Index: head/dns/autotrust/Makefile
===================================================================
--- head/dns/autotrust/Makefile	(revision 408046)
+++ head/dns/autotrust/Makefile	(revision 408047)
@@ -1,35 +1,35 @@
 # Created by: Jaap Akkerhuis <jaap@nlnetlabs.nl>
 # $FreeBSD$
 
 PORTNAME=	autotrust
 PORTVERSION=	0.3.1
-PORTREVISION=	5
+PORTREVISION=	6
 CATEGORIES=	dns
 MASTER_SITES=	http://www.nlnetlabs.nl/downloads/autotrust/
 
 MAINTAINER=	jaap@NLnetLabs.nl
 COMMENT=	Tool to automatically update DNSSEC trust anchors
 
 LIB_DEPENDS+=	libldns.so:${PORTSDIR}/dns/ldns \
 		libunbound.so:${PORTSDIR}/dns/unbound
 
 GNU_CONFIGURE=	yes
 CFLAGS=		-I${LOCALBASE}/include
 LDFLAGS+=	-L${LOCALBASE}/lib -pthread
 
 PLIST_FILES=	sbin/autotrust man/man8/autotrust.8.gz \
 		etc/autotrust/autotrust.conf.sample
 
 do-patch:
 	${REINPLACE_CMD} \
 		'45s!=!\?=!; \
 		46s!^\(CFLAGS \)\(= -I.\) @CFLAGS@!\1+\2!' \
 		${WRKSRC}/Makefile.in
 
 do-install:
 	${INSTALL_PROGRAM} ${WRKSRC}/${PORTNAME} ${STAGEDIR}${PREFIX}/sbin
 	@${MKDIR} ${STAGEDIR}${ETCDIR}
 	${INSTALL_DATA} ${WRKSRC}/${PORTNAME}.conf.sample ${STAGEDIR}${ETCDIR}
 	${INSTALL_MAN} ${WRKSRC}/${PORTNAME}.8 ${STAGEDIR}${MANPREFIX}/man/man8
 
 .include <bsd.port.mk>
Index: head/dns/getdns/Makefile
===================================================================
--- head/dns/getdns/Makefile	(revision 408046)
+++ head/dns/getdns/Makefile	(revision 408047)
@@ -1,60 +1,61 @@
 # Created by: Ryan Steinmetz <zi@FreeBSD.org>
 # $FreeBSD$
 
 PORTNAME=	getdns
 PORTVERSION=	0.9.0
+PORTREVISION=	1
 CATEGORIES=	dns ipv6
 MASTER_SITES=	https://getdnsapi.net/dist/ \
     		https://mirrors.rit.edu/zi/ \
 		http://getdnsapi.net/dist/ \
 		http://mirrors.rit.edu/zi/
 
 MAINTAINER=	zi@FreeBSD.org
 COMMENT=	Modern asynchronous DNS API
 
 LICENSE=	BSD3CLAUSE
 LICENSE_FILE=	${WRKSRC}/LICENSE
 
 LIB_DEPENDS=	libexpat.so:${PORTSDIR}/textproc/expat2 \
     		libidn.so:${PORTSDIR}/dns/libidn \
 		libldns.so:${PORTSDIR}/dns/ldns \
 		libunbound.so:${PORTSDIR}/dns/unbound
 
 USES=		libtool
 USE_LDCONFIG=	yes
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--with-libidn=${LOCALBASE} --docdir=${DOCSDIR} \
 		--with-trust-anchor=${LOCALBASE}/etc/unbound/root.key
 
 PLIST_SUB+=	PORTVERSION="${PORTVERSION}"
 SUB_FILES+=	pkg-message
 
 OPTIONS_SUB=	yes
 OPTIONS_DEFINE=	EXAMPLES DOCS LIBEV LIBUV LIBEVENT
 
 LIBEV_DESC=	Build with libev extension
 LIBUV_DESC=	Build with libuv extension
 LIBEVENT_DESC=	Build with libevent extension
 
 LIBEV_LIB_DEPENDS=	libev.so:${PORTSDIR}/devel/libev
 LIBEV_CONFIGURE_WITH=	libev
 LIBUV_LIB_DEPENDS=	libuv.so:${PORTSDIR}/devel/libuv
 LIBUV_CONFIGURE_WITH=	libuv
 LIBEVENT_LIB_DEPENDS=	libevent.so:${PORTSDIR}/devel/libevent2
 LIBEVENT_CONFIGURE_WITH=libevent
 
 .include <bsd.port.options.mk>
 
 post-patch:
 	${REINPLACE_CMD} -e 's|libdir)/pkgconfig|prefix)/libdata/pkgconfig|' \
 		${WRKSRC}/Makefile.in
 	${REINPLACE_CMD} -Ee 's,^(sharedoc = ).*,\1${WRKDIR}/doc,' \
 	    	-e '/echo .\*\*\*/d' ${WRKSRC}/Makefile.in
 
 post-install:
 .if ${PORT_OPTIONS:MEXAMPLES}
 	(cd ${WRKSRC}/spec/example && ${COPYTREE_SHARE} . ${STAGEDIR}${EXAMPLESDIR}/)
 .endif
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libgetdns.so.*
 
 .include <bsd.port.mk>
Index: head/dns/unbound/Makefile
===================================================================
--- head/dns/unbound/Makefile	(revision 408046)
+++ head/dns/unbound/Makefile	(revision 408047)
@@ -1,138 +1,135 @@
 # Created by: Sergey Matveychuk <sem@FreeBSD.org>
 # $FreeBSD$
 
 PORTNAME=	unbound
-PORTVERSION=	1.5.5
+PORTVERSION=	1.5.7
 CATEGORIES=	dns
 MASTER_SITES=	http://unbound.net/downloads/
 
 MAINTAINER=	sem@FreeBSD.org
 COMMENT=	Validating, recursive, and caching DNS resolver
 
 LICENSE=	BSD3CLAUSE
 LICENSE_FILE=	${WRKSRC}/LICENSE
 
-USES+=		autoreconf cpe gmake libtool
+USES+=		autoreconf cpe libtool
 CPE_VENDOR=	nlnetlabs
 USE_OPENSSL=	yes
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS+=--with-ssl=${OPENSSLBASE} --with-libexpat=${LOCALBASE}
 USE_LDCONFIG=	yes
 
 USERS=		${PORTNAME}
 GROUPS=		${PORTNAME}
 
 USE_RC_SUBR=	unbound
 
 PORTDOCS=	CREDITS Changelog FEATURES LICENSE README README.svn \
 		README.tests TODO control_proto_spec.txt ietf67-design-02.odp \
 		ietf67-design-02.pdf requirements.txt
 PLIST_SUB+=	PYTHON=${PYTHON} MUNIN=${MUNIN}
 
