Tighten syntax checking for dhcp-range and clarify man page.

Fix broken DNSMASQ_USER<x> envvars in script with more than one class.
Tidy parsing code.
2016-03-03 20:33:54 +00:00 · 2016-03-01 18:58:01 +00:00 · 2016-03-01 17:06:07 +00:00 · 2016-03-01 17:00:26 +00:00 · 2016-03-01 16:32:30 +00:00 · 2016-03-01 16:19:23 +00:00
63 changed files with 3865 additions and 3108 deletions
--- a/77
+++ b/77
@@ -1,3 +1,80 @@
+version 2.76
+            Include 0.0.0.0/8 in DNS rebind checks. This range 
+	    translates to hosts on  the local network, or, at 
+	    least, 0.0.0.0 accesses the local host, so could
+	    be targets for DNS rebinding. See RFC 5735 section 3 
+	    for details. Thanks to Stephen Röttger for the bug report.
+
+	    Enhance --add-subnet to allow arbitrary subnet addresses.
+            Thanks to Ed Barsley for the patch.
+
+	    Respect the --no-resolv flag in inotify code. Fixes bug
+	    which caused dnsmasq to fail to start if a resolv-file 
+	    was a dangling symbolic link, even of --no-resolv set.
+	    Thanks to Alexander Kurtz for spotting the problem.
+
+	    Fix crash when an A or AAAA record is defined locally,
+	    in a hosts file, and an upstream server sends a reply
+	    that the same name is empty. Thanks to Edwin Török for
+	    the patch.
+
+	    Fix failure to correctly calculate cache-size when 
+	    reading a hosts-file fails. Thanks to André Glüpker 
+	    for the patch.
+
+	    Fix wrong answer to simple name query when --domain-needed
+	    set, but no upstream servers configured. Dnsmasq returned
+	    REFUSED, in this case, when it should be the same as when
+	    upstream servers are configured - NOERROR. Thanks to 
+	    Allain Legacy for spotting the problem.
+
+	    Return REFUSED when running out of forwarding table slots,
+	    not SERVFAIL.
+
+            Add --max-port configuration. Thanks to Hans Dedecker for
+	    the patch.
+
+	    Add --script-arp and two new functions for the dhcp-script.
+	    These are "arp" and "arp-old" which announce the arrival and
+	    removal of entries in the ARP or nieghbour tables.
+
+	    Extend --add-mac to allow a new encoding of the MAC address 
+	    as base64, by configurting --add-mac=base64
+ 
+	    Add --add-cpe-id option.
+
+            Don't crash with divide-by-zero if an IPv6 dhcp-range
+	    is declared as a whole /64.
+	    (ie xx::0 to xx::ffff:ffff:ffff:ffff) 
+	    Thanks to Laurent Bendel for spotting this problem.
+
+	    Add support for a TTL parameter in --host-record and
+	    --cname.
+
+	    Add --dhcp-ttl option.
+
+	    Add --tftp-mtu option. Thanks to Patrick McLean for the 
+	    initial patch.
+
+
+version 2.75
+            Fix reversion on 2.74 which caused 100% CPU use when a 
+	    dhcp-script is configured. Thanks to Adrian Davey for
+	    reporting the bug and testing the fix.
+
+	
+version 2.74
+            Fix reversion in 2.73 where --conf-file would attempt to
+	    read the default file, rather than no file.
+
+	    Fix inotify code to handle dangling symlinks better and
+	    not SEGV in some circumstances.
+
+	    DNSSEC fix. In the case of a signed CNAME generated by a
+	    wildcard which pointed to an unsigned domain, the wrong
+            status would be logged, and some necessary checks omitted.
+	
+
 version 2.73
            Fix crash at startup when an empty suffix is supplied to
 	    --conf-dir, also trivial memory leak. Thanks to 
--- a/5
+++ b/5
@@ -1,4 +1,4 @@
-# dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+# dnsmasq is Copyright (c) 2000-2016 Simon Kelley
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@@ -73,7 +73,8 @@ objs = cache.o rfc1035.o util.o option.o forward.o network.o \
       dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
       helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
       dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
-       domain.o dnssec.o blockdata.o tables.o loop.o inotify.o
+       domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
+       poll.o rrfilter.o edns0.o arp.o

 hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
       dns-protocol.h radv-protocol.h ip6addr.h
--- a/bld/Android.mk
+++ b/bld/Android.mk
@@ -10,7 +10,7 @@ LOCAL_SRC_FILES :=  bpf.c cache.c dbus.c dhcp.c dnsmasq.c \
 		    dhcp6.c rfc3315.c dhcp-common.c outpacket.c \
 		    radv.c slaac.c auth.c ipset.c domain.c \
 	            dnssec.c dnssec-openssl.c blockdata.c tables.c \
-		    loop.c inotify.c
+		    loop.c inotify.c poll.c rrfilter.c edns0.c arp.c

 LOCAL_MODULE := dnsmasq

--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,29 @@
+dnsmasq (2.76-1) unstable; urgency=low
+
+   * New upstream. (closes: #798586)
+   * Use /run/dnsmasq directly, rather than relying on link from /var/run
+     to avoid problems before /var is mounted. (closes: #800351)
+	
+ -- Simon Kelley <simon@thekelleys.org.uk>  Thur, 10 Sep 2015 23:07:21 +0000
+
+dnsmasq (2.75-1) unstable; urgency=low
+
+   * New upstream. (closes: #794095)
+	
+ -- Simon Kelley <simon@thekelleys.org.uk>  Thur, 30 Jul 2015 20:58:31 +0000
+
+dnsmasq (2.74-1) unstable; urgency=low
+
+   * New upstream. (LP: #1468611)
+	
+ -- Simon Kelley <simon@thekelleys.org.uk>  Wed, 15 Jul 2015 21:54:11 +0000
+
+dnsmasq (2.73-2) unstable; urgency=low
+
+   * Fix behaviour of empty --conf-file (closes: #790341)
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Thu, 7 Jul 2015 21:46:42 +0000
+
 dnsmasq (2.73-1) unstable; urgency=low

   * New upstream. (closes: #786996)
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+dnsmasq is Copyright (c) 2000-2016 Simon Kelley

 It was downloaded from: http://www.thekelleys.org.uk/dnsmasq/

--- a/debian/dnsmasq-base.postinst
+++ b/debian/dnsmasq-base.postinst
@@ -17,8 +17,8 @@ if [ "$1" = "configure" ]; then
  # dnsmasq-base, but it's much easier to create it here so that
  # we don't have synchronisation issues with the creation of the
  # dnsmasq user. 
-  if [ ! -d /var/run/dnsmasq ]; then
-    mkdir /var/run/dnsmasq
-    chown dnsmasq:nogroup /var/run/dnsmasq
+  if [ ! -d /run/dnsmasq ]; then
+    mkdir /run/dnsmasq
+    chown dnsmasq:nogroup /run/dnsmasq
  fi
 fi
--- a/debian/dnsmasq-base.postrm
+++ b/debian/dnsmasq-base.postrm
@@ -7,5 +7,5 @@ if [ purge = "$1" ]; then
  else
     echo >&2 "not removing dnsmasq system account because deluser command was not found"
  fi
-  rm -rf /var/run/dnsmasq
+  rm -rf /run/dnsmasq
 fi
--- a/debian/init
+++ b/debian/init
@@ -81,7 +81,7 @@ if [ ! "$RESOLV_CONF" ] &&
   [ "$IGNORE_RESOLVCONF" != "yes" ] &&
   [ -x /sbin/resolvconf ]
 then
-	RESOLV_CONF=/var/run/dnsmasq/resolv.conf
+	RESOLV_CONF=/run/dnsmasq/resolv.conf
 fi

 for INTERFACE in $DNSMASQ_INTERFACE; do
@@ -121,16 +121,16 @@ start()
 	#   1 if daemon was already running
 	#   2 if daemon could not be started

-        # /var/run may be volatile, so we need to ensure that
-        # /var/run/dnsmasq exists here as well as in postinst
-        if [ ! -d /var/run/dnsmasq ]; then
-           mkdir /var/run/dnsmasq || return 2
-           chown dnsmasq:nogroup /var/run/dnsmasq || return 2
+        # /run may be volatile, so we need to ensure that
+        # /run/dnsmasq exists here as well as in postinst
+        if [ ! -d /run/dnsmasq ]; then
+           mkdir /run/dnsmasq || return 2
+           chown dnsmasq:nogroup /run/dnsmasq || return 2
        fi

-	start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null || return 1
-	start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON -- \
-		-x /var/run/dnsmasq/$NAME.pid \
+	start-stop-daemon --start --quiet --pidfile /run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null || return 1
+	start-stop-daemon --start --quiet --pidfile /run/dnsmasq/$NAME.pid --exec $DAEMON -- \
+		-x /run/dnsmasq/$NAME.pid \
 	        ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \
 		${MAILTARGET:+ -t $MAILTARGET} \
 		${DNSMASQ_USER:+ -u $DNSMASQ_USER} \
@@ -167,7 +167,7 @@ stop()
 	#   1 if daemon was already stopped
 	#   2 if daemon could not be stopped
 	#   other if a failure occurred
-	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /var/run/dnsmasq/$NAME.pid --name $NAME
+	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /run/dnsmasq/$NAME.pid --name $NAME
 }

 stop_resolvconf()
@@ -185,9 +185,9 @@ status()
 	#   1 if daemon is dead and pid file exists
 	#   3 if daemon is not running
 	#   4 if daemon status is unknown
-	start-stop-daemon --start --quiet --pidfile /var/run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null
+	start-stop-daemon --start --quiet --pidfile /run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null
 	case "$?" in
-		0) [ -e "/var/run/dnsmasq/$NAME.pid" ] && return 1 ; return 3 ;;
+		0) [ -e "/run/dnsmasq/$NAME.pid" ] && return 1 ; return 3 ;;
 		1) return 0 ;;
 		*) return 4 ;;
 	esac
@@ -278,7 +278,7 @@ case "$1" in
 	esac
 	;;
  dump-stats)
-        kill -s USR1 `cat /var/run/dnsmasq/$NAME.pid`
+        kill -s USR1 `cat /run/dnsmasq/$NAME.pid`
 	;;
  systemd-start-resolvconf)
 	start_resolvconf
@@ -287,13 +287,13 @@ case "$1" in
 	stop_resolvconf
 	;;
  systemd-exec)
-# /var/run may be volatile, so we need to ensure that
-        # /var/run/dnsmasq exists here as well as in postinst
-        if [ ! -d /var/run/dnsmasq ]; then
-           mkdir /var/run/dnsmasq || return 2
-           chown dnsmasq:nogroup /var/run/dnsmasq || return 2
+# /run may be volatile, so we need to ensure that
+        # /run/dnsmasq exists here as well as in postinst
+        if [ ! -d /run/dnsmasq ]; then
+           mkdir /run/dnsmasq || return 2
+           chown dnsmasq:nogroup /run/dnsmasq || return 2
        fi
-	exec $DAEMON -x /var/run/dnsmasq/$NAME.pid \
+	exec $DAEMON -x /run/dnsmasq/$NAME.pid \
 	    ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \
 	    ${MAILTARGET:+ -t $MAILTARGET} \
 	    ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \
--- a/debian/postinst
+++ b/debian/postinst
@@ -21,7 +21,7 @@ if [ -x /etc/init.d/dnsmasq ]; then
   update-rc.d dnsmasq defaults 15 85 >/dev/null

   if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
-      if [ -e /var/run/dnsmasq/dnsmasq.pid ]; then
+      if [ -e /run/dnsmasq/dnsmasq.pid ]; then
          ACTION=restart
      else
          ACTION=start
--- a/debian/resolvconf
+++ b/debian/resolvconf
@@ -13,7 +13,7 @@

 set -e

-RUN_DIR="/var/run/dnsmasq"
+RUN_DIR="/run/dnsmasq"
 RSLVRLIST_FILE="${RUN_DIR}/resolv.conf"
 TMP_FILE="${RSLVRLIST_FILE}_new.$$"
 MY_NAME_FOR_RESOLVCONF="dnsmasq"
--- a/debian/rules
+++ b/debian/rules
@@ -134,7 +134,6 @@ binary-arch:	checkroot
 		-d debian/base/etc/dbus-1/system.d \
 	        -d debian/base/usr/share/doc/$(package) \
 		-d debian/base/usr/share/doc/$(package)/examples \
-	        -d debian/base/var/run \
 		-d debian/base/usr/share/$(package) \
 	        -d debian/base/var/lib/misc
 	make $(TARGET) PREFIX=/usr DESTDIR=`pwd`/debian/base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=gcc
--- a/debian/systemd.service
+++ b/debian/systemd.service
@@ -4,7 +4,7 @@ Requires=network.target

 [Service]
 Type=forking
-PIDFile=/var/run/dnsmasq/dnsmasq.pid
+PIDFile=/run/dnsmasq/dnsmasq.pid

 # Test the config file and refuse starting if it is not valid.
 ExecStartPre=/usr/sbin/dnsmasq --test
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -60,7 +60,7 @@ in the same way as for DHCP-derived names. Note that this does not
 apply to domain names in cnames, PTR records, TXT records etc.
 .TP
 .B \-T, --local-ttl=<time>
-When replying with information from /etc/hosts or the DHCP leases
+When replying with information from /etc/hosts or configuration or the DHCP leases
 file dnsmasq by default sets the time-to-live field to zero, meaning
 that the requester should not itself cache the information. This is
 the correct thing to do in almost all situations. This option allows a
@@ -68,6 +68,9 @@ time-to-live (in seconds) to be given for these replies. This will
 reduce the load on the server at the expense of clients using stale
 data under some circumstances.
 .TP
+.B --dhcp-ttl=<time>
+As for --local-ttl, but affects only replies with information from DHCP leases. If both are given, --dhcp-ttl applies for DHCP information, and --local-ttl for others. Setting this to zero eliminates the effect of --local-ttl for DHCP.
+.TP
 .B --neg-ttl=<time>
 Negative replies from upstream servers normally contain time-to-live
 information in SOA records which dnsmasq uses for caching. If the
@@ -174,6 +177,13 @@ queries. Dnsmasq picks random ports as source for outbound queries:
 when this option is given, the ports used will always to larger
 than that specified. Useful for systems behind firewalls. 
 .TP
+.B --max-port=<port>
+Use ports lower than that given as source for outbound DNS queries.
+Dnsmasq picks random ports as source for outbound queries:
+when this option is given, the ports used will always be lower
+than that specified. Useful for systems behind firewalls.
+.TP
+
 .B \-i, --interface=<interface name>
 Listen only on the specified interface(s). Dnsmasq automatically adds
 the loopback (local) interface to the list of interfaces to use when
@@ -405,7 +415,10 @@ xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving  the flag
 .B -S /internal.thekelleys.org.uk/192.168.1.1 
 will send all queries for
 internal machines to that nameserver, everything else will go to the
-servers in /etc/resolv.conf. An empty domain specification,
+servers in /etc/resolv.conf. DNSSEC validation is turned off for such
+private nameservers, UNLESS a
+.B --trust-anchor
+is specified for the domain in question. An empty domain specification,
 .B // 
 has the special meaning of "unqualified names only" ie names without any
 dots in them. A non-standard port may be specified as 
@@ -519,7 +532,7 @@ zone files: the port, weight and priority numbers are in a different
 order. More than one SRV record for a given service/domain is allowed,
 all that match are returned.
 .TP
-.B --host-record=<name>[,<name>....],[<IPv4-address>],[<IPv6-address>]
+.B --host-record=<name>[,<name>....],[<IPv4-address>],[<IPv6-address>][,<TTL>]
 Add A, AAAA and PTR records to the DNS. This adds one or more names to
 the DNS with associated IPv4 (A) and IPv6 (AAAA) records. A name may
 appear in more than one 
@@ -536,6 +549,10 @@ is in effect. Short and long names may appear in the same
 .B host-record,
 eg. 
 .B --host-record=laptop,laptop.thekelleys.org,192.168.0.1,1234::100
+
+If the time-to-live is given, it overrides the default, which is zero
+or the value of --local-ttl. The value is a positive integer and gives 
+the time-to-live in seconds.
 .TP
 .B \-Y, --txt-record=<name>[[,<text>],<text>]
 Return a TXT DNS record. The value of TXT record is a set of strings,
@@ -549,7 +566,7 @@ Return a PTR DNS record.
 .B --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<regexp>[,<replacement>]
 Return an NAPTR DNS record, as specified in RFC3403.
 .TP
-.B --cname=<cname>,<target>
+.B --cname=<cname>,<target>[,<TTL>]
 Return a CNAME record which indicates that <cname> is really
 <target>. There are significant limitations on the target; it must be a
 DNS name which is known to dnsmasq from /etc/hosts (or additional
@@ -558,6 +575,10 @@ hosts files), from DHCP, from --interface-name or from another
 If the target does not satisfy this
 criteria, the whole cname is ignored. The cname must be unique, but it
 is permissable to have more than one cname pointing to the same target.
+
+If the time-to-live is given, it overrides the default, which is zero
+or the value of -local-ttl. The value is a positive integer and gives 
+the time-to-live in seconds.
 .TP
 .B --dns-rr=<name>,<RR-number>,[<hex data>]
 Return an arbitrary DNS Resource Record. The number is the type of the
@@ -594,7 +615,7 @@ configured a zero is added in front of the label. ::1 becomes 0--1.
 The address range can be of the form
 <ip address>,<ip address> or <ip address>/<netmask>
 .TP
-.B --add-mac
+.B --add-mac[=base64|text]
 Add the MAC address of the requestor to DNS queries which are
 forwarded upstream. This may be used to DNS filtering by the upstream
 server. The MAC address can only be added if the requestor is on the same
@@ -602,19 +623,34 @@ subnet as the dnsmasq server. Note that the mechanism used to achieve this (an E
 is not yet standardised, so this should be considered
 experimental. Also note that exposing MAC addresses in this way may
 have security and privacy implications. The warning about caching
-given for --add-subnet applies to --add-mac too.
+given for --add-subnet applies to --add-mac too. An alternative encoding of the 
+MAC, as base64, is enabled by adding the "base64" parameter and a human-readable encoding of hex-and-colons is enabled by added the "text" parameter.
+.TP
+.B --add-cpe-id=<string>
+Add a arbitrary identifying string to o DNS queries which are
+forwarded upstream.
 .TP 
-.B --add-subnet[[=<IPv4 prefix length>],<IPv6 prefix length>]
-Add the subnet address of the requestor to the DNS queries which are
-forwarded upstream. The amount of the address forwarded depends on the
-prefix length parameter: 32 (128 for IPv6) forwards the whole address,
-zero forwards none of it but still marks the request so that no
-upstream nameserver will add client address information either. The
-default is zero for both IPv4 and IPv6. Note that upstream nameservers
-may be configured to return different results based on this
-information, but the dnsmasq cache does not take account. If a dnsmasq
-instance is configured such that different results may be encountered,
-caching should be disabled.
+.B --add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 address>/]<IPv6 prefix length>]]
+Add a subnet address to the DNS queries which are forwarded
+upstream. If an address is specified in the flag, it will be used,
+otherwise, the address of the requestor will be used. The amount of
+the address forwarded depends on the prefix length parameter: 32 (128
+for IPv6) forwards the whole address, zero forwards none of it but
+still marks the request so that no upstream nameserver will add client
+address information either. The default is zero for both IPv4 and
+IPv6. Note that upstream nameservers may be configured to return
+different results based on this information, but the dnsmasq cache
+does not take account. If a dnsmasq instance is configured such that
+different results may be encountered, caching should be disabled.
+
+For example,
+.B --add-subnet=24,96
+will add the /24 and /96 subnets of the requestor for IPv4 and IPv6 requestors, respectively.
+.B --add-subnet=1.2.3.4/24
+will add 1.2.3.0/24 for IPv4 requestors and ::/0 for IPv6 requestors.
+.B --add-subnet=1.2.3.4/24,1.2.3.4/24
+will add 1.2.3.0/24 for both IPv4 and IPv6 requestors.
+
 .TP
 .B \-c, --cache-size=<cachesize>
 Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching.
@@ -654,7 +690,7 @@ Provide DS records to act a trust anchors for DNSSEC
 validation. Typically these will be the DS record(s) for Zone Signing
 key(s) of the root zone,
 but trust anchors for limited domains are also possible. The current
-root-zone trust anchors may be donwloaded from https://data.iana.org/root-anchors/root-anchors.xml 
+root-zone trust anchors may be downloaded from https://data.iana.org/root-anchors/root-anchors.xml 
 .TP
 .B --dnssec-check-unsigned
 As a default, dnsmasq does not check that unsigned DNS replies are
@@ -747,7 +783,7 @@ compiled in and the kernel must have conntrack support
 included and configured. This option cannot be combined with
 --query-port. 
 .TP
-.B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-addr>][,<mode>][,<netmask>[,<broadcast>]][,<lease time>]
+.B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-addr>|<mode>][,<netmask>[,<broadcast>]][,<lease time>]
 .TP
 .B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-IPv6addr>[,<end-IPv6addr>|constructor:<interface>][,<mode>][,<prefix-len>][,<lease time>]

@@ -1523,11 +1559,11 @@ At dnsmasq startup, the script will be invoked for
 all existing leases as they are read from the lease file. Expired
 leases will be called with "del" and others with "old". When dnsmasq
 receives a HUP signal, the script will be invoked for existing leases
-with an "old " event.
+with an "old" event.


-There are two further actions which may appear as the first argument
-to the script, "init" and "tftp". More may be added in the future, so
+There are four further actions which may appear as the first argument
+to the script, "init", "arp-add", "arp-del" and "tftp". More may be added in the future, so
 scripts should be written to ignore unknown actions. "init" is
 described below in 
 .B --leasefile-ro
@@ -1535,6 +1571,11 @@ The "tftp" action is invoked when a TFTP file transfer completes: the
 arguments are the file size in bytes, the address to which the file
 was sent, and the complete pathname of the file.
 
+The "arp-add" and "arp-del" actions are only called if enabled with
+.B --script-arp
+They are are supplied with a MAC address and IP address as arguments. "arp-add" indicates
+the arrival of a new entry in the ARP or neighbour table, and "arp-del" indicates the deletion of same.
+
 .TP
 .B --dhcp-luascript=<path>
 Specify a script written in Lua, to be run when leases are created,
@@ -1581,10 +1622,24 @@ table holds the tags
 .B file_name
 and 
 .B file_size.
+
+The 
+.B arp
+and
+.B arp-old
+functions are called only when enabled with
+.B --script-arp
+and have a table which holds the tags
+.B mac_addres
+and
+.B client_address.
 .TP
 .B --dhcp-scriptuser
 Specify the user as which to run the lease-change script or Lua script. This defaults to root, but can be changed to another user using this flag. 
-.TP 
+.TP
+.B --script-arp
+Enable the "arp" and "arp-old" functions in the dhcp-script and dhcp-luascript.
+.TP
 .B \-9, --leasefile-ro
 Completely suppress use of the lease database file. The file will not
 be created, read, or written. Change the way the lease-change
@@ -1677,15 +1732,15 @@ creation are handled by a different protocol. When DHCP is in use,
 only a subset of this is needed, and dnsmasq can handle it, using
 existing DHCP configuration to provide most data. When RA is enabled,
 dnsmasq will advertise a prefix for each dhcp-range, with default
-router and recursive DNS server as the relevant link-local address on 
-the machine running dnsmasq. By default, he "managed address" bits are set, and
+router  as the relevant link-local address on 
+the machine running dnsmasq. By default, the "managed address" bits are set, and
 the "use SLAAC" bit is reset. This can be changed for individual
 subnets with the mode keywords described in
 .B --dhcp-range.
 RFC6106 DNS parameters are included in the advertisements. By default,
 the relevant link-local address of the machine running dnsmasq is sent
 as recursive DNS server. If provided, the DHCPv6 options dns-server and
-domain-search are used for RDNSS and DNSSL.
+domain-search are used for the DNS server (RDNSS) and the domain serach list (DNSSL).
 .TP
 .B --ra-param=<interface>,[high|low],[[<ra-interval>],<router lifetime>]
 Set non-default values for router advertisements sent via an
@@ -1755,6 +1810,10 @@ require about (2*n) + 10 descriptors. If
 .B --tftp-port-range
 is given, that can affect the number of concurrent connections.
 .TP
+.B --tftp-mtu=<mtu size>
+Use size as the ceiling of the MTU supported by the intervening network when 
+negotiating TFTP blocksize, overriding the MTU setting of the local interface  if it is larger.
+.TP
 .B --tftp-no-blocksize
 Stop the TFTP server from negotiating the "blocksize" option with a
 client. Some buggy clients request this option but then behave badly
--- a/po/de.po
+++ b/po/de.po
@@ -9,10 +9,10 @@
 # Simon Kelley <simon@thekelleys.org.uk>, 2005.
 msgid ""
 msgstr ""
-"Project-Id-Version: dnsmasq 2.73\n"
+"Project-Id-Version: dnsmasq 2.74\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2009-06-18 12:24+0100\n"
-"PO-Revision-Date: 2015-01-19 15:43+0100\n"
+"PO-Revision-Date: 2015-07-22 23:07+0200\n"
 "Last-Translator: Conrad Kostecki <ck@conrad-kostecki.de>\n"
 "Language-Team: German <de@li.org>\n"
 "Language: de\n"
@@ -20,7 +20,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Poedit 1.7.3\n"
+"X-Generator: Poedit 1.8.3\n"
 "X-Poedit-SourceCharset: UTF-8\n"

 #: cache.c:523
@@ -191,14 +191,12 @@ msgid "Read DHCP option specs from file."
 msgstr "DHCP-Optionen aus Datei lesen."

 #: option.c:348
-#, fuzzy
 msgid "Read DHCP host specs from a directory."
-msgstr "DHCP-Host-Angaben aus Datei lesen."
+msgstr "DHCP-Host-Angaben aus einem Verzeichnis lesen."

 #: option.c:349
-#, fuzzy
 msgid "Read DHCP options from a directory."
-msgstr "DHCP-Optionen aus Datei lesen."
+msgstr "DHCP-Optionen aus einem Verzeichnis lesen."

 #: option.c:350
 msgid "Evaluate conditional tag expression."
@@ -215,9 +213,8 @@ msgid "Specify a hosts file to be read in addition to %s."
 msgstr "Hosts-Datei festlegen, die zusätzlich zu %s gelesen wird."

 #: option.c:353
-#, fuzzy
 msgid "Read hosts files from a directory."
-msgstr "DHCP-Host-Angaben aus Datei lesen."
+msgstr "DHCP-Host-Dateien aus einem Verzeichnis lesen."

 #: option.c:354
 msgid "Specify interface(s) to listen on."
@@ -361,14 +358,12 @@ msgid "Specify time-to-live in seconds for maximum TTL to send to clients."
 msgstr "Gültigkeitsdauer in Sekunden für Caching negativer Ergebnisse festlegen."

 #: option.c:388
-#, fuzzy
 msgid "Specify time-to-live ceiling for cache."
-msgstr "Gültigkeitsdauer in Sekunden für Caching negativer Ergebnisse festlegen."
+msgstr "Spezifiziere time-to-live ceiling für Cache."

 #: option.c:389
-#, fuzzy
 msgid "Specify time-to-live floor for cache."
-msgstr "Gültigkeitsdauer in Sekunden für Caching negativer Ergebnisse festlegen."
+msgstr "Spezifiziere time-to-live floor für Cache."

 #: option.c:390
 #, c-format
@@ -514,7 +509,7 @@ msgstr "Zugriff nur auf Dateien gestatten, die dem dnsmasq aufrufenden Benutzer

 #: option.c:424
 msgid "Do not terminate the service if TFTP directories are inaccessible."
-msgstr ""
+msgstr "Der Dienst sollte nicht beendet werden, wenn die TFTP-Verzeichnisse nicht zugreifbar sind."

 #: option.c:425
 #, c-format
@@ -704,7 +699,7 @@ msgstr "DNSSEC Signatur-Zeitstempel nicht prüfen, bis erstmalig der Cache neuge

 #: option.c:471
 msgid "Timestamp file to verify system clock for DNSSEC"
-msgstr ""
+msgstr "Zeitstempel-Datei für die Verifizierung der Systemuhrzeit für DNSSEC"

 #: option.c:473
 msgid "Specify DHCPv6 prefix class"
@@ -736,7 +731,7 @@ msgstr "Erkennen und Entfernen von DNS-Weiterleitungsschleifen"

 #: option.c:481
 msgid "Ignore DNS responses containing ipaddr."
-msgstr ""
+msgstr "Ignoriere DNS-Antworten, welche ipaddr enthalten."

 #: option.c:683
 #, c-format
@@ -1237,15 +1232,13 @@ msgstr "Benutze Namensserver %s#%d"

 #: dnsmasq.c:163
 msgid "dhcp-hostsdir, dhcp-optsdir and hostsdir are not supported on this platform"
-msgstr ""
+msgstr "dhcp-hostsdir, dhcp-optsdir und hostsdir sind auf dieser Plattform nicht unterstüzt"

 #: dnsmasq.c:170
-#, fuzzy
 msgid "no trust anchors provided for DNSSEC"
 msgstr "Keine Vertrauensursprünge (Trust Anchor) für DNSSEC verfügbar"

 #: dnsmasq.c:173
-#, fuzzy
 msgid "cannot reduce cache size from default when DNSSEC enabled"
 msgstr "Kann die Standard Cachegröße nicht verkleinern, wenn DNSSEC aktiviert ist"

@@ -1258,14 +1251,12 @@ msgid "TFTP server not available: set HAVE_TFTP in src/config.h"
 msgstr "TFTP-Server nicht verfügbar, setzen Sie HAVE_TFTP in src/config.h"

 #: dnsmasq.c:186
-#, fuzzy
 msgid "cannot use --conntrack AND --query-port"
 msgstr "Kann nicht --conntrack UND --query-port einsetzen"

 #: dnsmasq.c:189
-#, fuzzy
 msgid "conntrack support not available: set HAVE_CONNTRACK in src/config.h"
-msgstr "Conntrack-Unterstützung nicht verfügbar: setze HAVE_CONNTRACK in src/config.h"
+msgstr "Conntrack-Unterstützung nicht verfügbar: Aktiviere HAVE_CONNTRACK in src/config.h"

 #: dnsmasq.c:194
 msgid "asychronous logging is not available under Solaris"
@@ -1280,9 +1271,8 @@ msgid "authoritative DNS not available: set HAVE_AUTH in src/config.h"
 msgstr "Authoritatives DNS nicht verfügbar: Es muss HAVE_AUTH in src/config.h gesetzt sein"

 #: dnsmasq.c:209
-#, fuzzy
 msgid "loop detection not available: set HAVE_LOOP in src/config.h"
-msgstr "Loop-Erkennung nicht verfügbar, setzen Sie HAVE_LOOP in src/config.h"
+msgstr "Loop-Erkennung nicht verfügbar, Aktiviere HAVE_LOOP in src/config.h"

 #: dnsmasq.c:217
 msgid "zone serial must be configured in --auth-soa"
@@ -1367,9 +1357,8 @@ msgid "DNSSEC signature timestamps not checked until first cache reload"
 msgstr "DNSSEC Signatur-Zeitstempel werden erst ab dem ersten Neuladen des Caches überprüft"

 #: dnsmasq.c:733
-#, fuzzy
 msgid "DNSSEC signature timestamps not checked until system time valid"
-msgstr "DNSSEC Signatur-Zeitstempel werden erst ab dem ersten Neuladen des Caches überprüft"
+msgstr "DNSSEC Signatur-Zeitstempel werden erst überprüft, sobald die Systemuhrzeit gültig ist"

 #: dnsmasq.c:738
 #, c-format
@@ -1423,12 +1412,12 @@ msgstr "sicherer Modus"
 #: dnsmasq.c:813
 #, c-format
 msgid "warning: %s inaccessible"
-msgstr ""
+msgstr "Warnung: %s nicht zugreifbar"

 #: dnsmasq.c:817
-#, fuzzy, c-format
+#, c-format
 msgid "warning: TFTP directory %s inaccessible"
-msgstr "Das TFTP-Verzeichnis %s ist nicht zugreifbar: %s"
+msgstr "Warnung: Das TFTP-Verzeichnis %s ist nicht zugreifbar"

 #: dnsmasq.c:843
 #, c-format
@@ -1485,9 +1474,9 @@ msgid "TFTP directory %s inaccessible: %s"
 msgstr "Das TFTP-Verzeichnis %s ist nicht zugreifbar: %s"

 #: dnsmasq.c:1216
-#, fuzzy, c-format
+#, c-format
 msgid "cannot create timestamp file %s: %s"
-msgstr "kann Lease-Datei %s nicht öffnen: %s"
+msgstr "Kann keine timestamp-Datei %s erzeugen: %s "

 #: dnsmasq.c:1237
 msgid "now checking DNSSEC signature timestamps"
@@ -1806,12 +1795,12 @@ msgstr "Versuch, via DBus eine IPv6-Serveradresse zu setzen: keine IPv6-Unterst
 #: dbus.c:439
 #, c-format
 msgid "Enabling --%s option from D-Bus"
-msgstr ""
+msgstr "Aktiviere --%s Option von D-Bus"

 #: dbus.c:444
 #, c-format
 msgid "Disabling --%s option from D-Bus"
-msgstr ""
+msgstr "Deaktiviere --%s Option von D-Bus"

 #: dbus.c:691
 msgid "setting upstream servers from DBus"
@@ -2087,9 +2076,9 @@ msgid "failed to create IPset control socket: %s"
 msgstr "konnte IPset-Kontroll-Socket nicht erzeugen: %s"

 #: dnssec.c:449 dnssec.c:493
-#, fuzzy, c-format
+#, c-format
 msgid "failed to update mtime on %s: %s"
-msgstr "kann die Prozessidentifikations-(PID)-Datei %s nicht öffnen: %s"
+msgstr "kann die mtime nicht auf %s aktualisieren: %s"

 #: blockdata.c:58
 #, c-format
@@ -2140,34 +2129,34 @@ msgid "%d addresses %s"
 msgstr "%d Adressen %s"

 #: inotify.c:46
-#, fuzzy, c-format
+#, c-format
 msgid "failed to create inotify: %s"
-msgstr "kann Helfer nicht erzeugen: %s"
+msgstr "Kann kein inotify erzeugen: %s"

 #: inotify.c:60
-#, fuzzy, c-format
+#, c-format
 msgid "cannot cannonicalise resolv-file %s: %s"
-msgstr "kann Lease-Datei %s nicht öffnen: %s"
+msgstr "Kann die resolv-file %s nicht kanonisieren: %s"

 #: inotify.c:72
 #, c-format
 msgid "directory %s for resolv-file is missing, cannot poll"
-msgstr ""
+msgstr "Verzeichnis %s für resolv-file fehlt, kann nicht pollen"

 #: inotify.c:75 inotify.c:112
-#, fuzzy, c-format
+#, c-format
 msgid "failed to create inotify for %s: %s"
-msgstr "Konnte Empfangs-Socket für %s: %s nicht erzeugen"
+msgstr "Konnte inotify für %s: %s nicht erzeugen"

 #: inotify.c:97
-#, fuzzy, c-format
+#, c-format
 msgid "bad dynamic directory %s: %s"
-msgstr "Kann auf Verzeichnis %s nicht zugreifen: %s"
+msgstr "fehlerhaftes dynamisches Verzeichnis %s: %s"

 #: inotify.c:197
 #, c-format
 msgid "inotify, new or changed file %s"
-msgstr ""
+msgstr "inotify, neue oder geänderte Datei %s"

 #~ msgid "no interface with address %s"
 #~ msgstr "keine Schnittstelle mit Adresse %s"
--- a/po/es.po
+++ b/po/es.po
@@ -1129,35 +1129,35 @@ msgstr "pruebe -w"
 msgid "bad command line options: %s"
 msgstr "opciones de línea de comandos erróneas: %s"

-#: option.c:4544
+#: option.c:4541
 #, c-format
 msgid "cannot get host-name: %s"
 msgstr "no se puede obtener host-name (nombre de host): %s"

-#: option.c:4572
+#: option.c:4569
 msgid "only one resolv.conf file allowed in no-poll mode."
 msgstr "solo un archivo resolv.conf está permitido en modo no-poll."

-#: option.c:4582
+#: option.c:4579
 msgid "must have exactly one resolv.conf to read domain from."
 msgstr "debe haber exáctamente un resolv.conf desde donde leer dominio."

