3.4.
+    Thanks hanvinke & kometchtech for testing & reporting.
+  * Issue #432: answer_ipv4_address and answer_ipv6_address in reply
+    and response dicts.
+  * Issue #430: Record and guard UDP max payload size with servers.
+  * Issue #407: Run only offline-tests option with:
+    src/test/tpkg/run-offline-only.sh (only with git checkouts).
+  * Issue #175: Include the packet the stub resolver sent to  the
+    upstream the call_reporting dict. Thanks Tom Pusateri
+  * Issue #169: Build eventloop support libraries if event libraries
+    are available. Thanks Tom Pusateri
+
+* 2019-12-20: Version 1.6.0-beta.1
+  * Migration of build system to cmake. Build now works on Ubuntu,
+    Windows 10 and macOS.
+    Some notes on minor differences in the new cmake build:
+      * OpenSSL 1.0.2 or higher is now required
+      * libunbound 1.5.9 is now required
+      * Only libidn2 2.0.0 and later is supported (not libidn)
+      * Windows uses ENABLE_STUB_ONLY=ON as the default
+      * Unit and regression tests work on Linux/macOS
+        (but not Windows yet)
+
+* 2019-04-03: Version 1.5.2
+  * PR #424: Two small trust anchor fetcher fixes
+    Thanks Maciej S. Szmigiero
+  * Issue #422: Enable server side and update client side TCP Fast
+    Open implementation. Thanks Craig Andrews
+  * Issue #423: Fix insecure delegation detection while scheduling.
+    Thanks Charles Milette
+  * Issue #419: Escape backslashed when printing in JSON format.
+    Thanks boB Rudis
+  * Use GnuTLS instead of OpenSSL for TLS with the --with-gnutls
+    option to configure.  libcrypto (from OpenSSL) still needed
+    for Zero configuration DNSSEC.
+  * DOA rr-type
+  * AMTRELAY rr-type
+
+* 2019-01-11: Version 1.5.1
+  * Introduce proof of concept GnuTLS implementation. Incomplete support
+    for Trust Anchor validation. Requires GnuTLS DANE library. Currently
+    untested with GnuTLS prior to 3.5.19, so configure demands a minumum
+    version of 3.5.0.
+  * Be consistent and always fail connection setup if setting ciphers/curves/
+    TLS version/cipher suites fails.
+  * Refactor OpenSSL usage into modules under src/openssl.
+    Drop support for LibreSSL and versions of OpenSSL prior to 1.0.2.
+  * PR #414: remove TLS13 ciphers from cipher_list, but
+    only when SSL_CTX_set_ciphersuites is available.
+    Thanks Bruno Pagani
+  * Issue #415: Filter out #defines etc. when creating
+    symbols file.  Thanks Zero King
+
+* 2018-12-21: Version 1.5.0
+  * RFE getdnsapi/stubby#121 log re-instantiating TLS
+    upstreams (because they reached tls_backoff_time) at
+    log level 4 (WARNING)
+  * GETDNS_RESPSTATUS_NO_NAME for NODATA answers too
+  * ZONEMD rr-type
+  * getdns_query queries for addresses when a query name
+    without a type is given.
+  * RFE #408: Fetching of trust anchors will be retried
+    after failure, after a certain backoff time. The time
+    can be configured with
+    getdns_context_set_trust_anchors_backoff_time().
+  * RFE #408: A "dnssec" extension that requires DNSSEC
+    verification.  When this extension is set, Indeterminate
+    DNSSEC status will not be returned.
+  * Issue #410: Unspecified ownership of get_api_information()
+  * Fix for DNSSEC bug in finding most specific key when
+    trust anchor proves non-existance of one of the labels
+    along the authentication chain other than the non-
+    existance of a DS record on a zonecut.
+  * Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130:
+    Configurable minimum and maximum TLS versions with
+    getdns_context_set_tls_min_version() and
+    getdns_context_set_tls_max_version() functions and
+    tls_min_version and tls_max_version configuration parameters
+    for upstreams.
+  * Configurable TLS1.3 ciphersuites with the
+    getdns_context_set_tls_ciphersuites() function and
+    tls_ciphersuites config parameter for upstreams.
+  * Bugfix in upstream string configurations: tls_cipher_list and
+    tls_curve_list
+  * Bugfix finding signer for validating NSEC and NSEC3s, which
+    caused trouble with the partly tracing DNSSEC from the root
+    up, introduced in 1.4.2.  Thanks Philip Homburg
+
+* 2018-05-11: Version 1.4.2
+  * Bugfix getdnsapi/stubby#87: Detect and ignore duplicate certs
+    in the Windows root CA store.
+  * PR #397: No TCP sendto without TCP_FASTOPEN
+    Thanks Emery Hemingway
+  * Bugfix getdnsapi/stubby#106: Core dump when printing certain
+    configuration. Thanks Han Vinke
+  * Bugfix getdnsapi/stubby#99: Partly trace DNSSEC from the root
+    up (for tld and sld), to find insecure delegations quicker.
+    Thanks UniverseXXX
+  * Bugfix: Allow NSEC spans starting from (unexpanded) wildcards
+    Bug was introduced when dealing with CVE-2017-15105
+  * Bugfix getdnsapi/stubby#46: Don't assume trailing zero with
+    string bindata's.  Thanks Lonnie Abelbeck
+  * Bugfix #394: Update src/compat/getentropy_linux.c in order to
+    handle ENOSYS (not implemented) fallback.
+    Thanks Brent Blood
+  * Bugfix #395: Clarify that libidn2 dependency is for version 2.0.0
+    or higher. Thanks mire3212
+
 * 2018-03-12: Version 1.4.1
   * Bugfix #388: Prevent fallback to an earlier tries upstream within a
     single query.  Thanks Robert Groenenberg

INSTALL

@@ -1,401 +0,0 @@
-Installation Instructions
-*************************
-
-Copyright (C) 1994-1996, 1999-2002, 2004-2012 Free Software Foundation,
-Inc.
-
-   Copying and distribution of this file, with or without modification,
-are permitted in any medium without royalty provided the copyright
-notice and this notice are preserved.  This file is offered as-is,
-without warranty of any kind.
-
-(Options specific to getdns are listed at the end of this document.)
-
-Basic Installation
-==================
-
-   Briefly, the shell commands `./configure; make; make install' should
-configure, build, and install this package.  The following
-more-detailed instructions are generic; see the `README' file for
-instructions specific to this package.  Some packages provide this
-`INSTALL' file but do not implement all of the features documented
-below.  The lack of an optional feature in a given package is not
-necessarily a bug.  More recommendations for GNU packages can be found
-in *note Makefile Conventions: (standards)Makefile Conventions.
-
-   The `configure' shell script attempts to guess correct values for
-various system-dependent variables used during compilation.  It uses
-those values to create a `Makefile' in each directory of the package.
-It may also create one or more `.h' files containing system-dependent
-definitions.  Finally, it creates a shell script `config.status' that
-you can run in the future to recreate the current configuration, and a
-file `config.log' containing compiler output (useful mainly for
-debugging `configure').
-
-   It can also use an optional file (typically called `config.cache'
-and enabled with `--cache-file=config.cache' or simply `-C') that saves
-the results of its tests to speed up reconfiguring.  Caching is
-disabled by default to prevent problems with accidental use of stale
-cache files.
-
-   If you need to do unusual things to compile the package, please try
-to figure out how `configure' could check whether to do them, and mail
-diffs or instructions to the address given in the `README' so they can
-be considered for the next release.  If you are using the cache, and at
-some point `config.cache' contains results you don't want to keep, you
-may remove or edit it.
-
-   The file `configure.ac' (or `configure.in') is used to create
-`configure' by a program called `autoconf'.  You need `configure.ac' if
-you want to change it or regenerate `configure' using a newer version
-of `autoconf'.
-
-   The simplest way to compile this package is:
-
-  1. `cd' to the directory containing the package's source code and type
-     `./configure' to configure the package for your system.
-
-     Running `configure' might take a while.  While running, it prints
-     some messages telling which features it is checking for.
-
-  2. Type `make' to compile the package.
-
-  3. Optionally, type `make check' to run any self-tests that come with
-     the package, generally using the just-built uninstalled binaries.
-
-  4. Type `make install' to install the programs and any data files and
-     documentation.  When installing into a prefix owned by root, it is
-     recommended that the package be configured and built as a regular
-     user, and only the `make install' phase executed with root
-     privileges.
-
-  5. Optionally, type `make installcheck' to repeat any self-tests, but
-     this time using the binaries in their final installed location.
-     This target does not install anything.  Running this target as a
-     regular user, particularly if the prior `make install' required
-     root privileges, verifies that the installation completed
-     correctly.
-
-  6. You can remove the program binaries and object files from the
-     source code directory by typing `make clean'.  To also remove the
-     files that `configure' created (so you can compile the package for
-     a different kind of computer), type `make distclean'.  There is
-     also a `make maintainer-clean' target, but that is intended mainly
-     for the package's developers.  If you use it, you may have to get
-     all sorts of other programs in order to regenerate files that came
-     with the distribution.
-
-  7. Often, you can also type `make uninstall' to remove the installed
-     files again.  In practice, not all packages have tested that
-     uninstallation works correctly, even though it is required by the
-     GNU Coding Standards.
-
-  8. Some packages, particularly those that use Automake, provide `make
-     distcheck', which can by used by developers to test that all other
-     targets like `make install' and `make uninstall' work correctly.
-     This target is generally not run by end users.
-
-Compilers and Options
-=====================
-
-   Some systems require unusual options for compilation or linking that
-the `configure' script does not know about.  Run `./configure --help'
-for details on some of the pertinent environment variables.
-
-   You can give `configure' initial values for configuration parameters
-by setting variables in the command line or in the environment.  Here
-is an example:
-
-     ./configure CC=c99 CFLAGS=-g LIBS=-lposix
-
-   *Note Defining Variables::, for more details.
-
-Compiling For Multiple Architectures
-====================================
-
-   You can compile the package for more than one kind of computer at the
-same time, by placing the object files for each architecture in their
-own directory.  To do this, you can use GNU `make'.  `cd' to the
-directory where you want the object files and executables to go and run
-the `configure' script.  `configure' automatically checks for the
-source code in the directory that `configure' is in and in `..'.  This
-is known as a "VPATH" build.
-
-   With a non-GNU `make', it is safer to compile the package for one
-architecture at a time in the source code directory.  After you have
-installed the package for one architecture, use `make distclean' before
-reconfiguring for another architecture.
-
-   On MacOS X 10.5 and later systems, you can create libraries and
-executables that work on multiple system types--known as "fat" or
-"universal" binaries--by specifying multiple `-arch' options to the
-compiler but only a single `-arch' option to the preprocessor.  Like
-this:
-
-     ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
-                 CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
-                 CPP="gcc -E" CXXCPP="g++ -E"
-
-   This is not guaranteed to produce working output in all cases, you
-may have to build one architecture at a time and combine the results
-using the `lipo' tool if you have problems.
-
-Installation Names
-==================
-
-   By default, `make install' installs the package's commands under
-`/usr/local/bin', include files under `/usr/local/include', etc.  You
-can specify an installation prefix other than `/usr/local' by giving
-`configure' the option `--prefix=PREFIX', where PREFIX must be an
-absolute file name.
-
-   You can specify separate installation prefixes for
-architecture-specific files and architecture-independent files.  If you
-pass the option `--exec-prefix=PREFIX' to `configure', the package uses
-PREFIX as the prefix for installing programs and libraries.
-Documentation and other data files still use the regular prefix.
-
-   In addition, if you use an unusual directory layout you can give
-options like `--bindir=DIR' to specify different values for particular
-kinds of files.  Run `configure --help' for a list of the directories
-you can set and what kinds of files go in them.  In general, the
-default for these options is expressed in terms of `${prefix}', so that
-specifying just `--prefix' will affect all of the other directory
-specifications that were not explicitly provided.
-
-   The most portable way to affect installation locations is to pass the
-correct locations to `configure'; however, many packages provide one or
-both of the following shortcuts of passing variable assignments to the
-`make install' command line to change installation locations without
-having to reconfigure or recompile.
-
-   The first method involves providing an override variable for each
-affected directory.  For example, `make install
-prefix=/alternate/directory' will choose an alternate location for all
-directory configuration variables that were expressed in terms of
-`${prefix}'.  Any directories that were specified during `configure',
-but not in terms of `${prefix}', must each be overridden at install
-time for the entire installation to be relocated.  The approach of
-makefile variable overrides for each directory variable is required by
-the GNU Coding Standards, and ideally causes no recompilation.
-However, some platforms have known limitations with the semantics of
-shared libraries that end up requiring recompilation when using this
-method, particularly noticeable in packages that use GNU Libtool.
-
-   The second method involves providing the `DESTDIR' variable.  For
-example, `make install DESTDIR=/alternate/directory' will prepend
-`/alternate/directory' before all installation names.  The approach of
-`DESTDIR' overrides is not required by the GNU Coding Standards, and
-does not work on platforms that have drive letters.  On the other hand,
-it does better at avoiding recompilation issues, and works well even
-when some directory options were not specified in terms of `${prefix}'
-at `configure' time.
-
-Optional Features
-=================
-
-   If the package supports it, you can cause programs to be installed
-with an extra prefix or suffix on their names by giving `configure' the
-option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
-
-   Some packages pay attention to `--enable-FEATURE' options to
-`configure', where FEATURE indicates an optional part of the package.
-They may also pay attention to `--with-PACKAGE' options, where PACKAGE
-is something like `gnu-as' or `x' (for the X Window System).  The
-`README' should mention any `--enable-' and `--with-' options that the
-package recognizes.
-
-   For packages that use the X Window System, `configure' can usually
-find the X include and library files automatically, but if it doesn't,
-you can use the `configure' options `--x-includes=DIR' and
-`--x-libraries=DIR' to specify their locations.
-
-   Some packages offer the ability to configure how verbose the
-execution of `make' will be.  For these packages, running `./configure
---enable-silent-rules' sets the default to minimal output, which can be
-overridden with `make V=1'; while running `./configure
---disable-silent-rules' sets the default to verbose, which can be
-overridden with `make V=0'.
-
-Particular systems
-==================
-
-   On HP-UX, the default C compiler is not ANSI C compatible.  If GNU
-CC is not installed, it is recommended to use the following options in
-order to use an ANSI C compiler:
-
-     ./configure CC="cc -Ae -D_XOPEN_SOURCE=500"
-
-and if that doesn't work, install pre-built binaries of GCC for HP-UX.
-
-   HP-UX `make' updates targets which have the same time stamps as
-their prerequisites, which makes it generally unusable when shipped
-generated files such as `configure' are involved.  Use GNU `make'
-instead.
-
-   On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
-parse its `<wchar.h>' header file.  The option `-nodtk' can be used as
-a workaround.  If GNU CC is not installed, it is therefore recommended
-to try
-
-     ./configure CC="cc"
-
-and if that doesn't work, try
-
-     ./configure CC="cc -nodtk"
-
-   On Solaris, don't put `/usr/ucb' early in your `PATH'.  This
-directory contains several dysfunctional programs; working variants of
-these programs are available in `/usr/bin'.  So, if you need `/usr/ucb'
-in your `PATH', put it _after_ `/usr/bin'.
-
-   On Haiku, software installed for all users goes in `/boot/common',
-not `/usr/local'.  It is recommended to use the following options:
-
-     ./configure --prefix=/boot/common
-
-   On Mac OSX getdns will not build against the version of OpenSSL shipped with
-OSX. If you link against a self-complied version of OpenSSL then manual 
-configuration of certificates into the default OpenSSL directory 
-/usr/local/etc/openssl/certs is currently required for TLS authentication to work.
-However if linking against the version of OpenSSL installed via Homebrew TLS 
-authentication will work out of the box.
-
-Specifying the System Type
-==========================
-
-   There may be some features `configure' cannot figure out
-automatically, but needs to determine by the type of machine the package
-will run on.  Usually, assuming the package is built to be run on the
-_same_ architectures, `configure' can figure that out, but if it prints
-a message saying it cannot guess the machine type, give it the
-`--build=TYPE' option.  TYPE can either be a short name for the system
-type, such as `sun4', or a canonical name which has the form:
-
-     CPU-COMPANY-SYSTEM
-
-where SYSTEM can have one of these forms:
-
-     OS
-     KERNEL-OS
-
-   See the file `config.sub' for the possible values of each field.  If
-`config.sub' isn't included in this package, then this package doesn't
-need to know the machine type.
-
-   If you are _building_ compiler tools for cross-compiling, you should
-use the option `--target=TYPE' to select the type of system they will
-produce code for.
-
-   If you want to _use_ a cross compiler, that generates code for a
-platform different from the build platform, you should specify the
-"host" platform (i.e., that on which the generated programs will
-eventually be run) with `--host=TYPE'.
-
-Sharing Defaults
-================
-
-   If you want to set default values for `configure' scripts to share,
-you can create a site shell script called `config.site' that gives
-default values for variables like `CC', `cache_file', and `prefix'.
-`configure' looks for `PREFIX/share/config.site' if it exists, then
-`PREFIX/etc/config.site' if it exists.  Or, you can set the
-`CONFIG_SITE' environment variable to the location of the site script.
-A warning: not all `configure' scripts look for a site script.
-
-Defining Variables
-==================
-
-   Variables not defined in a site shell script can be set in the
-environment passed to `configure'.  However, some packages may run
-configure again during the build, and the customized values of these
-variables may be lost.  In order to avoid this problem, you should set
-them in the `configure' command line, using `VAR=value'.  For example:
-
-     ./configure CC=/usr/local2/bin/gcc
-
-causes the specified `gcc' to be used as the C compiler (unless it is
-overridden in the site shell script).
-
-Unfortunately, this technique does not work for `CONFIG_SHELL' due to
-an Autoconf limitation.  Until the limitation is lifted, you can use
-this workaround:
-
-     CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash
-
-`configure' Invocation
-======================
-
-   `configure' recognizes the following options to control how it
-operates.
-
-`--help'
-`-h'
-     Print a summary of all of the options to `configure', and exit.
-
-`--help=short'
-`--help=recursive'
-     Print a summary of the options unique to this package's
-     `configure', and exit.  The `short' variant lists options used
-     only in the top level, while the `recursive' variant lists options
-     also present in any nested packages.
-
-`--version'
-`-V'
-     Print the version of Autoconf used to generate the `configure'
-     script, and exit.
-
-`--cache-file=FILE'
-     Enable the cache: use and save the results of the tests in FILE,
-     traditionally `config.cache'.  FILE defaults to `/dev/null' to
-     disable caching.
-
-`--config-cache'
-`-C'
-     Alias for `--cache-file=config.cache'.
-
-`--quiet'
-`--silent'
-`-q'
-     Do not print messages saying which checks are being made.  To
-     suppress all normal output, redirect it to `/dev/null' (any error
-     messages will still be shown).
-
-`--srcdir=DIR'
-     Look for the package's source code in directory DIR.  Usually
-     `configure' can determine that directory automatically.
-
-`--prefix=DIR'
-     Use DIR as the installation prefix.  *note Installation Names::
-     for more details, including other options available for fine-tuning
-     the installation locations.
-
-`--no-create'
-`-n'
-     Run the configure checks, but stop before creating any output
-     files.
-
-`configure' also accepts some other, not widely useful, options.  Run
-`configure --help' for more details.
-
-getdns-specific Options
-=======================
-
-`--with-libidn=pathname'
-	path to libidn (default: search /usr/local ..)
-
-`--with-libunbound=pathname'
-	path to libunbound (default: search /usr/local ..)
-
-`--with-libevent'
-	path to libevent (default: search /usr/local ..)
-
-`--with-libuv'
-	path to libuv (default: search /usr/local ..)
-
-`--with-libev'
-	path to libev (default: search /usr/local ..)
-
-`--with-trust-anchor=KEYFILE'
-	Default location of the trust anchor file.
-	[default=SYSCONFDIR/unbound/getdns-root.key]

Makefile.in

@@ -1,312 +0,0 @@
-#
-# @configure_input@
-#
-#
-# Copyright (c) 2013, Verisign, Inc., NLnet Labs
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-#   notice, this list of conditions and the following disclaimer in the
-#   documentation and/or other materials provided with the distribution.
-# * Neither the names of the copyright holders nor the
-#   names of its contributors may be used to endorse or promote products
-#   derived from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
-# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package = @PACKAGE_NAME@
-version = @PACKAGE_VERSION@@RELEASE_CANDIDATE@
-tarname	= @PACKAGE_TARNAME@
-PACKAGE_TARNAME	= @PACKAGE_TARNAME@
-distdir	= $(tarname)-$(version)
-bintar  = $(distdir)-bin.tar.gz
-
-prefix = @prefix@
-datarootdir=@datarootdir@
-exec_prefix = @exec_prefix@
-bindir = @bindir@
-docdir = @docdir@
-libdir = @libdir@
-
-srcdir = @srcdir@
-INSTALL = @INSTALL@
-
-all : default @GETDNS_QUERY@ @GETDNS_SERVER_MON@
-
-everything: default
-	cd src/test && $(MAKE)
-
-default:
-	cd src && $(MAKE) $@
-
-install-lib:
-	cd src && $(MAKE) install
-
-install: getdns.pc getdns_ext_event.pc install-lib @INSTALL_GETDNS_QUERY@ @INSTALL_GETDNS_SERVER_MON@
-	$(INSTALL) -m 755 -d $(DESTDIR)$(docdir)
-	$(INSTALL) -m 644 $(srcdir)/AUTHORS $(DESTDIR)$(docdir)
-	$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(docdir)
-	$(INSTALL) -m 644 $(srcdir)/COPYING $(DESTDIR)$(docdir)
-	$(INSTALL) -m 644 $(srcdir)/INSTALL $(DESTDIR)$(docdir)
-	$(INSTALL) -m 644 $(srcdir)/LICENSE $(DESTDIR)$(docdir)
-	$(INSTALL) -m 644 $(srcdir)/NEWS $(DESTDIR)$(docdir)
-	$(INSTALL) -m 644 $(srcdir)/README.md $(DESTDIR)$(docdir)
-	$(INSTALL) -m 755 -d $(DESTDIR)$(libdir)/pkgconfig
-	$(INSTALL) -m 644 getdns.pc $(DESTDIR)$(libdir)/pkgconfig
-	$(INSTALL) -m 644 getdns_ext_event.pc $(DESTDIR)$(libdir)/pkgconfig
-	$(INSTALL) -m 755 -d $(DESTDIR)$(docdir)/spec
-	$(INSTALL) -m 644 $(srcdir)/spec/index.html $(DESTDIR)$(docdir)/spec
-	cd doc && $(MAKE) install
-	@echo "***"
-	@echo "***  !!! IMPORTANT !!!!"
-	@echo "***"
-	@echo "***  From release 1.2.0, getdns comes with built-in DNSSEC"
-	@echo "***  trust anchor management.  External trust anchor management,"
-	@echo "***  for example with unbound-anchor, is no longer necessary"
-	@echo "***  and no longer recommended."
-	@echo "***"
-	@echo "***  Previously installed trust anchors, in the default location -"
-	@echo "***"
-	@echo "***        @TRUST_ANCHOR_FILE@"
-	@echo "***"
-	@echo "***  - will be preferred and used for DNSSEC validation, however"
-	@echo "***  getdns will fallback to trust-anchors obtained via built-in"
-	@echo "***  trust anchor management when the anchors from the default"
-	@echo "***  location fail to validate the root DNSKEY rrset."
-	@echo "***"
-	@echo "***  To prevent expired DNSSEC trust anchors to be used for"
-	@echo "***  validation, we strongly recommend removing the trust anchors"
-	@echo "***  on the default location when there is no active external"
-	@echo "***  trust anchor management keeping it up-to-date."
-	@echo "***"
-
-uninstall: @UNINSTALL_GETDNS_QUERY@ @UNINSTALL_GETDNS_SERVER_MON@
-	rm -rf $(DESTDIR)$(docdir)
-	cd doc && $(MAKE) $@
-	cd src && $(MAKE) $@
-
-doc:	FORCE
-	cd doc && $(MAKE) $@
-
-example:
-	cd spec/example && $(MAKE) $@
-
-test: default
-	cd src/test && $(MAKE) $@
-
-getdns_query: default
-	cd src/tools && $(MAKE) $@
-
-getdns_server_mon: default
-	cd src/tools && $(MAKE) $@
-
-stubby:
-	cd src && $(MAKE) $@
-
-scratchpad: default
-	cd src/test && $(MAKE) $@
-
-pad: scratchpad
-	src/test/scratchpad || ./libtool exec gdb src/test/scratchpad
-
-install-getdns_query: install-lib
-	cd src/tools && $(MAKE) $@
-
-uninstall-getdns_query:
-	cd src/tools && $(MAKE) $@
-
-install-getdns_server_mon: install-lib @INSTALL_GETDNS_QUERY@
-	cd src/tools && $(MAKE) $@
-
-uninstall-getdns_server_mon:
-	cd src/tools && $(MAKE) $@
-
-install-stubby:
-	cd src && $(MAKE) $@
-
-uninstall-stubby:
-	cd src && $(MAKE) $@
-
-clean:
-	cd src && $(MAKE) $@
-	cd doc && $(MAKE) $@
-	cd spec/example && $(MAKE) $@
-	rm -f *.o *.pc
-
-depend:
-	cd src && $(MAKE) $@
-	cd spec/example && $(MAKE) $@
-
-distclean:
-	cd src && $(MAKE) $@
-	rmdir src 2>/dev/null || true
-	cd doc && $(MAKE) $@
-	rmdir doc 2>/dev/null || true
-	cd spec/example && $(MAKE) $@
-	rmdir spec/example 2>/dev/null || true
-	rmdir spec 2>/dev/null || true
-	rm -f config.log config.status Makefile libtool getdns.pc getdns_ext_event.pc
-	rm -fR autom4te.cache
-	rm -f m4/libtool.m4
-	rm -f m4/lt~obsolete.m4
-	rm -f m4/ltoptions.m4
-	rm -f m4/ltsugar.m4
-	rm -f m4/ltversion.m4
-	rm -f $(distdir).tar.gz $(distdir).tar.gz.sha256
-	rm -f $(distdir).tar.gz.md5 $(distdir).tar.gz.asc
-
-megaclean:
-	cd $(srcdir) && rm -fr * .dir-locals.el .gitignore .indent.pro .travis.yml && git reset --hard && git submodule update --init
-
-autoclean: megaclean
-	libtoolize -ci
-	autoreconf -fi
-
-dist: $(distdir).tar.gz
-
-pub: $(distdir).tar.gz.sha256 $(distdir).tar.gz.md5 $(distdir).tar.gz.asc
-
-$(distdir).tar.gz.sha256: $(distdir).tar.gz
-	openssl sha256 $(distdir).tar.gz >$@
-
-$(distdir).tar.gz.md5: $(distdir).tar.gz
-	openssl md5 $(distdir).tar.gz >$@
-
-$(distdir).tar.gz.asc: $(distdir).tar.gz
-	gpg --armor --detach-sig $(distdir).tar.gz
-
-bindist: $(bintar)
-
-$(bintar): $(distdir)
-	chown -R 0:0 $(distdir) 2>/dev/null || true
-	cd $(distdir); ./configure; make
-	tar chof - $(distdir) | gzip -9 -c > $@
-	rm -rf $(distdir)
-
-$(distdir).tar.gz: $(distdir)
-	chown -R 0:0 $(distdir) 2>/dev/null || true
-	tar chof - $(distdir) | gzip -9 -c > $@
-	rm -rf $(distdir)
-
-$(distdir):
-	mkdir -p $(distdir)/m4
-	mkdir -p $(distdir)/src
-	mkdir -p $(distdir)/src/getdns
-	mkdir -p $(distdir)/src/test
-	mkdir -p $(distdir)/src/extension
-	mkdir -p $(distdir)/src/compat
-	mkdir -p $(distdir)/src/util
-	mkdir -p $(distdir)/src/gldns
-	mkdir -p $(distdir)/src/tools
-	mkdir -p $(distdir)/src/jsmn
-	mkdir -p $(distdir)/src/yxml
-	mkdir -p $(distdir)/src/ssl_dane
-	mkdir -p $(distdir)/doc
-	mkdir -p $(distdir)/spec
-	mkdir -p $(distdir)/spec/example
-	mkdir -p $(distdir)/stubby
-	mkdir -p $(distdir)/stubby/src
-	mkdir -p $(distdir)/stubby/src/yaml
-	mkdir -p $(distdir)/stubby/doc
-	cp $(srcdir)/configure.ac $(distdir)
-	cp $(srcdir)/configure $(distdir)
-	cp $(srcdir)/AUTHORS $(distdir)
-	cp $(srcdir)/ChangeLog $(distdir)
-	cp $(srcdir)/COPYING $(distdir)
-	cp $(srcdir)/INSTALL $(distdir)
-	cp $(srcdir)/LICENSE $(distdir)
-	cp $(srcdir)/NEWS $(distdir)
-	cp $(srcdir)/README.md $(distdir)
-	cp $(srcdir)/Makefile.in $(distdir)
-	cp $(srcdir)/install-sh $(distdir)
-	cp $(srcdir)/config.sub $(distdir)
-	cp $(srcdir)/config.guess $(distdir)
-	cp $(srcdir)/getdns.pc.in $(distdir)
-	cp $(srcdir)/getdns_ext_event.pc.in $(distdir)
-	cp libtool $(distdir)
-	cp $(srcdir)/ltmain.sh $(distdir)
-	cp $(srcdir)/m4/*.m4 $(distdir)/m4
-	cp $(srcdir)/src/*.in $(distdir)/src
-	cp $(srcdir)/src/*.[ch] $(distdir)/src
-	cp $(srcdir)/src/*.symbols $(distdir)/src
-	cp $(srcdir)/src/extension/*.[ch] $(distdir)/src/extension
-	cp $(srcdir)/src/extension/*.symbols $(distdir)/src/extension
-	cp $(srcdir)/src/getdns/*.in $(distdir)/src/getdns
-	cp $(srcdir)/src/getdns/getdns_*.h $(distdir)/src/getdns
-	cp $(srcdir)/src/test/Makefile.in $(distdir)/src/test
-	cp $(srcdir)/src/test/*.[ch] $(distdir)/src/test
-	cp $(srcdir)/src/test/*.sh $(distdir)/src/test
-	cp $(srcdir)/src/test/*.good $(distdir)/src/test
-	cp $(srcdir)/src/compat/*.[ch] $(distdir)/src/compat
-	cp $(srcdir)/src/util/*.[ch] $(distdir)/src/util
-	cp -r $(srcdir)/src/util/orig-headers $(distdir)/src/util
-	cp -r $(srcdir)/src/util/auxiliary $(distdir)/src/util
-	cp $(srcdir)/src/gldns/*.[ch] $(distdir)/src/gldns
-	cp $(srcdir)/doc/Makefile.in $(distdir)/doc
-	cp $(srcdir)/doc/*.in $(distdir)/doc
-	cp $(srcdir)/doc/manpgaltnames $(distdir)/doc
-	cp $(srcdir)/spec/*.html $(distdir)/spec
-	cp $(srcdir)/spec/example/Makefile.in $(distdir)/spec/example
-	cp $(srcdir)/spec/example/*.[ch] $(distdir)/spec/example
-	cp $(srcdir)/src/tools/Makefile.in $(distdir)/src/tools
-	cp $(srcdir)/src/tools/*.[ch] $(distdir)/src/tools
-	cp $(srcdir)/stubby/stubby.yml.example $(distdir)/stubby
-	cp $(srcdir)/stubby/macos/stubby-setdns-macos.sh $(distdir)/stubby
-	cp $(srcdir)/stubby/src/*.[ch] $(distdir)/stubby/src
-	cp $(srcdir)/stubby/src/yaml/*.[ch] $(distdir)/stubby/src/yaml
-	cp $(srcdir)/stubby/COPYING $(distdir)/stubby
-	cp $(srcdir)/stubby/README.md $(distdir)/stubby
-	cp $(srcdir)/stubby/doc/stubby.1.in $(distdir)/stubby/doc
-	cp $(srcdir)/src/jsmn/*.[ch] $(distdir)/src/jsmn
-	cp $(srcdir)/src/jsmn/LICENSE $(distdir)/src/jsmn
-	cp $(srcdir)/src/jsmn/README.md $(distdir)/src/jsmn
-	cp $(srcdir)/src/yxml/*.[ch] $(distdir)/src/yxml
-	cp $(srcdir)/src/yxml/COPYING $(distdir)/src/yxml
-	cp $(srcdir)/src/yxml/yxml.pod $(distdir)/src/yxml
-	cp $(srcdir)/src/ssl_dane/danessl.[ch] $(distdir)/src/ssl_dane
-	cp $(srcdir)/src/ssl_dane/README.md $(distdir)/src/ssl_dane
-	rm -f $(distdir)/Makefile $(distdir)/src/Makefile $(distdir)/src/getdns/getdns.h $(distdir)/spec/example/Makefile $(distdir)/src/test/Makefile $(distdir)/doc/Makefile $(distdir)/src/config.h
-
-distcheck: $(distdir).tar.gz
-	gzip -cd $(distdir).tar.gz | tar xvf -
-	cd $(distdir) && ./configure
-	cd $(distdir) && $(MAKE) all
-	cd $(distdir) && $(MAKE) check
-	cd $(distdir) && $(MAKE) DESTDIR=$${PWD}/_inst install
-	cd $(distdir) && $(MAKE) DESTDIR=$${PWD}/_inst uninstall
-	@remaining="`find $${PWD}/$(distdir)/_inst -type f | wc -l`"; \
-	if test "$${remaining}" -ne	0; then
-	echo "@@@	$${remaining} file(s) remaining	in stage directory!"; \
-	exit 1; \
-	fi
-	cd $(distdir) && $(MAKE) clean
-	rm -rf $(distdir)
-	@echo "*** Package $(distdir).tar.gz is ready for distribution"
-
-getdns.pc: $(srcdir)/getdns.pc.in
-	./config.status $@
-
-getdns_ext_event.pc: $(srcdir)/getdns_ext_event.pc.in
-	./config.status $@
-
-Makefile: $(srcdir)/Makefile.in config.status
-	./config.status $@
-
-configure.status: configure
-	./config.status --recheck
-
-.PHONY: all distclean clean default doc test
-FORCE:

README.md

@@ -40,7 +40,7 @@ The project home page at [getdnsapi.net](https://getdnsapi.net) provides documen
 If you are just getting started with the library take a look at the section below that describes building and handling external dependencies for the library.
 
 ### Examples
-Once it is built you should take a look at src/examples to see how the library is used.
+Once it is built you should take a look at `spec/example` to see how the library is used.
 
 
 # Download
@@ -48,9 +48,9 @@ Once it is built you should take a look at src/examples to see how the library i
 Download the sources from our [github repo](https://github.com/getdnsapi/getdns) 
 or from [getdnsapi.net](https://getdnsapi.net) and verify the download using
 the checksums (SHA1 or MD5) or using gpg to verify the signature.  Our keys are
-available from the [pgp keyservers](https://keyserver.pgp.com)
+available from the [openpgp keyserver](https://keys.openpgp.org/)
 
-* willem@nlnetlabs.nl, key id E5F8F8212F77A498
+* `willem@nlnetlabs.nl`, key id E5F8F8212F77A498
 
 # Releases
 
@@ -59,68 +59,96 @@ approach.  The code is currently under active development.
 
 The following requirements were met as conditions for the present release:
 
-* code compiles cleanly on at least the primary target platforms: OSX, RHEL/CentOS Linux, FreeBSD
+* code compiles cleanly on at least the primary target platforms: OSX, Linux (RHEL/CentOS, Ubuntu), FreeBSD
 * examples must compile and run cleanly
 * there must be clear documentation of supported and unsupported elements of the API
 
-# Building and External Dependencies
+# External Dependencies
 
 If you are installing from packages, you have to install the library and also the library-devel (or -dev) for your package management system to get the the necessary compile time files.
 
-External dependencies are linked outside the getdns API build tree (we rely on configure to find them).  We would like to keep the dependency tree short.  Please refer to section for building on Windows for separate dependency and build instructions for that platform.
+External dependencies are linked outside the getdns API build tree (we rely on CMake to find them).  We would like to keep the dependency tree short, see [Minimising Dependancies](#minimizing-dependancies) for more details.
 
-* [libunbound from NLnet Labs](https://unbound.net/) version 1.4.16 or later.
-* [libidn from the FSF](https://www.gnu.org/software/libidn/) version 1 or 2.  (Note that the libidn version means the conversions between A-labels and U-labels may permit conversion of formally invalid labels under IDNA2008.)
-* [libssl and libcrypto from the OpenSSL Project](https://www.openssl.org/) version 0.9.7 or later. (Note: version 1.0.1 or later is required for TLS support, version 1.0.2 or later is required for TLS hostname authentication)
-* Doxygen is used to generate documentation; while this is not technically necessary for the build it makes things a lot more pleasant.
+Required for all builds:
 
-For example, to build on a recent version of Ubuntu, you would need the following packages:
+* [libssl and libcrypto from the OpenSSL Project](https://www.openssl.org/) version 1.0.2 or later. Using OpenSSL 1.1 is recommended due to TSL 1.3 support.
 
-    # apt install build-essential libunbound-dev libidn2-dev libssl-dev libtool m4 autoconf
+Required for all builds that include recursive functionality:
+
+* [libunbound from NLnet Labs](https://unbound.net/) version 1.5.9 or later. (Note: linking to libunbound is not yet supported on Windows, see [Windows 10](#microsoft-windows-10))
+
+Required for all builds that include IDN functionality:
+
+* [libidn2 from the FSF](https://www.gnu.org/software/libidn/) version 2.0.0 and higher.
+
+Required to build the documentation:
+
+* [Doxygen](http://www.doxygen.nl) is used to generate documentation; while this is not technically necessary for the build it makes things a lot more pleasant.
+
+For example, to build on Ubuntu 18.04 or later, you would need the following packages for a full build:
+
+    # apt install build-essential libunbound-dev libidn2-dev libssl-dev cmake
+
+# Building
 
 If you are building from git, you need to do the following before building:
 
-
     # git submodule update --init
 
-    # libtoolize -ci # (use glibtoolize for OS X, libtool is installed as glibtool to avoid name conflict on OS X)
-    # autoreconf -fi
+From release 1.6.0 getdns uses CMake (previous versions used autoconf/libtool). To build from this release and later use:
 
+    # cmake .
+    # make
 
-As well as building the getdns library three other tools may be installed:
+If you are unfamiliar with CMake, see our [CMake Quick Start](https://getdnsapi.net/quick-start/cmake-quick-start/) for how to use CMake options to customise the getdns build.
 
-* getdns_query: a command line test script wrapper for getdns
-* stubby: an experimental DNS Privacy enabled client
+As well as building the getdns library two other tools are installed by default:
+
+* getdns_query: a command line test script wrapper for getdns. This can be used to quickly check the functionality of the library, see (#using-getdnsquery)
 * getdns_server_mon: test DNS server function and capabilities
 
-Note: If you only want to build stubby, then use the `--with-stubby` option when running 'configure'.
+Additionally `Stubby` a DNS Privacy enabled client can also be built and installed by using the `BUILD_STUBBY` option when running `cmake`, see [Stubby](#stubby).
 
 
 ## Minimizing dependencies
 
-* getdns can be configured for stub resolution mode only with the `--enable-stub-only` option to configure.  This removes the dependency on `libunbound`.
-* Currently getdns only offers two helper functions to deal with IDN: `getdns_convert_ulabel_to_alabel` and `getdns_convert_alabel_to_ulabel`.  If you do not need these functions, getdns can be configured to compile without them with the `--without-libidn` and `--without-libidn2` options to configure.
-* When `--enable-stub-only`, `--without-libidn` and `--without-libidn2` options are used, getdns has only one dependency left, which is OpenSSL.
+* getdns can be configured for stub resolution mode only with the `ENABLE_STUB_ONLY` option to `cmake`.  This removes the dependency on `libunbound`.
+* Currently getdns only offers two helper functions to deal with IDN: `getdns_convert_ulabel_to_alabel` and `getdns_convert_alabel_to_ulabel`.  If you do not need these functions, getdns can be configured to compile without them by setting the`USE_LIBIDN2` option to `cmake` to OFF.
+* When `ENABLE_STUB_ONLY` is ON, and `USE_LIBIDN2` is OFF, getdns has only one dependency left, which is OpenSSL.
 
 ## Extensions and Event loop dependencies
 
 The implementation works with a variety of event loops, each built as a separate shared library.  See [this Doxygen page](https://getdnsapi.net/doxygen/group__eventloops.html) and [this man page](https://getdnsapi.net/documentation/manpages/#ASYNCHRONOUS USE) for more details.
 
-* [libevent](http://libevent.org).  Note: the examples *require* this and should work with either libevent 1.x or 2.x.  2.x is preferred.
-* [libuv](https://github.com/joyent/libuv)
+* [libevent](http://libevent.org).  Note: the examples *require* this. libevent 2.x is required.
+* [libuv](https://libuv.org/)
 * [libev](http://software.schmorp.de/pkg/libev.html)
 
+## Using getdns_query
+
+Example test queries using `getdns_query` (pointed at Google Public DNS) and requesting the `call_reporting` extension which provides information on the transport and query time:
+
+   getdns_query -s example.com A @8.8.8.8     +return_call_reporting (UDP)
+   getdns_query -s example.com A @8.8.8.8 -T  +return_call_reporting (TCP)
+   getdns_query -s example.com A @8.8.8.8 -L  +return_call_reporting (TLS without authentication)
+   getdns_query -s getdnsapi.net A +dnssec_return_status +return_call_reporting (DNSSEC)
+
 ## Stubby
 
-* Stubby is an experimental implementation of a DNS Privacy enabled stub resolver than encrypts DNS queries using TLS. It is currently suitable for advanced/technical users - all feedback is welcome! 
+* Stubby is an implementation of a DNS Privacy enabled stub resolver that encrypts DNS queries using TLS. It is currently suitable for advanced/technical users - all feedback is welcome!
 * Details on how to use Stubby can be found in the [Stubby Reference Guide](https://dnsprivacy.org/wiki/x/JYAT).
 * Also see [dnsprivacy.org](https://dnsprivacy.org) for more information on DNS Privacy.
 
+## Experimental support for GnuTLS
+
+A project to allow user selection of either OpenSSL or GnuTLS is currently a work in progress. At present a user may select to use GnuTLS for the majority of the supported functionality, however, OpenSSL is still required for some cryptographic functions.
+
 ## Regression Tests
 
 A suite of regression tests are included with the library, if you make changes or just
 want to sanity check things on your system take a look at src/test.  You will need
 to install [libcheck](https://libcheck.github.io/check/).  The check library is also available from many of the package repositories for the more popular operating systems.
+Note: The tests currently do not run on Windows because of a dependancy on bash.
 
 ## DNSSEC dependencies
 
@@ -130,13 +158,13 @@ The library will try to load the root trust anchor from
 or more `DS` or `DNSKEY` resource records in presentation (i.e. zone file)
 format.  Note that this is different than the format of BIND.keys.
 
-##$ Zero configuration DNSSEC
+## Zero configuration DNSSEC
 
 When the root trust anchor is not installed in the default location and a DNSSEC query is done, getdns will try to use the trust anchors published here: http://data.iana.org/root-anchors/root-anchors.xml .
 It will validate these anchors with the ICANN Certificate Authority certificate following the procedure described in [RFC7958].
-The `root-anchors.xml` and `root-anchors.p7s` S/MIME signature will be cached in the `$HOME/.getdns` directory.
+The `root-anchors.xml` and `root-anchors.p7s` S/MIME signature will be cached in the `$HOME/.getdns` directory on Unixes, and the `%appdata%\getdns` directory on Windows.
 
-When using trust-anchors from the `root-anchors.xml` file, getdns will track the keys in the root DNSKEY rrset and store a copy in $HOME/.getdns/root.key.
+When using trust-anchors from the `root-anchors.xml` file, getdns will track the keys in the root DNSKEY rrset and store a copy in `$HOME/.getdns/root.key` on Unixes, and `%appdata%\getdns\root.key` on Windows.
 Only when the KSK DNSKEY's change, a new version of `root-anchors.xml` is tried to be retrieved from [data.iana.org](https://data.iana.org/root-anchors/).
 
 A installed trust-anchor from the default location (`/etc/unbound/getdns-root.key`) that fails to validate the root DNSKEY RRset, will also trigger the "Zero configuration DNSSEC" procedure described above.
@@ -146,9 +174,7 @@ Support
 
 ## Mailing lists
 
-We have a [getdns users list](https://getdnsapi.net/mailman/listinfo/users) for this implementation.
-
-The [getdns-api mailing list](https://getdnsapi.net/mailman/listinfo/spec) is a good place to engage in discussions regarding the design of the API.
+We have a [getdns users list](https://lists.getdnsapi.net/mailman/listinfo/users) for this implementation.
 
 ## Tickets and Bug Reports
 
@@ -162,8 +188,8 @@ Features of this release
 The goals of this implementation of the getdns API are:
 
 * Provide an open source implementation, in C, of the formally described getdns API by getdns API team at <https://getdnsapi.net/spec.html>
-* Support FreeBSD, OSX, Linux (CentOS/RHEL, Ubuntu) via functional "configure" script
-* Support Windows 8.1 
+* Support FreeBSD, OSX, Linux (CentOS/RHEL, Ubuntu)
+* Support Windows 10
 * Include examples and tests as part of the build
 * Document code using doxygen
 * Leverage github as much as possible for project coordination
@@ -204,69 +230,37 @@ Stub mode does not support:
 
 # Supported Platforms
 
-The primary platforms targeted are Linux and FreeBSD, other platform are supported as we get time.  The names listed here are intended to help ensure that we catch platform specific breakage, not to limit the work that folks are doing.
+The platforms listed here are intended to help ensure that we catch platform specific breakage prior to release.
 
-* RHEL/CentOS 6.4
-* OSX 10.8
-* Ubuntu 16.04
-* Microsoft Windows 8.1
-
-We intend to add Android and other platforms to future releases as we have time to port it.
+* Ubuntu 18.04 LTS and newer LTS releases
+* Microsoft Windows 10
+* FreeBSD 11.3 and newer
+* RHEL/CentOS 8
+* OSX 10.14 and 10.15
 
 
-##  Platform Specific Build Reports
+###  Platform Specific Build Notes
 
 [![Build Status](https://travis-ci.org/getdnsapi/getdns.png?branch=master)](https://travis-ci.org/getdnsapi/getdns)
 
-### FreeBSD
+## FreeBSD
 
 If you're using [FreeBSD](https://www.freebsd.org/), you may install getdns via the [ports tree](https://www.freshports.org/dns/getdns/) by running: `cd /usr/ports/dns/getdns && make install clean`
 
 If you are using FreeBSD 10 getdns can be intalled via 'pkg install getdns'.
 
-### CentOS and RHEL 6.5
+## Ubuntu
 
-We rely on the most excellent package manager fpm to build the linux packages, which
-means that the packaging platform requires ruby 2.1.0.  There are other ways to
-build the packages; this is simply the one we chose to use.
+getdns should also work on Ubuntu 16.04, however if you require IDN functionality you will have to install a recent version of libidn2 via a ppa e.g. from https://launchpad.net/~ondrej/+archive/ubuntu/php
 
-    # cat /etc/redhat-release
-    CentOS release 6.5 (Final)
-    # uname -a
-    Linux host-10-1-1-6 2.6.32-358.el6.x86_64 #1 SMP Fri Feb 22 00:31:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
-    # cd getdns-0.2.0rc1
-    # ./configure --prefix=/home/deploy/build
-    # make; make install
-    # cd /home/deploy/build
-    # mv lib lib64
-    # . /usr/local/rvm/config/alias
-    # fpm -x "*.la" -a native -s dir -t rpm -n getdns -v 0.2.0rc1 -d "unbound" -d "libevent" -d "libidn" --prefix /usr --vendor "Verisign Inc., NLnet Labs" --license "BSD New" --url "https://getdnsapi.net" --description "Modern asynchronous API to the DNS" .
+You will also have to build Unbound from source code to provide libunbound at version >= 1.5.9.
 
-### OSX
+## OSX
 
-    # sw_vers
-    ProductName:	Mac OS X
-    ProductVersion:	10.8.5
-    BuildVersion:	12F45
-
-    Built using PackageMaker, libevent2.
-
-    # ./configure --with-libevent --prefix=$HOME/getdnsosx/export
-    # make
-    # make install
-
-    edit/fix hardcoded paths in lib/*.la to reference /usr/local
-
-    update getdns.pmdoc to match release info
-
-    build package using PackageMaker
-
-    create dmg
-
-    A self-compiled version of OpenSSL or the version installed via Homebrew is required.
+A self-compiled version of OpenSSL or the version installed via Homebrew is required and the options OPENSSL_ROOT_DIR, OPENSSL_CRYPTO_LIBRARY and OPENSSL_SSL_LIBRARY can be used to specify the location of the libraries.
 Note: If using a self-compiled version, manual configuration of certificates into /usr/local/etc/openssl/certs is required for TLS authentication to work.
 
-#### Homebrew
+### Homebrew
 
 If you're using [Homebrew](http://brew.sh/), you may run `brew install getdns`.  By default, this will only build the core library without any 3rd party event loop support.
 
@@ -274,48 +268,37 @@ To install the [event loop integration libraries](https://getdnsapi.net/doxygen/
 
 Note that in order to compile the examples, the `--with-libevent` switch is required.
 
-Additionally, the OpenSSL library installed by Homebrew is linked against. Note that the Homebrew OpenSSL installation clones the Keychain certificates to the default OpenSSL location so TLS certificate authentication should work out of the box.
+Additionally, getdns is linked against the the OpenSSL library installed by Homebrew. Note that the Homebrew OpenSSL installation clones the Keychain certificates to the default OpenSSL location so TLS certificate authentication should work out of the box.
 
-### Microsoft Windows 8.1
+## Microsoft Windows 10
 
-The build has been tested using the following:
-32 bit only Mingw: [Mingw(3.21.0) and Msys 1.0](http://www.mingw.org/) on Windows 8.1
-32 bit build on a 64 bit Mingw [Download latest from: http://mingw-w64.org/doku.php/download/mingw-builds and http://msys2.github.io/]. IMPORTANT: Install tested ONLY on the  "x86_64" for 64-bit installer of msys2.
+You will need CMake for Windows. Installers can be downloaded from https://cmake.org/download/.
 
-#### Dependencies
-The following dependencies are 
-* openssl-1.0.2j
-* libidn
+Windows versions of the following libraries are available using [the vcpkg package manager](https://docs.microsoft.com/en-us/cpp/build/vcpkg).
 
-Instructions to build openssl-1.0.2j:
-Open the mingw32_shell.bat from msys2 in order to build:
+* OpenSSL
+* libevent
+* libiconv (required for libidn2)
+* libidn2
+* libyaml
+* libuv
 
-If necessary, install the following using pacman:
+Once these are installed, set CMake variables CMAKE_INCLUDE_PATH and CMAKE_LIBRARY_PATH to the vcpkg include and library directories e.g. `../vcpkg/installed/x64-windows/include` and `../vcpkg/installed/x64-windows/lib`.
 
-    pacman -S pkg-config  libtool automake
-    pacman -S autoconf automake-wrapper
+To generate a project suitable for use in Visual Studio, select the appropriate Visual Studio generator in CMake. Once generated, the cmake-gui Open Project button can be used to load the project into Visual Studio.
 
-    tar -xvf openssl-1.0.2j.tar 
-    cd openssl-1.0.2j/
-    ./Configure --prefix=${LOCALDESTDIR} --openssldir=${LOCALDESTDIR}/etc/ssl --libdir=lib shared zlib-dynamic mingw
-    make
-    make install
+### Limitations on Windows
 
-To configure:
+Full support for Windows is a work in progress. The following limitations will  be addresses in future:
 
-    ./configure --enable-stub-only --with-trust-anchor="c:\\\MinGW\\\msys\\\1.0\\\etc\\\unbound\\\getdns-root.key" --with-ssl=<location of openssl from above> --with-getdns_query
+* At present, no native Windows DLL version of libunbound exists; support for linking against libunbound is not currently available. The default build option for ENABLE_STUB_ONLY_ is ON for Windows.
 
- The trust anchor is also installed by unbound on `c:\program Files (X86)\unbound\root.key` and can be referenced from there
- or anywhere else that the user chooses to configure it.
+* The getdns unit tests (built with `make test`) require libcheck which is not currently available for Windows and so cannot be built.
 
- After configuring, do a `make` and `make install` to build getdns for Windows.
+* The getdns tpkg test suite is not currently supported on Windows.
 
- Example test queries:
+* The detection of the location of the `/etc/hosts` file should be optimised - it currently assumes Windows is installed in the default directory on the C: drive
 
-    ./getdns_query.exe -s gmadkat.com A @64.6.64.6  +return_call_reporting (UDP)
-    ./getdns_query.exe -s gmadkat.com A @64.6.64.6 -T  +return_call_reporting (TCP)
-    ./getdns_query.exe -s gmadkat.com A -l L @185.49.141.37  +return_call_reporting (TLS without authentication)
-    ./getdns_query.exe -s www.huque.com A +dnssec_return_status +return_call_reporting (DNSSEC)
 
 Contributors
 ============
@@ -368,4 +351,4 @@ Contributors
 
 Acknowledgements
 ================
-The development team explicitly acknowledges Paul Hoffman for his initiative and efforts to develop a consensus based DNS API. We would like to thank the participants of the [mailing list](https://getdnsapi.net/mailman/listinfo/spec) for their contributions.
+The development team explicitly acknowledges Paul Hoffman for his initiative and efforts to develop a consensus based DNS API. We would like to thank the participants of the getdns-api mailing list (discontinued) for their contributions.

cmake/include/cmakeconfig.h.in

@@ -0,0 +1,540 @@
+#ifndef CONFIG_H
+#define CONFIG_H
+
+#cmakedefine PACKAGE            "@PACKAGE@"
+#cmakedefine PACKAGE_NAME       "@PACKAGE_NAME@"
+#cmakedefine PACKAGE_VERSION    "@PACKAGE_VERSION@"
+#cmakedefine PACKAGE_URL        "@PACKAGE_URL@"
+#cmakedefine PACKAGE_BUGREPORT  "@PACKAGE_BUGREPORT@"
+
+#cmakedefine PACKAGE_STRING     "@PACKAGE_STRING@"
+#cmakedefine PACKAGE_TARNAME    "@PACKAGE_TARNAME@"
+
+#cmakedefine HAVE_ASSERT_H      1
+#cmakedefine HAVE_INTTYPES_H    1
+#cmakedefine HAVE_LIMITS_H      1
+#cmakedefine HAVE_SYS_LIMITS_H  1
+#cmakedefine HAVE_STDARG_H      1
+#cmakedefine HAVE_STDDEF_H      1
+#cmakedefine HAVE_STDINT_H      1
+#cmakedefine HAVE_STDIO_H       1
+#cmakedefine HAVE_STDLIB_H      1
+#cmakedefine HAVE_STRING_H      1
+#cmakedefine HAVE_TIME_H        1
+#cmakedefine HAVE_UNISTD_H	1
+
+#cmakedefine HAVE_FCNTL_H	1
+
+#cmakedefine HAVE_SIGNAL_H      1
+#cmakedefine HAVE_SYS_POLL_H    1
+#cmakedefine HAVE_POLL_H        1
+#cmakedefine HAVE_RESOURCE_H    1
+#cmakedefine HAVE_SYS_TYPES_H   1
+#cmakedefine HAVE_SYS_STAT_H    1
+
+#cmakedefine HAVE_ENDIAN_H      1
+#cmakedefine HAVE_NETDB_H       1
+#cmakedefine HAVE_ARPA_INET_H   1
+#cmakedefine HAVE_NETINET_IN_H  1
+#cmakedefine HAVE_NETINET_TCP_H 1
+#cmakedefine HAVE_SYS_SELECT_H  1
+#cmakedefine HAVE_SYS_SOCKET_H  1
+#cmakedefine HAVE_SYS_SYSCTL_H  1
+#cmakedefine HAVE_SYS_TIME_H    1
+#cmakedefine HAVE_SYS_WAIT_H    1
+
+#cmakedefine HAVE_WINDOWS_H     1
+#cmakedefine HAVE_WINSOCK_H     1
+#cmakedefine HAVE_WINSOCK2_H    1
+#cmakedefine HAVE_WS2TCPIP_H    1
+#cmakedefine GETDNS_ON_WINDOWS  1
+#cmakedefine USE_WINSOCK	1
+
+#cmakedefine HAVE_SSL           1
+#cmakedefine USE_DANESSL	1
+
+#cmakedefine HAVE_OPENSSL_SSL_H         1
+#cmakedefine HAVE_OPENSSL_EVP_H         1
+#cmakedefine HAVE_OPENSSL_ERR_H         1
+#cmakedefine HAVE_OPENSSL_RAND_H        1
+#cmakedefine HAVE_OPENSSL_CONF_H        1
+#cmakedefine HAVE_OPENSSL_ENGINE_H      1
+#cmakedefine HAVE_OPENSSL_BN_H          1
+#cmakedefine HAVE_OPENSSL_DSA_H         1
+#cmakedefine HAVE_OPENSSL_RSA_H         1
+#cmakedefine HAVE_OPENSSL_PARAM_BUILD_H 1
+
+#cmakedefine HAVE_DSA_SIG_SET0		1
+#cmakedefine HAVE_DSA_SET0_PQG		1
+#cmakedefine HAVE_DSA_SET0_KEY		1
+
+#cmakedefine HAVE_RSA_SET0_KEY		1
+
+#cmakedefine HAVE_EVP_MD5		1
+#cmakedefine HAVE_EVP_SHA1		1
+#cmakedefine HAVE_EVP_SHA224		1
+#cmakedefine HAVE_EVP_SHA256		1
+#cmakedefine HAVE_EVP_SHA384		1
+#cmakedefine HAVE_EVP_SHA512		1
+
+#cmakedefine HAVE_EVP_DSS1		1
+#cmakedefine HAVE_EVP_DIGESTVERIFY	1
+
+#cmakedefine HAVE_EVP_MD_CTX_NEW	1
+
+#cmakedefine HAVE_HMAC_CTX_NEW		1
+
+#cmakedefine HAVE_NETTLE_GET_SECP_256R1	1
+#cmakedefine HAVE_NETTLE_GET_SECP_384R1	1
+
+#cmakedefine HAVE_TLS_CLIENT_METHOD	1
+
+#cmakedefine HAVE_OPENSSL_VERSION_NUM	1
+#cmakedefine HAVE_OPENSSL_VERSION	1
+
+#cmakedefine HAVE_SSL_CTX_DANE_ENABLE	1
+#cmakedefine HAVE_SSL_CTX_SET_CIPHERSUITES	1
+#cmakedefine HAVE_SSL_SET_CIPHERSUITES	1
+
+#cmakedefine HAVE_OPENSSL_INIT_CRYPTO	1
+
+#cmakedefine HAVE_OSSL_PARAM_BLD_NEW	1
+
+#cmakedefine HAVE_SSL_DANE_ENABLE			1
+#cmakedefine HAVE_DECL_SSL_CTX_SET1_CURVES_LIST		1
+#cmakedefine HAVE_DECL_SSL_SET1_CURVES_LIST		1
+#cmakedefine HAVE_DECL_SSL_SET_MIN_PROTO_VERSION	1
+#cmakedefine HAVE_X509_GET_NOTAFTER			1
+#cmakedefine HAVE_X509_GET0_NOTAFTER			1
+
+#cmakedefine HAVE_PTHREAD               1
+#cmakedefine HAVE_WINDOWS_THREADS       1
+
+#cmakedefine RUNSTATEDIR                "@RUNSTATEDIR@"
+#cmakedefine TRUST_ANCHOR_FILE          "@PATH_TRUST_ANCHOR_FILE@"
+#cmakedefine GETDNS_FN_RESOLVCONF       "@PATH_RESOLVCONF@"
+#cmakedefine GETDNS_FN_HOSTS            "@PATH_HOSTS@"
+
+#cmakedefine DNSSEC_ROADBLOCK_AVOIDANCE         1
+#cmakedefine HAVE_MDNS_SUPPORT			1
+#cmakedefine STUB_NATIVE_DNSSEC                 1
+#cmakedefine MAXIMUM_UPSTREAM_OPTION_SPACE      @MAXIMUM_UPSTREAM_OPTION_SPACE@
+#cmakedefine EDNS_PADDING_OPCODE                @EDNS_PADDING_OPCODE@
+#cmakedefine MAX_CNAME_REFERRALS                @MAX_CNAME_REFERRALS@
+#cmakedefine DRAFT_RRTYPES                      @DRAFT_RRTYPES@
+#cmakedefine EDNS_COOKIES			1
+#cmakedefine EDNS_COOKIE_OPCODE                 @EDNS_COOKIE_OPCODE@
+#cmakedefine EDNS_COOKIE_ROLLOVER_TIME          @EDNS_COOKIE_ROLLOVER_TIME@
+#cmakedefine UDP_MAX_BACKOFF			@MAX_UDP_BACKOFF@
+
+#cmakedefine HAVE_DECL_GETENTROPY       1
+#cmakedefine HAVE_DECL_INET_PTON        1
+#cmakedefine HAVE_DECL_INET_NTOP        1
+#cmakedefine HAVE_WIN_DECL_INET_PTON    1
+#cmakedefine HAVE_WIN_DECL_INET_NTOP    1
+#cmakedefine HAVE_DECL_MKSTEMP          1
+#cmakedefine HAVE_DECL_SIGEMPTYSET      1
+#cmakedefine HAVE_DECL_SIGFILLSET       1
+#cmakedefine HAVE_DECL_SIGADDSET        1
+#cmakedefine HAVE_DECL_STRPTIME         1
+
+#cmakedefine HAVE_DECL_TCP_FASTOPEN		1
+#cmakedefine HAVE_DECL_TCP_FASTOPEN_CONNECT	1
+#cmakedefine HAVE_DECL_MSG_FASTOPEN		1
+
+#if defined(HAVE_DECL_INET_PTON) || defined(HAVE_WIN_DECL_INET_PTON)
+#undef HAVE_DECL_INET_PTON
+#define HAVE_DECL_INET_PTON 1
+#endif
+#if defined(HAVE_DECL_INET_NTOP) || defined(HAVE_WIN_DECL_INET_NTOP)
+#undef HAVE_DECL_INET_NTOP
+#define HAVE_DECL_INET_NTOP 1
+#endif
+
+#cmakedefine HAVE_FCNTL		        1
+#cmakedefine HAVE_GETTIMEOFDAY		1
+#cmakedefine HAVE_IOCTLSOCKET		1
+#cmakedefine HAVE_SIGEMPTYSET           1
+#cmakedefine HAVE_SIGFILLSET            1
+#cmakedefine HAVE_SIGADDSET             1
+#cmakedefine HAVE_STRPTIME              1
+
+#cmakedefine HAVE_SIGSET_T              1
+#cmakedefine HAVE__SIGSET_T             1
+
+#cmakedefine HAVE_BSD_STDLIB_H		1
+#cmakedefine HAVE_BSD_STRING_H		1
+
+#cmakedefine HAVE_DECL_STRLCPY                  1
+#cmakedefine HAVE_DECL_ARC4RANDOM               1
+#cmakedefine HAVE_DECL_ARC4RANDOM_UNIFORM       1
+#cmakedefine HAVE_BSD_DECL_STRLCPY              1
+#cmakedefine HAVE_BSD_DECL_ARC4RANDOM           1
+#cmakedefine HAVE_BSD_DECL_ARC4RANDOM_UNIFORM   1
+
+#cmakedefine HAVE_STRLCPY               1
+#cmakedefine HAVE_ARC4RANDOM            1
+#cmakedefine HAVE_ARC4RANDOM_UNIFORM    1
+
+#cmakedefine HAVE_LIBUNBOUND		1
+#cmakedefine HAVE_UNBOUND_EVENT_H	1
+#cmakedefine HAVE_UNBOUND_EVENT_API	1
+#cmakedefine HAVE_UB_CTX_SET_STUB	1
+
+#cmakedefine HAVE_LIBIDN		1
+#cmakedefine HAVE_LIBIDN2		1
+
+#cmakedefine HAVE_NETTLE		1
+#cmakedefine HAVE_NETTLE_DSA_COMPAT_H	1
+#cmakedefine HAVE_NETTLE_EDDSA_H	1
+
+#cmakedefine HAVE_EVENT2_EVENT_H	1
+#cmakedefine HAVE_EVENT_BASE_NEW	1
+#cmakedefine HAVE_EVENT_BASE_FREE	1
+
+#cmakedefine DEFAULT_EVENTLOOP          "@DEFAULT_EVENTLOOP@"
+#cmakedefine USE_POLL_DEFAULT_EVENTLOOP 1
+
+#cmakedefine STRPTIME_WORKS		1
+
+#cmakedefine FD_SETSIZE			@FD_SETSIZE@
+
+#cmakedefine REQ_DEBUG			1
+#cmakedefine SCHED_DEBUG		1
+#cmakedefine STUB_DEBUG			1
+#cmakedefine DAEMON_DEBUG		1
+#cmakedefine SEC_DEBUG			1
+#cmakedefine SERVER_DEBUG		1
+#cmakedefine ANCHOR_DEBUG		1
+#cmakedefine KEEP_CONNECTIONS_OPEN_DEBUG  1
+
+#cmakedefine USE_SHA1			1
+#cmakedefine USE_SHA2			1
+#cmakedefine USE_GOST			1
+#cmakedefine USE_ECDSA			1
+#cmakedefine USE_DSA			1
+#cmakedefine USE_ED25519		1
+#cmakedefine USE_ED448			1
+
+#cmakedefine USE_OSX_TCP_FASTOPEN	1
+
+#cmakedefine HAVE_DECL_TCP_USER_TIMEOUT	1
+
+#cmakedefine HAVE_NEW_UV_TIMER_CB	1
+
+#cmakedefine HAVE_TARGET_ENDIANNESS
+#cmakedefine TARGET_IS_BIG_ENDIAN
+
+#cmakedefine HAVE___FUNC__		1
+
+#ifdef HAVE___FUNC__
+#define __FUNC__ __func__
+#else
+#define __FUNC__ __FUNCTION__
+#endif
+
+#ifdef GETDNS_ON_WINDOWS
+ /* On windows it is allowed to increase the FD_SETSIZE
+  * (and nescessary to make our custom eventloop work)
+  * See: https://support.microsoft.com/en-us/kb/111855
+  */
+# ifndef FD_SETSIZE
+#  define FD_SETSIZE 1024
+# endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* the version of the windows API enabled */
+# ifndef WINVER
+#  define WINVER 0x0600 // 0x0502
+# endif
+# ifndef _WIN32_WINNT
+#  define _WIN32_WINNT 0x0600 // 0x0502
+# endif
+# ifdef HAVE_WS2TCPIP_H
+#  include <ws2tcpip.h>
+# endif
+
+# ifdef _MSC_VER
+#  if _MSC_VER >= 1800
+#   define PRIsz "zu"
+#  else
+#   define PRIsz "Iu"
+#  endif
+#  include <BaseTsd.h>
+   typedef SSIZE_T ssize_t;
+# else
+#  define PRIsz "Iu"
+# endif
+
+# ifdef HAVE_WINSOCK2_H
+#  include <winsock2.h>
+# endif
+
+/* detect if we need to cast to unsigned int for FD_SET to avoid warnings */
+# ifdef HAVE_WINSOCK2_H
+#  define FD_SET_T (u_int)
+# else
+#  define FD_SET_T
+# endif
+
+ /* Windows wants us to use _strdup instead of strdup */
+# ifndef strdup
+#  define strdup _strdup
+# endif
+
+/* Windows doesn't have strcasecmp and strncasecmp. */
+# define strcasecmp _stricmp
+# define strncasecmp _strnicmp
+#else
+# define PRIsz "zu"
+#endif
+
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+
+#ifdef HAVE_STDIO_H
+#include <stdio.h>
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#ifdef HAVE_ASSERT_H
+#include <assert.h>
+#endif
+
+#ifdef HAVE_STRING_H
+#include <string.h>
+#endif
+
+#ifdef HAVE_STDLIB_H
+#include <stdlib.h>
+#endif
+
+#ifdef HAVE_STDDEF_H
+#include <stddef.h>
+#endif
+
+#ifdef HAVE_BSD_STDLIB_H
+#include <bsd/stdlib.h>
+#endif
+
+#ifdef HAVE_BSD_STRING_H
+#include <bsd/string.h>
+#endif
+
+#if !defined(HAVE_STRLCPY) || !HAVE_DECL_STRLCPY || !defined(strlcpy)
+size_t strlcpy(char *dst, const char *src, size_t siz);
+#else
+#ifndef __BSD_VISIBLE
+#define __BSD_VISIBLE 1
+#endif
+#endif
+#if !defined(HAVE_ARC4RANDOM) || !HAVE_DECL_ARC4RANDOM
+uint32_t arc4random(void);
+#endif
+#if !defined(HAVE_ARC4RANDOM_UNIFORM) || !HAVE_DECL_ARC4RANDOM_UNIFORM
+uint32_t arc4random_uniform(uint32_t upper_bound);
+#endif
+#ifndef HAVE_ARC4RANDOM
+void explicit_bzero(void* buf, size_t len);
+int getentropy(void* buf, size_t len);
+void arc4random_buf(void* buf, size_t n);
+void _ARC4_LOCK(void);
+void _ARC4_UNLOCK(void);
+#endif
+#ifdef COMPAT_SHA512
+#ifndef SHA512_DIGEST_LENGTH
+#define SHA512_BLOCK_LENGTH             128
+#define SHA512_DIGEST_LENGTH            64
+#define SHA512_DIGEST_STRING_LENGTH     (SHA512_DIGEST_LENGTH * 2 + 1)
+typedef struct _SHA512_CTX {
+        uint64_t        state[8];
+        uint64_t        bitcount[2];
+        uint8_t buffer[SHA512_BLOCK_LENGTH];
+} SHA512_CTX;
+#endif /* SHA512_DIGEST_LENGTH */
+void SHA512_Init(SHA512_CTX*);
+void SHA512_Update(SHA512_CTX*, void*, size_t);
+void SHA512_Final(uint8_t[SHA512_DIGEST_LENGTH], SHA512_CTX*);
+unsigned char *SHA512(void* data, unsigned int data_len, unsigned char *digest);
+#endif /* COMPAT_SHA512 */
+
+#ifdef USE_WINSOCK
+# ifndef  _CUSTOM_VSNPRINTF
+#  define _CUSTOM_VSNPRINTF
+static inline int _gldns_custom_vsnprintf(char *str, size_t size, const char *format, va_list ap)
+{ int r = vsnprintf(str, size, format, ap); return r == -1 ? _vscprintf(format, ap) : r; }
+#  define vsnprintf _gldns_custom_vsnprintf
+# endif
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+/** Use on-board gldns */
+#define USE_GLDNS 1
+#ifdef HAVE_SSL
+#  define GLDNS_BUILD_CONFIG_HAVE_SSL 1
+#endif
+
+#ifdef HAVE_STDARG_H
+#include <stdarg.h>
+#endif
+
+#include <errno.h>
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+
+#ifdef HAVE_NETINET_TCP_H
+#include <netinet/tcp.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#ifdef HAVE_SIGNAL_H
+#include <signal.h>
+#endif
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
+
+#ifdef HAVE_SYS_LIMITS_H
+#include <sys/limits.h>
+#endif
+
+#ifdef PATH_MAX
+#define _GETDNS_PATH_MAX PATH_MAX
+#else
+#define _GETDNS_PATH_MAX 2048
+#endif
+
+#ifndef PRIu64
+#define PRIu64 "llu"
+#endif
+
+#ifdef HAVE_ATTR_FORMAT
+#  define ATTR_FORMAT(archetype, string_index, first_to_check) \
+    __attribute__ ((format (archetype, string_index, first_to_check)))
+#else /* !HAVE_ATTR_FORMAT */
+#  define ATTR_FORMAT(archetype, string_index, first_to_check) /* empty */
+#endif /* !HAVE_ATTR_FORMAT */
+
+#if defined(DOXYGEN)
+#  define ATTR_UNUSED(x)  x
+#elif defined(__cplusplus)
+#  define ATTR_UNUSED(x)
+#elif defined(__GNUC__)
+#  define ATTR_UNUSED(x)  x __attribute__((unused))
+#else /* !HAVE_ATTR_UNUSED */
+#  define ATTR_UNUSED(x)  x
+#endif /* !HAVE_ATTR_UNUSED */
+
+#ifdef TIME_WITH_SYS_TIME
+# include <sys/time.h>
+# include <time.h>
+#else
+# ifdef HAVE_SYS_TIME_H
+#  include <sys/time.h>
+# else
+#  include <time.h>
+# endif
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(HAVE_STRPTIME) || !defined(STRPTIME_WORKS)
+#define strptime unbound_strptime
+struct tm;
+char *strptime(const char *s, const char *format, struct tm *tm);
+#endif
+
+#if !defined(HAVE_SIGSET_T) && defined(HAVE__SIGSET_T)
+typedef _sigset_t sigset_t;
+#endif
+#if !defined(HAVE_SIGEMPTYSET)
+#  define sigemptyset(pset)    (*(pset) = 0)
+#endif
+#if !defined(HAVE_SIGFILLSET)
+#  define sigfillset(pset)     (*(pset) = (sigset_t)-1)
+#endif
+#if !defined(HAVE_SIGADDSET)
+#  define sigaddset(pset, num) (*(pset) |= (1L<<(num)))
+#endif
+
+#ifdef HAVE_LIBUNBOUND
+# include <unbound.h>
+# ifdef HAVE_UNBOUND_EVENT_H
+#  include <unbound-event.h>
+# else
+#  ifdef HAVE_UNBOUND_EVENT_API
+#   ifndef _UB_EVENT_PRIMITIVES
+#    define _UB_EVENT_PRIMITIVES
+struct ub_event_base;
+struct ub_ctx* ub_ctx_create_ub_event(struct ub_event_base* base);
+typedef void (*ub_event_callback_t)(void*, int, void*, int, int, char*);
+int ub_resolve_event(struct ub_ctx* ctx, const char* name, int rrtype,
+        int rrclass, void* mydata, ub_event_callback_t callback, int* async_id);
+#   endif
+#  endif
+# endif
+#endif
+
+#ifndef HAVE_DECL_INET_PTON
+int inet_pton(int af, const char* src, void* dst);
+#endif
+
+#ifndef HAVE_DECL_INET_NTOP
+const char *inet_ntop(int af, const void *src, char *dst, size_t size);
+#endif
+
+#ifndef HAVE_DECL_MKSTEMP
+int mkstemp(char *template);
+#endif
+
+#ifndef HAVE_GETTIMEOFDAY
+int gettimeofday(struct timeval* tv, void* tz);
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* CONFIG_H */