 OPTIONS_DEFINE=	THREADS PYTHON GOST ECDSA MUNIN DOCS LIBEVENT FILTER_AAAA
 OPTIONS_DEFAULT=THREADS ECDSA
 
 LIBEVENT_DESC=	Build against libevent
 GOST_DESC=	Enable GOST support (requires OpenSSL >= 1.0)
 ECDSA_DESC=	Enable ECDSA (elliptic curve) support (OpenSSL >= 1.0)
 MUNIN_DESC=	Install Munin plugin
 FILTER_AAAA_DESC=	Build with AAAA filter functionality (contrib)
 
 .include <bsd.port.options.mk>
 
 LIB_DEPENDS+=	libexpat.so:${PORTSDIR}/textproc/expat2 \
 		libldns.so:${PORTSDIR}/dns/ldns
 
 STRIP_FILES=	.libs/libunbound.so unbound-checkconf unbound \
 		unbound-control .libs/unbound-host .libs/unbound-anchor
 
 .if ${PORT_OPTIONS:MPYTHON}
 USES+=		python:2
 CONFIGURE_ARGS+=--with-pyunbound=yes --with-pythonmodule=yes LDFLAGS="-L${LOCALBASE}/lib"
 BUILD_DEPENDS+=	swig:${PORTSDIR}/devel/swig13
 STRIP_FILES+=	.libs/_unbound.so
 PYTHON=
 .else
 PYTHON=		"@comment "
 .endif
 
 .if ${PORT_OPTIONS:MGOST}
 . if ${OPSYS} == FreeBSD && ${OSVERSION} < 1000015
 WITH_OPENSSL_PORT=	yes
 . endif
 DEPENDS_ARGS+=	WITH_GOST=yes
 .else
 CONFIGURE_ARGS+=--disable-gost
 .endif
 
 .if ${PORT_OPTIONS:MECDSA}
 DEPENDS_ARGS+=	WITH_ECDSA=yes
 .else
 CONFIGURE_ARGS+=--disable-ecdsa
 .endif
 
 .if ${PORT_OPTIONS:MMUNIN}
 SUB_FILES+=	pkg-message
 MUNIN_ALL=	hits queue memory by_type by_class by_opcode by_rcode \
 		by_flags histogram
 MUNIN=
 .else
 MUNIN=		"@comment "
 .endif
 
 .if ${PORT_OPTIONS:MLIBEVENT}
 LIB_DEPENDS+=	libevent.so:${PORTSDIR}/devel/libevent2
 USES+=		pkgconfig
 CONFIGURE_ARGS+=--with-libevent
 CPPFLAGS+=	$$(pkg-config libevent --cflags-only-I)
 LDFLAGS+=	$$(pkg-config libevent --libs-only-L)
 .else
 CONFIGURE_ARGS+=--with-libevent=no
 .endif
 
 .if empty(PORT_OPTIONS:MTHREADS)
 CONFIGURE_ARGS+=--without-pthreads
 .endif
 
 post-patch:
-	@${MKDIR} ${WRKSRC}/balancer
 	@${RM} ${WRKSRC}/util/configlexer.c
 	@${REINPLACE_CMD} -e 's|if test ! -e $$(DESTDIR)$$(configfile); then || ; \
 		s|$$(configfile); fi|$$(configfile).sample|' \
 		${WRKSRC}/Makefile.in
 .if ${PORT_OPTIONS:MFILTER_AAAA}
 	${CAT} ${WRKSRC}/contrib/aaaa-filter-iterator.patch | ${PATCH} -d ${WRKSRC} -p1 -s
 .endif
 
 post-build:
 	@for s in ${STRIP_FILES}; do ${STRIP_CMD} ${WRKSRC}/$$s; done
 
 post-install:
 .if ${PORT_OPTIONS:MPYTHON}
 	@${STRIP_CMD} ${STAGEDIR}${PYTHON_SITELIBDIR}/_unbound.so
 .endif
 .if ${PORT_OPTIONS:MMUNIN}
 	@${MKDIR} ${STAGEDIR}${PREFIX}/share/munin/plugins
 	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/munin/plugins
 	@${INSTALL_SCRIPT} ${WRKDIR}/unbound-${PORTVERSION}/contrib/unbound_munin_\
 		${STAGEDIR}${PREFIX}/share/munin/plugins/
 	@for i in ${MUNIN_ALL}; do\
 		${LN} -fs ${PREFIX}/share/munin/plugins/unbound_munin_\
 			${STAGEDIR}${PREFIX}/etc/munin/plugins/unbound_munin_$$i ;\
 	done
 	@${ECHO_MSG}
 	@${ECHO_MSG} "============================================================="
 	@${CAT} ${WRKDIR}/pkg-message
 	@${ECHO_MSG} "============================================================="
 .endif
-.if ${PORT_OPTIONS:MDOCS}
-	@${MKDIR} ${STAGEDIR}${DOCSDIR}; \
-	for f in ${PORTDOCS}; do \
-		cd ${WRKSRC}/doc && ${INSTALL_DATA} $${f} ${STAGEDIR}${DOCSDIR}/; \
-	done
-.endif
+
+post-install-DOCS-on:
+	${MKDIR} ${STAGEDIR}${DOCSDIR}
+	${INSTALL_DATA} ${PORTDOCS:S|^|${WRKSRC}/doc/|} ${STAGEDIR}${DOCSDIR}
 