-#: option.c:4585 network.c:1507 dhcp.c:777
+#: option.c:4582 network.c:1507 dhcp.c:777
 #, fuzzy, c-format
 msgid "failed to read %s: %s"
 msgstr "no se pudo leer %s: %s"

-#: option.c:4602
+#: option.c:4599
 #, c-format
 msgid "no search directive found in %s"
 msgstr "ninguna directiva de búsqueda encontrada en %s"

-#: option.c:4623
+#: option.c:4620
 #, fuzzy
 msgid "there must be a default domain when --dhcp-fqdn is set"
 msgstr "debe haber un dominio predeterminado cuando --dhcp-fqdn está fijado"

-#: option.c:4632
+#: option.c:4629
 msgid "syntax check OK"
 msgstr "revisión de sintaxis OK"

@@ -1180,11 +1180,11 @@ msgstr "servidor DNS %s rechaz
 msgid "possible DNS-rebind attack detected: %s"
 msgstr "posible ataque de revinculación DNS detectado"

-#: forward.c:1209 forward.c:1785
+#: forward.c:1209 forward.c:1815
 msgid "Ignoring query from non-local network"
 msgstr ""

-#: forward.c:2256
+#: forward.c:2286
 #, fuzzy, c-format
 msgid "Maximum number of concurrent DNS queries reached (max: %d)"
 msgstr "Número máximo de búsquedas DNS simultáneas alcanzado. (%s por predeterminado)"
@@ -1348,7 +1348,7 @@ msgstr "no se pudo encontrar lista de interfases: %s"
 msgid "unknown interface %s"
 msgstr "interfase desconocida %s"

-#: dnsmasq.c:354 dnsmasq.c:1037
+#: dnsmasq.c:354 dnsmasq.c:997
 #, c-format
 msgid "DBus error: %s"
 msgstr "error DBus: %s"
@@ -1448,122 +1448,122 @@ msgstr "Anuncio de router IPv6 habilitado"
 msgid "DHCP, sockets bound exclusively to interface %s"
 msgstr ""

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 msgid "root is "
 msgstr "root está "

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 #, fuzzy
 msgid "enabled"
 msgstr "habilitado"

-#: dnsmasq.c:810
+#: dnsmasq.c:806
 msgid "secure mode"
 msgstr "modo seguro"

-#: dnsmasq.c:813
+#: dnsmasq.c:809
 #, c-format
 msgid "warning: %s inaccessible"
 msgstr ""

-#: dnsmasq.c:817
+#: dnsmasq.c:813
 #, fuzzy, c-format
 msgid "warning: TFTP directory %s inaccessible"
 msgstr "directorio TFTP % inaccesible: %s"

-#: dnsmasq.c:843
+#: dnsmasq.c:839
 #, c-format
 msgid "restricting maximum simultaneous TFTP transfers to %d"
 msgstr "limitando número máximo de transferencias TFTP simultáneas a %d"

-#: dnsmasq.c:1039
+#: dnsmasq.c:999
 msgid "connected to system DBus"
 msgstr "conectado a DBus de sistema"

-#: dnsmasq.c:1189
+#: dnsmasq.c:1149
 #, c-format
 msgid "cannot fork into background: %s"
 msgstr "no se puede hacer fork en background: %s"

-#: dnsmasq.c:1192
+#: dnsmasq.c:1152
 #, fuzzy, c-format
 msgid "failed to create helper: %s"
 msgstr "no se pudo crear ayudante: %s"

-#: dnsmasq.c:1195
+#: dnsmasq.c:1155
 #, fuzzy, c-format
 msgid "setting capabilities failed: %s"
 msgstr "configuración de capacidades ha fallado: %s"

-#: dnsmasq.c:1198
+#: dnsmasq.c:1158
 #, fuzzy, c-format
 msgid "failed to change user-id to %s: %s"
 msgstr "no se pudo cambiar user-id a %s: %s"

-#: dnsmasq.c:1201
+#: dnsmasq.c:1161
 #, fuzzy, c-format
 msgid "failed to change group-id to %s: %s"
 msgstr "no se pudo cambiar group-id a %s: %s"

-#: dnsmasq.c:1204
+#: dnsmasq.c:1164
 #, fuzzy, c-format
 msgid "failed to open pidfile %s: %s"
 msgstr "no se pudo abrir archivo PID %s: %s"

-#: dnsmasq.c:1207
+#: dnsmasq.c:1167
 #, fuzzy, c-format
 msgid "cannot open log %s: %s"
 msgstr "no se puede abrir registro %s: %s"

-#: dnsmasq.c:1210
+#: dnsmasq.c:1170
 #, fuzzy, c-format
 msgid "failed to load Lua script: %s"
 msgstr "no se pudo cargar script Lua %s: %s"

-#: dnsmasq.c:1213
+#: dnsmasq.c:1173
 #, c-format
 msgid "TFTP directory %s inaccessible: %s"
 msgstr "directorio TFTP % inaccesible: %s"

-#: dnsmasq.c:1216
+#: dnsmasq.c:1176
 #, fuzzy, c-format
 msgid "cannot create timestamp file %s: %s"
 msgstr "no se puede abrir o crear archivo de concesión %s: %s"

-#: dnsmasq.c:1237
+#: dnsmasq.c:1197
 msgid "now checking DNSSEC signature timestamps"
 msgstr ""

-#: dnsmasq.c:1304
+#: dnsmasq.c:1264
 #, fuzzy, c-format
 msgid "script process killed by signal %d"
 msgstr "proceso script eliminado por señal %d"

-#: dnsmasq.c:1308
+#: dnsmasq.c:1268
 #, fuzzy, c-format
 msgid "script process exited with status %d"
 msgstr "proceso script salió con con estado %d"

-#: dnsmasq.c:1312
+#: dnsmasq.c:1272
 #, fuzzy, c-format
 msgid "failed to execute %s: %s"
 msgstr "no se pudo ejecutar %s: %s"

-#: dnsmasq.c:1367
+#: dnsmasq.c:1327
 msgid "exiting on receipt of SIGTERM"
 msgstr "saliendo al recibir SIGTERM"

-#: dnsmasq.c:1395
+#: dnsmasq.c:1355
 #, fuzzy, c-format
 msgid "failed to access %s: %s"
 msgstr "no se pudo acceder %s: %s"

-#: dnsmasq.c:1425
+#: dnsmasq.c:1385
 #, c-format
 msgid "reading %s"
 msgstr "leyendo %s"

-#: dnsmasq.c:1436
+#: dnsmasq.c:1396
 #, fuzzy, c-format
 msgid "no servers found in %s, will retry"
 msgstr "ningún servidor encontrado en %s, se reintentará"
@@ -1918,7 +1918,7 @@ msgstr "desbordamiento: %d entradas de registro perdidas"
 msgid "log failed: %s"
 msgstr "registro falló: %s"

-#: log.c:472
+#: log.c:469
 msgid "FAILED to start up"
 msgstr "el inicio ha FALLADO"

@@ -2177,36 +2177,45 @@ msgstr ""
 msgid "%d addresses %s"
 msgstr "dirección IP errónea"

-#: inotify.c:46
+#: inotify.c:59
+#, fuzzy, c-format
+msgid "cannot access path %s: %s"
+msgstr "no se puede acceder %s: %s"
+
+#: inotify.c:92
 #, fuzzy, c-format
 msgid "failed to create inotify: %s"
 msgstr "no se pudo crear ayudante: %s"

-#: inotify.c:60
-#, fuzzy, c-format
-msgid "cannot cannonicalise resolv-file %s: %s"
-msgstr "no se puede abrir o crear archivo de concesión %s: %s"
+#: inotify.c:105
+#, c-format
+msgid "too many symlinks following %s"
+msgstr ""

-#: inotify.c:72
+#: inotify.c:121
 #, c-format
 msgid "directory %s for resolv-file is missing, cannot poll"
 msgstr ""

-#: inotify.c:75 inotify.c:112
+#: inotify.c:125 inotify.c:162
 #, fuzzy, c-format
 msgid "failed to create inotify for %s: %s"
 msgstr "no se pudo crear un zócalo de escucha: %s"

-#: inotify.c:97
+#: inotify.c:147
 #, fuzzy, c-format
 msgid "bad dynamic directory %s: %s"
 msgstr "no se puede acceder a directorio %s: %s"

-#: inotify.c:197
+#: inotify.c:247
 #, c-format
 msgid "inotify, new or changed file %s"
 msgstr ""

+#, fuzzy
+#~ msgid "cannot cannonicalise resolv-file %s: %s"
+#~ msgstr "no se puede abrir o crear archivo de concesión %s: %s"
+
 #~ msgid "no interface with address %s"
 #~ msgstr "ninguna interfase con dirección %s"

--- a/po/fi.po
+++ b/po/fi.po
@@ -1068,34 +1068,34 @@ msgstr ""
 msgid "bad command line options: %s"
 msgstr ""

-#: option.c:4544
+#: option.c:4541
 #, c-format
 msgid "cannot get host-name: %s"
 msgstr ""

-#: option.c:4572
+#: option.c:4569
 msgid "only one resolv.conf file allowed in no-poll mode."
 msgstr ""

-#: option.c:4582
+#: option.c:4579
 msgid "must have exactly one resolv.conf to read domain from."
 msgstr ""

-#: option.c:4585 network.c:1507 dhcp.c:777
+#: option.c:4582 network.c:1507 dhcp.c:777
 #, c-format
 msgid "failed to read %s: %s"
 msgstr ""

-#: option.c:4602
+#: option.c:4599
 #, c-format
 msgid "no search directive found in %s"
 msgstr ""

-#: option.c:4623
+#: option.c:4620
 msgid "there must be a default domain when --dhcp-fqdn is set"
 msgstr ""

-#: option.c:4632
+#: option.c:4629
 msgid "syntax check OK"
 msgstr ""

@@ -1118,11 +1118,11 @@ msgstr ""
 msgid "possible DNS-rebind attack detected: %s"
 msgstr ""

-#: forward.c:1209 forward.c:1785
+#: forward.c:1209 forward.c:1815
 msgid "Ignoring query from non-local network"
 msgstr ""

-#: forward.c:2256
+#: forward.c:2286
 #, c-format
 msgid "Maximum number of concurrent DNS queries reached (max: %d)"
 msgstr ""
@@ -1278,7 +1278,7 @@ msgstr ""
 msgid "unknown interface %s"
 msgstr ""

-#: dnsmasq.c:354 dnsmasq.c:1037
+#: dnsmasq.c:354 dnsmasq.c:997
 #, c-format
 msgid "DBus error: %s"
 msgstr ""
@@ -1377,121 +1377,121 @@ msgstr ""
 msgid "DHCP, sockets bound exclusively to interface %s"
 msgstr ""

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 msgid "root is "
 msgstr ""

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 msgid "enabled"
 msgstr ""

-#: dnsmasq.c:810
+#: dnsmasq.c:806
 msgid "secure mode"
 msgstr ""

-#: dnsmasq.c:813
+#: dnsmasq.c:809
 #, c-format
 msgid "warning: %s inaccessible"
 msgstr ""

-#: dnsmasq.c:817
+#: dnsmasq.c:813
 #, c-format
 msgid "warning: TFTP directory %s inaccessible"
 msgstr ""

-#: dnsmasq.c:843
+#: dnsmasq.c:839
 #, c-format
 msgid "restricting maximum simultaneous TFTP transfers to %d"
 msgstr ""

-#: dnsmasq.c:1039
+#: dnsmasq.c:999
 msgid "connected to system DBus"
 msgstr ""

-#: dnsmasq.c:1189
+#: dnsmasq.c:1149
 #, c-format
 msgid "cannot fork into background: %s"
 msgstr ""

-#: dnsmasq.c:1192
+#: dnsmasq.c:1152
 #, c-format
 msgid "failed to create helper: %s"
 msgstr ""

-#: dnsmasq.c:1195
+#: dnsmasq.c:1155
 #, c-format
 msgid "setting capabilities failed: %s"
 msgstr ""

-#: dnsmasq.c:1198
+#: dnsmasq.c:1158
 #, c-format
 msgid "failed to change user-id to %s: %s"
 msgstr ""

-#: dnsmasq.c:1201
+#: dnsmasq.c:1161
 #, c-format
 msgid "failed to change group-id to %s: %s"
 msgstr ""

-#: dnsmasq.c:1204
+#: dnsmasq.c:1164
 #, c-format
 msgid "failed to open pidfile %s: %s"
 msgstr ""

-#: dnsmasq.c:1207
+#: dnsmasq.c:1167
 #, c-format
 msgid "cannot open log %s: %s"
 msgstr ""

-#: dnsmasq.c:1210
+#: dnsmasq.c:1170
 #, c-format
 msgid "failed to load Lua script: %s"
 msgstr ""

-#: dnsmasq.c:1213
+#: dnsmasq.c:1173
 #, c-format
 msgid "TFTP directory %s inaccessible: %s"
 msgstr ""

-#: dnsmasq.c:1216
+#: dnsmasq.c:1176
 #, c-format
 msgid "cannot create timestamp file %s: %s"
 msgstr ""

-#: dnsmasq.c:1237
+#: dnsmasq.c:1197
 msgid "now checking DNSSEC signature timestamps"
 msgstr ""

-#: dnsmasq.c:1304
+#: dnsmasq.c:1264
 #, c-format
 msgid "script process killed by signal %d"
 msgstr ""

-#: dnsmasq.c:1308
+#: dnsmasq.c:1268
 #, c-format
 msgid "script process exited with status %d"
 msgstr ""

-#: dnsmasq.c:1312
+#: dnsmasq.c:1272
 #, c-format
 msgid "failed to execute %s: %s"
 msgstr ""

-#: dnsmasq.c:1367
+#: dnsmasq.c:1327
 msgid "exiting on receipt of SIGTERM"
 msgstr ""

-#: dnsmasq.c:1395
+#: dnsmasq.c:1355
 #, c-format
 msgid "failed to access %s: %s"
 msgstr ""

-#: dnsmasq.c:1425
+#: dnsmasq.c:1385
 #, c-format
 msgid "reading %s"
 msgstr ""

-#: dnsmasq.c:1436
+#: dnsmasq.c:1396
 #, c-format
 msgid "no servers found in %s, will retry"
 msgstr ""
@@ -1846,7 +1846,7 @@ msgstr ""
 msgid "log failed: %s"
 msgstr ""

-#: log.c:472
+#: log.c:469
 msgid "FAILED to start up"
 msgstr ""

@@ -2101,32 +2101,37 @@ msgstr ""
 msgid "%d addresses %s"
 msgstr ""

-#: inotify.c:46
+#: inotify.c:59
+#, c-format
+msgid "cannot access path %s: %s"
+msgstr ""
+
+#: inotify.c:92
 #, c-format
 msgid "failed to create inotify: %s"
 msgstr ""

-#: inotify.c:60
+#: inotify.c:105
 #, c-format
-msgid "cannot cannonicalise resolv-file %s: %s"
+msgid "too many symlinks following %s"
 msgstr ""

-#: inotify.c:72
+#: inotify.c:121
 #, c-format
 msgid "directory %s for resolv-file is missing, cannot poll"
 msgstr ""

-#: inotify.c:75 inotify.c:112
+#: inotify.c:125 inotify.c:162
 #, c-format
 msgid "failed to create inotify for %s: %s"
 msgstr ""

-#: inotify.c:97
+#: inotify.c:147
 #, c-format
 msgid "bad dynamic directory %s: %s"
 msgstr ""

-#: inotify.c:197
+#: inotify.c:247
 #, c-format
 msgid "inotify, new or changed file %s"
 msgstr ""
--- a/po/fr.po
+++ b/po/fr.po
@@ -1111,34 +1111,34 @@ msgstr "essayez avec -w"
 msgid "bad command line options: %s"
 msgstr "mauvaises options en ligne de commande : %s."

-#: option.c:4544
+#: option.c:4541
 #, c-format
 msgid "cannot get host-name: %s"
 msgstr "ne peut pas obtenir le nom de la machine : %s"

-#: option.c:4572
+#: option.c:4569
 msgid "only one resolv.conf file allowed in no-poll mode."
 msgstr "seul un fichier resolv.conf est autorisé dans le mode no-poll"

-#: option.c:4582
+#: option.c:4579
 msgid "must have exactly one resolv.conf to read domain from."
 msgstr "un fichier resolv.conf (et un seul) est nécessaire pour y récuperer le nom de domaine."

-#: option.c:4585 network.c:1507 dhcp.c:777
+#: option.c:4582 network.c:1507 dhcp.c:777
 #, c-format
 msgid "failed to read %s: %s"
 msgstr "impossible de lire %s : %s"

-#: option.c:4602
+#: option.c:4599
 #, c-format
 msgid "no search directive found in %s"
 msgstr "pas de directive de recherche trouvée dans %s"

-#: option.c:4623
+#: option.c:4620
 msgid "there must be a default domain when --dhcp-fqdn is set"
 msgstr "un domaine par défaut doit être spécifié lorsque l'option --dhcp-fqdn est utilisée"

-#: option.c:4632
+#: option.c:4629
 msgid "syntax check OK"
 msgstr "vérification de syntaxe OK"

@@ -1161,11 +1161,11 @@ msgstr "le serveur de nom %s a refus
 msgid "possible DNS-rebind attack detected: %s"
 msgstr "détection d'une possible attaque de type DNS-rebind: %s"

-#: forward.c:1209 forward.c:1785
+#: forward.c:1209 forward.c:1815
 msgid "Ignoring query from non-local network"
 msgstr ""

-#: forward.c:2256
+#: forward.c:2286
 #, c-format
 msgid "Maximum number of concurrent DNS queries reached (max: %d)"
 msgstr "Nombre maximum de requêtes DNS concurrentes atteint (maximum : %d)."
@@ -1328,7 +1328,7 @@ msgstr "impossible de trouver la liste des interfaces : %s"
 msgid "unknown interface %s"
 msgstr "interface %s inconnue"

-#: dnsmasq.c:354 dnsmasq.c:1037
+#: dnsmasq.c:354 dnsmasq.c:997
 #, c-format
 msgid "DBus error: %s"
 msgstr "Erreur DBus : %s"
@@ -1428,123 +1428,123 @@ msgstr "annonces de routeur IPv6 activ
 msgid "DHCP, sockets bound exclusively to interface %s"
 msgstr ""

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 msgid "root is "
 msgstr "root est"

 #
-#: dnsmasq.c:808
+#: dnsmasq.c:804
 msgid "enabled"
 msgstr "activé"

-#: dnsmasq.c:810
+#: dnsmasq.c:806
 msgid "secure mode"
 msgstr "mode sécurisé"

-#: dnsmasq.c:813
+#: dnsmasq.c:809
 #, c-format
 msgid "warning: %s inaccessible"
 msgstr ""

-#: dnsmasq.c:817
+#: dnsmasq.c:813
 #, fuzzy, c-format
 msgid "warning: TFTP directory %s inaccessible"
 msgstr "répertoire TFTP %s inaccessible : %s"

-#: dnsmasq.c:843
+#: dnsmasq.c:839
 #, c-format
 msgid "restricting maximum simultaneous TFTP transfers to %d"
 msgstr "le nombre maximum de transferts TFTP simultanés sera restreint à %d"

-#: dnsmasq.c:1039
+#: dnsmasq.c:999
 msgid "connected to system DBus"
 msgstr "connecté au systeme DBus"

-#: dnsmasq.c:1189
+#: dnsmasq.c:1149
 #, c-format
 msgid "cannot fork into background: %s"
 msgstr "Ne peut se lancer en tâche de fond : %s"

-#: dnsmasq.c:1192
+#: dnsmasq.c:1152
 #, c-format
 msgid "failed to create helper: %s"
 msgstr "impossible de créer le 'helper' : %s"

-#: dnsmasq.c:1195
+#: dnsmasq.c:1155
 #, c-format
 msgid "setting capabilities failed: %s"
 msgstr "impossible de configurer la capacité %s"

-#: dnsmasq.c:1198
+#: dnsmasq.c:1158
 #, c-format
 msgid "failed to change user-id to %s: %s"
 msgstr "Impossible de changer l'identifiant utilisateur pour %s : %s"

-#: dnsmasq.c:1201
+#: dnsmasq.c:1161
 #, c-format
 msgid "failed to change group-id to %s: %s"
 msgstr "Impossible de changer l'identifiant de groupe pour %s : %s"

-#: dnsmasq.c:1204
+#: dnsmasq.c:1164
 #, c-format
 msgid "failed to open pidfile %s: %s"
 msgstr "impossible de lire le fichier de PID %s : %s"

-#: dnsmasq.c:1207
+#: dnsmasq.c:1167
 #, c-format
 msgid "cannot open log %s: %s"
 msgstr "Ne peut ouvrir le fichier de log %s : %s"

 #
-#: dnsmasq.c:1210
+#: dnsmasq.c:1170
 #, c-format
 msgid "failed to load Lua script: %s"
 msgstr "impossible de charger le script Lua : %s"

-#: dnsmasq.c:1213
+#: dnsmasq.c:1173
 #, c-format
 msgid "TFTP directory %s inaccessible: %s"
 msgstr "répertoire TFTP %s inaccessible : %s"

-#: dnsmasq.c:1216
+#: dnsmasq.c:1176
 #, fuzzy, c-format
 msgid "cannot create timestamp file %s: %s"
 msgstr "ne peut ouvrir ou créer le fichiers de baux %s : %s"

-#: dnsmasq.c:1237
+#: dnsmasq.c:1197
 msgid "now checking DNSSEC signature timestamps"
 msgstr ""

-#: dnsmasq.c:1304
+#: dnsmasq.c:1264
 #, c-format
 msgid "script process killed by signal %d"
 msgstr "Le script a été terminé par le signal %d"

-#: dnsmasq.c:1308
+#: dnsmasq.c:1268
 #, c-format
 msgid "script process exited with status %d"
 msgstr "Le script s'est terminé avec le statut %d"

-#: dnsmasq.c:1312
+#: dnsmasq.c:1272
 #, c-format
 msgid "failed to execute %s: %s"
 msgstr "impossible d'exécuter à %s : %s"

-#: dnsmasq.c:1367
+#: dnsmasq.c:1327
 msgid "exiting on receipt of SIGTERM"
 msgstr "sortie sur réception du signal SIGTERM"

-#: dnsmasq.c:1395
+#: dnsmasq.c:1355
 #, c-format
 msgid "failed to access %s: %s"
 msgstr "impossible d'accéder à %s : %s"

-#: dnsmasq.c:1425
+#: dnsmasq.c:1385
 #, c-format
 msgid "reading %s"
 msgstr "Lecture de %s"

-#: dnsmasq.c:1436
+#: dnsmasq.c:1396
 #, c-format
 msgid "no servers found in %s, will retry"
 msgstr "aucun serveur trouvé dans %s, va réessayer"
@@ -1899,7 +1899,7 @@ msgstr "d
 msgid "log failed: %s"
 msgstr "trace perdue : %s"

-#: log.c:472
+#: log.c:469
 msgid "FAILED to start up"
 msgstr "IMPOSSIBLE de démarrer"

@@ -2155,36 +2155,45 @@ msgstr ""
 msgid "%d addresses %s"
 msgstr "mauvaise adresse"

-#: inotify.c:46
+#: inotify.c:59
+#, fuzzy, c-format
+msgid "cannot access path %s: %s"
+msgstr "Ne peut pas lire %s : %s"
+
+#: inotify.c:92
 #, fuzzy, c-format
 msgid "failed to create inotify: %s"
 msgstr "impossible de créer le 'helper' : %s"

-#: inotify.c:60
-#, fuzzy, c-format
-msgid "cannot cannonicalise resolv-file %s: %s"
-msgstr "ne peut ouvrir ou créer le fichiers de baux %s : %s"
+#: inotify.c:105
+#, c-format
+msgid "too many symlinks following %s"
+msgstr ""

-#: inotify.c:72
+#: inotify.c:121
 #, c-format
 msgid "directory %s for resolv-file is missing, cannot poll"
 msgstr ""

-#: inotify.c:75 inotify.c:112
+#: inotify.c:125 inotify.c:162
 #, fuzzy, c-format
 msgid "failed to create inotify for %s: %s"
 msgstr "impossible de créer une socket d'écoute pour %s : %s"

-#: inotify.c:97
+#: inotify.c:147
 #, fuzzy, c-format
 msgid "bad dynamic directory %s: %s"
 msgstr "Ne peut pas lire le répertoire %s : %s"

-#: inotify.c:197
+#: inotify.c:247
 #, c-format
 msgid "inotify, new or changed file %s"
 msgstr ""

+#, fuzzy
+#~ msgid "cannot cannonicalise resolv-file %s: %s"
+#~ msgstr "ne peut ouvrir ou créer le fichiers de baux %s : %s"
+
 #~ msgid "Always send frequent router-advertisements"
 #~ msgstr "Envoyer des annonces de routeurs fréquentes"

--- a/po/id.po
+++ b/po/id.po
@@ -1263,38 +1263,38 @@ msgid "bad command line options: %s"
 msgstr "pilihan baris perintah salah: %s."

 # OK
-#: option.c:4544
+#: option.c:4541
 #, c-format
 msgid "cannot get host-name: %s"
 msgstr "tidak bisa mendapatkan host-name: %s"

 # OK
-#: option.c:4572
+#: option.c:4569
 msgid "only one resolv.conf file allowed in no-poll mode."
 msgstr "hanya satu file resolv.conf yang diperbolehkan dalam modus no-poll."

 # OK
-#: option.c:4582
+#: option.c:4579
 msgid "must have exactly one resolv.conf to read domain from."
 msgstr "harus mempunyai tepat satu resolv.conf untuk mendapatkan nama domain."

 # OK
-#: option.c:4585 network.c:1507 dhcp.c:777
+#: option.c:4582 network.c:1507 dhcp.c:777
 #, fuzzy, c-format
 msgid "failed to read %s: %s"
 msgstr "gagal membaca %s: %s"

 # OK
-#: option.c:4602
+#: option.c:4599
 #, c-format
 msgid "no search directive found in %s"
 msgstr "tidak ditemukan direktif search di %s"

-#: option.c:4623
+#: option.c:4620
 msgid "there must be a default domain when --dhcp-fqdn is set"
 msgstr ""

-#: option.c:4632
+#: option.c:4629
 msgid "syntax check OK"
 msgstr ""

@@ -1319,12 +1319,12 @@ msgstr "nameserver %s menolak melakukan resolusi rekursif"
 msgid "possible DNS-rebind attack detected: %s"
 msgstr ""

-#: forward.c:1209 forward.c:1785
+#: forward.c:1209 forward.c:1815
 msgid "Ignoring query from non-local network"
 msgstr ""

 # OK
-#: forward.c:2256
+#: forward.c:2286
 #, fuzzy, c-format
 msgid "Maximum number of concurrent DNS queries reached (max: %d)"
 msgstr "Sebutkan jumlah maksimum lease DHCP (default %s)."
@@ -1506,7 +1506,7 @@ msgid "unknown interface %s"
 msgstr "antarmuka tidak dikenal %s"

 # OK
-#: dnsmasq.c:354 dnsmasq.c:1037
+#: dnsmasq.c:354 dnsmasq.c:997
 #, c-format
 msgid "DBus error: %s"
 msgstr "DBus error: %s"
@@ -1617,135 +1617,135 @@ msgstr ""
 msgid "DHCP, sockets bound exclusively to interface %s"
 msgstr ""

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 msgid "root is "
 msgstr ""

 # OK
-#: dnsmasq.c:808
+#: dnsmasq.c:804
 #, fuzzy
 msgid "enabled"
 msgstr "di disable"

-#: dnsmasq.c:810
+#: dnsmasq.c:806
 msgid "secure mode"
 msgstr ""

-#: dnsmasq.c:813
+#: dnsmasq.c:809
 #, c-format
 msgid "warning: %s inaccessible"
 msgstr ""

-#: dnsmasq.c:817
+#: dnsmasq.c:813
 #, c-format
 msgid "warning: TFTP directory %s inaccessible"
 msgstr ""

-#: dnsmasq.c:843
+#: dnsmasq.c:839
 #, c-format
 msgid "restricting maximum simultaneous TFTP transfers to %d"
 msgstr ""

 # OK
-#: dnsmasq.c:1039
+#: dnsmasq.c:999
 msgid "connected to system DBus"
 msgstr "terhubung ke sistem DBus"

-#: dnsmasq.c:1189
+#: dnsmasq.c:1149
 #, c-format
 msgid "cannot fork into background: %s"
 msgstr ""

 # OK
-#: dnsmasq.c:1192
+#: dnsmasq.c:1152
 #, fuzzy, c-format
 msgid "failed to create helper: %s"
 msgstr "gagal membaca %s: %s"

-#: dnsmasq.c:1195
+#: dnsmasq.c:1155
 #, c-format
 msgid "setting capabilities failed: %s"
 msgstr ""

 # OK
-#: dnsmasq.c:1198
+#: dnsmasq.c:1158
 #, fuzzy, c-format
 msgid "failed to change user-id to %s: %s"
 msgstr "gagal memuat nama-nama dari %s: %s"

 # OK
-#: dnsmasq.c:1201
+#: dnsmasq.c:1161
 #, fuzzy, c-format
 msgid "failed to change group-id to %s: %s"
 msgstr "gagal memuat nama-nama dari %s: %s"

 # OK
-#: dnsmasq.c:1204
+#: dnsmasq.c:1164
 #, fuzzy, c-format
 msgid "failed to open pidfile %s: %s"
 msgstr "gagal membaca %s: %s"

 # OK
-#: dnsmasq.c:1207
+#: dnsmasq.c:1167
 #, fuzzy, c-format
 msgid "cannot open log %s: %s"
 msgstr "tidak bisa membuka %s:%s"

 # OK
-#: dnsmasq.c:1210
+#: dnsmasq.c:1170
 #, fuzzy, c-format
 msgid "failed to load Lua script: %s"
 msgstr "gagal memuat %S: %s"

-#: dnsmasq.c:1213
+#: dnsmasq.c:1173
 #, c-format
 msgid "TFTP directory %s inaccessible: %s"
 msgstr ""

 # OK
-#: dnsmasq.c:1216
+#: dnsmasq.c:1176
 #, fuzzy, c-format
 msgid "cannot create timestamp file %s: %s"
 msgstr "tidak dapat membuka atau membuat file lease: %s"

-#: dnsmasq.c:1237
+#: dnsmasq.c:1197
 msgid "now checking DNSSEC signature timestamps"
 msgstr ""

-#: dnsmasq.c:1304
+#: dnsmasq.c:1264
 #, c-format
 msgid "script process killed by signal %d"
 msgstr ""

-#: dnsmasq.c:1308
+#: dnsmasq.c:1268
 #, c-format
 msgid "script process exited with status %d"
 msgstr ""

 # OK
-#: dnsmasq.c:1312
+#: dnsmasq.c:1272
 #, fuzzy, c-format
 msgid "failed to execute %s: %s"
 msgstr "gagal mengakses %s: %s"

-#: dnsmasq.c:1367
+#: dnsmasq.c:1327
 msgid "exiting on receipt of SIGTERM"
 msgstr "keluar karena menerima SIGTERM"

 # OK
-#: dnsmasq.c:1395
+#: dnsmasq.c:1355
 #, fuzzy, c-format
 msgid "failed to access %s: %s"
 msgstr "gagal mengakses %s: %s"

 # OK
-#: dnsmasq.c:1425
+#: dnsmasq.c:1385
 #, c-format
 msgid "reading %s"
 msgstr "membaca %s"

 # OK
-#: dnsmasq.c:1436
+#: dnsmasq.c:1396
 #, fuzzy, c-format
 msgid "no servers found in %s, will retry"
 msgstr "tidak ditemukan direktif search di %s"
@@ -2146,7 +2146,7 @@ msgid "log failed: %s"
 msgstr ""

 # OK
-#: log.c:472
+#: log.c:469
 msgid "FAILED to start up"
 msgstr "GAGAL untuk memulai"

@@ -2432,39 +2432,49 @@ msgid "%d addresses %s"
 msgstr "membaca %s - %d alamat"

 # OK
-#: inotify.c:46
+#: inotify.c:59
+#, fuzzy, c-format
+msgid "cannot access path %s: %s"
+msgstr "tidak bisa membaca %s: %s"
+
+# OK
+#: inotify.c:92
 #, fuzzy, c-format
 msgid "failed to create inotify: %s"
 msgstr "gagal membaca %s: %s"

-# OK
-#: inotify.c:60
-#, fuzzy, c-format
-msgid "cannot cannonicalise resolv-file %s: %s"
-msgstr "tidak dapat membuka atau membuat file lease: %s"
+#: inotify.c:105
+#, c-format
+msgid "too many symlinks following %s"
+msgstr ""

-#: inotify.c:72
+#: inotify.c:121
 #, c-format
 msgid "directory %s for resolv-file is missing, cannot poll"
 msgstr ""

 # OK
-#: inotify.c:75 inotify.c:112
+#: inotify.c:125 inotify.c:162
 #, fuzzy, c-format
 msgid "failed to create inotify for %s: %s"
 msgstr "gagal membuat socket: %s "

 # OK
-#: inotify.c:97
+#: inotify.c:147
 #, fuzzy, c-format
 msgid "bad dynamic directory %s: %s"
 msgstr "tidak bisa membaca %s: %s"

-#: inotify.c:197
+#: inotify.c:247
 #, c-format
 msgid "inotify, new or changed file %s"
 msgstr ""

+# OK
+#, fuzzy
+#~ msgid "cannot cannonicalise resolv-file %s: %s"
+#~ msgstr "tidak dapat membuka atau membuat file lease: %s"
+
 # OK
 #~ msgid "duplicate IP address %s in dhcp-config directive."
 #~ msgstr "alamat IP kembar %s dalam direktif dhcp-config"
--- a/po/it.po
+++ b/po/it.po
@@ -1068,34 +1068,34 @@ msgstr ""
 msgid "bad command line options: %s"
 msgstr ""

-#: option.c:4544
+#: option.c:4541
 #, c-format
 msgid "cannot get host-name: %s"
 msgstr ""

-#: option.c:4572
+#: option.c:4569
 msgid "only one resolv.conf file allowed in no-poll mode."
 msgstr ""

-#: option.c:4582
+#: option.c:4579
 msgid "must have exactly one resolv.conf to read domain from."
 msgstr ""

-#: option.c:4585 network.c:1507 dhcp.c:777
+#: option.c:4582 network.c:1507 dhcp.c:777
 #, c-format
 msgid "failed to read %s: %s"
 msgstr ""

-#: option.c:4602
+#: option.c:4599
 #, c-format
 msgid "no search directive found in %s"
 msgstr ""

-#: option.c:4623
+#: option.c:4620
 msgid "there must be a default domain when --dhcp-fqdn is set"
 msgstr ""

-#: option.c:4632
+#: option.c:4629
 msgid "syntax check OK"
 msgstr ""

@@ -1118,11 +1118,11 @@ msgstr ""
 msgid "possible DNS-rebind attack detected: %s"
 msgstr ""

-#: forward.c:1209 forward.c:1785
+#: forward.c:1209 forward.c:1815
 msgid "Ignoring query from non-local network"
 msgstr ""

-#: forward.c:2256
+#: forward.c:2286
 #, c-format
 msgid "Maximum number of concurrent DNS queries reached (max: %d)"
 msgstr ""
@@ -1278,7 +1278,7 @@ msgstr ""
 msgid "unknown interface %s"
 msgstr ""

-#: dnsmasq.c:354 dnsmasq.c:1037
+#: dnsmasq.c:354 dnsmasq.c:997
 #, c-format
 msgid "DBus error: %s"
 msgstr ""
@@ -1377,121 +1377,121 @@ msgstr ""
 msgid "DHCP, sockets bound exclusively to interface %s"
 msgstr ""

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 msgid "root is "
 msgstr ""

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 msgid "enabled"
 msgstr ""

-#: dnsmasq.c:810
+#: dnsmasq.c:806
 msgid "secure mode"
 msgstr ""

-#: dnsmasq.c:813
+#: dnsmasq.c:809
 #, c-format
 msgid "warning: %s inaccessible"
 msgstr ""

-#: dnsmasq.c:817
+#: dnsmasq.c:813
 #, c-format
 msgid "warning: TFTP directory %s inaccessible"
 msgstr ""

-#: dnsmasq.c:843
+#: dnsmasq.c:839
 #, c-format
 msgid "restricting maximum simultaneous TFTP transfers to %d"
 msgstr ""

-#: dnsmasq.c:1039
+#: dnsmasq.c:999
 msgid "connected to system DBus"
 msgstr ""

-#: dnsmasq.c:1189
+#: dnsmasq.c:1149
 #, c-format
 msgid "cannot fork into background: %s"
 msgstr ""

-#: dnsmasq.c:1192
+#: dnsmasq.c:1152
 #, c-format
 msgid "failed to create helper: %s"
 msgstr ""

-#: dnsmasq.c:1195
+#: dnsmasq.c:1155
 #, c-format
 msgid "setting capabilities failed: %s"
 msgstr ""

-#: dnsmasq.c:1198
+#: dnsmasq.c:1158
 #, c-format
 msgid "failed to change user-id to %s: %s"
 msgstr ""

-#: dnsmasq.c:1201
+#: dnsmasq.c:1161
 #, c-format
 msgid "failed to change group-id to %s: %s"
 msgstr ""

-#: dnsmasq.c:1204
+#: dnsmasq.c:1164
 #, c-format
 msgid "failed to open pidfile %s: %s"
 msgstr ""

-#: dnsmasq.c:1207
+#: dnsmasq.c:1167
 #, c-format
 msgid "cannot open log %s: %s"
 msgstr ""

-#: dnsmasq.c:1210
+#: dnsmasq.c:1170
 #, c-format
 msgid "failed to load Lua script: %s"
 msgstr ""

-#: dnsmasq.c:1213
+#: dnsmasq.c:1173
 #, c-format
 msgid "TFTP directory %s inaccessible: %s"
 msgstr ""

-#: dnsmasq.c:1216
+#: dnsmasq.c:1176
 #, c-format
 msgid "cannot create timestamp file %s: %s"
 msgstr ""

-#: dnsmasq.c:1237
+#: dnsmasq.c:1197
 msgid "now checking DNSSEC signature timestamps"
 msgstr ""

-#: dnsmasq.c:1304
+#: dnsmasq.c:1264
 #, c-format
 msgid "script process killed by signal %d"
 msgstr ""

-#: dnsmasq.c:1308
+#: dnsmasq.c:1268
 #, c-format
 msgid "script process exited with status %d"
 msgstr ""

-#: dnsmasq.c:1312
+#: dnsmasq.c:1272
 #, c-format
 msgid "failed to execute %s: %s"
 msgstr ""

-#: dnsmasq.c:1367
+#: dnsmasq.c:1327
 msgid "exiting on receipt of SIGTERM"
 msgstr ""

-#: dnsmasq.c:1395
+#: dnsmasq.c:1355
 #, c-format
 msgid "failed to access %s: %s"
 msgstr ""

-#: dnsmasq.c:1425
+#: dnsmasq.c:1385
 #, c-format
 msgid "reading %s"
 msgstr ""

-#: dnsmasq.c:1436
+#: dnsmasq.c:1396
 #, c-format
 msgid "no servers found in %s, will retry"
 msgstr ""
@@ -1846,7 +1846,7 @@ msgstr ""
 msgid "log failed: %s"
 msgstr ""

-#: log.c:472
+#: log.c:469
 msgid "FAILED to start up"
 msgstr ""

@@ -2101,32 +2101,37 @@ msgstr ""
 msgid "%d addresses %s"
 msgstr ""

-#: inotify.c:46
+#: inotify.c:59
+#, c-format
+msgid "cannot access path %s: %s"
+msgstr ""
+
+#: inotify.c:92
 #, c-format
 msgid "failed to create inotify: %s"
 msgstr ""

-#: inotify.c:60
+#: inotify.c:105
 #, c-format
-msgid "cannot cannonicalise resolv-file %s: %s"
+msgid "too many symlinks following %s"
 msgstr ""

-#: inotify.c:72
+#: inotify.c:121
 #, c-format
 msgid "directory %s for resolv-file is missing, cannot poll"
 msgstr ""

-#: inotify.c:75 inotify.c:112
+#: inotify.c:125 inotify.c:162
 #, c-format
 msgid "failed to create inotify for %s: %s"
 msgstr ""

-#: inotify.c:97
+#: inotify.c:147
 #, c-format
 msgid "bad dynamic directory %s: %s"
 msgstr ""

-#: inotify.c:197
+#: inotify.c:247
 #, c-format
 msgid "inotify, new or changed file %s"
 msgstr ""
--- a/po/no.po
+++ b/po/no.po
@@ -1121,34 +1121,34 @@ msgstr ""
 msgid "bad command line options: %s"
 msgstr "dårlige kommandlinje opsjoner: %s."

