Description: <short summary of the patch>
 TODO: Put a short summary on the line above and replace this paragraph
 with a longer explanation of this change. Complete the meta-information
 with other relevant fields (see below for details). To make it easier, the
 information below has been extracted from the changelog. Adjust it or drop
 it.
 .
 unbound (1.6.0-3+deb9u2) stretch; urgency=high
 .
   * Cherry-pick upstream commit svn r4441, "patch for CVE-2017-15105:
     vulnerability in the processing of wildcard synthesized NSEC records."
   * Cherry-pick upstream commit svn r4528, "Added tests with wildcard
     expanded NSEC records (CVE-2017-15105 test)".
Author: Robert Edmonds <edmonds@debian.org>

---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: https://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: 2018-02-28

--- unbound-1.6.0.orig/acx_python.m4
+++ unbound-1.6.0/acx_python.m4
@@ -43,7 +43,12 @@ $ac_distutils_result])
                 if test -n "${python_path}"; then
                         python_path="-I$python_path"
                 fi
-                PYTHON_CPPFLAGS=$python_path
+                python_multiarch_path=`$PYTHON -c "import distutils.sysconfig; \
+                        print(distutils.sysconfig.get_python_inc(plat_specific=1));"`
+                if test -n "${python_multiarch_path}"; then
+                        python_multiarch_path="-I$python_multiarch_path"
+                fi
+                PYTHON_CPPFLAGS="$python_path $python_multiarch_path"
         fi
         AC_MSG_RESULT([$PYTHON_CPPFLAGS])
         AC_SUBST([PYTHON_CPPFLAGS])
--- unbound-1.6.0.orig/doc/unbound.conf.5.in
+++ unbound-1.6.0/doc/unbound.conf.5.in
@@ -1205,7 +1205,7 @@ section for options.  To setup the corre
 \fIunbound\-control\-setup\fR(8) utility.
 .TP 5
 .B control\-enable: \fI<yes or no>
-The option is used to enable remote control, default is "no".
+The option is used to enable remote control, default is "yes".
 If turned off, the server does not listen for control commands.
 .TP 5
 .B control\-interface: \fI<ip address or path>
--- unbound-1.6.0.orig/smallapp/unbound-anchor.c
+++ unbound-1.6.0/smallapp/unbound-anchor.c
@@ -241,7 +241,10 @@ static const char*
 get_builtin_ds(void)
 {
 	return
-". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n";
+/* anchor 19036 is from 2010 */
+/* anchor 20326 is from 2017 */
+". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
+". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
 }
 
 /** print hex data */
--- unbound-1.6.0.orig/smallapp/unbound-control-setup.sh.in
+++ unbound-1.6.0/smallapp/unbound-control-setup.sh.in
@@ -155,6 +155,6 @@ chmod o-rw $SVR_BASE.pem $SVR_BASE.key $
 rm -f request.cfg
 rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl"
 
-echo "Setup success. Certificates created. Enable in unbound.conf file to use"
+echo "Setup success. Certificates created."
 