cmake/include/getdns_shared_version.rc.in

@@ -0,0 +1,19 @@
+1 VERSIONINFO
+    FILEVERSION @version_current@,@version_revision@,@version_age@,0
+    PRODUCTVERSION @version_current@,@version_revision@,0,0
+    FILEOS 4
+    FILETYPE 2
+    FILESUBTYPE 0
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904e4"
+        BEGIN
+            VALUE "CompanyName", "getdns project\0"
+            VALUE "ProductName", "getdns\0"
+            VALUE "FileVersion", "@version_current@.@version_revision@\0"
+            VALUE "ProductVersion", "@version_current@.@version_revision@\0"
+            VALUE "LegalCopyright", "NLnet Labs, Sinodun, No Mountain Software. New BSD licence.\0"
+        END
+    END
+END

cmake/modules/FindCheck.cmake

@@ -0,0 +1,114 @@
+#[=======================================================================[.rst:
+FindCheck
+--------
+
+Find the Check (Unit Testing Framework for C) library
+
+Imported targets
+^^^^^^^^^^^^^^^^
+
+This module defines the following :prop_tgt:`IMPORTED` targets:
+
+``Check::Check``
+  The Check library, if found.
+
+Result variables
+^^^^^^^^^^^^^^^^
+
+This module will set the following variables in your project:
+
+``Check_FOUND``
+  If false, do not try to use Check.
+``CHECK_INCLUDE_DIR``
+  where to find check.h, etc.
+``CHECK_LIBRARIES``
+  the libraries needed to use Check.
+``CHECK_VERSION``
+  the version of the Check library found
+
+#]=======================================================================]
+
+find_package(PkgConfig QUIET)
+if (PKG_CONFIG_FOUND)
+    pkg_check_modules(PkgCheck IMPORTED_TARGET GLOBAL check)
+endif ()
+
+if (PkgCheck_FOUND)
+  set(CHECK_INCLUDE_DIR ${PkgCheck_INCLUDE_DIRS} CACHE FILEPATH "check include path")
+  set(CHECK_LIBRARIES ${PkgCheck_LIBRARIES} CACHE STRING "check libraries")
+  set(CHECK_VERSION ${PkgCheck_VERSION})
+  add_library(Check::Check ALIAS PkgConfig::PkgCheck)
+  set(Check_FOUND ON)
+else ()
+  find_path(CHECK_INCLUDE_DIR check.h
+    HINTS
+    "${CHECK_DIR}"
+    "${CHECK_DIR}/include"
+    )
+
+  # Check for PIC and non-PIC libraries. If PIC present, use that
+  # in preference (as per Debian check.pc).
+  find_library(CHECK_LIBRARY NAMES check_pic libcheck_pic
+    HINTS
+    "${CHECK_DIR}"
+    "${CHECK_DIR}/lib"
+    )
+
+  if (NOT CHECK_LIBRARY)
+    find_library(CHECK_LIBRARY NAMES check libcheck
+      HINTS
+      "${CHECK_DIR}"
+      "${CHECK_DIR}/lib"
+      )
+  endif ()
+
+  set(_CHECK_LIBARIES "")
+
+  # Check may need the math, subunit and rt libraries on Unix
+  if (UNIX)
+    find_library(CHECK_MATH_LIBRARY m)
+    find_library(CHECK_RT_LIBRARY rt)
+    find_library(CHECK_SUBUNIT_LIBRARY subunit)
+
+    if (CHECK_MATH_LIBRARY)
+      list(APPEND _CHECK_LIBARIES "${CHECK_MATH_LIBRARY}")
+    endif ()
+    if (CHECK_RT_LIBRARY)
+      list(APPEND _CHECK_LIBARIES "${CHECK_RT_LIBRARY}")
+    endif ()
+    if (CHECK_SUBUNIT_LIBRARY)
+      list(APPEND _CHECK_LIBARIES "${CHECK_SUBUNIT_LIBRARY}")
+    endif ()
+  endif()
+
+  set(CHECK_LIBRARIES ${_CHECK_LIBARIES} ${CHECK_LIBRARY} CACHE STRING "check libraries")
+
+  if (CHECK_INCLUDE_DIR AND CHECK_LIBRARY)
+    if (NOT TARGET Check::Check)
+      add_library(Check::Check UNKNOWN IMPORTED)
+      set_target_properties(Check::Check PROPERTIES
+        INTERFACE_INCLUDE_DIRECTORIES "${CHECK_INCLUDE_DIR}"
+        INTERFACE_LINK_LIBRARIES "${CHECK_LIBRARIES}"
+        IMPORTED_LINK_INTERFACE_LANGUAGES "C"
+        IMPORTED_LOCATION "${CHECK_LIBRARY}"
+        )
+    endif ()
+
+    if (NOT CHECK_VERSION AND CHECK_INCLUDE_DIR AND EXISTS "${CHECK_INCLUDE_DIR}/check.h")
+      file(STRINGS "${CHECK_INCLUDE_DIR}/check.h" CHECK_H REGEX "^#define CHECK_M[A-Z]+_VERSION")
+      string(REGEX REPLACE "^.*\(([0-9]+)\).*\(([0-9]+)\).*\(([0-9]+)\).*$" "\\1.\\2.\\3" CHECK_VERSION "${CHECK_H}")
+    endif ()
+  endif()
+
+  list(APPEND CHECK_LIBRARIES "${CHECK_LIBRARY}")
+
+  include(FindPackageHandleStandardArgs)
+  find_package_handle_standard_args(Check
+    REQUIRED_VARS CHECK_LIBRARIES CHECK_INCLUDE_DIR
+    VERSION_VAR CHECK_VERSION
+    )
+
+endif()
+
+mark_as_advanced(CHECK_INCLUDE_DIR CHECK_LIBRARIES CHECK_LIBRARY
+  CHECK_MATH_LIBRARY CHECK_RT_LIBRARY CHECK_SUBUNIT_LIBRARY)

cmake/modules/FindGnuTLS.cmake

@@ -0,0 +1,101 @@
+#[=======================================================================[.rst:
+FindGnuTLS
+----------
+
+Find the GnuTLS library.
+
+Imported targets
+^^^^^^^^^^^^^^^^
+
+This module defines the following :prop_tgt:`IMPORTED` targets:
+
+``GnuTLS::GnuTLS``
+  The GnuTLS library, if found.
+``GnuTLS::Dane``
+  The GnuTLS DANE library, if found.
+
+Result variables
+^^^^^^^^^^^^^^^^
+
+This module will set the following variables in your project:
+
+``GnuTLS_FOUND``
+  If false, do not try to use GnuTLS.
+``GNUTLS_INCLUDE_DIR``
+  where to find GnuTLS headers.
+``GNUTLS_LIBRARIES``
+  the libraries needed to use GnuTLS.
+``GNUTLS_VERSION``
+  the version of the GnuTLS library found
+
+#]=======================================================================]
+
+find_package(PkgConfig QUIET)
+if (PKG_CONFIG_FOUND)
+  pkg_check_modules(PkgGnuTLS IMPORTED_TARGET GLOBAL QUIET gnutls)
+  pkg_check_modules(PkgGnuTLSDane IMPORTED_TARGET GLOBAL QUIET gnutls-dane)
+endif ()
+
+if (PkgGnuTLS_FOUND AND PkgGnuTLSDane_FOUND)
+  set(GNUTLS_INCLUDE_DIR ${PkgGnuTLS_INCLUDE_DIRS} $PkgGnuTLSDane_INCLUDE_DIRS} CACHE FILEPATH "GnuTLS include path")
+  set(NETTLE_LIBRARIES ${PkgGnuTLS_LIBRARIES} ${PkgGnuTLSDane_LIBRARIES} CACHE STRING "GnuTLS libraries")
+  set(NETTLE_VERSION ${PkgGnuTLS_VERSION})
+  add_library(GnuTLS::GnuTLS ALIAS PkgConfig::PkgGnuTLS)
+  add_library(GnuTLS::Dane ALIAS PkgConfig::PkgGnuTLSDane)
+  set(GnuTLS_FOUND ON)
+else ()
+  find_path(GNUTLS_INCLUDE_DIR gnutls/gnutls.h
+    HINTS
+    "${GNUTLS_DIR}"
+    "${GNUTLS_DIR}/include"
+  )
+  
+  find_library(GNUTLS_LIBRARY NAMES gnutls libgnutls
+    HINTS
+    "${GNUTLS_DIR}"
+    "${GNUTLS_DIR}/lib"
+  )
+  
+  find_library(GNUTLS_DANE_LIBRARY NAMES gnutls-dane libgnutls-dane
+    HINTS
+    "${GNUTLS_DIR}"
+    "${GNUTLS_DIR}/lib"
+  )
+  
+  set(_GNUTLS_LIBRARIES "")
+  
+  if (GNUTLS_INCLUDE_DIR AND GNUTLS_LIBRARY AND GNUTLS_DANE_LIBRARY)
+    if (NOT TARGET GnuTLS::GnuTLS)
+      add_library(GnuTLS::GnuTLS UNKNOWN IMPORTED)
+      set_target_properties(GnuTLS::GnuTLS PROPERTIES
+        INTERFACE_INCLUDE_DIRECTORIES "${GNUTLS_INCLUDE_DIR}"
+        IMPORTED_LINK_INTERFACE_LANGUAGES "C"
+        IMPORTED_LOCATION "${GNUTLS_LIBRARY}"
+        )
+    endif ()
+    if (NOT TARGET GnuTLS::Dane)
+      add_library(GnuTLS::Dane UNKNOWN IMPORTED)
+      set_target_properties(GnuTLS::Dane PROPERTIES
+        INTERFACE_INCLUDE_DIRECTORIES "${GNUTLS_INCLUDE_DIR}"
+        IMPORTED_LINK_INTERFACE_LANGUAGES "C"
+        IMPORTED_LOCATION "${GNUTLS_DANE_LIBRARY}"
+        )
+    endif ()
+  
+    if (NOT GNUTLS_VERSION AND GNUTLS_INCLUDE_DIR)
+      file(STRINGS "${GNUTLS_INCLUDE_DIR}/gnutls/gnutls.h" GNUTLS_VER_H REGEX "^#define GNUTLS_VERSION_(MAJOR|MINOR|PATCH) ")
+      string(REGEX REPLACE "^.*_MAJOR ([0-9]+).*_MINOR ([0-9]+).*_PATCH ([0-9]+).*$" "\\1.\\2.\\3c" GNUTLS_VERSION "${GNUTLS_VER_H}")
+    endif ()
+  endif ()
+  
+  list(APPEND _GNUTLS_LIBRARIES "${GNUTLS_LIBRARY}" "${GNUTLS_DANE_LIBRARY}")
+  set(GNUTLS_LIBRARIES ${_GNUTLS_LIBRARIES} CACHE STRING "GnuTLS libraries")
+
+  include(FindPackageHandleStandardArgs)
+  find_package_handle_standard_args(GnuTLS
+    REQUIRED_VARS GNUTLS_LIBRARIES GNUTLS_INCLUDE_DIR
+    VERSION_VAR GNUTLS_VERSION
+    )
+endif ()
+
+mark_as_advanced(GNUTLS_INCLUDE_DIR GNUTLS_LIBRARIES GNUTLS_LIBRARY GNUTLS_DANE_LIBRARY)

cmake/modules/FindLibev.cmake

@@ -0,0 +1,63 @@
+#[=======================================================================[.rst:
+FindLibev
+---------
+
+Find the Libev library.
+
+Imported targets
+^^^^^^^^^^^^^^^^
+
+This module defines the following :prop_tgt:`IMPORTED` targets:
+
+``Libev::Libev``
+  The Libev library, if found.
+
+Result variables
+^^^^^^^^^^^^^^^^
+
+This module will set the following variables in your project:
+
+``Libev_FOUND``
+  If false, do not try to use Libev.
+``LIBEV_INCLUDE_DIR``
+  where to find libev headers.
+``LIBEV_LIBRARIES``
+  the libraries needed to use Libev.
+``LIBEV_VERSION``
+  the version of the Libev library found
+
+#]=======================================================================]
+
+find_path(LIBEV_INCLUDE_DIR ev.h
+  HINTS
+  "${LIBEV_DIR}"
+  "${LIBEV_DIR}/include"
+)
+
+find_library(LIBEV_LIBRARY NAMES ev libev
+  HINTS
+  "${LIBEV_DIR}"
+  "${LIBEV_DIR}/lib"
+)
+
+set(LIBEV_LIBRARIES "")
+
+if (LIBEV_INCLUDE_DIR AND LIBEV_LIBRARY)
+  if (NOT TARGET Libev::Libev)
+    add_library(Libev::Libev UNKNOWN IMPORTED)
+    set_target_properties(Libev::Libev PROPERTIES
+      INTERFACE_INCLUDE_DIRECTORIES "${LIBEV_INCLUDE_DIR}"
+      IMPORTED_LINK_INTERFACE_LANGUAGES "C"
+      IMPORTED_LOCATION "${LIBEV_LIBRARY}"
+      )
+  endif ()
+endif()
+
+list(APPEND LIBEV_LIBRARIES "${LIBEV_LIBRARY}")
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(Libev
+  REQUIRED_VARS LIBEV_LIBRARIES LIBEV_INCLUDE_DIR
+  )
+
+mark_as_advanced(LIBEV_INCLUDE_DIR LIBEV_LIBRARIES LIBEV_LIBRARY)

cmake/modules/FindLibevent2.cmake

@@ -0,0 +1,78 @@
+#[=======================================================================[.rst:
+FindLibevent2
+-------------
+
+Find the Libevent2 library. For now this finds the core library only.
+
+Imported targets
+^^^^^^^^^^^^^^^^
+
+This module defines the following :prop_tgt:`IMPORTED` targets:
+
+``Libevent2::Libevent_core``
+  The Libevent2 library, if found.
+
+Result variables
+^^^^^^^^^^^^^^^^
+
+This module will set the following variables in your project:
+
+``Libevent2_FOUND``
+  If false, do not try to use Libevent2.
+``LIBEVENT2_INCLUDE_DIR``
+  where to find libevent headers.
+``LIBEVENT2_LIBRARIES``
+  the libraries needed to use Libevent2.
+``LIBEVENT2_VERSION``
+  the version of the Libevent2 library found
+
+#]=======================================================================]
+
+find_package(PkgConfig QUIET)
+if (PKG_CONFIG_FOUND)
+    pkg_check_modules(PkgLibevent IMPORTED_TARGET GLOBAL QUIET libevent>=2)
+endif ()
+
+if (PkgLibevent_FOUND)
+  set(LIBEVENT2_INCLUDE_DIR ${PkgLibevent_INCLUDE_DIRS} CACHE FILEPATH "libevent2 include path")
+  set(LIBEVENT2_LIBRARIES ${PkgLibevent_LIBRARIES} CACHE STRING "libevent2 libraries")
+  set(LIBEVENT2_VERSION ${PkgLibevent_VERSION})
+  add_library(Libevent2::Libevent_core ALIAS PkgConfig::PkgLibevent)
+  set(Libevent2_FOUND ON)
+else ()
+  find_path(LIBEVENT2_INCLUDE_DIR event2/event.h
+    HINTS
+    "${LIBEVENT2_DIR}"
+    "${LIBEVENT2_DIR}/include"
+  )
+  
+  find_library(LIBEVENT2_LIBRARIES NAMES event_core libevent_core
+    HINTS
+    "${LIBEVENT2_DIR}"
+    "${LIBEVENT2_DIR}/lib"
+  )
+  
+  if (LIBEVENT2_INCLUDE_DIR AND LIBEVENT2_LIBRARIES)
+    if (NOT TARGET Libevent2::Libevent_core)
+      add_library(Libevent2::Libevent_core UNKNOWN IMPORTED)
+      set_target_properties(Libevent2::Libevent_core PROPERTIES
+        INTERFACE_INCLUDE_DIRECTORIES "${LIBEVENT2_INCLUDE_DIR}"
+        IMPORTED_LINK_INTERFACE_LANGUAGES "C"
+        IMPORTED_LOCATION "${LIBEVENT2_LIBRARIES}"
+        )
+    endif ()
+  
+    if (NOT LIBEVENT2_VERSION AND LIBEVENT2_INCLUDE_DIR AND EXISTS "${LIBEVENT2_INCLUDE_DIR}/event2/event.h")
+      file(STRINGS "${LIBEVENT2_INCLUDE_DIR}/event2/event-config.h" LIBEVENT2_H REGEX "^#define _?EVENT_+VERSION ")
+      string(REGEX REPLACE "^.*EVENT_+VERSION \"([^\"]+)\".*$" "\\1" LIBEVENT2_VERSION "${LIBEVENT2_H}")
+    endif ()
+  endif ()
+
+  include(FindPackageHandleStandardArgs)
+  find_package_handle_standard_args(Libevent2
+    REQUIRED_VARS LIBEVENT2_LIBRARIES LIBEVENT2_INCLUDE_DIR
+    VERSION_VAR LIBEVENT2_VERSION
+  )
+endif ()
+
+mark_as_advanced(LIBEVENT2_INCLUDE_DIR LIBEVENT2_LIBRARIES)

cmake/modules/FindLibidn2.cmake

@@ -0,0 +1,77 @@
+#[=======================================================================[.rst:
+FindLibidn2
+-----------
+
+Find the Libidn2 library
+
+Imported targets
+^^^^^^^^^^^^^^^^
+
+This module defines the following :prop_tgt:`IMPORTED` targets:
+
+``Libidn2::Libidn2``
+  The Libidn2 library, if found.
+
+Result variables
+^^^^^^^^^^^^^^^^
+
+This module will set the following variables in your project:
+
+``Libidn2_FOUND``
+  If false, do not try to use Libidn2.
+``LIBIDN2_INCLUDE_DIR``
+  where to find libidn2 headers.
+``LIBIDN2_LIBRARIES``
+  the libraries needed to use Libidn2.
+``LIBIDN2_VERSION``
+  the version of the Libidn2 library found
+
+#]=======================================================================]
+
+find_package(PkgConfig QUIET)
+if (PKG_CONFIG_FOUND)
+    pkg_check_modules(PkgLibIdn2 IMPORTED_TARGET GLOBAL libidn2)
+endif ()
+
+if (PkgLibIdn2_FOUND)
+  set(LIBIDN2_INCLUDE_DIR ${PkgLibIdn2_INCLUDE_DIRS} CACHE FILEPATH "libidn2 include path")
+  set(LIBIDN2_LIBRARIES ${PkgLibIdn2_LIBRARIES} CACHE STRING "libidn2 libraries")
+  set(LIBIDN2_VERSION ${PkgLibIdn2_VERSION})
+  add_library(Libidn2::Libidn2 ALIAS PkgConfig::PkgLibIdn2)
+  set(Libidn2_FOUND ON)
+else ()
+  find_path(LIBIDN2_INCLUDE_DIR idn2.h
+    HINTS
+      "${LIBIDN2_DIR}"
+      "${LIBIDN2_DIR}/include"
+  )
+
+  find_library(LIBIDN2_LIBRARIES NAMES idn2 libidn2
+    HINTS
+      "${LIBIDN2_DIR}"
+      "${LIBIDN2_DIR}/lib"
+  )
+
+  if (LIBIDN2_INCLUDE_DIR AND LIBIDN2_LIBRARIES)
+    if (NOT TARGET Libidn2::Libidn2)
+      add_library(Libidn2::Libidn2 UNKNOWN IMPORTED)
+      set_target_properties(Libidn2::Libidn2 PROPERTIES
+        INTERFACE_INCLUDE_DIRECTORIES "${LIBIDN2_INCLUDE_DIR}"
+        IMPORTED_LINK_INTERFACE_LANGUAGES "C"
+        IMPORTED_LOCATION "${LIBIDN2_LIBRARIES}"
+      )
+    endif ()
+
+    if (NOT LIBIDN2_VERSION AND LIBIDN2_INCLUDE_DIR AND EXISTS "${LIBIDN2_INCLUDE_DIR}/idn2.h")
+      file(STRINGS "${LIBIDN2_INCLUDE_DIR}/idn2.h" LIBIDN2_H REGEX "^[ \t]*#[ \t]*define[ \t]+IDN2_VERSION[ \t]")
+      string(REGEX REPLACE "^.*IDN2_VERSION[ \t]+\"([0-9.]+)\".*$" "\\1" LIBIDN2_VERSION "${LIBIDN2_H}")
+    endif ()
+  endif ()
+  include(FindPackageHandleStandardArgs)
+  find_package_handle_standard_args(Libidn2
+    REQUIRED_VARS LIBIDN2_LIBRARIES LIBIDN2_INCLUDE_DIR
+    VERSION_VAR LIBIDN2_VERSION
+  )
+endif ()
+
+mark_as_advanced(LIBIDN2_INCLUDE_DIR LIBIDN2_LIBRARIES)

cmake/modules/FindLibunbound.cmake

@@ -0,0 +1,104 @@
+#[=======================================================================[.rst:
+FindLibunbound
+--------------
+
+Find the Libunbound library
+
+Imported targets
+^^^^^^^^^^^^^^^^
+
+This module defines the following :prop_tgt:`IMPORTED` targets:
+
+``Libunbound::Libunbound``
+  The Libunbound library, if found.
+
+Result variables
+^^^^^^^^^^^^^^^^
+
+This module will set the following variables in your project:
+
+``Libunbound_FOUND``
+  If false, do not try to use Libunbound.
+``LIBUNBOUND_INCLUDE_DIR``
+  where to find libunbound headers.
+``LIBUNBOUND_LIBRARIES``
+  the libraries needed to use Libunbound.
+``LIBUNBOUND_VERSION``
+  the version of the Libunbound library found
+
+#]=======================================================================]
+
+find_package(PkgConfig QUIET)
+if (PKG_CONFIG_FOUND)
+  pkg_check_modules(PkgLibunbound IMPORTED_TARGET GLOBAL QUIET libunbound)
+endif ()
+
+if (PkgLibunbound_FOUND)
+  set(LIBUNBOUND_INCLUDE_DIR ${PkgLibunbound_INCLUDE_DIRS} CACHE FILEPATH "libunbound include path")
+  set(LIBUNBOUND_LIBRARIES ${PkgLibunbound_LIBRARIES} CACHE STRING "libunbound libraries")
+  set(LIBUNBOUND_VERSION ${PkgLibunbound_VERSION})
+  add_library(Libunbound::Libunbound ALIAS PkgConfig::PkgLibunbound)
+  set(Libunbound_FOUND ON)
+else ()
+  find_path(LIBUNBOUND_INCLUDE_DIR unbound.h
+    HINTS
+    "${LIBUNBOUND_DIR}"
+    "${LIBUNBOUND_DIR}/include"
+  )
+  
+  find_library(LIBUNBOUND_LIBRARY NAMES unbound
+    HINTS
+    "${LIBUNBOUND_DIR}"
+    "${LIBUNBOUND_DIR}/lib"
+  )
+  
+  set(_LIBUNBOUND_LIBRARIES "")
+  
+  if (UNIX)
+    find_package(Threads REQUIRED)
+    find_package(OpenSSL REQUIRED)
+  
+    list(APPEND _LIBUNBOUND_LIBRARIES "${CMAKE_THREAD_LIBS_INIT}")
+    list(APPEND _LIBUNBOUND_LIBRARIES "${OPENSSL_LIBRARIES}")
+  endif()
+  
+  if (LIBUNBOUND_INCLUDE_DIR AND LIBUNBOUND_LIBRARY)
+    if (NOT TARGET Libunbound::Libunbound)
+      add_library(Libunbound::Libunbound UNKNOWN IMPORTED)
+      set_target_properties(Libunbound::Libunbound PROPERTIES
+        INTERFACE_INCLUDE_DIRECTORIES "${LIBUNBOUND_INCLUDE_DIR}"
+        IMPORTED_LINK_INTERFACE_LANGUAGES "C"
+        IMPORTED_LOCATION "${LIBUNBOUND_LIBRARY}"
+        )
+  
+      if(UNIX AND TARGET Threads::Threads)
+        set_property(TARGET Libunbound::Libunbound APPEND PROPERTY
+          INTERFACE_LINK_LIBRARIES Threads::Threads)
+      endif ()
+      if(UNIX AND TARGET OpenSSL::SSL)
+        set_property(TARGET Libunbound::Libunbound APPEND PROPERTY
+          INTERFACE_LINK_LIBRARIES OpenSSL::SSL)
+      endif ()
+      if(UNIX AND TARGET OpenSSL::Crypto)
+        set_property(TARGET Libunbound::Libunbound APPEND PROPERTY
+          INTERFACE_LINK_LIBRARIES OpenSSL::Crypto)
+      endif ()
+    endif ()
+  
+    if (NOT LIBUNBOUND_VERSION AND LIBUNBOUND_INCLUDE_DIR AND EXISTS "${LIBUNBOUND_INCLUDE_DIR}/unbound.h")
+      file(STRINGS "${LIBUNBOUND_INCLUDE_DIR}/unbound.h" LIBUNBOUND_H REGEX "^#define UNBOUND_VERSION_M[A-Z]+")
+      string(REGEX REPLACE "^.*MAJOR ([0-9]+).*MINOR ([0-9]+).*MICRO ([0-9]+).*$" "\\1.\\2.\\3" LIBUNBOUND_VERSION "${LIBUNBOUND_H}")
+    endif ()
+  endif ()
+  
+  list(APPEND _LIBUNBOUND_LIBRARIES "${LIBUNBOUND_LIBRARY}")
+  set(LIBUNBOUND_LIBRARIES ${_LIBUNBOUND_LIBRARIES} CACHE STRING "libunbound libraries")
+
+  include(FindPackageHandleStandardArgs)
+  find_package_handle_standard_args(Libunbound
+    REQUIRED_VARS LIBUNBOUND_LIBRARIES LIBUNBOUND_INCLUDE_DIR
+    VERSION_VAR LIBUNBOUND_VERSION
+    )
+endif ()
+
+mark_as_advanced(LIBUNBOUND_INCLUDE_DIR LIBUNBOUND_LIBRARIES LIBUNBOUND_LIBRARY)

cmake/modules/FindLibuv.cmake

@@ -0,0 +1,82 @@
+#[=======================================================================[.rst:
+FindLibuv
+---------
+
+Find the Libuv library.
+
+Imported targets
+^^^^^^^^^^^^^^^^
+
+This module defines the following :prop_tgt:`IMPORTED` targets:
+
+``Libuv::Libuv``
+  The Libuv library, if found.
+
+Result variables
+^^^^^^^^^^^^^^^^
+
+This module will set the following variables in your project:
+
+``Libuv_FOUND``
+  If false, do not try to use Libuv.
+``LIBUV_INCLUDE_DIR``
+  where to find libuv headers.
+``LIBUV_LIBRARIES``
+  the libraries needed to use Libuv.
+``LIBUV_VERSION``
+  the version of the Libuv library found
+
+#]=======================================================================]
+
+find_package(PkgConfig QUIET)
+if (PKG_CONFIG_FOUND)
+  pkg_check_modules(PkgLibuv IMPORTED_TARGET GLOBAL libuv)
+endif ()
+
+if (PkgLibuv_FOUND)
+  set(LIBUV_INCLUDE_DIR ${PkgLibuv_INCLUDE_DIRS} CACHE FILEPATH "libuv include path")
+  set(LIBUV_LIBRARIES ${PkgLibuv_LIBRARIES} CACHE STRING "libuv libraries")
+  set(LIBUV_VERSION ${PkgLibuv_VERSION})
+  add_library(Libuv::Libuv ALIAS PkgConfig::PkgLibuv)
+  set(Libuv_FOUND ON)
+else ()
+  find_path(LIBUV_INCLUDE_DIR uv.h
+    HINTS
+    "${LIBUV_DIR}"
+    "${LIBUV_DIR}/include"
+  )
+  
+  find_library(LIBUV_LIBRARIES NAMES uv libuv
+    HINTS
+    "${LIBUV_DIR}"
+    "${LIBUV_DIR}/lib"
+  )
+  
+  if (LIBUV_INCLUDE_DIR AND LIBUV_LIBRARIES)
+    if (NOT TARGET Libuv::Libuv)
+      add_library(Libuv::Libuv UNKNOWN IMPORTED)
+      set_target_properties(Libuv::Libuv PROPERTIES
+        INTERFACE_INCLUDE_DIRECTORIES "${LIBUV_INCLUDE_DIR}"
+        IMPORTED_LINK_INTERFACE_LANGUAGES "C"
+        IMPORTED_LOCATION "${LIBUV_LIBRARIES}"
+        )
+    endif ()
+  
+    if (NOT LIBUV_VERSION AND LIBUV_INCLUDE_DIR)
+      if (EXISTS "${LIBUV_INCLUDE_DIR}/uv-version.h")
+        file(STRINGS "${LIBUV_INCLUDE_DIR}/uv-version.h" LIBUV_VER_H REGEX "^#define UV_VERSION_(MAJOR|MINOR|PATCH) ")
+      elseif (EXISTS "${LIBUV_INCLUDE_DIR}/uv/version.h")
+        file(STRINGS "${LIBUV_INCLUDE_DIR}/uv/version.h" LIBUV_VER_H REGEX "^#define UV_VERSION_(MAJOR|MINOR|PATCH) ")
+      endif ()
+      string(REGEX REPLACE "^.*_MAJOR ([0-9]+).*_MINOR ([0-9]+).*_PATCH ([0-9]+).*$" "\\1.\\2.\\3" LIBUV_VERSION "${LIBUV_VER_H}")
+    endif ()
+  endif ()
+
+  include(FindPackageHandleStandardArgs)
+  find_package_handle_standard_args(Libuv
+    REQUIRED_VARS LIBUV_LIBRARIES LIBUV_INCLUDE_DIR
+    VERSION_VAR LIBUV_VERSION
+  )
+endif ()
+
+mark_as_advanced(LIBUV_INCLUDE_DIR LIBUV_LIBRARIES)

cmake/modules/FindNettle.cmake

@@ -0,0 +1,111 @@
+#[=======================================================================[.rst:
+FindNettle
+----------
+
+Find the Nettle library.
+
+Imported targets
+^^^^^^^^^^^^^^^^
+
+This module defines the following :prop_tgt:`IMPORTED` targets:
+
+``Nettle::Nettle``
+  The Nettle library, if found.
+``Nettle::Hogweed``
+  The Hogweed library, if found.
+
+Result variables
+^^^^^^^^^^^^^^^^
+
+This module will set the following variables in your project:
+
+``Nettle_FOUND``
+  If false, do not try to use Nettle.
+``NETTLE_INCLUDE_DIR``
+  where to find Nettle headers.
+``NETTLE_LIBRARIES``
+  the libraries needed to use Nettle.
+``NETTLE_VERSION``
+  the version of the Nettle library found
+
+#]=======================================================================]
+
+find_package(PkgConfig QUIET)
+if(PKG_CONFIG_FOUND)
+  pkg_check_modules(PkgNettle IMPORTED_TARGET GLOBAL nettle)
+  pkg_check_modules(PkgHogweed IMPORTED_TARGET GLOBAL QUIET hogweed)
+endif()
+
+if(PkgNettle_FOUND AND PkHogweed_FOUND)
+  set(NETTLE_INCLUDE_DIR ${PkgNettle_INCLUDE_DIRS} ${PkgHogweed_INCLUDE_DIRS} CACHE FILEPATH "Nettle include path")
+  set(NETTLE_LIBRARIES ${PkgNettle_LIBRARIES} ${PkgHogweed_LIBRARIES} CACHE STRING "Nettle libraries")
+  set(NETTLE_VERSION ${PkgNettle_VERSION})
+  add_library(Nettle::Nettle ALIAS PkgConfig::PkgNettle)
+  add_library(Nettle::Hogweed ALIAS PkgConfig::PkgHogweed)
+  set(Nettle_FOUND ON)
+else()
+  find_path(NETTLE_INCLUDE_DIR nettle/version.h
+    HINTS
+    "${NETTLE_DIR}"
+    "${NETTLE_DIR}/include"
+  )
+  
+  find_library(NETTLE_LIBRARY NAMES nettle libnettle
+    HINTS
+    "${NETTLE_DIR}"
+    "${NETTLE_DIR}/lib"
+  )
+  
+  find_library(HOGWEED_LIBRARY NAMES hogweed libhogweed
+    HINTS
+    "${NETTLE_DIR}"
+    "${NETTLE_DIR}/lib"
+  )
+
+  set(_NETTLE_LIBRARIES ${NETTLE_LIBRARY} ${HOGWEED_LIBRARY})
+  
+  # May need gmp library on Unix.
+  if (UNIX)
+    find_library(NETTLE_GMP_LIBRARY gmp)
+  endif ()
+  if (NETTLE_GMP_LIBRARY)
+    list(APPEND _NETTLE_LIBRARIES "${NETTLE_GMP_LIBRARY}")
+ endif ()
+  set(NETTLE_LIBRARIES ${_NETTLE_LIBRARIES} CACHE STRING "nettle libraries")
+
+  
+  if (NETTLE_INCLUDE_DIR AND NETTLE_LIBRARY AND HOGWEED_LIBRARY)
+    if (NOT TARGET Nettle::Nettle)
+      add_library(Nettle::Nettle UNKNOWN IMPORTED)
+      set_target_properties(Nettle::Nettle PROPERTIES
+        INTERFACE_INCLUDE_DIRECTORIES "${NETTLE_INCLUDE_DIR}"
+        INTERFACE_LINK_LIBRARIES "${NETTLE_LIBRARIES}"
+        IMPORTED_LINK_INTERFACE_LANGUAGES "C"
+        IMPORTED_LOCATION "${NETTLE_LIBRARY}"
+        )
+    endif ()
+    if (NOT TARGET Nettle::Hogweed)
+      add_library(Nettle::Hogweed UNKNOWN IMPORTED)
+      set_target_properties(Nettle::Hogweed PROPERTIES
+        INTERFACE_INCLUDE_DIRECTORIES "${NETTLE_INCLUDE_DIR}"
+        IMPORTED_LINK_INTERFACE_LANGUAGES "C"
+        IMPORTED_LOCATION "${HOGWEED_LIBRARY}"
+        )
+    endif ()
+  
+    if (NOT NETTLE_VERSION AND NETTLE_INCLUDE_DIR)
+      file(STRINGS "${NETTLE_INCLUDE_DIR}/nettle/version.h" NETTLE_VER_H REGEX "^#define NETTLE_VERSION_(MAJOR|MINOR) ")
+      string(REGEX REPLACE "^.*_MAJOR ([0-9]+).*_MINOR ([0-9]+).*$" "\\1.\\2" NETTLE_VERSION "${NETTLE_VER_H}")
+    endif ()
+  endif()
+  
+  list(APPEND NETTLE_LIBRARIES "${NETTLE_LIBRARY}" "${HOGWEED_LIBRARY}")
+
+  include(FindPackageHandleStandardArgs)
+  find_package_handle_standard_args(Nettle
+    REQUIRED_VARS NETTLE_LIBRARIES NETTLE_INCLUDE_DIR
+    VERSION_VAR NETTLE_VERSION
+  )
+endif()
+
+mark_as_advanced(NETTLE_INCLUDE_DIR NETTLE_LIBRARIES NETTLE_LIBRARY HOGWEED_LIBRARY NETTLE_GMP_LIBRARY)

cmake/modules/TargetSharedLibraryExports.cmake

@@ -0,0 +1,27 @@
+# Export only named entry points from shared library.
+function(target_shared_library_exports lib libname symbols)
+  if (WIN32)
+    file(WRITE "${CMAKE_CURRENT_BINARY_DIR}/${libname}.def" "LIBRARY ${libname}\n  EXPORTS\n")
+    foreach (symbol IN LISTS symbols)
+      file(APPEND "${CMAKE_CURRENT_BINARY_DIR}/${libname}.def" "    ${symbol}\n")
+    endforeach ()
+    target_sources(${lib} PRIVATE "${CMAKE_CURRENT_BINARY_DIR}/${libname}.def")
+  elseif (APPLE)
+    file(WRITE "${CMAKE_CURRENT_BINARY_DIR}/${libname}.syms" "")
+    foreach (symbol IN LISTS symbols)
+      file(APPEND "${CMAKE_CURRENT_BINARY_DIR}/${libname}.syms" "_${symbol}\n")
+    endforeach ()
+    target_sources(${lib} PRIVATE "${CMAKE_CURRENT_BINARY_DIR}/${libname}.syms")
+    target_link_libraries(${lib} PRIVATE "-exported_symbols_list ${libname}.syms")
+  elseif (UNIX)
+    # Assume GNU ld.
+    file(WRITE "${CMAKE_CURRENT_BINARY_DIR}/${libname}.ver" "{ global:\n")
+    foreach (symbol IN LISTS symbols)
+      file(APPEND "${CMAKE_CURRENT_BINARY_DIR}/${libname}.ver" "  ${symbol};\n")
+    endforeach ()
+    file(APPEND "${CMAKE_CURRENT_BINARY_DIR}/${libname}.ver" "local:\n  *;\n};\n")
+    target_link_libraries(${lib} PRIVATE "-Wl,--version-script=${libname}.ver")
+  else ()
+    message(WARNING "Unknown platform, ${lib} exports not set.")
+  endif ()
+endfunction ()

cmake/modules/TargetSharedLibraryVersion.cmake

@@ -0,0 +1,25 @@
+# Add version to given shared library linkage.
+function(target_shared_library_version lib version_current version_revision version_age)
+  if (APPLE)
+    # Follow libtool. Add one to major version, as version 0 doesn't work.
+    # But tag dynlib name with current-age.
+    math(EXPR major_version "${version_current}+1")
+    math(EXPR dynlib_version "${version_current}-${version_age}")
+    set_target_properties(${lib} PROPERTIES VERSION "${dynlib_version}")
+    target_link_libraries(${lib} PRIVATE "-compatibility_version ${major_version}")
+    target_link_libraries(${lib} PRIVATE "-current_version ${major_version}.${version_revision}")
+  elseif (UNIX OR MINGW OR MSYS OR CYGWIN)
+    # Assume GNU ld, and again follow libtool. Major version is current-age.
+    math(EXPR compat_version "${version_current}-${version_age}")
+    set_target_properties(${lib} PROPERTIES VERSION "${compat_version}.${version_age}.${version_revision}" SOVERSION "${compat_version}")
+  elseif (WIN32)
+    set(rc_template "${CMAKE_CURRENT_SOURCE_DIR}/cmake/include/${lib}_version.rc.in")
+    if (EXISTS ${rc_template})
+      configure_file(${rc_template} ${lib}.rc @ONLY)
+      target_sources(${lib} PRIVATE ${lib}.rc)
+    endif ()
+    target_link_libraries(${lib} PRIVATE "-VERSION:${version_current}.${version_revision}")
+  else ()
+    message(WARNING "Unknown platform, ${lib} will not be versioned.")
+  endif ()
+endfunction ()

cmake/tests/test___func__.c

@@ -0,0 +1,4 @@
+int main (int ac, char *av[])
+{
+	char *s = __func__;
+}

cmake/tests/test_poll.c

@@ -0,0 +1,11 @@
+#ifdef HAVE_SYS_POLL_H
+#include <sys/poll.h>
+#else
+#include <poll.h>
+#endif
+
+int main (int ac, char *av[])
+{
+    int rc;
+    rc = poll((struct pollfd *)(0), 0, 0);
+}

cmake/tests/test_uv_cb.c

@@ -0,0 +1,12 @@
+#include <uv.h>
+
+void test_cb(uv_timer_t *handle)
+{
+    (void) handle;
+}
+
+int main(int ac, char *av[])
+{
+    uv_timer_cb cb = test_cb;
+    (*cb)(0);
+}

doc/Makefile.in

@@ -1,93 +0,0 @@
-#
-# @configure_input@
-#
-#
-# Copyright (c) 2013, Verisign, Inc., NLnet Labs
-# All rights reserved.
-# 
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-#   notice, this list of conditions and the following disclaimer in the
-#   documentation and/or other materials provided with the distribution.
-# * Neither the names of the copyright holders nor the
-#   names of its contributors may be used to endorse or promote products
-#   derived from this software without specific prior written permission.
-# 
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
-# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package = @PACKAGE_NAME@
-version = @PACKAGE_VERSION@
-tarname = @PACKAGE_TARNAME@
-distdir = $(tarname)-$(version)
-
-api_version = @API_VERSION@
-
-prefix = @prefix@
-exec_prefix = @exec_prefix@
-bindir = @bindir@
-# datarootdir is here to please some checkers
-datarootdir=@datarootdir@
-mandir = @mandir@
-INSTALL = @INSTALL@
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-
-EDITS=-e 's/@''version@/$(version)/g'
-DOXYGEN = @DOXYGEN@
-
-DOCDIRS = html latex man
-MANPAGES3 = libgetdns.3 getdns_address.3 getdns_cancel_callback.3 getdns_context.3 getdns_context_set.3 getdns_context_set_context_update_callback.3 getdns_convert.3 getdns_dict.3 getdns_dict_get.3 getdns_dict_set.3 getdns_display_ip_address.3 getdns_general.3 getdns_hostname.3 getdns_list.3 getdns_list_get.3 getdns_list_set.3 getdns_pretty_print_dict.3 getdns_root_trust_anchor.3 getdns_service.3 getdns_validate_dnssec.3 
-
-default: all
-
-all: doc
-
-doc: 	$(MANPAGES3)
-	if test x_$(DOXYGEN) != x_ ; then cd ../src; doxygen; fi
-
-.SUFFIXES: .3.in .3
-.3.in.3:
-	sed $(EDITS) -e "s/@date@/$(api_version)/g" $< > $@
-
-# we assume that we want a separate file for each "name" specified for each man page
-# and consider these "alternate names" simple copies of the main man page
-install:	$(MANPAGES3)
-	$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)
-	$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man3
-	for x in $(MANPAGES3); do echo $(INSTALL) -m 644 $$x $(DESTDIR)$(mandir)/man3; $(INSTALL) -m 644 $$x $(DESTDIR)$(mandir)/man3; for altpg in $$($(srcdir)/manpgaltnames $$x); do cp $$x $$altpg; echo $(INSTALL) -m 644 $$altpg $(DESTDIR)$(mandir)/man3; $(INSTALL) -m 644 $$altpg $(DESTDIR)$(mandir)/man3; done; done
-
-check: $(MANPAGES3)
-	for x in $(MANPAGES3); do LC_ALL=en_US.UTF-8 MANROFFSEQ='' MANWIDTH=80 man --warnings -E UTF-8 -l -Tutf8 -Z $$x 2>&1 >/dev/null | awk "-vpage=$$x" '{printf("%s: ", page);print}'; if ! lexgrog $$x >/dev/null 2>&1 ; then echo $$x: manpage-has-bad-whatis-entry; fi; done
-
-uninstall:
-	for x in $(MANPAGES3); do echo rm -f $(DESTDIR)$(mandir)/man3/$$x; rm -f $(DESTDIR)$(mandir)/man3/$$x; for altpg in $$($(srcdir)/manpgaltnames $$x); do echo rm -f $(DESTDIR)$(mandir)/man3/$$altpg;  rm -f $(DESTDIR)$(mandir)/man3/$$altpg; done; done
-
-clean:
-	for x in $(MANPAGES3); do rm -f $$($(srcdir)/manpgaltnames $$x); done
-	rm -f tagfile
-	rm -rf $(DOCDIRS) $(MANPAGES3)
-
-distclean : clean
-	rm -f Makefile config.status config.log
-	rm -Rf autom4te.cache
-
-Makefile: Makefile.in ../config.status
-	cd .. && ./config.status $@
-
-configure.status: configure
-	cd .. && ./config.status --recheck
-
-.PHONY: clean $(DOC)

doc/getdns_general.3.in

@@ -76,7 +76,7 @@ getdns_dict **response)
 The getdns_general(3) and getdns_general_sync functions provide public entry
 points into the getdns API library to retrieve any valid responses to a query
 from the DNS (note that other namespaces in the context are not used).   Most
-typical use cases for applications are probably satisifed via calls to
+typical use cases for applications are probably satisfied via calls to
 getdns_address(3) which would replace getaddrinfo(3).
 
 .HP 3

getdns.pc.in

@@ -1,7 +1,7 @@
 prefix=@prefix@
 exec_prefix=${prefix}
-libdir=${exec_prefix}/lib
-includedir=${prefix}/include
+libdir=@libdir_for_pc_file@
+includedir=@includedir_for_pc_file@
 
 Name: getdns
 Version: @GETDNS_VERSION@

getdns_ext_event.pc.in

@@ -1,7 +1,7 @@
 prefix=@prefix@
 exec_prefix=${prefix}
-libdir=${exec_prefix}/lib
-includedir=${prefix}/include
+libdir=${exec_prefix}/@CMAKE_INSTALL_LIBDIR@
+includedir=${prefix}/@CMAKE_INSTALL_INCLUDEDIR@
 
 Name: getdns_ext_event
 Version: @GETDNS_VERSION@

m4/acx_getaddrinfo.m4

@@ -1,81 +0,0 @@
-# Taken from acx_nlnetlabs.m4 - common macros for configure checks
-# Copyright 2009, Wouter Wijngaards, NLnet Labs.   
-# BSD licensed.
-#
-
-dnl Check getaddrinfo.
-dnl Works on linux, solaris, bsd and windows(links winsock).
-dnl defines HAVE_GETADDRINFO, USE_WINSOCK.
-AC_DEFUN([ACX_CHECK_GETADDRINFO_WITH_INCLUDES],
-[AC_REQUIRE([AC_PROG_CC])
-AC_MSG_CHECKING(for getaddrinfo)
-ac_cv_func_getaddrinfo=no
-AC_LINK_IFELSE(
-[AC_LANG_SOURCE([[
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-char* getaddrinfo();
-char* (*f) () = getaddrinfo;
-#ifdef __cplusplus
-}
-#endif
-int main() {
-        ;
-        return 0;
-}
-]])],
-dnl this case on linux, solaris, bsd
-[ac_cv_func_getaddrinfo="yes"
-dnl see if on windows
-if test "$ac_cv_header_windows_h" = "yes"; then
-	AC_DEFINE(USE_WINSOCK, 1, [Whether the windows socket API is used])
-	USE_WINSOCK="1"
-	LIBS="$LIBS -lws2_32 -lcrypt32"
-fi
-],
-dnl no quick getaddrinfo, try mingw32 and winsock2 library.
-ORIGLIBS="$LIBS"
-LIBS="$LIBS -lws2_32 -lcrypt32"
-AC_LINK_IFELSE(
-[AC_LANG_PROGRAM(
-[
-#define _WIN32_WINNT 0x0501
-#ifdef HAVE_WINDOWS_H
-#include <windows.h>
-#endif
-#ifdef HAVE_WINSOCK_H
-#include <winsock.h>
-#endif
-#ifdef HAVE_WINSOCK2_H
-#include <winsock2.h>
-#endif
-#include <stdio.h>
-#ifdef HAVE_WS2TCPIP_H
-#include <ws2tcpip.h>
-#endif
-],
-[
-        (void)getaddrinfo(NULL, NULL, NULL, NULL);
-]
-)],
-[
-ac_cv_func_getaddrinfo="yes"
-dnl already: LIBS="$LIBS -lws2_32 -lcrypt32"
-AC_DEFINE(USE_WINSOCK, 1, [Whether the windows socket API is used])
-USE_WINSOCK="1"
-],
-[
-ac_cv_func_getaddrinfo="no"
-LIBS="$ORIGLIBS"
-])
-)
-
-AC_MSG_RESULT($ac_cv_func_getaddrinfo)
-if test $ac_cv_func_getaddrinfo = yes; then
-  AC_DEFINE(HAVE_GETADDRINFO, 1, [Whether getaddrinfo is available])
-fi
-])dnl Endof AC_CHECK_GETADDRINFO_WITH_INCLUDES
-
-dnl End of file

m4/acx_openssl.m4

@@ -1,164 +0,0 @@
-# Taken from acx_nlnetlabs.m4 - common macros for configure checks
-# Copyright 2009, Wouter Wijngaards, NLnet Labs.   
-# BSD licensed.
-#
-dnl Add a -R to the RUNTIME_PATH.  Only if rpath is enabled and it is
-dnl an absolute path.
-dnl $1: the pathname to add.
-AC_DEFUN([ACX_RUNTIME_PATH_ADD], [
-	if test "x$enable_rpath" = xyes; then
-		if echo "$1" | grep "^/" >/dev/null; then
-			RUNTIME_PATH="$RUNTIME_PATH -R$1"
-		fi
-	fi
-])
-dnl Common code for both ACX_WITH_SSL and ACX_WITH_SSL_OPTIONAL
-dnl Takes one argument; the withval checked in those 2 functions
-dnl sets up the environment for the given openssl path
-AC_DEFUN([ACX_SSL_CHECKS], [
-    withval=$1
-    if test x_$withval != x_no; then
-        AC_MSG_CHECKING(for SSL)
-        if test x_$withval = x_ -o x_$withval = x_yes; then
-            withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr"
-        fi
-        for dir in $withval; do
-            ssldir="$dir"
-            if test -f "$dir/include/openssl/ssl.h"; then
-                found_ssl="yes"
-                AC_DEFINE_UNQUOTED([HAVE_SSL], [], [Define if you have the SSL libraries installed.])
-                dnl assume /usr/include is already in the include-path.
-                if test "$ssldir" != "/usr"; then
-                        CPPFLAGS="$CPPFLAGS -I$ssldir/include"
-                        LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include"
-                fi
-                break;
-            fi
-        done
-        if test x_$found_ssl != x_yes; then
-            AC_MSG_ERROR(Cannot find the SSL libraries in $withval)
-        else
-            AC_MSG_RESULT(found in $ssldir)
-            HAVE_SSL=yes
-            dnl assume /usr is already in the lib and dynlib paths.
-            if test "$ssldir" != "/usr" -a "$ssldir" != ""; then
-                LDFLAGS="$LDFLAGS -L$ssldir/lib"
-                LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
-                ACX_RUNTIME_PATH_ADD([$ssldir/lib])
-            fi
-        
-            AC_MSG_CHECKING([for HMAC_Update in -lcrypto])
-            LIBS="-lssl -lcrypto $LIBS"
-            LIBSSL_LIBS="-lssl -lcrypto $LIBSSL_LIBS"
-            AC_TRY_LINK(, [
-                int HMAC_Update(void);
-                (void)HMAC_Update();
-              ], [
-                AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
-                          [If you have HMAC_Update])
-                AC_MSG_RESULT(yes)
-              ], [
-                AC_MSG_RESULT(no)
-                # check if -lwsock32 or -lgdi32 are needed.	
-                BAKLIBS="$LIBS"
-                BAKSSLLIBS="$LIBSSL_LIBS"
-                LIBS="$LIBS -lgdi32"
-                LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32"
-                AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
-                AC_TRY_LINK([], [
-                    int HMAC_Update(void);
-                    (void)HMAC_Update();
-                  ],[
-                    AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
-                        [If you have HMAC_Update])
-                    AC_MSG_RESULT(yes) 
-                  ],[
-                    AC_MSG_RESULT(no)
-                    LIBS="$BAKLIBS"
-                    LIBSSL_LIBS="$BAKSSLLIBS"
-                    LIBS="$LIBS -ldl"
-                    LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
-                    AC_MSG_CHECKING([if -lcrypto needs -ldl])
-                    AC_TRY_LINK([], [
-                        int HMAC_Update(void);
-                        (void)HMAC_Update();
-                      ],[
-                        AC_DEFINE([HAVE_HMAC_UPDATE], 1, 
-                            [If you have HMAC_Update])
-                        AC_MSG_RESULT(yes) 
-                      ],[
-                        AC_MSG_RESULT(no)
-                    AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
-                    ])
-                ])
-            ])
-        fi
-        AC_SUBST(HAVE_SSL)
-        AC_SUBST(RUNTIME_PATH)
-    fi
-AC_CHECK_HEADERS([openssl/ssl.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_HEADERS([openssl/err.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_HEADERS([openssl/rand.h],,, [AC_INCLUDES_DEFAULT])
-
-dnl TLS v1.2 requires OpenSSL 1.0.1
-AC_CHECK_FUNC(TLSv1_2_client_method,AC_DEFINE([HAVE_TLS_v1_2], [1],
-    [Define if you have libssl with tls 1.2]),[AC_MSG_WARN([Cannot find TLSv1_2_client_method in libssl library. TLS will not be available.])])
-
-dnl Native OpenSSL hostname verification requires OpenSSL 1.0.2
-AC_CHECK_FUNC(SSL_CTX_get0_param,AC_DEFINE([HAVE_SSL_HN_AUTH], [1],
-    [Define if you have libssl with host name verification]),[AC_MSG_WARN([Cannot find SSL_CTX_get0_param in libssl library. TLS hostname verification will not be available.])])
-])
-
-dnl Check for SSL, where SSL is mandatory
-dnl Adds --with-ssl option, searches for openssl and defines HAVE_SSL if found
-dnl Setup of CPPFLAGS, CFLAGS.  Adds -lcrypto to LIBS. 
-dnl Checks main header files of SSL.
-dnl
-AC_DEFUN([ACX_WITH_SSL],
-[
-AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname],
-                                    [enable SSL (will check /usr/local/ssl
-                            /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
-        ],[
-            withval="yes"
-        ])
-    if test x_$withval = x_no; then
-	AC_MSG_ERROR([Need SSL library to do digital signature cryptography])
-    fi
-    ACX_SSL_CHECKS($withval)
-])dnl End of ACX_WITH_SSL
-
-dnl Check for SSL, where ssl is optional (--without-ssl is allowed)
-dnl Adds --with-ssl option, searches for openssl and defines HAVE_SSL if found
-dnl Setup of CPPFLAGS, CFLAGS.  Adds -lcrypto to LIBS. 
-dnl Checks main header files of SSL.
-dnl
-AC_DEFUN([ACX_WITH_SSL_OPTIONAL],
-[
-AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname],
-                                [enable SSL (will check /usr/local/ssl
-                                /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
-        ],[
-            withval="yes"
-        ])
-    ACX_SSL_CHECKS($withval)
-])dnl End of ACX_WITH_SSL_OPTIONAL
-
-dnl Setup to use -lssl
-dnl To use -lcrypto, use the ACX_WITH_SSL setup (before this one).
-AC_DEFUN([ACX_LIB_SSL],
-[
-# check if libssl needs libdl
-BAKLIBS="$LIBS"
-LIBS="-lssl $LIBS"
-AC_MSG_CHECKING([if libssl needs libdl])
-AC_TRY_LINK_FUNC([SSL_CTX_new], [
-	AC_MSG_RESULT([no])
-	LIBS="$BAKLIBS"
-] , [
-	AC_MSG_RESULT([yes])
-	LIBS="$BAKLIBS"
-	AC_SEARCH_LIBS([dlopen], [dl])
-]) ])dnl End of ACX_LIB_SSL
-
-

m4/ax_check_compile_flag.m4

@@ -1,74 +0,0 @@
-# ===========================================================================
-#   http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
-# ===========================================================================
-#
-# SYNOPSIS
-#
-#   AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
-#
-# DESCRIPTION
-#
-#   Check whether the given FLAG works with the current language's compiler
-#   or gives an error.  (Warnings, however, are ignored)
-#
-#   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
-#   success/failure.
-#
-#   If EXTRA-FLAGS is defined, it is added to the current language's default
-#   flags (e.g. CFLAGS) when the check is done.  The check is thus made with
-#   the flags: "CFLAGS EXTRA-FLAGS FLAG".  This can for example be used to
-#   force the compiler to issue an error when a bad flag is given.
-#
-#   INPUT gives an alternative input source to AC_COMPILE_IFELSE.
-#
-#   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
-#   macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
-#
-# LICENSE
-#
-#   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
-#   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
-#
-#   This program is free software: you can redistribute it and/or modify it
-#   under the terms of the GNU General Public License as published by the
-#   Free Software Foundation, either version 3 of the License, or (at your
-#   option) any later version.
-#
-#   This program is distributed in the hope that it will be useful, but
-#   WITHOUT ANY WARRANTY; without even the implied warranty of
-#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
-#   Public License for more details.
-#
-#   You should have received a copy of the GNU General Public License along
-#   with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-#   As a special exception, the respective Autoconf Macro's copyright owner
-#   gives unlimited permission to copy, distribute and modify the configure
-#   scripts that are the output of Autoconf when processing the Macro. You
-#   need not follow the terms of the GNU General Public License when using
-#   or distributing such scripts, even though portions of the text of the
-#   Macro appear in them. The GNU General Public License (GPL) does govern
-#   all other use of the material that constitutes the Autoconf Macro.
-#
-#   This special exception to the GPL applies to versions of the Autoconf
-#   Macro released by the Autoconf Archive. When you make and distribute a
-#   modified version of the Autoconf Macro, you may extend this special
-#   exception to the GPL to apply to your modified version as well.
-
-#serial 3
-
-AC_DEFUN([AX_CHECK_COMPILE_FLAG],
-[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX
-AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
-AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
-  ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
-  _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
-  AC_COMPILE_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])],
-    [AS_VAR_SET(CACHEVAR,[yes])],
-    [AS_VAR_SET(CACHEVAR,[no])])
-  _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
-AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
-  [m4_default([$2], :)],
-  [m4_default([$3], :)])
-AS_VAR_POPDEF([CACHEVAR])dnl
-])dnl AX_CHECK_COMPILE_FLAGS

m4/pkg.m4

@@ -1,214 +0,0 @@
-# pkg.m4 - Macros to locate and utilise pkg-config.            -*- Autoconf -*-
-# serial 1 (pkg-config-0.24)
-# 
-# Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# PKG_PROG_PKG_CONFIG([MIN-VERSION])
-# ----------------------------------
-AC_DEFUN([PKG_PROG_PKG_CONFIG],
-[m4_pattern_forbid([^_?PKG_[A-Z_]+$])
-m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$])
-m4_pattern_allow([^PKG_CONFIG_(DISABLE_UNINSTALLED|TOP_BUILD_DIR|DEBUG_SPEW)$])
-AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])
-AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path])
-AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path])
-
-if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
-	AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
-fi
-if test -n "$PKG_CONFIG"; then
-	_pkg_min_version=m4_default([$1], [0.9.0])
-	AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version])
-	if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
-		AC_MSG_RESULT([yes])
-	else
-		AC_MSG_RESULT([no])
-		PKG_CONFIG=""
-	fi
-fi[]dnl
-])# PKG_PROG_PKG_CONFIG
-
-# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
-#
-# Check to see whether a particular set of modules exists.  Similar
-# to PKG_CHECK_MODULES(), but does not set variables or print errors.
-#
-# Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG])
-# only at the first occurence in configure.ac, so if the first place
-# it's called might be skipped (such as if it is within an "if", you
-# have to call PKG_CHECK_EXISTS manually
-# --------------------------------------------------------------
-AC_DEFUN([PKG_CHECK_EXISTS],
-[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
-if test -n "$PKG_CONFIG" && \
-    AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
-  m4_default([$2], [:])
-m4_ifvaln([$3], [else
-  $3])dnl
-fi])
-
-# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
-# ---------------------------------------------
-m4_define([_PKG_CONFIG],
-[if test -n "$$1"; then
-    pkg_cv_[]$1="$$1"
- elif test -n "$PKG_CONFIG"; then
-    PKG_CHECK_EXISTS([$3],
-                     [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`
-		      test "x$?" != "x0" && pkg_failed=yes ],
-		     [pkg_failed=yes])
- else
-    pkg_failed=untried
-fi[]dnl
-])# _PKG_CONFIG
-
-# _PKG_SHORT_ERRORS_SUPPORTED
-# -----------------------------
-AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED],
-[AC_REQUIRE([PKG_PROG_PKG_CONFIG])
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
-        _pkg_short_errors_supported=yes
-else
-        _pkg_short_errors_supported=no
-fi[]dnl
-])# _PKG_SHORT_ERRORS_SUPPORTED
-
-
-# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
-# [ACTION-IF-NOT-FOUND])
-#
-#
-# Note that if there is a possibility the first call to
-# PKG_CHECK_MODULES might not happen, you should be sure to include an
-# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac
-#
-#
-# --------------------------------------------------------------
-AC_DEFUN([PKG_CHECK_MODULES],
-[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
-AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl
-AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
-
-pkg_failed=no
-AC_MSG_CHECKING([for $1])
-
-_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
-_PKG_CONFIG([$1][_LIBS], [libs], [$2])
-
-m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS
-and $1[]_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.])
-
-if test $pkg_failed = yes; then
-   	AC_MSG_RESULT([no])
-        _PKG_SHORT_ERRORS_SUPPORTED
-        if test $_pkg_short_errors_supported = yes; then
-	        $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1`
-        else 
-	        $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1`
-        fi
-	# Put the nasty error message in config.log where it belongs
-	echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
-
-	m4_default([$4], [AC_MSG_ERROR(
-[Package requirements ($2) were not met:
-
-$$1_PKG_ERRORS
-
-Consider adjusting the PKG_CONFIG_PATH environment variable if you
-installed software in a non-standard prefix.
-
-_PKG_TEXT])[]dnl
-        ])
-elif test $pkg_failed = untried; then
-     	AC_MSG_RESULT([no])
-	m4_default([$4], [AC_MSG_FAILURE(
-[The pkg-config script could not be found or is too old.  Make sure it
-is in your PATH or set the PKG_CONFIG environment variable to the full
-path to pkg-config.
-
-_PKG_TEXT
-
-To get pkg-config, see <http://pkg-config.freedesktop.org/>.])[]dnl
-        ])
-else
-	$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
-	$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
-        AC_MSG_RESULT([yes])
-	$3
-fi[]dnl
-])# PKG_CHECK_MODULES
-
-
-# PKG_INSTALLDIR(DIRECTORY)
-# -------------------------
-# Substitutes the variable pkgconfigdir as the location where a module
-# should install pkg-config .pc files. By default the directory is
-# $libdir/pkgconfig, but the default can be changed by passing
-# DIRECTORY. The user can override through the --with-pkgconfigdir
-# parameter.
-AC_DEFUN([PKG_INSTALLDIR],
-[m4_pushdef([pkg_default], [m4_default([$1], ['${libdir}/pkgconfig'])])
-m4_pushdef([pkg_description],
-    [pkg-config installation directory @<:@]pkg_default[@:>@])
-AC_ARG_WITH([pkgconfigdir],
-    [AS_HELP_STRING([--with-pkgconfigdir], pkg_description)],,
-    [with_pkgconfigdir=]pkg_default)
-AC_SUBST([pkgconfigdir], [$with_pkgconfigdir])
-m4_popdef([pkg_default])
-m4_popdef([pkg_description])
-]) dnl PKG_INSTALLDIR
-
-
-# PKG_NOARCH_INSTALLDIR(DIRECTORY)
-# -------------------------
-# Substitutes the variable noarch_pkgconfigdir as the location where a
-# module should install arch-independent pkg-config .pc files. By
-# default the directory is $datadir/pkgconfig, but the default can be
-# changed by passing DIRECTORY. The user can override through the
-# --with-noarch-pkgconfigdir parameter.
-AC_DEFUN([PKG_NOARCH_INSTALLDIR],
-[m4_pushdef([pkg_default], [m4_default([$1], ['${datadir}/pkgconfig'])])
-m4_pushdef([pkg_description],
-    [pkg-config arch-independent installation directory @<:@]pkg_default[@:>@])
-AC_ARG_WITH([noarch-pkgconfigdir],
-    [AS_HELP_STRING([--with-noarch-pkgconfigdir], pkg_description)],,
-    [with_noarch_pkgconfigdir=]pkg_default)
-AC_SUBST([noarch_pkgconfigdir], [$with_noarch_pkgconfigdir])
-m4_popdef([pkg_default])
-m4_popdef([pkg_description])
-]) dnl PKG_NOARCH_INSTALLDIR
-
-
-# PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
-# [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
-# -------------------------------------------
-# Retrieves the value of the pkg-config variable for the given module.
-AC_DEFUN([PKG_CHECK_VAR],
-[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
-AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
-
-_PKG_CONFIG([$1], [variable="][$3]["], [$2])
-AS_VAR_COPY([$1], [pkg_cv_][$1])
-
-AS_VAR_IF([$1], [""], [$5], [$4])dnl
-])# PKG_CHECK_VAR

project-doc/freebsd-tests-notes.txt

@@ -0,0 +1,10 @@
+pkg update
+pkg upgrade
+pkg install -y gawk unbound valgrind bash check cmake git libyaml libevent libuv
+git clone git@github.com:getdnsapi/getdns.git
+cd getdns/
+git checkout remotes/origin/release/1.6.0-beta.1
+mkdir test
+cd test/
+../src/test/tpkg/run-all.sh
+

project-doc/makedist.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+[ ! -f git-archive-all.sh ] && wget "https://raw.githubusercontent.com/meitar/git-archive-all.sh/master/git-archive-all.sh"
+[ ! -x git-archive-all.sh ] && chmod +x git-archive-all.sh
+[ ! -f git-archive-all.sh ] && exit 1
+GIT_ARCHIVE="`pwd`/git-archive-all.sh"
+git submodule update --init
+GIT_ROOT=`git rev-parse --show-toplevel`
+version=`awk '/^set\(PACKAGE_VERSION/{V=$2}
+              /^set\(RELEASE_CANDIDATE/{RC=$2}
+              END{print V""RC}' "$GIT_ROOT/CMakeLists.txt" | sed 's/[")]//g'`
+output_file="getdns-${version}.tar.gz"
+( cd "$GIT_ROOT" \
+  && "$GIT_ARCHIVE" --prefix "getdns-$version/" --format tar.gz \
+                    --worktree-attributes -- - ) > "$output_file"
+openssl md5 "$output_file" > "${output_file}.md5"
+openssl sha1 "$output_file" > "${output_file}.sha1"
+openssl sha256 "$output_file" > "${output_file}.sha256"
+gpg --armor --detach-sig "$output_file"
+[ -f "$output_file" -a -f "${output_file}.md5" -a -f "${output_file}.sha1" -a -f "${output_file}.sha256" -a -f "${output_file}.asc" ] \
+&& rm git-archive-all.sh

project-doc/packages.txt

@@ -0,0 +1,20 @@
+Some notes about packages and maintainers.
+
+For Homebrew, created and maintained by ilovezfs
+https://github.com/Homebrew/homebrew-core/Formula/getdns.rb
+https://github.com/Homebrew/homebrew-core/Formula/stubby.rb
+
+For Arch, created and maintained by Bruno Pagani (ArchangeGabriel)
+
+For OpenWRT, created and maintained by David Mora (iamperson347)
+https://github.com/openwrt/packages/tree/master/libs/getdns
+https://github.com/openwrt/packages/tree/master/net/stubby
+
+For AstLinux Project, created and maintained by Lonnie Abelbeck (abelbeck)
+https://github.com/astlinux-project/astlinux/tree/master/package/getdns
+
+For Genode, created and maintained by Emery Hemingway (ehmry)
+https://github.com/genodelabs/genode/blob/master/repos/ports/ports/getdns.port
+
+For Gentoo, created and maintained by CaseOf (Quentin R.?)
+https://packages.gentoo.org/packages/net-dns/getdns

spec/example/Makefile.in

@@ -1,172 +0,0 @@
-#
-# @configure_input@
-#
-# Copyright (c) 2013, Verisign, Inc., NLNet Labs
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-#   notice, this list of conditions and the following disclaimer in the
-#   documentation and/or other materials provided with the distribution.
-# * Neither the names of the copyright holders nor the
-#   names of its contributors may be used to endorse or promote products
-#   derived from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
-# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package = @PACKAGE_NAME@
-version = @PACKAGE_VERSION@
-tarname = @PACKAGE_TARNAME@
-distdir = $(tarname)-$(version)
-
-prefix = @prefix@
-exec_prefix = @exec_prefix@
-bindir = @bindir@
-LIBTOOL = ../../libtool
-
-srcdir = @srcdir@
-
-EXTENSION_LIBEVENT_EXT_LIBS=@EXTENSION_LIBEVENT_EXT_LIBS@
-EXTENSION_LIBEVENT_LDFLAGS=@EXTENSION_LIBEVENT_LDFLAGS@
-EXTENSION_LIBEVENT_LIB=../../src/libgetdns_ext_event.la
-
-CC=@CC@
-CFLAGS=-I$(srcdir) -I$(srcdir)/../../src -I../../src @CFLAGS@
-LDFLAGS=@LDFLAGS@ -L../../src
-LDLIBS=../../src/libgetdns.la @LIBS@
-
-
-OBJS=example-all-functions.lo example-simple-answers.lo example-tree.lo example-synchronous.lo example-reverse.lo
-
-PROGRAMS=example-all-functions example-synchronous example-simple-answers example-tree example-reverse
-
-.SUFFIXES: .c .o .a .lo .h
-
-.c.o:
-	$(CC) $(CFLAGS) -c $< -o $@
-
-.c.lo:
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $< -o $@
-
-default: all
-example: all
-
-all: $(PROGRAMS)
-
-$(OBJS):
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(srcdir)/$(@:.lo=.c) -o $@
-
-example-all-functions: example-all-functions.lo
-	 $(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) $(LDFLAGS) $(LDLIBS) -o $@ example-all-functions.lo
-
-example-synchronous: example-synchronous.lo
-	 $(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) $(LDFLAGS) $(LDLIBS) -o $@ example-synchronous.lo
-
-$(EXTENSION_LIBEVENT_LIB):
-	@echo "***"
-	@echo "*** Three examples from the specification need libevent."
-	@echo "*** libevent was not found or usable at configure time."
-	@echo "*** To compile and run all examples from the spec, make sure"
-	@echo "*** libevent is available and usable during configuration."
-	@echo "***"
-	@false
-
-example-simple-answers:	example-simple-answers.lo $(EXTENSION_LIBEVENT_LIB)
-	 $(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) $(LDFLAGS) $(EXTENSION_LIBEVENT_LIB) $(EXTENSION_LIBEVENT_LDFLAGS) $(EXTENSION_LIBEVENT_EXT_LIBS) $(LDLIBS) -o $@ example-simple-answers.lo
-
-example-tree: example-tree.lo $(EXTENSION_LIBEVENT_LIB)
-	 $(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) $(LDFLAGS) $(EXTENSION_LIBEVENT_LIB) $(EXTENSION_LIBEVENT_LDFLAGS) $(EXTENSION_LIBEVENT_EXT_LIBS) $(LDLIBS) -o $@ example-tree.lo
-
-example-reverse: example-reverse.lo $(EXTENSION_LIBEVENT_LIB)
-	 $(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) $(LDFLAGS) $(EXTENSION_LIBEVENT_LIB) $(EXTENSION_LIBEVENT_LDFLAGS) $(EXTENSION_LIBEVENT_EXT_LIBS) $(LDLIBS) -o $@ example-reverse.lo
-
-clean:
-	rm -f *.o *.lo $(PROGRAMS)
-	rm -rf .libs
-
-distclean : clean
-	rm -f Makefile config.status config.log
-	rm -Rf autom4te.cache
-
-$(distdir): FORCE
-	mkdir -p $(distdir)/src
-	cp configure.ac $(distdir)
-	cp configure $(distdir)
-	cp Makefile.in $(distdir)
-	cp src/Makefile.in $(distdir)/src
-
-distcheck: $(distdir).tar.gz
-	gzip -cd $(distdir).tar.gz | tar xvf -
-	cd $(distdir) && ./configure
-	cd $(distdir) && $(MAKE) all
-	cd $(distdir) && $(MAKE) check
-	cd $(distdir) && $(MAKE) DESTDIR=$${PWD}/_inst install
-	cd $(distdir) && $(MAKE) DESTDIR=$${PWD}/_inst uninstall
-	@remaining="`find $${PWD}/$(distdir)/_inst -type f | wc -l`"; \
-	if test "$${remaining}" -ne 0; then
-	  echo "@@@ $${remaining} file(s) remaining in stage directory!"; \
-	  exit 1; \
-	fi
-	cd $(distdir) && $(MAKE) clean
-	rm -rf $(distdir)
-	@echo "*** Package $(distdir).tar.gz is ready for distribution"
-
-Makefile: $(srcdir)/Makefile.in ../../config.status
-	cd ../.. && ./config.status spec/example/Makefile
-
-configure.status: configure
-	cd ../.. && ./config.status --recheck
-
-.PHONY: clean
-
-depend:
-	(cd $(srcdir) ; awk 'BEGIN{P=1}{if(P)print}/^# Dependencies/{P=0}' Makefile.in > Makefile.in.new )
-	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I../../src -I"$$blddir"/../../src *.c | \
-		sed -e "s? $$blddir/? ?g" \
-		    -e 's? \([a-z_-]*\)\.\([ch]\)? $$(srcdir)/\1.\2?g' \
-		    -e 's? \$$(srcdir)/\.\./\.\./src/config\.h? ../../src/config.h?g' \
-		    -e 's? $$(srcdir)/\.\./\.\./src/getdns/getdns_extra\.h? ../../src/getdns/getdns_extra.h?g' \
-		    -e 's? \.\./\.\./src/getdns/getdns_ext_libevent\.h? $$(srcdir)/../../src/getdns/getdns_ext_libevent.h?g' \
-		    -e 's? \.\./\.\./src/getdns/getdns_ext_libev\.h? $$(srcdir)/../../src/getdns/getdns_ext_libev.h?g' \
-		    -e 's? \.\./\.\./src/getdns/getdns_ext_libuv\.h? $$(srcdir)/../../src/getdns/getdns_ext_libuv.h?g' \
-		    -e 's? \.\./\.\./src/debug\.h? $$(srcdir)/../../src/debug.h?g' \
-		    -e 's!\(.*\)\.o[ :]*!\1.lo \1.o: !g' >> Makefile.in.new )
-	(cd $(srcdir) ; diff Makefile.in.new Makefile.in && rm Makefile.in.new \
-	                                                 || mv Makefile.in.new Makefile.in )
-
-
-# Dependencies for the examples
-example-all-functions.lo example-all-functions.o: $(srcdir)/example-all-functions.c $(srcdir)/getdns_libevent.h \
- ../../src/config.h \
- ../../src/getdns/getdns.h \
- $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
- ../../src/getdns/getdns_extra.h
-example-reverse.lo example-reverse.o: $(srcdir)/example-reverse.c $(srcdir)/getdns_libevent.h \
- ../../src/config.h \
- ../../src/getdns/getdns.h \
- $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
- ../../src/getdns/getdns_extra.h
-example-simple-answers.lo example-simple-answers.o: $(srcdir)/example-simple-answers.c $(srcdir)/getdns_libevent.h \
- ../../src/config.h \
- ../../src/getdns/getdns.h \
- $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
- ../../src/getdns/getdns_extra.h
-example-synchronous.lo example-synchronous.o: $(srcdir)/example-synchronous.c $(srcdir)/getdns_core_only.h \
- ../../src/getdns/getdns.h
-example-tree.lo example-tree.o: $(srcdir)/example-tree.c $(srcdir)/getdns_libevent.h \
- ../../src/config.h \
- ../../src/getdns/getdns.h \
- $(srcdir)/../../src/getdns/getdns_ext_libevent.h \
- ../../src/getdns/getdns_extra.h

src/Doxyfile.in

@@ -58,7 +58,7 @@ PROJECT_LOGO           =
 # entered, it will be relative to the location where doxygen was started. If
 # left blank the current directory will be used.
 
