iterator" by default.  Pointed out by Patrik Lundin.

ok jung@ stephan@
tweaks and ok sthen@

and use it as the default location for the DNSSEC root key. Update default
config for this location.
With this, the only step required to enable DNSSEC validation is to
uncomment these default config entries and restart:
#module-config: "validator iterator"
#auto-trust-anchor-file: "/var/unbound/db/root.key"
There is no longer a requirement to run unbound-anchor manually to
update the root key. The rc.d script will take care of updates at boot,
and Unbound will manage the file itself at runtime.
Test with "dig test.dnssec-or-not.net txt @127.0.0.1" or similar.

such a manpage does not currently exist. Requested by jmc@

increase root to 9(+1).
ok deraadt (and a thank you to miod for helping to reduce the set of
architectures harmed by this)

this hardware alive is becoming increasingly difficult, and I should heed the
message sent by the three disks which have died on me over the last few days.
Noone sane will mourn these ports anyway. So long, and thanks for the fish.

disallow them itself. ok deraadt@ millert@, gsoares@ and aja@ like it too.
("nobody" still needs to be listed).

tree results in one-true-ppp not coming into existance.  This code is
essentially un-audited and quite dangerous.
ok claudio sthen

(namespace pollution!) or talking about its opinion on code.
ok krw@

Add a log socket in /var/www/dev/log if nginx is enabled, it is needed as
the openlog() call is done after chrooting.
ok brad@ florian@ deraadt@

to the port list in net.inet.tcp.baddynamic. Service name taken from IANA
service-names-port-numbers.txt.
If anyone's interested in adding AF_UNIX support for comms between unbound
and unbound-control, that would very welcome.
OK brad@ deraadt@

OK krw@, gilles@, lteo@, tedu@, todd@, benno@, sthen@
"The time is right." and much help getting the show on
the road deraadt@

OK krw@, gilles@, lteo@, tedu@, todd@, benno@, sthen@
"The time is right." and much help getting the show on
the road deraadt@

ok todd

ok deraadt gilles todd

No.
Well, then tell them to stay out of the way.
ok deraadt

noticed by jsg, and important enough to make release

'miniroot and maxiroot')..
from chris

existing swap partition for an easier initial installation.

has fun effects on some manpages under some circumstances, as found out
by sthen@: the gindent manpage looks like shit when seen with that new
default man.conf on an uft8 terminal, e.g., quotes combine with the
previous character to yield accented letters for no reason.
this should be handled calmly after release, not rushed in at the last
minute (okay deraadt@)

add a more complete check for the rounds parameter. ok deraadt

ok deraadt@ bentley@