14 August 2020: Wouter
	- Add edns0 and trust-ad options when writing resolvconf to point
	  to 127.0.0.1, because unbound is set up to validate and supports
	  EDNS0.  Fixes #2 and #5.

25 June 2018: Wouter
	- Release 0.17.

22 June 2018: Wouter
	- Fix for infinite loop in update_connection_zones.

21 June 2018: Wouter
	- Release 0.16.
	- trunk is 0.17 in development.

14 June 2018: Wouter
	- Add check on shell commandline arguments, to make sure domain names
	  and IP addresses passed to it do not contain escape characters.

7 June 2018: Wouter
	- Fix that update_connection_zones does not use item after free.
	- Fix declare before code warnings.
	- Use pclose for popen fds.
	- Use snprintf instead of sprintf to fixed buffer.
	- Fix gcc buffer size for snprintf warning (in dnssec-trigger update
	  code, not the patch set from 14may).

23 May 2018: Wouter
	- string_list, sprint with null termination and correct buffer check.

18 May 2018: Wouter
	- More review fixes, store.c, error log and fixup of getline return,
	  and not variable use before declaration.  Spelling, strdup,
	  bool removal for portability.  Removed unsigned comparison warning.

14 May 2018: Wouter
	- Patch set from Martin Sehnoutka,
	  It migrates the functionality currently provided by the script
	  into the daemon. the "update" command from the script is available
	  in the daemon as "update_all", so that they can live side by side.
	- Modify the build system:
A new configure option 'with-forward-zones-support' was introduced, that
enables configuration of forward and local zones directly from the
daemon as opposed to the script. Without this option, there is almost no
change.

The new functionality of the daemon can be triggered by the "update_all"
command, which is now used in NM dispatcher script and systemd service
file. Some configuration options were migrated from the script to the
daemon as well.

Finally a testing suite was introduced using the cmocka library.
	- Introduce string_buffer and string_list types:
	String buffer is a fat pointer and list is a single linked list of fat
char pointers.
	- Import JSON parsing library (BSD-MIT license).
	- Connection list module:
A connection is a struct encapsulating the concept of "connection" as
known from NetworkManager. It is used to extract information about
global resolvers, DNS search zones and in the future about reverse zones
corresponding to the network address.
	- Function to parse JSON into connection list
	- Lock module, used to serialize execution in the script
This was introduced as a compatibility feature with the script, but once
the script is gone, this can be safely removed.
	- Store module - persistent storage used by the script
The script uses few files stored on disk in order to create a persistent
cache of configured global forwarders and forward zones. This was
introduced as a compatibility module with the script. Again it can be
removed once the compatibility is not needed any more.
	- Testing suite for previously introduced modules
It can be executed using 'make test' and it can be also used in CI.
	- New configuration options, that were in the script
	- Hook unbound control
It uses 'unbound-control' binary instead of the socket, so this should
probably be rewritten if possible.
	- Reimplement update command from script in riggerd
	- add testing file for global forwarders cache

	- Fixes and modifications from Wouter:
	  - removed -vvv option from dnssec-triggerd daemon start script.
	  - removed unaligned memcpy

26 February 2018: Wouter
	- Fix that NXDOMAIN for _probe.uk.uk is deemed allright.

23 February 2018: Wouter
	- port of dnssec-trigger-script to libnm.

6 December 2017: Wouter
	- release 0.15 tag.
	- trunk has version 0.16.
	- Fix example.conf default printout text replacement.

11 October 2017: Wouter
	- Fix SSL_OP_NO_SSLv2 logic for setting the option.

10 October 2017: Wouter
	- release 0.14 tag
	- trunk has version 0.15.
	- annotate switch fallthrough for gcc 7.2.

2 October 2017: Wouter
	- Fix OSX install to exclude var and not set tar timestamps.
	- Fix compile warning on gcc 7.2.
	- Fix makedist.sh for openssl 1.1 and ldns 1.7.
	- Fix keygen.exe for openssl 1.1 API.

22 August 2017: Wouter
	- Fix no NSEC3 in nodata reply: kr.com always fails to validate, uses
	  uk.uk instead.
	- updated root servers list.

4 July 2017: Wouter
	- Allow strings longer than 2 characters for the HTTP probe.
	  Patch from Tomas Hozza.

6 January 2017: Wouter
	- For windows, include the libgcc_s_sjlj-1.dll and
	  libwinpthread-1.dll

15 December 2016: Wouter
	- 0.13 release tag.
	- trunk has 0.14.
	- Fix osx installer to detect 10.12 (Sierra) so that icon is
	  displayed correctly after reinstall.

28 November 2016: Wouter
	- Updated acx_nlnetlabs.m4 for openssl-1.1.0 compatibility.
	- Patch for openssl-1.1.0 compilation.

