Fix for 12af2b171d

Optimise sort_rrset for the case where the RR type no canonicalisation.
Fix to 75e2f0aec33e58ef5b8d4d107d821c215a52827c
2021-01-22 22:26:25 +00:00 · 2021-01-22 18:50:43 +00:00 · 2021-01-22 18:24:03 +00:00 · 2021-01-22 17:30:27 +00:00 · 2021-01-17 23:35:24 +00:00 · 2021-01-15 22:21:52 +00:00
83 changed files with 12398 additions and 8658 deletions
--- a/150
+++ b/150
@@ -1,3 +1,149 @@
+version 2.83
+	Use the values of --min-port and --max-port in outgoing
+	TCP connections to upstream DNS servers.
+
+	Fix a remote buffer overflow problem in the DNSSEC code. Any
+	dnsmasq with DNSSEC compiled in and enabled is vulnerable to this,
+	referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683
+	CVE-2020-25687.
+
+	Be sure to only accept UDP DNS query replies at the address
+	from which the query was originated. This keeps as much entropy
+	in the {query-ID, random-port} tuple as possible, to help defeat
+	cache poisoning attacks. Refer: CVE-2020-25684.
+
+	Use the SHA-256 hash function to verify that DNS answers
+	received are for the questions originally asked. This replaces
+	the slightly insecure SHA-1 (when compiled with DNSSEC) or
+	the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
+
+	Handle multiple identical near simultaneous DNS queries better.
+	Previously, such queries would all be forwarded
+	independently. This is, in theory, inefficent but in practise
+	not a problem, _except_ that is means that an answer for any
+	of the forwarded queries will be accepted and cached.
+	An attacker can send a query multiple times, and for each repeat,
+	another {port, ID} becomes capable of accepting the answer he is
+	sending in the blind, to random IDs and ports. The chance of a
+	succesful attack is therefore multiplied by the number of repeats
+	of the query. The new behaviour detects repeated queries and
+	merely stores the clients sending repeats so that when the
+	first query completes, the answer can be sent to all the
+	clients who asked. Refer: CVE-2020-25686.
+	
+
+version 2.82
+	Improve behaviour in the face of network interfaces which come
+	and go and change index. Thanks to Petr Mensik for the patch.
+
+	Convert hard startup failure on NETLINK_NO_ENOBUFS under qemu-user
+	to a warning.
+
+	Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in --dhcp-option.
+
+	Fix crash under heavy TCP connection load introduced in 2.81.
+	Thanks to Frank for good work chasing this down.
+
+	Change default lease time for DHCPv6 to one day.
+
+	Alter calculation of preferred and valid times in router
+	advertisements, so that these do not have a floor applied
+	of the lease time in the dhcp-range if this is not explicitly
+	specified and is merely the default.
+	Thanks to Martin-Éric Racine for suggestions on this.
+
+	
+version 2.81
+	Improve cache behaviour for TCP connections. For ease of
+	implementation, dnsmasq has always forked a new process to handle
+	each incoming TCP connection. A side-effect of this is that
+	any DNS queries answered from TCP connections are not cached:
+	when TCP connections were rare, this was not a problem.
+	With the coming of DNSSEC, it is now the case that some
+	DNSSEC queries have answers which spill to TCP, and if,
+	for instance, this applies to the keys for the root, then
+	those never get cached, and performance is very bad.
+	This fix passes cache entries back from the TCP child process to
+	the main server process, and fixes the problem.
+
+	Remove the NO_FORK compile-time option, and support for uclinux.
+	In an era where everything has an MMU, this looks like
+	an anachronism, and it adds to (Ok, multiplies!) the
+	combinatorial explosion of compile-time options. Thanks to
+	Kevin Darbyshire-Bryant for the patch.
+
+	Fix line-counting when reading /etc/hosts and friends; for
+	correct error messages. Thanks to Christian Rosentreter
+	for reporting this.
+
+	Fix bug in DNS non-terminal code, added in 2.80, which could
+	sometimes cause a NODATA rather than an NXDOMAIN reply.
+	Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
+	for spotting and diagnosing the bug and providing patches.
+
+	Support TCP-fastopen (RFC-7413) on both incoming and
+	outgoing TCP connections, if supported and enabled in the OS.
+
+	Improve kernel-capability manipulation code under Linux. Dnsmasq
+	now fails early if a required capability is not available, and
+	tries not to request capabilities not required by its
+	configuration.
+
+	Add --shared-network config. This enables allocation of addresses
+	by the DHCP server in subnets where the server (or relay) does not
+	have an interface on the network in that subnet. Many thanks to
+	kamp.de for sponsoring this feature.
+	
+	Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
+	validation check got borked in commit 2b38e382 and release 2.80.
+	Thanks to Tomasz Szajner for spotting this.
+
+	Fix compilation against nettle version 3.5 and later.
+
+	Fix spurious DNSSEC validation failures when the auth section
+	of a reply contains unsigned RRs from a signed zone, 
+	with the exception that NSEC and NSEC3 RRs must always be signed.
+        Thanks to Tore Anderson for spotting and diagnosing the bug.
+
+	Add --dhcp-ignore-clid. This disables reading of DHCP client
+	identifier option (option 61), so clients are only identified by
+	MAC addresses.
+
+	Fix a bug which stopped --dhcp-name-match from working when a hostname
+	is supplied in --dhcp-host. Thanks to James Feeney for spotting this.
+
+	Fix bug which caused very rarely caused zero-length DHCPv6 packets.
+	Thanks to Dereck Higgins for spotting this.
+
+	Add --tftp-single-port option.
+
+	Enhance --conf-dir to load files in a deterministic order. Thanks to
+	Evgenii Seliavka for the suggestion and initial patch.
+
+	In the router advert code, handle case where we have two
+	different interfaces on the same IPv6 net, and we are doing
+	RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
+	for spotting this case and making the initial patch.
+
+	Support prefixed ranges of ipv6 addresses in dhcp-host.
+	This eases problems chain-netbooting, where each link in the
+	chain requests an address using a different UID. With a single
+	address, only one gets the "static" address, but with this
+	fix, enough addresses can be reserved for all the stages of the
+	boot. Many thanks to Harald Jensås for his work on this idea and
+	earlier patches.
+
+	Add filtering by tag of --dhcp-host directives. Based on a patch
+	by Harald Jensås.
+
+	Allow empty server spec in --rev-server, to match --server.
+	
+	Remove DSA signature verification from DNSSEC, as specified in
+	RFC 8624. Thanks to Loganaden Velvindron for the original patch.
+
+	Add --script-on-renewal option.
+
+	
 version 2.80
 	Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
 	for the initial patch and motivation.
@@ -64,6 +210,10 @@ version 2.80
 	now always forward, and never answer from the cache. This
 	allows "dig +trace" command to work. 
 	
+	Include in the example config file a formulation which
+	stops DHCP clients from claiming the DNS name "wpad".
+	This is a fix for the CERT Vulnerability VU#598349.
+
 	
 version 2.79
 	Fix parsing of CNAME arguments, which are confused by extra spaces.
--- a/13
+++ b/13
@@ -53,7 +53,7 @@ top?=$(CURDIR)

 dbus_cflags =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` 
 dbus_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` 
-ubus_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS $(PKG_CONFIG) --copy -lubox -lubus`
+ubus_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy '-lubox -lubus'`
 idn_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn` 
 idn_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn` 
 idn2_cflags =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --cflags libidn2`
@@ -62,8 +62,10 @@ ct_cflags =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CON
 ct_libs =       `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
 lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua5.2` 
 lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.2` 
-nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed`
-nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed`
+nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --cflags 'nettle hogweed' \
+                                                        HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`
+nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --libs 'nettle hogweed' \
+                                                        HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`
 gmp_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
 sunos_libs =    `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
 version =     -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
@@ -77,7 +79,8 @@ objs = cache.o rfc1035.o util.o option.o forward.o network.o \
       helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
       dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
       domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
-       poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o metrics.o
+       poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
+       metrics.o hash_questions.o

 hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
       dns-protocol.h radv-protocol.h ip6addr.h metrics.h
@@ -111,7 +114,7 @@ all-i18n : $(BUILDDIR)
 top="$(top)" \
 i18n=-DLOCALEDIR=\'\"$(LOCALEDIR)\"\' \
 build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
- build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs)"  \
+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs)"  \
 -f $(top)/Makefile dnsmasq
 	for f in `cd $(PO); echo *.po`; do \
 		cd $(top) && cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile $${f%.po}.mo; \
--- a/bld/Android.mk
+++ b/bld/Android.mk
@@ -11,7 +11,7 @@ LOCAL_SRC_FILES :=  bpf.c cache.c dbus.c dhcp.c dnsmasq.c \
 		    radv.c slaac.c auth.c ipset.c domain.c \
 	            dnssec.c dnssec-openssl.c blockdata.c tables.c \
 		    loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \
-		    crypto.c dump.c ubus.c
+		    crypto.c dump.c ubus.c metrics.c hash_questions.c

 LOCAL_MODULE := dnsmasq

--- a/bld/pkg-wrapper
+++ b/bld/pkg-wrapper
@@ -1,33 +1,37 @@
 #!/bin/sh

-search=$1
-shift
-pkg=$1
-shift
-op=$1
-shift
-
 in=`cat`

-if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
-    echo $in | grep $search >/dev/null 2>&1; then
-# Nasty, nasty, in --copy, arg 2 is another config to search for, use with NO_GMP
+search()
+{
+    grep "^\#[[:space:]]*define[[:space:]]*$1" config.h >/dev/null 2>&1 || \
+    echo $in | grep $1 >/dev/null 2>&1
+}
+
+while [ "$#" -gt 0 ]; do
+    search=$1
+    pkg=$2
+    op=$3
+    lib=$4
+    shift 4
+if search "$search"; then
+
+# Nasty, nasty, in --copy, arg 2 (if non-empty) is another config to search for, used with NO_GMP
    if [ $op = "--copy" ]; then
-	if grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \
-            echo $in | grep $pkg >/dev/null 2>&1; then
+	if [ -z "$pkg" ]; then
+	    pkg="$lib"
+	elif search "$pkg"; then
 	    pkg=""
 	else 
-	    pkg="$*"
+	    pkg="$lib"
 	fi
-    elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
-	      echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
-	pkg=`$pkg  --static $op $*`
+    elif search "${search}_STATIC"; then
+	pkg=`$pkg  --static $op $lib`
    else
-	pkg=`$pkg $op $*`
+	pkg=`$pkg $op $lib`
    fi
-
-    if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
-	echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
+    
+    if search "${search}_STATIC"; then
 	if [ $op = "--libs" ] || [ $op = "--copy" ]; then
 	    echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic"
 	else
@@ -38,3 +42,4 @@ if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
    fi
 fi

+done
--- a/contrib/lease-tools/dhcp_lease_time.c
+++ b/contrib/lease-tools/dhcp_lease_time.c
@@ -83,7 +83,7 @@ static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt
          if (p >= end - 2)
            return NULL; /* malformed packet */
          opt_len = option_len(p);
-          if (end - p >= (2 + opt_len))
+          if (end - p < (2 + opt_len))
            return NULL; /* malformed packet */
          if (*p == opt && opt_len >= minsize)
            return p;
--- a/contrib/lease-tools/dhcp_release.c
+++ b/contrib/lease-tools/dhcp_release.c
@@ -178,7 +178,7 @@ static int is_same_net(struct in_addr a, struct in_addr b, struct in_addr mask)
  return (a.s_addr & mask.s_addr) == (b.s_addr & mask.s_addr);
 }

-static struct in_addr find_interface(struct in_addr client, int fd, unsigned int index)
+static struct in_addr find_interface(struct in_addr client, int fd, unsigned int index, int ifrfd, struct ifreq *ifr)
 {
  struct sockaddr_nl addr;
  struct nlmsghdr *h;
@@ -218,7 +218,17 @@ static struct in_addr find_interface(struct in_addr client, int fd, unsigned int

      for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h = NLMSG_NEXT(h, len))
 	if (h->nlmsg_type == NLMSG_DONE)
-	  exit(0);
+          {
+	    /* No match found, return first address as src/dhcp.c code does */
+	    ifr->ifr_addr.sa_family = AF_INET;
+	    if (ioctl(ifrfd, SIOCGIFADDR, ifr) != -1)
+	      return ((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr;
+	    else
+	      {
+		fprintf(stderr, "error: local IPv4 address not found\n");
+		exit(1);
+	      }
+          }
 	else if (h->nlmsg_type == RTM_NEWADDR)
          {
            struct ifaddrmsg *ifa = NLMSG_DATA(h);  
@@ -285,7 +295,7 @@ int main(int argc, char **argv)
    }
  
  lease.s_addr = inet_addr(argv[2]);
-  server = find_interface(lease, nl, if_nametoindex(argv[1]));
+  server = find_interface(lease, nl, if_nametoindex(argv[1]), fd, &ifr);
  
  memset(&packet, 0, sizeof(packet));
 
--- a/contrib/reverse-dns/README
+++ b/contrib/reverse-dns/README
@@ -14,5 +14,5 @@ log-facility=/var/log/dnsmasq.log

 in the dnsmasq configuration.

-The script runs on debian (with ash installed) and on busybox.
+The script runs on debian (with dash installed) and on busybox.

--- a/contrib/reverse-dns/reverse_replace.sh
+++ b/contrib/reverse-dns/reverse_replace.sh
@@ -1,4 +1,4 @@
-#!/bin/ash
+#!/bin/dash
 # $Id: reverse_replace.sh 18 2015-03-01 16:12:35Z jo $
 #
 # Usage e.g.: netstat -n -4 | reverse_replace.sh 
--- a/contrib/systemd/dnsmasq.service
+++ b/contrib/systemd/dnsmasq.service
@@ -1,5 +1,8 @@
 [Unit]
 Description=dnsmasq - A lightweight DHCP and caching DNS server
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target

 [Service]
 Type=dbus
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,52 @@
+dnsmasq (2.83-1) unstable; urgency=high
+
+   * New upstream.
+   * Includes fixes to CVE-2020-25681 - CVE-2020-25687 inclusive.
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Fri, 15 Jan 2021 22:22:41 +0000
+
+dnsmasq (2.82-1) unstable; urgency=low
+
+   * New upstream.
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Fri, 26 Jun 2020 22:22:41 +0000
+
+dnsmasq (2.81-4) unstable; urgency=low
+
+   * Remove runit support when building for Ubuntu. (closes: #960401)
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Fri, 26 Jun 2020 21:52:44 +0000
+
+dnsmasq (2.81-3) unstable; urgency=low
+
+   * Fixes to control file for bug 958100
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Sun, 19 Apr 2020 21:44:12 +0000
+
+dnsmasq (2.81-2) unstable; urgency=low
+
+   * Fix FTBFS on kFreeBSD. (closes: #958100)
+	
+ -- Simon Kelley <simon@thekelleys.org.uk>  Sat, 18 Apr 2020 18:34:15 +0000
+
+dnsmasq (2.81-1) unstable; urgency=low
+
+   * New upstream.
+   * Fix nodocs/nodoc confusion in rules. (closes: #922758)
+   * Add Vcs-* fields to control. (closes: #922422)
+   * Add systemd support for multiple daemon instances. (closes: #914305)
+   * Add note explaining that ENABLED is SYSV-init only. (closes: #914755)
+   * Replace ash with dash in contrib/reverse-dns. (closes: #920224)
+   * Move to libidn2. (closes: #932695)
+   * Fix RA problem with two interfaces on same net, but RA service on
+     only one of the interfaces. (closes: #949565)
+   * Fix breakage of dig +trace. (closes: #942363)
+   * Fix build faliure with newer Nettle libraries. (closes: #940985)
+   * Support runscript init-system (closes: #929884)
+   * Security fix for CVE-2019-14834 (closes: #948373)
+	
+ -- Simon Kelley <simon@thekelleys.org.uk>  Wed, 8 Apr 2020 17:33:15 +0000
+
 dnsmasq (2.80-1) unstable; urgency=low

   * New upstream. (closes: #837602) (closes: #794640) (closes: #794636)
--- a/debian/control
+++ b/debian/control
@@ -2,19 +2,23 @@ Source: dnsmasq
 Section: net
 Priority: optional
 Build-depends: gettext, libnetfilter-conntrack-dev [linux-any],
-               libidn11-dev, libdbus-1-dev (>=0.61), libgmp-dev, 
-               nettle-dev (>=2.4-3), libbsd-dev [!linux-any],
-	       liblua5.2-dev
+               libidn2-dev, libdbus-1-dev (>=0.61), libgmp-dev, 
+               nettle-dev (>=2.4-3), libbsd-dev [kfreebsd-any],
+	       liblua5.2-dev, dh-runit, debhelper-compat (= 10),
+               pkg-config
 Maintainer: Simon Kelley <simon@thekelleys.org.uk>
 Homepage: http://www.thekelleys.org.uk/dnsmasq/doc.html
+Vcs-Git: http://thekelleys.org.uk/git/dnsmasq.git
+Vcs-Browser: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git
 Standards-Version: 3.9.8

 Package: dnsmasq
 Architecture: all
 Depends: netbase, dnsmasq-base,
-         init-system-helpers (>= 1.18~), lsb-base (>= 3.0-6)
+         init-system-helpers (>= 1.18~), lsb-base (>= 3.0-6), ${misc:Depends}
 Suggests: resolvconf
-Conflicts: resolvconf (<<1.15)
+Breaks: ${runit:Breaks}
+Conflicts: resolvconf (<<1.15), ${runit:Conflicts}
 Description: Small caching DNS proxy and DHCP/TFTP server
 Dnsmasq is a lightweight, easy to configure, DNS forwarder and DHCP
 server. It is designed to provide DNS and optionally, DHCP, to a 
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+dnsmasq is Copyright (c) 2000-2020 Simon Kelley

 It was downloaded from: http://www.thekelleys.org.uk/dnsmasq/

--- a/debian/default
+++ b/debian/default
@@ -1,13 +1,15 @@
-# This file has five functions: 
-# 1) to completely disable starting dnsmasq, 
-# 2) to set DOMAIN_SUFFIX by running `dnsdomainname` 
+# This file has six functions:
+# 1) to completely disable starting this dnsmasq instance
+# 2) to set DOMAIN_SUFFIX by running `dnsdomainname`
 # 3) to select an alternative config file
 #    by setting DNSMASQ_OPTS to --conf-file=<file>
 # 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
 #    more configuration variables.
 # 5) to stop the resolvconf package from controlling dnsmasq's
 #    idea of which upstream nameservers to use.
-# For upgraders from very old versions, all the shell variables set 
+# 6) to avoid using this dnsmasq instance as the system's default resolver
+#    by setting DNSMASQ_EXCEPT="lo"
+# For upgraders from very old versions, all the shell variables set
 # here in previous versions are still honored by the init script
 # so if you just keep your old version of this file nothing will break.

