added unbound to external deps

13 files changed, 7769 insertions, 0 deletions

diff --git a/external/unbound/daemon/acl_list.c b/external/unbound/daemon/acl_list.c
new file mode 100644
index 000000000..84d099ca5
--- /dev/null
+++ b/external/unbound/daemon/acl_list.c
@@ -0,0 +1,180 @@
+/*
+ * daemon/acl_list.h - client access control storage for the server.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file helps the server keep out queries from outside sources, that
+ * should not be answered.
+ */
+#include "config.h"
+#include "daemon/acl_list.h"
+#include "util/regional.h"
+#include "util/log.h"
+#include "util/config_file.h"
+#include "util/net_help.h"
+
+struct acl_list* 
+acl_list_create(void)
+{
+	struct acl_list* acl = (struct acl_list*)calloc(1,
+		sizeof(struct acl_list));
+	if(!acl)
+		return NULL;
+	acl->region = regional_create();
+	if(!acl->region) {
+		acl_list_delete(acl);
+		return NULL;
+	}
+	return acl;
+}
+
+void 
+acl_list_delete(struct acl_list* acl)
+{
+	if(!acl) 
+		return;
+	regional_destroy(acl->region);
+	free(acl);
+}
+
+/** insert new address into acl_list structure */
+static int
+acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr, 
+	socklen_t addrlen, int net, enum acl_access control, 
+	int complain_duplicates)
+{
+	struct acl_addr* node = regional_alloc(acl->region,
+		sizeof(struct acl_addr));
+	if(!node)
+		return 0;
+	node->control = control;
+	if(!addr_tree_insert(&acl->tree, &node->node, addr, addrlen, net)) {
+		if(complain_duplicates)
+			verbose(VERB_QUERY, "duplicate acl address ignored.");
+	}
+	return 1;
+}
+
+/** apply acl_list string */
+static int
+acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
+	int complain_duplicates)
+{
+	struct sockaddr_storage addr;
+	int net;
+	socklen_t addrlen;
+	enum acl_access control;
+	if(strcmp(s2, "allow") == 0)
+		control = acl_allow;
+	else if(strcmp(s2, "deny") == 0)
+		control = acl_deny;
+	else if(strcmp(s2, "refuse") == 0)
+		control = acl_refuse;
+	else if(strcmp(s2, "deny_non_local") == 0)
+		control = acl_deny_non_local;
+	else if(strcmp(s2, "refuse_non_local") == 0)
+		control = acl_refuse_non_local;
+	else if(strcmp(s2, "allow_snoop") == 0)
+		control = acl_allow_snoop;
+	else {
+		log_err("access control type %s unknown", str);
+		return 0;
+	}
+	if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) {
+		log_err("cannot parse access control: %s %s", str, s2);
+		return 0;
+	}
+	if(!acl_list_insert(acl, &addr, addrlen, net, control, 
+		complain_duplicates)) {
+		log_err("out of memory");
+		return 0;
+	}
+	return 1;
+}
+
+/** read acl_list config */
+static int 
+read_acl_list(struct acl_list* acl, struct config_file* cfg)
+{
+	struct config_str2list* p;
+	for(p = cfg->acls; p; p = p->next) {
+		log_assert(p->str && p->str2);
+		if(!acl_list_str_cfg(acl, p->str, p->str2, 1))
+			return 0;
+	}
+	return 1;
+}
+
+int 
+acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg)
+{
+	regional_free_all(acl->region);
+	addr_tree_init(&acl->tree);
+	if(!read_acl_list(acl, cfg))
+		return 0;
+	/* insert defaults, with '0' to ignore them if they are duplicates */
+	if(!acl_list_str_cfg(acl, "0.0.0.0/0", "refuse", 0))
+		return 0;
+	if(!acl_list_str_cfg(acl, "127.0.0.0/8", "allow", 0))
+		return 0;
+	if(cfg->do_ip6) {
+		if(!acl_list_str_cfg(acl, "::0/0", "refuse", 0))
+			return 0;
+		if(!acl_list_str_cfg(acl, "::1", "allow", 0))
+			return 0;
+		if(!acl_list_str_cfg(acl, "::ffff:127.0.0.1", "allow", 0))
+			return 0;
+	}
+	addr_tree_init_parents(&acl->tree);
+	return 1;
+}
+
+enum acl_access 
+acl_list_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
+        socklen_t addrlen)
+{
+	struct acl_addr* r = (struct acl_addr*)addr_tree_lookup(&acl->tree,
+		addr, addrlen);
+	if(r) return r->control;
+	return acl_deny;
+}
+
+size_t 
+acl_list_get_mem(struct acl_list* acl)
+{
+	if(!acl) return 0;
+	return sizeof(*acl) + regional_get_mem(acl->region);
+}
diff --git a/external/unbound/daemon/acl_list.h b/external/unbound/daemon/acl_list.h
new file mode 100644
index 000000000..2323697d5
--- /dev/null
+++ b/external/unbound/daemon/acl_list.h
@@ -0,0 +1,129 @@
+/*
+ * daemon/acl_list.h - client access control storage for the server.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file keeps track of the list of clients that are allowed to 
+ * access the server.
+ */
+
+#ifndef DAEMON_ACL_LIST_H
+#define DAEMON_ACL_LIST_H
+#include "util/storage/dnstree.h"
+struct config_file;
+struct regional;
+
+/**
+ * Enumeration of access control options for an address range.
+ * Allow or deny access.
+ */
+enum acl_access {
+	/** disallow any access whatsoever, drop it */
+	acl_deny = 0,
+	/** disallow access, send a polite 'REFUSED' reply */
+	acl_refuse,
+	/** disallow any access to zones that aren't local, drop it */
+	acl_deny_non_local,
+	/** disallow access to zones that aren't local, 'REFUSED' reply */
+	acl_refuse_non_local,
+	/** allow full access for recursion (+RD) queries */
+	acl_allow,
+	/** allow full access for all queries, recursion and cache snooping */
+	acl_allow_snoop
+};
+
+/**
+ * Access control storage structure
+ */
+struct acl_list {
+	/** regional for allocation */
+	struct regional* region;
+	/** 
+	 * Tree of the addresses that are allowed/blocked.
+	 * contents of type acl_addr.
+	 */
+	rbtree_t tree;
+};
+
+/**
+ *
+ * An address span with access control information
+ */
+struct acl_addr {
+	/** node in address tree */
+	struct addr_tree_node node;
+	/** access control on this netblock */
+	enum acl_access control;
+};
+
+/**
+ * Create acl structure 
+ * @return new structure or NULL on error.
+ */
+struct acl_list* acl_list_create(void);
+
+/**
+ * Delete acl structure.
+ * @param acl: to delete.
+ */
+void acl_list_delete(struct acl_list* acl);
+
+/**
+ * Process access control config.
+ * @param acl: where to store.
+ * @param cfg: config options.
+ * @return 0 on error.
+ */
+int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg);
+
+/**
+ * Lookup address to see its access control status.
+ * @param acl: structure for address storage.
+ * @param addr: address to check
+ * @param addrlen: length of addr.
+ * @return: what to do with message from this address.
+ */
+enum acl_access acl_list_lookup(struct acl_list* acl, 
+	struct sockaddr_storage* addr, socklen_t addrlen);
+
+/**
+ * Get memory used by acl structure.
+ * @param acl: structure for address storage.
+ * @return bytes in use.
+ */
+size_t acl_list_get_mem(struct acl_list* acl);
+
+#endif /* DAEMON_ACL_LIST_H */
diff --git a/external/unbound/daemon/cachedump.c b/external/unbound/daemon/cachedump.c
new file mode 100644
index 000000000..cf5b1a12c
--- /dev/null
+++ b/external/unbound/daemon/cachedump.c
@@ -0,0 +1,886 @@
+/*
+ * daemon/cachedump.c - dump the cache to text format.
+ *
+ * Copyright (c) 2008, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains functions to read and write the cache(s)
+ * to text format.
+ */
+#include "config.h"
+#include <openssl/ssl.h>
+#include "daemon/cachedump.h"
+#include "daemon/remote.h"
+#include "daemon/worker.h"
+#include "services/cache/rrset.h"
+#include "services/cache/dns.h"
+#include "services/cache/infra.h"
+#include "util/data/msgreply.h"
+#include "util/regional.h"
+#include "util/net_help.h"
+#include "util/data/dname.h"
+#include "iterator/iterator.h"
+#include "iterator/iter_delegpt.h"
+#include "iterator/iter_utils.h"
+#include "iterator/iter_fwd.h"
+#include "iterator/iter_hints.h"
+#include "ldns/sbuffer.h"
+#include "ldns/wire2str.h"
+#include "ldns/str2wire.h"
+
+/** dump one rrset zonefile line */
+static int
+dump_rrset_line(SSL* ssl, struct ub_packed_rrset_key* k, time_t now, size_t i)
+{
+	char s[65535];
+	if(!packed_rr_to_string(k, i, now, s, sizeof(s))) {
+		return ssl_printf(ssl, "BADRR\n");
+	}
+	return ssl_printf(ssl, "%s", s);
+}
+
+/** dump rrset key and data info */
+static int
+dump_rrset(SSL* ssl, struct ub_packed_rrset_key* k, 
+	struct packed_rrset_data* d, time_t now)
+{
+	size_t i;
+	/* rd lock held by caller */
+	if(!k || !d) return 1;
+	if(d->ttl < now) return 1; /* expired */
+
+	/* meta line */
+	if(!ssl_printf(ssl, ";rrset%s " ARG_LL "d %u %u %d %d\n",
+		(k->rk.flags & PACKED_RRSET_NSEC_AT_APEX)?" nsec_apex":"",
+		(long long)(d->ttl - now),
+		(unsigned)d->count, (unsigned)d->rrsig_count,
+		(int)d->trust, (int)d->security
+		)) 
+		return 0;
+	for(i=0; i<d->count + d->rrsig_count; i++) {
+		if(!dump_rrset_line(ssl, k, now, i))
+			return 0;
+	}
+	return 1;
+}
+
+/** dump lruhash rrset cache */
+static int
+dump_rrset_lruhash(SSL* ssl, struct lruhash* h, time_t now)
+{
+	struct lruhash_entry* e;
+	/* lruhash already locked by caller */
+	/* walk in order of lru; best first */
+	for(e=h->lru_start; e; e = e->lru_next) {
+		lock_rw_rdlock(&e->lock);
+		if(!dump_rrset(ssl, (struct ub_packed_rrset_key*)e->key,
+			(struct packed_rrset_data*)e->data, now)) {
+			lock_rw_unlock(&e->lock);
+			return 0;
+		}
+		lock_rw_unlock(&e->lock);
+	}
+	return 1;
+}
+
+/** dump rrset cache */
+static int
+dump_rrset_cache(SSL* ssl, struct worker* worker)
+{
+	struct rrset_cache* r = worker->env.rrset_cache;
+	size_t slab;
+	if(!ssl_printf(ssl, "START_RRSET_CACHE\n")) return 0;
+	for(slab=0; slab<r->table.size; slab++) {
+		lock_quick_lock(&r->table.array[slab]->lock);
+		if(!dump_rrset_lruhash(ssl, r->table.array[slab],
+			*worker->env.now)) {
+			lock_quick_unlock(&r->table.array[slab]->lock);
+			return 0;
+		}
+		lock_quick_unlock(&r->table.array[slab]->lock);
+	}
+	return ssl_printf(ssl, "END_RRSET_CACHE\n");
+}
+
+/** dump message to rrset reference */
+static int
+dump_msg_ref(SSL* ssl, struct ub_packed_rrset_key* k)
+{
+	char* nm, *tp, *cl;
+	nm = sldns_wire2str_dname(k->rk.dname, k->rk.dname_len);
+	tp = sldns_wire2str_type(ntohs(k->rk.type));
+	cl = sldns_wire2str_class(ntohs(k->rk.rrset_class));
+	if(!nm || !cl || !tp) {
+		free(nm);
+		free(tp);
+		free(cl);
+		return ssl_printf(ssl, "BADREF\n");
+	}
+	if(!ssl_printf(ssl, "%s %s %s %d\n", nm, cl, tp, (int)k->rk.flags)) {
+		free(nm);
+		free(tp);
+		free(cl);
+		return 0;
+	}
+	free(nm);
+	free(tp);
+	free(cl);
+
+	return 1;
+}
+
+/** dump message entry */
+static int
+dump_msg(SSL* ssl, struct query_info* k, struct reply_info* d, 
+	time_t now)
+{
+	size_t i;
+	char* nm, *tp, *cl;
+	if(!k || !d) return 1;
+	if(d->ttl < now) return 1; /* expired */
+	
+	nm = sldns_wire2str_dname(k->qname, k->qname_len);
+	tp = sldns_wire2str_type(k->qtype);
+	cl = sldns_wire2str_class(k->qclass);
+	if(!nm || !tp || !cl) {
+		free(nm);
+		free(tp);
+		free(cl);
+		return 1; /* skip this entry */
+	}
+	if(!rrset_array_lock(d->ref, d->rrset_count, now)) {
+		/* rrsets have timed out or do not exist */
+		free(nm);
+		free(tp);
+		free(cl);
+		return 1; /* skip this entry */
+	}
+	
+	/* meta line */
+	if(!ssl_printf(ssl, "msg %s %s %s %d %d " ARG_LL "d %d %u %u %u\n",
+			nm, cl, tp,
+			(int)d->flags, (int)d->qdcount, 
+			(long long)(d->ttl-now), (int)d->security,
+			(unsigned)d->an_numrrsets, 
+			(unsigned)d->ns_numrrsets,
+			(unsigned)d->ar_numrrsets)) {
+		free(nm);
+		free(tp);
+		free(cl);
+		rrset_array_unlock(d->ref, d->rrset_count);
+		return 0;
+	}
+	free(nm);
+	free(tp);
+	free(cl);
+	
+	for(i=0; i<d->rrset_count; i++) {
+		if(!dump_msg_ref(ssl, d->rrsets[i])) {
+			rrset_array_unlock(d->ref, d->rrset_count);
+			return 0;
+		}
+	}
+	rrset_array_unlock(d->ref, d->rrset_count);
+
+	return 1;
+}
+
+/** copy msg to worker pad */
+static int
+copy_msg(struct regional* region, struct lruhash_entry* e, 
+	struct query_info** k, struct reply_info** d)
+{
+	struct reply_info* rep = (struct reply_info*)e->data;
+	*d = (struct reply_info*)regional_alloc_init(region, e->data,
+		sizeof(struct reply_info) + 
+		sizeof(struct rrset_ref) * (rep->rrset_count-1) +
+		sizeof(struct ub_packed_rrset_key*) * rep->rrset_count);
+	if(!*d)
+		return 0;
+	(*d)->rrsets = (struct ub_packed_rrset_key**)(void *)(
+		(uint8_t*)(&((*d)->ref[0])) + 
+		sizeof(struct rrset_ref) * rep->rrset_count);
+	*k = (struct query_info*)regional_alloc_init(region, 
+		e->key, sizeof(struct query_info));
+	if(!*k)
+		return 0;
+	(*k)->qname = regional_alloc_init(region, 
+		(*k)->qname, (*k)->qname_len);
+	return (*k)->qname != NULL;
+}
+
+/** dump lruhash msg cache */
+static int
+dump_msg_lruhash(SSL* ssl, struct worker* worker, struct lruhash* h)
+{
+	struct lruhash_entry* e;
+	struct query_info* k;
+	struct reply_info* d;
+
+	/* lruhash already locked by caller */
+	/* walk in order of lru; best first */
+	for(e=h->lru_start; e; e = e->lru_next) {
+		regional_free_all(worker->scratchpad);
+		lock_rw_rdlock(&e->lock);
+		/* make copy of rrset in worker buffer */
+		if(!copy_msg(worker->scratchpad, e, &k, &d)) {
+			lock_rw_unlock(&e->lock);
+			return 0;
+		}
+		lock_rw_unlock(&e->lock);
+		/* release lock so we can lookup the rrset references 
+		 * in the rrset cache */
+		if(!dump_msg(ssl, k, d, *worker->env.now)) {
+			return 0;
+		}
+	}
+	return 1;
+}
+
+/** dump msg cache */
+static int
+dump_msg_cache(SSL* ssl, struct worker* worker)
+{
+	struct slabhash* sh = worker->env.msg_cache;
+	size_t slab;
+	if(!ssl_printf(ssl, "START_MSG_CACHE\n")) return 0;
+	for(slab=0; slab<sh->size; slab++) {
+		lock_quick_lock(&sh->array[slab]->lock);
+		if(!dump_msg_lruhash(ssl, worker, sh->array[slab])) {
+			lock_quick_unlock(&sh->array[slab]->lock);
+			return 0;
+		}
+		lock_quick_unlock(&sh->array[slab]->lock);
+	}
+	return ssl_printf(ssl, "END_MSG_CACHE\n");
+}
+
+int
+dump_cache(SSL* ssl, struct worker* worker)
+{
+	if(!dump_rrset_cache(ssl, worker))
+		return 0;
+	if(!dump_msg_cache(ssl, worker))
+		return 0;
+	return ssl_printf(ssl, "EOF\n");
+}
+
+/** read a line from ssl into buffer */
+static int
+ssl_read_buf(SSL* ssl, sldns_buffer* buf)
+{
+	return ssl_read_line(ssl, (char*)sldns_buffer_begin(buf), 
+		sldns_buffer_capacity(buf));
+}
+
+/** check fixed text on line */
+static int
+read_fixed(SSL* ssl, sldns_buffer* buf, const char* str)
+{
+	if(!ssl_read_buf(ssl, buf)) return 0;
+	return (strcmp((char*)sldns_buffer_begin(buf), str) == 0);
+}
+
+/** load an RR into rrset */
+static int
+load_rr(SSL* ssl, sldns_buffer* buf, struct regional* region,
+	struct ub_packed_rrset_key* rk, struct packed_rrset_data* d,
+	unsigned int i, int is_rrsig, int* go_on, time_t now)
+{
+	uint8_t rr[LDNS_RR_BUF_SIZE];
+	size_t rr_len = sizeof(rr), dname_len = 0;
+	int status;
+
+	/* read the line */
+	if(!ssl_read_buf(ssl, buf))
+		return 0;
+	if(strncmp((char*)sldns_buffer_begin(buf), "BADRR\n", 6) == 0) {
+		*go_on = 0;
+		return 1;
+	}
+	status = sldns_str2wire_rr_buf((char*)sldns_buffer_begin(buf), rr,
+		&rr_len, &dname_len, 3600, NULL, 0, NULL, 0);
+	if(status != 0) {
+		log_warn("error cannot parse rr: %s: %s",
+			sldns_get_errorstr_parse(status),
+			(char*)sldns_buffer_begin(buf));
+		return 0;
+	}
+	if(is_rrsig && sldns_wirerr_get_type(rr, rr_len, dname_len)
+		!= LDNS_RR_TYPE_RRSIG) {
+		log_warn("error expected rrsig but got %s",
+			(char*)sldns_buffer_begin(buf));
+		return 0;
+	}
+
+	/* convert ldns rr into packed_rr */
+	d->rr_ttl[i] = (time_t)sldns_wirerr_get_ttl(rr, rr_len, dname_len) + now;
+	sldns_buffer_clear(buf);
+	d->rr_len[i] = sldns_wirerr_get_rdatalen(rr, rr_len, dname_len)+2;
+	d->rr_data[i] = (uint8_t*)regional_alloc_init(region, 
+		sldns_wirerr_get_rdatawl(rr, rr_len, dname_len), d->rr_len[i]);
+	if(!d->rr_data[i]) {
+		log_warn("error out of memory");
+		return 0;
+	}
+
+	/* if first entry, fill the key structure */
+	if(i==0) {
+		rk->rk.type = htons(sldns_wirerr_get_type(rr, rr_len, dname_len));
+		rk->rk.rrset_class = htons(sldns_wirerr_get_class(rr, rr_len, dname_len));
+		rk->rk.dname_len = dname_len;
+		rk->rk.dname = regional_alloc_init(region, rr, dname_len);
+		if(!rk->rk.dname) {
+			log_warn("error out of memory");
+			return 0;
+		}
+	}
+
+	return 1;
+}
+
+/** move entry into cache */
+static int
+move_into_cache(struct ub_packed_rrset_key* k, 
+	struct packed_rrset_data* d, struct worker* worker)
+{
+	struct ub_packed_rrset_key* ak;
+	struct packed_rrset_data* ad;
+	size_t s, i, num = d->count + d->rrsig_count;
+	struct rrset_ref ref;
+	uint8_t* p;
+
+	ak = alloc_special_obtain(&worker->alloc);
+	if(!ak) {
+		log_warn("error out of memory");
+		return 0;
+	}
+	ak->entry.data = NULL;
+	ak->rk = k->rk;
+	ak->entry.hash = rrset_key_hash(&k->rk);
+	ak->rk.dname = (uint8_t*)memdup(k->rk.dname, k->rk.dname_len);
+	if(!ak->rk.dname) {
+		log_warn("error out of memory");
+		ub_packed_rrset_parsedelete(ak, &worker->alloc);
+		return 0;
+	}
+	s = sizeof(*ad) + (sizeof(size_t) + sizeof(uint8_t*) + 
+		sizeof(time_t))* num;
+	for(i=0; i<num; i++)
+		s += d->rr_len[i];
+	ad = (struct packed_rrset_data*)malloc(s);
+	if(!ad) {
+		log_warn("error out of memory");
+		ub_packed_rrset_parsedelete(ak, &worker->alloc);
+		return 0;
+	}
+	p = (uint8_t*)ad;
+	memmove(p, d, sizeof(*ad));
+	p += sizeof(*ad);
+	memmove(p, &d->rr_len[0], sizeof(size_t)*num);
+	p += sizeof(size_t)*num;
+	memmove(p, &d->rr_data[0], sizeof(uint8_t*)*num);
+	p += sizeof(uint8_t*)*num;
+	memmove(p, &d->rr_ttl[0], sizeof(time_t)*num);
+	p += sizeof(time_t)*num;
+	for(i=0; i<num; i++) {
+		memmove(p, d->rr_data[i], d->rr_len[i]);
+		p += d->rr_len[i];
+	}
+	packed_rrset_ptr_fixup(ad);
+
+	ak->entry.data = ad;
+
+	ref.key = ak;
+	ref.id = ak->id;
+	(void)rrset_cache_update(worker->env.rrset_cache, &ref,
+		&worker->alloc, *worker->env.now);
+	return 1;
+}
+
+/** load an rrset entry */
+static int
+load_rrset(SSL* ssl, sldns_buffer* buf, struct worker* worker)
+{
+	char* s = (char*)sldns_buffer_begin(buf);
+	struct regional* region = worker->scratchpad;
+	struct ub_packed_rrset_key* rk;
+	struct packed_rrset_data* d;
+	unsigned int rr_count, rrsig_count, trust, security;
+	long long ttl;
+	unsigned int i;
+	int go_on = 1;
+	regional_free_all(region);
+
+	rk = (struct ub_packed_rrset_key*)regional_alloc_zero(region, 
+		sizeof(*rk));
+	d = (struct packed_rrset_data*)regional_alloc_zero(region, sizeof(*d));
+	if(!rk || !d) {
+		log_warn("error out of memory");
+		return 0;
+	}
+
+	if(strncmp(s, ";rrset", 6) != 0) {
+		log_warn("error expected ';rrset' but got %s", s);
+		return 0;
+	}
+	s += 6;
+	if(strncmp(s, " nsec_apex", 10) == 0) {
+		s += 10;
+		rk->rk.flags |= PACKED_RRSET_NSEC_AT_APEX;
+	}
+	if(sscanf(s, " " ARG_LL "d %u %u %u %u", &ttl, &rr_count, &rrsig_count,
+		&trust, &security) != 5) {
+		log_warn("error bad rrset spec %s", s);
+		return 0;
+	}
+	if(rr_count == 0 && rrsig_count == 0) {
+		log_warn("bad rrset without contents");
+		return 0;
+	}
+	d->count = (size_t)rr_count;
+	d->rrsig_count = (size_t)rrsig_count;
+	d->security = (enum sec_status)security;
+	d->trust = (enum rrset_trust)trust;
+	d->ttl = (time_t)ttl + *worker->env.now;
+
+	d->rr_len = regional_alloc_zero(region, 
+		sizeof(size_t)*(d->count+d->rrsig_count));
+	d->rr_ttl = regional_alloc_zero(region, 
+		sizeof(time_t)*(d->count+d->rrsig_count));
+	d->rr_data = regional_alloc_zero(region, 
+		sizeof(uint8_t*)*(d->count+d->rrsig_count));
+	if(!d->rr_len || !d->rr_ttl || !d->rr_data) {
+		log_warn("error out of memory");
+		return 0;
+	}
+	
+	/* read the rr's themselves */
+	for(i=0; i<rr_count; i++) {
+		if(!load_rr(ssl, buf, region, rk, d, i, 0, 
+			&go_on, *worker->env.now)) {
+			log_warn("could not read rr %u", i);
+			return 0;
+		}
+	}
+	for(i=0; i<rrsig_count; i++) {
+		if(!load_rr(ssl, buf, region, rk, d, i+rr_count, 1, 
+			&go_on, *worker->env.now)) {
+			log_warn("could not read rrsig %u", i);
+			return 0;
+		}
+	}
+	if(!go_on) {
+		/* skip this entry */
+		return 1;
+	}
+
+	return move_into_cache(rk, d, worker);
+}
+
+/** load rrset cache */
+static int
+load_rrset_cache(SSL* ssl, struct worker* worker)
+{
+	sldns_buffer* buf = worker->env.scratch_buffer;
+	if(!read_fixed(ssl, buf, "START_RRSET_CACHE")) return 0;
+	while(ssl_read_buf(ssl, buf) && 
+		strcmp((char*)sldns_buffer_begin(buf), "END_RRSET_CACHE")!=0) {
+		if(!load_rrset(ssl, buf, worker))
+			return 0;
+	}
+	return 1;
+}
+
+/** read qinfo from next three words */
+static char*
+load_qinfo(char* str, struct query_info* qinfo, struct regional* region)
+{
+	/* s is part of the buf */
+	char* s = str;
+	uint8_t rr[LDNS_RR_BUF_SIZE];
+	size_t rr_len = sizeof(rr), dname_len = 0;
+	int status;
+
+	/* skip three words */
+	s = strchr(str, ' ');
+	if(s) s = strchr(s+1, ' ');
+	if(s) s = strchr(s+1, ' ');
+	if(!s) {
+		log_warn("error line too short, %s", str);
+		return NULL;
+	}
+	s[0] = 0;
+	s++;
+
+	/* parse them */
+	status = sldns_str2wire_rr_question_buf(str, rr, &rr_len, &dname_len,
+		NULL, 0, NULL, 0);
+	if(status != 0) {
+		log_warn("error cannot parse: %s %s",
+			sldns_get_errorstr_parse(status), str);
+		return NULL;
+	}
+	qinfo->qtype = sldns_wirerr_get_type(rr, rr_len, dname_len);
+	qinfo->qclass = sldns_wirerr_get_class(rr, rr_len, dname_len);
+	qinfo->qname_len = dname_len;
+	qinfo->qname = (uint8_t*)regional_alloc_init(region, rr, dname_len);
+	if(!qinfo->qname) {
+		log_warn("error out of memory");
+		return NULL;
+	}
+
+	return s;
+}
+
+/** load a msg rrset reference */
+static int
+load_ref(SSL* ssl, sldns_buffer* buf, struct worker* worker, 
+	struct regional *region, struct ub_packed_rrset_key** rrset, 
+	int* go_on)
+{
+	char* s = (char*)sldns_buffer_begin(buf);
+	struct query_info qinfo;
+	unsigned int flags;
+	struct ub_packed_rrset_key* k;
+
+	/* read line */
+	if(!ssl_read_buf(ssl, buf))
+		return 0;
+	if(strncmp(s, "BADREF", 6) == 0) {
+		*go_on = 0; /* its bad, skip it and skip message */
+		return 1;
+	}
+
+	s = load_qinfo(s, &qinfo, region);
+	if(!s) {
+		return 0;
+	}
+	if(sscanf(s, " %u", &flags) != 1) {
+		log_warn("error cannot parse flags: %s", s);
+		return 0;
+	}
+
+	/* lookup in cache */
+	k = rrset_cache_lookup(worker->env.rrset_cache, qinfo.qname,
+		qinfo.qname_len, qinfo.qtype, qinfo.qclass,
+		(uint32_t)flags, *worker->env.now, 0);
+	if(!k) {
+		/* not found or expired */
+		*go_on = 0;
+		return 1;
+	}
+
+	/* store in result */
+	*rrset = packed_rrset_copy_region(k, region, *worker->env.now);
+	lock_rw_unlock(&k->entry.lock);
+
+	return (*rrset != NULL);
+}
+
+/** load a msg entry */
+static int
+load_msg(SSL* ssl, sldns_buffer* buf, struct worker* worker)
+{
+	struct regional* region = worker->scratchpad;
+	struct query_info qinf;
+	struct reply_info rep;
+	char* s = (char*)sldns_buffer_begin(buf);
+	unsigned int flags, qdcount, security, an, ns, ar;
+	long long ttl;
+	size_t i;
+	int go_on = 1;
+
+	regional_free_all(region);
+
+	if(strncmp(s, "msg ", 4) != 0) {
+		log_warn("error expected msg but got %s", s);
+		return 0;
+	}
+	s += 4;
+	s = load_qinfo(s, &qinf, region);
+	if(!s) {
+		return 0;
+	}
+
+	/* read remainder of line */
+	if(sscanf(s, " %u %u " ARG_LL "d %u %u %u %u", &flags, &qdcount, &ttl, 
+		&security, &an, &ns, &ar) != 7) {
+		log_warn("error cannot parse numbers: %s", s);
+		return 0;
+	}
+	rep.flags = (uint16_t)flags;
+	rep.qdcount = (uint16_t)qdcount;
+	rep.ttl = (time_t)ttl;
+	rep.prefetch_ttl = PREFETCH_TTL_CALC(rep.ttl);
+	rep.security = (enum sec_status)security;
+	rep.an_numrrsets = (size_t)an;
+	rep.ns_numrrsets = (size_t)ns;
+	rep.ar_numrrsets = (size_t)ar;
+	rep.rrset_count = (size_t)an+(size_t)ns+(size_t)ar;
+	rep.rrsets = (struct ub_packed_rrset_key**)regional_alloc_zero(
+		region, sizeof(struct ub_packed_rrset_key*)*rep.rrset_count);
+
+	/* fill repinfo with references */
+	for(i=0; i<rep.rrset_count; i++) {
+		if(!load_ref(ssl, buf, worker, region, &rep.rrsets[i], 
+			&go_on)) {
+			return 0;
+		}
+	}
+
+	if(!go_on) 
+		return 1; /* skip this one, not all references satisfied */
+
+	if(!dns_cache_store(&worker->env, &qinf, &rep, 0, 0, 0, NULL)) {
+		log_warn("error out of memory");
+		return 0;
+	}
+	return 1;
+}
+
+/** load msg cache */
+static int
+load_msg_cache(SSL* ssl, struct worker* worker)
+{
+	sldns_buffer* buf = worker->env.scratch_buffer;
+	if(!read_fixed(ssl, buf, "START_MSG_CACHE")) return 0;
+	while(ssl_read_buf(ssl, buf) && 
+		strcmp((char*)sldns_buffer_begin(buf), "END_MSG_CACHE")!=0) {
+		if(!load_msg(ssl, buf, worker))
+			return 0;
+	}
+	return 1;
+}
+
+int
+load_cache(SSL* ssl, struct worker* worker)
+{
+	if(!load_rrset_cache(ssl, worker))
+		return 0;
+	if(!load_msg_cache(ssl, worker))
+		return 0;
+	return read_fixed(ssl, worker->env.scratch_buffer, "EOF");
+}
+
+/** print details on a delegation point */
+static void
+print_dp_details(SSL* ssl, struct worker* worker, struct delegpt* dp)
+{
+	char buf[257];
+	struct delegpt_addr* a;
+	int lame, dlame, rlame, rto, edns_vs, to, delay,
+		tA = 0, tAAAA = 0, tother = 0;
+	long long entry_ttl;
+	struct rtt_info ri;
+	uint8_t edns_lame_known;
+	for(a = dp->target_list; a; a = a->next_target) {
+		addr_to_str(&a->addr, a->addrlen, buf, sizeof(buf));
+		if(!ssl_printf(ssl, "%-16s\t", buf))
+			return;
+		if(a->bogus) {
+			if(!ssl_printf(ssl, "Address is BOGUS. ")) 
+				return;
+		}
+		/* lookup in infra cache */
+		delay=0;
+		entry_ttl = infra_get_host_rto(worker->env.infra_cache,
+			&a->addr, a->addrlen, dp->name, dp->namelen,
+			&ri, &delay, *worker->env.now, &tA, &tAAAA, &tother);
+		if(entry_ttl == -2 && ri.rto >= USEFUL_SERVER_TOP_TIMEOUT) {
+			if(!ssl_printf(ssl, "expired, rto %d msec, tA %d "
+				"tAAAA %d tother %d.\n", ri.rto, tA, tAAAA,
+				tother))
+				return;
+			continue;
+		}
+		if(entry_ttl == -1 || entry_ttl == -2) {
+			if(!ssl_printf(ssl, "not in infra cache.\n"))
+				return;
+			continue; /* skip stuff not in infra cache */
+		}
+
+		/* uses type_A because most often looked up, but other
+		 * lameness won't be reported then */
+		if(!infra_get_lame_rtt(worker->env.infra_cache, 
+			&a->addr, a->addrlen, dp->name, dp->namelen,
+			LDNS_RR_TYPE_A, &lame, &dlame, &rlame, &rto,
+			*worker->env.now)) {
+			if(!ssl_printf(ssl, "not in infra cache.\n"))
+				return;
+			continue; /* skip stuff not in infra cache */
+		}
+		if(!ssl_printf(ssl, "%s%s%s%srto %d msec, ttl " ARG_LL "d, "
+			"ping %d var %d rtt %d, tA %d, tAAAA %d, tother %d",
+			lame?"LAME ":"", dlame?"NoDNSSEC ":"",
+			a->lame?"AddrWasParentSide ":"",
+			rlame?"NoAuthButRecursive ":"", rto, entry_ttl,
+			ri.srtt, ri.rttvar, rtt_notimeout(&ri),
+			tA, tAAAA, tother))
+			return;
+		if(delay)
+			if(!ssl_printf(ssl, ", probedelay %d", delay))
+				return;
+		if(infra_host(worker->env.infra_cache, &a->addr, a->addrlen,
+			dp->name, dp->namelen, *worker->env.now, &edns_vs,
+			&edns_lame_known, &to)) {
+			if(edns_vs == -1) {
+				if(!ssl_printf(ssl, ", noEDNS%s.",
+					edns_lame_known?" probed":" assumed"))
+					return;
+			} else {
+				if(!ssl_printf(ssl, ", EDNS %d%s.", edns_vs,
+					edns_lame_known?" probed":" assumed"))
+					return;
+			}
+		}
+		if(!ssl_printf(ssl, "\n"))
+			return;
+	}
+}
+
+/** print main dp info */
+static void
+print_dp_main(SSL* ssl, struct delegpt* dp, struct dns_msg* msg)
+{
+	size_t i, n_ns, n_miss, n_addr, n_res, n_avail;
+
+	/* print the dp */
+	if(msg)
+	    for(i=0; i<msg->rep->rrset_count; i++) {
+		struct ub_packed_rrset_key* k = msg->rep->rrsets[i];
+		struct packed_rrset_data* d = 
+			(struct packed_rrset_data*)k->entry.data;
+		if(d->security == sec_status_bogus) {
+			if(!ssl_printf(ssl, "Address is BOGUS:\n"))
+				return;
+		}
+		if(!dump_rrset(ssl, k, d, 0))
+			return;
+	    }
+	delegpt_count_ns(dp, &n_ns, &n_miss);
+	delegpt_count_addr(dp, &n_addr, &n_res, &n_avail);
+	/* since dp has not been used by iterator, all are available*/
+	if(!ssl_printf(ssl, "Delegation with %d names, of which %d "
+		"can be examined to query further addresses.\n"
+		"%sIt provides %d IP addresses.\n", 
+		(int)n_ns, (int)n_miss, (dp->bogus?"It is BOGUS. ":""),
+		(int)n_addr))
+		return;
+}
+
+int print_deleg_lookup(SSL* ssl, struct worker* worker, uint8_t* nm,
+	size_t nmlen, int ATTR_UNUSED(nmlabs))
+{
+	/* deep links into the iterator module */
+	struct delegpt* dp;
+	struct dns_msg* msg;
+	struct regional* region = worker->scratchpad;
+	char b[260];
+	struct query_info qinfo;
+	struct iter_hints_stub* stub;
+	regional_free_all(region);
+	qinfo.qname = nm;
+	qinfo.qname_len = nmlen;
+	qinfo.qtype = LDNS_RR_TYPE_A;
+	qinfo.qclass = LDNS_RR_CLASS_IN;
+
+	dname_str(nm, b);
+	if(!ssl_printf(ssl, "The following name servers are used for lookup "
+		"of %s\n", b)) 
+		return 0;
+	
+	dp = forwards_lookup(worker->env.fwds, nm, qinfo.qclass);
+	if(dp) {
+		if(!ssl_printf(ssl, "forwarding request:\n"))
+			return 0;
+		print_dp_main(ssl, dp, NULL);
+		print_dp_details(ssl, worker, dp);
+		return 1;
+	}
+	
+	while(1) {
+		dp = dns_cache_find_delegation(&worker->env, nm, nmlen, 
+			qinfo.qtype, qinfo.qclass, region, &msg, 
+			*worker->env.now);
+		if(!dp) {
+			return ssl_printf(ssl, "no delegation from "
+				"cache; goes to configured roots\n");
+		}
+		/* go up? */
+		if(iter_dp_is_useless(&qinfo, BIT_RD, dp)) {
+			print_dp_main(ssl, dp, msg);
+			print_dp_details(ssl, worker, dp);
+			if(!ssl_printf(ssl, "cache delegation was "
+				"useless (no IP addresses)\n"))
+				return 0;
+			if(dname_is_root(nm)) {
+				/* goes to root config */
+				return ssl_printf(ssl, "no delegation from "
+					"cache; goes to configured roots\n");
+			} else {
+				/* useless, goes up */
+				nm = dp->name;
+				nmlen = dp->namelen;
+				dname_remove_label(&nm, &nmlen);
+				dname_str(nm, b);
+				if(!ssl_printf(ssl, "going up, lookup %s\n", b))
+					return 0;
+				continue;
+			}
+		} 
+		stub = hints_lookup_stub(worker->env.hints, nm, qinfo.qclass,
+			dp);
+		if(stub) {
+			if(stub->noprime) {
+				if(!ssl_printf(ssl, "The noprime stub servers "
+					"are used:\n"))
+					return 0;
+			} else {
+				if(!ssl_printf(ssl, "The stub is primed "
+						"with servers:\n"))
+					return 0;
+			}
+			print_dp_main(ssl, stub->dp, NULL);
+			print_dp_details(ssl, worker, stub->dp);
+		} else {
+			print_dp_main(ssl, dp, msg);
+			print_dp_details(ssl, worker, dp);
+		}
+		break;
+	}
+
+	return 1;
+}
diff --git a/external/unbound/daemon/cachedump.h b/external/unbound/daemon/cachedump.h
new file mode 100644
index 000000000..0f2feabcb
--- /dev/null
+++ b/external/unbound/daemon/cachedump.h
@@ -0,0 +1,107 @@
+/*
+ * daemon/cachedump.h - dump the cache to text format.