 regression-test: build
 	cd ${WRKSRC} && ${MAKE} test
 
 .include <bsd.port.mk>
Index: head/dns/unbound/distinfo
===================================================================
--- head/dns/unbound/distinfo	(revision 408046)
+++ head/dns/unbound/distinfo	(revision 408047)
@@ -1,2 +1,2 @@
-SHA256 (unbound-1.5.5.tar.gz) = f3bd7d3bc9519e8717abdc35c26cb2d84c3c3a3e2cd657604307e6860b37da5e
-SIZE (unbound-1.5.5.tar.gz) = 4849969
+SHA256 (unbound-1.5.7.tar.gz) = 4b2088e5aa81a2d48f6337c30c1cf7e99b2e2dc4f92e463b3bee626eee731ca8
+SIZE (unbound-1.5.7.tar.gz) = 4859573
Index: head/dns/unbound/files/patch-contrib-aaaa-filter-iterator.patch
===================================================================
--- head/dns/unbound/files/patch-contrib-aaaa-filter-iterator.patch	(revision 408046)
+++ head/dns/unbound/files/patch-contrib-aaaa-filter-iterator.patch	(revision 408047)
@@ -1,39 +1,345 @@
---- contrib/aaaa-filter-iterator.patch.orig	2015-08-19 18:27:55.176868361 +0300
-+++ contrib/aaaa-filter-iterator.patch	2015-08-19 18:28:04.744973136 +0300
-@@ -16,14 +16,14 @@
-  on your private network, and are not allowed to be returned for public
- --- unbound-1.4.17.orig/util/config_file.c
- +++ unbound-1.4.17/util/config_file.c
+--- contrib/aaaa-filter-iterator.patch.orig	2016-01-04 12:57:42 UTC
++++ contrib/aaaa-filter-iterator.patch
+@@ -1,8 +1,10 @@
+---- unbound-1.4.17.orig/doc/unbound.conf.5.in
+-+++ unbound-1.4.17/doc/unbound.conf.5.in
+-@@ -519,6 +519,13 @@ authority servers and checks if the repl
+- Disabled by default. 
+- This feature is an experimental implementation of draft dns\-0x20.
++Index: trunk/doc/unbound.conf.5.in
++===================================================================
++--- trunk/doc/unbound.conf.5.in	(revision 3587)
+++++ trunk/doc/unbound.conf.5.in	(working copy)
++@@ -593,6 +593,13 @@
++ possible. Best effort approach, full QNAME and original QTYPE will be sent when
++ upstream replies with a RCODE other than NOERROR. Default is off.
+  .TP
+ +.B aaaa\-filter: \fI<yes or no>
+ +Activate behavior similar to BIND's AAAA-filter.
+@@ -13,20 +15,12 @@
+ +.TP
+  .B private\-address: \fI<IP address or subnet>
+  Give IPv4 of IPv6 addresses or classless subnets. These are addresses
+- on your private network, and are not allowed to be returned for public
+---- unbound-1.4.17.orig/util/config_file.c
+-+++ unbound-1.4.17/util/config_file.c
 -@@ -160,6 +160,7 @@ config_create(void)
 - 	cfg->harden_below_nxdomain = 0;
-+@@ -174,6 +174,7 @@
-  	cfg->harden_referral_path = 0;
-+ 	cfg->harden_algo_downgrade = 1;
-  	cfg->use_caps_bits_for_id = 0;
- +	cfg->aaaa_filter = 0; /* ASN: default is disabled */
-+ 	cfg->caps_whitelist = NULL;
-  	cfg->private_address = NULL;
-  	cfg->private_domain = NULL;
+- 	cfg->harden_referral_path = 0;
+- 	cfg->use_caps_bits_for_id = 0;
+-+	cfg->aaaa_filter = 0; /* ASN: default is disabled */
+- 	cfg->private_address = NULL;
+- 	cfg->private_domain = NULL;
 - 	cfg->unwanted_threshold = 0;
- --- unbound-1.4.17.orig/iterator/iter_scrub.c
- +++ unbound-1.4.17/iterator/iter_scrub.c
- @@ -580,6 +580,32 @@ static int sanitize_nsec_is_overreach(st
-@@ -329,15 +329,15 @@
+---- unbound-1.4.17.orig/iterator/iter_scrub.c
+-+++ unbound-1.4.17/iterator/iter_scrub.c
+-@@ -580,6 +580,32 @@ static int sanitize_nsec_is_overreach(st
++ on your private network, and are not allowed to be returned for
++Index: trunk/iterator/iter_scrub.c
++===================================================================
++--- trunk/iterator/iter_scrub.c	(revision 3587)
+++++ trunk/iterator/iter_scrub.c	(working copy)
++@@ -617,6 +617,32 @@
+  }
+  
+  /**
+@@ -38,7 +32,7 @@
+ + */
+ +static int
+ +asn_lookup_a_record_from_cache(struct query_info* qinfo,
+-+	struct module_env* env, struct iter_env* ie)
+++	struct module_env* env, struct iter_env* ATTR_UNUSED(ie))
+ +{
+ +	struct ub_packed_rrset_key* akey;
+ +
+@@ -59,7 +53,7 @@
+   * Given a response event, remove suspect RRsets from the response.
+   * "Suspect" rrsets are potentially poison. Note that this routine expects
+   * the response to be in a "normalized" state -- that is, all "irrelevant"
+-@@ -598,6 +625,7 @@ scrub_sanitize(ldns_buffer* pkt, struct
++@@ -635,6 +661,7 @@
+  	struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
+  	struct iter_env* ie)
+  {
+@@ -67,7 +61,7 @@
+  	int del_addi = 0; /* if additional-holding rrsets are deleted, we
+  		do not trust the normalized additional-A-AAAA any more */
+  	struct rrset_parse* rrset, *prev;
+-@@ -633,6 +661,13 @@ scrub_sanitize(ldns_buffer* pkt, struct
++@@ -670,6 +697,13 @@
+  		rrset = rrset->rrset_all_next;
+  	}
+  
+@@ -81,7 +75,7 @@
+  	/* At this point, we brutally remove ALL rrsets that aren't 
+  	 * children of the originating zone. The idea here is that, 
+  	 * as far as we know, the server that we contacted is ONLY 
+-@@ -644,6 +679,24 @@ scrub_sanitize(ldns_buffer* pkt, struct
++@@ -681,6 +715,24 @@
+  	rrset = msg->rrset_first;
+  	while(rrset) {
+  
+@@ -105,10 +99,24 @@
+ +
+  		/* remove private addresses */
+  		if( (rrset->type == LDNS_RR_TYPE_A || 
+- 			rrset->type == LDNS_RR_TYPE_AAAA) &&
+---- unbound-1.4.17.orig/iterator/iterator.c
+-+++ unbound-1.4.17/iterator/iterator.c
+-@@ -1579,6 +1579,53 @@ processDSNSFind(struct module_qstate* qs
++ 			rrset->type == LDNS_RR_TYPE_AAAA)) {
++Index: trunk/iterator/iter_utils.c
++===================================================================
++--- trunk/iterator/iter_utils.c	(revision 3587)
+++++ trunk/iterator/iter_utils.c	(working copy)
++@@ -175,6 +175,7 @@
++ 	}
++ 	iter_env->supports_ipv6 = cfg->do_ip6;
++ 	iter_env->supports_ipv4 = cfg->do_ip4;
+++	iter_env->aaaa_filter = cfg->aaaa_filter;
++ 	return 1;
++ }
++ 
++Index: trunk/iterator/iterator.c
++===================================================================
++--- trunk/iterator/iterator.c	(revision 3587)
+++++ trunk/iterator/iterator.c	(working copy)
++@@ -1776,6 +1776,53 @@
