Bump debian version.

.gitignore

@@ -0,0 +1,13 @@
+src/*.o
+src/*.mo
+src/dnsmasq.pot
+src/dnsmasq
+src/.configured
+contrib/wrt/dhcp_lease_time
+contrib/wrt/dhcp_release
+debian/base/
+debian/daemon/
+debian/files
+debian/substvars
+debian/utils-substvars
+debian/utils/

CHANGELOG

@@ -3,6 +3,12 @@ version 2.65
 	    TCP which are not for A and AAAA and which were directed to
 	    non-default servers. Thanks to Niax for the bug report.
 
+	    Fix failure to build with DHCP support excluded. Thanks to 
+	    Gustavo Zacarias for the patch.
+	    
+	    Fix nasty regression in 2.64 which completely broke cacheing.
+
+
 version 2.64
             Handle DHCP FQDN options with all flag bits zero and
             --dhcp-client-update set. Thanks to Bernd Krumbroeck for

bld/get-version

@@ -17,7 +17,7 @@ elif grep '\$Format:%d\$' $1/VERSION >/dev/null 2>&1; then
 # unsubstituted VERSION, but no git available.
     echo UNKNOWN
 else
-     vers=`cat $1/VERSION | sed 's/[(), ]/,/ g' | tr ',' '\n' | grep $v[0-9]`
+     vers=`cat $1/VERSION | sed 's/[(), ]/,/ g' | tr ',' '\n' | grep ^v[0-9]`
 
      if [ $? -eq 0 ]; then
          echo "${vers}" | sort | head -n 1 | sed 's/^v//'

debian/changelog

@@ -1,8 +1,14 @@
+dnsmasq (2.66-1) unstable; urgency=low
+
+   * New upstream.
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Fri, 14 Dec 2012 11:58:41 +0000
+
 dnsmasq (2.65-1) unstable; urgency=low
 
    * New upstream.
 
- -- Simon Kelley <simon@thekelleys.org.uk>  Tue, 4 Dec 2012 20:58:12 +0000
+ -- Simon Kelley <simon@thekelleys.org.uk>  Fri, 14 Dec 2012 11:34:12 +0000
 
 dnsmasq (2.64-1) unstable; urgency=low
 

src/auth.c

@@ -72,7 +72,7 @@ static int in_zone(struct auth_zone *zone, char *name, char **cut)
 }
 
 
-size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now) 
+size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr) 
 {
   char *name = daemon->namebuff;
   unsigned char *p, *ansp;
@@ -84,7 +84,13 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
   struct auth_zone *zone = NULL;
   struct subnet *subnet = NULL;
   char *cut;
-
+  struct mx_srv_record *rec, *move, **up;
+  struct txt_record *txt;
+  struct interface_name *intr;
+  struct naptr *na;
+  struct all_addr addr;
+  struct cname *a;
+  
   if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
     return 0;
   
@@ -99,13 +105,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
     {
       unsigned short flag = 0;
       int found = 0;
-      struct mx_srv_record *rec, *move, **up;
-      struct txt_record *txt;
-      struct interface_name *intr;
-      struct naptr *na;
-      struct all_addr addr;
-      struct cname *a;
-
+  
       /* save pointer to name for copying into answers */
       nameoffset = p - (unsigned char *)header;
 
@@ -345,30 +345,62 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	flag = F_IPV6;
 #endif
 