 exit 0
--- unbound-1.6.0.orig/testcode/unitverify.c
+++ unbound-1.6.0/testcode/unitverify.c
@@ -186,7 +186,9 @@ verifytest_rrset(struct module_env* env,
 			ntohs(rrset->rk.rrset_class));
 	}
 	setup_sigalg(dnskey, sigalg); /* check all algorithms in the dnskey */
-	sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, &reason);
+	/* ok to give null as qstate here, won't be used for answer section. */
+	sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, &reason,
+		LDNS_SECTION_ANSWER, NULL);
 	if(vsig) {
 		printf("verify outcome is: %s %s\n", sec_status_to_string(sec),
 			reason?reason:"");
--- /dev/null
+++ unbound-1.6.0/testdata/val_nodata_failwc.rpl
@@ -0,0 +1,71 @@
+; config options
+; The island of trust is at nsecwc.nlnetlabs.nl
+server:
+	trust-anchor: "nsecwc.nlnetlabs.nl.	10024	IN	DS	565 8 2 0C15C04C022700C8713028F6F64CF2343DE627B8F83CDA1C421C65DB 52908A2E"
+	val-override-date: "20181202115531"
+	target-fetch-policy: "0 0 0 0 0"
+	fake-sha1: yes
+	trust-anchor-signaling: no
+stub-zone:
+	name: "nsecwc.nlnetlabs.nl"
+	stub-addr: "185.49.140.60"
+
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with nodata response with wildcard expanded NSEC record, original NSEC owner does not provide proof for QNAME. CVE-2017-15105 test.
+
+ ; ns.example.com.                                                                
+RANGE_BEGIN 0 100                                                                
+	ADDRESS 185.49.140.60
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+nsecwc.nlnetlabs.nl. IN DNSKEY
+SECTION ANSWER
+nsecwc.nlnetlabs.nl.	3600	IN	DNSKEY	257 3 8 AwEAAbTluF4BfJ/FT7Ak5a3VvYG1AqhT8FXxOsVwGTyueyE/hW+fMFMd QlLMf2Lf/gmsnFgn/p7GDmJBLlPTATmLeP3isvAZbK3MDEP2O5UjTVmt LZriTv8xfxYW6emCM54EQjWii64BFWrOeLm9zQqzyaLl53CbIIXqiacV KPteh8GX
+nsecwc.nlnetlabs.nl.	3600	IN	RRSIG	DNSKEY 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. q3bG4e8EtvXKDcNWcyYHeQxLF9l9aJKdmeSubyN6Qc3UVHugd6t3YSxD hlD+g43y7FcdnNHdAPh/jpgC4wtOb5J+5XAuESDHwesmIXOCTJjrb+A8 r+xQK+vsY8FhNZ2r81JZ/KQ/+TcCS5tbYeNZQgENduWAxgGiw3fdrMOV xiU=
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+_25._tcp.mail.nsecwc.nlnetlabs.nl. IN	TLSA
+SECTION ANSWER
+SECTION AUTHORITY
+nsecwc.nlnetlabs.nl.	3600	IN	SOA	ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600
+nsecwc.nlnetlabs.nl.	3600	IN	RRSIG	SOA 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. bYibpCDg1LgrnYJgVahgu94LBqLIcNs4iC0SW8LV7pTI1hhuFKbLkO2O ekPdkJAWmu/KTytf8D+cdcK6X/9VS8QCVIF5S0hraHtNezu0f1B5ztg3 7Rqy+uJSucNKoykueAsz2z43GMgO0rGH3bqM7+3ii8p2E2rhzqEtG/D3 qyY=
+; NSEC has a label lenght of 3, indication that the original owner name is:
+; *.nsecwc.nlnetlabs.nl. The NSEC therefore does no prove the NODATA answer.
+_25._tcp.mail.nsecwc.nlnetlabs.nl. 3600	IN NSEC	delegation.nsecwc.nlnetlabs.nl. TXT RRSIG NSEC
+_25._tcp.mail.nsecwc.nlnetlabs.nl. 3600	IN RRSIG NSEC 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. ddy1MRbshFuFJswlouNGHsZUF/tYu8BOCztY2JuHeTMyWL7rhRKp73q/ 1RAXMwywKsynT5ioY0bMtEQszeIEn29IYaPDHieLAobjF6BMu1kO7U2/ oEBrSHM/fx28BcaM5G4nfCIm3BlhQhWvk1NDHLn3Q26x4hF/dnmFOUet aXw=
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+_25._tcp.mail.nsecwc.nlnetlabs.nl. IN   TLSA
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO SERVFAIL
+SECTION QUESTION
+_25._tcp.mail.nsecwc.nlnetlabs.nl. IN   TLSA
+SECTION ANSWER
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+SCENARIO_END
--- /dev/null
+++ unbound-1.6.0/testdata/val_nx_failwc.rpl
@@ -0,0 +1,69 @@
+; config options
+; The island of trust is at nsecwc.nlnetlabs.nl
+server:
+	trust-anchor: "nsecwc.nlnetlabs.nl.	10024	IN	DS	565 8 2 0C15C04C022700C8713028F6F64CF2343DE627B8F83CDA1C421C65DB 52908A2E"
+	val-override-date: "20181202115531"
+	target-fetch-policy: "0 0 0 0 0"
+	fake-sha1: yes
+	trust-anchor-signaling: no
+stub-zone:
+	name: "nsecwc.nlnetlabs.nl"
+	stub-addr: "185.49.140.60"
+
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with nxdomain response with wildcard expanded NSEC record, original NSEC owner does not provide proof for QNAME. CVE-2017-15105 test.
+
+ ; ns.example.com.                                                                
+RANGE_BEGIN 0 100                                                                
+	ADDRESS 185.49.140.60
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+nsecwc.nlnetlabs.nl. IN DNSKEY
+SECTION ANSWER
+nsecwc.nlnetlabs.nl.	3600	IN	DNSKEY	257 3 8 AwEAAbTluF4BfJ/FT7Ak5a3VvYG1AqhT8FXxOsVwGTyueyE/hW+fMFMd QlLMf2Lf/gmsnFgn/p7GDmJBLlPTATmLeP3isvAZbK3MDEP2O5UjTVmt LZriTv8xfxYW6emCM54EQjWii64BFWrOeLm9zQqzyaLl53CbIIXqiacV KPteh8GX
+nsecwc.nlnetlabs.nl.	3600	IN	RRSIG	DNSKEY 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. q3bG4e8EtvXKDcNWcyYHeQxLF9l9aJKdmeSubyN6Qc3UVHugd6t3YSxD hlD+g43y7FcdnNHdAPh/jpgC4wtOb5J+5XAuESDHwesmIXOCTJjrb+A8 r+xQK+vsY8FhNZ2r81JZ/KQ/+TcCS5tbYeNZQgENduWAxgGiw3fdrMOV xiU=
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NXDOMAIN
+SECTION QUESTION
+a.nsecwc.nlnetlabs.nl. IN	TXT
+SECTION ANSWER
+SECTION AUTHORITY
+!.nsecwc.nlnetlabs.nl.	3600	IN	NSEC	delegation.nsecwc.nlnetlabs.nl. TXT RRSIG NSEC
+!.nsecwc.nlnetlabs.nl.	3600	IN	RRSIG	NSEC 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. ddy1MRbshFuFJswlouNGHsZUF/tYu8BOCztY2JuHeTMyWL7rhRKp73q/ 1RAXMwywKsynT5ioY0bMtEQszeIEn29IYaPDHieLAobjF6BMu1kO7U2/ oEBrSHM/fx28BcaM5G4nfCIm3BlhQhWvk1NDHLn3Q26x4hF/dnmFOUet aXw=
+nsecwc.nlnetlabs.nl.	3600	IN	SOA	ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600
+nsecwc.nlnetlabs.nl.	3600	IN	RRSIG	SOA 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. bYibpCDg1LgrnYJgVahgu94LBqLIcNs4iC0SW8LV7pTI1hhuFKbLkO2O ekPdkJAWmu/KTytf8D+cdcK6X/9VS8QCVIF5S0hraHtNezu0f1B5ztg3 7Rqy+uJSucNKoykueAsz2z43GMgO0rGH3bqM7+3ii8p2E2rhzqEtG/D3 qyY=
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+a.nsecwc.nlnetlabs.nl. IN   TXT
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO SERVFAIL
+SECTION QUESTION
+a.nsecwc.nlnetlabs.nl. IN   TXT
+SECTION ANSWER
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+SCENARIO_END
--- unbound-1.6.0.orig/util/config_file.c
+++ unbound-1.6.0/util/config_file.c
@@ -149,7 +149,7 @@ config_create(void)
 	init_outgoing_availports(cfg->outgoing_avail_ports, 65536);
 	if(!(cfg->username = strdup(UB_USERNAME))) goto error_exit;
 #ifdef HAVE_CHROOT
-	if(!(cfg->chrootdir = strdup(CHROOT_DIR))) goto error_exit;
+	if(!(cfg->chrootdir = strdup(""))) goto error_exit;
 #endif
 	if(!(cfg->directory = strdup(RUN_DIR))) goto error_exit;
 	if(!(cfg->logfile = strdup(""))) goto error_exit;
@@ -219,7 +219,7 @@ config_create(void)
 	cfg->unblock_lan_zones = 0;
 	cfg->insecure_lan_zones = 0;
 	cfg->python_script = NULL;
-	cfg->remote_control_enable = 0;
+	cfg->remote_control_enable = 1;
 	cfg->control_ifs = NULL;
 	cfg->control_port = UNBOUND_CONTROL_PORT;
 	cfg->remote_control_use_cert = 1;
--- unbound-1.6.0.orig/util/configparser.y
+++ unbound-1.6.0/util/configparser.y
@@ -1201,9 +1201,16 @@ server_fake_dsa: VAR_FAKE_DSA STRING_ARG
 		OUTYY(("P(server_fake_dsa:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else fake_dsa = (strcmp($2, "yes")==0);
-		if(fake_dsa)
-			log_warn("test option fake_dsa is enabled");
+		else {
+			int fake_dsa_val = strcmp($2, "yes")==0;
+			if(fake_dsa_val)
+#ifdef HAVE_SSL
+				log_warn("test option fake_dsa is enabled");
+			fake_dsa = fake_dsa_val;
+#else
+				log_warn("test option fake_dsa is ignored");
+#endif
+		}
 		free($2);
 	}
 	;
--- unbound-1.6.0.orig/validator/autotrust.c
+++ unbound-1.6.0/validator/autotrust.c
@@ -1227,17 +1227,20 @@ void autr_write_file(struct module_env*
  * @param ve: validator environment (with options) for verification.
  * @param tp: trust point to verify with
  * @param rrset: DNSKEY rrset to verify.
+ * @param qstate: qstate with region.
  * @return false on failure, true if verification successful.
  */
 static int
 verify_dnskey(struct module_env* env, struct val_env* ve,
-        struct trust_anchor* tp, struct ub_packed_rrset_key* rrset)
+        struct trust_anchor* tp, struct ub_packed_rrset_key* rrset,
+	struct module_qstate* qstate)
 {
 	char* reason = NULL;
 	uint8_t sigalg[ALGO_NEEDS_MAX+1];
 	int downprot = env->cfg->harden_algo_downgrade;
 	enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset,
-		tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason);
+		tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason,
+		qstate);
 	/* sigalg is ignored, it returns algorithms signalled to exist, but
 	 * in 5011 there are no other rrsets to check.  if downprot is
 	 * enabled, then it checks that the DNSKEY is signed with all
@@ -1276,7 +1279,8 @@ min_expiry(struct module_env* env, struc
 /** Is rr self-signed revoked key */
 static int
 rr_is_selfsigned_revoked(struct module_env* env, struct val_env* ve,
-	struct ub_packed_rrset_key* dnskey_rrset, size_t i)
+	struct ub_packed_rrset_key* dnskey_rrset, size_t i,
+	struct module_qstate* qstate)
 {
 	enum sec_status sec;
 	char* reason = NULL;
@@ -1285,7 +1289,7 @@ rr_is_selfsigned_revoked(struct module_e
 	/* no algorithm downgrade protection necessary, if it is selfsigned
 	 * revoked it can be removed. */
 	sec = dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, i, 
-		&reason);
+		&reason, LDNS_SECTION_ANSWER, qstate);
 	return (sec == sec_status_secure);
 }
 