-#: option.c:4544
+#: option.c:4541
 #, c-format
 msgid "cannot get host-name: %s"
 msgstr "klarer ikke å få vertsnavn: %s"

-#: option.c:4572
+#: option.c:4569
 msgid "only one resolv.conf file allowed in no-poll mode."
 msgstr "kun en resolv.conf fil tillat i no-poll modus."

-#: option.c:4582
+#: option.c:4579
 msgid "must have exactly one resolv.conf to read domain from."
 msgstr "må ha nøyaktig en resolv.conf å lese domene fra."

-#: option.c:4585 network.c:1507 dhcp.c:777
+#: option.c:4582 network.c:1507 dhcp.c:777
 #, fuzzy, c-format
 msgid "failed to read %s: %s"
 msgstr "feilet å lese %s: %s"

-#: option.c:4602
+#: option.c:4599
 #, c-format
 msgid "no search directive found in %s"
 msgstr "intet søke direktiv funnet i %s"

-#: option.c:4623
+#: option.c:4620
 msgid "there must be a default domain when --dhcp-fqdn is set"
 msgstr ""

-#: option.c:4632
+#: option.c:4629
 msgid "syntax check OK"
 msgstr ""

@@ -1171,11 +1171,11 @@ msgstr "navnetjener %s nektet
 msgid "possible DNS-rebind attack detected: %s"
 msgstr ""

-#: forward.c:1209 forward.c:1785
+#: forward.c:1209 forward.c:1815
 msgid "Ignoring query from non-local network"
 msgstr ""

-#: forward.c:2256
+#: forward.c:2286
 #, fuzzy, c-format
 msgid "Maximum number of concurrent DNS queries reached (max: %d)"
 msgstr "Spesifiser maksimum antall DHCP leier (standard er %s)"
@@ -1336,7 +1336,7 @@ msgstr "feilet
 msgid "unknown interface %s"
 msgstr "ukjent tilknytning (interface) %s"

-#: dnsmasq.c:354 dnsmasq.c:1037
+#: dnsmasq.c:354 dnsmasq.c:997
 #, c-format
 msgid "DBus error: %s"
 msgstr "DBus feil: %s"
@@ -1436,122 +1436,122 @@ msgstr ""
 msgid "DHCP, sockets bound exclusively to interface %s"
 msgstr ""

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 msgid "root is "
 msgstr ""

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 #, fuzzy
 msgid "enabled"
 msgstr "deaktivert"

-#: dnsmasq.c:810
+#: dnsmasq.c:806
 msgid "secure mode"
 msgstr ""

-#: dnsmasq.c:813
+#: dnsmasq.c:809
 #, c-format
 msgid "warning: %s inaccessible"
 msgstr ""

-#: dnsmasq.c:817
+#: dnsmasq.c:813
 #, c-format
 msgid "warning: TFTP directory %s inaccessible"
 msgstr ""

-#: dnsmasq.c:843
+#: dnsmasq.c:839
 #, c-format
 msgid "restricting maximum simultaneous TFTP transfers to %d"
 msgstr ""

-#: dnsmasq.c:1039
+#: dnsmasq.c:999
 msgid "connected to system DBus"
 msgstr "tilkoblet til system DBus"

-#: dnsmasq.c:1189
+#: dnsmasq.c:1149
 #, c-format
 msgid "cannot fork into background: %s"
 msgstr ""

-#: dnsmasq.c:1192
+#: dnsmasq.c:1152
 #, fuzzy, c-format
 msgid "failed to create helper: %s"
 msgstr "feilet å lese %s: %s"

-#: dnsmasq.c:1195
+#: dnsmasq.c:1155
 #, c-format
 msgid "setting capabilities failed: %s"
 msgstr ""

-#: dnsmasq.c:1198
+#: dnsmasq.c:1158
 #, fuzzy, c-format
 msgid "failed to change user-id to %s: %s"
 msgstr "feilet å laste navn fra %s: %s"

-#: dnsmasq.c:1201
+#: dnsmasq.c:1161
 #, fuzzy, c-format
 msgid "failed to change group-id to %s: %s"
 msgstr "feilet å laste navn fra %s: %s"

-#: dnsmasq.c:1204
+#: dnsmasq.c:1164
 #, fuzzy, c-format
 msgid "failed to open pidfile %s: %s"
 msgstr "feilet å lese %s: %s"

-#: dnsmasq.c:1207
+#: dnsmasq.c:1167
 #, fuzzy, c-format
 msgid "cannot open log %s: %s"
 msgstr "kan ikke åpne %s:%s"

-#: dnsmasq.c:1210
+#: dnsmasq.c:1170
 #, fuzzy, c-format
 msgid "failed to load Lua script: %s"
 msgstr "feilet å laste %s: %s"

-#: dnsmasq.c:1213
+#: dnsmasq.c:1173
 #, c-format
 msgid "TFTP directory %s inaccessible: %s"
 msgstr ""

-#: dnsmasq.c:1216
+#: dnsmasq.c:1176
 #, fuzzy, c-format
 msgid "cannot create timestamp file %s: %s"
 msgstr "kan ikke åpne eller lage leie fil: %s"

-#: dnsmasq.c:1237
+#: dnsmasq.c:1197
 msgid "now checking DNSSEC signature timestamps"
 msgstr ""

-#: dnsmasq.c:1304
+#: dnsmasq.c:1264
 #, c-format
 msgid "script process killed by signal %d"
 msgstr ""

-#: dnsmasq.c:1308
+#: dnsmasq.c:1268
 #, c-format
 msgid "script process exited with status %d"
 msgstr ""

-#: dnsmasq.c:1312
+#: dnsmasq.c:1272
 #, fuzzy, c-format
 msgid "failed to execute %s: %s"
 msgstr "feilet å få tilgang til %s: %s"

-#: dnsmasq.c:1367
+#: dnsmasq.c:1327
 msgid "exiting on receipt of SIGTERM"
 msgstr "avslutter etter mottak av SIGTERM"

-#: dnsmasq.c:1395
+#: dnsmasq.c:1355
 #, fuzzy, c-format
 msgid "failed to access %s: %s"
 msgstr "feilet å få tilgang til %s: %s"

-#: dnsmasq.c:1425
+#: dnsmasq.c:1385
 #, c-format
 msgid "reading %s"
 msgstr "leser %s"

-#: dnsmasq.c:1436
+#: dnsmasq.c:1396
 #, fuzzy, c-format
 msgid "no servers found in %s, will retry"
 msgstr "intet søke direktiv funnet i %s"
@@ -1906,7 +1906,7 @@ msgstr ""
 msgid "log failed: %s"
 msgstr ""

-#: log.c:472
+#: log.c:469
 msgid "FAILED to start up"
 msgstr "FEILET å starte opp"

@@ -2165,36 +2165,45 @@ msgstr ""
 msgid "%d addresses %s"
 msgstr "les %s - %d adresser"

-#: inotify.c:46
+#: inotify.c:59
+#, fuzzy, c-format
+msgid "cannot access path %s: %s"
+msgstr "kan ikke lese %s: %s"
+
+#: inotify.c:92
 #, fuzzy, c-format
 msgid "failed to create inotify: %s"
 msgstr "feilet å lese %s: %s"

-#: inotify.c:60
-#, fuzzy, c-format
-msgid "cannot cannonicalise resolv-file %s: %s"
-msgstr "kan ikke åpne eller lage leie fil: %s"
+#: inotify.c:105
+#, c-format
+msgid "too many symlinks following %s"
+msgstr ""

-#: inotify.c:72
+#: inotify.c:121
 #, c-format
 msgid "directory %s for resolv-file is missing, cannot poll"
 msgstr ""

-#: inotify.c:75 inotify.c:112
+#: inotify.c:125 inotify.c:162
 #, fuzzy, c-format
 msgid "failed to create inotify for %s: %s"
 msgstr "feilet å lage lytte socket: %s"

-#: inotify.c:97
+#: inotify.c:147
 #, fuzzy, c-format
 msgid "bad dynamic directory %s: %s"
 msgstr "kan ikke lese %s: %s"

-#: inotify.c:197
+#: inotify.c:247
 #, c-format
 msgid "inotify, new or changed file %s"
 msgstr ""

+#, fuzzy
+#~ msgid "cannot cannonicalise resolv-file %s: %s"
+#~ msgstr "kan ikke åpne eller lage leie fil: %s"
+
 #~ msgid "duplicate IP address %s in dhcp-config directive."
 #~ msgstr "dubliserte IP adresser i %s dhcp-config direktiv."

--- a/po/pl.po
+++ b/po/pl.po
@@ -3,14 +3,14 @@
 # This file is put in the public domain.
 #
 # Tomasz Sochański <nerdhero@gmail.com>, 2005.
-# Jan Psota <jasiupsota@gmail.com>, 2008, 2009, 2010, 2011, 2013.
+# Jan Psota <jasiupsota@gmail.com>, 2008-2015.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: pl\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2009-06-10 20:57+0100\n"
-"PO-Revision-Date: 2014-09-23 12:45+0100\n"
+"PO-Revision-Date: 2015-07-15 02:08+0100\n"
 "Last-Translator: Jan Psota <jasiupsota@gmail.com>\n"
 "Language-Team: polski <>\n"
 "Language: pl\n"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n!=1);\n"
-"X-Generator: Poedit 1.6.9\n"
+"X-Generator: Poedit 1.5.5\n"
 "X-Language: pl_PL\n"

 #: cache.c:523
@@ -185,14 +185,12 @@ msgid "Read DHCP option specs from file."
 msgstr "Wskazanie pliku z wartościami 'dhcp-option='."

 #: option.c:348
-#, fuzzy
 msgid "Read DHCP host specs from a directory."
-msgstr "Wskazanie pliku z wartościami 'dhcp-host='."
+msgstr "Odczyt specyfikacji hostów dla DHCP z katalogu."

 #: option.c:349
-#, fuzzy
 msgid "Read DHCP options from a directory."
-msgstr "Wskazanie pliku z wartościami 'dhcp-option='."
+msgstr "Odczyt opcji DHCP z katalogu."

 #: option.c:350
 msgid "Evaluate conditional tag expression."
@@ -209,9 +207,8 @@ msgid "Specify a hosts file to be read in addition to %s."
 msgstr "Wskazanie dodatkowego pliku 'hosts' oprócz %s."

 #: option.c:353
-#, fuzzy
 msgid "Read hosts files from a directory."
-msgstr "Wskazanie pliku z wartościami 'dhcp-host='."
+msgstr "Odczyt pliku hostów z katalogu."

 #: option.c:354
 msgid "Specify interface(s) to listen on."
@@ -355,14 +352,12 @@ msgid "Specify time-to-live in seconds for maximum TTL to send to clients."
 msgstr "Ograniczenie maksymalnego czasu ważności odpowiedzi (TTL) podawanego klientom [w sekundach]."

 #: option.c:388
-#, fuzzy
 msgid "Specify time-to-live ceiling for cache."
-msgstr "Określenie (w sekundach) czasu ważności negatywnych odpowiedzi."
+msgstr "Określenie górnej granicy czasu ważności dla wpisów w pamięci podręcznej."

 #: option.c:389
-#, fuzzy
 msgid "Specify time-to-live floor for cache."
-msgstr "Określenie (w sekundach) czasu ważności negatywnych odpowiedzi."
+msgstr "Określenie dolnej granicy czasu ważności dla wpisów w pamięci podręcznej."

 #: option.c:390
 #, c-format
@@ -508,7 +503,7 @@ msgstr "Ograniczenie dostępu do plików przez TFTP do tych, których właścici

 #: option.c:424
 msgid "Do not terminate the service if TFTP directories are inaccessible."
-msgstr ""
+msgstr "Nieprzerywanie działania serwisu mimo braku dostępu do katalogów TFTP."

 #: option.c:425
 #, c-format
@@ -697,7 +692,7 @@ msgstr "Wyłączenie sprawdzania sygnatur czasowych DNSSEC do pierwszego przeła

 #: option.c:471
 msgid "Timestamp file to verify system clock for DNSSEC"
-msgstr ""
+msgstr "Plik znacznika czasu do weryfikacji zegara systemowego dla potrzeb DNSSEC."

 #: option.c:473
 msgid "Specify DHCPv6 prefix class"
@@ -729,7 +724,7 @@ msgstr "Wykrywanie i usuwanie pętli zapytań DNS."

 #: option.c:481
 msgid "Ignore DNS responses containing ipaddr."
-msgstr ""
+msgstr "Ignorowanie odpowiedzi DNS zawierających ipaddr."

 #: option.c:683
 #, c-format
@@ -1082,34 +1077,34 @@ msgstr "spróbuj: -w"
 msgid "bad command line options: %s"
 msgstr "nieprawidłowa opcja w linii poleceń %s"

-#: option.c:4544
+#: option.c:4541
 #, c-format
 msgid "cannot get host-name: %s"
 msgstr "nie można pobrać nazwy hosta: %s"

-#: option.c:4572
+#: option.c:4569
 msgid "only one resolv.conf file allowed in no-poll mode."
 msgstr "w trybie no-poll można wskazać najwyżej jeden plik resolv.conf."

-#: option.c:4582
+#: option.c:4579
 msgid "must have exactly one resolv.conf to read domain from."
 msgstr "musisz mieć dokładnie jeden plik resolv.conf do odczytu domen."

-#: option.c:4585 network.c:1507 dhcp.c:777
+#: option.c:4582 network.c:1507 dhcp.c:777
 #, c-format
 msgid "failed to read %s: %s"
 msgstr "nie udało się odczytać %s: %s"

-#: option.c:4602
+#: option.c:4599
 #, c-format
 msgid "no search directive found in %s"
 msgstr "brak wytycznych wyszukiwania w %s"

-#: option.c:4623
+#: option.c:4620
 msgid "there must be a default domain when --dhcp-fqdn is set"
 msgstr "w przypadku używania --dhcp-fqdn trzeba wskazać domyślną domenę"

-#: option.c:4632
+#: option.c:4629
 msgid "syntax check OK"
 msgstr "składnia sprawdzona, jest prawidłowa"

@@ -1132,11 +1127,11 @@ msgstr "serwer nazw %s odmawia wykonania zapytania rekurencyjnego"
 msgid "possible DNS-rebind attack detected: %s"
 msgstr "prawdopodobnie wykryto atak DNS-rebind: %s"

-#: forward.c:1209 forward.c:1785
+#: forward.c:1209 forward.c:1815
 msgid "Ignoring query from non-local network"
 msgstr "Ignorowanie zapytań z sieci pozalokalnych."

-#: forward.c:2256
+#: forward.c:2286
 #, c-format
 msgid "Maximum number of concurrent DNS queries reached (max: %d)"
 msgstr "Osiągnięto graniczną ilość jednocześnie obsługiwanych zapytań DNS (maks: %d)"
@@ -1228,17 +1223,15 @@ msgstr "używam serwera nazw %s#%d"

 #: dnsmasq.c:163
 msgid "dhcp-hostsdir, dhcp-optsdir and hostsdir are not supported on this platform"
-msgstr ""
+msgstr "dhcp-hostsdir, dhcp-optsdir i hostsdir nie znajdują zastosowania na tej platformie"

 #: dnsmasq.c:170
-#, fuzzy
 msgid "no trust anchors provided for DNSSEC"
-msgstr "Nie wskazano punktów zaufania dla DNSSEC."
+msgstr "nie wskazano punktów zaufania dla DNSSEC"

 #: dnsmasq.c:173
-#, fuzzy
 msgid "cannot reduce cache size from default when DNSSEC enabled"
-msgstr "Brak możliwości zmniejszenia pamięci podręcznej poniżej wielkości domyślnej w przypadku używania DNSSEC."
+msgstr "brak możliwości zmniejszenia pamięci podręcznej poniżej wielkości domyślnej w przypadku używania DNSSEC"

 #: dnsmasq.c:175
 msgid "DNSSEC not available: set HAVE_DNSSEC in src/config.h"
@@ -1249,14 +1242,12 @@ msgid "TFTP server not available: set HAVE_TFTP in src/config.h"
 msgstr "Serwer TFTP nie został wkompilowany -- ustaw HAVE_TFTP w src/config.h"

 #: dnsmasq.c:186
-#, fuzzy
 msgid "cannot use --conntrack AND --query-port"
-msgstr "--conntrack i --query-port wykluczają się wzajemnie"
+msgstr "--conntrack i --query-port wzajemnie się wykluczają"

 #: dnsmasq.c:189
-#, fuzzy
 msgid "conntrack support not available: set HAVE_CONNTRACK in src/config.h"
-msgstr "Wsparcie dla przekazywania znaczników połączeń (conntrack) nie zostało wkompilowane - ustaw HAVE_CONNTRACK w src/config.h"
+msgstr "wsparcie przekazywania znaczników połączeń (conntrack) nie zostało wkompilowane - ustaw HAVE_CONNTRACK w src/config.h"

 #: dnsmasq.c:194
 msgid "asychronous logging is not available under Solaris"
@@ -1271,9 +1262,8 @@ msgid "authoritative DNS not available: set HAVE_AUTH in src/config.h"
 msgstr "tryb autorytatywny DNS-a niedostępny - ustaw HAVE_AUTH w src/config.h"

 #: dnsmasq.c:209
-#, fuzzy
 msgid "loop detection not available: set HAVE_LOOP in src/config.h"
-msgstr "Wykrywanie pętli zapytań nie zostało wkompilowane - ustaw HAVE_LOOP w src/config.h"
+msgstr "wykrywanie pętli zapytań nie zostało wkompilowane - ustaw HAVE_LOOP w src/config.h"

 #: dnsmasq.c:217
 msgid "zone serial must be configured in --auth-soa"
@@ -1297,7 +1287,7 @@ msgstr "błąd podczas tworzenia listy interfejsów sieciowych: %s"
 msgid "unknown interface %s"
 msgstr "nieznany interfejs %s"

-#: dnsmasq.c:354 dnsmasq.c:1037
+#: dnsmasq.c:354 dnsmasq.c:997
 #, c-format
 msgid "DBus error: %s"
 msgstr "błąd DBus: %s"
@@ -1357,14 +1347,13 @@ msgid "DNSSEC signature timestamps not checked until first cache reload"
 msgstr "sprawdzanie sygnatur czasowych DNSSEC wyłączone do czasu przeładowania pamięci podręcznej"

 #: dnsmasq.c:733
-#, fuzzy
 msgid "DNSSEC signature timestamps not checked until system time valid"
-msgstr "sprawdzanie sygnatur czasowych DNSSEC wyłączone do czasu przeładowania pamięci podręcznej"
+msgstr "sprawdzanie sygnatur czasowych DNSSEC wyłączone do czasu zsynchronizowania się zegara systemowego"

 #: dnsmasq.c:738
 #, c-format
 msgid "warning: failed to change owner of %s: %s"
-msgstr "UWAGA! Nie udało się zmienić użytkownika pliku %s: %s"
+msgstr "uwaga: nie udało się zmienić użytkownika pliku %s: %s"

 #: dnsmasq.c:742
 msgid "setting --bind-interfaces option because of OS limitations"
@@ -1397,121 +1386,121 @@ msgstr "anonsowanie rutera IPv6 włączone"
 msgid "DHCP, sockets bound exclusively to interface %s"
 msgstr "DHCP, gniazda dowiązane na wyłączność interfejsowi %s"

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 msgid "root is "
 msgstr "z głównym katalogiem w "

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 msgid "enabled"
 msgstr "włączony"

-#: dnsmasq.c:810
+#: dnsmasq.c:806
 msgid "secure mode"
 msgstr "w trybie bezpiecznym"

-#: dnsmasq.c:813
+#: dnsmasq.c:809
 #, c-format
 msgid "warning: %s inaccessible"
-msgstr ""
+msgstr "uwaga: %s niedostępny"

-#: dnsmasq.c:817
-#, fuzzy, c-format
+#: dnsmasq.c:813
+#, c-format
 msgid "warning: TFTP directory %s inaccessible"
-msgstr "katalog TFTP %s nie jest dostępny: %s"
+msgstr "uwaga: katalog TFTP %s nie jest dostępny"

-#: dnsmasq.c:843
+#: dnsmasq.c:839
 #, c-format
 msgid "restricting maximum simultaneous TFTP transfers to %d"
 msgstr "ograniczam ilość jednoczesnych przesłań TFTP do %d"

-#: dnsmasq.c:1039
+#: dnsmasq.c:999
 msgid "connected to system DBus"
 msgstr "podłączono do DBus-a"

-#: dnsmasq.c:1189
+#: dnsmasq.c:1149
 #, c-format
 msgid "cannot fork into background: %s"
 msgstr "nie potrafię przełączyć się do pracy w tle: %s"

-#: dnsmasq.c:1192
+#: dnsmasq.c:1152
 #, c-format
 msgid "failed to create helper: %s"
 msgstr "nie udało się utworzyć procesu pomocniczego: %s"

-#: dnsmasq.c:1195
+#: dnsmasq.c:1155
 #, c-format
 msgid "setting capabilities failed: %s"
 msgstr "nie powiodło się ustawianie ograniczeń (capabilities): %s"

-#: dnsmasq.c:1198
+#: dnsmasq.c:1158
 #, c-format
 msgid "failed to change user-id to %s: %s"
 msgstr "nie udało się zmienić użytkownika procesu na %s: %s"

-#: dnsmasq.c:1201
+#: dnsmasq.c:1161
 #, c-format
 msgid "failed to change group-id to %s: %s"
 msgstr "nie udało się zmienić grupy procesu na %s: %s"

-#: dnsmasq.c:1204
+#: dnsmasq.c:1164
 #, c-format
 msgid "failed to open pidfile %s: %s"
 msgstr "nie udało się otworzyć pliku z PID-em %s: %s"

-#: dnsmasq.c:1207
+#: dnsmasq.c:1167
 #, c-format
 msgid "cannot open log %s: %s"
 msgstr "nie udało się otworzyć logu %s: %s"

-#: dnsmasq.c:1210
+#: dnsmasq.c:1170
 #, c-format
 msgid "failed to load Lua script: %s"
 msgstr "nie udało się wczytać skryptu Lua: %s"

-#: dnsmasq.c:1213
+#: dnsmasq.c:1173
 #, c-format
 msgid "TFTP directory %s inaccessible: %s"
 msgstr "katalog TFTP %s nie jest dostępny: %s"

-#: dnsmasq.c:1216
-#, fuzzy, c-format
+#: dnsmasq.c:1176
+#, c-format
 msgid "cannot create timestamp file %s: %s"
-msgstr "nie potrafię otworzyć albo utworzyć pliku dzierżaw %s: %s"
+msgstr "nie potrafię utworzyć pliku znacznika czasu %s: %s"

-#: dnsmasq.c:1237
+#: dnsmasq.c:1197
 msgid "now checking DNSSEC signature timestamps"
 msgstr "trwa sprawdzanie sygnatur czasowych podpisów DNSSEC"

-#: dnsmasq.c:1304
+#: dnsmasq.c:1264
 #, c-format
 msgid "script process killed by signal %d"
 msgstr "skrypt został zabity sygnałem %d"

-#: dnsmasq.c:1308
+#: dnsmasq.c:1268
 #, c-format
 msgid "script process exited with status %d"
 msgstr "skrypt zakończył się z kodem powrotu %d"

-#: dnsmasq.c:1312
+#: dnsmasq.c:1272
 #, c-format
 msgid "failed to execute %s: %s"
 msgstr "nie udało się uruchomić %s: %s"

-#: dnsmasq.c:1367
+#: dnsmasq.c:1327
 msgid "exiting on receipt of SIGTERM"
 msgstr "zakończyłem działanie z powodu odebrania SIGTERM"

-#: dnsmasq.c:1395
+#: dnsmasq.c:1355
 #, c-format
 msgid "failed to access %s: %s"
 msgstr "brak dostępu do %s: %s"

-#: dnsmasq.c:1425
+#: dnsmasq.c:1385
 #, c-format
 msgid "reading %s"
 msgstr "czytanie %s"

-#: dnsmasq.c:1436
+#: dnsmasq.c:1396
 #, c-format
 msgid "no servers found in %s, will retry"
 msgstr "w %s nie znalazłem serwerów, spróbuję ponownie później"
@@ -1789,12 +1778,12 @@ msgstr "próba ustawienia adresu IPv6 serwera przez DBus, ale brak obsługi IPv6
 #: dbus.c:439
 #, c-format
 msgid "Enabling --%s option from D-Bus"
-msgstr ""
+msgstr "opcja --%s została właśnie aktywowana za pomocą D-Bus"

 #: dbus.c:444
 #, c-format
 msgid "Disabling --%s option from D-Bus"
-msgstr ""
+msgstr "opcja --%s została właśnie dezaktywowana za pomocą D-Bus"

 #: dbus.c:691
 msgid "setting upstream servers from DBus"
@@ -1866,7 +1855,7 @@ msgstr "przepełnienie: stracono %d wpisów do logów"
 msgid "log failed: %s"
 msgstr "nie udało się zapisać komunikatów do %s"

-#: log.c:472
+#: log.c:469
 msgid "FAILED to start up"
 msgstr "BŁĄD: nie udało się uruchomić dnsmasq-a"

@@ -2069,9 +2058,9 @@ msgid "failed to create IPset control socket: %s"
 msgstr "nie powiodło się otwieranie gniazda sterującego IPset: %s"

 #: dnssec.c:449 dnssec.c:493
-#, fuzzy, c-format
+#, c-format
 msgid "failed to update mtime on %s: %s"
-msgstr "nie udało się otworzyć pliku z PID-em %s: %s"
+msgstr "nie udało się uaktualnić znacznika czasu pliku %s: %s"

 #: blockdata.c:58
 #, c-format
@@ -2121,35 +2110,44 @@ msgstr "uwaga: DIOCR%sADDRS: %s"
 msgid "%d addresses %s"
 msgstr "%d adresów %s"

-#: inotify.c:46
-#, fuzzy, c-format
-msgid "failed to create inotify: %s"
-msgstr "nie udało się utworzyć procesu pomocniczego: %s"
-
-#: inotify.c:60
-#, fuzzy, c-format
-msgid "cannot cannonicalise resolv-file %s: %s"
-msgstr "nie potrafię otworzyć albo utworzyć pliku dzierżaw %s: %s"
-
-#: inotify.c:72
+#: inotify.c:59
 #, c-format
-msgid "directory %s for resolv-file is missing, cannot poll"
-msgstr ""
-
-#: inotify.c:75 inotify.c:112
-#, fuzzy, c-format
-msgid "failed to create inotify for %s: %s"
-msgstr "nie udało się otworzyć gniazda %s: %s"
-
-#: inotify.c:97
-#, fuzzy, c-format
-msgid "bad dynamic directory %s: %s"
+msgid "cannot access path %s: %s"
 msgstr "brak dostępu do katalogu %s: %s"

-#: inotify.c:197
+#: inotify.c:92
+#, c-format
+msgid "failed to create inotify: %s"
+msgstr "nie udało się uruchomić powiadamiania inotify: %s"
+
+#: inotify.c:105
+#, c-format
+msgid "too many symlinks following %s"
+msgstr "zbyt wiele odniesień począwszy od %s"
+
+#: inotify.c:121
+#, c-format
+msgid "directory %s for resolv-file is missing, cannot poll"
+msgstr "katalog %s z resolv-file nie istnieje - nie ma czego odpytywać"
+
+#: inotify.c:125 inotify.c:162
+#, c-format
+msgid "failed to create inotify for %s: %s"
+msgstr "nie udało się utworzyć powiadamiania dla %s: %s"
+
+#: inotify.c:147
+#, c-format
+msgid "bad dynamic directory %s: %s"
+msgstr "zły katalog dynamiczny %s: %s"
+
+#: inotify.c:247
 #, c-format
 msgid "inotify, new or changed file %s"
-msgstr ""
+msgstr "inotify: pojawił się lub uległ zmianie plik %s"
+
+#, fuzzy
+#~ msgid "cannot cannonicalise resolv-file %s: %s"
+#~ msgstr "nie potrafię otworzyć albo utworzyć pliku dzierżaw %s: %s"

 #~ msgid "Always send frequent router-advertisements"
 #~ msgstr "Rozsyłanie wielokrotne anonsów rutera (RA)"
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
@@ -1068,34 +1068,34 @@ msgstr ""
 msgid "bad command line options: %s"
 msgstr ""

-#: option.c:4544
+#: option.c:4541
 #, c-format
 msgid "cannot get host-name: %s"
 msgstr ""

-#: option.c:4572
+#: option.c:4569
 msgid "only one resolv.conf file allowed in no-poll mode."
 msgstr ""

-#: option.c:4582
+#: option.c:4579
 msgid "must have exactly one resolv.conf to read domain from."
 msgstr ""

-#: option.c:4585 network.c:1507 dhcp.c:777
+#: option.c:4582 network.c:1507 dhcp.c:777
 #, c-format
 msgid "failed to read %s: %s"
 msgstr ""

-#: option.c:4602
+#: option.c:4599
 #, c-format
 msgid "no search directive found in %s"
 msgstr ""

-#: option.c:4623
+#: option.c:4620
 msgid "there must be a default domain when --dhcp-fqdn is set"
 msgstr ""

-#: option.c:4632
+#: option.c:4629
 msgid "syntax check OK"
 msgstr ""

@@ -1118,11 +1118,11 @@ msgstr ""
 msgid "possible DNS-rebind attack detected: %s"
 msgstr ""

-#: forward.c:1209 forward.c:1785
+#: forward.c:1209 forward.c:1815
 msgid "Ignoring query from non-local network"
 msgstr ""

-#: forward.c:2256
+#: forward.c:2286
 #, c-format
 msgid "Maximum number of concurrent DNS queries reached (max: %d)"
 msgstr ""
@@ -1278,7 +1278,7 @@ msgstr ""
 msgid "unknown interface %s"
 msgstr ""

-#: dnsmasq.c:354 dnsmasq.c:1037
+#: dnsmasq.c:354 dnsmasq.c:997
 #, c-format
 msgid "DBus error: %s"
 msgstr ""
@@ -1377,121 +1377,121 @@ msgstr ""
 msgid "DHCP, sockets bound exclusively to interface %s"
 msgstr ""

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 msgid "root is "
 msgstr ""

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 msgid "enabled"
 msgstr ""

-#: dnsmasq.c:810
+#: dnsmasq.c:806
 msgid "secure mode"
 msgstr ""

-#: dnsmasq.c:813
+#: dnsmasq.c:809
 #, c-format
 msgid "warning: %s inaccessible"
 msgstr ""

-#: dnsmasq.c:817
+#: dnsmasq.c:813
 #, c-format
 msgid "warning: TFTP directory %s inaccessible"
 msgstr ""

-#: dnsmasq.c:843
+#: dnsmasq.c:839
 #, c-format
 msgid "restricting maximum simultaneous TFTP transfers to %d"
 msgstr ""

-#: dnsmasq.c:1039
+#: dnsmasq.c:999
 msgid "connected to system DBus"
 msgstr ""

-#: dnsmasq.c:1189
+#: dnsmasq.c:1149
 #, c-format
 msgid "cannot fork into background: %s"
 msgstr ""

-#: dnsmasq.c:1192
+#: dnsmasq.c:1152
 #, c-format
 msgid "failed to create helper: %s"
 msgstr ""

-#: dnsmasq.c:1195
+#: dnsmasq.c:1155
 #, c-format
 msgid "setting capabilities failed: %s"
 msgstr ""

-#: dnsmasq.c:1198
+#: dnsmasq.c:1158
 #, c-format
 msgid "failed to change user-id to %s: %s"
 msgstr ""

-#: dnsmasq.c:1201
+#: dnsmasq.c:1161
 #, c-format
 msgid "failed to change group-id to %s: %s"
 msgstr ""

-#: dnsmasq.c:1204
+#: dnsmasq.c:1164
 #, c-format
 msgid "failed to open pidfile %s: %s"
 msgstr ""

-#: dnsmasq.c:1207
+#: dnsmasq.c:1167
 #, c-format
 msgid "cannot open log %s: %s"
 msgstr ""

-#: dnsmasq.c:1210
+#: dnsmasq.c:1170
 #, c-format
 msgid "failed to load Lua script: %s"
 msgstr ""

-#: dnsmasq.c:1213
+#: dnsmasq.c:1173
 #, c-format
 msgid "TFTP directory %s inaccessible: %s"
 msgstr ""

-#: dnsmasq.c:1216
+#: dnsmasq.c:1176
 #, c-format
 msgid "cannot create timestamp file %s: %s"
 msgstr ""

-#: dnsmasq.c:1237
+#: dnsmasq.c:1197
 msgid "now checking DNSSEC signature timestamps"
 msgstr ""

-#: dnsmasq.c:1304
+#: dnsmasq.c:1264
 #, c-format
 msgid "script process killed by signal %d"
 msgstr ""

-#: dnsmasq.c:1308
+#: dnsmasq.c:1268
 #, c-format
 msgid "script process exited with status %d"
 msgstr ""

-#: dnsmasq.c:1312
+#: dnsmasq.c:1272
 #, c-format
 msgid "failed to execute %s: %s"
 msgstr ""

-#: dnsmasq.c:1367
+#: dnsmasq.c:1327
 msgid "exiting on receipt of SIGTERM"
 msgstr ""

-#: dnsmasq.c:1395
+#: dnsmasq.c:1355
 #, c-format
 msgid "failed to access %s: %s"
 msgstr ""

-#: dnsmasq.c:1425
+#: dnsmasq.c:1385
 #, c-format
 msgid "reading %s"
 msgstr ""

-#: dnsmasq.c:1436
+#: dnsmasq.c:1396
 #, c-format
 msgid "no servers found in %s, will retry"
 msgstr ""
@@ -1846,7 +1846,7 @@ msgstr ""
 msgid "log failed: %s"
 msgstr ""

-#: log.c:472
+#: log.c:469
 msgid "FAILED to start up"
 msgstr ""

@@ -2101,32 +2101,37 @@ msgstr ""
 msgid "%d addresses %s"
 msgstr ""

-#: inotify.c:46
+#: inotify.c:59
+#, c-format
+msgid "cannot access path %s: %s"
+msgstr ""
+
+#: inotify.c:92
 #, c-format
 msgid "failed to create inotify: %s"
 msgstr ""

-#: inotify.c:60
+#: inotify.c:105
 #, c-format
-msgid "cannot cannonicalise resolv-file %s: %s"
+msgid "too many symlinks following %s"
 msgstr ""

-#: inotify.c:72
+#: inotify.c:121
 #, c-format
 msgid "directory %s for resolv-file is missing, cannot poll"
 msgstr ""

-#: inotify.c:75 inotify.c:112
+#: inotify.c:125 inotify.c:162
 #, c-format
 msgid "failed to create inotify for %s: %s"
 msgstr ""

-#: inotify.c:97
+#: inotify.c:147
 #, c-format
 msgid "bad dynamic directory %s: %s"
 msgstr ""

-#: inotify.c:197
+#: inotify.c:247
 #, c-format
 msgid "inotify, new or changed file %s"
 msgstr ""
--- a/po/ro.po
+++ b/po/ro.po
@@ -1119,34 +1119,34 @@ msgstr ""
 msgid "bad command line options: %s"
 msgstr "opţiuni în linie de comandă invalide: %s."

