ok florian@ jung@ sthen@

opens the log before chrooting, but this handles the case where syslogd is
restarted during Unbound's runtime.

"A collision attack published in 2007 can find collisions for full
MD4 in less than two hash operations."
ok deraadt@, man pages ok jmc@

use better constant for salt size.
always copy ":" to gerror, in case somebody is dumb enough to overwrite it
timingsafe_bcmp before somebody whines about strcmp

add some friendlier functions.
move the classic static data api into wrapper functions.
a few more changes to come...

iterator" by default.  Pointed out by Patrik Lundin.

ok jung@ stephan@
tweaks and ok sthen@

and use it as the default location for the DNSSEC root key. Update default
config for this location.
With this, the only step required to enable DNSSEC validation is to
uncomment these default config entries and restart:
#module-config: "validator iterator"
#auto-trust-anchor-file: "/var/unbound/db/root.key"
There is no longer a requirement to run unbound-anchor manually to
update the root key. The rc.d script will take care of updates at boot,
and Unbound will manage the file itself at runtime.
Test with "dig test.dnssec-or-not.net txt @127.0.0.1" or similar.

such a manpage does not currently exist. Requested by jmc@

increase root to 9(+1).
ok deraadt (and a thank you to miod for helping to reduce the set of
architectures harmed by this)

this hardware alive is becoming increasingly difficult, and I should heed the
message sent by the three disks which have died on me over the last few days.
Noone sane will mourn these ports anyway. So long, and thanks for the fish.

disallow them itself. ok deraadt@ millert@, gsoares@ and aja@ like it too.
("nobody" still needs to be listed).

tree results in one-true-ppp not coming into existance.  This code is
essentially un-audited and quite dangerous.
ok claudio sthen

(namespace pollution!) or talking about its opinion on code.
ok krw@

Add a log socket in /var/www/dev/log if nginx is enabled, it is needed as
the openlog() call is done after chrooting.
ok brad@ florian@ deraadt@

to the port list in net.inet.tcp.baddynamic. Service name taken from IANA
service-names-port-numbers.txt.
If anyone's interested in adding AF_UNIX support for comms between unbound
and unbound-control, that would very welcome.
OK brad@ deraadt@

OK krw@, gilles@, lteo@, tedu@, todd@, benno@, sthen@
"The time is right." and much help getting the show on
the road deraadt@

OK krw@, gilles@, lteo@, tedu@, todd@, benno@, sthen@
"The time is right." and much help getting the show on
the road deraadt@

ok todd

ok deraadt gilles todd

No.
Well, then tell them to stay out of the way.
ok deraadt

noticed by jsg, and important enough to make release