@@ -15,6 +17,8 @@
 #DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"

 # Whether or not to run the dnsmasq daemon; set to 0 to disable.
+# Note that this is only valid when using SYSV init. For systemd,
+# use "systemctl disable dnsmasq"
 ENABLED=1

 # By default search this drop directory for configuration options.
@@ -24,10 +28,15 @@ ENABLED=1
 # in backups made by dpkg.
 CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new

-# If the resolvconf package is installed, dnsmasq will use its output 
-# rather than the contents of /etc/resolv.conf to find upstream 
+# If the resolvconf package is installed, dnsmasq will use its output
+# rather than the contents of /etc/resolv.conf to find upstream
 # nameservers. Uncommenting this line inhibits this behaviour.
-# Note that including a "resolv-file=<filename>" line in 
+# Note that including a "resolv-file=<filename>" line in
 # /etc/dnsmasq.conf is not enough to override resolvconf if it is
 # installed: the line below must be uncommented.
 #IGNORE_RESOLVCONF=yes
+
+# If the resolvconf package is installed, dnsmasq will tell resolvconf
+# to use dnsmasq under 127.0.0.1 as the system's default resolver.
+# Uncommenting this line inhibits this behaviour.
+#DNSMASQ_EXCEPT="lo"
--- a/debian/dnsmasq.runit
+++ b/debian/dnsmasq.runit
@@ -0,0 +1 @@
+debian/dnsmasq.runscript name=dnsmasq,logscript,presubj
--- a/debian/dnsmasq.runscript/finish
+++ b/debian/dnsmasq.runscript/finish
@@ -0,0 +1,5 @@
+#!/bin/sh -eu
+if [ -x /sbin/resolvconf ] ; then
+	/sbin/resolvconf -d lo.dnsmasq
+fi
+
--- a/debian/dnsmasq.runscript/run
+++ b/debian/dnsmasq.runscript/run
@@ -0,0 +1,43 @@
+#!/lib/runit/invoke-run
+
+readonly name=dnsmasq
+readonly daemon=/usr/sbin/dnsmasq
+readonly marker=/usr/share/dnsmasq/installed-marker
+
+test -e "${marker}" || exec sv down "${name}"
+test -x "${daemon}" || exec sv down "${name}"
+
+if [ ! "${RESOLV_CONF:-}" ] &&
+   [ "${IGNORE_RESOLVCONF:-}" != "yes" ] &&
+   [ -x /sbin/resolvconf ]
+then
+	RESOLV_CONF=/run/dnsmasq/resolv.conf
+fi
+
+# This tells dnsmasq to ignore DNS requests that don't come from a local network.
+# It's automatically ignored if  --interface --except-interface, --listen-address 
+# or --auth-server exist in the configuration, so for most installations, it will
+# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
+# from being vulnerable to DNS-reflection attacks.
+
+DNSMASQ_OPTS="${DNSMASQ_OPTS:-} --local-service"
+
+# If the dns-root-data package is installed, then the trust anchors will be 
+# available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
+# --trust-anchor options.
+
+ROOT_DS="/usr/share/dns/root.ds"
+
+if [ -f $ROOT_DS ]; then
+    DNSMASQ_OPTS="$DNSMASQ_OPTS `env LC_ALL=C sed -rne "s/^([.a-zA-Z0-9]+)([[:space:]]+[0-9]+)*([[:space:]]+IN)*[[:space:]]+DS[[:space:]]+/--trust-anchor=\1,/;s/[[:space:]]+/,/gp" $ROOT_DS | tr '\n' ' '`"
+fi
+
+mkdir -p /run/dnsmasq
+chown dnsmasq:nogroup /run/dnsmasq
+[ -x /sbin/restorecon ] && /sbin/restorecon /run/dnsmasq
+exec "${daemon}" \
+	--keep-in-foreground \
+	--log-facility=/dev/stdout \
+	${RESOLV_CONF:+ -r $RESOLV_CONF} \
+	${DNSMASQ_OPTS} \
+	-u dnsmasq
--- a/debian/init
+++ b/debian/init
@@ -15,53 +15,54 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 DAEMON=/usr/sbin/dnsmasq
 NAME=dnsmasq
 DESC="DNS forwarder and DHCP server"
+INSTANCE="${2}"

 # Most configuration options in /etc/default/dnsmasq are deprecated
 # but still honoured.
 ENABLED=1
-if [ -r /etc/default/$NAME ]; then
-	. /etc/default/$NAME
+if [ -r /etc/default/${NAME}${INSTANCE:+.${INSTANCE}} ]; then
+    . /etc/default/${NAME}${INSTANCE:+.${INSTANCE}}
 fi

-# Get the system locale, so that messages are in the correct language, and the 
+# Get the system locale, so that messages are in the correct language, and the
 # charset for IDN is correct
 if [ -r /etc/default/locale ]; then
-        . /etc/default/locale
-        export LANG
+    . /etc/default/locale
+    export LANG
 fi

 # The following test ensures the dnsmasq service is not started, when the
-# package 'dnsmasq' is removed but not purged, even if the dnsmasq-base 
+# package 'dnsmasq' is removed but not purged, even if the dnsmasq-base
 # package is still in place.
 test -e /usr/share/dnsmasq/installed-marker || exit 0
- 
-test -x $DAEMON || exit 0
+
+test -x ${DAEMON} || exit 0

 # Provide skeleton LSB log functions for backports which don't have LSB functions.
 if [ -f /lib/lsb/init-functions ]; then
-         . /lib/lsb/init-functions
+    . /lib/lsb/init-functions
 else
-         log_warning_msg () {
-            echo "${@}."
-         }
+    log_warning_msg () {
+        echo "${@}."
+    }

-         log_success_msg () {
-            echo "${@}."
-         }
+    log_success_msg () {
+        echo "${@}."
+    }

-         log_daemon_msg () {
-            echo -n "${1}: $2"
-         }
+    log_daemon_msg () {
+        echo -n "${1}: ${2}"
+    }

-	 log_end_msg () {
-            if [ $1 -eq 0 ]; then
-              echo "."
-            elif [ $1 -eq 255 ]; then
-              /bin/echo -e " (warning)."
-            else
-              /bin/echo -e " failed!"
-            fi
-         }
+    log_end_msg () {
+        if [ "${1}" -eq 0 ]; then
+            echo "."
+        elif [ "${1}" -eq 255 ]; then
+            /bin/echo -e " (warning)."
+        else
+            /bin/echo -e " failed!"
+        fi
+    }
 fi

 # RESOLV_CONF:
@@ -73,76 +74,76 @@ fi
 # filename is set there then this inhibits the use of the resolvconf-provided
 # information.
 #
-# Note that if the resolvconf package is installed it is not possible to 
+# Note that if the resolvconf package is installed it is not possible to
 # override it just by configuration in /etc/dnsmasq.conf, it is necessary
 # to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq.

-if [ ! "$RESOLV_CONF" ] &&
-   [ "$IGNORE_RESOLVCONF" != "yes" ] &&
+if [ ! "${RESOLV_CONF}" ] &&
+   [ "${IGNORE_RESOLVCONF}" != "yes" ] &&
   [ -x /sbin/resolvconf ]
 then
-	RESOLV_CONF=/run/dnsmasq/resolv.conf
+    RESOLV_CONF=/run/dnsmasq/resolv.conf
 fi

-for INTERFACE in $DNSMASQ_INTERFACE; do
-	DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -i $INTERFACE"
+for INTERFACE in ${DNSMASQ_INTERFACE}; do
+    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -i ${INTERFACE}"
 done

-for INTERFACE in $DNSMASQ_EXCEPT; do
-	DNSMASQ_INTERFACES="$DNSMASQ_INTERFACES -I $INTERFACE"
+for INTERFACE in ${DNSMASQ_EXCEPT}; do
+    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -I ${INTERFACE}"
 done

-if [ ! "$DNSMASQ_USER" ]; then
+if [ ! "${DNSMASQ_USER}" ]; then
   DNSMASQ_USER="dnsmasq"
 fi

 # This tells dnsmasq to ignore DNS requests that don't come from a local network.
-# It's automatically ignored if  --interface --except-interface, --listen-address 
+# It's automatically ignored if --interface --except-interface, --listen-address
 # or --auth-server exist in the configuration, so for most installations, it will
 # have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
 # from being vulnerable to DNS-reflection attacks.

-DNSMASQ_OPTS="$DNSMASQ_OPTS --local-service"
+DNSMASQ_OPTS="${DNSMASQ_OPTS} --local-service"

-# If the dns-root-data package is installed, then the trust anchors will be 
-# available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
+# If the dns-root-data package is installed, then the trust anchors will be
+# available in ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
 # --trust-anchor options.

 ROOT_DS="/usr/share/dns/root.ds"

-if [ -f $ROOT_DS ]; then
+if [ -f ${ROOT_DS} ]; then
    DNSMASQ_OPTS="$DNSMASQ_OPTS `env LC_ALL=C sed -rne "s/^([.a-zA-Z0-9]+)([[:space:]]+[0-9]+)*([[:space:]]+IN)*[[:space:]]+DS[[:space:]]+/--trust-anchor=\1,/;s/[[:space:]]+/,/gp" $ROOT_DS | tr '\n' ' '`"
 fi

 start()
 {
-        # Return
-	#   0 if daemon has been started
-	#   1 if daemon was already running
-	#   2 if daemon could not be started
+    # Return
+    #   0 if daemon has been started
+    #   1 if daemon was already running
+    #   2 if daemon could not be started

-        # /run may be volatile, so we need to ensure that
-        # /run/dnsmasq exists here as well as in postinst
-        if [ ! -d /run/dnsmasq ]; then
-           mkdir /run/dnsmasq || return 2
-           chown dnsmasq:nogroup /run/dnsmasq || return 2
-        fi
-	[ -x /sbin/restorecon ] && /sbin/restorecon /run/dnsmasq
-	
-	start-stop-daemon --start --quiet --pidfile /run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null || return 1
-	start-stop-daemon --start --quiet --pidfile /run/dnsmasq/$NAME.pid --exec $DAEMON -- \
-		-x /run/dnsmasq/$NAME.pid \
-	        ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \
-		${MAILTARGET:+ -t $MAILTARGET} \
-		${DNSMASQ_USER:+ -u $DNSMASQ_USER} \
-		${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \
-		${DHCP_LEASE:+ -l $DHCP_LEASE} \
-		${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \
-		${RESOLV_CONF:+ -r $RESOLV_CONF} \
-		${CACHESIZE:+ -c $CACHESIZE} \
-	        ${CONFIG_DIR:+ -7 $CONFIG_DIR} \
-		${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} \
-		|| return 2
+    # /run may be volatile, so we need to ensure that
+    # /run/dnsmasq exists here as well as in postinst
+    if [ ! -d /run/dnsmasq ]; then
+        mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || return 2 ; }
+        chown dnsmasq:nogroup /run/dnsmasq || return 2
+    fi
+    [ -x /sbin/restorecon ] && /sbin/restorecon /run/dnsmasq
+
+    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null || return 1
+    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} -- \
+        -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
+        ${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
+        ${MAILTARGET:+ -t ${MAILTARGET}} \
+        ${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
+        ${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
+        ${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
+        ${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
+        ${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
+        ${CACHESIZE:+ -c ${CACHESIZE}} \
+        ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
+        ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} \
+        || return 2
 }

 start_resolvconf()
@@ -150,172 +151,175 @@ start_resolvconf()
 # If interface "lo" is explicitly disabled in /etc/default/dnsmasq
 # Then dnsmasq won't be providing local DNS, so don't add it to
 # the resolvconf server set.
-	for interface in $DNSMASQ_EXCEPT
-	do
-		[ $interface = lo ] && return
-	done
+    for interface in ${DNSMASQ_EXCEPT}; do
+        [ ${interface} = lo ] && return
+    done

-# Also skip this if DNS functionality is disabled in /etc/dnsmasq.conf
-	if grep -qs '^port=0' /etc/dnsmasq.conf; then
-		return
-	fi
+    # Also skip this if DNS functionality is disabled in /etc/dnsmasq.conf
+    if grep -qs '^port=0' /etc/dnsmasq.conf; then
+        return
+    fi

-        if [ -x /sbin/resolvconf ] ; then
-		echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.$NAME
-	fi
-	return 0
+    if [ -x /sbin/resolvconf ] ; then
+        echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.${NAME}${INSTANCE:+.${INSTANCE}}
+    fi
+    return 0
 }

 stop()
 {
-	# Return
-	#   0 if daemon has been stopped
-	#   1 if daemon was already stopped
-	#   2 if daemon could not be stopped
-	#   other if a failure occurred
-	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /run/dnsmasq/$NAME.pid --name $NAME
+    # Return
+    #   0 if daemon has been stopped
+    #   1 if daemon was already stopped
+    #   2 if daemon could not be stopped
+    #   other if a failure occurred
+    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --name ${NAME}
 }

 stop_resolvconf()
 {
-	if [ -x /sbin/resolvconf ] ; then
-		/sbin/resolvconf -d lo.$NAME
-	fi
-	return 0
+    if [ -x /sbin/resolvconf ] ; then
+        /sbin/resolvconf -d lo.${NAME}${INSTANCE:+.${INSTANCE}}
+    fi
+    return 0
 }

 status()
 {
-	# Return
-	#   0 if daemon is running
-	#   1 if daemon is dead and pid file exists
-	#   3 if daemon is not running
-	#   4 if daemon status is unknown
-	start-stop-daemon --start --quiet --pidfile /run/dnsmasq/$NAME.pid --exec $DAEMON --test > /dev/null
-	case "$?" in
-		0) [ -e "/run/dnsmasq/$NAME.pid" ] && return 1 ; return 3 ;;
-		1) return 0 ;;
-		*) return 4 ;;
-	esac
+    # Return
+    #   0 if daemon is running
+    #   1 if daemon is dead and pid file exists
+    #   3 if daemon is not running
+    #   4 if daemon status is unknown
+    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null
+    case "${?}" in
+      0) [ -e "/run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid" ] && return 1 ; return 3 ;;
+      1) return 0 ;;
+      *) return 4 ;;
+    esac
 }

-case "$1" in
+case "${1}" in
  start)
-	test "$ENABLED" != "0" || exit 0
-	log_daemon_msg "Starting $DESC" "$NAME"
-	start
-	case "$?" in
-		0)
-			log_end_msg 0
-			start_resolvconf
-			exit 0
-			;;
-		1)
-			log_success_msg "(already running)"
-			exit 0
-			;;
-		*)
-			log_end_msg 1
-			exit 1
-			;;
-	esac
-	;;
+    test "${ENABLED}" != "0" || exit 0
+    log_daemon_msg "Starting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
+    start
+    case "${?}" in
+      0)
+        log_end_msg 0
+        start_resolvconf
+        exit 0
+        ;;
+      1)
+        log_success_msg "(already running)"
+        exit 0
+        ;;
+      *)
+        log_end_msg 1
+        exit 1
+        ;;
+    esac
+    ;;
  stop)
-	stop_resolvconf
-	if [ "$ENABLED" != "0" ]; then
-             log_daemon_msg "Stopping $DESC" "$NAME"
-	fi
-	stop
-        RETVAL="$?"
-	if [ "$ENABLED" = "0" ]; then
-	    case "$RETVAL" in
-	       0) log_daemon_msg "Stopping $DESC" "$NAME"; log_end_msg 0 ;;
-            esac 
-	    exit 0
-	fi
-	case "$RETVAL" in
-		0) log_end_msg 0 ; exit 0 ;;
-		1) log_warning_msg "(not running)" ; exit 0 ;;
-		*) log_end_msg 1; exit 1 ;;
-	esac
-	;;
+    stop_resolvconf
+    if [ "${ENABLED}" != "0" ]; then
+        log_daemon_msg "Stopping ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
+    fi
+    stop
+    RETVAL="${?}"
+    if [ "${ENABLED}" = "0" ]; then
+        case "${RETVAL}" in
+          0) log_daemon_msg "Stopping ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"; log_end_msg 0 ;;
+        esac
+        exit 0
+    fi
+    case "${RETVAL}" in
+      0) log_end_msg 0 ; exit 0 ;;
+      1) log_warning_msg "(not running)" ; exit 0 ;;
+      *) log_end_msg 1; exit 1 ;;
+    esac
+    ;;
+  checkconfig)
+    ${DAEMON} --test ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} >/dev/null 2>&1
+    RETVAL="${?}"
+    exit ${RETVAL}
+    ;;
  restart|force-reload)
-	test "$ENABLED" != "0" || exit 1
-	$DAEMON --test ${CONFIG_DIR:+ -7 $CONFIG_DIR} ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} >/dev/null 2>&1
-	if [ $? -ne 0 ]; then
-	    NAME="configuration syntax check"
-	    RETVAL="2"
-	else   
-	    stop_resolvconf
-	    stop
-	    RETVAL="$?"
-        fi
-	log_daemon_msg "Restarting $DESC" "$NAME"
-	case "$RETVAL" in
-		0|1)
-		        sleep 2
-			start
-			case "$?" in
-				0)
-					log_end_msg 0
-					start_resolvconf
-					exit 0
-					;;
-			        *)
-					log_end_msg 1
-					exit 1
-					;;
-			esac
-			;;
-		*)
-			log_end_msg 1
-			exit 1
-			;;
-	esac
-	;;
+    test "${ENABLED}" != "0" || exit 1
+    ${DAEMON} --test ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} >/dev/null 2>&1
+    if [ ${?} -ne 0 ]; then
+        NAME="configuration syntax check"
+        RETVAL="2"
+    else
+        stop_resolvconf
+        stop
+        RETVAL="${?}"
+    fi
+    log_daemon_msg "Restarting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
+    case "${RETVAL}" in
+      0|1)
+        sleep 2
+        start
+        case "${?}" in
+          0)
+            log_end_msg 0
+            start_resolvconf
+            exit 0
+            ;;
+          *)
+            log_end_msg 1
+            exit 1
+            ;;
+        esac
+        ;;
+      *)
+        log_end_msg 1
+        exit 1
+        ;;
+    esac
+    ;;
  status)
-	log_daemon_msg "Checking $DESC" "$NAME"
-	status
-	case "$?" in
-		0) log_success_msg "(running)" ; exit 0 ;;
-		1) log_success_msg "(dead, pid file exists)" ; exit 1 ;;
-		3) log_success_msg "(not running)" ; exit 3 ;;
-		*) log_success_msg "(unknown)" ; exit 4 ;;
-	esac
-	;;
+    log_daemon_msg "Checking ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
+    status
+    case "${?}" in
+      0) log_success_msg "(running)" ; exit 0 ;;
+      1) log_success_msg "(dead, pid file exists)" ; exit 1 ;;
+      3) log_success_msg "(not running)" ; exit 3 ;;
+      *) log_success_msg "(unknown)" ; exit 4 ;;
+    esac
+    ;;
  dump-stats)
-        kill -s USR1 `cat /run/dnsmasq/$NAME.pid`
-	;;
+    kill -s USR1 `cat /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid`
+    ;;
  systemd-start-resolvconf)
-	start_resolvconf
-	;;
+    start_resolvconf
+    ;;
  systemd-stop-resolvconf)
-	stop_resolvconf
-	;;
+    stop_resolvconf
+    ;;
  systemd-exec)
-# /run may be volatile, so we need to ensure that
-        # /run/dnsmasq exists here as well as in postinst
-        if [ ! -d /run/dnsmasq ]; then
-           mkdir /run/dnsmasq || return 2
-           chown dnsmasq:nogroup /run/dnsmasq || return 2
-        fi
-	exec $DAEMON -x /run/dnsmasq/$NAME.pid \
-	    ${MAILHOSTNAME:+ -m $MAILHOSTNAME} \
-	    ${MAILTARGET:+ -t $MAILTARGET} \
-	    ${DNSMASQ_USER:+ -u $DNSMASQ_USER} \
-	    ${DNSMASQ_INTERFACES:+ $DNSMASQ_INTERFACES} \
-	    ${DHCP_LEASE:+ -l $DHCP_LEASE} \
-	    ${DOMAIN_SUFFIX:+ -s $DOMAIN_SUFFIX} \
-	    ${RESOLV_CONF:+ -r $RESOLV_CONF} \
-	    ${CACHESIZE:+ -c $CACHESIZE} \
-	    ${CONFIG_DIR:+ -7 $CONFIG_DIR} \
-	    ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS} 
-	;;
+    # /run may be volatile, so we need to ensure that
+    # /run/dnsmasq exists here as well as in postinst
+    if [ ! -d /run/dnsmasq ]; then
+        mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || return 2 ; }
+        chown dnsmasq:nogroup /run/dnsmasq || return 2
+    fi
+    exec ${DAEMON} -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
+        ${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
+        ${MAILTARGET:+ -t ${MAILTARGET}} \
+        ${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
+        ${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
+        ${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
+        ${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
+        ${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
+        ${CACHESIZE:+ -c ${CACHESIZE}} \
+        ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
+        ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}}
+    ;;
  *)
-	echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|dump-stats|status}" >&2
-	exit 3
-	;;
+    echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload|dump-stats|status}" >&2
+    exit 3
+    ;;
 esac

 exit 0
-
--- a/debian/rules
+++ b/debian/rules
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 # debian/rules file - for dnsmasq.
-# Copyright 2001-2018 by Simon Kelley
+# Copyright 2001-2020 by Simon Kelley
 # Based on the sample in the debian hello package which carries the following:
 # Copyright 1994,1995 by Ian Jackson.
 # I hereby give you perpetual unlimited permission to copy,
@@ -49,7 +49,7 @@ ifeq (,$(filter nodbus,$(DEB_BUILD_OPTIONS)))
 endif

 ifeq (,$(filter noidn, $(DEB_BUILD_OPTIONS)))
-	DEB_COPTS += -DHAVE_IDN
+	DEB_COPTS += -DHAVE_LIBIDN2
 endif

 ifeq (,$(filter noconntrack,$(DEB_BUILD_OPTIONS)))
@@ -98,9 +98,10 @@ ifeq (,$(filter nodnssec,$(DEB_BUILD_OPTIONS)))
     DEB_COPTS += -DHAVE_DNSSEC
 endif

-ifneq ($(DEB_HOST_ARCH_OS),linux)
+ifeq ($(DEB_HOST_ARCH_OS),kfreebsd)
     # For strlcpy in FreeBSD
-     LDFLAGS += -lbsd
+     LIBS += $(shell ${PKG_CONFIG} --libs libbsd-overlay)
+     CFLAGS += $(shell ${PKG_CONFIG} --cflags libbsd-overlay)
 endif

 define build_tree
@@ -129,6 +130,8 @@ define add_docs
 	gzip -9n $1/usr/share/doc/$(package)/changelog.archive
 	install -m 644 dbus/DBus-interface $1/usr/share/doc/$(package)/.
 	gzip -9n $1/usr/share/doc/$(package)/DBus-interface	
+	install -m 644 debian/systemd_howto $1/usr/share/doc/$(package)/.
+	gzip -9n $1/usr/share/doc/$(package)/systemd_howto
 	gzip -9n $1/usr/share/man/man8/dnsmasq.8
 	for f in $1/usr/share/man/*; do \
 		if [ -f $$f/man8/dnsmasq.8 ]; then \
@@ -161,18 +164,26 @@ binary-indep:	checkroot
 	rm -rf debian/trees/daemon
 	install -m 755 \
 	        -d debian/trees/daemon/DEBIAN \
-		-d debian/trees/daemon/usr/share/doc \
+		-d debian/trees/daemon/usr/share/doc/dnsmasq \
 	        -d debian/trees/daemon/etc/init.d \
 		-d debian/trees/daemon/etc/dnsmasq.d \
 	        -d debian/trees/daemon/etc/resolvconf/update.d \
 		-d debian/trees/daemon/usr/lib/resolvconf/dpkg-event.d \
 		-d debian/trees/daemon/usr/share/dnsmasq \
+		-d debian/trees/daemon/usr/share/doc/dnsmasq \
 	        -d debian/trees/daemon/etc/default \
 		-d debian/trees/daemon/lib/systemd/system \
 		-d debian/trees/daemon/usr/lib/tmpfiles.d \
                -d debian/trees/daemon/etc/insserv.conf.d
 	install -m 644 debian/conffiles debian/trees/daemon/DEBIAN
 	install -m 755 debian/postinst debian/postrm debian/prerm debian/trees/daemon/DEBIAN
+	if ! dpkg-vendor --derives-from Ubuntu; then \
+                rm -f debian/dnsmasq.postinst.debhelper debian/dnsmasq.postrm.debhelper; \
+	      	dh_runit -pdnsmasq -Pdebian/trees/daemon; \
+		cat debian/dnsmasq.postinst.debhelper >> debian/trees/daemon/DEBIAN/postinst; \
+		cat debian/dnsmasq.postrm.debhelper   >> debian/trees/daemon/DEBIAN/postrm; \
+		cd debian/trees/daemon && find etc/sv -type f -printf '/%p\n' >>DEBIAN/conffiles; \
+	fi
 	install -m 755 debian/init debian/trees/daemon/etc/init.d/dnsmasq
 	install -m 755 debian/resolvconf debian/trees/daemon/etc/resolvconf/update.d/dnsmasq
 	install -m 755 debian/resolvconf-package debian/trees/daemon/usr/lib/resolvconf/dpkg-event.d/dnsmasq
@@ -181,11 +192,14 @@ binary-indep:	checkroot
 	install -m 644 dnsmasq.conf.example debian/trees/daemon/etc/dnsmasq.conf
 	install -m 644 debian/readme.dnsmasq.d debian/trees/daemon/etc/dnsmasq.d/README
 	install -m 644 debian/systemd.service debian/trees/daemon/lib/systemd/system/dnsmasq.service
+	install -m 644 debian/systemd@.service debian/trees/daemon/lib/systemd/system/dnsmasq@.service
 	install -m 644 debian/tmpfiles.conf debian/trees/daemon/usr/lib/tmpfiles.d/dnsmasq.conf
 	install -m 644 debian/insserv debian/trees/daemon/etc/insserv.conf.d/dnsmasq
-	ln -s $(package) debian/trees/daemon/usr/share/doc/dnsmasq
+	install -m 644 debian/copyright debian/trees/daemon/usr/share/doc/dnsmasq/copyright
+	install -m 644 debian/changelog debian/trees/daemon/usr/share/doc/dnsmasq/changelog.Debian
+	gzip -9n debian/trees/daemon/usr/share/doc/dnsmasq/changelog.Debian
 	cd debian/trees/daemon && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums	
-	dpkg-gencontrol $(PACKAGE_VERSION) -T -pdnsmasq -Pdebian/trees/daemon
+	dpkg-gencontrol $(PACKAGE_VERSION) -Tdebian/dnsmasq.substvars -pdnsmasq -Pdebian/trees/daemon
 	find debian/trees/daemon -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
 	chown -R root.root debian/trees/daemon
 	chmod -R g-ws debian/trees/daemon
@@ -193,8 +207,8 @@ binary-indep:	checkroot

 binary-arch:	checkroot 
 	$(call build_tree,debian/trees/base)
-	make $(TARGET) BUILDDIR=debian/build/no-lua PREFIX=/usr DESTDIR=`pwd`/debian/trees/base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG)
-ifeq (,$(findstring nodocs,$(DEB_BUILD_OPTIONS)))
+	make $(TARGET) BUILDDIR=debian/build/no-lua PREFIX=/usr DESTDIR=`pwd`/debian/trees/base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG) LIBS="$(LIBS)"
+ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
 	$(call add_docs,debian/trees/base)
 else	
 	rm -rf debian/trees/base/usr/share/man
@@ -212,8 +226,8 @@ endif
 	dpkg --build debian/trees/base ..