+ *
+ * Copyright (c) 2008, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains functions to read and write the cache(s)
+ * to text format.
+ *
+ * The format of the file is as follows:
+ * [RRset cache]
+ * [Message cache]
+ * EOF		-- fixed string "EOF" before end of the file.
+ *
+ * The RRset cache is:
+ * START_RRSET_CACHE
+ * [rrset]*
+ * END_RRSET_CACHE
+ *
+ * rrset is:
+ * ;rrset [nsec_apex] TTL rr_count rrsig_count trust security
+ * resource records, one per line, in zonefile format
+ * rrsig records, one per line, in zonefile format
+ * If the text conversion fails, BADRR is printed on the line.
+ *
+ * The Message cache is:
+ * START_MSG_CACHE
+ * [msg]*
+ * END_MSG_CACHE
+ *
+ * msg is:
+ * msg name class type flags qdcount ttl security an ns ar
+ * list of rrset references, one per line. If conversion fails, BADREF
+ * reference is:
+ * name class type flags
+ *
+ * Expired cache entries are not printed.
+ */
+
+#ifndef DAEMON_DUMPCACHE_H
+#define DAEMON_DUMPCACHE_H
+struct worker;
+
+/**
+ * Dump cache(s) to text
+ * @param ssl: to print to
+ * @param worker: worker that is available (buffers, etc) and has 
+ * 	ptrs to the caches.
+ * @return false on ssl print error.
+ */
+int dump_cache(SSL* ssl, struct worker* worker);
+
+/**
+ * Load cache(s) from text 
+ * @param ssl: to read from 
+ * @param worker: worker that is available (buffers, etc) and has 
+ * 	ptrs to the caches.
+ * @return false on ssl error.
+ */
+int load_cache(SSL* ssl, struct worker* worker);
+
+/**
+ * Print the delegation used to lookup for this name.
+ * @param ssl: to read from 
+ * @param worker: worker that is available (buffers, etc) and has 
+ * 	ptrs to the caches.
+ * @param nm: name to lookup
+ * @param nmlen: length of name.
+ * @param nmlabs: labels in name.
+ * @return false on ssl error.
+ */
+int print_deleg_lookup(SSL* ssl, struct worker* worker, uint8_t* nm,
+	size_t nmlen, int nmlabs);
+
+#endif /* DAEMON_DUMPCACHE_H */
diff --git a/external/unbound/daemon/daemon.c b/external/unbound/daemon/daemon.c
new file mode 100644
index 000000000..f693a0285
--- /dev/null
+++ b/external/unbound/daemon/daemon.c
@@ -0,0 +1,693 @@
+/*
+ * daemon/daemon.c - collection of workers that handles requests.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * The daemon consists of global settings and a number of workers.
+ */
+
+#include "config.h"
+#ifdef HAVE_OPENSSL_ERR_H
+#include <openssl/err.h>
+#endif
+
+#ifdef HAVE_OPENSSL_RAND_H
+#include <openssl/rand.h>
+#endif
+
+#ifdef HAVE_OPENSSL_CONF_H
+#include <openssl/conf.h>
+#endif
+
+#ifdef HAVE_OPENSSL_ENGINE_H
+#include <openssl/engine.h>
+#endif
+
+#ifdef HAVE_TIME_H
+#include <time.h>
+#endif
+#include <sys/time.h>
+
+#ifdef HAVE_NSS
+/* nss3 */
+#include "nss.h"
+#endif
+
+#include "daemon/daemon.h"
+#include "daemon/worker.h"
+#include "daemon/remote.h"
+#include "daemon/acl_list.h"
+#include "util/log.h"
+#include "util/config_file.h"
+#include "util/data/msgreply.h"
+#include "util/storage/lookup3.h"
+#include "util/storage/slabhash.h"
+#include "services/listen_dnsport.h"
+#include "services/cache/rrset.h"
+#include "services/cache/infra.h"
+#include "services/localzone.h"
+#include "services/modstack.h"
+#include "util/module.h"
+#include "util/random.h"
+#include "util/tube.h"
+#include "util/net_help.h"
+#include "ldns/keyraw.h"
+#include <signal.h>
+
+/** How many quit requests happened. */
+static int sig_record_quit = 0;
+/** How many reload requests happened. */
+static int sig_record_reload = 0;
+
+#if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
+/** cleaner ssl memory freeup */
+static void* comp_meth = NULL;
+#endif
+#ifdef LEX_HAS_YYLEX_DESTROY
+/** remove buffers for parsing and init */
+int ub_c_lex_destroy(void);
+#endif
+
+/** used when no other sighandling happens, so we don't die
+  * when multiple signals in quick succession are sent to us. 
+  * @param sig: signal number.
+  * @return signal handler return type (void or int).
+  */
+static RETSIGTYPE record_sigh(int sig)
+{
+#ifdef LIBEVENT_SIGNAL_PROBLEM
+	/* cannot log, verbose here because locks may be held */
+	/* quit on signal, no cleanup and statistics, 
+	   because installed libevent version is not threadsafe */
+	exit(0);
+#endif 
+	switch(sig)
+	{
+		case SIGTERM:
+#ifdef SIGQUIT
+		case SIGQUIT:
+#endif
+#ifdef SIGBREAK
+		case SIGBREAK:
+#endif
+		case SIGINT:
+			sig_record_quit++;
+			break;
+#ifdef SIGHUP
+		case SIGHUP:
+			sig_record_reload++;
+			break;
+#endif
+#ifdef SIGPIPE
+		case SIGPIPE:
+			break;
+#endif
+		default:
+			/* ignoring signal */
+			break;
+	}
+}
+
+/** 
+ * Signal handling during the time when netevent is disabled.
+ * Stores signals to replay later.
+ */
+static void
+signal_handling_record(void)
+{
+	if( signal(SIGTERM, record_sigh) == SIG_ERR ||
+#ifdef SIGQUIT
+		signal(SIGQUIT, record_sigh) == SIG_ERR ||
+#endif
+#ifdef SIGBREAK
+		signal(SIGBREAK, record_sigh) == SIG_ERR ||
+#endif
+#ifdef SIGHUP
+		signal(SIGHUP, record_sigh) == SIG_ERR ||
+#endif
+#ifdef SIGPIPE
+		signal(SIGPIPE, SIG_IGN) == SIG_ERR ||
+#endif
+		signal(SIGINT, record_sigh) == SIG_ERR
+		)
+		log_err("install sighandler: %s", strerror(errno));
+}
+
+/**
+ * Replay old signals.
+ * @param wrk: worker that handles signals.
+ */
+static void
+signal_handling_playback(struct worker* wrk)
+{
+#ifdef SIGHUP
+	if(sig_record_reload)
+		worker_sighandler(SIGHUP, wrk);
+#endif
+	if(sig_record_quit)
+		worker_sighandler(SIGTERM, wrk);
+	sig_record_quit = 0;
+	sig_record_reload = 0;
+}
+
+struct daemon* 
+daemon_init(void)
+{
+	struct daemon* daemon = (struct daemon*)calloc(1, 
+		sizeof(struct daemon));
+#ifdef USE_WINSOCK
+	int r;
+	WSADATA wsa_data;
+#endif
+	if(!daemon)
+		return NULL;
+#ifdef USE_WINSOCK
+	r = WSAStartup(MAKEWORD(2,2), &wsa_data);
+	if(r != 0) {
+		fatal_exit("could not init winsock. WSAStartup: %s",
+			wsa_strerror(r));
+	}
+#endif /* USE_WINSOCK */
+	signal_handling_record();
+	checklock_start();
+#ifdef HAVE_SSL
+	ERR_load_crypto_strings();
+	ERR_load_SSL_strings();
+#  ifdef HAVE_OPENSSL_CONFIG
+	OPENSSL_config("unbound");
+#  endif
+#  ifdef USE_GOST
+	(void)sldns_key_EVP_load_gost_id();
+#  endif
+	OpenSSL_add_all_algorithms();
+#  if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS
+	/* grab the COMP method ptr because openssl leaks it */
+	comp_meth = (void*)SSL_COMP_get_compression_methods();
+#  endif
+	(void)SSL_library_init();
+#  if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+	if(!ub_openssl_lock_init())
+		fatal_exit("could not init openssl locks");
+#  endif
+#elif defined(HAVE_NSS)
+	if(NSS_NoDB_Init(NULL) != SECSuccess)
+		fatal_exit("could not init NSS");
+#endif /* HAVE_SSL or HAVE_NSS */
+#ifdef HAVE_TZSET
+	/* init timezone info while we are not chrooted yet */
+	tzset();
+#endif
+	/* open /dev/random if needed */
+	ub_systemseed((unsigned)time(NULL)^(unsigned)getpid()^0xe67);
+	daemon->need_to_exit = 0;
+	modstack_init(&daemon->mods);
+	if(!(daemon->env = (struct module_env*)calloc(1, 
+		sizeof(*daemon->env)))) {
+		free(daemon);
+		return NULL;
+	}
+	alloc_init(&daemon->superalloc, NULL, 0);
+	daemon->acl = acl_list_create();
+	if(!daemon->acl) {
+		free(daemon->env);
+		free(daemon);
+		return NULL;
+	}
+	if(gettimeofday(&daemon->time_boot, NULL) < 0)
+		log_err("gettimeofday: %s", strerror(errno));
+	daemon->time_last_stat = daemon->time_boot;
+	return daemon;	
+}
+
+int 
+daemon_open_shared_ports(struct daemon* daemon)
+{
+	log_assert(daemon);
+	if(daemon->cfg->port != daemon->listening_port) {
+		size_t i;
+		struct listen_port* p0;
+		daemon->reuseport = 0;
+		/* free and close old ports */
+		if(daemon->ports != NULL) {
+			for(i=0; i<daemon->num_ports; i++)
+				listening_ports_free(daemon->ports[i]);
+			free(daemon->ports);
+			daemon->ports = NULL;
+		}
+		/* see if we want to reuseport */
+#ifdef SO_REUSEPORT
+		if(daemon->cfg->so_reuseport && daemon->cfg->num_threads > 0)
+			daemon->reuseport = 1;
+#endif
+		/* try to use reuseport */
+		p0 = listening_ports_open(daemon->cfg, &daemon->reuseport);
+		if(!p0) {
+			listening_ports_free(p0);
+			return 0;
+		}
+		if(daemon->reuseport) {
+			/* reuseport was successful, allocate for it */
+			daemon->num_ports = (size_t)daemon->cfg->num_threads;
+		} else {
+			/* do the normal, singleportslist thing,
+			 * reuseport not enabled or did not work */
+			daemon->num_ports = 1;
+		}
+		if(!(daemon->ports = (struct listen_port**)calloc(
+			daemon->num_ports, sizeof(*daemon->ports)))) {
+			listening_ports_free(p0);
+			return 0;
+		}
+		daemon->ports[0] = p0;
+		if(daemon->reuseport) {
+			/* continue to use reuseport */
+			for(i=1; i<daemon->num_ports; i++) {
+				if(!(daemon->ports[i]=
+					listening_ports_open(daemon->cfg,
+						&daemon->reuseport))
+					|| !daemon->reuseport ) {
+					for(i=0; i<daemon->num_ports; i++)
+						listening_ports_free(daemon->ports[i]);
+					free(daemon->ports);
+					daemon->ports = NULL;
+					return 0;
+				}
+			}
+		}
+		daemon->listening_port = daemon->cfg->port;
+	}
+	if(!daemon->cfg->remote_control_enable && daemon->rc_port) {
+		listening_ports_free(daemon->rc_ports);
+		daemon->rc_ports = NULL;
+		daemon->rc_port = 0;
+	}
+	if(daemon->cfg->remote_control_enable && 
+		daemon->cfg->control_port != daemon->rc_port) {
+		listening_ports_free(daemon->rc_ports);
+		if(!(daemon->rc_ports=daemon_remote_open_ports(daemon->cfg)))
+			return 0;
+		daemon->rc_port = daemon->cfg->control_port;
+	}
+	return 1;
+}
+
+/**
+ * Setup modules. setup module stack.
+ * @param daemon: the daemon
+ */
+static void daemon_setup_modules(struct daemon* daemon)
+{
+	daemon->env->cfg = daemon->cfg;
+	daemon->env->alloc = &daemon->superalloc;
+	daemon->env->worker = NULL;
+	daemon->env->need_to_validate = 0; /* set by module init below */
+	if(!modstack_setup(&daemon->mods, daemon->cfg->module_conf, 
+		daemon->env)) {
+		fatal_exit("failed to setup modules");
+	}
+}
+
+/**
+ * Obtain allowed port numbers, concatenate the list, and shuffle them
+ * (ready to be handed out to threads).
+ * @param daemon: the daemon. Uses rand and cfg.
+ * @param shufport: the portlist output.
+ * @return number of ports available.
+ */
+static int daemon_get_shufport(struct daemon* daemon, int* shufport)
+{
+	int i, n, k, temp;
+	int avail = 0;
+	for(i=0; i<65536; i++) {
+		if(daemon->cfg->outgoing_avail_ports[i]) {
+			shufport[avail++] = daemon->cfg->
+				outgoing_avail_ports[i];
+		}
+	}
+	if(avail == 0)
+		fatal_exit("no ports are permitted for UDP, add "
+			"with outgoing-port-permit");
+        /* Knuth shuffle */
+	n = avail;
+	while(--n > 0) {
+		k = ub_random_max(daemon->rand, n+1); /* 0<= k<= n */
+		temp = shufport[k];
+		shufport[k] = shufport[n];
+		shufport[n] = temp;
+	}
+	return avail;
+}
+
+/**
+ * Allocate empty worker structures. With backptr and thread-number,
+ * from 0..numthread initialised. Used as user arguments to new threads.
+ * Creates the daemon random generator if it does not exist yet.
+ * The random generator stays existing between reloads with a unique state.
+ * @param daemon: the daemon with (new) config settings.
+ */
+static void 
+daemon_create_workers(struct daemon* daemon)
+{
+	int i, numport;
+	int* shufport;
+	log_assert(daemon && daemon->cfg);
+	if(!daemon->rand) {
+		unsigned int seed = (unsigned int)time(NULL) ^ 
+			(unsigned int)getpid() ^ 0x438;
+		daemon->rand = ub_initstate(seed, NULL);
+		if(!daemon->rand)
+			fatal_exit("could not init random generator");
+	}
+	hash_set_raninit((uint32_t)ub_random(daemon->rand));
+	shufport = (int*)calloc(65536, sizeof(int));
+	if(!shufport)
+		fatal_exit("out of memory during daemon init");
+	numport = daemon_get_shufport(daemon, shufport);
+	verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
+	
+	daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
+	daemon->workers = (struct worker**)calloc((size_t)daemon->num, 
+		sizeof(struct worker*));
+	if(daemon->cfg->dnstap) {
+#ifdef USE_DNSTAP
+		daemon->dtenv = dt_create(daemon->cfg->dnstap_socket_path,
+			(unsigned int)daemon->num);
+		if (!daemon->dtenv)
+			fatal_exit("dt_create failed");
+		dt_apply_cfg(daemon->dtenv, daemon->cfg);
+#else
+		fatal_exit("dnstap enabled in config but not built with dnstap support");
+#endif
+	}
+	for(i=0; i<daemon->num; i++) {
+		if(!(daemon->workers[i] = worker_create(daemon, i,
+			shufport+numport*i/daemon->num, 
+			numport*(i+1)/daemon->num - numport*i/daemon->num)))
+			/* the above is not ports/numthr, due to rounding */
+			fatal_exit("could not create worker");
+	}
+	free(shufport);
+}
+
+#ifdef THREADS_DISABLED
+/**
+ * Close all pipes except for the numbered thread.
+ * @param daemon: daemon to close pipes in.
+ * @param thr: thread number 0..num-1 of thread to skip.
+ */
+static void close_other_pipes(struct daemon* daemon, int thr)
+{
+	int i;
+	for(i=0; i<daemon->num; i++)
+		if(i!=thr) {
+			if(i==0) {
+				/* only close read part, need to write stats */
+				tube_close_read(daemon->workers[i]->cmd);
+			} else {
+				/* complete close channel to others */
+				tube_delete(daemon->workers[i]->cmd);
+				daemon->workers[i]->cmd = NULL;
+			}
+		}
+}
+#endif /* THREADS_DISABLED */
+
+/**
+ * Function to start one thread. 
+ * @param arg: user argument.
+ * @return: void* user return value could be used for thread_join results.
+ */
+static void* 
+thread_start(void* arg)
+{
+	struct worker* worker = (struct worker*)arg;
+	int port_num = 0;
+	log_thread_set(&worker->thread_num);
+	ub_thread_blocksigs();
+#ifdef THREADS_DISABLED
+	/* close pipe ends used by main */
+	tube_close_write(worker->cmd);
+	close_other_pipes(worker->daemon, worker->thread_num);
+#endif
+#ifdef SO_REUSEPORT
+	if(worker->daemon->cfg->so_reuseport)
+		port_num = worker->thread_num;
+	else
+		port_num = 0;
+#endif
+	if(!worker_init(worker, worker->daemon->cfg,
+			worker->daemon->ports[port_num], 0))
+		fatal_exit("Could not initialize thread");
+
+	worker_work(worker);
+	return NULL;
+}
+
+/**
+ * Fork and init the other threads. Main thread returns for special handling.
+ * @param daemon: the daemon with other threads to fork.
+ */
+static void
+daemon_start_others(struct daemon* daemon)
+{
+	int i;
+	log_assert(daemon);
+	verbose(VERB_ALGO, "start threads");
+	/* skip i=0, is this thread */
+	for(i=1; i<daemon->num; i++) {
+		ub_thread_create(&daemon->workers[i]->thr_id,
+			thread_start, daemon->workers[i]);
+#ifdef THREADS_DISABLED
+		/* close pipe end of child */
+		tube_close_read(daemon->workers[i]->cmd);
+#endif /* no threads */
+	}
+}
+
+/**
+ * Stop the other threads.
+ * @param daemon: the daemon with other threads.
+ */
+static void
+daemon_stop_others(struct daemon* daemon)
+{
+	int i;
+	log_assert(daemon);
+	verbose(VERB_ALGO, "stop threads");
+	/* skip i=0, is this thread */
+	/* use i=0 buffer for sending cmds; because we are #0 */
+	for(i=1; i<daemon->num; i++) {
+		worker_send_cmd(daemon->workers[i], worker_cmd_quit);
+	}
+	/* wait for them to quit */
+	for(i=1; i<daemon->num; i++) {
+		/* join it to make sure its dead */
+		verbose(VERB_ALGO, "join %d", i);
+		ub_thread_join(daemon->workers[i]->thr_id);
+		verbose(VERB_ALGO, "join success %d", i);
+	}
+}
+
+void 
+daemon_fork(struct daemon* daemon)
+{
+	log_assert(daemon);
+	if(!acl_list_apply_cfg(daemon->acl, daemon->cfg))
+		fatal_exit("Could not setup access control list");
+	if(!(daemon->local_zones = local_zones_create()))
+		fatal_exit("Could not create local zones: out of memory");
+	if(!local_zones_apply_cfg(daemon->local_zones, daemon->cfg))
+		fatal_exit("Could not set up local zones");
+
+	/* setup modules */
+	daemon_setup_modules(daemon);
+
+	/* first create all the worker structures, so we can pass
+	 * them to the newly created threads. 
+	 */
+	daemon_create_workers(daemon);
+
+#if defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)
+	/* in libev the first inited base gets signals */
+	if(!worker_init(daemon->workers[0], daemon->cfg, daemon->ports[0], 1))
+		fatal_exit("Could not initialize main thread");
+#endif
+	
+	/* Now create the threads and init the workers.
+	 * By the way, this is thread #0 (the main thread).
+	 */
+	daemon_start_others(daemon);
+
+	/* Special handling for the main thread. This is the thread
+	 * that handles signals and remote control.
+	 */
+#if !(defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP))
+	/* libevent has the last inited base get signals (or any base) */
+	if(!worker_init(daemon->workers[0], daemon->cfg, daemon->ports[0], 1))
+		fatal_exit("Could not initialize main thread");
+#endif
+	signal_handling_playback(daemon->workers[0]);
+
+	/* Start resolver service on main thread. */
+	log_info("start of service (%s).", PACKAGE_STRING);
+	worker_work(daemon->workers[0]);
+	log_info("service stopped (%s).", PACKAGE_STRING);
+
+	/* we exited! a signal happened! Stop other threads */
+	daemon_stop_others(daemon);
+
+	daemon->need_to_exit = daemon->workers[0]->need_to_exit;
+}
+
+void 
+daemon_cleanup(struct daemon* daemon)
+{
+	int i;
+	log_assert(daemon);
+	/* before stopping main worker, handle signals ourselves, so we
+	   don't die on multiple reload signals for example. */
+	signal_handling_record();
+	log_thread_set(NULL);
+	/* clean up caches because
+	 * a) RRset IDs will be recycled after a reload, causing collisions
+	 * b) validation config can change, thus rrset, msg, keycache clear 
+	 * The infra cache is kept, the timing and edns info is still valid */
+	slabhash_clear(&daemon->env->rrset_cache->table);
+	slabhash_clear(daemon->env->msg_cache);
+	local_zones_delete(daemon->local_zones);
+	daemon->local_zones = NULL;
+	/* key cache is cleared by module desetup during next daemon_init() */
+	daemon_remote_clear(daemon->rc);
+	for(i=0; i<daemon->num; i++)
+		worker_delete(daemon->workers[i]);
+	free(daemon->workers);
+	daemon->workers = NULL;
+	daemon->num = 0;
+#ifdef USE_DNSTAP
+	dt_delete(daemon->dtenv);
+#endif
+	daemon->cfg = NULL;
+}
+
+void 
+daemon_delete(struct daemon* daemon)
+{
+	size_t i;
+	if(!daemon)
+		return;
+	modstack_desetup(&daemon->mods, daemon->env);
+	daemon_remote_delete(daemon->rc);
+	for(i = 0; i < daemon->num_ports; i++)
+		listening_ports_free(daemon->ports[i]);
+	free(daemon->ports);
+	listening_ports_free(daemon->rc_ports);
+	if(daemon->env) {
+		slabhash_delete(daemon->env->msg_cache);
+		rrset_cache_delete(daemon->env->rrset_cache);
+		infra_delete(daemon->env->infra_cache);
+	}
+	ub_randfree(daemon->rand);
+	alloc_clear(&daemon->superalloc);
+	acl_list_delete(daemon->acl);
+	free(daemon->chroot);
+	free(daemon->pidfile);
+	free(daemon->env);
+#ifdef HAVE_SSL
+	SSL_CTX_free((SSL_CTX*)daemon->listen_sslctx);
+	SSL_CTX_free((SSL_CTX*)daemon->connect_sslctx);
+#endif
+	free(daemon);
+#ifdef LEX_HAS_YYLEX_DESTROY
+	/* lex cleanup */
+	ub_c_lex_destroy();
+#endif
+	/* libcrypto cleanup */
+#ifdef HAVE_SSL
+#  if defined(USE_GOST) && defined(HAVE_LDNS_KEY_EVP_UNLOAD_GOST)
+	sldns_key_EVP_unload_gost();
+#  endif
+#  if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS && HAVE_DECL_SK_SSL_COMP_POP_FREE
+#    ifndef S_SPLINT_S
+	sk_SSL_COMP_pop_free(comp_meth, (void(*)())CRYPTO_free);
+#    endif
+#  endif
+#  ifdef HAVE_OPENSSL_CONFIG
+	EVP_cleanup();
+	ENGINE_cleanup();
+	CONF_modules_free();
+#  endif
+	CRYPTO_cleanup_all_ex_data(); /* safe, no more threads right now */
+	ERR_remove_state(0);
+	ERR_free_strings();
+	RAND_cleanup();
+#  if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED)
+	ub_openssl_lock_delete();
+#  endif
+#elif defined(HAVE_NSS)
+	NSS_Shutdown();
+#endif /* HAVE_SSL or HAVE_NSS */
+	checklock_stop();
+#ifdef USE_WINSOCK
+	if(WSACleanup() != 0) {
+		log_err("Could not WSACleanup: %s", 
+			wsa_strerror(WSAGetLastError()));
+	}
+#endif
+}
+
+void daemon_apply_cfg(struct daemon* daemon, struct config_file* cfg)
+{
+        daemon->cfg = cfg;
+	config_apply(cfg);
+	if(!daemon->env->msg_cache ||
+	   cfg->msg_cache_size != slabhash_get_size(daemon->env->msg_cache) ||
+	   cfg->msg_cache_slabs != daemon->env->msg_cache->size) {
+		slabhash_delete(daemon->env->msg_cache);
+		daemon->env->msg_cache = slabhash_create(cfg->msg_cache_slabs,
+			HASH_DEFAULT_STARTARRAY, cfg->msg_cache_size,
+			msgreply_sizefunc, query_info_compare,
+			query_entry_delete, reply_info_delete, NULL);
+		if(!daemon->env->msg_cache) {
+			fatal_exit("malloc failure updating config settings");
+		}
+	}
+	if((daemon->env->rrset_cache = rrset_cache_adjust(
+		daemon->env->rrset_cache, cfg, &daemon->superalloc)) == 0)
+		fatal_exit("malloc failure updating config settings");
+	if((daemon->env->infra_cache = infra_adjust(daemon->env->infra_cache,
+		cfg))==0)
+		fatal_exit("malloc failure updating config settings");
+}
diff --git a/external/unbound/daemon/daemon.h b/external/unbound/daemon/daemon.h
new file mode 100644
index 000000000..86ddab1df
--- /dev/null
+++ b/external/unbound/daemon/daemon.h
@@ -0,0 +1,164 @@
+/*
+ * daemon/daemon.h - collection of workers that handles requests.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * The daemon consists of global settings and a number of workers.
+ */
+
+#ifndef DAEMON_H
+#define DAEMON_H
+
+#include "util/locks.h"
+#include "util/alloc.h"
+#include "services/modstack.h"
+#ifdef UB_ON_WINDOWS
+#  include "util/winsock_event.h"
+#endif
+struct config_file;
+struct worker;
+struct listen_port;
+struct slabhash;
+struct module_env;
+struct rrset_cache;
+struct acl_list;
+struct local_zones;
+struct ub_randstate;
+struct daemon_remote;
+
+#include "dnstap/dnstap_config.h"
+#ifdef USE_DNSTAP
+struct dt_env;
+#endif
+
+/**
+ * Structure holding worker list.
+ * Holds globally visible information.
+ */
+struct daemon {
+	/** The config settings */
+	struct config_file* cfg;
+	/** the chroot dir in use, NULL if none */
+	char* chroot;
+	/** pidfile that is used */
+	char* pidfile;
+	/** port number that has ports opened. */
+	int listening_port;
+	/** array of listening ports, opened.  Listening ports per worker,
+	 * or just one element[0] shared by the worker threads. */
+	struct listen_port** ports;
+	/** size of ports array */
+	size_t num_ports;
+	/** reuseport is enabled if true */
+	int reuseport;
+	/** port number for remote that has ports opened. */
+	int rc_port;
+	/** listening ports for remote control */
+	struct listen_port* rc_ports;
+	/** remote control connections management (for first worker) */
+	struct daemon_remote* rc;
+	/** ssl context for listening to dnstcp over ssl, and connecting ssl */
+	void* listen_sslctx, *connect_sslctx;
+	/** num threads allocated */
+	int num;
+	/** the worker entries */
+	struct worker** workers;
+	/** do we need to exit unbound (or is it only a reload?) */
+	int need_to_exit;
+	/** master random table ; used for port div between threads on reload*/
+	struct ub_randstate* rand;
+	/** master allocation cache */
+	struct alloc_cache superalloc;
+	/** the module environment master value, copied and changed by threads*/
+	struct module_env* env;
+	/** stack of module callbacks */
+	struct module_stack mods;
+	/** access control, which client IPs are allowed to connect */
+	struct acl_list* acl;
+	/** local authority zones */
+	struct local_zones* local_zones;
+	/** last time of statistics printout */
+	struct timeval time_last_stat;
+	/** time when daemon started */
+	struct timeval time_boot;
+#ifdef USE_DNSTAP
+	/** the dnstap environment master value, copied and changed by threads*/
+	struct dt_env* dtenv;
+#endif
+};
+
+/**
+ * Initialize daemon structure.