-      if (qtype == T_SOA && !cut)
+      if (!cut)
 	{
-	  soa = 1; /* inhibits auth section */
-	  found = 1;
-	  log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<SOA>");
+	  nxdomain = 0;
+	  
+	  if (qtype == T_SOA)
+	    {
+	      soa = 1; /* inhibits auth section */
+	      found = 1;
+	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<SOA>");
+	    }
+      	  else if (qtype == T_AXFR)
+	    {
+	      if (daemon->auth_peers)
+		{
+		  struct iname *peers;
+		  
+		  if (peer_addr->sa.sa_family == AF_INET)
+		    peer_addr->in.sin_port = 0;
+#ifdef HAVE_IPV6
+		  else
+		    peer_addr->in6.sin6_port = 0; 
+#endif
+		  
+		  for (peers = daemon->auth_peers; peers; peers = peers->next)
+		    if (sockaddr_isequal(peer_addr, &peers->addr))
+		      break;
+		  
+		  if (!peers)
+		    {
+		      if (peer_addr->sa.sa_family == AF_INET)
+			inet_ntop(AF_INET, &peer_addr->in.sin_addr, daemon->addrbuff, ADDRSTRLEN);
+#ifdef HAVE_IPV6
+		      else
+			inet_ntop(AF_INET6, &peer_addr->in6.sin6_addr, daemon->addrbuff, ADDRSTRLEN); 
+#endif
+		      
+		      my_syslog(LOG_WARNING, _("ignoring zone transfer request from %s"), daemon->addrbuff);
+		      return 0;
+		    }
+		}
+	      
+	      soa = 1; /* inhibits auth section */
+	      ns = 1; /* ensure we include NS records! */
+	      axfr = 1;
+	      found = 1;
+	      axfroffset = nameoffset;
+	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<AXFR>");
+	    }
+      	  else if (qtype == T_NS)
+	    {
+	      ns = 1; /* inhibits auth section */
+	      found = 1;
+	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<NS>"); 
+	    }
 	}
       
-      if (qtype == T_AXFR && !cut)
-	{
-	  soa = 1; /* inhibits auth section */
-	  axfr = 1;
-	  found = 1;
-	  axfroffset = nameoffset;
-	  log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<AXFR>");
-	}
-      
-      if (qtype == T_NS && !cut)
-	{
-	  ns = 1; /* inhibits auth section */
-	  found = 1;
-	  log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<NS>"); 
-	}
-      
-      
       if (!option_bool(OPT_DHCP_FQDN) && cut)
 	{	  
 	  *cut = 0; /* remove domain part */
@@ -423,7 +455,8 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
   if (auth)
     {
       char *authname;
-      
+      int newoffset, offset = 0;
+
       if (!subnet)
 	authname = zone->domain;
       else
@@ -464,17 +497,8 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	}
       
       /* handle NS and SOA in auth section or for explicit queries */
-      if ((anscount != 0 || ns) && 
-	  add_resource_record(header, limit, &trunc, 0, &ansp, 
-			      daemon->auth_ttl, NULL, T_NS, C_IN, "d", authname, daemon->authserver))
-	{
-	  if (ns) 
-	    anscount++;
-	  else
-	    authcount++;
-	}
-      
-      if ((anscount == 0 || soa) &&
+       newoffset = ansp - (unsigned char *)header;
+       if (((anscount == 0 && !ns) || soa) &&
 	  add_resource_record(header, limit, &trunc, 0, &ansp, 
 			      daemon->auth_ttl, NULL, T_SOA, C_IN, "ddlllll",
 			      authname, daemon->authserver,  daemon->hostmaster,
@@ -482,14 +506,149 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 			      daemon->soa_retry, daemon->soa_expiry, 
 			      daemon->auth_ttl))
 	{
+	  offset = newoffset;
 	  if (soa)
 	    anscount++;
 	  else
 	    authcount++;
 	}
+      
+      if (anscount != 0 || ns)
+	{
+	  struct name_list *secondary;
+	  
+	  newoffset = ansp - (unsigned char *)header;
+	  if (add_resource_record(header, limit, &trunc, -offset, &ansp, 
+				  daemon->auth_ttl, NULL, T_NS, C_IN, "d", offset == 0 ? authname : NULL, daemon->authserver))
+	    {
+	      if (offset == 0) 
+		offset = newoffset;
+	      if (ns) 
+		anscount++;
+	      else
+		authcount++;
+	    }
 