@@ -1501,7 +1505,7 @@ init_events(struct trust_anchor* tp)
 static void
 check_contains_revoked(struct module_env* env, struct val_env* ve,
 	struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset,
-	int* changed)
+	int* changed, struct module_qstate* qstate)
 {
 	struct packed_rrset_data* dd = (struct packed_rrset_data*)
 		dnskey_rrset->entry.data;
@@ -1521,7 +1525,7 @@ check_contains_revoked(struct module_env
 		}
 		if(!ta)
 			continue; /* key not found */
-		if(rr_is_selfsigned_revoked(env, ve, dnskey_rrset, i)) {
+		if(rr_is_selfsigned_revoked(env, ve, dnskey_rrset, i, qstate)) {
 			/* checked if there is an rrsig signed by this key. */
 			/* same keytag, but stored can be revoked already, so 
 			 * compare keytags, with +0 or +128(REVOKE flag) */
@@ -1571,6 +1575,11 @@ key_matches_a_ds(struct module_env* env,
 			verbose(VERB_ALGO, "DS match attempt failed");
 			continue;
 		}
+		/* match of hash is sufficient for bootstrap of trust point */
+		(void)reason;
+		(void)ve;
+		return 1;
+		/* no need to check RRSIG, DS hash already matched with source
 		if(dnskey_verify_rrset(env, ve, dnskey_rrset, 
 			dnskey_rrset, key_idx, &reason) == sec_status_secure) {
 			return 1;
@@ -1578,6 +1587,7 @@ key_matches_a_ds(struct module_env* env,
 			verbose(VERB_ALGO, "DS match failed because the key "
 				"does not verify the keyset: %s", reason);
 		}
+		*/
 	}
 	return 0;
 }
@@ -2112,7 +2122,8 @@ autr_tp_remove(struct module_env* env, s
 }
 
 int autr_process_prime(struct module_env* env, struct val_env* ve,
-	struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset)
+	struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset,
+	struct module_qstate* qstate)
 {
 	int changed = 0;
 	log_assert(tp && tp->autr);
@@ -2153,7 +2164,7 @@ int autr_process_prime(struct module_env
 		return 1; /* trust point exists */
 	}
 	/* check for revoked keys to remove immediately */
-	check_contains_revoked(env, ve, tp, dnskey_rrset, &changed);
+	check_contains_revoked(env, ve, tp, dnskey_rrset, &changed, qstate);
 	if(changed) {
 		verbose(VERB_ALGO, "autotrust: revokedkeys, reassemble");
 		if(!autr_assemble(tp)) {
@@ -2169,7 +2180,7 @@ int autr_process_prime(struct module_env
 		}
 	}
 	/* verify the dnskey rrset and see if it is valid. */
-	if(!verify_dnskey(env, ve, tp, dnskey_rrset)) {
+	if(!verify_dnskey(env, ve, tp, dnskey_rrset, qstate)) {
 		verbose(VERB_ALGO, "autotrust: dnskey did not verify.");
 		/* only increase failure count if this is not the first prime,
 		 * this means there was a previous successful probe */
--- unbound-1.6.0.orig/validator/autotrust.h
+++ unbound-1.6.0/validator/autotrust.h
@@ -47,6 +47,7 @@ struct val_anchors;
 struct trust_anchor;
 struct ub_packed_rrset_key;
 struct module_env;
+struct module_qstate;
 struct val_env;
 struct sldns_buffer;
 
@@ -188,12 +189,14 @@ void autr_point_delete(struct trust_anch
  * @param tp: trust anchor to process.
  * @param dnskey_rrset: DNSKEY rrset probed (can be NULL if bad prime result).
  * 	allocated in a region. Has not been validated yet.
+ * @param qstate: qstate with region.
  * @return false if trust anchor was revoked completely.
  * 	Otherwise logs errors to log, does not change return value.
  * 	On errors, likely the trust point has been unchanged.
  */
 int autr_process_prime(struct module_env* env, struct val_env* ve,
-	struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset);
+	struct trust_anchor* tp, struct ub_packed_rrset_key* dnskey_rrset,
+	struct module_qstate* qstate);
 