+ * @return: The daemon structure, or NULL on error.
+ */
+struct daemon* daemon_init(void);
+
+/**
+ * Open shared listening ports (if needed).
+ * The cfg member pointer must have been set for the daemon.
+ * @param daemon: the daemon.
+ * @return: false on error.
+ */
+int daemon_open_shared_ports(struct daemon* daemon);
+
+/**
+ * Fork workers and start service.
+ * When the routine exits, it is no longer forked.
+ * @param daemon: the daemon.
+ */
+void daemon_fork(struct daemon* daemon);
+
+/**
+ * Close off the worker thread information.
+ * Bring the daemon back into state ready for daemon_fork again.
+ * @param daemon: the daemon.
+ */
+void daemon_cleanup(struct daemon* daemon);
+
+/**
+ * Delete workers, close listening ports.
+ * @param daemon: the daemon.
+ */
+void daemon_delete(struct daemon* daemon);
+
+/**
+ * Apply config settings.
+ * @param daemon: the daemon.
+ * @param cfg: new config settings.
+ */
+void daemon_apply_cfg(struct daemon* daemon, struct config_file* cfg);
+
+#endif /* DAEMON_H */
diff --git a/external/unbound/daemon/remote.c b/external/unbound/daemon/remote.c
new file mode 100644
index 000000000..100aa8be1
--- /dev/null
+++ b/external/unbound/daemon/remote.c
@@ -0,0 +1,2449 @@
+/*
+ * daemon/remote.c - remote control for the unbound daemon.
+ *
+ * Copyright (c) 2008, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains the remote control functionality for the daemon.
+ * The remote control can be performed using either the commandline
+ * unbound-control tool, or a SSLv3/TLS capable web browser. 
+ * The channel is secured using SSLv3 or TLSv1, and certificates.
+ * Both the server and the client(control tool) have their own keys.
+ */
+#include "config.h"
+#ifdef HAVE_OPENSSL_ERR_H
+#include <openssl/err.h>
+#endif
+#include <ctype.h>
+#include "daemon/remote.h"
+#include "daemon/worker.h"
+#include "daemon/daemon.h"
+#include "daemon/stats.h"
+#include "daemon/cachedump.h"
+#include "util/log.h"
+#include "util/config_file.h"
+#include "util/net_help.h"
+#include "util/module.h"
+#include "services/listen_dnsport.h"
+#include "services/cache/rrset.h"
+#include "services/cache/infra.h"
+#include "services/mesh.h"
+#include "services/localzone.h"
+#include "util/storage/slabhash.h"
+#include "util/fptr_wlist.h"
+#include "util/data/dname.h"
+#include "validator/validator.h"
+#include "validator/val_kcache.h"
+#include "validator/val_kentry.h"
+#include "validator/val_anchor.h"
+#include "iterator/iterator.h"
+#include "iterator/iter_fwd.h"
+#include "iterator/iter_hints.h"
+#include "iterator/iter_delegpt.h"
+#include "services/outbound_list.h"
+#include "services/outside_network.h"
+#include "ldns/str2wire.h"
+#include "ldns/parseutil.h"
+#include "ldns/wire2str.h"
+#include "ldns/sbuffer.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#  include <sys/types.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+/* just for portability */
+#ifdef SQ
+#undef SQ
+#endif
+
+/** what to put on statistics lines between var and value, ": " or "=" */
+#define SQ "="
+/** if true, inhibits a lot of =0 lines from the stats output */
+static const int inhibit_zero = 1;
+
+/** subtract timers and the values do not overflow or become negative */
+static void
+timeval_subtract(struct timeval* d, const struct timeval* end, 
+	const struct timeval* start)
+{
+#ifndef S_SPLINT_S
+	time_t end_usec = end->tv_usec;
+	d->tv_sec = end->tv_sec - start->tv_sec;
+	if(end_usec < start->tv_usec) {
+		end_usec += 1000000;
+		d->tv_sec--;
+	}
+	d->tv_usec = end_usec - start->tv_usec;
+#endif
+}
+
+/** divide sum of timers to get average */
+static void
+timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
+{
+#ifndef S_SPLINT_S
+	size_t leftover;
+	if(d == 0) {
+		avg->tv_sec = 0;
+		avg->tv_usec = 0;
+		return;
+	}
+	avg->tv_sec = sum->tv_sec / d;
+	avg->tv_usec = sum->tv_usec / d;
+	/* handle fraction from seconds divide */
+	leftover = sum->tv_sec - avg->tv_sec*d;
+	avg->tv_usec += (leftover*1000000)/d;
+#endif
+}
+
+struct daemon_remote*
+daemon_remote_create(struct config_file* cfg)
+{
+	char* s_cert;
+	char* s_key;
+	struct daemon_remote* rc = (struct daemon_remote*)calloc(1, 
+		sizeof(*rc));
+	if(!rc) {
+		log_err("out of memory in daemon_remote_create");
+		return NULL;
+	}
+	rc->max_active = 10;
+
+	if(!cfg->remote_control_enable) {
+		rc->ctx = NULL;
+		return rc;
+	}
+	rc->ctx = SSL_CTX_new(SSLv23_server_method());
+	if(!rc->ctx) {
+		log_crypto_err("could not SSL_CTX_new");
+		free(rc);
+		return NULL;
+	}
+	/* no SSLv2 because has defects */
+	if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
+		log_crypto_err("could not set SSL_OP_NO_SSLv2");
+		daemon_remote_delete(rc);
+		return NULL;
+	}
+	s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1);
+	s_key = fname_after_chroot(cfg->server_key_file, cfg, 1);
+	if(!s_cert || !s_key) {
+		log_err("out of memory in remote control fname");
+		goto setup_error;
+	}
+	verbose(VERB_ALGO, "setup SSL certificates");
+	if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) {
+		log_err("Error for server-cert-file: %s", s_cert);
+		log_crypto_err("Error in SSL_CTX use_certificate_file");
+		goto setup_error;
+	}
+	if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) {
+		log_err("Error for server-key-file: %s", s_key);
+		log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
+		goto setup_error;
+	}
+	if(!SSL_CTX_check_private_key(rc->ctx)) {
+		log_err("Error for server-key-file: %s", s_key);
+		log_crypto_err("Error in SSL_CTX check_private_key");
+		goto setup_error;
+	}
+	if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) {
+		log_crypto_err("Error setting up SSL_CTX verify locations");
+	setup_error:
+		free(s_cert);
+		free(s_key);
+		daemon_remote_delete(rc);
+		return NULL;
+	}
+	SSL_CTX_set_client_CA_list(rc->ctx, SSL_load_client_CA_file(s_cert));
+	SSL_CTX_set_verify(rc->ctx, SSL_VERIFY_PEER, NULL);
+	free(s_cert);
+	free(s_key);
+
+	return rc;
+}
+
+void daemon_remote_clear(struct daemon_remote* rc)
+{
+	struct rc_state* p, *np;
+	if(!rc) return;
+	/* but do not close the ports */
+	listen_list_delete(rc->accept_list);
+	rc->accept_list = NULL;
+	/* do close these sockets */
+	p = rc->busy_list;
+	while(p) {
+		np = p->next;
+		if(p->ssl)
+			SSL_free(p->ssl);
+		comm_point_delete(p->c);
+		free(p);
+		p = np;
+	}
+	rc->busy_list = NULL;
+	rc->active = 0;
+	rc->worker = NULL;
+}
+
+void daemon_remote_delete(struct daemon_remote* rc)
+{
+	if(!rc) return;
+	daemon_remote_clear(rc);
+	if(rc->ctx) {
+		SSL_CTX_free(rc->ctx);
+	}
+	free(rc);
+}
+
+/**
+ * Add and open a new control port
+ * @param ip: ip str
+ * @param nr: port nr
+ * @param list: list head
+ * @param noproto_is_err: if lack of protocol support is an error.
+ * @return false on failure.
+ */
+static int
+add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err)
+{
+	struct addrinfo hints;
+	struct addrinfo* res;
+	struct listen_port* n;
+	int noproto;
+	int fd, r;
+	char port[15];
+	snprintf(port, sizeof(port), "%d", nr);
+	port[sizeof(port)-1]=0;
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+	if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) {
+#ifdef USE_WINSOCK
+		if(!noproto_is_err && r == EAI_NONAME) {
+			/* tried to lookup the address as name */
+			return 1; /* return success, but do nothing */
+		}
+#endif /* USE_WINSOCK */
+                log_err("control interface %s:%s getaddrinfo: %s %s",
+			ip?ip:"default", port, gai_strerror(r),
+#ifdef EAI_SYSTEM
+			r==EAI_SYSTEM?(char*)strerror(errno):""
+#else
+			""
+#endif
+			);
+		return 0;
+	}
+
+	/* open fd */
+	fd = create_tcp_accept_sock(res, 1, &noproto, 0);
+	freeaddrinfo(res);
+	if(fd == -1 && noproto) {
+		if(!noproto_is_err)
+			return 1; /* return success, but do nothing */
+		log_err("cannot open control interface %s %d : "
+			"protocol not supported", ip, nr);
+		return 0;
+	}
+	if(fd == -1) {
+		log_err("cannot open control interface %s %d", ip, nr);
+		return 0;
+	}
+
+	/* alloc */
+	n = (struct listen_port*)calloc(1, sizeof(*n));
+	if(!n) {
+#ifndef USE_WINSOCK
+		close(fd);
+#else
+		closesocket(fd);
+#endif
+		log_err("out of memory");
+		return 0;
+	}
+	n->next = *list;
+	*list = n;
+	n->fd = fd;
+	return 1;
+}
+
+struct listen_port* daemon_remote_open_ports(struct config_file* cfg)
+{
+	struct listen_port* l = NULL;
+	log_assert(cfg->remote_control_enable && cfg->control_port);
+	if(cfg->control_ifs) {
+		struct config_strlist* p;
+		for(p = cfg->control_ifs; p; p = p->next) {
+			if(!add_open(p->str, cfg->control_port, &l, 1)) {
+				listening_ports_free(l);
+				return NULL;
+			}
+		}
+	} else {
+		/* defaults */
+		if(cfg->do_ip6 &&
+			!add_open("::1", cfg->control_port, &l, 0)) {
+			listening_ports_free(l);
+			return NULL;
+		}
+		if(cfg->do_ip4 &&
+			!add_open("127.0.0.1", cfg->control_port, &l, 1)) {
+			listening_ports_free(l);
+			return NULL;
+		}
+	}
+	return l;
+}
+
+/** open accept commpoint */
+static int
+accept_open(struct daemon_remote* rc, int fd)
+{
+	struct listen_list* n = (struct listen_list*)malloc(sizeof(*n));
+	if(!n) {
+		log_err("out of memory");
+		return 0;
+	}
+	n->next = rc->accept_list;
+	rc->accept_list = n;
+	/* open commpt */
+	n->com = comm_point_create_raw(rc->worker->base, fd, 0, 
+		&remote_accept_callback, rc);
+	if(!n->com)
+		return 0;
+	/* keep this port open, its fd is kept in the rc portlist */
+	n->com->do_not_close = 1;
+	return 1;
+}
+
+int daemon_remote_open_accept(struct daemon_remote* rc, 
+	struct listen_port* ports, struct worker* worker)
+{
+	struct listen_port* p;
+	rc->worker = worker;
+	for(p = ports; p; p = p->next) {
+		if(!accept_open(rc, p->fd)) {
+			log_err("could not create accept comm point");
+			return 0;
+		}
+	}
+	return 1;
+}
+
+void daemon_remote_stop_accept(struct daemon_remote* rc)
+{
+	struct listen_list* p;
+	for(p=rc->accept_list; p; p=p->next) {
+		comm_point_stop_listening(p->com);	
+	}
+}
+
+void daemon_remote_start_accept(struct daemon_remote* rc)
+{
+	struct listen_list* p;
+	for(p=rc->accept_list; p; p=p->next) {
+		comm_point_start_listening(p->com, -1, -1);	
+	}
+}
+
+int remote_accept_callback(struct comm_point* c, void* arg, int err, 
+	struct comm_reply* ATTR_UNUSED(rep))
+{
+	struct daemon_remote* rc = (struct daemon_remote*)arg;
+	struct sockaddr_storage addr;
+	socklen_t addrlen;
+	int newfd;
+	struct rc_state* n;
+	if(err != NETEVENT_NOERROR) {
+		log_err("error %d on remote_accept_callback", err);
+		return 0;
+	}
+	/* perform the accept */
+	newfd = comm_point_perform_accept(c, &addr, &addrlen);
+	if(newfd == -1)
+		return 0;
+	/* create new commpoint unless we are servicing already */
+	if(rc->active >= rc->max_active) {
+		log_warn("drop incoming remote control: too many connections");
+	close_exit:
+#ifndef USE_WINSOCK
+		close(newfd);
+#else
+		closesocket(newfd);
+#endif
+		return 0;
+	}
+
+	/* setup commpoint to service the remote control command */
+	n = (struct rc_state*)calloc(1, sizeof(*n));
+	if(!n) {
+		log_err("out of memory");
+		goto close_exit;
+	}
+	/* start in reading state */
+	n->c = comm_point_create_raw(rc->worker->base, newfd, 0, 
+		&remote_control_callback, n);
+	if(!n->c) {
+		log_err("out of memory");
+		free(n);
+		goto close_exit;
+	}
+	log_addr(VERB_QUERY, "new control connection from", &addr, addrlen);
+	n->c->do_not_close = 0;
+	comm_point_stop_listening(n->c);
+	comm_point_start_listening(n->c, -1, REMOTE_CONTROL_TCP_TIMEOUT);
+	memcpy(&n->c->repinfo.addr, &addr, addrlen);
+	n->c->repinfo.addrlen = addrlen;
+	n->shake_state = rc_hs_read;
+	n->ssl = SSL_new(rc->ctx);
+	if(!n->ssl) {
+		log_crypto_err("could not SSL_new");
+		comm_point_delete(n->c);
+		free(n);
+		goto close_exit;
+	}
+	SSL_set_accept_state(n->ssl);
+        (void)SSL_set_mode(n->ssl, SSL_MODE_AUTO_RETRY);
+	if(!SSL_set_fd(n->ssl, newfd)) {
+		log_crypto_err("could not SSL_set_fd");
+		SSL_free(n->ssl);
+		comm_point_delete(n->c);
+		free(n);
+		goto close_exit;
+	}
+
+	n->rc = rc;
+	n->next = rc->busy_list;
+	rc->busy_list = n;
+	rc->active ++;
+
+	/* perform the first nonblocking read already, for windows, 
+	 * so it can return wouldblock. could be faster too. */
+	(void)remote_control_callback(n->c, n, NETEVENT_NOERROR, NULL);
+	return 0;
+}
+
+/** delete from list */
+static void
+state_list_remove_elem(struct rc_state** list, struct comm_point* c)
+{
+	while(*list) {
+		if( (*list)->c == c) {
+			*list = (*list)->next;
+			return;
+		}
+		list = &(*list)->next;
+	}
+}
+
+/** decrease active count and remove commpoint from busy list */
+static void
+clean_point(struct daemon_remote* rc, struct rc_state* s)
+{
+	state_list_remove_elem(&rc->busy_list, s->c);
+	rc->active --;
+	if(s->ssl) {
+		SSL_shutdown(s->ssl);
+		SSL_free(s->ssl);
+	}
+	comm_point_delete(s->c);
+	free(s);
+}
+
+int
+ssl_print_text(SSL* ssl, const char* text)
+{
+	int r;
+	if(!ssl) 
+		return 0;
+	ERR_clear_error();
+	if((r=SSL_write(ssl, text, (int)strlen(text))) <= 0) {
+		if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) {
+			verbose(VERB_QUERY, "warning, in SSL_write, peer "
+				"closed connection");
+			return 0;
+		}
+		log_crypto_err("could not SSL_write");
+		return 0;
+	}
+	return 1;
+}
+
+/** print text over the ssl connection */
+static int
+ssl_print_vmsg(SSL* ssl, const char* format, va_list args)
+{
+	char msg[1024];
+	vsnprintf(msg, sizeof(msg), format, args);
+	return ssl_print_text(ssl, msg);
+}
+
+/** printf style printing to the ssl connection */
+int ssl_printf(SSL* ssl, const char* format, ...)
+{
+	va_list args;
+	int ret;
+	va_start(args, format);
+	ret = ssl_print_vmsg(ssl, format, args);
+	va_end(args);
+	return ret;
+}
+
+int
+ssl_read_line(SSL* ssl, char* buf, size_t max)
+{
+	int r;
+	size_t len = 0;
+	if(!ssl)
+		return 0;
+	while(len < max) {
+		ERR_clear_error();
+		if((r=SSL_read(ssl, buf+len, 1)) <= 0) {
+			if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) {
+				buf[len] = 0;
+				return 1;
+			}
+			log_crypto_err("could not SSL_read");
+			return 0;
+		}
+		if(buf[len] == '\n') {
+			/* return string without \n */
+			buf[len] = 0;
+			return 1;
+		}
+		len++;
+	}
+	buf[max-1] = 0;
+	log_err("control line too long (%d): %s", (int)max, buf);
+	return 0;
+}
+
+/** skip whitespace, return new pointer into string */
+static char*
+skipwhite(char* str)
+{
+	/* EOS \0 is not a space */
+	while( isspace(*str) ) 
+		str++;
+	return str;
+}
+
+/** send the OK to the control client */
+static void send_ok(SSL* ssl)
+{
+	(void)ssl_printf(ssl, "ok\n");
+}
+
+/** do the stop command */
+static void
+do_stop(SSL* ssl, struct daemon_remote* rc)
+{
+	rc->worker->need_to_exit = 1;
+	comm_base_exit(rc->worker->base);
+	send_ok(ssl);
+}
+
+/** do the reload command */
+static void
+do_reload(SSL* ssl, struct daemon_remote* rc)
+{
+	rc->worker->need_to_exit = 0;
+	comm_base_exit(rc->worker->base);
+	send_ok(ssl);
+}
+
+/** do the verbosity command */
+static void
+do_verbosity(SSL* ssl, char* str)
+{
+	int val = atoi(str);
+	if(val == 0 && strcmp(str, "0") != 0) {
+		ssl_printf(ssl, "error in verbosity number syntax: %s\n", str);
+		return;
+	}
+	verbosity = val;
+	send_ok(ssl);
+}
+
+/** print stats from statinfo */
+static int
+print_stats(SSL* ssl, const char* nm, struct stats_info* s)
+{
+	struct timeval avg;
+	if(!ssl_printf(ssl, "%s.num.queries"SQ"%lu\n", nm, 
+		(unsigned long)s->svr.num_queries)) return 0;
+	if(!ssl_printf(ssl, "%s.num.cachehits"SQ"%lu\n", nm, 
+		(unsigned long)(s->svr.num_queries 
+			- s->svr.num_queries_missed_cache))) return 0;
+	if(!ssl_printf(ssl, "%s.num.cachemiss"SQ"%lu\n", nm, 
+		(unsigned long)s->svr.num_queries_missed_cache)) return 0;
+	if(!ssl_printf(ssl, "%s.num.prefetch"SQ"%lu\n", nm, 
+		(unsigned long)s->svr.num_queries_prefetch)) return 0;
+	if(!ssl_printf(ssl, "%s.num.recursivereplies"SQ"%lu\n", nm, 
+		(unsigned long)s->mesh_replies_sent)) return 0;
+	if(!ssl_printf(ssl, "%s.requestlist.avg"SQ"%g\n", nm,
+		(s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)?
+			(double)s->svr.sum_query_list_size/
+			(s->svr.num_queries_missed_cache+
+			s->svr.num_queries_prefetch) : 0.0)) return 0;
+	if(!ssl_printf(ssl, "%s.requestlist.max"SQ"%lu\n", nm,
+		(unsigned long)s->svr.max_query_list_size)) return 0;
+	if(!ssl_printf(ssl, "%s.requestlist.overwritten"SQ"%lu\n", nm,
+		(unsigned long)s->mesh_jostled)) return 0;
+	if(!ssl_printf(ssl, "%s.requestlist.exceeded"SQ"%lu\n", nm,
+		(unsigned long)s->mesh_dropped)) return 0;
+	if(!ssl_printf(ssl, "%s.requestlist.current.all"SQ"%lu\n", nm,
+		(unsigned long)s->mesh_num_states)) return 0;
+	if(!ssl_printf(ssl, "%s.requestlist.current.user"SQ"%lu\n", nm,
+		(unsigned long)s->mesh_num_reply_states)) return 0;
+	timeval_divide(&avg, &s->mesh_replies_sum_wait, s->mesh_replies_sent);
+	if(!ssl_printf(ssl, "%s.recursion.time.avg"SQ ARG_LL "d.%6.6d\n", nm,
+		(long long)avg.tv_sec, (int)avg.tv_usec)) return 0;
+	if(!ssl_printf(ssl, "%s.recursion.time.median"SQ"%g\n", nm, 
+		s->mesh_time_median)) return 0;
+	return 1;
+}
+
+/** print stats for one thread */
+static int
+print_thread_stats(SSL* ssl, int i, struct stats_info* s)
+{
+	char nm[16];
+	snprintf(nm, sizeof(nm), "thread%d", i);
+	nm[sizeof(nm)-1]=0;
+	return print_stats(ssl, nm, s);
+}
+
+/** print long number */
+static int
+print_longnum(SSL* ssl, const char* desc, size_t x)
+{
+	if(x > 1024*1024*1024) {
+		/* more than a Gb */
+		size_t front = x / (size_t)1000000;
+		size_t back = x % (size_t)1000000;
+		return ssl_printf(ssl, "%s%u%6.6u\n", desc, 
+			(unsigned)front, (unsigned)back);
+	} else {
+		return ssl_printf(ssl, "%s%lu\n", desc, (unsigned long)x);
+	}
+}
+
+/** print mem stats */
+static int
+print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
+{
+	int m;
+	size_t msg, rrset, val, iter;
+#ifdef HAVE_SBRK
+	extern void* unbound_start_brk;
+	void* cur = sbrk(0);
+	if(!print_longnum(ssl, "mem.total.sbrk"SQ, 
+		(size_t)((char*)cur - (char*)unbound_start_brk))) return 0;
+#endif /* HAVE_SBRK */
+	msg = slabhash_get_mem(daemon->env->msg_cache);
+	rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
+	val=0;
+	iter=0;
+	m = modstack_find(&worker->env.mesh->mods, "validator");
+	if(m != -1) {
+		fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
+			mods.mod[m]->get_mem));
+		val = (*worker->env.mesh->mods.mod[m]->get_mem)
+			(&worker->env, m);
+	}
+	m = modstack_find(&worker->env.mesh->mods, "iterator");
+	if(m != -1) {
+		fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
+			mods.mod[m]->get_mem));
+		iter = (*worker->env.mesh->mods.mod[m]->get_mem)
+			(&worker->env, m);
+	}
+
+	if(!print_longnum(ssl, "mem.cache.rrset"SQ, rrset))
+		return 0;
+	if(!print_longnum(ssl, "mem.cache.message"SQ, msg))
+		return 0;
+	if(!print_longnum(ssl, "mem.mod.iterator"SQ, iter))
+		return 0;
+	if(!print_longnum(ssl, "mem.mod.validator"SQ, val))
+		return 0;
+	return 1;
+}
+
+/** print uptime stats */
+static int
+print_uptime(SSL* ssl, struct worker* worker, int reset)
+{
+	struct timeval now = *worker->env.now_tv;
+	struct timeval up, dt;
+	timeval_subtract(&up, &now, &worker->daemon->time_boot);
+	timeval_subtract(&dt, &now, &worker->daemon->time_last_stat);
+	if(reset)
+		worker->daemon->time_last_stat = now;
+	if(!ssl_printf(ssl, "time.now"SQ ARG_LL "d.%6.6d\n", 
+		(long long)now.tv_sec, (unsigned)now.tv_usec)) return 0;
+	if(!ssl_printf(ssl, "time.up"SQ ARG_LL "d.%6.6d\n", 
+		(long long)up.tv_sec, (unsigned)up.tv_usec)) return 0;
+	if(!ssl_printf(ssl, "time.elapsed"SQ ARG_LL "d.%6.6d\n", 
+		(long long)dt.tv_sec, (unsigned)dt.tv_usec)) return 0;
+	return 1;
+}
+
+/** print extended histogram */
+static int
+print_hist(SSL* ssl, struct stats_info* s)
+{
+	struct timehist* hist;
+	size_t i;
+	hist = timehist_setup();
+	if(!hist) {
+		log_err("out of memory");
+		return 0;
+	}
+	timehist_import(hist, s->svr.hist, NUM_BUCKETS_HIST);
+	for(i=0; i<hist->num; i++) {
+		if(!ssl_printf(ssl, 
+			"histogram.%6.6d.%6.6d.to.%6.6d.%6.6d=%lu\n",
+			(int)hist->buckets[i].lower.tv_sec,
+			(int)hist->buckets[i].lower.tv_usec,
+			(int)hist->buckets[i].upper.tv_sec,
+			(int)hist->buckets[i].upper.tv_usec,
+			(unsigned long)hist->buckets[i].count)) {
+			timehist_delete(hist);
+			return 0;
+		}
+	}
+	timehist_delete(hist);
+	return 1;
+}
+
+/** print extended stats */
+static int
+print_ext(SSL* ssl, struct stats_info* s)
+{
+	int i;
+	char nm[16];
+	const sldns_rr_descriptor* desc;
+	const sldns_lookup_table* lt;
+	/* TYPE */
+	for(i=0; i<STATS_QTYPE_NUM; i++) {
+		if(inhibit_zero && s->svr.qtype[i] == 0)
+			continue;
+		desc = sldns_rr_descript((uint16_t)i);
+		if(desc && desc->_name) {
+			snprintf(nm, sizeof(nm), "%s", desc->_name);
+		} else if (i == LDNS_RR_TYPE_IXFR) {
+			snprintf(nm, sizeof(nm), "IXFR");
+		} else if (i == LDNS_RR_TYPE_AXFR) {
+			snprintf(nm, sizeof(nm), "AXFR");
+		} else if (i == LDNS_RR_TYPE_MAILA) {
+			snprintf(nm, sizeof(nm), "MAILA");
+		} else if (i == LDNS_RR_TYPE_MAILB) {
+			snprintf(nm, sizeof(nm), "MAILB");
+		} else if (i == LDNS_RR_TYPE_ANY) {
+			snprintf(nm, sizeof(nm), "ANY");
+		} else {
+			snprintf(nm, sizeof(nm), "TYPE%d", i);
+		}
+		if(!ssl_printf(ssl, "num.query.type.%s"SQ"%lu\n", 
+			nm, (unsigned long)s->svr.qtype[i])) return 0;
+	}
+	if(!inhibit_zero || s->svr.qtype_big) {
+		if(!ssl_printf(ssl, "num.query.type.other"SQ"%lu\n", 
+			(unsigned long)s->svr.qtype_big)) return 0;
+	}
+	/* CLASS */
+	for(i=0; i<STATS_QCLASS_NUM; i++) {
+		if(inhibit_zero && s->svr.qclass[i] == 0)
+			continue;
+		lt = sldns_lookup_by_id(sldns_rr_classes, i);
+		if(lt && lt->name) {
+			snprintf(nm, sizeof(nm), "%s", lt->name);
+		} else {
+			snprintf(nm, sizeof(nm), "CLASS%d", i);
+		}
+		if(!ssl_printf(ssl, "num.query.class.%s"SQ"%lu\n", 
+			nm, (unsigned long)s->svr.qclass[i])) return 0;
+	}
+	if(!inhibit_zero || s->svr.qclass_big) {
+		if(!ssl_printf(ssl, "num.query.class.other"SQ"%lu\n", 
+			(unsigned long)s->svr.qclass_big)) return 0;
+	}
+	/* OPCODE */
+	for(i=0; i<STATS_OPCODE_NUM; i++) {
+		if(inhibit_zero && s->svr.qopcode[i] == 0)
+			continue;
+		lt = sldns_lookup_by_id(sldns_opcodes, i);
+		if(lt && lt->name) {
+			snprintf(nm, sizeof(nm), "%s", lt->name);
+		} else {
+			snprintf(nm, sizeof(nm), "OPCODE%d", i);
+		}
+		if(!ssl_printf(ssl, "num.query.opcode.%s"SQ"%lu\n", 
+			nm, (unsigned long)s->svr.qopcode[i])) return 0;
+	}
+	/* transport */
+	if(!ssl_printf(ssl, "num.query.tcp"SQ"%lu\n", 
+		(unsigned long)s->svr.qtcp)) return 0;
+	if(!ssl_printf(ssl, "num.query.tcpout"SQ"%lu\n", 
+		(unsigned long)s->svr.qtcp_outgoing)) return 0;
+	if(!ssl_printf(ssl, "num.query.ipv6"SQ"%lu\n", 
+		(unsigned long)s->svr.qipv6)) return 0;
+	/* flags */
+	if(!ssl_printf(ssl, "num.query.flags.QR"SQ"%lu\n", 
+		(unsigned long)s->svr.qbit_QR)) return 0;
+	if(!ssl_printf(ssl, "num.query.flags.AA"SQ"%lu\n", 
+		(unsigned long)s->svr.qbit_AA)) return 0;
+	if(!ssl_printf(ssl, "num.query.flags.TC"SQ"%lu\n", 
+		(unsigned long)s->svr.qbit_TC)) return 0;
+	if(!ssl_printf(ssl, "num.query.flags.RD"SQ"%lu\n", 
+		(unsigned long)s->svr.qbit_RD)) return 0;
+	if(!ssl_printf(ssl, "num.query.flags.RA"SQ"%lu\n", 
+		(unsigned long)s->svr.qbit_RA)) return 0;
+	if(!ssl_printf(ssl, "num.query.flags.Z"SQ"%lu\n", 
+		(unsigned long)s->svr.qbit_Z)) return 0;
+	if(!ssl_printf(ssl, "num.query.flags.AD"SQ"%lu\n", 
+		(unsigned long)s->svr.qbit_AD)) return 0;
+	if(!ssl_printf(ssl, "num.query.flags.CD"SQ"%lu\n", 
+		(unsigned long)s->svr.qbit_CD)) return 0;
+	if(!ssl_printf(ssl, "num.query.edns.present"SQ"%lu\n", 
+		(unsigned long)s->svr.qEDNS)) return 0;
+	if(!ssl_printf(ssl, "num.query.edns.DO"SQ"%lu\n", 
+		(unsigned long)s->svr.qEDNS_DO)) return 0;
+
+	/* RCODE */
+	for(i=0; i<STATS_RCODE_NUM; i++) {
+		if(inhibit_zero && s->svr.ans_rcode[i] == 0)
+			continue;
+		lt = sldns_lookup_by_id(sldns_rcodes, i);
+		if(lt && lt->name) {
+			snprintf(nm, sizeof(nm), "%s", lt->name);
+		} else {
+			snprintf(nm, sizeof(nm), "RCODE%d", i);
+		}
+		if(!ssl_printf(ssl, "num.answer.rcode.%s"SQ"%lu\n", 
+			nm, (unsigned long)s->svr.ans_rcode[i])) return 0;
+	}
+	if(!inhibit_zero || s->svr.ans_rcode_nodata) {
+		if(!ssl_printf(ssl, "num.answer.rcode.nodata"SQ"%lu\n", 
+			(unsigned long)s->svr.ans_rcode_nodata)) return 0;
+	}
+	/* validation */
+	if(!ssl_printf(ssl, "num.answer.secure"SQ"%lu\n", 
+		(unsigned long)s->svr.ans_secure)) return 0;
+	if(!ssl_printf(ssl, "num.answer.bogus"SQ"%lu\n", 
+		(unsigned long)s->svr.ans_bogus)) return 0;
+	if(!ssl_printf(ssl, "num.rrset.bogus"SQ"%lu\n", 
+		(unsigned long)s->svr.rrset_bogus)) return 0;
+	/* threat detection */
+	if(!ssl_printf(ssl, "unwanted.queries"SQ"%lu\n", 
+		(unsigned long)s->svr.unwanted_queries)) return 0;
+	if(!ssl_printf(ssl, "unwanted.replies"SQ"%lu\n", 
+		(unsigned long)s->svr.unwanted_replies)) return 0;
+	/* cache counts */
+	if(!ssl_printf(ssl, "msg.cache.count"SQ"%u\n",
+		(unsigned)s->svr.msg_cache_count)) return 0;
+	if(!ssl_printf(ssl, "rrset.cache.count"SQ"%u\n",
+		(unsigned)s->svr.rrset_cache_count)) return 0;
+	if(!ssl_printf(ssl, "infra.cache.count"SQ"%u\n",
+		(unsigned)s->svr.infra_cache_count)) return 0;
+	if(!ssl_printf(ssl, "key.cache.count"SQ"%u\n",
+		(unsigned)s->svr.key_cache_count)) return 0;
+	return 1;
+}
+
+/** do the stats command */
+static void
+do_stats(SSL* ssl, struct daemon_remote* rc, int reset)
+{
+	struct daemon* daemon = rc->worker->daemon;
+	struct stats_info total;
+	struct stats_info s;
+	int i;
+	log_assert(daemon->num > 0);