+	  if (!subnet)
+	    for (secondary = daemon->secondary_forward_server; secondary; secondary = secondary->next)
+	      if (add_resource_record(header, limit, &trunc, offset, &ansp, 
+				      daemon->auth_ttl, NULL, T_NS, C_IN, "d", secondary->name))
+		{
+		  if (ns) 
+		    anscount++;
+		  else
+		    authcount++;
+		}
+	}
+      
       if (axfr)
 	{
+	  for (rec = daemon->mxnames; rec; rec = rec->next)
+	    if (in_zone(zone, rec->name, &cut))
+	      {
+		if (cut)
+		   *cut = 0;
+
+		if (rec->issrv)
+		  {
+		    if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl,
+					    NULL, T_SRV, C_IN, "sssd", cut ? rec->name : NULL,
+					    rec->priority, rec->weight, rec->srvport, rec->target))
+		      
+		      anscount++;
+		  }
+		else
+		  {
+		    if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl,
+					    NULL, T_MX, C_IN, "sd", cut ? rec->name : NULL, rec->weight, rec->target))
+		      anscount++;
+		  }
+		
+		/* restore config data */
+		if (cut)
+		  *cut = '.';
+	      }
+	      
+	  for (txt = daemon->rr; txt; txt = txt->next)
+	    if (in_zone(zone, txt->name, &cut))
+	      {
+		if (cut)
+		  *cut = 0;
+		
+		if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl,
+					NULL, txt->class, C_IN, "t",  cut ? txt->name : NULL, txt->len, txt->txt))
+		  anscount++;
+		
+		/* restore config data */
+		if (cut)
+		  *cut = '.';
+	      }
+	  
+	  for (txt = daemon->txt; txt; txt = txt->next)
+	    if (txt->class == C_IN && in_zone(zone, txt->name, &cut))
+	      {
+		if (cut)
+		  *cut = 0;
+		
+		if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl,
+					NULL, T_TXT, C_IN, "t", cut ? txt->name : NULL, txt->len, txt->txt))
+		  anscount++;
+		
+		/* restore config data */
+		if (cut)
+		  *cut = '.';
+	      }
+	  
+	  for (na = daemon->naptr; na; na = na->next)
+	    if (in_zone(zone, na->name, &cut))
+	      {
+		if (cut)
+		  *cut = 0;
+		
+		if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, daemon->auth_ttl, 
+					NULL, T_NAPTR, C_IN, "sszzzd", cut ? na->name : NULL,
+					na->order, na->pref, na->flags, na->services, na->regexp, na->replace))
+		  anscount++;
+		
+		/* restore config data */
+		if (cut)
+		  *cut = '.'; 
+	      }
+	  
+	  for (intr = daemon->int_names; intr; intr = intr->next)
+	    if (in_zone(zone, intr->name, &cut) && (addr.addr.addr4 = get_ifaddr(intr->intr)).s_addr != (in_addr_t) -1)
+	      {
+		if (cut)
+		  *cut = 0;
+		
+		if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
+					daemon->auth_ttl, NULL, T_A, C_IN, "4", cut ? intr->name : NULL, &addr))
+		  anscount++;
+		
+		/* restore config data */
+		if (cut)
+		  *cut = '.'; 
+	      }
+	  
+	  for (a = daemon->cnames; a; a = a->next)
+	    if (in_zone(zone, a->alias, &cut))
+	      {
+		strcpy(name, a->target);
+		if (!strchr(name, '.'))
+		  {
+		    strcat(name, ".");
+		    strcat(name, zone->domain);
+		  }
+		
+		if (cut)
+		  *cut = 0;
+		
+		if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
+					daemon->auth_ttl, NULL,
+					T_CNAME, C_IN, "d",  cut ? a->alias : NULL, name))
+		  anscount++;
+	      }
+	
 	  cache_enumerate(1);
 	  while ((crecp = cache_enumerate(0)))
 	    {
@@ -525,20 +684,12 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 			    qtype = T_AAAA;
 #endif
 			   if (cut)
-			     {
-			       *cut = 0;
-			       if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
-						       daemon->auth_ttl, NULL, qtype, C_IN, 
-						       (crecp->flags & F_IPV4) ? "4" : "6", name, &crecp->addr))
-				 anscount++;
-			     }
-			   else
-			     {
-			       if (add_resource_record(header, limit, &trunc, axfroffset, &ansp, 
-						       daemon->auth_ttl, NULL, qtype, C_IN, 
-						       (crecp->flags & F_IPV4) ? "4" : "6", &crecp->addr))
-				 anscount++;  
-			     }
+			     *cut = 0;
+
+			   if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
+						   daemon->auth_ttl, NULL, qtype, C_IN, 
+						   (crecp->flags & F_IPV4) ? "4" : "6", cut ? name : NULL, &crecp->addr))
+			     anscount++;
 			}
 		    }
 		}
@@ -555,7 +706,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	
 	}
   