 /**
  * Debug printout of rfc5011 tracked anchors
--- unbound-1.6.0.orig/validator/val_nsec.c
+++ unbound-1.6.0/validator/val_nsec.c
@@ -176,7 +176,7 @@ val_nsec_proves_no_ds(struct ub_packed_r
 static int
 nsec_verify_rrset(struct module_env* env, struct val_env* ve, 
 	struct ub_packed_rrset_key* nsec, struct key_entry_key* kkey, 
-	char** reason)
+	char** reason, struct module_qstate* qstate)
 {
 	struct packed_rrset_data* d = (struct packed_rrset_data*)
 		nsec->entry.data;
@@ -185,7 +185,8 @@ nsec_verify_rrset(struct module_env* env
 	rrset_check_sec_status(env->rrset_cache, nsec, *env->now);
 	if(d->security == sec_status_secure)
 		return 1;
-	d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason);
+	d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason,
+		LDNS_SECTION_AUTHORITY, qstate);
 	if(d->security == sec_status_secure) {
 		rrset_update_sec_status(env->rrset_cache, nsec, *env->now);
 		return 1;
@@ -196,7 +197,8 @@ nsec_verify_rrset(struct module_env* env
 enum sec_status 
 val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve, 
 	struct query_info* qinfo, struct reply_info* rep, 
-	struct key_entry_key* kkey, time_t* proof_ttl, char** reason)
+	struct key_entry_key* kkey, time_t* proof_ttl, char** reason,
+	struct module_qstate* qstate)
 {
 	struct ub_packed_rrset_key* nsec = reply_find_rrset_section_ns(
 		rep, qinfo->qname, qinfo->qname_len, LDNS_RR_TYPE_NSEC, 
@@ -213,7 +215,7 @@ val_nsec_prove_nodata_dsreply(struct mod
 	 * 1) this is a delegation point and there is no DS
 	 * 2) this is not a delegation point */
 	if(nsec) {
-		if(!nsec_verify_rrset(env, ve, nsec, kkey, reason)) {
+		if(!nsec_verify_rrset(env, ve, nsec, kkey, reason, qstate)) {
 			verbose(VERB_ALGO, "NSEC RRset for the "
 				"referral did not verify.");
 			return sec_status_bogus;
@@ -242,7 +244,8 @@ val_nsec_prove_nodata_dsreply(struct mod
 		i++) {
 		if(rep->rrsets[i]->rk.type != htons(LDNS_RR_TYPE_NSEC))
 			continue;
-		if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason)) {
+		if(!nsec_verify_rrset(env, ve, rep->rrsets[i], kkey, reason,
+			qstate)) {
 			verbose(VERB_ALGO, "NSEC for empty non-terminal "
 				"did not verify.");
 			return sec_status_bogus;
--- unbound-1.6.0.orig/validator/val_nsec.h
+++ unbound-1.6.0/validator/val_nsec.h
@@ -46,6 +46,7 @@
 #include "util/data/packed_rrset.h"
 struct val_env;
 struct module_env;
+struct module_qstate;
 struct ub_packed_rrset_key;
 struct reply_info;
 struct query_info;
@@ -64,6 +65,7 @@ struct key_entry_key;
  * @param kkey: key entry to use for verification of signatures.
  * @param proof_ttl: if secure, the TTL of how long this proof lasts.
  * @param reason: string explaining why bogus.
+ * @param qstate: qstate with region.
  * @return security status.
  *	SECURE: proved absence of DS.
  *	INSECURE: proved that this was not a delegation point.
@@ -73,7 +75,7 @@ struct key_entry_key;
 enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env,
 	struct val_env* ve, struct query_info* qinfo, 
 	struct reply_info* rep, struct key_entry_key* kkey,
-	time_t* proof_ttl, char** reason);
+	time_t* proof_ttl, char** reason, struct module_qstate* qstate);
 
 /** 
  * nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.
--- unbound-1.6.0.orig/validator/val_nsec3.c
+++ unbound-1.6.0/validator/val_nsec3.c
@@ -1285,7 +1285,7 @@ nsec3_prove_wildcard(struct module_env*
 static int
 list_is_secure(struct module_env* env, struct val_env* ve, 
 	struct ub_packed_rrset_key** list, size_t num,
-	struct key_entry_key* kkey, char** reason)
+	struct key_entry_key* kkey, char** reason, struct module_qstate* qstate)
 {
 	struct packed_rrset_data* d;
 	size_t i;
@@ -1299,7 +1299,7 @@ list_is_secure(struct module_env* env, s
 		if(d->security == sec_status_secure)
 			continue;
 		d->security = val_verify_rrset_entry(env, ve, list[i], kkey,
-			reason);
+			reason, LDNS_SECTION_AUTHORITY, qstate);
 		if(d->security != sec_status_secure) {
 			verbose(VERB_ALGO, "NSEC3 did not verify");
 			return 0;
@@ -1312,7 +1312,8 @@ list_is_secure(struct module_env* env, s
 enum sec_status
 nsec3_prove_nods(struct module_env* env, struct val_env* ve,
 	struct ub_packed_rrset_key** list, size_t num,
-	struct query_info* qinfo, struct key_entry_key* kkey, char** reason)
+	struct query_info* qinfo, struct key_entry_key* kkey, char** reason,
+	struct module_qstate* qstate)
 {
 	rbtree_t ct;
 	struct nsec3_filter flt;
@@ -1325,7 +1326,7 @@ nsec3_prove_nods(struct module_env* env,
 		*reason = "no valid NSEC3s";
 		return sec_status_bogus; /* no valid NSEC3s, bogus */
 	}
-	if(!list_is_secure(env, ve, list, num, kkey, reason))
+	if(!list_is_secure(env, ve, list, num, kkey, reason, qstate))
 		return sec_status_bogus; /* not all NSEC3 records secure */
 	rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
 	filter_init(&flt, list, num, qinfo); /* init RR iterator */
--- unbound-1.6.0.orig/validator/val_nsec3.h
+++ unbound-1.6.0/validator/val_nsec3.h
@@ -71,6 +71,7 @@
 struct val_env;
 struct regional;
 struct module_env;
+struct module_qstate;
 struct ub_packed_rrset_key;
 struct reply_info;
 struct query_info;
@@ -185,6 +186,7 @@ nsec3_prove_wildcard(struct module_env*
  * @param qinfo: query that is verified for.
  * @param kkey: key entry that signed the NSEC3s.
  * @param reason: string for bogus result.
+ * @param qstate: qstate with region.
  * @return:
  * 	sec_status SECURE of the proposition is proven by the NSEC3 RRs, 
  * 	BOGUS if not, INSECURE if all of the NSEC3s could be validly ignored.
@@ -194,7 +196,8 @@ nsec3_prove_wildcard(struct module_env*
 enum sec_status
 nsec3_prove_nods(struct module_env* env, struct val_env* ve,
 	struct ub_packed_rrset_key** list, size_t num, 
-	struct query_info* qinfo, struct key_entry_key* kkey, char** reason);
+	struct query_info* qinfo, struct key_entry_key* kkey, char** reason,
+	struct module_qstate* qstate);
 
