update unbound from upstream

4 files changed, 20 insertions, 9 deletions

diff --git a/external/unbound/daemon/cachedump.c b/external/unbound/daemon/cachedump.c
index cf5b1a12c..20a46ae4d 100644
--- a/external/unbound/daemon/cachedump.c
+++ b/external/unbound/daemon/cachedump.c
@@ -664,7 +664,7 @@ load_msg(SSL* ssl, sldns_buffer* buf, struct worker* worker)
 	if(!go_on) 
 		return 1; /* skip this one, not all references satisfied */
 
-	if(!dns_cache_store(&worker->env, &qinf, &rep, 0, 0, 0, NULL)) {
+	if(!dns_cache_store(&worker->env, &qinf, &rep, 0, 0, 0, NULL, flags)) {
 		log_warn("error out of memory");
 		return 0;
 	}
diff --git a/external/unbound/daemon/remote.c b/external/unbound/daemon/remote.c
index 100aa8be1..ff3d769d4 100644
--- a/external/unbound/daemon/remote.c
+++ b/external/unbound/daemon/remote.c
@@ -38,8 +38,8 @@
  *
  * This file contains the remote control functionality for the daemon.
  * The remote control can be performed using either the commandline
- * unbound-control tool, or a SSLv3/TLS capable web browser. 
- * The channel is secured using SSLv3 or TLSv1, and certificates.
+ * unbound-control tool, or a TLS capable web browser. 
+ * The channel is secured using TLSv1, and certificates.
  * Both the server and the client(control tool) have their own keys.
  */
 #include "config.h"
@@ -154,12 +154,17 @@ daemon_remote_create(struct config_file* cfg)
 		free(rc);
 		return NULL;
 	}
-	/* no SSLv2 because has defects */
+	/* no SSLv2, SSLv3 because has defects */
 	if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
 		log_crypto_err("could not set SSL_OP_NO_SSLv2");
 		daemon_remote_delete(rc);
 		return NULL;
 	}
+	if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
+		log_crypto_err("could not set SSL_OP_NO_SSLv3");
+		daemon_remote_delete(rc);
+		return NULL;
+	}
 	s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1);
 	s_key = fname_after_chroot(cfg->server_key_file, cfg, 1);
 	if(!s_cert || !s_key) {
@@ -558,7 +563,7 @@ static char*
 skipwhite(char* str)
 {
 	/* EOS \0 is not a space */
-	while( isspace(*str) ) 
+	while( isspace((unsigned char)*str) ) 
 		str++;
 	return str;
 }
@@ -849,7 +854,8 @@ print_ext(SSL* ssl, struct stats_info* s)
 
 	/* RCODE */
 	for(i=0; i<STATS_RCODE_NUM; i++) {
-		if(inhibit_zero && s->svr.ans_rcode[i] == 0)
+		/* Always include RCODEs 0-5 */
+		if(inhibit_zero && i > LDNS_RCODE_REFUSED && s->svr.ans_rcode[i] == 0)
 			continue;
 		lt = sldns_lookup_by_id(sldns_rcodes, i);
 		if(lt && lt->name) {
@@ -1089,8 +1095,13 @@ do_cache_remove(struct worker* worker, uint8_t* nm, size_t nmlen,
 	k.qname_len = nmlen;
 	k.qtype = t;
 	k.qclass = c;
-	h = query_info_hash(&k);
+	h = query_info_hash(&k, 0);
 	slabhash_remove(worker->env.msg_cache, h, &k);
+	if(t == LDNS_RR_TYPE_AAAA) {
+		/* for AAAA also flush dns64 bit_cd packet */
+		h = query_info_hash(&k, BIT_CD);
+		slabhash_remove(worker->env.msg_cache, h, &k);
+	}
 }
 
 /** flush a type */
diff --git a/external/unbound/daemon/unbound.c b/external/unbound/daemon/unbound.c
index a53fe954d..5ded5a964 100644
--- a/external/unbound/daemon/unbound.c
+++ b/external/unbound/daemon/unbound.c
@@ -287,7 +287,7 @@ checkrlimits(struct config_file* cfg)
 #ifdef HAVE_SETRLIMIT
 		}
 #endif
-		log_warn("increased limit(open files) from %u to %u",
+		verbose(VERB_ALGO, "increased limit(open files) from %u to %u",
 			(unsigned)avail, (unsigned)total+10);
 	}
 #else	
diff --git a/external/unbound/daemon/worker.c b/external/unbound/daemon/worker.c
index f90676213..59ae9dfce 100644
--- a/external/unbound/daemon/worker.c
+++ b/external/unbound/daemon/worker.c
@@ -935,7 +935,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			&repinfo->addr, repinfo->addrlen);
 		goto send_reply;
 	}
-	h = query_info_hash(&qinfo);
+	h = query_info_hash(&qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
 	if((e=slabhash_lookup(worker->env.msg_cache, h, &qinfo, 0))) {
 		/* answer from cache - we have acquired a readlock on it */
 		if(answer_from_cache(worker, &qinfo,