-    }
+}
   
   /* done all questions, set up header and return length of result */
   /* clear authoritative and truncated flags, set QR flag */

src/cache.c

@@ -394,7 +394,7 @@ struct crec *cache_insert(char *name, struct all_addr *addr,
   int freed_all = flags & F_REVERSE;
   int free_avail = 0;
 
-  if(daemon->max_cache_ttl < ttl)
+  if (daemon->max_cache_ttl != 0 && daemon->max_cache_ttl < ttl)
     ttl = daemon->max_cache_ttl;
 
   /* Don't log keys */

src/dnsmasq.h

@@ -755,13 +755,15 @@ extern struct daemon {
   char *lease_file; 
   char *username, *groupname, *scriptuser;
   char *luascript;
-  char *authserver, *authinterface, *hostmaster;
+  char *authserver, *hostmaster;
+  struct iname *authinterface;
+  struct name_list *secondary_forward_server;
   int group_set, osport;
   char *domain_suffix;
   struct cond_domain *cond_domain;
   char *runfile; 
   char *lease_change_command;
-  struct iname *if_names, *if_addrs, *if_except, *dhcp_except;
+  struct iname *if_names, *if_addrs, *if_except, *dhcp_except, *auth_peers;
   struct bogus_addr *bogus_addr;
   struct server *servers;
   int log_fac; /* log facility */
@@ -901,14 +903,14 @@ size_t resize_packet(struct dns_header *header, size_t plen,
 size_t add_mac(struct dns_header *header, size_t plen, char *limit, union mysockaddr *l3);
 int add_resource_record(struct dns_header *header, char *limit, int *truncp,
 			int nameoffset, unsigned char **pp, unsigned long ttl, 
-			unsigned int *offset, unsigned short type, unsigned short class, char *format, ...);
+			int *offset, unsigned short type, unsigned short class, char *format, ...);
 unsigned char *skip_questions(struct dns_header *header, size_t plen);
 int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, 
 		 char *name, int isExtract, int extrabytes);
 int in_arpa_name_2_addr(char *namein, struct all_addr *addrp);
 
 /* auth.c */
-size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now);
+size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr);
 
 /* util.c */
 void rand_init(void);

src/forward.c

@@ -814,7 +814,7 @@ void receive_query(struct listener *listen, time_t now)
 
   if (auth_dns)
     {
-      m = answer_auth(header, ((char *) header) + PACKETSZ, (size_t)n, now);
+      m = answer_auth(header, ((char *) header) + PACKETSZ, (size_t)n, now, &source_addr);
       if (m >= 1)
 	send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
 		  (char *)header, m, &source_addr, &dst_addr, if_index);
@@ -904,7 +904,7 @@ unsigned char *tcp_request(int confd, time_t now,
 	dst_addr_4.s_addr = 0;
       
       if (auth_dns)
-	m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now);
+	m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr);
       else
 	{
 	  /* m > 0 if answered from cache */
@@ -1043,7 +1043,8 @@ unsigned char *tcp_request(int confd, time_t now,
       
       c1 = m>>8;
       c2 = m;
-      if (!read_write(confd, &c1, 1, 0) ||
+      if (m == 0 ||
+	  !read_write(confd, &c1, 1, 0) ||
 	  !read_write(confd, &c2, 1, 0) || 
 	  !read_write(confd, packet, m, 0))
 	return packet;

src/lease.c

@@ -420,6 +420,11 @@ void lease_update_dns(int force)
 
   if (daemon->port != 0 && (dns_dirty || force))
     {
+#ifndef HAVE_BROKEN_RTC
+      /* force transfer to authoritative secondaries */
+      daemon->soa_sn++;
+#endif
+      
       cache_unhash_dhcp();
 
       for (lease = leases; lease; lease = lease->next)

src/network.c

@@ -114,17 +114,9 @@ int iface_check(int family, struct all_addr *addr, char *name, int *auth)
 