 	$(call build_tree,debian/trees/lua-base)
-	make $(TARGET) BUILDDIR=debian/build/lua PREFIX=/usr DESTDIR=`pwd`/debian/trees/lua-base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="-DHAVE_LUASCRIPT $(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG)
-ifeq (,$(findstring nodocs,$(DEB_BUILD_OPTIONS)))
+	make $(TARGET) BUILDDIR=debian/build/lua PREFIX=/usr DESTDIR=`pwd`/debian/trees/lua-base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="-DHAVE_LUASCRIPT $(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG) LIBS="$(LIBS)"
+ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
 	$(call add_docs,debian/trees/lua-base)
 else	
 	rm -rf debian/trees/lua-base/usr/share/man
@@ -239,14 +253,14 @@ ifeq ($(DEB_HOST_ARCH_OS),linux)
 	install -m 755 -d debian/trees/utils/DEBIAN \
 	               -d debian/trees/utils/usr/bin \
                       -d debian/trees/utils/usr/share/doc/dnsmasq-utils
-ifeq (,$(findstring nodocs,$(DEB_BUILD_OPTIONS)))
+ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
 	install -m 755 -d debian/trees/utils/usr/share/man/man1
 endif
-	make -C contrib/lease-tools PREFIX=/usr DESTDIR=`pwd`/debian/trees/utils CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG)
+	make -C contrib/lease-tools PREFIX=/usr DESTDIR=`pwd`/debian/trees/utils CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG) LIBS="$(LIBS)"
 	install -m 755 contrib/lease-tools/dhcp_release debian/trees/utils/usr/bin/dhcp_release
 	install -m 755 contrib/lease-tools/dhcp_release6 debian/trees/utils/usr/bin/dhcp_release6
 	install -m 755 contrib/lease-tools/dhcp_lease_time debian/trees/utils/usr/bin/dhcp_lease_time
-ifeq (,$(findstring nodocs,$(DEB_BUILD_OPTIONS)))
+ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
 	install -m 644 contrib/lease-tools/dhcp_release.1 debian/trees/utils/usr/share/man/man1/dhcp_release.1
 	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_release.1
 	install -m 644 contrib/lease-tools/dhcp_release6.1 debian/trees/utils/usr/share/man/man1/dhcp_release6.1
--- a/debian/systemd.service
+++ b/debian/systemd.service
@@ -10,7 +10,7 @@ Type=forking
 PIDFile=/run/dnsmasq/dnsmasq.pid

 # Test the config file and refuse starting if it is not valid.
-ExecStartPre=/usr/sbin/dnsmasq --test
+ExecStartPre=/etc/init.d/dnsmasq checkconfig

 # We run dnsmasq via the /etc/init.d/dnsmasq script which acts as a
 # wrapper picking up extra configuration files and then execs dnsmasq
@@ -19,8 +19,8 @@ ExecStart=/etc/init.d/dnsmasq systemd-exec

 # The systemd-*-resolvconf functions configure (and deconfigure)
 # resolvconf to work with the dnsmasq DNS server. They're called like
-# this to get correct error handling (ie don't start-resolvconf if the 
-# dnsmasq daemon fails to start.
+# this to get correct error handling (ie don't start-resolvconf if the
+# dnsmasq daemon fails to start).
 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf
 ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf

--- a/debian/systemd@.service
+++ b/debian/systemd@.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=dnsmasq (%i) - A lightweight DHCP and caching DNS server
+Requires=network.target
+Wants=nss-lookup.target
+Before=nss-lookup.target
+After=network.target
+
+[Service]
+Type=forking
+PIDFile=/run/dnsmasq/dnsmasq.%i.pid
+
+# Test the config file and refuse starting if it is not valid.
+ExecStartPre=/etc/init.d/dnsmasq checkconfig "%i"
+
+# We run dnsmasq via the /etc/init.d/dnsmasq script which acts as a
+# wrapper picking up extra configuration files and then execs dnsmasq
+# itself, when called with the "systemd-exec" function.
+ExecStart=/etc/init.d/dnsmasq systemd-exec "%i"
+
+# The systemd-*-resolvconf functions configure (and deconfigure)
+# resolvconf to work with the dnsmasq DNS server. They're called like
+# this to get correct error handling (ie don't start-resolvconf if the
+# dnsmasq daemon fails to start).
+ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf "%i"
+ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf "%i"
+
+
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
--- a/debian/systemd_howto
+++ b/debian/systemd_howto
@@ -0,0 +1,41 @@
+HOWTO
+=====
+dnsmasq comes with the possibility to run multiple systemd service instances on the same machine.
+There is the main service which is enabled by default via `systemctl enable dnsmasq.service` and uses the configuration from `/etc/default/dnsmasq`.
+
+Additional service instances can be enabled via `systemctl enable dnsmasq@<instance name>.service` that use the configuration from `/etc/default/dnsmasq.<instance name>`.
+It is recommended to use a separate configuration file and directory for each instance.
+Additionally make sure that all instances use either different ports and/or ip addresses to avoid binding collisions.
+
+Example setup for an instance called "alt"
+#1 File `/etc/dnsmasq.alt.conf` copied from `/etc/dnsmasq.conf`
+#2 Directory `/etc/dnsmasq.alt.d`
+#3 File `/etc/default/dnsmasq.alt` copied from `/etc/default/dnsmasq` with following adaptions:
+   * The options DNSMASQ_OPTS and CONFIG_DIR point to the correct configuration file and directory.
+     DNSMASQ_OPTS="... --conf-file=/etc/dnsmasq.alt.conf ..."
+     CONFIG_DIR=/etc/dnsmasq.alt.d,.dpkg-dist,.dpkg-old,.dpkg-new
+   * The option DNSMASQ_EXCEPT must contain "lo" to avoid that an instance becomes the machine's DNS resolver.
+     DNSMASQ_EXCEPT="lo"
+  * If the additional instance should bind to all IP addresses of a specific interface, e.g. "dnsalt01", then the following addition could be used:
+    DNSMASQ_OPTS="... --bind-dynamic --interface=dnsalt01 ..."
+    Additionally the main instance must be stopped from binding to interfaces that are used by other instances:
+    DNSMASQ_OPTS="... --bind-dynamic --except-interface=dnsalt* ..."
+  * If the additional instance should not use the machine's DNS resolver, normally that's the dnsmasq main instance, as upstream server, then the following addition could be used:
+    IGNORE_RESOLVCONF=yes
+#4 Enable additional instance via `systemctl enable dnsmasq@alt.service`
+#5 Start additional instance without reboot via `systemctl start dnsmasq@alt.service`
+
+
+
+TODO
+====
+#1 - Found shortcoming on 2019-03-10
+Only the option DNSMASQ_EXCEPT="lo" avoids that an DNS instance will be set as the machine's DNS resolver.
+This may interfere with the wish to run an additional instance on a different port on the localhost addresses.
+My suggestion in the initial Debian report [1] was to specify an explicit variable for this.
+
+[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914305#5
+
+
+#2 - Preferred configuration way
+Should the variables DNSMASQ_INTERFACE and DNSMASQ_EXCEPT be used instead of --interface and --except-interface?  (while "lo" still has to be in DNSMASQ_EXCEPT as of now)
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -672,3 +672,8 @@

 # Include all files in a directory which end in .conf
 #conf-dir=/etc/dnsmasq.d/,*.conf
+
+# If a DHCP client claims that its name is "wpad", ignore that.
+# This fixes a security hole. see CERT Vulnerability VU#598349
+#dhcp-name-match=set:wpad-ignore,wpad
+#dhcp-ignore-names=tag:wpad-ignore
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -1,4 +1,4 @@
-.TH DNSMASQ 8
+.TH DNSMASQ 8 2020-04-05
 .SH NAME
 dnsmasq \- A lightweight DHCP and caching DNS server.
 .SH SYNOPSIS
@@ -231,7 +231,7 @@ options always override the others. The comments about interface labels for
 .B --listen-address
 apply here.
 .TP
-.B --auth-server=<domain>,<interface>|<ip-address>
+.B --auth-server=<domain>,[<interface>|<ip-address>...]
 Enable DNS authoritative mode for queries arriving at an interface or address. Note that the interface or address
 need not be mentioned in 
 .B --interface
@@ -244,7 +244,7 @@ specified interface. The <domain> is the "glue record". It should
 resolve in the global DNS to an A and/or AAAA record which points to
 the address dnsmasq is listening on. When an interface is specified,
 it may be qualified with "/4" or "/6" to specify only the IPv4 or IPv6
-addresses associated with the interface.
+addresses associated with the interface. Since any defined authoritative zones are also available as part of the normal recusive DNS service supplied by dnsmasq, it can make sense to have an --auth-server declaration with no interfaces or address, but simply specifying the primary external nameserver.
 .TP
 .B --local-service
 Accept DNS queries only from hosts whose address is on a local subnet,
@@ -366,10 +366,13 @@ been built with DBus support. If the service name is given, dnsmasq
 provides service at that name, rather than the default which is 
 .B uk.org.thekelleys.dnsmasq
 .TP 
-.B --enable-ubus
+.B --enable-ubus[=<service-name>]
 Enable dnsmasq UBus interface. It sends notifications via UBus on
 DHCPACK and DHCPRELEASE events. Furthermore it offers metrics.
-Requires that dnsmasq has been built with UBus support.
+Requires that dnsmasq has been built with UBus support. If the service
+name is given, dnsmasq provides service at that namespace, rather than
+the default which is
+.B dnsmasq
 .TP
 .B \-o, --strict-order
 By default, dnsmasq will send queries to any of the upstream servers
@@ -395,11 +398,13 @@ were previously disabled.
 .TP
 .B --stop-dns-rebind
 Reject (and log) addresses from upstream nameservers which are in the
-private IP ranges. This blocks an attack where a browser behind a
-firewall is used to probe machines on the local network.
+private ranges. This blocks an attack where a browser behind a
+firewall is used to probe machines on the local network. For IPv6, the
+private range covers the IPv4-mapped addresses in private space plus
+all link-local (LL) and site-local (ULA) addresses.
 .TP
 .B --rebind-localhost-ok
-Exempt 127.0.0.0/8 from rebinding checks. This address range is
+Exempt 127.0.0.0/8 and ::1 from rebinding checks. This address range is
 returned by realtime black hole servers, so blocking it may disable
 these services.
 .TP 
@@ -423,7 +428,7 @@ Tells dnsmasq to never forward A or AAAA queries for plain names, without dots
 or domain parts, to upstream nameservers. If the name is not known
 from /etc/hosts or DHCP then a "not found" answer is returned.
 .TP
-.B \-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]
+.B \-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>]][@<source-ip>|<interface>[#<port>]]
 Specify IP address of upstream servers directly. Setting this flag does
 not suppress reading of /etc/resolv.conf, use \fB--no-resolv\fP to do that. If one or more
 optional domains are given, that server is used only for those domains
@@ -484,7 +489,7 @@ source address specified but the port may be specified directly as
 part of the source address. Forcing queries to an interface is not
 implemented on all platforms supported by dnsmasq.
 .TP
-.B --rev-server=<ip-address>/<prefix-len>,<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]
+.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<source-ip>|<interface>[#<port>]]
 This is functionally the same as 
 .B --server, 
 but provides some syntactic sugar to make specifying address-to-name queries easier. For example
@@ -515,7 +520,7 @@ address of 0.0.0.0 and its IPv6 equivalent of :: so
 \fB--address=/example.com/#\fP will return NULL addresses for example.com and
 its subdomains. This is partly syntactic sugar for \fB--address=/example.com/0.0.0.0\fP
 and \fB--address=/example.com/::\fP but is also more efficient than including both
-as seperate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves.
+as separate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves.
 .TP
 .B --ipset=/<domain>[/<domain>...]/<ipset>[,<ipset>...]
 Places the resolved IP addresses of queries for one or more domains in
@@ -603,12 +608,9 @@ Return a CAA DNS record, as specified in RFC6844.
 .TP
 .B --cname=<cname>,[<cname>,]<target>[,<TTL>]
 Return a CNAME record which indicates that <cname> is really
-<target>. There are significant limitations on the target; it must be a
-DNS name which is known to dnsmasq from /etc/hosts (or additional
-hosts files), from DHCP, from \fB--interface-name\fP or from another
-.B --cname.
-If the target does not satisfy this
-criteria, the whole cname is ignored. The cname must be unique, but it
+<target>. There is a significant limitation on the target; it must be a
+DNS record which is known to dnsmasq and NOT a DNS record which comes from
+an upstream server. The cname must be unique, but it
 is permissible to have more than one cname pointing to the same target. Indeed
 it's possible to declare multiple cnames to a target in a single line, like so:
 .B --cname=cname1,cname2,target
@@ -677,7 +679,7 @@ given for \fB--add-subnet\fP applies to \fB--add-mac\fP too. An alternative enco
 MAC, as base64, is enabled by adding the "base64" parameter and a human-readable encoding of hex-and-colons is enabled by added the "text" parameter.
 .TP
 .B --add-cpe-id=<string>
-Add an arbitrary identifying string to o DNS queries which are
+Add an arbitrary identifying string to DNS queries which are
 forwarded upstream.
 .TP 
 .B --add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 address>/]<IPv6 prefix length>]]
@@ -690,8 +692,8 @@ still marks the request so that no upstream nameserver will add client
 address information either. The default is zero for both IPv4 and
 IPv6. Note that upstream nameservers may be configured to return
 different results based on this information, but the dnsmasq cache
-does not take account. If a dnsmasq instance is configured such that
-different results may be encountered, caching should be disabled.
+does not take account. Caching is therefore disabled for such replies,
+unless the subnet address being added is constant.

 For example,
 .B --add-subnet=24,96
@@ -751,7 +753,7 @@ fast.

 Versions of dnsmasq prior to 2.80 defaulted to not checking unsigned replies, and used 
 .B --dnssec-check-unsigned
-to switch this on. Such configurations will continue to work as before, but those which used the default of no checking will need to be altered to explicitly select no checking. The new default is because switching off checking for unsigned replies is inherently dangerous. Not only does it open the possiblity of forged replies, but it allows everything to appear to be working even when the upstream namesevers do not support DNSSEC, and in this case no DNSSEC validation at all is occuring.
+to switch this on. Such configurations will continue to work as before, but those which used the default of no checking will need to be altered to explicitly select no checking. The new default is because switching off checking for unsigned replies is inherently dangerous. Not only does it open the possiblity of forged replies, but it allows everything to appear to be working even when the upstream namesevers do not support DNSSEC, and in this case no DNSSEC validation at all is occurring.
 .TP
 .B --dnssec-no-timecheck
 DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an
@@ -774,9 +776,12 @@ over system restarts. The timestamp file is created after dnsmasq has dropped ro
 unprivileged user that dnsmasq runs as.
 .TP
 .B --proxy-dnssec
-Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it.  This is an 
+Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients.  This is an 
 alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between 
-dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.
+dnsmasq and the upstream servers, and the trustworthiness of the upstream servers. Note that caching the
+Authenticated Data bit correctly in all cases is not technically possible. If the AD bit is to be relied upon
+when using this option, then the cache should be disabled using --cache-size=0. In most cases, enabling DNSSEC validation
+within dnsmasq is a better option. See --dnssec for details.
 .TP
 .B --dnssec-debug
 Set debugging mode for the DNSSEC validation, set the Checking Disabled bit on upstream queries, 
@@ -827,7 +832,8 @@ authoritative zones as dnsmasq.
 .B --auth-peer=<ip-address>[,<ip-address>[,<ip-address>...]]
 Specify the addresses of secondary servers which are allowed to
 initiate zone transfer (AXFR) requests for zones for which dnsmasq is
-authoritative. If this option is not given, then AXFR requests will be
+authoritative. If this option is not given but --auth-sec-servers is,
+then AXFR requests will be
 accepted from any secondary. Specifying
 .B --auth-peer
 without
@@ -855,7 +861,7 @@ in
 options. If the lease time is given, then leases
 will be given for that length of time. The lease time is in seconds,
 or minutes (eg 45m) or hours (eg 1h) or "infinite". If not given,
-the default lease time is one hour. The
+the default lease time is one hour for IPv4 and one day for IPv6. The
 minimum lease time is two minutes. For IPv6 ranges, the lease time
 maybe "deprecated"; this sets the preferred lifetime sent in a DHCP
 lease or router advertisement to zero, which causes clients to use
@@ -903,7 +909,7 @@ then the address can be simply ::
 The optional 
 .B set:<tag> 
 sets an alphanumeric label which marks this network so that
-dhcp options may be specified on a per-network basis. 
+DHCP options may be specified on a per-network basis.
 When it is prefixed with 'tag:' instead, then its meaning changes from setting
 a tag to matching it. Only one tag may be set, but more than one tag
 may be matched.
@@ -974,7 +980,7 @@ is also included, as described in RFC-3775 section 7.3.
 tells dnsmasq to advertise the prefix without the on-link (aka L) bit set.