8 June 2016: Wouter
	- Tomas Hozza (3):
	  dnssec-trigger-script: Use ducktaping when restarting NM, instead of
	  checking the sysfs
	  dnssec-trigger-script: Silence the calls to chattr
	  Improved text in the panel GUI when insecure mode is forced

9 December 2015: Wouter
	- Remove kickstarts of daemons because daemon died for test user.

8 December 2015: Wouter
	- Fixup compile on OSX with static SSL for makedist mac build.
	- OSX hide unbound user from login screen.
	- Attempt to stop panels and kickstart daemons on OSX.

7 December 2015: Wouter
	- Remove stuff from osx installer that logs out the user.

4 December 2015: Wouter
	- Fixup osx gui panel start code for new osx.  installer talks about
	  new locations and set permissions on key files and add to the path
	  the /usr/local/sbin directory during install.
	  Do not link RiggerStatusItem to /usr/local/opt/openssl/lib.

3 December 2015: Wouter
	- chmod key files for unbound, dnssec-trigger control and ldns in
	  /usr/local.  For OSX.
	- Fixup installer for creation of missing keys, and also start
	  panel in osx userspace.

26 November 2015: Wouter
	- Fix Makefile for use of /Library, which seems okay for new OSX.
	- makedist prints checksums on OSX.

6 November 2015: Wouter
	- new acx_nlnetlabs.m4 version and it has the libdl fix.
	- Fix lint warnings about int and size_t conversion.
	- Fixes to make the installer work on OSX-ElCapitan.

6 October 2015: Wouter
	- Patch for preliminary Mac OSX 10.11 support (from Philip Paeps).
	- Move plists into uidir on OSX (/usr/local/share), and set usr/local
	  in makedist for OSX.

1 October 2015: Wouter
	- default keysize for control is 3072 on windows.

31 August 2015: Wouter
	- Changed windows setup compression to be more transparent.

16 July 2015: Wouter
	- Patches from Tomas Hozza for systemd service files:
	  Set PIDFile in the dnssec-triggerd.service file.
	  Remove restorecon call in dnssec-triggerd-keygen.service.

14 July 2015: Wouter
	- Patches from Tomas Hozza for dnssec-trigger-script:
	  Use one import on one line as defined by PEP8.
	  Use path to DEVNULL from os module.
	  Move the main functionality into main() function to enable testing.
	  Use existing API in NM for distinguishing VPN connections.
	  Construct NMClient as advised by the documentation.
	  Forbid Python from searching local dirs and using env variables.
	  Set low max negative cache TTL to prevent possible user issues.
	  Send SIGHUP to NM if it is new enough instead of restarting it.
	  Set the required version in GI before importing NMClient.

13 July 2015: Wouter
	- Fix #618: create sha1 and sha256 hashes for created binaries,
	  fixed in makedist.sh.

10 July 2015: Wouter
	- Renamed 'open resolvers' to 'relay resolvers' in the explanatory
	  text what dnssec-trigger is doing.  Resolvers from DHCP can also
	  be public resolvers, so the term relay resolver is used for an
	  open resolver that performs transport layer adjustment.

8 April 2015: Wouter
	- Patches from Tomas Hozza for dnssec-trigger-script:
	  Add newlines between classes to conform with PEP-8 and
	   increase readability.
	  Add/remove local zones in Unbound when configuring
	   reverse addr forward zones.

7 April 2015: Wouter
	- Patch from Tomas Hozza:
		dnssec-trigger-script: Don't configure RFC1918 zones
		if there are no global forwarders.

12 March 2015: Wouter
	- Patches from Tomas Hozza (7):
		dnssec-trigger-script: Fix wrong default value in configuration
		dnssec-trigger-script: Fix formatting errors
		dnssec-trigger-script: Remove unused class
		Allow to select the default Python interpretter during build
		Fix 01-dnssec-trigger NOT to hardcode shell path
		dnssec-trigger-script: Fix typo when adding search domains
		dnssec-trigger-control-setup: Use 3072 bit keys

26 January 2015: Wouter
	- Patches from Pavel Simerda:
		dnssec-trigger-script: check for paths, not files
			https://bugzilla.redhat.com/show_bug.cgi?id=1183975
		dnssec-trigger-script: fix secure/insecure forward zone
			switching
			https://bugzilla.redhat.com/show_bug.cgi?id=1185796
		dnssec.conf: clean up the dnssec.conf comments
		dnssec-trigger-script: log dnssec-trigger-control and
			unbound-control calls
		dnssec-trigger-script: use a global config object
		dnssec-trigger-script: add option to set search domains
			in /etc/resolv.conf
			https://bugzilla.redhat.com/show_bug.cgi?id=1130502
		dnssec-trigger-script: add (undocumented) option to avoid
			flushing positive answers
			https://bugzilla.redhat.com/show_bug.cgi?id=1105685
		dnssec-trigger-script: use private address ranges
			https://bugzilla.redhat.com/show_bug.cgi?id=1128310