+	/* gather all thread statistics in one place */
+	for(i=0; i<daemon->num; i++) {
+		server_stats_obtain(rc->worker, daemon->workers[i], &s, reset);
+		if(!print_thread_stats(ssl, i, &s))
+			return;
+		if(i == 0)
+			total = s;
+		else	server_stats_add(&total, &s);
+	}
+	/* print the thread statistics */
+	total.mesh_time_median /= (double)daemon->num;
+	if(!print_stats(ssl, "total", &total)) 
+		return;
+	if(!print_uptime(ssl, rc->worker, reset))
+		return;
+	if(daemon->cfg->stat_extended) {
+		if(!print_mem(ssl, rc->worker, daemon)) 
+			return;
+		if(!print_hist(ssl, &total))
+			return;
+		if(!print_ext(ssl, &total))
+			return;
+	}
+}
+
+/** parse commandline argument domain name */
+static int
+parse_arg_name(SSL* ssl, char* str, uint8_t** res, size_t* len, int* labs)
+{
+	uint8_t nm[LDNS_MAX_DOMAINLEN+1];
+	size_t nmlen = sizeof(nm);
+	int status;
+	*res = NULL;
+	*len = 0;
+	*labs = 0;
+	status = sldns_str2wire_dname_buf(str, nm, &nmlen);
+	if(status != 0) {
+		ssl_printf(ssl, "error cannot parse name %s at %d: %s\n", str,
+			LDNS_WIREPARSE_OFFSET(status),
+			sldns_get_errorstr_parse(status));
+		return 0;
+	}
+	*res = memdup(nm, nmlen);
+	if(!*res) {
+		ssl_printf(ssl, "error out of memory\n");
+		return 0;
+	}
+	*labs = dname_count_size_labels(*res, len);
+	return 1;
+}
+
+/** find second argument, modifies string */
+static int
+find_arg2(SSL* ssl, char* arg, char** arg2)
+{
+	char* as = strchr(arg, ' ');
+	char* at = strchr(arg, '\t');
+	if(as && at) {
+		if(at < as)
+			as = at;
+		as[0]=0;
+		*arg2 = skipwhite(as+1);
+	} else if(as) {
+		as[0]=0;
+		*arg2 = skipwhite(as+1);
+	} else if(at) {
+		at[0]=0;
+		*arg2 = skipwhite(at+1);
+	} else {
+		ssl_printf(ssl, "error could not find next argument "
+			"after %s\n", arg);
+		return 0;
+	}
+	return 1;
+}
+
+/** Add a new zone */
+static void
+do_zone_add(SSL* ssl, struct worker* worker, char* arg)
+{
+	uint8_t* nm;
+	int nmlabs;
+	size_t nmlen;
+	char* arg2;
+	enum localzone_type t;
+	struct local_zone* z;
+	if(!find_arg2(ssl, arg, &arg2))
+		return;
+	if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
+		return;
+	if(!local_zone_str2type(arg2, &t)) {
+		ssl_printf(ssl, "error not a zone type. %s\n", arg2);
+		free(nm);
+		return;
+	}
+	lock_rw_wrlock(&worker->daemon->local_zones->lock);
+	if((z=local_zones_find(worker->daemon->local_zones, nm, nmlen, 
+		nmlabs, LDNS_RR_CLASS_IN))) {
+		/* already present in tree */
+		lock_rw_wrlock(&z->lock);
+		z->type = t; /* update type anyway */
+		lock_rw_unlock(&z->lock);
+		free(nm);
+		lock_rw_unlock(&worker->daemon->local_zones->lock);
+		send_ok(ssl);
+		return;
+	}
+	if(!local_zones_add_zone(worker->daemon->local_zones, nm, nmlen, 
+		nmlabs, LDNS_RR_CLASS_IN, t)) {
+		lock_rw_unlock(&worker->daemon->local_zones->lock);
+		ssl_printf(ssl, "error out of memory\n");
+		return;
+	}
+	lock_rw_unlock(&worker->daemon->local_zones->lock);
+	send_ok(ssl);
+}
+
+/** Remove a zone */
+static void
+do_zone_remove(SSL* ssl, struct worker* worker, char* arg)
+{
+	uint8_t* nm;
+	int nmlabs;
+	size_t nmlen;
+	struct local_zone* z;
+	if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
+		return;
+	lock_rw_wrlock(&worker->daemon->local_zones->lock);
+	if((z=local_zones_find(worker->daemon->local_zones, nm, nmlen, 
+		nmlabs, LDNS_RR_CLASS_IN))) {
+		/* present in tree */
+		local_zones_del_zone(worker->daemon->local_zones, z);
+	}
+	lock_rw_unlock(&worker->daemon->local_zones->lock);
+	free(nm);
+	send_ok(ssl);
+}
+
+/** Add new RR data */
+static void
+do_data_add(SSL* ssl, struct worker* worker, char* arg)
+{
+	if(!local_zones_add_RR(worker->daemon->local_zones, arg)) {
+		ssl_printf(ssl,"error in syntax or out of memory, %s\n", arg);
+		return;
+	}
+	send_ok(ssl);
+}
+
+/** Remove RR data */
+static void
+do_data_remove(SSL* ssl, struct worker* worker, char* arg)
+{
+	uint8_t* nm;
+	int nmlabs;
+	size_t nmlen;
+	if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
+		return;
+	local_zones_del_data(worker->daemon->local_zones, nm,
+		nmlen, nmlabs, LDNS_RR_CLASS_IN);
+	free(nm);
+	send_ok(ssl);
+}
+
+/** cache lookup of nameservers */
+static void
+do_lookup(SSL* ssl, struct worker* worker, char* arg)
+{
+	uint8_t* nm;
+	int nmlabs;
+	size_t nmlen;
+	if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
+		return;
+	(void)print_deleg_lookup(ssl, worker, nm, nmlen, nmlabs);
+	free(nm);
+}
+
+/** flush something from rrset and msg caches */
+static void
+do_cache_remove(struct worker* worker, uint8_t* nm, size_t nmlen,
+	uint16_t t, uint16_t c)
+{
+	hashvalue_t h;
+	struct query_info k;
+	rrset_cache_remove(worker->env.rrset_cache, nm, nmlen, t, c, 0);
+	if(t == LDNS_RR_TYPE_SOA)
+		rrset_cache_remove(worker->env.rrset_cache, nm, nmlen, t, c,
+			PACKED_RRSET_SOA_NEG);
+	k.qname = nm;
+	k.qname_len = nmlen;
+	k.qtype = t;
+	k.qclass = c;
+	h = query_info_hash(&k);
+	slabhash_remove(worker->env.msg_cache, h, &k);
+}
+
+/** flush a type */
+static void
+do_flush_type(SSL* ssl, struct worker* worker, char* arg)
+{
+	uint8_t* nm;
+	int nmlabs;
+	size_t nmlen;
+	char* arg2;
+	uint16_t t;
+	if(!find_arg2(ssl, arg, &arg2))
+		return;
+	if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
+		return;
+	t = sldns_get_rr_type_by_name(arg2);
+	do_cache_remove(worker, nm, nmlen, t, LDNS_RR_CLASS_IN);
+	
+	free(nm);
+	send_ok(ssl);
+}
+
+/** flush statistics */
+static void
+do_flush_stats(SSL* ssl, struct worker* worker)
+{
+	worker_stats_clear(worker);
+	send_ok(ssl);
+}
+
+/**
+ * Local info for deletion functions
+ */
+struct del_info {
+	/** worker */
+	struct worker* worker;
+	/** name to delete */
+	uint8_t* name;
+	/** length */
+	size_t len;
+	/** labels */
+	int labs;
+	/** now */
+	time_t now;
+	/** time to invalidate to */
+	time_t expired;
+	/** number of rrsets removed */
+	size_t num_rrsets;
+	/** number of msgs removed */
+	size_t num_msgs;
+	/** number of key entries removed */
+	size_t num_keys;
+	/** length of addr */
+	socklen_t addrlen;
+	/** socket address for host deletion */
+	struct sockaddr_storage addr;
+};
+
+/** callback to delete hosts in infra cache */
+static void
+infra_del_host(struct lruhash_entry* e, void* arg)
+{
+	/* entry is locked */
+	struct del_info* inf = (struct del_info*)arg;
+	struct infra_key* k = (struct infra_key*)e->key;
+	if(sockaddr_cmp(&inf->addr, inf->addrlen, &k->addr, k->addrlen) == 0) {
+		struct infra_data* d = (struct infra_data*)e->data;
+		d->probedelay = 0;
+		d->timeout_A = 0;
+		d->timeout_AAAA = 0;
+		d->timeout_other = 0;
+		rtt_init(&d->rtt);
+		if(d->ttl >= inf->now) {
+			d->ttl = inf->expired;
+			inf->num_keys++;
+		}
+	}
+}
+
+/** flush infra cache */
+static void
+do_flush_infra(SSL* ssl, struct worker* worker, char* arg)
+{
+	struct sockaddr_storage addr;
+	socklen_t len;
+	struct del_info inf;
+	if(strcmp(arg, "all") == 0) {
+		slabhash_clear(worker->env.infra_cache->hosts);
+		send_ok(ssl);
+		return;
+	}
+	if(!ipstrtoaddr(arg, UNBOUND_DNS_PORT, &addr, &len)) {
+		(void)ssl_printf(ssl, "error parsing ip addr: '%s'\n", arg);
+		return;
+	}
+	/* delete all entries from cache */
+	/* what we do is to set them all expired */
+	inf.worker = worker;
+	inf.name = 0;
+	inf.len = 0;
+	inf.labs = 0;
+	inf.now = *worker->env.now;
+	inf.expired = *worker->env.now;
+	inf.expired -= 3; /* handle 3 seconds skew between threads */
+	inf.num_rrsets = 0;
+	inf.num_msgs = 0;
+	inf.num_keys = 0;
+	inf.addrlen = len;
+	memmove(&inf.addr, &addr, len);
+	slabhash_traverse(worker->env.infra_cache->hosts, 1, &infra_del_host,
+		&inf);
+	send_ok(ssl);
+}
+
+/** flush requestlist */
+static void
+do_flush_requestlist(SSL* ssl, struct worker* worker)
+{
+	mesh_delete_all(worker->env.mesh);
+	send_ok(ssl);
+}
+
+/** callback to delete rrsets in a zone */
+static void
+zone_del_rrset(struct lruhash_entry* e, void* arg)
+{
+	/* entry is locked */
+	struct del_info* inf = (struct del_info*)arg;
+	struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key;
+	if(dname_subdomain_c(k->rk.dname, inf->name)) {
+		struct packed_rrset_data* d = 
+			(struct packed_rrset_data*)e->data;
+		if(d->ttl >= inf->now) {
+			d->ttl = inf->expired;
+			inf->num_rrsets++;
+		}
+	}
+}
+
+/** callback to delete messages in a zone */
+static void
+zone_del_msg(struct lruhash_entry* e, void* arg)
+{
+	/* entry is locked */
+	struct del_info* inf = (struct del_info*)arg;
+	struct msgreply_entry* k = (struct msgreply_entry*)e->key;
+	if(dname_subdomain_c(k->key.qname, inf->name)) {
+		struct reply_info* d = (struct reply_info*)e->data;
+		if(d->ttl >= inf->now) {
+			d->ttl = inf->expired;
+			inf->num_msgs++;
+		}
+	}
+}
+
+/** callback to delete keys in zone */
+static void
+zone_del_kcache(struct lruhash_entry* e, void* arg)
+{
+	/* entry is locked */
+	struct del_info* inf = (struct del_info*)arg;
+	struct key_entry_key* k = (struct key_entry_key*)e->key;
+	if(dname_subdomain_c(k->name, inf->name)) {
+		struct key_entry_data* d = (struct key_entry_data*)e->data;
+		if(d->ttl >= inf->now) {
+			d->ttl = inf->expired;
+			inf->num_keys++;
+		}
+	}
+}
+
+/** remove all rrsets and keys from zone from cache */
+static void
+do_flush_zone(SSL* ssl, struct worker* worker, char* arg)
+{
+	uint8_t* nm;
+	int nmlabs;
+	size_t nmlen;
+	struct del_info inf;
+	if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
+		return;
+	/* delete all RRs and key entries from zone */
+	/* what we do is to set them all expired */
+	inf.worker = worker;
+	inf.name = nm;
+	inf.len = nmlen;
+	inf.labs = nmlabs;
+	inf.now = *worker->env.now;
+	inf.expired = *worker->env.now;
+	inf.expired -= 3; /* handle 3 seconds skew between threads */
+	inf.num_rrsets = 0;
+	inf.num_msgs = 0;
+	inf.num_keys = 0;
+	slabhash_traverse(&worker->env.rrset_cache->table, 1, 
+		&zone_del_rrset, &inf);
+
+	slabhash_traverse(worker->env.msg_cache, 1, &zone_del_msg, &inf);
+
+	/* and validator cache */
+	if(worker->env.key_cache) {
+		slabhash_traverse(worker->env.key_cache->slab, 1, 
+			&zone_del_kcache, &inf);
+	}
+
+	free(nm);
+
+	(void)ssl_printf(ssl, "ok removed %lu rrsets, %lu messages "
+		"and %lu key entries\n", (unsigned long)inf.num_rrsets, 
+		(unsigned long)inf.num_msgs, (unsigned long)inf.num_keys);
+}
+
+/** callback to delete bogus rrsets */
+static void
+bogus_del_rrset(struct lruhash_entry* e, void* arg)
+{
+	/* entry is locked */
+	struct del_info* inf = (struct del_info*)arg;
+	struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
+	if(d->security == sec_status_bogus) {
+		d->ttl = inf->expired;
+		inf->num_rrsets++;
+	}
+}
+
+/** callback to delete bogus messages */
+static void
+bogus_del_msg(struct lruhash_entry* e, void* arg)
+{
+	/* entry is locked */
+	struct del_info* inf = (struct del_info*)arg;
+	struct reply_info* d = (struct reply_info*)e->data;
+	if(d->security == sec_status_bogus) {
+		d->ttl = inf->expired;
+		inf->num_msgs++;
+	}
+}
+
+/** callback to delete bogus keys */
+static void
+bogus_del_kcache(struct lruhash_entry* e, void* arg)
+{
+	/* entry is locked */
+	struct del_info* inf = (struct del_info*)arg;
+	struct key_entry_data* d = (struct key_entry_data*)e->data;
+	if(d->isbad) {
+		d->ttl = inf->expired;
+		inf->num_keys++;
+	}
+}
+
+/** remove all bogus rrsets, msgs and keys from cache */
+static void
+do_flush_bogus(SSL* ssl, struct worker* worker)
+{
+	struct del_info inf;
+	/* what we do is to set them all expired */
+	inf.worker = worker;
+	inf.now = *worker->env.now;
+	inf.expired = *worker->env.now;
+	inf.expired -= 3; /* handle 3 seconds skew between threads */
+	inf.num_rrsets = 0;
+	inf.num_msgs = 0;
+	inf.num_keys = 0;
+	slabhash_traverse(&worker->env.rrset_cache->table, 1, 
+		&bogus_del_rrset, &inf);
+
+	slabhash_traverse(worker->env.msg_cache, 1, &bogus_del_msg, &inf);
+
+	/* and validator cache */
+	if(worker->env.key_cache) {
+		slabhash_traverse(worker->env.key_cache->slab, 1, 
+			&bogus_del_kcache, &inf);
+	}
+
+	(void)ssl_printf(ssl, "ok removed %lu rrsets, %lu messages "
+		"and %lu key entries\n", (unsigned long)inf.num_rrsets, 
+		(unsigned long)inf.num_msgs, (unsigned long)inf.num_keys);
+}
+
+/** callback to delete negative and servfail rrsets */
+static void
+negative_del_rrset(struct lruhash_entry* e, void* arg)
+{
+	/* entry is locked */
+	struct del_info* inf = (struct del_info*)arg;
+	struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key;
+	struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
+	/* delete the parentside negative cache rrsets,
+	 * these are namerserver rrsets that failed lookup, rdata empty */
+	if((k->rk.flags & PACKED_RRSET_PARENT_SIDE) && d->count == 1 &&
+		d->rrsig_count == 0 && d->rr_len[0] == 0) {
+		d->ttl = inf->expired;
+		inf->num_rrsets++;
+	}
+}
+
+/** callback to delete negative and servfail messages */
+static void
+negative_del_msg(struct lruhash_entry* e, void* arg)
+{
+	/* entry is locked */
+	struct del_info* inf = (struct del_info*)arg;
+	struct reply_info* d = (struct reply_info*)e->data;
+	/* rcode not NOERROR: NXDOMAIN, SERVFAIL, ..: an nxdomain or error
+	 * or NOERROR rcode with ANCOUNT==0: a NODATA answer */
+	if(FLAGS_GET_RCODE(d->flags) != 0 || d->an_numrrsets == 0) {
+		d->ttl = inf->expired;
+		inf->num_msgs++;
+	}
+}
+
+/** callback to delete negative key entries */
+static void
+negative_del_kcache(struct lruhash_entry* e, void* arg)
+{
+	/* entry is locked */
+	struct del_info* inf = (struct del_info*)arg;
+	struct key_entry_data* d = (struct key_entry_data*)e->data;
+	/* could be bad because of lookup failure on the DS, DNSKEY, which
+	 * was nxdomain or servfail, and thus a result of negative lookups */
+	if(d->isbad) {
+		d->ttl = inf->expired;
+		inf->num_keys++;
+	}
+}
+
+/** remove all negative(NODATA,NXDOMAIN), and servfail messages from cache */
+static void
+do_flush_negative(SSL* ssl, struct worker* worker)
+{
+	struct del_info inf;
+	/* what we do is to set them all expired */
+	inf.worker = worker;
+	inf.now = *worker->env.now;
+	inf.expired = *worker->env.now;
+	inf.expired -= 3; /* handle 3 seconds skew between threads */
+	inf.num_rrsets = 0;
+	inf.num_msgs = 0;
+	inf.num_keys = 0;
+	slabhash_traverse(&worker->env.rrset_cache->table, 1, 
+		&negative_del_rrset, &inf);
+
+	slabhash_traverse(worker->env.msg_cache, 1, &negative_del_msg, &inf);
+
+	/* and validator cache */
+	if(worker->env.key_cache) {
+		slabhash_traverse(worker->env.key_cache->slab, 1, 
+			&negative_del_kcache, &inf);
+	}
+
+	(void)ssl_printf(ssl, "ok removed %lu rrsets, %lu messages "
+		"and %lu key entries\n", (unsigned long)inf.num_rrsets, 
+		(unsigned long)inf.num_msgs, (unsigned long)inf.num_keys);
+}
+
+/** remove name rrset from cache */
+static void
+do_flush_name(SSL* ssl, struct worker* w, char* arg)
+{
+	uint8_t* nm;
+	int nmlabs;
+	size_t nmlen;
+	if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
+		return;
+	do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_A, LDNS_RR_CLASS_IN);
+	do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_AAAA, LDNS_RR_CLASS_IN);
+	do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN);
+	do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SOA, LDNS_RR_CLASS_IN);
+	do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_CNAME, LDNS_RR_CLASS_IN);
+	do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_DNAME, LDNS_RR_CLASS_IN);
+	do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_MX, LDNS_RR_CLASS_IN);
+	do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_PTR, LDNS_RR_CLASS_IN);
+	do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SRV, LDNS_RR_CLASS_IN);
+	do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_NAPTR, LDNS_RR_CLASS_IN);
+	
+	free(nm);
+	send_ok(ssl);
+}
+
+/** printout a delegation point info */
+static int
+ssl_print_name_dp(SSL* ssl, const char* str, uint8_t* nm, uint16_t dclass,
+	struct delegpt* dp)
+{
+	char buf[257];
+	struct delegpt_ns* ns;
+	struct delegpt_addr* a;
+	int f = 0;
+	if(str) { /* print header for forward, stub */
+		char* c = sldns_wire2str_class(dclass);
+		dname_str(nm, buf);
+		if(!ssl_printf(ssl, "%s %s %s ", buf, (c?c:"CLASS??"), str)) {
+			free(c);
+			return 0;
+		}
+		free(c);
+	}
+	for(ns = dp->nslist; ns; ns = ns->next) {
+		dname_str(ns->name, buf);
+		if(!ssl_printf(ssl, "%s%s", (f?" ":""), buf))
+			return 0;
+		f = 1;
+	}
+	for(a = dp->target_list; a; a = a->next_target) {
+		addr_to_str(&a->addr, a->addrlen, buf, sizeof(buf));
+		if(!ssl_printf(ssl, "%s%s", (f?" ":""), buf))
+			return 0;
+		f = 1;
+	}
+	return ssl_printf(ssl, "\n");
+}
+
+
+/** print root forwards */
+static int
+print_root_fwds(SSL* ssl, struct iter_forwards* fwds, uint8_t* root)
+{
+	struct delegpt* dp;
+	dp = forwards_lookup(fwds, root, LDNS_RR_CLASS_IN);
+	if(!dp)
+		return ssl_printf(ssl, "off (using root hints)\n");
+	/* if dp is returned it must be the root */
+	log_assert(query_dname_compare(dp->name, root)==0);
+	return ssl_print_name_dp(ssl, NULL, root, LDNS_RR_CLASS_IN, dp);
+}
+
+/** parse args into delegpt */
+static struct delegpt*
+parse_delegpt(SSL* ssl, char* args, uint8_t* nm, int allow_names)
+{
+	/* parse args and add in */
+	char* p = args;
+	char* todo;
+	struct delegpt* dp = delegpt_create_mlc(nm);
+	struct sockaddr_storage addr;
+	socklen_t addrlen;
+	if(!dp) {
+		(void)ssl_printf(ssl, "error out of memory\n");
+		return NULL;
+	}
+	while(p) {
+		todo = p;
+		p = strchr(p, ' '); /* find next spot, if any */
+		if(p) {
+			*p++ = 0;	/* end this spot */
+			p = skipwhite(p); /* position at next spot */
+		}
+		/* parse address */
+		if(!extstrtoaddr(todo, &addr, &addrlen)) {
+			if(allow_names) {
+				uint8_t* n = NULL;
+				size_t ln;
+				int lb;
+				if(!parse_arg_name(ssl, todo, &n, &ln, &lb)) {
+					(void)ssl_printf(ssl, "error cannot "
+						"parse IP address or name "
+						"'%s'\n", todo);
+					delegpt_free_mlc(dp);
+					return NULL;
+				}
+				if(!delegpt_add_ns_mlc(dp, n, 0)) {
+					(void)ssl_printf(ssl, "error out of memory\n");
+					free(n);
+					delegpt_free_mlc(dp);
+					return NULL;
+				}
+				free(n);
+
+			} else {
+				(void)ssl_printf(ssl, "error cannot parse"
+					" IP address '%s'\n", todo);
+				delegpt_free_mlc(dp);
+				return NULL;
+			}
+		} else {
+			/* add address */
+			if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0)) {
+				(void)ssl_printf(ssl, "error out of memory\n");
+				delegpt_free_mlc(dp);
+				return NULL;
+			}
+		}
+	}
+	return dp;
+}
+
+/** do the status command */
+static void
+do_forward(SSL* ssl, struct worker* worker, char* args)
+{
+	struct iter_forwards* fwd = worker->env.fwds;
+	uint8_t* root = (uint8_t*)"\000";
+	if(!fwd) {
+		(void)ssl_printf(ssl, "error: structure not allocated\n");
+		return;
+	}
+	if(args == NULL || args[0] == 0) {
+		(void)print_root_fwds(ssl, fwd, root);
+		return;
+	}
+	/* set root forwards for this thread. since we are in remote control
+	 * the actual mesh is not running, so we can freely edit it. */
+	/* delete all the existing queries first */
+	mesh_delete_all(worker->env.mesh);
+	if(strcmp(args, "off") == 0) {
+		forwards_delete_zone(fwd, LDNS_RR_CLASS_IN, root);
+	} else {
+		struct delegpt* dp;
+		if(!(dp = parse_delegpt(ssl, args, root, 0)))
+			return;
+		if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) {
+			(void)ssl_printf(ssl, "error out of memory\n");
+			return;
+		}
+	}
+	send_ok(ssl);
+}
+
+static int
+parse_fs_args(SSL* ssl, char* args, uint8_t** nm, struct delegpt** dp,
+	int* insecure, int* prime)
+{
+	char* zonename;
+	char* rest;
+	size_t nmlen;
+	int nmlabs;
+	/* parse all -x args */
+	while(args[0] == '+') {
+		if(!find_arg2(ssl, args, &rest))
+			return 0;
+		while(*(++args) != 0) {
+			if(*args == 'i' && insecure)
+				*insecure = 1;
+			else if(*args == 'p' && prime)
+				*prime = 1;
+			else {
+				(void)ssl_printf(ssl, "error: unknown option %s\n", args);
+				return 0;
+			}
+		}
+		args = rest;
+	}
+	/* parse name */
+	if(dp) {
+		if(!find_arg2(ssl, args, &rest))
+			return 0;
+		zonename = args;
+		args = rest;
+	} else	zonename = args;
+	if(!parse_arg_name(ssl, zonename, nm, &nmlen, &nmlabs))
+		return 0;
+
+	/* parse dp */
+	if(dp) {
+		if(!(*dp = parse_delegpt(ssl, args, *nm, 1))) {
+			free(*nm);
+			return 0;
+		}
+	}
+	return 1;
+}
+
+/** do the forward_add command */
+static void
+do_forward_add(SSL* ssl, struct worker* worker, char* args)
+{
+	struct iter_forwards* fwd = worker->env.fwds;
+	int insecure = 0;
+	uint8_t* nm = NULL;
+	struct delegpt* dp = NULL;
+	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL))
+		return;
+	if(insecure && worker->env.anchors) {
+		if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
+			nm)) {
+			(void)ssl_printf(ssl, "error out of memory\n");
+			delegpt_free_mlc(dp);
+			free(nm);
+			return;
+		}
+	}
+	if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) {
+		(void)ssl_printf(ssl, "error out of memory\n");
+		free(nm);
+		return;
+	}
+	free(nm);
+	send_ok(ssl);
+}
+
+/** do the forward_remove command */
+static void
+do_forward_remove(SSL* ssl, struct worker* worker, char* args)
+{
+	struct iter_forwards* fwd = worker->env.fwds;
+	int insecure = 0;
+	uint8_t* nm = NULL;
+	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
+		return;
+	if(insecure && worker->env.anchors)
+		anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
+			nm);
+	forwards_delete_zone(fwd, LDNS_RR_CLASS_IN, nm);
+	free(nm);
+	send_ok(ssl);
+}
+
+/** do the stub_add command */
+static void
+do_stub_add(SSL* ssl, struct worker* worker, char* args)
+{
+	struct iter_forwards* fwd = worker->env.fwds;
+	int insecure = 0, prime = 0;
+	uint8_t* nm = NULL;
+	struct delegpt* dp = NULL;
+	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime))
+		return;
+	if(insecure && worker->env.anchors) {
+		if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
+			nm)) {
+			(void)ssl_printf(ssl, "error out of memory\n");
+			delegpt_free_mlc(dp);
+			free(nm);
+			return;
+		}
+	}
+	if(!forwards_add_stub_hole(fwd, LDNS_RR_CLASS_IN, nm)) {
+		if(insecure && worker->env.anchors)
+			anchors_delete_insecure(worker->env.anchors,
+				LDNS_RR_CLASS_IN, nm);
+		(void)ssl_printf(ssl, "error out of memory\n");
+		delegpt_free_mlc(dp);
+		free(nm);
+		return;
+	}
+	if(!hints_add_stub(worker->env.hints, LDNS_RR_CLASS_IN, dp, !prime)) {
+		(void)ssl_printf(ssl, "error out of memory\n");
+		forwards_delete_stub_hole(fwd, LDNS_RR_CLASS_IN, nm);
+		if(insecure && worker->env.anchors)
+			anchors_delete_insecure(worker->env.anchors,
+				LDNS_RR_CLASS_IN, nm);
+		free(nm);
+		return;
+	}
+	free(nm);
+	send_ok(ssl);
+}
+
+/** do the stub_remove command */
+static void
+do_stub_remove(SSL* ssl, struct worker* worker, char* args)
+{
+	struct iter_forwards* fwd = worker->env.fwds;
+	int insecure = 0;
+	uint8_t* nm = NULL;
+	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
+		return;
+	if(insecure && worker->env.anchors)
+		anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
+			nm);
+	forwards_delete_stub_hole(fwd, LDNS_RR_CLASS_IN, nm);
+	hints_delete_stub(worker->env.hints, LDNS_RR_CLASS_IN, nm);
+	free(nm);
+	send_ok(ssl);
+}
+
+/** do the insecure_add command */
+static void
+do_insecure_add(SSL* ssl, struct worker* worker, char* arg)
+{
+	size_t nmlen;
+	int nmlabs;
+	uint8_t* nm = NULL;
+	if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
+		return;
+	if(worker->env.anchors) {
+		if(!anchors_add_insecure(worker->env.anchors,
+			LDNS_RR_CLASS_IN, nm)) {
+			(void)ssl_printf(ssl, "error out of memory\n");
+			free(nm);
+			return;
+		}
+	}
+	free(nm);
+	send_ok(ssl);
+}
+
+/** do the insecure_remove command */
+static void
+do_insecure_remove(SSL* ssl, struct worker* worker, char* arg)
+{
+	size_t nmlen;
+	int nmlabs;
+	uint8_t* nm = NULL;
+	if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
+		return;
+	if(worker->env.anchors)
+		anchors_delete_insecure(worker->env.anchors,
+			LDNS_RR_CLASS_IN, nm);
+	free(nm);
+	send_ok(ssl);
+}
+
+/** do the status command */
+static void
+do_status(SSL* ssl, struct worker* worker)
+{
+	int i;
+	time_t uptime;
+	if(!ssl_printf(ssl, "version: %s\n", PACKAGE_VERSION))
+		return;
+	if(!ssl_printf(ssl, "verbosity: %d\n", verbosity))
+		return;
+	if(!ssl_printf(ssl, "threads: %d\n", worker->daemon->num))
+		return;
+	if(!ssl_printf(ssl, "modules: %d [", worker->daemon->mods.num))
+		return;
+	for(i=0; i<worker->daemon->mods.num; i++) {
+		if(!ssl_printf(ssl, " %s", worker->daemon->mods.mod[i]->name))
+			return;
+	}
+	if(!ssl_printf(ssl, " ]\n"))
+		return;
+	uptime = (time_t)time(NULL) - (time_t)worker->daemon->time_boot.tv_sec;
+	if(!ssl_printf(ssl, "uptime: " ARG_LL "d seconds\n", (long long)uptime))
+		return;
+	if(!ssl_printf(ssl, "options:%s%s\n" , 
+		(worker->daemon->reuseport?" reuseport":""),
+		(worker->daemon->rc->accept_list?" control(ssl)":"")))
+		return;
+	if(!ssl_printf(ssl, "unbound (pid %d) is running...\n",
+		(int)getpid()))
+		return;
+}
+
+/** get age for the mesh state */
+static void
+get_mesh_age(struct mesh_state* m, char* buf, size_t len, 
+	struct module_env* env)
+{
+	if(m->reply_list) {
+		struct timeval d;
+		struct mesh_reply* r = m->reply_list;
+		/* last reply is the oldest */
+		while(r && r->next)
+			r = r->next;
+		timeval_subtract(&d, env->now_tv, &r->start_time);
+		snprintf(buf, len, ARG_LL "d.%6.6d",
+			(long long)d.tv_sec, (int)d.tv_usec);
+	} else {
+		snprintf(buf, len, "-");
+	}
+}
+
+/** get status of a mesh state */
+static void