-OUTPUT_DIRECTORY       = ../doc
+OUTPUT_DIRECTORY       = doc
 
 # If the CREATE_SUBDIRS tag is set to YES then doxygen will create 4096 sub-
 # directories (in 2 levels) under the output directory of each output format and

src/Makefile.in

@@ -1,618 +0,0 @@
-#
-# @configure_input@
-#
-# Copyright (c) 2013, Verisign, Inc., NLnet Labs
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-#   notice, this list of conditions and the following disclaimer in the
-#   documentation and/or other materials provided with the distribution.
-# * Neither the names of the copyright holders nor the
-#   names of its contributors may be used to endorse or promote products
-#   derived from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
-# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package = @PACKAGE_NAME@
-version = @PACKAGE_VERSION@
-tarname = @PACKAGE_TARNAME@
-distdir = $(tarname)-$(version)
-libversion = @GETDNS_LIBVERSION@
-
-prefix = @prefix@
-exec_prefix = @exec_prefix@
-bindir = @bindir@
-sbindir = @sbindir@
-libdir = @libdir@
-includedir = @includedir@
-sysconfdir = @sysconfdir@
-localstatedir = @localstatedir@
-runstatedir = @runstatedir@
-stubbyconfdir = $(sysconfdir)/stubby
-have_libevent = @have_libevent@
-have_libuv = @have_libuv@
-have_libev = @have_libev@
-# datarootdir is here to please some checkers
-datarootdir=@datarootdir@
-mandir=@mandir@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-
-srcdir = @srcdir@
-stubbysrcdir = $(srcdir)/../stubby
-LIBTOOL = ../libtool
-
-CC=@CC@
-CFLAGS=-I$(srcdir) -I. -I$(srcdir)/util/auxiliary -I$(stubbysrcdir)/src @CFLAGS@ @CPPFLAGS@ $(XTRA_CFLAGS)
-WPEDANTICFLAG=@WPEDANTICFLAG@
-WNOERRORFLAG=@WNOERRORFLAG@
-LDFLAGS=@LDFLAGS@ @LIBS@
-
-STUBBY_LDFLAGS=@STUBBY_LDFLAGS@ @STUBBY_LIBS@
-
-EXTENSION_LIBEVENT_LIB=@EXTENSION_LIBEVENT_LIB@
-EXTENSION_LIBEVENT_EXT_LIBS=@EXTENSION_LIBEVENT_EXT_LIBS@
-EXTENSION_LIBEVENT_LDFLAGS=@EXTENSION_LIBEVENT_LDFLAGS@
-EXTENSION_LIBEV_LIB=@EXTENSION_LIBEV_LIB@
-EXTENSION_LIBEV_EXT_LIBS=@EXTENSION_LIBEV_EXT_LIBS@
-EXTENSION_LIBEV_LDFLAGS=@EXTENSION_LIBEV_LDFLAGS@
-EXTENSION_LIBUV_LIB=@EXTENSION_LIBUV_LIB@
-EXTENSION_LIBUV_EXT_LIBS=@EXTENSION_LIBUV_EXT_LIBS@
-EXTENSION_LIBUV_LDFLAGS=@EXTENSION_LIBUV_LDFLAGS@
-
-C99COMPATFLAGS=@C99COMPATFLAGS@
-
-DEFAULT_EVENTLOOP_OBJ=@DEFAULT_EVENTLOOP@.lo
-
-GETDNS_OBJ=const-info.lo convert.lo dict.lo dnssec.lo general.lo \
-	list.lo request-internal.lo platform.lo pubkey-pinning.lo rr-dict.lo \
-	rr-iter.lo server.lo stub.lo sync.lo ub_loop.lo util-internal.lo \
-	mdns.lo
-
-GLDNS_OBJ=keyraw.lo gbuffer.lo wire2str.lo parse.lo parseutil.lo rrdef.lo \
-	str2wire.lo
-
-PROGRAMS=@STUBBY@
-
-LIBOBJDIR=
-LIBOBJS=@LIBOBJS@
-COMPAT_OBJ=$(LIBOBJS:.o=.lo)
-
-UTIL_OBJ=rbtree.lo val_secalgo.lo lruhash.lo lookup3.lo locks.lo
-
-JSMN_OBJ=jsmn.lo
-YXML_OBJ=yxml.lo
-
-YAML_OBJ=convert_yaml_to_json.lo
-DANESSL_OBJ=danessl.lo
-
-GETDNS_XTRA_OBJS=@GETDNS_XTRA_OBJS@ @DANESSL_XTRA_OBJS@
-STUBBY_XTRA_OBJS=@STUBBY_XTRA_OBJS@
-
-EXTENSION_OBJ=$(DEFAULT_EVENTLOOP_OBJ) libevent.lo libev.lo
-
-NON_C99_OBJS=libuv.lo context.lo anchor.lo
-
-.SUFFIXES: .c .o .a .lo .h
-
-.c.o:
-	$(CC) $(CFLAGS) $(WPEDANTICFLAG) -c $< -o $@
-
-.c.lo:
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -c $< -o $@
-
-default: all
-
-all: libgetdns.la $(EXTENSION_LIBEVENT_LIB) $(EXTENSION_LIBUV_LIB) $(EXTENSION_LIBEV_LIB) $(PROGRAMS)
-
-$(GETDNS_OBJ):
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -c $(srcdir)/$(@:.lo=.c) -o $@
-
-$(GLDNS_OBJ):
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -c $(srcdir)/gldns/$(@:.lo=.c) -o $@
-
-$(COMPAT_OBJ):
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(srcdir)/compat/$(@:.lo=.c) -o $@
-
-$(UTIL_OBJ):
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WNOERRORFLAG) -c $(srcdir)/util/$(@:.lo=.c) -o $@
-
-$(JSMN_OBJ):
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -DJSMN_GETDNS -c $(srcdir)/jsmn/$(@:.lo=.c) -o $@
-
-$(YAML_OBJ):
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@
-
-$(DANESSL_OBJ):
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WNOERRORFLAG) -c $(srcdir)/ssl_dane/$(@:.lo=.c) -o $@
-
-$(YXML_OBJ):
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -I$(srcdir)/yxml -DYXML_GETDNS -Wno-unused-parameter -c $(srcdir)/yxml/$(@:.lo=.c) -o $@
-
-$(EXTENSION_OBJ):
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -c $(srcdir)/extension/$(@:.lo=.c) -o $@
-
-anchor.lo:
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/anchor.c -o anchor.lo
-
-context.lo:
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/context.c -o context.lo
-
-libuv.lo:
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) $(C99COMPATFLAGS) -c $(srcdir)/extension/libuv.c -o libuv.lo
-
-install-headers: getdns/getdns.h getdns/getdns_extra.h
-	$(INSTALL) -m 755 -d $(DESTDIR)$(includedir)
-	$(INSTALL) -m 755 -d $(DESTDIR)$(includedir)/getdns
-	$(INSTALL) -m 644 getdns/getdns.h $(DESTDIR)$(includedir)/getdns/getdns.h
-	$(INSTALL) -m 644 getdns/getdns_extra.h $(DESTDIR)$(includedir)/getdns/getdns_extra.h
-	if test $(have_libevent) = 1 ; then $(INSTALL) -m 644 $(srcdir)/getdns/getdns_ext_libevent.h $(DESTDIR)$(includedir)/getdns/ ; fi
-	if test $(have_libuv) = 1 ; then $(INSTALL) -m 644 $(srcdir)/getdns/getdns_ext_libuv.h $(DESTDIR)$(includedir)/getdns/ ; fi
-	if test $(have_libev) = 1 ; then $(INSTALL) -m 644 $(srcdir)/getdns/getdns_ext_libev.h $(DESTDIR)$(includedir)/getdns/ ; fi
-
-uninstall-headers:
-	rm -rf $(DESTDIR)$(includedir)/getdns
-
-install-libs: libgetdns.la $(EXTENSION_LIBEVENT_LIB) $(EXTENSION_LIBUV_LIB) $(EXTENSION_LIBEV_LIB)
-	$(INSTALL) -m 755 -d $(DESTDIR)$(libdir)
-	$(LIBTOOL) --mode=install cp libgetdns.la $(DESTDIR)$(libdir)
-	if test $(have_libevent) = 1 ; then $(LIBTOOL) --mode=install cp $(EXTENSION_LIBEVENT_LIB) $(DESTDIR)$(libdir) ; fi
-	if test $(have_libuv) = 1 ; then $(LIBTOOL) --mode=install cp $(EXTENSION_LIBUV_LIB) $(DESTDIR)$(libdir) ; fi
-	if test $(have_libev) = 1 ; then $(LIBTOOL) --mode=install cp $(EXTENSION_LIBEV_LIB) $(DESTDIR)$(libdir) ; fi
-	$(LIBTOOL) --mode=finish $(DESTDIR)$(libdir)
-
-uninstall-libs:
-	if test $(have_libevent) = 1; then $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$(EXTENSION_LIBEVENT_LIB) ; fi
-	if test $(have_libuv) = 1; then $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$(EXTENSION_LIBUV_LIB) ; fi
-	if test $(have_libev) = 1; then $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/$(EXTENSION_LIBEV_LIB) ; fi
-	$(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/libgetdns.la
-
-install: install-libs install-headers @INSTALL_STUBBY@
-
-uninstall: @UNINSTALL_STUBBY@ uninstall-headers uninstall-libs
-
-libgetdns_ext_event.la: libgetdns.la libevent.lo
-	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ libevent.lo libgetdns.la $(LDFLAGS) $(EXTENSION_LIBEVENT_LDFLAGS) $(EXTENSION_LIBEVENT_EXT_LIBS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/extension/libevent.symbols
-
-libgetdns_ext_uv.la: libgetdns.la libuv.lo
-	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ libuv.lo libgetdns.la $(LDFLAGS) $(EXTENSION_LIBUV_LDFLAGS) $(EXTENSION_LIBUV_EXT_LIBS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/extension/libuv.symbols
-
-
-libgetdns_ext_ev.la: libgetdns.la libev.lo
-	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ libev.lo libgetdns.la $(LDFLAGS) $(EXTENSION_LIBEV_LDFLAGS) $(EXTENSION_LIBEV_EXT_LIBS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/extension/libev.symbols
-
-libgetdns.la: $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS)
-	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ $(GETDNS_OBJ) version.lo context.lo anchor.lo $(DEFAULT_EVENTLOOP_OBJ) $(GLDNS_OBJ) $(COMPAT_OBJ) $(UTIL_OBJ) $(JSMN_OBJ) $(YXML_OBJ) $(GETDNS_XTRA_OBJS) $(LDFLAGS) -rpath $(libdir) -version-info $(libversion) -no-undefined -export-symbols $(srcdir)/libgetdns.symbols
-
-test: default
-	cd test && $(MAKE) $@
-
-getdns_query: default
-	cd tools && $(MAKE) $@
-
-getdns_server_mon: default
-	cd tools && $(MAKE) $@
-
-stubby.1: $(stubbysrcdir)/doc/stubby.1.in
-	sed -e "s|@ETCDIR@|$(stubbyconfdir)|g" $(stubbysrcdir)/doc/stubby.1.in > $@
-
-stubby.lo: $(stubbysrcdir)/src/stubby.c
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -DSTUBBYCONFDIR=\"$(sysconfdir)/stubby\" -DRUNSTATEDIR=\"$(runstatedir)\" -c $(stubbysrcdir)/src/stubby.c -o $@
-
-stubby: stubby.lo libgetdns.la $(STUBBY_XTRA_OBJS)
-	$(LIBTOOL) --tag=CC --mode=link $(CC) -o $@ stubby.lo $(STUBBY_XTRA_OBJS) $(STUBBY_LDFLAGS) libgetdns.la
-
-install-stubby-files-unix: $(stubbysrcdir)/stubby.yml.example
-	$(INSTALL) -m 755 -d $(DESTDIR)$(stubbyconfdir)
-	test -f $(DESTDIR)$(stubbyconfdir)/stubby.yml || \
-		$(INSTALL_DATA) $(stubbysrcdir)/stubby.yml.example $(DESTDIR)$(stubbyconfdir)/stubby.yml
-
-install-stubby-files-macos: $(stubbysrcdir)/macos/stubby-setdns-macos.sh install-stubby-files-unix
-	$(INSTALL) -m 755 -d $(DESTDIR)$(sbindir)
-	$(INSTALL) -m 755  $(stubbysrcdir)/macos/stubby-setdns-macos.sh $(DESTDIR)$(sbindir)
-
-stubby.yml.windows: $(stubbysrcdir)/stubby.yml.example
-	awk "{sub(/$$/,\"\r\")}1" $(stubbysrcdir)/stubby.yml.example > stubby.yml.windows
-
-install-stubby-files-windows: stubby.yml.windows
-	$(INSTALL) -m 755 -d $(DESTDIR)$(stubbyconfdir)
-	test -f $(DESTDIR)$(stubbyconfdir)/stubby.yml || \
-		$(INSTALL_DATA) stubby.yml.windows $(DESTDIR)$(stubbyconfdir)/stubby.yml
-
-install-stubby: stubby stubby.1 install-stubby-files-@HOSTOS@
-	$(INSTALL) -m 755 -d $(DESTDIR)$(bindir)
-	$(LIBTOOL) --mode=install cp stubby $(DESTDIR)$(bindir)
-	$(INSTALL) -m 755 -d $(DESTDIR)$(runstatedir)
-	$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)
-	$(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man1
-	$(INSTALL) -m 644 stubby\.1 $(DESTDIR)$(mandir)/man1
-
-uninstall-stubby:
-	$(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(bindir)/stubby
-	rm -f $(DESTDIR)$(sbindir)/stubby-setdns-macos.sh
-	rm -f $(DESTDIR)$(mandir)/man1/stubby.1
-
-scratchpad: default
-	cd test && $(MAKE) $@
-
-pad: scratchpad
-
-clean:
-	cd tools && $(MAKE) $@
-	cd test && $(MAKE) $@
-	rm -f *.o *.lo extension/*.lo extension/*.o $(PROGRAMS) libgetdns.la libgetdns_ext_*.la
-	rm -rf .libs extension/.libs
-
-distclean : clean
-	cd tools && $(MAKE) $@
-	cd test && $(MAKE) $@
-	rmdir test 2>/dev/null || true
-	rm -f Makefile config.status config.log Doxyfile config.h version.c getdns/Makefile getdns/getdns.h getdns/getdns_extra.h
-	rmdir getdns 2>/dev/null || true
-	rmdir extension 2>/dev/null || true
-	rm -Rf autom4te.cache
-
-Makefile: $(srcdir)/Makefile.in ../config.status
-	cd .. && ./config.status src/Makefile
-
-depend:
-	(cd $(srcdir) ; awk 'BEGIN{P=1}{if(P)print}/^# Dependencies/{P=0}' Makefile.in > Makefile.in.new )
-
-	(blddir=`pwd`; cd $(srcdir) ; gcc -MM -I. -I"$$blddir" -Iyxml -Iutil/auxiliary -I../stubby/src *.c gldns/*.c compat/*.c util/*.c jsmn/*.c yxml/*.c ssl_dane/danessl.c extension/*.c ../stubby/src/*.c | \
-		sed -e "s? $$blddir/? ?g" \
-		    -e 's? gldns/? $$(srcdir)/gldns/?g' \
-		    -e 's? compat/? $$(srcdir)/compat/?g' \
-		    -e 's? util/auxiliary/util/? $$(srcdir)/util/auxiliary/util/?g' \
-		    -e 's? util/? $$(srcdir)/util/?g' \
-		    -e 's? jsmn/? $$(srcdir)/jsmn/?g' \
-		    -e 's? yxml/? $$(srcdir)/yxml/?g' \
-		    -e 's? ssl_dane/? $$(srcdir)/ssl_dane/?g' \
-		    -e 's? extension/? $$(srcdir)/extension/?g' \
-		    -e 's? \.\./stubby/? $$(stubbysrcdir)/?g' \
-		    -e 's? \([a-z_-]*\)\.\([ch]\)? $$(srcdir)/\1.\2?g' \
-		    -e 's? \$$(srcdir)/config\.h? config.h?g' \
-		    -e 's? \$$(srcdir)/getdns/getdns_extra\.h? getdns/getdns_extra.h?g' \
-		    -e 's? \$$(srcdir)/version\.c? version.c?g' \
-		    -e 's? getdns/getdns_ext_libevent\.h? $$(srcdir)/getdns/getdns_ext_libevent.h?g' \
-		    -e 's? getdns/getdns_ext_libev\.h? $$(srcdir)/getdns/getdns_ext_libev.h?g' \
-		    -e 's? getdns/getdns_ext_libuv\.h? $$(srcdir)/getdns/getdns_ext_libuv.h?g' \
-		    -e 's!\(.*\)\.o[ :]*!\1.lo \1.o: !g' >> Makefile.in.new )
-	(cd $(srcdir) ; diff Makefile.in.new Makefile.in && rm Makefile.in.new \
-	                                                 || mv Makefile.in.new Makefile.in )
-	cd tools && $(MAKE) $@
-	cd test && $(MAKE) $@
-
-.PHONY: clean test
-FORCE:
-
-# Dependencies for gldns, utils, the extensions and compat functions
-anchor.lo anchor.o: $(srcdir)/anchor.c \
- config.h \
- $(srcdir)/debug.h $(srcdir)/anchor.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/types-internal.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/yxml/yxml.h \
- $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/keyraw.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/platform.h
-const-info.lo const-info.o: $(srcdir)/const-info.c \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/const-info.h
-context.lo context.o: $(srcdir)/context.c \
- config.h \
- $(srcdir)/anchor.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/debug.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/context.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/dnssec.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h $(srcdir)/list.h $(srcdir)/dict.h $(srcdir)/pubkey-pinning.h $(srcdir)/ssl_dane/danessl.h
-convert.lo convert.o: $(srcdir)/convert.c \
- config.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
- $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h \
- $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h $(srcdir)/const-info.h $(srcdir)/dict.h \
- $(srcdir)/list.h $(srcdir)/jsmn/jsmn.h $(srcdir)/convert.h
-dict.lo dict.o: $(srcdir)/dict.c \
- config.h \
- $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/const-info.h $(srcdir)/gldns/wire2str.h \
- $(srcdir)/gldns/parseutil.h
-dnssec.lo dnssec.o: $(srcdir)/dnssec.c \
- config.h \
- $(srcdir)/debug.h \
- getdns/getdns.h \
- $(srcdir)/context.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/gldns/parseutil.h $(srcdir)/general.h $(srcdir)/dict.h $(srcdir)/list.h $(srcdir)/util/val_secalgo.h \
- $(srcdir)/util/orig-headers/val_secalgo.h
-general.lo general.o: $(srcdir)/general.c \
- config.h \
- $(srcdir)/general.h \
- getdns/getdns.h \
- $(srcdir)/types-internal.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/ub_loop.h $(srcdir)/debug.h \
- $(srcdir)/gldns/wire2str.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h $(srcdir)/stub.h \
- $(srcdir)/dict.h $(srcdir)/mdns.h $(srcdir)/platform.h
-list.lo list.o: $(srcdir)/list.c $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h \
- config.h \
- $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/list.h $(srcdir)/dict.h
-mdns.lo mdns.o: $(srcdir)/mdns.c \
- config.h \
- $(srcdir)/debug.h $(srcdir)/context.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/general.h $(srcdir)/gldns/rrdef.h $(srcdir)/util-internal.h \
- $(srcdir)/platform.h $(srcdir)/mdns.h $(srcdir)/util/auxiliary/util/fptr_wlist.h $(srcdir)/util/lookup3.h \
- $(srcdir)/util/orig-headers/lookup3.h
-platform.lo platform.o: $(srcdir)/platform.c $(srcdir)/platform.h \
- config.h
-pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/pubkey-pinning.c \
- config.h \
- $(srcdir)/debug.h \
- getdns/getdns.h \
- $(srcdir)/context.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h
-request-internal.lo request-internal.o: $(srcdir)/request-internal.c \
- config.h \
- $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/util-internal.h $(srcdir)/context.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/dict.h $(srcdir)/convert.h $(srcdir)/general.h
-rr-dict.lo rr-dict.o: $(srcdir)/rr-dict.c $(srcdir)/rr-dict.h \
- config.h \
- getdns/getdns.h \
- $(srcdir)/gldns/gbuffer.h $(srcdir)/util-internal.h $(srcdir)/context.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h \
- $(srcdir)/dict.h
-rr-iter.lo rr-iter.o: $(srcdir)/rr-iter.c $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h \
- config.h \
- getdns/getdns.h \
- $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/gldns/rrdef.h
-server.lo server.o: $(srcdir)/server.c \
- config.h \
- getdns/getdns_extra.h \
- getdns/getdns.h \
- $(srcdir)/context.h $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/util-internal.h $(srcdir)/platform.h
-stub.lo stub.o: $(srcdir)/stub.c \
- config.h \
- $(srcdir)/debug.h $(srcdir)/stub.h \
- getdns/getdns.h \
- $(srcdir)/types-internal.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/rr-iter.h \
- $(srcdir)/rr-dict.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h \
- $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/anchor.h \
- $(srcdir)/util-internal.h $(srcdir)/platform.h $(srcdir)/general.h $(srcdir)/pubkey-pinning.h $(srcdir)/ssl_dane/danessl.h
-sync.lo sync.o: $(srcdir)/sync.c \
- getdns/getdns.h \
- config.h \
- $(srcdir)/context.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/general.h $(srcdir)/util-internal.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h \
- $(srcdir)/stub.h $(srcdir)/gldns/wire2str.h
-ub_loop.lo ub_loop.o: $(srcdir)/ub_loop.c $(srcdir)/ub_loop.h \
- config.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/debug.h
-util-internal.lo util-internal.o: $(srcdir)/util-internal.c \
- config.h \
- getdns/getdns.h \
- $(srcdir)/dict.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/types-internal.h \
- getdns/getdns_extra.h \
- $(srcdir)/list.h $(srcdir)/util-internal.h $(srcdir)/context.h $(srcdir)/extension/default_eventloop.h \
- $(srcdir)/extension/poll_eventloop.h $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h \
- $(srcdir)/util/lruhash.h $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h \
- $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/gldns/str2wire.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/dnssec.h $(srcdir)/gldns/rrdef.h
-gbuffer.lo gbuffer.o: $(srcdir)/gldns/gbuffer.c \
- config.h \
- $(srcdir)/gldns/gbuffer.h
-keyraw.lo keyraw.o: $(srcdir)/gldns/keyraw.c \
- config.h \
- $(srcdir)/gldns/keyraw.h $(srcdir)/gldns/rrdef.h
-parse.lo parse.o: $(srcdir)/gldns/parse.c \
- config.h \
- $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h
-parseutil.lo parseutil.o: $(srcdir)/gldns/parseutil.c \
- config.h \
- $(srcdir)/gldns/parseutil.h
-rrdef.lo rrdef.o: $(srcdir)/gldns/rrdef.c \
- config.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/parseutil.h
-str2wire.lo str2wire.o: $(srcdir)/gldns/str2wire.c \
- config.h \
- $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/parse.h $(srcdir)/gldns/parseutil.h
-wire2str.lo wire2str.o: $(srcdir)/gldns/wire2str.c \
- config.h \
- $(srcdir)/gldns/wire2str.h $(srcdir)/gldns/str2wire.h $(srcdir)/gldns/rrdef.h $(srcdir)/gldns/pkthdr.h \
- $(srcdir)/gldns/parseutil.h $(srcdir)/gldns/gbuffer.h $(srcdir)/gldns/keyraw.h
-arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c \
- config.h
-arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c \
- config.h \
- $(srcdir)/compat/chacha_private.h
-arc4random_uniform.lo arc4random_uniform.o: $(srcdir)/compat/arc4random_uniform.c \
- config.h
-explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c \
- config.h
-getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c \
- config.h
-getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c \
- config.h
-getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c \
- config.h
-getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
-gettimeofday.lo gettimeofday.o: $(srcdir)/compat/gettimeofday.c \
- config.h
-inet_ntop.lo inet_ntop.o: $(srcdir)/compat/inet_ntop.c \
- config.h
-inet_pton.lo inet_pton.o: $(srcdir)/compat/inet_pton.c \
- config.h
-sha512.lo sha512.o: $(srcdir)/compat/sha512.c \
- config.h
-strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c \
- config.h
-strptime.lo strptime.o: $(srcdir)/compat/strptime.c \
- config.h
-locks.lo locks.o: $(srcdir)/util/locks.c \
- config.h \
- $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h
-lookup3.lo lookup3.o: $(srcdir)/util/lookup3.c \
- config.h \
- $(srcdir)/util/auxiliary/util/storage/lookup3.h $(srcdir)/util/lookup3.h \
- $(srcdir)/util/orig-headers/lookup3.h
-lruhash.lo lruhash.o: $(srcdir)/util/lruhash.c \
- config.h \
- $(srcdir)/util/auxiliary/util/storage/lruhash.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/util/fptr_wlist.h
-rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c \
- config.h \
- $(srcdir)/util/auxiliary/log.h $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h \
- $(srcdir)/util/auxiliary/fptr_wlist.h $(srcdir)/util/auxiliary/util/fptr_wlist.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h
-val_secalgo.lo val_secalgo.o: $(srcdir)/util/val_secalgo.c \
- config.h \
- $(srcdir)/util/auxiliary/util/data/packed_rrset.h \
- $(srcdir)/util/auxiliary/validator/val_secalgo.h $(srcdir)/util/val_secalgo.h \
- $(srcdir)/util/orig-headers/val_secalgo.h $(srcdir)/util/auxiliary/validator/val_nsec3.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/util/auxiliary/sldns/rrdef.h \
- $(srcdir)/gldns/rrdef.h $(srcdir)/util/auxiliary/sldns/keyraw.h $(srcdir)/gldns/keyraw.h \
- $(srcdir)/util/auxiliary/sldns/sbuffer.h $(srcdir)/gldns/gbuffer.h
-jsmn.lo jsmn.o: $(srcdir)/jsmn/jsmn.c $(srcdir)/jsmn/jsmn.h
-yxml.lo yxml.o: $(srcdir)/yxml/yxml.c $(srcdir)/yxml/yxml.h
-danessl.lo danessl.o: $(srcdir)/ssl_dane/danessl.c $(srcdir)/ssl_dane/danessl.h
-libev.lo libev.o: $(srcdir)/extension/libev.c \
- config.h \
- $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libev.h
-libevent.lo libevent.o: $(srcdir)/extension/libevent.c \
- config.h \
- $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libevent.h
-libuv.lo libuv.o: $(srcdir)/extension/libuv.c \
- config.h \
- $(srcdir)/debug.h $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/getdns/getdns_ext_libuv.h
-poll_eventloop.lo poll_eventloop.o: $(srcdir)/extension/poll_eventloop.c \
- config.h \
- $(srcdir)/util-internal.h $(srcdir)/context.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/types-internal.h $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h \
- $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
- $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/debug.h $(srcdir)/server.h $(srcdir)/util/lruhash.h \
- $(srcdir)/util/orig-headers/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/orig-headers/locks.h \
- $(srcdir)/util/auxiliary/util/log.h $(srcdir)/debug.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
- $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/platform.h
-select_eventloop.lo select_eventloop.o: $(srcdir)/extension/select_eventloop.c \
- config.h \
- $(srcdir)/debug.h $(srcdir)/types-internal.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/orig-headers/rbtree.h $(srcdir)/platform.h \
- $(srcdir)/extension/select_eventloop.h
-stubby.lo stubby.o: $(stubbysrcdir)/src/stubby.c \
- config.h \
- getdns/getdns.h \
- getdns/getdns_extra.h \
- $(stubbysrcdir)/src/yaml/convert_yaml_to_json.h

src/anchor.c

@@ -33,10 +33,7 @@
 #include "debug.h"
 #include "anchor.h"
 #include <fcntl.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/err.h>
-#include <strings.h>
+#include <string.h>
 #include <time.h>
 #include "types-internal.h"
 #include "context.h"
@@ -52,141 +49,6 @@
 #include "util-internal.h"
 #include "platform.h"
 
-/* get key usage out of its extension, returns 0 if no key_usage extension */
-static unsigned long
-_getdns_get_usage_of_ex(X509* cert)
-{
-	unsigned long val = 0;
-	ASN1_BIT_STRING* s;
-
-	if((s=X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL))) {
-		if(s->length > 0) {
-			val = s->data[0];
-			if(s->length > 1)
-				val |= s->data[1] << 8;
-		}
-		ASN1_BIT_STRING_free(s);
-	}
-	return val;
-}
-
-/** get valid signers from the list of signers in the signature */
-static STACK_OF(X509)*
-_getdns_get_valid_signers(PKCS7* p7, const char* p7signer)
-{
-	int i;
-	STACK_OF(X509)* validsigners = sk_X509_new_null();
-	STACK_OF(X509)* signers = PKCS7_get0_signers(p7, NULL, 0);
-	unsigned long usage = 0;
-	if(!validsigners) {
-		DEBUG_ANCHOR("ERROR %s(): Failed to allocated validsigners\n"
-		            , __FUNC__);
-		sk_X509_free(signers);
-		return NULL;
-	}
-	if(!signers) {
-		DEBUG_ANCHOR("ERROR %s(): Failed to allocated signers\n"
-		            , __FUNC__);
-		sk_X509_free(validsigners);
-		return NULL;
-	}
-	for(i=0; i<sk_X509_num(signers); i++) {
-		char buf[1024];
-		X509_NAME* nm = X509_get_subject_name(
-			sk_X509_value(signers, i));
-		if(!nm) {
-			DEBUG_ANCHOR("%s(): cert %d has no subject name\n"
-				    , __FUNC__, i);
-			continue;
-		}
-		if(!p7signer || strcmp(p7signer, "")==0) {
-			/* there is no name to check, return all records */
-			DEBUG_ANCHOR("%s(): did not check commonName of signer\n"
-				    , __FUNC__);
-		} else {
-			if(!X509_NAME_get_text_by_NID(nm,
-				NID_pkcs9_emailAddress,
-				buf, (int)sizeof(buf))) {
-				DEBUG_ANCHOR("%s(): removed cert with no name\n"
-					    , __FUNC__);
-				continue; /* no name, no use */
-			}
-			if(strcmp(buf, p7signer) != 0) {
-				DEBUG_ANCHOR("%s(): removed cert with wrong name\n"
-					    , __FUNC__);
-				continue; /* wrong name, skip it */
-			}
-		}
-
-		/* check that the key usage allows digital signatures
-		 * (the p7s) */
-		usage = _getdns_get_usage_of_ex(sk_X509_value(signers, i));
-		if(!(usage & KU_DIGITAL_SIGNATURE)) {
-			DEBUG_ANCHOR("%s(): removed cert with no key usage "
-			             "Digital Signature allowed\n"
-				    , __FUNC__);
-			continue;
-		}
-
-		/* we like this cert, add it to our list of valid
-		 * signers certificates */
-		sk_X509_push(validsigners, sk_X509_value(signers, i));
-	}
-	sk_X509_free(signers);
-	return validsigners;
-}
-
-static int
-_getdns_verify_p7sig(BIO* data, BIO* p7s, X509_STORE *store, const char* p7signer)
-{
-	PKCS7* p7;
-	STACK_OF(X509)* validsigners;
-	int secure = 0;
-#ifdef X509_V_FLAG_CHECK_SS_SIGNATURE
-	X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new();
-	if(!param) {
-		DEBUG_ANCHOR("ERROR %s(): Failed to allocated param\n"
-		            , __FUNC__);
-		return 0;
-	}
-	/* do the selfcheck on the root certificate; it checks that the
-	 * input is valid */
-	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CHECK_SS_SIGNATURE);
-	X509_STORE_set1_param(store, param);
-	X509_VERIFY_PARAM_free(param);
-#endif
-	(void)BIO_reset(p7s);
-	(void)BIO_reset(data);
-
-	/* convert p7s to p7 (the signature) */
-	p7 = d2i_PKCS7_bio(p7s, NULL);
-	if(!p7) {
-		DEBUG_ANCHOR("ERROR %s(): could not parse p7s signature file\n"
-		            , __FUNC__);
-		return 0;
-	}
-	/* check what is in the Subject name of the certificates,
-	 * and build a stack that contains only the right certificates */
-	validsigners = _getdns_get_valid_signers(p7, p7signer);
-	if(!validsigners) {
-		PKCS7_free(p7);
-		return 0;
-	}
-	if(PKCS7_verify(p7, validsigners, store, data, NULL, PKCS7_NOINTERN) == 1) {
-		secure = 1;
-	}
-#if defined(ANCHOR_DEBUG) && ANCHOR_DEBUG
-	else {
-		DEBUG_ANCHOR("ERROR %s(): the PKCS7 signature did not verify\n"
-		            , __FUNC__);
-		ERR_print_errors_cb(_getdns_ERR_print_errors_cb_f, NULL);
-	}
-#endif
-	sk_X509_free(validsigners);
-	PKCS7_free(p7);
-	return secure;
-}
-
 typedef struct ta_iter {
 	uint8_t yxml_buf[4096];
 	yxml_t x;
@@ -206,6 +68,15 @@ typedef struct ta_iter {
 	char  digest[2048];
 } ta_iter;
 
+static void strcpytrunc(char* dst, const char* src, size_t dstsize)
+{
+	size_t to_copy = strlen(src);
+	if (to_copy >= dstsize)
+		to_copy = dstsize -1;
+	memcpy(dst, src, to_copy);
+	dst[to_copy] = '\0';
+}
+
 /**
  * XML convert DateTime element to time_t.
  * [-]CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm]
@@ -213,7 +84,7 @@ typedef struct ta_iter {
  * @param str: the string
  * @return a time_t representation or 0 on failure.
  */
-static time_t
+time_t
 _getdns_xml_convertdate(const char* str)
 {
 	time_t t = 0;
@@ -328,7 +199,7 @@ static ta_iter *ta_iter_next(ta_iter *ta)
 
 				else if (level == 0 && cur) {
 					/* <Zone> content ready */
-					(void) strncpy( ta->zone, value
+					strcpytrunc( ta->zone, value
 						     , sizeof(ta->zone));
 
 					/* Reset to start of <TrustAnchor> */
@@ -504,19 +375,19 @@ static ta_iter *ta_iter_next(ta_iter *ta)
 			DEBUG_ANCHOR("elem end: %s\n", value);
 			switch (elem_type) {
 			case KEYTAG:
-				(void) strncpy( ta->keytag, value
+				strcpytrunc( ta->keytag, value
 					     , sizeof(ta->keytag));
 				break;
 			case ALGORITHM:
-				(void) strncpy( ta->algorithm, value
+				strcpytrunc( ta->algorithm, value
 					     , sizeof(ta->algorithm));
 				break;
 			case DIGESTTYPE:
-				(void) strncpy( ta->digesttype, value
+				strcpytrunc( ta->digesttype, value
 					     , sizeof(ta->digesttype));
 				break;
 			case DIGEST:
-				(void) strncpy( ta->digest, value
+				strcpytrunc( ta->digest, value
 					     , sizeof(ta->digest));
 				break;
 			}
@@ -558,7 +429,7 @@ static ta_iter *ta_iter_init(ta_iter *ta, const char *doc, size_t doc_len)
 	return ta_iter_next(ta);
 }
 
-static uint16_t _getdns_parse_xml_trust_anchors_buf(
+uint16_t _getdns_parse_xml_trust_anchors_buf(
     gldns_buffer *gbuf, uint64_t *now_ms, char *xml_data, size_t xml_len)
 {
 	ta_iter ta_spc, *ta;
@@ -647,200 +518,6 @@ static uint16_t _getdns_parse_xml_trust_anchors_buf(
 	return ta_count;
 }
 
-static uint8_t *tas_validate(struct mem_funcs *mf,
-    const getdns_bindata *xml_bd, const getdns_bindata *p7s_bd,
-    const getdns_bindata *crt_bd, const char *p7signer,
-    uint64_t *now_ms, uint8_t *tas, size_t *tas_len)
-{
-	BIO *xml = NULL, *p7s = NULL, *crt = NULL;
-	X509 *x = NULL;
-	X509_STORE *store = NULL;
-	uint8_t *success = NULL;
-
-	if (!(xml = BIO_new_mem_buf(xml_bd->data, xml_bd->size)))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating xml BIO\n"
-		            , __FUNC__);
-
-	else if (!(p7s = BIO_new_mem_buf(p7s_bd->data, p7s_bd->size)))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating p7s BIO\n"
-		            , __FUNC__);
-	
-	else if (!(crt = BIO_new_mem_buf(crt_bd->data, crt_bd->size)))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating crt BIO\n"
-		            , __FUNC__);
-
-	else if (!(x = PEM_read_bio_X509(crt, NULL, 0, NULL)))
-		DEBUG_ANCHOR("ERROR %s(): Parsing builtin certificate\n"
-		            , __FUNC__);
-
-	else if (!(store = X509_STORE_new()))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating store\n"
-		            , __FUNC__);
-
-	else if (!X509_STORE_add_cert(store, x))
-		DEBUG_ANCHOR("ERROR %s(): Adding certificate to store\n"
-		            , __FUNC__);
-
-	else if (_getdns_verify_p7sig(xml, p7s, store, p7signer)) {
-		gldns_buffer gbuf;
-
-		gldns_buffer_init_vfixed_frm_data(&gbuf, tas, *tas_len);
-
-		if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, now_ms,
-		    (char *)xml_bd->data, xml_bd->size))
-			DEBUG_ANCHOR("Failed to parse trust anchor XML data");
-
-		else if (gldns_buffer_position(&gbuf) > *tas_len) {
-			*tas_len = gldns_buffer_position(&gbuf);
-			if ((success = GETDNS_XMALLOC(*mf, uint8_t, *tas_len))) {
-				gldns_buffer_init_frm_data(&gbuf, success, *tas_len);
-				if (!_getdns_parse_xml_trust_anchors_buf(&gbuf,
-				    now_ms, (char *)xml_bd->data, xml_bd->size)) {
-
-					DEBUG_ANCHOR("Failed to re-parse trust"
-					             " anchor XML data\n");
-					GETDNS_FREE(*mf, success);
-					success = NULL;
-				}
-			} else
-				DEBUG_ANCHOR("Could not allocate space for "
-				             "trust anchors\n");
-		} else {
-			success = tas;
-			*tas_len = gldns_buffer_position(&gbuf);
-		}
-	} else {
-		DEBUG_ANCHOR("Verifying trust-anchors failed!\n");
-	}
-	if (store)	X509_STORE_free(store);
-	if (x)		X509_free(x);
-	if (crt)	BIO_free(crt);
-	if (xml)	BIO_free(xml);
-	if (p7s)	BIO_free(p7s);
-	return success;
-}
-
-void _getdns_context_equip_with_anchor(
-    getdns_context *context, uint64_t *now_ms)
-{
-	uint8_t xml_spc[4096], *xml_data = NULL;
-	uint8_t p7s_spc[4096], *p7s_data = NULL;
-	size_t xml_len, p7s_len;
-	const char *verify_email = NULL;
-	const char *verify_CA = NULL;
-	getdns_return_t r;
-
-	BIO *xml = NULL, *p7s = NULL, *crt = NULL;
-	X509 *x = NULL;
-	X509_STORE *store = NULL;
-
-	if ((r = getdns_context_get_trust_anchors_verify_CA(
-	    context, &verify_CA)))
-		DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify"
-			     " CA: \"%s\"\n", __FUNC__
-			    , getdns_get_errorstr_by_id(r));
-
-	else if (!verify_CA || !*verify_CA)
-		DEBUG_ANCHOR("NOTICE: Trust anchor verification explicitely "
-		             "disabled by empty verify CA\n");
-
-	else if ((r = getdns_context_get_trust_anchors_verify_email(
-	    context, &verify_email)))
-		DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify email "
-		             "address: \"%s\"\n", __FUNC__
-		            , getdns_get_errorstr_by_id(r));
-
-	else if (!verify_email || !*verify_email)
-		DEBUG_ANCHOR("NOTICE: Trust anchor verification explicitely "
-		             "disabled by empty verify email\n");
-
-	else if (!(xml_data = _getdns_context_get_priv_file(context,
-	    "root-anchors.xml", xml_spc, sizeof(xml_spc), &xml_len)))
-		DEBUG_ANCHOR("DEBUG %s(): root-anchors.xml not present\n"
-		            , __FUNC__);
-
-	else if (!(p7s_data = _getdns_context_get_priv_file(context,
-	    "root-anchors.p7s", p7s_spc, sizeof(p7s_spc), &p7s_len)))
-		DEBUG_ANCHOR("DEBUG %s(): root-anchors.p7s not present\n"
-		            , __FUNC__);
-
-	else if (!(xml = BIO_new_mem_buf(xml_data, xml_len)))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating xml BIO\n"
-		            , __FUNC__);
-
-	else if (!(p7s = BIO_new_mem_buf(p7s_data, p7s_len)))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating p7s BIO\n"
-		            , __FUNC__);
-
-	else if (!(crt = BIO_new_mem_buf((void *)verify_CA, -1)))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating crt BIO\n"
-		            , __FUNC__);
-
-	else if (!(x = PEM_read_bio_X509(crt, NULL, 0, NULL)))
-		DEBUG_ANCHOR("ERROR %s(): Parsing builtin certificate\n"
-		            , __FUNC__);
-
-	else if (!(store = X509_STORE_new()))
-		DEBUG_ANCHOR("ERROR %s(): Failed allocating store\n"
-		            , __FUNC__);
-
-	else if (!X509_STORE_add_cert(store, x))
-		DEBUG_ANCHOR("ERROR %s(): Adding certificate to store\n"
-		            , __FUNC__);
-
-	else if (_getdns_verify_p7sig(xml, p7s, store, verify_email)) {
-		uint8_t ta_spc[sizeof(context->trust_anchors_spc)];
-		size_t ta_len;
-		uint8_t *ta = NULL;
-		gldns_buffer gbuf;
-
-		gldns_buffer_init_vfixed_frm_data(
-		    &gbuf, ta_spc, sizeof(ta_spc));
-
-		if (!_getdns_parse_xml_trust_anchors_buf(&gbuf, now_ms,
-		    (char *)xml_data, xml_len))
-			DEBUG_ANCHOR("Failed to parse trust anchor XML data");
-		else if ((ta_len = gldns_buffer_position(&gbuf)) > sizeof(ta_spc)) {
-			if ((ta = GETDNS_XMALLOC(context->mf, uint8_t, ta_len))) {
-				gldns_buffer_init_frm_data(&gbuf, ta,
-				    gldns_buffer_position(&gbuf));
-				if (!_getdns_parse_xml_trust_anchors_buf(
-				    &gbuf, now_ms, (char *)xml_data, xml_len)) {
-					DEBUG_ANCHOR("Failed to re-parse trust"
-					             " anchor XML data");
-					GETDNS_FREE(context->mf, ta);
-				} else {
-					context->trust_anchors = ta;
-					context->trust_anchors_len = ta_len;
-					context->trust_anchors_source = GETDNS_TASRC_XML;
-					_getdns_ta_notify_dnsreqs(context);
-				}
-			} else
-				DEBUG_ANCHOR("Could not allocate space for XML file");
-		} else {
-			(void)memcpy(context->trust_anchors_spc, ta_spc, ta_len);
-			context->trust_anchors = context->trust_anchors_spc;
-			context->trust_anchors_len = ta_len;
-			context->trust_anchors_source = GETDNS_TASRC_XML;
-			_getdns_ta_notify_dnsreqs(context);
-		}
-		DEBUG_ANCHOR("ta: %p, ta_len: %d\n",
-		    (void *)context->trust_anchors, (int)context->trust_anchors_len);
-		
-	} else {
-		DEBUG_ANCHOR("Verifying trust-anchors failed!\n");
-	}
-	if (store)	X509_STORE_free(store);
-	if (x)		X509_free(x);
-	if (crt)	BIO_free(crt);
-	if (xml)	BIO_free(xml);
-	if (p7s)	BIO_free(p7s);
-	if (xml_data && xml_data != xml_spc)
-		GETDNS_FREE(context->mf, xml_data);
-	if (p7s_data && p7s_data != p7s_spc)
-		GETDNS_FREE(context->mf, p7s_data);
-}
-
 static const char tas_write_p7s_buf[] =
 "GET %s HTTP/1.1\r\n"
 "Host: %s\r\n"
@@ -855,10 +532,8 @@ static const char tas_write_xml_p7s_buf[] =
 "\r\n";
 
 
-#if defined(ANCHOR_DEBUG) && ANCHOR_DEBUG
 static inline const char * rt_str(uint16_t rt)
 { return rt == GETDNS_RRTYPE_A ? "A" : rt == GETDNS_RRTYPE_AAAA ? "AAAA" : "?"; }
-#endif
 
 static int tas_busy(tas_connection *a)
 {
@@ -905,7 +580,8 @@ static void tas_success(getdns_context *context, tas_connection *a)
 	tas_cleanup(context, a);
 	tas_cleanup(context, other);
 
-	DEBUG_ANCHOR("Successfully fetched new trust anchors\n");
+	_getdns_log( &context->log, GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO
+	           , "Successfully fetched new trust anchors\n");
 	context->trust_anchors_source = GETDNS_TASRC_XML;
 	_getdns_ta_notify_dnsreqs(context);
 }
@@ -913,20 +589,26 @@ static void tas_success(getdns_context *context, tas_connection *a)
 static void tas_fail(getdns_context *context, tas_connection *a)
 {
 	tas_connection *other = &context->a == a ? &context->aaaa : &context->a;
-#if defined(ANCHOR_DEBUG) && ANCHOR_DEBUG
 	uint16_t rt = &context->a == a ? GETDNS_RRTYPE_A : GETDNS_RRTYPE_AAAA;
-	uint16_t ort = rt == GETDNS_RRTYPE_A ? GETDNS_RRTYPE_AAAA : GETDNS_RRTYPE_A;
-#endif
+
 	tas_cleanup(context, a);
 
 	if (!tas_busy(other)) {
-		DEBUG_ANCHOR("Fatal error fetching trust anchor: "
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+			   , "Fatal error fetching trust anchor: "
 		             "%s connection failed too\n", rt_str(rt));
 		context->trust_anchors_source = GETDNS_TASRC_FAILED;
+		context->trust_anchors_backoff_expiry = 
+		    _getdns_get_now_ms() + context->trust_anchors_backoff_time;
 		_getdns_ta_notify_dnsreqs(context);
 	} else
-		DEBUG_ANCHOR("%s connection failed, waiting for %s\n"
-		            , rt_str(rt), rt_str(ort));
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_WARNING
+			   , "%s connection failed, waiting for %s\n"
+		            , rt_str(rt)
+			    , rt_str( rt == GETDNS_RRTYPE_A 
+				    ? GETDNS_RRTYPE_AAAA : GETDNS_RRTYPE_A));
 }
 
 static void tas_connect(getdns_context *context, tas_connection *a);
@@ -958,7 +640,9 @@ static void tas_timeout_cb(void *userarg)
 		a = &context->a;
 	else	a = &context->aaaa;
 
-	DEBUG_ANCHOR("Trust anchor fetch timeout\n");
+	_getdns_log( &context->log, GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_WARNING
+	           , "Trust anchor fetch timeout\n");
+
 	GETDNS_CLEAR_EVENT(a->loop, &a->event);
 	tas_next(context, a);
 }
@@ -974,7 +658,9 @@ static void tas_reconnect_cb(void *userarg)
 		a = &context->a;
 	else	a = &context->aaaa;
 
-	DEBUG_ANCHOR("Waiting for second document timeout. Reconnecting...\n");
+	_getdns_log( &context->log, GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+	           , "Waiting for second document timeout. Reconnecting...\n");
+
 	GETDNS_CLEAR_EVENT(a->loop, &a->event);
 	close(a->fd);
 	a->fd = -1;
@@ -989,8 +675,6 @@ static void tas_read_cb(void *userarg);
 static void tas_write_cb(void *userarg);
 static void tas_doc_read(getdns_context *context, tas_connection *a)
 {
-	DEBUG_ANCHOR("doc (size: %d)\n", (int)a->tcp.read_buf_len);
-
 	assert(a->tcp.read_pos == a->tcp.read_buf + a->tcp.read_buf_len);
 	assert(context);
 
@@ -1019,20 +703,22 @@ static void tas_doc_read(getdns_context *context, tas_connection *a)
 
 		if ((r = getdns_context_get_trust_anchors_verify_CA(
 		    context, (const char **)&verify_CA.data)))
-			DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify"
-				     " CA: \"%s\"\n", __FUNC__
-				    , getdns_get_errorstr_by_id(r));
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Cannot get trust anchor verify CA: "
+				     "\"%s\"\n", getdns_get_errorstr_by_id(r));
 
 		else if (!(verify_CA.size = strlen((const char *)verify_CA.data)))
 			; /* pass */
 
 		else if ((r = getdns_context_get_trust_anchors_verify_email(
 		    context, &verify_email)))
-			DEBUG_ANCHOR("ERROR %s(): Getting trust anchor verify"
-				     " email address: \"%s\"\n", __FUNC__
-				    , getdns_get_errorstr_by_id(r));
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Cannot get trust anchor verify email: "
+				     "\"%s\"\n", getdns_get_errorstr_by_id(r));
 
-		else if (!(tas = tas_validate(&context->mf, &a->xml, &p7s_bd,
+		else if (!(tas = _getdns_tas_validate(&context->mf, &a->xml, &p7s_bd,
 		    &verify_CA, verify_email, &now_ms, tas, &tas_len)))
 			; /* pass */
 
@@ -1064,7 +750,7 @@ static void tas_doc_read(getdns_context *context, tas_connection *a)
 		a->tcp.read_pos = a->tcp.read_buf;
 		a->tcp.to_read = sizeof(context->tas_hdr_spc);
 	}
-	GETDNS_SCHEDULE_EVENT(a->loop, a->fd, 50,
+	GETDNS_SCHEDULE_EVENT(a->loop, a->fd, 2000,
 	    getdns_eventloop_event_init(&a->event, a->req->owner,
 	    tas_read_cb, NULL, tas_reconnect_cb));
 	return;
@@ -1155,7 +841,11 @@ static void tas_read_cb(void *userarg)
 			DEBUG_ANCHOR("i: %d, n: %d, doc_len: %d\n"
 			            , (int)i, (int)n, doc_len);
 			if (!doc)
-				DEBUG_ANCHOR("Memory error");
+				_getdns_log( &context->log
+					   , GETDNS_LOG_SYS_ANCHOR
+					   , GETDNS_LOG_ERR
+					   , "Memory error while reading "
+					     "trust anchor\n");
 			else {
 				ssize_t surplus = n - i;
 
@@ -1202,7 +892,11 @@ static void tas_read_cb(void *userarg)
 	} else if (_getdns_socketerror_wants_retry())
 		return;
 
-	DEBUG_ANCHOR("Read error: %d %s\n", (int)n, _getdns_errnostr());
+	_getdns_log( &context->log
+		   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		   , "Error while receiving trust anchor: %s\n"
+		   , _getdns_errnostr());
+
 	GETDNS_CLEAR_EVENT(a->loop, &a->event);
 	tas_next(context, a);
 }
@@ -1252,7 +946,9 @@ static void tas_write_cb(void *userarg)
 	} else if (_getdns_socketerror_wants_retry())
 		return;
 
-	DEBUG_ANCHOR("Write error: %s\n", _getdns_errnostr());
+	_getdns_log( &context->log, GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		   , "Error while sending to trust anchor site: %s\n"
+		   , _getdns_errnostr());
 	GETDNS_CLEAR_EVENT(a->loop, &a->event);
 	tas_next(context, a);
 }
@@ -1291,9 +987,7 @@ static getdns_return_t _getdns_get_tas_url_hostname(
 
 static void tas_connect(getdns_context *context, tas_connection *a)
 {
-#if defined(ANCHOR_DEBUG) && ANCHOR_DEBUG
 	char a_buf[40];
-#endif
 	int r;
 
 #ifdef HAVE_FCNTL
@@ -1309,15 +1003,19 @@ static void tas_connect(getdns_context *context, tas_connection *a)
 		tas_next(context, a);
 		return;
 	}
-	DEBUG_ANCHOR("Initiating connection to %s\n"
+
+	_getdns_log( &context->log, GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+		   , "Setting op connection to: %s\n"
 		   , inet_ntop( ( a->req->request_type == GETDNS_RRTYPE_A
 	                        ? AF_INET : AF_INET6)
-	            , a->rr->rr_i.rr_type + 10, a_buf, sizeof(a_buf)));
+	                      , a->rr->rr_i.rr_type + 10
+	                      , a_buf, sizeof(a_buf)));
 
 	if ((a->fd = socket(( a->req->request_type == GETDNS_RRTYPE_A
 	    ? AF_INET : AF_INET6), SOCK_STREAM, IPPROTO_TCP)) == -1) {
-		DEBUG_ANCHOR("Error creating socket: %s\n",
-		             _getdns_errnostr());
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+			   , "Error creating socket: %s\n", _getdns_errnostr());
 		tas_next(context, a);
 		return;
 	}
@@ -1368,8 +1066,10 @@ static void tas_connect(getdns_context *context, tas_connection *a)
 		}
 		if ((R = _getdns_get_tas_url_hostname(
 		    context, tas_hostname, &path))) {
-			DEBUG_ANCHOR("ERROR %s(): Could not get_tas_url_hostname"
-				     ": \"%s\"", __FUNC__
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Cannot get hostname from trust anchor "
+				     "url: \"%s\"\n"
 				   , getdns_get_errorstr_by_id(r));
 			goto error;
 		}
@@ -1378,22 +1078,26 @@ static void tas_connect(getdns_context *context, tas_connection *a)
 			tas_hostname[--hostname_len] = '\0';
 		path_len = strlen(path);
 		if (path_len < 4) {
-			DEBUG_ANCHOR("ERROR %s(): path of tas_url \"%s\" too "
-			             "small\n", __FUNC__, path);
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Trust anchor path \"%s\" too small\n"
+				   , path);
 			goto error;
 		}
 		if (a->state == TAS_RETRY_GET_PS7) {
 			buf_sz = sizeof(tas_write_p7s_buf)
-			       + 1 * (hostname_len - 2) + 1 * (path_len - 2) + 1;
+			       + 1 * (hostname_len - 2) + 1 * (path_len - 2);
 			fmt = tas_write_p7s_buf;
 		} else {
 			buf_sz = sizeof(tas_write_xml_p7s_buf)
-			       + 2 * (hostname_len - 2) + 2 * (path_len - 2) + 1;
+			       + 2 * (hostname_len - 2) + 2 * (path_len - 2);
 			fmt = tas_write_xml_p7s_buf;
 		}
 		if (!(write_buf = GETDNS_XMALLOC(context->mf, char, buf_sz))) {
-			DEBUG_ANCHOR("ERROR %s(): Could not allocate write "
-			             "buffer\n", __FUNC__);
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Cannot allocate write buffer for "
+				     "sending to trust anchor host\n");
 			goto error;
 		}
 		if (a->state == TAS_RETRY_GET_PS7) {
@@ -1427,8 +1131,10 @@ static void tas_connect(getdns_context *context, tas_connection *a)
 		DEBUG_ANCHOR("Scheduled write with event\n");
 		return;
 	} else
-		DEBUG_ANCHOR("Connect error: %s\n", _getdns_errnostr());
-
+		_getdns_log( &context->log
+			   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+			   , "Error connecting to trust anchor host: %s\n "
+			   , _getdns_errnostr());
 error:
 	tas_next(context, a);
 }
@@ -1442,7 +1148,10 @@ static void tas_happy_eyeballs_cb(void *userarg)
 	if (tas_fetching(&context->aaaa))
 		return;
 	else {
-		DEBUG_ANCHOR("AAAA came too late, clearing Happy Eyeballs timer\n");
+		_getdns_log( &context->log
+			   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+			   , "Too late reception of AAAA for trust anchor "
+			     "host for Happy Eyeballs\n");
 		GETDNS_CLEAR_EVENT(context->a.loop, &context->a.event);
 		tas_connect(context, &context->a);
 	}
@@ -1461,28 +1170,31 @@ static void _tas_hostname_lookup_cb(getdns_dns_req *dnsreq)
 	    &a->rrset_spc, a->req->response, a->req->response_len);
 
 	if (!a->rrset) {
-#if defined(ANCHOR_DEBUG) && ANCHOR_DEBUG
 		char tas_hostname[256] = "<no hostname>";
 		(void) _getdns_get_tas_url_hostname(context, tas_hostname, NULL);
-		DEBUG_ANCHOR("%s lookup for %s returned no response\n"
+		_getdns_log( &context->log
+			   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+			   , "%s lookup for %s returned no response\n"
 		            , rt_str(a->req->request_type), tas_hostname);
-#endif
+
 	} else if (a->req->response_len < dnsreq->name_len + 12 ||
 	    !_getdns_dname_equal(a->req->response + 12, dnsreq->name) ||
 	    a->rrset->rr_type != a->req->request_type) {
-#if defined(ANCHOR_DEBUG) && ANCHOR_DEBUG
 		char tas_hostname[256] = "<no hostname>";
 		(void) _getdns_get_tas_url_hostname(context, tas_hostname, NULL);
-		DEBUG_ANCHOR("%s lookup for %s returned wrong response\n"
+		_getdns_log( &context->log
+			   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+			   , "%s lookup for %s returned wrong response\n"
 		            , rt_str(a->req->request_type), tas_hostname);
-#endif
+
 	} else  if (!(a->rr = _getdns_rrtype_iter_init(&a->rr_spc, a->rrset))) {
-#if defined(ANCHOR_DEBUG) && ANCHOR_DEBUG
 		char tas_hostname[256] = "<no hostname>";
 		(void) _getdns_get_tas_url_hostname(context, tas_hostname, NULL);
-		DEBUG_ANCHOR("%s lookup for %s returned no addresses\n"
+		_getdns_log( &context->log
+			   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+			   , "%s lookup for %s returned no addresses\n"
 		            , rt_str(a->req->request_type), tas_hostname);
-#endif
+
 	} else {
 		tas_connection *other = a == &context->a ? &context->aaaa
 		                                         : &context->a;
@@ -1492,8 +1204,9 @@ static void _tas_hostname_lookup_cb(getdns_dns_req *dnsreq)
 			; /* pass */
 
 		else if (a == &context->a && tas_busy(other)) {
-			DEBUG_ANCHOR("Postponing connection initiation: "
-			             "Happy Eyeballs\n");
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+				   , "Waiting 25ms for AAAA to arrive\n");
 			GETDNS_SCHEDULE_EVENT(a->loop, a->fd, 25,
 			    getdns_eventloop_event_init(&a->event,
 			    a->req->owner, NULL, NULL, tas_happy_eyeballs_cb));
@@ -1510,47 +1223,57 @@ static void _tas_hostname_lookup_cb(getdns_dns_req *dnsreq)
 	tas_fail(context, a);
 }
 
-void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop)
+void _getdns_start_fetching_ta(
+    getdns_context *context, getdns_eventloop *loop, uint64_t *now_ms)
 {
 	getdns_return_t r;
 	size_t scheduled;
-	char tas_hostname[256];
+	char tas_hostname[256] = "";
 	const char *verify_CA;
 	const char *verify_email;
 
 	if ((r = _getdns_get_tas_url_hostname(context, tas_hostname, NULL))) {
-		DEBUG_ANCHOR("ERROR %s(): Could not get_tas_url_hostname"
-		             ": \"%s\"", __FUNC__
-		            , getdns_get_errorstr_by_id(r));
+		_getdns_log( &context->log
+			   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+			   , "Cannot get hostname from trust anchor url: "
+			     "\"%s\"\n", getdns_get_errorstr_by_id(r));
 		return;
 
 	} else if ((r = getdns_context_get_trust_anchors_verify_CA(
 	    context, &verify_CA))) {
-		DEBUG_ANCHOR("ERROR %s(): Could not get verify CA"
-		             ": \"%s\"", __FUNC__
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Cannot get trust anchor verify CA: \"%s\"\n"
 			   , getdns_get_errorstr_by_id(r));
 		return;
 
 	} else if (!verify_CA || !*verify_CA) {
-		DEBUG_ANCHOR("NOTICE: Trust anchor fetching explicitely "
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO
+		           , "Trust anchor verification explicitly "
 		             "disabled by empty verify CA\n");
 		return;
 
 	} else if ((r = getdns_context_get_trust_anchors_verify_email(
 	    context, &verify_email))) {
-		DEBUG_ANCHOR("ERROR %s(): Could not get verify email address"
-		             ": \"%s\"", __FUNC__
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+		           , "Cannot get trust anchor verify email: \"%s\"\n"
 			   , getdns_get_errorstr_by_id(r));
 		return;
 
 	} else if (!verify_email || !*verify_email) {
-		DEBUG_ANCHOR("NOTICE: Trust anchor fetching explicitely "
-		             "disabled by empty verify email address\n");
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_INFO
+		           , "Trust anchor verification explicitly "
+		             "disabled by empty verify email\n");
 		return;
 
 	} else if (!_getdns_context_can_write_appdata(context)) {
-		DEBUG_ANCHOR("NOTICE %s(): Not fetching TA, because "
-		             "non writeable appdata directory\n", __FUNC__);
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_WARNING
+		           , "Not fetching TA, because "
+		             "non writeable appdata directory\n");
 		return;
 	} 
 	DEBUG_ANCHOR("Hostname: %s\n", tas_hostname);
@@ -1558,35 +1281,44 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop)
 	             loop == &context->sync_eventloop.loop ? "" : "a");
 
 	scheduled = 0;
-#if 1
 	context->a.state = TAS_LOOKUP_ADDRESSES;
 	if ((r = _getdns_general_loop(context, loop,
 	    tas_hostname, GETDNS_RRTYPE_A,
 	    no_dnssec_checking_disabled_opportunistic,
 	    context, &context->a.req, NULL, _tas_hostname_lookup_cb))) {
-		DEBUG_ANCHOR("Error scheduling A lookup for %s: %s\n"
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_WARNING
+		           , "Error scheduling A lookup for %s: %s\n"
 		           , tas_hostname, getdns_get_errorstr_by_id(r));
 	} else
 		scheduled += 1;
-#endif
 
-#if 1
 	context->aaaa.state = TAS_LOOKUP_ADDRESSES;
 	if ((r = _getdns_general_loop(context, loop,
 	    tas_hostname, GETDNS_RRTYPE_AAAA,
 	    no_dnssec_checking_disabled_opportunistic,
 	    context, &context->aaaa.req, NULL, _tas_hostname_lookup_cb))) {
-		DEBUG_ANCHOR("Error scheduling AAAA lookup for %s: %s\n"
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_WARNING
+		           , "Error scheduling AAAA lookup for %s: %s\n"
 		           , tas_hostname, getdns_get_errorstr_by_id(r));
 	} else
 		scheduled += 1;
-#endif
 
 	if (!scheduled) {
-		DEBUG_ANCHOR("Fatal error fetching trust anchor: Unable to "
-		             "schedule address requests for %s\n"
+		_getdns_log( &context->log
+		           , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_WARNING
+		           , "Error scheduling address lookups for %s\n"
 		           , tas_hostname);
+
 		context->trust_anchors_source = GETDNS_TASRC_FAILED;
+		if (now_ms) {
+			if (*now_ms == 0) *now_ms = _getdns_get_now_ms();
+			context->trust_anchors_backoff_expiry = 
+			    *now_ms + context->trust_anchors_backoff_time;
+		} else
+			context->trust_anchors_backoff_expiry = 
+			    _getdns_get_now_ms() + context->trust_anchors_backoff_time;
 		_getdns_ta_notify_dnsreqs(context);
 	} else
 		context->trust_anchors_source = GETDNS_TASRC_FETCHING;
@@ -1703,7 +1435,10 @@ static void _getdns_context_read_root_ksk(getdns_context *context)
 			buf_sz *= 2;
 		}
 		if (!(buf = GETDNS_XMALLOC(context->mf, uint8_t, buf_sz))) {
-			DEBUG_ANCHOR("ERROR %s(): Memory error\n", __FUNC__);
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Error allocating memory to read "
+				     "root.key\n");
 			break;;
 		}
 		ptr = buf;
@@ -1788,8 +1523,10 @@ _getdns_context_update_root_ksk(
 			break;
 		}
 		if (str_buf != str_spc) {
-			DEBUG_ANCHOR("ERROR %s(): Buffer size determination "
-			             "error\n", __FUNC__);
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Error determining buffer size for root "
+				     "KSK\n");
 			if (str_buf)
 				GETDNS_FREE(context->mf, str_buf);
 
@@ -1797,11 +1534,13 @@ _getdns_context_update_root_ksk(
 		}
 		if (!(str_pos = str_buf = GETDNS_XMALLOC( context->mf, char,
 		    (str_sz = sizeof(str_spc) - remaining) + 1))) {
-			DEBUG_ANCHOR("ERROR %s(): Memory error\n", __FUNC__);
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_ERR
+				   , "Error allocating memory to read "
+				     "root KSK\n");
 			return;
 		}
 		remaining = str_sz + 1;
-		DEBUG_ANCHOR("Retrying with buf size: %d\n", remaining);
 	};
 
 	/* Write presentation format DNSKEY rrset to "root.key" file */
@@ -1876,17 +1615,21 @@ _getdns_context_update_root_ksk(
 					break;
 			}
 			if (!ta) {
-				DEBUG_ANCHOR("NOTICE %s(): Key with id %d "
-				             "*not* found in TA.\n"
-				             "\"root-anchors.xml\" need "
-					     "updating.\n", __FUNC__
+				_getdns_log( &context->log
+					   , GETDNS_LOG_SYS_ANCHOR
+					   , GETDNS_LOG_NOTICE
+					   , "Key with id %d not found in TA; "
+				             "\"root-anchors.xml\" needs to be "
+					     "updated.\n"
 				            , context->root_ksk.ids[i]);
 				context->trust_anchors_source =
 				    GETDNS_TASRC_XML_UPDATE;
 				break;
 			}
-			DEBUG_ANCHOR("DEBUG %s(): Key with id %d found in TA\n"
-			            , __FUNC__, context->root_ksk.ids[i]);
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_DEBUG
+				   , "Key with id %d found in TA\n"
+			           , context->root_ksk.ids[i]);
 		}
 	}
 	if (str_buf && str_buf != str_spc)

src/anchor.h

@@ -39,9 +39,33 @@
 #include <time.h>
 #include "rr-iter.h"
 
+#include "types-internal.h"
+
+/**
+ ** Internal functions, implemented in anchor-internal.c.
+ **/
 void _getdns_context_equip_with_anchor(getdns_context *context, uint64_t *now_ms);
 