 .TP
-.B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
+.B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][tag:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
 Specify per host parameters for the DHCP server. This allows a machine
 with a particular hardware address to be always allocated the same
 hostname, IP address and lease time. A hostname specified like this
@@ -1007,12 +1013,19 @@ allowed to specify the client ID as text, like this:

 A single
 .B --dhcp-host
-may contain an IPv4 address or an IPv6 address, or both. IPv6 addresses must be bracketed by square brackets thus:
+may contain an IPv4 address or one or more IPv6 addresses, or both. IPv6 addresses must be bracketed by square brackets thus:
 .B --dhcp-host=laptop,[1234::56]
 IPv6 addresses may contain only the host-identifier part:
 .B --dhcp-host=laptop,[::56]
-in which case they act as wildcards in constructed dhcp ranges, with
-the appropriate network part inserted. 
+in which case they act as wildcards in constructed DHCP ranges, with
+the appropriate network part inserted. For IPv6, an address may include a prefix length:
+.B --dhcp-host=laptop,[1234:50/126]
+which (in this case) specifies four addresses, 1234::50 to 1234::53. This (an the ability
+to specify multiple addresses) is useful
+when a host presents either a consistent name or hardware-ID, but varying DUIDs, since it allows
+dnsmasq to honour the static address allocation but assign a different adddress for each DUID. This
+typically occurs when chain netbooting, as each stage of the chain gets in turn allocates an address.
+
 Note that in IPv6 DHCP, the hardware address may not be
 available, though it normally is for direct-connected clients, or
 clients using DHCP relays which support RFC 6939.
@@ -1052,6 +1065,9 @@ ignore requests from unknown machines using
 .B --dhcp-ignore=tag:!known
 If the host matches only a \fB--dhcp-host\fP directive which cannot
 be used because it specifies an address on different subnet, the tag "known-othernet" is set.
+
+The tag:<tag> construct filters which dhcp-host directives are used. Tagged directives are used in preference to untagged ones.
+
 Ethernet addresses (but not client-ids) may have
 wildcard bytes, so for example 
 .B --dhcp-host=00:20:e0:3b:13:*,ignore 
@@ -1338,7 +1354,7 @@ vendor-identifying vendor classes for the specified enterprise. Please
 see RFC 3925 for more details of these rare and interesting beasts.
 .TP
 .B --dhcp-name-match=set:<tag>,<name>[*]
-Set the tag if the given name is supplied by a dhcp client. There may be a single trailing wildcard *, which has the usual meaning. Combined with dhcp-ignore or dhcp-ignore-names this gives the ability to ignore certain clients by name, or disallow certain hostnames from being claimed by a client.
+Set the tag if the given name is supplied by a DHCP client. There may be a single trailing wildcard *, which has the usual meaning. Combined with dhcp-ignore or dhcp-ignore-names this gives the ability to ignore certain clients by name, or disallow certain hostnames from being claimed by a client.
 .TP
 .B --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
 Perform boolean operations on tags. Any tag appearing as set:<tag> is set if
@@ -1404,6 +1420,12 @@ address, and setting this flag enables this mode. Note that in the
 sequential mode, clients which allow a lease to expire are much more
 likely to move IP address; for this reason it should not be generally used.
 .TP
+.B --dhcp-ignore-clid
+Dnsmasq is reading 'client identifier' (RFC 2131) option sent by clients
+(if available) to identify clients. This allow to serve same IP address
+for a host using several interfaces. Use this option to disable 'client identifier'
+reading, i.e. to always identify a host using the MAC address.
+.TP
 .B --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservicetype>][,<server address>|<server_name>]
 Most uses of PXE boot-ROMS simply allow the PXE
 system to obtain an IP address and then download the file specified by
@@ -1458,6 +1480,22 @@ to allow netbooting. This mode is enabled using the
 .B proxy
 keyword in
 .B --dhcp-range.
+.TP
+.B --dhcp-pxe-vendor=<vendor>[,...]
+According to UEFI and PXE specifications, DHCP packets between PXE clients and
+proxy PXE servers should have 
+.I PXEClient 
+in their vendor-class field. However, the firmware of computers from a few
+vendors is customized to carry a different identifier in that field. This option
+is used to consider such identifiers valid for identifying PXE clients. For 
+instance
+
+.B --dhcp-pxe-vendor=PXEClient,HW-Client
+
+will enable dnsmasq to also provide proxy PXE service to those PXE clients with
+.I HW-Client
+in as their identifier.
+>>>>>>> 907def3... pxe: support pxe clients with custom vendor-class
 .TP  
 .B \-X, --dhcp-lease-max=<number>
 Limits dnsmasq to the specified maximum number of DHCP leases. The
@@ -1537,7 +1575,8 @@ address of the host (or DUID for IPv6) , the IP address, and the hostname,
 if known. "add" means a lease has been created, "del" means it has
 been destroyed, "old" is a notification of an existing lease when
 dnsmasq starts or a change to MAC address or hostname of an existing
-lease (also, lease length or expiry and client-id, if \fB--leasefile-ro\fP is set).
+lease (also, lease length or expiry and client-id, if \fB--leasefile-ro\fP is set
+and lease expiry if \fB--script-on-renewal\fP is set).
 If the MAC address is from a network type other than ethernet,
 it will have the network type prepended, eg "06-01:23:45:67:89:ab" for
 token ring. The process is run as root (assuming that dnsmasq was originally run as
@@ -1727,6 +1766,10 @@ stdout and exit with zero exit code. Setting this
 option also forces the leasechange script to be called on changes
 to the client-id and lease length and expiry time.
 .TP
+.B --script-on-renewal
+Call the DHCP script when the lease expiry time changes, for instance when the
+lease is renewed.
+.TP
 .B --bridge-interface=<interface>,<alias>[,<alias>]
 Treat DHCP (v4 and v6) requests and IPv6 Router Solicit packets
 arriving at any of the <alias> interfaces as if they had arrived at
@@ -1739,6 +1782,36 @@ wildcard can be used in each <alias>.
 It is permissible to add more than one alias using more than one \fB--bridge-interface\fP option since
 \fB--bridge-interface=int1,alias1,alias2\fP is exactly equivalent to
 \fB--bridge-interface=int1,alias1 --bridge-interface=int1,alias2\fP
+.TP
+.B --shared-network=<interface>,<addr>
+.PD 0
+.TP
+.B --shared-network=<addr>,<addr>
+.PD 1v
+The DHCP server determines which DHCP ranges are useable for allocating an
+address to a DHCP client based on the network from which the DHCP request arrives,
+and the IP configuration of the server's interface on that network. The shared-network
+option extends the available subnets (and therefore DHCP ranges) beyond the
+subnets configured on the arrival interface.
+
+The first argument is either the
+name of an interface, or an address that is configured on a local interface, and the
+second argument is an address which defines another subnet on which addresses can be allocated.
+
+To be useful, there must be a suitable dhcp-range which allows address allocation on this subnet
+and this dhcp-range MUST include the netmask.
+
+Using shared-network also needs extra
+consideration of routing. Dnsmasq does not have the usual information that it uses to
+determine the default route, so the default route option (or other routing) MUST be
+configured manually. The client must have a route to the server: if the two-address form
+of shared-network is used, this needs to be to the first specified address. If the interface,address
+form is used, there must be a route to all of the addresses configured on the interface.
+
+The two-address form of shared-network is also usable with a DHCP relay: the first address
+is the address of the relay and the second, as before, specifies an extra subnet which
+addresses may be allocated from.
+
 .TP
 .B \-s, --domain=<domain>[,<address range>[,local]]
 Specifies DNS domains for the DHCP server. Domains may be be given 
@@ -1747,7 +1820,7 @@ firstly it causes the DHCP server to return the domain to any hosts
 which request it, and secondly it sets the domain which it is legal
 for DHCP-configured hosts to claim. The intention is to constrain
 hostnames so that an untrusted host on the LAN cannot advertise 
-its name via dhcp as e.g. "microsoft.com" and capture traffic not 
+its name via DHCP as e.g. "microsoft.com" and capture traffic not 
 meant for it. If no domain suffix is specified, then any DHCP
 hostname with a domain part (ie with a period) will be disallowed 
 and logged. If suffix is specified, then hostnames with a domain 
@@ -1828,7 +1901,7 @@ The interval between router advertisements may be set (in seconds) with
 .B --ra-param=eth0,60.
 The lifetime of the route may be changed or set to zero, which allows
 a router to advertise prefixes but not a route via itself. 
-.B --ra-parm=eth0,0,0
+.B --ra-param=eth0,0,0
 (A value of zero for the interval means the default value.) All four parameters may be set at once.
 .B --ra-param=eth0,mtu:1280,low,60,1200

@@ -1838,7 +1911,7 @@ The mtu: parameter may be an arbitrary interface name, in which case the MTU val
 for (eg) advertising the MTU of a WAN interface on the other interfaces of a router.
 .TP
 .B --dhcp-reply-delay=[tag:<tag>,]<integer>
-Delays sending DHCPOFFER and proxydhcp replies for at least the specified number of seconds.
+Delays sending DHCPOFFER and PROXYDHCP replies for at least the specified number of seconds.
 This can be used as workaround for bugs in PXE boot firmware that does not function properly when
 receiving an instant reply.
 This option takes into account the time already spent waiting (e.g. performing ping check) if any.
@@ -1918,10 +1991,16 @@ specifies a range of ports for use by TFTP transfers. This can be
 useful when TFTP has to traverse a firewall. The start of the range
 cannot be lower than 1025 unless dnsmasq is running as root. The number
 of concurrent TFTP connections is limited by the size of the port range. 
-.TP  
+.TP
+.B --tftp-single-port
+Run in a mode where the TFTP server uses ONLY the well-known port (69) for its end
+of the TFTP transfer. This allows TFTP to work when there in NAT is the path between client and server. Note that
+this is not strictly compliant with the RFCs specifying the TFTP protocol: use at your own risk.
+.TP
 .B \-C, --conf-file=<file>
-Specify a different configuration file. The \fB--conf-file\fP option is also allowed in
-configuration files, to include multiple configuration files. A
+Specify a configuration file. The presence of this option stops dnsmasq from reading the default configuration
+file (normally /etc/dnsmasq.conf). Multiple files may be specified by repeating the option
+either on the command line or in configuration files. A
 filename of "-" causes dnsmasq to read configuration from stdin.
 .TP
 .B \-7, --conf-dir=<directory>[,<file-extension>......],
@@ -1933,7 +2012,7 @@ which have that extension are loaded. So
 .B --conf-dir=/path/to/dir,*.conf
 loads all files with the suffix .conf in /path/to/dir. This flag may be given on the command
 line or in a configuration file. If giving it on the command line, be sure to
-escape * characters.
+escape * characters. Files are loaded in alphabetical order of filename.
 .TP
 .B --servers-file=<file>
 A special case of 
@@ -1968,7 +2047,7 @@ and
 .I /etc/ethers 
 and any file given by \fB--dhcp-hostsfile\fP, \fB--dhcp-hostsdir\fP, \fB--dhcp-optsfile\fP,
 \fB--dhcp-optsdir\fP, \fB--addn-hosts\fP or \fB--hostsdir\fP.
-The dhcp lease change script is called for all
+The DHCP lease change script is called for all
 existing DHCP leases. If 
 .B
 --no-poll
@@ -2146,7 +2225,6 @@ as is the tag "bootp", allowing some control over the options returned to
 different classes of hosts.

 .SH AUTHORITATIVE CONFIGURATION
-.PP 
 Configuring dnsmasq to act as an authoritative DNS server is
 complicated by the fact that it involves configuration of external DNS
 servers to provide delegation. We will walk through three scenarios of
@@ -2316,7 +2394,6 @@ used, and must match the zone's domain.


 .SH EXIT CODES
-.PP
 0 - Dnsmasq successfully forked into the background, or terminated
 normally if backgrounding is not enabled.
 .PP
--- a/man/fr/dnsmasq.8
+++ b/man/fr/dnsmasq.8
@@ -1354,6 +1354,13 @@ Veuillez noter que dans ce mode séquentiel, les clients qui laissent expirer
 leur bail ont beaucoup plus de chance de voir leur adresse IP changer, aussi
 cette option ne devrait pas être utilisée dans un cas général.
 .TP
+.B --dhcp-ignore-clid
+Dnsmasq lit l'option 'client identifier' (RFC 2131) envoyée par les clients
+(si disponible) afin d'identifier les clients. Cela permet de distribuer la
+même adresse IP à un client utilisant plusieurs interfaces. Activer cette option
+désactive la lecture du 'client identifier', afin de toujours identifier un client
+en utilisant l'adresse MAC.
+.TP
 .B --pxe-service=[tag:<label>,]<CSA>,<entrée de menu>[,<nom de fichier>|<type de service de démarrage>][,<adresse de serveur>|<nom de serveur>]
 La plupart des ROMS de démarrage PXE ne permettent au système PXE que la simple
 obtention d'une adresse IP, le téléchargement du fichier spécifié dans
@@ -1774,7 +1781,7 @@ Un intervalle (en secondes) entre les annonces routeur peut être fourni par :
 .B --ra-param=eth0,60.
 La durée de vie de la route peut être changée ou mise à zéro, auquel cas
 le routeur peut annoncer les préfixes mais pas de route :
-.B --ra-parm=eth0,0,0
+.B --ra-param=eth0,0,0
 (une valeur de zéro pour l'intervalle signifie qu'il garde la valeur par défaut).
 Ces quatre paramètres peuvent être configurés en une fois :
 .B --ra-param=eth0,mtu:1280,low,60,1200
--- a/po/de.po
+++ b/po/de.po
--- a/po/es.po
+++ b/po/es.po
--- a/po/fi.po
+++ b/po/fi.po
--- a/po/fr.po
+++ b/po/fr.po
--- a/po/id.po
+++ b/po/id.po
--- a/po/it.po
+++ b/po/it.po
--- a/po/no.po
+++ b/po/no.po
--- a/po/pl.po
+++ b/po/pl.po
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
--- a/po/ro.po
+++ b/po/ro.po
--- a/src/arp.c
+++ b/src/arp.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -28,7 +28,7 @@ struct arp_record {
  unsigned short hwlen, status;
  int family;
  unsigned char hwaddr[DHCP_CHADDR_MAX]; 
-  struct all_addr addr;
+  union all_addr addr;
  struct arp_record *next;
 };

@@ -44,11 +44,6 @@ static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *p
  if (maclen > DHCP_CHADDR_MAX)
    return 1;

-#ifndef HAVE_IPV6
-  if (family != AF_INET)
-    return 1;
-#endif
-
  /* Look for existing entry */
  for (arp = arps; arp; arp = arp->next)
    {
@@ -57,16 +52,14 @@ static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *p
      
      if (family == AF_INET)
 	{
-	  if (arp->addr.addr.addr4.s_addr != ((struct in_addr *)addrp)->s_addr)
+	  if (arp->addr.addr4.s_addr != ((struct in_addr *)addrp)->s_addr)
 	    continue;
 	}
-#ifdef HAVE_IPV6
      else
 	{
-	  if (!IN6_ARE_ADDR_EQUAL(&arp->addr.addr.addr6, (struct in6_addr *)addrp))
+	  if (!IN6_ARE_ADDR_EQUAL(&arp->addr.addr6, (struct in6_addr *)addrp))
 	    continue;
 	}
-#endif

      if (arp->status == ARP_EMPTY)
 	{
@@ -102,11 +95,9 @@ static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *p
      arp->family = family;
      memcpy(arp->hwaddr, mac, maclen);
      if (family == AF_INET)
-	arp->addr.addr.addr4.s_addr = ((struct in_addr *)addrp)->s_addr;
-#ifdef HAVE_IPV6
+	arp->addr.addr4.s_addr = ((struct in_addr *)addrp)->s_addr;
      else
-	memcpy(&arp->addr.addr.addr6, addrp, IN6ADDRSZ);
-#endif
+	memcpy(&arp->addr.addr6, addrp, IN6ADDRSZ);
    }
  
  return 1;
@@ -133,14 +124,12 @@ int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now)
 	    continue;
 	    
 	  if (arp->family == AF_INET &&
-	      arp->addr.addr.addr4.s_addr != addr->in.sin_addr.s_addr)
+	      arp->addr.addr4.s_addr != addr->in.sin_addr.s_addr)
 	    continue;
 	    
-#ifdef HAVE_IPV6
 	  if (arp->family == AF_INET6 && 
-	      !IN6_ARE_ADDR_EQUAL(&arp->addr.addr.addr6, &addr->in6.sin6_addr))
+	      !IN6_ARE_ADDR_EQUAL(&arp->addr.addr6, &addr->in6.sin6_addr))
 	    continue;
-#endif
 	  
 	  /* Only accept positive entries unless in lazy mode. */
 	  if (arp->status != ARP_EMPTY || lazy || updated)
@@ -202,11 +191,9 @@ int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now)
      arp->hwlen = 0;

      if (addr->sa.sa_family == AF_INET)
-	arp->addr.addr.addr4.s_addr = addr->in.sin_addr.s_addr;
-#ifdef HAVE_IPV6
+	arp->addr.addr4.s_addr = addr->in.sin_addr.s_addr;
      else
-	memcpy(&arp->addr.addr.addr6, &addr->in6.sin6_addr, IN6ADDRSZ);
-#endif
+	memcpy(&arp->addr.addr6, &addr->in6.sin6_addr, IN6ADDRSZ);
    }
 	  
   return 0;
--- a/src/auth.c
+++ b/src/auth.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -18,32 +18,30 @@

 #ifdef HAVE_AUTH

-static struct addrlist *find_addrlist(struct addrlist *list, int flag, struct all_addr *addr_u)
+static struct addrlist *find_addrlist(struct addrlist *list, int flag, union all_addr *addr_u)
 {
  do {
    if (!(list->flags & ADDRLIST_IPV6))
      {
-	struct in_addr netmask, addr = addr_u->addr.addr4;
+	struct in_addr netmask, addr = addr_u->addr4;
 	
 	if (!(flag & F_IPV4))
 	  continue;
 	
 	netmask.s_addr = htonl(~(in_addr_t)0 << (32 - list->prefixlen));
 	
-	if  (is_same_net(addr, list->addr.addr.addr4, netmask))
+	if  (is_same_net(addr, list->addr.addr4, netmask))
 	  return list;
      }
-#ifdef HAVE_IPV6
-    else if (is_same_net6(&(addr_u->addr.addr6), &list->addr.addr.addr6, list->prefixlen))
+    else if (is_same_net6(&(addr_u->addr6), &list->addr.addr6, list->prefixlen))
      return list;
-#endif
    
  } while ((list = list->next));
  
  return NULL;
 }

-static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all_addr *addr_u)
+static struct addrlist *find_subnet(struct auth_zone *zone, int flag, union all_addr *addr_u)
 {
  if (!zone->subnet)
    return NULL;
@@ -51,7 +49,7 @@ static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all
  return find_addrlist(zone->subnet, flag, addr_u);
 }

-static struct addrlist *find_exclude(struct auth_zone *zone, int flag, struct all_addr *addr_u)
+static struct addrlist *find_exclude(struct auth_zone *zone, int flag, union all_addr *addr_u)
 {
  if (!zone->exclude)
    return NULL;
@@ -59,7 +57,7 @@ static struct addrlist *find_exclude(struct auth_zone *zone, int flag, struct al
  return find_addrlist(zone->exclude, flag, addr_u);
 }

-static int filter_zone(struct auth_zone *zone, int flag, struct all_addr *addr_u)
+static int filter_zone(struct auth_zone *zone, int flag, union all_addr *addr_u)
 {
  if (find_exclude(zone, flag, addr_u))
    return 0;
@@ -115,7 +113,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
  struct txt_record *txt;
  struct interface_name *intr;
  struct naptr *na;
-  struct all_addr addr;
+  union all_addr addr;
  struct cname *a, *candidate;
  unsigned int wclen;
  
@@ -131,7 +129,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n

  for (q = ntohs(header->qdcount); q != 0; q--)
    {
-      unsigned short flag = 0;
+      unsigned int flag = 0;
      int found = 0;
      int cname_wildcard = 0;
  
@@ -180,7 +178,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		struct addrlist *addrlist;
 		
 		for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
-		  if (!(addrlist->flags & ADDRLIST_IPV6) && addr.addr.addr4.s_addr == addrlist->addr.addr.addr4.s_addr)
+		  if (!(addrlist->flags & ADDRLIST_IPV6) && addr.addr4.s_addr == addrlist->addr.addr4.s_addr)
 		    break;
 		
 		if (addrlist)
@@ -189,14 +187,13 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
 		    intr = intr->next;
 	      }
-#ifdef HAVE_IPV6
 	  else if (flag == F_IPV6)
 	    for (intr = daemon->int_names; intr; intr = intr->next)
 	      {
 		struct addrlist *addrlist;
 		
 		for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
-		  if ((addrlist->flags & ADDRLIST_IPV6) && IN6_ARE_ADDR_EQUAL(&addr.addr.addr6, &addrlist->addr.addr.addr6))
+		  if ((addrlist->flags & ADDRLIST_IPV6) && IN6_ARE_ADDR_EQUAL(&addr.addr6, &addrlist->addr.addr6))
 		    break;
 		
 		if (addrlist)
@@ -205,7 +202,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
 		    intr = intr->next;
 	      }
-#endif
 	  
 	  if (intr)
 	    {
@@ -378,10 +374,8 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
       if (qtype == T_A)
 	 flag = F_IPV4;
       
-#ifdef HAVE_IPV6
       if (qtype == T_AAAA)
 	 flag = F_IPV6;
-#endif
       
       for (intr = daemon->int_names; intr; intr = intr->next)
 	 if ((rc = hostname_issubdomain(name, intr->name)))
@@ -395,10 +389,9 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		 if (((addrlist->flags & ADDRLIST_IPV6)  ? T_AAAA : T_A) == qtype &&
 		     (local_query || filter_zone(zone, flag, &addrlist->addr)))
 		   {
-#ifdef HAVE_IPV6
 		     if (addrlist->flags & ADDRLIST_REVONLY)
 		       continue;
-#endif
+
 		     found = 1;
 		     log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL);
 		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
@@ -424,13 +417,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      
 	      if (peer_addr->sa.sa_family == AF_INET)
 		peer_addr->in.sin_port = 0;
-#ifdef HAVE_IPV6
 	      else
 		{
 		  peer_addr->in6.sin6_port = 0; 
 		  peer_addr->in6.sin6_scope_id = 0;
 		}
-#endif
 	      
 	      for (peers = daemon->auth_peers; peers; peers = peers->next)
 		if (sockaddr_isequal(peer_addr, &peers->addr))
@@ -442,10 +433,8 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		{
 		  if (peer_addr->sa.sa_family == AF_INET)
 		    inet_ntop(AF_INET, &peer_addr->in.sin_addr, daemon->addrbuff, ADDRSTRLEN);
-#ifdef HAVE_IPV6
 		  else
 		    inet_ntop(AF_INET6, &peer_addr->in6.sin6_addr, daemon->addrbuff, ADDRSTRLEN); 
-#endif
 		  
 		  my_syslog(LOG_WARNING, _("ignoring zone transfer request from %s"), daemon->addrbuff);
 		  return 0;
@@ -479,10 +468,10 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  { 
 		    nxdomain = 0;
 		    if ((crecp->flags & flag) && 
-			(local_query || filter_zone(zone, flag, &(crecp->addr.addr))))
+			(local_query || filter_zone(zone, flag, &(crecp->addr))))
 		      {
 			*cut = '.'; /* restore domain part */
-			log_query(crecp->flags, name, &crecp->addr.addr, record_source(crecp->uid));
+			log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid));
 			*cut  = 0; /* remove domain part */
 			found = 1;
 			if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
@@ -502,9 +491,9 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    do
 	      { 
 		 nxdomain = 0;
-		 if ((crecp->flags & flag) && (local_query || filter_zone(zone, flag, &(crecp->addr.addr))))
+		 if ((crecp->flags & flag) && (local_query || filter_zone(zone, flag, &(crecp->addr))))
 		   {
-		     log_query(crecp->flags, name, &crecp->addr.addr, record_source(crecp->uid));
+		     log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid));
 		     found = 1;
 		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					     daemon->auth_ttl, NULL, qtype, C_IN, 
@@ -591,7 +580,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n

 	  if (!(subnet->flags & ADDRLIST_IPV6))
 	    {
-	      in_addr_t a = ntohl(subnet->addr.addr.addr4.s_addr) >> 8;
+	      in_addr_t a = ntohl(subnet->addr.addr4.s_addr) >> 8;
 	      char *p = name;
 	      
 	      if (subnet->prefixlen >= 24)
@@ -603,7 +592,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      p += sprintf(p, "%u.in-addr.arpa", a & 0xff);
 	      