+get_mesh_status(struct mesh_area* mesh, struct mesh_state* m, 
+	char* buf, size_t len)
+{
+	enum module_ext_state s = m->s.ext_state[m->s.curmod];
+	const char *modname = mesh->mods.mod[m->s.curmod]->name;
+	size_t l;
+	if(strcmp(modname, "iterator") == 0 && s == module_wait_reply &&
+		m->s.minfo[m->s.curmod]) {
+		/* break into iterator to find out who its waiting for */
+		struct iter_qstate* qstate = (struct iter_qstate*)
+			m->s.minfo[m->s.curmod];
+		struct outbound_list* ol = &qstate->outlist;
+		struct outbound_entry* e;
+		snprintf(buf, len, "%s wait for", modname);
+		l = strlen(buf);
+		buf += l; len -= l;
+		if(ol->first == NULL)
+			snprintf(buf, len, " (empty_list)");
+		for(e = ol->first; e; e = e->next) {
+			snprintf(buf, len, " ");
+			l = strlen(buf);
+			buf += l; len -= l;
+			addr_to_str(&e->qsent->addr, e->qsent->addrlen, 
+				buf, len);
+			l = strlen(buf);
+			buf += l; len -= l;
+		}
+	} else if(s == module_wait_subquery) {
+		/* look in subs from mesh state to see what */
+		char nm[257];
+		struct mesh_state_ref* sub;
+		snprintf(buf, len, "%s wants", modname);
+		l = strlen(buf);
+		buf += l; len -= l;
+		if(m->sub_set.count == 0)
+			snprintf(buf, len, " (empty_list)");
+		RBTREE_FOR(sub, struct mesh_state_ref*, &m->sub_set) {
+			char* t = sldns_wire2str_type(sub->s->s.qinfo.qtype);
+			char* c = sldns_wire2str_class(sub->s->s.qinfo.qclass);
+			dname_str(sub->s->s.qinfo.qname, nm);
+			snprintf(buf, len, " %s %s %s", (t?t:"TYPE??"),
+				(c?c:"CLASS??"), nm);
+			l = strlen(buf);
+			buf += l; len -= l;
+			free(t);
+			free(c);
+		}
+	} else {
+		snprintf(buf, len, "%s is %s", modname, strextstate(s));
+	}
+}
+
+/** do the dump_requestlist command */
+static void
+do_dump_requestlist(SSL* ssl, struct worker* worker)
+{
+	struct mesh_area* mesh;
+	struct mesh_state* m;
+	int num = 0;
+	char buf[257];
+	char timebuf[32];
+	char statbuf[10240];
+	if(!ssl_printf(ssl, "thread #%d\n", worker->thread_num))
+		return;
+	if(!ssl_printf(ssl, "#   type cl name    seconds    module status\n"))
+		return;
+	/* show worker mesh contents */
+	mesh = worker->env.mesh;
+	if(!mesh) return;
+	RBTREE_FOR(m, struct mesh_state*, &mesh->all) {
+		char* t = sldns_wire2str_type(m->s.qinfo.qtype);
+		char* c = sldns_wire2str_class(m->s.qinfo.qclass);
+		dname_str(m->s.qinfo.qname, buf);
+		get_mesh_age(m, timebuf, sizeof(timebuf), &worker->env);
+		get_mesh_status(mesh, m, statbuf, sizeof(statbuf));
+		if(!ssl_printf(ssl, "%3d %4s %2s %s %s %s\n", 
+			num, (t?t:"TYPE??"), (c?c:"CLASS??"), buf, timebuf,
+			statbuf)) {
+			free(t);
+			free(c);
+			return;
+		}
+		num++;
+		free(t);
+		free(c);
+	}
+}
+
+/** structure for argument data for dump infra host */
+struct infra_arg {
+	/** the infra cache */
+	struct infra_cache* infra;
+	/** the SSL connection */
+	SSL* ssl;
+	/** the time now */
+	time_t now;
+	/** ssl failure? stop writing and skip the rest.  If the tcp
+	 * connection is broken, and writes fail, we then stop writing. */
+	int ssl_failed;
+};
+
+/** callback for every host element in the infra cache */
+static void
+dump_infra_host(struct lruhash_entry* e, void* arg)
+{
+	struct infra_arg* a = (struct infra_arg*)arg;
+	struct infra_key* k = (struct infra_key*)e->key;
+	struct infra_data* d = (struct infra_data*)e->data;
+	char ip_str[1024];
+	char name[257];
+	if(a->ssl_failed)
+		return;
+	addr_to_str(&k->addr, k->addrlen, ip_str, sizeof(ip_str));
+	dname_str(k->zonename, name);
+	/* skip expired stuff (only backed off) */
+	if(d->ttl < a->now) {
+		if(d->rtt.rto >= USEFUL_SERVER_TOP_TIMEOUT) {
+			if(!ssl_printf(a->ssl, "%s %s expired rto %d\n", ip_str,
+				name, d->rtt.rto))  {
+				a->ssl_failed = 1;
+				return;
+			}
+		}
+		return;
+	}
+	if(!ssl_printf(a->ssl, "%s %s ttl %lu ping %d var %d rtt %d rto %d "
+		"tA %d tAAAA %d tother %d "
+		"ednsknown %d edns %d delay %d lame dnssec %d rec %d A %d "
+		"other %d\n", ip_str, name, (unsigned long)(d->ttl - a->now),
+		d->rtt.srtt, d->rtt.rttvar, rtt_notimeout(&d->rtt), d->rtt.rto,
+		d->timeout_A, d->timeout_AAAA, d->timeout_other,
+		(int)d->edns_lame_known, (int)d->edns_version,
+		(int)(a->now<d->probedelay?d->probedelay-a->now:0),
+		(int)d->isdnsseclame, (int)d->rec_lame, (int)d->lame_type_A,
+		(int)d->lame_other)) {
+		a->ssl_failed = 1;
+		return;
+	}
+}
+
+/** do the dump_infra command */
+static void
+do_dump_infra(SSL* ssl, struct worker* worker)
+{
+	struct infra_arg arg;
+	arg.infra = worker->env.infra_cache;
+	arg.ssl = ssl;
+	arg.now = *worker->env.now;
+	arg.ssl_failed = 0;
+	slabhash_traverse(arg.infra->hosts, 0, &dump_infra_host, (void*)&arg);
+}
+
+/** do the log_reopen command */
+static void
+do_log_reopen(SSL* ssl, struct worker* worker)
+{
+	struct config_file* cfg = worker->env.cfg;
+	send_ok(ssl);
+	log_init(cfg->logfile, cfg->use_syslog, cfg->chrootdir);
+}
+
+/** do the set_option command */
+static void
+do_set_option(SSL* ssl, struct worker* worker, char* arg)
+{
+	char* arg2;
+	if(!find_arg2(ssl, arg, &arg2))
+		return;
+	if(!config_set_option(worker->env.cfg, arg, arg2)) {
+		(void)ssl_printf(ssl, "error setting option\n");
+		return;
+	}
+	send_ok(ssl);
+}
+
+/* routine to printout option values over SSL */
+void remote_get_opt_ssl(char* line, void* arg)
+{
+	SSL* ssl = (SSL*)arg;
+	(void)ssl_printf(ssl, "%s\n", line);
+}
+
+/** do the get_option command */
+static void
+do_get_option(SSL* ssl, struct worker* worker, char* arg)
+{
+	int r;
+	r = config_get_option(worker->env.cfg, arg, remote_get_opt_ssl, ssl);
+	if(!r) {
+		(void)ssl_printf(ssl, "error unknown option\n");
+		return;
+	}
+}
+
+/** do the list_forwards command */
+static void
+do_list_forwards(SSL* ssl, struct worker* worker)
+{
+	/* since its a per-worker structure no locks needed */
+	struct iter_forwards* fwds = worker->env.fwds;
+	struct iter_forward_zone* z;
+	struct trust_anchor* a;
+	int insecure;
+	RBTREE_FOR(z, struct iter_forward_zone*, fwds->tree) {
+		if(!z->dp) continue; /* skip empty marker for stub */
+
+		/* see if it is insecure */
+		insecure = 0;
+		if(worker->env.anchors &&
+			(a=anchor_find(worker->env.anchors, z->name,
+			z->namelabs, z->namelen,  z->dclass))) {
+			if(!a->keylist && !a->numDS && !a->numDNSKEY)
+				insecure = 1;
+			lock_basic_unlock(&a->lock);
+		}
+
+		if(!ssl_print_name_dp(ssl, (insecure?"forward +i":"forward"),
+			z->name, z->dclass, z->dp))
+			return;
+	}
+}
+
+/** do the list_stubs command */
+static void
+do_list_stubs(SSL* ssl, struct worker* worker)
+{
+	struct iter_hints_stub* z;
+	struct trust_anchor* a;
+	int insecure;
+	char str[32];
+	RBTREE_FOR(z, struct iter_hints_stub*, &worker->env.hints->tree) {
+
+		/* see if it is insecure */
+		insecure = 0;
+		if(worker->env.anchors &&
+			(a=anchor_find(worker->env.anchors, z->node.name,
+			z->node.labs, z->node.len,  z->node.dclass))) {
+			if(!a->keylist && !a->numDS && !a->numDNSKEY)
+				insecure = 1;
+			lock_basic_unlock(&a->lock);
+		}
+
+		snprintf(str, sizeof(str), "stub %sprime%s",
+			(z->noprime?"no":""), (insecure?" +i":""));
+		if(!ssl_print_name_dp(ssl, str, z->node.name,
+			z->node.dclass, z->dp))
+			return;
+	}
+}
+
+/** do the list_local_zones command */
+static void
+do_list_local_zones(SSL* ssl, struct worker* worker)
+{
+	struct local_zones* zones = worker->daemon->local_zones;
+	struct local_zone* z;
+	char buf[257];
+	lock_rw_rdlock(&zones->lock);
+	RBTREE_FOR(z, struct local_zone*, &zones->ztree) {
+		lock_rw_rdlock(&z->lock);
+		dname_str(z->name, buf);
+		if(!ssl_printf(ssl, "%s %s\n", buf, 
+			local_zone_type2str(z->type))) {
+			/* failure to print */
+			lock_rw_unlock(&z->lock);
+			lock_rw_unlock(&zones->lock);
+			return;
+		}
+		lock_rw_unlock(&z->lock);
+	}
+	lock_rw_unlock(&zones->lock);
+}
+
+/** do the list_local_data command */
+static void
+do_list_local_data(SSL* ssl, struct worker* worker)
+{
+	struct local_zones* zones = worker->daemon->local_zones;
+	struct local_zone* z;
+	struct local_data* d;
+	struct local_rrset* p;
+	char* s = (char*)sldns_buffer_begin(worker->env.scratch_buffer);
+	size_t slen = sldns_buffer_capacity(worker->env.scratch_buffer);
+	lock_rw_rdlock(&zones->lock);
+	RBTREE_FOR(z, struct local_zone*, &zones->ztree) {
+		lock_rw_rdlock(&z->lock);
+		RBTREE_FOR(d, struct local_data*, &z->data) {
+			for(p = d->rrsets; p; p = p->next) {
+				struct packed_rrset_data* d =
+					(struct packed_rrset_data*)p->rrset->entry.data;
+				size_t i;
+				for(i=0; i<d->count + d->rrsig_count; i++) {
+					if(!packed_rr_to_string(p->rrset, i,
+						0, s, slen)) {
+						if(!ssl_printf(ssl, "BADRR\n"))
+							return;
+					}
+				        if(!ssl_printf(ssl, "%s\n", s))
+						return;
+				}
+			}
+		}
+		lock_rw_unlock(&z->lock);
+	}
+	lock_rw_unlock(&zones->lock);
+}
+
+/** tell other processes to execute the command */
+static void
+distribute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd)
+{
+	int i;
+	if(!cmd || !ssl) 
+		return;
+	/* skip i=0 which is me */
+	for(i=1; i<rc->worker->daemon->num; i++) {
+		worker_send_cmd(rc->worker->daemon->workers[i],
+			worker_cmd_remote);
+		if(!tube_write_msg(rc->worker->daemon->workers[i]->cmd,
+			(uint8_t*)cmd, strlen(cmd)+1, 0)) {
+			ssl_printf(ssl, "error could not distribute cmd\n");
+			return;
+		}
+	}
+}
+
+/** check for name with end-of-string, space or tab after it */
+static int
+cmdcmp(char* p, const char* cmd, size_t len)
+{
+	return strncmp(p,cmd,len)==0 && (p[len]==0||p[len]==' '||p[len]=='\t');
+}
+
+/** execute a remote control command */
+static void
+execute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd, 
+	struct worker* worker)
+{
+	char* p = skipwhite(cmd);
+	/* compare command */
+	if(cmdcmp(p, "stop", 4)) {
+		do_stop(ssl, rc);
+		return;
+	} else if(cmdcmp(p, "reload", 6)) {
+		do_reload(ssl, rc);
+		return;
+	} else if(cmdcmp(p, "stats_noreset", 13)) {
+		do_stats(ssl, rc, 0);
+		return;
+	} else if(cmdcmp(p, "stats", 5)) {
+		do_stats(ssl, rc, 1);
+		return;
+	} else if(cmdcmp(p, "status", 6)) {
+		do_status(ssl, worker);
+		return;
+	} else if(cmdcmp(p, "dump_cache", 10)) {
+		(void)dump_cache(ssl, worker);
+		return;
+	} else if(cmdcmp(p, "load_cache", 10)) {
+		if(load_cache(ssl, worker)) send_ok(ssl);
+		return;
+	} else if(cmdcmp(p, "list_forwards", 13)) {
+		do_list_forwards(ssl, worker);
+		return;
+	} else if(cmdcmp(p, "list_stubs", 10)) {
+		do_list_stubs(ssl, worker);
+		return;
+	} else if(cmdcmp(p, "list_local_zones", 16)) {
+		do_list_local_zones(ssl, worker);
+		return;
+	} else if(cmdcmp(p, "list_local_data", 15)) {
+		do_list_local_data(ssl, worker);
+		return;
+	} else if(cmdcmp(p, "stub_add", 8)) {
+		/* must always distribute this cmd */
+		if(rc) distribute_cmd(rc, ssl, cmd);
+		do_stub_add(ssl, worker, skipwhite(p+8));
+		return;
+	} else if(cmdcmp(p, "stub_remove", 11)) {
+		/* must always distribute this cmd */
+		if(rc) distribute_cmd(rc, ssl, cmd);
+		do_stub_remove(ssl, worker, skipwhite(p+11));
+		return;
+	} else if(cmdcmp(p, "forward_add", 11)) {
+		/* must always distribute this cmd */
+		if(rc) distribute_cmd(rc, ssl, cmd);
+		do_forward_add(ssl, worker, skipwhite(p+11));
+		return;
+	} else if(cmdcmp(p, "forward_remove", 14)) {
+		/* must always distribute this cmd */
+		if(rc) distribute_cmd(rc, ssl, cmd);
+		do_forward_remove(ssl, worker, skipwhite(p+14));
+		return;
+	} else if(cmdcmp(p, "insecure_add", 12)) {
+		/* must always distribute this cmd */
+		if(rc) distribute_cmd(rc, ssl, cmd);
+		do_insecure_add(ssl, worker, skipwhite(p+12));
+		return;
+	} else if(cmdcmp(p, "insecure_remove", 15)) {
+		/* must always distribute this cmd */
+		if(rc) distribute_cmd(rc, ssl, cmd);
+		do_insecure_remove(ssl, worker, skipwhite(p+15));
+		return;
+	} else if(cmdcmp(p, "forward", 7)) {
+		/* must always distribute this cmd */
+		if(rc) distribute_cmd(rc, ssl, cmd);
+		do_forward(ssl, worker, skipwhite(p+7));
+		return;
+	} else if(cmdcmp(p, "flush_stats", 11)) {
+		/* must always distribute this cmd */
+		if(rc) distribute_cmd(rc, ssl, cmd);
+		do_flush_stats(ssl, worker);
+		return;
+	} else if(cmdcmp(p, "flush_requestlist", 17)) {
+		/* must always distribute this cmd */
+		if(rc) distribute_cmd(rc, ssl, cmd);
+		do_flush_requestlist(ssl, worker);
+		return;
+	} else if(cmdcmp(p, "lookup", 6)) {
+		do_lookup(ssl, worker, skipwhite(p+6));
+		return;
+	}
+
+#ifdef THREADS_DISABLED
+	/* other processes must execute the command as well */
+	/* commands that should not be distributed, returned above. */
+	if(rc) { /* only if this thread is the master (rc) thread */
+		/* done before the code below, which may split the string */
+		distribute_cmd(rc, ssl, cmd);
+	}
+#endif
+	if(cmdcmp(p, "verbosity", 9)) {
+		do_verbosity(ssl, skipwhite(p+9));
+	} else if(cmdcmp(p, "local_zone_remove", 17)) {
+		do_zone_remove(ssl, worker, skipwhite(p+17));
+	} else if(cmdcmp(p, "local_zone", 10)) {
+		do_zone_add(ssl, worker, skipwhite(p+10));
+	} else if(cmdcmp(p, "local_data_remove", 17)) {
+		do_data_remove(ssl, worker, skipwhite(p+17));
+	} else if(cmdcmp(p, "local_data", 10)) {
+		do_data_add(ssl, worker, skipwhite(p+10));
+	} else if(cmdcmp(p, "flush_zone", 10)) {
+		do_flush_zone(ssl, worker, skipwhite(p+10));
+	} else if(cmdcmp(p, "flush_type", 10)) {
+		do_flush_type(ssl, worker, skipwhite(p+10));
+	} else if(cmdcmp(p, "flush_infra", 11)) {
+		do_flush_infra(ssl, worker, skipwhite(p+11));
+	} else if(cmdcmp(p, "flush", 5)) {
+		do_flush_name(ssl, worker, skipwhite(p+5));
+	} else if(cmdcmp(p, "dump_requestlist", 16)) {
+		do_dump_requestlist(ssl, worker);
+	} else if(cmdcmp(p, "dump_infra", 10)) {
+		do_dump_infra(ssl, worker);
+	} else if(cmdcmp(p, "log_reopen", 10)) {
+		do_log_reopen(ssl, worker);
+	} else if(cmdcmp(p, "set_option", 10)) {
+		do_set_option(ssl, worker, skipwhite(p+10));
+	} else if(cmdcmp(p, "get_option", 10)) {
+		do_get_option(ssl, worker, skipwhite(p+10));
+	} else if(cmdcmp(p, "flush_bogus", 11)) {
+		do_flush_bogus(ssl, worker);
+	} else if(cmdcmp(p, "flush_negative", 14)) {
+		do_flush_negative(ssl, worker);
+	} else {
+		(void)ssl_printf(ssl, "error unknown command '%s'\n", p);
+	}
+}
+
+void 
+daemon_remote_exec(struct worker* worker)
+{
+	/* read the cmd string */
+	uint8_t* msg = NULL;
+	uint32_t len = 0;
+	if(!tube_read_msg(worker->cmd, &msg, &len, 0)) {
+		log_err("daemon_remote_exec: tube_read_msg failed");
+		return;
+	}
+	verbose(VERB_ALGO, "remote exec distributed: %s", (char*)msg);
+	execute_cmd(NULL, NULL, (char*)msg, worker);
+	free(msg);
+}
+
+/** handle remote control request */
+static void
+handle_req(struct daemon_remote* rc, struct rc_state* s, SSL* ssl)
+{
+	int r;
+	char pre[10];
+	char magic[7];
+	char buf[1024];
+#ifdef USE_WINSOCK
+	/* makes it possible to set the socket blocking again. */
+	/* basically removes it from winsock_event ... */
+	WSAEventSelect(s->c->fd, NULL, 0);
+#endif
+	fd_set_block(s->c->fd);
+
+	/* try to read magic UBCT[version]_space_ string */
+	ERR_clear_error();
+	if((r=SSL_read(ssl, magic, (int)sizeof(magic)-1)) <= 0) {
+		if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN)
+			return;
+		log_crypto_err("could not SSL_read");
+		return;
+	}
+	magic[6] = 0;
+	if( r != 6 || strncmp(magic, "UBCT", 4) != 0) {
+		verbose(VERB_QUERY, "control connection has bad magic string");
+		/* probably wrong tool connected, ignore it completely */
+		return;
+	}
+
+	/* read the command line */
+	if(!ssl_read_line(ssl, buf, sizeof(buf))) {
+		return;
+	}
+	snprintf(pre, sizeof(pre), "UBCT%d ", UNBOUND_CONTROL_VERSION);
+	if(strcmp(magic, pre) != 0) {
+		verbose(VERB_QUERY, "control connection had bad "
+			"version %s, cmd: %s", magic, buf);
+		ssl_printf(ssl, "error version mismatch\n");
+		return;
+	}
+	verbose(VERB_DETAIL, "control cmd: %s", buf);
+
+	/* figure out what to do */
+	execute_cmd(rc, ssl, buf, rc->worker);
+}
+
+int remote_control_callback(struct comm_point* c, void* arg, int err, 
+	struct comm_reply* ATTR_UNUSED(rep))
+{
+	struct rc_state* s = (struct rc_state*)arg;
+	struct daemon_remote* rc = s->rc;
+	int r;
+	if(err != NETEVENT_NOERROR) {
+		if(err==NETEVENT_TIMEOUT) 
+			log_err("remote control timed out");
+		clean_point(rc, s);
+		return 0;
+	}
+	/* (continue to) setup the SSL connection */
+	ERR_clear_error();
+	r = SSL_do_handshake(s->ssl);
+	if(r != 1) {
+		int r2 = SSL_get_error(s->ssl, r);
+		if(r2 == SSL_ERROR_WANT_READ) {
+			if(s->shake_state == rc_hs_read) {
+				/* try again later */
+				return 0;
+			}
+			s->shake_state = rc_hs_read;
+			comm_point_listen_for_rw(c, 1, 0);
+			return 0;
+		} else if(r2 == SSL_ERROR_WANT_WRITE) {
+			if(s->shake_state == rc_hs_write) {
+				/* try again later */
+				return 0;
+			}
+			s->shake_state = rc_hs_write;
+			comm_point_listen_for_rw(c, 0, 1);
+			return 0;
+		} else {
+			if(r == 0)
+				log_err("remote control connection closed prematurely");
+			log_addr(1, "failed connection from",
+				&s->c->repinfo.addr, s->c->repinfo.addrlen);
+			log_crypto_err("remote control failed ssl");
+			clean_point(rc, s);
+			return 0;
+		}
+	}
+	s->shake_state = rc_none;
+
+	/* once handshake has completed, check authentication */
+	if(SSL_get_verify_result(s->ssl) == X509_V_OK) {
+		X509* x = SSL_get_peer_certificate(s->ssl);
+		if(!x) {
+			verbose(VERB_DETAIL, "remote control connection "
+				"provided no client certificate");
+			clean_point(rc, s);
+			return 0;
+		}
+		verbose(VERB_ALGO, "remote control connection authenticated");
+		X509_free(x);
+	} else {
+		verbose(VERB_DETAIL, "remote control connection failed to "
+			"authenticate with client certificate");
+		clean_point(rc, s);
+		return 0;
+	}
+
+	/* if OK start to actually handle the request */
+	handle_req(rc, s, s->ssl);
+
+	verbose(VERB_ALGO, "remote control operation completed");
+	clean_point(rc, s);
+	return 0;
+}
diff --git a/external/unbound/daemon/remote.h b/external/unbound/daemon/remote.h
new file mode 100644
index 000000000..cc670b701
--- /dev/null
+++ b/external/unbound/daemon/remote.h
@@ -0,0 +1,189 @@
+/*
+ * daemon/remote.h - remote control for the unbound daemon.
+ *
+ * Copyright (c) 2008, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains the remote control functionality for the daemon.
+ * The remote control can be performed using either the commandline
+ * unbound-control tool, or a SSLv3/TLS capable web browser. 
+ * The channel is secured using SSLv3 or TLSv1, and certificates.
+ * Both the server and the client(control tool) have their own keys.
+ */
+
+#ifndef DAEMON_REMOTE_H
+#define DAEMON_REMOTE_H
+#ifdef HAVE_OPENSSL_SSL_H
+#include "openssl/ssl.h"
+#endif
+struct config_file;
+struct listen_list;
+struct listen_port;
+struct worker;
+struct comm_reply;
+struct comm_point;
+struct daemon_remote;
+
+/** number of seconds timeout on incoming remote control handshake */
+#define REMOTE_CONTROL_TCP_TIMEOUT 120
+
+/**
+ * a busy control command connection, SSL state
+ */
+struct rc_state {
+	/** the next item in list */
+	struct rc_state* next;
+	/** the commpoint */
+	struct comm_point* c;
+	/** in the handshake part */
+	enum { rc_none, rc_hs_read, rc_hs_write } shake_state;
+#ifdef HAVE_SSL
+	/** the ssl state */
+	SSL* ssl;
+#endif
+	/** the rc this is part of */
+	struct daemon_remote* rc;
+};
+
+/**
+ * The remote control tool state.
+ * The state is only created for the first thread, other threads
+ * are called from this thread.  Only the first threads listens to
+ * the control port.  The other threads do not, but are called on the
+ * command channel(pipe) from the first thread.
+ */
+struct daemon_remote {
+	/** the worker for this remote control */
+	struct worker* worker;
+	/** commpoints for accepting remote control connections */
+	struct listen_list* accept_list;
+	/** number of active commpoints that are handling remote control */
+	int active;
+	/** max active commpoints */
+	int max_active;
+	/** current commpoints busy; should be a short list, malloced */
+	struct rc_state* busy_list;
+#ifdef HAVE_SSL
+	/** the SSL context for creating new SSL streams */
+	SSL_CTX* ctx;
+#endif
+};
+
+/**
+ * Create new remote control state for the daemon.
+ * @param cfg: config file with key file settings.
+ * @return new state, or NULL on failure.
+ */
+struct daemon_remote* daemon_remote_create(struct config_file* cfg);
+
+/**
+ * remote control state to delete.
+ * @param rc: state to delete.
+ */
+void daemon_remote_delete(struct daemon_remote* rc);
+
+/**
+ * remote control state to clear up. Busy and accept points are closed.
+ * Does not delete the rc itself, or the ssl context (with its keys).
+ * @param rc: state to clear.
+ */
+void daemon_remote_clear(struct daemon_remote* rc);
+
+/**
+ * Open and create listening ports for remote control.
+ * @param cfg: config options.
+ * @return list of ports or NULL on failure.
+ *	can be freed with listening_ports_free().
+ */
+struct listen_port* daemon_remote_open_ports(struct config_file* cfg);
+
+/**
+ * Setup comm points for accepting remote control connections.
+ * @param rc: state
+ * @param ports: already opened ports.
+ * @param worker: worker with communication base. and links to command channels.
+ * @return false on error.
+ */
+int daemon_remote_open_accept(struct daemon_remote* rc, 
+	struct listen_port* ports, struct worker* worker);
+
+/**
+ * Stop accept handlers for TCP (until enabled again)
+ * @param rc: state
+ */
+void daemon_remote_stop_accept(struct daemon_remote* rc);
+
+/**
+ * Stop accept handlers for TCP (until enabled again)
+ * @param rc: state
+ */
+void daemon_remote_start_accept(struct daemon_remote* rc);
+
+/**
+ * Handle nonthreaded remote cmd execution.
+ * @param worker: this worker (the remote worker).
+ */
+void daemon_remote_exec(struct worker* worker);
+
+#ifdef HAVE_SSL
+/** 
+ * Print fixed line of text over ssl connection in blocking mode
+ * @param ssl: print to
+ * @param text: the text.
+ * @return false on connection failure.
+ */
+int ssl_print_text(SSL* ssl, const char* text);
+
+/** 
+ * printf style printing to the ssl connection
+ * @param ssl: the SSL connection to print to. Blocking.
+ * @param format: printf style format string.
+ * @return success or false on a network failure.
+ */
+int ssl_printf(SSL* ssl, const char* format, ...)
+        ATTR_FORMAT(printf, 2, 3);
+
+/**
+ * Read until \n is encountered
+ * If SSL signals EOF, the string up to then is returned (without \n).
+ * @param ssl: the SSL connection to read from. blocking.
+ * @param buf: buffer to read to.
+ * @param max: size of buffer.
+ * @return false on connection failure.
+ */
+int ssl_read_line(SSL* ssl, char* buf, size_t max);
+#endif /* HAVE_SSL */
+
+#endif /* DAEMON_REMOTE_H */
diff --git a/external/unbound/daemon/stats.c b/external/unbound/daemon/stats.c
new file mode 100644
index 000000000..d3f41de03
--- /dev/null
+++ b/external/unbound/daemon/stats.c
@@ -0,0 +1,321 @@
+/*
+ * daemon/stats.c - collect runtime performance indicators.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file describes the data structure used to collect runtime performance
+ * numbers. These 'statistics' may be of interest to the operator.
+ */
+#include "config.h"
+#ifdef HAVE_TIME_H
+#include <time.h>
+#endif
+#include <sys/time.h>
+#include <sys/types.h>
+#include "daemon/stats.h"
+#include "daemon/worker.h"
+#include "daemon/daemon.h"
+#include "services/mesh.h"
+#include "services/outside_network.h"
+#include "util/config_file.h"
+#include "util/tube.h"
+#include "util/timehist.h"
+#include "util/net_help.h"
+#include "validator/validator.h"
+#include "ldns/sbuffer.h"
+#include "services/cache/rrset.h"
+#include "services/cache/infra.h"
+#include "validator/val_kcache.h"
+
+/** add timers and the values do not overflow or become negative */
+static void
+timeval_add(struct timeval* d, const struct timeval* add)
+{
+#ifndef S_SPLINT_S
+	d->tv_sec += add->tv_sec;
+	d->tv_usec += add->tv_usec;
+	if(d->tv_usec > 1000000) {
+		d->tv_usec -= 1000000;
+		d->tv_sec++;
+	}
+#endif
+}
+
+void server_stats_init(struct server_stats* stats, struct config_file* cfg)
+{
+	memset(stats, 0, sizeof(*stats));
+	stats->extended = cfg->stat_extended;
+}
+
+void server_stats_querymiss(struct server_stats* stats, struct worker* worker)
+{
+	stats->num_queries_missed_cache++;
+	stats->sum_query_list_size += worker->env.mesh->all.count;
+	if(worker->env.mesh->all.count > stats->max_query_list_size)
+		stats->max_query_list_size = worker->env.mesh->all.count;
+}
+
+void server_stats_prefetch(struct server_stats* stats, struct worker* worker)
+{
+	stats->num_queries_prefetch++;
+	/* changes the query list size so account that, like a querymiss */
+	stats->sum_query_list_size += worker->env.mesh->all.count;
+	if(worker->env.mesh->all.count > stats->max_query_list_size)
+		stats->max_query_list_size = worker->env.mesh->all.count;
+}
+
+void server_stats_log(struct server_stats* stats, struct worker* worker,
+	int threadnum)
+{
+	log_info("server stats for thread %d: %u queries, "
+		"%u answers from cache, %u recursions, %u prefetch", 
+		threadnum, (unsigned)stats->num_queries, 
+		(unsigned)(stats->num_queries - 
+			stats->num_queries_missed_cache),
+		(unsigned)stats->num_queries_missed_cache,
+		(unsigned)stats->num_queries_prefetch);
+	log_info("server stats for thread %d: requestlist max %u avg %g "
+		"exceeded %u jostled %u", threadnum,
+		(unsigned)stats->max_query_list_size,
+		(stats->num_queries_missed_cache+stats->num_queries_prefetch)?