+  
+  	return 0;
+  }
+@@ -128,7 +136,7 @@
+ + */
+ +static int
+ +asn_processQueryAAAA(struct module_qstate* qstate, struct iter_qstate* iq,
+-+	struct iter_env* ie, int id)
+++	struct iter_env* ATTR_UNUSED(ie), int id)
+ +{
+ +	struct module_qstate* subq = NULL;
+ +
+@@ -162,7 +170,7 @@
+  	
+  /** 
+   * This is the request event state where the request will be sent to one of
+-@@ -1626,6 +1673,13 @@ processQueryTargets(struct module_qstate
++@@ -1823,6 +1870,13 @@
+  		return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+  	}
+  	
+@@ -176,7 +184,7 @@
+  	/* Make sure we have a delegation point, otherwise priming failed
+  	 * or another failure occurred */
+  	if(!iq->dp) {
+-@@ -2568,6 +2622,62 @@ processFinished(struct module_qstate* qs
++@@ -2922,6 +2976,61 @@
+  	return 0;
+  }
+  
+@@ -195,9 +203,8 @@
+ +asn_processAAAAResponse(struct module_qstate* qstate, int id,
+ +	struct module_qstate* super)
+ +{
+-+	struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id];
+++	/*struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id];*/
+ +	struct iter_qstate* super_iq = (struct iter_qstate*)super->minfo[id];
+-+	struct ub_packed_rrset_key* rrset;
+ +	struct delegpt_ns* dpns = NULL;
+ +	int error = (qstate->return_rcode != LDNS_RCODE_NOERROR);
+ +
+@@ -239,7 +246,7 @@
+  /*
+   * Return priming query results to interestes super querystates.
+   * 
+-@@ -2587,6 +2697,9 @@ iter_inform_super(struct module_qstate*
++@@ -2941,6 +3050,9 @@
+  	else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*)
+  		super->minfo[id])->state == DSNS_FIND_STATE)
+  		processDSNSResponse(qstate, id, super);
+@@ -249,7 +256,7 @@
+  	else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
+  		error_supers(qstate, id, super);
+  	else if(qstate->is_priming)
+-@@ -2624,6 +2737,9 @@ iter_handle(struct module_qstate* qstate
++@@ -2978,6 +3090,9 @@
+  			case INIT_REQUEST_3_STATE:
+  				cont = processInitRequest3(qstate, iq, id);
+  				break;
+@@ -259,7 +266,7 @@
+  			case QUERYTARGETS_STATE:
+  				cont = processQueryTargets(qstate, iq, ie, id);
+  				break;
+-@@ -2863,6 +2979,8 @@ iter_state_to_string(enum iter_state sta
++@@ -3270,6 +3385,8 @@
+  		return "INIT REQUEST STATE (stage 2)";
+  	case INIT_REQUEST_3_STATE:
+  		return "INIT REQUEST STATE (stage 3)";
+@@ -268,7 +275,7 @@
+  	case QUERYTARGETS_STATE :
+  		return "QUERY TARGETS STATE";
+  	case PRIME_RESP_STATE :
+-@@ -2887,6 +3005,7 @@ iter_state_is_responsestate(enum iter_st
++@@ -3294,6 +3411,7 @@
+  		case INIT_REQUEST_STATE :
+  		case INIT_REQUEST_2_STATE :
+  		case INIT_REQUEST_3_STATE :
+@@ -276,29 +283,21 @@
+  		case QUERYTARGETS_STATE :
+  		case COLLECT_CLASS_STATE :
+  			return 0;
+---- unbound-1.4.17.orig/iterator/iter_utils.c
+-+++ unbound-1.4.17/iterator/iter_utils.c
+-@@ -128,6 +128,7 @@ iter_apply_cfg(struct iter_env* iter_env
+- 	}
+- 	iter_env->supports_ipv6 = cfg->do_ip6;
+- 	iter_env->supports_ipv4 = cfg->do_ip4;
+-+	iter_env->aaaa_filter = cfg->aaaa_filter;
+- 	return 1;
+- }
+- 
+---- unbound-1.4.17.orig/iterator/iterator.h
+-+++ unbound-1.4.17/iterator/iterator.h
+-@@ -110,6 +110,9 @@ struct iter_env {
+- 	 * array of max_dependency_depth+1 size.
++Index: trunk/iterator/iterator.h
++===================================================================
++--- trunk/iterator/iterator.h	(revision 3587)
+++++ trunk/iterator/iterator.h	(working copy)
++@@ -113,6 +113,9 @@
+  	 */
+  	int* target_fetch_policy;
+-+
++ 
+ +	/** ASN: AAAA-filter flag */
+ +	int aaaa_filter;
+++
++ 	/** ip6.arpa dname in wireformat, used for qname-minimisation */
++ 	uint8_t* ip6arpa_dname;
   };
- --- unbound-1.4.17.orig/util/config_file.h
- +++ unbound-1.4.17/util/config_file.h
+- 
+- /**
+-@@ -135,6 +138,14 @@ enum iter_state {
++@@ -163,6 +166,14 @@
+  	INIT_REQUEST_3_STATE,
+  
+  	/**
+@@ -312,8 +311,8 @@
+ +	/**
+  	 * Each time a delegation point changes for a given query or a 
+  	 * query times out and/or wakes up, this state is (re)visited. 
+- 	 * This state is responsible for iterating through a list of 
+-@@ -309,6 +320,13 @@ struct iter_qstate {
++ 	 * This state is reponsible for iterating through a list of 
++@@ -346,6 +357,13 @@
+  	 */
+  	int refetch_glue;
+  
+@@ -326,31 +325,61 @@
+ +
+  	/** list of pending queries to authoritative servers. */
+  	struct outbound_list outlist;
+- };
+---- unbound-1.4.17.orig/util/config_file.h
+-+++ unbound-1.4.17/util/config_file.h
 -@@ -169,6 +169,8 @@ struct config_file {
 - 	int harden_referral_path;
-+@@ -180,6 +180,8 @@
++ 
++Index: trunk/pythonmod/interface.i
++===================================================================
++--- trunk/pythonmod/interface.i	(revision 3587)
+++++ trunk/pythonmod/interface.i	(working copy)
++@@ -632,6 +632,7 @@
++    int harden_dnssec_stripped;
++    int harden_referral_path;
++    int use_caps_bits_for_id;
+++   int aaaa_filter; /* ASN */
++    struct config_strlist* private_address;
++    struct config_strlist* private_domain;
++    size_t unwanted_threshold;
++Index: trunk/util/config_file.c
++===================================================================
++--- trunk/util/config_file.c	(revision 3587)
+++++ trunk/util/config_file.c	(working copy)
++@@ -176,6 +176,7 @@
++ 	cfg->harden_referral_path = 0;
++ 	cfg->harden_algo_downgrade = 0;
++ 	cfg->use_caps_bits_for_id = 0;
+++	cfg->aaaa_filter = 0; /* ASN: default is disabled */
++ 	cfg->caps_whitelist = NULL;
++ 	cfg->private_address = NULL;
++ 	cfg->private_domain = NULL;
++Index: trunk/util/config_file.h
++===================================================================
++--- trunk/util/config_file.h	(revision 3587)
+++++ trunk/util/config_file.h	(working copy)
++@@ -179,6 +179,8 @@
++ 	int harden_algo_downgrade;
   	/** use 0x20 bits in query as random ID bits */
   	int use_caps_bits_for_id;
-+ 	/** 0x20 whitelist, domains that do not use capsforid */
  +	/** ASN: enable AAAA filter? */
  +	int aaaa_filter;