21 January 2015: Wouter
	- Patches from Pavel Simerda:
		dnssec-trigger-script: clean up servers as well, for restart
		dnssec-trigger-script: prefer VPN nameservers over default ones

13 January 2015: Wouter
	- Update OSX resolvehook to flush dns caches for new OSX release
	  with "discoveryutil udnsflushcaches" and "discoveryutil
	  mdnsflushcache".
	- Patches from Pavel Simerda:
		dnssec-trigger-script: The accepted version of NetworkManager
			patch uses `resolv.conf` instead of
			`resolv.conf.default`,
			https://bugzilla.gnome.org/show_bug.cgi?id=732941
		dnssec-trigger-script: Leaking file descriptors is bad,
			especially when selinux or similar tool is used.
			https://bugzilla.redhat.com/show_bug.cgi?id=1147705
		dnssec-trigger-script: Use a regular file unless
			use_resolv_secure_conf_symlink is set. Always
			install /var/run/dnssec-trigger/resolv.conf for
			comparison.  Guard all of those regular files using
			immutable attribute.  
			https://bugzilla.redhat.com/show_bug.cgi?id=1165126
		dnssec-trigger-script: fix desktop file paths.
			

21 November 2014: Wouter
	- Patches from Pavel Simerda:
		dnssec-trigger-script: lock --update-* methods only
			The original locking was a bit too broad for future
			development.
		dnssec-trigger-script: improve /etc/dnssec.conf handling
			Minor changes that make future /etc/dnssec.conf
			extensions easier.
		dnssec-trigger-script: support 'debug' option in
		  /etc/dnssec.conf
			With that you can get the debugging output even
			for instances run by systemd, dnssec-triggerd
			and NetworkManager dispatcher.
		dnssec-trigger-script: clean up resolv.conf backup and
		  restore
			Clean up the code a bit so that later additions
			dont turn it into a mess.
		dnssec-trigger-script: use
		  /var/run/NetworkManager/resolv.conf.default
			Avoid restarting NetworkManager just to restore
			/etc/resolv.conf when a simple symlink would
			do. This is only done when the NetworkManager's
			private resolv.conf actually exists.
		allow the resolv.conf hooks be handled by
		  dnssec-trigger-script
		dnssec-trigger-script: handle resolv.conf events from the
		  daemon
			The new implementation doesn't write directly to
			/etc/resolv.conf and instead it writes a temporary
			file and then replaces the /etc/resolv.conf
			using POSIX `rename()`.
		dnssec-trigger-script: support /etc/resolv.conf and
		  /etc/resolv-secure.conf symlinks
			This is an experimental feature and is
			turned off by default. You need to put the
			following to /etc/dnssec.conf to activate it:
			use_resolv_conf_symlink=yes
		probe: use wildcard probing domains
			This change might need to be revisited to see
			whether we need to check both known wildcard
			and known non-wildcard domains.
	- Fix #629: bad if test in net_help for ctx_load_verify_locations.

31 July 2014: Wouter
	- Patch from Pavel Simerda: improve dnssec-trigger-script locking and
	  avoid a dependency.

15 July 2014: Wouter
	- Fix NetworkManager script fails t parse nmcli version as of
	  0.9.10.0, patch from Gerald Turner.

3 July 2014: Wouter
	- Patches from Ondrej Sury (from the Debian package):
	  Remove some ugly bashisms from the script.
	  Fixes static paths that right be mismatched (f.e. on multiarch
	  system).
	  Fix IndexError in dnssec-trigger-script, when there less then 4
	  resolvers since you use 3xfields.pop(0) before that.
	  Fix release date in makedist manpage to be more stable.
	  Do substitutions in makefile, more autoconf'y
	  Fixup dnssec-triggerd.service from Makefile.in

1 July 2014: Wouter
	- Better fix for pidof that sets PATH for networkmanager dispatcher
	  script (from Ondrej Sury).

30 June 2014: Wouter
	- Add --with-pidof=/usr/sbin/pidof where you can set the location
	  of the pidof command to use in the Networkmanager script,
	  /usr/bin/pidof or /usr/sbin/pidof (depending no your distribution).

25 June 2014: Wouter
	- Patches from Pavel Simerda:
	  improve systemctl call.
	  serialize script instances.

23 June 2014: Wouter
	- Patches from Pavel Simerda:
	  Fixup for python2.
	  fix a race condition with NetworkManager restart.
	  don't fail on empty connection list.
	  move legacy connection handling to the cleanup phase.
	  don't block on systemctl restart NetworkManager.