+			(double)stats->sum_query_list_size/
+			(stats->num_queries_missed_cache+
+			stats->num_queries_prefetch) : 0.0,
+		(unsigned)worker->env.mesh->stats_dropped,
+		(unsigned)worker->env.mesh->stats_jostled);
+}
+
+/** get rrsets bogus number from validator */
+static size_t
+get_rrset_bogus(struct worker* worker)
+{
+	int m = modstack_find(&worker->env.mesh->mods, "validator");
+	struct val_env* ve;
+	size_t r;
+	if(m == -1)
+		return 0;
+	ve = (struct val_env*)worker->env.modinfo[m];
+	lock_basic_lock(&ve->bogus_lock);
+	r = ve->num_rrset_bogus;
+	if(!worker->env.cfg->stat_cumulative)
+		ve->num_rrset_bogus = 0;
+	lock_basic_unlock(&ve->bogus_lock);
+	return r;
+}
+
+void
+server_stats_compile(struct worker* worker, struct stats_info* s, int reset)
+{
+	int i;
+
+	s->svr = worker->stats;
+	s->mesh_num_states = worker->env.mesh->all.count;
+	s->mesh_num_reply_states = worker->env.mesh->num_reply_states;
+	s->mesh_jostled = worker->env.mesh->stats_jostled;
+	s->mesh_dropped = worker->env.mesh->stats_dropped;
+	s->mesh_replies_sent = worker->env.mesh->replies_sent;
+	s->mesh_replies_sum_wait = worker->env.mesh->replies_sum_wait;
+	s->mesh_time_median = timehist_quartile(worker->env.mesh->histogram,
+		0.50);
+
+	/* add in the values from the mesh */
+	s->svr.ans_secure += worker->env.mesh->ans_secure;
+	s->svr.ans_bogus += worker->env.mesh->ans_bogus;
+	s->svr.ans_rcode_nodata += worker->env.mesh->ans_nodata;
+	for(i=0; i<16; i++)
+		s->svr.ans_rcode[i] += worker->env.mesh->ans_rcode[i];
+	timehist_export(worker->env.mesh->histogram, s->svr.hist, 
+		NUM_BUCKETS_HIST);
+	/* values from outside network */
+	s->svr.unwanted_replies = worker->back->unwanted_replies;
+	s->svr.qtcp_outgoing = worker->back->num_tcp_outgoing;
+
+	/* get and reset validator rrset bogus number */
+	s->svr.rrset_bogus = get_rrset_bogus(worker);
+
+	/* get cache sizes */
+	s->svr.msg_cache_count = count_slabhash_entries(worker->env.msg_cache);
+	s->svr.rrset_cache_count = count_slabhash_entries(&worker->env.rrset_cache->table);
+	s->svr.infra_cache_count = count_slabhash_entries(worker->env.infra_cache->hosts);
+	if(worker->env.key_cache)
+		s->svr.key_cache_count = count_slabhash_entries(worker->env.key_cache->slab);
+	else	s->svr.key_cache_count = 0;
+
+	if(reset && !worker->env.cfg->stat_cumulative) {
+		worker_stats_clear(worker);
+	}
+}
+
+void server_stats_obtain(struct worker* worker, struct worker* who,
+	struct stats_info* s, int reset)
+{
+	uint8_t *reply = NULL;
+	uint32_t len = 0;
+	if(worker == who) {
+		/* just fill it in */
+		server_stats_compile(worker, s, reset);
+		return;
+	}
+	/* communicate over tube */
+	verbose(VERB_ALGO, "write stats cmd");
+	if(reset)
+		worker_send_cmd(who, worker_cmd_stats);
+	else 	worker_send_cmd(who, worker_cmd_stats_noreset);
+	verbose(VERB_ALGO, "wait for stats reply");
+	if(!tube_read_msg(worker->cmd, &reply, &len, 0))
+		fatal_exit("failed to read stats over cmd channel");
+	if(len != (uint32_t)sizeof(*s))
+		fatal_exit("stats on cmd channel wrong length %d %d",
+			(int)len, (int)sizeof(*s));
+	memcpy(s, reply, (size_t)len);
+	free(reply);
+}
+
+void server_stats_reply(struct worker* worker, int reset)
+{
+	struct stats_info s;
+	server_stats_compile(worker, &s, reset);
+	verbose(VERB_ALGO, "write stats replymsg");
+	if(!tube_write_msg(worker->daemon->workers[0]->cmd, 
+		(uint8_t*)&s, sizeof(s), 0))
+		fatal_exit("could not write stat values over cmd channel");
+}
+
+void server_stats_add(struct stats_info* total, struct stats_info* a)
+{
+	total->svr.num_queries += a->svr.num_queries;
+	total->svr.num_queries_missed_cache += a->svr.num_queries_missed_cache;
+	total->svr.num_queries_prefetch += a->svr.num_queries_prefetch;
+	total->svr.sum_query_list_size += a->svr.sum_query_list_size;
+	/* the max size reached is upped to higher of both */
+	if(a->svr.max_query_list_size > total->svr.max_query_list_size)
+		total->svr.max_query_list_size = a->svr.max_query_list_size;
+
+	if(a->svr.extended) {
+		int i;
+		total->svr.qtype_big += a->svr.qtype_big;
+		total->svr.qclass_big += a->svr.qclass_big;
+		total->svr.qtcp += a->svr.qtcp;
+		total->svr.qtcp_outgoing += a->svr.qtcp_outgoing;
+		total->svr.qipv6 += a->svr.qipv6;
+		total->svr.qbit_QR += a->svr.qbit_QR;
+		total->svr.qbit_AA += a->svr.qbit_AA;
+		total->svr.qbit_TC += a->svr.qbit_TC;
+		total->svr.qbit_RD += a->svr.qbit_RD;
+		total->svr.qbit_RA += a->svr.qbit_RA;
+		total->svr.qbit_Z += a->svr.qbit_Z;
+		total->svr.qbit_AD += a->svr.qbit_AD;
+		total->svr.qbit_CD += a->svr.qbit_CD;
+		total->svr.qEDNS += a->svr.qEDNS;
+		total->svr.qEDNS_DO += a->svr.qEDNS_DO;
+		total->svr.ans_rcode_nodata += a->svr.ans_rcode_nodata;
+		total->svr.ans_secure += a->svr.ans_secure;
+		total->svr.ans_bogus += a->svr.ans_bogus;
+		total->svr.rrset_bogus += a->svr.rrset_bogus;
+		total->svr.unwanted_replies += a->svr.unwanted_replies;
+		total->svr.unwanted_queries += a->svr.unwanted_queries;
+		for(i=0; i<STATS_QTYPE_NUM; i++)
+			total->svr.qtype[i] += a->svr.qtype[i];
+		for(i=0; i<STATS_QCLASS_NUM; i++)
+			total->svr.qclass[i] += a->svr.qclass[i];
+		for(i=0; i<STATS_OPCODE_NUM; i++)
+			total->svr.qopcode[i] += a->svr.qopcode[i];
+		for(i=0; i<STATS_RCODE_NUM; i++)
+			total->svr.ans_rcode[i] += a->svr.ans_rcode[i];
+		for(i=0; i<NUM_BUCKETS_HIST; i++)
+			total->svr.hist[i] += a->svr.hist[i];
+	}
+
+	total->mesh_num_states += a->mesh_num_states;
+	total->mesh_num_reply_states += a->mesh_num_reply_states;
+	total->mesh_jostled += a->mesh_jostled;
+	total->mesh_dropped += a->mesh_dropped;
+	total->mesh_replies_sent += a->mesh_replies_sent;
+	timeval_add(&total->mesh_replies_sum_wait, &a->mesh_replies_sum_wait);
+	/* the medians are averaged together, this is not as accurate as
+	 * taking the median over all of the data, but is good and fast
+	 * added up here, division later*/
+	total->mesh_time_median += a->mesh_time_median;
+}
+
+void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
+	uint16_t qtype, uint16_t qclass, struct edns_data* edns,
+	struct comm_reply* repinfo)
+{
+	uint16_t flags = sldns_buffer_read_u16_at(c->buffer, 2);
+	if(qtype < STATS_QTYPE_NUM)
+		stats->qtype[qtype]++;
+	else	stats->qtype_big++;
+	if(qclass < STATS_QCLASS_NUM)
+		stats->qclass[qclass]++;
+	else	stats->qclass_big++;
+	stats->qopcode[ LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) ]++;
+	if(c->type != comm_udp)
+		stats->qtcp++;
+	if(repinfo && addr_is_ip6(&repinfo->addr, repinfo->addrlen))
+		stats->qipv6++;
+	if( (flags&BIT_QR) )
+		stats->qbit_QR++;
+	if( (flags&BIT_AA) )
+		stats->qbit_AA++;
+	if( (flags&BIT_TC) )
+		stats->qbit_TC++;
+	if( (flags&BIT_RD) )
+		stats->qbit_RD++;
+	if( (flags&BIT_RA) )
+		stats->qbit_RA++;
+	if( (flags&BIT_Z) )
+		stats->qbit_Z++;
+	if( (flags&BIT_AD) )
+		stats->qbit_AD++;
+	if( (flags&BIT_CD) )
+		stats->qbit_CD++;
+	if(edns->edns_present) {
+		stats->qEDNS++;
+		if( (edns->bits & EDNS_DO) )
+			stats->qEDNS_DO++;
+	}
+}
+
+void server_stats_insrcode(struct server_stats* stats, sldns_buffer* buf)
+{
+	if(stats->extended && sldns_buffer_limit(buf) != 0) {
+		int r = (int)LDNS_RCODE_WIRE( sldns_buffer_begin(buf) );
+		stats->ans_rcode[r] ++;
+		if(r == 0 && LDNS_ANCOUNT( sldns_buffer_begin(buf) ) == 0)
+			stats->ans_rcode_nodata ++;
+	}
+}
diff --git a/external/unbound/daemon/stats.h b/external/unbound/daemon/stats.h
new file mode 100644
index 000000000..5ea00a0da
--- /dev/null
+++ b/external/unbound/daemon/stats.h
@@ -0,0 +1,246 @@
+/*
+ * daemon/stats.h - collect runtime performance indicators.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file describes the data structure used to collect runtime performance
+ * numbers. These 'statistics' may be of interest to the operator.
+ */
+
+#ifndef DAEMON_STATS_H
+#define DAEMON_STATS_H
+#include "util/timehist.h"
+struct worker;
+struct config_file;
+struct comm_point;
+struct comm_reply;
+struct edns_data;
+struct sldns_buffer;
+
+/** number of qtype that is stored for in array */
+#define STATS_QTYPE_NUM 256
+/** number of qclass that is stored for in array */
+#define STATS_QCLASS_NUM 256
+/** number of rcodes in stats */
+#define STATS_RCODE_NUM 16
+/** number of opcodes in stats */
+#define STATS_OPCODE_NUM 16
+
+/** per worker statistics */
+struct server_stats {
+	/** number of queries from clients received. */
+	size_t num_queries;
+	/** number of queries that had a cache-miss. */
+	size_t num_queries_missed_cache;
+	/** number of prefetch queries - cachehits with prefetch */
+	size_t num_queries_prefetch;
+
+	/**
+	 * Sum of the querylistsize of the worker for 
+	 * every query that missed cache. To calculate average.
+	 */
+	size_t sum_query_list_size;
+	/** max value of query list size reached. */
+	size_t max_query_list_size;
+
+	/** Extended stats below (bool) */
+	int extended;
+
+	/** qtype stats */
+	size_t qtype[STATS_QTYPE_NUM];
+	/** bigger qtype values not in array */
+	size_t qtype_big;
+	/** qclass stats */
+	size_t qclass[STATS_QCLASS_NUM];
+	/** bigger qclass values not in array */
+	size_t qclass_big;
+	/** query opcodes */
+	size_t qopcode[STATS_OPCODE_NUM];
+	/** number of queries over TCP */
+	size_t qtcp;
+	/** number of outgoing queries over TCP */
+	size_t qtcp_outgoing;
+	/** number of queries over IPv6 */
+	size_t qipv6;
+	/** number of queries with QR bit */
+	size_t qbit_QR;
+	/** number of queries with AA bit */
+	size_t qbit_AA;
+	/** number of queries with TC bit */
+	size_t qbit_TC;
+	/** number of queries with RD bit */
+	size_t qbit_RD;
+	/** number of queries with RA bit */
+	size_t qbit_RA;
+	/** number of queries with Z bit */
+	size_t qbit_Z;
+	/** number of queries with AD bit */
+	size_t qbit_AD;
+	/** number of queries with CD bit */
+	size_t qbit_CD;
+	/** number of queries with EDNS OPT record */
+	size_t qEDNS;
+	/** number of queries with EDNS with DO flag */
+	size_t qEDNS_DO;
+	/** answer rcodes */
+	size_t ans_rcode[STATS_RCODE_NUM];
+	/** answers with pseudo rcode 'nodata' */
+	size_t ans_rcode_nodata;
+	/** answers that were secure (AD) */
+	size_t ans_secure;
+	/** answers that were bogus (withheld as SERVFAIL) */
+	size_t ans_bogus;
+	/** rrsets marked bogus by validator */
+	size_t rrset_bogus;
+	/** unwanted traffic received on server-facing ports */
+	size_t unwanted_replies;
+	/** unwanted traffic received on client-facing ports */
+	size_t unwanted_queries;
+
+	/** histogram data exported to array 
+	 * if the array is the same size, no data is lost, and
+	 * if all histograms are same size (is so by default) then
+	 * adding up works well. */
+	size_t hist[NUM_BUCKETS_HIST];
+	
+	/** number of message cache entries */
+	size_t msg_cache_count;
+	/** number of rrset cache entries */
+	size_t rrset_cache_count;
+	/** number of infra cache entries */
+	size_t infra_cache_count;
+	/** number of key cache entries */
+	size_t key_cache_count;
+};
+
+/** 
+ * Statistics to send over the control pipe when asked
+ * This struct is made to be memcpied, sent in binary.
+ */
+struct stats_info {
+	/** the thread stats */
+	struct server_stats svr;
+
+	/** mesh stats: current number of states */
+	size_t mesh_num_states;
+	/** mesh stats: current number of reply (user) states */
+	size_t mesh_num_reply_states;
+	/** mesh stats: number of reply states overwritten with a new one */
+	size_t mesh_jostled;
+	/** mesh stats: number of incoming queries dropped */
+	size_t mesh_dropped;
+	/** mesh stats: replies sent */
+	size_t mesh_replies_sent;
+	/** mesh stats: sum of waiting times for the replies */
+	struct timeval mesh_replies_sum_wait;
+	/** mesh stats: median of waiting times for replies (in sec) */
+	double mesh_time_median;
+};
+
+/** 
+ * Initialize server stats to 0.
+ * @param stats: what to init (this is alloced by the caller).
+ * @param cfg: with extended statistics option.
+ */
+void server_stats_init(struct server_stats* stats, struct config_file* cfg);
+
+/** add query if it missed the cache */
+void server_stats_querymiss(struct server_stats* stats, struct worker* worker);
+
+/** add query if was cached and also resulted in a prefetch */
+void server_stats_prefetch(struct server_stats* stats, struct worker* worker);
+
+/** display the stats to the log */
+void server_stats_log(struct server_stats* stats, struct worker* worker,
+	int threadnum);
+
+/**
+ * Obtain the stats info for a given thread. Uses pipe to communicate.
+ * @param worker: the worker that is executing (the first worker).
+ * @param who: on who to get the statistics info.
+ * @param s: the stats block to fill in.
+ * @param reset: if stats can be reset.
+ */
+void server_stats_obtain(struct worker* worker, struct worker* who,
+	struct stats_info* s, int reset);
+
+/**
+ * Compile stats into structure for this thread worker.
+ * Also clears the statistics counters (if that is set by config file).
+ * @param worker: the worker to compile stats for, also the executing worker.
+ * @param s: stats block.
+ * @param reset: if true, depending on config stats are reset.
+ * 	if false, statistics are not reset.
+ */
+void server_stats_compile(struct worker* worker, struct stats_info* s, 
+	int reset);
+
+/**
+ * Send stats over comm tube in reply to query cmd
+ * @param worker: this worker.
+ * @param reset: if true, depending on config stats are reset.
+ * 	if false, statistics are not reset.
+ */
+void server_stats_reply(struct worker* worker, int reset);
+
+/**
+ * Addup stat blocks.
+ * @param total: sum of the two entries.
+ * @param a: to add to it.
+ */
+void server_stats_add(struct stats_info* total, struct stats_info* a);
+
+/**
+ * Add stats for this query
+ * @param stats: the stats
+ * @param c: commpoint with type and buffer.
+ * @param qtype: query type
+ * @param qclass: query class
+ * @param edns: edns record
+ * @param repinfo: reply info with remote address
+ */
+void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
+	uint16_t qtype, uint16_t qclass, struct edns_data* edns, 
+	struct comm_reply* repinfo);
+
+/**
+ * Add rcode for this query.
+ * @param stats: the stats
+ * @param buf: buffer with rcode. If buffer is length0: not counted.
+ */
+void server_stats_insrcode(struct server_stats* stats, struct sldns_buffer* buf);
+
+#endif /* DAEMON_STATS_H */
diff --git a/external/unbound/daemon/unbound.c b/external/unbound/daemon/unbound.c
new file mode 100644
index 000000000..a53fe954d
--- /dev/null
+++ b/external/unbound/daemon/unbound.c
@@ -0,0 +1,780 @@
+/*
+ * daemon/unbound.c - main program for unbound DNS resolver daemon.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/**
+ * \file
+ *
+ * Main program to start the DNS resolver daemon.
+ */
+
+#include "config.h"
+#ifdef HAVE_GETOPT_H
+#include <getopt.h>
+#endif
+#include <sys/time.h>
+#include "util/log.h"
+#include "daemon/daemon.h"
+#include "daemon/remote.h"
+#include "util/config_file.h"
+#include "util/storage/slabhash.h"
+#include "services/listen_dnsport.h"
+#include "services/cache/rrset.h"
+#include "services/cache/infra.h"
+#include "util/fptr_wlist.h"
+#include "util/data/msgreply.h"
+#include "util/module.h"
+#include "util/net_help.h"
+#include <signal.h>
+#include <fcntl.h>
+#include <openssl/crypto.h>
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+
+#ifndef S_SPLINT_S
+/* splint chokes on this system header file */
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#endif /* S_SPLINT_S */
+#ifdef HAVE_LOGIN_CAP_H
+#include <login_cap.h>
+#endif
+
+#ifdef USE_MINI_EVENT
+#  ifdef USE_WINSOCK
+#    include "util/winsock_event.h"
+#  else
+#    include "util/mini_event.h"
+#  endif
+#else
+#  ifdef HAVE_EVENT_H
+#    include <event.h>
+#  else
+#    include "event2/event.h"
+#    include "event2/event_struct.h"
+#    include "event2/event_compat.h"
+#  endif
+#endif
+
+#ifdef UB_ON_WINDOWS
+#  include "winrc/win_svc.h"
+#endif
+
+#ifdef HAVE_NSS
+/* nss3 */
+#  include "nss.h"
+#endif
+
+#ifdef HAVE_SBRK
+/** global debug value to keep track of heap memory allocation */
+void* unbound_start_brk = 0;
+#endif
+
+#if !defined(HAVE_EVENT_BASE_GET_METHOD) && (defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP))
+static const char* ev_backend2str(int b)
+{
+	switch(b) {
+	case EVBACKEND_SELECT:	return "select";
+	case EVBACKEND_POLL:	return "poll";
+	case EVBACKEND_EPOLL:	return "epoll";
+	case EVBACKEND_KQUEUE:	return "kqueue";
+	case EVBACKEND_DEVPOLL: return "devpoll";
+	case EVBACKEND_PORT:	return "evport";
+	}
+	return "unknown";
+}
+#endif
+
+/** get the event system in use */
+static void get_event_sys(const char** n, const char** s, const char** m)
+{
+#ifdef USE_WINSOCK
+	*n = "event";
+	*s = "winsock";
+	*m = "WSAWaitForMultipleEvents";
+#elif defined(USE_MINI_EVENT)
+	*n = "mini-event";
+	*s = "internal";
+	*m = "select";
+#else
+	struct event_base* b;
+	*s = event_get_version();
+#  ifdef HAVE_EVENT_BASE_GET_METHOD
+	*n = "libevent";
+	b = event_base_new();
+	*m = event_base_get_method(b);
+#  elif defined(HAVE_EV_LOOP) || defined(HAVE_EV_DEFAULT_LOOP)
+	*n = "libev";
+	b = (struct event_base*)ev_default_loop(EVFLAG_AUTO);
+	*m = ev_backend2str(ev_backend((struct ev_loop*)b));
+#  else
+	*n = "unknown";
+	*m = "not obtainable";
+	b = NULL;
+#  endif
+#  ifdef HAVE_EVENT_BASE_FREE
+	event_base_free(b);
+#  endif
+#endif
+}
+
+/** print usage. */
+static void usage()
+{
+	const char** m;
+	const char *evnm="event", *evsys="", *evmethod="";
+	printf("usage:  unbound [options]\n");
+	printf("	start unbound daemon DNS resolver.\n");
+	printf("-h	this help\n");
+	printf("-c file	config file to read instead of %s\n", CONFIGFILE);
+	printf("	file format is described in unbound.conf(5).\n");
+	printf("-d	do not fork into the background.\n");
+	printf("-v	verbose (more times to increase verbosity)\n");
+#ifdef UB_ON_WINDOWS
+	printf("-w opt	windows option: \n");
+	printf("   	install, remove - manage the services entry\n");
+	printf("   	service - used to start from services control panel\n");
+#endif
+	printf("Version %s\n", PACKAGE_VERSION);
+	get_event_sys(&evnm, &evsys, &evmethod);
+	printf("linked libs: %s %s (it uses %s), %s\n", 
+		evnm, evsys, evmethod,
+#ifdef HAVE_SSL
+		SSLeay_version(SSLEAY_VERSION)
+#elif defined(HAVE_NSS)
+		NSS_GetVersion()
+#endif
+		);
+	printf("linked modules:");
+	for(m = module_list_avail(); *m; m++)
+		printf(" %s", *m);
+	printf("\n");
+	printf("BSD licensed, see LICENSE in source package for details.\n");
+	printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
+}
+
+#ifndef unbound_testbound
+int replay_var_compare(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))
+{
+        log_assert(0);
+        return 0;
+}
+#endif
+
+/** check file descriptor count */
+static void
+checkrlimits(struct config_file* cfg)
+{
+#ifndef S_SPLINT_S
+#ifdef HAVE_GETRLIMIT
+	/* list has number of ports to listen to, ifs number addresses */
+	int list = ((cfg->do_udp?1:0) + (cfg->do_tcp?1 + 
+			(int)cfg->incoming_num_tcp:0));
+	size_t listen_ifs = (size_t)(cfg->num_ifs==0?
+		((cfg->do_ip4 && !cfg->if_automatic?1:0) + 
+		 (cfg->do_ip6?1:0)):cfg->num_ifs);
+	size_t listen_num = list*listen_ifs;
+	size_t outudpnum = (size_t)cfg->outgoing_num_ports;
+	size_t outtcpnum = cfg->outgoing_num_tcp;
+	size_t misc = 4; /* logfile, pidfile, stdout... */
+	size_t perthread_noudp = listen_num + outtcpnum + 
+		2/*cmdpipe*/ + 2/*libevent*/ + misc; 
+	size_t perthread = perthread_noudp + outudpnum;
+
+#if !defined(HAVE_PTHREAD) && !defined(HAVE_SOLARIS_THREADS)
+	int numthread = 1; /* it forks */
+#else
+	int numthread = (cfg->num_threads?cfg->num_threads:1);
+#endif
+	size_t total = numthread * perthread + misc;
+	size_t avail;
+	struct rlimit rlim;
+
+	if(total > 1024 && 
+		strncmp(event_get_version(), "mini-event", 10) == 0) {
+		log_warn("too many file descriptors requested. The builtin"
+			"mini-event cannot handle more than 1024. Config "
+			"for less fds or compile with libevent");
+		if(numthread*perthread_noudp+15 > 1024)
+			fatal_exit("too much tcp. not enough fds.");
+		cfg->outgoing_num_ports = (int)((1024 
+			- numthread*perthread_noudp 
+			- 10 /* safety margin */) /numthread);
+		log_warn("continuing with less udp ports: %u",
+			cfg->outgoing_num_ports);
+		total = 1024;
+	}
+	if(perthread > 64 && 
+		strncmp(event_get_version(), "winsock-event", 13) == 0) {
+		log_err("too many file descriptors requested. The winsock"
+			" event handler cannot handle more than 64 per "
+			" thread. Config for less fds");
+		if(perthread_noudp+2 > 64)
+			fatal_exit("too much tcp. not enough fds.");
+		cfg->outgoing_num_ports = (int)((64 
+			- perthread_noudp 
+			- 2/* safety margin */));
+		log_warn("continuing with less udp ports: %u",
+			cfg->outgoing_num_ports);
+		total = numthread*(perthread_noudp+
+			(size_t)cfg->outgoing_num_ports)+misc;
+	}
+	if(getrlimit(RLIMIT_NOFILE, &rlim) < 0) {
+		log_warn("getrlimit: %s", strerror(errno));
+		return;
+	}
+	if(rlim.rlim_cur == (rlim_t)RLIM_INFINITY)
+		return;
+	if((size_t)rlim.rlim_cur < total) {
+		avail = (size_t)rlim.rlim_cur;
+		rlim.rlim_cur = (rlim_t)(total + 10);
+		rlim.rlim_max = (rlim_t)(total + 10);
+#ifdef HAVE_SETRLIMIT
+		if(setrlimit(RLIMIT_NOFILE, &rlim) < 0) {
+			log_warn("setrlimit: %s", strerror(errno));
+#endif
+			log_warn("cannot increase max open fds from %u to %u",
+				(unsigned)avail, (unsigned)total+10);
+			/* check that calculation below does not underflow,
+			 * with 15 as margin */
+			if(numthread*perthread_noudp+15 > avail)
+				fatal_exit("too much tcp. not enough fds.");
+			cfg->outgoing_num_ports = (int)((avail 
+				- numthread*perthread_noudp 
+				- 10 /* safety margin */) /numthread);
+			log_warn("continuing with less udp ports: %u",
+				cfg->outgoing_num_ports);
+			log_warn("increase ulimit or decrease threads, "
+				"ports in config to remove this warning");
+			return;
+#ifdef HAVE_SETRLIMIT
+		}
+#endif
+		log_warn("increased limit(open files) from %u to %u",
+			(unsigned)avail, (unsigned)total+10);
+	}
+#else	
+	(void)cfg;
+#endif /* HAVE_GETRLIMIT */
+#endif /* S_SPLINT_S */
+}
+
+/** set verbosity, check rlimits, cache settings */
+static void
+apply_settings(struct daemon* daemon, struct config_file* cfg, 
+	int cmdline_verbose, int debug_mode)
+{
+	/* apply if they have changed */
+	verbosity = cmdline_verbose + cfg->verbosity;
+	if (debug_mode > 1) {
+		cfg->use_syslog = 0;
+		cfg->logfile = NULL;
+	}
+	daemon_apply_cfg(daemon, cfg);
+	checkrlimits(cfg);
+}
+
+#ifdef HAVE_KILL
+/** Read existing pid from pidfile. 
+ * @param file: file name of pid file.
+ * @return: the pid from the file or -1 if none.
+ */
+static pid_t
+readpid (const char* file)
+{
+	int fd;
+	pid_t pid;
+	char pidbuf[32];
+	char* t;
+	ssize_t l;
+
+	if ((fd = open(file, O_RDONLY)) == -1) {
+		if(errno != ENOENT)
+			log_err("Could not read pidfile %s: %s",
+				file, strerror(errno));
+		return -1;
+	}
+
+	if (((l = read(fd, pidbuf, sizeof(pidbuf)))) == -1) {
+		if(errno != ENOENT)
+			log_err("Could not read pidfile %s: %s",
+				file, strerror(errno));
+		close(fd);
+		return -1;
+	}
+
+	close(fd);
+
+	/* Empty pidfile means no pidfile... */
+	if (l == 0) {
+		return -1;
+	}
+
+	pidbuf[sizeof(pidbuf)-1] = 0;
+	pid = (pid_t)strtol(pidbuf, &t, 10);
+	
+	if (*t && *t != '\n') {
+		return -1;
+	}
+	return pid;
+}
+
+/** write pid to file. 
+ * @param pidfile: file name of pid file.
+ * @param pid: pid to write to file.
+ */
+static void
+writepid (const char* pidfile, pid_t pid)
+{
+	FILE* f;
+
+	if ((f = fopen(pidfile, "w")) ==  NULL ) {
+		log_err("cannot open pidfile %s: %s", 
+			pidfile, strerror(errno));
+		return;
+	}
+	if(fprintf(f, "%lu\n", (unsigned long)pid) < 0) {
+		log_err("cannot write to pidfile %s: %s", 
+			pidfile, strerror(errno));
+	}
+	fclose(f);
+}
+
+/**
+ * check old pid file.
+ * @param pidfile: the file name of the pid file.
+ * @param inchroot: if pidfile is inchroot and we can thus expect to
+ *	be able to delete it.
+ */
+static void
+checkoldpid(char* pidfile, int inchroot)
+{
+	pid_t old;
+	if((old = readpid(pidfile)) != -1) {
+		/* see if it is still alive */
+		if(kill(old, 0) == 0 || errno == EPERM)
+			log_warn("unbound is already running as pid %u.", 
+				(unsigned)old);
+		else	if(inchroot)
+			log_warn("did not exit gracefully last time (%u)", 
+				(unsigned)old);
+	}
+}
+#endif /* HAVE_KILL */
+
+/** detach from command line */
+static void
+detach(void)
+{
+#if defined(HAVE_DAEMON) && !defined(DEPRECATED_DAEMON)
+	/* use POSIX daemon(3) function */
+	if(daemon(1, 0) != 0)
+		fatal_exit("daemon failed: %s", strerror(errno));
+#else /* no HAVE_DAEMON */
+#ifdef HAVE_FORK
+	int fd;
+	/* Take off... */
+	switch (fork()) {
+		case 0:
+			break;
+		case -1:
+			fatal_exit("fork failed: %s", strerror(errno));
+		default:
+			/* exit interactive session */
+			exit(0);
+	}
+	/* detach */
+#ifdef HAVE_SETSID
+	if(setsid() == -1)
+		fatal_exit("setsid() failed: %s", strerror(errno));
+#endif
+	if ((fd = open("/dev/null", O_RDWR, 0)) != -1) {
+		(void)dup2(fd, STDIN_FILENO);
+		(void)dup2(fd, STDOUT_FILENO);
+		(void)dup2(fd, STDERR_FILENO);
+		if (fd > 2)
+			(void)close(fd);
+	}
+#endif /* HAVE_FORK */
+#endif /* HAVE_DAEMON */
+}
+
+/** daemonize, drop user priviliges and chroot if needed */
+static void
+perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
+	const char** cfgfile)
+{
+#ifdef HAVE_GETPWNAM
+	struct passwd *pwd = NULL;
+	uid_t uid;
+	gid_t gid;
+	/* initialize, but not to 0 (root) */
+	memset(&uid, 112, sizeof(uid));
+	memset(&gid, 112, sizeof(gid));
+	log_assert(cfg);
+
+	if(cfg->username && cfg->username[0]) {
+		if((pwd = getpwnam(cfg->username)) == NULL)
+			fatal_exit("user '%s' does not exist.", cfg->username);
+		uid = pwd->pw_uid;
+		gid = pwd->pw_gid;
+		/* endpwent below, in case we need pwd for setusercontext */
+	}
+#endif
+
+	/* init syslog (as root) if needed, before daemonize, otherwise
+	 * a fork error could not be printed since daemonize closed stderr.*/
+	if(cfg->use_syslog) {
+		log_init(cfg->logfile, cfg->use_syslog, cfg->chrootdir);
+	}
+	/* if using a logfile, we cannot open it because the logfile would
+	 * be created with the wrong permissions, we cannot chown it because
+	 * we cannot chown system logfiles, so we do not open at all.
+	 * So, using a logfile, the user does not see errors unless -d is
+	 * given to unbound on the commandline. */
+
+	/* read ssl keys while superuser and outside chroot */
+#ifdef HAVE_SSL
+	if(!(daemon->rc = daemon_remote_create(cfg)))
+		fatal_exit("could not set up remote-control");
+	if(cfg->ssl_service_key && cfg->ssl_service_key[0]) {
+		if(!(daemon->listen_sslctx = listen_sslctx_create(
+			cfg->ssl_service_key, cfg->ssl_service_pem, NULL)))
+			fatal_exit("could not set up listen SSL_CTX");
+	}
+	if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL, NULL)))
+		fatal_exit("could not set up connect SSL_CTX");
+#endif
+
+#ifdef HAVE_KILL
+	/* check old pid file before forking */
+	if(cfg->pidfile && cfg->pidfile[0]) {
+		/* calculate position of pidfile */
+		if(cfg->pidfile[0] == '/')
+			daemon->pidfile = strdup(cfg->pidfile);
+		else	daemon->pidfile = fname_after_chroot(cfg->pidfile, 
+				cfg, 1);
+		if(!daemon->pidfile)
+			fatal_exit("pidfile alloc: out of memory");
+		checkoldpid(daemon->pidfile,
+			/* true if pidfile is inside chrootdir, or nochroot */
+			!(cfg->chrootdir && cfg->chrootdir[0]) ||
+			(cfg->chrootdir && cfg->chrootdir[0] &&
+			strncmp(daemon->pidfile, cfg->chrootdir,
+				strlen(cfg->chrootdir))==0));
+	}
+#endif
+
+	/* daemonize because pid is needed by the writepid func */
+	if(!debug_mode && cfg->do_daemonize) {
+		detach();
+	}
+
+	/* write new pidfile (while still root, so can be outside chroot) */
+#ifdef HAVE_KILL
+	if(cfg->pidfile && cfg->pidfile[0]) {
+		writepid(daemon->pidfile, getpid());
+		if(!(cfg->chrootdir && cfg->chrootdir[0]) || 
+			(cfg->chrootdir && cfg->chrootdir[0] && 
+			strncmp(daemon->pidfile, cfg->chrootdir, 
+			strlen(cfg->chrootdir))==0)) {
+			/* delete of pidfile could potentially work,
+			 * chown to get permissions */
+			if(cfg->username && cfg->username[0]) {
+			  if(chown(daemon->pidfile, uid, gid) == -1) {
+				log_err("cannot chown %u.%u %s: %s",
+					(unsigned)uid, (unsigned)gid,
+					daemon->pidfile, strerror(errno));
+			  }
+			}
+		}
+	}
+#else
+	(void)daemon;
+#endif
+
+	/* Set user context */
+#ifdef HAVE_GETPWNAM
+	if(cfg->username && cfg->username[0]) {
+#ifdef HAVE_SETUSERCONTEXT
+		/* setusercontext does initgroups, setuid, setgid, and
+		 * also resource limits from login config, but we
+		 * still call setresuid, setresgid to be sure to set all uid*/
+		if(setusercontext(NULL, pwd, uid, (unsigned)
+			LOGIN_SETALL & ~LOGIN_SETUSER & ~LOGIN_SETGROUP) != 0)
+			log_warn("unable to setusercontext %s: %s",
+				cfg->username, strerror(errno));
+#endif /* HAVE_SETUSERCONTEXT */
+	}
+#endif /* HAVE_GETPWNAM */
+
+	/* box into the chroot */
+#ifdef HAVE_CHROOT
+	if(cfg->chrootdir && cfg->chrootdir[0]) {
+		if(chdir(cfg->chrootdir)) {
+			fatal_exit("unable to chdir to chroot %s: %s",
+				cfg->chrootdir, strerror(errno));
+		}
+		verbose(VERB_QUERY, "chdir to %s", cfg->chrootdir);
+		if(chroot(cfg->chrootdir))
+			fatal_exit("unable to chroot to %s: %s", 
+				cfg->chrootdir, strerror(errno));
+		if(chdir("/"))
+			fatal_exit("unable to chdir to / in chroot %s: %s",
+				cfg->chrootdir, strerror(errno));
+		verbose(VERB_QUERY, "chroot to %s", cfg->chrootdir);
+		if(strncmp(*cfgfile, cfg->chrootdir, 
+			strlen(cfg->chrootdir)) == 0) 
+			(*cfgfile) += strlen(cfg->chrootdir);
+
+		/* adjust stored pidfile for chroot */
+		if(daemon->pidfile && daemon->pidfile[0] && 
+			strncmp(daemon->pidfile, cfg->chrootdir,
+			strlen(cfg->chrootdir))==0) {
+			char* old = daemon->pidfile;
+			daemon->pidfile = strdup(old+strlen(cfg->chrootdir));
+			free(old);
+			if(!daemon->pidfile)
+				log_err("out of memory in pidfile adjust");
+		}
+		daemon->chroot = strdup(cfg->chrootdir);
+		if(!daemon->chroot)
+			log_err("out of memory in daemon chroot dir storage");
+	}
+#else
+	(void)cfgfile;
+#endif
+	/* change to working directory inside chroot */
+	if(cfg->directory && cfg->directory[0]) {
+		char* dir = cfg->directory;
+		if(cfg->chrootdir && cfg->chrootdir[0] &&
+			strncmp(dir, cfg->chrootdir, 
+			strlen(cfg->chrootdir)) == 0)
+			dir += strlen(cfg->chrootdir);
+		if(dir[0]) {
+			if(chdir(dir)) {
+				fatal_exit("Could not chdir to %s: %s",
+					dir, strerror(errno));
+			}
+			verbose(VERB_QUERY, "chdir to %s", dir);
+		}
+	}
+
+	/* drop permissions after chroot, getpwnam, pidfile, syslog done*/
+#ifdef HAVE_GETPWNAM
+	if(cfg->username && cfg->username[0]) {
+#  ifdef HAVE_INITGROUPS
+		if(initgroups(cfg->username, gid) != 0)
+			log_warn("unable to initgroups %s: %s",
+				cfg->username, strerror(errno));
+#  endif /* HAVE_INITGROUPS */
+		endpwent();
+
+#ifdef HAVE_SETRESGID
+		if(setresgid(gid,gid,gid) != 0)
+#elif defined(HAVE_SETREGID) && !defined(DARWIN_BROKEN_SETREUID)
+		if(setregid(gid,gid) != 0)
+#else /* use setgid */
+		if(setgid(gid) != 0)
+#endif /* HAVE_SETRESGID */
+			fatal_exit("unable to set group id of %s: %s", 
+				cfg->username, strerror(errno));
+#ifdef HAVE_SETRESUID
+		if(setresuid(uid,uid,uid) != 0)
+#elif defined(HAVE_SETREUID) && !defined(DARWIN_BROKEN_SETREUID)
+		if(setreuid(uid,uid) != 0)
+#else /* use setuid */
+		if(setuid(uid) != 0)
+#endif /* HAVE_SETRESUID */
+			fatal_exit("unable to set user id of %s: %s", 
+				cfg->username, strerror(errno));
+		verbose(VERB_QUERY, "drop user privileges, run as %s", 
+			cfg->username);
+	}
+#endif /* HAVE_GETPWNAM */
+	/* file logging inited after chroot,chdir,setuid is done so that 
+	 * it would succeed on SIGHUP as well */
+	if(!cfg->use_syslog)
+		log_init(cfg->logfile, cfg->use_syslog, cfg->chrootdir);
+}
+
+/**
+ * Run the daemon. 