-#: option.c:4544
+#: option.c:4541
 #, c-format
 msgid "cannot get host-name: %s"
 msgstr "nu pot citi numele maşinii: %s"

-#: option.c:4572
+#: option.c:4569
 msgid "only one resolv.conf file allowed in no-poll mode."
 msgstr "se permite un singur fişier resolv.conf în modul no-poll"

-#: option.c:4582
+#: option.c:4579
 msgid "must have exactly one resolv.conf to read domain from."
 msgstr "am nevoie de un singur resolv.conf din care să citesc numele domeniului."

-#: option.c:4585 network.c:1507 dhcp.c:777
+#: option.c:4582 network.c:1507 dhcp.c:777
 #, fuzzy, c-format
 msgid "failed to read %s: %s"
 msgstr "nu pot citi %s: %s"

-#: option.c:4602
+#: option.c:4599
 #, c-format
 msgid "no search directive found in %s"
 msgstr "nu s-a găsit nici un criteriu de căutare în %s"

-#: option.c:4623
+#: option.c:4620
 msgid "there must be a default domain when --dhcp-fqdn is set"
 msgstr ""

-#: option.c:4632
+#: option.c:4629
 msgid "syntax check OK"
 msgstr ""

@@ -1169,11 +1169,11 @@ msgstr "serverul DNS %s refuză interogările recursive"
 msgid "possible DNS-rebind attack detected: %s"
 msgstr ""

-#: forward.c:1209 forward.c:1785
+#: forward.c:1209 forward.c:1815
 msgid "Ignoring query from non-local network"
 msgstr ""

-#: forward.c:2256
+#: forward.c:2286
 #, fuzzy, c-format
 msgid "Maximum number of concurrent DNS queries reached (max: %d)"
 msgstr "Specifică numărul maxim de împrumuturi DHCP (implicit %s)."
@@ -1334,7 +1334,7 @@ msgstr "enumerarea interfeţelor a eşuat: %s"
 msgid "unknown interface %s"
 msgstr "interfaţă necunoscută %s"

-#: dnsmasq.c:354 dnsmasq.c:1037
+#: dnsmasq.c:354 dnsmasq.c:997
 #, c-format
 msgid "DBus error: %s"
 msgstr "eroare DBus: %s"
@@ -1435,124 +1435,124 @@ msgstr ""
 msgid "DHCP, sockets bound exclusively to interface %s"
 msgstr ""

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 msgid "root is "
 msgstr ""

-#: dnsmasq.c:808
+#: dnsmasq.c:804
 #, fuzzy
 msgid "enabled"
 msgstr "dezactivat"

-#: dnsmasq.c:810
+#: dnsmasq.c:806
 msgid "secure mode"
 msgstr ""

-#: dnsmasq.c:813
+#: dnsmasq.c:809
 #, c-format
 msgid "warning: %s inaccessible"
 msgstr ""

-#: dnsmasq.c:817
+#: dnsmasq.c:813
 #, c-format
 msgid "warning: TFTP directory %s inaccessible"
 msgstr ""

-#: dnsmasq.c:843
+#: dnsmasq.c:839
 #, c-format
 msgid "restricting maximum simultaneous TFTP transfers to %d"
 msgstr ""

-#: dnsmasq.c:1039
+#: dnsmasq.c:999
 msgid "connected to system DBus"
 msgstr "magistrala sistem Dbus conectată"

-#: dnsmasq.c:1189
+#: dnsmasq.c:1149
 #, c-format
 msgid "cannot fork into background: %s"
 msgstr ""

-#: dnsmasq.c:1192
+#: dnsmasq.c:1152
 #, fuzzy, c-format
 msgid "failed to create helper: %s"
 msgstr "nu pot citi %s: %s"

-#: dnsmasq.c:1195
+#: dnsmasq.c:1155
 #, c-format
 msgid "setting capabilities failed: %s"
 msgstr ""

 # for compatibility purposes the letters â, ă, ş, ţ and î can be written as their look-alike correspondent.
-#: dnsmasq.c:1198
+#: dnsmasq.c:1158
 #, fuzzy, c-format
 msgid "failed to change user-id to %s: %s"
 msgstr "încărcarea numelor din %s: %s a eşuat"

 # for compatibility purposes the letters â, ă, ş, ţ and î can be written as their look-alike correspondent.
-#: dnsmasq.c:1201
+#: dnsmasq.c:1161
 #, fuzzy, c-format
 msgid "failed to change group-id to %s: %s"
 msgstr "încărcarea numelor din %s: %s a eşuat"

-#: dnsmasq.c:1204
+#: dnsmasq.c:1164
 #, fuzzy, c-format
 msgid "failed to open pidfile %s: %s"
 msgstr "nu pot citi %s: %s"

-#: dnsmasq.c:1207
+#: dnsmasq.c:1167
 #, fuzzy, c-format
 msgid "cannot open log %s: %s"
 msgstr "nu pot deschide %s:%s"

-#: dnsmasq.c:1210
+#: dnsmasq.c:1170
 #, fuzzy, c-format
 msgid "failed to load Lua script: %s"
 msgstr "nu pot încărca %s: %s"

-#: dnsmasq.c:1213
+#: dnsmasq.c:1173
 #, c-format
 msgid "TFTP directory %s inaccessible: %s"
 msgstr ""

-#: dnsmasq.c:1216
+#: dnsmasq.c:1176
 #, fuzzy, c-format
 msgid "cannot create timestamp file %s: %s"
 msgstr "nu pot creea sau deschide fişierul cu împrumuturi: %s"

-#: dnsmasq.c:1237
+#: dnsmasq.c:1197
 msgid "now checking DNSSEC signature timestamps"
 msgstr ""

-#: dnsmasq.c:1304
+#: dnsmasq.c:1264
 #, c-format
 msgid "script process killed by signal %d"
 msgstr ""

-#: dnsmasq.c:1308
+#: dnsmasq.c:1268
 #, c-format
 msgid "script process exited with status %d"
 msgstr ""

-#: dnsmasq.c:1312
+#: dnsmasq.c:1272
 #, fuzzy, c-format
 msgid "failed to execute %s: %s"
 msgstr "accesarea serverului %s a eşuat: %s"

-#: dnsmasq.c:1367
+#: dnsmasq.c:1327
 msgid "exiting on receipt of SIGTERM"
 msgstr "am primit SIGTERM, am terminat"

-#: dnsmasq.c:1395
+#: dnsmasq.c:1355
 #, fuzzy, c-format
 msgid "failed to access %s: %s"
 msgstr "accesarea serverului %s a eşuat: %s"

-#: dnsmasq.c:1425
+#: dnsmasq.c:1385
 #, c-format
 msgid "reading %s"
 msgstr "citesc %s"

-#: dnsmasq.c:1436
+#: dnsmasq.c:1396
 #, fuzzy, c-format
 msgid "no servers found in %s, will retry"
 msgstr "nu s-a găsit nici un criteriu de căutare în %s"
@@ -1907,7 +1907,7 @@ msgstr ""
 msgid "log failed: %s"
 msgstr ""

-#: log.c:472
+#: log.c:469
 msgid "FAILED to start up"
 msgstr "pornirea A EŞUAT"

@@ -2166,36 +2166,45 @@ msgstr ""
 msgid "%d addresses %s"
 msgstr "citesc %s - %d adrese"

-#: inotify.c:46
+#: inotify.c:59
+#, fuzzy, c-format
+msgid "cannot access path %s: %s"
+msgstr "nu pot citi %s: %s"
+
+#: inotify.c:92
 #, fuzzy, c-format
 msgid "failed to create inotify: %s"
 msgstr "nu pot citi %s: %s"

-#: inotify.c:60
-#, fuzzy, c-format
-msgid "cannot cannonicalise resolv-file %s: %s"
-msgstr "nu pot creea sau deschide fişierul cu împrumuturi: %s"
+#: inotify.c:105
+#, c-format
+msgid "too many symlinks following %s"
+msgstr ""

-#: inotify.c:72
+#: inotify.c:121
 #, c-format
 msgid "directory %s for resolv-file is missing, cannot poll"
 msgstr ""

-#: inotify.c:75 inotify.c:112
+#: inotify.c:125 inotify.c:162
 #, fuzzy, c-format
 msgid "failed to create inotify for %s: %s"
 msgstr "creearea socket-ului de ascultare a eşuat: %s"

-#: inotify.c:97
+#: inotify.c:147
 #, fuzzy, c-format
 msgid "bad dynamic directory %s: %s"
 msgstr "nu pot citi %s: %s"

-#: inotify.c:197
+#: inotify.c:247
 #, c-format
 msgid "inotify, new or changed file %s"
 msgstr ""

+#, fuzzy
+#~ msgid "cannot cannonicalise resolv-file %s: %s"
+#~ msgstr "nu pot creea sau deschide fişierul cu împrumuturi: %s"
+
 #~ msgid "duplicate IP address %s in dhcp-config directive."
 #~ msgstr "adresă IP duplicat %s în declaraţia dhcp-config."

--- a/src/arp.c
+++ b/src/arp.c
@@ -0,0 +1,247 @@
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+/* Time between forced re-loads from kernel. */
+#define INTERVAL 90
+
+#define ARP_MARK  0
+#define ARP_FOUND 1  /* Confirmed */
+#define ARP_NEW   2  /* Newly created */
+#define ARP_EMPTY 3  /* No MAC addr */
+
+struct arp_record {
+  unsigned short hwlen, status;
+  int family;
+  unsigned char hwaddr[DHCP_CHADDR_MAX]; 
+  struct all_addr addr;
+  struct arp_record *next;
+};
+
+static struct arp_record *arps = NULL, *old = NULL, *freelist = NULL;
+static time_t last = 0;
+
+static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *parmv)
+{
+  struct arp_record *arp;
+
+  (void)parmv;
+
+  if (maclen > DHCP_CHADDR_MAX)
+    return 1;
+
+#ifndef HAVE_IPV6
+  if (family != AF_INET)
+    return 1;
+#endif
+
+  /* Look for existing entry */
+  for (arp = arps; arp; arp = arp->next)
+    {
+      if (family != arp->family || arp->status == ARP_NEW)
+	continue;
+      
+      if (family == AF_INET)
+	{
+	  if (arp->addr.addr.addr4.s_addr != ((struct in_addr *)addrp)->s_addr)
+	    continue;
+	}
+#ifdef HAVE_IPV6
+      else
+	{
+	  if (!IN6_ARE_ADDR_EQUAL(&arp->addr.addr.addr6, (struct in6_addr *)addrp))
+	    continue;
+	}
+#endif
+
+      if (arp->status == ARP_EMPTY)
+	{
+	  /* existing address, was negative. */
+	  arp->status = ARP_NEW;
+	  arp->hwlen = maclen;
+	  memcpy(arp->hwaddr, mac, maclen);
+	}
+      else if (arp->hwlen == maclen && memcmp(arp->hwaddr, mac, maclen) == 0)
+	/* Existing entry matches - confirm. */
+	arp->status = ARP_FOUND;
+      else
+	continue;
+      
+      break;
+    }
+
+  if (!arp)
+    {
+      /* New entry */
+      if (freelist)
+	{
+	  arp = freelist;
+	  freelist = freelist->next;
+	}
+      else if (!(arp = whine_malloc(sizeof(struct arp_record))))
+	return 1;
+      
+      arp->next = arps;
+      arps = arp;
+      arp->status = ARP_NEW;
+      arp->hwlen = maclen;
+      arp->family = family;
+      memcpy(arp->hwaddr, mac, maclen);
+      if (family == AF_INET)
+	arp->addr.addr.addr4.s_addr = ((struct in_addr *)addrp)->s_addr;
+#ifdef HAVE_IPV6
+      else
+	memcpy(&arp->addr.addr.addr6, addrp, IN6ADDRSZ);
+#endif
+    }
+  
+  return 1;
+}
+
+/* If in lazy mode, we cache absence of ARP entries. */
+int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now)
+{
+  struct arp_record *arp, *tmp, **up;
+  int updated = 0;
+
+ again:
+  
+  /* If the database is less then INTERVAL old, look in there */
+  if (difftime(now, last) < INTERVAL)
+    {
+      /* addr == NULL -> just make cache up-to-date */
+      if (!addr)
+	return 0;
+
+      for (arp = arps; arp; arp = arp->next)
+	{
+	  if (addr->sa.sa_family == arp->family)
+	    {
+	      if (arp->addr.addr.addr4.s_addr != addr->in.sin_addr.s_addr)
+		continue;
+	    }
+#ifdef HAVE_IPV6
+	  else
+	    {
+	      if (!IN6_ARE_ADDR_EQUAL(&arp->addr.addr.addr6, &addr->in6.sin6_addr))
+		continue;
+	    }
+#endif
+	  
+	  /* Only accept positive entries unless in lazy mode. */
+	  if (arp->status != ARP_EMPTY || lazy || updated)
+	    {
+	      if (mac && arp->hwlen != 0)
+		memcpy(mac, arp->hwaddr, arp->hwlen);
+	      return arp->hwlen;
+	    }
+	}
+    }
+
+  /* Not found, try the kernel */
+  if (!updated)
+     {
+       updated = 1;
+       last = now;
+
+       /* Mark all non-negative entries */
+       for (arp = arps; arp; arp = arp->next)
+	 if (arp->status != ARP_EMPTY)
+	   arp->status = ARP_MARK;
+       
+       iface_enumerate(AF_UNSPEC, NULL, filter_mac);
+       
+       /* Remove all unconfirmed entries to old list. */
+       for (arp = arps, up = &arps; arp; arp = tmp)
+	 {
+	   tmp = arp->next;
+	   
+	   if (arp->status == ARP_MARK)
+	     {
+	       *up = arp->next;
+	       arp->next = old;
+	       old = arp;
+	     }
+	   else
+	     up = &arp->next;
+	 }
+
+       goto again;
+     }
+
+  /* record failure, so we don't consult the kernel each time
+     we're asked for this address */
+  if (freelist)
+    {
+      arp = freelist;
+      freelist = freelist->next;
+    }
+  else
+    arp = whine_malloc(sizeof(struct arp_record));
+  
+  if (arp)
+    {      
+      arp->next = arps;
+      arps = arp;
+      arp->status = ARP_EMPTY;
+      arp->family = addr->sa.sa_family;
+      arp->hwlen = 0;
+
+      if (addr->sa.sa_family == AF_INET)
+	arp->addr.addr.addr4.s_addr = addr->in.sin_addr.s_addr;
+#ifdef HAVE_IPV6
+      else
+	memcpy(&arp->addr.addr.addr6, &addr->in6.sin6_addr, IN6ADDRSZ);
+#endif
+    }
+	  
+   return 0;
+}
+
+int do_arp_script_run(void)
+{
+  struct arp_record *arp;
+  
+  /* Notify any which went, then move to free list */
+  if (old)
+    {
+#ifdef HAVE_SCRIPT
+      if (option_bool(OPT_SCRIPT_ARP))
+	queue_arp(ACTION_ARP_DEL, old->hwaddr, old->hwlen, old->family, &old->addr);
+#endif
+      arp = old;
+      old = arp->next;
+      arp->next = freelist;
+      freelist = arp;
+      return 1;
+    }
+
+  for (arp = arps; arp; arp = arp->next)
+    if (arp->status == ARP_NEW)
+      {
+#ifdef HAVE_SCRIPT
+	if (option_bool(OPT_SCRIPT_ARP))
+	  queue_arp(ACTION_ARP, arp->hwaddr, arp->hwlen, arp->family, &arp->addr);
+#endif
+	arp->status = ARP_FOUND;
+	return 1;
+      }
+
+  return 0;
+}
+
+
--- a/src/auth.c
+++ b/src/auth.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -81,7 +81,8 @@ int in_zone(struct auth_zone *zone, char *name, char **cut)
 }


-size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr, int local_query) 
+size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr, 
+		   int local_query, int do_bit, int have_pseudoheader) 
 {
  char *name = daemon->namebuff;
  unsigned char *p, *ansp;
@@ -820,6 +821,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
  header->ancount = htons(anscount);
  header->nscount = htons(authcount);
  header->arcount = htons(0);
+
+  /* Advertise our packet size limit in our reply */
+  if (have_pseudoheader)
+    return add_pseudoheader(header,  ansp - (unsigned char *)header, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
+
  return ansp - (unsigned char *)header;
 }
  
--- a/src/blockdata.c
+++ b/src/blockdata.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/bpf.c
+++ b/src/bpf.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -20,7 +20,9 @@
 #include <ifaddrs.h>

 #include <sys/param.h>
+#if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
 #include <sys/sysctl.h>
+#endif
 #include <net/if.h>
 #include <net/route.h>
 #include <net/if_dl.h>
--- a/src/cache.c
+++ b/src/cache.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -189,12 +189,7 @@ static void cache_hash(struct crec *crecp)
 static void cache_blockdata_free(struct crec *crecp)
 {
  if (crecp->flags & F_DNSKEY)
-    {
-      if (crecp->flags & F_DS)
-	blockdata_free(crecp->addr.sig.keydata);
-      else
-	blockdata_free(crecp->addr.key.keydata);
-    }
+    blockdata_free(crecp->addr.key.keydata);
  else if ((crecp->flags & F_DS) && !(crecp->flags & F_NEG))
    blockdata_free(crecp->addr.ds.keydata);
 }
@@ -369,13 +364,8 @@ static struct crec *cache_scan_free(char *name, struct all_addr *addr, time_t no
 		}
 	      
 #ifdef HAVE_DNSSEC
-	      /* Deletion has to be class-sensitive for DS, DNSKEY, RRSIG, also 
-		 type-covered sensitive for  RRSIG */
-	      if ((flags & (F_DNSKEY | F_DS)) &&
-		  (flags & (F_DNSKEY | F_DS)) == (crecp->flags & (F_DNSKEY | F_DS)) &&
-		  crecp->uid == addr->addr.dnssec.class &&
-		  (!((flags & (F_DS | F_DNSKEY)) == (F_DS | F_DNSKEY)) || 
-		   crecp->addr.sig.type_covered == addr->addr.dnssec.type))
+	      /* Deletion has to be class-sensitive for DS and DNSKEY */
+	      if ((flags & crecp->flags & (F_DNSKEY | F_DS)) && crecp->uid == addr->addr.dnssec.class)
 		{
 		  if (crecp->flags & F_CONFIG)
 		    return crecp;
@@ -481,7 +471,7 @@ struct crec *cache_insert(char *name, struct all_addr *addr,
 	 existing record is for an A or AAAA and
 	 the record we're trying to insert is the same, 
 	 just drop the insert, but don't error the whole process. */
-      if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD))
+      if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD) && addr)
 	{
 	  if ((flags & F_IPV4) && (new->flags & F_IPV4) &&
 	      new->addr.addr.addr.addr4.s_addr == addr->addr.addr4.s_addr)
@@ -532,13 +522,9 @@ struct crec *cache_insert(char *name, struct all_addr *addr,
 	    struct all_addr free_addr = new->addr.addr;;

 #ifdef HAVE_DNSSEC
-	    /* For DNSSEC records, addr holds class and type_covered for RRSIG */
+	    /* For DNSSEC records, addr holds class. */
 	    if (new->flags & (F_DS | F_DNSKEY))
-	      {
-		free_addr.addr.dnssec.class = new->uid;
-		if ((new->flags & (F_DS | F_DNSKEY)) == (F_DS | F_DNSKEY))
-		  free_addr.addr.dnssec.type = new->addr.sig.type_covered;
-	      }
+	      free_addr.addr.dnssec.class = new->uid;
 #endif
 	    
 	    free_avail = 1; /* Must be free space now. */
@@ -653,9 +639,6 @@ struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsi
 	  if (!is_expired(now, crecp) && !is_outdated_cname_pointer(crecp))
 	    {
 	      if ((crecp->flags & F_FORWARD) && 
-#ifdef HAVE_DNSSEC
-		  (((crecp->flags & (F_DNSKEY | F_DS)) == (prot & (F_DNSKEY | F_DS))) || (prot & F_NSIGMATCH)) &&
-#endif
 		  (crecp->flags & prot) &&
 		  hostname_isequal(cache_get_name(crecp), name))
 		{
@@ -713,9 +696,6 @@ struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsi

  if (ans && 
      (ans->flags & F_FORWARD) &&
-#ifdef HAVE_DNSSEC
-      (((ans->flags & (F_DNSKEY | F_DS)) == (prot & (F_DNSKEY | F_DS))) || (prot & F_NSIGMATCH)) &&
-#endif
      (ans->flags & prot) &&     
      hostname_isequal(cache_get_name(ans), name))
    return ans;
@@ -798,6 +778,7 @@ static void add_hosts_cname(struct crec *target)
 	(crec = whine_malloc(sizeof(struct crec))))
      {
 	crec->flags = F_FORWARD | F_IMMORTAL | F_NAMEP | F_CONFIG | F_CNAME;
+	crec->ttd = a->ttl;
 	crec->name.namep = a->alias;
 	crec->addr.cname.target.cache = target;
 	crec->addr.cname.uid = target->uid;
@@ -939,7 +920,7 @@ int read_hostsfile(char *filename, unsigned int index, int cache_size, struct cr
  if (!f)
    {
      my_syslog(LOG_ERR, _("failed to load names from %s: %s"), filename, strerror(errno));
-      return 0;
+      return cache_size;
    }
  
  eatspace(f);
@@ -1001,6 +982,7 @@ int read_hostsfile(char *filename, unsigned int index, int cache_size, struct cr
 		  strcat(cache->name.sname, ".");
 		  strcat(cache->name.sname, domain_suffix);
 		  cache->flags = flags;
+		  cache->ttd = daemon->local_ttl;
 		  add_hosts_entry(cache, &addr, addrlen, index, rhash, hashsz);
 		  name_count++;
 		}
@@ -1008,6 +990,7 @@ int read_hostsfile(char *filename, unsigned int index, int cache_size, struct cr
 		{
 		  strcpy(cache->name.sname, canon);
 		  cache->flags = flags;
+		  cache->ttd = daemon->local_ttl;
 		  add_hosts_entry(cache, &addr, addrlen, index, rhash, hashsz);
 		  name_count++;
 		}
@@ -1077,6 +1060,7 @@ void cache_reload(void)
 	  ((cache = whine_malloc(sizeof(struct crec)))))
 	{
 	  cache->flags = F_FORWARD | F_NAMEP | F_CNAME | F_IMMORTAL | F_CONFIG;
+	  cache->ttd = a->ttl;
 	  cache->name.namep = a->alias;
 	  cache->addr.cname.target.int_name = intr;
 	  cache->addr.cname.uid = SRC_INTERFACE;
@@ -1091,6 +1075,7 @@ void cache_reload(void)
 	(cache->addr.ds.keydata = blockdata_alloc(ds->digest, ds->digestlen)))
      {
 	cache->flags = F_FORWARD | F_IMMORTAL | F_DS | F_CONFIG | F_NAMEP;
+	cache->ttd = daemon->local_ttl;
 	cache->name.namep = ds->name;
 	cache->addr.ds.keylen = ds->digestlen;
 	cache->addr.ds.algo = ds->algo;
@@ -1115,6 +1100,7 @@ void cache_reload(void)
 	    (cache = whine_malloc(sizeof(struct crec))))
 	  {
 	    cache->name.namep = nl->name;
+	    cache->ttd = hr->ttl;
 	    cache->flags = F_HOSTS | F_IMMORTAL | F_FORWARD | F_REVERSE | F_IPV4 | F_NAMEP | F_CONFIG;
 	    add_hosts_entry(cache, (struct all_addr *)&hr->addr, INADDRSZ, SRC_CONFIG, (struct crec **)daemon->packet, revhashsz);
 	  }
@@ -1123,6 +1109,7 @@ void cache_reload(void)
 	    (cache = whine_malloc(sizeof(struct crec))))
 	  {
 	    cache->name.namep = nl->name;
+	    cache->ttd = hr->ttl;
 	    cache->flags = F_HOSTS | F_IMMORTAL | F_FORWARD | F_REVERSE | F_IPV6 | F_NAMEP | F_CONFIG;
 	    add_hosts_entry(cache, (struct all_addr *)&hr->addr6, IN6ADDRSZ, SRC_CONFIG, (struct crec **)daemon->packet, revhashsz);
 	  }
@@ -1472,11 +1459,7 @@ void dump_cache(time_t now)
 #ifdef HAVE_DNSSEC
 	    else if (cache->flags & F_DS)
 	      {
-		if (cache->flags & F_DNSKEY)
-		  /* RRSIG */
-		  sprintf(a, "%5u %3u %s", cache->addr.sig.keytag,
-			  cache->addr.sig.algo, querystr("", cache->addr.sig.type_covered));
-		else if (!(cache->flags & F_NEG))
+		if (!(cache->flags & F_NEG))
 		  sprintf(a, "%5u %3u %3u", cache->addr.ds.keytag,
 			  cache->addr.ds.algo, cache->addr.ds.digest);
 	      }
@@ -1502,8 +1485,6 @@ void dump_cache(time_t now)
 	    else if (cache->flags & F_CNAME)
 	      t = "C";
 #ifdef HAVE_DNSSEC
-	    else if ((cache->flags & (F_DS | F_DNSKEY)) == (F_DS | F_DNSKEY))
-	      t = "G"; /* DNSKEY and DS set -> RRISG */
 	    else if (cache->flags & F_DS)
 	      t = "S";
 	    else if (cache->flags & F_DNSKEY)
@@ -1606,7 +1587,7 @@ void log_query(unsigned int flags, char *name, struct all_addr *addr, char *arg)
  if (addr)
    {
      if (flags & F_KEYTAG)
-	sprintf(daemon->addrbuff, arg, addr->addr.keytag);
+	sprintf(daemon->addrbuff, arg, addr->addr.log.keytag, addr->addr.log.algo, addr->addr.log.digest);
      else
 	{
 #ifdef HAVE_IPV6
--- a/src/config.h
+++ b/src/config.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -337,7 +337,7 @@ HAVE_SOCKADDR_SA_LEN
 #define HAVE_DHCP
 #endif

-#if defined(NO_SCRIPT) || !defined(HAVE_DHCP) || defined(NO_FORK)
+#if defined(NO_SCRIPT) || defined(NO_FORK)
 #undef HAVE_SCRIPT
 #undef HAVE_LUASCRIPT
 #endif
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/dbus.c
+++ b/src/dbus.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -749,8 +749,7 @@ char *dbus_init(void)
 }
 

-void set_dbus_listeners(int *maxfdp,
-			fd_set *rset, fd_set *wset, fd_set *eset)
+void set_dbus_listeners(void)
 {
  struct watch *w;
  
@@ -760,19 +759,17 @@ void set_dbus_listeners(int *maxfdp,
 	unsigned int flags = dbus_watch_get_flags(w->watch);
 	int fd = dbus_watch_get_unix_fd(w->watch);
 	
-	bump_maxfd(fd, maxfdp);
-	
 	if (flags & DBUS_WATCH_READABLE)
-	  FD_SET(fd, rset);
+	  poll_listen(fd, POLLIN);
 	
 	if (flags & DBUS_WATCH_WRITABLE)
-	  FD_SET(fd, wset);
+	  poll_listen(fd, POLLOUT);
 	
-	FD_SET(fd, eset);
+	poll_listen(fd, POLLERR);
      }
 }

-void check_dbus_listeners(fd_set *rset, fd_set *wset, fd_set *eset)
+void check_dbus_listeners()
 {
  DBusConnection *connection = (DBusConnection *)daemon->dbus;
  struct watch *w;
@@ -783,13 +780,13 @@ void check_dbus_listeners(fd_set *rset, fd_set *wset, fd_set *eset)
 	unsigned int flags = 0;
 	int fd = dbus_watch_get_unix_fd(w->watch);
 	
-	if (FD_ISSET(fd, rset))
+	if (poll_check(fd, POLLIN))
 	  flags |= DBUS_WATCH_READABLE;
 	
-	if (FD_ISSET(fd, wset))
+	if (poll_check(fd, POLLOUT))
 	  flags |= DBUS_WATCH_WRITABLE;
 	
-	if (FD_ISSET(fd, eset))
+	if (poll_check(fd, POLLERR))
 	  flags |= DBUS_WATCH_ERROR;

 	if (flags != 0)
--- a/src/dhcp-common.c
+++ b/src/dhcp-common.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -599,7 +599,7 @@ static const struct opttab_t opttab6[] = {
  { "sntp-server", 31,  OT_ADDR_LIST },
  { "information-refresh-time", 32, OT_TIME },
  { "FQDN", 39, OT_INTERNAL | OT_RFC1035_NAME },
-  { "ntp-server", 56,  OT_ADDR_LIST },
+  { "ntp-server", 56,  0 },
  { "bootfile-url", 59, OT_NAME },
  { "bootfile-param", 60, OT_CSTRING },
  { NULL, 0, 0 }
--- a/src/dhcp-protocol.h
+++ b/src/dhcp-protocol.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -452,8 +452,13 @@ void dhcp_packet(time_t now, int pxe_fd)
 #endif
  
  while(retry_send(sendmsg(fd, &msg, 0)));
+
+  /* This can fail when, eg, iptables DROPS destination 255.255.255.255 */
+  if (errno != 0)
+    my_syslog(MS_DHCP | LOG_WARNING, _("Error sending DHCP packet to %s: %s"),
+	      inet_ntoa(dest.sin_addr), strerror(errno));
 }
- 
+
 /* check against secondary interface addresses */
 static int check_listen_addrs(struct in_addr local, int if_index, char *label,
 			      struct in_addr netmask, struct in_addr broadcast, void *vparam)
--- a/src/dhcp6-protocol.h
+++ b/src/dhcp6-protocol.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/dhcp6.c
+++ b/src/dhcp6.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -27,17 +27,10 @@ struct iface_param {
  int ind, addr_match;
 };

-struct mac_param {
-  struct in6_addr *target;
-  unsigned char *mac;
-  unsigned int maclen;
-};
-

 static int complete_context6(struct in6_addr *local,  int prefix,
 			     int scope, int if_index, int flags, 
 			     unsigned int preferred, unsigned int valid, void *vparam);
-static int find_mac(int family, char *addrp, char *mac, size_t maclen, void *parmv);
 static int make_duid1(int index, unsigned int type, char *mac, size_t maclen, void *parm); 

 void dhcp6_init(void)
@@ -227,7 +220,7 @@ void dhcp6_packet(time_t now)
 	  inet_pton(AF_INET6, ALL_SERVERS, &all_servers);
 	  
 	  if (!IN6_ARE_ADDR_EQUAL(&dst_addr, &all_servers))
-	    relay_upstream6(parm.relay, sz, &from.sin6_addr, from.sin6_scope_id);
+	    relay_upstream6(parm.relay, sz, &from.sin6_addr, from.sin6_scope_id, now);
 	  return;
 	}
      
@@ -257,16 +250,15 @@ void dhcp6_packet(time_t now)
    }
 }

-void get_client_mac(struct in6_addr *client, int iface, unsigned char *mac, unsigned int *maclenp, unsigned int *mactypep)
+void get_client_mac(struct in6_addr *client, int iface, unsigned char *mac, unsigned int *maclenp, unsigned int *mactypep, time_t now)
 {
  /* Recieving a packet from a host does not populate the neighbour
     cache, so we send a neighbour discovery request if we can't 
     find the sender. Repeat a few times in case of packet loss. */
  
  struct neigh_packet neigh;
-  struct sockaddr_in6 addr;
-  struct mac_param mac_param;
-  int i;
+  union mysockaddr addr;
+  int i, maclen;

  neigh.type = ND_NEIGHBOR_SOLICIT;
  neigh.code = 0;
@@ -277,55 +269,31 @@ void get_client_mac(struct in6_addr *client, int iface, unsigned char *mac, unsi
   
  memset(&addr, 0, sizeof(addr));
 #ifdef HAVE_SOCKADDR_SA_LEN
-  addr.sin6_len = sizeof(struct sockaddr_in6);
+  addr.in6.sin6_len = sizeof(struct sockaddr_in6);
 #endif
-  addr.sin6_family = AF_INET6;
-  addr.sin6_port = htons(IPPROTO_ICMPV6);
-  addr.sin6_addr = *client;
-  addr.sin6_scope_id = iface;
-  
-  mac_param.target = client;
-  mac_param.maclen = 0;
-  mac_param.mac = mac;
+  addr.in6.sin6_family = AF_INET6;
+  addr.in6.sin6_port = htons(IPPROTO_ICMPV6);
+  addr.in6.sin6_addr = *client;
+  addr.in6.sin6_scope_id = iface;
  
  for (i = 0; i < 5; i++)
    {
      struct timespec ts;
      
-      iface_enumerate(AF_UNSPEC, &mac_param, find_mac);
-      
-      if (mac_param.maclen != 0)
+      if ((maclen = find_mac(&addr, mac, 0, now)) != 0)
 	break;
-      
-      sendto(daemon->icmp6fd, &neigh, sizeof(neigh), 0, (struct sockaddr *)&addr, sizeof(addr));
+	  
+      sendto(daemon->icmp6fd, &neigh, sizeof(neigh), 0, &addr.sa, sizeof(addr));
      
      ts.tv_sec = 0;
      ts.tv_nsec = 100000000; /* 100ms */
      nanosleep(&ts, NULL);
    }

-  *maclenp = mac_param.maclen;
+  *maclenp = maclen;
  *mactypep = ARPHRD_ETHER;
 }
    
-static int find_mac(int family, char *addrp, char *mac, size_t maclen, void *parmv)
-{
-  struct mac_param *parm = parmv;
-  
-  if (family == AF_INET6 && IN6_ARE_ADDR_EQUAL(parm->target, (struct in6_addr *)addrp))
-    {
-      if (maclen <= DHCP_CHADDR_MAX)
-	{
-	  parm->maclen = maclen;
-	  memcpy(parm->mac, mac, maclen);
-	}
-      
-      return 0; /* found, abort */
-    }
-  
-  return 1;
-}
-
 static int complete_context6(struct in6_addr *local,  int prefix,
 			     int scope, int if_index, int flags, unsigned int preferred, 
 			     unsigned int valid, void *vparam)
@@ -466,7 +434,16 @@ struct dhcp_context *address6_allocate(struct dhcp_context *context,  unsigned c
 	    /* seed is largest extant lease addr in this context */
 	    start = lease_find_max_addr6(c) + serial;
 	  else
-	    start = addr6part(&c->start6) + ((j + c->addr_epoch) % (1 + addr6part(&c->end6) - addr6part(&c->start6)));
+	    {
+	      u64 range = 1 + addr6part(&c->end6) - addr6part(&c->start6);
+	      u64 offset = j + c->addr_epoch;
+
+	      /* don't divide by zero if range is whole 2^64 */
+	      if (range != 0)
+		offset = offset % range;
+
+	      start = addr6part(&c->start6) + offset;
+	    }

 	  /* iterate until we find a free address. */
 	  addr = start;
--- a/src/dns-protocol.h
+++ b/src/dns-protocol.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -16,6 +16,7 @@

 #define NAMESERVER_PORT 53
 #define TFTP_PORT       69
+#define MAX_PORT        65535u

 #define IN6ADDRSZ       16
 #define INADDRSZ        4
@@ -77,6 +78,8 @@

 #define EDNS0_OPTION_MAC            65001 /* dyndns.org temporary assignment */
 #define EDNS0_OPTION_CLIENT_SUBNET  8     /* IANA */
+#define EDNS0_OPTION_NOMDEVICEID    65073 /* Nominum temporary assignment */
+#define EDNS0_OPTION_NOMCPEID       65074 /* Nominum temporary assignment */

 struct dns_header {
  u16 id;
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,8 +24,8 @@ struct daemon *daemon;
 static volatile pid_t pid = 0;
 static volatile int pipewrite;

-static int set_dns_listeners(time_t now, fd_set *set, int *maxfdp);
-static void check_dns_listeners(fd_set *set, time_t now);
+static int set_dns_listeners(time_t now);
+static void check_dns_listeners(time_t now);
 static void sig_handler(int sig);
 static void async_event(int pipe, time_t now);
 static void fatal_event(struct event_desc *ev, char *msg);
@@ -91,8 +91,11 @@ int main (int argc, char **argv)
  if (daemon->edns_pktsz < PACKETSZ)
    daemon->edns_pktsz = PACKETSZ;

-  daemon->packet_buff_sz = daemon->edns_pktsz > DNSMASQ_PACKETSZ ? 
-    daemon->edns_pktsz : DNSMASQ_PACKETSZ;
+  /* Min buffer size: we check after adding each record, so there must be 
+     memory for the largest packet, and the largest record so the
+     min for DNS is PACKETSZ+MAXDNAME+RRFIXEDSZ which is < 1000.
+     This might be increased is EDNS packet size if greater than the minimum. */ 
+  daemon->packet_buff_sz = daemon->edns_pktsz + MAXDNAME + RRFIXEDSZ;
  daemon->packet = safe_malloc(daemon->packet_buff_sz);
  
  daemon->addrbuff = safe_malloc(ADDRSTRLEN);
@@ -166,8 +169,16 @@ int main (int argc, char **argv)
  if (option_bool(OPT_DNSSEC_VALID))
    {
 #ifdef HAVE_DNSSEC
-      if (!daemon->ds)
-	die(_("no trust anchors provided for DNSSEC"), NULL, EC_BADCONF);
+      struct ds_config *ds;
+
+      /* Must have at least a root trust anchor, or the DNSSEC code
+	 can loop forever. */
+      for (ds = daemon->ds; ds; ds = ds->next)
+	if (ds->name[0] == 0)
+	  break;
+
+      if (!ds)
+	die(_("no root trust anchor provided for DNSSEC"), NULL, EC_BADCONF);
      
      if (daemon->cachesize < CACHESIZ)
 	die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
@@ -208,7 +219,13 @@ int main (int argc, char **argv)
  if (option_bool(OPT_LOOP_DETECT))
    die(_("loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF);
 #endif
-  
+
+  if (daemon->max_port != MAX_PORT && daemon->min_port == 0)
+    daemon->min_port = 1024u;
+
+  if (daemon->max_port < daemon->min_port)
+    die(_("max_port cannot be smaller than min_port"), NULL, EC_BADCONF);
+
  now = dnsmasq_time();