-void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop);
+uint8_t *_getdns_tas_validate(struct mem_funcs *mf,
+    const getdns_bindata *xml_bd, const getdns_bindata *p7s_bd,
+    const getdns_bindata *crt_bd, const char *p7signer,
+                      uint64_t *now_ms, uint8_t *tas, size_t *tas_len);
+
+
+/**
+ ** anchor.c functions used by anchor-internal.c.
+ **/
+time_t _getdns_xml_convertdate(const char* str);
+
+uint16_t _getdns_parse_xml_trust_anchors_buf(gldns_buffer *gbuf, uint64_t *now_ms, char *xml_data, size_t xml_len);
+
+/**
+ ** Public interface.
+ **/
+void _getdns_context_equip_with_anchor(getdns_context *context, uint64_t *now_ms);
+
+void _getdns_start_fetching_ta(
+    getdns_context *context, getdns_eventloop *loop, uint64_t *now_ms);
 
 #define MAX_KSKS        16
 #define RRSIG_RDATA_LEN 16

src/compat/arc4random.c

@@ -31,11 +31,11 @@
 #endif
 #include <stdlib.h>
 #include <string.h>
+#ifndef GETDNS_ON_WINDOWS
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/time.h>
-#ifndef GETDNS_ON_WINDOWS
 #include <sys/mman.h>
 #endif
 #if defined(GETDNS_ON_WINDOWS) && !defined(MAP_INHERIT_ZERO)
@@ -51,6 +51,9 @@
 #else				/* !__GNUC__ */
 #define inline
 #endif				/* !__GNUC__ */
+#ifndef MAP_ANON
+#define MAP_ANON MAP_ANONYMOUS
+#endif
 
 #define KEYSZ	32
 #define IVSZ	8
@@ -71,6 +74,72 @@ static struct {
 
 static inline void _rs_rekey(u_char *dat, size_t datlen);
 
+/*
+ * Basic sanity checking; wish we could do better.
+ */
+static int
+fallback_gotdata(char *buf, size_t len)
+{
+	char	any_set = 0;
+	size_t	i;
+
+	for (i = 0; i < len; ++i)
+		any_set |= buf[i];
+	if (any_set == 0)
+		return -1;
+	return 0;
+}
+
+/* fallback for getentropy in case libc returns failure */
+static int
+fallback_getentropy_urandom(void *buf, size_t len)
+{
+	size_t i;
+	int fd, flags;
+	int save_errno = errno;
+
+start:
+
+	flags = O_RDONLY;
+#ifdef O_NOFOLLOW
+	flags |= O_NOFOLLOW;
+#endif
+#ifdef O_CLOEXEC
+	flags |= O_CLOEXEC;
+#endif
+	fd = open("/dev/urandom", flags, 0);
+	if (fd == -1) {
+		if (errno == EINTR)
+			goto start;
+		goto nodevrandom;
+	}
+#ifndef O_CLOEXEC
+#  ifdef HAVE_FCNTL
+	fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
+#  endif
+#endif
+	for (i = 0; i < len; ) {
+		size_t wanted = len - i;
+		ssize_t ret = read(fd, (char*)buf + i, wanted);
+
+		if (ret == -1) {
+			if (errno == EAGAIN || errno == EINTR)
+				continue;
+			close(fd);
+			goto nodevrandom;
+		}
+		i += ret;
+	}
+	close(fd);
+	if (fallback_gotdata(buf, len) == 0) {
+		errno = save_errno;
+		return 0;		/* satisfied */
+	}
+nodevrandom:
+	errno = EIO;
+	return -1;
+}
+
 static inline void
 _rs_init(u_char *buf, size_t n)
 {
@@ -102,6 +171,9 @@ _rs_init(u_char *buf, size_t n)
 		if(!rsx)
 			abort();
 #endif
+		/* Pleast older clang scan-build */
+		if (!buf)
+			buf = rsx->rs_buf;
 	}
 
 	chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8, 0);
@@ -114,15 +186,15 @@ _rs_stir(void)
 	u_char rnd[KEYSZ + IVSZ];
 
 	if (getentropy(rnd, sizeof rnd) == -1) {
+		if(errno != ENOSYS ||
+			fallback_getentropy_urandom(rnd, sizeof rnd) == -1) {
 #ifdef SIGKILL
 			raise(SIGKILL);
 #else
-#ifdef GETDNS_ON_WINDOWS
-		DebugBreak();
-#endif
 			exit(9); /* windows */
 #endif
 		}
+	}
 
 	if (!rs)
 		_rs_init(rnd, sizeof(rnd));
@@ -131,9 +203,6 @@ _rs_stir(void)
 	explicit_bzero(rnd, sizeof(rnd));	/* discard source seed */
 
 	/* invalidate rs_buf */
-#ifdef GETDNS_ON_WINDOWS
-	_Analysis_assume_(rs != NULL);
-#endif
 	rs->rs_have = 0;
 	memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
 
@@ -143,17 +212,9 @@ _rs_stir(void)
 static inline void
 _rs_stir_if_needed(size_t len)
 {
-#ifndef MAP_INHERIT_ZERO
+#if !defined(GETDNS_ON_WINDOWS)	&& !defined(MAP_INHERIT_ZERO)
 	static pid_t _rs_pid = 0;
-#ifdef GETDNS_ON_WINDOWS
-	/* 
-	 * TODO: if compiling for the Windows Runtime, use GetCurrentProcessId(),
-	 * but this requires linking with kernel32.lib
-	 */
-	pid_t pid = _getpid();
-#else
 	pid_t pid = getpid();
-#endif
 
 	/* If a system lacks MAP_INHERIT_ZERO, resort to getpid() */
 	if (_rs_pid == 0 || _rs_pid != pid) {
@@ -164,9 +225,6 @@ _rs_stir_if_needed(size_t len)
 #endif
 	if (!rs || rs->rs_count <= len)
 		_rs_stir();
-#ifdef GETDNS_ON_WINDOWS
-	_Analysis_assume_(rs != NULL);
-#endif
 	if (rs->rs_count <= len)
 		rs->rs_count = 0;
 	else

src/compat/arc4random_uniform.c

@@ -39,7 +39,7 @@ arc4random_uniform(uint32_t upper_bound)
 		return 0;
 
 	/* 2**32 % x == (2**32 - x) % x */
-	min = ((uint32_t)(-(int32_t)upper_bound)) % upper_bound;
+	min = -upper_bound % upper_bound;
 
 	/*
 	 * This could theoretically loop forever but each retry has

src/compat/explicit_bzero.c

@@ -6,17 +6,12 @@
 #include "config.h"
 #include <string.h>
 
-__attribute__((weak)) void
-__explicit_bzero_hook(void *ATTR_UNUSED(buf), size_t ATTR_UNUSED(len))
-{
-}
-
 void
 explicit_bzero(void *buf, size_t len)
 {
-#ifdef UB_ON_WINDOWS
+#ifdef GETDNS_ON_WINDOWS
 	SecureZeroMemory(buf, len);
-#endif
+#else
 	memset(buf, 0, len);
-	__explicit_bzero_hook(buf, len);
+#endif
 }

src/compat/getentropy_linux.c

@@ -60,6 +60,9 @@
 #include <sys/auxv.h>
 #endif
 #include <sys/vfs.h>
+#ifndef MAP_ANON
+#define MAP_ANON MAP_ANONYMOUS
+#endif
 
 #define REPEAT 5
 #define min(a, b) (((a) < (b)) ? (a) : (b))
@@ -94,7 +97,7 @@ int	getentropy(void *buf, size_t len);
 extern int main(int, char *argv[]);
 #endif
 static int gotdata(char *buf, size_t len);
-#ifdef SYS_getrandom
+#if defined(SYS_getrandom) && defined(__NR_getrandom)
 static int getentropy_getrandom(void *buf, size_t len);
 #endif
 static int getentropy_urandom(void *buf, size_t len);
@@ -113,7 +116,7 @@ getentropy(void *buf, size_t len)
 		return -1;
 	}
 
-#ifdef SYS_getrandom
+#if defined(SYS_getrandom) && defined(__NR_getrandom)
 	/*
 	 * Try descriptor-less getrandom()
 	 */
@@ -209,7 +212,7 @@ gotdata(char *buf, size_t len)
 	return 0;
 }
 
-#ifdef SYS_getrandom
+#if defined(SYS_getrandom) && defined(__NR_getrandom)
 static int
 getentropy_getrandom(void *buf, size_t len)
 {

src/compat/gettimeofday.c

@@ -21,8 +21,9 @@
   */
 #include "config.h"
 
-#ifdef GETDNS_ON_WINDOWS
-int gettimeofday(struct timeval* tv, struct timezone* tz)
+#ifndef HAVE_GETTIMEOFDAY
+
+int gettimeofday(struct timeval* tv, void* tz)
 {
 	FILETIME ft;
 	uint64_t now = 0;
@@ -70,4 +71,4 @@ int gettimeofday(struct timeval* tv, struct timezone* tz)
 
 	return 0;
 }
-#endif /* GETDNS_ON_WINDOWS */
+#endif /* HAVE_GETTIMEOFDAY */

src/compat/inet_ntop.c

@@ -19,8 +19,6 @@
 
 #include <config.h>
 
-#ifndef HAVE_INET_NTOP
-
 #include <sys/param.h>
 #include <sys/types.h>
 #ifdef HAVE_SYS_SOCKET_H
@@ -214,5 +212,3 @@ inet_ntop6(const u_char *src, char *dst, size_t size)
 	strlcpy(dst, tmp, size);
 	return (dst);
 }
-
-#endif /* !HAVE_INET_NTOP */

src/compat/inet_pton.c

@@ -17,7 +17,6 @@
  */
 
 #include <config.h>
-
 #include <string.h>
 #include <stdio.h>
 #include <errno.h>

src/compat/mkstemp.c

@@ -0,0 +1,43 @@
+/**
+ * \file mkstemp.c
+ * @brief Implementation of mkstemp for Windows.
+ */
+
+/*
+ * Copyright (c) 2019 Sinodun
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/stat.h>
+
+int mkstemp(char *template)
+{
+		if (_mktemp_s(template, strlen(template) + 1) != 0)
+				return -1;
+		return open(template, _O_CREAT | _O_EXCL | _O_RDWR, _S_IWRITE | _S_IREAD);
+}

src/compat/strlcpy.c

@@ -18,7 +18,6 @@
 /* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */
 
 #include <config.h>
-#ifndef HAVE_STRLCPY
 
 #include <sys/types.h>
 #include <string.h>
@@ -53,5 +52,3 @@ strlcpy(char *dst, const char *src, size_t siz)
 
 	return(s - src - 1);	/* count does not include NUL */
 }
-
-#endif /* !HAVE_STRLCPY */

src/const-info.c

@@ -93,6 +93,10 @@ static struct const_info consts_info[] = {
 	{     632, "GETDNS_CONTEXT_CODE_TLS_CA_FILE", GETDNS_CONTEXT_CODE_TLS_CA_FILE_TEXT },
 	{     633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT },
 	{     634, "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT },
+	{     635, "GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES", GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT },
+	{     636, "GETDNS_CONTEXT_CODE_TLS_MIN_VERSION", GETDNS_CONTEXT_CODE_TLS_MIN_VERSION_TEXT },
+	{     637, "GETDNS_CONTEXT_CODE_TLS_MAX_VERSION", GETDNS_CONTEXT_CODE_TLS_MAX_VERSION_TEXT },
+	{     638, "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME", GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME_TEXT },
 	{     699, "GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE", GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE_TEXT },
 	{     700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
 	{     701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
@@ -115,7 +119,16 @@ static struct const_info consts_info[] = {
 	{    1202, "GETDNS_TRANSPORT_TLS", GETDNS_TRANSPORT_TLS_TEXT },
 	{    1300, "GETDNS_AUTHENTICATION_NONE", GETDNS_AUTHENTICATION_NONE_TEXT },
 	{    1301, "GETDNS_AUTHENTICATION_REQUIRED", GETDNS_AUTHENTICATION_REQUIRED_TEXT },
-	{    4096, "GETDNS_LOG_UPSTREAM_STATS", GETDNS_LOG_UPSTREAM_STATS_TEXT },
+	{    1400, "GETDNS_SSL3", GETDNS_SSL3_TEXT },
+	{    1401, "GETDNS_TLS1", GETDNS_TLS1_TEXT },
+	{    1402, "GETDNS_TLS1_1", GETDNS_TLS1_1_TEXT },
+	{    1403, "GETDNS_TLS1_2", GETDNS_TLS1_2_TEXT },
+	{    1404, "GETDNS_TLS1_3", GETDNS_TLS1_3_TEXT },
+	{    8192, "GETDNS_LOG_SYS_STUB", GETDNS_LOG_SYS_STUB_TEXT },
+	{   12288, "GETDNS_LOG_UPSTREAM_STATS", GETDNS_LOG_UPSTREAM_STATS_TEXT },
+	{   16384, "GETDNS_LOG_SYS_RECURSING", GETDNS_LOG_SYS_RECURSING_TEXT },
+	{   24576, "GETDNS_LOG_SYS_RESOLVING", GETDNS_LOG_SYS_RESOLVING_TEXT },
+	{   32768, "GETDNS_LOG_SYS_ANCHOR", GETDNS_LOG_SYS_ANCHOR_TEXT },
 };
 
 static int const_info_cmp(const void *a, const void *b)
@@ -190,10 +203,14 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_CONTEXT_CODE_TLS_BACKOFF_TIME", 623 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CA_FILE", 632 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CA_PATH", 631 },
+	{ "GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES", 635 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", 633 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES", 624 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", 634 },
+	{ "GETDNS_CONTEXT_CODE_TLS_MAX_VERSION", 637 },
+	{ "GETDNS_CONTEXT_CODE_TLS_MIN_VERSION", 636 },
 	{ "GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE", 620 },
+	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME", 638 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_URL", 625 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_CA", 626 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_EMAIL", 627 },
@@ -212,7 +229,11 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_LOG_ERR", 3 },
 	{ "GETDNS_LOG_INFO", 6 },
 	{ "GETDNS_LOG_NOTICE", 5 },
-	{ "GETDNS_LOG_UPSTREAM_STATS", 4096 },
+	{ "GETDNS_LOG_SYS_ANCHOR", 32768 },
+	{ "GETDNS_LOG_SYS_RECURSING", 16384 },
+	{ "GETDNS_LOG_SYS_RESOLVING", 24576 },
+	{ "GETDNS_LOG_SYS_STUB", 8192 },
+	{ "GETDNS_LOG_UPSTREAM_STATS", 12288 },
 	{ "GETDNS_LOG_WARNING", 4 },
 	{ "GETDNS_NAMESPACE_DNS", 500 },
 	{ "GETDNS_NAMESPACE_LOCALNAMES", 501 },
@@ -227,6 +248,7 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_OPCODE_STATUS", 2 },
 	{ "GETDNS_OPCODE_UPDATE", 5 },
 	{ "GETDNS_RCODE_BADALG", 21 },
+	{ "GETDNS_RCODE_BADCOOKIE", 23 },
 	{ "GETDNS_RCODE_BADKEY", 17 },
 	{ "GETDNS_RCODE_BADMODE", 19 },
 	{ "GETDNS_RCODE_BADNAME", 20 },
@@ -234,7 +256,6 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RCODE_BADTIME", 18 },
 	{ "GETDNS_RCODE_BADTRUNC", 22 },
 	{ "GETDNS_RCODE_BADVERS", 16 },
-	{ "GETDNS_RCODE_COOKIE", 23 },
 	{ "GETDNS_RCODE_FORMERR", 1 },
 	{ "GETDNS_RCODE_NOERROR", 0 },
 	{ "GETDNS_RCODE_NOTAUTH", 9 },
@@ -279,8 +300,10 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRCLASS_IN", 1 },
 	{ "GETDNS_RRCLASS_NONE", 254 },
 	{ "GETDNS_RRTYPE_A", 1 },
+	{ "GETDNS_RRTYPE_A6", 38 },
 	{ "GETDNS_RRTYPE_AAAA", 28 },
 	{ "GETDNS_RRTYPE_AFSDB", 18 },
+	{ "GETDNS_RRTYPE_AMTRELAY", 260 },
 	{ "GETDNS_RRTYPE_ANY", 255 },
 	{ "GETDNS_RRTYPE_APL", 42 },
 	{ "GETDNS_RRTYPE_ATMA", 34 },
@@ -299,15 +322,20 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRTYPE_DOA", 259 },
 	{ "GETDNS_RRTYPE_DS", 43 },
 	{ "GETDNS_RRTYPE_EID", 31 },
+	{ "GETDNS_RRTYPE_EUI48", 108 },
+	{ "GETDNS_RRTYPE_EUI64", 109 },
 	{ "GETDNS_RRTYPE_GID", 102 },
 	{ "GETDNS_RRTYPE_GPOS", 27 },
 	{ "GETDNS_RRTYPE_HINFO", 13 },
 	{ "GETDNS_RRTYPE_HIP", 55 },
+	{ "GETDNS_RRTYPE_HTTPS", 65 },
 	{ "GETDNS_RRTYPE_IPSECKEY", 45 },
 	{ "GETDNS_RRTYPE_ISDN", 20 },
 	{ "GETDNS_RRTYPE_IXFR", 251 },
 	{ "GETDNS_RRTYPE_KEY", 25 },
 	{ "GETDNS_RRTYPE_KX", 36 },
+	{ "GETDNS_RRTYPE_L32", 105 },
+	{ "GETDNS_RRTYPE_L64", 106 },
 	{ "GETDNS_RRTYPE_LOC", 29 },
 	{ "GETDNS_RRTYPE_LP", 107 },
 	{ "GETDNS_RRTYPE_MAILA", 254 },
@@ -327,6 +355,8 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRTYPE_NSAP", 22 },
 	{ "GETDNS_RRTYPE_NSAP_PTR", 23 },
 	{ "GETDNS_RRTYPE_NSEC", 47 },
+	{ "GETDNS_RRTYPE_NSEC3", 50 },
+	{ "GETDNS_RRTYPE_NSEC3PARAM", 51 },
 	{ "GETDNS_RRTYPE_NULL", 10 },
 	{ "GETDNS_RRTYPE_NXT", 30 },
 	{ "GETDNS_RRTYPE_OPENPGPKEY", 61 },
@@ -344,6 +374,7 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRTYPE_SPF", 99 },
 	{ "GETDNS_RRTYPE_SRV", 33 },
 	{ "GETDNS_RRTYPE_SSHFP", 44 },
+	{ "GETDNS_RRTYPE_SVCB", 64 },
 	{ "GETDNS_RRTYPE_TA", 32768 },
 	{ "GETDNS_RRTYPE_TALINK", 58 },
 	{ "GETDNS_RRTYPE_TKEY", 249 },
@@ -355,6 +386,13 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRTYPE_UNSPEC", 103 },
 	{ "GETDNS_RRTYPE_URI", 256 },
 	{ "GETDNS_RRTYPE_WKS", 11 },
+	{ "GETDNS_RRTYPE_X25", 19 },
+	{ "GETDNS_RRTYPE_ZONEMD", 63 },
+	{ "GETDNS_SSL3", 1400 },
+	{ "GETDNS_TLS1", 1401 },
+	{ "GETDNS_TLS1_1", 1402 },
+	{ "GETDNS_TLS1_2", 1403 },
+	{ "GETDNS_TLS1_3", 1404 },
 	{ "GETDNS_TRANSPORT_TCP", 1201 },
 	{ "GETDNS_TRANSPORT_TCP_ONLY", 542 },
 	{ "GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN", 543 },

src/context.h

@@ -50,6 +50,7 @@
 #endif
 #include "rr-iter.h"
 #include "anchor.h"
+#include "tls.h"
 
 struct getdns_dns_req;
 struct ub_ctx;
@@ -127,7 +128,7 @@ const getdns_tsig_info *_getdns_get_tsig_info(getdns_tsig_algo tsig_alg);
 
 /* for doing public key pinning of TLS-capable upstreams: */
 typedef struct sha256_pin {
-	char pin[SHA256_DIGEST_LENGTH];
+	uint8_t pin[SHA256_DIGEST_LENGTH];
 	struct sha256_pin *next;
 } sha256_pin_t;
 
@@ -200,14 +201,25 @@ typedef struct getdns_upstream {
 	getdns_network_req      *write_queue_last;
 	_getdns_rbtree_t         netreq_by_query_id;
 
+	/* TCP specific connection handling*/
+	unsigned                 tfo_use_sendto  : 1;
 	/* TLS specific connection handling*/
-	SSL*                     tls_obj;
-	SSL_SESSION*             tls_session;
+	unsigned                 tls_fallback_ok : 1;
+	_getdns_tls_connection*  tls_obj;
+	_getdns_tls_session*     tls_session;
 	getdns_tls_hs_state_t    tls_hs_state;
 	getdns_auth_state_t      tls_auth_state;
-	unsigned                 tls_fallback_ok : 1;
+	uint64_t                 expires; /* Expire time of waiting netreqs.
+	                                   * This is how long a handshake may
+	                                   * take.
+	                                   */
+	/* TLS settings */
 	char                    *tls_cipher_list;
+	char                    *tls_ciphersuites;
 	char                    *tls_curves_list;
+	getdns_tls_version_t     tls_min_version;
+	getdns_tls_version_t     tls_max_version;
+
 	/* Auth credentials */
 	char                     tls_auth_name[256];
 	sha256_pin_t            *tls_pubkey_pinset;
@@ -231,15 +243,13 @@ typedef struct getdns_upstream {
 	unsigned is_sync_loop : 1;
 
 	/* EDNS cookies */
-	uint32_t secret;
-	uint8_t  client_cookie[8];
-	uint8_t  prev_client_cookie[8];
-	uint8_t  server_cookie[32];
+	uint8_t  server_cookie[40];
+	size_t   server_cookie_len;
 	
-	unsigned has_client_cookie : 1;
-	unsigned has_prev_client_cookie : 1;
-	unsigned has_server_cookie : 1;
-	unsigned server_cookie_len : 5;
+	uint64_t                src_addr_checked;
+	struct sockaddr_storage src_addr;
+	socklen_t               src_addr_len;
+	char                    src_addr_str[INET6_ADDRSTRLEN];
 
 	/* TSIG */
 	uint8_t          tsig_dname[256];
@@ -315,6 +325,7 @@ struct getdns_context {
 	size_t               namespace_count;
 	uint64_t             timeout;
 	uint64_t             idle_timeout;
+	int                  tcp_send_timeout; /* -1 is unset */
 	getdns_redirects_t   follow_redirects;
 	getdns_list          *dns_root_servers;
 
@@ -341,6 +352,8 @@ struct getdns_context {
 	char                 *trust_anchors_url;
 	char                 *trust_anchors_verify_CA;
 	char                 *trust_anchors_verify_email;
+	uint64_t              trust_anchors_backoff_time;
+	uint64_t              trust_anchors_backoff_expiry;
 
 	_getdns_ksks          root_ksk;
 
@@ -350,7 +363,10 @@ struct getdns_context {
 	char                 *tls_ca_path;
 	char                 *tls_ca_file;
 	char                 *tls_cipher_list;
+	char                 *tls_ciphersuites;
 	char                 *tls_curves_list;
+	getdns_tls_version_t  tls_min_version;
+	getdns_tls_version_t  tls_max_version;
 
 	getdns_upstreams     *upstreams;
 	uint16_t             limit_outstanding_queries;
@@ -371,7 +387,7 @@ struct getdns_context {
 	int edns_maximum_udp_payload_size; /* -1 is unset */
 	uint8_t edns_client_subnet_private;
 	uint16_t tls_query_padding_blocksize;
-	SSL_CTX* tls_ctx;
+	_getdns_tls_context* tls_ctx;
 
 	getdns_update_callback  update_callback;
 	getdns_update_callback2 update_callback2;
@@ -381,6 +397,7 @@ struct getdns_context {
 
 	int processing;
 	int destroying;
+	int to_destroy;
 
 	struct mem_funcs mf;
 	struct mem_funcs my_mf;
@@ -433,6 +450,7 @@ struct getdns_context {
 	getdns_dict *header;
 	getdns_dict *add_opt_parameters;
 	unsigned add_warning_for_bad_dns             : 1;
+	unsigned dnssec                              : 1;
 	unsigned dnssec_return_all_statuses          : 1;
 	unsigned dnssec_return_full_validation_chain : 1;
 	unsigned dnssec_return_only_secure           : 1;
@@ -490,11 +508,38 @@ struct getdns_context {
 #endif /* HAVE_MDNS_SUPPORT */
 }; /* getdns_context */
 
-void _getdns_upstream_log(getdns_upstream *upstream, uint64_t system,
-    getdns_loglevel_type level, const char *fmt, ...);
+static inline int _getdns_check_log(const getdns_log_config *log,
+    uint64_t system, getdns_loglevel_type level)
+{ assert(log)
+; return log->func && (log->system & system) && level <= log->level; }
 
-void _getdns_context_log(getdns_context *context, uint64_t system,
-    getdns_loglevel_type level, const char *fmt, ...);
+static inline void _getdns_log(const getdns_log_config *log,
+    uint64_t system, getdns_loglevel_type level, const char *fmt, ...)
+{
+	va_list args;
+
+	if (!_getdns_check_log(log, system, level))
+		return;
+
+	va_start(args, fmt);
+	log->func(log->userarg, system, level, fmt, args);
+	va_end(args);
+}
+
+static inline void _getdns_upstream_log(const getdns_upstream *up,
+    uint64_t system, getdns_loglevel_type level, const char *fmt, ...)
+{
+	va_list args;
+
+	if (!up || !up->upstreams
+	||  !_getdns_check_log(&up->upstreams->log, system, level))
+		return;
+
+	va_start(args, fmt);
+	up->upstreams->log.func(
+	    up->upstreams->log.userarg, system, level, fmt, args);
+	va_end(args);
+}
 
 
 /** internal functions **/
@@ -551,8 +596,9 @@ void _getdns_upstreams_dereference(getdns_upstreams *upstreams);
 
 void _getdns_upstream_shutdown(getdns_upstream *upstream);
 
-FILE *_getdns_context_get_priv_fp(getdns_context *context, const char *fn);
-uint8_t *_getdns_context_get_priv_file(getdns_context *context,
+FILE *_getdns_context_get_priv_fp(
+    const getdns_context *context, const char *fn);
+uint8_t *_getdns_context_get_priv_file(const getdns_context *context,
     const char *fn, uint8_t *buf, size_t buf_len, size_t *file_sz);
 
 int _getdns_context_write_priv_file(getdns_context *context,

src/convert.c

@@ -41,9 +41,6 @@
 #endif
 #if defined(HAVE_LIBIDN2)
 #include <idn2.h>
-#elif defined(HAVE_LIBIDN)
-#include <stringprep.h>
-#include <idna.h>
 #endif
 #include "getdns/getdns.h"
 #include "getdns/getdns_extra.h"
@@ -124,34 +121,8 @@ getdns_convert_ulabel_to_alabel(const char *ulabel)
 
 	if (idn2_lookup_u8((uint8_t *)ulabel, &alabel, IDN2_TRANSITIONAL) == IDN2_OK)
 		return (char *)alabel;
-
-#elif defined(HAVE_LIBIDN)
-	char *alabel;
-	char *prepped;
-	char  prepped2[BUFSIZ];
-
-	if (!ulabel) return NULL;
-
-	setlocale(LC_ALL, "");
-	if ((prepped = stringprep_locale_to_utf8(ulabel))) {
-		if(strlen(prepped)+1 > BUFSIZ) {
-			free(prepped);
-			return NULL;
-		}
-		memcpy(prepped2, prepped, strlen(prepped)+1);
-		free(prepped);
-
-		/* convert to utf8 fails, which it can, but continue anyway */
-	} else if (strlen(ulabel)+1 > BUFSIZ)
-		return NULL;
-	else
-		memcpy(prepped2, ulabel, strlen(ulabel)+1);
-
-	if (stringprep(prepped2, BUFSIZ, 0, stringprep_nameprep) == STRINGPREP_OK
-	&&  idna_to_ascii_8z(prepped2, &alabel, 0) == IDNA_SUCCESS)
-		return alabel;
 #else
-	(void)ulabel;
+	(void)ulabel; /* unused parameter */
 #endif
 	return NULL;
 }
@@ -170,19 +141,15 @@ getdns_convert_ulabel_to_alabel(const char *ulabel)
 char *
 getdns_convert_alabel_to_ulabel(const char *alabel)
 {
-#if defined(HAVE_LIBIDN2) || defined(HAVE_LIBIDN)
+#if defined(HAVE_LIBIDN2)
 	char *ulabel;
 
 	if (!alabel) return NULL;
 
-# if defined(HAVE_LIBIDN2)
 	if (idn2_to_unicode_8z8z(alabel, &ulabel, 0) == IDN2_OK)
-# else
-	if (idna_to_unicode_8z8z(alabel, &ulabel, 0) == IDNA_SUCCESS)
-# endif
 		return ulabel;
 #else
-	(void)alabel;
+	(void)alabel; /* unused parameter */
 #endif
 	return NULL;
 }
@@ -460,7 +427,7 @@ getdns_rr_dict2str_scan(
 	prev_str_len = *str_len;
 	sz = (size_t)*str_len;
 	sz_needed = gldns_wire2str_rr_scan(
-	    &scan_buf, &scan_sz, str, &sz, NULL, 0);
+	    &scan_buf, &scan_sz, str, &sz, NULL, 0, NULL);
 
 	if (sz_needed > prev_str_len) {
 		*str = prev_str + sz_needed;
@@ -562,8 +529,10 @@ _getdns_fp2rr_list(struct mem_funcs *mf,
 	else while (r == GETDNS_RETURN_GOOD && !feof(in)) {
 		len = GLDNS_RR_BUF_SIZE;
 		dname_len = 0;
-		if (gldns_fp2wire_rr_buf(in, rr, &len, &dname_len, &pst))
+		if (gldns_fp2wire_rr_buf(in, rr, &len, &dname_len, &pst)) {
+			r = GETDNS_RETURN_GENERIC_ERROR;
 			break;
+		}
 		if (dname_len && dname_len < sizeof(pst.prev_rr)) {
 			memcpy(pst.prev_rr, rr, dname_len);
 			pst.prev_rr_len = dname_len;
@@ -777,6 +746,75 @@ getdns_wire2msg_dict_scan(
 		else   GLDNS_ ## Y ## _CLR(header); \
 	}
 
+static getdns_return_t
+_getdns_reply_dict2wire_hdr(
+    const getdns_dict *reply, gldns_buffer *gbuf, getdns_bindata *wf_reply)
+{
+	size_t          pkt_start = gldns_buffer_position(gbuf);
+	size_t          pkt_len = wf_reply->size;
+	uint8_t        *header = gldns_buffer_current(gbuf);
+	uint8_t        *pkt_end = header + pkt_len;
+	getdns_list    *sec;
+	size_t          sec_len;
+	uint32_t        n, i;
+	_getdns_rr_iter rr_iter_storage, *rr_iter;
+	getdns_list    *section;
+	size_t          rrs2skip;
+	getdns_dict    *rr_dict;
+
+	gldns_buffer_write(gbuf, wf_reply->data, wf_reply->size);
+
+	if (GLDNS_QDCOUNT(header) != 1
+	|| (GLDNS_ARCOUNT(header) != 0 && GLDNS_ARCOUNT(header) != 1))
+		return GETDNS_RETURN_GENERIC_ERROR;
+
+	sec_len = 0;
+	if (!getdns_dict_get_list(reply, "answer", &sec))
+		(void) getdns_list_get_length(sec, &sec_len);
+	if (sec_len != GLDNS_ANCOUNT(header))
+		return GETDNS_RETURN_GENERIC_ERROR;
+
+	sec_len = 0;
+	if (!getdns_dict_get_list(reply, "authority", &sec))
+		(void) getdns_list_get_length(sec, &sec_len);
+	if (sec_len != GLDNS_NSCOUNT(header))
+		return GETDNS_RETURN_GENERIC_ERROR;
+
+	rrs2skip = 1 + GLDNS_ANCOUNT(header) +  GLDNS_NSCOUNT(header);
+
+	SET_HEADER_INT(id, ID);
+	SET_HEADER_BIT(qr, QR);
+	SET_HEADER_BIT(aa, AA);
+	SET_HEADER_BIT(tc, TC);
+	SET_HEADER_BIT(rd, RD);
+	SET_HEADER_BIT(cd, CD);
+	SET_HEADER_BIT(ra, RA);
+	SET_HEADER_BIT(ad, AD);
+	SET_HEADER_INT(opcode, OPCODE);
+	SET_HEADER_INT(rcode, RCODE);
+	SET_HEADER_BIT(z, Z);
+
+	for ( rr_iter = _getdns_rr_iter_init(&rr_iter_storage, header, pkt_len)
+	    ; rr_iter
+	    ; rr_iter = _getdns_rr_iter_next(rr_iter)) {
+		if (rr_iter->nxt > pkt_end)
+			return GETDNS_RETURN_GENERIC_ERROR;
+		if (!--rrs2skip)
+			break;
+		/* TODO: Delete sigs when do bit was off */
+	}
+	gldns_buffer_set_position(gbuf, rr_iter->nxt - header);
+	if (!getdns_dict_get_list(reply, "additional", &section)) {
+		for ( n = 0, i = 0
+		    ; !getdns_list_get_dict(section, i, &rr_dict); i++) {
+			 if (!_getdns_rr_dict2wire(rr_dict, gbuf))
+				 n++;
+		}
+		gldns_buffer_write_u16_at(gbuf, pkt_start+GLDNS_ARCOUNT_OFF, n);
+	}
+	return GETDNS_RETURN_GOOD;
+}
+
 getdns_return_t
 _getdns_reply_dict2wire(
     const getdns_dict *reply, gldns_buffer *buf, int reuse_header)
@@ -787,6 +825,7 @@ _getdns_reply_dict2wire(
 	getdns_list *section;
 	getdns_dict *rr_dict;
 	getdns_bindata *qname;
+	name_cache_t name_cache = {0};
 	int remove_dnssec;
 
 	pkt_start = gldns_buffer_position(buf);
@@ -816,7 +855,7 @@ _getdns_reply_dict2wire(
 	if (!getdns_dict_get_bindata(reply, "/question/qname", &qname) &&
 	    !getdns_dict_get_int(reply, "/question/qtype", &qtype)) {
 		(void)getdns_dict_get_int(reply, "/question/qclass", &qclass);
-		gldns_buffer_write(buf, qname->data, qname->size);
+		_getdns_rr_buffer_write_cached_name(buf, qname, &name_cache);
 		gldns_buffer_write_u16(buf, (uint16_t)qtype);
 		gldns_buffer_write_u16(buf, (uint16_t)qclass);
 		gldns_buffer_write_u16_at(buf, pkt_start+GLDNS_QDCOUNT_OFF, 1);
@@ -839,7 +878,7 @@ _getdns_reply_dict2wire(
 			    !getdns_dict_get_int(rr_dict, "type", &rr_type) &&
 			    rr_type == GETDNS_RRTYPE_RRSIG)
 				continue;
-			if (!_getdns_rr_dict2wire(rr_dict, buf))
+			if (!_getdns_rr_dict2wire_cache(rr_dict, buf, &name_cache))
 				 n++;
 		}
 		gldns_buffer_write_u16_at(buf, pkt_start+GLDNS_ANCOUNT_OFF, n);
@@ -883,6 +922,8 @@ _getdns_msg_dict2wire_buf(const getdns_dict *msg_dict, gldns_buffer *gbuf)
 	getdns_return_t r;
 	getdns_list    *replies;
 	getdns_dict    *reply;
+	getdns_list    *wf_replies = NULL;
+	getdns_bindata *wf_reply;
 	size_t i;
 
 	if ((r = getdns_dict_get_list(msg_dict, "replies_tree", &replies))) {
@@ -890,8 +931,23 @@ _getdns_msg_dict2wire_buf(const getdns_dict *msg_dict, gldns_buffer *gbuf)
 			return r;
 		return _getdns_reply_dict2wire(msg_dict, gbuf, 0);
 	}
+	(void) getdns_dict_get_list(msg_dict, "replies_full", &wf_replies);
 	for (i = 0; r == GETDNS_RETURN_GOOD; i++) {
-		if (!(r = getdns_list_get_dict(replies, i, &reply)))
+		if ((r = getdns_list_get_dict(replies, i, &reply)))
+			;
+		else if (wf_replies
+		     && !getdns_list_get_bindata(wf_replies, i, &wf_reply)) {
+			size_t pkt_start = gldns_buffer_position(gbuf);
+
+			if (!gldns_buffer_reserve(gbuf, wf_reply->size))
+				return GETDNS_RETURN_NEED_MORE_SPACE;
+
+			if ((r = _getdns_reply_dict2wire_hdr( reply, gbuf
+			                                    , wf_reply))) {
+				gldns_buffer_set_position(gbuf, pkt_start);
+				r = _getdns_reply_dict2wire(reply, gbuf, 0);
+			}
+		} else
 			r = _getdns_reply_dict2wire(reply, gbuf, 0);
 	}
 	return r == GETDNS_RETURN_NO_SUCH_LIST_ITEM ? GETDNS_RETURN_GOOD : r;
@@ -1135,7 +1191,7 @@ _getdns_ipaddr_dict_mf(struct mem_funcs *mf, const char *ipstr)
 			tsig_name_str = "";
 		}
 	}
-	if (*ipstr == '*') {
+	if (*ipstr == '*' && *(ipstr+1) == '\0') {
 		getdns_dict_util_set_string(r, "address_type", "IPv6");
 		addr.size = 16;
 		(void) memset(buf, 0, 16);
@@ -1389,7 +1445,7 @@ static int _jsmn_get_int(const char *js, jsmntok_t *t, uint32_t *value)
 
 static int _jsmn_get_const(const char *js, jsmntok_t *t, uint32_t *value)
 {
-	char value_str[80];
+	char value_str[80] = "";
 	int size = t->end - t->start;
 
 	if (size <= 0 || size >= (int)sizeof(value_str))
@@ -1670,7 +1726,7 @@ getdns_str2dict(const char *str, getdns_dict **dict)
 	if (!str || !dict)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 
-	while (*str && isspace(*str))
+	while (*str && isspace((unsigned char)*str))
 		str++;
 
 	if (*str != '{') {
@@ -1847,8 +1903,8 @@ getdns_yaml2list(const char *str, getdns_list **list)
 		return GETDNS_RETURN_GENERIC_ERROR;
 	}	
 #else /* USE_YAML_CONFIG */
-	(void) str;
-	(void) list;
+	(void) str; /* unused parameter */
+	(void) list; /* unused parameter */
 	return GETDNS_RETURN_NOT_IMPLEMENTED;
 #endif /* USE_YAML_CONFIG */
 }
@@ -1871,8 +1927,8 @@ getdns_yaml2bindata(const char *str, getdns_bindata **bindata)
 		return GETDNS_RETURN_GENERIC_ERROR;
 	}	
 #else /* USE_YAML_CONFIG */
-	(void) str;
-	(void) bindata;
+	(void) str; /* unused parameter */
+	(void) bindata; /* unused parameter */
 	return GETDNS_RETURN_NOT_IMPLEMENTED;
 #endif /* USE_YAML_CONFIG */
 }
@@ -1895,8 +1951,8 @@ getdns_yaml2int(const char *str, uint32_t *value)
 		return GETDNS_RETURN_GENERIC_ERROR;
 	}	
 #else /* USE_YAML_CONFIG */
-	(void) str;
-	(void) value;
+	(void) str; /* unused parameter */
+	(void) value; /* unused parameter */
 	return GETDNS_RETURN_NOT_IMPLEMENTED;
 #endif /* USE_YAML_CONFIG */
 }

src/convert.h

@@ -38,6 +38,10 @@
 #include "types-internal.h"
 #include <stdio.h>
 
+getdns_return_t
+_getdns_wire2msg_dict_scan(struct mem_funcs *mf,
+    const uint8_t **wire, size_t *wire_len, getdns_dict **msg_dict);
+
 getdns_return_t _getdns_wire2rr_dict(struct mem_funcs *mf,
     const uint8_t *wire, size_t wire_len, getdns_dict **rr_dict);
 

src/dict.c

@@ -83,7 +83,7 @@ static char *_json_ptr_first(const struct mem_funcs *mf,
 static struct getdns_dict_item *
 _find_dict_item(const getdns_dict *dict, const char *jptr)
 {
-	char first_spc[1024], *first;
+	char first_spc[1024] = "", *first;
 	struct getdns_dict_item *d;
 
 	first = _json_ptr_first(&dict->mf, jptr,
@@ -434,7 +434,7 @@ getdns_dict_create_with_memory_functions(void *(*malloc)(size_t),
 
 /*-------------------------- getdns_dict_create_with_context */
 struct getdns_dict *
-getdns_dict_create_with_context(struct getdns_context *context)
+getdns_dict_create_with_context(const getdns_context *context)
 {
 	if (context)
 		return getdns_dict_create_with_extended_memory_functions(
@@ -655,7 +655,8 @@ getdns_dict_set_bindata(
 
 /*---------------------------------------- getdns_dict_set_bindata */
 getdns_return_t
-getdns_dict_util_set_string(getdns_dict *dict, char *name, const char *value)
+getdns_dict_util_set_string(getdns_dict *dict,
+    const char *name, const char *value)
 {
 	getdns_item    *item;
 	getdns_bindata *newbindata;
@@ -737,21 +738,16 @@ getdns_pp_base64(gldns_buffer *buf, getdns_bindata *bindata)
 {
 	size_t p = gldns_buffer_position(buf);
 	size_t base64str_sz;
-	char *target;
-	size_t avail;
 
 	if (gldns_buffer_printf(buf, " <bindata of ") < 0)
 		return -1;
 
 	base64str_sz = gldns_b64_ntop_calculate_size(bindata->size);
-	target = (char *)gldns_buffer_current(buf);
-	avail = gldns_buffer_remaining(buf);
-	if (avail >= base64str_sz)
-		gldns_buffer_skip(buf, gldns_b64_ntop(
-		    bindata->data, bindata->size,
-		    target, base64str_sz));
-	else
-		gldns_buffer_skip(buf, base64str_sz);
+	if (!gldns_buffer_reserve(buf, base64str_sz))
+		return -1;
+
+	gldns_buffer_skip(buf, gldns_b64_ntop(bindata->data, bindata->size,
+	    (char *)gldns_buffer_current(buf), base64str_sz));
 
 	if (gldns_buffer_printf(buf, ">") < 0)
 		return -1;
@@ -786,13 +782,37 @@ getdns_pp_bindata(gldns_buffer *buf, getdns_bindata *bindata,
 
 	if (bindata->size > 0 && i == bindata->size) {     /* all printable? */
 
-		if (json)
-			(void)snprintf(spc, sizeof(spc), "\"%%.%ds\"", (int)i);
-		else
+		if (json) {
+			const uint8_t *s = bindata->data;
+			const uint8_t *e = s + bindata->size;
+			const uint8_t *b;
+
+			if (!gldns_buffer_reserve(buf, (e - s) + 2))
+				return -1;
+			gldns_buffer_write_u8(buf, '"');
+			for (;;) {
+				for ( b = s
+				    ; b < e && *b != '\\' && *b != '"'
+				    ; b++)
+					; /* pass */
+				if (b == e)
+					break;
+				if (!gldns_buffer_reserve(buf, (b - s) + 3))
+					return -1;
+				gldns_buffer_write(buf, s, b - s);
+				gldns_buffer_write_u8(buf, '\\');
+				gldns_buffer_write_u8(buf, *b);
+				s = b + 1;
+			}
+			if (s < e)
+			       	gldns_buffer_write(buf, s, e - s);
+			gldns_buffer_write_u8(buf, '"');
+		} else {
 			(void)snprintf(spc, sizeof(spc), "of \"%%.%ds\"%s>",
 			    (int)(i > 32 ? 32 : i), (i > 32 ? "..." : ""));
 			if (gldns_buffer_printf(buf, spc, bindata->data) < 0)
 				return -1;
+		}
 
 	} else if (bindata->size > 1 &&         /* null terminated printable */
 	    i == bindata->size - 1 && bindata->data[i] == 0) {
@@ -872,6 +892,7 @@ getdns_pp_list(gldns_buffer *buf, size_t indent, const getdns_list *list,
 	struct getdns_bindata *bindata_item;
 	uint32_t int_item;
 	const char *strval;
+	char abuf[80];
 
 	if (list == NULL)
 		return 0;
@@ -913,7 +934,21 @@ getdns_pp_list(gldns_buffer *buf, size_t indent, const getdns_list *list,
 			if (getdns_list_get_bindata(list, i, &bindata_item) !=
 			    GETDNS_RETURN_GOOD)
 				return -1;
-			if (getdns_pp_bindata(
+
+			if (for_literals && (bindata_item->size == 4  ||
+			                     bindata_item->size == 16 )) {
+
+				if (gldns_buffer_printf(buf, 
+				    (json ? "\"%s\"" : " <bindata for %s>"),
+				    inet_ntop(( bindata_item->size == 4
+				              ? AF_INET : AF_INET6)
+				              , bindata_item->data
+				              , abuf
+				              , sizeof(abuf) - 1
+				              )) < 0)
+					return -1;
+
+			} else if (getdns_pp_bindata(
 			    buf, bindata_item, 0, json) < 0)
 				return -1;
 			break;
@@ -1010,12 +1045,12 @@ _getdns_print_rcode(gldns_buffer *buf, uint32_t rcode)
 		" GETDNS_RCODE_BADSIG"  , " GETDNS_RCODE_BADKEY"   ,
 		" GETDNS_RCODE_BADTIME" , " GETDNS_RCODE_BADMODE"  ,
 		" GETDNS_RCODE_BADNAME" , " GETDNS_RCODE_BADALG"   ,
-		" GETDNS_RCODE_BADTRUNC"
+		" GETDNS_RCODE_BADTRUNC", " GETDNS_RCODE_BADCOOKIE"
 	};
 	if (rcode <= 10)
 		(void) gldns_buffer_printf(buf, "%s", rcodes[rcode]);
-	else if (rcode >= 16 && rcode <= 22)
-		(void) gldns_buffer_printf(buf, "%s", rcodes[rcode-6]);
+	else if (rcode >= 16 && rcode <= 23)
+		(void) gldns_buffer_printf(buf, "%s", rcodes[rcode-5]);
 	else
 		return 0;
 	return 1;
@@ -1083,9 +1118,12 @@ getdns_pp_dict(gldns_buffer * buf, size_t indent,
 			     strcmp(item->node.key, "transport") == 0 ||
 			     strcmp(item->node.key, "resolution_type") == 0 ||
 			     strcmp(item->node.key, "tls_authentication") == 0 ||
+			     strcmp(item->node.key, "tls_min_version") == 0 ||
+			     strcmp(item->node.key, "tls_max_version") == 0 ||
 
 			     /* extensions */
 			     strcmp(item->node.key, "add_warning_for_bad_dns") == 0 ||
+			     strcmp(item->node.key, "dnssec") == 0 ||
 			     strcmp(item->node.key, "dnssec_return_all_statuses") == 0 ||
 			     strcmp(item->node.key, "dnssec_return_full_validation_chain") == 0 ||
 			     strcmp(item->node.key, "dnssec_return_only_secure") == 0 ||
@@ -1118,6 +1156,11 @@ getdns_pp_dict(gldns_buffer * buf, size_t indent,
 			if (!json && strcmp(item->node.key, "rcode") == 0 &&
 			    _getdns_print_rcode(buf, item->i.data.n))
 				break;
+			if (!json &&
+			    strcmp(item->node.key, "extended_rcode") == 0 &&
+			    item->i.data.n >= 16 &&
+			    _getdns_print_rcode(buf, item->i.data.n))
+				break;
 			if (gldns_buffer_printf(
 			    buf,(json < 2 ? " %d" : "%d"), item->i.data.n) < 0)
 				return -1;
@@ -1126,7 +1169,9 @@ getdns_pp_dict(gldns_buffer * buf, size_t indent,
 		case t_bindata:
 			if ((strcmp(item->node.key, "address_data") == 0 ||
 			     strcmp(item->node.key, "ipv4_address") == 0 ||
-			     strcmp(item->node.key, "ipv6_address") == 0 ) &&
+			     strcmp(item->node.key, "ipv6_address") == 0 ||
+			     strcmp(item->node.key, "answer_ipv4_address") == 0 ||
+			     strcmp(item->node.key, "answer_ipv6_address") == 0) &&
 			    (item->i.data.bindata->size == 4  ||
 			     item->i.data.bindata->size == 16 )) {
 
@@ -1174,8 +1219,9 @@ getdns_pp_dict(gldns_buffer * buf, size_t indent,
 			if (getdns_pp_list(buf, indent, item->i.data.list, 
 			    (strcmp(item->node.key, "namespaces") == 0 ||
 			     strcmp(item->node.key, "dns_transport_list") == 0
-			     || strcmp(item->node.key, "bad_dns") == 0),
-			    json) < 0)
+			     || strcmp(item->node.key, "bad_dns") == 0 ||
+			     strcmp(item->node.key, "dns_root_servers") == 0
+			    ), json) < 0)
 				return -1;
 			break;
 

src/dnssec.c

@@ -178,7 +178,7 @@
  * "DNSSEC Validation".
  *
  * Many functions are of key verification boolean return type; e.g.
- * key_proves_non_existance(), ds_authenticates_keys(), a_key_signed_rrset()
+ * key_proves_nonexistance(), ds_authenticates_keys(), a_key_signed_rrset()
  * These will return the keytag identifying the key that was used to 
  * authenticate + 0x10000 to allow keytag 0.
  *
@@ -192,9 +192,7 @@
 #include "debug.h"
 #include <sys/types.h>
 #include <sys/stat.h>
-#include <unistd.h>
 #include <ctype.h>
-#include <openssl/sha.h>
 #include "getdns/getdns.h"
 #include "context.h"
 #include "util-internal.h"
@@ -210,6 +208,7 @@
 #include "list.h"
 #include "util/val_secalgo.h"
 #include "anchor.h"
+#include "tls.h"
 
 #define SIGNATURE_VERIFIED         0x10000
 #define NSEC3_ITERATION_COUNT_HIGH 0x20000
@@ -244,13 +243,16 @@ static inline int _dname_equal(const uint8_t *left, const uint8_t *right)
 static int _dname_is_parent(
     const uint8_t * const parent, const uint8_t *subdomain)
 {
-	while (*subdomain) {
+	if (*parent == 0)
+		return 1;
+
+	else while (*subdomain) {
 		if (_dname_equal(parent, subdomain))
 			return 1;
 
 		subdomain += *subdomain + 1;
 	}
-	return *parent == 0;
+	return 0;
 }
 
 static uint8_t *_dname_label_copy(uint8_t *dst, const uint8_t *src, size_t dst_len)
@@ -396,7 +398,7 @@ static inline void debug_sec_print_rr(const char *msg, _getdns_rr_iter *rr)
 	}
 	(void) gldns_wire2str_rr_scan(
 	    (UNCONST_UINT8_p *) &data, &data_len, &str, &str_len,
-	    (UNCONST_UINT8_p) rr->pkt, rr->pkt_end - rr->pkt);
+	    (UNCONST_UINT8_p) rr->pkt, rr->pkt_end - rr->pkt, NULL);
 	DEBUG_SEC("%s%s", msg, str_spc);
 }
 static inline void debug_sec_print_dname(const char *msg, const uint8_t *label)
@@ -520,7 +522,7 @@ static void val_chain_sched(chain_head *head, const uint8_t *dname);
 static void val_chain_sched_ds(chain_head *head, const uint8_t *dname);
 static void val_chain_sched_signer(chain_head *head, _getdns_rrsig_iter *rrsig);
 
-static chain_head *add_rrset2val_chain(struct mem_funcs *mf,
+static chain_head *add_rrset2val_chain(const struct mem_funcs *mf,
     chain_head **chain_p, _getdns_rrset *rrset, getdns_network_req *netreq)
 {
 	chain_head *head;
@@ -671,6 +673,24 @@ static chain_head *add_rrset2val_chain(struct mem_funcs *mf,
 	if (!(node[-1].parent = max_node))
 		val_chain_sched(head, (uint8_t *)"\0");
 
+	/* For an NSEC or NSEC3 query, stop at that.  If it is valid it will
+	 * have a signature which will be chased.
+	 */
+	if (head->rrset.rr_type == GETDNS_RRTYPE_NSEC ||
+	    head->rrset.rr_type == GETDNS_RRTYPE_NSEC3)
+		return head;
+
+	/* Otherwise, schedule key lookups for the tld and sld too. */
+	if (!max_node) {
+		if (head->node_count > 1)
+			val_chain_sched(head, node[-2].ds.name);
+		if (head->node_count > 2)
+			val_chain_sched(head, node[-3].ds.name);
+	} else if ((max_labels == 1 || max_labels == 2) && head->node_count > 0)
+		val_chain_sched(head, node[-1].ds.name);
+	if (max_labels == 1 && head->node_count > 1)
+		val_chain_sched(head, node[-2].ds.name);
+
 	return head;
 }
 
@@ -767,7 +787,7 @@ static int is_synthesized_cname(_getdns_rrset *cname)
  * When a SOA query was successful, a query for DS will follow for that
  * owner name.
  */
-static void add_pkt2val_chain(struct mem_funcs *mf,
+static void add_pkt2val_chain(const struct mem_funcs *mf,
     chain_head **chain_p, uint8_t *pkt, size_t pkt_len,
     getdns_network_req *netreq)
 {
@@ -829,7 +849,7 @@ static void add_pkt2val_chain(struct mem_funcs *mf,
  * checked eventually.
  * But only if we know the question of course...
  */
-static void add_question2val_chain(struct mem_funcs *mf,
+static void add_question2val_chain(const struct mem_funcs *mf,
     chain_head **chain_p, uint8_t *pkt, size_t pkt_len,
     const uint8_t *qname, uint16_t qtype, uint16_t qclass,
     getdns_network_req *netreq)
@@ -902,7 +922,7 @@ static getdns_dict *CD_extension(getdns_dns_req *dnsreq)
 	     ? dnssec_ok_checking_disabled_roadblock_avoidance
 	     : dnssec_ok_checking_disabled_avoid_roadblocks;
 #else
-	(void)dnsreq;
+	(void)dnsreq; /* unused parameter */
 	return dnssec_ok_checking_disabled;
 #endif
 }
@@ -1051,6 +1071,105 @@ static void val_chain_sched_signer(chain_head *head, _getdns_rrsig_iter *rrsig)
 	val_chain_sched_signer_node(head->parent, rrsig);
 }
 
+/* Cancel all DS and DNSKEY for subdomains of parent_dname,
+ * and also the DNSKEY query at the parent_dname
+ */
+static void cancel_requests_for_subdomains_of(
+    chain_head *head, const uint8_t *parent_dname)
+{
+	chain_head *next;
+	chain_node *node;
+	size_t      node_count;
+
+	while (head) {
+		next = head->next;
+
+		if (!_dname_is_parent(parent_dname, head->rrset.name)) {
+			head = next;
+			continue;
+		}
+		for ( node_count = head->node_count, node = head->parent
+		    ; node_count
+		    ; node_count--, node = node->parent ) {
+
+			if (!_getdns_netreq_finished(node->dnskey_req)) {
+				_getdns_context_cancel_request(
+				    node->dnskey_req->owner);
+				node->dnskey_req = NULL;
+			}
+
+			if (_dname_equal(parent_dname, node->ds.name))
+				break;
+
+			if (!_getdns_netreq_finished(node->ds_req)) {
+				_getdns_context_cancel_request(
+				    node->ds_req->owner);
+				node->ds_req = NULL;
+			}
+		}
+		head = next;
+	}
+
+}
+
+static int nsec3_matches_name(_getdns_rrset *nsec3, const uint8_t *name);
+static int nsec3_covers_name(
+    _getdns_rrset *nsec3, const uint8_t *name, int *opt_out);
+
+static int insecure_delegation(_getdns_rrset *ds_rrset)
+{
+	_getdns_rrset        nsec_rrset;
+	_getdns_rrtype_iter *rr, rr_spc;
+	_getdns_rrsig_iter   rrsig_spc;
+	_getdns_rdf_iter     bitmap_spc, *bitmap;
+	_getdns_rrset_iter  *i, i_spc;
+
+	/* For NSEC, an insecure delegation is a NODATA proof for DS */
+	nsec_rrset = *ds_rrset;
+	nsec_rrset.rr_type = GETDNS_RRTYPE_NSEC;
+	if (!_getdns_rrsig_iter_init(&rrsig_spc, &nsec_rrset))
+		; /* pass */
+	else for ( rr = _getdns_rrtype_iter_init(&rr_spc, &nsec_rrset)
+	         ; rr ; rr = _getdns_rrtype_iter_next(rr)) {
+
+		if ((bitmap = _getdns_rdf_iter_init_at( &bitmap_spc
+		                                      , &rr->rr_i, 1))
+		    &&  bitmap_has_type(bitmap, GETDNS_RRTYPE_NS)
+		    && !bitmap_has_type(bitmap, GETDNS_RRTYPE_DS)
+		    && _getdns_rrsig_iter_init(&rrsig_spc, &nsec_rrset))
+			return 1;
+	}
+
+	/* For NSEC3 it is either a NODATA proof with a delegation,
+           or a NSEC3 opt-out coverage  */
+	for ( i = _getdns_rrset_iter_init(&i_spc, ds_rrset->pkt
+	                                        , ds_rrset->pkt_len
+	                                        , SECTION_NO_ADDITIONAL)
+	    ; i ; i = _getdns_rrset_iter_next(i)) {
+		_getdns_rrset *nsec3_rrset = _getdns_rrset_iter_value(i);
+		int opt_out;
+
+		if (  !nsec3_rrset
+		    || nsec3_rrset->rr_type != GETDNS_RRTYPE_NSEC3
+		    ||!(rr = _getdns_rrtype_iter_init(&rr_spc, nsec3_rrset)))
+			continue;
+
+		if (!nsec3_covers_name(nsec3_rrset, ds_rrset->name, &opt_out))
+			continue;
+
+		if (nsec3_matches_name(nsec3_rrset, ds_rrset->name)) {
+			bitmap = _getdns_rdf_iter_init_at( &bitmap_spc
+			                                 , &rr->rr_i, 5);
+			return  bitmap
+			    &&  bitmap_has_type(bitmap, GETDNS_RRTYPE_NS)
+			    && !bitmap_has_type(bitmap, GETDNS_RRTYPE_DS);
+		}
+		else if (opt_out)
+			return 1;
+	}
+	return 0;
+}
+
 static void val_chain_node_cb(getdns_dns_req *dnsreq)
 {
 	chain_node *node = (chain_node *)dnsreq->user_pointer;
@@ -1092,12 +1211,28 @@ static void val_chain_node_cb(getdns_dns_req *dnsreq)
 			n_signers++;
 		}
 	}
-	if (netreq->request_type == GETDNS_RRTYPE_DS && n_signers == 0)
+	if (netreq->request_type != GETDNS_RRTYPE_DS)
+		; /* pass */
+	else if (n_signers) {
+		_getdns_rrtype_iter ds_spc;
+
+		if (_getdns_rrtype_iter_init(&ds_spc, &node->ds))
+			; /* pass */
+
+		else if (insecure_delegation(&node->ds)) {
+			debug_sec_print_rrset("Insecure delegation. "
+			    "Canceling requests below ", &node->ds);
+			cancel_requests_for_subdomains_of(
+			    node->chains, node->ds.name);
+		} else {
+			debug_sec_print_rrset("No DS at ", &node->ds);
+		}
+	} else {
 		/* No signed DS and no signed proof of non-existance.
 		 * Search further up the tree...
 		 */
 		val_chain_sched_ds_node(node->parent);
-
+	}
 	if (node->lock) node->lock--;
 	check_chain_complete(node->chains);
 }
@@ -1293,8 +1428,9 @@ static int _rr_iter_rdata_cmp(const void *a, const void *b)
  * nc_name will be set to the next closer (within rrset->name).
  */
 #define VAL_RRSET_SPC_SZ 256
-static int _getdns_verify_rrsig(struct mem_funcs *mf,
-    _getdns_rrset *rrset, _getdns_rrsig_iter *rrsig, _getdns_rrtype_iter *key, const uint8_t **nc_name)
+static int _getdns_verify_rrsig(const struct mem_funcs *mf,
+    _getdns_rrset *rrset, _getdns_rrsig_iter *rrsig, _getdns_rrtype_iter *key,
+    const uint8_t **nc_name)
 {
 	int r;
 	int to_skip;
@@ -1418,7 +1554,7 @@ static int _getdns_verify_rrsig(struct mem_funcs *mf,
 		for ( rdf = _getdns_rdf_iter_init(&rdf_spc, &val_rrset[i])
 		    ; rdf
 		    ; rdf = _getdns_rdf_iter_next(rdf) ) {
-			if (!(rdf->rdd_pos->type & GETDNS_RDF_N)) {
+			if ((rdf->rdd_pos->type & GETDNS_RDF_N) != GETDNS_RDF_N) {
 				gldns_buffer_write(
 				    &valbuf, rdf->pos, rdf->nxt - rdf->pos);
 				continue;
@@ -1512,12 +1648,12 @@ static uint8_t *_getdns_nsec3_hash_label(uint8_t *label, size_t label_len,
 	(void)memcpy(dst, salt + 1, *salt);
 	dst += *salt;
 
-	(void)SHA1(buf, dst - buf, md);
+	_getdns_tls_sha1(buf, dst - buf, md);
 	if (iterations) {
 		(void)memcpy(buf + SHA_DIGEST_LENGTH, salt + 1, *salt);
 		while (iterations--) {
 			(void)memcpy(buf, md, SHA_DIGEST_LENGTH);
-			SHA1(buf, SHA_DIGEST_LENGTH + *salt, md);
+			_getdns_tls_sha1(buf, SHA_DIGEST_LENGTH + *salt, md);
 		}
 	}
 	*label = gldns_b32_ntop_extended_hex(
@@ -1612,8 +1748,9 @@ static int check_dates(time_t now, int32_t skew, int32_t exp, int32_t inc)
 /* Returns whether dnskey signed rrset.  If the rrset was a valid wildcard
  * expansion, nc_name will point to the next closer part of the name in rrset.
  */
-static int dnskey_signed_rrset(struct mem_funcs *mf, time_t now, uint32_t skew,
-    _getdns_rrtype_iter *dnskey, _getdns_rrset *rrset, const uint8_t **nc_name)
+static int dnskey_signed_rrset(const struct mem_funcs *mf, time_t now,
+    uint32_t skew, _getdns_rrtype_iter *dnskey, _getdns_rrset *rrset,
+    const uint8_t **nc_name)
 {
 	_getdns_rrsig_iter rrsig_spc, *rrsig;
 	_getdns_rdf_iter rdf_spc, *rdf;
@@ -1681,11 +1818,11 @@ static int dnskey_signed_rrset(struct mem_funcs *mf, time_t now, uint32_t skew,
 }
 
 /* Returns whether a dnskey for keyset signed a non wildcard rrset. */
-static int a_key_signed_rrset_no_wc(struct mem_funcs *mf, time_t now,
+static int a_key_signed_rrset_no_wc(const struct mem_funcs *mf, time_t now,
     uint32_t skew, _getdns_rrset *keyset, _getdns_rrset *rrset)
 {
 	_getdns_rrtype_iter dnskey_spc, *dnskey;
-	const uint8_t *nc_name;
+	const uint8_t *nc_name; /* Initialized by dnskey_signed_rrset() */
 	int keytag;
 
 	assert(keyset->rr_type == GETDNS_RRTYPE_DNSKEY);
@@ -1693,23 +1830,33 @@ static int a_key_signed_rrset_no_wc(struct mem_funcs *mf, time_t now,
 	for ( dnskey = _getdns_rrtype_iter_init(&dnskey_spc, keyset)
 	    ; dnskey ; dnskey = _getdns_rrtype_iter_next(dnskey) ) {
 
-		if ((keytag = dnskey_signed_rrset(mf, now, skew,
-		    dnskey, rrset, &nc_name)) && !nc_name)
+		if (!(keytag = dnskey_signed_rrset(mf, now, skew,
+		    dnskey, rrset, &nc_name)))
+			continue;
+
+		if (!nc_name) /* Not a wildcard, then success! */
+			return keytag;
+
+ 		/* Not a wildcard expansion, but the wildcard name itself. */
+		if (rrset->rr_type == GETDNS_RRTYPE_NSEC &&
+		    rrset->name[0] == 1 && rrset->name[1] == '*' &&
+		    nc_name == rrset->name)
 			return keytag;
 	}
 	return 0;
 }
 
-static int find_nsec_covering_name(
-    struct mem_funcs *mf, time_t now, uint32_t skew, _getdns_rrset *dnskey,
+static int find_nsec_covering_name(const struct mem_funcs *mf,
+    time_t now, uint32_t skew, _getdns_rrset *dnskey,
     _getdns_rrset *rrset, const uint8_t *name, int *opt_out);
 
 /* Returns whether a dnskey for keyset signed rrset. */
-static int a_key_signed_rrset(struct mem_funcs *mf, time_t now, uint32_t skew,
-    _getdns_rrset *keyset, _getdns_rrset *rrset)
+static int a_key_signed_rrset(const struct mem_funcs *mf, time_t now,
+    uint32_t skew, _getdns_rrset *keyset, _getdns_rrset *rrset)
 {
 	_getdns_rrtype_iter dnskey_spc, *dnskey;
-	const uint8_t *nc_name;
+	const uint8_t *nc_name; /* Initialized by dnskey_signed_rrset() */
+
 	int keytag;
 
 	assert(keyset->rr_type == GETDNS_RRTYPE_DNSKEY);
@@ -1728,7 +1875,8 @@ static int a_key_signed_rrset(struct mem_funcs *mf, time_t now, uint32_t skew,
 		 * There is no more specific!
 		 */
 		if (rrset->rr_type == GETDNS_RRTYPE_NSEC &&
-		    rrset->name[0] == 1 && rrset->name[1] == '*')
+		    rrset->name[0] == 1 && rrset->name[1] == '*' &&
+		    nc_name == rrset->name)
 			return keytag;
 
 		debug_sec_print_rrset("wildcard expanded to: ", rrset);
@@ -1745,13 +1893,13 @@ static int a_key_signed_rrset(struct mem_funcs *mf, time_t now, uint32_t skew,
 /* Returns whether a DS in ds_set matches a dnskey in dnskey_set which in turn
  * signed the dnskey set.
  */
-static int ds_authenticates_keys(struct mem_funcs *mf,
+static int ds_authenticates_keys(const struct mem_funcs *mf,
     time_t now, uint32_t skew, _getdns_rrset *ds_set, _getdns_rrset *dnskey_set)
 {
 	_getdns_rrtype_iter dnskey_spc, *dnskey;
 	_getdns_rrtype_iter ds_spc, *ds;
 	uint16_t keytag;
-	const uint8_t *nc_name;
+	const uint8_t *nc_name; /* Initialized by dnskey_signed_rrset() */
 	size_t valid_dsses = 0, supported_dsses = 0;
 	uint8_t max_supported_digest = 0;
 	int max_supported_result = 0;
@@ -2030,8 +2178,8 @@ static int nsec3_covers_name(
 	}
 }
 
-static int find_nsec_covering_name(
-    struct mem_funcs *mf, time_t now, uint32_t skew, _getdns_rrset *dnskey,
+static int find_nsec_covering_name(const struct mem_funcs *mf, time_t now,
+    uint32_t skew, _getdns_rrset *dnskey,
     _getdns_rrset *rrset, const uint8_t *name, int *opt_out)
 {
 	_getdns_rrset_iter i_spc, *i;
@@ -2133,7 +2281,7 @@ static int find_nsec_covering_name(
 }
 
 static int nsec3_find_next_closer(
-    struct mem_funcs *mf, time_t now, uint32_t skew,
+    const struct mem_funcs *mf, time_t now, uint32_t skew,
     _getdns_rrset *dnskey, _getdns_rrset *rrset,
     const uint8_t *nc_name, int *opt_out)
 {
@@ -2185,7 +2333,7 @@ static int nsec3_find_next_closer(
  * verifying key: it returns keytag + NSEC3_ITERATION_COUNT_HIGH (0x20000)
  */
 static int key_proves_nonexistance(
-    struct mem_funcs *mf, time_t now, uint32_t skew,
+    const struct mem_funcs *mf, time_t now, uint32_t skew,
     _getdns_rrset *keyset, _getdns_rrset *rrset, int *opt_out)
 {
 	_getdns_rrset nsec_rrset, *cover, *ce;
@@ -2198,6 +2346,7 @@ static int key_proves_nonexistance(
 
 	assert(keyset->rr_type == GETDNS_RRTYPE_DNSKEY);
 
+	debug_sec_print_rrset("Commencing NX proof for: ", rrset);
 	if (opt_out)
 		*opt_out = 0;
 
@@ -2247,6 +2396,14 @@ static int key_proves_nonexistance(
 	    && (keytag = a_key_signed_rrset_no_wc(
 				    mf, now, skew, keyset, &nsec_rrset))) {
 
+		/* Flag an insecure delegation via opt_out.
+		 * See usage of key_proves_nonexistance() from
+		 * chain_node_get_trusted_keys() for explanation.
+		 */
+		if (opt_out && rrset->rr_type == GETDNS_RRTYPE_DS)
+			*opt_out =  bitmap_has_type(bitmap, GETDNS_RRTYPE_NS)
+			        && !bitmap_has_type(bitmap, GETDNS_RRTYPE_SOA);
+
 		debug_sec_print_rrset("NSEC NODATA proof for: ", rrset);
 		return keytag;
 	}
@@ -2392,6 +2549,15 @@ static int key_proves_nonexistance(
 		    && (   keytag & NSEC3_ITERATION_COUNT_HIGH
 		        || nsec3_matches_name(ce, rrset->name))) {
 
+			/* Flag an insecure delegation via opt_out.
+			 * See usage of key_proves_nonexistance() from
+			 * chain_node_get_trusted_keys() for explanation.
+			 */
+			if (opt_out && rrset->rr_type == GETDNS_RRTYPE_DS)
+				*opt_out =
+				    bitmap_has_type(bitmap, GETDNS_RRTYPE_NS)
+				&& !bitmap_has_type(bitmap, GETDNS_RRTYPE_SOA);
+
 			debug_sec_print_rrset("NSEC3 No Data for: ", rrset);
 			return keytag;
 		}
@@ -2471,10 +2637,11 @@ static int key_proves_nonexistance(
  * non-existence of a DS along the path is proofed, and SECURE otherwise.
  */
 static int chain_node_get_trusted_keys(
-    struct mem_funcs *mf, time_t now, uint32_t skew,
+    const struct mem_funcs *mf, time_t now, uint32_t skew,
     chain_node *node, _getdns_rrset *ta, _getdns_rrset **keys)
 {
 	int s, keytag;
+	int opt_out;
 
 	/* Ascend up to the root */
 	if (! node)
@@ -2505,16 +2672,33 @@ static int chain_node_get_trusted_keys(
 			*keys = ta;
 			return GETDNS_DNSSEC_SECURE;
 		}
-		/* ta is parent's ZSK */
+		/* ta is parent's ZSK proving insecurity below this node? */
 		if ((keytag = key_proves_nonexistance(
-		    mf, now, skew, ta, &node->ds, NULL))) {
+		    mf, now, skew, ta, &node->ds, &opt_out))) {
 			node->ds_signer = keytag;
-			return GETDNS_DNSSEC_INSECURE;
-		}
 