+ * @param cfgfile: the config file name.
+ * @param cmdline_verbose: verbosity resulting from commandline -v.
+ *    These increase verbosity as specified in the config file.
+ * @param debug_mode: if set, do not daemonize.
+ */
+static void 
+run_daemon(const char* cfgfile, int cmdline_verbose, int debug_mode)
+{
+	struct config_file* cfg = NULL;
+	struct daemon* daemon = NULL;
+	int done_setup = 0;
+
+	if(!(daemon = daemon_init()))
+		fatal_exit("alloc failure");
+	while(!daemon->need_to_exit) {
+		if(done_setup)
+			verbose(VERB_OPS, "Restart of %s.", PACKAGE_STRING);
+		else	verbose(VERB_OPS, "Start of %s.", PACKAGE_STRING);
+
+		/* config stuff */
+		if(!(cfg = config_create()))
+			fatal_exit("Could not alloc config defaults");
+		if(!config_read(cfg, cfgfile, daemon->chroot)) {
+			if(errno != ENOENT)
+				fatal_exit("Could not read config file: %s",
+					cfgfile);
+			log_warn("Continuing with default config settings");
+		}
+		apply_settings(daemon, cfg, cmdline_verbose, debug_mode);
+	
+		/* prepare */
+		if(!daemon_open_shared_ports(daemon))
+			fatal_exit("could not open ports");
+		if(!done_setup) { 
+			perform_setup(daemon, cfg, debug_mode, &cfgfile); 
+			done_setup = 1; 
+		} else {
+			/* reopen log after HUP to facilitate log rotation */
+			if(!cfg->use_syslog)
+				log_init(cfg->logfile, 0, cfg->chrootdir);
+		}
+		/* work */
+		daemon_fork(daemon);
+
+		/* clean up for restart */
+		verbose(VERB_ALGO, "cleanup.");
+		daemon_cleanup(daemon);
+		config_delete(cfg);
+	}
+	verbose(VERB_ALGO, "Exit cleanup.");
+	/* this unlink may not work if the pidfile is located outside
+	 * of the chroot/workdir or we no longer have permissions */
+	if(daemon->pidfile) {
+		int fd;
+		/* truncate pidfile */
+		fd = open(daemon->pidfile, O_WRONLY | O_TRUNC, 0644);
+		if(fd != -1)
+			close(fd);
+		/* delete pidfile */
+		unlink(daemon->pidfile);
+	}
+	daemon_delete(daemon);
+}
+
+/** getopt global, in case header files fail to declare it. */
+extern int optind;
+/** getopt global, in case header files fail to declare it. */
+extern char* optarg;
+
+/**
+ * main program. Set options given commandline arguments.
+ * @param argc: number of commandline arguments.
+ * @param argv: array of commandline arguments.
+ * @return: exit status of the program.
+ */
+int 
+main(int argc, char* argv[])
+{
+	int c;
+	const char* cfgfile = CONFIGFILE;
+	const char* winopt = NULL;
+	int cmdline_verbose = 0;
+	int debug_mode = 0;
+#ifdef UB_ON_WINDOWS
+	int cmdline_cfg = 0;
+#endif
+
+#ifdef HAVE_SBRK
+	/* take debug snapshot of heap */
+	unbound_start_brk = sbrk(0);
+#endif
+
+	log_init(NULL, 0, NULL);
+	log_ident_set(strrchr(argv[0],'/')?strrchr(argv[0],'/')+1:argv[0]);
+	/* parse the options */
+	while( (c=getopt(argc, argv, "c:dhvw:")) != -1) {
+		switch(c) {
+		case 'c':
+			cfgfile = optarg;
+#ifdef UB_ON_WINDOWS
+			cmdline_cfg = 1;
+#endif
+			break;
+		case 'v':
+			cmdline_verbose ++;
+			verbosity++;
+			break;
+		case 'd':
+			debug_mode++;
+			break;
+		case 'w':
+			winopt = optarg;
+			break;
+		case '?':
+		case 'h':
+		default:
+			usage();
+			return 1;
+		}
+	}
+	argc -= optind;
+	argv += optind;
+
+	if(winopt) {
+#ifdef UB_ON_WINDOWS
+		wsvc_command_option(winopt, cfgfile, cmdline_verbose, 
+			cmdline_cfg);
+#else
+		fatal_exit("option not supported");
+#endif
+	}
+
+	if(argc != 0) {
+		usage();
+		return 1;
+	}
+
+	run_daemon(cfgfile, cmdline_verbose, debug_mode);
+	log_init(NULL, 0, NULL); /* close logfile */
+	return 0;
+}
diff --git a/external/unbound/daemon/worker.c b/external/unbound/daemon/worker.c
new file mode 100644
index 000000000..f90676213
--- /dev/null
+++ b/external/unbound/daemon/worker.c
@@ -0,0 +1,1452 @@
+/*
+ * daemon/worker.c - worker that handles a pending list of requests.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file implements the worker that handles callbacks on events, for
+ * pending requests.
+ */
+#include "config.h"
+#include "util/log.h"
+#include "util/net_help.h"
+#include "util/random.h"
+#include "daemon/worker.h"
+#include "daemon/daemon.h"
+#include "daemon/remote.h"
+#include "daemon/acl_list.h"
+#include "util/netevent.h"
+#include "util/config_file.h"
+#include "util/module.h"
+#include "util/regional.h"
+#include "util/storage/slabhash.h"
+#include "services/listen_dnsport.h"
+#include "services/outside_network.h"
+#include "services/outbound_list.h"
+#include "services/cache/rrset.h"
+#include "services/cache/infra.h"
+#include "services/cache/dns.h"
+#include "services/mesh.h"
+#include "services/localzone.h"
+#include "util/data/msgparse.h"
+#include "util/data/msgencode.h"
+#include "util/data/dname.h"
+#include "util/fptr_wlist.h"
+#include "util/tube.h"
+#include "iterator/iter_fwd.h"
+#include "iterator/iter_hints.h"
+#include "validator/autotrust.h"
+#include "validator/val_anchor.h"
+#include "libunbound/context.h"
+#include "libunbound/libworker.h"
+#include "ldns/sbuffer.h"
+
+#ifdef HAVE_SYS_TYPES_H
+#  include <sys/types.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#include <signal.h>
+#ifdef UB_ON_WINDOWS
+#include "winrc/win_svc.h"
+#endif
+
+/** Size of an UDP datagram */
+#define NORMAL_UDP_SIZE	512 /* bytes */
+
+/** 
+ * seconds to add to prefetch leeway.  This is a TTL that expires old rrsets
+ * earlier than they should in order to put the new update into the cache.
+ * This additional value is to make sure that if not all TTLs are equal in
+ * the message to be updated(and replaced), that rrsets with up to this much
+ * extra TTL are also replaced.  This means that the resulting new message
+ * will have (most likely) this TTL at least, avoiding very small 'split
+ * second' TTLs due to operators choosing relative primes for TTLs (or so).
+ * Also has to be at least one to break ties (and overwrite cached entry).
+ */
+#define PREFETCH_EXPIRY_ADD 60
+
+#ifdef UNBOUND_ALLOC_STATS
+/** measure memory leakage */
+static void
+debug_memleak(size_t accounted, size_t heap, 
+	size_t total_alloc, size_t total_free)
+{
+	static int init = 0;
+	static size_t base_heap, base_accounted, base_alloc, base_free;
+	size_t base_af, cur_af, grow_af, grow_acc;
+	if(!init) {
+		init = 1;
+		base_heap = heap;
+		base_accounted = accounted;
+		base_alloc = total_alloc;
+		base_free = total_free;
+	}
+	base_af = base_alloc - base_free;
+	cur_af = total_alloc - total_free;
+	grow_af = cur_af - base_af;
+	grow_acc = accounted - base_accounted;
+	log_info("Leakage: %d leaked. growth: %u use, %u acc, %u heap",
+		(int)(grow_af - grow_acc), (unsigned)grow_af, 
+		(unsigned)grow_acc, (unsigned)(heap - base_heap));
+}
+
+/** give debug heap size indication */
+static void
+debug_total_mem(size_t calctotal)
+{
+#ifdef HAVE_SBRK
+	extern void* unbound_start_brk;
+	extern size_t unbound_mem_alloc, unbound_mem_freed;
+	void* cur = sbrk(0);
+	int total = cur-unbound_start_brk;
+	log_info("Total heap memory estimate: %u  total-alloc: %u  "
+		"total-free: %u", (unsigned)total, 
+		(unsigned)unbound_mem_alloc, (unsigned)unbound_mem_freed);
+	debug_memleak(calctotal, (size_t)total, 
+		unbound_mem_alloc, unbound_mem_freed);
+#else
+	(void)calctotal;
+#endif /* HAVE_SBRK */
+}
+#endif /* UNBOUND_ALLOC_STATS */
+
+/** Report on memory usage by this thread and global */
+static void
+worker_mem_report(struct worker* ATTR_UNUSED(worker), 
+	struct serviced_query* ATTR_UNUSED(cur_serv))
+{
+#ifdef UNBOUND_ALLOC_STATS
+	/* debug func in validator module */
+	size_t total, front, back, mesh, msg, rrset, infra, ac, superac;
+	size_t me, iter, val, anch;
+	int i;
+	if(verbosity < VERB_ALGO) 
+		return;
+	front = listen_get_mem(worker->front);
+	back = outnet_get_mem(worker->back);
+	msg = slabhash_get_mem(worker->env.msg_cache);
+	rrset = slabhash_get_mem(&worker->env.rrset_cache->table);
+	infra = infra_get_mem(worker->env.infra_cache);
+	mesh = mesh_get_mem(worker->env.mesh);
+	ac = alloc_get_mem(&worker->alloc);
+	superac = alloc_get_mem(&worker->daemon->superalloc);
+	anch = anchors_get_mem(worker->env.anchors);
+	iter = 0;
+	val = 0;
+	for(i=0; i<worker->env.mesh->mods.num; i++) {
+		fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
+			mods.mod[i]->get_mem));
+		if(strcmp(worker->env.mesh->mods.mod[i]->name, "validator")==0)
+			val += (*worker->env.mesh->mods.mod[i]->get_mem)
+				(&worker->env, i);
+		else	iter += (*worker->env.mesh->mods.mod[i]->get_mem)
+				(&worker->env, i);
+	}
+	me = sizeof(*worker) + sizeof(*worker->base) + sizeof(*worker->comsig)
+		+ comm_point_get_mem(worker->cmd_com) 
+		+ sizeof(worker->rndstate) 
+		+ regional_get_mem(worker->scratchpad) 
+		+ sizeof(*worker->env.scratch_buffer) 
+		+ sldns_buffer_capacity(worker->env.scratch_buffer)
+		+ forwards_get_mem(worker->env.fwds)
+		+ hints_get_mem(worker->env.hints);
+	if(worker->thread_num == 0)
+		me += acl_list_get_mem(worker->daemon->acl);
+	if(cur_serv) {
+		me += serviced_get_mem(cur_serv);
+	}
+	total = front+back+mesh+msg+rrset+infra+iter+val+ac+superac+me;
+	log_info("Memory conditions: %u front=%u back=%u mesh=%u msg=%u "
+		"rrset=%u infra=%u iter=%u val=%u anchors=%u "
+		"alloccache=%u globalalloccache=%u me=%u",
+		(unsigned)total, (unsigned)front, (unsigned)back, 
+		(unsigned)mesh, (unsigned)msg, (unsigned)rrset, 
+		(unsigned)infra, (unsigned)iter, (unsigned)val, (unsigned)anch,
+		(unsigned)ac, (unsigned)superac, (unsigned)me);
+	debug_total_mem(total);
+#else /* no UNBOUND_ALLOC_STATS */
+	size_t val = 0;
+	int i;
+	if(verbosity < VERB_QUERY)
+		return;
+	for(i=0; i<worker->env.mesh->mods.num; i++) {
+		fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
+			mods.mod[i]->get_mem));
+		if(strcmp(worker->env.mesh->mods.mod[i]->name, "validator")==0)
+			val += (*worker->env.mesh->mods.mod[i]->get_mem)
+				(&worker->env, i);
+	}
+	verbose(VERB_QUERY, "cache memory msg=%u rrset=%u infra=%u val=%u",
+		(unsigned)slabhash_get_mem(worker->env.msg_cache),
+		(unsigned)slabhash_get_mem(&worker->env.rrset_cache->table),
+		(unsigned)infra_get_mem(worker->env.infra_cache),
+		(unsigned)val);
+#endif /* UNBOUND_ALLOC_STATS */
+}
+
+void 
+worker_send_cmd(struct worker* worker, enum worker_commands cmd)
+{
+	uint32_t c = (uint32_t)htonl(cmd);
+	if(!tube_write_msg(worker->cmd, (uint8_t*)&c, sizeof(c), 0)) {
+		log_err("worker send cmd %d failed", (int)cmd);
+	}
+}
+
+int 
+worker_handle_reply(struct comm_point* c, void* arg, int error, 
+	struct comm_reply* reply_info)
+{
+	struct module_qstate* q = (struct module_qstate*)arg;
+	struct worker* worker = q->env->worker;
+	struct outbound_entry e;
+	e.qstate = q;
+	e.qsent = NULL;
+
+	if(error != 0) {
+		mesh_report_reply(worker->env.mesh, &e, reply_info, error);
+		worker_mem_report(worker, NULL);
+		return 0;
+	}
+	/* sanity check. */
+	if(!LDNS_QR_WIRE(sldns_buffer_begin(c->buffer))
+		|| LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) != 
+			LDNS_PACKET_QUERY
+		|| LDNS_QDCOUNT(sldns_buffer_begin(c->buffer)) > 1) {
+		/* error becomes timeout for the module as if this reply
+		 * never arrived. */
+		mesh_report_reply(worker->env.mesh, &e, reply_info, 
+			NETEVENT_TIMEOUT);
+		worker_mem_report(worker, NULL);
+		return 0;
+	}
+	mesh_report_reply(worker->env.mesh, &e, reply_info, NETEVENT_NOERROR);
+	worker_mem_report(worker, NULL);
+	return 0;
+}
+
+int 
+worker_handle_service_reply(struct comm_point* c, void* arg, int error, 
+	struct comm_reply* reply_info)
+{
+	struct outbound_entry* e = (struct outbound_entry*)arg;
+	struct worker* worker = e->qstate->env->worker;
+	struct serviced_query *sq = e->qsent;
+
+	verbose(VERB_ALGO, "worker svcd callback for qstate %p", e->qstate);
+	if(error != 0) {
+		mesh_report_reply(worker->env.mesh, e, reply_info, error);
+		worker_mem_report(worker, sq);
+		return 0;
+	}
+	/* sanity check. */
+	if(!LDNS_QR_WIRE(sldns_buffer_begin(c->buffer))
+		|| LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) != 
+			LDNS_PACKET_QUERY
+		|| LDNS_QDCOUNT(sldns_buffer_begin(c->buffer)) > 1) {
+		/* error becomes timeout for the module as if this reply
+		 * never arrived. */
+		verbose(VERB_ALGO, "worker: bad reply handled as timeout");
+		mesh_report_reply(worker->env.mesh, e, reply_info, 
+			NETEVENT_TIMEOUT);
+		worker_mem_report(worker, sq);
+		return 0;
+	}
+	mesh_report_reply(worker->env.mesh, e, reply_info, NETEVENT_NOERROR);
+	worker_mem_report(worker, sq);
+	return 0;
+}
+
+/** check request sanity.
+ * @param pkt: the wire packet to examine for sanity.
+ * @param worker: parameters for checking.
+ * @return error code, 0 OK, or -1 discard.
+*/
+static int 
+worker_check_request(sldns_buffer* pkt, struct worker* worker)
+{
+	if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) {
+		verbose(VERB_QUERY, "request too short, discarded");
+		return -1;
+	}
+	if(sldns_buffer_limit(pkt) > NORMAL_UDP_SIZE && 
+		worker->daemon->cfg->harden_large_queries) {
+		verbose(VERB_QUERY, "request too large, discarded");
+		return -1;
+	}
+	if(LDNS_QR_WIRE(sldns_buffer_begin(pkt))) {
+		verbose(VERB_QUERY, "request has QR bit on, discarded");
+		return -1;
+	}
+	if(LDNS_TC_WIRE(sldns_buffer_begin(pkt))) {
+		LDNS_TC_CLR(sldns_buffer_begin(pkt));
+		verbose(VERB_QUERY, "request bad, has TC bit on");
+		return LDNS_RCODE_FORMERR;
+	}
+	if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY) {
+		verbose(VERB_QUERY, "request unknown opcode %d", 
+			LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)));
+		return LDNS_RCODE_NOTIMPL;
+	}
+	if(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1) {
+		verbose(VERB_QUERY, "request wrong nr qd=%d", 
+			LDNS_QDCOUNT(sldns_buffer_begin(pkt)));
+		return LDNS_RCODE_FORMERR;
+	}
+	if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) != 0) {
+		verbose(VERB_QUERY, "request wrong nr an=%d", 
+			LDNS_ANCOUNT(sldns_buffer_begin(pkt)));
+		return LDNS_RCODE_FORMERR;
+	}
+	if(LDNS_NSCOUNT(sldns_buffer_begin(pkt)) != 0) {
+		verbose(VERB_QUERY, "request wrong nr ns=%d", 
+			LDNS_NSCOUNT(sldns_buffer_begin(pkt)));
+		return LDNS_RCODE_FORMERR;
+	}
+	if(LDNS_ARCOUNT(sldns_buffer_begin(pkt)) > 1) {
+		verbose(VERB_QUERY, "request wrong nr ar=%d", 
+			LDNS_ARCOUNT(sldns_buffer_begin(pkt)));
+		return LDNS_RCODE_FORMERR;
+	}
+	return 0;
+}
+
+void 
+worker_handle_control_cmd(struct tube* ATTR_UNUSED(tube), uint8_t* msg,
+	size_t len, int error, void* arg)
+{
+	struct worker* worker = (struct worker*)arg;
+	enum worker_commands cmd;
+	if(error != NETEVENT_NOERROR) {
+		free(msg);
+		if(error == NETEVENT_CLOSED)
+			comm_base_exit(worker->base);
+		else	log_info("control event: %d", error);
+		return;
+	}
+	if(len != sizeof(uint32_t)) {
+		fatal_exit("bad control msg length %d", (int)len);
+	}
+	cmd = sldns_read_uint32(msg);
+	free(msg);
+	switch(cmd) {
+	case worker_cmd_quit:
+		verbose(VERB_ALGO, "got control cmd quit");
+		comm_base_exit(worker->base);
+		break;
+	case worker_cmd_stats:
+		verbose(VERB_ALGO, "got control cmd stats");
+		server_stats_reply(worker, 1);
+		break;
+	case worker_cmd_stats_noreset:
+		verbose(VERB_ALGO, "got control cmd stats_noreset");
+		server_stats_reply(worker, 0);
+		break;
+	case worker_cmd_remote:
+		verbose(VERB_ALGO, "got control cmd remote");
+		daemon_remote_exec(worker);
+		break;
+	default:
+		log_err("bad command %d", (int)cmd);
+		break;
+	}
+}
+
+/** check if a delegation is secure */
+static enum sec_status
+check_delegation_secure(struct reply_info *rep) 
+{
+	/* return smallest security status */
+	size_t i;
+	enum sec_status sec = sec_status_secure;
+	enum sec_status s;
+	size_t num = rep->an_numrrsets + rep->ns_numrrsets;
+	/* check if answer and authority are OK */
+	for(i=0; i<num; i++) {
+		s = ((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
+			->security;
+		if(s < sec)
+			sec = s;
+	}
+	/* in additional, only unchecked triggers revalidation */
+	for(i=num; i<rep->rrset_count; i++) {
+		s = ((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
+			->security;
+		if(s == sec_status_unchecked)
+			return s;
+	}
+	return sec;
+}
+
+/** remove nonsecure from a delegation referral additional section */
+static void
+deleg_remove_nonsecure_additional(struct reply_info* rep)
+{
+	/* we can simply edit it, since we are working in the scratch region */
+	size_t i;
+	enum sec_status s;
+
+	for(i = rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
+		s = ((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
+			->security;
+		if(s != sec_status_secure) {
+			memmove(rep->rrsets+i, rep->rrsets+i+1, 
+				sizeof(struct ub_packed_rrset_key*)* 
+				(rep->rrset_count - i - 1));
+			rep->ar_numrrsets--; 
+			rep->rrset_count--;
+			i--;
+		}
+	}
+}
+
+/** answer nonrecursive query from the cache */
+static int
+answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
+	uint16_t id, uint16_t flags, struct comm_reply* repinfo, 
+	struct edns_data* edns)
+{
+	/* for a nonrecursive query return either:
+	 * 	o an error (servfail; we try to avoid this)
+	 * 	o a delegation (closest we have; this routine tries that)
+	 * 	o the answer (checked by answer_from_cache) 
+	 *
+	 * So, grab a delegation from the rrset cache. 
+	 * Then check if it needs validation, if so, this routine fails,
+	 * so that iterator can prime and validator can verify rrsets.
+	 */
+	uint16_t udpsize = edns->udp_size;
+	int secure = 0;
+	time_t timenow = *worker->env.now;
+	int must_validate = (!(flags&BIT_CD) || worker->env.cfg->ignore_cd)
+		&& worker->env.need_to_validate;
+	struct dns_msg *msg = NULL;
+	struct delegpt *dp;
+
+	dp = dns_cache_find_delegation(&worker->env, qinfo->qname, 
+		qinfo->qname_len, qinfo->qtype, qinfo->qclass,
+		worker->scratchpad, &msg, timenow);
+	if(!dp) { /* no delegation, need to reprime */
+		regional_free_all(worker->scratchpad);
+		return 0;
+	}
+	if(must_validate) {
+		switch(check_delegation_secure(msg->rep)) {
+		case sec_status_unchecked:
+			/* some rrsets have not been verified yet, go and 
+			 * let validator do that */
+			regional_free_all(worker->scratchpad);
+			return 0;
+		case sec_status_bogus:
+			/* some rrsets are bogus, reply servfail */
+			edns->edns_version = EDNS_ADVERTISED_VERSION;
+			edns->udp_size = EDNS_ADVERTISED_SIZE;
+			edns->ext_rcode = 0;
+			edns->bits &= EDNS_DO;
+			error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
+				&msg->qinfo, id, flags, edns);
+			regional_free_all(worker->scratchpad);
+			if(worker->stats.extended) {
+				worker->stats.ans_bogus++;
+				worker->stats.ans_rcode[LDNS_RCODE_SERVFAIL]++;
+			}
+			return 1;
+		case sec_status_secure:
+			/* all rrsets are secure */
+			/* remove non-secure rrsets from the add. section*/
+			if(worker->env.cfg->val_clean_additional)
+				deleg_remove_nonsecure_additional(msg->rep);
+			secure = 1;
+			break;
+		case sec_status_indeterminate:
+		case sec_status_insecure:
+		default:
+			/* not secure */
+			secure = 0;
+			break;
+		}
+	}
+	/* return this delegation from the cache */
+	edns->edns_version = EDNS_ADVERTISED_VERSION;
+	edns->udp_size = EDNS_ADVERTISED_SIZE;
+	edns->ext_rcode = 0;
+	edns->bits &= EDNS_DO;
+	msg->rep->flags |= BIT_QR|BIT_RA;
+	if(!reply_info_answer_encode(&msg->qinfo, msg->rep, id, flags, 
+		repinfo->c->buffer, 0, 1, worker->scratchpad,
+		udpsize, edns, (int)(edns->bits & EDNS_DO), secure)) {
+		error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
+			&msg->qinfo, id, flags, edns);
+	}
+	regional_free_all(worker->scratchpad);
+	if(worker->stats.extended) {
+		if(secure) worker->stats.ans_secure++;
+		server_stats_insrcode(&worker->stats, repinfo->c->buffer);
+	}
+	return 1;
+}
+
+/** answer query from the cache */
+static int
+answer_from_cache(struct worker* worker, struct query_info* qinfo,
+	struct reply_info* rep, uint16_t id, uint16_t flags, 
+	struct comm_reply* repinfo, struct edns_data* edns)
+{
+	time_t timenow = *worker->env.now;
+	uint16_t udpsize = edns->udp_size;
+	int secure;
+	int must_validate = (!(flags&BIT_CD) || worker->env.cfg->ignore_cd)
+		&& worker->env.need_to_validate;
+	/* see if it is possible */
+	if(rep->ttl < timenow) {
+		/* the rrsets may have been updated in the meantime.
+		 * we will refetch the message format from the
+		 * authoritative server 
+		 */
+		return 0;
+	}
+	if(!rrset_array_lock(rep->ref, rep->rrset_count, timenow))
+		return 0;
+	/* locked and ids and ttls are OK. */
+	/* check CNAME chain (if any) */
+	if(rep->an_numrrsets > 0 && (rep->rrsets[0]->rk.type == 
+		htons(LDNS_RR_TYPE_CNAME) || rep->rrsets[0]->rk.type == 
+		htons(LDNS_RR_TYPE_DNAME))) {
+		if(!reply_check_cname_chain(rep)) {
+			/* cname chain invalid, redo iterator steps */
+			verbose(VERB_ALGO, "Cache reply: cname chain broken");
+		bail_out:
+			rrset_array_unlock_touch(worker->env.rrset_cache, 
+				worker->scratchpad, rep->ref, rep->rrset_count);
+			regional_free_all(worker->scratchpad);
+			return 0;
+		}
+	}
+	/* check security status of the cached answer */
+	if( rep->security == sec_status_bogus && must_validate) {
+		/* BAD cached */
+		edns->edns_version = EDNS_ADVERTISED_VERSION;
+		edns->udp_size = EDNS_ADVERTISED_SIZE;
+		edns->ext_rcode = 0;
+		edns->bits &= EDNS_DO;
+		error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
+			qinfo, id, flags, edns);
+		rrset_array_unlock_touch(worker->env.rrset_cache, 
+			worker->scratchpad, rep->ref, rep->rrset_count);
+		regional_free_all(worker->scratchpad);
+		if(worker->stats.extended) {
+			worker->stats.ans_bogus ++;
+			worker->stats.ans_rcode[LDNS_RCODE_SERVFAIL] ++;
+		}
+		return 1;
+	} else if( rep->security == sec_status_unchecked && must_validate) {
+		verbose(VERB_ALGO, "Cache reply: unchecked entry needs "
+			"validation");
+		goto bail_out; /* need to validate cache entry first */
+	} else if(rep->security == sec_status_secure) {
+		if(reply_all_rrsets_secure(rep))
+			secure = 1;
+		else	{
+			if(must_validate) {
+				verbose(VERB_ALGO, "Cache reply: secure entry"
+					" changed status");
+				goto bail_out; /* rrset changed, re-verify */
+			}
+			secure = 0;
+		}
+	} else	secure = 0;
+
+	edns->edns_version = EDNS_ADVERTISED_VERSION;
+	edns->udp_size = EDNS_ADVERTISED_SIZE;
+	edns->ext_rcode = 0;
+	edns->bits &= EDNS_DO;
+	if(!reply_info_answer_encode(qinfo, rep, id, flags, 
+		repinfo->c->buffer, timenow, 1, worker->scratchpad,
+		udpsize, edns, (int)(edns->bits & EDNS_DO), secure)) {
+		error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
+			qinfo, id, flags, edns);
+	}
+	/* cannot send the reply right now, because blocking network syscall
+	 * is bad while holding locks. */
+	rrset_array_unlock_touch(worker->env.rrset_cache, worker->scratchpad,
+		rep->ref, rep->rrset_count);
+	regional_free_all(worker->scratchpad);
+	if(worker->stats.extended) {
+		if(secure) worker->stats.ans_secure++;
+		server_stats_insrcode(&worker->stats, repinfo->c->buffer);
+	}
+	/* go and return this buffer to the client */
+	return 1;
+}
+
+/** Reply to client and perform prefetch to keep cache up to date */
+static void
+reply_and_prefetch(struct worker* worker, struct query_info* qinfo, 
+	uint16_t flags, struct comm_reply* repinfo, time_t leeway)
+{
+	/* first send answer to client to keep its latency 
+	 * as small as a cachereply */
+	comm_point_send_reply(repinfo);
+	server_stats_prefetch(&worker->stats, worker);
+	
+	/* create the prefetch in the mesh as a normal lookup without
+	 * client addrs waiting, which has the cache blacklisted (to bypass
+	 * the cache and go to the network for the data). */
+	/* this (potentially) runs the mesh for the new query */
+	mesh_new_prefetch(worker->env.mesh, qinfo, flags, leeway + 
+		PREFETCH_EXPIRY_ADD);
+}
+
+/**
+ * Fill CH class answer into buffer. Keeps query.
+ * @param pkt: buffer
+ * @param str: string to put into text record (<255).
+ * @param edns: edns reply information.
+ */
+static void
+chaos_replystr(sldns_buffer* pkt, const char* str, struct edns_data* edns)
+{
+	size_t len = strlen(str);
+	unsigned int rd = LDNS_RD_WIRE(sldns_buffer_begin(pkt));
+	unsigned int cd = LDNS_CD_WIRE(sldns_buffer_begin(pkt));
+	if(len>255) len=255; /* cap size of TXT record */
+	sldns_buffer_clear(pkt);
+	sldns_buffer_skip(pkt, (ssize_t)sizeof(uint16_t)); /* skip id */
+	sldns_buffer_write_u16(pkt, (uint16_t)(BIT_QR|BIT_RA));
+	if(rd) LDNS_RD_SET(sldns_buffer_begin(pkt));
+	if(cd) LDNS_CD_SET(sldns_buffer_begin(pkt));
+	sldns_buffer_write_u16(pkt, 1); /* qdcount */
+	sldns_buffer_write_u16(pkt, 1); /* ancount */
+	sldns_buffer_write_u16(pkt, 0); /* nscount */
+	sldns_buffer_write_u16(pkt, 0); /* arcount */
+	(void)query_dname_len(pkt); /* skip qname */
+	sldns_buffer_skip(pkt, (ssize_t)sizeof(uint16_t)); /* skip qtype */
+	sldns_buffer_skip(pkt, (ssize_t)sizeof(uint16_t)); /* skip qclass */
+	sldns_buffer_write_u16(pkt, 0xc00c); /* compr ptr to query */
+	sldns_buffer_write_u16(pkt, LDNS_RR_TYPE_TXT);
+	sldns_buffer_write_u16(pkt, LDNS_RR_CLASS_CH);
+	sldns_buffer_write_u32(pkt, 0); /* TTL */
+	sldns_buffer_write_u16(pkt, sizeof(uint8_t) + len);
+	sldns_buffer_write_u8(pkt, len);
+	sldns_buffer_write(pkt, str, len);
+	sldns_buffer_flip(pkt);
+	edns->edns_version = EDNS_ADVERTISED_VERSION;
+	edns->udp_size = EDNS_ADVERTISED_SIZE;
+	edns->bits &= EDNS_DO;
+	attach_edns_record(pkt, edns);
+}
+
+/**
+ * Answer CH class queries.
+ * @param w: worker
+ * @param qinfo: query info. Pointer into packet buffer.
+ * @param edns: edns info from query.
+ * @param pkt: packet buffer.
+ * @return: true if a reply is to be sent.