  /* Create a serial at startup if not configured. */
@@ -242,8 +259,11 @@ int main (int argc, char **argv)
  /* Note that order matters here, we must call lease_init before
     creating any file descriptors which shouldn't be leaked
     to the lease-script init process. We need to call common_init
-     before lease_init to allocate buffers it uses.*/
-  if (daemon->dhcp || daemon->doing_dhcp6 || daemon->relay4 || daemon->relay6)
+     before lease_init to allocate buffers it uses.
+     The script subsystem relies on DHCP buffers, hence the last two
+     conditions below. */  
+  if (daemon->dhcp || daemon->doing_dhcp6 || daemon->relay4 || 
+      daemon->relay6 || option_bool(OPT_TFTP) || option_bool(OPT_SCRIPT_ARP))
    {
      dhcp_common_init();
      if (daemon->dhcp || daemon->doing_dhcp6)
@@ -541,17 +561,21 @@ int main (int argc, char **argv)
     {       
       /* open  stdout etc to /dev/null */
       int nullfd = open("/dev/null", O_RDWR);
-       dup2(nullfd, STDOUT_FILENO);
-       dup2(nullfd, STDERR_FILENO);
-       dup2(nullfd, STDIN_FILENO);
-       close(nullfd);
+       if (nullfd != -1)
+	 {
+	   dup2(nullfd, STDOUT_FILENO);
+	   dup2(nullfd, STDERR_FILENO);
+	   dup2(nullfd, STDIN_FILENO);
+	   close(nullfd);
+	 }
     }
   
   /* if we are to run scripts, we need to fork a helper before dropping root. */
  daemon->helperfd = -1;
 #ifdef HAVE_SCRIPT 
-  if ((daemon->dhcp || daemon->dhcp6) && (daemon->lease_change_command || daemon->luascript))
-    daemon->helperfd = create_helper(pipewrite, err_pipe[1], script_uid, script_gid, max_fd);
+  if ((daemon->dhcp || daemon->dhcp6 || option_bool(OPT_TFTP) || option_bool(OPT_SCRIPT_ARP)) && 
+      (daemon->lease_change_command || daemon->luascript))
+      daemon->helperfd = create_helper(pipewrite, err_pipe[1], script_uid, script_gid, max_fd);
 #endif

  if (!option_bool(OPT_DEBUG) && getuid() == 0)   
@@ -799,10 +823,6 @@ int main (int argc, char **argv)
  if (option_bool(OPT_TFTP))
    {
      struct tftp_prefix *p;
-#ifdef FD_SETSIZE
-      if (FD_SETSIZE < (unsigned)max_fd)
-	max_fd = FD_SETSIZE;
-#endif

      my_syslog(MS_TFTP | LOG_INFO, "TFTP %s%s %s", 
 		daemon->tftp_prefix ? _("root is ") : _("enabled"),
@@ -862,126 +882,100 @@ int main (int argc, char **argv)
  
  while (1)
    {
-      int maxfd = -1;
-      struct timeval t, *tp = NULL;
-      fd_set rset, wset, eset;
+      int t, timeout = -1;
      
-      FD_ZERO(&rset);
-      FD_ZERO(&wset);
-      FD_ZERO(&eset);
+      poll_reset();
      
      /* if we are out of resources, find how long we have to wait
 	 for some to come free, we'll loop around then and restart
 	 listening for queries */
-      if ((t.tv_sec = set_dns_listeners(now, &rset, &maxfd)) != 0)
-	{
-	  t.tv_usec = 0;
-	  tp = &t;
-	}
+      if ((t = set_dns_listeners(now)) != 0)
+	timeout = t * 1000;

      /* Whilst polling for the dbus, or doing a tftp transfer, wake every quarter second */
      if (daemon->tftp_trans ||
 	  (option_bool(OPT_DBUS) && !daemon->dbus))
-	{
-	  t.tv_sec = 0;
-	  t.tv_usec = 250000;
-	  tp = &t;
-	}
+	timeout = 250;
+
      /* Wake every second whilst waiting for DAD to complete */
      else if (is_dad_listeners())
-	{
-	  t.tv_sec = 1;
-	  t.tv_usec = 0;
-	  tp = &t;
-	}
+	timeout = 1000;

 #ifdef HAVE_DBUS
-      set_dbus_listeners(&maxfd, &rset, &wset, &eset);
+      set_dbus_listeners();
 #endif	
  
 #ifdef HAVE_DHCP
      if (daemon->dhcp || daemon->relay4)
 	{
-	  FD_SET(daemon->dhcpfd, &rset);
-	  bump_maxfd(daemon->dhcpfd, &maxfd);
+	  poll_listen(daemon->dhcpfd, POLLIN);
 	  if (daemon->pxefd != -1)
-	    {
-	      FD_SET(daemon->pxefd, &rset);
-	      bump_maxfd(daemon->pxefd, &maxfd);
-	    }
+	    poll_listen(daemon->pxefd, POLLIN);
 	}
 #endif

 #ifdef HAVE_DHCP6
      if (daemon->doing_dhcp6 || daemon->relay6)
-	{
-	  FD_SET(daemon->dhcp6fd, &rset);
-	  bump_maxfd(daemon->dhcp6fd, &maxfd);
-	}
-
+	poll_listen(daemon->dhcp6fd, POLLIN);
+	
      if (daemon->doing_ra)
-	{
-	  FD_SET(daemon->icmp6fd, &rset);
-	  bump_maxfd(daemon->icmp6fd, &maxfd); 
-	}
+	poll_listen(daemon->icmp6fd, POLLIN); 
 #endif
    
 #ifdef HAVE_INOTIFY
      if (daemon->inotifyfd != -1)
-	{
-	  FD_SET(daemon->inotifyfd, &rset);
-	  bump_maxfd(daemon->inotifyfd, &maxfd);
-	}
+	poll_listen(daemon->inotifyfd, POLLIN);
 #endif

 #if defined(HAVE_LINUX_NETWORK)
-      FD_SET(daemon->netlinkfd, &rset);
-      bump_maxfd(daemon->netlinkfd, &maxfd);
+      poll_listen(daemon->netlinkfd, POLLIN);
 #elif defined(HAVE_BSD_NETWORK)
-      FD_SET(daemon->routefd, &rset);
-      bump_maxfd(daemon->routefd, &maxfd);
+      poll_listen(daemon->routefd, POLLIN);
 #endif
      
-      FD_SET(piperead, &rset);
-      bump_maxfd(piperead, &maxfd);
+      poll_listen(piperead, POLLIN);

-#ifdef HAVE_DHCP
-#  ifdef HAVE_SCRIPT
-      while (helper_buf_empty() && do_script_run(now));
+#ifdef HAVE_SCRIPT
+#    ifdef HAVE_DHCP
+      while (helper_buf_empty() && do_script_run(now)); 
+#    endif
+
+      /* Refresh cache */
+      if (option_bool(OPT_SCRIPT_ARP))
+	find_mac(NULL, NULL, 0, now);
+      while (helper_buf_empty() && do_arp_script_run());

 #    ifdef HAVE_TFTP
      while (helper_buf_empty() && do_tftp_script_run());
 #    endif

      if (!helper_buf_empty())
-	{
-	  FD_SET(daemon->helperfd, &wset);
-	  bump_maxfd(daemon->helperfd, &maxfd);
-	}
-#  else
+	poll_listen(daemon->helperfd, POLLOUT);
+#else
      /* need this for other side-effects */
+#    ifdef HAVE_DHCP
      while (do_script_run(now));
+#    endif
+
+      while (do_arp_script_run());

 #    ifdef HAVE_TFTP 
      while (do_tftp_script_run());
 #    endif

-#  endif
 #endif
+
   
      /* must do this just before select(), when we know no
 	 more calls to my_syslog() can occur */
-      set_log_writer(&wset, &maxfd);
+      set_log_writer();
+      
+      if (do_poll(timeout) < 0)
+	continue;
      
-      if (select(maxfd+1, &rset, &wset, &eset, tp) < 0)
-	{
-	  /* otherwise undefined after error */
-	  FD_ZERO(&rset); FD_ZERO(&wset); FD_ZERO(&eset);
-	}
-
      now = dnsmasq_time();

-      check_log_writer(&wset);
+      check_log_writer(0);

      /* prime. */
      enumerate_interfaces(1);
@@ -997,15 +991,15 @@ int main (int argc, char **argv)
 	}

 #if defined(HAVE_LINUX_NETWORK)
-      if (FD_ISSET(daemon->netlinkfd, &rset))
+      if (poll_check(daemon->netlinkfd, POLLIN))
 	netlink_multicast();
 #elif defined(HAVE_BSD_NETWORK)
-      if (FD_ISSET(daemon->routefd, &rset))
+      if (poll_check(daemon->routefd, POLLIN))
 	route_sock();
 #endif

 #ifdef HAVE_INOTIFY
-      if  (daemon->inotifyfd != -1 && FD_ISSET(daemon->inotifyfd, &rset) && inotify_check(now))
+      if  (daemon->inotifyfd != -1 && poll_check(daemon->inotifyfd, POLLIN) && inotify_check(now))
 	{
 	  if (daemon->port != 0 && !option_bool(OPT_NO_POLL))
 	    poll_resolv(1, 1, now);
@@ -1025,7 +1019,7 @@ int main (int argc, char **argv)
 	}
 #endif

-      if (FD_ISSET(piperead, &rset))
+      if (poll_check(piperead, POLLIN))
 	async_event(piperead, now);
      
 #ifdef HAVE_DBUS
@@ -1038,34 +1032,34 @@ int main (int argc, char **argv)
 	  if (daemon->dbus)
 	    my_syslog(LOG_INFO, _("connected to system DBus"));
 	}
-      check_dbus_listeners(&rset, &wset, &eset);
+      check_dbus_listeners();
 #endif
      
-      check_dns_listeners(&rset, now);
+      check_dns_listeners(now);

 #ifdef HAVE_TFTP
-      check_tftp_listeners(&rset, now);
+      check_tftp_listeners(now);
 #endif      

 #ifdef HAVE_DHCP
      if (daemon->dhcp || daemon->relay4)
 	{
-	  if (FD_ISSET(daemon->dhcpfd, &rset))
+	  if (poll_check(daemon->dhcpfd, POLLIN))
 	    dhcp_packet(now, 0);
-	  if (daemon->pxefd != -1 && FD_ISSET(daemon->pxefd, &rset))
+	  if (daemon->pxefd != -1 && poll_check(daemon->pxefd, POLLIN))
 	    dhcp_packet(now, 1);
 	}

 #ifdef HAVE_DHCP6
-      if ((daemon->doing_dhcp6 || daemon->relay6) && FD_ISSET(daemon->dhcp6fd, &rset))
+      if ((daemon->doing_dhcp6 || daemon->relay6) && poll_check(daemon->dhcp6fd, POLLIN))
 	dhcp6_packet(now);

-      if (daemon->doing_ra && FD_ISSET(daemon->icmp6fd, &rset))
+      if (daemon->doing_ra && poll_check(daemon->icmp6fd, POLLIN))
 	icmp6_packet(now);
 #endif

 #  ifdef HAVE_SCRIPT
-      if (daemon->helperfd != -1 && FD_ISSET(daemon->helperfd, &wset))
+      if (daemon->helperfd != -1 && poll_check(daemon->helperfd, POLLOUT))
 	helper_write();
 #  endif
 #endif
@@ -1344,7 +1338,7 @@ static void async_event(int pipe, time_t now)
 	  if (daemon->tcp_pids[i] != 0)
 	    kill(daemon->tcp_pids[i], SIGALRM);
 	
-#if defined(HAVE_SCRIPT)
+#if defined(HAVE_SCRIPT) && defined(HAVE_DHCP)
 	/* handle pending lease transitions */
 	if (daemon->helperfd != -1)
 	  {
@@ -1361,6 +1355,15 @@ static void async_event(int pipe, time_t now)
 	if (daemon->lease_stream)
 	  fclose(daemon->lease_stream);

+#ifdef HAVE_DNSSEC
+	/* update timestamp file on TERM if time is considered valid */
+	if (daemon->back_to_the_future)
+	  {
+	     if (utime(daemon->timestamp_file, NULL) == -1)
+		my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno));
+	  }
+#endif
+
 	if (daemon->runfile)
 	  unlink(daemon->runfile);
 	
@@ -1470,7 +1473,7 @@ void clear_cache_and_reload(time_t now)
 #endif
 }

-static int set_dns_listeners(time_t now, fd_set *set, int *maxfdp)
+static int set_dns_listeners(time_t now)
 {
  struct serverfd *serverfdp;
  struct listener *listener;
@@ -1482,8 +1485,7 @@ static int set_dns_listeners(time_t now, fd_set *set, int *maxfdp)
  for (transfer = daemon->tftp_trans; transfer; transfer = transfer->next)
    {
      tftp++;
-      FD_SET(transfer->sockfd, set);
-      bump_maxfd(transfer->sockfd, maxfdp);
+      poll_listen(transfer->sockfd, POLLIN);
    }
 #endif
  
@@ -1492,45 +1494,32 @@ static int set_dns_listeners(time_t now, fd_set *set, int *maxfdp)
    get_new_frec(now, &wait, 0);
  
  for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next)
-    {
-      FD_SET(serverfdp->fd, set);
-      bump_maxfd(serverfdp->fd, maxfdp);
-    }
-
+    poll_listen(serverfdp->fd, POLLIN);
+    
  if (daemon->port != 0 && !daemon->osport)
    for (i = 0; i < RANDOM_SOCKS; i++)
      if (daemon->randomsocks[i].refcount != 0)
-	{
-	  FD_SET(daemon->randomsocks[i].fd, set);
-	  bump_maxfd(daemon->randomsocks[i].fd, maxfdp);
-	}
-  
+	poll_listen(daemon->randomsocks[i].fd, POLLIN);
+	  
  for (listener = daemon->listeners; listener; listener = listener->next)
    {
      /* only listen for queries if we have resources */
      if (listener->fd != -1 && wait == 0)
-	{
-	  FD_SET(listener->fd, set);
-	  bump_maxfd(listener->fd, maxfdp);
-	}
-
+	poll_listen(listener->fd, POLLIN);
+	
      /* death of a child goes through the select loop, so
 	 we don't need to explicitly arrange to wake up here */
      if  (listener->tcpfd != -1)
 	for (i = 0; i < MAX_PROCS; i++)
 	  if (daemon->tcp_pids[i] == 0)
 	    {
-	      FD_SET(listener->tcpfd, set);
-	      bump_maxfd(listener->tcpfd, maxfdp);
+	      poll_listen(listener->tcpfd, POLLIN);
 	      break;
 	    }

 #ifdef HAVE_TFTP
      if (tftp <= daemon->tftp_max && listener->tftpfd != -1)
-	{
-	  FD_SET(listener->tftpfd, set);
-	  bump_maxfd(listener->tftpfd, maxfdp);
-	}
+	poll_listen(listener->tftpfd, POLLIN);
 #endif

    }
@@ -1538,33 +1527,33 @@ static int set_dns_listeners(time_t now, fd_set *set, int *maxfdp)
  return wait;
 }

-static void check_dns_listeners(fd_set *set, time_t now)
+static void check_dns_listeners(time_t now)
 {
  struct serverfd *serverfdp;
  struct listener *listener;
  int i;

  for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next)
-    if (FD_ISSET(serverfdp->fd, set))
+    if (poll_check(serverfdp->fd, POLLIN))
      reply_query(serverfdp->fd, serverfdp->source_addr.sa.sa_family, now);
  
  if (daemon->port != 0 && !daemon->osport)
    for (i = 0; i < RANDOM_SOCKS; i++)
      if (daemon->randomsocks[i].refcount != 0 && 
-	  FD_ISSET(daemon->randomsocks[i].fd, set))
+	  poll_check(daemon->randomsocks[i].fd, POLLIN))
 	reply_query(daemon->randomsocks[i].fd, daemon->randomsocks[i].family, now);
  
  for (listener = daemon->listeners; listener; listener = listener->next)
    {
-      if (listener->fd != -1 && FD_ISSET(listener->fd, set))
+      if (listener->fd != -1 && poll_check(listener->fd, POLLIN))
 	receive_query(listener, now); 
      
 #ifdef HAVE_TFTP     
-      if (listener->tftpfd != -1 && FD_ISSET(listener->tftpfd, set))
+      if (listener->tftpfd != -1 && poll_check(listener->tftpfd, POLLIN))
 	tftp_request(listener, now);
 #endif

-      if (listener->tcpfd != -1 && FD_ISSET(listener->tcpfd, set))
+      if (listener->tcpfd != -1 && poll_check(listener->tcpfd, POLLIN))
 	{
 	  int confd, client_ok = 1;
 	  struct irec *iface = NULL;
@@ -1755,14 +1744,22 @@ int icmp_ping(struct in_addr addr)
     better not use any resources our caller has in use...)
     but we remain deaf to signals or further DHCP packets. */

-  int fd;
+  /* There can be a problem using dnsmasq_time() to end the loop, since
+     it's not monotonic, and can go backwards if the system clock is
+     tweaked, leading to the code getting stuck in this loop and
+     ignoring DHCP requests. To fix this, we check to see if select returned
+     as a result of a timeout rather than a socket becoming available. We
+     only allow this to happen as many times as it takes to get to the wait time
+     in quarter-second chunks. This provides a fallback way to end loop. */ 
+
+  int fd, rc;
  struct sockaddr_in saddr;
  struct { 
    struct ip ip;
    struct icmp icmp;
  } packet;
  unsigned short id = rand16();
-  unsigned int i, j;
+  unsigned int i, j, timeout_count;
  int gotreply = 0;
  time_t start, now;

@@ -1794,53 +1791,44 @@ int icmp_ping(struct in_addr addr)
  while (retry_send(sendto(fd, (char *)&packet.icmp, sizeof(struct icmp), 0, 
 			   (struct sockaddr *)&saddr, sizeof(saddr))));
  
-  for (now = start = dnsmasq_time(); 
-       difftime(now, start) < (float)PING_WAIT;)
+  for (now = start = dnsmasq_time(), timeout_count = 0; 
+       (difftime(now, start) < (float)PING_WAIT) && (timeout_count < PING_WAIT * 4);)
    {
-      struct timeval tv;
-      fd_set rset, wset;
      struct sockaddr_in faddr;
-      int maxfd = fd; 
      socklen_t len = sizeof(faddr);
      
-      tv.tv_usec = 250000;
-      tv.tv_sec = 0; 
-      
-      FD_ZERO(&rset);
-      FD_ZERO(&wset);
-      FD_SET(fd, &rset);
-      set_dns_listeners(now, &rset, &maxfd);
-      set_log_writer(&wset, &maxfd);
+      poll_reset();
+      poll_listen(fd, POLLIN);
+      set_dns_listeners(now);
+      set_log_writer();
      
 #ifdef HAVE_DHCP6
      if (daemon->doing_ra)
-	{
-	  FD_SET(daemon->icmp6fd, &rset);
-	  bump_maxfd(daemon->icmp6fd, &maxfd); 
-	}
+	poll_listen(daemon->icmp6fd, POLLIN); 
 #endif
      
-      if (select(maxfd+1, &rset, &wset, NULL, &tv) < 0)
-	{
-	  FD_ZERO(&rset);
-	  FD_ZERO(&wset);
-	}
+      rc = do_poll(250);
+      
+      if (rc < 0)
+	continue;
+      else if (rc == 0)
+	timeout_count++;

      now = dnsmasq_time();

-      check_log_writer(&wset);
-      check_dns_listeners(&rset, now);
+      check_log_writer(0);
+      check_dns_listeners(now);

 #ifdef HAVE_DHCP6
-      if (daemon->doing_ra && FD_ISSET(daemon->icmp6fd, &rset))
+      if (daemon->doing_ra && poll_check(daemon->icmp6fd, POLLIN))
 	icmp6_packet(now);
 #endif
      
 #ifdef HAVE_TFTP
-      check_tftp_listeners(&rset, now);
+      check_tftp_listeners(now);
 #endif

-      if (FD_ISSET(fd, &rset) &&
+      if (poll_check(fd, POLLIN) &&
 	  recvfrom(fd, &packet, sizeof(packet), 0,
 		   (struct sockaddr *)&faddr, &len) == sizeof(packet) &&
 	  saddr.sin_addr.s_addr == faddr.sin_addr.s_addr &&
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -14,7 +14,7 @@
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

-#define COPYRIGHT "Copyright (c) 2000-2015 Simon Kelley" 
+#define COPYRIGHT "Copyright (c) 2000-2016 Simon Kelley"

 #ifndef NO_LARGEFILE
 /* Ensure we can use files >2GB (log files may grow this big) */
@@ -82,7 +82,7 @@ typedef unsigned long long u64;
 #if defined(HAVE_SOLARIS_NETWORK)
 #  include <sys/sockio.h>
 #endif
-#include <sys/select.h>
+#include <sys/poll.h>
 #include <sys/wait.h>
 #include <sys/time.h>
 #include <sys/un.h>
@@ -117,6 +117,7 @@ typedef unsigned long long u64;
 #include <sys/uio.h>
 #include <syslog.h>
 #include <dirent.h>
+#include <utime.h>
 #ifndef HAVE_LINUX_NETWORK
 #  include <net/if_dl.h>
 #endif
@@ -178,13 +179,6 @@ struct event_desc {
 #define EC_MISC        5
 #define EC_INIT_OFFSET 10

-/* Min buffer size: we check after adding each record, so there must be 
-   memory for the largest packet, and the largest record so the
-   min for DNS is PACKETSZ+MAXDNAME+RRFIXEDSZ which is < 1000.
-   This might be increased is EDNS packet size if greater than the minimum.
-*/
-#define DNSMASQ_PACKETSZ PACKETSZ+MAXDNAME+RRFIXEDSZ
-
 /* Trust the compiler dead-code eliminator.... */
 #define option_bool(x) (((x) < 32) ? daemon->options & (1u << (x)) : daemon->options2 & (1u << ((x) - 32)))

@@ -241,7 +235,10 @@ struct event_desc {
 #define OPT_LOOP_DETECT    50
 #define OPT_EXTRALOG       51
 #define OPT_TFTP_NO_FAIL   52
-#define OPT_LAST           53
+#define OPT_SCRIPT_ARP     53
+#define OPT_MAC_B64        54
+#define OPT_MAC_HEX        55
+#define OPT_LAST           56

 /* extra flags for my_syslog, we use a couple of facilities since they are known 
   not to occupy the same bits as priorities, no matter how syslog.h is set up. */
@@ -255,8 +252,10 @@ struct all_addr {
    struct in6_addr addr6;
 #endif
    /* for log_query */
-    unsigned int keytag;
-    /* for cache_insert if RRSIG, DNSKEY, DS */
+    struct {
+      unsigned short keytag, algo, digest;
+    } log; 
+    /* for cache_insert of DNSKEY, DS */
    struct {
      unsigned short class, type;
    } dnssec;      
@@ -309,6 +308,7 @@ struct ptr_record {
 };

 struct cname {
+  int ttl;
  char *alias, *target;
  struct cname *next;
 }; 
@@ -345,6 +345,7 @@ struct auth_zone {


 struct host_record {
+  int ttl;
  struct name_list {
    char *name;
    struct name_list *next;
@@ -397,14 +398,9 @@ struct crec {
      unsigned char algo;
      unsigned char digest; 
    } ds; 
-    struct {
-      struct blockdata *keydata;
-      unsigned short keylen, type_covered, keytag;
-      char algo;
-    } sig;
  } addr;
  time_t ttd; /* time to die */
-  /* used as class if DNSKEY/DS/RRSIG, index to source for F_HOSTS */
+  /* used as class if DNSKEY/DS, index to source for F_HOSTS */
  unsigned int uid; 
  unsigned short flags;
  union {
@@ -444,8 +440,7 @@ struct crec {
 #define F_SECSTAT   (1u<<24)
 #define F_NO_RR     (1u<<25)
 #define F_IPSET     (1u<<26)
-#define F_NSIGMATCH (1u<<27)
-#define F_NOEXTRA   (1u<<28)
+#define F_NOEXTRA   (1u<<27)

 /* Values of uid in crecs with F_CONFIG bit set. */
 #define SRC_INTERFACE 0
@@ -486,6 +481,7 @@ union mysockaddr {
 #define SERV_NO_REBIND      2048  /* inhibit dns-rebind protection */
 #define SERV_FROM_FILE      4096  /* read from --servers-file */
 #define SERV_LOOP           8192  /* server causes forwarding loop */
+#define SERV_DO_DNSSEC     16384  /* Validate DNSSEC when using this server */

 struct serverfd {
  int fd;
@@ -540,6 +536,13 @@ struct iname {
  struct iname *next;
 };

+/* subnet parameters from command line */
+struct mysubnet {
+  union mysockaddr addr;
+  int addr_used;
+  int mask;
+};
+
 /* resolv-file parms from command-line */
 struct resolvc {
  struct resolvc *next;
@@ -578,12 +581,8 @@ struct hostsfile {
 #define STAT_NEED_KEY           5
 #define STAT_TRUNCATED          6
 #define STAT_SECURE_WILDCARD    7
-#define STAT_NO_SIG             8
-#define STAT_NO_DS              9
-#define STAT_NO_NS             10
-#define STAT_NEED_DS_NEG       11
-#define STAT_CHASE_CNAME       12
-#define STAT_INSECURE_DS       13
+#define STAT_OK                 8
+#define STAT_ABANDONED          9

 #define FREC_NOREBIND           1
 #define FREC_CHECKING_DISABLED  2
@@ -593,8 +592,8 @@ struct hostsfile {
 #define FREC_AD_QUESTION       32
 #define FREC_DO_QUESTION       64
 #define FREC_ADDED_PHEADER    128
-#define FREC_CHECK_NOSIGN     256
-#define FREC_TEST_PKTSZ       512
+#define FREC_TEST_PKTSZ       256
+#define FREC_HAS_EXTRADATA    512        

 #ifdef HAVE_DNSSEC
 #define HASH_SIZE 20 /* SHA-1 digest size */
@@ -618,9 +617,7 @@ struct frec {
 #ifdef HAVE_DNSSEC 
  int class, work_counter;
  struct blockdata *stash; /* Saved reply, whilst we validate */
-  struct blockdata *orig_domain; /* domain of original query, whilst
-				    we're seeing is if in unsigned domain */
-  size_t stash_len, name_start, name_len;
+  size_t stash_len;
  struct frec *dependent; /* Query awaiting internally-generated DNSKEY or DS query */
  struct frec *blocking_query; /* Query which is blocking us. */
 #endif
@@ -642,6 +639,8 @@ struct frec {
 #define ACTION_OLD           3
 #define ACTION_ADD           4
 #define ACTION_TFTP          5
+#define ACTION_ARP           6
+#define ACTION_ARP_DEL       7

 #define LEASE_NEW            1  /* newly created */
 #define LEASE_CHANGED        2  /* modified */
@@ -934,9 +933,9 @@ extern struct daemon {
  struct auth_zone *auth_zones;
  struct interface_name *int_names;
  char *mxtarget;
-  int addr4_netmask;
-  int addr6_netmask;
-  char *lease_file; 
+  struct mysubnet *add_subnet4;
+  struct mysubnet *add_subnet6;
+  char *lease_file;
  char *username, *groupname, *scriptuser;
  char *luascript;
  char *authserver, *hostmaster;
@@ -955,8 +954,9 @@ extern struct daemon {
  char *log_file; /* optional log file */
  int max_logs;  /* queue limit */
  int cachesize, ftabsize;
-  int port, query_port, min_port;
-  unsigned long local_ttl, neg_ttl, max_ttl, min_cache_ttl, max_cache_ttl, auth_ttl;
+  int port, query_port, min_port, max_port;
+  unsigned long local_ttl, neg_ttl, max_ttl, min_cache_ttl, max_cache_ttl, auth_ttl, dhcp_ttl, use_dhcp_ttl;
+  char *dns_client_id;
  struct hostsfile *addn_hosts;
  struct dhcp_context *dhcp, *dhcp6;
  struct ra_interface *ra_interfaces;
@@ -975,7 +975,7 @@ extern struct daemon {
  struct dhcp_netid_list *dhcp_ignore, *dhcp_ignore_names, *dhcp_gen_names; 
  struct dhcp_netid_list *force_broadcast, *bootp_dynamic;
  struct hostsfile *dhcp_hosts_file, *dhcp_opts_file, *dynamic_dirs;
-  int dhcp_max, tftp_max;
+  int dhcp_max, tftp_max, tftp_mtu;
  int dhcp_server_port, dhcp_client_port;
  int start_tftp_port, end_tftp_port; 
  unsigned int min_leasetime;
@@ -992,6 +992,7 @@ extern struct daemon {
 #endif
 #ifdef HAVE_DNSSEC
  struct ds_config *ds;
+  int back_to_the_future;
  char *timestamp_file;
 #endif

@@ -1117,22 +1118,14 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *namebuff,
 		      int no_cache, int secure, int *doctored);
 size_t answer_request(struct dns_header *header, char *limit, size_t qlen,  
 		      struct in_addr local_addr, struct in_addr local_netmask, 
-		      time_t now, int *ad_reqd, int *do_bit);
+		      time_t now, int ad_reqd, int do_bit, int have_pseudoheader);
 int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name, 
 			     struct bogus_addr *addr, time_t now);
 int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bogus_addr *baddr);
-unsigned char *find_pseudoheader(struct dns_header *header, size_t plen,
-				 size_t *len, unsigned char **p, int *is_sign);
 int check_for_local_domain(char *name, time_t now);
 unsigned int questions_crc(struct dns_header *header, size_t plen, char *buff);
 size_t resize_packet(struct dns_header *header, size_t plen, 
 		  unsigned char *pheader, size_t hlen);
-size_t add_mac(struct dns_header *header, size_t plen, char *limit, union mysockaddr *l3);
-size_t add_source_addr(struct dns_header *header, size_t plen, char *limit, union mysockaddr *source);
-#ifdef HAVE_DNSSEC
-size_t add_do_bit(struct dns_header *header, size_t plen, char *limit);
-#endif
-int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer);
 int add_resource_record(struct dns_header *header, char *limit, int *truncp,
 			int nameoffset, unsigned char **pp, unsigned long ttl, 
 			int *offset, unsigned short type, unsigned short class, char *format, ...);
@@ -1145,16 +1138,17 @@ int private_net(struct in_addr addr, int ban_localhost);
 /* auth.c */
 #ifdef HAVE_AUTH
 size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, 
-		   time_t now, union mysockaddr *peer_addr, int local_query);
+		   time_t now, union mysockaddr *peer_addr, int local_query,
+		   int do_bit, int have_pseudoheader);
 int in_zone(struct auth_zone *zone, char *name, char **cut);
 #endif

 /* dnssec.c */
-size_t dnssec_generate_query(struct dns_header *header, char *end, char *name, int class, int type, union mysockaddr *addr, int edns_pktsz);
+size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name, int class, int type, union mysockaddr *addr, int edns_pktsz);
 int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t n, char *name, char *keyname, int class);
 int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
-int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer, int *nons);
-int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname);
+int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class,
+			  int check_unsigned, int *neganswer, int *nons);
 int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen);
 size_t filter_rrsigs(struct dns_header *header, size_t plen);
 unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name);
@@ -1191,7 +1185,6 @@ int memcmp_masked(unsigned char *a, unsigned char *b, int len,
 		  unsigned int mask);
 int expand_buf(struct iovec *iov, size_t size);
 char *print_mac(char *buff, unsigned char *mac, int len);
-void bump_maxfd(int fd, int *max);
 int read_write(int fd, unsigned char *packet, int size, int rw);

 int wildcard_match(const char* wildcard, const char* match);
@@ -1202,8 +1195,8 @@ void die(char *message, char *arg1, int exit_code);
 int log_start(struct passwd *ent_pw, int errfd);
 int log_reopen(char *log_file);
 void my_syslog(int priority, const char *format, ...);
-void set_log_writer(fd_set *set, int *maxfdp);
-void check_log_writer(fd_set *set);
+void set_log_writer(void);
+void check_log_writer(int force);
 void flush_log(void);

 /* option.c */
@@ -1366,8 +1359,8 @@ int iface_enumerate(int family, void *parm, int (callback)());
 /* dbus.c */
 #ifdef HAVE_DBUS
 char *dbus_init(void);
-void check_dbus_listeners(fd_set *rset, fd_set *wset, fd_set *eset);
-void set_dbus_listeners(int *maxfdp, fd_set *rset, fd_set *wset, fd_set *eset);
+void check_dbus_listeners(void);
+void set_dbus_listeners(void);
 #  ifdef HAVE_DHCP
 void emit_dbus_signal(int action, struct dhcp_lease *lease, char *hostname);
 #  endif
@@ -1388,13 +1381,15 @@ void queue_script(int action, struct dhcp_lease *lease,
 #ifdef HAVE_TFTP
 void queue_tftp(off_t file_len, char *filename, union mysockaddr *peer);
 #endif
+void queue_arp(int action, unsigned char *mac, int maclen,
+	       int family, struct all_addr *addr);
 int helper_buf_empty(void);
 #endif

 /* tftp.c */
 #ifdef HAVE_TFTP
 void tftp_request(struct listener *listen, time_t now);
-void check_tftp_listeners(fd_set *rset, time_t now);
+void check_tftp_listeners(time_t now);
 int do_tftp_script_run(void);
 #endif

@@ -1424,7 +1419,7 @@ struct dhcp_config *config_find_by_address6(struct dhcp_config *configs, struct
 void make_duid(time_t now);
 void dhcp_construct_contexts(time_t now);
 void get_client_mac(struct in6_addr *client, int iface, unsigned char *mac, 
-		    unsigned int *maclenp, unsigned int *mactypep);
+		    unsigned int *maclenp, unsigned int *mactypep, time_t now);
 #endif
  