 /**
  * Prove NXDOMAIN or NODATA.
--- unbound-1.6.0.orig/validator/val_sigcrypt.c
+++ unbound-1.6.0/validator/val_sigcrypt.c
@@ -479,7 +479,8 @@ int algo_needs_missing(struct algo_needs
 enum sec_status 
 dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve,
 	struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
-	uint8_t* sigalg, char** reason)
+	uint8_t* sigalg, char** reason, sldns_pkt_section section, 
+	struct module_qstate* qstate)
 {
 	enum sec_status sec;
 	size_t i, num;
@@ -506,7 +507,7 @@ dnskeyset_verify_rrset(struct module_env
 	}
 	for(i=0; i<num; i++) {
 		sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset, 
-			dnskey, i, &sortree, reason);
+			dnskey, i, &sortree, reason, section, qstate);
 		/* see which algorithm has been fixed up */
 		if(sec == sec_status_secure) {
 			if(!sigalg)
@@ -547,7 +548,8 @@ void algo_needs_reason(struct module_env
 enum sec_status 
 dnskey_verify_rrset(struct module_env* env, struct val_env* ve,
         struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
-	size_t dnskey_idx, char** reason)
+	size_t dnskey_idx, char** reason, sldns_pkt_section section,
+	struct module_qstate* qstate)
 {
 	enum sec_status sec;
 	size_t i, num, numchecked = 0;
@@ -571,7 +573,8 @@ dnskey_verify_rrset(struct module_env* e
 		buf_canon = 0;
 		sec = dnskey_verify_rrset_sig(env->scratch, 
 			env->scratch_buffer, ve, *env->now, rrset, 
-			dnskey, dnskey_idx, i, &sortree, &buf_canon, reason);
+			dnskey, dnskey_idx, i, &sortree, &buf_canon, reason,
+			section, qstate);
 		if(sec == sec_status_secure)
 			return sec;
 		numchecked ++;
@@ -585,7 +588,8 @@ enum sec_status
 dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve, 
 	time_t now, struct ub_packed_rrset_key* rrset, 
 	struct ub_packed_rrset_key* dnskey, size_t sig_idx, 
-	struct rbtree_t** sortree, char** reason)
+	struct rbtree_t** sortree, char** reason, sldns_pkt_section section,
+	struct module_qstate* qstate)
 {
 	/* find matching keys and check them */
 	enum sec_status sec = sec_status_bogus;
@@ -610,7 +614,7 @@ dnskeyset_verify_rrset_sig(struct module
 		/* see if key verifies */
 		sec = dnskey_verify_rrset_sig(env->scratch, 
 			env->scratch_buffer, ve, now, rrset, dnskey, i, 
-			sig_idx, sortree, &buf_canon, reason);
+			sig_idx, sortree, &buf_canon, reason, section, qstate);
 		if(sec == sec_status_secure)
 			return sec;
 	}
@@ -1115,12 +1119,15 @@ int rrset_canonical_equal(struct regiona
  * 	signer name length.
  * @param sortree: if NULL is passed a new sorted rrset tree is built.
  * 	Otherwise it is reused.
+ * @param section: section of packet where this rrset comes from.
+ * @param qstate: qstate with region.
  * @return false on alloc error.
  */
 static int
 rrset_canonical(struct regional* region, sldns_buffer* buf, 
 	struct ub_packed_rrset_key* k, uint8_t* sig, size_t siglen,
-	struct rbtree_t** sortree)
+	struct rbtree_t** sortree, sldns_pkt_section section,
+	struct module_qstate* qstate)
 {
 	struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
 	uint8_t* can_owner = NULL;
@@ -1169,6 +1176,20 @@ rrset_canonical(struct regional* region,
 		canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]);
 	}
 	sldns_buffer_flip(buf);
+
+	/* Replace RR owner with canonical owner for NSEC records in authority
+	 * section, to prevent that a wildcard synthesized NSEC can be used in
+	 * the non-existence proves. */
+	if(ntohs(k->rk.type) == LDNS_RR_TYPE_NSEC &&
+		section == LDNS_SECTION_AUTHORITY) {
+		k->rk.dname = regional_alloc_init(qstate->region, can_owner,
+			can_owner_len);
+		if(!k->rk.dname)
+			return 0;
+		k->rk.dname_len = can_owner_len;
+	}
+	
+
 	return 1;
 }
 
@@ -1312,7 +1333,8 @@ dnskey_verify_rrset_sig(struct regional*
 	struct val_env* ve, time_t now,
         struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey,
         size_t dnskey_idx, size_t sig_idx,
-	struct rbtree_t** sortree, int* buf_canon, char** reason)
+	struct rbtree_t** sortree, int* buf_canon, char** reason,
+	sldns_pkt_section section, struct module_qstate* qstate)
 {
 	enum sec_status sec;
 	uint8_t* sig;		/* RRSIG rdata */
@@ -1411,7 +1433,7 @@ dnskey_verify_rrset_sig(struct regional*
 		/* create rrset canonical format in buffer, ready for 
 		 * signature */
 		if(!rrset_canonical(region, buf, rrset, sig+2, 
-			18 + signer_len, sortree)) {
+			18 + signer_len, sortree, section, qstate)) {
 			log_err("verify: failed due to alloc error");
 			return sec_status_unchecked;
 		}
--- unbound-1.6.0.orig/validator/val_sigcrypt.h
+++ unbound-1.6.0/validator/val_sigcrypt.h
@@ -44,8 +44,10 @@
 #ifndef VALIDATOR_VAL_SIGCRYPT_H
 #define VALIDATOR_VAL_SIGCRYPT_H
 #include "util/data/packed_rrset.h"
+#include "sldns/pkthdr.h"
 struct val_env;
 struct module_env;
+struct module_qstate;
 struct ub_packed_rrset_key;
 struct rbtree_t;
 struct regional;
@@ -237,13 +239,16 @@ uint16_t dnskey_get_flags(struct ub_pack
  * @param sigalg: if nonNULL provide downgrade protection otherwise one
  *   algorithm is enough.
  * @param reason: if bogus, a string returned, fixed or alloced in scratch.
+ * @param section: section of packet where this rrset comes from.
+ * @param qstate: qstate with region.
  * @return SECURE if one key in the set verifies one rrsig.
  *	UNCHECKED on allocation errors, unsupported algorithms, malformed data,
  *	and BOGUS on verification failures (no keys match any signatures).
  */
 enum sec_status dnskeyset_verify_rrset(struct module_env* env, 
 	struct val_env* ve, struct ub_packed_rrset_key* rrset, 
-	struct ub_packed_rrset_key* dnskey, uint8_t* sigalg, char** reason);
+	struct ub_packed_rrset_key* dnskey, uint8_t* sigalg, char** reason,
+	sldns_pkt_section section, struct module_qstate* qstate);
 