+ */
+static int
+answer_chaos(struct worker* w, struct query_info* qinfo, 
+	struct edns_data* edns, sldns_buffer* pkt)
+{
+	struct config_file* cfg = w->env.cfg;
+	if(qinfo->qtype != LDNS_RR_TYPE_ANY && qinfo->qtype != LDNS_RR_TYPE_TXT)
+		return 0;
+	if(query_dname_compare(qinfo->qname, 
+		(uint8_t*)"\002id\006server") == 0 ||
+		query_dname_compare(qinfo->qname, 
+		(uint8_t*)"\010hostname\004bind") == 0)
+	{
+		if(cfg->hide_identity) 
+			return 0;
+		if(cfg->identity==NULL || cfg->identity[0]==0) {
+			char buf[MAXHOSTNAMELEN+1];
+			if (gethostname(buf, MAXHOSTNAMELEN) == 0) {
+				buf[MAXHOSTNAMELEN] = 0;
+				chaos_replystr(pkt, buf, edns);
+			} else 	{
+				log_err("gethostname: %s", strerror(errno));
+				chaos_replystr(pkt, "no hostname", edns);
+			}
+		}
+		else 	chaos_replystr(pkt, cfg->identity, edns);
+		return 1;
+	}
+	if(query_dname_compare(qinfo->qname, 
+		(uint8_t*)"\007version\006server") == 0 ||
+		query_dname_compare(qinfo->qname, 
+		(uint8_t*)"\007version\004bind") == 0)
+	{
+		if(cfg->hide_version) 
+			return 0;
+		if(cfg->version==NULL || cfg->version[0]==0)
+			chaos_replystr(pkt, PACKAGE_STRING, edns);
+		else 	chaos_replystr(pkt, cfg->version, edns);
+		return 1;
+	}
+	return 0;
+}
+
+static int
+deny_refuse(struct comm_point* c, enum acl_access acl,
+	enum acl_access deny, enum acl_access refuse,
+	struct worker* worker, struct comm_reply* repinfo)
+{
+	if(acl == deny) {
+		comm_point_drop_reply(repinfo);
+		if(worker->stats.extended)
+			worker->stats.unwanted_queries++;
+		return 0;
+	} else if(acl == refuse) {
+		log_addr(VERB_ALGO, "refused query from",
+			&repinfo->addr, repinfo->addrlen);
+		log_buf(VERB_ALGO, "refuse", c->buffer);
+		if(worker->stats.extended)
+			worker->stats.unwanted_queries++;
+		if(worker_check_request(c->buffer, worker) == -1) {
+			comm_point_drop_reply(repinfo);
+			return 0; /* discard this */
+		}
+		sldns_buffer_set_limit(c->buffer, LDNS_HEADER_SIZE);
+		sldns_buffer_write_at(c->buffer, 4, 
+			(uint8_t*)"\0\0\0\0\0\0\0\0", 8);
+		LDNS_QR_SET(sldns_buffer_begin(c->buffer));
+		LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), 
+			LDNS_RCODE_REFUSED);
+		return 1;
+	}
+
+	return -1;
+}
+
+static int
+deny_refuse_all(struct comm_point* c, enum acl_access acl,
+	struct worker* worker, struct comm_reply* repinfo)
+{
+	return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo);
+}
+
+static int
+deny_refuse_non_local(struct comm_point* c, enum acl_access acl,
+	struct worker* worker, struct comm_reply* repinfo)
+{
+	return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local, worker, repinfo);
+}
+
+int 
+worker_handle_request(struct comm_point* c, void* arg, int error,
+	struct comm_reply* repinfo)
+{
+	struct worker* worker = (struct worker*)arg;
+	int ret;
+	hashvalue_t h;
+	struct lruhash_entry* e;
+	struct query_info qinfo;
+	struct edns_data edns;
+	enum acl_access acl;
+	int rc = 0;
+
+	if(error != NETEVENT_NOERROR) {
+		/* some bad tcp query DNS formats give these error calls */
+		verbose(VERB_ALGO, "handle request called with err=%d", error);
+		return 0;
+	}
+#ifdef USE_DNSTAP
+	if(worker->dtenv.log_client_query_messages)
+		dt_msg_send_client_query(&worker->dtenv, &repinfo->addr, c->type,
+			c->buffer);
+#endif
+	acl = acl_list_lookup(worker->daemon->acl, &repinfo->addr, 
+		repinfo->addrlen);
+	if((ret=deny_refuse_all(c, acl, worker, repinfo)) != -1)
+	{
+		if(ret == 1)
+			goto send_reply;
+		return ret;
+	}
+	if((ret=worker_check_request(c->buffer, worker)) != 0) {
+		verbose(VERB_ALGO, "worker check request: bad query.");
+		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+		if(ret != -1) {
+			LDNS_QR_SET(sldns_buffer_begin(c->buffer));
+			LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), ret);
+			return 1;
+		}
+		comm_point_drop_reply(repinfo);
+		return 0;
+	}
+	worker->stats.num_queries++;
+	/* see if query is in the cache */
+	if(!query_info_parse(&qinfo, c->buffer)) {
+		verbose(VERB_ALGO, "worker parse request: formerror.");
+		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+		sldns_buffer_rewind(c->buffer);
+		LDNS_QR_SET(sldns_buffer_begin(c->buffer));
+		LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), 
+			LDNS_RCODE_FORMERR);
+		server_stats_insrcode(&worker->stats, c->buffer);
+		goto send_reply;
+	}
+	if(worker->env.cfg->log_queries) {
+		char ip[128];
+		addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
+		log_nametypeclass(0, ip, qinfo.qname, qinfo.qtype, qinfo.qclass);
+	}
+	if(qinfo.qtype == LDNS_RR_TYPE_AXFR || 
+		qinfo.qtype == LDNS_RR_TYPE_IXFR) {
+		verbose(VERB_ALGO, "worker request: refused zone transfer.");
+		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+		sldns_buffer_rewind(c->buffer);
+		LDNS_QR_SET(sldns_buffer_begin(c->buffer));
+		LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), 
+			LDNS_RCODE_REFUSED);
+		if(worker->stats.extended) {
+			worker->stats.qtype[qinfo.qtype]++;
+			server_stats_insrcode(&worker->stats, c->buffer);
+		}
+		goto send_reply;
+	}
+	if((ret=parse_edns_from_pkt(c->buffer, &edns)) != 0) {
+		verbose(VERB_ALGO, "worker parse edns: formerror.");
+		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+		sldns_buffer_rewind(c->buffer);
+		LDNS_QR_SET(sldns_buffer_begin(c->buffer));
+		LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), ret);
+		server_stats_insrcode(&worker->stats, c->buffer);
+		goto send_reply;
+	}
+	if(edns.edns_present && edns.edns_version != 0) {
+		edns.ext_rcode = (uint8_t)(EDNS_RCODE_BADVERS>>4);
+		edns.edns_version = EDNS_ADVERTISED_VERSION;
+		edns.udp_size = EDNS_ADVERTISED_SIZE;
+		edns.bits &= EDNS_DO;
+		verbose(VERB_ALGO, "query with bad edns version.");
+		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+		error_encode(c->buffer, EDNS_RCODE_BADVERS&0xf, &qinfo,
+			*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
+			sldns_buffer_read_u16_at(c->buffer, 2), NULL);
+		attach_edns_record(c->buffer, &edns);
+		goto send_reply;
+	}
+	if(edns.edns_present && edns.udp_size < NORMAL_UDP_SIZE &&
+		worker->daemon->cfg->harden_short_bufsize) {
+		verbose(VERB_QUERY, "worker request: EDNS bufsize %d ignored",
+			(int)edns.udp_size);
+		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+		edns.udp_size = NORMAL_UDP_SIZE;
+	}
+	if(edns.udp_size > worker->daemon->cfg->max_udp_size &&
+		c->type == comm_udp) {
+		verbose(VERB_QUERY,
+			"worker request: max UDP reply size modified"
+			" (%d to max-udp-size)", (int)edns.udp_size);
+		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+		edns.udp_size = worker->daemon->cfg->max_udp_size;
+	}
+	if(edns.udp_size < LDNS_HEADER_SIZE) {
+		verbose(VERB_ALGO, "worker request: edns is too small.");
+		log_addr(VERB_CLIENT, "from", &repinfo->addr, repinfo->addrlen);
+		LDNS_QR_SET(sldns_buffer_begin(c->buffer));
+		LDNS_TC_SET(sldns_buffer_begin(c->buffer));
+		LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), 
+			LDNS_RCODE_SERVFAIL);
+		sldns_buffer_set_position(c->buffer, LDNS_HEADER_SIZE);
+		sldns_buffer_write_at(c->buffer, 4, 
+			(uint8_t*)"\0\0\0\0\0\0\0\0", 8);
+		sldns_buffer_flip(c->buffer);
+		goto send_reply;
+	}
+	if(worker->stats.extended)
+		server_stats_insquery(&worker->stats, c, qinfo.qtype,
+			qinfo.qclass, &edns, repinfo);
+	if(c->type != comm_udp)
+		edns.udp_size = 65535; /* max size for TCP replies */
+	if(qinfo.qclass == LDNS_RR_CLASS_CH && answer_chaos(worker, &qinfo,
+		&edns, c->buffer)) {
+		server_stats_insrcode(&worker->stats, c->buffer);
+		goto send_reply;
+	}
+	if(local_zones_answer(worker->daemon->local_zones, &qinfo, &edns, 
+		c->buffer, worker->scratchpad)) {
+		regional_free_all(worker->scratchpad);
+		if(sldns_buffer_limit(c->buffer) == 0) {
+			comm_point_drop_reply(repinfo);
+			return 0;
+		}
+		server_stats_insrcode(&worker->stats, c->buffer);
+		goto send_reply;
+	}
+
+	/* We've looked in our local zones. If the answer isn't there, we
+	 * might need to bail out based on ACLs now. */
+	if((ret=deny_refuse_non_local(c, acl, worker, repinfo)) != -1)
+	{
+		if(ret == 1)
+			goto send_reply;
+		return ret;
+	}
+
+	/* If this request does not have the recursion bit set, verify
+	 * ACLs allow the snooping. */
+	if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) &&
+		acl != acl_allow_snoop ) {
+		sldns_buffer_set_limit(c->buffer, LDNS_HEADER_SIZE);
+		sldns_buffer_write_at(c->buffer, 4, 
+			(uint8_t*)"\0\0\0\0\0\0\0\0", 8);
+		LDNS_QR_SET(sldns_buffer_begin(c->buffer));
+		LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), 
+			LDNS_RCODE_REFUSED);
+		sldns_buffer_flip(c->buffer);
+		server_stats_insrcode(&worker->stats, c->buffer);
+		log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
+			&repinfo->addr, repinfo->addrlen);
+		goto send_reply;
+	}
+	h = query_info_hash(&qinfo);
+	if((e=slabhash_lookup(worker->env.msg_cache, h, &qinfo, 0))) {
+		/* answer from cache - we have acquired a readlock on it */
+		if(answer_from_cache(worker, &qinfo, 
+			(struct reply_info*)e->data, 
+			*(uint16_t*)(void *)sldns_buffer_begin(c->buffer), 
+			sldns_buffer_read_u16_at(c->buffer, 2), repinfo, 
+			&edns)) {
+			/* prefetch it if the prefetch TTL expired */
+			if(worker->env.cfg->prefetch && *worker->env.now >=
+				((struct reply_info*)e->data)->prefetch_ttl) {
+				time_t leeway = ((struct reply_info*)e->
+					data)->ttl - *worker->env.now;
+				lock_rw_unlock(&e->lock);
+				reply_and_prefetch(worker, &qinfo, 
+					sldns_buffer_read_u16_at(c->buffer, 2),
+					repinfo, leeway);
+				rc = 0;
+				goto send_reply_rc;
+			}
+			lock_rw_unlock(&e->lock);
+			goto send_reply;
+		}
+		verbose(VERB_ALGO, "answer from the cache failed");
+		lock_rw_unlock(&e->lock);
+	}
+	if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) {
+		if(answer_norec_from_cache(worker, &qinfo,
+			*(uint16_t*)(void *)sldns_buffer_begin(c->buffer), 
+			sldns_buffer_read_u16_at(c->buffer, 2), repinfo, 
+			&edns)) {
+			goto send_reply;
+		}
+		verbose(VERB_ALGO, "answer norec from cache -- "
+			"need to validate or not primed");
+	}
+	sldns_buffer_rewind(c->buffer);
+	server_stats_querymiss(&worker->stats, worker);
+
+	if(verbosity >= VERB_CLIENT) {
+		if(c->type == comm_udp)
+			log_addr(VERB_CLIENT, "udp request from",
+				&repinfo->addr, repinfo->addrlen);
+		else	log_addr(VERB_CLIENT, "tcp request from",
+				&repinfo->addr, repinfo->addrlen);
+	}
+
+	/* grab a work request structure for this new request */
+	mesh_new_client(worker->env.mesh, &qinfo, 
+		sldns_buffer_read_u16_at(c->buffer, 2),
+		&edns, repinfo, *(uint16_t*)(void *)sldns_buffer_begin(c->buffer));
+	worker_mem_report(worker, NULL);
+	return 0;
+
+send_reply:
+	rc = 1;
+send_reply_rc:
+#ifdef USE_DNSTAP
+	if(worker->dtenv.log_client_response_messages)
+		dt_msg_send_client_response(&worker->dtenv, &repinfo->addr,
+			c->type, c->buffer);
+#endif
+	return rc;
+}
+
+void 
+worker_sighandler(int sig, void* arg)
+{
+	/* note that log, print, syscalls here give race conditions. 
+	 * And cause hangups if the log-lock is held by the application. */
+	struct worker* worker = (struct worker*)arg;
+	switch(sig) {
+#ifdef SIGHUP
+		case SIGHUP:
+			comm_base_exit(worker->base);
+			break;
+#endif
+		case SIGINT:
+			worker->need_to_exit = 1;
+			comm_base_exit(worker->base);
+			break;
+#ifdef SIGQUIT
+		case SIGQUIT:
+			worker->need_to_exit = 1;
+			comm_base_exit(worker->base);
+			break;
+#endif
+		case SIGTERM:
+			worker->need_to_exit = 1;
+			comm_base_exit(worker->base);
+			break;
+		default:
+			/* unknown signal, ignored */
+			break;
+	}
+}
+
+/** restart statistics timer for worker, if enabled */
+static void
+worker_restart_timer(struct worker* worker)
+{
+	if(worker->env.cfg->stat_interval > 0) {
+		struct timeval tv;
+#ifndef S_SPLINT_S
+		tv.tv_sec = worker->env.cfg->stat_interval;
+		tv.tv_usec = 0;
+#endif
+		comm_timer_set(worker->stat_timer, &tv);
+	}
+}
+
+void worker_stat_timer_cb(void* arg)
+{
+	struct worker* worker = (struct worker*)arg;
+	server_stats_log(&worker->stats, worker, worker->thread_num);
+	mesh_stats(worker->env.mesh, "mesh has");
+	worker_mem_report(worker, NULL);
+	if(!worker->daemon->cfg->stat_cumulative) {
+		worker_stats_clear(worker);
+	}
+	/* start next timer */
+	worker_restart_timer(worker);
+}
+
+void worker_probe_timer_cb(void* arg)
+{
+	struct worker* worker = (struct worker*)arg;
+	struct timeval tv;
+#ifndef S_SPLINT_S
+	tv.tv_sec = (time_t)autr_probe_timer(&worker->env);
+	tv.tv_usec = 0;
+#endif
+	if(tv.tv_sec != 0)
+		comm_timer_set(worker->env.probe_timer, &tv);
+}
+
+struct worker* 
+worker_create(struct daemon* daemon, int id, int* ports, int n)
+{
+	unsigned int seed;
+	struct worker* worker = (struct worker*)calloc(1, 
+		sizeof(struct worker));
+	if(!worker) 
+		return NULL;
+	worker->numports = n;
+	worker->ports = (int*)memdup(ports, sizeof(int)*n);
+	if(!worker->ports) {
+		free(worker);
+		return NULL;
+	}
+	worker->daemon = daemon;
+	worker->thread_num = id;
+	if(!(worker->cmd = tube_create())) {
+		free(worker->ports);
+		free(worker);
+		return NULL;
+	}
+	/* create random state here to avoid locking trouble in RAND_bytes */
+	seed = (unsigned int)time(NULL) ^ (unsigned int)getpid() ^
+		(((unsigned int)worker->thread_num)<<17);
+		/* shift thread_num so it does not match out pid bits */
+	if(!(worker->rndstate = ub_initstate(seed, daemon->rand))) {
+		seed = 0;
+		log_err("could not init random numbers.");
+		tube_delete(worker->cmd);
+		free(worker->ports);
+		free(worker);
+		return NULL;
+	}
+	seed = 0;
+#ifdef USE_DNSTAP
+	if(daemon->cfg->dnstap) {
+		log_assert(daemon->dtenv != NULL);
+		memcpy(&worker->dtenv, daemon->dtenv, sizeof(struct dt_env));
+		if(!dt_init(&worker->dtenv))
+			fatal_exit("dt_init failed");
+	}
+#endif
+	return worker;
+}
+
+int
+worker_init(struct worker* worker, struct config_file *cfg, 
+	struct listen_port* ports, int do_sigs)
+{
+#ifdef USE_DNSTAP
+	struct dt_env* dtenv = &worker->dtenv;
+#else
+	void* dtenv = NULL;
+#endif
+	worker->need_to_exit = 0;
+	worker->base = comm_base_create(do_sigs);
+	if(!worker->base) {
+		log_err("could not create event handling base");
+		worker_delete(worker);
+		return 0;
+	}
+	comm_base_set_slow_accept_handlers(worker->base, &worker_stop_accept,
+		&worker_start_accept, worker);
+	if(do_sigs) {
+#ifdef SIGHUP
+		ub_thread_sig_unblock(SIGHUP);
+#endif
+		ub_thread_sig_unblock(SIGINT);
+#ifdef SIGQUIT
+		ub_thread_sig_unblock(SIGQUIT);
+#endif
+		ub_thread_sig_unblock(SIGTERM);
+#ifndef LIBEVENT_SIGNAL_PROBLEM
+		worker->comsig = comm_signal_create(worker->base, 
+			worker_sighandler, worker);
+		if(!worker->comsig 
+#ifdef SIGHUP
+			|| !comm_signal_bind(worker->comsig, SIGHUP)
+#endif
+#ifdef SIGQUIT
+			|| !comm_signal_bind(worker->comsig, SIGQUIT)
+#endif
+			|| !comm_signal_bind(worker->comsig, SIGTERM)
+			|| !comm_signal_bind(worker->comsig, SIGINT)) {
+			log_err("could not create signal handlers");
+			worker_delete(worker);
+			return 0;
+		}
+#endif /* LIBEVENT_SIGNAL_PROBLEM */
+		if(!daemon_remote_open_accept(worker->daemon->rc, 
+			worker->daemon->rc_ports, worker)) {
+			worker_delete(worker);
+			return 0;
+		}
+#ifdef UB_ON_WINDOWS
+		wsvc_setup_worker(worker);
+#endif /* UB_ON_WINDOWS */
+	} else { /* !do_sigs */
+		worker->comsig = NULL;
+	}
+	worker->front = listen_create(worker->base, ports,
+		cfg->msg_buffer_size, (int)cfg->incoming_num_tcp, 
+		worker->daemon->listen_sslctx, dtenv, worker_handle_request,
+		worker);
+	if(!worker->front) {
+		log_err("could not create listening sockets");
+		worker_delete(worker);
+		return 0;
+	}
+	worker->back = outside_network_create(worker->base,
+		cfg->msg_buffer_size, (size_t)cfg->outgoing_num_ports, 
+		cfg->out_ifs, cfg->num_out_ifs, cfg->do_ip4, cfg->do_ip6, 
+		cfg->do_tcp?cfg->outgoing_num_tcp:0, 
+		worker->daemon->env->infra_cache, worker->rndstate,
+		cfg->use_caps_bits_for_id, worker->ports, worker->numports,
+		cfg->unwanted_threshold, &worker_alloc_cleanup, worker,
+		cfg->do_udp, worker->daemon->connect_sslctx, cfg->delay_close,
+		dtenv);
+	if(!worker->back) {
+		log_err("could not create outgoing sockets");
+		worker_delete(worker);
+		return 0;
+	}
+	/* start listening to commands */
+	if(!tube_setup_bg_listen(worker->cmd, worker->base,
+		&worker_handle_control_cmd, worker)) {
+		log_err("could not create control compt.");
+		worker_delete(worker);
+		return 0;
+	}
+	worker->stat_timer = comm_timer_create(worker->base, 
+		worker_stat_timer_cb, worker);
+	if(!worker->stat_timer) {
+		log_err("could not create statistics timer");
+	}
+
+	/* we use the msg_buffer_size as a good estimate for what the 
+	 * user wants for memory usage sizes */
+	worker->scratchpad = regional_create_custom(cfg->msg_buffer_size);
+	if(!worker->scratchpad) {
+		log_err("malloc failure");
+		worker_delete(worker);
+		return 0;
+	}
+
+	server_stats_init(&worker->stats, cfg);
+	alloc_init(&worker->alloc, &worker->daemon->superalloc, 
+		worker->thread_num);
+	alloc_set_id_cleanup(&worker->alloc, &worker_alloc_cleanup, worker);
+	worker->env = *worker->daemon->env;
+	comm_base_timept(worker->base, &worker->env.now, &worker->env.now_tv);
+	if(worker->thread_num == 0)
+		log_set_time(worker->env.now);
+	worker->env.worker = worker;
+	worker->env.send_query = &worker_send_query;
+	worker->env.alloc = &worker->alloc;
+	worker->env.rnd = worker->rndstate;
+	worker->env.scratch = worker->scratchpad;
+	worker->env.mesh = mesh_create(&worker->daemon->mods, &worker->env);
+	worker->env.detach_subs = &mesh_detach_subs;
+	worker->env.attach_sub = &mesh_attach_sub;
+	worker->env.kill_sub = &mesh_state_delete;
+	worker->env.detect_cycle = &mesh_detect_cycle;
+	worker->env.scratch_buffer = sldns_buffer_new(cfg->msg_buffer_size);
+	if(!(worker->env.fwds = forwards_create()) ||
+		!forwards_apply_cfg(worker->env.fwds, cfg)) {
+		log_err("Could not set forward zones");
+		worker_delete(worker);
+		return 0;
+	}
+	if(!(worker->env.hints = hints_create()) ||
+		!hints_apply_cfg(worker->env.hints, cfg)) {
+		log_err("Could not set root or stub hints");
+		worker_delete(worker);
+		return 0;
+	}
+	/* one probe timer per process -- if we have 5011 anchors */
+	if(autr_get_num_anchors(worker->env.anchors) > 0
+#ifndef THREADS_DISABLED
+		&& worker->thread_num == 0
+#endif
+		) {
+		struct timeval tv;
+		tv.tv_sec = 0;
+		tv.tv_usec = 0;
+		worker->env.probe_timer = comm_timer_create(worker->base,
+			worker_probe_timer_cb, worker);
+		if(!worker->env.probe_timer) {
+			log_err("could not create 5011-probe timer");
+		} else {
+			/* let timer fire, then it can reset itself */
+			comm_timer_set(worker->env.probe_timer, &tv);
+		}
+	}
+	if(!worker->env.mesh || !worker->env.scratch_buffer) {
+		worker_delete(worker);
+		return 0;
+	}
+	worker_mem_report(worker, NULL);
+	/* if statistics enabled start timer */
+	if(worker->env.cfg->stat_interval > 0) {
+		verbose(VERB_ALGO, "set statistics interval %d secs", 
+			worker->env.cfg->stat_interval);
+		worker_restart_timer(worker);
+	}
+	return 1;
+}
+
+void 
+worker_work(struct worker* worker)
+{
+	comm_base_dispatch(worker->base);
+}
+
+void 
+worker_delete(struct worker* worker)
+{
+	if(!worker) 
+		return;
+	if(worker->env.mesh && verbosity >= VERB_OPS) {
+		server_stats_log(&worker->stats, worker, worker->thread_num);
+		mesh_stats(worker->env.mesh, "mesh has");
+		worker_mem_report(worker, NULL);
+	}
+	outside_network_quit_prepare(worker->back);
+	mesh_delete(worker->env.mesh);
+	sldns_buffer_free(worker->env.scratch_buffer);
+	forwards_delete(worker->env.fwds);
+	hints_delete(worker->env.hints);
+	listen_delete(worker->front);
+	outside_network_delete(worker->back);
+	comm_signal_delete(worker->comsig);
+	tube_delete(worker->cmd);
+	comm_timer_delete(worker->stat_timer);
+	comm_timer_delete(worker->env.probe_timer);
+	free(worker->ports);
+	if(worker->thread_num == 0) {
+		log_set_time(NULL);
+#ifdef UB_ON_WINDOWS
+		wsvc_desetup_worker(worker);
+#endif /* UB_ON_WINDOWS */
+	}
+	comm_base_delete(worker->base);
+	ub_randfree(worker->rndstate);
+	alloc_clear(&worker->alloc);
+	regional_destroy(worker->scratchpad);
+	free(worker);
+}
+
+struct outbound_entry*
+worker_send_query(uint8_t* qname, size_t qnamelen, uint16_t qtype,
+	uint16_t qclass, uint16_t flags, int dnssec, int want_dnssec,
+	int nocaps, struct sockaddr_storage* addr, socklen_t addrlen,
+	uint8_t* zone, size_t zonelen, struct module_qstate* q)
+{
+	struct worker* worker = q->env->worker;
+	struct outbound_entry* e = (struct outbound_entry*)regional_alloc(
+		q->region, sizeof(*e));
+	if(!e) 
+		return NULL;
+	e->qstate = q;
+	e->qsent = outnet_serviced_query(worker->back, qname,
+		qnamelen, qtype, qclass, flags, dnssec, want_dnssec, nocaps,
+		q->env->cfg->tcp_upstream, q->env->cfg->ssl_upstream, addr,
+		addrlen, zone, zonelen, worker_handle_service_reply, e,
+		worker->back->udp_buff);
+	if(!e->qsent) {
+		return NULL;
+	}
+	return e;
+}
+
+void 
+worker_alloc_cleanup(void* arg)
+{
+	struct worker* worker = (struct worker*)arg;
+	slabhash_clear(&worker->env.rrset_cache->table);
+	slabhash_clear(worker->env.msg_cache);
+}
+
+void worker_stats_clear(struct worker* worker)
+{
+	server_stats_init(&worker->stats, worker->env.cfg);
+	mesh_stats_clear(worker->env.mesh);
+	worker->back->unwanted_replies = 0;
+	worker->back->num_tcp_outgoing = 0;
+}
+
+void worker_start_accept(void* arg)
+{
+	struct worker* worker = (struct worker*)arg;
+	listen_start_accept(worker->front);
+	if(worker->thread_num == 0)
+		daemon_remote_start_accept(worker->daemon->rc);
+}
+
+void worker_stop_accept(void* arg)
+{
+	struct worker* worker = (struct worker*)arg;
+	listen_stop_accept(worker->front);
+	if(worker->thread_num == 0)
+		daemon_remote_stop_accept(worker->daemon->rc);
+}
+
+/* --- fake callbacks for fptr_wlist to work --- */
+struct outbound_entry* libworker_send_query(uint8_t* ATTR_UNUSED(qname), 
+	size_t ATTR_UNUSED(qnamelen), uint16_t ATTR_UNUSED(qtype), 
+	uint16_t ATTR_UNUSED(qclass), uint16_t ATTR_UNUSED(flags), 
+	int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec),
+	int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr), 
+	socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone),
+	size_t ATTR_UNUSED(zonelen), struct module_qstate* ATTR_UNUSED(q))
+{
+	log_assert(0);
+	return 0;
+}
+
+int libworker_handle_reply(struct comm_point* ATTR_UNUSED(c), 
+	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
+        struct comm_reply* ATTR_UNUSED(reply_info))
+{
+	log_assert(0);
+	return 0;
+}
+
+int libworker_handle_service_reply(struct comm_point* ATTR_UNUSED(c), 
+	void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
+        struct comm_reply* ATTR_UNUSED(reply_info))
+{
+	log_assert(0);
+	return 0;
+}
+
+void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
+        uint8_t* ATTR_UNUSED(buffer), size_t ATTR_UNUSED(len),
+        int ATTR_UNUSED(error), void* ATTR_UNUSED(arg))
+{
+	log_assert(0);
+}
+
+void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
+        sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
+	char* ATTR_UNUSED(why_bogus))
+{
+	log_assert(0);
+}
+
+void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
+        sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
+	char* ATTR_UNUSED(why_bogus))
+{
+	log_assert(0);
+}
+
+void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
+        sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
+	char* ATTR_UNUSED(why_bogus))
+{
+	log_assert(0);
+}
+
+int context_query_cmp(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))
+{
+	log_assert(0);
+	return 0;
+}
+
+int order_lock_cmp(const void* ATTR_UNUSED(e1), const void* ATTR_UNUSED(e2))
+{
+        log_assert(0);
+        return 0;
+}
+
+int codeline_cmp(const void* ATTR_UNUSED(a), const void* ATTR_UNUSED(b))
+{
+        log_assert(0);
+        return 0;
+}
+
diff --git a/external/unbound/daemon/worker.h b/external/unbound/daemon/worker.h
new file mode 100644
index 000000000..ff69bc1ac
--- /dev/null
+++ b/external/unbound/daemon/worker.h
@@ -0,0 +1,173 @@
+/*
+ * daemon/worker.h - worker that handles a pending list of requests.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file describes the worker structure that holds a list of 
+ * pending requests and handles them.
+ */
+
+#ifndef DAEMON_WORKER_H
+#define DAEMON_WORKER_H
+
+#include "libunbound/worker.h"
+#include "util/netevent.h"
+#include "util/locks.h"
+#include "util/alloc.h"
+#include "util/data/msgreply.h"
+#include "util/data/msgparse.h"
+#include "daemon/stats.h"
+#include "util/module.h"
+#include "dnstap/dnstap.h"
+struct listen_dnsport;
+struct outside_network;
+struct config_file;
+struct daemon;
+struct listen_port;
+struct ub_randstate;
+struct regional;
+struct tube;
+struct daemon_remote;
+
+/** worker commands */
+enum worker_commands {
+	/** make the worker quit */
+	worker_cmd_quit,
+	/** obtain statistics */
+	worker_cmd_stats,
+	/** obtain statistics without statsclear */
+	worker_cmd_stats_noreset,
+	/** execute remote control command */
+	worker_cmd_remote
+};
+
+/**
+ * Structure holding working information for unbound.
+ * Holds globally visible information.
+ */
+struct worker {
+	/** the thread number (in daemon array). First in struct for debug. */
+	int thread_num;
+	/** global shared daemon structure */
+	struct daemon* daemon;
+	/** thread id */
+	ub_thread_t thr_id;
+	/** pipe, for commands for this worker */
+	struct tube* cmd;
+	/** the event base this worker works with */
+	struct comm_base* base;
+	/** the frontside listening interface where request events come in */
+	struct listen_dnsport* front;
+	/** the backside outside network interface to the auth servers */
+	struct outside_network* back;
+	/** ports to be used by this worker. */
+	int* ports;
+	/** number of ports for this worker */
+	int numports;
+	/** the signal handler */
+	struct comm_signal* comsig;
+	/** commpoint to listen to commands. */
+	struct comm_point* cmd_com;
+	/** timer for statistics */
+	struct comm_timer* stat_timer;
+
+	/** random() table for this worker. */
+	struct ub_randstate* rndstate;
+	/** do we need to restart or quit (on signal) */
+	int need_to_exit;
+	/** allocation cache for this thread */
+	struct alloc_cache alloc;
+	/** per thread statistics */
+	struct server_stats stats;
+	/** thread scratch regional */
+	struct regional* scratchpad;
+
+	/** module environment passed to modules, changed for this thread */
+	struct module_env env;
+
+#ifdef USE_DNSTAP
+	/** dnstap environment, changed for this thread */
+	struct dt_env dtenv;
+#endif
+};
+
+/**
+ * Create the worker structure. Bare bones version, zeroed struct,
+ * with backpointers only. Use worker_init on it later.
+ * @param daemon: the daemon that this worker thread is part of.
+ * @param id: the thread number from 0.. numthreads-1.
+ * @param ports: the ports it is allowed to use, array.
+ * @param n: the number of ports.
+ * @return: the new worker or NULL on alloc failure.
+ */
+struct worker* worker_create(struct daemon* daemon, int id, int* ports, int n);
+
+/**
+ * Initialize worker.
+ * Allocates event base, listens to ports
+ * @param worker: worker to initialize, created with worker_create.
+ * @param cfg: configuration settings.
+ * @param ports: list of shared query ports.
+ * @param do_sigs: if true, worker installs signal handlers.
+ * @return: false on error.
+ */
+int worker_init(struct worker* worker, struct config_file *cfg, 
+	struct listen_port* ports, int do_sigs);
+
+/**
+ * Make worker work.
+ */
+void worker_work(struct worker* worker);
+
+/**
+ * Delete worker.
+ */
+void worker_delete(struct worker* worker);
+
+/**
+ * Send a command to a worker. Uses blocking writes.
+ * @param worker: worker to send command to.
+ * @param cmd: command to send.
+ */
+void worker_send_cmd(struct worker* worker, enum worker_commands cmd);
+
+/**
+ * Init worker stats - includes server_stats_init, outside network and mesh.
+ * @param worker: the worker to init
+ */
+void worker_stats_clear(struct worker* worker);
+
+#endif /* DAEMON_WORKER_H */