 	    }
-#ifdef HAVE_IPV6
 	  else
 	    {
 	      char *p = name;
@@ -611,13 +599,12 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      
 	      for (i = subnet->prefixlen-1; i >= 0; i -= 4)
 		{ 
-		  int dig = ((unsigned char *)&subnet->addr.addr.addr6)[i>>3];
+		  int dig = ((unsigned char *)&subnet->addr.addr6)[i>>3];
 		  p += sprintf(p, "%.1x.", (i>>2) & 1 ? dig & 15 : dig >> 4);
 		}
 	      p += sprintf(p, "ip6.arpa");
 	      
 	    }
-#endif
 	}
      
      /* handle NS and SOA in auth section or for explicit queries */
@@ -641,16 +628,20 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	{
 	  struct name_list *secondary;
 	  
-	  newoffset = ansp - (unsigned char *)header;
-	  if (add_resource_record(header, limit, &trunc, -offset, &ansp, 
-				  daemon->auth_ttl, NULL, T_NS, C_IN, "d", offset == 0 ? authname : NULL, daemon->authserver))
+	  /* Only include the machine running dnsmasq if it's acting as an auth server */
+	  if (daemon->authinterface)
 	    {
-	      if (offset == 0) 
-		offset = newoffset;
-	      if (ns) 
-		anscount++;
-	      else
-		authcount++;
+	      newoffset = ansp - (unsigned char *)header;
+	      if (add_resource_record(header, limit, &trunc, -offset, &ansp, 
+				      daemon->auth_ttl, NULL, T_NS, C_IN, "d", offset == 0 ? authname : NULL, daemon->authserver))
+		{
+		  if (offset == 0) 
+		    offset = newoffset;
+		  if (ns) 
+		    anscount++;
+		  else
+		    authcount++;
+		}
 	    }

 	  if (!subnet)
@@ -754,14 +745,12 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 					  daemon->auth_ttl, NULL, T_A, C_IN, "4", cut ? intr->name : NULL, &addrlist->addr))
 		    anscount++;
 		
-#ifdef HAVE_IPV6
 		for (addrlist = intr->addr; addrlist; addrlist = addrlist->next) 
 		  if ((addrlist->flags & ADDRLIST_IPV6) && 
 		      (local_query || filter_zone(zone, F_IPV6, &addrlist->addr)) &&
 		      add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
 					  daemon->auth_ttl, NULL, T_AAAA, C_IN, "6", cut ? intr->name : NULL, &addrlist->addr))
 		    anscount++;
-#endif		    
 		
 		/* restore config data */
 		if (cut)
@@ -798,38 +787,26 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		    {
 		      char *cache_name = cache_get_name(crecp);
 		      if (!strchr(cache_name, '.') && 
-			  (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr.addr))))
-			{
-			  qtype = T_A;
-#ifdef HAVE_IPV6
-			  if (crecp->flags & F_IPV6)
-			    qtype = T_AAAA;
-#endif
-			  if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
-						  daemon->auth_ttl, NULL, qtype, C_IN, 
-						  (crecp->flags & F_IPV4) ? "4" : "6", cache_name, &crecp->addr))
-			    anscount++;
-			}
+			  (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr))) &&
+			  add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
+					      daemon->auth_ttl, NULL, (crecp->flags & F_IPV6) ? T_AAAA : T_A, C_IN, 
+					      (crecp->flags & F_IPV4) ? "4" : "6", cache_name, &crecp->addr))
+			anscount++;
 		    }
 		  
 		  if ((crecp->flags & F_HOSTS) || (((crecp->flags & F_DHCP) && option_bool(OPT_DHCP_FQDN))))
 		    {
 		      strcpy(name, cache_get_name(crecp));
 		      if (in_zone(zone, name, &cut) && 
-			  (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr.addr))))
+			  (local_query || filter_zone(zone, (crecp->flags & (F_IPV6 | F_IPV4)), &(crecp->addr))))
 			{
-			  qtype = T_A;
-#ifdef HAVE_IPV6
-			  if (crecp->flags & F_IPV6)
-			    qtype = T_AAAA;
-#endif
-			   if (cut)
-			     *cut = 0;
+			  if (cut)
+			    *cut = 0;

-			   if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
-						   daemon->auth_ttl, NULL, qtype, C_IN, 
-						   (crecp->flags & F_IPV4) ? "4" : "6", cut ? name : NULL, &crecp->addr))
-			     anscount++;
+			  if (add_resource_record(header, limit, &trunc, -axfroffset, &ansp, 
+						  daemon->auth_ttl, NULL, (crecp->flags & F_IPV6) ? T_AAAA : T_A, C_IN, 
+						  (crecp->flags & F_IPV4) ? "4" : "6", cut ? name : NULL, &crecp->addr))
+			    anscount++;
 			}
 		    }
 		}
@@ -863,6 +840,9 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
      header->hb4 &= ~HB4_RA;
    }

+  /* data is never DNSSEC signed. */
+  header->hb4 &= ~HB4_AD;
+
  /* authoritative */
  if (auth)
    header->hb3 |= HB3_AA;
--- a/src/blockdata.c
+++ b/src/blockdata.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -16,8 +16,6 @@

 #include "dnsmasq.h"

-#ifdef HAVE_DNSSEC
-
 static struct blockdata *keyblock_free;
 static unsigned int blockdata_count, blockdata_hwm, blockdata_alloced;

@@ -54,14 +52,13 @@ void blockdata_init(void)

 void blockdata_report(void)
 {
-  if (option_bool(OPT_DNSSEC_VALID))
-    my_syslog(LOG_INFO, _("DNSSEC memory in use %u, max %u, allocated %u"), 
-	      blockdata_count * sizeof(struct blockdata),  
-	      blockdata_hwm * sizeof(struct blockdata),  
-	      blockdata_alloced * sizeof(struct blockdata));
+  my_syslog(LOG_INFO, _("pool memory in use %u, max %u, allocated %u"), 
+	    blockdata_count * sizeof(struct blockdata),  
+	    blockdata_hwm * sizeof(struct blockdata),  
+	    blockdata_alloced * sizeof(struct blockdata));
 } 

-struct blockdata *blockdata_alloc(char *data, size_t len)
+static struct blockdata *blockdata_alloc_real(int fd, char *data, size_t len)
 {
  struct blockdata *block, *ret = NULL;
  struct blockdata **prev = &ret;
@@ -89,8 +86,17 @@ struct blockdata *blockdata_alloc(char *data, size_t len)
 	blockdata_hwm = blockdata_count; 
      
      blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len;
-      memcpy(block->key, data, blen);
-      data += blen;
+      if (data)
+	{
+	  memcpy(block->key, data, blen);
+	  data += blen;
+	}
+      else if (!read_write(fd, block->key, blen, 1))
+	{
+	  /* failed read free partial chain */
+	  blockdata_free(ret);
+	  return NULL;
+	}
      len -= blen;
      *prev = block;
      prev = &block->next;
@@ -100,6 +106,10 @@ struct blockdata *blockdata_alloc(char *data, size_t len)
  return ret;
 }

+struct blockdata *blockdata_alloc(char *data, size_t len)
+{
+  return blockdata_alloc_real(0, data, len);
+}

 void blockdata_free(struct blockdata *blocks)
 {
@@ -148,5 +158,20 @@ void *blockdata_retrieve(struct blockdata *block, size_t len, void *data)

  return data;
 }
- 
-#endif
+
+
+void blockdata_write(struct blockdata *block, size_t len, int fd)
+{
+  for (; len > 0 && block; block = block->next)
+    {
+      size_t blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len;
+      read_write(fd, block->key, blen, 0);
+      len -= blen;
+    }
+}
+
+struct blockdata *blockdata_read(int fd, size_t len)
+{
+  return blockdata_alloc_real(fd, NULL, len);
+}
+
--- a/src/bpf.c
+++ b/src/bpf.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -31,9 +31,7 @@
 #  include <net/if_var.h> 
 #endif
 #include <netinet/in_var.h>
-#ifdef HAVE_IPV6
-#  include <netinet6/in6_var.h>
-#endif
+#include <netinet6/in6_var.h>

 #ifndef SA_SIZE
 #define SA_SIZE(sa)                                             \
@@ -44,7 +42,7 @@

 #ifdef HAVE_BSD_NETWORK
 static int del_family = 0;
-static struct all_addr del_addr;
+static union all_addr del_addr;
 #endif

 #if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
@@ -121,7 +119,7 @@ int iface_enumerate(int family, void *parm, int (*callback)())
  if (getifaddrs(&head) == -1)
    return 0;

-#if defined(HAVE_BSD_NETWORK) && defined(HAVE_IPV6)
+#if defined(HAVE_BSD_NETWORK)
  if (family == AF_INET6)
    fd = socket(PF_INET6, SOCK_DGRAM, 0);
 #endif
@@ -141,7 +139,7 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 	      struct in_addr addr, netmask, broadcast;
 	      addr = ((struct sockaddr_in *) addrs->ifa_addr)->sin_addr;
 #ifdef HAVE_BSD_NETWORK
-	      if (del_family == AF_INET && del_addr.addr.addr4.s_addr == addr.s_addr)
+	      if (del_family == AF_INET && del_addr.addr4.s_addr == addr.s_addr)
 		continue;
 #endif
 	      netmask = ((struct sockaddr_in *) addrs->ifa_netmask)->sin_addr;
@@ -152,7 +150,6 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 	      if (!((*callback)(addr, iface_index, NULL, netmask, broadcast, parm)))
 		goto err;
 	    }
-#ifdef HAVE_IPV6
 	  else if (family == AF_INET6)
 	    {
 	      struct in6_addr *addr = &((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_addr;
@@ -162,7 +159,7 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 	      u32 valid = 0xffffffff, preferred = 0xffffffff;
 	      int flags = 0;
 #ifdef HAVE_BSD_NETWORK
-	      if (del_family == AF_INET6 && IN6_ARE_ADDR_EQUAL(&del_addr.addr.addr6, addr))
+	      if (del_family == AF_INET6 && IN6_ARE_ADDR_EQUAL(&del_addr.addr6, addr))
 		continue;
 #endif
 #if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
@@ -219,7 +216,6 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 				(int) preferred, (int)valid, parm)))
 		goto err;	      
 	    }
-#endif /* HAVE_IPV6 */

 #ifdef HAVE_DHCP6      
 	  else if (family == AF_LINK)
@@ -426,11 +422,9 @@ void route_sock(void)
 	       {
 		 del_family = sa->sa_family;
 		 if (del_family == AF_INET)
-		   del_addr.addr.addr4 = ((struct sockaddr_in *)sa)->sin_addr;
-#ifdef HAVE_IPV6
+		   del_addr.addr4 = ((struct sockaddr_in *)sa)->sin_addr;
 		 else if (del_family == AF_INET6)
-		   del_addr.addr.addr6 = ((struct sockaddr_in6 *)sa)->sin6_addr;
-#endif
+		   del_addr.addr6 = ((struct sockaddr_in6 *)sa)->sin6_addr;
 		 else
 		   del_family = 0;
 	       }
--- a/src/cache.c
+++ b/src/cache.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -26,6 +26,8 @@ static union bigname *big_free = NULL;
 static int bignames_left, hash_size;

 static void make_non_terminals(struct crec *source);
+static struct crec *really_insert(char *name, union all_addr *addr, unsigned short class,
+				  time_t now,  unsigned long ttl, unsigned int flags);

 /* type->string mapping: this is also used by the name-hash function as a mixing table. */
 static const struct {
@@ -196,15 +198,20 @@ static void cache_hash(struct crec *crecp)
  *up = crecp;
 }

-#ifdef HAVE_DNSSEC
 static void cache_blockdata_free(struct crec *crecp)
 {
-  if (crecp->flags & F_DNSKEY)
-    blockdata_free(crecp->addr.key.keydata);
-  else if ((crecp->flags & F_DS) && !(crecp->flags & F_NEG))
-    blockdata_free(crecp->addr.ds.keydata);
-}
+  if (!(crecp->flags & F_NEG))
+    {
+      if (crecp->flags & F_SRV)
+	blockdata_free(crecp->addr.srv.target);
+#ifdef HAVE_DNSSEC
+      else if (crecp->flags & F_DNSKEY)
+	blockdata_free(crecp->addr.key.keydata);
+      else if (crecp->flags & F_DS)
+	blockdata_free(crecp->addr.ds.keydata);
 #endif
+    }
+}

 static void cache_free(struct crec *crecp)
 {
@@ -228,9 +235,7 @@ static void cache_free(struct crec *crecp)
      crecp->flags &= ~F_BIGNAME;
    }

-#ifdef HAVE_DNSSEC
  cache_blockdata_free(crecp);
-#endif
 }    

 /* insert a new cache entry at the head of the list (youngest entry) */
@@ -271,10 +276,10 @@ char *cache_get_name(struct crec *crecp)

 char *cache_get_cname_target(struct crec *crecp)
 {
-  if (crecp->addr.cname.uid != SRC_INTERFACE)
+  if (crecp->addr.cname.is_name_ptr)
+     return crecp->addr.cname.target.name;
+  else
    return cache_get_name(crecp->addr.cname.target.cache);
-
-  return crecp->addr.cname.target.int_name->name;
 }


@@ -304,13 +309,13 @@ struct crec *cache_enumerate(int init)

 static int is_outdated_cname_pointer(struct crec *crecp)
 {
-  if (!(crecp->flags & F_CNAME) || crecp->addr.cname.uid == SRC_INTERFACE)
+  if (!(crecp->flags & F_CNAME) || crecp->addr.cname.is_name_ptr)
    return 0;
  
  /* NB. record may be reused as DS or DNSKEY, where uid is 
     overloaded for something completely different */
  if (crecp->addr.cname.target.cache && 
-      (crecp->addr.cname.target.cache->flags & (F_IPV4 | F_IPV6 | F_CNAME)) &&
+      !(crecp->addr.cname.target.cache->flags & (F_DNSKEY | F_DS)) &&
      crecp->addr.cname.uid == crecp->addr.cname.target.cache->uid)
    return 0;
  
@@ -328,8 +333,8 @@ static int is_expired(time_t now, struct crec *crecp)
  return 1;
 }

-static struct crec *cache_scan_free(char *name, struct all_addr *addr, time_t now, unsigned short flags,
-				    struct crec **target_crec, unsigned int *target_uid)
+static struct crec *cache_scan_free(char *name, union all_addr *addr, unsigned short class, time_t now,
+				    unsigned int flags, struct crec **target_crec, unsigned int *target_uid)
 {
  /* Scan and remove old entries.
     If (flags & F_FORWARD) then remove any forward entries for name and any expired
@@ -348,6 +353,8 @@ static struct crec *cache_scan_free(char *name, struct all_addr *addr, time_t no
     This entry will get re-used with the same name, to preserve CNAMEs. */
 
  struct crec *crecp, **up;
+
+  (void)class;
  
  if (flags & F_FORWARD)
    {
@@ -356,7 +363,7 @@ static struct crec *cache_scan_free(char *name, struct all_addr *addr, time_t no
 	  if ((crecp->flags & F_FORWARD) && hostname_isequal(cache_get_name(crecp), name))
 	    {
 	      /* Don't delete DNSSEC in favour of a CNAME, they can co-exist */
-	      if ((flags & crecp->flags & (F_IPV4 | F_IPV6)) || 
+	      if ((flags & crecp->flags & (F_IPV4 | F_IPV6 | F_SRV)) || 
 		  (((crecp->flags | flags) & F_CNAME) && !(crecp->flags & (F_DNSKEY | F_DS))))
 		{
 		  if (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG))
@@ -379,7 +386,7 @@ static struct crec *cache_scan_free(char *name, struct all_addr *addr, time_t no
 	      
 #ifdef HAVE_DNSSEC
 	      /* Deletion has to be class-sensitive for DS and DNSKEY */
-	      if ((flags & crecp->flags & (F_DNSKEY | F_DS)) && crecp->uid == addr->addr.dnssec.class)
+	      if ((flags & crecp->flags & (F_DNSKEY | F_DS)) && crecp->uid == class)
 		{
 		  if (crecp->flags & F_CONFIG)
 		    return crecp;
@@ -408,11 +415,8 @@ static struct crec *cache_scan_free(char *name, struct all_addr *addr, time_t no
  else
    {
      int i;
-#ifdef HAVE_IPV6
      int addrlen = (flags & F_IPV6) ? IN6ADDRSZ : INADDRSZ;
-#else
-      int addrlen = INADDRSZ;
-#endif 
+
      for (i = 0; i < hash_size; i++)
 	for (crecp = hash_table[i], up = &hash_table[i]; 
 	     crecp && ((crecp->flags & F_REVERSE) || !(crecp->flags & F_IMMORTAL));
@@ -429,7 +433,7 @@ static struct crec *cache_scan_free(char *name, struct all_addr *addr, time_t no
 	  else if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) &&
 		   (flags & crecp->flags & F_REVERSE) && 
 		   (flags & crecp->flags & (F_IPV4 | F_IPV6)) &&
-		   memcmp(&crecp->addr.addr, addr, addrlen) == 0)
+		   memcmp(&crecp->addr, addr, addrlen) == 0)
 	    {
 	      *up = crecp->hash_next;
 	      cache_unlink(crecp);
@@ -464,9 +468,40 @@ void cache_start_insert(void)
  new_chain = NULL;
  insert_error = 0;
 }
- 
-struct crec *cache_insert(char *name, struct all_addr *addr, 
-			  time_t now,  unsigned long ttl, unsigned short flags)
+
+struct crec *cache_insert(char *name, union all_addr *addr, unsigned short class,
+			  time_t now,  unsigned long ttl, unsigned int flags)
+{
+#ifdef HAVE_DNSSEC
+  if (flags & (F_DNSKEY | F_DS)) 
+    {
+      /* The DNSSEC validation process works by getting needed records into the
+	 cache, then retrying the validation until they are all in place.
+	 This can be messed up by very short TTLs, and _really_ messed up by
+	 zero TTLs, so we force the TTL to be at least long enough to do a validation.
+	 Ideally, we should use some kind of reference counting so that records are
+	 locked until the validation that asked for them is complete, but this
+	 is much easier, and just as effective. */
+      if (ttl < DNSSEC_MIN_TTL)
+	ttl = DNSSEC_MIN_TTL;
+    }
+  else
+#endif
+    {
+      /* Don't log DNSSEC records here, done elsewhere */
+      log_query(flags | F_UPSTREAM, name, addr, NULL);
+      if (daemon->max_cache_ttl != 0 && daemon->max_cache_ttl < ttl)
+	ttl = daemon->max_cache_ttl;
+      if (daemon->min_cache_ttl != 0 && daemon->min_cache_ttl > ttl)
+	ttl = daemon->min_cache_ttl;
+    }	
+  
+  return really_insert(name, addr, class, now, ttl, flags);
+}
+
+
+static struct crec *really_insert(char *name, union all_addr *addr, unsigned short class,
+				  time_t now,  unsigned long ttl, unsigned int flags)
 {
  struct crec *new, *target_crec = NULL;
  union bigname *big_name = NULL;
@@ -474,42 +509,36 @@ struct crec *cache_insert(char *name, struct all_addr *addr,
  int free_avail = 0;
  unsigned int target_uid;
  
-  /* Don't log DNSSEC records here, done elsewhere */
-  if (flags & (F_IPV4 | F_IPV6 | F_CNAME))
-    {
-      log_query(flags | F_UPSTREAM, name, addr, NULL);
-      /* Don't mess with TTL for DNSSEC records. */
-      if (daemon->max_cache_ttl != 0 && daemon->max_cache_ttl < ttl)
-	ttl = daemon->max_cache_ttl;
-      if (daemon->min_cache_ttl != 0 && daemon->min_cache_ttl > ttl)
-	ttl = daemon->min_cache_ttl;
-    }
-
  /* if previous insertion failed give up now. */
  if (insert_error)
    return NULL;
+
+  /* we don't cache zero-TTL records. */
+  if (ttl == 0)
+    {
+      insert_error = 1;
+      return NULL;
+    }
  