20 June 2014: Wouter
	- Patches from Pavel Simerda:
	  fix bug that prevents calling dnssec-trigger-control
	  submit (https://bugzilla.redhat.com/show_bug.cgi?id=1105896)
	  avoid dependency on pidof
	  handle missing resolv.conf backup gracefully
	  upgrade zone cache format at startup (
	  https://bugzilla.redhat.com/show_bug.cgi?id=1111143)
	  always log to stderr

4 June 2014: Wouter
	- Patch from Pavel Simerda. This, among other things, allows to
	  restart unbound and/or dnssec-trigger without restarting
	  NetworkManager when it's configured not to touch the DNS.
	  And, avoid Filenotfounderror not available in python 2,
	  https://bugzilla.redhat.com/show_bug.cgi?id=1100794
	  And fix unbound output parser
	  https://bugzilla.redhat.com/show_bug.cgi?id=1100796

22 May 2014: Wouter
	- release 0.12.
	- trunk is 0.13 in development.
	- updated authority server addresses builtin to dnssec-trigger for
	  d root server (ipv4) and c root server (ipv6) for its tests.

7 May 2014: Wouter
	- Updated dnssec-trigger-script.in to distinguish secure and
	  insecure zones, and to flush the unbound cache on DNS server
	  list changes. (from Pavel Simerda).

15 April 2014: Wouter
	- Change the ip-address of tcp and ssl service from broer.nlnetlabs.nl
	  to zus.nlnetlabs.nl (we changed netblocks).  The new ip address
	  and new certificate fingerprint (because of ssl heartbleed vuln)
	  are in the example.conf file.  The cert was only used for transport
	  and not for authentication, so its change was low priority.

8 April 2014: Wouter
	- Patch for dnssec-trigger-script.in --async flag from Pavel Simerda,
	  stops dnssec-trigger-script to block on networkmanager, which is
	  good in cases when networkmanager blocks on the script.

28 March 2014: Wouter
	- Patch from Pavel Simerda that incorporates contrib items into
	  the build install system.  Systemd scripts, dnssec-trigger-script,
	  dnssec.conf.

24 March 2014: Wouter
	- Renamed 01-dnssec-trigger-hook to 01-dnssec-trigger with the
	  networkmanager naming scheme.  (From Pavel Simerda).
	- put contrib/01-dnssec-trigger into 01-dnssec-trigger.in

24 March 2014: Wouter
	- Removed files obsoleted by patch from Pavel Simerda:
	  contrib/01-dnssec-trigger-hook-new_nm
	  (replaced with dnssec-trigger-script and 01-dnssec-trigger)
	  fedora/dnssec-triggerd.service
	  (new version in contrib)
	  fedora/dnssec-triggerd-resolvconf-handle.service
	  (handled by dnssec-triggerd.service directly)
	  fedora/dnssec-trigger.spec
	  (spec files are maintained separately)
	  fedora/dnssec-triggerd-keygen.service
	  (new version in contrib)
	  fedora/dnssec-triggerd-resolvconf-handle.sh
	  (handled by dnssec-trigger-script directly)
	  fedora/dnssec-triggerd.init
	  (only used in epel6 which hasn't been updated for ages)

21 March 2014: Wouter
	- Patch from Pavel Simerda: better integration with NetworkManager and
	  distributions, added in contrib.

13 February 2014: Wouter
	- Patches from Tomass Hozza; Explicitly-use-Python2-interpreter,
	  Fix-situation-when-connection-is-going-down,
	  resolv.conf-backup-script-restart-NM-to-handle-resolv.conf,
	  Update-systemd-service-files-to-latest-version-used.

7 February 2014: Wouter
	- Fix #551: Change Regents to Copyright holder in License.

28 January 2014: Wouter
	- Added patch to networkmanager dispatcher script and also
	  an example dnssec.conf file from Tomas Hozza.

21 January 2014: Wouter
	- Added contrib networkmanager dispatcher script from Tomas Hozza.

25 November 2013: Wouter
	- Added fedora/dnssec-trigger-resolvconf-handle.sh from Tomas
	  Hozza, that will backup and restore resolv.conf for use in
	  systemd.service scripts and networkmanager scripts.

15 November 2013: Wouter
	- Patch from Tomas Hozza that improves text in dialogs (on linux).

14 November 2013: Wouter
	- Fix NM dispatcher script to work with NM >= 0.9.9.0 (Thanks Tomas
	  Hozza).

26 August 2013: Wouter
	- Fix#522: Errors found by static analysis of source from Tomas Hozza.

6 August 2013: Wouter
	- Patch from Tomas Hozza to improve the networkmanager connect
	  script for VPN connections.  It adds forward zones for the VPN
	  over the VPN connection.

3 May 2013: Wouter
	- Update acx_nlnetlabs.m4 to deal with newer mingw and sleep.

2 May 2013: Wouter
	- Fixup new glib deprecated calls.

1 May 2013: Wouter
	- Let system dealloc feed and feed_lock on OSX and Linux/BSD.

22 April 2013: Wouter
	- Fixup OSX backquote backslashes.  Removed wrong OSX version from
	  its installer text.

19 April 2013: Wouter
	- Fixup snprintf return value usage.

8 April 2013: Wouter
	- OSX wake listener implementation.
	- patch for OSX that passes all domains from search to the OS (from
	  Phil Pennock).