-		if ((keytag = a_key_signed_rrset_no_wc(
+			/* When the proof is in an opt_out span, result will
+			 * be INSECURE regardless the purpose of the searched
+			 * for key.
+			 *
+			 * Otherwise, INSECURE only when this is a zonecut.
+			 * i.e. a NODATA proof, with the NS bit and no SOA bit.
+			 *
+			 * key_proves_nonexistance() will set opt_out also for
+			 * these conditions.
+			 */
+			if (opt_out)
+				return GETDNS_DNSSEC_INSECURE;
+
+			/* If this is not an insecurity proof,
+			 * continue searching one label up.
+			 */
+
+		/* ta is parent's ZSK authenticating DS? */
+		} else if ((keytag = a_key_signed_rrset_no_wc(
 					mf, now, skew, ta, &node->ds))) {
 			node->ds_signer = keytag;
+			/* DS should authenticate the DNSKEY rrset now */
 			if ((keytag = ds_authenticates_keys(
 			    mf, now, skew, &node->ds, &node->dnskey))) {
 				*keys = &node->dnskey;
@@ -2523,6 +2707,7 @@ static int chain_node_get_trusted_keys(
 				     ? GETDNS_DNSSEC_INSECURE
 				     : GETDNS_DNSSEC_SECURE;
 			}
+			/* DS without DNSKEY rrset == BOGUS */
 			return GETDNS_DNSSEC_BOGUS;
 		}
 	} else
@@ -2540,10 +2725,22 @@ static int chain_node_get_trusted_keys(
 	/* keys is an authenticated dnskey rrset always now (i.e. ZSK) */
 	ta = *keys;
 	/* Back down to the head */
+	/*************************/
 	if ((keytag = key_proves_nonexistance(
-	    mf, now, skew, ta, &node->ds, NULL))) {
+	    mf, now, skew, ta, &node->ds, &opt_out))) {
 		node->ds_signer = keytag;
-		return GETDNS_DNSSEC_INSECURE;
+
+		/* When the proof is in an opt_out span, result will be
+		 * INSECURE regardless the purpose of the searched for key.
+		 *
+		 * Otherwise, INSECURE only when this is a zonecut.
+		 * i.e. a NODATA proof, with the NS bit, but no SOA bit.
+		 *
+		 * key_proves_nonexistance() will set opt_out also for these
+		 * conditions. (NODATA of DS with NS bit and wihout SOA bit)
+		 */
+		return opt_out ? GETDNS_DNSSEC_INSECURE
+		               : GETDNS_DNSSEC_SECURE;
 	}
 	if (key_matches_signer(ta, &node->ds)) {
 		
@@ -2583,22 +2780,64 @@ static int chain_node_get_trusted_keys(
  * For this first a secure keyset is looked up, with which the keyset is 
  * evaluated.
  */
-static int chain_head_validate_with_ta(struct mem_funcs *mf,
+static int chain_head_validate_with_ta(const struct mem_funcs *mf,
     time_t now, uint32_t skew, chain_head *head, _getdns_rrset *ta)
 {
 	_getdns_rrset *keys;
 	int s, keytag, opt_out;
 
-	debug_sec_print_rrset("validating ", &head->rrset);
-	debug_sec_print_rrset("with trust anchor ", ta);
+	_getdns_rrtype_iter nsec_spc, *nsec_rr;
+	_getdns_rdf_iter bitmap_spc, *bitmap;
+	chain_node *parent;
+
+	debug_sec_print_rrset("Validating ", &head->rrset);
+	debug_sec_print_rrset("\twith trust anchor ", ta);
+
+	/* A DS is never at the apex */
+	if (   head->rrset.rr_type == GETDNS_RRTYPE_DS
+	    && head->parent->parent)
+		parent = head->parent->parent;
+
+	/* Only at the apex, a NSEC is signed with a DNSKEY with the same
+	 * owner name.  All other are signed by the parent domain or higher.
+	 * Besides a shortcut, choosing to search for a trusted key from the
+	 * parent is essential for NSECs at a delagation point! (which would
+	 * otherwise turn out BOGUS).
+	 */
+	else if (head->rrset.rr_type == GETDNS_RRTYPE_NSEC
+	    &&  head->parent->parent
+	    && (nsec_rr = _getdns_rrtype_iter_init(&nsec_spc, &head->rrset))
+	    && (bitmap = _getdns_rdf_iter_init_at(
+			    &bitmap_spc, &nsec_rr->rr_i, 1))
+	    && !bitmap_has_type(bitmap, GETDNS_RRTYPE_SOA))
+		parent = head->parent->parent;
+
+	/* NSEC3 is always signed by the parent domain!
+	 * ( the ownername of the NSEC3 itself is not in the original zone!
+	 *   so a search for a trusted key at that name gives either INSECURE
+	 *   (with opt-out) or BOGUS! )
+	 */
+	else if (head->rrset.rr_type == GETDNS_RRTYPE_NSEC3
+	    && head->parent->parent)
+		parent = head->parent->parent;
+	else
+		parent = head->parent;
 
 	if ((s = chain_node_get_trusted_keys(
-	    mf, now, skew, head->parent, ta, &keys)) != GETDNS_DNSSEC_SECURE)
+	    mf, now, skew, parent, ta, &keys)) != GETDNS_DNSSEC_SECURE) {
+		debug_sec_print_rrset("Could not get trusted keys "
+		                      "for validating ", &head->rrset);
+		DEBUG_SEC("\tstatus: %d\n", (int)s);
 		return s;
+	}
+	debug_sec_print_rrset("Validating ", &head->rrset);
+	debug_sec_print_rrset("\twith keys ", keys);
 
 	if (_getdns_rrset_has_rrs(&head->rrset)) {
 		if ((keytag = a_key_signed_rrset(
 		    mf, now, skew, keys, &head->rrset))) {
+			DEBUG_SEC("Key %d proved\n", (int)keytag);
+			debug_sec_print_rrset("\tSECURE: ", &head->rrset);
 			head->signer = keytag;
 			return GETDNS_DNSSEC_SECURE;
 
@@ -2607,23 +2846,29 @@ static int chain_head_validate_with_ta(struct mem_funcs *mf,
 					skew, keys, &head->rrset, &opt_out))
 				&& opt_out) {
 
+			DEBUG_SEC("Key %d proved (optout)\n", (int)keytag);
+			debug_sec_print_rrset("\tINSECURE: ", &head->rrset);
 			head->signer = keytag;
 			return GETDNS_DNSSEC_INSECURE;
 		}
 	} else if ((keytag = key_proves_nonexistance(mf, now, skew,
 					keys, &head->rrset, &opt_out))) {
+		DEBUG_SEC("Key %d proved (NX)\n", (int)keytag);
+		debug_sec_print_rrset("\tSECURE: ", &head->rrset);
 		head->signer = keytag;
 		return opt_out || (keytag & NSEC3_ITERATION_COUNT_HIGH)
 		     ? GETDNS_DNSSEC_INSECURE : GETDNS_DNSSEC_SECURE;
 	}
+	debug_sec_print_rrset("BOGUS: ", &head->rrset);
+	debug_sec_print_rrset("\twith trust anchor: ", ta);
 	return GETDNS_DNSSEC_BOGUS;
 }
 
 /* The DNSSEC status of the rrset in head is evaluated by trying the trust
  * anchors in tas in turn.  The best outcome counts.
  */
-static int chain_head_validate(struct mem_funcs *mf, time_t now, uint32_t skew,
-    chain_head *head, _getdns_rrset_iter *tas)
+static int chain_head_validate(const struct mem_funcs *mf, time_t now,
+    uint32_t skew, chain_head *head, _getdns_rrset_iter *tas)
 {
 	_getdns_rrset_iter *i;
 	_getdns_rrset *ta, dnskey_ta, ds_ta;
@@ -2772,7 +3017,7 @@ static void chain_clear_netreq_dnssec_status(chain_head *chain)
  * processing each head in turn.  The worst outcome is the dnssec status for
  * the whole.
  */
-static int chain_validate_dnssec(struct mem_funcs *mf,
+static int chain_validate_dnssec(const struct mem_funcs *mf,
     time_t now, uint32_t skew, chain_head *chain, _getdns_rrset_iter *tas)
 {
 	int s = GETDNS_DNSSEC_INDETERMINATE, t;
@@ -3108,7 +3353,6 @@ static void check_chain_complete(chain_head *chain)
        	
 	} else if (_getdns_bogus(dnsreq)) {
 		_getdns_rrsig_iter rrsig_spc;
-		DEBUG_ANCHOR("Request was bogus!\n");
 
 		if ((head = chain) && (node = _to_the_root(head->parent))
  		    /* The root DNSKEY rrset */
@@ -3121,13 +3365,15 @@ static void check_chain_complete(chain_head *chain)
 		    && _getdns_rrsig_iter_init(&rrsig_spc, &node->dnskey)
 		    ){
 
-			DEBUG_ANCHOR("root DNSKEY set was bogus!\n");
+			_getdns_log( &context->log
+				   , GETDNS_LOG_SYS_ANCHOR, GETDNS_LOG_NOTICE
+				   , "root DNSKEY set was bogus!\n");
 			if (!dnsreq->waiting_for_ta) {
-				uint64_t now = 0;
+				uint64_t now_ms = 0;
 
 				dnsreq->waiting_for_ta = 1;
 				_getdns_context_equip_with_anchor(
-				    context, &now);
+				    context, &now_ms);
 
 				if (context->trust_anchors_source
 				    == GETDNS_TASRC_XML) {
@@ -3135,9 +3381,19 @@ static void check_chain_complete(chain_head *chain)
 					check_chain_complete(chain);
 					return;
 				}
+				if (context->trust_anchors_source ==
+						GETDNS_TASRC_FAILED
+				&& 0 == _getdns_ms_until_expiry2(
+				    context->trust_anchors_backoff_expiry,
+				    &now_ms)) {
+					context->trust_anchors_source =
+					    GETDNS_TASRC_NONE;
+				}
+				if (context->trust_anchors_source
+				!=  GETDNS_TASRC_FAILED) {
 					_getdns_start_fetching_ta(
-				    context,  dnsreq->loop);
-
+					    context,  dnsreq->loop, &now_ms);
+				}
 				if (dnsreq->waiting_for_ta &&
 				    context->trust_anchors_source
 				    == GETDNS_TASRC_FETCHING) {
@@ -3312,31 +3568,7 @@ void _getdns_ta_notify_dnsreqs(getdns_context *context)
 
 void _getdns_validation_chain_timeout(getdns_dns_req *dnsreq)
 {
-	chain_head *head = dnsreq->chain, *next;
-	chain_node *node;
-	size_t      node_count;
-
-	while (head) {
-		next = head->next;
-
-		for ( node_count = head->node_count, node = head->parent
-		    ; node_count
-		    ; node_count--, node = node->parent ) {
-
-			if (!_getdns_netreq_finished(node->dnskey_req)) {
-				_getdns_context_cancel_request(
-				    node->dnskey_req->owner);
-				node->dnskey_req = NULL;
-			}
-
-			if (!_getdns_netreq_finished(node->ds_req)) {
-				_getdns_context_cancel_request(
-				    node->ds_req->owner);
-				node->ds_req = NULL;
-			}
-		}
-		head = next;
-	}
+	cancel_requests_for_subdomains_of(dnsreq->chain, (uint8_t *)"\0");
 	dnsreq->request_timed_out = 1;
 	check_chain_complete(dnsreq->chain);
 }
@@ -3441,7 +3673,7 @@ void _getdns_get_validation_chain(getdns_dns_req *dnsreq)
  *****************************************************************************/
 
 
-static int wire_validate_dnssec(struct mem_funcs *mf,
+static int wire_validate_dnssec(const struct mem_funcs *mf,
     time_t now, uint32_t skew, uint8_t *to_val, size_t to_val_len,
     uint8_t *support, size_t support_len, uint8_t *tas, size_t tas_len)
 {
@@ -3523,9 +3755,9 @@ static int wire_validate_dnssec(struct mem_funcs *mf,
  *
  */
 getdns_return_t
-getdns_validate_dnssec2(getdns_list *records_to_validate,
-    getdns_list *support_records,
-    getdns_list *trust_anchors,
+getdns_validate_dnssec2(const getdns_list *records_to_validate,
+    const getdns_list *support_records,
+    const getdns_list *trust_anchors,
     time_t now, uint32_t skew)
 {
 	uint8_t to_val_buf[4096], *to_val,
@@ -3537,7 +3769,7 @@ getdns_validate_dnssec2(getdns_list *records_to_validate,
 	       tas_len = sizeof(tas_buf);
 
 	int r = GETDNS_RETURN_MEMORY_ERROR;
-	struct mem_funcs *mf;
+	const struct mem_funcs *mf;
 
 	size_t i;
 	getdns_dict *reply;
@@ -3618,9 +3850,9 @@ exit_free_support:
 
 
 getdns_return_t
-getdns_validate_dnssec(getdns_list *records_to_validate,
-    getdns_list *support_records,
-    getdns_list *trust_anchors)
+getdns_validate_dnssec(const getdns_list *records_to_validate,
+    const getdns_list *support_records,
+    const getdns_list *trust_anchors)
 {
 	return getdns_validate_dnssec2(records_to_validate, support_records,
 	    trust_anchors, time(NULL), 0);

src/extension/libev.c

@@ -97,7 +97,7 @@ static void
 getdns_libev_read_cb(struct ev_loop *l, struct ev_io *io, int revents)
 {
         getdns_eventloop_event *el_ev = (getdns_eventloop_event *)io->data;
-	(void)l; (void)revents;
+	(void)l; (void)revents; /* unused parameters */
         assert(el_ev->read_cb);
         el_ev->read_cb(el_ev->userarg);
 }
@@ -106,7 +106,7 @@ static void
 getdns_libev_write_cb(struct ev_loop *l, struct ev_io *io, int revents)
 {
         getdns_eventloop_event *el_ev = (getdns_eventloop_event *)io->data;
-	(void)l; (void)revents;
+	(void)l; (void)revents; /* unused parameters */
         assert(el_ev->write_cb);
         el_ev->write_cb(el_ev->userarg);
 }
@@ -115,7 +115,7 @@ static void
 getdns_libev_timeout_cb(struct ev_loop *l, struct ev_timer *timer, int revents)
 {
         getdns_eventloop_event *el_ev = (getdns_eventloop_event *)timer->data;
-	(void)l; (void)revents;
+	(void)l; (void)revents; /* unused parameters */
         assert(el_ev->timeout_cb);
         el_ev->timeout_cb(el_ev->userarg);
 }

src/extension/libevent.c

@@ -33,7 +33,11 @@
 
 #include "config.h"
 #include "types-internal.h"
+#ifndef USE_WINSOCK
 #include <sys/time.h>
+#else
+#include <winsock2.h>
+#endif
 #include "getdns/getdns_ext_libevent.h"
 
 #ifdef HAVE_EVENT2_EVENT_H
@@ -95,7 +99,7 @@ static getdns_return_t
 getdns_libevent_clear(getdns_eventloop *loop, getdns_eventloop_event *el_ev)
 {
 	struct event *my_ev = (struct event *)el_ev->ev;
-	(void)loop;
+	(void)loop; /* unused parameter */
 
 	assert(my_ev);
 
@@ -111,7 +115,7 @@ static void
 getdns_libevent_callback(evutil_socket_t fd, short bits, void *arg)
 {
 	getdns_eventloop_event *el_ev = (getdns_eventloop_event *)arg;
-	(void)fd;
+	(void)fd; /* unused parameter */
 
 	if (bits & EV_READ) {
 		assert(el_ev->read_cb);

src/extension/libuv.c

@@ -73,8 +73,7 @@ getdns_libuv_cleanup(getdns_eventloop *loop)
 }
 
 typedef struct poll_timer {
-	uv_poll_t        read;
-	uv_poll_t        write;
+	uv_poll_t        poll;
 	uv_timer_t       timer;
 	int              to_close;
 	struct mem_funcs mf;
@@ -104,22 +103,15 @@ getdns_libuv_clear(getdns_eventloop *loop, getdns_eventloop_event *el_ev)
 	poll_timer   *my_ev = (poll_timer *)el_ev->ev;
 	uv_poll_t    *my_poll;
 	uv_timer_t   *my_timer;
-	(void)loop;
+	(void)loop; /* unused parameter */
 	
 	assert(my_ev);
 
 	DEBUG_UV("enter libuv_clear(el_ev = %p, my_ev = %p, to_close = %d)\n"
 	        , el_ev, my_ev, my_ev->to_close);
 
-	if (el_ev->read_cb) {
-		my_poll = &my_ev->read;
-		uv_poll_stop(my_poll);
-		my_ev->to_close += 1;
-		my_poll->data = my_ev;
-		uv_close((uv_handle_t *)my_poll, getdns_libuv_close_cb);
-	}
-	if (el_ev->write_cb) {
-		my_poll = &my_ev->write;
+	if (el_ev->read_cb || el_ev->write_cb) {
+		my_poll = &my_ev->poll;
 		uv_poll_stop(my_poll);
 		my_ev->to_close += 1;
 		my_poll->data = my_ev;
@@ -139,29 +131,29 @@ getdns_libuv_clear(getdns_eventloop *loop, getdns_eventloop_event *el_ev)
 }
 
 static void
-getdns_libuv_read_cb(uv_poll_t *poll, int status, int events)
+getdns_libuv_cb(uv_poll_t *poll, int status, int events)
 {
 	getdns_eventloop_event *el_ev = (getdns_eventloop_event *)poll->data;
-	(void)status; (void)events;
+
+	if (status == 0) {
+		if (events & UV_READABLE) {
 			assert(el_ev->read_cb);
 			DEBUG_UV("enter libuv_read_cb(el_ev = %p, el_ev->ev = %p)\n"
 					, el_ev, el_ev->ev);
 			el_ev->read_cb(el_ev->userarg);
 			DEBUG_UV("exit  libuv_read_cb(el_ev = %p, el_ev->ev = %p)\n"
 					, el_ev, el_ev->ev);
-}
-
-static void
-getdns_libuv_write_cb(uv_poll_t *poll, int status, int events)
-{
-        getdns_eventloop_event *el_ev = (getdns_eventloop_event *)poll->data;
-	(void)status; (void)events;
+		} else if (events & UV_WRITABLE) {
 			assert(el_ev->write_cb);
 			DEBUG_UV("enter libuv_write_cb(el_ev = %p, el_ev->ev = %p)\n"
 					, el_ev, el_ev->ev);
 			el_ev->write_cb(el_ev->userarg);
 			DEBUG_UV("exit  libuv_write_cb(el_ev = %p, el_ev->ev = %p)\n"
 					, el_ev, el_ev->ev);
+		} else {
+			assert(ASSERT_UNREACHABLE);
+		}
+	}
 }
 
 static void
@@ -173,7 +165,7 @@ getdns_libuv_timeout_cb(uv_timer_t *timer, int status)
 {
         getdns_eventloop_event *el_ev = (getdns_eventloop_event *)timer->data;
 #ifndef HAVE_NEW_UV_TIMER_CB
-	(void)status;
+	(void)status; /* unused parameter */
 #endif
         assert(el_ev->timeout_cb);
 	DEBUG_UV("enter libuv_timeout_cb(el_ev = %p, el_ev->ev = %p)\n"
@@ -206,17 +198,14 @@ getdns_libuv_schedule(getdns_eventloop *loop,
 	my_ev->mf = ext->mf;
 	el_ev->ev = my_ev;
 
-	if (el_ev->read_cb) {
-		my_poll = &my_ev->read;
+	if (el_ev->read_cb || el_ev->write_cb) {
+		my_poll = &my_ev->poll;
 		my_poll->data = el_ev;
 		uv_poll_init(ext->loop, my_poll, fd);
-		uv_poll_start(my_poll, UV_READABLE, getdns_libuv_read_cb);
-	}
-	if (el_ev->write_cb) {
-		my_poll = &my_ev->write;
-		my_poll->data = el_ev;
-		uv_poll_init(ext->loop, my_poll, fd);
-		uv_poll_start(my_poll, UV_WRITABLE, getdns_libuv_write_cb);
+		int events =
+			(el_ev->read_cb ? UV_READABLE : 0) |
+			(el_ev->write_cb ? UV_WRITABLE : 0);
+		uv_poll_start(my_poll, events, getdns_libuv_cb);
 	}
 	if (el_ev->timeout_cb) {
 		my_timer = &my_ev->timer;

src/extension/poll_eventloop.c

@@ -288,7 +288,7 @@ static void
 poll_read_cb(int fd, getdns_eventloop_event *event)
 {
 #if !defined(SCHED_DEBUG) || !SCHED_DEBUG
-	(void)fd;
+	(void)fd; /* unused parameter */
 #endif
 	DEBUG_SCHED( "%s(fd: %d, event: %p)\n", __FUNC__, fd, (void *)event);
 	if (event && event->read_cb)
@@ -299,7 +299,7 @@ static void
 poll_write_cb(int fd, getdns_eventloop_event *event)
 {
 #if !defined(SCHED_DEBUG) || !SCHED_DEBUG
-	(void)fd;
+	(void)fd; /* unused parameter */
 #endif
 	DEBUG_SCHED( "%s(fd: %d, event: %p)\n", __FUNC__, fd, (void *)event);
 	if (event && event->write_cb)

src/extension/select_eventloop.c

@@ -154,14 +154,14 @@ select_eventloop_clear(getdns_eventloop *loop, getdns_eventloop_event *event)
 static void
 select_eventloop_cleanup(getdns_eventloop *loop)
 {
-	(void)loop;
+	(void)loop; /* unused parameter */
 }
 
 static void
 select_read_cb(int fd, getdns_eventloop_event *event)
 {
 #if !defined(SCHED_DEBUG) || !SCHED_DEBUG
-	(void)fd;
+	(void)fd; /* unused parameter */
 #endif
 	DEBUG_SCHED( "%s(fd: %d, event: %p)\n", __FUNC__, fd, (void *)event);
 	event->read_cb(event->userarg);
@@ -171,7 +171,7 @@ static void
 select_write_cb(int fd, getdns_eventloop_event *event)
 {
 #if !defined(SCHED_DEBUG) || !SCHED_DEBUG
-	(void)fd;
+	(void)fd; /* unused parameter */
 #endif
 	DEBUG_SCHED( "%s(fd: %d, event: %p)\n", __FUNC__, fd, (void *)event);
 	event->write_cb(event->userarg);
@@ -181,7 +181,7 @@ static void
 select_timeout_cb(int fd, getdns_eventloop_event *event)
 {
 #if !defined(SCHED_DEBUG) || !SCHED_DEBUG
-	(void)fd;
+	(void)fd; /* unused parameter */
 #endif
 	DEBUG_SCHED( "%s(fd: %d, event: %p)\n", __FUNC__, fd, (void *)event);
 	event->timeout_cb(event->userarg);
@@ -244,7 +244,7 @@ select_eventloop_run_once(getdns_eventloop *loop, int blocking)
 	} else {
 #endif
 	if (select(max_fd + 1, &readfds, &writefds, NULL,
-	    (timeout == TIMEOUT_FOREVER ? NULL : &tv)) < 0) {
+		   ((blocking && timeout == TIMEOUT_FOREVER) ? NULL : &tv)) < 0) {
 		if (_getdns_socketerror_wants_retry())
 			return;
 
@@ -309,7 +309,7 @@ _getdns_select_eventloop_init(struct mem_funcs *mf, _getdns_select_eventloop *lo
 		select_eventloop_run,
 		select_eventloop_run_once
 	};
-	(void) mf;
+	(void) mf; /* unused parameter */
 	(void) memset(loop, 0, sizeof(_getdns_select_eventloop));
 	loop->loop.vmt = &select_eventloop_vmt;
 }

src/general.c

@@ -218,12 +218,14 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req)
 	        && !dns_req->avoid_dnssec_roadblocks
 	        && (dns_req->dnssec_return_status ||
 	            dns_req->dnssec_return_only_secure ||
+	            dns_req->dnssec ||
 	            dns_req->dnssec_return_all_statuses
 	           ))
 #endif
 	    || (   dns_req->context->resolution_type == GETDNS_RESOLUTION_RECURSING
 	       && (dns_req->dnssec_return_status ||
 	           dns_req->dnssec_return_only_secure ||
+	           dns_req->dnssec ||
 	           dns_req->dnssec_return_all_statuses)
 	       && _getdns_bogus(dns_req))
 	    )) {
@@ -241,7 +243,6 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req)
 #if defined(REQ_DEBUG) && REQ_DEBUG
 		debug_req("getting validation chain for ", *dns_req->netreqs);
 #endif
-		DEBUG_ANCHOR("Valchain lookup\n");
 		_getdns_get_validation_chain(dns_req);
 	} else
 		_getdns_call_user_callback(
@@ -250,10 +251,18 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req)
 
 #ifdef HAVE_LIBUNBOUND
 #ifdef HAVE_UNBOUND_EVENT_API
+#if UNBOUND_VERSION_MAJOR > 1 || (UNBOUND_VERSION_MAJOR == 1 && UNBOUND_VERSION_MINOR >= 8)
+static void
+ub_resolve_event_callback(void* arg, int rcode, void *pkt, int pkt_len,
+    int sec, char* why_bogus, int was_ratelimited)
+{
+	(void) was_ratelimited; /* unused parameter */
+#else
 static void
 ub_resolve_event_callback(void* arg, int rcode, void *pkt, int pkt_len,
     int sec, char* why_bogus)
 {
+#endif
 	getdns_network_req *netreq = (getdns_network_req *) arg;
 	getdns_dns_req *dns_req = netreq->owner;
 
@@ -423,6 +432,7 @@ _getdns_submit_netreq(getdns_network_req *netreq, uint64_t *now_ms)
 	if ( context->resolution_type == GETDNS_RESOLUTION_RECURSING
 	    || dns_req->dnssec_return_status
 	    || dns_req->dnssec_return_only_secure
+	    || dns_req->dnssec
 	    || dns_req->dnssec_return_all_statuses
 	    || dns_req->dnssec_return_validation_chain) {
 #endif
@@ -492,7 +502,7 @@ extformatcmp(const void *a, const void *b)
 
 /*---------------------------------------- validate_extensions */
 static getdns_return_t
-validate_extensions(struct getdns_dict * extensions)
+validate_extensions(const getdns_dict * extensions)
 {
 	/**
 	  * this is a comprehensive list of extensions and their data types
@@ -503,6 +513,7 @@ validate_extensions(struct getdns_dict * extensions)
 	static getdns_extension_format extformats[] = {
 		{"add_opt_parameters"            , t_dict, 1},
 		{"add_warning_for_bad_dns"       , t_int , 1},
+		{"dnssec"                        , t_int , 1},
 		{"dnssec_return_all_statuses"    , t_int , 1},
 		{"dnssec_return_full_validation_chain", t_int , 1},
 		{"dnssec_return_only_secure"     , t_int , 1},
@@ -555,7 +566,7 @@ validate_extensions(struct getdns_dict * extensions)
 
 static getdns_return_t
 getdns_general_ns(getdns_context *context, getdns_eventloop *loop,
-    const char *name, uint16_t request_type, getdns_dict *extensions,
+    const char *name, uint16_t request_type, const getdns_dict *extensions,
     void *userarg, getdns_network_req **return_netreq_p,
     getdns_callback_t callbackfn, internal_cb_t internal_cb, int usenamespaces)
 {
@@ -591,13 +602,18 @@ getdns_general_ns(getdns_context *context, getdns_eventloop *loop,
 	_getdns_context_track_outbound_request(req);
 
 	if (req->dnssec_extension_set) {
+		if (context->trust_anchors_source == GETDNS_TASRC_FAILED
+		&&  _getdns_ms_until_expiry2(
+		    context->trust_anchors_backoff_expiry, &now_ms) == 0) {
+			context->trust_anchors_source = GETDNS_TASRC_NONE;
+		}
 		if (context->trust_anchors_source == GETDNS_TASRC_XML_UPDATE)
-			_getdns_start_fetching_ta(context, loop);
+			_getdns_start_fetching_ta(context, loop, &now_ms);
 
 		else if (context->trust_anchors_source == GETDNS_TASRC_NONE) {
 			_getdns_context_equip_with_anchor(context, &now_ms);
 			if (context->trust_anchors_source == GETDNS_TASRC_NONE) {
-				_getdns_start_fetching_ta(context, loop);
+				_getdns_start_fetching_ta(context, loop, &now_ms);
 			}
 		}
 	}
@@ -635,6 +651,8 @@ getdns_general_ns(getdns_context *context, getdns_eventloop *loop,
 				req->is_dns_request = 0;
 				_getdns_call_user_callback
 				    ( req, localnames_response);
+				if (return_netreq_p)
+					*return_netreq_p = NULL;
 				break;
 			}
 #ifdef HAVE_MDNS_SUPPORT
@@ -706,7 +724,7 @@ getdns_general_ns(getdns_context *context, getdns_eventloop *loop,
 
 getdns_return_t
 _getdns_general_loop(getdns_context *context, getdns_eventloop *loop,
-    const char *name, uint16_t request_type, getdns_dict *extensions,
+    const char *name, uint16_t request_type, const getdns_dict *extensions,
     void *userarg, getdns_network_req **netreq_p,
     getdns_callback_t callback, internal_cb_t internal_cb)
 {
@@ -718,33 +736,33 @@ _getdns_general_loop(getdns_context *context, getdns_eventloop *loop,
 
 getdns_return_t
 _getdns_address_loop(getdns_context *context, getdns_eventloop *loop,
-    const char *name, getdns_dict *extensions, void *userarg,
+    const char *name, const getdns_dict *extensions, void *userarg,
     getdns_transaction_t *transaction_id, getdns_callback_t callback)
 {
-	getdns_dict *my_extensions = extensions;
+	getdns_dict *my_extensions = NULL;
 	getdns_return_t r;
 	uint32_t value;
 	getdns_network_req *netreq = NULL;
 
-	if (!my_extensions) {
+	if (!extensions) {
 		if (!(my_extensions=getdns_dict_create_with_context(context)))
 			return GETDNS_RETURN_MEMORY_ERROR;
 	} else if (
-	    getdns_dict_get_int(my_extensions, "return_both_v4_and_v6", &value)
+	    getdns_dict_get_int(extensions, "return_both_v4_and_v6", &value)
 	    && (r = _getdns_dict_copy(extensions, &my_extensions)))
 		return r;
 
-	if (my_extensions != extensions && (r = getdns_dict_set_int(
+	if (my_extensions && (r = getdns_dict_set_int(
 	    my_extensions, "return_both_v4_and_v6", GETDNS_EXTENSION_TRUE)))
 		return r;
 
 	r = getdns_general_ns(context, loop,
-	    name, GETDNS_RRTYPE_AAAA, my_extensions,
+	    name, GETDNS_RRTYPE_AAAA, my_extensions ? my_extensions : extensions,
 	    userarg, &netreq, callback, NULL, 1);
 	if (netreq && transaction_id)
 		*transaction_id = netreq->owner->trans_id;
 
-	if (my_extensions != extensions)
+	if (my_extensions)
 		getdns_dict_destroy(my_extensions);
 
 	return r;
@@ -752,7 +770,7 @@ _getdns_address_loop(getdns_context *context, getdns_eventloop *loop,
 
 getdns_return_t
 _getdns_hostname_loop(getdns_context *context, getdns_eventloop *loop,
-    getdns_dict *address, getdns_dict *extensions, void *userarg,
+    const getdns_dict *address, const getdns_dict *extensions, void *userarg,
     getdns_transaction_t *transaction_id, getdns_callback_t callback)
 {
 	struct getdns_bindata *address_data;
@@ -842,7 +860,7 @@ _getdns_hostname_loop(getdns_context *context, getdns_eventloop *loop,
 
 getdns_return_t
 _getdns_service_loop(getdns_context *context, getdns_eventloop *loop,
-    const char *name, getdns_dict *extensions, void *userarg,
+    const char *name, const getdns_dict *extensions, void *userarg,
     getdns_transaction_t * transaction_id, getdns_callback_t callback)
 {
 	getdns_return_t r;
@@ -859,7 +877,7 @@ _getdns_service_loop(getdns_context *context, getdns_eventloop *loop,
  */
 getdns_return_t
 getdns_general(getdns_context *context,
-    const char *name, uint16_t request_type, getdns_dict *extensions,
+    const char *name, uint16_t request_type, const getdns_dict *extensions,
     void *userarg, getdns_transaction_t * transaction_id,
     getdns_callback_t callbackfn)
 {
@@ -881,7 +899,7 @@ getdns_general(getdns_context *context,
  */
 getdns_return_t
 getdns_address(getdns_context *context,
-    const char *name, getdns_dict *extensions, void *userarg,
+    const char *name, const getdns_dict *extensions, void *userarg,
     getdns_transaction_t *transaction_id, getdns_callback_t callbackfn)
 {
 	if (!context) return GETDNS_RETURN_INVALID_PARAMETER;
@@ -896,7 +914,7 @@ getdns_address(getdns_context *context,
  */
 getdns_return_t
 getdns_hostname(getdns_context *context,
-    getdns_dict *address, getdns_dict *extensions, void *userarg,
+    const getdns_dict *address, const getdns_dict *extensions, void *userarg,
     getdns_transaction_t *transaction_id, getdns_callback_t callbackfn)
 {
 	if (!context) return GETDNS_RETURN_INVALID_PARAMETER;
@@ -910,7 +928,7 @@ getdns_hostname(getdns_context *context,
  */
 getdns_return_t
 getdns_service(getdns_context *context,
-    const char *name, getdns_dict *extensions, void *userarg,
+    const char *name, const getdns_dict *extensions, void *userarg,
     getdns_transaction_t *transaction_id, getdns_callback_t callbackfn)
 {
 	if (!context) return GETDNS_RETURN_INVALID_PARAMETER;

src/general.h

@@ -63,25 +63,25 @@ int _getdns_submit_netreq(getdns_network_req *netreq, uint64_t *now_ms);
 
 getdns_return_t
 _getdns_general_loop(getdns_context *context, getdns_eventloop *loop,
-    const char *name, uint16_t request_type, getdns_dict *extensions,
+    const char *name, uint16_t request_type, const getdns_dict *extensions,
     void *userarg, getdns_network_req **netreq_p,
     getdns_callback_t callbackfn, internal_cb_t internal_cb);
 
 getdns_return_t
 _getdns_address_loop(getdns_context *context, getdns_eventloop *loop,
-    const char *name, getdns_dict *extensions,
+    const char *name, const getdns_dict *extensions,
     void *userarg, getdns_transaction_t *transaction_id,
     getdns_callback_t callbackfn);
 
 getdns_return_t
 _getdns_hostname_loop(getdns_context *context, getdns_eventloop *loop,
-    getdns_dict *address, getdns_dict *extensions,
+    const getdns_dict *address, const getdns_dict *extensions,
     void *userarg, getdns_transaction_t *transaction_id,
     getdns_callback_t callbackfn);
 
 getdns_return_t
 _getdns_service_loop(getdns_context *context, getdns_eventloop *loop,
-    const char *name, getdns_dict *extensions,
+    const char *name, const getdns_dict *extensions,
     void *userarg, getdns_transaction_t *transaction_id,
     getdns_callback_t callbackfn);
 

src/getdns/getdns.h.in

@@ -416,6 +416,9 @@ typedef enum getdns_callback_type_t {
 #define GETDNS_RRTYPE_CDNSKEY   60
 #define GETDNS_RRTYPE_OPENPGPKEY 61
 #define GETDNS_RRTYPE_CSYNC     62
+#define GETDNS_RRTYPE_ZONEMD    63
+#define GETDNS_RRTYPE_SVCB      64
+#define GETDNS_RRTYPE_HTTPS     65
 #define GETDNS_RRTYPE_SPF       99
 #define GETDNS_RRTYPE_UINFO     100
 #define GETDNS_RRTYPE_UID       101
@@ -438,6 +441,7 @@ typedef enum getdns_callback_type_t {
 #define GETDNS_RRTYPE_CAA       257
 #define GETDNS_RRTYPE_AVC       258
 #define GETDNS_RRTYPE_DOA       259
+#define GETDNS_RRTYPE_AMTRELAY  260
 #define GETDNS_RRTYPE_TA        32768
 #define GETDNS_RRTYPE_DLV       32769
 /** @}
@@ -490,7 +494,7 @@ typedef enum getdns_callback_type_t {
 #define GETDNS_RCODE_BADNAME   20
 #define GETDNS_RCODE_BADALG    21
 #define GETDNS_RCODE_BADTRUNC  22
-#define GETDNS_RCODE_COOKIE   23
+#define GETDNS_RCODE_BADCOOKIE 23
 /** @}
  */
 
@@ -743,7 +747,7 @@ getdns_list *getdns_list_create();
  *                used to create and initialize the list.
  * @return pointer to an allocated list, NULL if insufficient memory
  */
-getdns_list *getdns_list_create_with_context(getdns_context *context);
+getdns_list *getdns_list_create_with_context(const getdns_context *context);
 
 /**
  * create a new list with no items, creating and initializing it with the
@@ -863,7 +867,7 @@ getdns_dict *getdns_dict_create();
  *                used to create and initialize the dict.
  * @return pointer to an allocated dict, NULL if insufficient memory
  */
-getdns_dict *getdns_dict_create_with_context(getdns_context *context);
+getdns_dict *getdns_dict_create_with_context(const getdns_context *context);
 
 /**
  * create a new dict with no items, creating and initializing it with the
@@ -1030,7 +1034,7 @@ getdns_return_t
 getdns_general(getdns_context *context,
     const char *name,
     uint16_t request_type,
-    getdns_dict *extensions,
+    const getdns_dict *extensions,
     void *userarg,
     getdns_transaction_t *transaction_id, getdns_callback_t callbackfn);
 
@@ -1048,7 +1052,7 @@ getdns_general(getdns_context *context,
 getdns_return_t
 getdns_address(getdns_context *context,
     const char *name,
-    getdns_dict *extensions,
+    const getdns_dict *extensions,
     void *userarg,
     getdns_transaction_t *transaction_id, getdns_callback_t callbackfn);
 
@@ -1065,8 +1069,8 @@ getdns_address(getdns_context *context,
  */
 getdns_return_t
 getdns_hostname(getdns_context *context,
-    getdns_dict *address,
-    getdns_dict *extensions,
+    const getdns_dict *address,
+    const getdns_dict *extensions,
     void *userarg,
     getdns_transaction_t *transaction_id, getdns_callback_t callbackfn);
 
@@ -1084,7 +1088,7 @@ getdns_hostname(getdns_context *context,
 getdns_return_t
 getdns_service(getdns_context *context,
     const char *name,
-    getdns_dict *extensions,
+    const getdns_dict *extensions,
     void *userarg,
     getdns_transaction_t *transaction_id, getdns_callback_t callbackfn);
 /** @}
@@ -1201,7 +1205,7 @@ getdns_return_t
 getdns_general_sync(getdns_context *context,
     const char *name,
     uint16_t request_type,
-    getdns_dict *extensions,
+    const getdns_dict *extensions,
     getdns_dict **response);
 
 /**
@@ -1216,7 +1220,7 @@ getdns_general_sync(getdns_context *context,
 getdns_return_t
 getdns_address_sync(getdns_context *context,
     const char *name,
-    getdns_dict *extensions,
+    const getdns_dict *extensions,
     getdns_dict **response);
 
 /**
@@ -1230,8 +1234,8 @@ getdns_address_sync(getdns_context *context,
  */
 getdns_return_t
 getdns_hostname_sync(getdns_context *context,
-    getdns_dict *address,
-    getdns_dict *extensions,
+    const getdns_dict *address,
+    const getdns_dict *extensions,
     getdns_dict **response);
 
 /**
@@ -1246,7 +1250,7 @@ getdns_hostname_sync(getdns_context *context,
 getdns_return_t
 getdns_service_sync(getdns_context *context,
     const char *name,
-    getdns_dict *extensions,
+    const getdns_dict *extensions,
     getdns_dict **response);
 
 /** @}
@@ -1341,9 +1345,8 @@ char *getdns_convert_alabel_to_ulabel(const char *alabel);
  * depending on the validation status.
  */
 getdns_return_t
-getdns_validate_dnssec(getdns_list *to_validate,
-    getdns_list *support_records,
-    getdns_list *trust_anchors);
+getdns_validate_dnssec(const getdns_list *to_validate,
+    const getdns_list *support_records, const getdns_list *trust_anchors);
 
 /**
  * Get the default list of trust anchor records that is used by the library
@@ -1444,7 +1447,7 @@ getdns_context_set_resolution_type(getdns_context *context,
  */
 getdns_return_t
 getdns_context_set_namespaces(getdns_context *context,
-    size_t namespace_count, getdns_namespace_t *namespaces);
+    size_t namespace_count, const getdns_namespace_t *namespaces);
 
 /**
  * Specifies what transport are used for DNS lookups. The default is
@@ -1513,6 +1516,24 @@ getdns_context_set_dns_transport_list(getdns_context *context,
 getdns_return_t
 getdns_context_set_idle_timeout(getdns_context *context, uint64_t timeout);
 
+/**
+ * Set the number of milliseconds send data may remain unacknowledged by
+ * the peer in a TCP connection, if supported by the operation system.
+ * When not set (the default), the system default is left alone.
+ *
+ * @see getdns_context_get_tcp_send_timeout
+ * @see getdns_context_unset_tcp_send_timeout
+ * @param context The context to configure
+ * @param value The number of milliseconds the send data may remain
+ *              unacknowledged by the peer in a TCP connection.
+ * @return GETDNS_RETURN_GOOD when successful.
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL or the
+ *         value was too high.
+ */
+getdns_return_t
+getdns_context_set_tcp_send_timeout(getdns_context *context,
+    uint32_t value);
+
 /**
  * Limit the number of outstanding DNS queries. When more than limit requests
  * are scheduled, they are kept on an internal queue, to be rescheduled when
@@ -1578,7 +1599,7 @@ getdns_context_set_follow_redirects(getdns_context *context,
  *                  contains at least two names: address_type (whose value is
  *                  a bindata; it is currently either "IPv4" or "IPv6") and
  *                  address_data (whose value is a bindata).
- *                  This implementation also accepts a list of addressxi
+ *                  This implementation also accepts a list of address
  *                  bindatas. Or a list of rr_dicts for address records (i.e.
  *                  the additional section of a NS query for ".", or a with
  *                  getdns_fp2rr_list() converted root.hints file).
@@ -1812,9 +1833,11 @@ getdns_context_set_extended_memory_functions(getdns_context *context,
  *            GETDNS_RESOLUTION_STUB.
  *         - all_context (a dict) with names for all the other settings in
  *           context.
+ *         The application is responsible for cleaning up the returned dictionary 
+ *         object with getdns_dict_destroy.
  */
 getdns_dict*
-getdns_context_get_api_information(getdns_context* context);
+getdns_context_get_api_information(const getdns_context *context);
 
 /** @}
  */

src/getdns/getdns_extra.h.in

@@ -36,10 +36,14 @@
 #define _GETDNS_EXTRA_H_
 
 #include <getdns/getdns.h>
-#include <sys/time.h>
-#include <stdio.h>
-#include <time.h>
 #include <stdarg.h>
+#include <stdio.h>
+#if defined(_WIN32)
+/* For struct timeval, see getdns_context_get_num_pending_requests */
+#include <winsock2.h>
+#else
+#include <sys/time.h>
+#endif
 
 #ifdef __cplusplus
 extern "C" {
@@ -102,6 +106,15 @@ extern "C" {
 #define GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT "Change related to getdns_context_set_tls_cipher_list"
 #define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST 634
 #define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT "Change related to getdns_context_set_tls_curves_list"
+#define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES 635
+#define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT "Change related to getdns_context_set_tls_ciphersuites"
+#define GETDNS_CONTEXT_CODE_TLS_MIN_VERSION 636
+#define GETDNS_CONTEXT_CODE_TLS_MIN_VERSION_TEXT "Change related to getdns_context_set_tls_min_version"
+#define GETDNS_CONTEXT_CODE_TLS_MAX_VERSION 637
+#define GETDNS_CONTEXT_CODE_TLS_MAX_VERSION_TEXT "Change related to getdns_context_set_tls_max_version"
+#define GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME 638
+#define GETDNS_CONTEXT_CODE_TRUST_ANCHORS_BACKOFF_TIME_TEXT "Change related to getdns_context_set_trust_anchors_backoff_time"
+
 
 /** @}
   */
@@ -115,6 +128,7 @@ extern "C" {
 #define GETDNS_NUMERIC_VERSION @GETDNS_NUMERIC_VERSION@
 #define GETDNS_API_VERSION "@API_VERSION@"
 #define GETDNS_API_NUMERIC_VERSION @API_NUMERIC_VERSION@
+#define GETDNS_BUILD_CFLAGS "@GETDNS_BUILD_CFLAGS@"
 /** @}
   */
 
@@ -368,7 +382,7 @@ getdns_context_set_eventloop(getdns_context* context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or evenloop were NULL
  */
 getdns_return_t
-getdns_context_get_eventloop(getdns_context* context,
+getdns_context_get_eventloop(const getdns_context *context,
     getdns_eventloop **eventloop);
 
 /**
@@ -527,6 +541,18 @@ getdns_context_set_tls_query_padding_blocksize(getdns_context *context, uint16_t
 getdns_return_t
 getdns_context_unset_edns_maximum_udp_payload_size(getdns_context *context);
 
+/**
+ * Configure context to use the system default setting for the time
+ * send data may remain unacknowledged by the peer in a TCP connection.
+ * @see getdns_context_set_tcp_send_timeout
+ * @see getdns_context_get_tcp_send_timeout
+ * @param context The context to configure
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null.
+ */
+getdns_return_t
+getdns_context_unset_tcp_send_timeout(getdns_context *context);
+
 
 typedef enum getdns_loglevel_type {
 	GETDNS_LOG_EMERG   = 0,
@@ -548,8 +574,18 @@ typedef enum getdns_loglevel_type {
 #define GETDNS_LOG_INFO_TEXT    "Informational message"
 #define GETDNS_LOG_DEBUG_TEXT   "Debug-level message"
 
-#define GETDNS_LOG_UPSTREAM_STATS 4096
+#define GETDNS_LOG_UPSTREAM_STATS 0x3000
 #define GETDNS_LOG_UPSTREAM_STATS_TEXT "Log messages about upstream statistics"
+#define GETDNS_LOG_SYS_STUB 0x2000
+#define GETDNS_LOG_SYS_STUB_TEXT "Log messages about stub resolving"
+#define GETDNS_LOG_SYS_RECURSING 0x4000
+#define GETDNS_LOG_SYS_RECURSING_TEXT "Log messages about recursive resolving"
+#define GETDNS_LOG_SYS_RESOLVING 0x6000
+#define GETDNS_LOG_SYS_RESOLVING_TEXT "Log messages about resolving"
+#define GETDNS_LOG_SYS_ANCHOR 0x8000
+#define GETDNS_LOG_SYS_ANCHOR_TEXT "Log messages about fetching trust anchors"
+
+
 
 typedef void (*getdns_logfunc_type) (void *userarg, uint64_t log_systems,
     getdns_loglevel_type, const char *, va_list ap);
@@ -694,6 +730,22 @@ getdns_return_t
 getdns_context_set_trust_anchors_verify_email(
     getdns_context *context, const char *verify_email);
 
+/**
+ * Configure the amount of milliseconds the trust anchors should not be tried
+ * to be fetched after failure.  Default is 2500 which is two and a half seconds.
+ * Setting the trust anchors backoff time will cause fetching to be retried
+ * immediatly.
+ * @see getdns_context_get_trust_anchors_backoff_time
+ * @param context The context to configure
+ * @param value Number of milliseconds before fetch trust anchors
+ *              will be retried.
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null.
+ */
+getdns_return_t
+getdns_context_set_trust_anchors_backoff_time(
+    getdns_context *context, uint64_t value);
+
 /**
  * Initialized the context's upstream recursive servers and suffixes
  * with the values from the given resolv.conf file.
@@ -755,6 +807,18 @@ getdns_return_t
 getdns_context_set_tls_cipher_list(
     getdns_context *context, const char *cipher_list);
 
+/**
+ * Configure the available TLS1.3 ciphersuites for authenticated TLS upstreams.
+ * @see getdns_context_get_tls_ciphersuites
+ * @param[in] context       The context to configure
+ * @param[in] ciphersuites  The cipher list
+ * @return GETDNS_RETURN_GOOD when successful
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
+ */
+getdns_return_t
+getdns_context_set_tls_ciphersuites(
+    getdns_context *context, const char *ciphersuites);
+
 /**
  * Sets the supported curves TLS upstreams.
  * @see getdns_context_get_tls_curves_list
@@ -768,6 +832,80 @@ getdns_return_t
 getdns_context_set_tls_curves_list(
     getdns_context *context, const char *curves_list);
 
+typedef enum getdns_tls_version_t {
+	GETDNS_SSL3 = 1400,
+	GETDNS_TLS1 = 1401,
+	GETDNS_TLS1_1 = 1402,
+	GETDNS_TLS1_2 = 1403,
+	GETDNS_TLS1_3 = 1404
+} getdns_tls_version_t;
+
+#define GETDNS_SSL3_TEXT   "See getdns_context_(set|get)_tls_(min|max)_version()"
+#define GETDNS_TLS1_TEXT   "See getdns_context_(set|get)_tls_(min|max)_version()"
+#define GETDNS_TLS1_1_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()"
+#define GETDNS_TLS1_2_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()"
+#define GETDNS_TLS1_3_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()"
+
+/**
+ * Configure context for minimum supported TLS version.
+ * @see getdns_context_set_tls_max_version
+ * @see getdns_context_get_tls_min_version
+ * @param context The context to configure
+ * @param min_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
+ *                    GETDNS_TLS1_2, GETDNS_TLS1_3
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
+ *         invalid value.
+ */
+getdns_return_t
+getdns_context_set_tls_min_version(
+    getdns_context *context, getdns_tls_version_t min_version);
+
+/**
+ * Get configured minimum supported TLS version.
+ * @see getdns_context_get_tls_max_version
+ * @see getdns_context_set_tls_min_version
+ * @param context The context to configure
+ * @param min_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
+ *                    GETDNS_TLS1_2, GETDNS_TLS1_3
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
+ *         invalid value.
+ */
+getdns_return_t
+getdns_context_get_tls_min_version(
+    const getdns_context *context, getdns_tls_version_t *min_version);
+
+/**
+ * Configure context for maximum supported TLS version.
+ * @see getdns_context_set_tls_min_version
+ * @see getdns_context_get_tls_max_version
+ * @param context The context to configure
+ * @param max_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
+ *                    GETDNS_TLS1_2, GETDNS_TLS1_3
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
+ *         invalid value.
+ */
+getdns_return_t
+getdns_context_set_tls_max_version(
+    getdns_context *context, getdns_tls_version_t max_version);
+
+/**
+ * Get configured maximum supported TLS version.
+ * @see getdns_context_get_tls_min_version
+ * @see getdns_context_set_tls_max_version
+ * @param context The context to configure
+ * @param max_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
+ *                    GETDNS_TLS1_2, GETDNS_TLS1_3
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
+ *         invalid value.
+ */
+getdns_return_t
+getdns_context_get_tls_max_version(
+    const getdns_context *context, getdns_tls_version_t *max_version);
+
 /**
  * Get the current resolution type setting from this context.
  * @see getdns_context_set_resolution_type
@@ -779,7 +917,7 @@ getdns_context_set_tls_curves_list(
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_resolution_type(getdns_context *context,
+getdns_context_get_resolution_type(const getdns_context *context,
     getdns_resolution_t *value);
 
 /**
@@ -794,7 +932,7 @@ getdns_context_get_resolution_type(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when any of the arguments was NULL.
  */
 getdns_return_t
-getdns_context_get_namespaces(getdns_context *context,
+getdns_context_get_namespaces(const getdns_context *context,
     size_t *namespace_count, getdns_namespace_t **namespaces);
 
 /**
@@ -808,7 +946,7 @@ getdns_context_get_namespaces(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when any of the arguments was NULL.
  */
 getdns_return_t
-getdns_context_get_dns_transport(getdns_context *context,
+getdns_context_get_dns_transport(const getdns_context *context,
     getdns_transport_t *value);
 
 /**
@@ -824,7 +962,7 @@ getdns_context_get_dns_transport(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when any of the arguments was NULL.
  */
 getdns_return_t
-getdns_context_get_dns_transport_list(getdns_context *context,
+getdns_context_get_dns_transport_list(const getdns_context *context,
     size_t *transport_count, getdns_transport_list_t **transports);
 
 /**
@@ -836,7 +974,7 @@ getdns_context_get_dns_transport_list(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or limit was NULL.
  */
 getdns_return_t
-getdns_context_get_limit_outstanding_queries(getdns_context *context,
+getdns_context_get_limit_outstanding_queries(const getdns_context *context,
     uint16_t *limit);
 
 /**
@@ -850,7 +988,7 @@ getdns_context_get_limit_outstanding_queries(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or limit was NULL.
  */
 getdns_return_t
-getdns_context_get_timeout(getdns_context *context, uint64_t* timeout);
+getdns_context_get_timeout(const getdns_context *context, uint64_t *timeout);
 
 /**
  * Get the current number of milliseconds the API will leave an idle TCP or TLS
@@ -864,7 +1002,24 @@ getdns_context_get_timeout(getdns_context *context, uint64_t* timeout);
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or timeout was NULL.
  */
 getdns_return_t
-getdns_context_get_idle_timeout(getdns_context *context, uint64_t* timeout);
+getdns_context_get_idle_timeout(
+    const getdns_context *context, uint64_t *timeout);
+
+/**
+ * Get the number of milliseconds send data may remain unacknowledged by
+ * the peer in a TCP connection setting from context.
+ * @see getdns_context_set_tcp_send_timeout
+ * @see getdns_context_unset_tcp_send_timeout
+ * @param[in]  context The context from which to get the setting
+ * @param[out] value   The number of milliseconds the send data may remain
+ *                     unacknowledged by the peer in a TCP connection.
+ *                     When the value is unset, 0 is returned.
+ * @return GETDNS_RETURN_GOOD when successful
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
+ */
+getdns_return_t
+getdns_context_get_tcp_send_timeout(const getdns_context *context,
+    uint32_t *value);
 
 /**
  * Get the setting that says whether or not DNS queries follow redirects.
@@ -876,7 +1031,7 @@ getdns_context_get_idle_timeout(getdns_context *context, uint64_t* timeout);
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_follow_redirects(getdns_context *context,
+getdns_context_get_follow_redirects(const getdns_context *context,
     getdns_redirects_t *value);
 
 /**
@@ -894,7 +1049,7 @@ getdns_context_get_follow_redirects(getdns_context *context,
  * @return GETDNS_RETURN_MEMORY_ERROR when the copy could not be allocated
  */
 getdns_return_t
-getdns_context_get_dns_root_servers(getdns_context *context,
+getdns_context_get_dns_root_servers(const getdns_context *context,
     getdns_list **addresses);
 
 /**
@@ -912,7 +1067,7 @@ getdns_context_get_dns_root_servers(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_append_name(getdns_context *context,
+getdns_context_get_append_name(const getdns_context *context,
     getdns_append_name_t *value);
 
 /**
@@ -929,7 +1084,7 @@ getdns_context_get_append_name(getdns_context *context,
  * @return GETDNS_RETURN_MEMORY_ERROR when the copy could not be allocated
  */
 getdns_return_t
-getdns_context_get_suffix(getdns_context *context, getdns_list **value);
+getdns_context_get_suffix(const getdns_context *context, getdns_list **value);
 
 /**
  * Get a copy of the list of DNSSEC trust anchors in use by context.
@@ -944,7 +1099,7 @@ getdns_context_get_suffix(getdns_context *context, getdns_list **value);
  * @return GETDNS_RETURN_MEMORY_ERROR when the copy could not be allocated
  */
 getdns_return_t
-getdns_context_get_dnssec_trust_anchors(getdns_context *context,
+getdns_context_get_dnssec_trust_anchors(const getdns_context *context,
     getdns_list **value);
 
 /**
@@ -958,7 +1113,7 @@ getdns_context_get_dnssec_trust_anchors(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_dnssec_allowed_skew(getdns_context *context,
+getdns_context_get_dnssec_allowed_skew(const getdns_context *context,
     uint32_t *value);
 
 /**
@@ -975,7 +1130,7 @@ getdns_context_get_dnssec_allowed_skew(getdns_context *context,
  * @return GETDNS_RETURN_MEMORY_ERROR when the copy could not be allocated
  */
 getdns_return_t
-getdns_context_get_upstream_recursive_servers(getdns_context *context,
+getdns_context_get_upstream_recursive_servers(const getdns_context *context,
     getdns_list **upstream_list);
 
 /**
@@ -990,7 +1145,7 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_edns_maximum_udp_payload_size(getdns_context *context,
+getdns_context_get_edns_maximum_udp_payload_size(const getdns_context *context,
     uint16_t *value);
 
 /**
@@ -1002,7 +1157,7 @@ getdns_context_get_edns_maximum_udp_payload_size(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_edns_extended_rcode(getdns_context *context,
+getdns_context_get_edns_extended_rcode(const getdns_context *context,
     uint8_t *value);
 
 /**
@@ -1014,7 +1169,7 @@ getdns_context_get_edns_extended_rcode(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_edns_version(getdns_context *context, uint8_t* value);
+getdns_context_get_edns_version(const getdns_context *context, uint8_t *value);
 
 /**
  * Get the DO bit advertised in an EDNS0 OPT record setting from context
@@ -1026,7 +1181,7 @@ getdns_context_get_edns_version(getdns_context *context, uint8_t* value);
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_edns_do_bit(getdns_context *context, uint8_t* value);
+getdns_context_get_edns_do_bit(const getdns_context *context, uint8_t *value);
 
 /**
  * Get whether queries with this context will have the EDNS Client Subnet 
@@ -1039,7 +1194,8 @@ getdns_context_get_edns_do_bit(getdns_context *context, uint8_t* value);
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_edns_client_subnet_private(getdns_context *context, uint8_t* value);
+getdns_context_get_edns_client_subnet_private(const getdns_context *context,
+    uint8_t *value);
 
 /**
  * Get the blocksize that will be used to pad outgoing queries over TLS.
@@ -1051,7 +1207,8 @@ getdns_context_get_edns_client_subnet_private(getdns_context *context, uint8_t*
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_tls_query_padding_blocksize(getdns_context *context, uint16_t* value);
+getdns_context_get_tls_query_padding_blocksize(
+    const getdns_context *context, uint16_t *value);
 
 /**
  * Get whether the upstream needs to be authenticated with DNS over TLS.
@@ -1069,7 +1226,7 @@ getdns_context_get_tls_query_padding_blocksize(getdns_context *context, uint16_t
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_tls_authentication(getdns_context *context,
+getdns_context_get_tls_authentication(const getdns_context *context,
     getdns_tls_authentication_t *value);
 
 /**
@@ -1082,7 +1239,7 @@ getdns_context_get_tls_authentication(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_round_robin_upstreams(getdns_context *context,
+getdns_context_get_round_robin_upstreams(const getdns_context *context,
     uint8_t *value);
 
 /**
@@ -1097,7 +1254,7 @@ getdns_context_get_round_robin_upstreams(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_tls_backoff_time(getdns_context *context,
+getdns_context_get_tls_backoff_time(const getdns_context *context,
     uint16_t *value);
 
 /**
@@ -1112,7 +1269,7 @@ getdns_context_get_tls_backoff_time(getdns_context *context,
  * @return GETDNS_RETURN_INVALID_PARAMETER when context or value was NULL.
  */
 getdns_return_t
-getdns_context_get_tls_connection_retries(getdns_context *context,
+getdns_context_get_tls_connection_retries(const getdns_context *context,
     uint16_t *value);
 
 /**
@@ -1130,7 +1287,8 @@ getdns_context_get_tls_connection_retries(getdns_context *context,
  * @return GETDNS_RETURN_GOOD on success or an error code on failure.
  */
 getdns_return_t
-getdns_context_get_update_callback(getdns_context *context, void **userarg,
+getdns_context_get_update_callback(const getdns_context *context,
+    void **userarg,
     void (**value) (getdns_context *, getdns_context_code_t, void *));
 
 
@@ -1184,7 +1342,7 @@ getdns_context_get_update_callback(getdns_context *context, void **userarg,
  */
 getdns_return_t
 getdns_context_get_trust_anchors_url(
-    getdns_context *context, const char **url);
+    const getdns_context *context, const char **url);
 
 /**
  * Gets the public certificate for the Certificate Authority with which to
@@ -1203,7 +1361,7 @@ getdns_context_get_trust_anchors_url(
  */
 getdns_return_t
 getdns_context_get_trust_anchors_verify_CA(
-    getdns_context *context, const char **verify_CA);
+    const getdns_context *context, const char **verify_CA);
 
 /**
  * Gets the email address for the Subject of the signer's certificate from the
@@ -1220,7 +1378,21 @@ getdns_context_get_trust_anchors_verify_CA(
  */
 getdns_return_t
 getdns_context_get_trust_anchors_verify_email(
-    getdns_context *context, const char **verify_email);
+    const getdns_context *context, const char **verify_email);
+
+/**
+ * Get the amount of milliseconds the trust anchors will not be tried to be
+ * fetched after failure.
+ * @see getdns_context_set_trust_anchors_backoff_time
+ * @param context The context to configure
+ * @param value Number of milliseconds before fetch trust anchors
+ *              will be retried.
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null.
+ */
+getdns_return_t
+getdns_context_get_trust_anchors_backoff_time(
+    const getdns_context *context, uint64_t *value);
 
 /**
  * Get the value with which the context's upstream recursive servers
@@ -1233,7 +1405,8 @@ getdns_context_get_trust_anchors_verify_email(
  * @return GETDNS_RETURN_GOOD when successful and error code otherwise.
  */
 getdns_return_t
-getdns_context_get_resolvconf(getdns_context *context, const char **resolvconf);
+getdns_context_get_resolvconf(
+    const getdns_context *context, const char **resolvconf);
 
 /**
  * Get the value with which the context's GETDNS_NAMESPACE_LOCALNAMES namespace 
@@ -1246,7 +1419,8 @@ getdns_context_get_resolvconf(getdns_context *context, const char **resolvconf);
  * @return GETDNS_RETURN_GOOD when successful and error code otherwise.
  */
 getdns_return_t
-getdns_context_get_hosts(getdns_context *context, const char **hosts);
+getdns_context_get_hosts(
+    const getdns_context *context, const char **hosts);
 
 /**
  * Get the location of the directory for CA certificates for verification
@@ -1260,7 +1434,8 @@ getdns_context_get_hosts(getdns_context *context, const char **hosts);
  * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
  */
 getdns_return_t
-getdns_context_get_tls_ca_path(getdns_context *context, const char **tls_ca_path);
+getdns_context_get_tls_ca_path(
+    const getdns_context *context, const char **tls_ca_path);
 
 /**
  * Get the file location with CA certificates for verification purposes.
@@ -1273,7 +1448,8 @@ getdns_context_get_tls_ca_path(getdns_context *context, const char **tls_ca_path
  * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
  */
 getdns_return_t
-getdns_context_get_tls_ca_file(getdns_context *context, const char **tls_ca_file);
+getdns_context_get_tls_ca_file(
+    const getdns_context *context, const char **tls_ca_file);
 
 /**
  * Get the list of available ciphers for authenticated TLS upstreams.
@@ -1285,7 +1461,20 @@ getdns_context_get_tls_ca_file(getdns_context *context, const char **tls_ca_file
  */
 getdns_return_t
 getdns_context_get_tls_cipher_list(
-    getdns_context *context, const char **cipher_list);
+    const getdns_context *context, const char **cipher_list);
+
+/**
+ * Get the configured available TLS1.3 ciphersuited for authenticated TLS 
+ * upstreams.
+ * @see getdns_context_set_tls_ciphersuites
+ * @param[in]  context      The context configure
+ * @param[out] ciphersuites  The cipher list
+ * @return GETDNS_RETURN_GOOD when successful
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
+ */
+getdns_return_t
+getdns_context_get_tls_ciphersuites(
+    const getdns_context *context, const char **ciphersuites);
 
 /**
  * Get the supported curves list if one has been set earlier.
@@ -1300,7 +1489,7 @@ getdns_context_get_tls_cipher_list(
  */
 getdns_return_t
 getdns_context_get_tls_curves_list(
-    getdns_context *context, const char **curves_list);
+    const getdns_context *context, const char **curves_list);
 
 /** @}
  */
@@ -1388,7 +1577,8 @@ const char *getdns_get_errorstr_by_id(uint16_t err);
  * @return GETDNS_RETURN_MEMORY_ERROR when the copy could not be allocated
  */
 getdns_return_t
-getdns_dict_util_set_string(getdns_dict *dict, char *name, const char *value);
+getdns_dict_util_set_string(
+    getdns_dict *dict, const char *name, const char *value);
 
 /**
  * Get the string associated with the speicifed name.  The string should not
@@ -1401,7 +1591,8 @@ getdns_dict_util_set_string(getdns_dict *dict, char *name, const char *value);
  * @return GETDNS_RETURN_NO_SUCH_DICT_NAME if dict is invalid or name does not exist
  */
 getdns_return_t
-getdns_dict_util_get_string(getdns_dict * dict, char *name, char **result);
+getdns_dict_util_get_string(
+    const getdns_dict * dict, const char *name, char **result);
 
 /** @}
  */
@@ -1442,9 +1633,9 @@ getdns_dict_util_get_string(getdns_dict * dict, char *name, char **result);
  *         return code.
  */
 getdns_return_t
-getdns_validate_dnssec2(getdns_list *to_validate,
-    getdns_list *support_records,
-    getdns_list *trust_anchors,
+getdns_validate_dnssec2(const getdns_list *to_validate,
+    const getdns_list *support_records,
+    const getdns_list *trust_anchors,
     time_t validation_time, uint32_t skew);
 
 
@@ -1488,7 +1679,7 @@ getdns_validate_dnssec2(getdns_list *to_validate,
  * @return a dict created from ctx, or  NULL if the string did not match. 
  */
 getdns_dict *getdns_pubkey_pin_create_from_string(
-	getdns_context* context,
+	const getdns_context *context,
 	const char *str);
 
 
@@ -2155,7 +2346,7 @@ getdns_context_set_listen_addresses(
  */
 getdns_return_t
 getdns_reply(getdns_context *context,
-    getdns_dict *reply, getdns_transaction_t request_id);
+    const getdns_dict *reply, getdns_transaction_t request_id);
 
 
 /** @}
@@ -2187,7 +2378,7 @@ getdns_return_t getdns_context_process_async(getdns_context* context);
  * WARNING! Do not use this function.  This function will be removed in
  * future versions of getdns.
  */
-uint32_t getdns_context_get_num_pending_requests(getdns_context* context,
+uint32_t getdns_context_get_num_pending_requests(const getdns_context *context,
     struct timeval *next_timeout);
 
 /**

src/gldns/compare.sh

@@ -3,7 +3,7 @@
 # Meant to be run from this directory
 rm -fr gldns
 mkdir gldns
-svn co http://unbound.net/svn/trunk/sldns/
+svn co https://github.com/NLnetLabs/unbound/trunk/sldns/
 mv gbuffer.h sbuffer.h
 mv gbuffer.c sbuffer.c
 for f in sldns/*.[ch]

src/gldns/gbuffer.c

@@ -14,6 +14,7 @@
 #include "config.h"
 #include "gldns/gbuffer.h"
 #include <stdarg.h>
+#include <stdlib.h>
 
 gldns_buffer *
 gldns_buffer_new(size_t capacity)
@@ -106,6 +107,8 @@ int
 gldns_buffer_reserve(gldns_buffer *buffer, size_t amount)
 {
 	gldns_buffer_invariant(buffer);
+	if (buffer->_vfixed)
+		return 1;
 	assert(!buffer->_fixed);
 	if (buffer->_capacity < buffer->_position + amount) {
 		size_t new_capacity = buffer->_capacity * 3 / 2;

src/gldns/gbuffer.h

@@ -13,6 +13,12 @@
 #ifndef GLDNS_SBUFFER_H
 #define GLDNS_SBUFFER_H
 
+#include <stdint.h>
+#if defined(_MSC_VER)
+#include <BaseTsd.h>
+typedef SSIZE_T ssize_t;
+#endif
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -130,7 +136,7 @@ struct gldns_buffer
 	/** If the buffer is fixed it cannot be resized */
 	unsigned _fixed : 1;
 
-	/** If the buffer is vfixed, no more than capacity bytes willl be
+	/** If the buffer is vfixed, no more than capacity bytes will be
 	 * written to _data, however the _position counter will be updated
 	 * with the amount that would have been written in consecutive
 	 * writes.  This allows for a modus operandi in which a sequence is
@@ -160,7 +166,7 @@ gldns_buffer_invariant(gldns_buffer *buffer)
 	assert(buffer != NULL);
 	assert(buffer->_position <= buffer->_limit || buffer->_vfixed);
 	assert(buffer->_limit <= buffer->_capacity);
-	assert(buffer->_data != NULL || (buffer->_vfixed && buffer->_capacity == 0));
+	assert(buffer->_data != NULL || (buffer->_vfixed && buffer->_capacity == 0 && buffer->_limit == 0));
 }
 #endif
 
@@ -226,7 +232,6 @@ INLINE void gldns_buffer_clear(gldns_buffer *buffer)
  * the position is set to 0.
  *
  * \param[in] buffer the buffer to flip
- * \return void
  */
 INLINE void gldns_buffer_flip(gldns_buffer *buffer)
 {
@@ -776,7 +781,6 @@ int gldns_buffer_printf(gldns_buffer *buffer, const char *format, ...)
 /**
  * frees the buffer.
  * \param[in] *buffer the buffer to be freed
- * \return void
  */
 void gldns_buffer_free(gldns_buffer *buffer);
 
@@ -784,7 +788,6 @@ void gldns_buffer_free(gldns_buffer *buffer);
  * Makes the buffer fixed and returns a pointer to the data.  The
  * caller is responsible for free'ing the result.
  * \param[in] *buffer the buffer to be exported
- * \return void
  */
 void *gldns_buffer_export(gldns_buffer *buffer);
 

src/gldns/import.sh

@@ -16,16 +16,5 @@ then
 	mv sbuffer.h gbuffer.h
 	mv sbuffer.c gbuffer.c
 else
-	svn co http://unbound.net/svn/trunk/ldns/
-	for f in ldns/*.[ch]
-	do
-		sed -e 's/sldns_/gldns_/g' \
-		    -e 's/LDNS_/GLDNS_/g' \
-		    -e 's/include "sldns/include "gldns/g' \
-		    -e 's/<sldns\/rrdef\.h>/<gldns\/rrdef.h>/g' \
-		    -e 's/sbuffer\.h/gbuffer.h/g' $f > ${f#ldns/}
-	done
-	mv sbuffer.h gbuffer.h
-	mv sbuffer.c gbuffer.c
-	rm -r ldns
+	echo Run compare first
 fi

src/gldns/keyraw.c

@@ -14,26 +14,6 @@
 #include "gldns/keyraw.h"
 #include "gldns/rrdef.h"
 