   /* Note: have to check all and not bail out early, so that we set the
      "used" flags. */
-
+  
   if (auth)
-    {
-      if (daemon->authinterface && strcmp(daemon->authinterface, name) == 0)
-	{
-	  *auth = 1;
-	  return 1;
-	}
-      else 
-	*auth = 0;
-    }	
+    *auth = 0;
   
   if (daemon->if_names || daemon->if_addrs)
     {
@@ -134,25 +126,48 @@ int iface_check(int family, struct all_addr *addr, char *name, int *auth)
 	if (tmp->name && (strcmp(tmp->name, name) == 0))
 	  ret = tmp->used = 1;
 	        
-      for (tmp = daemon->if_addrs; tmp; tmp = tmp->next)
-	if (tmp->addr.sa.sa_family == family)
-	  {
-	    if (family == AF_INET &&
-		tmp->addr.in.sin_addr.s_addr == addr->addr.addr4.s_addr)
-	      ret = tmp->used = 1;
+      if (addr)
+	for (tmp = daemon->if_addrs; tmp; tmp = tmp->next)
+	  if (tmp->addr.sa.sa_family == family)
+	    {
+	      if (family == AF_INET &&
+		  tmp->addr.in.sin_addr.s_addr == addr->addr.addr4.s_addr)
+		ret = tmp->used = 1;
 #ifdef HAVE_IPV6
-	    else if (family == AF_INET6 &&
-		     IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr, 
-					&addr->addr.addr6))
-	      ret = tmp->used = 1;
+	      else if (family == AF_INET6 &&
+		       IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr, 
+					  &addr->addr.addr6))
+		ret = tmp->used = 1;
 #endif
-	  }          
+	    }          
     }
   
   for (tmp = daemon->if_except; tmp; tmp = tmp->next)
     if (tmp->name && (strcmp(tmp->name, name) == 0))
       ret = 0;
     
+
+  for (tmp = daemon->authinterface; tmp; tmp = tmp->next)
+    if (tmp->name)
+      {
+	if (strcmp(tmp->name, name) == 0)
+	  break;
+      }
+    else if (addr && tmp->addr.sa.sa_family == AF_INET && family == AF_INET &&
+	     tmp->addr.in.sin_addr.s_addr == addr->addr.addr4.s_addr)
+      break;
+#ifdef HAVE_IPV6
+    else if (addr && tmp->addr.sa.sa_family == AF_INET6 && family == AF_INET6 &&
+	     IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr, &addr->addr.addr6))
+      break;
+#endif      
+
+  if (tmp && auth) 
+    {
+      *auth = 1;
+      ret = 1;
+    }
+
   return ret; 
 }
       

src/option.c

@@ -123,8 +123,10 @@ struct myoption {
 #define LOPT_MAXCTTL   312
 #define LOPT_AUTHZONE  313
 #define LOPT_AUTHSERV  314
-#define LOPT_AUTHTTL  315
+#define LOPT_AUTHTTL   315
 #define LOPT_AUTHSOA   316
+#define LOPT_AUTHSFS   317
+#define LOPT_AUTHPEER  318
 
 #ifdef HAVE_GETOPT_LONG
 static const struct option opts[] =  
@@ -255,6 +257,8 @@ static const struct myoption opts[] =
     { "auth-server", 1, 0, LOPT_AUTHSERV },
     { "auth-ttl", 1, 0, LOPT_AUTHTTL },
     { "auth-soa", 1, 0, LOPT_AUTHSOA },
+    { "auth-sec-servers", 1, 0, LOPT_AUTHSFS },
+    { "auth-peer", 1, 0, LOPT_AUTHPEER }, 
     { NULL, 0, 0, 0 }
   };
 