++ 	/** 0x20 whitelist, domains that do not use capsforid */
 + 	struct config_strlist* caps_whitelist;
   	/** strip away these private addrs from answers, no DNS Rebinding */
-  	struct config_strlist* private_address;
+- 	struct config_strlist* private_address;
 - 	/** allow domain (and subdomains) to use private address space */
- --- unbound-1.4.17.orig/util/configlexer.lex
- +++ unbound-1.4.17/util/configlexer.lex
- @@ -177,6 +177,7 @@ harden-below-nxdomain{COLON}	{ YDVAR(1,
+---- unbound-1.4.17.orig/util/configlexer.lex
+-+++ unbound-1.4.17/util/configlexer.lex
+-@@ -177,6 +177,7 @@ harden-below-nxdomain{COLON}	{ YDVAR(1,
+- harden-referral-path{COLON}	{ YDVAR(1, VAR_HARDEN_REFERRAL_PATH) }
++Index: trunk/util/configlexer.lex
++===================================================================
++--- trunk/util/configlexer.lex	(revision 3587)
+++++ trunk/util/configlexer.lex	(working copy)
++@@ -267,6 +267,7 @@
+  use-caps-for-id{COLON}		{ YDVAR(1, VAR_USE_CAPS_FOR_ID) }
++ caps-whitelist{COLON}		{ YDVAR(1, VAR_CAPS_WHITELIST) }
+  unwanted-reply-threshold{COLON}	{ YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
+ +aaaa-filter{COLON}		{ YDVAR(1, VAR_AAAA_FILTER) }
+  private-address{COLON}		{ YDVAR(1, VAR_PRIVATE_ADDRESS) }
+  private-domain{COLON}		{ YDVAR(1, VAR_PRIVATE_DOMAIN) }
+  prefetch-key{COLON}		{ YDVAR(1, VAR_PREFETCH_KEY) }
+---- unbound-1.4.17.orig/util/configparser.y
+-+++ unbound-1.4.17/util/configparser.y
+-@@ -92,6 +92,7 @@ extern struct config_parser_state* cfg_p
++Index: trunk/util/configparser.y
++===================================================================
++--- trunk/util/configparser.y	(revision 3587)
+++++ trunk/util/configparser.y	(working copy)
++@@ -92,6 +92,7 @@
+  %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT 
+  %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
+  %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
+@@ -358,7 +387,7 @@
+  %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
+  %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
+  %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
+-@@ -151,6 +152,7 @@ content_server: server_num_threads | ser
++@@ -169,6 +170,7 @@
+  	server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
+  	server_harden_referral_path | server_private_address |
+  	server_private_domain | server_extended_statistics | 
+@@ -366,8 +395,8 @@
+  	server_local_data_ptr | server_jostle_timeout | 
+  	server_unwanted_reply_threshold | server_log_time_ascii | 
+  	server_domain_insecure | server_val_sig_skew_min | 
+-@@ -802,6 +803,15 @@ server_use_caps_for_id: VAR_USE_CAPS_FOR
+- 		free($2);
++@@ -893,6 +895,15 @@
++ 			yyerror("out of memory");
+  	}
+  	;
+ +server_aaaa_filter: VAR_AAAA_FILTER STRING_ARG
+@@ -382,13 +411,3 @@
+  server_private_address: VAR_PRIVATE_ADDRESS STRING_ARG
+  	{
+  		OUTYY(("P(server_private_address:%s)\n", $2));
+---- unbound-1.4.17.orig/pythonmod/interface.i
+-+++ unbound-1.4.17/pythonmod/interface.i
+-@@ -626,6 +626,7 @@ struct config_file {
+-    int harden_dnssec_stripped;
+-    int harden_referral_path;
+-    int use_caps_bits_for_id;
+-+   int aaaa_filter; /* ASN */
+-    struct config_strlist* private_address;
+-    struct config_strlist* private_domain;
+-    size_t unwanted_threshold;
Index: head/dns/unbound/pkg-plist
===================================================================
--- head/dns/unbound/pkg-plist	(revision 408046)
+++ head/dns/unbound/pkg-plist	(revision 408047)
@@ -1,64 +1,64 @@
 etc/unbound/unbound.conf.sample
 include/unbound.h
-lib/libunbound.so.2.3.8
+lib/libunbound.so.2.3.10
 lib/libunbound.so.2
 lib/libunbound.so
 lib/libunbound.a
 man/man1/unbound-host.1.gz
 man/man3/libunbound.3.gz
 man/man3/ub_cancel.3.gz
 man/man3/ub_ctx.3.gz
 man/man3/ub_ctx_add_ta.3.gz
 man/man3/ub_ctx_add_ta_file.3.gz
 man/man3/ub_ctx_async.3.gz
 man/man3/ub_ctx_config.3.gz
 man/man3/ub_ctx_create.3.gz
 man/man3/ub_ctx_data_add.3.gz
 man/man3/ub_ctx_data_remove.3.gz
 man/man3/ub_ctx_debuglevel.3.gz
 man/man3/ub_ctx_debugout.3.gz
 man/man3/ub_ctx_delete.3.gz
 man/man3/ub_ctx_get_option.3.gz
 man/man3/ub_ctx_hosts.3.gz
 man/man3/ub_ctx_print_local_zones.3.gz
 man/man3/ub_ctx_resolvconf.3.gz
 man/man3/ub_ctx_set_fwd.3.gz
 man/man3/ub_ctx_set_option.3.gz
 man/man3/ub_ctx_trustedkeys.3.gz
 man/man3/ub_ctx_zone_add.3.gz
 man/man3/ub_ctx_zone_remove.3.gz
 man/man3/ub_fd.3.gz
 man/man3/ub_poll.3.gz
 man/man3/ub_process.3.gz
 man/man3/ub_resolve.3.gz
 man/man3/ub_resolve_async.3.gz
 man/man3/ub_resolve_free.3.gz
 man/man3/ub_result.3.gz
 man/man3/ub_strerror.3.gz
 man/man3/ub_wait.3.gz
 man/man5/unbound.conf.5.gz
 man/man8/unbound-anchor.8.gz
 man/man8/unbound-checkconf.8.gz
 man/man8/unbound-control-setup.8.gz
 man/man8/unbound-control.8.gz
 man/man8/unbound.8.gz
 sbin/unbound
 sbin/unbound-anchor
 sbin/unbound-checkconf
 sbin/unbound-control
 sbin/unbound-control-setup
 sbin/unbound-host
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/_unbound.so
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/unbound.py
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/unboundmodule.py
 %%MUNIN%%etc/munin/plugins/unbound_munin_by_class
 %%MUNIN%%etc/munin/plugins/unbound_munin_by_flags
 %%MUNIN%%etc/munin/plugins/unbound_munin_by_opcode
 %%MUNIN%%etc/munin/plugins/unbound_munin_by_rcode
 %%MUNIN%%etc/munin/plugins/unbound_munin_by_type
 %%MUNIN%%etc/munin/plugins/unbound_munin_histogram
 %%MUNIN%%etc/munin/plugins/unbound_munin_hits
 %%MUNIN%%etc/munin/plugins/unbound_munin_memory
 %%MUNIN%%etc/munin/plugins/unbound_munin_queue
 %%MUNIN%%share/munin/plugins/unbound_munin_
 @dir(unbound,,) %%ETCDIR%%
Index: head/mail/opendkim/Makefile
===================================================================
--- head/mail/opendkim/Makefile	(revision 408046)
+++ head/mail/opendkim/Makefile	(revision 408047)
@@ -1,180 +1,180 @@
 # Created by: Hirohisa Yamaguchi <umq@ueo.co.jp>
 # $FreeBSD$
 