 /** 
  * verify rrset against one specific dnskey (from rrset) 
@@ -253,12 +258,15 @@ enum sec_status dnskeyset_verify_rrset(s
  * @param dnskey: DNSKEY rrset, keyset.
  * @param dnskey_idx: which key from the rrset to try.
  * @param reason: if bogus, a string returned, fixed or alloced in scratch.
+ * @param section: section of packet where this rrset comes from.
+ * @param qstate: qstate with region.
  * @return secure if *this* key signs any of the signatures on rrset.
  *	unchecked on error or and bogus on bad signature.
  */
 enum sec_status dnskey_verify_rrset(struct module_env* env, 
 	struct val_env* ve, struct ub_packed_rrset_key* rrset, 
-	struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, char** reason);
+	struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, char** reason,
+	sldns_pkt_section section, struct module_qstate* qstate);
 
 /** 
  * verify rrset, with dnskey rrset, for a specific rrsig in rrset
@@ -271,13 +279,16 @@ enum sec_status dnskey_verify_rrset(stru
  * @param sortree: reused sorted order. Stored in region. Pass NULL at start,
  * 	and for a new rrset.
  * @param reason: if bogus, a string returned, fixed or alloced in scratch.
+ * @param section: section of packet where this rrset comes from.
+ * @param qstate: qstate with region.
  * @return secure if any key signs *this* signature. bogus if no key signs it,
  *	or unchecked on error.
  */
 enum sec_status dnskeyset_verify_rrset_sig(struct module_env* env, 
 	struct val_env* ve, time_t now, struct ub_packed_rrset_key* rrset, 
 	struct ub_packed_rrset_key* dnskey, size_t sig_idx, 
-	struct rbtree_t** sortree, char** reason);
+	struct rbtree_t** sortree, char** reason, sldns_pkt_section section,
+	struct module_qstate* qstate);
 
 /** 
  * verify rrset, with specific dnskey(from set), for a specific rrsig 
@@ -295,6 +306,8 @@ enum sec_status dnskeyset_verify_rrset_s
  * 	pass false at start. pass old value only for same rrset and same
  * 	signature (but perhaps different key) for reuse.
  * @param reason: if bogus, a string returned, fixed or alloced in scratch.
+ * @param section: section of packet where this rrset comes from.
+ * @param qstate: qstate with region.
  * @return secure if this key signs this signature. unchecked on error or 
  *	bogus if it did not validate.
  */
@@ -302,7 +315,8 @@ enum sec_status dnskey_verify_rrset_sig(
 	struct sldns_buffer* buf, struct val_env* ve, time_t now,
 	struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, 
 	size_t dnskey_idx, size_t sig_idx,
-	struct rbtree_t** sortree, int* buf_canon, char** reason);
+	struct rbtree_t** sortree, int* buf_canon, char** reason,
+	sldns_pkt_section section, struct module_qstate* qstate);
 
 /**
  * canonical compare for two tree entries
--- unbound-1.6.0.orig/validator/val_utils.c
+++ unbound-1.6.0/validator/val_utils.c
@@ -334,7 +334,8 @@ rrset_get_ttl(struct ub_packed_rrset_key
 enum sec_status 
 val_verify_rrset(struct module_env* env, struct val_env* ve,
         struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys,
-	uint8_t* sigalg, char** reason)
+	uint8_t* sigalg, char** reason, sldns_pkt_section section,
+	struct module_qstate* qstate)
 {
 	enum sec_status sec;
 	struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
@@ -356,7 +357,8 @@ val_verify_rrset(struct module_env* env,
 	}
 	log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname,
 		ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class));
-	sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason);
+	sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason,
+		section, qstate);
 	verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec));
 	regional_free_all(env->scratch);
 
@@ -389,7 +391,7 @@ val_verify_rrset(struct module_env* env,
 enum sec_status 
 val_verify_rrset_entry(struct module_env* env, struct val_env* ve,
         struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey,
-	char** reason)
+	char** reason, sldns_pkt_section section, struct module_qstate* qstate)
 {
 	/* temporary dnskey rrset-key */
 	struct ub_packed_rrset_key dnskey;
@@ -402,7 +404,8 @@ val_verify_rrset_entry(struct module_env
 	dnskey.rk.dname_len = kkey->namelen;
 	dnskey.entry.key = &dnskey;
 	dnskey.entry.data = kd->rrset_data;
-	sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason);
+	sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason,
+		section, qstate);
 	return sec;
 }
 
@@ -410,7 +413,8 @@ val_verify_rrset_entry(struct module_env
 static enum sec_status
 verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve, 
 	struct ub_packed_rrset_key* dnskey_rrset, 
-        struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason)
+        struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason,
+	struct module_qstate* qstate)
 {
 	enum sec_status sec = sec_status_bogus;
 	size_t i, num, numchecked = 0, numhashok = 0;
@@ -441,7 +445,7 @@ verify_dnskeys_with_ds_rr(struct module_
 		/* Otherwise, we have a match! Make sure that the DNSKEY 
 		 * verifies *with this key*  */
 		sec = dnskey_verify_rrset(env, ve, dnskey_rrset, 
-			dnskey_rrset, i, reason);
+			dnskey_rrset, i, reason, LDNS_SECTION_ANSWER, qstate);
 		if(sec == sec_status_secure) {
 			return sec;
 		}
@@ -477,7 +481,8 @@ int val_favorite_ds_algo(struct ub_packe
 enum sec_status 
 val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
 	struct ub_packed_rrset_key* dnskey_rrset,
-	struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason)
+	struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
+	struct module_qstate* qstate)
 {
 	/* as long as this is false, we can consider this DS rrset to be
 	 * equivalent to no DS rrset. */
@@ -514,7 +519,7 @@ val_verify_DNSKEY_with_DS(struct module_
 		has_useful_ds = 1;
 