@@ -391,6 +395,8 @@ static struct {
   { LOPT_AUTHZONE, ARG_DUP, "<domain>,<subnet>[,<subnet>]", gettext_noop("Domain to export to global DNS"), NULL },
   { LOPT_AUTHTTL, ARG_ONE, "<integer>", gettext_noop("Set TTL for authoritative replies"), NULL },
   { LOPT_AUTHSOA, ARG_ONE, "<serial>[,...]", gettext_noop("Set authoritive zone information"), NULL },
+  { LOPT_AUTHSFS, ARG_DUP, "<NS>[,<NS>...]", gettext_noop("Secondary authoritative nameservers for forward domains"), NULL },
+  { LOPT_AUTHPEER, ARG_DUP, "<ipaddr>[,<ipaddr>...]", gettext_noop("Peers which are allowed to do zone transfer"), NULL },
   { 0, 0, NULL, NULL, NULL }
 }; 
 
@@ -617,24 +623,6 @@ static void do_usage(void)
 
 #define ret_err(x) do { strcpy(errstr, (x)); return 0; } while (0)
 
-#ifdef HAVE_DHCP
-
-static int is_tag_prefix(char *arg)
-{
-  if (arg && (strstr(arg, "net:") == arg || strstr(arg, "tag:") == arg))
-    return 1;
-  
-  return 0;
-}
-
-static char *set_prefix(char *arg)
-{
-   if (strstr(arg, "set:") == arg)
-     return arg+4;
-   
-   return arg;
-}
-
 char *parse_server(char *arg, union mysockaddr *addr, union mysockaddr *source_addr, char *interface, int *flags)
 {
   int source_port = 0, serv_port = NAMESERVER_PORT;
@@ -722,6 +710,24 @@ char *parse_server(char *arg, union mysockaddr *addr, union mysockaddr *source_a
   return NULL;
 }
 
+#ifdef HAVE_DHCP
+
+static int is_tag_prefix(char *arg)
+{
+  if (arg && (strstr(arg, "net:") == arg || strstr(arg, "tag:") == arg))
+    return 1;
+  
+  return 0;
+}
+
+static char *set_prefix(char *arg)
+{
+   if (strstr(arg, "set:") == arg)
+     return arg+4;
+   
+   return arg;
+}
+
 /* This is too insanely large to keep in-line in the switch */
 static int parse_dhcp_opt(char *errstr, char *arg, int flags)
 {
@@ -1525,7 +1531,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	    new->next = daemon->dhcp_hosts_file;
 	    daemon->dhcp_hosts_file = new;
 	  }
-	else if (option ==  LOPT_DHCP_OPTS)
+	else if (option == LOPT_DHCP_OPTS)
 	  {
 	    new->next = daemon->dhcp_opts_file;
 	    daemon->dhcp_opts_file = new;
@@ -1538,10 +1544,44 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	ret_err(gen_err);
       
       daemon->authserver = opt_string_alloc(arg);
-      daemon->authinterface = opt_string_alloc(comma);
-      
+      arg = comma;
+      do {
+	struct iname *new = opt_malloc(sizeof(struct iname));
+	comma = split(arg);
+	new->name = NULL;
+	unhide_metas(arg);
+	if ((new->addr.in.sin_addr.s_addr = inet_addr(arg)) != (in_addr_t)-1)
+	  new->addr.sa.sa_family = AF_INET;
+#ifdef HAVE_IPV6
+	else if (inet_pton(AF_INET6, arg, &new->addr.in6.sin6_addr) > 0)
+	  new->addr.sa.sa_family = AF_INET6;
+#endif
+	else
+	  new->name = opt_string_alloc(arg);
+	
+	new->next = daemon->authinterface;
+	daemon->authinterface = new;
+	
+	arg = comma;
+      } while (arg);
+            
       break;
-      
+
+    case LOPT_AUTHSFS: /* --auth-sec-servers */
+      {
+	struct name_list *new;
+
+	do {
+	  comma = split(arg);
+	  new = opt_malloc(sizeof(struct name_list));
+	  new->name = opt_string_alloc(arg);
+	  new->next = daemon->secondary_forward_server;
+	  daemon->secondary_forward_server = new;
+	  arg = comma;
+	} while (arg);
+	break;
+      }
+	
     case LOPT_AUTHZONE: /* --auth-zone */
       {
 	struct auth_zone *new;
@@ -1550,7 +1590,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	if (!comma)
 	  ret_err(gen_err);
 	