 PORTNAME=		opendkim
 PORTVERSION=		2.10.3
-PORTREVISION=		1
+PORTREVISION=		2
 CATEGORIES=		mail security
 MASTER_SITES=		SF/${PORTNAME} \
 			SF/${PORTNAME}/Previous%20Releases \
 			ftp://ftpmirror.uk/freebsd-ports/${PORTNAME}/
 
 MAINTAINER=		freebsd-ports@dan.me.uk
 COMMENT=		DKIM library and milter implementation
 
 LICENSE=		BSD3CLAUSE SENDMAIL
 LICENSE_COMB=		multi
 
 LICENSE_FILE_SENDMAIL=	${WRKSRC}/LICENSE.Sendmail
 LICENSE_GROUPS_SENDMAIL=	FSF OSI
 LICENSE_NAME_SENDMAIL=	Sendmail Open Source License
 LICENSE_PERMS_SENDMAIL=	dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
 
 GNU_CONFIGURE=	yes
 NO_OPTIONS_SORT=yes
 USES=		libtool perl5 pkgconfig shebangfix
 USE_PERL5=	run
 SHEBANG_FILES=	opendkim/opendkim-genkey* reputation/opendkim-* stats/opendkim-* \
 		reprrd/opendkim-reprrdimport*
 USE_OPENSSL=	yes
 USE_LDCONFIG=	yes
 
 PORTDOCS=	*
 
 CONFIGURE_ARGS+=	--without-tre
 
 OPTIONS_SUB=		yes
 OPTIONS_SINGLE=		RESOLV
 OPTIONS_SINGLE_RESOLV=	STOCK_RESOLVER UNBOUND
 OPTIONS_DEFINE=		FILTER CURL GNUTLS JANSSON LDNS LMDB LUA MEMCACHED \
 			BDB_BASE OPENDBX OPENLDAP POPAUTH QUERY_CACHE SASL
 OPTIONS_DEFAULT=	FILTER LUA UNBOUND
 
 STOCK_RESOLVER_DESC=	Use the stock resolver library
 
 UNBOUND_DESC=		Use unbound DNS library
 UNBOUND_CONFIGURE_WITH=	unbound
 UNBOUND_LIB_DEPENDS=	libunbound.so:${PORTSDIR}/dns/unbound
 
 FILTER_DESC=		OpenDKIM filter, requires libmilter/Sendmail
 FILTER_USE=		RC_SUBR=milter-opendkim
 
 CURL_DESC=		Use cURL for web queries
 CURL_CONFIGURE_WITH=	libcurl
 CURL_LIB_DEPENDS=	libcurl.so:${PORTSDIR}/ftp/curl
 
 GNUTLS_DESC=		Use GnuTLS instead of OpenSSL
 GNUTLS_LIB_DEPENDS=	libgnutls.so:${PORTSDIR}/security/gnutls
 GNUTLS_CONFIGURE_WITH=	gnutls
 GNUTLS_CONFIGURE_OFF=	--with-openssl=${OPENSSLBASE}
 
 JANSSON_DESC=		Statistics and other output as JSON data
 JANSSON_CONFIGURE_WITH=	libjansson
 JANSSON_LIB_DEPENDS=	libjansson.so:${PORTSDIR}/devel/jansson
 
 LDNS_DESC=		Use LDNS library for DNS queries
 LDNS_CONFIGURE_WITH=	ldns
 LDNS_LIB_DEPENDS=	libldns.so:${PORTSDIR}/dns/ldns
 
 LMDB_DESC=		Use Lightning Memory-Mapped DB key-value store
 LMDB_CONFIGURE_WITH=	lmdb
 LMDB_LIB_DEPENDS=	liblmdb.so:${PORTSDIR}/databases/lmdb
 
 LUA_DESC=		Describe filter policy with lua
 LUA_CONFIGURE_WITH=	lua
 LUA_USES=		lua
 
 MEMCACHED_DESC=		Use memcached as a data set
 MEMCACHED_CONFIGURE_WITH=	libmemcached
 MEMCACHED_LIB_DEPENDS=	libmemcached.so:${PORTSDIR}/databases/libmemcached
 
 BDB_BASE_DESC=		Use Berkeley DB from base
 
 OPENDBX_DESC=		Store filter policies via OpenDBX
 OPENDBX_CONFIGURE_WITH=	odbx
 OPENDBX_LIB_DEPENDS=	libopendbx.so:${PORTSDIR}/databases/opendbx
 
 OPENLDAP_DESC=		Store filter policies in LDAP
 OPENLDAP_CONFIGURE_WITH=openldap
 OPENLDAP_USE=		OPENLDAP=yes
 
 POPAUTH_DESC=		Use POP authentication DB
 POPAUTH_CONFIGURE_ENABLE=	popauth
 
 QUERY_CACHE_DESC=	Cache DNS query results locally
 QUERY_CACHE_CONFIGURE_ENABLE=	query_cache
 
 SASL_DESC=		Enable SASL authentication with LDAP
 SASL_CONFIGURE_WITH=	sasl
 
 DOCS_CONFIGURE_ON=	--docdir=${WRKDIR}/doc
 
 MAKE_ARGS+=	pkgconfigdir="${PREFIX}/libdata/pkgconfig"
 MAKE_ENV=	INSTALL_STRIP_FLAG=${STRIP}
 
 .include "${.CURDIR}/Makefile.options"
 
 .include <bsd.port.options.mk>
 
 .if ${PORT_OPTIONS:MSASL} && ${PORT_OPTIONS:MOPENLDAP}
 WANT_OPENLDAP_SASL=	yes
 .endif
 
 .if ${PORT_OPTIONS:MFILTER}
 SUB_FILES=		pkg-message
 WITHOUT_MILTER_CFLAGS=	yes
 WITHOUT_MILTER_LDFLAGS=	yes
 .include "${PORTSDIR}/mail/sendmail/bsd.milter.mk"
 CONFIGURE_ARGS+=	--with-milter=${MILTERBASE}
 .endif
 
 .if ${PORT_OPTIONS:MLUA_ONLY_SIGNING} || \
     ${PORT_OPTIONS:MRBL}
 .if !${PORT_OPTIONS:MLUA}
 IGNORE= options LUA_ONLY_SIGNING and RBL require LUA as well
 .endif
 .endif
 
 .if ${PORT_OPTIONS:MREPUTATION}
 .if !${PORT_OPTIONS:MCURL} || !${PORT_OPTIONS:MJANSSON}
 IGNORE= option REPUTATION requires CURL and JANSSON as well
 .endif
 .endif
 