-#ifdef HAVE_SSL
-#include <openssl/ssl.h>
-#include <openssl/evp.h>
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/md5.h>
-#ifdef HAVE_OPENSSL_ENGINE_H
-#  include <openssl/engine.h>
-#endif
-#ifdef HAVE_OPENSSL_BN_H
-#include <openssl/bn.h>
-#endif
-#ifdef HAVE_OPENSSL_RSA_H
-#include <openssl/rsa.h>
-#endif
-#ifdef HAVE_OPENSSL_DSA_H
-#include <openssl/dsa.h>
-#endif
-#endif /* HAVE_SSL */
-
 size_t
 gldns_rr_dnskey_key_size_raw(const unsigned char* keydata,
 	const size_t len, int alg)
@@ -89,6 +69,14 @@ gldns_rr_dnskey_key_size_raw(const unsigned char* keydata,
                 return 256;
         case GLDNS_ECDSAP384SHA384:
                 return 384;
+#endif
+#ifdef USE_ED25519
+	case GLDNS_ED25519:
+		return 256;
+#endif
+#ifdef USE_ED448
+	case GLDNS_ED448:
+		return 456;
 #endif
 	default:
 		return 0;
@@ -118,312 +106,3 @@ uint16_t gldns_calc_keytag_raw(const uint8_t* key, size_t keysize)
 		return (uint16_t) (ac32 & 0xFFFF);
 	}
 }
-
-#ifdef HAVE_SSL
-#ifdef USE_GOST
-/** store GOST engine reference loaded into OpenSSL library */
-ENGINE* gldns_gost_engine = NULL;
-
-int
-gldns_key_EVP_load_gost_id(void)
-{
-	static int gost_id = 0;
-	const EVP_PKEY_ASN1_METHOD* meth;
-	ENGINE* e;
-
-	if(gost_id) return gost_id;
-
-	/* see if configuration loaded gost implementation from other engine*/
-	meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1);
-	if(meth) {
-		EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
-		return gost_id;
-	}
-
-	/* see if engine can be loaded already */
-	e = ENGINE_by_id("gost");
-	if(!e) {
-		/* load it ourself, in case statically linked */
-		ENGINE_load_builtin_engines();
-		ENGINE_load_dynamic();
-		e = ENGINE_by_id("gost");
-	}
-	if(!e) {
-		/* no gost engine in openssl */
-		return 0;
-	}
-	if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
-		ENGINE_finish(e);
-		ENGINE_free(e);
-		return 0;
-	}
-
-	meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1);
-	if(!meth) {
-		/* algo not found */
-		ENGINE_finish(e);
-		ENGINE_free(e);
-		return 0;
-	}
-        /* Note: do not ENGINE_finish and ENGINE_free the acquired engine
-         * on some platforms this frees up the meth and unloads gost stuff */
-        gldns_gost_engine = e;
-	
-	EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
-	return gost_id;
-} 
-
-void gldns_key_EVP_unload_gost(void)
-{
-        if(gldns_gost_engine) {
-                ENGINE_finish(gldns_gost_engine);
-                ENGINE_free(gldns_gost_engine);
-                gldns_gost_engine = NULL;
-        }
-}
-#endif /* USE_GOST */
-
-DSA *
-gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
-{
-	uint8_t T;
-	uint16_t length;
-	uint16_t offset;
-	DSA *dsa;
-	BIGNUM *Q; BIGNUM *P;
-	BIGNUM *G; BIGNUM *Y;
-
-	if(len == 0)
-		return NULL;
-	T = (uint8_t)key[0];
-	length = (64 + T * 8);
-	offset = 1;
-
-	if (T > 8) {
-		return NULL;
-	}
-	if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length)
-		return NULL;
-
-	Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
-	offset += SHA_DIGEST_LENGTH;
-
-	P = BN_bin2bn(key+offset, (int)length, NULL);
-	offset += length;
-
-	G = BN_bin2bn(key+offset, (int)length, NULL);
-	offset += length;
-
-	Y = BN_bin2bn(key+offset, (int)length, NULL);
-
-	/* create the key and set its properties */
-	if(!Q || !P || !G || !Y || !(dsa = DSA_new())) {
-		BN_free(Q);
-		BN_free(P);
-		BN_free(G);
-		BN_free(Y);
-		return NULL;
-	}
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
-#ifndef S_SPLINT_S
-	dsa->p = P;
-	dsa->q = Q;
-	dsa->g = G;
-	dsa->pub_key = Y;
-#endif /* splint */
-
-#else /* OPENSSL_VERSION_NUMBER */
-	if (!DSA_set0_pqg(dsa, P, Q, G)) {
-		/* QPG not yet attached, need to free */
-		BN_free(Q);
-		BN_free(P);
-		BN_free(G);
-
-		DSA_free(dsa);
-		BN_free(Y);
-		return NULL;
-	}
-	if (!DSA_set0_key(dsa, Y, NULL)) {
-		/* QPG attached, cleaned up by DSA_fre() */
-		DSA_free(dsa);
-		BN_free(Y);
-		return NULL;
-	}
-#endif
-
-	return dsa;
-}
-
-RSA *
-gldns_key_buf2rsa_raw(unsigned char* key, size_t len)
-{
-	uint16_t offset;
-	uint16_t exp;
-	uint16_t int16;
-	RSA *rsa;
-	BIGNUM *modulus;
-	BIGNUM *exponent;
-
-	if (len == 0)
-		return NULL;
-	if (key[0] == 0) {
-		if(len < 3)
-			return NULL;
-		memmove(&int16, key+1, 2);
-		exp = ntohs(int16);
-		offset = 3;
-	} else {
-		exp = key[0];
-		offset = 1;
-	}
-
-	/* key length at least one */
-	if(len < (size_t)offset + exp + 1)
-		return NULL;
-
-	/* Exponent */
-	exponent = BN_new();
-	if(!exponent) return NULL;
-	(void) BN_bin2bn(key+offset, (int)exp, exponent);
-	offset += exp;
-
-	/* Modulus */
-	modulus = BN_new();
-	if(!modulus) {
-		BN_free(exponent);
-		return NULL;
-	}
-	/* length of the buffer must match the key length! */
-	(void) BN_bin2bn(key+offset, (int)(len - offset), modulus);
-
-	rsa = RSA_new();
-	if(!rsa) {
-		BN_free(exponent);
-		BN_free(modulus);
-		return NULL;
-	}
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
-#ifndef S_SPLINT_S
-	rsa->n = modulus;
-	rsa->e = exponent;
-#endif /* splint */
-
-#else /* OPENSSL_VERSION_NUMBER */
-	if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
-		BN_free(exponent);
-		BN_free(modulus);
-		RSA_free(rsa);
-		return NULL;
-	}
-#endif
-
-	return rsa;
-}
-
-#ifdef USE_GOST
-EVP_PKEY*
-gldns_gost2pkey_raw(unsigned char* key, size_t keylen)
-{
-	/* prefix header for X509 encoding */
-	uint8_t asn[37] = { 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85, 
-		0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07, 0x2a, 0x85, 
-		0x03, 0x02, 0x02, 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 
-		0x02, 0x02, 0x1e, 0x01, 0x03, 0x43, 0x00, 0x04, 0x40};
-	unsigned char encoded[37+64];
-	const unsigned char* pp;
-	if(keylen != 64) {
-		/* key wrong size */
-		return NULL;
-	}
-
-	/* create evp_key */
-	memmove(encoded, asn, 37);
-	memmove(encoded+37, key, 64);
-	pp = (unsigned char*)&encoded[0];
-
-	return d2i_PUBKEY(NULL, &pp, (int)sizeof(encoded));
-}
-#endif /* USE_GOST */
-
-#ifdef USE_ECDSA
-EVP_PKEY*
-gldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
-{
-	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
-        const unsigned char* pp = buf;
-        EVP_PKEY *evp_key;
-        EC_KEY *ec;
-	/* check length, which uncompressed must be 2 bignums */
-        if(algo == GLDNS_ECDSAP256SHA256) {
-		if(keylen != 2*256/8) return NULL;
-                ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-        } else if(algo == GLDNS_ECDSAP384SHA384) {
-		if(keylen != 2*384/8) return NULL;
-                ec = EC_KEY_new_by_curve_name(NID_secp384r1);
-        } else    ec = NULL;
-        if(!ec) return NULL;
-	if(keylen+1 > sizeof(buf)) { /* sanity check */
-                EC_KEY_free(ec);
-		return NULL;
-	}
-	/* prepend the 0x02 (from docs) (or actually 0x04 from implementation
-	 * of openssl) for uncompressed data */
-	buf[0] = POINT_CONVERSION_UNCOMPRESSED;
-	memmove(buf+1, key, keylen);
-        if(!o2i_ECPublicKey(&ec, &pp, (int)keylen+1)) {
-                EC_KEY_free(ec);
-                return NULL;
-        }
-        evp_key = EVP_PKEY_new();
-        if(!evp_key) {
-                EC_KEY_free(ec);
-                return NULL;
-        }
-        if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
-		EVP_PKEY_free(evp_key);
-		EC_KEY_free(ec);
-		return NULL;
-	}
-        return evp_key;
-}
-#endif /* USE_ECDSA */
-
-#ifdef USE_ED25519
-EVP_PKEY*
-gldns_ed255192pkey_raw(const unsigned char* key, size_t keylen)
-{
-	/* ASN1 for ED25519 is 302a300506032b6570032100 <32byteskey> */
-	uint8_t pre[] = {0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
-		0x70, 0x03, 0x21, 0x00};
-	int pre_len = 12;
-	uint8_t buf[256];
-	EVP_PKEY *evp_key;
-	/* pp gets modified by d2i() */
-	const unsigned char* pp = (unsigned char*)buf;
-	if(keylen != 32 || keylen + pre_len > sizeof(buf))
-		return NULL; /* wrong length */
-	memmove(buf, pre, pre_len);
-	memmove(buf+pre_len, key, keylen);
-	evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
-	return evp_key;
-}
-#endif /* USE_ED25519 */
-
-int
-gldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
-	const EVP_MD* md)
-{
-	EVP_MD_CTX* ctx;
-	ctx = EVP_MD_CTX_create();
-	if(!ctx)
-		return 0;
-	if(!EVP_DigestInit_ex(ctx, md, NULL) ||
-		!EVP_DigestUpdate(ctx, data, len) ||
-		!EVP_DigestFinal_ex(ctx, dest, NULL)) {
-		EVP_MD_CTX_destroy(ctx);
-		return 0;
-	}
-	EVP_MD_CTX_destroy(ctx);
-	return 1;
-}
-#endif /* HAVE_SSL */

src/gldns/keyraw.h

@@ -20,13 +20,11 @@
 #ifndef GLDNS_KEYRAW_H
 #define GLDNS_KEYRAW_H
 
+#include "keyraw-internal.h"
+
 #ifdef __cplusplus
 extern "C" {
 #endif
-#if GLDNS_BUILD_CONFIG_HAVE_SSL
-#  include <openssl/ssl.h>
-#  include <openssl/evp.h>
-#endif /* GLDNS_BUILD_CONFIG_HAVE_SSL */
 
 /**
  * get the length of the keydata in bits
@@ -46,74 +44,6 @@ size_t gldns_rr_dnskey_key_size_raw(const unsigned char *keydata,
  */
 uint16_t gldns_calc_keytag_raw(const uint8_t* key, size_t keysize);
 
-#if GLDNS_BUILD_CONFIG_HAVE_SSL
-/** 
- * Get the PKEY id for GOST, loads GOST into openssl as a side effect.
- * Only available if GOST is compiled into the library and openssl.
- * \return the gost id for EVP_CTX creation.
- */
-int gldns_key_EVP_load_gost_id(void);
-
-/** Release the engine reference held for the GOST engine. */
-void gldns_key_EVP_unload_gost(void);
-
-/**
- * Like gldns_key_buf2dsa, but uses raw buffer.
- * \param[in] key the uncompressed wireformat of the key.
- * \param[in] len length of key data
- * \return a DSA * structure with the key material
- */
-DSA *gldns_key_buf2dsa_raw(unsigned char* key, size_t len);
-
-/**
- * Converts a holding buffer with key material to EVP PKEY in openssl.
- * Only available if ldns was compiled with GOST.
- * \param[in] key data to convert
- * \param[in] keylen length of the key data
- * \return the key or NULL on error.
- */
-EVP_PKEY* gldns_gost2pkey_raw(unsigned char* key, size_t keylen);
-
-/**
- * Converts a holding buffer with key material to EVP PKEY in openssl.
- * Only available if ldns was compiled with ECDSA.
- * \param[in] key data to convert
- * \param[in] keylen length of the key data
- * \param[in] algo precise algorithm to initialize ECC group values.
- * \return the key or NULL on error.
- */
-EVP_PKEY* gldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);
-
-/**
- * Like gldns_key_buf2rsa, but uses raw buffer.
- * \param[in] key the uncompressed wireformat of the key.
- * \param[in] len length of key data
- * \return a RSA * structure with the key material
- */
-RSA *gldns_key_buf2rsa_raw(unsigned char* key, size_t len);
-
-/**
- * Converts a holding buffer with key material to EVP PKEY in openssl.
- * Only available if ldns was compiled with ED25519.
- * \param[in] key the uncompressed wireformat of the key.
- * \param[in] len length of key data
- * \return the key or NULL on error.
- */
-EVP_PKEY* gldns_ed255192pkey_raw(const unsigned char* key, size_t len);
-
-/**
- * Utility function to calculate hash using generic EVP_MD pointer.
- * \param[in] data the data to hash.
- * \param[in] len  length of data.
- * \param[out] dest the destination of the hash, must be large enough.
- * \param[in] md the message digest to use.
- * \return true if worked, false on failure.
- */
-int gldns_digest_evp(unsigned char* data, unsigned int len, 
-	unsigned char* dest, const EVP_MD* md);
-
-#endif /* GLDNS_BUILD_CONFIG_HAVE_SSL */
-
 #ifdef __cplusplus
 }
 #endif

src/gldns/parse.c

@@ -34,7 +34,7 @@ gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 {
 	int c, prev_c;
 	int p; /* 0 -> no parentheses seen, >0 nr of ( seen */
-	int com, quoted;
+	int com, quoted, only_blank;
 	char *t;
 	size_t i;
 	const char *d;
@@ -53,6 +53,7 @@ gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 	com = 0;
 	quoted = 0;
 	prev_c = 0;
+	only_blank = 1;	/* Assume we got only <blank> until now */
 	t = token;
 	if (del[0] == '"') {
 		quoted = 1;
@@ -101,6 +102,22 @@ gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 			if (line_nr) {
 				*line_nr = *line_nr + 1;
 			}
+			if (only_blank && i > 0) {
+				/* Got only <blank> so far. Reset and try
+				 * again with the next line.
+				 */
+				i = 0;
+				t = token;
+			}
+			if (p == 0) {
+				/* If p != 0 then the next line is a continuation. So
+				 * we assume that the next line starts with a blank only
+				 * if it is actually a new line.
+				 */
+				only_blank = 1;	/* Assume next line starts with
+						 * <blank>.
+						 */
+			}
 			if (p == 0 && i > 0) {
 				goto tokenread;
 			} else {
@@ -120,7 +137,7 @@ gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 			if (line_nr) {
 				*line_nr = *line_nr + 1;
 			}
-			if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+			if (limit > 0 && (i+1 >= limit || (size_t)(t-token)+1 >= limit)) {
 				*t = '\0';
 				return -1;
 			}
@@ -131,23 +148,49 @@ gldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
 
 		/* check if we hit the delim */
 		for (d = del; *d; d++) {
+			if (c == *d)
+				break;
+		}
+
 		if (c == *d && i > 0 && prev_c != '\\' && p == 0) {
 			if (c == '\n' && line_nr) {
 				*line_nr = *line_nr + 1;
 			}
+			if (only_blank) {
+				/* Got only <blank> so far. Reset and
+				 * try again with the next line.
+				 */
+				i = 0;
+				t = token;
+				only_blank = 1;
+				prev_c = c;
+				continue;
+			}
 			goto tokenread;
 		}
+		if (c != ' ' && c != '\t') {
+			/* Found something that is not <blank> */
+			only_blank= 0;
 		}
 		if (c != '\0' && c != '\n') {
 			i++;
 		}
-		if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+		/* is there space for the character and the zero after it */
+		if (limit > 0 && (i+1 >= limit || (size_t)(t-token)+1 >= limit)) {
 			*t = '\0';
 			return -1;
 		}
 		if (c != '\0' && c != '\n') {
 			*t++ = c;
 		}
+		if (c == '\n') {
+			if (line_nr) {
+				*line_nr = *line_nr + 1;
+			}
+			only_blank = 1;	/* Assume next line starts with
+					 * <blank>.
+					 */
+		}
 		if (c == '\\' && prev_c == '\\')
 			prev_c = 0;
 		else	prev_c = c;
@@ -325,8 +368,14 @@ gldns_bget_token_par(gldns_buffer *b, char *token, const char *delim,
 		if (c == '\n' && p != 0) {
 			/* in parentheses */
 			/* do not write ' ' if we want to skip spaces */
-			if(!(skipw && (strchr(skipw, c)||strchr(skipw, ' '))))
+			if(!(skipw && (strchr(skipw, c)||strchr(skipw, ' ')))) {
+				/* check for space for the space character and a zero delimiter after that. */
+				if (limit > 0 && (i+1 >= limit || (size_t)(t-token)+1 >= limit)) {
+					*t = '\0';
+					return -1;
+				}
 				*t++ = ' ';
+			}
 			lc = c;
 			continue;
 		}
@@ -348,7 +397,7 @@ gldns_bget_token_par(gldns_buffer *b, char *token, const char *delim,
 		}
 
 		i++;
-		if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+		if (limit > 0 && (i+1 >= limit || (size_t)(t-token)+1 >= limit)) {
 			*t = '\0';
 			return -1;
 		}

src/gldns/parse.h

@@ -153,7 +153,6 @@ int gldns_bgetc(struct gldns_buffer *buffer);
  * the position to the first character that is not in *s.
  * \param[in] *buffer buffer to use
  * \param[in] *s characters to skip
- * \return void
  */
 void gldns_bskipcs(struct gldns_buffer *buffer, const char *s);
 
@@ -162,7 +161,6 @@ void gldns_bskipcs(struct gldns_buffer *buffer, const char *s);
  * the position to the first character that is not in *s.
  * \param[in] *fp file to use
  * \param[in] *s characters to skip
- * \return void
  */
 void gldns_fskipcs(FILE *fp, const char *s);
 
@@ -173,7 +171,6 @@ void gldns_fskipcs(FILE *fp, const char *s);
  * \param[in] *fp file to use
  * \param[in] *s characters to skip
  * \param[in] line_nr pointer to an integer containing the current line number (for debugging purposes)
- * \return void
  */
 void gldns_fskipcs_l(FILE *fp, const char *s, int *line_nr);
 

src/gldns/parseutil.c

@@ -167,7 +167,7 @@ gldns_gmtime64_r(int64_t clock, struct tm *result)
 static int64_t
 gldns_serial_arithmetics_time(int32_t time, time_t now)
 {
-	int32_t offset = time - (int32_t) now;
+	int32_t offset = (int32_t)((uint32_t) time - (uint32_t) now);
 	return (int64_t) now + offset;
 }
 
@@ -209,11 +209,13 @@ gldns_hexdigit_to_int(char ch)
 }
 
 uint32_t
-gldns_str2period(const char *nptr, const char **endptr)
+gldns_str2period(const char *nptr, const char **endptr, int* overflow)
 {
 	int sign = 0;
 	uint32_t i = 0;
 	uint32_t seconds = 0;
+	const uint32_t maxint = 0xffffffff;
+	*overflow = 0;
 
 	for(*endptr = nptr; **endptr; (*endptr)++) {
 		switch (**endptr) {
@@ -236,26 +238,46 @@ gldns_str2period(const char *nptr, const char **endptr)
 				break;
 			case 's':
 			case 'S':
+				if(seconds > maxint-i) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i;
 				i = 0;
 				break;
 			case 'm':
 			case 'M':
+				if(i > maxint/60 || seconds > maxint-(i*60)) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i * 60;
 				i = 0;
 				break;
 			case 'h':
 			case 'H':
+				if(i > maxint/(60*60) || seconds > maxint-(i*60*60)) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i * 60 * 60;
 				i = 0;
 				break;
 			case 'd':
 			case 'D':
+				if(i > maxint/(60*60*24) || seconds > maxint-(i*60*60*24)) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i * 60 * 60 * 24;
 				i = 0;
 				break;
 			case 'w':
 			case 'W':
+				if(i > maxint/(60*60*24*7) || seconds > maxint-(i*60*60*24*7)) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i * 60 * 60 * 24 * 7;
 				i = 0;
 				break;
@@ -269,15 +291,27 @@ gldns_str2period(const char *nptr, const char **endptr)
 			case '7':
 			case '8':
 			case '9':
+				if(i > maxint/10 || i*10 > maxint - (**endptr - '0')) {
+					*overflow = 1;
+					return 0;
+				}
 				i *= 10;
 				i += (**endptr - '0');
 				break;
 			default:
+				if(seconds > maxint-i) {
+					*overflow = 1;
+					return 0;
+				}
 				seconds += i;
 				/* disregard signedness */
 				return seconds;
 		}
 	}
+	if(seconds > maxint-i) {
+		*overflow = 1;
+		return 0;
+	}
 	seconds += i;
 	/* disregard signedness */
 	return seconds;
@@ -619,13 +653,18 @@ size_t gldns_b64_ntop_calculate_size(size_t srcsize)
  *
  * This routine does not insert spaces or linebreaks after 76 characters.
  */
-int gldns_b64_ntop(uint8_t const *src, size_t srclength,
-	char *target, size_t targsize)
+static int gldns_b64_ntop_base(uint8_t const *src, size_t srclength,
+	char *target, size_t targsize, int base64url, int padding)
 {
-	const char* b64 =
-	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+	char* b64;
 	const char pad64 = '=';
 	size_t i = 0, o = 0;
+	if(base64url)
+		b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123"
+			"456789-_";
+	else
+		b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123"
+			"456789+/";
 	if(targsize < gldns_b64_ntop_calculate_size(srclength))
 		return -1;
 	/* whole chunks: xxxxxxyy yyyyzzzz zzwwwwww */
@@ -645,18 +684,26 @@ int gldns_b64_ntop(uint8_t const *src, size_t srclength,
 		target[o] = b64[src[i] >> 2];
 		target[o+1] = b64[ ((src[i]&0x03)<<4) | (src[i+1]>>4) ];
 		target[o+2] = b64[ ((src[i+1]&0x0f)<<2) ];
+		if(padding) {
 			target[o+3] = pad64;
 			/* i += 2; */
 			o += 4;
+		} else {
+			o += 3;
+		}
 		break;
 	case 1:
 		/* one at end, converted into A B = = */
 		target[o] = b64[src[i] >> 2];
 		target[o+1] = b64[ ((src[i]&0x03)<<4) ];
+		if(padding) {
 			target[o+2] = pad64;
 			target[o+3] = pad64;
 			/* i += 1; */
 			o += 4;
+		} else {
+			o += 2;
+		}
 		break;
 	case 0:
 	default:
@@ -669,19 +716,36 @@ int gldns_b64_ntop(uint8_t const *src, size_t srclength,
 	return (int)o;
 }
 
+int gldns_b64_ntop(uint8_t const *src, size_t srclength, char *target,
+	size_t targsize)
+{
+	return gldns_b64_ntop_base(src, srclength, target, targsize,
+		0 /* no base64url */, 1 /* padding */);
+}
+
+int gldns_b64url_ntop(uint8_t const *src, size_t srclength, char *target,
+	size_t targsize)
+{
+	return gldns_b64_ntop_base(src, srclength, target, targsize,
+		1 /* base64url */, 0 /* no padding */);
+}
+
 size_t gldns_b64_pton_calculate_size(size_t srcsize)
 {
 	return (((((srcsize + 3) / 4) * 3)) + 1);
 }
 
-int gldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
+/* padding not required if srcsize is set */
+static int gldns_b64_pton_base(char const *src, size_t srcsize, uint8_t *target,
+	size_t targsize, int base64url)
 {
 	const uint8_t pad64 = 64; /* is 64th in the b64 array */
 	const char* s = src;
 	uint8_t in[4];
 	size_t o = 0, incount = 0;
+	int check_padding = (srcsize) ? 0 : 1;
 
-	while(*s) {
+	while(*s && (check_padding || srcsize)) {
 		/* skip any character that is not base64 */
 		/* conceptually we do:
 		const char* b64 =      pad'=' is appended to array
@@ -690,30 +754,43 @@ int gldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
 		and use d-b64;
 		*/
 		char d = *s++;
+		srcsize--;
 		if(d <= 'Z' && d >= 'A')
 			d -= 'A';
 		else if(d <= 'z' && d >= 'a')
 			d = d - 'a' + 26;
 		else if(d <= '9' && d >= '0')
 			d = d - '0' + 52;
-		else if(d == '+')
+		else if(!base64url && d == '+')
 			d = 62;
-		else if(d == '/')
+		else if(base64url && d == '-')
+			d = 62;
+		else if(!base64url && d == '/')
 			d = 63;
-		else if(d == '=')
-			d = 64;
-		else	continue;
-		in[incount++] = (uint8_t)d;
-		if(incount != 4)
+		else if(base64url && d == '_')
+			d = 63;
+		else if(d == '=') {
+			if(!check_padding)
 				continue;
+			d = 64;
+		} else	continue;
+
+		in[incount++] = (uint8_t)d;
+		/* work on block of 4, unless padding is not used and there are
+		 * less than 4 chars left */
+		if(incount != 4 && (check_padding || srcsize))
+			continue;
+		assert(!check_padding || incount==4);
 		/* process whole block of 4 characters into 3 output bytes */
-		if(in[3] == pad64 && in[2] == pad64) { /* A B = = */
+		if((incount == 2 ||
+			(incount == 4 && in[3] == pad64 && in[2] == pad64))) { /* A B = = */
 			if(o+1 > targsize)
 				return -1;
 			target[o] = (in[0]<<2) | ((in[1]&0x30)>>4);
 			o += 1;
 			break; /* we are done */
-		} else if(in[3] == pad64) { /* A B C = */
+		} else if(incount == 3 ||
+			(incount == 4 && in[3] == pad64)) { /* A B C = */
 			if(o+2 > targsize)
 				return -1;
 			target[o] = (in[0]<<2) | ((in[1]&0x30)>>4);
@@ -721,7 +798,7 @@ int gldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
 			o += 2;
 			break; /* we are done */
 		} else {
-			if(o+3 > targsize)
+			if(incount != 4 || o+3 > targsize)
 				return -1;
 			/* write xxxxxxyy yyyyzzzz zzwwwwww */
 			target[o] = (in[0]<<2) | ((in[1]&0x30)>>4);
@@ -733,3 +810,32 @@ int gldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
 	}
 	return (int)o;
 }
+
+int gldns_b64_pton(char const *src, uint8_t *target, size_t targsize)
+{
+	return gldns_b64_pton_base(src, 0, target, targsize, 0);
+}
+
+int gldns_b64url_pton(char const *src, size_t srcsize, uint8_t *target,
+	size_t targsize)
+{
+	if(!srcsize) {
+		return 0;
+	}
+	return gldns_b64_pton_base(src, srcsize, target, targsize, 1);
+}
+
+int gldns_b64_contains_nonurl(char const *src, size_t srcsize)
+{
+	const char* s = src;
+	while(*s && srcsize) {
+		char d = *s++;
+		srcsize--;
+		/* the '+' and the '/' and padding '=' is not allowed in b64
+		 * url encoding */
+		if(d == '+' || d == '/' || d == '=') {
+			return 1;
+		}
+	}
+	return 0;
+}

src/gldns/parseutil.h

@@ -74,9 +74,11 @@ struct tm * gldns_serial_arithmetics_gmtime_r(int32_t time, time_t now, struct t
  * converts a ttl value (like 5d2h) to a long.
  * \param[in] nptr the start of the string
  * \param[out] endptr points to the last char in case of error
+ * \param[out] overflow returns if the string causes integer overflow error,
+ * 	       the number is too big, string of digits too long.
  * \return the convert duration value
  */
-uint32_t gldns_str2period(const char *nptr, const char **endptr);
+uint32_t gldns_str2period(const char *nptr, const char **endptr, int* overflow);
 
 /**
  * Returns the int value of the given (hex) digit
@@ -92,13 +94,17 @@ size_t gldns_b64_ntop_calculate_size(size_t srcsize);
 
 int gldns_b64_ntop(uint8_t const *src, size_t srclength,
 	char *target, size_t targsize);
+int gldns_b64url_ntop(uint8_t const *src, size_t srclength, char *target,
+	size_t targsize);
 
 /**
  * calculates the size needed to store the result of gldns_b64_pton
  */
 size_t gldns_b64_pton_calculate_size(size_t srcsize);
-
 int gldns_b64_pton(char const *src, uint8_t *target, size_t targsize);
+int gldns_b64url_pton(char const *src, size_t srcsize, uint8_t *target,
+	size_t targsize);
+int gldns_b64_contains_nonurl(char const *src, size_t srcsize);
 
 /**
  * calculates the size needed to store the result of b32_ntop

src/gldns/pkthdr.h

@@ -97,18 +97,22 @@ extern "C" {
 #define	QDCOUNT(wirebuf)		(ntohs(*(uint16_t *)(wirebuf+QDCOUNT_OFF)))
 */
 #define	GLDNS_QDCOUNT(wirebuf)		(gldns_read_uint16(wirebuf+GLDNS_QDCOUNT_OFF))
+#define GLDNS_QDCOUNT_SET(wirebuf, i)    (gldns_write_uint16(wirebuf+GLDNS_QDCOUNT_OFF, i))
 
 /* Counter of the answer section */
 #define GLDNS_ANCOUNT_OFF		6
 #define	GLDNS_ANCOUNT(wirebuf)		(gldns_read_uint16(wirebuf+GLDNS_ANCOUNT_OFF))
+#define GLDNS_ANCOUNT_SET(wirebuf, i)    (gldns_write_uint16(wirebuf+GLDNS_ANCOUNT_OFF, i))
 
 /* Counter of the authority section */
 #define GLDNS_NSCOUNT_OFF		8
 #define	GLDNS_NSCOUNT(wirebuf)		(gldns_read_uint16(wirebuf+GLDNS_NSCOUNT_OFF))
+#define GLDNS_NSCOUNT_SET(wirebuf, i)    (gldns_write_uint16(wirebuf+GLDNS_NSCOUNT_OFF, i))
 
 /* Counter of the additional section */
 #define GLDNS_ARCOUNT_OFF		10
 #define	GLDNS_ARCOUNT(wirebuf)		(gldns_read_uint16(wirebuf+GLDNS_ARCOUNT_OFF))
+#define GLDNS_ARCOUNT_SET(wirebuf, i)    (gldns_write_uint16(wirebuf+GLDNS_ARCOUNT_OFF, i))
 
 /**
  * The sections of a packet

src/gldns/rrdef.c

@@ -16,6 +16,8 @@
 #include "gldns/rrdef.h"
 #include "gldns/parseutil.h"
 
+#include <stdlib.h>
+
 /* classes  */
 static gldns_lookup_table gldns_rr_classes_data[] = {
         { GLDNS_RR_CLASS_IN, "IN" },
@@ -150,6 +152,12 @@ static const gldns_rdf_type type_openpgpkey_wireformat[] = {
 static const gldns_rdf_type type_csync_wireformat[] = {
 	GLDNS_RDF_TYPE_INT32, GLDNS_RDF_TYPE_INT16, GLDNS_RDF_TYPE_NSEC
 };
+static const gldns_rdf_type type_zonemd_wireformat[] = {
+	GLDNS_RDF_TYPE_INT32, GLDNS_RDF_TYPE_INT8, GLDNS_RDF_TYPE_INT8, GLDNS_RDF_TYPE_HEX
+};
+static const gldns_rdf_type type_svcb_wireformat[] = {
+	GLDNS_RDF_TYPE_INT16, GLDNS_RDF_TYPE_DNAME
+};
 /* nsec3 is some vars, followed by same type of data of nsec */
 static const gldns_rdf_type type_nsec3_wireformat[] = {
 /*	GLDNS_RDF_TYPE_NSEC3_VARS, GLDNS_RDF_TYPE_NSEC3_NEXT_OWNER, GLDNS_RDF_TYPE_NSEC*/
@@ -229,6 +237,15 @@ static const gldns_rdf_type type_caa_wireformat[] = {
 	GLDNS_RDF_TYPE_TAG,
 	GLDNS_RDF_TYPE_LONG_STR
 };
+#ifdef DRAFT_RRTYPES
+static const gldns_rdf_type type_doa_wireformat[] = {
+	GLDNS_RDF_TYPE_INT32, GLDNS_RDF_TYPE_INT32, GLDNS_RDF_TYPE_INT8,
+	GLDNS_RDF_TYPE_STR, GLDNS_RDF_TYPE_B64
+};
+static const gldns_rdf_type type_amtrelay_wireformat[] = {
+	GLDNS_RDF_TYPE_AMTRELAY
+};
+#endif
 
 /* All RR's defined in 1035 are well known and can thus
  * be compressed. See RFC3597. These RR's are:
@@ -236,7 +253,7 @@ static const gldns_rdf_type type_caa_wireformat[] = {
  */
 static gldns_rr_descriptor rdata_field_descriptors[] = {
 	/* 0 */
-	{ 0, NULL, 0, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+	{(enum gldns_enum_rr_type)0, NULL, 0, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 	/* 1 */
 	{GLDNS_RR_TYPE_A, "A", 1, 1, type_a_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 	/* 2 */
@@ -342,12 +359,9 @@ static gldns_rr_descriptor rdata_field_descriptors[] = {
 	/* 52 */
 	{GLDNS_RR_TYPE_TLSA, "TLSA", 4, 4, type_tlsa_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 	/* 53 */
-#ifdef DRAFT_RRTYPES
 	{GLDNS_RR_TYPE_SMIMEA, "SMIMEA", 4, 4, type_tlsa_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-#else
-{GLDNS_RR_TYPE_NULL, "TYPE53", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-#endif
-{GLDNS_RR_TYPE_NULL, "TYPE54", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+	/* 54 */
+{(enum gldns_enum_rr_type)0, "TYPE54", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
         /* 55
 	 * Hip ends with 0 or more Rendezvous Servers represented as dname's.
 	 * Hence the GLDNS_RDF_TYPE_DNAME _variable field and the _maximum field
@@ -361,8 +375,8 @@ static gldns_rr_descriptor rdata_field_descriptors[] = {
 	/* 57 */
 	{GLDNS_RR_TYPE_RKEY, "RKEY", 4, 4, type_key_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 #else
-{GLDNS_RR_TYPE_NULL, "TYPE56", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE57", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE56", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE57", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 #endif
 	/* 58 */
 	{GLDNS_RR_TYPE_TALINK, "TALINK", 2, 2, type_talink_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 2 },
@@ -375,54 +389,57 @@ static gldns_rr_descriptor rdata_field_descriptors[] = {
 {GLDNS_RR_TYPE_OPENPGPKEY, "OPENPGPKEY", 1, 1, type_openpgpkey_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 	/* 62 */
 	{GLDNS_RR_TYPE_CSYNC, "CSYNC", 3, 3, type_csync_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE63", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE64", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE65", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE66", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE67", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE68", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE69", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE70", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE71", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE72", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE73", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE74", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE75", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE76", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE77", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE78", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE79", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE80", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE81", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE82", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE83", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE84", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE85", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE86", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE87", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE88", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE89", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE90", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE91", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE92", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE93", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE94", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE95", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE96", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE97", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE98", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+	/* 63 */
+	{GLDNS_RR_TYPE_ZONEMD, "ZONEMD", 4, 4, type_zonemd_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+	/* 64 */
+	{GLDNS_RR_TYPE_SVCB, "SVCB", 2, 2, type_svcb_wireformat, GLDNS_RDF_TYPE_SVCPARAM, GLDNS_RR_NO_COMPRESS, 1 },
+	/* 65 */
+	{GLDNS_RR_TYPE_HTTPS, "HTTPS", 2, 2, type_svcb_wireformat, GLDNS_RDF_TYPE_SVCPARAM, GLDNS_RR_NO_COMPRESS, 1 },
+{(enum gldns_enum_rr_type)0, "TYPE66", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE67", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE68", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE69", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE70", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE71", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE72", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE73", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE74", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE75", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE76", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE77", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE78", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE79", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE80", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE81", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE82", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE83", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE84", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE85", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE86", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE87", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE88", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE89", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE90", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE91", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE92", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE93", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE94", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE95", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE96", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE97", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE98", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 
 	/* 99 */
 	{GLDNS_RR_TYPE_SPF,  "SPF", 1, 0, NULL, GLDNS_RDF_TYPE_STR, GLDNS_RR_NO_COMPRESS, 0 },
 
 	/* UINFO  [IANA-Reserved] */
-{GLDNS_RR_TYPE_NULL, "TYPE100", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE100", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 	/* UID    [IANA-Reserved] */
-{GLDNS_RR_TYPE_NULL, "TYPE101", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE101", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 	/* GID    [IANA-Reserved] */
-{GLDNS_RR_TYPE_NULL, "TYPE102", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE102", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 	/* UNSPEC [IANA-Reserved] */
-{GLDNS_RR_TYPE_NULL, "TYPE103", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE103", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 
 	/* 104 */
 	{GLDNS_RR_TYPE_NID, "NID", 2, 2, type_nid_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
@@ -438,145 +455,145 @@ static gldns_rr_descriptor rdata_field_descriptors[] = {
 	/* 109 */
 	{GLDNS_RR_TYPE_EUI64, "EUI64", 1, 1, type_eui64_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 
-{GLDNS_RR_TYPE_NULL, "TYPE110", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE111", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE112", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE113", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE114", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE115", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE116", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE117", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE118", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE119", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE120", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE121", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE122", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE123", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE124", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE125", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE126", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE127", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE128", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE129", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE130", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE131", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE132", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE133", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE134", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE135", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE136", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE137", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE138", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE139", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE140", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE141", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE142", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE143", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE144", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE145", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE146", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE147", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE148", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE149", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE150", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE151", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE152", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE153", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE154", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE155", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE156", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE157", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE158", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE159", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE160", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE161", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE162", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE163", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE164", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE165", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE166", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE167", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE168", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE169", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE170", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE171", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE172", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE173", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE174", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE175", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE176", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE177", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE178", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE179", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE180", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE181", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE182", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE183", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE184", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE185", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE186", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE187", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE188", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE189", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE190", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE191", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE192", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE193", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE194", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE195", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE196", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE197", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE198", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE199", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE200", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE201", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE202", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE203", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE204", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE205", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE206", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE207", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE208", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE209", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE210", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE211", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE212", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE213", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE214", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE215", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE216", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE217", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE218", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE219", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE220", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE221", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE222", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE223", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE224", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE225", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE226", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE227", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE228", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE229", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE230", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE231", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE232", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE233", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE234", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE235", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE236", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE237", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE238", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE239", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE240", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE241", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE242", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE243", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE244", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE245", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE246", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE247", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
-{GLDNS_RR_TYPE_NULL, "TYPE248", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE110", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE111", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE112", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE113", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE114", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE115", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE116", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE117", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE118", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE119", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE120", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE121", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE122", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE123", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE124", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE125", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE126", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE127", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE128", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE129", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE130", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE131", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE132", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE133", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE134", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE135", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE136", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE137", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE138", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE139", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE140", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE141", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE142", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE143", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE144", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE145", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE146", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE147", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE148", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE149", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE150", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE151", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE152", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE153", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE154", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE155", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE156", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE157", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE158", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE159", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE160", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE161", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE162", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE163", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE164", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE165", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE166", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE167", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE168", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE169", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE170", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE171", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE172", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE173", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE174", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE175", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE176", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE177", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE178", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE179", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE180", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE181", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE182", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE183", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE184", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE185", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE186", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE187", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE188", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE189", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE190", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE191", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE192", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE193", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE194", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE195", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE196", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE197", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE198", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE199", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE200", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE201", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE202", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE203", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE204", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE205", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE206", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE207", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE208", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE209", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE210", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE211", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE212", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE213", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE214", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE215", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE216", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE217", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE218", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE219", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE220", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE221", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE222", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE223", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE224", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE225", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE226", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE227", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE228", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE229", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE230", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE231", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE232", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE233", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE234", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE235", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE236", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE237", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE238", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE239", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE240", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE241", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE242", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE243", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE244", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE245", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE246", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE247", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE248", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 
 	/* GLDNS_RDF_TYPE_INT16_DATA takes two fields (length and data) as one.
 	 * So, unlike RFC 2930 spec, we have 7 min/max rdf's i.s.o. 8/9.
@@ -607,8 +624,14 @@ static gldns_rr_descriptor rdata_field_descriptors[] = {
 #ifdef DRAFT_RRTYPES
 	/* 258 */
 	{GLDNS_RR_TYPE_AVC, "AVC", 1, 0, NULL, GLDNS_RDF_TYPE_STR, GLDNS_RR_NO_COMPRESS, 0 },
+	/* 259 */
+	{GLDNS_RR_TYPE_DOA, "DOA", 1, 0, type_doa_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+	/* 260 */
+	{GLDNS_RR_TYPE_AMTRELAY, "AMTRELAY", 1, 0, type_amtrelay_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 #else
-{GLDNS_RR_TYPE_NULL, "TYPE258", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE258", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE259", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE260", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 #endif
 
 /* split in array, no longer contiguous */
@@ -617,7 +640,7 @@ static gldns_rr_descriptor rdata_field_descriptors[] = {
 	/* 32768 */
 	{GLDNS_RR_TYPE_TA, "TA", 4, 4, type_ds_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 #else
-{GLDNS_RR_TYPE_NULL, "TYPE32768", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
+{(enum gldns_enum_rr_type)0, "TYPE32768", 1, 1, type_0_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 },
 #endif
 	/* 32769 */
 	{GLDNS_RR_TYPE_DLV, "DLV", 4, 4, type_ds_wireformat, GLDNS_RDF_TYPE_NONE, GLDNS_RR_NO_COMPRESS, 0 }
@@ -713,18 +736,18 @@ gldns_get_rr_type_by_name(const char *name)
 
 	/* special cases for query types */
 	if (strlen(name) == 4 && strncasecmp(name, "IXFR", 4) == 0) {
-		return 251;
+		return GLDNS_RR_TYPE_IXFR;
 	} else if (strlen(name) == 4 && strncasecmp(name, "AXFR", 4) == 0) {
-		return 252;
+		return GLDNS_RR_TYPE_AXFR;
 	} else if (strlen(name) == 5 && strncasecmp(name, "MAILB", 5) == 0) {
-		return 253;
+		return GLDNS_RR_TYPE_MAILB;
 	} else if (strlen(name) == 5 && strncasecmp(name, "MAILA", 5) == 0) {
-		return 254;
+		return GLDNS_RR_TYPE_MAILA;
 	} else if (strlen(name) == 3 && strncasecmp(name, "ANY", 3) == 0) {
-		return 255;
+		return GLDNS_RR_TYPE_ANY;
 	}
 
-	return 0;
+	return (enum gldns_enum_rr_type)0;
 }
 
 gldns_rr_class

src/gldns/rrdef.h

@@ -38,7 +38,7 @@ extern "C" {
 #define GLDNS_KEY_REVOKE_KEY 0x0080 /* used to revoke KSK, rfc 5011 */
 
 /* The first fields are contiguous and can be referenced instantly */
-#define GLDNS_RDATA_FIELD_DESCRIPTORS_COMMON 259
+#define GLDNS_RDATA_FIELD_DESCRIPTORS_COMMON 260
 
 /** lookuptable for rr classes  */
 extern struct gldns_struct_lookup_table* gldns_rr_classes;
@@ -182,9 +182,7 @@ enum gldns_enum_rr_type
 	GLDNS_RR_TYPE_NSEC3PARAM = 51, /* RFC 5155 */
 	GLDNS_RR_TYPE_NSEC3PARAMS = 51,
 	GLDNS_RR_TYPE_TLSA = 52, /* RFC 6698 */
-	GLDNS_RR_TYPE_SMIMEA = 53, /* draft-ietf-dane-smime, TLSA-like but may
-				     be extended */
-
+	GLDNS_RR_TYPE_SMIMEA = 53, /* RFC 8162 */
 	GLDNS_RR_TYPE_HIP = 55, /* RFC 5205 */
 
 	/** draft-reid-dnsext-zs */
@@ -197,6 +195,9 @@ enum gldns_enum_rr_type
 	GLDNS_RR_TYPE_CDNSKEY = 60, /** RFC 7344 */
 	GLDNS_RR_TYPE_OPENPGPKEY = 61, /* RFC 7929 */
 	GLDNS_RR_TYPE_CSYNC = 62, /* RFC 7477 */
+	GLDNS_RR_TYPE_ZONEMD = 63, /* RFC8976 */
+	GLDNS_RR_TYPE_SVCB = 64, /* draft-ietf-dnsop-svcb-https-04 */
+	GLDNS_RR_TYPE_HTTPS = 65, /* draft-ietf-dnsop-svcb-https-04 */
 
 	GLDNS_RR_TYPE_SPF = 99, /* RFC 4408 */
 
@@ -227,7 +228,8 @@ enum gldns_enum_rr_type
 	GLDNS_RR_TYPE_URI = 256, /* RFC 7553 */
 	GLDNS_RR_TYPE_CAA = 257, /* RFC 6844 */
 	GLDNS_RR_TYPE_AVC = 258,
-	GLDNS_RR_TYPE_DOA = 259,
+	GLDNS_RR_TYPE_DOA = 259, /* draft-durand-doa-over-dns */
+	GLDNS_RR_TYPE_AMTRELAY = 260, /* draft-ietf-mboned-driad-amt-discovery */
 
 	/** DNSSEC Trust Authorities */
 	GLDNS_RR_TYPE_TA = 32768,
@@ -352,11 +354,19 @@ enum gldns_enum_rdf_type
          */
         GLDNS_RDF_TYPE_LONG_STR,
 
+	/* draft-ietf-mboned-driad-amt-discovery */
+	GLDNS_RDF_TYPE_AMTRELAY,
+
 	/** TSIG extended 16bit error value */
 	GLDNS_RDF_TYPE_TSIGERROR,
 
+	/* draft-ietf-dnsop-svcb-https-05:
+	 * each SvcParam consisting of a SvcParamKey=SvcParamValue pair or
+	 * a standalone SvcParamKey */
+	GLDNS_RDF_TYPE_SVCPARAM,
+
         /* Aliases */
-        GLDNS_RDF_TYPE_BITMAP = GLDNS_RDF_TYPE_NSEC
+        GLDNS_RDF_TYPE_BITMAP = GLDNS_RDF_TYPE_NSEC,
 };
 typedef enum gldns_enum_rdf_type gldns_rdf_type;
 
@@ -429,10 +439,43 @@ enum gldns_enum_edns_option
 	GLDNS_EDNS_N3U = 7, /* RFC6975 */
 	GLDNS_EDNS_CLIENT_SUBNET = 8, /* RFC7871 */
 	GLDNS_EDNS_KEEPALIVE = 11, /* draft-ietf-dnsop-edns-tcp-keepalive*/
-	GLDNS_EDNS_PADDING = 12 /* RFC7830 */
+	GLDNS_EDNS_PADDING = 12, /* RFC7830 */
+	GLDNS_EDNS_EDE = 15, /* RFC8914 */
+	GLDNS_EDNS_CLIENT_TAG = 16 /* draft-bellis-dnsop-edns-tags-01 */
 };
 typedef enum gldns_enum_edns_option gldns_edns_option;
 
+enum gldns_enum_ede_code
+{
+	GLDNS_EDE_NONE = -1, /* EDE undefined for internal use */
+	GLDNS_EDE_OTHER = 0,
+	GLDNS_EDE_UNSUPPORTED_DNSKEY_ALG = 1,
+	GLDNS_EDE_UNSUPPORTED_DS_DIGEST = 2,
+	GLDNS_EDE_STALE_ANSWER = 3,
+	GLDNS_EDE_FORGED_ANSWER = 4,
+	GLDNS_EDE_DNSSEC_INDETERMINATE = 5,
+	GLDNS_EDE_DNSSEC_BOGUS = 6,
+	GLDNS_EDE_SIGNATURE_EXPIRED = 7,
+	GLDNS_EDE_SIGNATURE_NOT_YET_VALID = 8,
+	GLDNS_EDE_DNSKEY_MISSING = 9,
+	GLDNS_EDE_RRSIGS_MISSING = 10,
+	GLDNS_EDE_NO_ZONE_KEY_BIT_SET = 11,
+	GLDNS_EDE_NSEC_MISSING = 12,
+	GLDNS_EDE_CACHED_ERROR = 13,
+	GLDNS_EDE_NOT_READY = 14,
+	GLDNS_EDE_BLOCKED = 15,
+	GLDNS_EDE_CENSORED = 16,
+	GLDNS_EDE_FILTERED = 17,
+	GLDNS_EDE_PROHIBITED = 18,
+	GLDNS_EDE_STALE_NXDOMAIN_ANSWER = 19,
+	GLDNS_EDE_NOT_AUTHORITATIVE = 20,
+	GLDNS_EDE_NOT_SUPPORTED = 21,
+	GLDNS_EDE_NO_REACHABLE_AUTHORITY = 22,
+	GLDNS_EDE_NETWORK_ERROR = 23,
+	GLDNS_EDE_INVALID_DATA = 24,
+};
+typedef enum gldns_enum_ede_code gldns_ede_code;
+
 #define GLDNS_EDNS_MASK_DO_BIT 0x8000
 
 /** TSIG and TKEY extended rcodes (16bit), 0-15 are the normal rcodes. */

src/gldns/str2wire.c

@@ -24,12 +24,14 @@
 #ifdef HAVE_NETDB_H
 #include <netdb.h>
 #endif
+#include <stdlib.h>
 
+/** bits for the offset */
+#define RET_OFFSET_MASK (((unsigned)(~GLDNS_WIREPARSE_MASK))>>GLDNS_WIREPARSE_SHIFT)
 /** return an error */
-#define RET_ERR(e, off) ((int)((e)|((off)<<GLDNS_WIREPARSE_SHIFT)))
+#define RET_ERR(e, off) ((int)(((e)&GLDNS_WIREPARSE_MASK)|(((off)&RET_OFFSET_MASK)<<GLDNS_WIREPARSE_SHIFT)))
 /** Move parse error but keep its ID */
 #define RET_ERR_SHIFT(e, move) RET_ERR(GLDNS_WIREPARSE_ERROR(e), GLDNS_WIREPARSE_OFFSET(e)+(move));
-#define GLDNS_IP6ADDRLEN      (128/8)
 
 /*
  * No special care is taken, all dots are translated into
@@ -80,7 +82,7 @@ static int gldns_str2wire_dname_buf_rel(const char* str, uint8_t* buf,
 	for (s = str; *s; s++, q++) {
 		if (q >= buf + *olen)
 			return RET_ERR(GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL, q-buf);
-		if (q > buf + GLDNS_MAX_DOMAINLEN)
+		if (q >= buf + GLDNS_MAX_DOMAINLEN)
 			return RET_ERR(GLDNS_WIREPARSE_ERR_DOMAINNAME_OVERFLOW, q-buf);
 		switch (*s) {
 		case '.':
@@ -117,7 +119,7 @@ static int gldns_str2wire_dname_buf_rel(const char* str, uint8_t* buf,
 		if(rel) *rel = 1;
 		if (q >= buf + *olen)
 			return RET_ERR(GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL, q-buf);
-		if (q > buf + GLDNS_MAX_DOMAINLEN) {
+		if (q >= buf + GLDNS_MAX_DOMAINLEN) {
 			return RET_ERR(GLDNS_WIREPARSE_ERR_DOMAINNAME_OVERFLOW, q-buf);
 		}
                 if (label_len > GLDNS_MAX_LABELLEN) {
@@ -150,6 +152,10 @@ int gldns_str2wire_dname_buf_origin(const char* str, uint8_t* buf, size_t* len,
 	if(s) return s;
 
 	if(rel && origin && dlen > 0) {
+		if((unsigned)dlen >= 0x00ffffffU ||
+			(unsigned)origin_len >= 0x00ffffffU)
+			/* guard against integer overflow in addition */
+			return RET_ERR(GLDNS_WIREPARSE_ERR_GENERAL, *len);
 		if(dlen + origin_len - 1 > GLDNS_MAX_DOMAINLEN)
 			return RET_ERR(GLDNS_WIREPARSE_ERR_DOMAINNAME_OVERFLOW,
 				GLDNS_MAX_DOMAINLEN);
@@ -168,7 +174,9 @@ uint8_t* gldns_str2wire_dname(const char* str, size_t* len)
 	uint8_t dname[GLDNS_MAX_DOMAINLEN+1];
 	*len = sizeof(dname);
 	if(gldns_str2wire_dname_buf(str, dname, len) == 0) {
-		uint8_t* r = (uint8_t*)malloc(*len);
+		uint8_t* r;
+		if(*len > sizeof(dname)) return NULL;
+		r = (uint8_t*)malloc(*len);
 		if(r) return memcpy(r, dname, *len);
 	}
 	*len = 0;
@@ -187,7 +195,10 @@ rrinternal_get_owner(gldns_buffer* strbuf, uint8_t* rr, size_t* len,
 			gldns_buffer_position(strbuf));
 	}
 
-	if(strcmp(token, "@") == 0) {
+	if(token_len < 2) /* make sure there is space to read "@" or "" */
+		return RET_ERR(GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL,
+			gldns_buffer_position(strbuf));
+	if(token[0]=='@' && token[1]=='\0') {
 		uint8_t* tocopy;
 		if (origin) {
 			*dname_len = origin_len;
@@ -239,11 +250,16 @@ rrinternal_get_ttl(gldns_buffer* strbuf, char* token, size_t token_len,
 	int* not_there, uint32_t* ttl, uint32_t default_ttl)
 {
 	const char* endptr;
+	int overflow;
 	if(gldns_bget_token(strbuf, token, "\t\n ", token_len) == -1) {
 		return RET_ERR(GLDNS_WIREPARSE_ERR_SYNTAX_TTL,
 			gldns_buffer_position(strbuf));
 	}
-	*ttl = (uint32_t) gldns_str2period(token, &endptr);
+	*ttl = (uint32_t) gldns_str2period(token, &endptr, &overflow);
+	if(overflow) {
+		return RET_ERR(GLDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW,
+			gldns_buffer_position(strbuf));
+	}
 
 	if (strlen(token) > 0 && !isdigit((unsigned char)token[0])) {
 		*not_there = 1;
@@ -363,7 +379,8 @@ rrinternal_get_quoted(gldns_buffer* strbuf, const char** delimiters,
 
 		/* skip spaces */
 		while(gldns_buffer_remaining(strbuf) > 0 &&
-			*(gldns_buffer_current(strbuf)) == ' ') {
+			(*(gldns_buffer_current(strbuf)) == ' ' ||
+			*(gldns_buffer_current(strbuf)) == '\t')) {
 			gldns_buffer_skip(strbuf, 1);
 		}
 
@@ -535,9 +552,10 @@ gldns_parse_rdf_token(gldns_buffer* strbuf, char* token, size_t token_len,
 {
 	size_t slen;
 
-	/* skip spaces */
+	/* skip spaces and tabs */
 	while(gldns_buffer_remaining(strbuf) > 0 && !*quoted &&
-		*(gldns_buffer_current(strbuf)) == ' ') {
+		(*(gldns_buffer_current(strbuf)) == ' ' ||
+		*(gldns_buffer_current(strbuf)) == '\t')) {
 		gldns_buffer_skip(strbuf, 1);
 	}
 
@@ -593,7 +611,10 @@ gldns_affix_token(gldns_buffer* strbuf, char* token, size_t* token_len,
 	size_t addstrlen = 0;
 
 	/* add space */
-	if(addlen < 1) return 0;
+	/* when addlen < 2, the token buffer is full considering the NULL byte
+	 * from strlen and will lead to buffer overflow with the second
+	 * assignment below. */
+	if(addlen < 2) return 0;
 	token[*token_strlen] = ' ';
 	token[++(*token_strlen)] = 0;
 
@@ -606,6 +627,122 @@ gldns_affix_token(gldns_buffer* strbuf, char* token, size_t* token_len,
 	return 1;
 }
 
+static int gldns_str2wire_svcparam_key_cmp(const void *a, const void *b)
+{
+	return gldns_read_uint16(*(uint8_t**) a)
+	     - gldns_read_uint16(*(uint8_t**) b);
+}
+
+/**
+ * Add constraints to the SVCB RRs which involve the whole set
+ */
+static int gldns_str2wire_check_svcbparams(uint8_t* rdata, uint16_t rdata_len)
+{
+	size_t   nparams = 0, i;
+	uint8_t  new_rdata[GLDNS_MAX_RDFLEN];
+	uint8_t* new_rdata_ptr = new_rdata;
+	uint8_t* svcparams[MAX_NUMBER_OF_SVCPARAMS];
+	uint8_t* rdata_ptr = rdata;
+	uint16_t rdata_remaining = rdata_len;
+
+	/* find the SvcParams */
+	while (rdata_remaining) {
+		uint16_t svcbparam_len;
+
+		svcparams[nparams] = rdata_ptr;
+		if (rdata_remaining < 4)
+			return GLDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA;
+		svcbparam_len = gldns_read_uint16(rdata_ptr + 2);
+		rdata_remaining -= 4;
+		rdata_ptr += 4;
+
+		if (rdata_remaining < svcbparam_len)
+			return GLDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA;
+		rdata_remaining -= svcbparam_len;
+		rdata_ptr += svcbparam_len;
+
+		nparams += 1;
+		if (nparams >= MAX_NUMBER_OF_SVCPARAMS)
+			return GLDNS_WIREPARSE_ERR_SVCB_TOO_MANY_PARAMS;
+	}
+
+	/* In draft-ietf-dnsop-svcb-https-06 Section 7:
+	 *
+	 *     In wire format, the keys are represented by their numeric
+	 *     values in network byte order, concatenated in ascending order.
+	 */
+	qsort((void *)svcparams
+	     ,nparams
+	     ,sizeof(uint8_t*)
+	     ,gldns_str2wire_svcparam_key_cmp);
+
+
+	/* The code below revolves around semantic errors in the SVCParam set.
+	 * So long as we do not distinguish between running Unbound as a primary
+	 * or as a secondary, we default to secondary behavior and we ignore the
+	 * semantic errors. */
+
+#ifdef SVCB_SEMANTIC_ERRORS
+	{
+		uint8_t* mandatory = NULL;
+		/* In draft-ietf-dnsop-svcb-https-06 Section 7:
+		 *
+		 *     Keys (...) MUST NOT appear more than once.
+		 *
+		 * If they key has already been seen, we have a duplicate
+		 */
+		for(i=0; i < nparams; i++) {
+			uint16_t key = gldns_read_uint16(svcparams[i]);
+			if(i + 1 < nparams && key == gldns_read_uint16(svcparams[i+1]))
+				return GLDNS_WIREPARSE_ERR_SVCB_DUPLICATE_KEYS;
+			if(key == SVCB_KEY_MANDATORY)
+				mandatory = svcparams[i];
+		}
+
+		/* 4. verify that all the SvcParamKeys in mandatory are present */
+		if(mandatory) {
+			/* Divide by sizeof(uint16_t)*/
+			uint16_t mandatory_nkeys = gldns_read_uint16(mandatory + 2) / sizeof(uint16_t);
+
+			/* Guaranteed by gldns_str2wire_svcparam_key_value */
+			assert(mandatory_nkeys > 0);
+
+			for(i=0; i < mandatory_nkeys; i++) {
+				uint16_t mandatory_key = gldns_read_uint16(
+					mandatory
+					+ 2 * sizeof(uint16_t)
+					+ i * sizeof(uint16_t));
+				uint8_t found = 0;
+				size_t j;
+
+				for(j=0; j < nparams; j++) {
+					if(mandatory_key == gldns_read_uint16(svcparams[j])) {
+						found = 1;
+						break;
+					}
+				}
+
+				if(!found)
+					return GLDNS_WIREPARSE_ERR_SVCB_MANDATORY_MISSING_PARAM;
+			}
+		}
+	}
+#endif
+	/* Write rdata in correct order */
+	for (i = 0; i < nparams; i++) {
+		uint16_t svcparam_len = gldns_read_uint16(svcparams[i] + 2)
+		                      + 2 * sizeof(uint16_t);
+
+		if ((unsigned)(new_rdata_ptr - new_rdata) + svcparam_len > sizeof(new_rdata))
+			return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+
+		memcpy(new_rdata_ptr, svcparams[i], svcparam_len);
+		new_rdata_ptr += svcparam_len;
+	}
+	memcpy(rdata, new_rdata, rdata_len);
+	return GLDNS_WIREPARSE_ERR_OK;
+}
+
 /** parse rdata from string into rr buffer(-remainder after dname). */
 static int
 rrinternal_parse_rdata(gldns_buffer* strbuf, char* token, size_t token_len,
@@ -645,7 +782,8 @@ rrinternal_parse_rdata(gldns_buffer* strbuf, char* token, size_t token_len,
 
 		/* unknown RR data */
 		if(token_strlen>=2 && strncmp(token, "\\#", 2) == 0 &&
-			!quoted && (token_strlen == 2 || token[2]==' ')) {
+			!quoted && (token_strlen == 2 || token[2]==' ' ||
+			token[2]=='\t')) {
 			was_unknown_rr_format = 1;
 			if((status=rrinternal_parse_unknown(strbuf, token,
 				token_len, rr, rr_len, &rr_cur_len, 
@@ -703,6 +841,42 @@ rrinternal_parse_rdata(gldns_buffer* strbuf, char* token, size_t token_len,
 	/* write rdata length */
 	gldns_write_uint16(rr+dname_len+8, (uint16_t)(rr_cur_len-dname_len-10));
 	*rr_len = rr_cur_len;
+	/* SVCB/HTTPS handling  */
+	if (rr_type == GLDNS_RR_TYPE_SVCB || rr_type == GLDNS_RR_TYPE_HTTPS) {
+		size_t rdata_len = rr_cur_len - dname_len - 10;
+		uint8_t *rdata = rr+dname_len + 10;
+		
+		/* skip 1st rdata field SvcPriority (uint16_t) */
+		if (rdata_len < sizeof(uint16_t))
+			return GLDNS_WIREPARSE_ERR_OK;
+
+		rdata_len -= sizeof(uint16_t);
+		rdata += sizeof(uint16_t);
+
+		/* skip 2nd rdata field dname */
+		while (rdata_len && *rdata != 0) {
+			uint8_t label_len;
+
+			if (*rdata & 0xC0)
+				return GLDNS_WIREPARSE_ERR_OK;
+
+			label_len = *rdata + 1;
+			if (rdata_len < label_len)
+				return GLDNS_WIREPARSE_ERR_OK;
+
+			rdata_len -= label_len;
+			rdata += label_len;
+		}
+		/* The root label is one more character, so smaller
+		 * than 1 + 1 means no Svcparam Keys */
+		if (rdata_len < 2 || *rdata != 0)
+			return GLDNS_WIREPARSE_ERR_OK;
+
+		rdata_len -= 1;
+		rdata += 1;
+		return gldns_str2wire_check_svcbparams(rdata, rdata_len);
+
+	}
 	return GLDNS_WIREPARSE_ERR_OK;
 }
 
@@ -889,12 +1063,15 @@ int gldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
 		return s;
 	} else if(strncmp(line, "$TTL", 4) == 0 && isspace((unsigned char)line[4])) {
 		const char* end = NULL;
+		int overflow = 0;
 		strlcpy((char*)rr, line, *len);
 		*len = 0;
 		*dname_len = 0;
 		if(!parse_state) return GLDNS_WIREPARSE_ERR_OK;
 		parse_state->default_ttl = gldns_str2period(
-			gldns_strip_ws(line+5), &end);
+			gldns_strip_ws(line+5), &end, &overflow);
+		if(overflow)
+			return GLDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW;
 	} else if (strncmp(line, "$INCLUDE", 8) == 0) {
 		strlcpy((char*)rr, line, *len);
 		*len = 0;
@@ -920,11 +1097,533 @@ int gldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
 			memmove(parse_state->prev_rr, rr, *dname_len);
 			parse_state->prev_rr_len = (*dname_len);
 		}
+		if(r == GLDNS_WIREPARSE_ERR_OK && parse_state) {
+			parse_state->default_ttl = gldns_wirerr_get_ttl(
+				rr, *len, *dname_len);
+		}
 		return r;
 	}
 	return GLDNS_WIREPARSE_ERR_OK;
 }
 