 /* rfc3315.c */
@@ -1432,7 +1427,8 @@ void get_client_mac(struct in6_addr *client, int iface, unsigned char *mac,
 unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *iface_name,  
 			   struct in6_addr *fallback, struct in6_addr *ll_addr, struct in6_addr *ula_addr,
 			   size_t sz, struct in6_addr *client_addr, time_t now);
-void relay_upstream6(struct dhcp_relay *relay, ssize_t sz, struct in6_addr *peer_address, u32 scope_id);
+void relay_upstream6(struct dhcp_relay *relay, ssize_t sz, struct in6_addr *peer_address, 
+		     u32 scope_id, time_t now);

 unsigned short relay_reply6( struct sockaddr_in6 *peer, ssize_t sz, char *arrival_interface);
 #endif
@@ -1511,3 +1507,28 @@ void inotify_dnsmasq_init();
 int inotify_check(time_t now);
 void set_dynamic_inotify(int flag, int total_size, struct crec **rhash, int revhashsz);
 #endif
+
+/* poll.c */
+void poll_reset(void);
+int poll_check(int fd, short event);
+void poll_listen(int fd, short event);
+int do_poll(int timeout);
+
+/* rrfilter.c */
+size_t rrfilter(struct dns_header *header, size_t plen, int mode);
+u16 *rrfilter_desc(int type);
+int expand_workspace(unsigned char ***wkspc, int *szp, int new);
+
+/* edns0.c */
+unsigned char *find_pseudoheader(struct dns_header *header, size_t plen,
+				   size_t *len, unsigned char **p, int *is_sign, int *is_last);
+size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *limit, 
+			unsigned short udp_sz, int optno, unsigned char *opt, size_t optlen, int set_do, int replace);
+size_t add_do_bit(struct dns_header *header, size_t plen, unsigned char *limit);
+size_t add_edns0_config(struct dns_header *header, size_t plen, unsigned char *limit, 
+			union mysockaddr *source, time_t now, int *check_subnet);
+int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer);
+
+/* arp.c */
+int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now);
+int do_arp_script_run(void);
--- a/src/dnssec.c
+++ b/src/dnssec.c
--- a/src/domain.c
+++ b/src/domain.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/edns0.c
+++ b/src/edns0.c
@@ -0,0 +1,426 @@
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+unsigned char *find_pseudoheader(struct dns_header *header, size_t plen, size_t  *len, unsigned char **p, int *is_sign, int *is_last)
+{
+  /* See if packet has an RFC2671 pseudoheader, and if so return a pointer to it. 
+     also return length of pseudoheader in *len and pointer to the UDP size in *p
+     Finally, check to see if a packet is signed. If it is we cannot change a single bit before
+     forwarding. We look for TSIG in the addition section, and TKEY queries (for GSS-TSIG) */
+  
+  int i, arcount = ntohs(header->arcount);
+  unsigned char *ansp = (unsigned char *)(header+1);
+  unsigned short rdlen, type, class;
+  unsigned char *ret = NULL;
+
+  if (is_sign)
+    {
+      *is_sign = 0;
+
+      if (OPCODE(header) == QUERY)
+	{
+	  for (i = ntohs(header->qdcount); i != 0; i--)
+	    {
+	      if (!(ansp = skip_name(ansp, header, plen, 4)))
+		return NULL;
+	      
+	      GETSHORT(type, ansp); 
+	      GETSHORT(class, ansp);
+	      
+	      if (class == C_IN && type == T_TKEY)
+		*is_sign = 1;
+	    }
+	}
+    }
+  else
+    {
+      if (!(ansp = skip_questions(header, plen)))
+	return NULL;
+    }
+    
+  if (arcount == 0)
+    return NULL;
+  
+  if (!(ansp = skip_section(ansp, ntohs(header->ancount) + ntohs(header->nscount), header, plen)))
+    return NULL; 
+  
+  for (i = 0; i < arcount; i++)
+    {
+      unsigned char *save, *start = ansp;
+      if (!(ansp = skip_name(ansp, header, plen, 10)))
+	return NULL; 
+
+      GETSHORT(type, ansp);
+      save = ansp;
+      GETSHORT(class, ansp);
+      ansp += 4; /* TTL */
+      GETSHORT(rdlen, ansp);
+      if (!ADD_RDLEN(header, ansp, plen, rdlen))
+	return NULL;
+      if (type == T_OPT)
+	{
+	  if (len)
+	    *len = ansp - start;
+
+	  if (p)
+	    *p = save;
+	  
+	  if (is_last)
+	    *is_last = (i == arcount-1);
+
+	  ret = start;
+	}
+      else if (is_sign && 
+	       i == arcount - 1 && 
+	       class == C_ANY && 
+	       type == T_TSIG)
+	*is_sign = 1;
+    }
+  
+  return ret;
+}
+ 
+size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *limit, 
+			unsigned short udp_sz, int optno, unsigned char *opt, size_t optlen, int set_do, int replace)
+{ 
+  unsigned char *lenp, *datap, *p, *udp_len, *buff = NULL;
+  int rdlen = 0, is_sign, is_last;
+  unsigned short flags = set_do ? 0x8000 : 0, rcode = 0;
+
+  p = find_pseudoheader(header, plen, NULL, &udp_len, &is_sign, &is_last);
+  
+  if (is_sign)
+    return plen;
+
+  if (p)
+    {
+      /* Existing header */
+      int i;
+      unsigned short code, len;
+
+      p = udp_len;
+      GETSHORT(udp_sz, p);
+      GETSHORT(rcode, p);
+      GETSHORT(flags, p);
+
+      if (set_do)
+	{
+	  p -= 2;
+	  flags |= 0x8000;
+	  PUTSHORT(flags, p);
+	}
+
+      lenp = p;
+      GETSHORT(rdlen, p);
+      if (!CHECK_LEN(header, p, plen, rdlen))
+	return plen; /* bad packet */
+      datap = p;
+
+       /* no option to add */
+      if (optno == 0)
+	return plen;
+      	  
+      /* check if option already there */
+      for (i = 0; i + 4 < rdlen;)
+	{
+	  GETSHORT(code, p);
+	  GETSHORT(len, p);
+	  
+	  /* malformed option, delete the whole OPT RR and start again. */
+	  if (i + len > rdlen)
+	    {
+	      rdlen = 0;
+	      is_last = 0;
+	      break;
+	    }
+	  
+	  if (code == optno)
+	    {
+	      if (!replace)
+		return plen;
+
+	      /* delete option if we're to replace it. */
+	      p -= 4;
+	      rdlen -= len + 4;
+	      memcpy(p, p+len+4, rdlen - i);
+	      PUTSHORT(rdlen, lenp);
+	      lenp -= 2;
+	    }
+	  else
+	    {
+	      p += len;
+	      i += len + 4;
+	    }
+	}
+
+      /* If we're going to extend the RR, it has to be the last RR in the packet */
+      if (!is_last)
+	{
+	  /* First, take a copy of the options. */
+	  if (rdlen != 0 && (buff = whine_malloc(rdlen)))
+	    memcpy(buff, datap, rdlen);	      
+	  
+	  /* now, delete OPT RR */
+	  plen = rrfilter(header, plen, 0);
+	  
+	  /* Now, force addition of a new one */
+	  p = NULL;	  
+	}
+    }
+  
+  if (!p)
+    {
+      /* We are (re)adding the pseudoheader */
+      if (!(p = skip_questions(header, plen)) ||
+	  !(p = skip_section(p, 
+			     ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), 
+			     header, plen)))
+	return plen;
+      *p++ = 0; /* empty name */
+      PUTSHORT(T_OPT, p);
+      PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
+      PUTSHORT(rcode, p);    /* extended RCODE and version */
+      PUTSHORT(flags, p); /* DO flag */
+      lenp = p;
+      PUTSHORT(rdlen, p);    /* RDLEN */
+      datap = p;
+      /* Copy back any options */
+      if (buff)
+	{
+	  memcpy(p, buff, rdlen);
+	  free(buff);
+	  p += rdlen;
+	}
+      header->arcount = htons(ntohs(header->arcount) + 1);
+    }
+  
+  if (((ssize_t)optlen) > (limit - (p + 4)))
+    return plen; /* Too big */
+  
+  /* Add new option */
+  if (optno != 0)
+    {
+      PUTSHORT(optno, p);
+      PUTSHORT(optlen, p);
+      memcpy(p, opt, optlen);
+      p += optlen;  
+      PUTSHORT(p - datap, lenp);
+    }
+  return p - (unsigned char *)header;
+}
+
+size_t add_do_bit(struct dns_header *header, size_t plen, unsigned char *limit)
+{
+  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, 0, NULL, 0, 1, 0);
+}
+
+static unsigned char char64(unsigned char c)
+{
+  return "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"[c & 0x3f];
+}
+
+static void encoder(unsigned char *in, char *out)
+{
+  out[0] = char64(in[0]>>2);
+  out[1] = char64((in[0]<<4) | (in[1]>>4));
+  out[2] = char64((in[1]<<2) | (in[2]>>6));
+  out[3] = char64(in[2]);
+}
+
+static size_t add_dns_client(struct dns_header *header, size_t plen, unsigned char *limit, union mysockaddr *l3, time_t now)
+{
+  int maclen;
+  unsigned char mac[DHCP_CHADDR_MAX];
+  char encode[18]; /* handle 6 byte MACs */
+
+  if ((maclen = find_mac(l3, mac, 1, now)) == 6)
+    {
+      if (option_bool(OPT_MAC_HEX))
+	print_mac(encode, mac, maclen);
+      else
+	{
+	  encoder(mac, encode);
+	  encoder(mac+3, encode+4);
+	  encode[8] = 0;
+	}
+      plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_NOMDEVICEID, (unsigned char *)encode, strlen(encode), 0, 1); 
+    }
+
+  return plen; 
+}
+
+
+static size_t add_mac(struct dns_header *header, size_t plen, unsigned char *limit, union mysockaddr *l3, time_t now)
+{
+  int maclen;
+  unsigned char mac[DHCP_CHADDR_MAX];
+
+  if ((maclen = find_mac(l3, mac, 1, now)) != 0)
+    plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_MAC, mac, maclen, 0, 0); 
+    
+  return plen; 
+}
+
+struct subnet_opt {
+  u16 family;
+  u8 source_netmask, scope_netmask;
+#ifdef HAVE_IPV6 
+  u8 addr[IN6ADDRSZ];
+#else
+  u8 addr[INADDRSZ];
+#endif
+};
+
+static void *get_addrp(union mysockaddr *addr, const short family) 
+{
+#ifdef HAVE_IPV6
+  if (family == AF_INET6)
+    return &addr->in6.sin6_addr;
+#endif
+
+  return &addr->in.sin_addr;
+}
+
+static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source)
+{
+  /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
+  
+  int len;
+  void *addrp;
+  int sa_family = source->sa.sa_family;
+
+  opt->source_netmask = 0;
+  opt->scope_netmask = 0;
+
+#ifdef HAVE_IPV6
+  if (source->sa.sa_family == AF_INET6 && daemon->add_subnet6)
+    {
+      opt->source_netmask = daemon->add_subnet6->mask;
+      if (daemon->add_subnet6->addr_used) 
+	{
+	  sa_family = daemon->add_subnet6->addr.sa.sa_family;
+	  addrp = get_addrp(&daemon->add_subnet6->addr, sa_family);
+	} 
+      else 
+	addrp = &source->in6.sin6_addr;
+    }
+#endif
+
+  if (source->sa.sa_family == AF_INET && daemon->add_subnet4)
+    {
+      opt->source_netmask = daemon->add_subnet4->mask;
+      if (daemon->add_subnet4->addr_used)
+	{
+	  sa_family = daemon->add_subnet4->addr.sa.sa_family;
+	  addrp = get_addrp(&daemon->add_subnet4->addr, sa_family);
+	} 
+	else 
+	  addrp = &source->in.sin_addr;
+    }
+  
+#ifdef HAVE_IPV6
+  opt->family = htons(sa_family == AF_INET6 ? 2 : 1);
+#else
+  opt->family = htons(1);
+#endif
+  
+  len = 0;
+  
+  if (opt->source_netmask != 0)
+    {
+      len = ((opt->source_netmask - 1) >> 3) + 1;
+      memcpy(opt->addr, addrp, len);
+      if (opt->source_netmask & 7)
+	opt->addr[len-1] &= 0xff << (8 - (opt->source_netmask & 7));
+    }
+  
+  return len + 4;
+}
+ 
+static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned char *limit, union mysockaddr *source)
+{
+  /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
+  
+  int len;
+  struct subnet_opt opt;
+  
+  len = calc_subnet_opt(&opt, source);
+  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0, 0);
+}
+
+int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer)
+{
+  /* Section 9.2, Check that subnet option in reply matches. */
+  
+  int len, calc_len;
+  struct subnet_opt opt;
+  unsigned char *p;
+  int code, i, rdlen;
+  
+   calc_len = calc_subnet_opt(&opt, peer);
+   
+   if (!(p = skip_name(pseudoheader, header, plen, 10)))
+     return 1;
+   
+   p += 8; /* skip UDP length and RCODE */
+   
+   GETSHORT(rdlen, p);
+   if (!CHECK_LEN(header, p, plen, rdlen))
+     return 1; /* bad packet */
+   
+   /* check if option there */
+   for (i = 0; i + 4 < rdlen; i += len + 4)
+     {
+       GETSHORT(code, p);
+       GETSHORT(len, p);
+       if (code == EDNS0_OPTION_CLIENT_SUBNET)
+	 {
+	   /* make sure this doesn't mismatch. */
+	   opt.scope_netmask = p[3];
+	   if (len != calc_len || memcmp(p, &opt, len) != 0)
+	     return 0;
+	 }
+       p += len;
+     }
+   
+   return 1;
+}
+
+size_t add_edns0_config(struct dns_header *header, size_t plen, unsigned char *limit, 
+			union mysockaddr *source, time_t now, int *check_subnet)    
+{
+  *check_subnet = 0;
+
+  if (option_bool(OPT_ADD_MAC))
+    plen  = add_mac(header, plen, limit, source, now);
+  
+  if (option_bool(OPT_MAC_B64) || option_bool(OPT_MAC_HEX))
+    plen = add_dns_client(header, plen, limit, source, now);
+
+  if (daemon->dns_client_id)
+    plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_NOMCPEID, 
+			    (unsigned char *)daemon->dns_client_id, strlen(daemon->dns_client_id), 0, 1);
+  
+  if (option_bool(OPT_CLIENT_SUBNET))
+    {
+      plen = add_source_addr(header, plen, limit, source); 
+      *check_subnet = 1;
+    }
+	  
+  return plen;
+}
--- a/src/forward.c
+++ b/src/forward.c
--- a/src/helper.c
+++ b/src/helper.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -219,7 +219,18 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	  action_str = "tftp";
 	  is6 = (data.flags != AF_INET);
 	}
-      else
+      else if (data.action == ACTION_ARP)
+	{
+	  action_str = "arp-add";
+	  is6 = (data.flags != AF_INET);
+	}
+       else if (data.action == ACTION_ARP_DEL)
+	{
+	  action_str = "arp-del";
+	  is6 = (data.flags != AF_INET);
+	  data.action = ACTION_ARP;
+	}
+       else 
 	continue;

      	
@@ -289,7 +300,7 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
    
      if (!is6)
 	inet_ntop(AF_INET, &data.addr, daemon->addrbuff, ADDRSTRLEN);
-#ifdef HAVE_DHCP6
+#ifdef HAVE_IPV6
      else
 	inet_ntop(AF_INET6, &data.addr6, daemon->addrbuff, ADDRSTRLEN);
 #endif
@@ -321,6 +332,22 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 		  lua_call(lua, 2, 0);	/* pass 2 values, expect 0 */
 		}
 	    }
+	  else if (data.action == ACTION_ARP)
+	    {
+	      lua_getglobal(lua, "arp"); 
+	      if (lua_type(lua, -1) != LUA_TFUNCTION)
+		lua_pop(lua, 1); /* arp function optional */
+	      else
+		{
+		  lua_pushstring(lua, action_str); /* arg1 - action */
+		  lua_newtable(lua);               /* arg2 - data table */
+		  lua_pushstring(lua, daemon->addrbuff);
+		  lua_setfield(lua, -2, "client_address");
+		  lua_pushstring(lua, daemon->dhcp_buff);
+		  lua_setfield(lua, -2, "mac_address");
+		  lua_call(lua, 2, 0);	/* pass 2 values, expect 0 */
+		}
+	    }
 	  else
 	    {
 	      lua_getglobal(lua, "lease");     /* function to call */
@@ -478,7 +505,7 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	  continue;
 	}
      
-      if (data.action != ACTION_TFTP)
+      if (data.action != ACTION_TFTP && data.action != ACTION_ARP)
 	{
 #ifdef HAVE_DHCP6
 	  my_setenv("DNSMASQ_IAID", is6 ? daemon->dhcp_buff3 : NULL, &err);
@@ -550,10 +577,9 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	  my_setenv("DNSMASQ_OLD_HOSTNAME", data.action == ACTION_OLD_HOSTNAME ? hostname : NULL, &err);
 	  if (data.action == ACTION_OLD_HOSTNAME)
 	    hostname = NULL;
-	}
-
-      my_setenv("DNSMASQ_LOG_DHCP", option_bool(OPT_LOG_OPTS) ? "1" : NULL, &err);
-      
+	  
+	  my_setenv("DNSMASQ_LOG_DHCP", option_bool(OPT_LOG_OPTS) ? "1" : NULL, &err);
+    }
      /* we need to have the event_fd around if exec fails */
      if ((i = fcntl(event_fd, F_GETFD)) != -1)
 	fcntl(event_fd, F_SETFD, i | FD_CLOEXEC);
@@ -563,8 +589,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
      if (err == 0)
 	{
 	  execl(daemon->lease_change_command, 
-		p ? p+1 : daemon->lease_change_command,
-		action_str, is6 ? daemon->packet : daemon->dhcp_buff, 
+		p ? p+1 : daemon->lease_change_command, action_str, 
+		(is6 && data.action != ACTION_ARP) ? daemon->packet : daemon->dhcp_buff, 
 		daemon->addrbuff, hostname, (char*)NULL);
 	  err = errno;
 	}
@@ -760,6 +786,30 @@ void queue_tftp(off_t file_len, char *filename, union mysockaddr *peer)
 }
 #endif

+void queue_arp(int action, unsigned char *mac, int maclen, int family, struct all_addr *addr)
+{
+  /* no script */
+  if (daemon->helperfd == -1)
+    return;
+  
+  buff_alloc(sizeof(struct script_data));
+  memset(buf, 0, sizeof(struct script_data));
+
+  buf->action = action;
+  buf->hwaddr_len = maclen;
+  buf->hwaddr_type =  ARPHRD_ETHER; 
+  if ((buf->flags = family) == AF_INET)
+    buf->addr = addr->addr.addr4;
+#ifdef HAVE_IPV6
+  else
+    buf->addr6 = addr->addr.addr6;
+#endif
+  
+  memcpy(buf->hwaddr, mac, maclen);
+  
+  bytes_in_buf = sizeof(struct script_data);
+}
+
 int helper_buf_empty(void)
 {
  return bytes_in_buf == 0;
--- a/src/inotify.c
+++ b/src/inotify.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -18,6 +18,7 @@
 #ifdef HAVE_INOTIFY

 #include <sys/inotify.h>
+#include <sys/param.h> /* For MAXSYMLINKS */

 /* the strategy is to set a inotify on the directories containing
   resolv files, for any files in the directory which are close-write 
@@ -35,31 +36,82 @@
 static char *inotify_buffer;
 #define INOTIFY_SZ (sizeof(struct inotify_event) + NAME_MAX + 1)

+/* If path is a symbolic link, return the path it
+   points to, made absolute if relative.
+   If path doesn't exist or is not a symlink, return NULL.
+   Return value is malloc'ed */
+static char *my_readlink(char *path)
+{
+  ssize_t rc, size = 64;
+  char *buf;
+
+  while (1)
+    {
+      buf = safe_malloc(size);
+      rc = readlink(path, buf, (size_t)size);
+      
+      if (rc == -1)
+	{
+	  /* Not link or doesn't exist. */
+	  if (errno == EINVAL || errno == ENOENT)
+	    return NULL;
+	  else
+	    die(_("cannot access path %s: %s"), path, EC_MISC);
+	}
+      else if (rc < size-1)
+	{
+	  char *d;
+	  
+	  buf[rc] = 0;
+	  if (buf[0] != '/' && ((d = strrchr(path, '/'))))
+	    {
+	      /* Add path to relative link */
+	      char *new_buf = safe_malloc((d - path) + strlen(buf) + 2);
+	      *(d+1) = 0;
+	      strcpy(new_buf, path);
+	      strcat(new_buf, buf);
+	      free(buf);
+	      buf = new_buf;
+	    }
+	  return buf;
+	}
+
+      /* Buffer too small, increase and retry */
+      size += 64;
+      free(buf);
+    }
+}
+
 void inotify_dnsmasq_init()
 {
  struct resolvc *res;
-
  inotify_buffer = safe_malloc(INOTIFY_SZ);
  daemon->inotifyfd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
  
  if (daemon->inotifyfd == -1)
    die(_("failed to create inotify: %s"), NULL, EC_MISC);
+
+  if (option_bool(OPT_NO_RESOLV))
+    return;
  
  for (res = daemon->resolv_files; res; res = res->next)
    {
-      char *d = NULL, *path;
-      
-      if (!(path = realpath(res->name, NULL)))
+      char *d, *new_path, *path = safe_malloc(strlen(res->name) + 1);
+      int links = MAXSYMLINKS;
+
+      strcpy(path, res->name);
+
+      /* Follow symlinks until we reach a non-symlink, or a non-existant file. */
+      while ((new_path = my_readlink(path)))
 	{
-	  /* realpath will fail if the file doesn't exist, but
-	     dnsmasq copes with missing files, so fall back 
-	     and assume that symlinks are not in use in that case. */
-	  if (errno == ENOENT)
-	    path = res->name;
-	  else
-	    die(_("cannot cannonicalise resolv-file %s: %s"), res->name, EC_MISC); 
+	  if (links-- == 0)
+	    die(_("too many symlinks following %s"), res->name, EC_MISC);
+	  free(path);
+	  path = new_path;
 	}
-      
+
+      res->wd = -1;
+
      if ((d = strrchr(path, '/')))
 	{
 	  *d = 0; /* make path just directory */
@@ -70,10 +122,11 @@ void inotify_dnsmasq_init()
 	  
 	  if (res->wd == -1 && errno == ENOENT)
 	    die(_("directory %s for resolv-file is missing, cannot poll"), res->name, EC_MISC);
-	  
-	  if (res->wd == -1)
-	    die(_("failed to create inotify for %s: %s"), res->name, EC_MISC);
-	}
+	}	  
+	 
+      if (res->wd == -1)
+	die(_("failed to create inotify for %s: %s"), res->name, EC_MISC);
+	
    }
 }

--- a/src/ip6addr.h
+++ b/src/ip6addr.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/lease.c
+++ b/src/lease.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -1110,18 +1110,22 @@ int do_script_run(time_t now)
 }

 #ifdef HAVE_SCRIPT
+/* delim == -1 -> delim = 0, but embeded 0s, creating extra records, are OK. */
 void lease_add_extradata(struct dhcp_lease *lease, unsigned char *data, unsigned int len, int delim)
 {
  unsigned int i;
  
-  /* check for embeded NULLs */
-  for (i = 0; i < len; i++)
-    if (data[i] == 0)
-      {
-	len = i;
-	break;
-      }
-
+  if (delim == -1)
+    delim = 0;
+  else
+    /* check for embeded NULLs */
+    for (i = 0; i < len; i++)
+      if (data[i] == 0)
+	{
+	  len = i;
+	  break;
+	}
+  
  if ((lease->extradata_size - lease->extradata_len) < (len + 1))
    {
      size_t newsz = lease->extradata_len + len + 100;
--- a/src/log.c
+++ b/src/log.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -421,18 +421,15 @@ void my_syslog(int priority, const char *format, ...)
    } 
 }

-void set_log_writer(fd_set *set, int *maxfdp)
+void set_log_writer(void)
 {
  if (entries && log_fd != -1 && connection_good)
-    {
-      FD_SET(log_fd, set);
-      bump_maxfd(log_fd, maxfdp);
-    }
+    poll_listen(log_fd, POLLOUT);
 }

-void check_log_writer(fd_set *set)
+void check_log_writer(int force)
 {
-  if (log_fd != -1 && (!set || FD_ISSET(log_fd, set)))
+  if (log_fd != -1 && (force || poll_check(log_fd, POLLOUT)))
    log_write();
 }

--- a/src/loop.c
+++ b/src/loop.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -288,7 +288,8 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 		rta = RTA_NEXT(rta, len1);
 	      }

-	    if (inaddr && mac && callback_ok)
+	    if (!(neigh->ndm_state & (NUD_NOARP | NUD_INCOMPLETE | NUD_FAILED)) &&
+		inaddr && mac && callback_ok)
 	      if (!((*callback)(neigh->ndm_family, inaddr, mac, maclen, parm)))
 		callback_ok = 0;
 	  }
--- a/src/network.c
+++ b/src/network.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -1076,23 +1076,30 @@ void join_multicast(int dienow)
 	    
 	    if ((daemon->doing_dhcp6 || daemon->relay6) &&
 		setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
-	      err = 1;
+	      err = errno;
 	    
 	    inet_pton(AF_INET6, ALL_SERVERS, &mreq.ipv6mr_multiaddr);
 	    
 	    if (daemon->doing_dhcp6 && 
 		setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
-	      err = 1;
+	      err = errno;
 	    
 	    inet_pton(AF_INET6, ALL_ROUTERS, &mreq.ipv6mr_multiaddr);
 	    
 	    if (daemon->doing_ra &&
 		setsockopt(daemon->icmp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
-	      err = 1;
+	      err = errno;
 	    
 	    if (err)
 	      {
 		char *s = _("interface %s failed to join DHCPv6 multicast group: %s");
+		errno = err;
+
+#ifdef HAVE_LINUX_NETWORK
+		if (errno == ENOMEM)
+		  my_syslog(LOG_ERR, _("try increasing /proc/sys/net/core/optmem_max"));
+#endif
+
 		if (dienow)
 		  die(s, iface->name, EC_BADNET);
 		else
@@ -1112,7 +1119,7 @@ int random_sock(int family)
  if ((fd = socket(family, SOCK_DGRAM, 0)) != -1)
    {
      union mysockaddr addr;
-      unsigned int ports_avail = 65536u - (unsigned short)daemon->min_port;
+      unsigned int ports_avail = ((unsigned short)daemon->max_port - (unsigned short)daemon->min_port) + 1;
      int tries = ports_avail < 30 ? 3 * ports_avail : 100;

      memset(&addr, 0, sizeof(addr));
@@ -1125,8 +1132,8 @@ int random_sock(int family)
 	  {
 	    unsigned short port = rand16();
 	    
-	    if (daemon->min_port != 0)
-	      port = htons(daemon->min_port + (port % ((unsigned short)ports_avail)));
+            if (daemon->min_port != 0 || daemon->max_port != MAX_PORT)
+              port = htons(daemon->min_port + (port % ((unsigned short)ports_avail)));
 	    
 	    if (family == AF_INET) 
 	      {
@@ -1423,12 +1430,43 @@ void check_servers(void)
  if (!option_bool(OPT_NOWILD))
    enumerate_interfaces(0);
  
+#ifdef HAVE_DNSSEC
+ /* Disable DNSSEC validation when using server=/domain/.... servers
+    unless there's a configured trust anchor. */
+  for (serv = daemon->servers; serv; serv = serv->next)
+    serv->flags |= SERV_DO_DNSSEC;
+#endif
+
  for (serv = daemon->servers; serv; serv = serv->next)
    {
-       if (!(serv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)))
+      if (!(serv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)))
 	{
-	  port = prettyprint_addr(&serv->addr, daemon->namebuff);
+#ifdef HAVE_DNSSEC
+	  if (option_bool(OPT_DNSSEC_VALID))
+	    { 
+	      if (serv->flags & SERV_HAS_DOMAIN)
+		{
+		  struct ds_config *ds;
+		  char *domain = serv->domain;
+		  
+		  /* .example.com is valid */
+		  while (*domain == '.')
+		    domain++;
+		  
+		  for (ds = daemon->ds; ds; ds = ds->next)
+		    if (ds->name[0] != 0 && hostname_isequal(domain, ds->name))
+		      break;
+		  
+		  if (!ds)
+		    serv->flags &= ~SERV_DO_DNSSEC;
+		}
+	      else if (serv->flags & SERV_FOR_NODOTS) 
+		serv->flags &= ~SERV_DO_DNSSEC;
+	    }
+#endif

+	  port = prettyprint_addr(&serv->addr, daemon->namebuff);
+	  
 	  /* 0.0.0.0 is nothing, the stack treats it like 127.0.0.1 */
 	  if (serv->addr.sa.sa_family == AF_INET &&
 	      serv->addr.in.sin_addr.s_addr == 0)
@@ -1464,7 +1502,11 @@ void check_servers(void)
 	{
 	  if (serv->flags & (SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_USE_RESOLV))
 	    {
-	      char *s1, *s2;
+	      char *s1, *s2, *s3 = "";
+#ifdef HAVE_DNSSEC
+	      if (option_bool(OPT_DNSSEC_VALID) && !(serv->flags & SERV_DO_DNSSEC))
+		s3 = _("(no DNSSEC)");
+#endif
 	      if (!(serv->flags & SERV_HAS_DOMAIN))
 		s1 = _("unqualified"), s2 = _("names");
 	      else if (strlen(serv->domain) == 0)
@@ -1477,7 +1519,7 @@ void check_servers(void)
 	      else if (serv->flags & SERV_USE_RESOLV)
 		my_syslog(LOG_INFO, _("using standard nameservers for %s %s"), s1, s2);
 	      else 
-		my_syslog(LOG_INFO, _("using nameserver %s#%d for %s %s"), daemon->namebuff, port, s1, s2);
+		my_syslog(LOG_INFO, _("using nameserver %s#%d for %s %s %s"), daemon->namebuff, port, s1, s2, s3);
 	    }
 #ifdef HAVE_LOOP
 	  else if (serv->flags & SERV_LOOP)
--- a/src/option.c
+++ b/src/option.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -154,7 +154,12 @@ struct myoption {
 #define LOPT_HOST_INOTIFY  342
 #define LOPT_DNSSEC_STAMP  343
 #define LOPT_TFTP_NO_FAIL  344
-
+#define LOPT_MAXPORT       345
+#define LOPT_CPE_ID        346
+#define LOPT_SCRIPT_ARP    347
+#define LOPT_DHCPTTL       348
+#define LOPT_TFTP_MTU      349
+ 
 #ifdef HAVE_GETOPT_LONG
 static const struct option opts[] =  
 #else
@@ -240,6 +245,7 @@ static const struct myoption opts[] =
    { "tftp-unique-root", 0, 0, LOPT_APREF },
    { "tftp-root", 1, 0, LOPT_PREFIX },
    { "tftp-max", 1, 0, LOPT_TFTP_MAX },
+    { "tftp-mtu", 1, 0, LOPT_TFTP_MTU },
    { "tftp-lowercase", 0, 0, LOPT_TFTP_LC },
    { "ptr-record", 1, 0, LOPT_PTR },
    { "naptr-record", 1, 0, LOPT_NAPTR },
@@ -270,6 +276,7 @@ static const struct myoption opts[] =
    { "dhcp-alternate-port", 2, 0, LOPT_ALTPORT },
    { "dhcp-scriptuser", 1, 0, LOPT_SCRIPTUSR },
    { "min-port", 1, 0, LOPT_MINPORT },
+    { "max-port", 1, 0, LOPT_MAXPORT },
    { "dhcp-fqdn", 0, 0, LOPT_DHCP_FQDN },
    { "cname", 1, 0, LOPT_CNAME },
    { "pxe-prompt", 1, 0, LOPT_PXE_PROMT },
@@ -279,8 +286,9 @@ static const struct myoption opts[] =
    { "dhcp-proxy", 2, 0, LOPT_PROXY },
    { "dhcp-generate-names", 2, 0, LOPT_GEN_NAMES },
    { "rebind-localhost-ok", 0, 0,  LOPT_LOC_REBND },
-    { "add-mac", 0, 0, LOPT_ADD_MAC },
+    { "add-mac", 2, 0, LOPT_ADD_MAC },
    { "add-subnet", 2, 0, LOPT_ADD_SBNET },
+    { "add-cpe-id", 1, 0 , LOPT_CPE_ID },
    { "proxy-dnssec", 0, 0, LOPT_DNSSEC },
    { "dhcp-sequential-ip", 0, 0,  LOPT_INCR_ADDR },
    { "conntrack", 0, 0, LOPT_CONNTRACK },
@@ -313,6 +321,8 @@ static const struct myoption opts[] =
    { "quiet-dhcp6", 0, 0, LOPT_QUIET_DHCP6 },
    { "quiet-ra", 0, 0, LOPT_QUIET_RA },
    { "dns-loop-detect", 0, 0, LOPT_LOOP_DETECT },
+    { "script-arp", 0, 0, LOPT_SCRIPT_ARP },
+    { "dhcp-ttl", 1, 0 , LOPT_DHCPTTL },
    { NULL, 0, 0, 0 }
  };

@@ -410,6 +420,7 @@ static struct {
  { '6', ARG_ONE, "<path>", gettext_noop("Shell script to run on DHCP lease creation and destruction."), NULL },
  { LOPT_LUASCRIPT, ARG_DUP, "path", gettext_noop("Lua script to run on DHCP lease creation and destruction."), NULL },
  { LOPT_SCRIPTUSR, ARG_ONE, "<username>", gettext_noop("Run lease-change scripts as this user."), NULL },
+  { LOPT_SCRIPT_ARP, OPT_SCRIPT_ARP, NULL, gettext_noop("Call dhcp-script with changes to local ARP table."), NULL },
  { '7', ARG_DUP, "<path>", gettext_noop("Read configuration from all the files in this directory."), NULL },
  { '8', ARG_ONE, "<facilty>|<file>", gettext_noop("Log to this syslog facility or file. (defaults to DAEMON)"), NULL },
  { '9', OPT_LEASE_RO, NULL, gettext_noop("Do not use leasefile."), NULL },
@@ -423,6 +434,7 @@ static struct {
  { LOPT_SECURE, OPT_TFTP_SECURE, NULL, gettext_noop("Allow access only to files owned by the user running dnsmasq."), NULL },
  { LOPT_TFTP_NO_FAIL, OPT_TFTP_NO_FAIL, NULL, gettext_noop("Do not terminate the service if TFTP directories are inaccessible."), NULL },
  { LOPT_TFTP_MAX, ARG_ONE, "<integer>", gettext_noop("Maximum number of conncurrent TFTP transfers (defaults to %s)."), "#" },
+  { LOPT_TFTP_MTU, ARG_ONE, "<integer>", gettext_noop("Maximum MTU to use for TFTP transfers."), NULL },
  { LOPT_NOBLOCK, OPT_TFTP_NOBLOCK, NULL, gettext_noop("Disable the TFTP blocksize extension."), NULL },
  { LOPT_TFTP_LC, OPT_TFTP_LC, NULL, gettext_noop("Convert TFTP filenames to lowercase"), NULL },
  { LOPT_TFTPPORTS, ARG_ONE, "<start>,<end>", gettext_noop("Ephemeral port range for use by TFTP transfers."), NULL },
@@ -436,23 +448,25 @@ static struct {
  { LOPT_ALTPORT, ARG_ONE, "[=<ports>]", gettext_noop("Use alternative ports for DHCP."), NULL },
  { LOPT_NAPTR, ARG_DUP, "<name>,<naptr>", gettext_noop("Specify NAPTR DNS record."), NULL },
  { LOPT_MINPORT, ARG_ONE, "<port>", gettext_noop("Specify lowest port available for DNS query transmission."), NULL },
+  { LOPT_MAXPORT, ARG_ONE, "<port>", gettext_noop("Specify highest port available for DNS query transmission."), NULL },
  { LOPT_DHCP_FQDN, OPT_DHCP_FQDN, NULL, gettext_noop("Use only fully qualified domain names for DHCP clients."), NULL },
  { LOPT_GEN_NAMES, ARG_DUP, "[=tag:<tag>]", gettext_noop("Generate hostnames based on MAC address for nameless clients."), NULL},
  { LOPT_PROXY, ARG_DUP, "[=<ipaddr>]...", gettext_noop("Use these DHCP relays as full proxies."), NULL },
  { LOPT_RELAY, ARG_DUP, "<local-addr>,<server>[,<interface>]", gettext_noop("Relay DHCP requests to a remote server"), NULL},
-  { LOPT_CNAME, ARG_DUP, "<alias>,<target>", gettext_noop("Specify alias name for LOCAL DNS name."), NULL },
+  { LOPT_CNAME, ARG_DUP, "<alias>,<target>[,<ttl>]", gettext_noop("Specify alias name for LOCAL DNS name."), NULL },
  { LOPT_PXE_PROMT, ARG_DUP, "<prompt>,[<timeout>]", gettext_noop("Prompt to send to PXE clients."), NULL },
  { LOPT_PXE_SERV, ARG_DUP, "<service>", gettext_noop("Boot service for PXE menu."), NULL },
  { LOPT_TEST, 0, NULL, gettext_noop("Check configuration syntax."), NULL },
-  { LOPT_ADD_MAC, OPT_ADD_MAC, NULL, gettext_noop("Add requestor's MAC address to forwarded DNS queries."), NULL },
-  { LOPT_ADD_SBNET, ARG_ONE, "<v4 pref>[,<v6 pref>]", gettext_noop("Add requestor's IP subnet to forwarded DNS queries."), NULL },
+  { LOPT_ADD_MAC, ARG_DUP, "[=base64|text]", gettext_noop("Add requestor's MAC address to forwarded DNS queries."), NULL },
+  { LOPT_ADD_SBNET, ARG_ONE, "<v4 pref>[,<v6 pref>]", gettext_noop("Add specified IP subnet to forwarded DNS queries."), NULL },
+  { LOPT_CPE_ID, ARG_ONE, "<text>", gettext_noop("Add client identification to forwarded DNS queries."), NULL },
  { LOPT_DNSSEC, OPT_DNSSEC_PROXY, NULL, gettext_noop("Proxy DNSSEC validation results from upstream nameservers."), NULL },
  { LOPT_INCR_ADDR, OPT_CONSEC_ADDR, NULL, gettext_noop("Attempt to allocate sequential IP addresses to DHCP clients."), NULL },
  { LOPT_CONNTRACK, OPT_CONNTRACK, NULL, gettext_noop("Copy connection-track mark from queries to upstream connections."), NULL },
  { LOPT_FQDN, OPT_FQDN_UPDATE, NULL, gettext_noop("Allow DHCP clients to do their own DDNS updates."), NULL },
  { LOPT_RA, OPT_RA, NULL, gettext_noop("Send router-advertisements for interfaces doing DHCPv6"), NULL },
  { LOPT_DUID, ARG_ONE, "<enterprise>,<duid>", gettext_noop("Specify DUID_EN-type DHCPv6 server DUID"), NULL },
-  { LOPT_HOST_REC, ARG_DUP, "<name>,<address>", gettext_noop("Specify host (A/AAAA and PTR) records"), NULL },
+  { LOPT_HOST_REC, ARG_DUP, "<name>,<address>[,<ttl>]", gettext_noop("Specify host (A/AAAA and PTR) records"), NULL },
  { LOPT_RR, ARG_DUP, "<name>,<RR-number>,[<data>]", gettext_noop("Specify arbitrary DNS resource record"), NULL },
  { LOPT_CLVERBIND, OPT_CLEVERBIND, NULL, gettext_noop("Bind to interfaces in use - check for new interfaces"), NULL },
  { LOPT_AUTHSERV, ARG_ONE, "<NS>,<interface>", gettext_noop("Export local names to global DNS"), NULL },
@@ -476,9 +490,10 @@ static struct {
  { LOPT_QUIET_DHCP, OPT_QUIET_DHCP, NULL, gettext_noop("Do not log routine DHCP."), NULL },
  { LOPT_QUIET_DHCP6, OPT_QUIET_DHCP6, NULL, gettext_noop("Do not log routine DHCPv6."), NULL },
  { LOPT_QUIET_RA, OPT_QUIET_RA, NULL, gettext_noop("Do not log RA."), NULL },
-  { LOPT_LOCAL_SERVICE, OPT_LOCAL_SERVICE, NULL, gettext_noop("Accept queries only from directly-connected networks"), NULL },
-  { LOPT_LOOP_DETECT, OPT_LOOP_DETECT, NULL, gettext_noop("Detect and remove DNS forwarding loops"), NULL },
+  { LOPT_LOCAL_SERVICE, OPT_LOCAL_SERVICE, NULL, gettext_noop("Accept queries only from directly-connected networks."), NULL },
+  { LOPT_LOOP_DETECT, OPT_LOOP_DETECT, NULL, gettext_noop("Detect and remove DNS forwarding loops."), NULL },
  { LOPT_IGNORE_ADDR, ARG_DUP, "<ipaddr>", gettext_noop("Ignore DNS responses containing ipaddr."), NULL }, 
+  { LOPT_DHCPTTL, ARG_ONE, "<ttl>", gettext_noop("Set TTL in DNS responses with DHCP-derived addresses."), NULL }, 
  { 0, 0, NULL, NULL, NULL }
 }; 