 .if ${PORT_OPTIONS:MSTATSEXT}
 .if !${PORT_OPTIONS:MSTATS} || !${PORT_OPTIONS:MLUA}
 IGNORE= option STATSEXT requires STATS and LUA as well
 .endif
 .endif
 
 .if ${PORT_OPTIONS:MPOPAUTH}             \
 	|| ${PORT_OPTIONS:MQUERY_CACHE}  \
 	|| ${PORT_OPTIONS:MLDAP_CACHING} \
 	|| ${PORT_OPTIONS:MREPUTATION}   \
 	|| ${PORT_OPTIONS:MSTATS}
 . if ${PORT_OPTIONS:MBDB_BASE}
 CONFIGURE_ARGS+=	--with-db-lib=c
 . else
 CONFIGURE_ARGS+=	--with-db-incdir=${BDB_INCLUDE_DIR} \
 			--with-db-libdir=${BDB_LIB_DIR}     \
 			--with-db-lib=${BDB_LIB_NAME}
 USE_BDB=		40+
 . endif
 .endif
 
 .if ${PORT_OPTIONS:MCODECOVERAGE}
 LDFLAGS+=		-lpthread
 .endif
 
 pre-configure:
 	${REINPLACE_CMD} -e '/LIBLUA_LIBS/s/lua5\.[0-9]/lua-${LUA_VER}/' \
 	    -e '/PKG_CONFIG/s/lua5\.[0-9]/lua-${LUA_VER}/'		 \
 	    -e '/PKG_CONFIG/s/cyrussasl/libsasl2/'			 \
 	    ${WRKSRC}/configure
 
 post-patch:
 .if ${PORT_OPTIONS:MLCOV}
 	${CP} ${FILESDIR}/lcov-helper.sh ${WRKSRC}/libopendkim/tests/
 	${CP} ${FILESDIR}/lcov-helper.sh ${WRKSRC}/opendkim/tests/
 	${FIND} ${WRKSRC} -type f -name \*-helper.sh -exec ${CHMOD} 755 {} +
 .endif
 
 post-install:
 	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/mail
 	${INSTALL_DATA} ${WRKSRC}/opendkim/opendkim.conf.sample \
 	    ${STAGEDIR}${PREFIX}/etc/mail/
 
 regression-test: build
 	cd ${WRKSRC} ; ${MAKE} check
 
 .include <bsd.port.mk>
Index: head/security/gnutls/Makefile
===================================================================
--- head/security/gnutls/Makefile	(revision 408046)
+++ head/security/gnutls/Makefile	(revision 408047)
@@ -1,71 +1,71 @@
 # $FreeBSD$
 
 PORTNAME=	gnutls
 PORTVERSION=	3.3.17.1
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security net
 MASTER_SITES=	GNUPG/gnutls/v${PORTVERSION:R:R}
 
 MAINTAINER=	bdrewery@FreeBSD.org
 COMMENT=	GNU Transport Layer Security library
 
 LICENSE=	GPLv3 LGPL21
 LICENSE_COMB=	multi
 LICENSE_FILE_GPLv3=	${WRKSRC}/COPYING
 LICENSE_FILE_LGPL21=	${WRKSRC}/COPYING.LESSER
 
 LIB_DEPENDS=	libnettle.so:${PORTSDIR}/security/nettle \
 		libtasn1.so:${PORTSDIR}/security/libtasn1
 BUILD_DEPENDS+=	${LOCALBASE}/share/certs/ca-root-nss.crt:${PORTSDIR}/security/ca_root_nss
 RUN_DEPENDS+=	${LOCALBASE}/share/certs/ca-root-nss.crt:${PORTSDIR}/security/ca_root_nss
 
 USES=		cpe gmake iconv libtool makeinfo pathfix pkgconfig tar:xz
 USE_LDCONFIG=	yes
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--disable-guile \
 		--disable-silent-rules \
 		--enable-local-libopts
 CPPFLAGS+=	-I${LOCALBASE}/include
 LDFLAGS+=	-L${LOCALBASE}/lib
 MAKE_ENV=	MAKEINFOFLAGS=--no-split
 
 CPE_VENDOR=	gnu
 
 OPTIONS_DEFINE=		CRYWRAP EXAMPLES LIBDANE NLS P11KIT TPM ZLIB
 OPTIONS_DEFAULT=	CRYWRAP P11KIT TPM ZLIB
 OPTIONS_SUB=		yes
 
 CRYWRAP_DESC=			Enable Crywrap TLS proxy service
 CRYWRAP_LIB_DEPENDS=		libidn.so:${PORTSDIR}/dns/libidn
 CRYWRAP_CONFIGURE_ENABLE=	crywrap
 
 LIBDANE_DESC=			DNSSEC support for DANE (danetool --check)
 LIBDANE_LIB_DEPENDS=		libunbound.so:${PORTSDIR}/dns/unbound
 LIBDANE_CONFIGURE_ENABLE=	libdane
 
 NLS_CONFIGURE_ENABLE=	nls
 NLS_USES=		gettext
 
 P11KIT_DESC=		PKCS\#11 and p11-kit support
 P11KIT_CONFIGURE_WITH=	p11-kit
 P11KIT_LIB_DEPENDS=	libp11-kit.so:${PORTSDIR}/security/p11-kit
 
 TPM_DESC=		TPM (trousers) support
 TPM_CONFIGURE_WITH=	tpm
 TPM_LIB_DEPENDS=	libtspi.so:${PORTSDIR}/security/trousers
 
 ZLIB_CONFIGURE_WITH=	zlib
 
 INFO=		gnutls gnutls-guile
 
 post-patch:
 	@${RM} ${WRKSRC}/doc/*.info*
 	${SED} -i '' -e 's|^+_NORETURN_H|_NORETURN_H|' \
 	  ${WRKSRC}/src/libopts/Makefile.in
 
 post-install:
 	@${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
 	${INSTALL_DATA} ${WRKSRC}/doc/examples/*.[ch] ${STAGEDIR}${EXAMPLESDIR}
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libgnutls*.so.*
 
 .include <bsd.port.mk>
Index: head/security/strongswan/Makefile
===================================================================
--- head/security/strongswan/Makefile	(revision 408046)
+++ head/security/strongswan/Makefile	(revision 408047)
@@ -1,139 +1,139 @@
 # Created by: Riaan Kruger <riaank@gmail.com>
 # $FreeBSD$
 
 PORTNAME=	strongswan
 PORTVERSION=	5.3.5
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	http://download.strongswan.org/ \
 		http://download2.strongswan.org/
 
 MAINTAINER=	strongswan@nanoteq.com
 COMMENT=	Open Source IKEv2 IPsec-based VPN solution
 
 LICENSE=	GPLv2
 
 USES=		cpe execinfo libtool:keepla pkgconfig tar:bzip2
 USE_OPENSSL=	yes
 USE_RC_SUBR=	strongswan
 GNU_CONFIGURE=	yes
 USE_LDCONFIG=	${PREFIX}/lib/ipsec
 INSTALL_TARGET=	install-strip
 