 		sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, 
-			ds_rrset, i, reason);
+			ds_rrset, i, reason, qstate);
 		if(sec == sec_status_secure) {
 			if(!sigalg || algo_needs_set_secure(&needs,
 				(uint8_t)ds_get_key_algo(ds_rrset, i))) {
@@ -547,11 +552,12 @@ val_verify_DNSKEY_with_DS(struct module_
 struct key_entry_key* 
 val_verify_new_DNSKEYs(struct regional* region, struct module_env* env, 
 	struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, 
-	struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason)
+	struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
+	struct module_qstate* qstate)
 {
 	uint8_t sigalg[ALGO_NEEDS_MAX+1];
 	enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve, 
-		dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason);
+		dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason, qstate);
 
 	if(sec == sec_status_secure) {
 		return key_entry_create_rrset(region, 
@@ -573,7 +579,8 @@ enum sec_status
 val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
 	struct ub_packed_rrset_key* dnskey_rrset,
 	struct ub_packed_rrset_key* ta_ds,
-	struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason)
+	struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
+	struct module_qstate* qstate)
 {
 	/* as long as this is false, we can consider this anchor to be
 	 * equivalent to no anchor. */
@@ -624,7 +631,7 @@ val_verify_DNSKEY_with_TA(struct module_
 		has_useful_ta = 1;
 
 		sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, 
-			ta_ds, i, reason);
+			ta_ds, i, reason, qstate);
 		if(sec == sec_status_secure) {
 			if(!sigalg || algo_needs_set_secure(&needs,
 				(uint8_t)ds_get_key_algo(ta_ds, i))) {
@@ -650,7 +657,7 @@ val_verify_DNSKEY_with_TA(struct module_
 		has_useful_ta = 1;
 
 		sec = dnskey_verify_rrset(env, ve, dnskey_rrset,
-			ta_dnskey, i, reason);
+			ta_dnskey, i, reason, LDNS_SECTION_ANSWER, qstate);
 		if(sec == sec_status_secure) {
 			if(!sigalg || algo_needs_set_secure(&needs,
 				(uint8_t)dnskey_get_algo(ta_dnskey, i))) {
@@ -684,12 +691,12 @@ val_verify_new_DNSKEYs_with_ta(struct re
 	struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, 
 	struct ub_packed_rrset_key* ta_ds_rrset,
 	struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot,
-	char** reason)
+	char** reason, struct module_qstate* qstate)
 {
 	uint8_t sigalg[ALGO_NEEDS_MAX+1];
 	enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, 
 		dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset,
-		downprot?sigalg:NULL, reason);
+		downprot?sigalg:NULL, reason, qstate);
 
 	if(sec == sec_status_secure) {
 		return key_entry_create_rrset(region, 
--- unbound-1.6.0.orig/validator/val_utils.h
+++ unbound-1.6.0/validator/val_utils.h
@@ -42,10 +42,12 @@
 #ifndef VALIDATOR_VAL_UTILS_H
 #define VALIDATOR_VAL_UTILS_H
 #include "util/data/packed_rrset.h"
+#include "sldns/pkthdr.h"
 struct query_info;
 struct reply_info;
 struct val_env;
 struct module_env;
+struct module_qstate;
 struct ub_packed_rrset_key;
 struct key_entry_key;
 struct regional;
@@ -120,11 +122,14 @@ void val_find_signer(enum val_classifica
  * @param sigalg: if nonNULL provide downgrade protection otherwise one
  *   algorithm is enough.  Algo list is constructed in here.
  * @param reason: reason of failure. Fixed string or alloced in scratch.
+ * @param section: section of packet where this rrset comes from.
+ * @param qstate: qstate with region.
  * @return security status of verification.
  */
 enum sec_status val_verify_rrset(struct module_env* env, struct val_env* ve,
 	struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys,
-	uint8_t* sigalg, char** reason);
+	uint8_t* sigalg, char** reason, sldns_pkt_section section,
+	struct module_qstate* qstate);
 
 /**
  * Verify RRset with keys from a keyset.
@@ -133,11 +138,14 @@ enum sec_status val_verify_rrset(struct
  * @param rrset: what to verify
  * @param kkey: key_entry to verify with.
  * @param reason: reason of failure. Fixed string or alloced in scratch.
+ * @param section: section of packet where this rrset comes from.
+ * @param qstate: qstate with region.
  * @return security status of verification.
  */
 enum sec_status val_verify_rrset_entry(struct module_env* env, 
 	struct val_env* ve, struct ub_packed_rrset_key* rrset, 
-	struct key_entry_key* kkey, char** reason);
+	struct key_entry_key* kkey, char** reason, sldns_pkt_section section,
+	struct module_qstate* qstate);
 
 /**
  * Verify DNSKEYs with DS rrset. Like val_verify_new_DNSKEYs but
@@ -150,13 +158,15 @@ enum sec_status val_verify_rrset_entry(s
  *   algorithm is enough.  The list of signalled algorithms is returned,
  *   must have enough space for ALGO_NEEDS_MAX+1.
  * @param reason: reason of failure. Fixed string or alloced in scratch.
+ * @param qstate: qstate with region.
  * @return: sec_status_secure if a DS matches.
  *     sec_status_insecure if end of trust (i.e., unknown algorithms).
  *     sec_status_bogus if it fails.
  */
 enum sec_status val_verify_DNSKEY_with_DS(struct module_env* env, 
 	struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, 
-	struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason);
+	struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason,
+	struct module_qstate* qstate);
 
 /**
  * Verify DNSKEYs with DS and DNSKEY rrset.  Like val_verify_DNSKEY_with_DS
@@ -170,6 +180,7 @@ enum sec_status val_verify_DNSKEY_with_D
  *   algorithm is enough.  The list of signalled algorithms is returned,
  *   must have enough space for ALGO_NEEDS_MAX+1.
  * @param reason: reason of failure. Fixed string or alloced in scratch.
+ * @param qstate: qstate with region.
  * @return: sec_status_secure if a DS matches.
  *     sec_status_insecure if end of trust (i.e., unknown algorithms).
  *     sec_status_bogus if it fails.
@@ -177,7 +188,8 @@ enum sec_status val_verify_DNSKEY_with_D
 enum sec_status val_verify_DNSKEY_with_TA(struct module_env* env, 
 	struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, 
 	struct ub_packed_rrset_key* ta_ds,
-	struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason);
+	struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason,
+	struct module_qstate* qstate);
 