  /* First remove any expired entries and entries for the name/address we
     are currently inserting. */
-  if ((new = cache_scan_free(name, addr, now, flags, &target_crec, &target_uid)))
+  if ((new = cache_scan_free(name, addr, class, now, flags, &target_crec, &target_uid)))
    {
      /* We're trying to insert a record over one from 
 	 /etc/hosts or DHCP, or other config. If the 
-	 existing record is for an A or AAAA and
+	 existing record is for an A or AAAA or CNAME and
 	 the record we're trying to insert is the same, 
 	 just drop the insert, but don't error the whole process. */
      if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD) && addr)
 	{
 	  if ((flags & F_IPV4) && (new->flags & F_IPV4) &&
-	      new->addr.addr.addr.addr4.s_addr == addr->addr.addr4.s_addr)
+	      new->addr.addr4.s_addr == addr->addr4.s_addr)
 	    return new;
-#ifdef HAVE_IPV6
 	  else if ((flags & F_IPV6) && (new->flags & F_IPV6) &&
-		   IN6_ARE_ADDR_EQUAL(&new->addr.addr.addr.addr6, &addr->addr.addr6))
+		   IN6_ARE_ADDR_EQUAL(&new->addr.addr6, &addr->addr6))
 	    return new;
-#endif
 	}
-      
+
      insert_error = 1;
      return NULL;
    }
@@ -549,21 +578,14 @@ struct crec *cache_insert(char *name, struct all_addr *addr,
      
      if (freed_all)
 	{
-	  struct all_addr free_addr = new->addr.addr;;
-	  
-#ifdef HAVE_DNSSEC
-	  /* For DNSSEC records, addr holds class. */
-	  if (new->flags & (F_DS | F_DNSKEY))
-	    free_addr.addr.dnssec.class = new->uid;
-#endif
-	  
+	  /* For DNSSEC records, uid holds class. */
 	  free_avail = 1; /* Must be free space now. */
-	  cache_scan_free(cache_get_name(new), &free_addr, now, new->flags, NULL, NULL);
+	  cache_scan_free(cache_get_name(new), &new->addr, new->uid, now, new->flags, NULL, NULL);
 	  daemon->metrics[METRIC_DNS_CACHE_LIVE_FREED]++;
 	}
      else
 	{
-	  cache_scan_free(NULL, NULL, now, 0, NULL, NULL);
+	  cache_scan_free(NULL, NULL, class, now, 0, NULL, NULL);
 	  freed_all = 1;
 	}
    }
@@ -611,15 +633,13 @@ struct crec *cache_insert(char *name, struct all_addr *addr,
  else
    *cache_get_name(new) = 0;

-  if (addr)
-    {
 #ifdef HAVE_DNSSEC
-      if (flags & (F_DS | F_DNSKEY))
-	new->uid = addr->addr.dnssec.class;
-      else
+  if (flags & (F_DS | F_DNSKEY))
+    new->uid = class;
 #endif
-	new->addr.addr = *addr;	
-    }
+
+  if (addr)
+    new->addr = *addr;	

  new->ttd = now + (time_t)ttl;
  new->next = new_chain;
@@ -645,12 +665,145 @@ void cache_end_insert(void)
 	  cache_hash(new_chain);
 	  cache_link(new_chain);
 	  daemon->metrics[METRIC_DNS_CACHE_INSERTED]++;
+
+	  /* If we're a child process, send this cache entry up the pipe to the master.
+	     The marshalling process is rather nasty. */
+	  if (daemon->pipe_to_parent != -1)
+	    {
+	      char *name = cache_get_name(new_chain);
+	      ssize_t m = strlen(name);
+	      unsigned int flags = new_chain->flags;
+#ifdef HAVE_DNSSEC
+	      u16 class = new_chain->uid;
+#endif
+	      
+	      read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0);
+	      read_write(daemon->pipe_to_parent, (unsigned char *)name, m, 0);
+	      read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->ttd, sizeof(new_chain->ttd), 0);
+	      read_write(daemon->pipe_to_parent, (unsigned  char *)&flags, sizeof(flags), 0);
+
+	      if (flags & (F_IPV4 | F_IPV6 | F_DNSKEY | F_DS | F_SRV))
+		read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr, sizeof(new_chain->addr), 0);
+	      if (flags & F_SRV)
+		{
+		  /* A negative SRV entry is possible and has no data, obviously. */
+		  if (!(flags & F_NEG))
+		    blockdata_write(new_chain->addr.srv.target, new_chain->addr.srv.targetlen, daemon->pipe_to_parent);
+		}
+#ifdef HAVE_DNSSEC
+	      if (flags & F_DNSKEY)
+		{
+		  read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), 0);
+		  blockdata_write(new_chain->addr.key.keydata, new_chain->addr.key.keylen, daemon->pipe_to_parent);
+		}
+	      else if (flags & F_DS)
+		{
+		  read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), 0);
+		  /* A negative DS entry is possible and has no data, obviously. */
+		  if (!(flags & F_NEG))
+		    blockdata_write(new_chain->addr.ds.keydata, new_chain->addr.ds.keylen, daemon->pipe_to_parent);
+		}
+#endif
+	    }
 	}
+      
      new_chain = tmp;
    }
+
+  /* signal end of cache insert in master process */
+  if (daemon->pipe_to_parent != -1)
+    {
+      ssize_t m = -1;
+      read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0);
+    }
+      
  new_chain = NULL;
 }

+
+/* A marshalled cache entry arrives on fd, read, unmarshall and insert into cache of master process. */
+int cache_recv_insert(time_t now, int fd)
+{
+  ssize_t m;
+  union all_addr addr;
+  unsigned long ttl;
+  time_t ttd;
+  unsigned int flags;
+  struct crec *crecp = NULL;
+  
+  cache_start_insert();
+  
+  while(1)
+    {
+ 
+      if (!read_write(fd, (unsigned char *)&m, sizeof(m), 1))
+	return 0;
+      
+      if (m == -1)
+	{
+	  cache_end_insert();
+	  return 1;
+	}
+
+      if (!read_write(fd, (unsigned char *)daemon->namebuff, m, 1) ||
+	  !read_write(fd, (unsigned char *)&ttd, sizeof(ttd), 1) ||
+	  !read_write(fd, (unsigned char *)&flags, sizeof(flags), 1))
+	return 0;
+
+      daemon->namebuff[m] = 0;
+
+      ttl = difftime(ttd, now);
+      
+      if (flags & (F_IPV4 | F_IPV6 | F_DNSKEY | F_DS | F_SRV))
+	{
+	  unsigned short class = C_IN;
+
+	  if (!read_write(fd, (unsigned char *)&addr, sizeof(addr), 1))
+	    return 0;
+
+	  if ((flags & F_SRV) && !(flags & F_NEG) && !(addr.srv.target = blockdata_read(fd, addr.srv.targetlen)))
+	    return 0;
+	
+#ifdef HAVE_DNSSEC
+	   if (flags & F_DNSKEY)
+	     {
+	       if (!read_write(fd, (unsigned char *)&class, sizeof(class), 1) ||
+		   !(addr.key.keydata = blockdata_read(fd, addr.key.keylen)))
+		 return 0;
+	     }
+	   else  if (flags & F_DS)
+	     {
+	        if (!read_write(fd, (unsigned char *)&class, sizeof(class), 1) ||
+		    (!(flags & F_NEG) && !(addr.key.keydata = blockdata_read(fd, addr.key.keylen))))
+		  return 0;
+	     }
+#endif
+	       
+	  crecp = really_insert(daemon->namebuff, &addr, class, now, ttl, flags);
+	}
+      else if (flags & F_CNAME)
+	{
+	  struct crec *newc = really_insert(daemon->namebuff, NULL, C_IN, now, ttl, flags);
+	  /* This relies on the fact that the target of a CNAME immediately precedes
+	     it because of the order of extraction in extract_addresses, and
+	     the order reversal on the new_chain. */
+	  if (newc)
+	    {
+	       newc->addr.cname.is_name_ptr = 0;
+	       
+	       if (!crecp)
+		 newc->addr.cname.target.cache = NULL;
+	       else
+		{
+		  next_uid(crecp);
+		  newc->addr.cname.target.cache = crecp;
+		  newc->addr.cname.uid = crecp->uid;
+		}
+	    }
+	}
+    }
+}
+	
 int cache_find_non_terminal(char *name, time_t now)
 {
  struct crec *crecp;
@@ -659,6 +812,7 @@ int cache_find_non_terminal(char *name, time_t now)
    if (!is_outdated_cname_pointer(crecp) &&
 	!is_expired(now, crecp) &&
 	(crecp->flags & F_FORWARD) &&
+	!(crecp->flags & F_NXDOMAIN) && 
 	hostname_isequal(name, cache_get_name(crecp)))
      return 1;

@@ -679,7 +833,7 @@ struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsi
      /* first search, look for relevant entries and push to top of list
 	 also free anything which has expired */
      struct crec *next, **up, **insert = NULL, **chainp = &ans;
-      unsigned short ins_flags = 0;
+      unsigned int ins_flags = 0;
      
      for (up = hash_bucket(name), crecp = *up; crecp; crecp = next)
 	{
@@ -752,15 +906,11 @@ struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsi
  return NULL;
 }

-struct crec *cache_find_by_addr(struct crec *crecp, struct all_addr *addr, 
+struct crec *cache_find_by_addr(struct crec *crecp, union all_addr *addr, 
 				time_t now, unsigned int prot)
 {
  struct crec *ans;
-#ifdef HAVE_IPV6
  int addrlen = (prot == F_IPV6) ? IN6ADDRSZ : INADDRSZ;
-#else
-  int addrlen = INADDRSZ;
-#endif
  
  if (crecp) /* iterating */
    ans = crecp->next;
@@ -780,7 +930,7 @@ struct crec *cache_find_by_addr(struct crec *crecp, struct all_addr *addr,
 	   if (!is_expired(now, crecp))
 	     {      
 	       if ((crecp->flags & prot) &&
-		   memcmp(&crecp->addr.addr, addr, addrlen) == 0)
+		   memcmp(&crecp->addr, addr, addrlen) == 0)
 		 {	    
 		   if (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG))
 		     {
@@ -811,54 +961,26 @@ struct crec *cache_find_by_addr(struct crec *crecp, struct all_addr *addr,
  if (ans && 
      (ans->flags & F_REVERSE) &&
      (ans->flags & prot) &&
-      memcmp(&ans->addr.addr, addr, addrlen) == 0)
+      memcmp(&ans->addr, addr, addrlen) == 0)
    return ans;
  
  return NULL;
 }

-static void add_hosts_cname(struct crec *target)
-{
-  struct crec *crec;
-  struct cname *a;
-  
-  for (a = daemon->cnames; a; a = a->next)
-    if (a->alias[1] != '*' &&
-	hostname_isequal(cache_get_name(target), a->target) &&
-	(crec = whine_malloc(SIZEOF_POINTER_CREC)))
-      {
-	crec->flags = F_FORWARD | F_IMMORTAL | F_NAMEP | F_CONFIG | F_CNAME;
-	crec->ttd = a->ttl;
-	crec->name.namep = a->alias;
-	crec->addr.cname.target.cache = target;
-	next_uid(target);
-	crec->addr.cname.uid = target->uid;
-	crec->uid = UID_NONE;
-	cache_hash(crec);
-	make_non_terminals(crec);
-	
-	add_hosts_cname(crec); /* handle chains */
-      }
-}
-  
-static void add_hosts_entry(struct crec *cache, struct all_addr *addr, int addrlen, 
+static void add_hosts_entry(struct crec *cache, union all_addr *addr, int addrlen, 
 			    unsigned int index, struct crec **rhash, int hashsz)
 {
  struct crec *lookup = cache_find_by_name(NULL, cache_get_name(cache), 0, cache->flags & (F_IPV4 | F_IPV6));
-  int i, nameexists = 0;
+  int i;
  unsigned int j; 

  /* Remove duplicates in hosts files. */
-  if (lookup && (lookup->flags & F_HOSTS))
+  if (lookup && (lookup->flags & F_HOSTS) && memcmp(&lookup->addr, addr, addrlen) == 0)
    {
-      nameexists = 1;
-      if (memcmp(&lookup->addr.addr, addr, addrlen) == 0)
-	{
-	  free(cache);
-	  return;
-	}
+      free(cache);
+      return;
    }
-  
+    
  /* Ensure there is only one address -> name mapping (first one trumps) 
     We do this by steam here, The entries are kept in hash chains, linked
     by ->next (which is unused at this point) held in hash buckets in
@@ -884,7 +1006,7 @@ static void add_hosts_entry(struct crec *cache, struct all_addr *addr, int addrl
      
      for (lookup = rhash[j]; lookup; lookup = lookup->next)
 	if ((lookup->flags & cache->flags & (F_IPV4 | F_IPV6)) &&
-	    memcmp(&lookup->addr.addr, addr, addrlen) == 0)
+	    memcmp(&lookup->addr, addr, addrlen) == 0)
 	  {
 	    cache->flags &= ~F_REVERSE;
 	    break;
@@ -906,13 +1028,9 @@ static void add_hosts_entry(struct crec *cache, struct all_addr *addr, int addrl
    }

  cache->uid = index;
-  memcpy(&cache->addr.addr, addr, addrlen);  
+  memcpy(&cache->addr, addr, addrlen);  
  cache_hash(cache);
  make_non_terminals(cache);
-  
-  /* don't need to do alias stuff for second and subsequent addresses. */
-  if (!nameexists)
-    add_hosts_cname(cache);
 }

 static int eatspace(FILE *f)
@@ -935,7 +1053,7 @@ static int eatspace(FILE *f)
 	}

      if (c == '\n')
-	nl = 1;
+	nl++;
    }
 }
 	 
@@ -946,7 +1064,7 @@ static int gettok(FILE *f, char *token)
  while (1)
    {
      if ((c = getc(f)) == EOF)
-	return (count == 0) ? EOF : 1;
+	return (count == 0) ? -1 : 1;

      if (isspace(c) || c == '#')
 	{
@@ -966,9 +1084,9 @@ int read_hostsfile(char *filename, unsigned int index, int cache_size, struct cr
 {  
  FILE *f = fopen(filename, "r");
  char *token = daemon->namebuff, *domain_suffix = NULL;
-  int addr_count = 0, name_count = cache_size, lineno = 0;
-  unsigned short flags = 0;
-  struct all_addr addr;
+  int addr_count = 0, name_count = cache_size, lineno = 1;
+  unsigned int flags = 0;
+  union all_addr addr;
  int atnl, addrlen = 0;

  if (!f)
@@ -977,31 +1095,28 @@ int read_hostsfile(char *filename, unsigned int index, int cache_size, struct cr
      return cache_size;
    }
  
-  eatspace(f);
+  lineno += eatspace(f);
  
-  while ((atnl = gettok(f, token)) != EOF)
+  while ((atnl = gettok(f, token)) != -1)
    {
-      lineno++;
-      
      if (inet_pton(AF_INET, token, &addr) > 0)
 	{
 	  flags = F_HOSTS | F_IMMORTAL | F_FORWARD | F_REVERSE | F_IPV4;
 	  addrlen = INADDRSZ;
-	  domain_suffix = get_domain(addr.addr.addr4);
+	  domain_suffix = get_domain(addr.addr4);
 	}
-#ifdef HAVE_IPV6
      else if (inet_pton(AF_INET6, token, &addr) > 0)
 	{
 	  flags = F_HOSTS | F_IMMORTAL | F_FORWARD | F_REVERSE | F_IPV6;
 	  addrlen = IN6ADDRSZ;
-	  domain_suffix = get_domain6(&addr.addr.addr6);
+	  domain_suffix = get_domain6(&addr.addr6);
 	}
-#endif
      else
 	{
 	  my_syslog(LOG_ERR, _("bad address at %s line %d"), filename, lineno); 
 	  while (atnl == 0)
 	    atnl = gettok(f, token);
+	  lineno += atnl;
 	  continue;
 	}
      
@@ -1020,7 +1135,7 @@ int read_hostsfile(char *filename, unsigned int index, int cache_size, struct cr
 	  int fqdn, nomem;
 	  char *canon;
 	  
-	  if ((atnl = gettok(f, token)) == EOF)
+	  if ((atnl = gettok(f, token)) == -1)
 	    break;

 	  fqdn = !!strchr(token, '.');
@@ -1053,6 +1168,8 @@ int read_hostsfile(char *filename, unsigned int index, int cache_size, struct cr
 	  else if (!nomem)
 	    my_syslog(LOG_ERR, _("bad name at %s line %d"), filename, lineno); 
 	}
+
+      lineno += atnl;
    } 

  fclose(f);
@@ -1073,7 +1190,12 @@ void cache_reload(void)
  struct host_record *hr;
  struct name_list *nl;
  struct cname *a;
+  struct crec lrec;
+  struct mx_srv_record *mx;
+  struct txt_record *txt;
  struct interface_name *intr;
+  struct ptr_record *ptr;
+  struct naptr *naptr;
 #ifdef HAVE_DNSSEC
  struct ds_config *ds;
 #endif
@@ -1084,9 +1206,8 @@ void cache_reload(void)
  for (i=0; i<hash_size; i++)
    for (cache = hash_table[i], up = &hash_table[i]; cache; cache = tmp)
      {
-#ifdef HAVE_DNSSEC
 	cache_blockdata_free(cache);
-#endif
+
 	tmp = cache->hash_next;
 	if (cache->flags & (F_HOSTS | F_CONFIG))
 	  {
@@ -1107,24 +1228,21 @@ void cache_reload(void)
 	  up = &cache->hash_next;
      }
  
-  /* Add CNAMEs to interface_names to the cache */
+  /* Add locally-configured CNAMEs to the cache */
  for (a = daemon->cnames; a; a = a->next)
-    for (intr = daemon->int_names; intr; intr = intr->next)
-      if (a->alias[1] != '*' &&
-	  hostname_isequal(a->target, intr->name) &&
-	  ((cache = whine_malloc(SIZEOF_POINTER_CREC))))
-	{
-	  cache->flags = F_FORWARD | F_NAMEP | F_CNAME | F_IMMORTAL | F_CONFIG;
-	  cache->ttd = a->ttl;
-	  cache->name.namep = a->alias;
-	  cache->addr.cname.target.int_name = intr;
-	  cache->addr.cname.uid = SRC_INTERFACE;
-	  cache->uid = UID_NONE;
-	  cache_hash(cache);
-	  make_non_terminals(cache);
-	  add_hosts_cname(cache); /* handle chains */
-	}
-
+    if (a->alias[1] != '*' &&
+	((cache = whine_malloc(SIZEOF_POINTER_CREC))))
+      {
+	cache->flags = F_FORWARD | F_NAMEP | F_CNAME | F_IMMORTAL | F_CONFIG;
+	cache->ttd = a->ttl;
+	cache->name.namep = a->alias;
+	cache->addr.cname.target.name = a->target;
+	cache->addr.cname.is_name_ptr = 1;
+	cache->uid = UID_NONE;
+	cache_hash(cache);
+	make_non_terminals(cache);
+      }
+  
 #ifdef HAVE_DNSSEC
  for (ds = daemon->ds; ds; ds = ds->next)
    if ((cache = whine_malloc(SIZEOF_POINTER_CREC)) &&
@@ -1153,24 +1271,23 @@ void cache_reload(void)
  for (hr = daemon->host_records; hr; hr = hr->next)
    for (nl = hr->names; nl; nl = nl->next)
      {
-	if (hr->addr.s_addr != 0 &&
+	if ((hr->flags & HR_4) &&
 	    (cache = whine_malloc(SIZEOF_POINTER_CREC)))
 	  {
 	    cache->name.namep = nl->name;
 	    cache->ttd = hr->ttl;
 	    cache->flags = F_HOSTS | F_IMMORTAL | F_FORWARD | F_REVERSE | F_IPV4 | F_NAMEP | F_CONFIG;
-	    add_hosts_entry(cache, (struct all_addr *)&hr->addr, INADDRSZ, SRC_CONFIG, (struct crec **)daemon->packet, revhashsz);
+	    add_hosts_entry(cache, (union all_addr *)&hr->addr, INADDRSZ, SRC_CONFIG, (struct crec **)daemon->packet, revhashsz);
 	  }
-#ifdef HAVE_IPV6
-	if (!IN6_IS_ADDR_UNSPECIFIED(&hr->addr6) &&
+
+	if ((hr->flags & HR_6) &&
 	    (cache = whine_malloc(SIZEOF_POINTER_CREC)))
 	  {
 	    cache->name.namep = nl->name;
 	    cache->ttd = hr->ttl;
 	    cache->flags = F_HOSTS | F_IMMORTAL | F_FORWARD | F_REVERSE | F_IPV6 | F_NAMEP | F_CONFIG;
-	    add_hosts_entry(cache, (struct all_addr *)&hr->addr6, IN6ADDRSZ, SRC_CONFIG, (struct crec **)daemon->packet, revhashsz);
+	    add_hosts_entry(cache, (union all_addr *)&hr->addr6, IN6ADDRSZ, SRC_CONFIG, (struct crec **)daemon->packet, revhashsz);
 	  }
-#endif
      }
 	
  if (option_bool(OPT_NO_HOSTS) && !daemon->addn_hosts)
@@ -1188,7 +1305,40 @@ void cache_reload(void)
 	if (!(ah->flags & AH_INACTIVE))
 	  total_size = read_hostsfile(ah->fname, ah->index, total_size, (struct crec **)daemon->packet, revhashsz);
    }
+  
+  /* Make non-terminal records for all locally-define RRs */
+  lrec.flags = F_FORWARD | F_CONFIG | F_NAMEP | F_IMMORTAL;
+  
+  for (txt = daemon->txt; txt; txt = txt->next)
+    {
+      lrec.name.namep = txt->name;
+      make_non_terminals(&lrec);
+    }

+  for (naptr = daemon->naptr; naptr; naptr = naptr->next)
+    {
+      lrec.name.namep = naptr->name;
+      make_non_terminals(&lrec);
+    }
+
+  for (mx = daemon->mxnames; mx; mx = mx->next)
+    {
+      lrec.name.namep = mx->name;
+      make_non_terminals(&lrec);
+    }
+
+  for (intr = daemon->int_names; intr; intr = intr->next)
+    {
+      lrec.name.namep = intr->name;
+      make_non_terminals(&lrec);
+    }
+  
+  for (ptr = daemon->ptr; ptr; ptr = ptr->next)
+    {
+      lrec.name.namep = ptr->name;
+      make_non_terminals(&lrec);
+    }
+  
 #ifdef HAVE_INOTIFY
  set_dynamic_inotify(AH_HOSTS, total_size, (struct crec **)daemon->packet, revhashsz);
 #endif
@@ -1203,7 +1353,7 @@ struct in_addr a_record_from_hosts(char *name, time_t now)
  
  while ((crecp = cache_find_by_name(crecp, name, now, F_IPV4)))
    if (crecp->flags & F_HOSTS)
-      return *(struct in_addr *)&crecp->addr;
+      return crecp->addr.addr4;

  my_syslog(MS_DHCP | LOG_WARNING, _("No IPv4 address found for %s"), name);
  