 CONFIGURE_ARGS=	--enable-kernel-pfkey \
 		--enable-kernel-pfroute  \
 		--disable-kernel-netlink  \
 		--disable-scripts  \
 		--disable-gmp \
 		--enable-openssl \
 		--enable-eap-identity \
 		--enable-eap-md5 \
 		--enable-eap-tls \
 		--enable-eap-mschapv2 \
 		--enable-eap-peap \
 		--enable-eap-ttls \
 		--enable-md4 \
 		--enable-blowfish \
 		--enable-addrblock \
 		--enable-whitelist \
 		--enable-cmd \
 		--with-group=wheel  \
 		--with-lib-prefix=${PREFIX}
 
 OPTIONS_DEFINE=	CURL EAPAKA3GPP2 EAPDYNAMIC EAPRADIUS EAPSIMFILE GCM IKEv1 \
 		IPSECKEY KERNELLIBIPSEC LOADTESTER LDAP MYSQL PKI SCEP SMP \
 		SQLITE SWANCTL TESTVECTOR UNBOUND UNITY VICI XAUTH
 OPTIONS_DEFAULT=	IKEv1 BUILTIN
 OPTIONS_SINGLE=	PRINTF_HOOKS
 OPTIONS_SINGLE_PRINTF_HOOKS=	BUILTIN VSTR LIBC
 OPTIONS_SUB=	yes
 CURL_DESC=	Enable CURL to fetch CRL/OCSP
 EAPAKA3GPP2_DESC=	Enable EAP AKA with 3gpp2 backend
 EAPDYNAMIC_DESC=	Enable EAP dynamic proxy module
 EAPRADIUS_DESC=		Enable EAP Radius proxy authentication
 EAPSIMFILE_DESC=	Enable EAP SIM with file backend
 GCM_DESC=		Enable GCM AEAD wrapper crypto plugin
 IKEv1_DESC=	Enable IKEv1 support
 IPSECKEY_DESC=	Enable authentication with IPSECKEY resource records with DNSSEC
 KERNELLIBIPSEC_DESC=	Enable IPSec userland backend
 LOADTESTER_DESC=	Enable load testing plugin
 TESTVECTOR_DESC=	Enable crypto test vectors
 PKI_DESC=	Enable PKI tools
 SCEP_DESC=	Enable Simple Certificate Enrollment Protocol
 SMP_DESC=	Enable XML-based management protocol (DEPRECATED)
 SWANCTL_DESC=	Install swanctl
 UNBOUND_DESC=	Enable DNSSEC-enabled resolver
 UNITY_DESC=	Enable Cisco Unity extension plugin
 VICI_DESC=	Enable VICI management protocol
 XAUTH_DESC=	Enable XAuth password verification
 BUILTIN_DESC=	Use builtin printf hooks
 LIBC_DESC=	Use libc printf hooks
 VSTR_DESC=	Use devel/vstr printf hooks
 
 # Extra options
 CURL_CONFIGURE_ON=	--enable-curl
 CURL_LIB_DEPENDS=	libcurl.so:${PORTSDIR}/ftp/curl
 EAPAKA3GPP2_CONFIGURE_ON=	--enable-eap-aka --enable-eap-aka-3gpp2
 EAPAKA3GPP2_LIB_DEPENDS=libgmp.so:${PORTSDIR}/math/gmp
 EAPDYNAMIC_CONFIGURE_ON=--enable-eap-dynamic
 EAPRADIUS_CONFIGURE_ON=	--enable-eap-radius
 EAPSIMFILE_CONFIGURE_ON=--enable-eap-sim --enable-eap-sim-file
 GCM_CONFIGURE_ON=	--enable-gcm
 IKEv1_CONFIGURE_OFF=	--disable-ikev1
 IPSECKEY_CONFIGURE_ON=	--enable-ipseckey
 KERNELLIBIPSEC_CONFIGURE_ON=	--enable-kernel-libipsec
 LOADTESTER_CONFIGURE_ON=--enable-load-tester
 LDAP_CONFIGURE_ON=	--enable-ldap
 LDAP_USE=		OPENLDAP=yes
 MYSQL_CONFIGURE_ON=	--enable-mysql
 MYSQL_USE=		MYSQL=yes
 SMP_LIB_DEPENDS=	libxml2.so:${PORTSDIR}/textproc/libxml2
 SMP_CONFIGURE_ON=	--enable-smp
 SWANCTL_CONFIGURE_ON=	--enable-swanctl
 SQLITE_CONFIGURE_ON=	--enable-sqlite
 SQLITE_LIB_DEPENDS=	libsqlite3.so:${PORTSDIR}/databases/sqlite3
 TESTVECTOR_CONFIGURE_ON=--enable-test-vectors
 PKI_CONFIGURE_OFF=	--disable-pki
 SCEP_CONFIGURE_OFF=	--disable-scepclient
 UNBOUND_CONFIGURE_ON=	--enable-unbound
 UNBOUND_LIB_DEPENDS=	libunbound.so:${PORTSDIR}/dns/unbound
 UNITY_CONFIGURE_ON=	--enable-unity
 VICI_CONFIGURE_ON=	--enable-vici
 XAUTH_CONFIGURE_ON=	--enable-xauth-eap --enable-xauth-generic
 BUILTIN_CONFIGURE_ON=	--with-printf-hooks=builtin
 LIBC_CONFIGURE_ON=	--with-printf-hooks=glibc
 VSTR_CONFIGURE_ON=	--with-printf-hooks=vstr
 VSTR_LIB_DEPENDS=	libvstr.so:devel/vstr
 
 .include <bsd.port.options.mk>
 
 .if ${PORT_OPTIONS:MEAPSIMFILE} || ${PORT_OPTIONS:MEAPAKA3GPP2}
 PLIST_SUB+=	SIMAKA=""
 .else
 PLIST_SUB+=	SIMAKA="@comment "
 .endif
 
 .if ${PORT_OPTIONS:MMYSQL} || ${PORT_OPTIONS:MSQLITE}
 CONFIGURE_ARGS+=	--enable-attr-sql --enable-sql
 PLIST_SUB+=	SQL=""
 .else
 PLIST_SUB+=	SQL="@comment "
 .endif
 
 .if ${PORT_OPTIONS:MIKEv1} || ${PORT_OPTIONS:MXAUTH}
 PLIST_SUB+=	XAUTHGEN=""
 .else
 PLIST_SUB+=	XAUTHGEN="@comment "
 .endif
 
 post-install:
 .if ${PORT_OPTIONS:MVICI}
 	${INSTALL_DATA} ${WRKSRC}/src/libcharon/plugins/vici/libvici.h \
 		${STAGEDIR}${PREFIX}/include
 .endif
 .if ${PORT_OPTIONS:MSWANCTL}
 	${MV} ${STAGEDIR}${PREFIX}/etc/swanctl/swanctl.conf \
 		${STAGEDIR}${PREFIX}/etc/swanctl/swanctl.conf.sample
 .endif
 
 .include <bsd.port.mk>