@@ -722,6 +737,20 @@ static void do_usage(void)

 #define ret_err(x) do { strcpy(errstr, (x)); return 0; } while (0)

+static char *parse_mysockaddr(char *arg, union mysockaddr *addr) 
+{
+  if (inet_pton(AF_INET, arg, &addr->in.sin_addr) > 0)
+    addr->sa.sa_family = AF_INET;
+#ifdef HAVE_IPV6
+  else if (inet_pton(AF_INET6, arg, &addr->in6.sin6_addr) > 0)
+    addr->sa.sa_family = AF_INET6;
+#endif
+  else
+    return _("bad address");
+   
+  return NULL;
+}
+
 char *parse_server(char *arg, union mysockaddr *addr, union mysockaddr *source_addr, char *interface, int *flags)
 {
  int source_port = 0, serv_port = NAMESERVER_PORT;
@@ -1501,10 +1530,16 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 		li = opt_malloc(sizeof(struct list));
 		if (*arg == '*')
 		  {
-		    li->next = match_suffix;
-		    match_suffix = li;
-		    /* Have to copy: buffer is overwritten */
-		    li->suffix = opt_string_alloc(arg+1);
+		    /* "*" with no suffix is a no-op */
+		    if (arg[1] == 0)
+		      free(li);
+		    else
+		      {
+			li->next = match_suffix;
+			match_suffix = li;
+			/* Have to copy: buffer is overwritten */
+			li->suffix = opt_string_alloc(arg+1);
+		      }
 		  }
 		else
 		  {
@@ -1585,7 +1620,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	    li = match_suffix->next;
 	    free(match_suffix->suffix);
 	    free(match_suffix);
-	  }    
+	  }
 	break;
      }

@@ -1593,10 +1628,46 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
      set_option_bool(OPT_CLIENT_SUBNET);
      if (arg)
 	{
+          char *err, *end;
 	  comma = split(arg);
-	  if (!atoi_check(arg, &daemon->addr4_netmask) || 
-	      (comma && !atoi_check(comma, &daemon->addr6_netmask)))
-	     ret_err(gen_err);
+
+          struct mysubnet* new = opt_malloc(sizeof(struct mysubnet));
+          if ((end = split_chr(arg, '/')))
+	    {
+	      /* has subnet+len */
+	      err = parse_mysockaddr(arg, &new->addr);
+	      if (err)
+		ret_err(err);
+	      if (!atoi_check(end, &new->mask))
+		ret_err(gen_err);
+	      new->addr_used = 1;
+	    } 
+	  else if (!atoi_check(arg, &new->mask))
+	    ret_err(gen_err);
+	    
+          daemon->add_subnet4 = new;
+
+          if (comma)
+            {
+	      new = opt_malloc(sizeof(struct mysubnet));
+	      if ((end = split_chr(comma, '/')))
+		{
+		  /* has subnet+len */
+                  err = parse_mysockaddr(comma, &new->addr);
+                  if (err)
+                    ret_err(err);
+                  if (!atoi_check(end, &new->mask))
+                    ret_err(gen_err);
+                  new->addr_used = 1;
+                }
+              else
+                {
+                  if (!atoi_check(comma, &new->mask))
+                    ret_err(gen_err);
+                }
+          
+	      daemon->add_subnet6 = new;
+	    }
 	}
      break;

@@ -1919,11 +1990,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 		  comma = split(arg); 
 		  daemon->soa_retry = (u32)atoi(arg);
 		  if (comma)
-		    {
-		      arg = comma;
-		      comma = split(arg); 
-		      daemon->soa_expiry = (u32)atoi(arg);
-		    }
+		    daemon->soa_expiry = (u32)atoi(comma);
 		}
 	    }
 	}
@@ -2095,6 +2162,26 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	}
      break;
      
+    case LOPT_CPE_ID: /* --add-dns-client */
+      if (arg)
+	daemon->dns_client_id = opt_string_alloc(arg);
+      break;
+
+    case LOPT_ADD_MAC: /* --add-mac */
+      if (!arg)
+	set_option_bool(OPT_ADD_MAC);
+      else
+	{
+	  unhide_metas(arg);
+	  if (strcmp(arg, "base64") == 0)
+	    set_option_bool(OPT_MAC_B64);
+	  else if (strcmp(arg, "text") == 0)
+	    set_option_bool(OPT_MAC_HEX);
+	  else
+	    ret_err(gen_err);
+	}
+      break;
+
    case 'u':  /* --user */
      daemon->username = opt_string_alloc(arg);
      break;
@@ -2448,6 +2535,11 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	ret_err(gen_err);
      break;

+    case LOPT_MAXPORT:  /* --max-port */
+      if (!atoi_check16(arg, &daemon->max_port))
+	ret_err(gen_err);
+      break;
+
    case '0':  /* --dns-forward-max */
      if (!atoi_check(arg, &daemon->ftabsize))
 	ret_err(gen_err);
@@ -2491,6 +2583,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
    case LOPT_MINCTTL: /* --min-cache-ttl */
    case LOPT_MAXCTTL: /* --max-cache-ttl */
    case LOPT_AUTHTTL: /* --auth-ttl */
+    case LOPT_DHCPTTL: /* --dhcp-ttl */
      {
 	int ttl;
 	if (!atoi_check(arg, &ttl))
@@ -2509,6 +2602,11 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	  daemon->max_cache_ttl = (unsigned long)ttl;
 	else if (option == LOPT_AUTHTTL)
 	  daemon->auth_ttl = (unsigned long)ttl;
+	else if (option == LOPT_DHCPTTL)
+	  {
+	    daemon->dhcp_ttl = (unsigned long)ttl;
+	    daemon->use_dhcp_ttl = 1;
+	  }
 	else
 	  daemon->local_ttl = (unsigned long)ttl;
 	break;
@@ -2527,6 +2625,11 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	ret_err(gen_err);
      break;  

+    case LOPT_TFTP_MTU:  /*  --tftp-mtu */
+      if (!atoi_check(arg, &daemon->tftp_mtu))
+	ret_err(gen_err);
+      break;
+
    case LOPT_PREFIX: /* --tftp-prefix */
      comma = split(arg);
      if (comma)
@@ -2669,13 +2772,14 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 		leasepos = 3;
 		if (!is_same_net(new->start, new->end, new->netmask))
 		  ret_err(_("inconsistent DHCP range"));
-	      }
+		
 	    
-	    if (k >= 4 && strchr(a[3], '.') &&  
-		(inet_pton(AF_INET, a[3], &new->broadcast) > 0))
-	      {
-		new->flags |= CONTEXT_BRDCAST;
-		leasepos = 4;
+		if (k >= 4 && strchr(a[3], '.') &&  
+		    (inet_pton(AF_INET, a[3], &new->broadcast) > 0))
+		  {
+		    new->flags |= CONTEXT_BRDCAST;
+		    leasepos = 4;
+		  }
 	      }
 	  }
 #ifdef HAVE_DHCP6
@@ -2765,6 +2869,9 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	
 	if (leasepos < k)
 	  {
+	    if (leasepos != k-1)
+	      ret_err(_("bad dhcp-range"));
+	    
 	    if (strcmp(a[leasepos], "infinite") == 0)
 	      new->lease_time = 0xffffffff;
 	    else if (strcmp(a[leasepos], "deprecated") == 0)
@@ -2859,7 +2966,6 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 			}

 		      if (len == -1)
-
 			ret_err(_("bad hex constant"));
 		      else if ((new->clid = opt_malloc(len)))
 			{
@@ -3603,12 +3709,15 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
    case LOPT_CNAME: /* --cname */
      {
 	struct cname *new;
-	char *alias;
-	char *target;
+	char *alias, *target, *ttls;
+	int ttl = -1;

 	if (!(comma = split(arg)))
 	  ret_err(gen_err);
 	
+	if ((ttls = split(comma)) && !atoi_check(ttls, &ttl))
+	  ret_err(_("bad TTL"));
+	
 	alias = canonicalise_opt(arg);
 	target = canonicalise_opt(comma);
 	    
@@ -3624,6 +3733,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	    daemon->cnames = new;
 	    new->alias = alias;
 	    new->target = target;
+	    new->ttl = ttl;
 	  }
      
 	break;
@@ -3797,13 +3907,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 		    if (!atoi_check16(arg, &priority))
 		      ret_err(_("invalid priority"));
 			
-		    if (comma)
-		      {
-			arg = comma;
-			comma = split(arg);
-			if (!atoi_check16(arg, &weight))
-			  ret_err(_("invalid weight"));
-		      }
+		    if (comma && !atoi_check16(comma, &weight))
+		      ret_err(_("invalid weight"));
 		  }
 	      }
 	  }
@@ -3824,14 +3929,22 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
      {
 	struct host_record *new = opt_malloc(sizeof(struct host_record));
 	memset(new, 0, sizeof(struct host_record));
-	
+	new->ttl = -1;
+
 	if (!arg || !(comma = split(arg)))
 	  ret_err(_("Bad host-record"));
 	
 	while (arg)
 	  {
 	    struct all_addr addr;
-	    if (inet_pton(AF_INET, arg, &addr))
+	    char *dig;
+
+	    for (dig = arg; *dig != 0; dig++)
+	      if (*dig < '0' || *dig > '9')
+		break;
+	    if (*dig == 0)
+	      new->ttl = atoi(arg);
+	    else if (inet_pton(AF_INET, arg, &addr))
 	      new->addr = addr.addr.addr4;
 #ifdef HAVE_IPV6
 	    else if (inet_pton(AF_INET6, arg, &addr))
@@ -4371,7 +4484,7 @@ void read_opts(int argc, char **argv, char *compile_opts)
 {
  char *buff = opt_malloc(MAXDNAME);
  int option, conffile_opt = '7', testmode = 0;
-  char *arg, *conffile = NULL;
+  char *arg, *conffile = CONFFILE;
      
  opterr = 0;

@@ -4398,6 +4511,7 @@ void read_opts(int argc, char **argv, char *compile_opts)
  daemon->soa_refresh = SOA_REFRESH;
  daemon->soa_retry = SOA_RETRY;
  daemon->soa_expiry = SOA_EXPIRY;
+  daemon->max_port = MAX_PORT;

  add_txt("version.bind", "dnsmasq-" VERSION, 0 );
  add_txt("authors.bind", "Simon Kelley", 0);
@@ -4488,11 +4602,8 @@ void read_opts(int argc, char **argv, char *compile_opts)
  if (conffile)
    {
      one_file(conffile, conffile_opt);
-      free(conffile);
-    }
-  else
-    {
-      one_file(CONFFILE, conffile_opt);
+      if (conffile_opt == 0)
+	free(conffile);
    }

  /* port might not be known when the address is parsed - fill in here */
@@ -4514,7 +4625,25 @@ void read_opts(int argc, char **argv, char *compile_opts)
 	    }
 	} 
    }
-  
+
+  if (daemon->host_records)
+    {
+      struct host_record *hr;
+      
+      for (hr = daemon->host_records; hr; hr = hr->next)
+	if (hr->ttl == -1)
+	  hr->ttl = daemon->local_ttl;
+    }
+
+  if (daemon->cnames)
+    {
+      struct cname *cn;
+      
+      for (cn = daemon->cnames; cn; cn = cn->next)
+	if (cn->ttl == -1)
+	  cn->ttl = daemon->local_ttl;
+    }
+
  if (daemon->if_addrs)
    {  
      struct iname *tmp;
--- a/src/outpacket.c
+++ b/src/outpacket.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/poll.c
+++ b/src/poll.c
@@ -0,0 +1,125 @@
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "dnsmasq.h"
+
+/* Wrapper for poll(). Allocates and extends array of struct pollfds,
+   keeps them in fd order so that we can set and test conditions on
+   fd using a simple but efficient binary chop. */
+
+/* poll_reset()
+   poll_listen(fd, event)
+   .
+   .
+   poll_listen(fd, event);
+
+   hits = do_poll(timeout);
+
+   if (poll_check(fd, event)
+    .
+    .
+
+   if (poll_check(fd, event)
+    .
+    .
+
+    event is OR of POLLIN, POLLOUT, POLLERR, etc
+*/
+
+static struct pollfd *pollfds = NULL;
+static nfds_t nfds, arrsize = 0;
+
+/* Binary search. Returns either the pollfd with fd, or
+   if the fd doesn't match, or return equals nfds, the entry
+   to the left of which a new record should be inserted. */
+static nfds_t fd_search(int fd)
+{
+  nfds_t left, right, mid;
+  
+  if ((right = nfds) == 0)
+    return 0;
+  
+  left = 0;
+  
+  while (1)
+    {
+      if (right == left + 1)
+	return (pollfds[left].fd >= fd) ? left : right;
+      
+      mid = (left + right)/2;
+      
+      if (pollfds[mid].fd > fd)
+	right = mid;
+      else 
+	left = mid;
+    }
+}
+
+void poll_reset(void)
+{
+  nfds = 0;
+}
+
+int do_poll(int timeout)
+{
+  return poll(pollfds, nfds, timeout);
+}
+
+int poll_check(int fd, short event)
+{
+  nfds_t i = fd_search(fd);
+  
+  if (i < nfds && pollfds[i].fd == fd)
+    return pollfds[i].revents & event;
+
+  return 0;
+}
+
+void poll_listen(int fd, short event)
+{
+   nfds_t i = fd_search(fd);
+  
+   if (i < nfds && pollfds[i].fd == fd)
+     pollfds[i].events |= event;
+   else
+     {
+       if (arrsize != nfds)
+	 memmove(&pollfds[i+1], &pollfds[i], (nfds - i) * sizeof(struct pollfd));
+       else
+	 {
+	   /* Array too small, extend. */
+	   struct pollfd *new;
+
+	   arrsize = (arrsize == 0) ? 64 : arrsize * 2;
+
+	   if (!(new = whine_malloc(arrsize * sizeof(struct pollfd))))
+	     return;
+
+	   if (pollfds)
+	     {
+	       memcpy(new, pollfds, i * sizeof(struct pollfd));
+	       memcpy(&new[i+1], &pollfds[i], (nfds - i) * sizeof(struct pollfd));
+	       free(pollfds);
+	     }
+	   
+	   pollfds = new;
+	 }
+       
+       pollfds[i].fd = fd;
+       pollfds[i].events = event;
+       nfds++;
+     }
+}
--- a/src/radv-protocol.h
+++ b/src/radv-protocol.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/radv.c
+++ b/src/radv.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -28,11 +28,12 @@

 struct ra_param {
  time_t now;
-  int ind, managed, other, found_context, first, adv_router;
+  int ind, managed, other, first, adv_router;
  char *if_name;
  struct dhcp_netid *tags;
  struct in6_addr link_local, link_global, ula;
  unsigned int glob_pref_time, link_pref_time, ula_pref_time, adv_interval, prio;
+  struct dhcp_context *found_context;
 };

 struct search_param {
@@ -251,7 +252,7 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
  parm.ind = iface;
  parm.managed = 0;
  parm.other = 0;
-  parm.found_context = 0;
+  parm.found_context = NULL;
  parm.adv_router = 0;
  parm.if_name = iface_name;
  parm.first = 1;
@@ -308,8 +309,14 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
 	  unsigned int old = difftime(now, context->address_lost_time);
 	  
 	  if (old > context->saved_valid)
-	    {
+	    { 
 	      /* We've advertised this enough, time to go */
+	     
+	      /* If this context held the timeout, and there's another context in use
+		 transfer the timeout there. */
+	      if (context->ra_time != 0 && parm.found_context && parm.found_context->ra_time == 0)
+		new_timeout(parm.found_context, iface_name, now);
+	      
 	      *up = context->next;
 	      free(context);
 	    }
@@ -636,8 +643,10 @@ static int add_prefixes(struct in6_addr *local,  int prefix,
                    off_link = (context->flags & CONTEXT_RA_OFF_LINK);
 		  }

-		param->first = 0;	
-		param->found_context = 1;
+		param->first = 0;
+		/* found_context is the _last_ one we found, so if there's 
+		   more than one, it's not the first. */
+		param->found_context = context;
 	      }

 	  /* configured time is ceiling */
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -408,331 +408,22 @@ size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *phea
  return ansp - (unsigned char *)header;
 }

-unsigned char *find_pseudoheader(struct dns_header *header, size_t plen, size_t  *len, unsigned char **p, int *is_sign)
-{
-  /* See if packet has an RFC2671 pseudoheader, and if so return a pointer to it. 
-     also return length of pseudoheader in *len and pointer to the UDP size in *p
-     Finally, check to see if a packet is signed. If it is we cannot change a single bit before
-     forwarding. We look for SIG and TSIG in the addition section, and TKEY queries (for GSS-TSIG) */
-  
-  int i, arcount = ntohs(header->arcount);
-  unsigned char *ansp = (unsigned char *)(header+1);
-  unsigned short rdlen, type, class;
-  unsigned char *ret = NULL;
-
-  if (is_sign)
-    {
-      *is_sign = 0;
-
-      if (OPCODE(header) == QUERY)
-	{
-	  for (i = ntohs(header->qdcount); i != 0; i--)
-	    {
-	      if (!(ansp = skip_name(ansp, header, plen, 4)))
-		return NULL;
-	      
-	      GETSHORT(type, ansp); 
-	      GETSHORT(class, ansp);
-	      
-	      if (class == C_IN && type == T_TKEY)
-		*is_sign = 1;
-	    }
-	}
-    }
-  else
-    {
-      if (!(ansp = skip_questions(header, plen)))
-	return NULL;
-    }
-    
-  if (arcount == 0)
-    return NULL;
-  
-  if (!(ansp = skip_section(ansp, ntohs(header->ancount) + ntohs(header->nscount), header, plen)))
-    return NULL; 
-  
-  for (i = 0; i < arcount; i++)
-    {
-      unsigned char *save, *start = ansp;
-      if (!(ansp = skip_name(ansp, header, plen, 10)))
-	return NULL; 
-
-      GETSHORT(type, ansp);
-      save = ansp;
-      GETSHORT(class, ansp);
-      ansp += 4; /* TTL */
-      GETSHORT(rdlen, ansp);
-      if (!ADD_RDLEN(header, ansp, plen, rdlen))
-	return NULL;
-      if (type == T_OPT)
-	{
-	  if (len)
-	    *len = ansp - start;
-	  if (p)
-	    *p = save;
-	  ret = start;
-	}
-      else if (is_sign && 
-	       i == arcount - 1 && 
-	       class == C_ANY && 
-	       type == T_TSIG)
-	*is_sign = 1;
-    }
-  
-  return ret;
-}
-
-struct macparm {
-  unsigned char *limit;
-  struct dns_header *header;
-  size_t plen;
-  union mysockaddr *l3;
-};
- 
-static size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *limit, 
-			       int optno, unsigned char *opt, size_t optlen, int set_do)
-{ 
-  unsigned char *lenp, *datap, *p;
-  int rdlen, is_sign;
-  
-  if (!(p = find_pseudoheader(header, plen, NULL, NULL, &is_sign)))
-    {
-      if (is_sign)
-	return plen;
-
-      /* We are adding the pseudoheader */
-      if (!(p = skip_questions(header, plen)) ||
-	  !(p = skip_section(p, 
-			     ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), 
-			     header, plen)))
-	return plen;
-      *p++ = 0; /* empty name */
-      PUTSHORT(T_OPT, p);
-      PUTSHORT(SAFE_PKTSZ, p); /* max packet length, this will be overwritten */
-      PUTSHORT(0, p);    /* extended RCODE and version */
-      PUTSHORT(set_do ? 0x8000 : 0, p); /* DO flag */
-      lenp = p;
-      PUTSHORT(0, p);    /* RDLEN */
-      rdlen = 0;
-      if (((ssize_t)optlen) > (limit - (p + 4)))
-	return plen; /* Too big */
-      header->arcount = htons(ntohs(header->arcount) + 1);
-      datap = p;
-    }
-  else
-    {
-      int i;
-      unsigned short code, len, flags;
-      
-      /* Must be at the end, if exists */
-      if (ntohs(header->arcount) != 1 ||
-	  is_sign ||
-	  (!(p = skip_name(p, header, plen, 10))))
-	return plen;
-      
-      p += 6; /* skip UDP length and RCODE */
-      GETSHORT(flags, p);
-      if (set_do)
-	{
-	  p -=2;
-	  PUTSHORT(flags | 0x8000, p);
-	}
-
-      lenp = p;
-      GETSHORT(rdlen, p);
-      if (!CHECK_LEN(header, p, plen, rdlen))
-	return plen; /* bad packet */
-      datap = p;
-
-       /* no option to add */
-      if (optno == 0)
-	return plen;
-      	  
-      /* check if option already there */
-      for (i = 0; i + 4 < rdlen; i += len + 4)
-	{
-	  GETSHORT(code, p);
-	  GETSHORT(len, p);
-	  if (code == optno)
-	    return plen;
-	  p += len;
-	}
-      
-      if (((ssize_t)optlen) > (limit - (p + 4)))
-	return plen; /* Too big */
-    }
-  
-  if (optno != 0)
-    {
-      PUTSHORT(optno, p);
-      PUTSHORT(optlen, p);
-      memcpy(p, opt, optlen);
-      p += optlen;  
-    }
-
-  PUTSHORT(p - datap, lenp);
-  return p - (unsigned char *)header;
-  
-}
-
-static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *parmv)
-{
-  struct macparm *parm = parmv;
-  int match = 0;
-    
-  if (family == parm->l3->sa.sa_family)
-    {
-      if (family == AF_INET && memcmp(&parm->l3->in.sin_addr, addrp, INADDRSZ) == 0)
-	match = 1;
-#ifdef HAVE_IPV6
-      else
-	if (family == AF_INET6 && memcmp(&parm->l3->in6.sin6_addr, addrp, IN6ADDRSZ) == 0)
-	  match = 1;
-#endif
-    }
- 
-  if (!match)
-    return 1; /* continue */
-
-  parm->plen = add_pseudoheader(parm->header, parm->plen, parm->limit,  EDNS0_OPTION_MAC, (unsigned char *)mac, maclen, 0);
-  
-  return 0; /* done */
-}	      
-     
-size_t add_mac(struct dns_header *header, size_t plen, char *limit, union mysockaddr *l3)
-{
-  struct macparm parm;
-     
-/* Must have an existing pseudoheader as the only ar-record, 
-   or have no ar-records. Must also not be signed */
-   
-  if (ntohs(header->arcount) > 1)
-    return plen;
-
-  parm.header = header;
-  parm.limit = (unsigned char *)limit;
-  parm.plen = plen;
-  parm.l3 = l3;
-
-  iface_enumerate(AF_UNSPEC, &parm, filter_mac);
-  
-  return parm.plen; 
-}
-
-struct subnet_opt {
-  u16 family;
-  u8 source_netmask, scope_netmask;
-#ifdef HAVE_IPV6 
-  u8 addr[IN6ADDRSZ];
-#else
-  u8 addr[INADDRSZ];
-#endif
-};
-
-static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source)
-{
-  /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
-  
-  int len;
-  void *addrp;
-
-#ifdef HAVE_IPV6
-  if (source->sa.sa_family == AF_INET6)
-    {
-      opt->family = htons(2);
-      opt->source_netmask = daemon->addr6_netmask;
-      addrp = &source->in6.sin6_addr;
-    }
-  else
-#endif
-    {
-      opt->family = htons(1);
-      opt->source_netmask = daemon->addr4_netmask;
-      addrp = &source->in.sin_addr;
-    }
-  
-  opt->scope_netmask = 0;
-  len = 0;
-  
-  if (opt->source_netmask != 0)
-    {
-      len = ((opt->source_netmask - 1) >> 3) + 1;
-      memcpy(opt->addr, addrp, len);
-      if (opt->source_netmask & 7)
-	opt->addr[len-1] &= 0xff << (8 - (opt->source_netmask & 7));
-    }
-
-  return len + 4;
-}
- 
-size_t add_source_addr(struct dns_header *header, size_t plen, char *limit, union mysockaddr *source)
-{
-  /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
-  
-  int len;
-  struct subnet_opt opt;
-  
-  len = calc_subnet_opt(&opt, source);
-  return add_pseudoheader(header, plen, (unsigned char *)limit, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0);
-}
-
-#ifdef HAVE_DNSSEC
-size_t add_do_bit(struct dns_header *header, size_t plen, char *limit)
-{
-  return add_pseudoheader(header, plen, (unsigned char *)limit, 0, NULL, 0, 1);
-}
-#endif
-
-int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer)
-{
-  /* Section 9.2, Check that subnet option in reply matches. */
-
-
- int len, calc_len;
-  struct subnet_opt opt;
-  unsigned char *p;
-  int code, i, rdlen;
-  
-   calc_len = calc_subnet_opt(&opt, peer);
-   
-   if (!(p = skip_name(pseudoheader, header, plen, 10)))
-     return 1;
-   
-   p += 8; /* skip UDP length and RCODE */
-   
-   GETSHORT(rdlen, p);
-   if (!CHECK_LEN(header, p, plen, rdlen))
-     return 1; /* bad packet */
-   
-   /* check if option there */
-   for (i = 0; i + 4 < rdlen; i += len + 4)
-     {
-       GETSHORT(code, p);
-       GETSHORT(len, p);
-       if (code == EDNS0_OPTION_CLIENT_SUBNET)
-	 {
-	   /* make sure this doesn't mismatch. */
-	   opt.scope_netmask = p[3];
-	   if (len != calc_len || memcmp(p, &opt, len) != 0)
-	     return 0;
-	 }
-       p += len;
-     }
-   
-   return 1;
-}
-
 /* is addr in the non-globally-routed IP space? */ 
 int private_net(struct in_addr addr, int ban_localhost) 
 {
  in_addr_t ip_addr = ntohl(addr.s_addr);

  return
-    (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost)  /* 127.0.0.0/8    (loopback) */ || 
-    ((ip_addr & 0xFFFF0000) == 0xC0A80000)  /* 192.168.0.0/16 (private)  */ ||
+    (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost)  /* 127.0.0.0/8    (loopback) */ ||
+    ((ip_addr & 0xFF000000) == 0x00000000)  /* RFC 5735 section 3. "here" network */ ||
    ((ip_addr & 0xFF000000) == 0x0A000000)  /* 10.0.0.0/8     (private)  */ ||
    ((ip_addr & 0xFFF00000) == 0xAC100000)  /* 172.16.0.0/12  (private)  */ ||
-    ((ip_addr & 0xFFFF0000) == 0xA9FE0000)  /* 169.254.0.0/16 (zeroconf) */ ;
+    ((ip_addr & 0xFFFF0000) == 0xC0A80000)  /* 192.168.0.0/16 (private)  */ ||
+    ((ip_addr & 0xFFFF0000) == 0xA9FE0000)  /* 169.254.0.0/16 (zeroconf) */ ||
+    ((ip_addr & 0xFFFFFF00) == 0xC0000200)  /* 192.0.2.0/24   (test-net) */ ||
+    ((ip_addr & 0xFFFFFF00) == 0xC6336400)  /* 198.51.100.0/24(test-net) */ ||
+    ((ip_addr & 0xFFFFFF00) == 0xCB007100)  /* 203.0.113.0/24 (test-net) */ ||
+    ((ip_addr & 0xFFFFFFFF) == 0xFFFFFFFF)  /* 255.255.255.255/32 (broadcast)*/ ;
 }

 static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *header, size_t qlen, char *name, int *doctored)
@@ -1205,9 +896,7 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
  header->nscount = htons(0);
  header->arcount = htons(0);
  header->ancount = htons(0); /* no answers unless changed below */
-  if (flags == F_NEG)
-    SET_RCODE(header, SERVFAIL); /* couldn't get memory */
-  else if (flags == F_NOERR)
+  if (flags == F_NOERR)
    SET_RCODE(header, NOERROR); /* empty domain */
  else if (flags == F_NXDOMAIN)
    SET_RCODE(header, NXDOMAIN);
@@ -1244,11 +933,9 @@ int check_for_local_domain(char *name, time_t now)
  struct naptr *naptr;

  /* Note: the call to cache_find_by_name is intended to find any record which matches
-     ie A, AAAA, CNAME, DS. Because RRSIG records are marked by setting both F_DS and F_DNSKEY,
-     cache_find_by name ordinarily only returns records with an exact match on those bits (ie
-     for the call below, only DS records). The F_NSIGMATCH bit changes this behaviour */
+     ie A, AAAA, CNAME. */

-  if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME | F_DS | F_NO_RR | F_NSIGMATCH)) &&
+  if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME |F_NO_RR)) &&
      (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)))
    return 1;
  
@@ -1480,11 +1167,23 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
 static unsigned long crec_ttl(struct crec *crecp, time_t now)
 {
  /* Return 0 ttl for DHCP entries, which might change
-     before the lease expires. */
+     before the lease expires, unless configured otherwise. */

-  if  (crecp->flags & (F_IMMORTAL | F_DHCP))
-    return daemon->local_ttl;
+  if (crecp->flags & F_DHCP)
+    {
+      int conf_ttl = daemon->use_dhcp_ttl ? daemon->dhcp_ttl : daemon->local_ttl;
+      
+      /* Apply ceiling of actual lease length to configured TTL. */
+      if (!(crecp->flags & F_IMMORTAL) && (crecp->ttd - now) < conf_ttl)
+	return crecp->ttd - now;
+      
+      return conf_ttl;
+    }	  
  
+  /* Immortal entries other than DHCP are local, and hold TTL in TTD field. */
+  if (crecp->flags & F_IMMORTAL)
+    return crecp->ttd;
+
  /* Return the Max TTL value if it is lower then the actual TTL */
  if (daemon->max_ttl == 0 || ((unsigned)(crecp->ttd - now) < daemon->max_ttl))
    return crecp->ttd - now;
@@ -1496,54 +1195,37 @@ static unsigned long crec_ttl(struct crec *crecp, time_t now)
 /* return zero if we can't answer from cache, or packet size if we can */
 size_t answer_request(struct dns_header *header, char *limit, size_t qlen,  
 		      struct in_addr local_addr, struct in_addr local_netmask, 
-		      time_t now, int *ad_reqd, int *do_bit) 
+		      time_t now, int ad_reqd, int do_bit, int have_pseudoheader) 
 {
  char *name = daemon->namebuff;
-  unsigned char *p, *ansp, *pheader;
+  unsigned char *p, *ansp;
  unsigned int qtype, qclass;
  struct all_addr addr;
  int nameoffset;
  unsigned short flag;
  int q, ans, anscount = 0, addncount = 0;
-  int dryrun = 0, sec_reqd = 0, have_pseudoheader = 0;
+  int dryrun = 0;
  struct crec *crecp;
  int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
  struct mx_srv_record *rec;
  size_t len;
- 
+  
+  if (ntohs(header->ancount) != 0 ||
+      ntohs(header->nscount) != 0 ||
+      ntohs(header->qdcount) == 0 || 
+      OPCODE(header) != QUERY )
+    return 0;
+  
  /* Don't return AD set if checking disabled. */
  if (header->hb4 & HB4_CD)
    sec_data = 0;
  
-  /* RFC 6840 5.7 */
-  *ad_reqd = header->hb4 & HB4_AD;
-  *do_bit = 0;
-
-  /* If there is an RFC2671 pseudoheader then it will be overwritten by
+  /* If there is an  additional data section then it will be overwritten by
     partial replies, so we have to do a dry run to see if we can answer
-     the query. We check to see if the do bit is set, if so we always
-     forward rather than answering from the cache, which doesn't include
-     security information, unless we're in DNSSEC validation mode. */
+     the query. */
+  if (ntohs(header->arcount) != 0)
+    dryrun = 1;

-  if (find_pseudoheader(header, qlen, NULL, &pheader, NULL))
-    { 
-      unsigned short flags;
-      
-      have_pseudoheader = 1;
-
-      pheader += 4; /* udp size, ext_rcode */
-      GETSHORT(flags, pheader);
-      
-      if ((sec_reqd = flags & 0x8000))
-	*do_bit = 1;/* do bit */ 
-
-      *ad_reqd = 1;
-      dryrun = 1;
-    }
-
-  if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
-    return 0;
-  
  for (rec = daemon->mxnames; rec; rec = rec->next)
    rec->offset = 0;
  
@@ -1567,11 +1249,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
      GETSHORT(qtype, p); 
      GETSHORT(qclass, p);

-      /* Don't filter RRSIGS from answers to ANY queries, even if do-bit
-	 not set. */
-      if (qtype == T_ANY)
-	*do_bit = 1;
-
      ans = 0; /* have we answered this question */
      
      if (qtype == T_TXT || qtype == T_ANY)
@@ -1605,98 +1282,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 	    }
 	}

-#ifdef HAVE_DNSSEC
-      if (option_bool(OPT_DNSSEC_VALID) && (qtype == T_DNSKEY || qtype == T_DS))
-	{
-	  int gotone = 0;
-	  struct blockdata *keydata;
-
-	  /* Do we have RRSIG? Can't do DS or DNSKEY otherwise. */
-	  if (sec_reqd)
-	    {
-	      crecp = NULL;
-	      while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY | F_DS)))
-		if (crecp->uid == qclass && crecp->addr.sig.type_covered == qtype)
-		  break;
-	    }
-	  
-	  if (!sec_reqd || crecp)
-	    {
-	      if (qtype == T_DS)
-		{
-		  crecp = NULL;
-		  while ((crecp = cache_find_by_name(crecp, name, now, F_DS)))
-		    if (crecp->uid == qclass)
-		      {
-			gotone = 1; 
-			if (!dryrun)
-			  {
-			    if (crecp->flags & F_NEG)
-			      {
-				if (crecp->flags & F_NXDOMAIN)
-				  nxdomain = 1;
-				log_query(F_UPSTREAM, name, NULL, "no DS");	
-			      }
-			    else if ((keydata = blockdata_retrieve(crecp->addr.ds.keydata, crecp->addr.ds.keylen, NULL)))
-			      {			     			      
-				struct all_addr a;
-				a.addr.keytag =  crecp->addr.ds.keytag;
-				log_query(F_KEYTAG | (crecp->flags & F_CONFIG), name, &a, "DS keytag %u");
-				if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
-							crec_ttl(crecp, now), &nameoffset,
-							T_DS, qclass, "sbbt", 
-							crecp->addr.ds.keytag, crecp->addr.ds.algo, 
-							crecp->addr.ds.digest, crecp->addr.ds.keylen, keydata))
-				  anscount++;
-				
-			      } 
-			  }
-		      }
-		}
-	      else /* DNSKEY */
-		{
-		  crecp = NULL;
-		  while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY)))
-		    if (crecp->uid == qclass)
-		      {
-			gotone = 1;
-			if (!dryrun && (keydata = blockdata_retrieve(crecp->addr.key.keydata, crecp->addr.key.keylen, NULL)))
-			  {			     			      
-			    struct all_addr a;
-			    a.addr.keytag =  crecp->addr.key.keytag;
-			    log_query(F_KEYTAG | (crecp->flags & F_CONFIG), name, &a, "DNSKEY keytag %u");
-			    if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
-						    crec_ttl(crecp, now), &nameoffset,
-						    T_DNSKEY, qclass, "sbbt", 
-						    crecp->addr.key.flags, 3, crecp->addr.key.algo, crecp->addr.key.keylen, keydata))
-			      anscount++;
-			  }
-		      }
-		}
-	    }
-	  
-	  /* Now do RRSIGs */
-	  if (gotone)
-	    {
-	      ans = 1;
-	      auth = 0;
-	      if (!dryrun && sec_reqd)
-		{
-		  crecp = NULL;
-		  while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY | F_DS)))
-		    if (crecp->uid == qclass && crecp->addr.sig.type_covered == qtype &&
-			(keydata = blockdata_retrieve(crecp->addr.sig.keydata, crecp->addr.sig.keylen, NULL)))
-		      {
-			add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
-					    crec_ttl(crecp, now), &nameoffset,
-					    T_RRSIG, qclass, "t", crecp->addr.sig.keylen, keydata);
-			anscount++;
-		      }
-		}
-	    }
-	}
-#endif	     
-      
      if (qclass == C_IN)
 	{
 	  struct txt_record *t;
@@ -1705,6 +1290,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 	    if ((t->class == qtype || qtype == T_ANY) && hostname_isequal(name, t->name))
 	      {
 		ans = 1;
+		sec_data = 0;
 		if (!dryrun)
 		  {
 		    log_query(F_CONFIG | F_RRNAME, name, NULL, "<RR>");
@@ -1761,6 +1347,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 	      
 	      if (intr)
 		{
+		  sec_data = 0;
 		  ans = 1;
 		  if (!dryrun)
 		    {
@@ -1774,6 +1361,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 	      else if (ptr)
 		{
 		  ans = 1;
+		  sec_data = 0;
 		  if (!dryrun)
 		    {
 		      log_query(F_CONFIG | F_RRNAME, name, NULL, "<PTR>");
@@ -1788,38 +1376,12 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		}
 	      else if ((crecp = cache_find_by_addr(NULL, &addr, now, is_arpa)))
 		{
-		  if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && sec_reqd)
-		    {
-		      if (!option_bool(OPT_DNSSEC_VALID) || ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK)))
-			crecp = NULL;
-#ifdef HAVE_DNSSEC
-		      else if (crecp->flags & F_DNSSECOK)
-			{
-			  int gotsig = 0;
-			  struct crec *rr_crec = NULL;
-
-			  while ((rr_crec = cache_find_by_name(rr_crec, name, now, F_DS | F_DNSKEY)))
-			    {
-			      if (rr_crec->addr.sig.type_covered == T_PTR && rr_crec->uid == C_IN)
-				{
-				  char *sigdata = blockdata_retrieve(rr_crec->addr.sig.keydata, rr_crec->addr.sig.keylen, NULL);
-				  gotsig = 1;
-				  
-				  if (!dryrun && 
-				      add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
-							  rr_crec->ttd - now, &nameoffset,
-							  T_RRSIG, C_IN, "t", crecp->addr.sig.keylen, sigdata))
-				    anscount++;
-				}
-			    } 
-			  
-			  if (!gotsig)
-			    crecp = NULL;
-			}
-#endif
-		    }
-
-		  if (crecp)
+		  /* Don't use cache when DNSSEC data required, unless we know that
+		     the zone is unsigned, which implies that we're doing
+		     validation. */
+		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || 
+		      !do_bit || 
+		      (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
 		    {
 		      do 
 			{ 
@@ -1829,19 +1391,19 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 			  
 			  if (!(crecp->flags & F_DNSSECOK))
 			    sec_data = 0;
-			  
+			   
+			  ans = 1;
+			   
 			  if (crecp->flags & F_NEG)
 			    {
-			      ans = 1;
 			      auth = 0;
 			      if (crecp->flags & F_NXDOMAIN)
 				nxdomain = 1;
 			      if (!dryrun)
 				log_query(crecp->flags & ~F_FORWARD, name, &addr, NULL);
 			    }
-			  else if ((crecp->flags & (F_HOSTS | F_DHCP)) || !sec_reqd || option_bool(OPT_DNSSEC_VALID))
+			  else
 			    {
-			      ans = 1;
 			      if (!(crecp->flags & (F_HOSTS | F_DHCP)))
 				auth = 0;
 			      if (!dryrun)
@@ -1861,6 +1423,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 	      else if (is_rev_synth(is_arpa, &addr, name))
 		{
 		  ans = 1;
+		  sec_data = 0;
 		  if (!dryrun)
 		    {
 		      log_query(F_CONFIG | F_REVERSE | is_arpa, name, &addr, NULL); 
@@ -1877,6 +1440,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		{
 		  /* if not in cache, enabled and private IPV4 address, return NXDOMAIN */
 		  ans = 1;
+		  sec_data = 0;
 		  nxdomain = 1;
 		  if (!dryrun)
 		    log_query(F_CONFIG | F_REVERSE | F_IPV4 | F_NEG | F_NXDOMAIN, 
@@ -1924,6 +1488,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		  if (i == 4)
 		    {
 		      ans = 1;
+		      sec_data = 0;
 		      if (!dryrun)
 			{
 			  addr.addr.addr4.s_addr = htonl(a);
@@ -1962,6 +1527,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 				continue;
 #endif	
 			      ans = 1;	
+			      sec_data = 0;
 			      if (!dryrun)
 				{
 				  gotit = 1;
@@ -2001,48 +1567,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		      crecp = save;
 		    }