27 March 2013: Wouter
	- update makedist for new svn and new crosscompile environment.

26 March 2013: Wouter
	- Update configure, install-sh with newer autoconf.

7 March 2013: Wouter
	- bug 489: removed Application deprecated keyword from .desktop file.

31 July 2012: Wouter
	- Fixup uniqueid for Mountain Lion OSX 10.8 release, you have to
	  run the installer again (upgrade or uninstall-reinstall).

2 July 2012: Wouter
	- Fix networkmanager hook to detect if it has to use the new
	  commandline syntax of networkmanager 0.9.4.

15 June 2012: Wouter
	- Fix crash on read of ssl443 entry without a hash.
	- Squelch address family not supported errors (on low verbosity).

8 June 2012: Wouter
	- Fix OSX user panel stop and start in reinstall, also fix for double
	  popups during reinstall.
	- lint clean.

7 June 2012: Wouter
	- tag 0.11 release.
	- trunk is 0.12 is development.
	- log correct type in timeout for TXT.
	- restart panels on install on OSX.

6 June 2012: Wouter
	- fix permissions on root key for OSX.

5 June 2012: Wouter
	- wait for old daemon to stop in osx install at setdns.sh.
	- fix OSX unbound to be able to write root.key from the chroot.
	- manpage for check-updates option.

1 June 2012: Wouter
	- Http redirect support, for plain http check, in case hotspot has
	  a proxy that starts giving the internet contents.
	- GUI for OSX for software updates.
	- fix osx execl for software install.
	- update tray icon for osx software install.
	- fix osx comma in multiple DNS servers.
	- fix update installer

31 May 2012: Wouter
	- Fix bug in processing tray icon results from daemon.
	- url can contain numerical IP address and port number, in http
	  implementation.

22 May 2012: Wouter
	- Fix windows upgrade to preserve config files and to preserve the
	  installed (or not-installed) startmenu links.
	- Fix to not mess up the config files on a reinstall on windows.

21 May 2012: Wouter
	- windows runs installer from userspace.
	- windows dnssectrigger depends on unbound for boot invocation,
	  this fixes an error where it cannot tell unbound what to do.
	- fix updater for double callback due to retry and double reply.
	- fix slash in downloaded file and executed file (windows).
	- linebuffer for dnssec-trigger-control stdout, for results printout.

18 May 2012: Wouter
	- improved printout of SSL_ERROR_SYSCALL errors.
	- do not print interface-unknown and conn-reset errors upon system
	  restart for windows, only printed on high verbosity.

2 April 2012: Wouter
	- Remove debug print from update code.
	- Add debug prints to update code.
	- Fix FIONBIO error on windows.

30 March 2012: Wouter
	- windows implementation for update dialog and selfupdate.
	- work on osx update dialog and selfupdate.
	- lint clean.

29 March 2012: Wouter
	- fix exit of panel and threads
	- fix read multiple persist actions in one SSL packet frame.
	- gtk gui to ask for install of new software.  No unix action exists.

26 March 2012: Wouter
	- lock unlock and delete at exit of panel is improved.

15 March 2012: Wouter
	- configure windows detects GetAdaptersAdresses (XP and later).
	- snapshot for test.
	- Fix compatibility with VirtualBox on Windows, that messes with the
	  network adapters.  Solution works on windows XP and later (detected
	  by configure).
	- Fix trayicon on windows high DPI settings to look better.
	- silence connect() http errors, unless verbosity 2.
	- stop other download if one succeeds (happy eyeballs) on selfupdate.

13 March 2012: Wouter
	- self update work.

12 March 2012: Wouter
	- self update work.

9 March 2012: Wouter
	- update osx config to new config template.
	- login-command and login-location man page entries.
	- windows shows browser on login.
	- debug prints removed from http.

8 March 2012: Wouter
	- OSX GUI for no web access dialog.
	- OSX update dnssec-trigger.conf with new url settings.
	- OSX fix the double-window shown bug, bug in NSWindow deminiaturize func.
	- open web browser to login to a hot spot.

7 March 2012: Wouter
	- print syntax error for url config items.
	- skip_http control command.
	- raise dialog to top on GTK.
	- GTK gui for hot spot sign on.
	- workon windows GUI for no web hot spot sign on.

6 March 2012: Wouter
	- Fix memleak in new config url content.
	- Fix probe count when http is done.
	- probe logic that keeps track of http_insecure mode.
	- retry every 10 seconds for 5 minutes in http_insecure mode.
	- fix test_tcp, test_ssl, unsafe commands.
	- fix to show failed address lookups in probe results.

5 March 2012: Wouter
	- distinguish 2xx, 3xx and other (404) http rcodes.
	- config file contains the expected content of the urls.
	- ssl can list multiple hashes (for certificate rollover).