+static int
+gldns_str2wire_svcparam_key_lookup(const char *key, size_t key_len)
+{
+	char buf[64];
+	char *endptr;
+	unsigned long int key_value;
+
+	if (key_len >= 4  && key_len <= 8 && !strncmp(key, "key", 3)) {
+		memcpy(buf, key + 3, key_len - 3);
+		buf[key_len - 3] = 0;
+		key_value = strtoul(buf, &endptr, 10);
+
+		if (endptr > buf	/* digits seen */
+		&& *endptr == 0		/* no non-digit chars after digits */
+		&&  key_value <= 65535)	/* no overflow */
+			return key_value;
+
+	} else switch (key_len) {
+	case sizeof("mandatory")-1:
+		if (!strncmp(key, "mandatory", sizeof("mandatory")-1))
+			return SVCB_KEY_MANDATORY;
+		if (!strncmp(key, "echconfig", sizeof("echconfig")-1))
+			return SVCB_KEY_ECH; /* allow "echconfig" as well as "ech" */
+		break;
+
+	case sizeof("alpn")-1:
+		if (!strncmp(key, "alpn", sizeof("alpn")-1))
+			return SVCB_KEY_ALPN;
+		if (!strncmp(key, "port", sizeof("port")-1))
+			return SVCB_KEY_PORT;
+		break;
+
+	case sizeof("no-default-alpn")-1:
+		if (!strncmp( key  , "no-default-alpn"
+		            , sizeof("no-default-alpn")-1))
+			return SVCB_KEY_NO_DEFAULT_ALPN;
+		break;
+
+	case sizeof("ipv4hint")-1:
+		if (!strncmp(key, "ipv4hint", sizeof("ipv4hint")-1))
+			return SVCB_KEY_IPV4HINT;
+		if (!strncmp(key, "ipv6hint", sizeof("ipv6hint")-1))
+			return SVCB_KEY_IPV6HINT;
+		break;
+
+	case sizeof("ech")-1:
+		if (!strncmp(key, "ech", sizeof("ech")-1))
+			return SVCB_KEY_ECH;
+		break;
+
+	default:
+		break;
+	}
+
+	/* Although the returned value might be used by the caller,
+	 * the parser has erred, so the zone will not be loaded.
+	 */
+	return -1;
+}
+
+static int
+gldns_str2wire_svcparam_port(const char* val, uint8_t* rd, size_t* rd_len)
+{
+	unsigned long int port;
+	char *endptr;
+
+	if (*rd_len < 6)
+		return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+
+	port = strtoul(val, &endptr, 10);
+
+	if (endptr > val	/* digits seen */
+	&& *endptr == 0		/* no non-digit chars after digits */
+	&&  port <= 65535) {	/* no overflow */
+
+		gldns_write_uint16(rd, SVCB_KEY_PORT);
+		gldns_write_uint16(rd + 2, sizeof(uint16_t));
+		gldns_write_uint16(rd + 4, port);
+		*rd_len = 6;
+
+		return GLDNS_WIREPARSE_ERR_OK;
+	}
+
+	return GLDNS_WIREPARSE_ERR_SVCB_PORT_VALUE_SYNTAX;
+}
+
+static int
+gldns_str2wire_svcbparam_ipv4hint(const char* val, uint8_t* rd, size_t* rd_len)
+{
+	size_t count;
+	char ip_str[INET_ADDRSTRLEN+1];
+	char *next_ip_str;
+	size_t i;
+
+	for (i = 0, count = 1; val[i]; i++) {
+		if (val[i] == ',')
+			count += 1;
+		if (count > SVCB_MAX_COMMA_SEPARATED_VALUES) {
+			return GLDNS_WIREPARSE_ERR_SVCB_IPV4_TOO_MANY_ADDRESSES;
+		}
+	}
+
+	if (*rd_len < (GLDNS_IP4ADDRLEN * count) + 4)
+		return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+
+	/* count is number of comma's in val + 1; so the actual number of IPv4
+	 * addresses in val
+	 */
+	gldns_write_uint16(rd, SVCB_KEY_IPV4HINT);
+	gldns_write_uint16(rd + 2, GLDNS_IP4ADDRLEN * count);
+	*rd_len = 4;
+
+	while (count) {
+		if (!(next_ip_str = strchr(val, ','))) {
+			if (inet_pton(AF_INET, val, rd + *rd_len) != 1)
+				break;
+			*rd_len += GLDNS_IP4ADDRLEN;
+
+			assert(count == 1);
+
+		} else if (next_ip_str - val >= (int)sizeof(ip_str))
+			break;
+
+		else {
+			memcpy(ip_str, val, next_ip_str - val);
+			ip_str[next_ip_str - val] = 0;
+			if (inet_pton(AF_INET, ip_str, rd + *rd_len) != 1) {
+				break;
+			}
+			*rd_len += GLDNS_IP4ADDRLEN;
+
+			val = next_ip_str + 1;
+		}
+		count--;
+	}
+	if (count) /* verify that we parsed all values */
+		return GLDNS_WIREPARSE_ERR_SYNTAX_IP4;
+
+	return GLDNS_WIREPARSE_ERR_OK;
+}
+
+static int
+gldns_str2wire_svcbparam_ipv6hint(const char* val, uint8_t* rd, size_t* rd_len)
+{
+	size_t count;
+	char ip_str[INET6_ADDRSTRLEN+1];
+	char *next_ip_str;
+	size_t i;
+
+	for (i = 0, count = 1; val[i]; i++) {
+		if (val[i] == ',')
+			count += 1;
+		if (count > SVCB_MAX_COMMA_SEPARATED_VALUES) {
+			return GLDNS_WIREPARSE_ERR_SVCB_IPV6_TOO_MANY_ADDRESSES;
+		}
+	}
+
+	if (*rd_len < (GLDNS_IP6ADDRLEN * count) + 4)
+		return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+
+	/* count is number of comma's in val + 1; so the actual number of IPv6
+	 * addresses in val
+	 */
+	gldns_write_uint16(rd, SVCB_KEY_IPV6HINT);
+	gldns_write_uint16(rd + 2, GLDNS_IP6ADDRLEN * count);
+	*rd_len = 4;
+
+	while (count) {
+		if (!(next_ip_str = strchr(val, ','))) {
+			if (inet_pton(AF_INET6, val, rd + *rd_len) != 1)
+				break;
+			*rd_len += GLDNS_IP6ADDRLEN;
+
+			assert(count == 1);
+
+		} else if (next_ip_str - val >= (int)sizeof(ip_str))
+			break;
+
+		else {
+			memcpy(ip_str, val, next_ip_str - val);
+			ip_str[next_ip_str - val] = 0;
+			if (inet_pton(AF_INET6, ip_str, rd + *rd_len) != 1) {
+				break;
+			}
+			*rd_len += GLDNS_IP6ADDRLEN;
+
+			val = next_ip_str + 1;
+		}
+		count--;
+	}
+	if (count) /* verify that we parsed all values */
+		return GLDNS_WIREPARSE_ERR_SYNTAX_IP6;
+
+	return GLDNS_WIREPARSE_ERR_OK;
+}
+
+/* compare function used for sorting uint16_t's */
+static int
+gldns_network_uint16_cmp(const void *a, const void *b)
+{
+	return ((int)gldns_read_uint16(a)) - ((int)gldns_read_uint16(b));
+}
+
+static int
+gldns_str2wire_svcbparam_mandatory(const char* val, uint8_t* rd, size_t* rd_len)
+{
+	size_t i, count, val_len;
+	char* next_key;
+
+	val_len = strlen(val);
+
+	for (i = 0, count = 1; val[i]; i++) {
+		if (val[i] == ',')
+			count += 1;
+		if (count > SVCB_MAX_COMMA_SEPARATED_VALUES) {
+			return GLDNS_WIREPARSE_ERR_SVCB_MANDATORY_TOO_MANY_KEYS;
+		}
+	}
+	if (sizeof(uint16_t) * (count + 2) > *rd_len)
+		return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+
+	gldns_write_uint16(rd, SVCB_KEY_MANDATORY);
+	gldns_write_uint16(rd + 2, sizeof(uint16_t) * count);
+	*rd_len = 4;
+
+	while (1) {
+		int svcparamkey;
+
+		if (!(next_key = strchr(val, ','))) {
+			svcparamkey = gldns_str2wire_svcparam_key_lookup(val, val_len);
+
+			if (svcparamkey < 0) {
+				return GLDNS_WIREPARSE_ERR_SVCB_UNKNOWN_KEY;
+			}
+
+			gldns_write_uint16(rd + *rd_len, svcparamkey);
+			*rd_len += 2;
+			break;
+		} else {
+			svcparamkey = gldns_str2wire_svcparam_key_lookup(val, next_key - val);
+
+			if (svcparamkey < 0) {
+				return GLDNS_WIREPARSE_ERR_SVCB_UNKNOWN_KEY;
+			}
+
+			gldns_write_uint16(rd + *rd_len,
+				svcparamkey);
+			*rd_len += 2;
+		}
+
+		val_len -= next_key - val + 1;
+		val = next_key + 1; /* skip the comma */
+	}
+
+	/* In draft-ietf-dnsop-svcb-https-06 Section 7:
+	 *
+	 *    "In wire format, the keys are represented by their numeric
+	 *     values in network byte order, concatenated in ascending order."
+	 */
+	qsort((void *)(rd + 4), count, sizeof(uint16_t), gldns_network_uint16_cmp);
+
+	/* The code below revolves around semantic errors in the SVCParam set.
+	 * So long as we do not distinguish between running Unbound as a primary
+	 * or as a secondary, we default to secondary behavior and we ignore the
+	 * semantic errors. */
+#ifdef SVCB_SEMANTIC_ERRORS
+	/* In draft-ietf-dnsop-svcb-https-06 Section 8
+	 * automatically mandatory MUST NOT appear in its own value-list
+	 */
+	if (gldns_read_uint16(rd + 4) == SVCB_KEY_MANDATORY)
+		return GLDNS_WIREPARSE_ERR_SVCB_MANDATORY_IN_MANDATORY;
+
+	/* Guarantee key uniqueness. After the sort we only need to
+	 * compare neighbouring keys */
+	if (count > 1) {
+		for (i = 0; i < count - 1; i++) {
+			uint8_t* current_pos = (rd + 4 + (sizeof(uint16_t) * i));
+			uint16_t key = gldns_read_uint16(current_pos);
+
+			if (key == gldns_read_uint16(current_pos + 2)) {
+				return GLDNS_WIREPARSE_ERR_SVCB_MANDATORY_DUPLICATE_KEY;
+			}
+		}
+	}
+#endif
+	return GLDNS_WIREPARSE_ERR_OK;
+}
+
+static int
+gldns_str2wire_svcbparam_ech_value(const char* val, uint8_t* rd, size_t* rd_len)
+{
+	uint8_t buffer[GLDNS_MAX_RDFLEN];
+	int wire_len;
+
+	/* single 0 represents empty buffer */
+	if(strcmp(val, "0") == 0) {
+		if (*rd_len < 4)
+			return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+		gldns_write_uint16(rd, SVCB_KEY_ECH);
+		gldns_write_uint16(rd + 2, 0);
+
+		return GLDNS_WIREPARSE_ERR_OK;
+	}
+
+	wire_len = gldns_b64_pton(val, buffer, GLDNS_MAX_RDFLEN);
+
+	if (wire_len <= 0) {
+		return GLDNS_WIREPARSE_ERR_SYNTAX_B64;
+	} else if ((unsigned)wire_len + 4 > *rd_len) {
+		return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+	} else {
+		gldns_write_uint16(rd, SVCB_KEY_ECH);
+		gldns_write_uint16(rd + 2, wire_len);
+		memcpy(rd + 4, buffer, wire_len);
+		*rd_len = 4 + wire_len;
+
+		return GLDNS_WIREPARSE_ERR_OK;
+	}
+}
+
+static const char*
+gldns_str2wire_svcbparam_parse_next_unescaped_comma(const char *val)
+{
+	while (*val) {
+		/* Only return when the comma is not escaped*/
+		if (*val == '\\'){
+			++val;
+			if (!*val)
+				break;
+		} else if (*val == ',')
+				return val;
+
+		val++;
+	}
+	return NULL;
+}
+
+/* The source is already properly unescaped, this double unescaping is purely to allow for
+ * comma's in comma separated alpn lists.
+ * 
+ * In draft-ietf-dnsop-svcb-https-06 Section 7:
+ * To enable simpler parsing, this SvcParamValue MUST NOT contain escape sequences.
+ */
+static size_t
+gldns_str2wire_svcbparam_parse_copy_unescaped(uint8_t *dst,
+	const char *src, size_t len)
+{
+	uint8_t *orig_dst = dst;
+
+	while (len) {
+		if (*src == '\\') {
+			src++;
+			len--;
+			if (!len)
+				break;
+		}
+		*dst++ = *src++;
+		len--;
+	}
+	return (size_t)(dst - orig_dst);
+}
+
+static int
+gldns_str2wire_svcbparam_alpn_value(const char* val,
+	uint8_t* rd, size_t* rd_len)
+{
+	uint8_t     unescaped_dst[GLDNS_MAX_RDFLEN];
+	uint8_t    *dst = unescaped_dst;
+	const char *next_str;
+	size_t      str_len;
+	size_t      dst_len;
+	size_t      val_len;
+	
+	val_len = strlen(val);
+
+	if (val_len > sizeof(unescaped_dst)) {
+		return GLDNS_WIREPARSE_ERR_SVCB_ALPN_KEY_TOO_LARGE;
+	}
+	while (val_len) {
+		size_t key_len;
+
+		str_len = (next_str = gldns_str2wire_svcbparam_parse_next_unescaped_comma(val))
+		        ? (size_t)(next_str - val) : val_len;
+
+		if (str_len > 255) {
+			return GLDNS_WIREPARSE_ERR_SVCB_ALPN_KEY_TOO_LARGE;
+		}
+
+		key_len = gldns_str2wire_svcbparam_parse_copy_unescaped(dst + 1, val, str_len);
+		*dst++ = key_len;
+		 dst  += key_len;
+
+		if (!next_str)
+			break;
+
+		/* skip the comma in the next iteration */
+		val_len -= next_str - val + 1;
+		val = next_str + 1;
+	}
+	dst_len = dst - unescaped_dst;
+	if (*rd_len < 4 + dst_len)
+		return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+	gldns_write_uint16(rd, SVCB_KEY_ALPN);
+	gldns_write_uint16(rd + 2, dst_len);
+	memcpy(rd + 4, unescaped_dst, dst_len);
+	*rd_len = 4 + dst_len;
+	
+	return GLDNS_WIREPARSE_ERR_OK;
+}
+
+static int
+gldns_str2wire_svcparam_value(const char *key, size_t key_len,
+	const char *val, uint8_t* rd, size_t* rd_len)
+{
+	size_t str_len;
+	int svcparamkey = gldns_str2wire_svcparam_key_lookup(key, key_len);
+
+	if (svcparamkey < 0) {
+		return GLDNS_WIREPARSE_ERR_SVCB_UNKNOWN_KEY;
+	}
+
+	/* key without value */
+	if (val == NULL) {
+		switch (svcparamkey) {
+#ifdef SVCB_SEMANTIC_ERRORS
+		case SVCB_KEY_MANDATORY:
+		case SVCB_KEY_ALPN:
+		case SVCB_KEY_PORT:
+		case SVCB_KEY_IPV4HINT:
+		case SVCB_KEY_IPV6HINT:
+			return GLDNS_WIREPARSE_ERR_SVCB_MISSING_PARAM;
+#endif
+		default:
+			if (*rd_len < 4)
+				return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+			gldns_write_uint16(rd, svcparamkey);
+			gldns_write_uint16(rd + 2, 0);
+			*rd_len = 4;
+
+			return GLDNS_WIREPARSE_ERR_OK;
+		}
+	}
+
+	/* value is non-empty */
+	switch (svcparamkey) {
+	case SVCB_KEY_PORT:
+		return gldns_str2wire_svcparam_port(val, rd, rd_len);
+	case SVCB_KEY_IPV4HINT:
+		return gldns_str2wire_svcbparam_ipv4hint(val, rd, rd_len);
+	case SVCB_KEY_IPV6HINT:
+		return gldns_str2wire_svcbparam_ipv6hint(val, rd, rd_len);
+	case SVCB_KEY_MANDATORY:
+		return gldns_str2wire_svcbparam_mandatory(val, rd, rd_len);
+#ifdef SVCB_SEMANTIC_ERRORS
+	case SVCB_KEY_NO_DEFAULT_ALPN:
+		return GLDNS_WIREPARSE_ERR_SVCB_NO_DEFAULT_ALPN_VALUE;
+#endif
+	case SVCB_KEY_ECH:
+		return gldns_str2wire_svcbparam_ech_value(val, rd, rd_len);
+	case SVCB_KEY_ALPN:
+		return gldns_str2wire_svcbparam_alpn_value(val, rd, rd_len);
+	default:
+		str_len = strlen(val);
+		if (*rd_len < 4 + str_len)
+			return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+		gldns_write_uint16(rd, svcparamkey);
+		gldns_write_uint16(rd + 2, str_len);
+		memcpy(rd + 4, val, str_len);
+		*rd_len = 4 + str_len;
+
+		return GLDNS_WIREPARSE_ERR_OK;
+	}
+
+	return GLDNS_WIREPARSE_ERR_GENERAL;
+}
+
+static int gldns_str2wire_svcparam_buf(const char* str, uint8_t* rd, size_t* rd_len)
+{
+	const char* eq_pos;
+	char unescaped_val[GLDNS_MAX_RDFLEN];
+	char* val_out = unescaped_val;
+	const char* val_in;
+
+	eq_pos = strchr(str, '=');
+
+	/* case: key=value */
+	if (eq_pos != NULL && eq_pos[1]) {
+		val_in = eq_pos + 1;
+		
+		/* unescape characters and "" blocks */
+		if (*val_in == '"') {
+			val_in++;
+			while (*val_in != '"'
+			&& (size_t)(val_out - unescaped_val + 1) < sizeof(unescaped_val)
+			&& gldns_parse_char( (uint8_t*) val_out, &val_in)) {
+				val_out++;
+			}
+		} else {
+			while ((size_t)(val_out - unescaped_val + 1) < sizeof(unescaped_val)
+			&& gldns_parse_char( (uint8_t*) val_out, &val_in)) {
+				val_out++;
+			}
+		}
+		*val_out = 0;
+
+		return gldns_str2wire_svcparam_value(str, eq_pos - str, 
+		                                         unescaped_val[0] ? unescaped_val : NULL, rd, rd_len);
+	}
+	/* case: key= */
+	else if (eq_pos != NULL && !(eq_pos[1])) { 
+		return gldns_str2wire_svcparam_value(str, eq_pos - str, NULL, rd, rd_len);
+	}
+	/* case: key */
+	else {
+		return gldns_str2wire_svcparam_value(str, strlen(str), NULL, rd, rd_len);
+	}
+}
+
 int gldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len,
 	gldns_rdf_type rdftype)
 {
@@ -997,6 +1696,10 @@ int gldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len,
 		return gldns_str2wire_hip_buf(str, rd, len);
 	case GLDNS_RDF_TYPE_INT16_DATA:
 		return gldns_str2wire_int16_data_buf(str, rd, len);
+	case GLDNS_RDF_TYPE_AMTRELAY:
+		return gldns_str2wire_amtrelay_buf(str, rd, len);
+	case GLDNS_RDF_TYPE_SVCPARAM:
+		return gldns_str2wire_svcparam_buf(str, rd, len);
 	case GLDNS_RDF_TYPE_UNKNOWN:
 	case GLDNS_RDF_TYPE_SERVICE:
 		return GLDNS_WIREPARSE_ERR_NOT_IMPL;
@@ -1094,7 +1797,7 @@ int gldns_str2wire_str_buf(const char* str, uint8_t* rd, size_t* len)
 	while(gldns_parse_char(&ch, &s)) {
 		if(sl >= 255)
 			return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR, s-str);
-		if(*len < sl+1)
+		if(*len < sl+2)
 			return RET_ERR(GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL,
 				s-str);
 		rd[++sl] = ch;
@@ -1225,6 +1928,17 @@ int gldns_str2wire_b32_ext_buf(const char* str, uint8_t* rd, size_t* len)
 	return GLDNS_WIREPARSE_ERR_OK;
 }
 
+/** see if the string ends, or ends in whitespace */
+static int
+gldns_is_last_of_string(const char* str)
+{
+	if(*str == 0) return 1;
+	while(isspace((unsigned char)*str))
+		str++;
+	if(*str == 0) return 1;
+	return 0;
+}
+
 int gldns_str2wire_hex_buf(const char* str, uint8_t* rd, size_t* len)
 {
 	const char* s = str;
@@ -1234,7 +1948,7 @@ int gldns_str2wire_hex_buf(const char* str, uint8_t* rd, size_t* len)
 			s++;
 			continue;
 		}
-		if(dlen == 0 && *s == '0' && *(s+1) == 0) {
+		if(dlen == 0 && *s == '0' && gldns_is_last_of_string(s+1)) {
 			*len = 0;
 			return GLDNS_WIREPARSE_ERR_OK;
 		}
@@ -1456,9 +2170,13 @@ int gldns_str2wire_tsigtime_buf(const char* str, uint8_t* rd, size_t* len)
 int gldns_str2wire_period_buf(const char* str, uint8_t* rd, size_t* len)
 {
 	const char* end;
-	uint32_t p = gldns_str2period(str, &end);
+	int overflow;
+	uint32_t p = gldns_str2period(str, &end, &overflow);
 	if(*end != 0)
 		return RET_ERR(GLDNS_WIREPARSE_ERR_SYNTAX_PERIOD, end-str);
+	if(overflow)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW,
+			end-str);
 	if(*len < 4)
 		return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
 	gldns_write_uint32(rd, p);
@@ -1471,13 +2189,17 @@ static int
 loc_parse_cm(char* my_str, char** endstr, uint8_t* m, uint8_t* e)
 {
 	uint32_t meters = 0, cm = 0, val;
+	char* cm_endstr;
 	while (isblank((unsigned char)*my_str)) {
 		my_str++;
 	}
 	meters = (uint32_t)strtol(my_str, &my_str, 10);
 	if (*my_str == '.') {
 		my_str++;
-		cm = (uint32_t)strtol(my_str, &my_str, 10);
+		cm = (uint32_t)strtol(my_str, &cm_endstr, 10);
+		if(cm_endstr == my_str + 1)
+			cm *= 10;
+		my_str = cm_endstr;
 	}
 	if (meters >= 1) {
 		*e = 2;
@@ -2084,6 +2806,8 @@ int gldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len)
 	char* s;
 	int n;
 	n = strtol(str, &s, 10);
+	if(n < 0) /* negative number not allowed */
+		return GLDNS_WIREPARSE_ERR_SYNTAX;
 	if(*len < ((size_t)n)+2)
 		return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
 	if(n > 65535)
@@ -2107,3 +2831,77 @@ int gldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len)
 	*len = ((size_t)n)+2;
 	return GLDNS_WIREPARSE_ERR_OK;
 }
+
+int gldns_str2wire_amtrelay_buf(const char* str, uint8_t* rd, size_t* len)
+{
+	size_t relay_len = 0;
+	int s;
+	uint8_t relay_type;
+	char token[512];
+	gldns_buffer strbuf;
+	gldns_buffer_init_frm_data(&strbuf, (uint8_t*)str, strlen(str));
+
+	if(*len < 2)
+		return GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+	/* precedence */
+	if(gldns_bget_token(&strbuf, token, "\t\n ", sizeof(token)) <= 0)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR,
+			gldns_buffer_position(&strbuf));
+	rd[0] = (uint8_t)atoi(token);
+	/* discovery_optional */
+	if(gldns_bget_token(&strbuf, token, "\t\n ", sizeof(token)) <= 0)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR,
+			gldns_buffer_position(&strbuf));
+	if ((token[0] != '0' && token[0] != '1') || token[1] != 0)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR,
+			gldns_buffer_position(&strbuf));
+
+	rd[1] = *token == '1' ? 0x80 : 0x00;
+	/* relay_type */
+	if(gldns_bget_token(&strbuf, token, "\t\n ", sizeof(token)) <= 0)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR,
+			gldns_buffer_position(&strbuf));
+	relay_type = (uint8_t)atoi(token);
+	if (relay_type > 0x7F)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR,
+			gldns_buffer_position(&strbuf));
+	rd[1] |= relay_type;
+
+	if (relay_type == 0) {
+		*len = 2;
+		return GLDNS_WIREPARSE_ERR_OK;
+	}
+	/* relay */
+	if(gldns_bget_token(&strbuf, token, "\t\n ", sizeof(token)) <= 0)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR,
+			gldns_buffer_position(&strbuf));
+	if(relay_type == 1) {
+		/* IP4 */
+		relay_len = *len - 2;
+		s = gldns_str2wire_a_buf(token, rd+2, &relay_len);
+		if(s) return RET_ERR_SHIFT(s, gldns_buffer_position(&strbuf));
+	} else if(relay_type == 2) {
+		/* IP6 */
+		relay_len = *len - 2;
+		s = gldns_str2wire_aaaa_buf(token, rd+2, &relay_len);
+		if(s) return RET_ERR_SHIFT(s, gldns_buffer_position(&strbuf));
+	} else if(relay_type == 3) {
+		/* DNAME */
+		relay_len = *len - 2;
+		s = gldns_str2wire_dname_buf(token, rd+2, &relay_len);
+		if(s) return RET_ERR_SHIFT(s, gldns_buffer_position(&strbuf));
+	} else {
+		/* unknown gateway type */
+		return RET_ERR(GLDNS_WIREPARSE_ERR_INVALID_STR,
+			gldns_buffer_position(&strbuf));
+	}
+	/* double check for size */
+	if(*len < 2 + relay_len)
+		return RET_ERR(GLDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL,
+			gldns_buffer_position(&strbuf));
+
+	*len = 2 + relay_len;
+	return GLDNS_WIREPARSE_ERR_OK;
+}
+
+

src/gldns/str2wire.h

@@ -23,10 +23,27 @@ extern "C" {
 #endif
 struct gldns_struct_lookup_table;
 
+#define GLDNS_IP4ADDRLEN      (32/8)
+#define GLDNS_IP6ADDRLEN      (128/8)
+
 /** buffer to read an RR, cannot be larger than 64K because of packet size */
 #define GLDNS_RR_BUF_SIZE 65535 /* bytes */
 #define GLDNS_DEFAULT_TTL	3600
 
+/* SVCB keys currently defined in draft-ietf-dnsop-svcb-https */
+#define SVCB_KEY_MANDATORY		0
+#define SVCB_KEY_ALPN			1
+#define SVCB_KEY_NO_DEFAULT_ALPN	2
+#define SVCB_KEY_PORT			3
+#define SVCB_KEY_IPV4HINT		4
+#define SVCB_KEY_ECH			5
+#define SVCB_KEY_IPV6HINT		6
+#define SVCPARAMKEY_COUNT		7
+
+#define MAX_NUMBER_OF_SVCPARAMS	64
+
+#define SVCB_MAX_COMMA_SEPARATED_VALUES	1000
+
 /*
  * To convert class and type to string see
  * gldns_get_rr_class_by_name(str)
@@ -170,7 +187,7 @@ uint8_t* gldns_wirerr_get_rdatawl(uint8_t* rr, size_t len, size_t dname_len);
 #define GLDNS_WIREPARSE_MASK 0x0fff
 #define GLDNS_WIREPARSE_SHIFT 12
 #define GLDNS_WIREPARSE_ERROR(e) ((e)&GLDNS_WIREPARSE_MASK)
-#define GLDNS_WIREPARSE_OFFSET(e) (((e)&~GLDNS_WIREPARSE_MASK)>>GLDNS_WIREPARSE_SHIFT)
+#define GLDNS_WIREPARSE_OFFSET(e) ((((unsigned)(e))&~GLDNS_WIREPARSE_MASK)>>GLDNS_WIREPARSE_SHIFT)
 /* use lookuptable to get error string, gldns_wireparse_errors */
 #define GLDNS_WIREPARSE_ERR_OK 0
 #define GLDNS_WIREPARSE_ERR_GENERAL 342
@@ -204,6 +221,20 @@ uint8_t* gldns_wirerr_get_rdatawl(uint8_t* rr, size_t len, size_t dname_len);
 #define GLDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW 370
 #define GLDNS_WIREPARSE_ERR_INCLUDE 371
 #define GLDNS_WIREPARSE_ERR_PARENTHESIS 372
+#define GLDNS_WIREPARSE_ERR_SVCB_UNKNOWN_KEY 373
+#define GLDNS_WIREPARSE_ERR_SVCB_MISSING_PARAM 374
+#define GLDNS_WIREPARSE_ERR_SVCB_TOO_MANY_PARAMS 375
+#define GLDNS_WIREPARSE_ERR_SVCB_DUPLICATE_KEYS 376
+#define GLDNS_WIREPARSE_ERR_SVCB_MANDATORY_TOO_MANY_KEYS 377
+#define GLDNS_WIREPARSE_ERR_SVCB_MANDATORY_MISSING_PARAM 378
+#define GLDNS_WIREPARSE_ERR_SVCB_MANDATORY_DUPLICATE_KEY 379
+#define GLDNS_WIREPARSE_ERR_SVCB_MANDATORY_IN_MANDATORY 380
+#define GLDNS_WIREPARSE_ERR_SVCB_PORT_VALUE_SYNTAX 381
+#define GLDNS_WIREPARSE_ERR_SVCB_IPV4_TOO_MANY_ADDRESSES 382
+#define GLDNS_WIREPARSE_ERR_SVCB_IPV6_TOO_MANY_ADDRESSES 383
+#define GLDNS_WIREPARSE_ERR_SVCB_ALPN_KEY_TOO_LARGE 384
+#define GLDNS_WIREPARSE_ERR_SVCB_NO_DEFAULT_ALPN_VALUE 385
+#define GLDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA 386
 
 /**
  * Get reference to a constant string for the (parse) error.
@@ -554,6 +585,15 @@ int gldns_str2wire_hip_buf(const char* str, uint8_t* rd, size_t* len);
  */
 int gldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len);
 
+/**
+ * Convert rdf of type GLDNS_RDF_TYPE_AMTRELAY from string to wireformat.
+ * @param str: the text to convert for this rdata element.
+ * @param rd: rdata buffer for the wireformat.
+ * @param len: length of rd buffer on input, used length on output.
+ * @return 0 on success, error on failure.
+ */
+int gldns_str2wire_amtrelay_buf(const char* str, uint8_t* rd, size_t* len);
+
 /**
  * Strip whitespace from the start and the end of line.
  * @param line: modified with 0 to shorten it.

src/gldns/wire2str.c

@@ -14,6 +14,7 @@
  * Contains functions to translate the wireformat to text
  * representation, as well as functions to print them.
  */
+#include <stdlib.h>
 #include "config.h"
 #include "gldns/wire2str.h"
 #include "gldns/str2wire.h"
@@ -25,7 +26,9 @@
 #ifdef HAVE_TIME_H
 #include <time.h>
 #endif
+#ifdef HAVE_SYS_TIME_H
 #include <sys/time.h>
+#endif
 #include <stdarg.h>
 #include <ctype.h>
 #ifdef HAVE_NETDB_H
@@ -148,6 +151,30 @@ static gldns_lookup_table gldns_wireparse_errors_data[] = {
 	{ GLDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW, "Syntax error, integer overflow" },
 	{ GLDNS_WIREPARSE_ERR_INCLUDE, "$INCLUDE directive was seen in the zone" },
 	{ GLDNS_WIREPARSE_ERR_PARENTHESIS, "Parse error, parenthesis mismatch" },
+	{ GLDNS_WIREPARSE_ERR_SVCB_UNKNOWN_KEY, "Unknown SvcParamKey"},
+	{ GLDNS_WIREPARSE_ERR_SVCB_MISSING_PARAM, "SvcParam is missing a SvcParamValue"},
+	{ GLDNS_WIREPARSE_ERR_SVCB_DUPLICATE_KEYS, "Duplicate SVCB key found"},
+	{ GLDNS_WIREPARSE_ERR_SVCB_MANDATORY_TOO_MANY_KEYS, "Too many keys in mandatory" },
+	{ GLDNS_WIREPARSE_ERR_SVCB_TOO_MANY_PARAMS,
+		"Too many SvcParams. Unbound only allows 63 entries" },
+	{ GLDNS_WIREPARSE_ERR_SVCB_MANDATORY_MISSING_PARAM,
+		"Mandatory SvcParamKey is missing"},
+	{ GLDNS_WIREPARSE_ERR_SVCB_MANDATORY_DUPLICATE_KEY,
+		"Keys in SvcParam mandatory MUST be unique" },
+	{ GLDNS_WIREPARSE_ERR_SVCB_MANDATORY_IN_MANDATORY, 
+		"mandatory MUST not be included as mandatory parameter" },
+	{ GLDNS_WIREPARSE_ERR_SVCB_PORT_VALUE_SYNTAX,
+		"Could not parse port SvcParamValue" },
+	{ GLDNS_WIREPARSE_ERR_SVCB_IPV4_TOO_MANY_ADDRESSES,
+		"Too many IPv4 addresses in ipv4hint" },
+	{ GLDNS_WIREPARSE_ERR_SVCB_IPV6_TOO_MANY_ADDRESSES,
+		"Too many IPv6 addresses in ipv6hint" },
+	{ GLDNS_WIREPARSE_ERR_SVCB_ALPN_KEY_TOO_LARGE,
+		"Alpn strings need to be smaller than 255 chars"},
+	{ GLDNS_WIREPARSE_ERR_SVCB_NO_DEFAULT_ALPN_VALUE,
+		"No-default-alpn should not have a value" },
+	{ GLDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA,
+		"General SVCParam error" },
 	{ 0, NULL }
 };
 gldns_lookup_table* gldns_wireparse_errors = gldns_wireparse_errors_data;
@@ -169,6 +196,7 @@ static gldns_lookup_table gldns_edns_options_data[] = {
 	{ 8, "edns-client-subnet" },
 	{ 11, "edns-tcp-keepalive"},
 	{ 12, "Padding" },
+	{ 15, "EDE"},
 	{ 0, NULL}
 };
 gldns_lookup_table* gldns_edns_options = gldns_edns_options_data;
@@ -195,6 +223,12 @@ static gldns_lookup_table gldns_tsig_errors_data[] = {
 };
 gldns_lookup_table* gldns_tsig_errors = gldns_tsig_errors_data;
 
+/* draft-ietf-dnsop-svcb-https-06: 6. Initial SvcParamKeys */
+const char *svcparamkey_strs[] = {
+	"mandatory", "alpn", "no-default-alpn", "port",
+	"ipv4hint", "ech", "ipv6hint"
+};
+
 char* gldns_wire2str_pkt(uint8_t* data, size_t len)
 {
 	size_t slen = (size_t)gldns_wire2str_pkt_buf(data, len, NULL, 0);
@@ -252,13 +286,13 @@ int gldns_wire2str_pkt_buf(uint8_t* d, size_t dlen, char* s, size_t slen)
 int gldns_wire2str_rr_buf(uint8_t* d, size_t dlen, char* s, size_t slen)
 {
 	/* use arguments as temporary variables */
-	return gldns_wire2str_rr_scan(&d, &dlen, &s, &slen, NULL, 0);
+	return gldns_wire2str_rr_scan(&d, &dlen, &s, &slen, NULL, 0, NULL);
 }
 
 int gldns_wire2str_rrquestion_buf(uint8_t* d, size_t dlen, char* s, size_t slen)
 {
 	/* use arguments as temporary variables */
-	return gldns_wire2str_rrquestion_scan(&d, &dlen, &s, &slen, NULL, 0);
+	return gldns_wire2str_rrquestion_scan(&d, &dlen, &s, &slen, NULL, 0, NULL);
 }
 
 int gldns_wire2str_rdata_buf(uint8_t* rdata, size_t rdata_len, char* str,
@@ -266,13 +300,13 @@ int gldns_wire2str_rdata_buf(uint8_t* rdata, size_t rdata_len, char* str,
 {
 	/* use arguments as temporary variables */
 	return gldns_wire2str_rdata_scan(&rdata, &rdata_len, &str, &str_len,
-		rrtype, NULL, 0);
+		rrtype, NULL, 0, NULL);
 }
 
 int gldns_wire2str_rr_unknown_buf(uint8_t* d, size_t dlen, char* s, size_t slen)
 {
 	/* use arguments as temporary variables */
-	return gldns_wire2str_rr_unknown_scan(&d, &dlen, &s, &slen, NULL, 0);
+	return gldns_wire2str_rr_unknown_scan(&d, &dlen, &s, &slen, NULL, 0, NULL);
 }
 
 int gldns_wire2str_rr_comment_buf(uint8_t* rr, size_t rrlen, size_t dname_len,
@@ -310,7 +344,7 @@ int gldns_wire2str_opcode_buf(int opcode, char* s, size_t slen)
 int gldns_wire2str_dname_buf(uint8_t* d, size_t dlen, char* s, size_t slen)
 {
 	/* use arguments as temporary variables */
-	return gldns_wire2str_dname_scan(&d, &dlen, &s, &slen, NULL, 0);
+	return gldns_wire2str_dname_scan(&d, &dlen, &s, &slen, NULL, 0, NULL);
 }
 
 int gldns_str_vprint(char** str, size_t* slen, const char* format, va_list args)
@@ -365,7 +399,7 @@ static int print_remainder_hex(const char* pref, uint8_t** d, size_t* dlen,
 
 int gldns_wire2str_pkt_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen)
 {
-	int w = 0;
+	int w = 0, comprloop = 0;
 	unsigned qdcount, ancount, nscount, arcount, i;
 	uint8_t* pkt = *d;
 	size_t pktlen = *dlen;
@@ -382,25 +416,25 @@ int gldns_wire2str_pkt_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen)
 	w += gldns_str_print(s, slen, ";; QUESTION SECTION:\n");
 	for(i=0; i<qdcount; i++) {
 		w += gldns_wire2str_rrquestion_scan(d, dlen, s, slen,
-			pkt, pktlen);
+			pkt, pktlen, &comprloop);
 		if(!*dlen) break;
 	}
 	w += gldns_str_print(s, slen, "\n");
 	w += gldns_str_print(s, slen, ";; ANSWER SECTION:\n");
 	for(i=0; i<ancount; i++) {
-		w += gldns_wire2str_rr_scan(d, dlen, s, slen, pkt, pktlen);
+		w += gldns_wire2str_rr_scan(d, dlen, s, slen, pkt, pktlen, &comprloop);
 		if(!*dlen) break;
 	}
 	w += gldns_str_print(s, slen, "\n");
 	w += gldns_str_print(s, slen, ";; AUTHORITY SECTION:\n");
 	for(i=0; i<nscount; i++) {
-		w += gldns_wire2str_rr_scan(d, dlen, s, slen, pkt, pktlen);
+		w += gldns_wire2str_rr_scan(d, dlen, s, slen, pkt, pktlen, &comprloop);
 		if(!*dlen) break;
 	}
 	w += gldns_str_print(s, slen, "\n");
 	w += gldns_str_print(s, slen, ";; ADDITIONAL SECTION:\n");
 	for(i=0; i<arcount; i++) {
-		w += gldns_wire2str_rr_scan(d, dlen, s, slen, pkt, pktlen);
+		w += gldns_wire2str_rr_scan(d, dlen, s, slen, pkt, pktlen, &comprloop);
 		if(!*dlen) break;
 	}
 	/* other fields: WHEN(time), SERVER(IP) not available here. */
@@ -449,7 +483,7 @@ static int gldns_rr_tcttl_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 }
 
 int gldns_wire2str_rr_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
-	uint8_t* pkt, size_t pktlen)
+	uint8_t* pkt, size_t pktlen, int* comprloop)
 {
 	int w = 0;
 	uint8_t* rr = *d;
@@ -464,7 +498,7 @@ int gldns_wire2str_rr_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
 
 	/* try to scan the rdata with pretty-printing, but if that fails, then
 	 * scan the rdata as an unknown RR type */
-	w += gldns_wire2str_dname_scan(d, dlen, s, slen, pkt, pktlen);
+	w += gldns_wire2str_dname_scan(d, dlen, s, slen, pkt, pktlen, comprloop);
 	w += gldns_str_print(s, slen, "\t");
 	dname_off = rrlen-(*dlen);
 	if(*dlen == 4) {
@@ -508,7 +542,8 @@ int gldns_wire2str_rr_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
 		w += print_remainder_hex(";Error partial rdata 0x", d, dlen, s, slen);
 		return w + gldns_str_print(s, slen, "\n");
 	}
-	w += gldns_wire2str_rdata_scan(d, &rdlen, s, slen, rrtype, pkt, pktlen);
+	w += gldns_wire2str_rdata_scan(d, &rdlen, s, slen, rrtype, pkt, pktlen,
+		comprloop);
 	(*dlen) -= (ordlen-rdlen);
 
 	/* default comment */
@@ -519,11 +554,11 @@ int gldns_wire2str_rr_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
 }
 
 int gldns_wire2str_rrquestion_scan(uint8_t** d, size_t* dlen, char** s,
-	size_t* slen, uint8_t* pkt, size_t pktlen)
+	size_t* slen, uint8_t* pkt, size_t pktlen, int* comprloop)
 {
 	int w = 0;
 	uint16_t t, c;
-	w += gldns_wire2str_dname_scan(d, dlen, s, slen, pkt, pktlen);
+	w += gldns_wire2str_dname_scan(d, dlen, s, slen, pkt, pktlen, comprloop);
 	w += gldns_str_print(s, slen, "\t");
 	if(*dlen < 4) {
 		if(*dlen == 0)
@@ -543,11 +578,11 @@ int gldns_wire2str_rrquestion_scan(uint8_t** d, size_t* dlen, char** s,
 }
 
 int gldns_wire2str_rr_unknown_scan(uint8_t** d, size_t* dlen, char** s,
-	size_t* slen, uint8_t* pkt, size_t pktlen)
+	size_t* slen, uint8_t* pkt, size_t pktlen, int* comprloop)
 {
 	size_t rdlen, ordlen;
 	int w = 0;
-	w += gldns_wire2str_dname_scan(d, dlen, s, slen, pkt, pktlen);
+	w += gldns_wire2str_dname_scan(d, dlen, s, slen, pkt, pktlen, comprloop);
 	w += gldns_str_print(s, slen, "\t");
 	w += gldns_rr_tcttl_scan(d, dlen, s, slen);
 	w += gldns_str_print(s, slen, "\t");
@@ -585,6 +620,7 @@ static int rr_comment_dnskey(char** s, size_t* slen, uint8_t* rr,
 	if(rrlen < dname_off + 10) return 0;
 	rdlen = gldns_read_uint16(rr+dname_off+8);
 	if(rrlen < dname_off + 10 + rdlen) return 0;
+	if(rdlen < 2) return 0;
 	rdata = rr + dname_off + 10;
 	flags = (int)gldns_read_uint16(rdata);
 	w += gldns_str_print(s, slen, " ;{");
@@ -698,7 +734,8 @@ int gldns_wire2str_header_scan(uint8_t** d, size_t* dlen, char** s,
 }
 
 int gldns_wire2str_rdata_scan(uint8_t** d, size_t* dlen, char** s,
-	size_t* slen, uint16_t rrtype, uint8_t* pkt, size_t pktlen)
+	size_t* slen, uint16_t rrtype, uint8_t* pkt, size_t pktlen,
+	int* comprloop)
 {
 	/* try to prettyprint, but if that fails, use unknown format */
 	uint8_t* origd = *d;
@@ -724,7 +761,7 @@ int gldns_wire2str_rdata_scan(uint8_t** d, size_t* dlen, char** s,
 		if(r_cnt != 0)
 			w += gldns_str_print(s, slen, " ");
 		n = gldns_wire2str_rdf_scan(d, dlen, s, slen, rdftype,
-			pkt, pktlen);
+			pkt, pktlen, comprloop);
 		if(n == -1) {
 		failed:
 			/* failed, use unknown format */
@@ -775,21 +812,28 @@ static int dname_char_print(char** s, size_t* slen, uint8_t c)
 }
 
 int gldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
-	uint8_t* pkt, size_t pktlen)
+	uint8_t* pkt, size_t pktlen, int* comprloop)
 {
 	int w = 0;
 	/* spool labels onto the string, use compression if its there */
 	uint8_t* pos = *d;
 	unsigned i, counter=0;
-	const unsigned maxcompr = 1000; /* loop detection, max compr ptrs */
+	unsigned maxcompr = 1000; /* loop detection, max compr ptrs */
 	int in_buf = 1;
+	size_t dname_len = 0;
+	if(comprloop) {
+		if(*comprloop != 0)
+			maxcompr = 30; /* for like ipv6 reverse name, per label */
+		if(*comprloop > 4)
+			maxcompr = 4; /* just don't want to spend time, any more */
+	}
 	if(*dlen == 0) return gldns_str_print(s, slen, "ErrorMissingDname");
 	if(*pos == 0) {
 		(*d)++;
 		(*dlen)--;
 		return gldns_str_print(s, slen, ".");
 	}
-	while(*pos) {
+	while((!pkt || pos < pkt+pktlen) && *pos) {
 		/* read label length */
 		uint8_t labellen = *pos++;
 		if(in_buf) { (*d)++; (*dlen)--; }
@@ -810,9 +854,12 @@ int gldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
 			if(!pkt || target >= pktlen)
 				return w + gldns_str_print(s, slen,
 					"ErrorComprPtrOutOfBounds");
-			if(counter++ > maxcompr)
+			if(counter++ > maxcompr) {
+				if(comprloop && *comprloop < 10)
+					(*comprloop)++;
 				return w + gldns_str_print(s, slen,
 					"ErrorComprPtrLooped");
+			}
 			in_buf = 0;
 			pos = pkt+target;
 			continue;
@@ -829,6 +876,16 @@ int gldns_wire2str_dname_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
 			labellen = (uint8_t)*dlen;
 		else if(!in_buf && pos+(size_t)labellen > pkt+pktlen)
 			labellen = (uint8_t)(pkt + pktlen - pos);
+		dname_len += ((size_t)labellen)+1;
+		if(dname_len > GLDNS_MAX_DOMAINLEN) {
+			/* dname_len counts the uncompressed length we have
+			 * seen so far, and the domain name has become too
+			 * long, prevent the loop from printing overly long
+			 * content. */
+			w += gldns_str_print(s, slen,
+				"ErrorDomainNameTooLong");
+			return w;
+		}
 		for(i=0; i<(unsigned)labellen; i++) {
 			w += dname_char_print(s, slen, *pos++);
 		}
@@ -927,15 +984,262 @@ int gldns_wire2str_ttl_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen)
 	return gldns_str_print(s, slen, "%u", (unsigned)ttl);
 }
 
+static int
+gldns_print_svcparamkey(char** s, size_t* slen, uint16_t svcparamkey)
+{
+	if (svcparamkey < SVCPARAMKEY_COUNT) {
+		return gldns_str_print(s, slen, "%s", svcparamkey_strs[svcparamkey]);
+	}
+	else {
+		return gldns_str_print(s, slen, "key%d", (int)svcparamkey);
+	}
+}
+
+static int gldns_wire2str_svcparam_port2str(char** s,
+	size_t* slen, uint16_t data_len, uint8_t* data)
+{
+	int w = 0;
+
+	if (data_len != 2)
+		return -1; /* wireformat error, a short is 2 bytes */
+	w = gldns_str_print(s, slen, "=%d", (int)gldns_read_uint16(data));
+
+	return w;
+}
+
+static int gldns_wire2str_svcparam_ipv4hint2str(char** s,
+	size_t* slen, uint16_t data_len, uint8_t* data)
+{
+	char ip_str[INET_ADDRSTRLEN + 1];
+
+	int w = 0;
+
+	assert(data_len > 0);
+
+	if ((data_len % GLDNS_IP4ADDRLEN) == 0) {
+		if (inet_ntop(AF_INET, data, ip_str, sizeof(ip_str)) == NULL)
+			return -1; /* wireformat error, incorrect size or inet family */
+
+		w += gldns_str_print(s, slen, "=%s", ip_str);
+		data += GLDNS_IP4ADDRLEN;
+
+		while ((data_len -= GLDNS_IP4ADDRLEN) > 0) {
+			if (inet_ntop(AF_INET, data, ip_str, sizeof(ip_str)) == NULL)
+				return -1; /* wireformat error, incorrect size or inet family */
+
+			w += gldns_str_print(s, slen, ",%s", ip_str);
+			data += GLDNS_IP4ADDRLEN;
+		}
+	} else
+		return -1;
+
+	return w;
+}
+
+static int gldns_wire2str_svcparam_ipv6hint2str(char** s,
+	size_t* slen, uint16_t data_len, uint8_t* data)
+{
+	char ip_str[INET6_ADDRSTRLEN + 1];
+
+	int w = 0;
+
+	assert(data_len > 0);
+
+	if ((data_len % GLDNS_IP6ADDRLEN) == 0) {
+		if (inet_ntop(AF_INET6, data, ip_str, sizeof(ip_str)) == NULL)
+			return -1; /* wireformat error, incorrect size or inet family */
+
+		w += gldns_str_print(s, slen, "=%s", ip_str);
+		data += GLDNS_IP6ADDRLEN;
+
+		while ((data_len -= GLDNS_IP6ADDRLEN) > 0) {
+			if (inet_ntop(AF_INET6, data, ip_str, sizeof(ip_str)) == NULL)
+				return -1; /* wireformat error, incorrect size or inet family */
+
+			w += gldns_str_print(s, slen, ",%s", ip_str);
+			data += GLDNS_IP6ADDRLEN;
+		}
+	} else
+		return -1;
+
+	return w;
+}
+
+static int gldns_wire2str_svcparam_mandatory2str(char** s,
+	size_t* slen, uint16_t data_len, uint8_t* data)
+{
+	int w = 0;
+
+	assert(data_len > 0);
+
+	if (data_len % sizeof(uint16_t))
+		return -1; /* wireformat error, data_len must be multiple of shorts */
+	w += gldns_str_print(s, slen, "=");
+	w += gldns_print_svcparamkey(s, slen, gldns_read_uint16(data));
+	data += 2;
+
+	while ((data_len -= sizeof(uint16_t))) {
+		w += gldns_str_print(s, slen, ",");
+		w += gldns_print_svcparamkey(s, slen, gldns_read_uint16(data));
+		data += 2;
+	}
+
+	return w;
+}
+
+static int gldns_wire2str_svcparam_alpn2str(char** s,
+	size_t* slen, uint16_t data_len, uint8_t* data)
+{
+	uint8_t *dp = (void *)data;
+	int w = 0;
+
+	assert(data_len > 0); /* Guaranteed by gldns_wire2str_svcparam_scan */
+
+	w += gldns_str_print(s, slen, "=\"");
+	while (data_len) {
+		/* alpn is list of length byte (str_len) followed by a string of that size */
+		uint8_t i, str_len = *dp++;
+
+		if (str_len > --data_len)
+			return -1;
+
+		for (i = 0; i < str_len; i++) {
+			if (dp[i] == '"' || dp[i] == '\\')
+				w += gldns_str_print(s, slen, "\\\\\\%c", dp[i]);
+
+			else if (dp[i] == ',')
+				w += gldns_str_print(s, slen, "\\\\%c", dp[i]);
+
+			else if (!isprint(dp[i]))
+				w += gldns_str_print(s, slen, "\\%03u", (unsigned) dp[i]);
+
+			else
+				w += gldns_str_print(s, slen, "%c", dp[i]);
+		}
+		dp += str_len;
+		if ((data_len -= str_len))
+			w += gldns_str_print(s, slen, "%s", ",");
+	}
+	w += gldns_str_print(s, slen, "\"");
+	
+	return w;
+}
+
+static int gldns_wire2str_svcparam_ech2str(char** s,
+	size_t* slen, uint16_t data_len, uint8_t* data)
+{
+	int size;
+	int w = 0;
+
+	assert(data_len > 0); /* Guaranteed by gldns_wire2str_svcparam_scan */
+
+	w += gldns_str_print(s, slen, "=\"");
+
+	if ((size = gldns_b64_ntop(data, data_len, *s, *slen)) < 0)
+		return -1;
+
+	(*s) += size;
+	(*slen) -= size;
+
+	w += gldns_str_print(s, slen, "\"");	
+
+	return w + size;
+}
+
+int gldns_wire2str_svcparam_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen)
+{
+	uint8_t ch;
+	uint16_t svcparamkey, data_len;
+	int written_chars = 0;
+	int r, i;
+
+	/* verify that we have enough data to read svcparamkey and data_len */
+	if(*dlen < 4)
+		return -1;
+
+	svcparamkey = gldns_read_uint16(*d);
+	data_len = gldns_read_uint16(*d+2);
+	*d    += 4;
+	*dlen -= 4;
+
+	/* verify that we have data_len data */
+	if (data_len > *dlen)
+		return -1; 
+
+	written_chars += gldns_print_svcparamkey(s, slen, svcparamkey);
+	if (!data_len) {
+
+	 	/* Some SvcParams MUST have values */
+	 	switch (svcparamkey) {
+	 	case SVCB_KEY_ALPN:
+	 	case SVCB_KEY_PORT:
+	 	case SVCB_KEY_IPV4HINT:
+	 	case SVCB_KEY_IPV6HINT:
+	 	case SVCB_KEY_MANDATORY:
+	 		return -1;
+	 	default:
+	 		return written_chars;
+	 	}
+	}
+
+	switch (svcparamkey) {
+	case SVCB_KEY_PORT:
+		r = gldns_wire2str_svcparam_port2str(s, slen, data_len, *d);
+		break;
+	case SVCB_KEY_IPV4HINT:
+		r = gldns_wire2str_svcparam_ipv4hint2str(s, slen, data_len, *d);
+		break;
+	case SVCB_KEY_IPV6HINT:
+		r = gldns_wire2str_svcparam_ipv6hint2str(s, slen, data_len, *d);
+		break;
+	case SVCB_KEY_MANDATORY:
+		r = gldns_wire2str_svcparam_mandatory2str(s, slen, data_len, *d);
+		break;
+	case SVCB_KEY_NO_DEFAULT_ALPN:
+		return -1;  /* wireformat error, should not have a value */
+	case SVCB_KEY_ALPN:
+		r = gldns_wire2str_svcparam_alpn2str(s, slen, data_len, *d);
+		break;
+	case SVCB_KEY_ECH:
+		r = gldns_wire2str_svcparam_ech2str(s, slen, data_len, *d);
+		break;
+	default:
+		r = gldns_str_print(s, slen, "=\"");
+
+		for (i = 0; i < data_len; i++) {
+			ch = (*d)[i];
+
+			if (ch == '"' || ch == '\\')
+				r += gldns_str_print(s, slen, "\\%c", ch);
+
+			else if (!isprint(ch))
+				r += gldns_str_print(s, slen, "\\%03u", (unsigned) ch);
+
+			else
+				r += gldns_str_print(s, slen, "%c", ch);
+
+		}
+		r += gldns_str_print(s, slen, "\"");
+		break;
+	}
+	if (r <= 0)
+		return -1; /* wireformat error */
+	
+	written_chars += r;
+	*d    += data_len;
+	*dlen -= data_len;
+	return written_chars;
+}
+
 int gldns_wire2str_rdf_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
-	int rdftype, uint8_t* pkt, size_t pktlen)
+	int rdftype, uint8_t* pkt, size_t pktlen, int* comprloop)
 {
 	if(*dlen == 0) return 0;
 	switch(rdftype) {
 	case GLDNS_RDF_TYPE_NONE:
 		return 0;
 	case GLDNS_RDF_TYPE_DNAME:
-		return gldns_wire2str_dname_scan(d, dlen, s, slen, pkt, pktlen);
+		return gldns_wire2str_dname_scan(d, dlen, s, slen, pkt, pktlen, comprloop);
 	case GLDNS_RDF_TYPE_INT8:
 		return gldns_wire2str_int8_scan(d, dlen, s, slen);
 	case GLDNS_RDF_TYPE_INT16:
@@ -987,7 +1291,7 @@ int gldns_wire2str_rdf_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
 		return gldns_wire2str_atma_scan(d, dlen, s, slen);
 	case GLDNS_RDF_TYPE_IPSECKEY:
 		return gldns_wire2str_ipseckey_scan(d, dlen, s, slen, pkt,
-			pktlen);
+			pktlen, comprloop);
 	case GLDNS_RDF_TYPE_HIP:
 		return gldns_wire2str_hip_scan(d, dlen, s, slen);
 	case GLDNS_RDF_TYPE_INT16_DATA:
@@ -1004,6 +1308,11 @@ int gldns_wire2str_rdf_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
 		return gldns_wire2str_tag_scan(d, dlen, s, slen);
 	case GLDNS_RDF_TYPE_LONG_STR:
 		return gldns_wire2str_long_str_scan(d, dlen, s, slen);
+	case GLDNS_RDF_TYPE_AMTRELAY:
+		return gldns_wire2str_amtrelay_scan(d, dlen, s, slen, pkt,
+			pktlen, comprloop);
+	case GLDNS_RDF_TYPE_SVCPARAM:
+		return gldns_wire2str_svcparam_scan(d, dlen, s, slen);
 	case GLDNS_RDF_TYPE_TSIGERROR:
 		return gldns_wire2str_tsigerror_scan(d, dlen, s, slen);
 	}
@@ -1065,7 +1374,11 @@ int gldns_wire2str_tsigtime_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 	d4 = (*d)[4];
 	d5 = (*d)[5];
 	tsigtime = (d0<<40) | (d1<<32) | (d2<<24) | (d3<<16) | (d4<<8) | d5;
-	w = gldns_str_print(s, sl, "%"PRIu64, (uint64_t)tsigtime);
+#ifndef USE_WINSOCK
+	w = gldns_str_print(s, sl, "%llu", (long long)tsigtime);
+#else
+	w = gldns_str_print(s, sl, "%I64u", (long long)tsigtime);
+#endif
 	(*d)+=6;
 	(*dl)-=6;
 	return w;
@@ -1525,7 +1838,7 @@ int gldns_wire2str_atma_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 
 /* internal scan routine that can modify arguments on failure */
 static int gldns_wire2str_ipseckey_scan_internal(uint8_t** d, size_t* dl,
-	char** s, size_t* sl, uint8_t* pkt, size_t pktlen)
+	char** s, size_t* sl, uint8_t* pkt, size_t pktlen, int* comprloop)
 {
 	/* http://www.ietf.org/internet-drafts/draft-ietf-ipseckey-rr-12.txt*/
 	uint8_t precedence, gateway_type, algorithm;
@@ -1553,7 +1866,7 @@ static int gldns_wire2str_ipseckey_scan_internal(uint8_t** d, size_t* dl,
 		w += gldns_wire2str_aaaa_scan(d, dl, s, sl);
 		break;
 	case 3: /* dname */
-		w += gldns_wire2str_dname_scan(d, dl, s, sl, pkt, pktlen);
+		w += gldns_wire2str_dname_scan(d, dl, s, sl, pkt, pktlen, comprloop);
 		break;
 	default: /* unknown */
 		return -1;
@@ -1567,12 +1880,12 @@ static int gldns_wire2str_ipseckey_scan_internal(uint8_t** d, size_t* dl,
 }
 
 int gldns_wire2str_ipseckey_scan(uint8_t** d, size_t* dl, char** s, size_t* sl,
-	uint8_t* pkt, size_t pktlen)
+	uint8_t* pkt, size_t pktlen, int* comprloop)
 {
 	uint8_t* od = *d;
 	char* os = *s;
 	size_t odl = *dl, osl = *sl;
-	int w=gldns_wire2str_ipseckey_scan_internal(d, dl, s, sl, pkt, pktlen);
+	int w=gldns_wire2str_ipseckey_scan_internal(d, dl, s, sl, pkt, pktlen, comprloop);
 	if(w == -1) {
 		*d = od;
 		*s = os;
@@ -1703,6 +2016,61 @@ int gldns_wire2str_long_str_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 	return w;
 }
 
+/* internal scan routine that can modify arguments on failure */
+static int gldns_wire2str_amtrelay_scan_internal(uint8_t** d, size_t* dl,
+	char** s, size_t* sl, uint8_t* pkt, size_t pktlen, int* comprloop)
+{
+	/* https://www.ietf.org/id/draft-ietf-mboned-driad-amt-discovery-01.txt */
+	uint8_t precedence, discovery_optional, relay_type;
+	int w = 0;
+
+	if(*dl < 2) return -1;
+	precedence = (*d)[0];
+	discovery_optional= (*d)[1] >> 7;
+	relay_type = (*d)[1] % 0x7F;
+	if(relay_type > 3)
+		return -1; /* unknown */
+	(*d)+=2;
+	(*dl)-=2;
+	w += gldns_str_print(s, sl, "%d %d %d ",
+		(int)precedence, (int)discovery_optional, (int)relay_type);
+
+	switch(relay_type) {
+	case 0: /* no relay */
+		break;
+	case 1: /* ip4 */
+		w += gldns_wire2str_a_scan(d, dl, s, sl);
+		break;
+	case 2: /* ip6 */
+		w += gldns_wire2str_aaaa_scan(d, dl, s, sl);
+		break;
+	case 3: /* dname */
+		w += gldns_wire2str_dname_scan(d, dl, s, sl, pkt, pktlen, comprloop);
+		break;
+	default: /* unknown */
+		return -1;
+	}
+	return w;
+}
+
+int gldns_wire2str_amtrelay_scan(uint8_t** d, size_t* dl, char** s, size_t* sl,
+	uint8_t* pkt, size_t pktlen, int* comprloop)
+{
+	uint8_t* od = *d;
+	char* os = *s;
+	size_t odl = *dl, osl = *sl;
+	int w=gldns_wire2str_amtrelay_scan_internal(d, dl, s, sl, pkt, pktlen, comprloop);
+	if(w == -1) {
+		*d = od;
+		*s = os;
+		*dl = odl;
+		*sl = osl;
+		return -1;
+	}
+	return w;
+}
+
+
 int gldns_wire2str_tsigerror_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
 {
 	gldns_lookup_table *lt;
@@ -1752,8 +2120,13 @@ int gldns_wire2str_edns_llq_print(char** s, size_t* sl, uint8_t* data,
 	if(error_code < llq_errors_num)
 		w += gldns_str_print(s, sl, " %s", llq_errors[error_code]);
 	else	w += gldns_str_print(s, sl, " error %d", (int)error_code);
-	w += gldns_str_print(s, sl, " id %"PRIx64" lease-life %lu",
-		(uint64_t)llq_id, (unsigned long)lease_life);
+#ifndef USE_WINSOCK
+	w += gldns_str_print(s, sl, " id %llx lease-life %lu",
+		(unsigned long long)llq_id, (unsigned long)lease_life);
+#else
+	w += gldns_str_print(s, sl, " id %I64x lease-life %lu",
+		(unsigned long long)llq_id, (unsigned long)lease_life);
+#endif
 	return w;
 }
 
@@ -1899,8 +2272,8 @@ int gldns_wire2str_edns_subnet_print(char** s, size_t* sl, uint8_t* data,
 	return w;
 }
 
-int gldns_wire2str_edns_keepalive_print(char** s, size_t* sl, uint8_t* data,
-	size_t len)
+static int gldns_wire2str_edns_keepalive_print(char** s, size_t* sl,
+	uint8_t* data, size_t len)
 {
 	int w = 0;
 	uint16_t timeout;

src/gldns/wire2str.h

@@ -59,7 +59,7 @@ char* gldns_wire2str_pkt(uint8_t* data, size_t len);
 char* gldns_wire2str_rr(uint8_t* rr, size_t len);
 
 /**
- * Conver wire dname to a string.
+ * Convert wire dname to a string.
  * @param dname: the dname in uncompressed wireformat.
  * @param dname_len: length of the dname.
  * @return string or NULL on failure.
@@ -156,10 +156,11 @@ int gldns_wire2str_pkt_scan(uint8_t** data, size_t* data_len, char** str,
  * @param str_len: length of string buffer.
  * @param pkt: packet for decompression, if NULL no decompression.
  * @param pktlen: length of packet buffer.
+ * @param comprloop: if pkt, bool detects compression loops.
  * @return number of characters (except null) needed to print.
  */
 int gldns_wire2str_rr_scan(uint8_t** data, size_t* data_len, char** str,
-	size_t* str_len, uint8_t* pkt, size_t pktlen);
+	size_t* str_len, uint8_t* pkt, size_t pktlen, int* comprloop);
 
 /**
  * Scan wireformat question rr to string, with user buffers.
@@ -170,10 +171,11 @@ int gldns_wire2str_rr_scan(uint8_t** data, size_t* data_len, char** str,
  * @param str_len: length of string buffer.
  * @param pkt: packet for decompression, if NULL no decompression.
  * @param pktlen: length of packet buffer.
+ * @param comprloop: if pkt, bool detects compression loops.
  * @return number of characters (except null) needed to print.
  */
 int gldns_wire2str_rrquestion_scan(uint8_t** data, size_t* data_len, char** str,
-	size_t* str_len, uint8_t* pkt, size_t pktlen);
+	size_t* str_len, uint8_t* pkt, size_t pktlen, int* comprloop);
 
 /**
  * Scan wireformat RR to string in unknown RR format, with user buffers.
@@ -184,10 +186,11 @@ int gldns_wire2str_rrquestion_scan(uint8_t** data, size_t* data_len, char** str,
  * @param str_len: length of string buffer.
  * @param pkt: packet for decompression, if NULL no decompression.
  * @param pktlen: length of packet buffer.
+ * @param comprloop: if pkt, bool detects compression loops.
  * @return number of characters (except null) needed to print.
  */
 int gldns_wire2str_rr_unknown_scan(uint8_t** data, size_t* data_len, char** str,
-	size_t* str_len, uint8_t* pkt, size_t pktlen);
+	size_t* str_len, uint8_t* pkt, size_t pktlen, int* comprloop);
 
 /**
  * Print to string the RR-information comment in default format,
@@ -228,10 +231,12 @@ int gldns_wire2str_header_scan(uint8_t** data, size_t* data_len, char** str,
  * @param rrtype: RR type of Rdata, host format.
  * @param pkt: packet for decompression, if NULL no decompression.
  * @param pktlen: length of packet buffer.
+ * @param comprloop: if pkt, bool detects compression loops.
  * @return number of characters (except null) needed to print.
  */
 int gldns_wire2str_rdata_scan(uint8_t** data, size_t* data_len, char** str,
-	size_t* str_len, uint16_t rrtype, uint8_t* pkt, size_t pktlen);
+	size_t* str_len, uint16_t rrtype, uint8_t* pkt, size_t pktlen,
+	int* comprloop);
 
 /**
  * Scan wireformat rdata to string in unknown format, with user buffers.
@@ -254,10 +259,17 @@ int gldns_wire2str_rdata_unknown_scan(uint8_t** data, size_t* data_len,
  * @param str_len: length of string buffer.
  * @param pkt: packet for decompression, if NULL no decompression.
  * @param pktlen: length of packet buffer.
+ * @param comprloop: inout bool, that is set true if compression loop failure
+ * 	happens.  Pass in 0, if passsed in as true, a lower bound is set
+ * 	on compression loops to stop arbitrary long packet parse times.
+ * 	This is meant so you can set it to 0 at the start of a list of dnames,
+ * 	and then scan all of them in sequence, if a loop happens, it becomes
+ * 	true and then it becomes more strict for the next dnames in the list.
+ * 	You can leave it at NULL if there is no pkt (pkt is NULL too).
  * @return number of characters (except null) needed to print.
  */
 int gldns_wire2str_dname_scan(uint8_t** data, size_t* data_len, char** str,
-	size_t* str_len, uint8_t* pkt, size_t pktlen);
+	size_t* str_len, uint8_t* pkt, size_t pktlen, int* comprloop);
 
 /**
  * Scan wireformat rr type to string, with user buffers.
@@ -482,6 +494,18 @@ int gldns_wire2str_opcode_buf(int opcode, char* str, size_t len);
 int gldns_wire2str_dname_buf(uint8_t* dname, size_t dname_len, char* str,
 	size_t len);
 
+/**
+ * Convert wire SVCB to a string with user buffer.
+ * @param d: the SVCB data in uncompressed wireformat.
+ * @param dlen: length of the SVCB data.
+ * @param s: the string to write to.
+ * @param slen: length of string.
+ * @return the number of characters for this element, excluding zerobyte.
+ * 	Is larger or equal than str_len if output was truncated.
+ */
+int gldns_wire2str_svcparam_scan(uint8_t** d, size_t* dlen, char** s,
+	size_t* slen);
+
 /**
  * Scan wireformat rdf field to string, with user buffers.
  * It shifts the arguments to move along (see gldns_wire2str_pkt_scan).
@@ -492,11 +516,13 @@ int gldns_wire2str_dname_buf(uint8_t* dname, size_t dname_len, char* str,
  * @param rdftype: the type of the rdata field, enum gldns_rdf_type.
  * @param pkt: packet for decompression, if NULL no decompression.
  * @param pktlen: length of packet buffer.
+ * @param comprloop: if pkt, bool detects compression loops.
  * @return number of characters (except null) needed to print.
  * 	Can return -1 on failure.
  */
 int gldns_wire2str_rdf_scan(uint8_t** data, size_t* data_len, char** str,
-	size_t* str_len, int rdftype, uint8_t* pkt, size_t pktlen);
+	size_t* str_len, int rdftype, uint8_t* pkt, size_t pktlen,
+	int* comprloop);
 
 /**
  * Scan wireformat int8 field to string, with user buffers.
@@ -793,11 +819,12 @@ int gldns_wire2str_atma_scan(uint8_t** data, size_t* data_len, char** str,
  * @param str_len: length of string buffer.
  * @param pkt: packet for decompression, if NULL no decompression.
  * @param pktlen: length of packet buffer.
+ * @param comprloop: if pkt, bool detects compression loops.
  * @return number of characters (except null) needed to print.
  * 	Can return -1 on failure.
  */
 int gldns_wire2str_ipseckey_scan(uint8_t** data, size_t* data_len, char** str,
-	size_t* str_len, uint8_t* pkt, size_t pktlen);
+	size_t* str_len, uint8_t* pkt, size_t pktlen, int* comprloop);
 
 /**
  * Scan wireformat HIP (algo, HIT, pubkey) field to string, with user buffers.
@@ -916,6 +943,22 @@ int gldns_wire2str_tag_scan(uint8_t** data, size_t* data_len, char** str,
 int gldns_wire2str_long_str_scan(uint8_t** data, size_t* data_len, char** str,
 	size_t* str_len);
 
+/**
+ * Scan wireformat AMTRELAY field to string, with user buffers.
+ * It shifts the arguments to move along (see gldns_wire2str_pkt_scan).
+ * @param data: wireformat data.
+ * @param data_len: length of data buffer.
+ * @param str: string buffer.
+ * @param str_len: length of string buffer.
+ * @param pkt: packet for decompression, if NULL no decompression.
+ * @param pktlen: length of packet buffer.
+ * @param comprloop: if pkt, bool detects compression loops.
+ * @return number of characters (except null) needed to print.
+ * 	Can return -1 on failure.
+ */
+int gldns_wire2str_amtrelay_scan(uint8_t** data, size_t* data_len, char** str,
+	size_t* str_len, uint8_t* pkt, size_t pktlen, int* comprloop);
+
 /**
  * Print EDNS LLQ option data to string.  User buffers, moves string pointers.
  * @param str: string buffer.