-		  /* If the client asked for DNSSEC and we can't provide RRSIGs, either
-		     because we've not doing DNSSEC or the cached answer is signed by negative,
-		     don't answer from the cache, forward instead. */
-		  if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && sec_reqd)
-		    {
-		      if (!option_bool(OPT_DNSSEC_VALID) || ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK)))
-			crecp = NULL;
-#ifdef HAVE_DNSSEC
-		      else if (crecp->flags & F_DNSSECOK)
-			{
-			  /* We're returning validated data, need to return the RRSIG too. */
-			  struct crec *rr_crec = NULL;
-			  int sigtype = type;
-			  /* The signature may have expired even though the data is still in cache, 
-			     forward instead of answering from cache if so. */
-			  int gotsig = 0;
-			  
-			  if (crecp->flags & F_CNAME)
-			    sigtype = T_CNAME;
-			  
-			  while ((rr_crec = cache_find_by_name(rr_crec, name, now, F_DS | F_DNSKEY)))
-			    {
-			      if (rr_crec->addr.sig.type_covered == sigtype && rr_crec->uid == C_IN)
-				{
-				  char *sigdata = blockdata_retrieve(rr_crec->addr.sig.keydata, rr_crec->addr.sig.keylen, NULL);
-				  gotsig = 1;
-				  
-				  if (!dryrun && 
-				      add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
-							  rr_crec->ttd - now, &nameoffset,
-							  T_RRSIG, C_IN, "t", rr_crec->addr.sig.keylen, sigdata))
-				    anscount++;
-				}
-			    }
-			  
-			  if (!gotsig)
-			    crecp = NULL;
-			}
-#endif
-		    }		 
-
-		  if (crecp)
+		  /* If the client asked for DNSSEC  don't use cached data. */
+		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
 		    do
 		      { 
 			/* don't answer wildcard queries with data not from /etc/hosts
@@ -2076,17 +1602,12 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 			
 			if (crecp->flags & F_NEG)
 			  {
-			    /* We don't cache NSEC records, so if a DNSSEC-validated negative answer
-			       is cached and the client wants DNSSEC, forward rather than answering from the cache */
-			    if (!sec_reqd || !(crecp->flags & F_DNSSECOK))
-			      {
-				ans = 1;
-				auth = 0;
-				if (crecp->flags & F_NXDOMAIN)
-				  nxdomain = 1;
-				if (!dryrun)
-				  log_query(crecp->flags, name, NULL, NULL);
-			      }
+			    ans = 1;
+			    auth = 0;
+			    if (crecp->flags & F_NXDOMAIN)
+			      nxdomain = 1;
+			    if (!dryrun)
+			      log_query(crecp->flags, name, NULL, NULL);
 			  }
 			else 
 			  {
@@ -2324,14 +1845,14 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,

  len = ansp - (unsigned char *)header;
  
+  /* Advertise our packet size limit in our reply */
  if (have_pseudoheader)
-    len = add_pseudoheader(header, len, (unsigned char *)limit, 0, NULL, 0, sec_reqd);
+    len = add_pseudoheader(header, len, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
  
-  if (*ad_reqd && sec_data)
+  if (ad_reqd && sec_data)
    header->hb4 |= HB4_AD;
  else
    header->hb4 &= ~HB4_AD;
  
  return len;
 }
-
--- a/src/rfc2131.c
+++ b/src/rfc2131.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -1308,7 +1308,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		      /* If the user-class option started as counted strings, the first byte will be zero. */
 		      if (len != 0 && ucp[0] == 0)
 			ucp++, len--;
-		      lease_add_extradata(lease, ucp, len, 0);
+		      lease_add_extradata(lease, ucp, len, -1);
 		    }
 		}
 #endif
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -130,7 +130,7 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
      MAC address from the local ND cache. */
      
      if (!state->link_address)
-	get_client_mac(client_addr, state->interface, state->mac, &state->mac_len, &state->mac_type);
+	get_client_mac(client_addr, state->interface, state->mac, &state->mac_len, &state->mac_type, now);
      else
 	{
 	  struct dhcp_context *c;
@@ -1320,15 +1320,15 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh)
      
      if (opt_cfg->opt == OPTION6_REFRESH_TIME)
 	done_refresh = 1;
+       
+      if (opt_cfg->opt == OPTION6_DNS_SERVER)
+	done_dns = 1;
      
      if (opt_cfg->flags & DHOPT_ADDR6)
 	{
 	  int len, j;
 	  struct in6_addr *a;
 	  
-	  if (opt_cfg->opt == OPTION6_DNS_SERVER)
-	    done_dns = 1;
-	  
 	  for (a = (struct in6_addr *)opt_cfg->val, len = opt_cfg->len, j = 0; 
 	       j < opt_cfg->len; j += IN6ADDRSZ, a++)
 	    if ((IN6_IS_ADDR_ULA_ZERO(a) && IN6_IS_ADDR_UNSPECIFIED(state->ula_addr)) ||
@@ -2054,7 +2054,8 @@ static unsigned int opt6_uint(unsigned char *opt, int offset, int size)
  return ret;
 } 

-void relay_upstream6(struct dhcp_relay *relay, ssize_t sz, struct in6_addr *peer_address, u32 scope_id)
+void relay_upstream6(struct dhcp_relay *relay, ssize_t sz, 
+		     struct in6_addr *peer_address, u32 scope_id, time_t now)
 {
  /* ->local is same value for all relays on ->current chain */
  
@@ -2068,7 +2069,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz, struct in6_addr *peer
  unsigned char mac[DHCP_CHADDR_MAX];

  inet_pton(AF_INET6, ALL_SERVERS, &multicast);
-  get_client_mac(peer_address, scope_id, mac, &maclen, &mactype);
+  get_client_mac(peer_address, scope_id, mac, &maclen, &mactype, now);

  /* source address == relay address */
  from.addr.addr6 = relay->local.addr.addr6;
--- a/src/rrfilter.c
+++ b/src/rrfilter.c
@@ -0,0 +1,339 @@
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* Code to safely remove RRs from an DNS answer */ 
+
+#include "dnsmasq.h"
+
+/* Go through a domain name, find "pointers" and fix them up based on how many bytes
+   we've chopped out of the packet, or check they don't point into an elided part.  */
+static int check_name(unsigned char **namep, struct dns_header *header, size_t plen, int fixup, unsigned char **rrs, int rr_count)
+{
+  unsigned char *ansp = *namep;
+
+  while(1)
+    {
+      unsigned int label_type;
+      
+      if (!CHECK_LEN(header, ansp, plen, 1))
+	return 0;
+      
+      label_type = (*ansp) & 0xc0;
+
+      if (label_type == 0xc0)
+	{
+	  /* pointer for compression. */
+	  unsigned int offset;
+	  int i;
+	  unsigned char *p;
+	  
+	  if (!CHECK_LEN(header, ansp, plen, 2))
+	    return 0;
+
+	  offset = ((*ansp++) & 0x3f) << 8;
+	  offset |= *ansp++;
+
+	  p = offset + (unsigned char *)header;
+	  
+	  for (i = 0; i < rr_count; i++)
+	    if (p < rrs[i])
+	      break;
+	    else
+	      if (i & 1)
+		offset -= rrs[i] - rrs[i-1];
+
+	  /* does the pointer end up in an elided RR? */
+	  if (i & 1)
+	    return 0;
+
+	  /* No, scale the pointer */
+	  if (fixup)
+	    {
+	      ansp -= 2;
+	      *ansp++ = (offset >> 8) | 0xc0;
+	      *ansp++ = offset & 0xff;
+	    }
+	  break;
+	}
+      else if (label_type == 0x80)
+	return 0; /* reserved */
+      else if (label_type == 0x40)
+	{
+	  /* Extended label type */
+	  unsigned int count;
+	  
+	  if (!CHECK_LEN(header, ansp, plen, 2))
+	    return 0;
+	  
+	  if (((*ansp++) & 0x3f) != 1)
+	    return 0; /* we only understand bitstrings */
+	  
+	  count = *(ansp++); /* Bits in bitstring */
+	  
+	  if (count == 0) /* count == 0 means 256 bits */
+	    ansp += 32;
+	  else
+	    ansp += ((count-1)>>3)+1;
+	}
+      else
+	{ /* label type == 0 Bottom six bits is length */
+	  unsigned int len = (*ansp++) & 0x3f;
+	  
+	  if (!ADD_RDLEN(header, ansp, plen, len))
+	    return 0;
+
+	  if (len == 0)
+	    break; /* zero length label marks the end. */
+	}
+    }
+
+  *namep = ansp;
+
+  return 1;
+}
+
+/* Go through RRs and check or fixup the domain names contained within */
+static int check_rrs(unsigned char *p, struct dns_header *header, size_t plen, int fixup, unsigned char **rrs, int rr_count)
+{
+  int i, j, type, class, rdlen;
+  unsigned char *pp;
+  
+  for (i = 0; i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount); i++)
+    {
+      pp = p;
+
+      if (!(p = skip_name(p, header, plen, 10)))
+	return 0;
+      
+      GETSHORT(type, p); 
+      GETSHORT(class, p);
+      p += 4; /* TTL */
+      GETSHORT(rdlen, p);
+
+      /* If this RR is to be elided, don't fix up its contents */
+      for (j = 0; j < rr_count; j += 2)
+	if (rrs[j] == pp)
+	  break;
+
+      if (j >= rr_count)
+	{
+	  /* fixup name of RR */
+	  if (!check_name(&pp, header, plen, fixup, rrs, rr_count))
+	    return 0;
+	  
+	  if (class == C_IN)
+	    {
+	      u16 *d;
+ 
+	      for (pp = p, d = rrfilter_desc(type); *d != (u16)-1; d++)
+		{
+		  if (*d != 0)
+		    pp += *d;
+		  else if (!check_name(&pp, header, plen, fixup, rrs, rr_count))
+		    return 0;
+		}
+	    }
+	}
+      
+      if (!ADD_RDLEN(header, p, plen, rdlen))
+	return 0;
+    }
+  
+  return 1;
+}
+	
+
+/* mode is 0 to remove EDNS0, 1 to filter DNSSEC RRs */
+size_t rrfilter(struct dns_header *header, size_t plen, int mode)
+{
+  static unsigned char **rrs;
+  static int rr_sz = 0;
+
+  unsigned char *p = (unsigned char *)(header+1);
+  int i, rdlen, qtype, qclass, rr_found, chop_an, chop_ns, chop_ar;
+
+  if (ntohs(header->qdcount) != 1 ||
+      !(p = skip_name(p, header, plen, 4)))
+    return plen;
+  
+  GETSHORT(qtype, p);
+  GETSHORT(qclass, p);
+
+  /* First pass, find pointers to start and end of all the records we wish to elide:
+     records added for DNSSEC, unless explicity queried for */
+  for (rr_found = 0, chop_ns = 0, chop_an = 0, chop_ar = 0, i = 0; 
+       i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount);
+       i++)
+    {
+      unsigned char *pstart = p;
+      int type, class;
+
+      if (!(p = skip_name(p, header, plen, 10)))
+	return plen;
+      
+      GETSHORT(type, p); 
+      GETSHORT(class, p);
+      p += 4; /* TTL */
+      GETSHORT(rdlen, p);
+        
+      if (!ADD_RDLEN(header, p, plen, rdlen))
+	return plen;
+
+      /* Don't remove the answer. */
+      if (i < ntohs(header->ancount) && type == qtype && class == qclass)
+	continue;
+      
+      if (mode == 0) /* EDNS */
+	{
+	  /* EDNS mode, remove T_OPT from additional section only */
+	  if (i < (ntohs(header->nscount) + ntohs(header->ancount)) || type != T_OPT)
+	    continue;
+	}
+      else if (type != T_NSEC && type != T_NSEC3 && type != T_RRSIG)
+	/* DNSSEC mode, remove SIGs and NSECs from all three sections. */
+	continue;
+      
+      
+      if (!expand_workspace(&rrs, &rr_sz, rr_found + 1))
+	return plen; 
+      
+      rrs[rr_found++] = pstart;
+      rrs[rr_found++] = p;
+      
+      if (i < ntohs(header->ancount))
+	chop_an++;
+      else if (i < (ntohs(header->nscount) + ntohs(header->ancount)))
+	chop_ns++;
+      else
+	chop_ar++;
+    }
+  
+  /* Nothing to do. */
+  if (rr_found == 0)
+    return plen;
+
+  /* Second pass, look for pointers in names in the records we're keeping and make sure they don't
+     point to records we're going to elide. This is theoretically possible, but unlikely. If
+     it happens, we give up and leave the answer unchanged. */
+  p = (unsigned char *)(header+1);
+  
+  /* question first */
+  if (!check_name(&p, header, plen, 0, rrs, rr_found))
+    return plen;
+  p += 4; /* qclass, qtype */
+  
+  /* Now answers and NS */
+  if (!check_rrs(p, header, plen, 0, rrs, rr_found))
+    return plen;
+  
+  /* Third pass, elide records */
+  for (p = rrs[0], i = 1; i < rr_found; i += 2)
+    {
+      unsigned char *start = rrs[i];
+      unsigned char *end = (i != rr_found - 1) ? rrs[i+1] : ((unsigned char *)header) + plen;
+      
+      memmove(p, start, end-start);
+      p += end-start;
+    }
+     
+  plen = p - (unsigned char *)header;
+  header->ancount = htons(ntohs(header->ancount) - chop_an);
+  header->nscount = htons(ntohs(header->nscount) - chop_ns);
+  header->arcount = htons(ntohs(header->arcount) - chop_ar);
+
+  /* Fourth pass, fix up pointers in the remaining records */
+  p = (unsigned char *)(header+1);
+  
+  check_name(&p, header, plen, 1, rrs, rr_found);
+  p += 4; /* qclass, qtype */
+  
+  check_rrs(p, header, plen, 1, rrs, rr_found);
+  
+  return plen;
+}
+
+/* This is used in the DNSSEC code too, hence it's exported */
+u16 *rrfilter_desc(int type)
+{
+  /* List of RRtypes which include domains in the data.
+     0 -> domain
+     integer -> no of plain bytes
+     -1 -> end
+
+     zero is not a valid RRtype, so the final entry is returned for
+     anything which needs no mangling.
+  */
+  
+  static u16 rr_desc[] = 
+    { 
+      T_NS, 0, -1, 
+      T_MD, 0, -1,
+      T_MF, 0, -1,
+      T_CNAME, 0, -1,
+      T_SOA, 0, 0, -1,
+      T_MB, 0, -1,
+      T_MG, 0, -1,
+      T_MR, 0, -1,
+      T_PTR, 0, -1,
+      T_MINFO, 0, 0, -1,
+      T_MX, 2, 0, -1,
+      T_RP, 0, 0, -1,
+      T_AFSDB, 2, 0, -1,
+      T_RT, 2, 0, -1,
+      T_SIG, 18, 0, -1,
+      T_PX, 2, 0, 0, -1,
+      T_NXT, 0, -1,
+      T_KX, 2, 0, -1,
+      T_SRV, 6, 0, -1,
+      T_DNAME, 0, -1,
+      0, -1 /* wildcard/catchall */
+    }; 
+  
+  u16 *p = rr_desc;
+  
+  while (*p != type && *p != 0)
+    while (*p++ != (u16)-1);
+
+  return p+1;
+}
+
+int expand_workspace(unsigned char ***wkspc, int *szp, int new)
+{
+  unsigned char **p;
+  int old = *szp;
+
+  if (old >= new+1)
+    return 1;
+
+  if (new >= 100)
+    return 0;
+
+  new += 5;
+  
+  if (!(p = whine_malloc(new * sizeof(unsigned char *))))
+    return 0;  
+  
+  if (old != 0 && *wkspc)
+    {
+      memcpy(p, *wkspc, old * sizeof(unsigned char *));
+      free(*wkspc);
+    }
+  
+  *wkspc = p;
+  *szp = new;
+
+  return 1;
+}
--- a/src/slaac.c
+++ b/src/slaac.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/tftp.c
+++ b/src/tftp.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -103,8 +103,10 @@ void tftp_request(struct listener *listen, time_t now)
      if (listen->iface)
 	{
 	  addr = listen->iface->addr;
-	  mtu = listen->iface->mtu;
 	  name = listen->iface->name;
+	  mtu = listen->iface->mtu;
+	  if (daemon->tftp_mtu != 0 && daemon->tftp_mtu < mtu)
+	    mtu = daemon->tftp_mtu;
 	}
      else
 	{
@@ -234,9 +236,17 @@ void tftp_request(struct listener *listen, time_t now)

      strncpy(ifr.ifr_name, name, IF_NAMESIZE);
      if (ioctl(listen->tftpfd, SIOCGIFMTU, &ifr) != -1)
-	mtu = ifr.ifr_mtu;      
+	{
+	  mtu = ifr.ifr_mtu;  
+	  if (daemon->tftp_mtu != 0 && daemon->tftp_mtu < mtu)
+	    mtu = daemon->tftp_mtu;    
+	}
    }

+  /* Failed to get interface mtu - can use configured value. */
+  if (mtu == 0)
+    mtu = daemon->tftp_mtu;
+
  if (name)
    {
      /* check for per-interface prefix */ 
@@ -502,7 +512,7 @@ static struct tftp_file *check_tftp_fileperm(ssize_t *len, char *prefix)
  return NULL;
 }

-void check_tftp_listeners(fd_set *rset, time_t now)
+void check_tftp_listeners(time_t now)
 {
  struct tftp_transfer *transfer, *tmp, **up;
  ssize_t len;
@@ -518,7 +528,7 @@ void check_tftp_listeners(fd_set *rset, time_t now)
      
      prettyprint_addr(&transfer->peer, daemon->addrbuff);
     
-      if (FD_ISSET(transfer->sockfd, rset))
+      if (poll_check(transfer->sockfd, POLLIN))
 	{
 	  /* we overwrote the buffer... */
 	  daemon->srv_save = NULL;
--- a/src/util.c
+++ b/src/util.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -570,12 +570,6 @@ char *print_mac(char *buff, unsigned char *mac, int len)
  return buff;
 }

-void bump_maxfd(int fd, int *max)
-{
-  if (fd > *max)
-    *max = fd;
-}
-
 /* rc is return from sendto and friends.
   Return 1 if we should retry.
   Set errno to zero if we succeeded. */
Author	SHA1	Message	Date
Simon Kelley	fa79466c2a	Tighten syntax checking for dhcp-range and clarify man page.	2016-03-03 20:33:54 +00:00
Simon Kelley	a93bd4b016	Fix broken DNSMASQ_USER<x> envvars in script with more than one class.	2016-03-01 18:58:01 +00:00
Simon Kelley	407a1f3e95	Tidy parsing code.	2016-03-01 17:06:07 +00:00
Simon Kelley	4b6af5d53f	Fix pointer declaration botch.	2016-03-01 17:00:26 +00:00
Simon Kelley	7aa3f9af66	format fix.	2016-03-01 16:32:30 +00:00
Simon Kelley	f7cf749943	Check return code from open()	2016-03-01 16:19:23 +00:00
Simon Kelley	aa300f7167	Fix typo in last commit.	2016-03-01 15:19:13 +00:00
Simon Kelley	c7f3bd2ac8	Replace incoming EDNS0_OPTION_NOMDEVICEID and EDNS0_OPTION_NOMCPEID options.	2016-02-28 21:48:34 +00:00
Simon Kelley	22fe2fd038	Fix --add-subnet when returning empty or default subnet.	2016-02-28 17:07:10 +00:00
Simon Kelley	7480aeffc8	Apply ceiling of lease length to TTL when --dhcp-ttl in use.	2016-02-26 21:58:20 +00:00
Simon Kelley	bec366b404	Add --tftp-mtu option.	2016-02-24 22:03:26 +00:00
Simon Kelley	e06e6e34bf	Update CHANGELOG.	2016-02-24 21:26:16 +00:00
Simon Kelley	832e47beab	Add --dhcp-ttl option.	2016-02-24 21:24:45 +00:00
Simon Kelley	df3d54f776	Add TTL parameter to --host-record and --cname.	2016-02-24 21:03:38 +00:00
Simon Kelley	22c0f4fe87	Fix previous commit.	2016-02-17 22:12:31 +00:00
Simon Kelley	9e4cf47ee8	Add --add-mac=text option.	2016-02-17 20:26:32 +00:00
Simon Kelley	fdc97e1383	Avoid divide-by-zero when dhcp-range is a whole /64	2016-02-13 17:47:17 +00:00
S L	a18bf3149a	Avoid losing timer when deleting a RA context.	2016-02-12 17:36:20 +00:00
Simon Kelley	1566bacb2c	Fix breakage in ARP code when IPV6 support not compiled in.	2016-02-05 14:48:25 +00:00
Simon Kelley	e6e751b066	Make names of ARP script actions consistent.	2016-02-01 17:59:07 +00:00
Andy Stormont	8de875f0fb	Fix FTBFS on illumos	2016-02-01 12:07:57 +00:00
Chris Novakovic	4ace25c5d6	Treat REFUSED (not SERVFAIL) as an unsuccessful upstream response Commit `51967f9807` began treating SERVFAIL as a successful response from an upstream server (thus ignoring future responses to the query from other upstream servers), but a typo in that commit means that REFUSED responses are accidentally being treated as successful instead of SERVFAIL responses. This commit corrects this typo and provides the behaviour intended by commit `51967f9`: SERVFAIL responses are considered successful (and will be sent back to the requester), while REFUSED responses are considered unsuccessful (and dnsmasq will wait for responses from other upstream servers that haven't responded yet).	2016-01-25 21:54:35 +00:00
Simon Kelley	1e5051228d	Final form of configuration for EDNS0 MAC-address code.	2016-01-25 21:29:23 +00:00
Hans Dedecker	926332a764	Add --max-port config option.	2016-01-23 10:48:12 +00:00
Simon Kelley	d05dd58de1	Fix wrong reply to simple name when --domain-needed set and no servers configured. Also return REFUSED and not SERVFAIL when out of memory. Thanks to Allain Legacy for problem report.	2016-01-19 21:23:30 +00:00
Simon Kelley	f7443d76f7	Fix problems in last commit when DNSSEC not enabled.	2016-01-19 20:29:57 +00:00
Simon Kelley	f344dbc622	Complete DNSSEC server-selection code and set conntrack on DNSSEC queries.	2016-01-18 18:11:54 +00:00
Simon Kelley	f4d0c660ca	Fix sporadic crash in find_mac() - hwlen must be zero for empty entries.	2016-01-18 12:51:08 +00:00
Simon Kelley	1801a29226	Fix botch in forward.c flags code. Thanks to Matthias Anfree for spotting this.	2016-01-17 21:53:57 +00:00
Simon Kelley	92be34a407	Complete work to allow DNSSEC validation with private DNS servers.	2016-01-16 18:39:54 +00:00
Simon Kelley	bb58f63ce5	arp.c tidy up.	2016-01-14 19:23:10 +00:00
Simon Kelley	367341f745	Disable DNSSEC for server=/domain/.. servers unless trust-anchor provided.	2016-01-12 15:58:23 +00:00
André Glüpker	eddf365284	Fix bad cache-size calculation when hosts-file read fails.	2016-01-12 12:54:17 +00:00
Simon Kelley	a63b8b89e6	DNSSEC: Handle non-root trust anchors, and check we have a root trust anchor.	2016-01-12 11:28:58 +00:00
Simon Kelley	5757371d43	Inhibit DNSSEC validation when forwarding to private servers for a domain. server=/example.com/<ip-of-server> The rationale is that the chain-of-trust will not be complete to private servers. If it was, it would not be necessary to access the server direct.	2016-01-11 22:50:00 +00:00
Simon Kelley	b633de9413	Fix FTBFS when scripts excluded at compilation time.	2016-01-06 22:51:17 +00:00
Simon Kelley	c49778df4a	Update copyright notices. Happy new year!	2016-01-06 18:52:33 +00:00
Simon Kelley	53a9173fc0	Handle building with script support enabled and DHCP disabled.	2016-01-06 17:59:13 +00:00
Simon Kelley	d917275e48	Fix botch in new arp-cache linked-list code resulting in 100% CPU spin.	2016-01-04 17:17:41 +00:00
Simon Kelley	cc7cb0b893	Fix datatype-sixe botch which broke DNSSEC sig timestamps when far in the future.	2016-01-04 16:04:51 +00:00
Simon Kelley	ec0628c4b2	Trivial code tweak.	2015-12-31 20:55:39 +00:00
Simon Kelley	97b1d25764	Correct logic for when to start helper.	2015-12-31 18:52:38 +00:00
Simon Kelley	33702ab1f8	First complete version of DNS-client-id EDNS0 and ARP tracking code.	2015-12-28 23:17:15 +00:00
Simon Kelley	11867dc28c	Cache access to the kernel's ARP table.	2015-12-23 16:15:58 +00:00
Simon Kelley	d3a8b39c7d	More EDNS0 packet-size tweaks.	2015-12-23 12:27:37 +00:00
Simon Kelley	15379ea1f2	Log signature algo with DNSKEY and DS, also digest with DS.	2015-12-21 18:31:55 +00:00
Simon Kelley	efef497b89	Fix build failure when DNSSEC code omitted.	2015-12-21 17:30:44 +00:00
Simon Kelley	5aa5f0ff2f	Truncate DNS replies >512 bytes that the client isn't expecting.	2015-12-21 17:20:35 +00:00
Simon Kelley	5bb88f0963	Handle extending EDNS0 OPT RR.	2015-12-21 16:23:47 +00:00
Simon Kelley	1d03016bbc	Split EDNS0 stuff into its own source file.	2015-12-21 14:17:06 +00:00
Simon Kelley	ce5732e84f	NSEC3 check: RFC5155 para 8.2	2015-12-20 21:39:19 +00:00
Simon Kelley	a86fdf437e	Minor tweak to previous commit.	2015-12-20 21:19:20 +00:00
Simon Kelley	3e86d316c4	Nasty, rare and obscure off-by-one in DNSSEC hostname_cmp().	2015-12-20 20:50:05 +00:00
Simon Kelley	d67ecac59d	More tweaks in handling unknown DNSSEC algorithms.	2015-12-20 20:44:23 +00:00
Simon Kelley	fa14bec83b	Major tidy up of EDNS0 handling and computation/use of udp packet size.	2015-12-20 17:12:16 +00:00
Simon Kelley	14a4ae883d	Do a better job of determining which DNSSEC sig algos are supported.	2015-12-17 17:29:57 +00:00
Simon Kelley	3b799c826d	Fix brace botch in dnssec_validate_ds() Thanks to Michał Kępień for spotting this.	2015-12-17 16:58:04 +00:00
Simon Kelley	b40f26c019	Tidy up DNSSEC non-existence code. Check zone status is NSEC proof bad.	2015-12-17 11:57:26 +00:00
Simon Kelley	dd4ad9ac7e	Tweaks to EDNS0 handling in DNS replies.	2015-12-17 10:44:58 +00:00
Simon Kelley	2dbba34b2c	DNSSEC validation tweak. A zone which has at least one key with an algorithm we don't support should be considered as insecure.	2015-12-16 13:41:58 +00:00
Simon Kelley	c2bcd1e183	Generalise RR-filtering code, for use with EDNS0.	2015-12-15 17:25:21 +00:00
Simon Kelley	d64c81fff7	Move code which caches DS records to a more logical place.	2015-12-15 16:11:06 +00:00
Simon Kelley	93be5b1e02	Abandon caching RRSIGs and returning them from cache. The list of exceptions to being able to locally answer cached data for validated records when DNSSEC data is requested was getting too long, so don't ever do that. This means that the cache no longer has to hold RRSIGS and allows us to lose lots of code. Note that cached validated answers are still returned as long as do=0	2015-12-15 12:04:40 +00:00
Simon Kelley	9a31b68b59	Major rationalisation of DNSSEC validation. Much gnarly special-case code removed and replaced with correct general implementaion. Checking of zone-status moved to DNSSEC code, where it should be, vastly simplifying query-forwarding code.	2015-12-15 10:20:39 +00:00
Simon Kelley	0007ee9064	Fix crash at start up with conf-dir=/path,* Thanks to Brian Carpenter and American Fuzzy Lop for finding the bug.	2015-11-21 21:47:41 +00:00
Simon Kelley	67ab3285b5	Handle unknown DS hash algos correctly. When we can validate a DS RRset, but don't speak the hash algo it contains, treat that the same as an NSEC/3 proving that the DS doesn't exist. 4025 5.2	2015-11-20 23:20:47 +00:00
Edwin Török	41a8d9e99b	Fix crash when empty address from DNS overlays A record from hosts.	2015-11-14 17:55:41 +00:00
Simon Kelley	90477fb794	Update list of subnet for --bogus-priv RFC6303 specifies & recommends following zones not be forwarded to globally facing servers. +------------------------------+-----------------------+ \| Zone \| Description \| +------------------------------+-----------------------+ \| 0.IN-ADDR.ARPA \| IPv4 "THIS" NETWORK \| \| 127.IN-ADDR.ARPA \| IPv4 Loopback NETWORK \| \| 254.169.IN-ADDR.ARPA \| IPv4 LINK LOCAL \| \| 2.0.192.IN-ADDR.ARPA \| IPv4 TEST-NET-1 \| \| 100.51.198.IN-ADDR.ARPA \| IPv4 TEST-NET-2 \| \| 113.0.203.IN-ADDR.ARPA \| IPv4 TEST-NET-3 \| \| 255.255.255.255.IN-ADDR.ARPA \| IPv4 BROADCAST \| +------------------------------+-----------------------+ Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>	2015-10-20 21:21:32 +01:00
Simon Kelley	98079ea898	Catch errors from sendmsg in DHCP code. Logs, eg, iptables DROPS of dest 255.255.255.255	2015-10-13 20:32:21 +01:00
Simon Kelley	4790115455	Use /run/dnsmasq instead of /var/run/dnsmasq in Debian package.	2015-09-29 22:54:41 +01:00
Simon Kelley	27b78d990b	Rationalise `5e3e464ac4`	2015-09-26 21:40:45 +01:00
Simon Kelley	77607cbea0	Respect the --no-resolv flag in inotify code.	2015-09-10 23:08:43 +01:00
Simon Kelley	102208df69	DHCPv6 option 56 does not hold an address list. (RFC 5908).	2015-09-10 21:50:00 +01:00
Simon Kelley	6de81f1250	Handle signed dangling CNAME replies to DS queries.	2015-09-09 22:51:13 +01:00
Simon Kelley	20fd11e11a	Clarify man page on RDNSS set in router advertisement.	2015-08-26 22:48:13 +01:00
Simon Kelley	9cdcfe9f19	Suggest solution to ENOMEM error with IPv6 multicast.	2015-08-26 22:38:08 +01:00
Simon Kelley	5e3e464ac4	Fix behaviour of empty dhcp-option=option6:dns-server, which should inhibit sending option.	2015-08-25 23:08:39 +01:00
Simon Kelley	3a3965ac21	Don't answer non-auth queries for auth zones locally when --localise-queries set.	2015-08-09 17:45:06 +01:00
Ed Bardsley	a7369bef8a	Enhance --add-subnet to allow arbitary subnet addresses.	2015-08-05 21:17:18 +01:00
Simon Kelley	d2aa7dfbb6	Include 0.0.0.0/8 in DNS rebind checks.	2015-08-03 21:52:12 +01:00
Simon Kelley	63ec5d1264	Fix new poll() code for helper pipe. Removed CPU-spin.	2015-07-30 20:59:07 +01:00
Simon Kelley	f6381cf482	Declare utime().	2015-07-27 19:48:43 +01:00
Kevin Darbyshire-Bryant	34b5d19488	Update DNSSEC timestamp file on process TERM.	2015-07-27 19:34:23 +01:00
Conrad Kostecki	d6cb7e4815	Update german translation	2015-07-27 19:22:49 +01:00
Simon Kelley	d389e0191b	DNSSEC fix: correct logic for signed records in unsigned DNS space.	2015-07-27 18:56:43 +01:00
Simon Kelley	d3699bb6bc	Small tweak to DNSSEC fix.	2015-07-16 22:37:37 +01:00
Simon Kelley	13480e8c2a	DNSSEC fix, signed wildcard CNAME to unsigned domain.	2015-07-16 22:23:13 +01:00
Jan Psota	5b3b93f80a	Update Polish translation.	2015-07-15 19:57:47 +01:00
Simon Kelley	b69e845b1c	Close Lauchpad bug in Debian changelog.	2015-07-15 19:54:50 +01:00
Simon Kelley	90c3822bfa	Grow pollfds array exponentially.	2015-07-13 12:47:52 +01:00
Simon Kelley	c895a0626d	Merge messages for translations.	2015-07-12 21:27:40 +01:00
Simon Kelley	b842bc97bb	Use poll() instead of select() to remove limits on open file descriptors.	2015-07-12 21:09:11 +01:00
Simon Kelley	0f38fa05a6	Log message typo.	2015-07-08 22:42:14 +01:00
Simon Kelley	45c5cb1f8f	Fix compilation warning.	2015-07-08 22:40:57 +01:00
Simon Kelley	f6d6956261	Test for overflowing platform FD_SET size.	2015-07-08 22:38:13 +01:00
Simon Kelley	60176c7bf4	Bump version in Debian changelog.	2015-07-07 21:54:55 +01:00
Simon Kelley	362c9303da	Fix inotify code to handle dangling symlinks better.	2015-07-06 21:48:49 +01:00
Simon Kelley	5e95a552ee	Avoid hanngs in DHCP ping code when system time goes backwards.	2015-07-05 22:31:30 +01:00
Simon Kelley	90cb222551	--conf-file should read no file, not try and read the default file.	2015-07-05 21:59:10 +01:00
Ján Sáreník	850163288d	Manpage typo fix.	2015-07-05 21:23:27 +01:00