2 March 2012: Wouter
	- http check is performed, nonblocking.  Lookup of addres(es), A, AAAA
	  to the (up to 5) DHCP DNS resolvers.  3 urls are checked, until one
	  connects, then it checks content.  IP4 and IP6, until first works.
	- url for ster.nlnetlabs.nl and fedoraproject.org added in config.
	- absolute sbindir in netconfig hooks.

23 Feb 2012: Wouter
	- fedora package files updated.

22 Feb 2012: Wouter
	- Fix Fedora bug with no DNS servers in resolv.conf with absolute path
	  in networkmanager hook script.
	- The .desktop entry name without 'panel'.

17 Feb 2012: Wouter
	- and osx status icon file changed.
	- release 0.10
	- trunk is 0.11 under development.

16 Feb 2012: Wouter
	- Do not show the insecure and hotspot windows at the same time.
	- Fix for OSX to show the popups on top of the other windows.
	- alert icon easier to read.

25 Jan 2012: Wouter
	- version set to 0.10: dnssec-trigger is experimental.

23 Jan 2012: Wouter
	- updated acx.nlnetlabs.m4 for gcc 4.6 compat for portability tests.

19 Jan 2012: Wouter
	- show package version in probe results dialog.

17 Jan 2012: Wouter
	- do not just refresh the systray, but entire desktop (for windows).
	- fix dnssec-trigger-control error printout if SSL files fail.
	- dnssec-trigger-control uses registry config location (for windows).
	- install script removes leftover trayicons using direct windows API.

14 Jan 2012: Wouter
	- show version number in add-removeprograms configpanel (windows).
	- refresh systray after install to solve stray tray icon (for windows).

13 Jan 2012: Wouter
	- Use Processes.dll code (can be freely used, source provided) for
	  kill process in windows NSIS installer.  Compiled to 6kb (not 50kb).
	  Processes.dll was made by Andrei Ciubotaru.
	- Attempt to add DHCPv6 support for windows.
	- If hotspot-signon, set override servers right away on a network
	  change, so the user does not have to wait for 10 seconds after a
	  change of the wifi.

10 Jan 2012: Wouter
	- truncate pidfile portable to windows.

6 Jan 2012: Wouter
	- truncate pidfile (just like NSD fix, in case directory not owned).

19 Dec 2011: Wouter
	- wait some more during reinstall on windows, to help race condition.
	- release 0.9
	- trunk is 1.0 under development.

16 Dec 2011: Wouter
	- attempt to fix endless loop on windows (reported by Alan Clegg).
	- windows installer waits for services to come to a full stop.

15 Dec 2011: Wouter
	- detailprints in windows installer and uninstaller.
	- stoppanels waits for the connection of the panel to close, this
	  may remove re-install race conditions.

14 Dec 2011: Wouter
	- Set hook throttleinterval to 1 second, this reduces the osx wakeup
	  and bootup wrong probes because the hook was throttled for 10 seconds.

13 Dec 2011: Wouter
	- release 0.8.
	- trunk is 0.9 under development.

12 Dec 2011: Wouter
	- Fix apple brick by installer, because of tarfile inclusion of
	  extended attributes that overwrote system dir extended attributes.

5 Dec 2011: Wouter
	- sigHUP reloads config and reopens logfile for log rotation support.
	- acxnlnetlabs updated to version 17.
	- fix fedora16 windows crosscompile.
	- fix double definition of malloc.

2 Dec 2011: Wouter
	- configure generated with autoconf 2.6.8.

30 Nov 2011: Wouter
	- Fix where race condition could cause blacklist of open resolver.
	- Fix to flush_infra and flush_requestlist when we use open resolver,
	  the proxy that causes this to be used as fallback has polluted those
	  entries (possibly).

29 Nov 2011: Wouter
	- Fix bug where no IPv6 causes wrong test results, notably SSL, due
	  to the error report code.

13 Nov 2011: Wouter
	- control unsafe shows the dialog popup again.

9 Nov 2011: Wouter
	- Fix that if network down (nothing pings) then it picks disconnect,
	  for slow bootup where the machine has the previous network settings.

8 Nov 2011: Wouter
	- the test_tcp and test_ssl command do not have the 20-sec tcpretry
	  once timer, so that the test can try unbound.
	- config for new open resolver (port 80 TCP, port 443 SSL).  No more
	  probe plain tcp on port 443.

7 Nov 2011: Wouter
	- fixed the OSX installer problem, launchd does not load userspace
	  agents without hacks, and has side-effects that enables boot-start.
	- more detailed logging at verbosity 4 (prints wire and dig output).

4 Nov 2011: Wouter
	- on OSX update config if old (no ssl443).
	- on OSX install config file before attempting to modify it.