-	new = safe_malloc(sizeof(struct auth_zone));
+	new = opt_malloc(sizeof(struct auth_zone));
 	new->domain = opt_string_alloc(arg);
 	new->subnet = NULL;
 	new->next = daemon->auth_zones;
@@ -1560,7 +1600,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	  {
 	    int prefixlen = 0;
 	    char *prefix;
-	    struct subnet *subnet =  safe_malloc(sizeof(struct subnet));
+	    struct subnet *subnet =  opt_malloc(sizeof(struct subnet));
 	    
 	    subnet->next = new->subnet;
 	    new->subnet = subnet;
@@ -1639,7 +1679,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	    {
 	      if (comma)
 		{
-		  struct cond_domain *new = safe_malloc(sizeof(struct cond_domain));
+		  struct cond_domain *new = opt_malloc(sizeof(struct cond_domain));
 		  char *netpart;
 
 		  unhide_metas(comma);
@@ -1853,14 +1893,15 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
       }
       
     case 'a':  /* --listen-address */
+    case LOPT_AUTHPEER: /* --auth-peer */
       do {
 	struct iname *new = opt_malloc(sizeof(struct iname));
 	comma = split(arg);
 	unhide_metas(arg);
-	new->next = daemon->if_addrs;
 	if (arg && (new->addr.in.sin_addr.s_addr = inet_addr(arg)) != (in_addr_t)-1)
 	  {
 	    new->addr.sa.sa_family = AF_INET;
+	    new->addr.in.sin_port = 0;
 #ifdef HAVE_SOCKADDR_SA_LEN
 	    new->addr.in.sin_len = sizeof(new->addr.in);
 #endif
@@ -1871,6 +1912,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	    new->addr.sa.sa_family = AF_INET6;
 	    new->addr.in6.sin6_flowinfo = 0;
 	    new->addr.in6.sin6_scope_id = 0;
+	    new->addr.in6.sin6_port = 0;
 #ifdef HAVE_SOCKADDR_SA_LEN
 	    new->addr.in6.sin6_len = sizeof(new->addr.in6);
 #endif
@@ -1880,7 +1922,16 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	  ret_err(gen_err);
 
 	new->used = 0;
-	daemon->if_addrs = new;
+	if (option == 'a')
+	  {
+	    new->next = daemon->if_addrs;
+	    daemon->if_addrs = new;
+	  }
+	else
+	  {
+	    new->next = daemon->auth_peers;
+	    daemon->auth_peers = new;
+	  } 
 	arg = comma;
       } while (arg);
       break;

src/rfc1035.c

@@ -1186,7 +1186,7 @@ int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name,
 }
 
 int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp, 
-			unsigned long ttl, unsigned int *offset, unsigned short type, unsigned short class, char *format, ...)
+			unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...)
 {
   va_list ap;
   unsigned char *sav, *p = *pp;
@@ -1206,7 +1206,9 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
     }
   else
     {
-      p = do_rfc1035_name(p, va_arg(ap, char *));
+      char *name = va_arg(ap, char *);
+      if (name)
+	p = do_rfc1035_name(p, name);
       if (nameoffset < 0)
 	{
 	  PUTSHORT(-nameoffset | 0xc000, p);
@@ -1699,7 +1701,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		  ans = found = 1;
 		  if (!dryrun)
 		    {
-		      unsigned int offset;
+		      int offset;
 		      log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>");
 		      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
 					      &offset, T_MX, C_IN, "sd", rec->weight, rec->target))
@@ -1737,7 +1739,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		    found = ans = 1;
 		    if (!dryrun)
 		      {
-			unsigned int offset;
+			int offset;
 			log_query(F_CONFIG | F_RRNAME, name, NULL, "<SRV>");
 			if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl, 
 						&offset, T_SRV, C_IN, "sssd",