src/gnutls/keyraw-internal.c

@@ -0,0 +1,15 @@
+/*
+ * keyraw.c - raw key operations and conversions - OpenSSL version
+ *
+ * (c) NLnet Labs, 2004-2008
+ *
+ * See the file LICENSE for the license
+ */
+/**
+ * \file
+ * Implementation of raw DNSKEY functions (work on wire rdata).
+ */
+
+#include "config.h"
+#include "gldns/keyraw.h"
+#include "gldns/rrdef.h"

src/gnutls/keyraw-internal.h

@@ -0,0 +1,31 @@
+/*
+ * keyraw.h -- raw key and signature access and conversion - OpenSSL
+ *
+ * Copyright (c) 2005-2008, NLnet Labs. All rights reserved.
+ *
+ * See LICENSE for the license.
+ *
+ */
+
+/**
+ * \file
+ *
+ * raw key and signature access and conversion
+ *
+ * Since those functions heavily rely op cryptographic operations,
+ * this module is dependent on openssl.
+ * 
+ */
+ 
+#ifndef GLDNS_KEYRAW_INTERNAL_H
+#define GLDNS_KEYRAW_INTERNAL_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* GLDNS_KEYRAW_INTERNAL_H */

src/gnutls/pubkey-pinning-internal.c

@@ -0,0 +1,59 @@
+/**
+ *
+ * /brief functions for dealing with pubkey pinsets
+ *
+ */
+
+/*
+ * Copyright (c) 2015 ACLU
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "context.h"
+#include <nettle/base64.h>
+
+#include "types-internal.h"
+
+#include "pubkey-pinning.h"
+
+/**
+ ** Interfaces from pubkey-pinning.h
+ **/
+
+getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_size)
+{
+	struct base64_decode_ctx ctx;
+	uint8_t* lim = res + res_size;
+
+	base64_decode_init(&ctx);
+
+	for(; *str != '\0' && res < lim; ++str) {
+		int r = base64_decode_single(&ctx, res, *str);
+		if (r == -1 )
+			return GETDNS_RETURN_GENERIC_ERROR;
+		res += r;
+	}
+	return (res == lim) ? GETDNS_RETURN_GOOD : GETDNS_RETURN_GENERIC_ERROR;
+}

src/gnutls/tls-internal.h

@@ -0,0 +1,97 @@
+/**
+ *
+ * \file tls-internal.h
+ * @brief getdns TLS implementation-specific items
+ */
+
+/*
+ * Copyright (c) 2018-2019, NLnet Labs
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _GETDNS_TLS_INTERNAL_H
+#define _GETDNS_TLS_INTERNAL_H
+
+#include <stdbool.h>
+
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#include <gnutls/dane.h>
+
+#include "getdns/getdns.h"
+
+#define SHA_DIGEST_LENGTH	20
+#define SHA224_DIGEST_LENGTH	28
+#define SHA256_DIGEST_LENGTH	32
+#define SHA384_DIGEST_LENGTH	48
+#define SHA512_DIGEST_LENGTH	64
+
+#define GETDNS_TLS_MAX_DIGEST_LENGTH	(SHA512_DIGEST_LENGTH)
+
+#define HAVE_TLS_CTX_CURVES_LIST	0
+#define HAVE_TLS_CONN_CURVES_LIST	0
+
+/* Forward declare type. */
+struct getdns_log_config;
+
+typedef struct _getdns_tls_context {
+	struct mem_funcs* mfs;
+	char* cipher_list;
+	char* cipher_suites;
+	char* curve_list;
+	gnutls_protocol_t min_tls;
+	gnutls_protocol_t max_tls;
+	char* ca_trust_file;
+	char* ca_trust_path;
+	const struct getdns_log_config* log;
+} _getdns_tls_context;
+
+typedef struct _getdns_tls_connection {
+	gnutls_session_t tls;
+	gnutls_certificate_credentials_t cred;
+	int shutdown;
+	_getdns_tls_context* ctx;
+	struct mem_funcs* mfs;
+	char* cipher_list;
+	char* cipher_suites;
+	char* curve_list;
+	gnutls_protocol_t min_tls;
+	gnutls_protocol_t max_tls;
+	dane_query_t dane_query;
+	dane_state_t dane_state;
+	char* tlsa;
+	const struct getdns_log_config* log;
+} _getdns_tls_connection;
+
+typedef struct _getdns_tls_session {
+	gnutls_datum_t tls;
+} _getdns_tls_session;
+
+typedef struct _getdns_tls_x509
+{
+	gnutls_datum_t tls;
+} _getdns_tls_x509;
+
+#endif /* _GETDNS_TLS_INTERNAL_H */

src/gnutls/tls.c

@@ -0,0 +1,894 @@
+/**
+ *
+ * \file tls.c
+ * @brief getdns TLS functions
+ */
+
+/*
+ * Copyright (c) 2018-2020, NLnet Labs
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <gnutls/x509.h>
+
+#include "config.h"
+
+#include "debug.h"
+#include "context.h"
+
+#include "tls.h"
+
+/*
+ * Cipher suites recommended in RFC7525.
+ *
+ * The following strings generate a list with the same ciphers that are
+ * generated by the equivalent string in the OpenSSL version of this file.
+ */
+static char const * const _getdns_tls_context_default_cipher_list =
+	"+ECDHE-RSA:+ECDHE-ECDSA:+AEAD";
+
+static char const * const _getdns_tls_context_default_cipher_suites =
+	"+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305";
+
+static char const * const _getdns_tls_connection_opportunistic_cipher_list =
+	"NORMAL";
+
+static char const * const _getdns_tls_priorities[] = {
+	NULL,			/* No protocol */
+	NULL,		/* SSL3 - no available keyword. */
+	"+VERS-TLS1.0",	/* TLS1.0 */
+	"+VERS-TLS1.1",	/* TLS1.1 */
+	"+VERS-TLS1.2",	/* TLS1.2 */
+	"+VERS-TLS1.3",	/* TLS1.3 */
+};
+
+static char* getdns_strdup(struct mem_funcs* mfs, const char* s)
+{
+	char* res;
+
+	if (!s)
+		return NULL;
+
+	res = GETDNS_XMALLOC(*mfs, char, strlen(s) + 1);
+	if (!res)
+		return NULL;
+	strcpy(res, s);
+	return res;
+}
+
+static char* getdns_priappend(struct mem_funcs* mfs, char* s1, const char* s2)
+{
+	char* res;
+
+	if (!s1)
+		return getdns_strdup(mfs, s2);
+	if (!s2)
+		return s1;
+
+	res = GETDNS_XMALLOC(*mfs, char, strlen(s1) + strlen(s2) + 2);
+	if (!res)
+		return NULL;
+	strcpy(res, s1);
+	strcat(res, ":");
+	strcat(res, s2);
+	GETDNS_FREE(*mfs, s1);
+	return res;
+}
+
+static int set_connection_ciphers(_getdns_tls_connection* conn)
+{
+	char* pri = NULL;
+	int res;
+
+	pri = getdns_priappend(conn->mfs, pri, "NONE:+COMP-ALL:+SIGN-ALL"
+	    /* Remove all the weak ones */
+	    ":-SIGN-RSA-MD5"
+	    ":-SIGN-RSA-SHA1:-SIGN-RSA-SHA224:-SIGN-RSA-SHA256"
+	    ":-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256"
+#if GNUTLS_VERSION_NUMBER >= 0x030505
+	    ":-SIGN-ECDSA-SHA1:-SIGN-ECDSA-SHA224:-SIGN-ECDSA-SHA256"
+#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030601
+	    ":-SIGN-RSA-PSS-SHA256"
+#endif
+	);
+
+	if (conn->cipher_suites)
+		pri = getdns_priappend(conn->mfs, pri, conn->cipher_suites);
+	else if (conn->ctx->cipher_suites)
+		pri = getdns_priappend(conn->mfs, pri, conn->ctx->cipher_suites);
+
+	if (conn->cipher_list)
+		pri = getdns_priappend(conn->mfs, pri, conn->cipher_list);
+	else if (conn->ctx->cipher_list)
+		pri = getdns_priappend(conn->mfs, pri, conn->ctx->cipher_list);
+
+	if (conn->curve_list)
+		pri = getdns_priappend(conn->mfs, pri, conn->curve_list);
+	else if (conn->ctx->curve_list)
+		pri = getdns_priappend(conn->mfs, pri, conn->ctx->curve_list);
+	else
+#if GNUTLS_VERSION_NUMBER >= 0x030605
+		pri = getdns_priappend(conn->mfs, pri, "+GROUP-EC-ALL");
+#else
+		pri = getdns_priappend(conn->mfs, pri, "+CURVE-ALL");
+#endif
+
+	gnutls_protocol_t min = conn->min_tls;
+	gnutls_protocol_t max = conn->max_tls;
+	if (!min) min = conn->ctx->min_tls;
+	if (!max) max = conn->ctx->max_tls;
+
+	if (!min && !max) {
+		pri = getdns_priappend(conn->mfs, pri, "+VERS-TLS-ALL");
+	} else {
+		if (!max) max = GNUTLS_TLS_VERSION_MAX;
+
+		for (gnutls_protocol_t i = min; i <= max; ++i)
+			pri = getdns_priappend(conn->mfs, pri, _getdns_tls_priorities[i]);
+	}
+	if (pri) {
+		res = gnutls_priority_set_direct(conn->tls, pri, NULL);
+		_getdns_log(conn->log
+			    , GETDNS_LOG_UPSTREAM_STATS
+			    , (res == GNUTLS_E_SUCCESS ? GETDNS_LOG_DEBUG : GETDNS_LOG_ERR)
+			    , "%s: %s %s (%s)\n"
+			    , STUB_DEBUG_SETUP_TLS
+			    , "Configuring TLS connection with "
+			    , pri
+			    , gnutls_strerror(res));
+	}
+	else
+		res = gnutls_set_default_priority(conn->tls);
+	GETDNS_FREE(*conn->mfs, pri);
+
+	return res;
+}
+
+static getdns_return_t error_may_want_read_write(_getdns_tls_connection* conn, int err)
+{
+	switch (err) {
+	case GNUTLS_E_INTERRUPTED:
+	case GNUTLS_E_AGAIN:
+	case GNUTLS_E_WARNING_ALERT_RECEIVED:
+	case GNUTLS_E_GOT_APPLICATION_DATA:
+		if (gnutls_record_get_direction(conn->tls) == 0)
+			return GETDNS_RETURN_TLS_WANT_READ;
+		else
+			return GETDNS_RETURN_TLS_WANT_WRITE;
+	case GNUTLS_E_FATAL_ALERT_RECEIVED:
+		_getdns_log( conn->log
+		           , GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR
+		           , "%s %s %d (%s)\n"
+		           , STUB_DEBUG_SETUP_TLS
+		           , "Error in TLS handshake"
+		           , (int)gnutls_alert_get(conn->tls)
+			   , gnutls_alert_get_name(gnutls_alert_get(conn->tls))
+			   );
+		/* fallthrough */
+	default:
+		return GETDNS_RETURN_GENERIC_ERROR;
+	}
+}
+
+static getdns_return_t get_gnu_mac_algorithm(int algorithm, gnutls_mac_algorithm_t* gnualg)
+{
+	switch (algorithm) {
+	case GETDNS_HMAC_MD5   : *gnualg = GNUTLS_MAC_MD5   ; break;
+	case GETDNS_HMAC_SHA1  : *gnualg = GNUTLS_MAC_SHA1  ; break;
+	case GETDNS_HMAC_SHA224: *gnualg = GNUTLS_MAC_SHA224; break;
+	case GETDNS_HMAC_SHA256: *gnualg = GNUTLS_MAC_SHA256; break;
+	case GETDNS_HMAC_SHA384: *gnualg = GNUTLS_MAC_SHA384; break;
+	case GETDNS_HMAC_SHA512: *gnualg = GNUTLS_MAC_SHA512; break;
+	default                : return GETDNS_RETURN_GENERIC_ERROR;
+	}
+
+	return GETDNS_RETURN_GOOD;
+}
+
+static gnutls_protocol_t _getdns_tls_version2gnutls_version(getdns_tls_version_t v)
+{
+	switch (v) {
+	case GETDNS_SSL3  : return GNUTLS_SSL3;
+	case GETDNS_TLS1  : return GNUTLS_TLS1;
+	case GETDNS_TLS1_1: return GNUTLS_TLS1_1;
+	case GETDNS_TLS1_2: return GNUTLS_TLS1_2;
+#if GNUTLS_VERSION_NUMBER >= 0x030605
+	case GETDNS_TLS1_3: return GNUTLS_TLS1_3;
+#endif
+	default           : return GNUTLS_TLS_VERSION_MAX;
+	}
+}
+
+static _getdns_tls_x509* _getdns_tls_x509_new(struct mem_funcs* mfs, gnutls_datum_t cert)
+{
+	_getdns_tls_x509* res;
+
+	res = GETDNS_MALLOC(*mfs, _getdns_tls_x509);
+	if (res)
+		res->tls = cert;
+
+	return res;
+}
+
+void _getdns_tls_init()
+{
+	gnutls_global_init();
+}
+
+_getdns_tls_context* _getdns_tls_context_new(struct mem_funcs* mfs, const getdns_log_config* log)
+{
+	_getdns_tls_context* res;
+
+	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_context)))
+		return NULL;
+
+	res->mfs = mfs;
+	res->cipher_list = res->cipher_suites = res->curve_list = NULL;
+	res->min_tls = res->max_tls = 0;
+	res->ca_trust_file = NULL;
+	res->ca_trust_path = NULL;
+	res->log = log;
+
+	return res;
+}
+
+getdns_return_t _getdns_tls_context_free(struct mem_funcs* mfs, _getdns_tls_context* ctx)
+{
+	if (!ctx)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	GETDNS_FREE(*mfs, ctx->ca_trust_path);
+	GETDNS_FREE(*mfs, ctx->ca_trust_file);
+	GETDNS_FREE(*mfs, ctx->curve_list);
+	GETDNS_FREE(*mfs, ctx->cipher_suites);
+	GETDNS_FREE(*mfs, ctx->cipher_list);
+	GETDNS_FREE(*mfs, ctx);
+	return GETDNS_RETURN_GOOD;
+}
+
+void _getdns_tls_context_pinset_init(_getdns_tls_context* ctx)
+{
+	(void) ctx; /* unused parameter */
+}
+
+getdns_return_t _getdns_tls_context_set_min_max_tls_version(_getdns_tls_context* ctx, getdns_tls_version_t min, getdns_tls_version_t max)
+{
+	if (!ctx)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	ctx->min_tls = _getdns_tls_version2gnutls_version(min);
+	ctx->max_tls = _getdns_tls_version2gnutls_version(max);
+	return GETDNS_RETURN_GOOD;
+}
+
+const char* _getdns_tls_context_get_default_cipher_list()
+{
+	return _getdns_tls_context_default_cipher_list;
+}
+
+getdns_return_t _getdns_tls_context_set_cipher_list(_getdns_tls_context* ctx, const char* list)
+{
+	if (!ctx)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (!list)
+		list = _getdns_tls_context_default_cipher_list;
+
+	GETDNS_FREE(*ctx->mfs, ctx->cipher_list);
+	ctx->cipher_list = getdns_strdup(ctx->mfs, list);
+	return GETDNS_RETURN_GOOD;
+}
+
+const char* _getdns_tls_context_get_default_cipher_suites()
+{
+	return _getdns_tls_context_default_cipher_suites;
+}
+
+getdns_return_t _getdns_tls_context_set_cipher_suites(_getdns_tls_context* ctx, const char* list)
+{
+	if (!ctx)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (!list)
+		list = _getdns_tls_context_default_cipher_suites;
+
+	GETDNS_FREE(*ctx->mfs, ctx->cipher_suites);
+	ctx->cipher_suites = getdns_strdup(ctx->mfs, list);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_context_set_curves_list(_getdns_tls_context* ctx, const char* list)
+{
+	if (!ctx)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	GETDNS_FREE(*ctx->mfs, ctx->curve_list);
+	ctx->curve_list = getdns_strdup(ctx->mfs, list);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char* file, const char* path)
+{
+	if (!ctx)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	GETDNS_FREE(*ctx->mfs, ctx->ca_trust_file);
+	ctx->ca_trust_file = getdns_strdup(ctx->mfs, file);
+	GETDNS_FREE(*ctx->mfs, ctx->ca_trust_path);
+	ctx->ca_trust_path = getdns_strdup(ctx->mfs, path);
+	return GETDNS_RETURN_GOOD;
+}
+
+void _getdns_gnutls_stub_log(int level, const char *msg)
+{
+	DEBUG_STUB("GnuTLS log (%.2d): %s", level, msg);
+}
+
+_getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd, const getdns_log_config* log)
+{
+	_getdns_tls_connection* res;
+
+	if (!ctx)
+		return NULL;
+
+	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_connection)))
+		return NULL;
+
+	res->shutdown = 0;
+	res->ctx = ctx;
+	res->mfs = mfs;
+	res->cred = NULL;
+	res->tls = NULL;
+	res->cipher_list = res->cipher_suites = res->curve_list = NULL;
+	res->min_tls = res->max_tls = 0;
+	res->dane_state = NULL;
+	res->dane_query = NULL;
+	res->tlsa = NULL;
+	res->log = log;
+
+	if (gnutls_certificate_allocate_credentials(&res->cred) != GNUTLS_E_SUCCESS)
+		goto failed;
+
+	if (!ctx->ca_trust_file && !ctx->ca_trust_path)
+		gnutls_certificate_set_x509_system_trust(res->cred);
+	else {
+		if (ctx->ca_trust_file)
+			gnutls_certificate_set_x509_trust_file(res->cred, ctx->ca_trust_file, GNUTLS_X509_FMT_PEM);
+		if (ctx->ca_trust_path)
+			gnutls_certificate_set_x509_trust_dir(res->cred, ctx->ca_trust_path, GNUTLS_X509_FMT_PEM);
+	}
+
+	gnutls_global_set_log_level(99);
+	gnutls_global_set_log_function(_getdns_gnutls_stub_log);
+	if (gnutls_init(&res->tls, GNUTLS_CLIENT | GNUTLS_NONBLOCK | GNUTLS_NO_SIGNAL) != GNUTLS_E_SUCCESS)
+		goto failed;
+	if (set_connection_ciphers(res) != GNUTLS_E_SUCCESS) {
+
+		goto failed;
+	}
+	if (gnutls_credentials_set(res->tls, GNUTLS_CRD_CERTIFICATE, res->cred) != GNUTLS_E_SUCCESS)
+		goto failed;
+	if (dane_state_init(&res->dane_state, DANE_F_IGNORE_DNSSEC) != DANE_E_SUCCESS)
+		goto failed;
+
+	gnutls_datum_t proto;
+	proto.data = (unsigned char *)"dot";
+	proto.size = 3;
+	if (gnutls_alpn_set_protocols(res->tls, &proto, 1, 0) != GNUTLS_E_SUCCESS)
+		goto failed;
+
+	gnutls_transport_set_int(res->tls, fd);
+	return res;
+
+failed:
+	_getdns_tls_connection_free(mfs, res);
+	return NULL;
+}
+
+getdns_return_t _getdns_tls_connection_free(struct mem_funcs* mfs, _getdns_tls_connection* conn)
+{
+	if (!conn || !conn->tls)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (conn->dane_query)
+		dane_query_deinit(conn->dane_query);
+	if (conn->dane_state)
+		dane_state_deinit(conn->dane_state);
+	if (conn->tls)
+		gnutls_deinit(conn->tls);
+	if (conn->cred)
+		gnutls_certificate_free_credentials(conn->cred);
+	GETDNS_FREE(*mfs, conn->tlsa);
+	GETDNS_FREE(*mfs, conn->curve_list);
+	GETDNS_FREE(*mfs, conn->cipher_suites);
+	GETDNS_FREE(*mfs, conn->cipher_list);
+	GETDNS_FREE(*mfs, conn);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_shutdown(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->tls)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (conn->shutdown == 0) {
+		gnutls_bye(conn->tls, GNUTLS_SHUT_WR);
+		conn->shutdown++;
+	} else {
+		gnutls_bye(conn->tls, GNUTLS_SHUT_RDWR);
+		conn->shutdown++;
+	}
+
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_set_min_max_tls_version(_getdns_tls_connection* conn, getdns_tls_version_t min, getdns_tls_version_t max)
+{
+	if (!conn)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	conn->min_tls = _getdns_tls_version2gnutls_version(min);
+	conn->max_tls = _getdns_tls_version2gnutls_version(max);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_set_cipher_list(_getdns_tls_connection* conn, const char* list)
+{
+	if (!conn || !conn->tls)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (!list)
+		list = _getdns_tls_connection_opportunistic_cipher_list;
+
+	GETDNS_FREE(*conn->mfs, conn->cipher_list);
+	conn->cipher_list = getdns_strdup(conn->mfs, list);
+	if (set_connection_ciphers(conn) == GNUTLS_E_SUCCESS)
+		return GETDNS_RETURN_GOOD;
+	else
+		return GETDNS_RETURN_GENERIC_ERROR;
+}
+
+getdns_return_t _getdns_tls_connection_set_cipher_suites(_getdns_tls_connection* conn, const char* list)
+{
+	if (!conn || !conn->tls)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	GETDNS_FREE(*conn->mfs, conn->cipher_list);
+	conn->cipher_suites = getdns_strdup(conn->mfs, list);
+	if (set_connection_ciphers(conn) == GNUTLS_E_SUCCESS)
+		return GETDNS_RETURN_GOOD;
+	else
+		return GETDNS_RETURN_GENERIC_ERROR;
+}
+
+getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* conn, const char* list)
+{
+	if (!conn || !conn->tls)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	GETDNS_FREE(*conn->mfs, conn->curve_list);
+	conn->curve_list = getdns_strdup(conn->mfs, list);
+	if (set_connection_ciphers(conn) == GNUTLS_E_SUCCESS)
+		return GETDNS_RETURN_GOOD;
+	else
+		return GETDNS_RETURN_GENERIC_ERROR;
+}
+
+getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s)
+{
+	int r;
+
+	if (!conn || !conn->tls || !s)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	r = gnutls_session_set_data(conn->tls, s->tls.data, s->tls.size);
+	if (r != GNUTLS_E_SUCCESS)
+		return GETDNS_RETURN_GENERIC_ERROR;
+	return GETDNS_RETURN_GOOD;
+}
+
+_getdns_tls_session* _getdns_tls_connection_get_session(struct mem_funcs* mfs, _getdns_tls_connection* conn)
+{
+	_getdns_tls_session* res;
+	int r;
+
+	if (!conn || !conn->tls)
+		return NULL;
+
+	if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_session)))
+		return NULL;
+
+	r = gnutls_session_get_data2(conn->tls, &res->tls);
+	if (r != GNUTLS_E_SUCCESS) {
+		GETDNS_FREE(*mfs, res);
+		return NULL;
+	}
+
+	return res;
+}
+
+const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->tls)
+		return NULL;
+
+	return gnutls_protocol_get_name(gnutls_protocol_get_version(conn->tls));
+}
+
+getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn)
+{
+	int r;
+
+	if (!conn || !conn->tls)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	r = gnutls_handshake(conn->tls);
+	if (r == GNUTLS_E_SUCCESS) {
+		return GETDNS_RETURN_GOOD;
+	}
+	else
+		return error_may_want_read_write(conn, r);
+}
+
+_getdns_tls_x509* _getdns_tls_connection_get_peer_certificate(struct mem_funcs* mfs, _getdns_tls_connection* conn)
+{
+	const gnutls_datum_t *cert_list;
+	unsigned int cert_list_size;
+
+	if (!conn || !conn->tls)
+		return NULL;
+
+	cert_list = gnutls_certificate_get_peers(conn->tls, &cert_list_size);
+	if (cert_list == NULL)
+		return NULL;
+
+	return _getdns_tls_x509_new(mfs, *cert_list);
+}
+
+getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn)
+{
+	if (!conn || !conn->tls)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	if (gnutls_session_is_resumed(conn->tls) != 0)
+		return GETDNS_RETURN_GOOD;
+	else
+		return GETDNS_RETURN_TLS_CONNECTION_FRESH;
+}
+
+getdns_return_t _getdns_tls_connection_setup_hostname_auth(_getdns_tls_connection* conn, const char* auth_name)
+{
+	int r;
+
+	if (!conn || !conn->tls || !auth_name)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	r = gnutls_server_name_set(conn->tls, GNUTLS_NAME_DNS, auth_name, strlen(auth_name));
+	if (r != GNUTLS_E_SUCCESS)
+		return GETDNS_RETURN_GENERIC_ERROR;
+
+	gnutls_session_set_verify_cert(conn->tls, auth_name, 0);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_set_host_pinset(_getdns_tls_connection* conn, const char* auth_name, const sha256_pin_t* pinset)
+{
+	int r;
+
+	if (!conn || !conn->tls || !auth_name)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	size_t npins = 0;
+	for (const sha256_pin_t* pin = pinset; pin; pin = pin->next)
+		npins++;
+
+	GETDNS_FREE(*conn->mfs, conn->tlsa);
+	conn->tlsa = GETDNS_XMALLOC(*conn->mfs, char, npins * (SHA256_DIGEST_LENGTH + 3) * 2);
+	if (!conn->tlsa)
+		return GETDNS_RETURN_GENERIC_ERROR;
+
+	char** dane_data = GETDNS_XMALLOC(*conn->mfs, char*, npins * 2 + 1);
+	if (!dane_data)
+		return GETDNS_RETURN_GENERIC_ERROR;
+	int* dane_data_len = GETDNS_XMALLOC(*conn->mfs, int, npins * 2 + 1);
+	if (!dane_data_len) {
+		GETDNS_FREE(*conn->mfs, dane_data);
+		return GETDNS_RETURN_GENERIC_ERROR;
+	}
+
+	char** dane_p = dane_data;
+	int* dane_len_p = dane_data_len;
+	char* p = conn->tlsa;
+	for (const sha256_pin_t* pin = pinset; pin; pin = pin->next) {
+		*dane_p++ = p;
+		*dane_len_p++ = SHA256_DIGEST_LENGTH + 3;
+		p[0] = DANE_CERT_USAGE_LOCAL_CA;
+		p[1] = DANE_CERT_PK;
+		p[2] = DANE_MATCH_SHA2_256;
+		memcpy(&p[3], pin->pin, SHA256_DIGEST_LENGTH);
+		p += SHA256_DIGEST_LENGTH + 3;
+
+		*dane_p++ = p;
+		*dane_len_p++ = SHA256_DIGEST_LENGTH + 3;
+		p[0] = DANE_CERT_USAGE_LOCAL_EE;
+		p[1] = DANE_CERT_PK;
+		p[2] = DANE_MATCH_SHA2_256;
+		memcpy(&p[3], pin->pin, SHA256_DIGEST_LENGTH);
+		p += SHA256_DIGEST_LENGTH + 3;
+	}
+	*dane_p = NULL;
+
+	if (conn->dane_query)
+		dane_query_deinit(conn->dane_query);
+	r = dane_raw_tlsa(conn->dane_state, &conn->dane_query, dane_data, dane_data_len, 0, 0);
+	GETDNS_FREE(*conn->mfs, dane_data_len);
+	GETDNS_FREE(*conn->mfs, dane_data);
+
+	return (r == DANE_E_SUCCESS) ? GETDNS_RETURN_GOOD : GETDNS_RETURN_GENERIC_ERROR;
+}
+
+getdns_return_t _getdns_tls_connection_certificate_verify(_getdns_tls_connection* conn, long* errnum, const char** errmsg)
+{
+	if (!conn || !conn->tls)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	/* If no pinset, no DANE info to check. */
+	if (!conn->dane_query)
+		return GETDNS_RETURN_GOOD;
+
+	/* Most of the internals of dane_verify_session_crt() */
+
+	const gnutls_datum_t* cert_list;
+	unsigned int cert_list_size = 0;
+	unsigned int type;
+	int ret;
+	const gnutls_datum_t* cl;
+	gnutls_datum_t* new_cert_list = NULL;
+	int clsize;
+	unsigned int verify;
+
+	cert_list = gnutls_certificate_get_peers(conn->tls, &cert_list_size);
+	if (cert_list_size == 0) {
+		*errnum = 1;
+		*errmsg = "No peer certificate";
+		return GETDNS_RETURN_GENERIC_ERROR;
+        }
+	cl = cert_list;
+
+        type = gnutls_certificate_type_get(conn->tls);
+
+        /* this list may be incomplete, try to get the self-signed CA if any */
+        if (cert_list_size > 0) {
+                gnutls_x509_crt_t crt, ca;
+                gnutls_certificate_credentials_t sc;
+
+                ret = gnutls_x509_crt_init(&crt);
+                if (ret < 0)
+                        goto failsafe;
+
+                ret = gnutls_x509_crt_import(crt, &cert_list[cert_list_size-1], GNUTLS_X509_FMT_DER);
+                if (ret < 0) {
+                        gnutls_x509_crt_deinit(crt);
+                        goto failsafe;
+                }
+
+                /* if it is already self signed continue normally */
+                ret = gnutls_x509_crt_check_issuer(crt, crt);
+                if (ret != 0) {
+                        gnutls_x509_crt_deinit(crt);
+                        goto failsafe;
+                }
+
+                /* chain does not finish in a self signed cert, try to obtain the issuer */
+                ret = gnutls_credentials_get(conn->tls, GNUTLS_CRD_CERTIFICATE, (void**)&sc);
+                if (ret < 0) {
+                        gnutls_x509_crt_deinit(crt);
+                        goto failsafe;
+                }
+
+                ret = gnutls_certificate_get_issuer(sc, crt, &ca, 0);
+                if (ret < 0) {
+                        gnutls_x509_crt_deinit(crt);
+                        goto failsafe;
+                }
+
+                /* make the new list */
+                new_cert_list = GETDNS_XMALLOC(*conn->mfs, gnutls_datum_t, cert_list_size + 1);
+                if (new_cert_list == NULL) {
+                        gnutls_x509_crt_deinit(crt);
+                        goto failsafe;
+                }
+
+                memcpy(new_cert_list, cert_list, cert_list_size*sizeof(gnutls_datum_t));
+		cl = new_cert_list;
+
+                ret = gnutls_x509_crt_export2(ca, GNUTLS_X509_FMT_DER, &new_cert_list[cert_list_size]);
+                if (ret < 0) {
+                        GETDNS_FREE(*conn->mfs, new_cert_list);
+                        gnutls_x509_crt_deinit(crt);
+                        goto failsafe;
+                }
+	}
+
+failsafe:
+
+	clsize = cert_list_size;
+	if (cl == new_cert_list)
+		clsize += 1;
+
+	ret = dane_verify_crt_raw(conn->dane_state, cl, clsize, type, conn->dane_query, 0, 0, &verify);
+
+	if (new_cert_list) {
+		gnutls_free(new_cert_list[cert_list_size].data);
+		GETDNS_FREE(*conn->mfs, new_cert_list);
+	}
+
+	if (ret != DANE_E_SUCCESS) {
+		*errnum = ret;
+		*errmsg = dane_strerror(ret);
+		return GETDNS_RETURN_GENERIC_ERROR;
+	}
+
+	if (verify != 0) {
+		if (verify & DANE_VERIFY_CERT_DIFFERS) {
+			*errnum = 3;
+			*errmsg = "Pinset validation: Certificate differs";
+		} else if (verify &  DANE_VERIFY_CA_CONSTRAINTS_VIOLATED) {
+			*errnum = 2;
+			*errmsg = "Pinset validation: CA constraints violated";
+		} else {
+			*errnum = 4;
+			*errmsg = "Pinset validation: Unknown DANE info";
+		}
+		return GETDNS_RETURN_GENERIC_ERROR;
+	}
+
+	return GETDNS_RETURN_GOOD;
+}
+
+
+getdns_return_t _getdns_tls_connection_read(_getdns_tls_connection* conn, uint8_t* buf, size_t to_read, size_t* read)
+{
+	ssize_t sread;
+
+	if (!conn || !conn->tls || !read)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	sread = gnutls_record_recv(conn->tls, buf, to_read);
+	if (sread < 0)
+		return error_may_want_read_write(conn, sread);
+
+	*read = sread;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_connection_write(_getdns_tls_connection* conn, uint8_t* buf, size_t to_write, size_t* written)
+{
+	int swritten;
+
+	if (!conn || !conn->tls || !written)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	swritten = gnutls_record_send(conn->tls, buf, to_write);
+	if (swritten < 0)
+		return error_may_want_read_write(conn, swritten);
+
+	*written = swritten;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_session_free(struct mem_funcs* mfs, _getdns_tls_session* s)
+{
+	if (!s)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	if (s->tls.data)
+		gnutls_free(s->tls.data);
+	GETDNS_FREE(*mfs, s);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict)
+{
+	if (! getdns_dict_set_int(
+	    dict, "gnutls_version_number", GNUTLS_VERSION_NUMBER)
+
+	    && ! getdns_dict_util_set_string(
+	    dict, "gnutls_version_string", GNUTLS_VERSION)
+		)
+		return GETDNS_RETURN_GOOD;
+	return GETDNS_RETURN_GENERIC_ERROR;
+}
+
+void _getdns_tls_x509_free(struct mem_funcs* mfs, _getdns_tls_x509* cert)
+{
+	if (cert)
+		GETDNS_FREE(*mfs, cert);
+}
+
+int _getdns_tls_x509_to_der(struct mem_funcs* mfs, _getdns_tls_x509* cert, getdns_bindata* bindata)
+{
+	gnutls_x509_crt_t crt;
+	size_t s;
+
+	if (!cert || gnutls_x509_crt_init(&crt) != GNUTLS_E_SUCCESS)
+		return 0;
+
+	gnutls_x509_crt_import(crt, &cert->tls, GNUTLS_X509_FMT_DER);
+	gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_DER, NULL, &s);
+
+	if (!bindata) {
+		gnutls_x509_crt_deinit(crt);
+		return s;
+	}
+
+	bindata->data = GETDNS_XMALLOC(*mfs, uint8_t, s);
+	if (!bindata->data) {
+		gnutls_x509_crt_deinit(crt);
+		return 0;
+	}
+
+	gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_DER, bindata->data, &s);
+	bindata->size = s;
+	gnutls_x509_crt_deinit(crt);
+	return s;
+}
+
+unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size)
+{
+	gnutls_mac_algorithm_t alg;
+	unsigned int md_len;
+	unsigned char* res;
+
+	if (get_gnu_mac_algorithm(algorithm, &alg) != GETDNS_RETURN_GOOD)
+		return NULL;
+
+	md_len = gnutls_hmac_get_len(alg);
+	res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, md_len);
+	if (!res)
+		return NULL;
+
+	(void) gnutls_hmac_fast(alg, key, key_size, data, data_size, res);
+
+	if (output_size)
+		*output_size = md_len;
+	return res;
+}
+
+void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
+{
+	gnutls_hash_fast(GNUTLS_DIG_SHA1, data, data_size, buf);
+}
+
+void _getdns_tls_cookie_sha256(uint32_t secret, void* addr, size_t addrlen, unsigned char* buf, size_t* buflen)
+{
+	gnutls_hash_hd_t digest;
+
+	gnutls_hash_init(&digest, GNUTLS_DIG_SHA256);
+	gnutls_hash(digest, &secret, sizeof(secret));
+	gnutls_hash(digest, addr, addrlen);
+	gnutls_hash_deinit(digest, buf);
+	*buflen = gnutls_hash_get_len(GNUTLS_DIG_SHA256);
+}
+
+/* tls.c */

src/install-sh

@@ -1,527 +0,0 @@
-#!/bin/sh
-# install - install a program, script, or datafile
-
-scriptversion=2011-11-20.07; # UTC
-
-# This originates from X11R5 (mit/util/scripts/install.sh), which was
-# later released in X11R6 (xc/config/util/install.sh) with the
-# following copyright and license.
-#
-# Copyright (C) 1994 X Consortium
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to
-# deal in the Software without restriction, including without limitation the
-# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-# sell copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
-# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
-# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
-# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-# Except as contained in this notice, the name of the X Consortium shall not
-# be used in advertising or otherwise to promote the sale, use or other deal-
-# ings in this Software without prior written authorization from the X Consor-
-# tium.
-#
-#
-# FSF changes to this file are in the public domain.
-#
-# Calling this script install-sh is preferred over install.sh, to prevent
-# 'make' implicit rules from creating a file called install from it
-# when there is no Makefile.
-#
-# This script is compatible with the BSD install script, but was written
-# from scratch.
-
-nl='
-'
-IFS=" ""	$nl"
-
-# set DOITPROG to echo to test this script
-
-# Don't use :- since 4.3BSD and earlier shells don't like it.
-doit=${DOITPROG-}
-if test -z "$doit"; then
-  doit_exec=exec
-else
-  doit_exec=$doit
-fi
-
-# Put in absolute file names if you don't have them in your path;
-# or use environment vars.
-
-chgrpprog=${CHGRPPROG-chgrp}
-chmodprog=${CHMODPROG-chmod}
-chownprog=${CHOWNPROG-chown}
-cmpprog=${CMPPROG-cmp}
-cpprog=${CPPROG-cp}
-mkdirprog=${MKDIRPROG-mkdir}
-mvprog=${MVPROG-mv}
-rmprog=${RMPROG-rm}
-stripprog=${STRIPPROG-strip}
-
-posix_glob='?'
-initialize_posix_glob='
-  test "$posix_glob" != "?" || {
-    if (set -f) 2>/dev/null; then
-      posix_glob=
-    else
-      posix_glob=:
-    fi
-  }
-'
-
-posix_mkdir=
-
-# Desired mode of installed file.
-mode=0755
-
-chgrpcmd=
-chmodcmd=$chmodprog
-chowncmd=
-mvcmd=$mvprog
-rmcmd="$rmprog -f"
-stripcmd=
-
-src=
-dst=
-dir_arg=
-dst_arg=
-
-copy_on_change=false
-no_target_directory=
-
-usage="\
-Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
-   or: $0 [OPTION]... SRCFILES... DIRECTORY
-   or: $0 [OPTION]... -t DIRECTORY SRCFILES...
-   or: $0 [OPTION]... -d DIRECTORIES...
-
-In the 1st form, copy SRCFILE to DSTFILE.
-In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
-In the 4th, create DIRECTORIES.
-
-Options:
-     --help     display this help and exit.
-     --version  display version info and exit.
-
-  -c            (ignored)
-  -C            install only if different (preserve the last data modification time)
-  -d            create directories instead of installing files.
-  -g GROUP      $chgrpprog installed files to GROUP.
-  -m MODE       $chmodprog installed files to MODE.
-  -o USER       $chownprog installed files to USER.
-  -s            $stripprog installed files.
-  -t DIRECTORY  install into DIRECTORY.
-  -T            report an error if DSTFILE is a directory.
-
-Environment variables override the default commands:
-  CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
-  RMPROG STRIPPROG
-"
-
-while test $# -ne 0; do
-  case $1 in
-    -c) ;;
-
-    -C) copy_on_change=true;;
-
-    -d) dir_arg=true;;
-
-    -g) chgrpcmd="$chgrpprog $2"
-	shift;;
-
-    --help) echo "$usage"; exit $?;;
-
-    -m) mode=$2
-	case $mode in
-	  *' '* | *'	'* | *'
-'*	  | *'*'* | *'?'* | *'['*)
-	    echo "$0: invalid mode: $mode" >&2
-	    exit 1;;
-	esac
-	shift;;
-
-    -o) chowncmd="$chownprog $2"
-	shift;;
-
-    -s) stripcmd=$stripprog;;
-
-    -t) dst_arg=$2
-	# Protect names problematic for 'test' and other utilities.
-	case $dst_arg in
-	  -* | [=\(\)!]) dst_arg=./$dst_arg;;
-	esac
-	shift;;
-
-    -T) no_target_directory=true;;
-
-    --version) echo "$0 $scriptversion"; exit $?;;
-
-    --)	shift
-	break;;
-
-    -*)	echo "$0: invalid option: $1" >&2
-	exit 1;;
-
-    *)  break;;
-  esac
-  shift
-done
-
-if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
-  # When -d is used, all remaining arguments are directories to create.
-  # When -t is used, the destination is already specified.
-  # Otherwise, the last argument is the destination.  Remove it from $@.
-  for arg
-  do
-    if test -n "$dst_arg"; then
-      # $@ is not empty: it contains at least $arg.
-      set fnord "$@" "$dst_arg"
-      shift # fnord
-    fi
-    shift # arg
-    dst_arg=$arg
-    # Protect names problematic for 'test' and other utilities.
-    case $dst_arg in
-      -* | [=\(\)!]) dst_arg=./$dst_arg;;
-    esac
-  done
-fi
-
-if test $# -eq 0; then
-  if test -z "$dir_arg"; then
-    echo "$0: no input file specified." >&2
-    exit 1
-  fi
-  # It's OK to call 'install-sh -d' without argument.
-  # This can happen when creating conditional directories.
-  exit 0
-fi
-
-if test -z "$dir_arg"; then
-  do_exit='(exit $ret); exit $ret'
-  trap "ret=129; $do_exit" 1
-  trap "ret=130; $do_exit" 2
-  trap "ret=141; $do_exit" 13
-  trap "ret=143; $do_exit" 15
-
-  # Set umask so as not to create temps with too-generous modes.
-  # However, 'strip' requires both read and write access to temps.
-  case $mode in
-    # Optimize common cases.
-    *644) cp_umask=133;;
-    *755) cp_umask=22;;
-
-    *[0-7])
-      if test -z "$stripcmd"; then
-	u_plus_rw=
-      else
-	u_plus_rw='% 200'
-      fi
-      cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
-    *)
-      if test -z "$stripcmd"; then
-	u_plus_rw=
-      else
-	u_plus_rw=,u+rw
-      fi
-      cp_umask=$mode$u_plus_rw;;
-  esac
-fi
-
-for src
-do
-  # Protect names problematic for 'test' and other utilities.
-  case $src in
-    -* | [=\(\)!]) src=./$src;;
-  esac
-
-  if test -n "$dir_arg"; then
-    dst=$src
-    dstdir=$dst
-    test -d "$dstdir"
-    dstdir_status=$?
-  else
-
-    # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
-    # might cause directories to be created, which would be especially bad
-    # if $src (and thus $dsttmp) contains '*'.
-    if test ! -f "$src" && test ! -d "$src"; then
-      echo "$0: $src does not exist." >&2
-      exit 1
-    fi
-
-    if test -z "$dst_arg"; then
-      echo "$0: no destination specified." >&2
-      exit 1
-    fi
-    dst=$dst_arg
-
-    # If destination is a directory, append the input filename; won't work
-    # if double slashes aren't ignored.
-    if test -d "$dst"; then
-      if test -n "$no_target_directory"; then
-	echo "$0: $dst_arg: Is a directory" >&2
-	exit 1
-      fi
-      dstdir=$dst
-      dst=$dstdir/`basename "$src"`
-      dstdir_status=0
-    else
-      # Prefer dirname, but fall back on a substitute if dirname fails.
-      dstdir=`
-	(dirname "$dst") 2>/dev/null ||
-	expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	     X"$dst" : 'X\(//\)[^/]' \| \
-	     X"$dst" : 'X\(//\)$' \| \
-	     X"$dst" : 'X\(/\)' \| . 2>/dev/null ||
-	echo X"$dst" |
-	    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
-		   s//\1/
-		   q
-		 }
-		 /^X\(\/\/\)[^/].*/{
-		   s//\1/
-		   q
-		 }
-		 /^X\(\/\/\)$/{
-		   s//\1/
-		   q
-		 }
-		 /^X\(\/\).*/{
-		   s//\1/
-		   q
-		 }
-		 s/.*/./; q'
-      `
-
-      test -d "$dstdir"
-      dstdir_status=$?
-    fi
-  fi
-
-  obsolete_mkdir_used=false
-
-  if test $dstdir_status != 0; then
-    case $posix_mkdir in
-      '')
-	# Create intermediate dirs using mode 755 as modified by the umask.
-	# This is like FreeBSD 'install' as of 1997-10-28.
-	umask=`umask`
-	case $stripcmd.$umask in
-	  # Optimize common cases.
-	  *[2367][2367]) mkdir_umask=$umask;;
-	  .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;
-
-	  *[0-7])
-	    mkdir_umask=`expr $umask + 22 \
-	      - $umask % 100 % 40 + $umask % 20 \
-	      - $umask % 10 % 4 + $umask % 2
-	    `;;
-	  *) mkdir_umask=$umask,go-w;;
-	esac
-
-	# With -d, create the new directory with the user-specified mode.
-	# Otherwise, rely on $mkdir_umask.
-	if test -n "$dir_arg"; then
-	  mkdir_mode=-m$mode
-	else
-	  mkdir_mode=
-	fi
-
-	posix_mkdir=false
-	case $umask in
-	  *[123567][0-7][0-7])
-	    # POSIX mkdir -p sets u+wx bits regardless of umask, which
-	    # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
-	    ;;
-	  *)
-	    tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
-	    trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0
-
-	    if (umask $mkdir_umask &&
-		exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1
-	    then
-	      if test -z "$dir_arg" || {
-		   # Check for POSIX incompatibilities with -m.
-		   # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
-		   # other-writable bit of parent directory when it shouldn't.
-		   # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
-		   ls_ld_tmpdir=`ls -ld "$tmpdir"`
-		   case $ls_ld_tmpdir in
-		     d????-?r-*) different_mode=700;;
-		     d????-?--*) different_mode=755;;
-		     *) false;;
-		   esac &&
-		   $mkdirprog -m$different_mode -p -- "$tmpdir" && {
-		     ls_ld_tmpdir_1=`ls -ld "$tmpdir"`
-		     test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
-		   }
-		 }
-	      then posix_mkdir=:
-	      fi
-	      rmdir "$tmpdir/d" "$tmpdir"
-	    else
-	      # Remove any dirs left behind by ancient mkdir implementations.
-	      rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null
-	    fi
-	    trap '' 0;;
-	esac;;
-    esac
-
-    if
-      $posix_mkdir && (
-	umask $mkdir_umask &&
-	$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
-      )
-    then :
-    else
-
-      # The umask is ridiculous, or mkdir does not conform to POSIX,
-      # or it failed possibly due to a race condition.  Create the
-      # directory the slow way, step by step, checking for races as we go.
-
-      case $dstdir in
-	/*) prefix='/';;
-	[-=\(\)!]*) prefix='./';;
-	*)  prefix='';;
-      esac
-
-      eval "$initialize_posix_glob"
-
-      oIFS=$IFS
-      IFS=/
-      $posix_glob set -f
-      set fnord $dstdir
-      shift
-      $posix_glob set +f
-      IFS=$oIFS
-
-      prefixes=
-
-      for d
-      do
-	test X"$d" = X && continue
-
-	prefix=$prefix$d
-	if test -d "$prefix"; then
-	  prefixes=
-	else
-	  if $posix_mkdir; then
-	    (umask=$mkdir_umask &&
-	     $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
-	    # Don't fail if two instances are running concurrently.
-	    test -d "$prefix" || exit 1
-	  else
-	    case $prefix in
-	      *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
-	      *) qprefix=$prefix;;
-	    esac
-	    prefixes="$prefixes '$qprefix'"
-	  fi
-	fi
-	prefix=$prefix/
-      done
-
-      if test -n "$prefixes"; then
-	# Don't fail if two instances are running concurrently.
-	(umask $mkdir_umask &&
-	 eval "\$doit_exec \$mkdirprog $prefixes") ||
-	  test -d "$dstdir" || exit 1
-	obsolete_mkdir_used=true
-      fi
-    fi
-  fi
-
-  if test -n "$dir_arg"; then
-    { test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
-    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
-    { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
-      test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
-  else
-
-    # Make a couple of temp file names in the proper directory.
-    dsttmp=$dstdir/_inst.$$_
-    rmtmp=$dstdir/_rm.$$_
-
-    # Trap to clean up those temp files at exit.
-    trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
-
-    # Copy the file name to the temp name.
-    (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
-
-    # and set any options; do chmod last to preserve setuid bits.
-    #
-    # If any of these fail, we abort the whole thing.  If we want to
-    # ignore errors from any of these, just make sure not to ignore
-    # errors from the above "$doit $cpprog $src $dsttmp" command.
-    #
-    { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
-    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
-    { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
-    { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
-
-    # If -C, don't bother to copy if it wouldn't change the file.
-    if $copy_on_change &&
-       old=`LC_ALL=C ls -dlL "$dst"	2>/dev/null` &&
-       new=`LC_ALL=C ls -dlL "$dsttmp"	2>/dev/null` &&
-
-       eval "$initialize_posix_glob" &&
-       $posix_glob set -f &&
-       set X $old && old=:$2:$4:$5:$6 &&
-       set X $new && new=:$2:$4:$5:$6 &&
-       $posix_glob set +f &&
-
-       test "$old" = "$new" &&
-       $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
-    then
-      rm -f "$dsttmp"
-    else
-      # Rename the file to the real destination.
-      $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
-
-      # The rename failed, perhaps because mv can't rename something else
-      # to itself, or perhaps because mv is so ancient that it does not
-      # support -f.
-      {
-	# Now remove or move aside any old file at destination location.
-	# We try this two ways since rm can't unlink itself on some
-	# systems and the destination file might be busy for other
-	# reasons.  In this case, the final cleanup might fail but the new
-	# file should still install successfully.
-	{
-	  test ! -f "$dst" ||
-	  $doit $rmcmd -f "$dst" 2>/dev/null ||
-	  { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
-	    { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
-	  } ||
-	  { echo "$0: cannot unlink or rename $dst" >&2
-	    (exit 1); exit 1
-	  }
-	} &&
-
-	# Now rename the file to the real destination.
-	$doit $mvcmd "$dsttmp" "$dst"
-      }
-    fi || exit 1
-
-    trap '' 0
-  fi
-done
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
-# time-stamp-end: "; # UTC"
-# End:

src/jsmn

@@ -1 +1 @@
-Subproject commit c831c3869f56a571a79a3cbf58e0a366e588e256
+Subproject commit 686a240cc8186a9a799ebafb0b32e67991b5abfc

src/libgetdns.symbols

@@ -30,15 +30,20 @@ getdns_context_get_resolution_type
 getdns_context_get_resolvconf
 getdns_context_get_round_robin_upstreams
 getdns_context_get_suffix
+getdns_context_get_tcp_send_timeout
 getdns_context_get_timeout
 getdns_context_get_tls_authentication
 getdns_context_get_tls_backoff_time
 getdns_context_get_tls_ca_file
 getdns_context_get_tls_ca_path
 getdns_context_get_tls_cipher_list
+getdns_context_get_tls_ciphersuites
 getdns_context_get_tls_connection_retries
 getdns_context_get_tls_curves_list
+getdns_context_get_tls_max_version
+getdns_context_get_tls_min_version
 getdns_context_get_tls_query_padding_blocksize
+getdns_context_get_trust_anchors_backoff_time
 getdns_context_get_trust_anchors_url
 getdns_context_get_trust_anchors_verify_CA
 getdns_context_get_trust_anchors_verify_email
@@ -74,15 +79,20 @@ getdns_context_set_resolvconf
 getdns_context_set_return_dnssec_status
 getdns_context_set_round_robin_upstreams
 getdns_context_set_suffix
+getdns_context_set_tcp_send_timeout
 getdns_context_set_timeout
 getdns_context_set_tls_authentication
 getdns_context_set_tls_backoff_time
 getdns_context_set_tls_ca_file
 getdns_context_set_tls_ca_path
 getdns_context_set_tls_cipher_list
+getdns_context_set_tls_ciphersuites
 getdns_context_set_tls_connection_retries
 getdns_context_set_tls_curves_list
+getdns_context_set_tls_max_version
+getdns_context_set_tls_min_version
 getdns_context_set_tls_query_padding_blocksize
+getdns_context_set_trust_anchors_backoff_time
 getdns_context_set_trust_anchors_url
 getdns_context_set_trust_anchors_verify_CA
 getdns_context_set_trust_anchors_verify_email
@@ -90,6 +100,7 @@ getdns_context_set_update_callback
 getdns_context_set_upstream_recursive_servers
 getdns_context_set_use_threads
 getdns_context_unset_edns_maximum_udp_payload_size
+getdns_context_unset_tcp_send_timeout
 getdns_convert_alabel_to_ulabel
 getdns_convert_dns_name_to_fqdn
 getdns_convert_fqdn_to_dns_name

src/list.c

@@ -418,7 +418,7 @@ getdns_list_create_with_memory_functions(void *(*malloc)(size_t),
 
 /*-------------------------- getdns_list_create_with_context */
 struct getdns_list *
-getdns_list_create_with_context(struct getdns_context *context)
+getdns_list_create_with_context(const getdns_context *context)
 {
 	if (context)
 		return getdns_list_create_with_extended_memory_functions(

src/mk-const-info.c.sh

@@ -14,7 +14,7 @@ cat > const-info.c << END_OF_HEAD
 static struct const_info consts_info[] = {
 	{   -1, NULL, "/* <unknown getdns value> */" },
 END_OF_HEAD
-gawk '/^[ 	]+GETDNS_[A-Z_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z_]+[ 	]+[0-9]+/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/  && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
+gawk --non-decimal-data '/^[ 	]+GETDNS_[A-Z0-9_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z0-9_]+[ 	]+(0[xX][0-9a-fA-F]+|[0-9]+)/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/  && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z0-9_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
 cat >> const-info.c << END_OF_TAIL
 };
 
@@ -49,7 +49,7 @@ getdns_get_errorstr_by_id(uint16_t err)
 
 static struct const_name_info consts_name_info[] = {
 END_OF_TAIL
-gawk '/^[ 	]+GETDNS_[A-Z_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z_]+[ 	]+[0-9]+/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
+gawk --non-decimal-data '/^[ 	]+GETDNS_[A-Z0-9_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z0-9_]+[ 	]+(0[xX][0-9a-fA-F]+|[0-9]+)/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z0-9_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
 cat >> const-info.c << END_OF_TAIL
 };
 

src/mk-symfiles.sh

@@ -3,7 +3,7 @@
 write_symbols() {
 	OUTPUT=$1
 	shift
-	grep 'getdns_[0-9a-zA-Z_]*(' $* | grep -v '^#' | grep -v 'INLINE' | grep -v 'getdns_extra\.h\.in: \* if' \
+	grep -h 'getdns_[0-9a-zA-Z_]*(' $* | grep -v '^#' | grep -v 'INLINE' | grep -v '^ \* if' \
 	| sed -e 's/(.*$//g' -e 's/^.*getdns_/getdns_/g' | LC_ALL=C sort | uniq > $OUTPUT
 }
 

src/openssl/keyraw-internal.c

@@ -0,0 +1,645 @@
+/*
+ * keyraw.c - raw key operations and conversions - OpenSSL version
+ *
+ * (c) NLnet Labs, 2004-2008
+ *
+ * See the file LICENSE for the license
+ */
+/**
+ * \file
+ * Implementation of raw DNSKEY functions (work on wire rdata).
+ */
+
+#include "config.h"
+#include "gldns/keyraw.h"
+#include "gldns/rrdef.h"
+
+#ifdef HAVE_SSL
+#include <openssl/ssl.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#include <openssl/md5.h>
+#ifdef HAVE_OPENSSL_CONF_H
+#include <openssl/conf.h>
+#endif
+#ifdef HAVE_OPENSSL_ENGINE_H
+#include <openssl/engine.h>
+#endif
+#ifdef HAVE_OPENSSL_BN_H
+#include <openssl/bn.h>
+#endif
+#ifdef HAVE_OPENSSL_PARAM_BUILD_H
+#  include <openssl/param_build.h>
+#else
+#  ifdef HAVE_OPENSSL_RSA_H
+#  include <openssl/rsa.h>
+#  endif
+#  ifdef HAVE_OPENSSL_DSA_H
+#  include <openssl/dsa.h>
+#  endif
+#endif
+#ifdef HAVE_OPENSSL_DSA_H
+#include <openssl/dsa.h>
+#endif
+#ifdef HAVE_OPENSSL_RSA_H
+#include <openssl/rsa.h>
+#endif
+#endif /* HAVE_SSL */
+
+#ifdef HAVE_SSL
+#ifdef USE_GOST
+
+/** store GOST engine reference loaded into OpenSSL library */
+#if defined(OPENSSL_NO_ENGINE) || OPENSSL_VERSION_NUMBER > 0x30000000
+int
+gldns_key_EVP_load_gost_id(void)
+{
+	return 0;
+}
+void gldns_key_EVP_unload_gost(void)
+{
+}
+#else
+ENGINE* gldns_gost_engine = NULL;
+
+int
+gldns_key_EVP_load_gost_id(void)
+{
+	static int gost_id = 0;
+	const EVP_PKEY_ASN1_METHOD* meth;
+	ENGINE* e;
+
+	if(gost_id) return gost_id;
+
+	/* see if configuration loaded gost implementation from other engine*/
+	meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1);
+	if(meth) {
+		EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
+		return gost_id;
+	}
+
+	/* see if engine can be loaded already */
+	e = ENGINE_by_id("gost");
+	if(!e) {
+		/* load it ourself, in case statically linked */
+		ENGINE_load_builtin_engines();
+		ENGINE_load_dynamic();
+		e = ENGINE_by_id("gost");
+	}
+	if(!e) {
+		/* no gost engine in openssl */
+		return 0;
+	}
+	if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+		ENGINE_finish(e);
+		ENGINE_free(e);
+		return 0;
+	}
+
+	meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1);
+	if(!meth) {
+		/* algo not found */
+		ENGINE_finish(e);
+		ENGINE_free(e);
+		return 0;
+	}
+        /* Note: do not ENGINE_finish and ENGINE_free the acquired engine
+         * on some platforms this frees up the meth and unloads gost stuff */
+        gldns_gost_engine = e;
+	
+	EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
+	return gost_id;
+} 
+
+void gldns_key_EVP_unload_gost(void)
+{
+        if(gldns_gost_engine) {
+                ENGINE_finish(gldns_gost_engine);
+                ENGINE_free(gldns_gost_engine);
+                gldns_gost_engine = NULL;
+        }
+}
+#endif /* ifndef OPENSSL_NO_ENGINE */
+#endif /* USE_GOST */
+
+/* Retrieve params as BIGNUM from raw buffer */
+static int
+gldns_key_dsa_buf_bignum(unsigned char* key, size_t len, BIGNUM** p,
+	BIGNUM** q, BIGNUM** g, BIGNUM** y)
+{
+	uint8_t T;
+	uint16_t length;
+	uint16_t offset;
+
+	if(len == 0)
+		return 0;
+	T = (uint8_t)key[0];
+	length = (64 + T * 8);
+	offset = 1;
+
+	if (T > 8) {
+		return 0;
+	}
+	if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length)
+		return 0;
+
+	*q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
+	offset += SHA_DIGEST_LENGTH;
+
+	*p = BN_bin2bn(key+offset, (int)length, NULL);
+	offset += length;
+
+	*g = BN_bin2bn(key+offset, (int)length, NULL);
+	offset += length;
+
+	*y = BN_bin2bn(key+offset, (int)length, NULL);
+
+	if(!*q || !*p || !*g || !*y) {
+		BN_free(*q);
+		BN_free(*p);
+		BN_free(*g);
+		BN_free(*y);
+		return 0;
+	}
+	return 1;
+}
+
+#ifndef HAVE_OSSL_PARAM_BLD_NEW
+DSA *
+gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
+{
+	DSA *dsa;
+	BIGNUM *Q=NULL, *P=NULL, *G=NULL, *Y=NULL;
+	if(!gldns_key_dsa_buf_bignum(key, len, &P, &Q, &G, &Y)) {
+		return NULL;
+	}
+	/* create the key and set its properties */
+	if(!(dsa = DSA_new())) {
+		return NULL;
+	}
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || \
+        (defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x02070000f)
+#ifndef S_SPLINT_S
+	dsa->p = P;
+	dsa->q = Q;
+	dsa->g = G;
+	dsa->pub_key = Y;
+#endif /* splint */
+
+#else /* OPENSSL_VERSION_NUMBER */
+	if (!DSA_set0_pqg(dsa, P, Q, G)) {
+		/* QPG not yet attached, need to free */
+		BN_free(Q);
+		BN_free(P);
+		BN_free(G);
+
+		DSA_free(dsa);
+		BN_free(Y);
+		return NULL;
+	}
+	if (!DSA_set0_key(dsa, Y, NULL)) {
+		/* QPG attached, cleaned up by DSA_fre() */
+		DSA_free(dsa);
+		BN_free(Y);
+		return NULL;
+	}
+#endif
+
+	return dsa;
+}
+#endif /* HAVE_OSSL_PARAM_BLD_NEW */
+
+EVP_PKEY *gldns_key_dsa2pkey_raw(unsigned char* key, size_t len)
+{
+#ifdef HAVE_OSSL_PARAM_BLD_NEW
+	EVP_PKEY* evp_key = NULL;
+	EVP_PKEY_CTX* ctx;
+	BIGNUM *p=NULL, *q=NULL, *g=NULL, *y=NULL;
+	OSSL_PARAM_BLD* param_bld;
+	OSSL_PARAM* params = NULL;
+	if(!gldns_key_dsa_buf_bignum(key, len, &p, &q, &g, &y)) {
+		return NULL;
+	}
+
+	param_bld = OSSL_PARAM_BLD_new();
+	if(!param_bld) {
+		BN_free(p);
+		BN_free(q);
+		BN_free(g);
+		BN_free(y);
+		return NULL;
+	}
+	if(!OSSL_PARAM_BLD_push_BN(param_bld, "p", p) ||
+	   !OSSL_PARAM_BLD_push_BN(param_bld, "g", g) ||
+	   !OSSL_PARAM_BLD_push_BN(param_bld, "q", q) ||
+	   !OSSL_PARAM_BLD_push_BN(param_bld, "pub", y)) {
+		OSSL_PARAM_BLD_free(param_bld);
+		BN_free(p);
+		BN_free(q);
+		BN_free(g);
+		BN_free(y);
+		return NULL;
+	}
+	params = OSSL_PARAM_BLD_to_param(param_bld);
+	OSSL_PARAM_BLD_free(param_bld);
+
+	ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+	if(!ctx) {
+		OSSL_PARAM_free(params);
+		BN_free(p);
+		BN_free(q);
+		BN_free(g);
+		BN_free(y);
+		return NULL;
+	}
+	if(EVP_PKEY_fromdata_init(ctx) <= 0) {
+		EVP_PKEY_CTX_free(ctx);
+		OSSL_PARAM_free(params);
+		BN_free(p);
+		BN_free(q);
+		BN_free(g);
+		BN_free(y);
+		return NULL;
+	}
+	if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
+		EVP_PKEY_CTX_free(ctx);
+		OSSL_PARAM_free(params);
+		BN_free(p);
+		BN_free(q);
+		BN_free(g);
+		BN_free(y);
+		return NULL;
+	}
+
+	EVP_PKEY_CTX_free(ctx);
+	OSSL_PARAM_free(params);
+	BN_free(p);
+	BN_free(q);
+	BN_free(g);
+	BN_free(y);
+	return evp_key;
+#else
+	DSA* dsa;
+	EVP_PKEY* evp_key = EVP_PKEY_new();
+	if(!evp_key) {
+		return NULL;
+	}
+	dsa = gldns_key_buf2dsa_raw(key, len);
+	if(!dsa) {
+		EVP_PKEY_free(evp_key);
+		return NULL;
+	}
+	if(EVP_PKEY_assign_DSA(evp_key, dsa) == 0) {
+		DSA_free(dsa);
+		EVP_PKEY_free(evp_key);
+		return NULL;
+	}
+	return evp_key;
+#endif
+}
+
+/* Retrieve params as BIGNUM from raw buffer, n is modulus, e is exponent */
+static int
+gldns_key_rsa_buf_bignum(unsigned char* key, size_t len, BIGNUM** n,
+	BIGNUM** e)
+{
+	uint16_t offset;
+	uint16_t exp;
+	uint16_t int16;
+
+	if (len == 0)
+		return 0;
+	if (key[0] == 0) {
+		if(len < 3)
+			return 0;
+		memmove(&int16, key+1, 2);
+		exp = ntohs(int16);
+		offset = 3;
+	} else {
+		exp = key[0];
+		offset = 1;
+	}
+
+	/* key length at least one */
+	if(len < (size_t)offset + exp + 1)
+		return 0;
+
+	/* Exponent */
+	*e = BN_new();
+	if(!*e) return 0;
+	(void) BN_bin2bn(key+offset, (int)exp, *e);
+	offset += exp;
+
+	/* Modulus */
+	*n = BN_new();
+	if(!*n) {
+		BN_free(*e);
+		return 0;
+	}
+	/* length of the buffer must match the key length! */
+	(void) BN_bin2bn(key+offset, (int)(len - offset), *n);
+	return 1;
+}
+
+#ifndef HAVE_OSSL_PARAM_BLD_NEW
+RSA *
+gldns_key_buf2rsa_raw(unsigned char* key, size_t len)
+{
+	BIGNUM* modulus = NULL;
+	BIGNUM* exponent = NULL;
+	RSA *rsa;
+	if(!gldns_key_rsa_buf_bignum(key, len, &modulus, &exponent))
+		return NULL;
+	rsa = RSA_new();
+	if(!rsa) {
+		BN_free(exponent);
+		BN_free(modulus);
+		return NULL;
+	}
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || \
+        (defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x02070000f)
+#ifndef S_SPLINT_S
+	rsa->n = modulus;
+	rsa->e = exponent;
+#endif /* splint */
+
+#else /* OPENSSL_VERSION_NUMBER */
+	if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
+		BN_free(exponent);
+		BN_free(modulus);
+		RSA_free(rsa);
+		return NULL;
+	}
+#endif
+
+	return rsa;
+}
+#endif /* HAVE_OSSL_PARAM_BLD_NEW */
+
+EVP_PKEY* gldns_key_rsa2pkey_raw(unsigned char* key, size_t len)
+{
+#ifdef HAVE_OSSL_PARAM_BLD_NEW
+	EVP_PKEY* evp_key = NULL;
+	EVP_PKEY_CTX* ctx;
+	BIGNUM *n=NULL, *e=NULL;
+	OSSL_PARAM_BLD* param_bld;
+	OSSL_PARAM* params = NULL;
+
+	if(!gldns_key_rsa_buf_bignum(key, len, &n, &e)) {
+		return NULL;
+	}
+
+	param_bld = OSSL_PARAM_BLD_new();
+	if(!param_bld) {
+		BN_free(n);
+		BN_free(e);
+		return NULL;
+	}
+	if(!OSSL_PARAM_BLD_push_BN(param_bld, "n", n)) {
+		OSSL_PARAM_BLD_free(param_bld);
+		BN_free(n);
+		BN_free(e);
+		return NULL;
+	}
+	if(!OSSL_PARAM_BLD_push_BN(param_bld, "e", e)) {
+		OSSL_PARAM_BLD_free(param_bld);
+		BN_free(n);
+		BN_free(e);
+		return NULL;
+	}
+	params = OSSL_PARAM_BLD_to_param(param_bld);
+	OSSL_PARAM_BLD_free(param_bld);
+
+	ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+	if(!ctx) {
+		OSSL_PARAM_free(params);
+		BN_free(n);
+		BN_free(e);
+		return NULL;
+	}
+	if(EVP_PKEY_fromdata_init(ctx) <= 0) {
+		EVP_PKEY_CTX_free(ctx);
+		OSSL_PARAM_free(params);
+		BN_free(n);
+		BN_free(e);
+		return NULL;
+	}
+	if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
+		EVP_PKEY_CTX_free(ctx);
+		OSSL_PARAM_free(params);
+		BN_free(n);
+		BN_free(e);
+		return NULL;
+	}
+
+	EVP_PKEY_CTX_free(ctx);
+	OSSL_PARAM_free(params);
+	BN_free(n);
+	BN_free(e);
+	return evp_key;
+#else
+	RSA* rsa;
+	EVP_PKEY *evp_key = EVP_PKEY_new();
+	if(!evp_key) {
+		return NULL;
+	}
+	rsa = gldns_key_buf2rsa_raw(key, len);
+	if(!rsa) {
+		EVP_PKEY_free(evp_key);
+		return NULL;
+	}
+	if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) {
+		RSA_free(rsa);
+		EVP_PKEY_free(evp_key);
+		return NULL;
+	}
+	return evp_key;
+#endif
+}
+
+#ifdef USE_GOST
+EVP_PKEY*
+gldns_gost2pkey_raw(unsigned char* key, size_t keylen)
+{
+	/* prefix header for X509 encoding */
+	uint8_t asn[37] = { 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85, 
+		0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07, 0x2a, 0x85, 
+		0x03, 0x02, 0x02, 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 
+		0x02, 0x02, 0x1e, 0x01, 0x03, 0x43, 0x00, 0x04, 0x40};
+	unsigned char encoded[37+64];
+	const unsigned char* pp;
+	if(keylen != 64) {
+		/* key wrong size */
+		return NULL;
+	}
+
+	/* create evp_key */
+	memmove(encoded, asn, 37);
+	memmove(encoded+37, key, 64);
+	pp = (unsigned char*)&encoded[0];
+
+	return d2i_PUBKEY(NULL, &pp, (int)sizeof(encoded));
+}
+#endif /* USE_GOST */
+
+#ifdef USE_ECDSA
+EVP_PKEY*
+gldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
+{
+#ifdef HAVE_OSSL_PARAM_BLD_NEW
+	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
+	EVP_PKEY *evp_key = NULL;
+	EVP_PKEY_CTX* ctx;
+	OSSL_PARAM_BLD* param_bld;
+	OSSL_PARAM* params = NULL;
+	char* group = NULL;
+
+	/* check length, which uncompressed must be 2 bignums */
+	if(algo == GLDNS_ECDSAP256SHA256) {
+		if(keylen != 2*256/8) return NULL;
+		group = "prime256v1";
+	} else if(algo == GLDNS_ECDSAP384SHA384) {
+		if(keylen != 2*384/8) return NULL;
+		group = "P-384";
+	} else {
+		return NULL;
+	}
+	if(keylen+1 > sizeof(buf)) { /* sanity check */
+		return NULL;
+	}
+	/* prepend the 0x04 for uncompressed format */
+	buf[0] = POINT_CONVERSION_UNCOMPRESSED;
+	memmove(buf+1, key, keylen);
+
+	param_bld = OSSL_PARAM_BLD_new();
+	if(!param_bld) {
+		return NULL;
+	}
+	if(!OSSL_PARAM_BLD_push_utf8_string(param_bld, "group", group, 0) ||
+	   !OSSL_PARAM_BLD_push_octet_string(param_bld, "pub", buf, keylen+1)) {
+		OSSL_PARAM_BLD_free(param_bld);
+		return NULL;
+	}
+	params = OSSL_PARAM_BLD_to_param(param_bld);
+	OSSL_PARAM_BLD_free(param_bld);
+
+	ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
+	if(!ctx) {
+		OSSL_PARAM_free(params);
+		return NULL;
+	}
+	if(EVP_PKEY_fromdata_init(ctx) <= 0) {
+		EVP_PKEY_CTX_free(ctx);
+		OSSL_PARAM_free(params);
+		return NULL;
+	}
+	if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
+		EVP_PKEY_CTX_free(ctx);
+		OSSL_PARAM_free(params);
+		return NULL;
+	}
+	EVP_PKEY_CTX_free(ctx);
+	OSSL_PARAM_free(params);
+	return evp_key;
+#else
+	unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
+        const unsigned char* pp = buf;
+        EVP_PKEY *evp_key;
+        EC_KEY *ec;
+	/* check length, which uncompressed must be 2 bignums */
+        if(algo == GLDNS_ECDSAP256SHA256) {
+		if(keylen != 2*256/8) return NULL;
+                ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+        } else if(algo == GLDNS_ECDSAP384SHA384) {
+		if(keylen != 2*384/8) return NULL;
+                ec = EC_KEY_new_by_curve_name(NID_secp384r1);
+        } else    ec = NULL;
+        if(!ec) return NULL;
+	if(keylen+1 > sizeof(buf)) { /* sanity check */
+                EC_KEY_free(ec);
+		return NULL;
+	}
+	/* prepend the 0x02 (from docs) (or actually 0x04 from implementation
+	 * of openssl) for uncompressed data */
+	buf[0] = POINT_CONVERSION_UNCOMPRESSED;
+	memmove(buf+1, key, keylen);
+        if(!o2i_ECPublicKey(&ec, &pp, (int)keylen+1)) {
+                EC_KEY_free(ec);
+                return NULL;
+        }
+        evp_key = EVP_PKEY_new();
+        if(!evp_key) {
+                EC_KEY_free(ec);
+                return NULL;
+        }
+        if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) {
+		EVP_PKEY_free(evp_key);
+		EC_KEY_free(ec);
+		return NULL;
+	}
+        return evp_key;
+#endif /* HAVE_OSSL_PARAM_BLD_NEW */
+}
+#endif /* USE_ECDSA */
+
+#ifdef USE_ED25519
+EVP_PKEY*
+gldns_ed255192pkey_raw(const unsigned char* key, size_t keylen)
+{
+	/* ASN1 for ED25519 is 302a300506032b6570032100 <32byteskey> */
+	uint8_t pre[] = {0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+		0x70, 0x03, 0x21, 0x00};
+	int pre_len = 12;
+	uint8_t buf[256];
+	EVP_PKEY *evp_key;
+	/* pp gets modified by d2i() */
+	const unsigned char* pp = (unsigned char*)buf;
+	if(keylen != 32 || keylen + pre_len > sizeof(buf))
+		return NULL; /* wrong length */
+	memmove(buf, pre, pre_len);
+	memmove(buf+pre_len, key, keylen);
+	evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
+	return evp_key;
+}
+#endif /* USE_ED25519 */
+
+#ifdef USE_ED448
+EVP_PKEY*
+gldns_ed4482pkey_raw(const unsigned char* key, size_t keylen)
+{
+	/* ASN1 for ED448 is 3043300506032b6571033a00 <57byteskey> */
+	uint8_t pre[] = {0x30, 0x43, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+		0x71, 0x03, 0x3a, 0x00};
+        int pre_len = 12;
+	uint8_t buf[256];
+        EVP_PKEY *evp_key;
+	/* pp gets modified by d2i() */
+        const unsigned char* pp = (unsigned char*)buf;
+	if(keylen != 57 || keylen + pre_len > sizeof(buf))
+		return NULL; /* wrong length */
+	memmove(buf, pre, pre_len);
+	memmove(buf+pre_len, key, keylen);
+	evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
+        return evp_key;
+}
+#endif /* USE_ED448 */
+
+int
+gldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
+	const EVP_MD* md)
+{
+	EVP_MD_CTX* ctx;
+	ctx = EVP_MD_CTX_create();
+	if(!ctx)
+		return 0;
+	if(!EVP_DigestInit_ex(ctx, md, NULL) ||
+		!EVP_DigestUpdate(ctx, data, len) ||
+		!EVP_DigestFinal_ex(ctx, dest, NULL)) {
+		EVP_MD_CTX_destroy(ctx);
+		return 0;
+	}
+	EVP_MD_CTX_destroy(ctx);
+	return 1;
+}
+#endif /* HAVE_SSL */

src/openssl/keyraw-internal.h

@@ -0,0 +1,130 @@
+/*
+ * keyraw.h -- raw key and signature access and conversion - OpenSSL
+ *
+ * Copyright (c) 2005-2008, NLnet Labs. All rights reserved.
+ *
+ * See LICENSE for the license.
+ *
+ */
+
+/**
+ * \file
+ *
+ * raw key and signature access and conversion
+ *
+ * Since those functions heavily rely op cryptographic operations,
+ * this module is dependent on openssl.
+ * 
+ */
+ 
+#ifndef GLDNS_KEYRAW_INTERNAL_H
+#define GLDNS_KEYRAW_INTERNAL_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+#if GLDNS_BUILD_CONFIG_HAVE_SSL
+#  include <openssl/ssl.h>
+#  include <openssl/evp.h>
+
+/** 
+ * Get the PKEY id for GOST, loads GOST into openssl as a side effect.
+ * Only available if GOST is compiled into the library and openssl.
+ * \return the gost id for EVP_CTX creation.
+ */
+int gldns_key_EVP_load_gost_id(void);
+
+/** Release the engine reference held for the GOST engine. */
+void gldns_key_EVP_unload_gost(void);
+
+#ifndef HAVE_OSSL_PARAM_BLD_NEW
+/**
+ * Like gldns_key_buf2dsa, but uses raw buffer.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return a DSA * structure with the key material
+ */
+DSA *gldns_key_buf2dsa_raw(unsigned char* key, size_t len);
+#endif
+
+/**
+ * Converts a holding buffer with DSA key material to EVP PKEY in openssl.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY *gldns_key_dsa2pkey_raw(unsigned char* key, size_t len);
+
+/**
+ * Converts a holding buffer with key material to EVP PKEY in openssl.
+ * Only available if ldns was compiled with GOST.
+ * \param[in] key data to convert
+ * \param[in] keylen length of the key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* gldns_gost2pkey_raw(unsigned char* key, size_t keylen);
+
+/**
+ * Converts a holding buffer with key material to EVP PKEY in openssl.
+ * Only available if ldns was compiled with ECDSA.
+ * \param[in] key data to convert
+ * \param[in] keylen length of the key data
+ * \param[in] algo precise algorithm to initialize ECC group values.
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* gldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);
+
+#ifndef HAVE_OSSL_PARAM_BLD_NEW
+/**
+ * Like gldns_key_buf2rsa, but uses raw buffer.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return a RSA * structure with the key material
+ */
+RSA *gldns_key_buf2rsa_raw(unsigned char* key, size_t len);
+#endif
+
+/**
+ * Converts a holding buffer with RSA key material to EVP PKEY in openssl.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* gldns_key_rsa2pkey_raw(unsigned char* key, size_t len);
+
+/**
+ * Converts a holding buffer with key material to EVP PKEY in openssl.
+ * Only available if ldns was compiled with ED25519.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* gldns_ed255192pkey_raw(const unsigned char* key, size_t len);
+
+/**
+ * Converts a holding buffer with key material to EVP PKEY in openssl.
+ * Only available if ldns was compiled with ED448.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* gldns_ed4482pkey_raw(const unsigned char* key, size_t len);
+
+/**
+ * Utility function to calculate hash using generic EVP_MD pointer.
+ * \param[in] data the data to hash.
+ * \param[in] len  length of data.
+ * \param[out] dest the destination of the hash, must be large enough.
+ * \param[in] md the message digest to use.
+ * \return true if worked, false on failure.
+ */
+int gldns_digest_evp(unsigned char* data, unsigned int len, 
+	unsigned char* dest, const EVP_MD* md);
+
+#endif /* GLDNS_BUILD_CONFIG_HAVE_SSL */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* GLDNS_KEYRAW_INTERNAL_H */

src/openssl/pubkey-pinning-internal.c

@@ -0,0 +1,90 @@
+/**
+ *
+ * /brief functions for Public Key Pinning
+ *
+ */
+
+/*
+ * Copyright (c) 2015, Daniel Kahn Gillmor
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * getdns Public Key Pinning
+ * 
+ * a public key pinset is a list of dicts.  each dict should have a
+ * "digest" and a "value".
+ * 
+ * "digest": a string indicating the type of digest. at the moment, we
+ *           only support a "digest" of "sha256".
+ * 
+ * "value": a binary representation of the digest provided.
+ * 
+ * given a such a pinset, we should be able to validate a chain
+ * properly according to section 2.6 of RFC 7469.
+ */
+#include "config.h"
+#include "debug.h"
+#include <getdns/getdns.h>
+#include <openssl/evp.h>
+#include <openssl/bio.h>
+#include <openssl/sha.h>
+#include <openssl/x509.h>
+#include <string.h>
+#include "context.h"
+#include "util-internal.h"
+
+#include "pubkey-pinning-internal.h"
+
+/* we only support sha256 at the moment.  adding support for another
+   digest is more complex than just adding another entry here. in
+   particular, you'll probably need a match for a particular cert
+   against all supported algorithms.  better to wait on doing that
+   until it is a better-understood problem (i.e. wait until hpkp is
+   updated and follow the guidance in rfc7469bis)
+*/
+
+/* b64 turns every 3 octets (or fraction thereof) into 4 octets */
+#define B64_ENCODED_SHA256_LENGTH (((SHA256_DIGEST_LENGTH + 2)/3)  * 4)
+getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_size)
+{
+	BIO *bio = NULL;
+	char inbuf[B64_ENCODED_SHA256_LENGTH + 1];
+	getdns_return_t ret = GETDNS_RETURN_GOOD;
+
+	/* openssl needs a trailing newline to base64 decode */
+	memcpy(inbuf, str, B64_ENCODED_SHA256_LENGTH);
+	inbuf[B64_ENCODED_SHA256_LENGTH] = '\n';
+	
+	bio = BIO_push(BIO_new(BIO_f_base64()),
+		       BIO_new_mem_buf(inbuf, sizeof(inbuf)));
+	if (BIO_read(bio, res, res_size) != (int) res_size)
+		ret = GETDNS_RETURN_GENERIC_ERROR;
+
+	BIO_free_all(bio);
+	return ret;
+}
+
+/* pubkey-pinning.c */

src/openssl/tls-internal.h

@@ -0,0 +1,84 @@
+/**
+ *
+ * \file tls-internal.h
+ * @brief getdns TLS implementation-specific items
+ */
+
+/*
+ * Copyright (c) 2018-2019, NLnet Labs
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ *   names of its contributors may be used to endorse or promote products
+ *   derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _GETDNS_TLS_INTERNAL_H
+#define _GETDNS_TLS_INTERNAL_H
+
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/ssl.h>
+#include <openssl/x509.h>
+
+#include "getdns/getdns.h"
+
+#ifndef HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
+#define HAVE_TLS_CTX_CURVES_LIST	0
+#else
+#define HAVE_TLS_CTX_CURVES_LIST	(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST)
+#endif
+#ifndef HAVE_DECL_SSL_SET1_CURVES_LIST
+#define HAVE_TLS_CONN_CURVES_LIST	0
+#else
+#define HAVE_TLS_CONN_CURVES_LIST	(HAVE_DECL_SSL_SET1_CURVES_LIST)
+#endif
+
+#define GETDNS_TLS_MAX_DIGEST_LENGTH	(EVP_MAX_MD_SIZE)
+
+/* Forward declare type. */
+struct sha256_pin;
+struct getdns_log_config;
+
+typedef struct _getdns_tls_context {
+	SSL_CTX* ssl;
+	const struct getdns_log_config* log;
+} _getdns_tls_context;
+
+typedef struct _getdns_tls_connection {
+	SSL* ssl;
+	const struct getdns_log_config* log;
+#if defined(USE_DANESSL)
+	const char* auth_name;
+	const struct sha256_pin* pinset;
+#endif
+} _getdns_tls_connection;
+
+typedef struct _getdns_tls_session {
+	SSL_SESSION* ssl;
+} _getdns_tls_session;
+
+typedef struct _getdns_tls_x509
+{
+	X509* ssl;
+} _getdns_tls_x509;
+
+#endif /* _GETDNS_TLS_INTERNAL_H */