3 Nov 2011: Wouter
	- remove error dialog at end of osx install.

2 Nov 2011: Wouter
	- check ssl fingerprint of servers.
	- remind user on make install about ssl443.

1 Nov 2011: Wouter
	- probe ssl servers (nlnetlabs default server configured).

31 Oct 2011: Wouter
	- do not log errors for unclean ssl close.

28 Oct 2011: Wouter
	- documentation fixes
	- osx dmg install fix for 10.6 packager (start of userspace panel).
	  also framework for debug logging in postflight of packager.
	  10.6 packages work on 10.7.  10.7 packages work on 10.7.
	- tag 0.7
	- trunk is 0.8 under development.
	- macinstall, launch unbound-anchor at boot (update if offline months)
	- echo in Makefile and newline if no probe performed.

27 Oct 2011: Wouter
	- osx dmg install and uninstall works.
	- for caches, also test if NSEC3 is present for QTYPE=NULL nodata.

26 Oct 2011: Wouter
	- uninstall command for OSX (put in the DMG).

25 Oct 2011: Wouter
	- fix echo at end of make install.
	- osx makepackage, donated by Carsten Strotmann.

22 Oct 2011: Wouter
	- fix unknown options for dnssec-trigger-panel, prints version too.

21 Oct 2011: Wouter
	- Add @ to echo in Makefile.
	- print error on control unknown command, and exit status 1.
	- tag 0.6
	- trunk is 0.7 under development.
	- fix that setup hint is not printed on a reinstall.
	- stop executables before re-install of dnssec-trigger.
	- tested to work on winXP (thanks Jan-Piet Mens).
	- fix printout of 1970 date, instead that no probe was performed.

18 Oct 2011: Wouter
	- Manpage fixes
	- can build outside of sourcedir.
	- libappindicator support, for Ubuntu Unity desktop GUI.

17 Oct 2011: Wouter
	- Fix insecure mode after dnstcp443 has been probed.
	- Fix OS-race on Linux/BSD, it sets immutable settings on install, and
	  checks this regularly (and fixes if necessary).

13 Oct 2011: Wouter
	- the dnssec-trigger-panel (gtk2) works on the XFCE desktop.
	- windows package works, tested Vista.
	- osx fix for insecure mode.

12 Oct 2011: Wouter
	- makes resolv.conf immutable and restores on uninstall.

10 Oct 2011: Wouter
	- detect transparent proxies and avoid them.

29 Sep 2011: Wouter
	- mac cocoa gui for hotspot signon.
	- 0.5 release.

28 Sep 2011: Wouter
	- nsis uninstall welcome image.
	- gtk menu item and dialog for hotspot signon.
	- win32 menu item and dialog for hotspot signon.
	- install unbound with dnssec-trigger on windows.  Reduced install
	  size and available for configuration by installer.exe.

27 Sep 2011: Wouter
	- for windows, get unbound-control config and path from registry.
	- new IP6 address for the service at nlnetlabs.
	- fix for windows busy loop in dnssectriggerd.
	- do not log error for RPC server not started in windows.

26 Sep 2011: Wouter
	- tentative fix for windows loop bug: if wlanapi.dll does not load.

23 Sep 2011: Wouter
	- windows README is a proper .txt files for dos.
	- 0.4 release.
	- trunk is 0.5 in development.

22 Sep 2011: Wouter
	- dnssec-trigger-control reprobe command from the commandline.
	- dnssec-trigger-control hotspot_signon, forces insecure mode for
	  a sign-on.  The reprobe command can be used to stop forced_insecure.
	- added probe tcp80 and tcp443 as last resort.
	- retry for insecure and disconnect cases with exponential backoff,
	  start 10 seconds, max 24h.
	- tcp retry after 20 seconds, in case more opens up or it was slow.

21 Sep 2011: Wouter
	- ignore UDP without QR flag: some DNS caches send echoes of the query
	  back initially.  If we ignore them we catch a (100 msec later)
	  correct answer later.  (or timeout if no answer comes).
	- if probe is in progress it prints that in status.
	- if no DNS servers via DHCP it prints that in status.
	- antialiased fonts in windows native gui.

20 Sep 2011: Wouter
	- fix configure --with-gui, it did not change the gui but hooks.
	- refactor GUI panel SSL feed to be more portable.
	- fix stop command.
	- native windows GUI.
	- status 'dark' is now called 'nodnssec'.

19 Sep 2011: Wouter
	- fix so that if it cannot bind socket the server fails to start.
	- fix so that on OSX no zombie process remains.
	- kill -HUP performs a reload on UNIX. It only reload the strings
	  and that config, it keeps the running probe results and open
	  sockets to panels and certificates.
	- include pangorc, pango.modules, loaders.cache (for gdk) and
	  the pango-basic-win32.dll and gdk png loader dll (if present)
	  in the windows installer.
	- panel.exe uses the windows gui subsystem.  Include more pixloaders.
	- added fedora spec and init script.