@@ -1228,54 +1378,19 @@ void cache_unhash_dhcp(void)
 	up = &cache->hash_next;
 }

-static void add_dhcp_cname(struct crec *target, time_t ttd)
-{
-  struct crec *aliasc;
-  struct cname *a;
-  
-  for (a = daemon->cnames; a; a = a->next)
-    if (a->alias[1] != '*' &&
-	hostname_isequal(cache_get_name(target), a->target))
-      {
-	if ((aliasc = dhcp_spare))
-	  dhcp_spare = dhcp_spare->next;
-	else /* need new one */
-	  aliasc = whine_malloc(SIZEOF_POINTER_CREC);
-	
-	if (aliasc)
-	  {
-	    aliasc->flags = F_FORWARD | F_NAMEP | F_DHCP | F_CNAME | F_CONFIG;
-	    if (ttd == 0)
-	      aliasc->flags |= F_IMMORTAL;
-	    else
-	      aliasc->ttd = ttd;
-	    aliasc->name.namep = a->alias;
-	    aliasc->addr.cname.target.cache = target;
-	    next_uid(target);
-	    aliasc->addr.cname.uid = target->uid;
-	    aliasc->uid = UID_NONE;
-	    cache_hash(aliasc);
-	    make_non_terminals(aliasc);
-	    add_dhcp_cname(aliasc, ttd);
-	  }
-      }
-}
-
 void cache_add_dhcp_entry(char *host_name, int prot,
-			  struct all_addr *host_address, time_t ttd) 
+			  union all_addr *host_address, time_t ttd) 
 {
  struct crec *crec = NULL, *fail_crec = NULL;
-  unsigned short flags = F_IPV4;
+  unsigned int flags = F_IPV4;
  int in_hosts = 0;
  size_t addrlen = sizeof(struct in_addr);

-#ifdef HAVE_IPV6
  if (prot == AF_INET6)
    {
      flags = F_IPV6;
      addrlen = sizeof(struct in6_addr);
    }
-#endif
  
  inet_ntop(prot, host_address, daemon->addrbuff, ADDRSTRLEN);
  
@@ -1288,14 +1403,14 @@ void cache_add_dhcp_entry(char *host_name, int prot,
 	    my_syslog(MS_DHCP | LOG_WARNING, 
 		      _("%s is a CNAME, not giving it to the DHCP lease of %s"),
 		      host_name, daemon->addrbuff);
-	  else if (memcmp(&crec->addr.addr, host_address, addrlen) == 0)
+	  else if (memcmp(&crec->addr, host_address, addrlen) == 0)
 	    in_hosts = 1;
 	  else
 	    fail_crec = crec;
 	}
      else if (!(crec->flags & F_DHCP))
 	{
-	  cache_scan_free(host_name, NULL, 0, crec->flags & (flags | F_CNAME | F_FORWARD), NULL, NULL);
+	  cache_scan_free(host_name, NULL, C_IN, 0, crec->flags & (flags | F_CNAME | F_FORWARD), NULL, NULL);
 	  /* scan_free deletes all addresses associated with name */
 	  break;
 	}
@@ -1308,7 +1423,7 @@ void cache_add_dhcp_entry(char *host_name, int prot,
  /* Name in hosts, address doesn't match */
  if (fail_crec)
    {
-      inet_ntop(prot, &fail_crec->addr.addr, daemon->namebuff, MAXDNAME);
+      inet_ntop(prot, &fail_crec->addr, daemon->namebuff, MAXDNAME);
      my_syslog(MS_DHCP | LOG_WARNING, 
 		_("not giving name %s to the DHCP lease of %s because "
 		  "the name exists in %s with address %s"), 
@@ -1317,12 +1432,12 @@ void cache_add_dhcp_entry(char *host_name, int prot,
      return;
    }	  
  
-  if ((crec = cache_find_by_addr(NULL, (struct all_addr *)host_address, 0, flags)))
+  if ((crec = cache_find_by_addr(NULL, (union all_addr *)host_address, 0, flags)))
    {
      if (crec->flags & F_NEG)
 	{
 	  flags |= F_REVERSE;
-	  cache_scan_free(NULL, (struct all_addr *)host_address, 0, flags, NULL, NULL);
+	  cache_scan_free(NULL, (union all_addr *)host_address, C_IN, 0, flags, NULL, NULL);
 	}
    }
  else
@@ -1340,13 +1455,11 @@ void cache_add_dhcp_entry(char *host_name, int prot,
 	crec->flags |= F_IMMORTAL;
      else
 	crec->ttd = ttd;
-      crec->addr.addr = *host_address;
+      crec->addr = *host_address;
      crec->name.namep = host_name;
      crec->uid = UID_NONE;
      cache_hash(crec);
      make_non_terminals(crec);
-
-      add_dhcp_cname(crec, ttd);
    }
 }
 #endif
@@ -1378,7 +1491,7 @@ static void make_non_terminals(struct crec *source)
      if (!is_outdated_cname_pointer(crecp) &&
 	  (crecp->flags & F_FORWARD) &&
 	  (crecp->flags & type) &&
-	  !(crecp->flags & (F_IPV4 | F_IPV6 | F_CNAME | F_DNSKEY | F_DS)) && 
+	  !(crecp->flags & (F_IPV4 | F_IPV6 | F_CNAME | F_SRV | F_DNSKEY | F_DS)) && 
 	  hostname_isequal(name, cache_get_name(crecp)))
 	{
 	  *up = crecp->hash_next;
@@ -1435,7 +1548,7 @@ static void make_non_terminals(struct crec *source)

      if (crecp)
 	{
-	  crecp->flags = (source->flags | F_NAMEP) & ~(F_IPV4 | F_IPV6 | F_CNAME | F_DNSKEY | F_DS | F_REVERSE);
+	  crecp->flags = (source->flags | F_NAMEP) & ~(F_IPV4 | F_IPV6 | F_CNAME | F_SRV | F_DNSKEY | F_DS | F_REVERSE);
 	  crecp->ttd = source->ttd;
 	  crecp->name.namep = name;
 	  
@@ -1568,9 +1681,8 @@ void dump_cache(time_t now)
 #ifdef HAVE_AUTH
  my_syslog(LOG_INFO, _("queries for authoritative zones %u"), daemon->metrics[METRIC_DNS_AUTH_ANSWERED]);
 #endif
-#ifdef HAVE_DNSSEC
+
  blockdata_report();
-#endif

  /* sum counts from different records for same server */
  for (serv = daemon->servers; serv; serv = serv->next)
@@ -1612,6 +1724,17 @@ void dump_cache(time_t now)
 	    p += sprintf(p, "%-30.30s ", sanitise(n));
 	    if ((cache->flags & F_CNAME) && !is_outdated_cname_pointer(cache))
 	      a = sanitise(cache_get_cname_target(cache));
+	    else if ((cache->flags & F_SRV) && !(cache->flags & F_NEG))
+	      {
+		int targetlen = cache->addr.srv.targetlen;
+		ssize_t len = sprintf(a, "%u %u %u ", cache->addr.srv.priority,
+				      cache->addr.srv.weight, cache->addr.srv.srvport);
+
+		if (targetlen > (40 - len))
+		  targetlen = 40 - len;
+		blockdata_retrieve(cache->addr.srv.target, targetlen, a + len);
+		a[len + targetlen] = 0;		
+	      }
 #ifdef HAVE_DNSSEC
 	    else if (cache->flags & F_DS)
 	      {
@@ -1627,11 +1750,9 @@ void dump_cache(time_t now)
 	      { 
 		a = daemon->addrbuff;
 		if (cache->flags & F_IPV4)
-		  inet_ntop(AF_INET, &cache->addr.addr, a, ADDRSTRLEN);
-#ifdef HAVE_IPV6
+		  inet_ntop(AF_INET, &cache->addr, a, ADDRSTRLEN);
 		else if (cache->flags & F_IPV6)
-		  inet_ntop(AF_INET6, &cache->addr.addr, a, ADDRSTRLEN);
-#endif
+		  inet_ntop(AF_INET6, &cache->addr, a, ADDRSTRLEN);
 	      }

 	    if (cache->flags & F_IPV4)
@@ -1640,6 +1761,8 @@ void dump_cache(time_t now)
 	      t = "6";
 	    else if (cache->flags & F_CNAME)
 	      t = "C";
+	    else if (cache->flags & F_SRV)
+	      t = "V";
 #ifdef HAVE_DNSSEC
 	    else if (cache->flags & F_DS)
 	      t = "S";
@@ -1744,7 +1867,7 @@ char *querystr(char *desc, unsigned short type)
  return buff ? buff : "";
 }

-void log_query(unsigned int flags, char *name, struct all_addr *addr, char *arg)
+void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg)
 {
  char *source, *dest = daemon->addrbuff;
  char *verb = "is";
@@ -1757,10 +1880,10 @@ void log_query(unsigned int flags, char *name, struct all_addr *addr, char *arg)
  if (addr)
    {
      if (flags & F_KEYTAG)
-	sprintf(daemon->addrbuff, arg, addr->addr.log.keytag, addr->addr.log.algo, addr->addr.log.digest);
+	sprintf(daemon->addrbuff, arg, addr->log.keytag, addr->log.algo, addr->log.digest);
      else if (flags & F_RCODE)
 	{
-	  unsigned int rcode = addr->addr.rcode.rcode;
+	  unsigned int rcode = addr->log.rcode;

 	   if (rcode == SERVFAIL)
 	     dest = "SERVFAIL";
@@ -1772,14 +1895,9 @@ void log_query(unsigned int flags, char *name, struct all_addr *addr, char *arg)
 	     sprintf(daemon->addrbuff, "%u", rcode);
 	}
      else
-	{
-#ifdef HAVE_IPV6
-	  inet_ntop(flags & F_IPV4 ? AF_INET : AF_INET6,
-		    addr, daemon->addrbuff, ADDRSTRLEN);
-#else
-	  strncpy(daemon->addrbuff, inet_ntoa(addr->addr.addr4), ADDRSTRLEN);  
-#endif
-	}
+	inet_ntop(flags & F_IPV4 ? AF_INET : AF_INET6,
+		  addr, daemon->addrbuff, ADDRSTRLEN);
+      
    }
  else
    dest = arg;
@@ -1806,6 +1924,8 @@ void log_query(unsigned int flags, char *name, struct all_addr *addr, char *arg)
    }
  else if (flags & F_CNAME)
    dest = "<CNAME>";
+  else if (flags & F_SRV)
+    dest = "<SRV>";
  else if (flags & F_RRNAME)
    dest = arg;
    
--- a/src/config.h
+++ b/src/config.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -40,9 +40,11 @@
 #define DHCP_PACKET_MAX 16384 /* hard limit on DHCP packet size */
 #define SMALLDNAME 50 /* most domain names are smaller than this */
 #define CNAME_CHAIN 10 /* chains longer than this atr dropped for loop protection */
+#define DNSSEC_MIN_TTL 60 /* DNSKEY and DS records in cache last at least this long */
 #define HOSTSFILE "/etc/hosts"
 #define ETHERSFILE "/etc/ethers"
-#define DEFLEASE 3600 /* default lease time, 1 hour */
+#define DEFLEASE 3600 /* default DHCPv4 lease time, one hour */
+#define DEFLEASE6 (3600*24) /* default lease time for DHCPv6. One day. */
 #define CHUSER "nobody"
 #define CHGRP "dip"
 #define TFTP_MAX_CONNECTIONS 50 /* max simultaneous connections */
@@ -50,6 +52,7 @@
 #define RANDFILE "/dev/urandom"
 #define DNSMASQ_SERVICE "uk.org.thekelleys.dnsmasq" /* Default - may be overridden by config */
 #define DNSMASQ_PATH "/uk/org/thekelleys/dnsmasq"
+#define DNSMASQ_UBUS_NAME "dnsmasq" /* Default - may be overridden by config */
 #define AUTH_TTL 600 /* default TTL for auth DNS */
 #define SOA_REFRESH 1200 /* SOA refresh default */
 #define SOA_RETRY 180 /* SOA retry default */
@@ -117,6 +120,9 @@ HAVE_AUTH
   define this to include the facility to act as an authoritative DNS
   server for one or more zones.

+HAVE_NETTLEHASH
+   include just hash function from nettle, but no DNSSEC.
+
 HAVE_DNSSEC
   include DNSSEC validator.

@@ -131,7 +137,6 @@ HAVE_INOTIFY

 NO_ID
   Don't report *.bind CHAOS info to clients, forward such requests upstream instead.
-NO_IPV6
 NO_TFTP
 NO_DHCP
 NO_DHCP6
@@ -141,8 +146,8 @@ NO_AUTH
 NO_DUMPFILE
 NO_INOTIFY
   these are available to explicitly disable compile time options which would 
-   otherwise be enabled automatically (HAVE_IPV6, >2Gb file sizes) or 
-   which are enabled  by default in the distributed source tree. Building dnsmasq
+   otherwise be enabled automatically or which are enabled  by default 
+   in the distributed source tree. Building dnsmasq
   with something like "make COPTS=-DNO_SCRIPT" will do the trick.
 NO_GMP
   Don't use and link against libgmp, Useful if nettle is built with --enable-mini-gmp.
@@ -185,6 +190,7 @@ RESOLVFILE
 /* #define HAVE_IDN */
 /* #define HAVE_LIBIDN2 */
 /* #define HAVE_CONNTRACK */
+/* #define HAVE_NETTLEHASH */
 /* #define HAVE_DNSSEC */


@@ -240,27 +246,13 @@ HAVE_SOCKADDR_SA_LEN
   defined if struct sockaddr has sa_len field (*BSD) 
 */

-/* Must precede __linux__ since uClinux defines __linux__ too. */
-#if defined(__uClinux__)
-#define HAVE_LINUX_NETWORK
-#define HAVE_GETOPT_LONG
-#undef HAVE_SOCKADDR_SA_LEN
-/* Never use fork() on uClinux. Note that this is subtly different from the
-   --keep-in-foreground option, since it also  suppresses forking new 
-   processes for TCP connections and disables the call-a-script on leasechange
-   system. It's intended for use on MMU-less kernels. */
-#define NO_FORK
-
-#elif defined(__UCLIBC__)
+#if defined(__UCLIBC__)
 #define HAVE_LINUX_NETWORK
 #if defined(__UCLIBC_HAS_GNU_GETOPT__) || \
   ((__UCLIBC_MAJOR__==0) && (__UCLIBC_MINOR__==9) && (__UCLIBC_SUBLEVEL__<21))
 #    define HAVE_GETOPT_LONG
 #endif
 #undef HAVE_SOCKADDR_SA_LEN
-#if !defined(__ARCH_HAS_MMU__) && !defined(__UCLIBC_HAS_MMU__)
-#  define NO_FORK
-#endif
 #if defined(__UCLIBC_HAS_IPV6__)
 #  ifndef IPV6_V6ONLY
 #    define IPV6_V6ONLY 26
@@ -288,11 +280,16 @@ HAVE_SOCKADDR_SA_LEN
 #define HAVE_BSD_NETWORK
 #define HAVE_GETOPT_LONG
 #define HAVE_SOCKADDR_SA_LEN
+#define NO_IPSET
 /* Define before sys/socket.h is included so we get socklen_t */
 #define _BSD_SOCKLEN_T_
 /* Select the RFC_3542 version of the IPv6 socket API. 
   Define before netinet6/in6.h is included. */
-#define __APPLE_USE_RFC_3542 
+#define __APPLE_USE_RFC_3542
+/* Required for Mojave. */
+#ifndef SOL_TCP
+#  define SOL_TCP IPPROTO_TCP
+#endif
 #define NO_IPSET

 #elif defined(__NetBSD__)
@@ -308,29 +305,9 @@ HAVE_SOCKADDR_SA_LEN
 
 #endif

-/* Decide if we're going to support IPv6 */
-/* We assume that systems which don't have IPv6
-   headers don't have ntop and pton either */
-
-#if defined(INET6_ADDRSTRLEN) && defined(IPV6_V6ONLY)
-#  define HAVE_IPV6
-#  define ADDRSTRLEN INET6_ADDRSTRLEN
-#else
-#  if !defined(INET_ADDRSTRLEN)
-#      define INET_ADDRSTRLEN 16 /* 4*3 + 3 dots + NULL */
-#  endif
-#  undef HAVE_IPV6
-#  define ADDRSTRLEN INET_ADDRSTRLEN
-#endif
-
-
 /* rules to implement compile-time option dependencies and 
   the NO_XXX flags */

-#ifdef NO_IPV6
-#undef HAVE_IPV6
-#endif
-
 #ifdef NO_TFTP
 #undef HAVE_TFTP
 #endif
@@ -340,7 +317,7 @@ HAVE_SOCKADDR_SA_LEN
 #undef HAVE_DHCP6
 #endif

-#if defined(NO_DHCP6) || !defined(HAVE_IPV6)
+#if defined(NO_DHCP6)
 #undef HAVE_DHCP6
 #endif

@@ -349,7 +326,7 @@ HAVE_SOCKADDR_SA_LEN
 #define HAVE_DHCP
 #endif

-#if defined(NO_SCRIPT) || defined(NO_FORK)
+#if defined(NO_SCRIPT)
 #undef HAVE_SCRIPT
 #undef HAVE_LUASCRIPT
 #endif
@@ -385,9 +362,6 @@ HAVE_SOCKADDR_SA_LEN
 #ifdef DNSMASQ_COMPILE_OPTS

 static char *compile_opts = 
-#ifndef HAVE_IPV6
-"no-"
-#endif
 "IPv6 "
 #ifndef HAVE_GETOPT_LONG
 "no-"
@@ -396,13 +370,14 @@ static char *compile_opts =
 #ifdef HAVE_BROKEN_RTC
 "no-RTC "
 #endif
-#ifdef NO_FORK
-"no-MMU "
-#endif
 #ifndef HAVE_DBUS
 "no-"
 #endif
 "DBus "
+#ifndef HAVE_UBUS
+"no-"
+#endif
+"UBus "
 #ifndef LOCALEDIR
 "no-"
 #endif
@@ -449,6 +424,10 @@ static char *compile_opts =
 "no-"
 #endif
 "auth "
+#if !defined(HAVE_NETTLEHASH) && !defined(HAVE_DNSSEC)
+"no-"
+#endif
+"nettlehash "
 #ifndef HAVE_DNSSEC
 "no-"
 #endif
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,7 +24,7 @@ static int gotit = 0; /* yuck */

 static int callback(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data);

-int get_incoming_mark(union mysockaddr *peer_addr, struct all_addr *local_addr, int istcp, unsigned int *markp)
+int get_incoming_mark(union mysockaddr *peer_addr, union all_addr *local_addr, int istcp, unsigned int *markp)
 {
  struct nf_conntrack *ct;
  struct nfct_handle *h;
@@ -36,21 +36,19 @@ int get_incoming_mark(union mysockaddr *peer_addr, struct all_addr *local_addr,
      nfct_set_attr_u8(ct, ATTR_L4PROTO, istcp ? IPPROTO_TCP : IPPROTO_UDP);
      nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(daemon->port));
      
-#ifdef HAVE_IPV6
      if (peer_addr->sa.sa_family == AF_INET6)
 	{
 	  nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET6);
 	  nfct_set_attr(ct, ATTR_IPV6_SRC, peer_addr->in6.sin6_addr.s6_addr);
 	  nfct_set_attr_u16(ct, ATTR_PORT_SRC, peer_addr->in6.sin6_port);
-	  nfct_set_attr(ct, ATTR_IPV6_DST, local_addr->addr.addr6.s6_addr);
+	  nfct_set_attr(ct, ATTR_IPV6_DST, local_addr->addr6.s6_addr);
 	}
      else
-#endif
 	{
 	  nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET);
 	  nfct_set_attr_u32(ct, ATTR_IPV4_SRC, peer_addr->in.sin_addr.s_addr);
 	  nfct_set_attr_u16(ct, ATTR_PORT_SRC, peer_addr->in.sin_port);
-	  nfct_set_attr_u32(ct, ATTR_IPV4_DST, local_addr->addr.addr4.s_addr);
+	  nfct_set_attr_u32(ct, ATTR_IPV4_DST, local_addr->addr4.s_addr);
 	}
      
      
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -19,10 +19,15 @@
 #ifdef HAVE_DNSSEC

 #include <nettle/rsa.h>
-#include <nettle/dsa.h>
 #include <nettle/ecdsa.h>
 #include <nettle/ecc-curve.h>
 #include <nettle/eddsa.h>
+#if NETTLE_VERSION_MAJOR == 3 && NETTLE_VERSION_MINOR >= 6
+#  include <nettle/gostdsa.h>
+#endif
+#endif
+
+#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
 #include <nettle/nettle-meta.h>
 #include <nettle/bignum.h>

@@ -165,6 +170,10 @@ int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **diges

  return 1;
 }
+
+#endif
+
+#ifdef HAVE_DNSSEC
  
 static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
 			      unsigned char *digest, size_t digest_len, int algo)
@@ -207,8 +216,6 @@ static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len,
  
  switch (algo)
    {
-    case 1:
-      return nettle_rsa_md5_verify_digest(key, digest, sig_mpz);
    case 5: case 7:
      return nettle_rsa_sha1_verify_digest(key, digest, sig_mpz);
    case 8:
@@ -220,50 +227,6 @@ static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len,
  return 0;
 }  