 /**
  * Verify new DNSKEYs with DS rrset. The DS contains hash values that should
@@ -192,6 +204,7 @@ enum sec_status val_verify_DNSKEY_with_T
  * @param downprot: if true provide downgrade protection otherwise one
  *   algorithm is enough.
  * @param reason: reason of failure. Fixed string or alloced in scratch.
+ * @param qstate: qstate with region.
  * @return a KeyEntry. This will either contain the now trusted
  *         dnskey_rrset, a "null" key entry indicating that this DS
  *         rrset/DNSKEY pair indicate an secure end to the island of trust
@@ -205,7 +218,8 @@ enum sec_status val_verify_DNSKEY_with_T
 struct key_entry_key* val_verify_new_DNSKEYs(struct regional* region, 
 	struct module_env* env, struct val_env* ve, 
 	struct ub_packed_rrset_key* dnskey_rrset, 
-	struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason);
+	struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason,
+	struct module_qstate* qstate);
 
 
 /**
@@ -220,6 +234,7 @@ struct key_entry_key* val_verify_new_DNS
  * @param downprot: if true provide downgrade protection otherwise one
  *   algorithm is enough.
  * @param reason: reason of failure. Fixed string or alloced in scratch.
+ * @param qstate: qstate with region.
  * @return a KeyEntry. This will either contain the now trusted
  *         dnskey_rrset, a "null" key entry indicating that this DS
  *         rrset/DNSKEY pair indicate an secure end to the island of trust
@@ -235,7 +250,7 @@ struct key_entry_key* val_verify_new_DNS
 	struct ub_packed_rrset_key* dnskey_rrset, 
 	struct ub_packed_rrset_key* ta_ds_rrset, 
 	struct ub_packed_rrset_key* ta_dnskey_rrset,
-	int downprot, char** reason);
+	int downprot, char** reason, struct module_qstate* qstate);
 
 /**
  * Determine if DS rrset is usable for validator or not.
@@ -252,7 +267,7 @@ int val_dsset_isusable(struct ub_packed_
  * the result of a wildcard expansion. If so, return the name of the
  * generating wildcard.
  * 
- * @param rrset The rrset to chedck.
+ * @param rrset The rrset to check.
  * @param wc: the wildcard name, if the rrset was synthesized from a wildcard.
  *         unchanged if not.  The wildcard name, without "*." in front, is 
  *         returned. This is a pointer into the rrset owner name.
--- unbound-1.6.0.orig/validator/validator.c
+++ unbound-1.6.0/validator/validator.c
@@ -490,7 +490,8 @@ validate_msg_signatures(struct module_qs
 		}
 
 		/* Verify the answer rrset */
-		sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason);
+		sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason,
+			LDNS_SECTION_ANSWER, qstate);
 		/* If the (answer) rrset failed to validate, then this 
 		 * message is BAD. */
 		if(sec != sec_status_secure) {
@@ -519,7 +520,8 @@ validate_msg_signatures(struct module_qs
 	for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+
 		chase_reply->ns_numrrsets; i++) {
 		s = chase_reply->rrsets[i];
-		sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason);
+		sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason,
+			LDNS_SECTION_AUTHORITY, qstate);
 		/* If anything in the authority section fails to be secure, 
 		 * we have a bad message. */
 		if(sec != sec_status_secure) {
@@ -545,7 +547,7 @@ validate_msg_signatures(struct module_qs
 		val_find_rrset_signer(s, &sname, &slen);
 		if(sname && query_dname_compare(sname, key_entry->name)==0)
 			(void)val_verify_rrset_entry(env, ve, s, key_entry,
-				&reason);
+				&reason, LDNS_SECTION_ADDITIONAL, qstate);
 		/* the additional section can fail to be secure, 
 		 * it is optional, check signature in case we need
 		 * to clean the additional section later. */
@@ -2389,7 +2391,7 @@ primeResponseToKE(struct ub_packed_rrset
 	/* attempt to verify with trust anchor DS and DNSKEY */
 	kkey = val_verify_new_DNSKEYs_with_ta(qstate->region, qstate->env, ve, 
 		dnskey_rrset, ta->ds_rrset, ta->dnskey_rrset, downprot,
-		&reason);
+		&reason, qstate);
 	if(!kkey) {
 		log_err("out of memory: verifying prime TA");
 		return NULL;
@@ -2479,7 +2481,7 @@ ds_response_to_ke(struct module_qstate*
 		/* Verify only returns BOGUS or SECURE. If the rrset is 
 		 * bogus, then we are done. */
 		sec = val_verify_rrset_entry(qstate->env, ve, ds, 
-			vq->key_entry, &reason);
+			vq->key_entry, &reason, LDNS_SECTION_ANSWER, qstate);
 		if(sec != sec_status_secure) {
 			verbose(VERB_DETAIL, "DS rrset in DS response did "
 				"not verify");
@@ -2526,7 +2528,7 @@ ds_response_to_ke(struct module_qstate*
 		/* Try to prove absence of the DS with NSEC */
 		sec = val_nsec_prove_nodata_dsreply(
 			qstate->env, ve, qinfo, msg->rep, vq->key_entry, 
-			&proof_ttl, &reason);
+			&proof_ttl, &reason, qstate);
 		switch(sec) {
 			case sec_status_secure:
 				verbose(VERB_DETAIL, "NSEC RRset for the "
@@ -2554,7 +2556,8 @@ ds_response_to_ke(struct module_qstate*
 
 		sec = nsec3_prove_nods(qstate->env, ve, 
 			msg->rep->rrsets + msg->rep->an_numrrsets,
-			msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason);
+			msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason,
+			qstate);
 		switch(sec) {
 			case sec_status_insecure:
 				/* case insecure also continues to unsigned
@@ -2615,7 +2618,7 @@ ds_response_to_ke(struct module_qstate*
 			goto return_bogus;
 		}
 		sec = val_verify_rrset_entry(qstate->env, ve, cname, 
-			vq->key_entry, &reason);
+			vq->key_entry, &reason, LDNS_SECTION_ANSWER, qstate);
 		if(sec == sec_status_secure) {
 			verbose(VERB_ALGO, "CNAME validated, "
 				"proof that DS does not exist");
@@ -2781,7 +2784,7 @@ process_dnskey_response(struct module_qs
 	}
 	downprot = qstate->env->cfg->harden_algo_downgrade;
 	vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env,
-		ve, dnskey, vq->ds_rrset, downprot, &reason);
+		ve, dnskey, vq->ds_rrset, downprot, &reason, qstate);
 
 	if(!vq->key_entry) {
 		log_err("out of memory in verify new DNSKEYs");
@@ -2856,7 +2859,8 @@ process_prime_response(struct module_qst
 			ta->dclass);
 	}
 	if(ta->autr) {
-		if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset)) {
+		if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset,
+			qstate)) {
 			/* trust anchor revoked, restart with less anchors */
 			vq->state = VAL_INIT_STATE;
 			vq->trust_anchor_name = NULL;