16 Sep 2011: Wouter
	- fix OSX get of DHCP options to use ipconfig API instead of faulty
	  awk parse.

15 Sep 2011: Wouter
	- fix makefile dependencies for sed-ed output.
	- tag 0.3. (0.2 was distributed with different contents).
	- trunk has 0.4

14 Sep 2011: Wouter
	- icons in higher bitdepth, install and uninstall icons.
	- stoppanels control command for installers to update that panel exe.
	- tag 0.2
	- trunk has 0.3

13 Sep 2011: Wouter
	- pick up SSID (for windows, OSX) to filter trigger with, so an SSID
	  change from the wlan triggers a reprobe.
	- set windres resource files, icons, log-format, useradmpermission
	  and setup.exe script with NSIS, it includes dlls.

12 Sep 2011: Wouter
	- fix fd leaked every second by panel if the daemon was down.
	- more robust outq_delete function in code notation.
	- do not print ID values if mismatch (enabled on verbosity 4).
	- print time of probe with results.
	- fix double-close of FD in acceptfailure case.
	- close log file when daemon exits.

9 Sep 2011: Wouter
	- can override nameserver settings on windows (needs administrator
	  permissions) and clears them away (back to the default) on exit.
	- fix not enough detection of network changes on OSX.
	- get a probe after start on OSX.
	- fix submit of disconnect state, submit "".
	- fix resolvconf writes on OSX: more chance of winning resolv.conf
	  which is a small race what with setting scutil at the same time,
	  and sets it after userlogin because OSX reprobes at user login.

8 Sep 2011: Wouter
	- Fix that windows DHCP hook fires less often: only if list of network
	  and GUID of adapter and IPs changes.
	- unbound-control execute hook.
	- reshook for windows.

7 Sep 2011: Wouter
	- dnssec-triggerd can run as a windows service.
	- windows DHCP hook on network changes.
	- support nm-tool NetworkManager (older version).

6 Sep 2011: Wouter
	- dnssec-trigger-keygen that works without shellscripts.  Can also
	  generate for unbound.
	- keygen for windows compiled (it works on other ports, but they have
	  shell scripts).

2 Sep 2011: Wouter
	- GUI tray icon works on windows.
	- minimal theme on windows.

1 Sep 2011: Wouter
	- install backups and uninstall restores resolv.conf.
	- watch on OSX the network.plist and airport.plist files and not
	  the entire directory, which changes too often.
	- README and BSD LICENSE.
	- renamed plist nl.nlnetlabs.x

31 Aug 2011: Wouter
	- cocoa and gtk build and install and uninstall make targets
	- GTK autostart .desktop entry.
	- man page.

30 Aug 2011: Wouter
	- osx xcode status item.
	- you can test the Cocoa GUI with: cd osx/RiggerStatusItem/
	  Build/Release and then open RiggerStatusItem.app --args -c /full/
	  path/to/test.conf.  And have full paths inside test.conf as well.

26 Aug 2011: Wouter
	- status control command shows the latest probe results (and exits).
	- use full path for unbound-control (for install in /opt of unbound).
	- icons at 22px on OSX.
	- osx dir and osx fixes: full paths, flush cache when secure again.
	- use scutil to set DNS on osx.

25 Aug 2011: Wouter
	- OSX launchd and loginitem installed.

24 Aug 2011: Wouter
	- configure fixed --with.. and test for sleep and random.

23 Aug 2011: Wouter
	- configure adapted for windows compile.
	- panel compiles and GUI shows with libGTK+-2.0 on windows.

18 Aug 2011: Wouter
	- INSTALL instructions.
	- fixed for ldns linkage.
	- fix generated key permissions, world readable for user keys.
	- tag 0.1

17 Aug 2011: Wouter
	- noaction option that takes no action but pretends.
	- fix linefeed in resolv.conf printout.
	- unsafe test option works reliably.
	- fix dialog destroy that deletes the dialog.
	- alert icon has nicer exclamation mark.
	- added configfile and example.conf.
	- Reprobe command.

16 Aug 2011: Wouter
	- detect localhost in DHCP DNS servers and skip them, because a loop
	  from the resolver to itself is not good.  Since localhost resolver
	  may probe as a good DNS cache itself easily.
	- can detect network disconnect and acts appropriately (very quiet).
	- fix bug with active number of connections.
	- fix nice exit for panel on quit.
	- present insecure or disconnect choice.
	- unbound control hooks.
	- resolv.conf hooks.

15 Aug 2011: Wouter
	- log with time in readable format (to logfile), detects strftime.
	- removed debug printouts.
	- menu is positioned neatly under the statusicon.
	- result window has icon set and a title.
	- fix unref for result_window by reffing it in the init function.
	- stop using deprecated glib function for tooltip.
	- lint fixes.
	- can handle NSEC DS denials if a zone is (temporarily) insecure,
	  detects that the denial is from the parent and contains NSEC.

12 Aug 2011: Wouter
	- persistant SSL connections to the server.

11 Aug 2011: Wouter
	- detection probes code.

10 Aug 2011: Wouter
	- working osx script, netconfig script and networkmanager script.

9 Aug 2011: Wouter
	- daemon code.

8 Aug 2011: Wouter
	- import of mismash of files from Unbound (BSD licensed).