-static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
-			      unsigned char *digest, size_t digest_len, int algo)
-{
-  unsigned char *p;
-  unsigned int t;
-
-  static mpz_t y;
-  static struct dsa_params *params = NULL;
-  static struct dsa_signature *sig_struct;
-  
-  (void)digest_len;
-
-  if (params == NULL)
-    {
-      if (!(sig_struct = whine_malloc(sizeof(struct dsa_signature))) || 
-	  !(params = whine_malloc(sizeof(struct dsa_params)))) 
-	return 0;
-      
-      mpz_init(y);
-      nettle_dsa_params_init(params);
-      nettle_dsa_signature_init(sig_struct);
-    }
-  
-  if ((sig_len < 41) || !(p = blockdata_retrieve(key_data, key_len, NULL)))
-    return 0;
-  
-  t = *p++;
-  
-  if (key_len < (213 + (t * 24)))
-    return 0;
-  
-  mpz_import(params->q, 20, 1, 1, 0, 0, p); p += 20;
-  mpz_import(params->p, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
-  mpz_import(params->g, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
-  mpz_import(y, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
-  
-  mpz_import(sig_struct->r, 20, 1, 1, 0, 0, sig+1);
-  mpz_import(sig_struct->s, 20, 1, 1, 0, 0, sig+21);
-  
-  (void)algo;
-  
-  return nettle_dsa_verify(params, y, digest_len, digest, sig_struct);
-} 
- 
 static int dnsmasq_ecdsa_verify(struct blockdata *key_data, unsigned int key_len, 
 				unsigned char *sig, size_t sig_len,
 				unsigned char *digest, size_t digest_len, int algo)
@@ -275,6 +238,10 @@ static int dnsmasq_ecdsa_verify(struct blockdata *key_data, unsigned int key_len
  static struct ecc_point *key_256 = NULL, *key_384 = NULL;
  static mpz_t x, y;
  static struct dsa_signature *sig_struct;
+#if NETTLE_VERSION_MAJOR == 3 && NETTLE_VERSION_MINOR < 4
+#define nettle_get_secp_256r1() (&nettle_secp_256r1)
+#define nettle_get_secp_384r1() (&nettle_secp_384r1)
+#endif
  
  if (!sig_struct)
    {
@@ -294,7 +261,7 @@ static int dnsmasq_ecdsa_verify(struct blockdata *key_data, unsigned int key_len
 	  if (!(key_256 = whine_malloc(sizeof(struct ecc_point))))
 	    return 0;
 	  
-	  nettle_ecc_point_init(key_256, &nettle_secp_256r1);
+	  nettle_ecc_point_init(key_256, nettle_get_secp_256r1());
 	}
      
      key = key_256;
@@ -307,7 +274,7 @@ static int dnsmasq_ecdsa_verify(struct blockdata *key_data, unsigned int key_len
 	  if (!(key_384 = whine_malloc(sizeof(struct ecc_point))))
 	    return 0;
 	  
-	  nettle_ecc_point_init(key_384, &nettle_secp_384r1);
+	  nettle_ecc_point_init(key_384, nettle_get_secp_384r1());
 	}
      
      key = key_384;
@@ -334,15 +301,54 @@ static int dnsmasq_ecdsa_verify(struct blockdata *key_data, unsigned int key_len
  return nettle_ecdsa_verify(key, digest_len, digest, sig_struct);
 }

+#if NETTLE_VERSION_MAJOR == 3 && NETTLE_VERSION_MINOR >= 6
+static int dnsmasq_gostdsa_verify(struct blockdata *key_data, unsigned int key_len, 
+				  unsigned char *sig, size_t sig_len,
+				  unsigned char *digest, size_t digest_len, int algo)
+{
+  unsigned char *p;
+  
+  static struct ecc_point *gost_key = NULL;
+  static mpz_t x, y;
+  static struct dsa_signature *sig_struct;
+
+  if (algo != 12 ||
+      sig_len != 64 || key_len != 64 ||
+      !(p = blockdata_retrieve(key_data, key_len, NULL)))
+    return 0;
+  
+  if (!sig_struct)
+    {
+      if (!(sig_struct = whine_malloc(sizeof(struct dsa_signature))) ||
+	  !(gost_key = whine_malloc(sizeof(struct ecc_point))))
+	return 0;
+      
+      nettle_dsa_signature_init(sig_struct);
+      nettle_ecc_point_init(gost_key, nettle_get_gost_gc256b());
+      mpz_init(x);
+      mpz_init(y);
+    }
+    
+  mpz_import(x, 32 , 1, 1, 0, 0, p);
+  mpz_import(y, 32 , 1, 1, 0, 0, p + 32);
+
+  if (!ecc_point_set(gost_key, x, y))
+    return 0;
+  
+  mpz_import(sig_struct->r, 32, 1, 1, 0, 0, sig);
+  mpz_import(sig_struct->s, 32, 1, 1, 0, 0, sig + 32);
+  
+  return nettle_gostdsa_verify(gost_key, digest_len, digest, sig_struct);
+}
+#endif
+
 static int dnsmasq_eddsa_verify(struct blockdata *key_data, unsigned int key_len, 
 				unsigned char *sig, size_t sig_len,
 				unsigned char *digest, size_t digest_len, int algo)
 {
  unsigned char *p;
   
-  if (key_len != ED25519_KEY_SIZE ||
-      sig_len != ED25519_SIGNATURE_SIZE ||
-      digest_len != sizeof(struct null_hash_digest) ||
+  if (digest_len != sizeof(struct null_hash_digest) ||
      !(p = blockdata_retrieve(key_data, key_len, NULL)))
    return 0;
  
@@ -353,13 +359,27 @@ static int dnsmasq_eddsa_verify(struct blockdata *key_data, unsigned int key_len
  switch (algo)
    {
    case 15:
+      if (key_len != ED25519_KEY_SIZE ||
+	  sig_len != ED25519_SIGNATURE_SIZE)
+	return 0;
+
      return ed25519_sha512_verify(p,
 				   ((struct null_hash_digest *)digest)->len,
 				   ((struct null_hash_digest *)digest)->buff,
 				   sig);
+      
+#if NETTLE_VERSION_MAJOR == 3 && NETTLE_VERSION_MINOR >= 6
    case 16:
-      /* Ed448 when available */
-      return 0;
+      if (key_len != ED448_KEY_SIZE ||
+	  sig_len != ED448_SIGNATURE_SIZE)
+	return 0;
+
+      return ed448_shake256_verify(p,
+				   ((struct null_hash_digest *)digest)->len,
+				   ((struct null_hash_digest *)digest)->buff,
+				   sig);
+#endif
+
    }

  return 0;
@@ -369,19 +389,21 @@ static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key
 			     unsigned char *digest, size_t digest_len, int algo)
 {
    
-  /* Enure at runtime that we have support for this digest */
+  /* Ensure at runtime that we have support for this digest */
  if (!hash_find(algo_digest_name(algo)))
    return NULL;
  
  /* This switch defines which sig algorithms we support, can't introspect Nettle for that. */
  switch (algo)
    {
-    case 1: case 5: case 7: case 8: case 10:
+    case 5: case 7: case 8: case 10:
      return dnsmasq_rsa_verify;
+
+#if NETTLE_VERSION_MAJOR == 3 && NETTLE_VERSION_MINOR >= 6
+    case 12:
+      return dnsmasq_gostdsa_verify;
+#endif
      
-    case 3: case 6: 
-      return dnsmasq_dsa_verify;
-    
    case 13: case 14:
      return dnsmasq_ecdsa_verify;

@@ -432,17 +454,17 @@ char *algo_digest_name(int algo)
    {
    case 1: return NULL;          /* RSA/MD5 - Must Not Implement.  RFC 6944 para 2.3. */
    case 2: return NULL;          /* Diffie-Hellman */
-    case 3: return "sha1";        /* DSA/SHA1 */ 
+    case 3: return NULL; ;        /* DSA/SHA1 - Must Not Implement. RFC 8624 section 3.1 */ 
    case 5: return "sha1";        /* RSA/SHA1 */
-    case 6: return "sha1";        /* DSA-NSEC3-SHA1 */
+    case 6: return NULL;          /* DSA-NSEC3-SHA1 - Must Not Implement. RFC 8624 section 3.1 */
    case 7: return "sha1";        /* RSASHA1-NSEC3-SHA1 */
    case 8: return "sha256";      /* RSA/SHA-256 */
    case 10: return "sha512";     /* RSA/SHA-512 */
-    case 12: return NULL;         /* ECC-GOST */
+    case 12: return "gosthash94"; /* ECC-GOST */
    case 13: return "sha256";     /* ECDSAP256SHA256 */
    case 14: return "sha384";     /* ECDSAP384SHA384 */ 	
    case 15: return "null_hash";  /* ED25519 */
-    case 16: return NULL;         /* ED448 */
+    case 16: return "null_hash";  /* ED448 */
    default: return NULL;
    }
 }
--- a/src/dbus.c
+++ b/src/dbus.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -185,9 +185,6 @@ static void dbus_read_servers(DBusMessage *message)
 		}
 	    }

-#ifndef HAVE_IPV6
-	  my_syslog(LOG_WARNING, _("attempt to set an IPv6 server address via DBus - no IPv6 support"));
-#else
 	  if (i == sizeof(struct in6_addr))
 	    {
 	      memcpy(&addr.in6.sin6_addr, p, sizeof(struct in6_addr));
@@ -202,7 +199,6 @@ static void dbus_read_servers(DBusMessage *message)
              source_addr.in6.sin6_port = htons(daemon->query_port);
 	      skip = 0;
 	    }
-#endif
 	}
      else
 	/* At the end */
@@ -241,7 +237,7 @@ static DBusMessage *dbus_reply_server_loop(DBusMessage *message)
  for (serv = daemon->servers; serv; serv = serv->next)
    if (serv->flags & SERV_LOOP)
      {
-	prettyprint_addr(&serv->addr, daemon->addrbuff);
+	(void)prettyprint_addr(&serv->addr, daemon->addrbuff);
 	dbus_message_iter_append_basic (&args_iter, DBUS_TYPE_STRING, &daemon->addrbuff);
      }
  
@@ -460,7 +456,7 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)
  int clid_len, hostname_len, hw_len, hw_type;
  dbus_uint32_t expires, ia_id;
  dbus_bool_t is_temporary;
-  struct all_addr addr;
+  union all_addr addr;
  time_t now = dnsmasq_time();
  unsigned char dhcp_chaddr[DHCP_CHADDR_MAX];

@@ -530,20 +526,20 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)

  dbus_message_iter_get_basic(&iter, &is_temporary);

-  if (inet_pton(AF_INET, ipaddr, &addr.addr.addr4))
+  if (inet_pton(AF_INET, ipaddr, &addr.addr4))
    {
      if (ia_id != 0 || is_temporary)
 	return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS,
 				      "ia_id and is_temporary must be zero for IPv4 lease");
      
-      if (!(lease = lease_find_by_addr(addr.addr.addr4)))
-    	lease = lease4_allocate(addr.addr.addr4);
+      if (!(lease = lease_find_by_addr(addr.addr4)))
+    	lease = lease4_allocate(addr.addr4);
    }
 #ifdef HAVE_DHCP6
-  else if (inet_pton(AF_INET6, ipaddr, &addr.addr.addr6))
+  else if (inet_pton(AF_INET6, ipaddr, &addr.addr6))
    {
-      if (!(lease = lease6_find_by_addr(&addr.addr.addr6, 128, 0)))
-	lease = lease6_allocate(&addr.addr.addr6,
+      if (!(lease = lease6_find_by_addr(&addr.addr6, 128, 0)))
+	lease = lease6_allocate(&addr.addr6,
 				is_temporary ? LEASE_TA : LEASE_NA);
      lease_set_iaid(lease, ia_id);
    }
@@ -574,7 +570,7 @@ static DBusMessage *dbus_del_lease(DBusMessage* message)
  DBusMessageIter iter;
  const char *ipaddr;
  DBusMessage *reply;
-  struct all_addr addr;
+  union all_addr addr;
  dbus_bool_t ret = 1;
  time_t now = dnsmasq_time();

@@ -588,11 +584,11 @@ static DBusMessage *dbus_del_lease(DBusMessage* message)
   
  dbus_message_iter_get_basic(&iter, &ipaddr);

-  if (inet_pton(AF_INET, ipaddr, &addr.addr.addr4))
-    lease = lease_find_by_addr(addr.addr.addr4);
+  if (inet_pton(AF_INET, ipaddr, &addr.addr4))
+    lease = lease_find_by_addr(addr.addr4);
 #ifdef HAVE_DHCP6
-  else if (inet_pton(AF_INET6, ipaddr, &addr.addr.addr6))
-    lease = lease6_find_by_addr(&addr.addr.addr6, 128, 0);
+  else if (inet_pton(AF_INET6, ipaddr, &addr.addr6))
+    lease = lease6_find_by_addr(&addr.addr6, 128, 0);
 #endif
  else
    return dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
--- a/src/dhcp-common.c
+++ b/src/dhcp-common.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -38,7 +38,7 @@ void dhcp_common_init(void)

 ssize_t recv_dhcp_packet(int fd, struct msghdr *msg)
 {  
-  ssize_t sz;
+  ssize_t sz, new_sz;
 
  while (1)
    {
@@ -65,9 +65,18 @@ ssize_t recv_dhcp_packet(int fd, struct msghdr *msg)
 	}
    }
  
-  while ((sz = recvmsg(fd, msg, 0)) == -1 && errno == EINTR);
+  while ((new_sz = recvmsg(fd, msg, 0)) == -1 && errno == EINTR);
+
+  /* Some kernels seem to ignore MSG_PEEK, and dequeue the packet anyway. 
+     If that happens we get EAGAIN here because the socket is non-blocking.
+     Use the result of the original testing recvmsg as long as the buffer
+     was big enough. There's a small race here that may lose the odd packet,
+     but it's UDP anyway. */
  
-  return (msg->msg_flags & MSG_TRUNC) ? -1 : sz;
+  if (new_sz == -1 && (errno == EWOULDBLOCK || errno == EAGAIN))
+    new_sz = sz;
+  
+  return (msg->msg_flags & MSG_TRUNC) ? -1 : new_sz;
 }

 struct dhcp_netid *run_tag_if(struct dhcp_netid *tags)
@@ -271,35 +280,45 @@ static int is_config_in_context(struct dhcp_context *context, struct dhcp_config
 {
  if (!context) /* called via find_config() from lease_update_from_configs() */
    return 1; 
-
-  if (!(config->flags & (CONFIG_ADDR | CONFIG_ADDR6)))
-    return 1;
  
 #ifdef HAVE_DHCP6
-  if ((context->flags & CONTEXT_V6) && (config->flags & CONFIG_WILDCARD))
-    return 1;
-#endif
+  if (context->flags & CONTEXT_V6)
+    {
+       struct addrlist *addr_list;

-  for (; context; context = context->current)
-#ifdef HAVE_DHCP6
-    if (context->flags & CONTEXT_V6) 
-      {
-	if ((config->flags & CONFIG_ADDR6) && is_same_net6(&config->addr6, &context->start6, context->prefix))
-	  return 1;
-      }
-    else 
+       if (!(config->flags & CONFIG_ADDR6))
+	 return 1;
+       
+        for (; context; context = context->current)
+	  for (addr_list = config->addr6; addr_list; addr_list = addr_list->next)
+	    {
+	      if ((addr_list->flags & ADDRLIST_WILDCARD) && context->prefix == 64)
+		return 1;
+	      
+	      if (is_same_net6(&addr_list->addr.addr6, &context->start6, context->prefix))
+		return 1;
+	    }
+    }
+  else
 #endif
-      if ((config->flags & CONFIG_ADDR) && is_same_net(config->addr, context->start, context->netmask))
+    {
+      if (!(config->flags & CONFIG_ADDR))
 	return 1;
+      
+      for (; context; context = context->current)
+	if ((config->flags & CONFIG_ADDR) && is_same_net(config->addr, context->start, context->netmask))
+	  return 1;
+    }

  return 0;
 }

-struct dhcp_config *find_config(struct dhcp_config *configs,
-				struct dhcp_context *context,
-				unsigned char *clid, int clid_len,
-				unsigned char *hwaddr, int hw_len, 
-				int hw_type, char *hostname)
+static struct dhcp_config *find_config_match(struct dhcp_config *configs,
+					     struct dhcp_context *context,
+					     unsigned char *clid, int clid_len,
+					     unsigned char *hwaddr, int hw_len, 
+					     int hw_type, char *hostname,
+					     struct dhcp_netid *tags, int tag_not_needed)
 {
  int count, new;
  struct dhcp_config *config, *candidate; 
@@ -311,7 +330,9 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
 	{
 	  if (config->clid_len == clid_len && 
 	      memcmp(config->clid, clid, clid_len) == 0 &&
-	      is_config_in_context(context, config))
+	      is_config_in_context(context, config) &&
+	      match_netid(config->filter, tags, tag_not_needed))
+	    
 	    return config;
 	  
 	  /* dhcpcd prefixes ASCII client IDs by zero which is wrong, but we try and
@@ -319,7 +340,8 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
 	     see lease_update_from_configs() */
 	  if ((!context || !(context->flags & CONTEXT_V6)) && *clid == 0 && config->clid_len == clid_len-1  &&
 	      memcmp(config->clid, clid+1, clid_len-1) == 0 &&
-	      is_config_in_context(context, config))
+	      is_config_in_context(context, config) &&
+	      match_netid(config->filter, tags, tag_not_needed))
 	    return config;
 	}
  
@@ -327,14 +349,16 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
  if (hwaddr)
    for (config = configs; config; config = config->next)
      if (config_has_mac(config, hwaddr, hw_len, hw_type) &&
-	  is_config_in_context(context, config))
+	  is_config_in_context(context, config) &&
+	  match_netid(config->filter, tags, tag_not_needed))
 	return config;
  
  if (hostname && context)
    for (config = configs; config; config = config->next)
      if ((config->flags & CONFIG_NAME) && 
 	  hostname_isequal(config->hostname, hostname) &&
-	  is_config_in_context(context, config))
+	  is_config_in_context(context, config) &&
+	  match_netid(config->filter, tags, tag_not_needed))
 	return config;

  
@@ -343,7 +367,8 @@ struct dhcp_config *find_config(struct dhcp_config *configs,

  /* use match with fewest wildcard octets */
  for (candidate = NULL, count = 0, config = configs; config; config = config->next)
-    if (is_config_in_context(context, config))
+    if (is_config_in_context(context, config) &&
+	match_netid(config->filter, tags, tag_not_needed))
      for (conf_addr = config->hwaddr; conf_addr; conf_addr = conf_addr->next)
 	if (conf_addr->wildcard_mask != 0 &&
 	    conf_addr->hwaddr_len == hw_len &&	
@@ -357,6 +382,21 @@ struct dhcp_config *find_config(struct dhcp_config *configs,
  return candidate;
 }

+/* Find tagged configs first. */
+struct dhcp_config *find_config(struct dhcp_config *configs,
+				struct dhcp_context *context,
+				unsigned char *clid, int clid_len,
+				unsigned char *hwaddr, int hw_len, 
+				int hw_type, char *hostname, struct dhcp_netid *tags)
+{
+  struct dhcp_config *ret = find_config_match(configs, context, clid, clid_len, hwaddr, hw_len, hw_type, hostname, tags, 0);
+
+  if (!ret)
+    ret = find_config_match(configs, context, clid, clid_len, hwaddr, hw_len, hw_type, hostname, tags, 1);
+
+  return ret;
+}
+
 void dhcp_update_configs(struct dhcp_config *configs)
 {
  /* Some people like to keep all static IP addresses in /etc/hosts.
@@ -371,8 +411,14 @@ void dhcp_update_configs(struct dhcp_config *configs)
  int prot = AF_INET;

  for (config = configs; config; config = config->next)
+  {
    if (config->flags & CONFIG_ADDR_HOSTS)
-      config->flags &= ~(CONFIG_ADDR | CONFIG_ADDR6 | CONFIG_ADDR_HOSTS);
+      config->flags &= ~(CONFIG_ADDR | CONFIG_ADDR_HOSTS);
+#ifdef HAVE_DHCP6
+    if (config->flags & CONFIG_ADDR6_HOSTS)
+      config->flags &= ~(CONFIG_ADDR6 | CONFIG_ADDR6_HOSTS);
+#endif
+  }

 #ifdef HAVE_DHCP6 
 again:  
@@ -403,30 +449,41 @@ void dhcp_update_configs(struct dhcp_config *configs)
 		  crec = cache_find_by_name(crec, config->hostname, 0, cacheflags);
 		if (!crec)
 		  continue; /* should be never */
-		inet_ntop(prot, &crec->addr.addr, daemon->addrbuff, ADDRSTRLEN);
+		inet_ntop(prot, &crec->addr, daemon->addrbuff, ADDRSTRLEN);
 		my_syslog(MS_DHCP | LOG_WARNING, _("%s has more than one address in hostsfile, using %s for DHCP"), 
 			  config->hostname, daemon->addrbuff);
 	      }
 	    
 	    if (prot == AF_INET && 
-		(!(conf_tmp = config_find_by_address(configs, crec->addr.addr.addr.addr4)) || conf_tmp == config))
+		(!(conf_tmp = config_find_by_address(configs, crec->addr.addr4)) || conf_tmp == config))
 	      {
-		config->addr = crec->addr.addr.addr.addr4;
+		config->addr = crec->addr.addr4;
 		config->flags |= CONFIG_ADDR | CONFIG_ADDR_HOSTS;
 		continue;
 	      }

 #ifdef HAVE_DHCP6
 	    if (prot == AF_INET6 && 
-		(!(conf_tmp = config_find_by_address6(configs, &crec->addr.addr.addr.addr6, 128, 0)) || conf_tmp == config))
+		(!(conf_tmp = config_find_by_address6(configs, NULL, 0, &crec->addr.addr6)) || conf_tmp == config))
 	      {
-		memcpy(&config->addr6, &crec->addr.addr.addr.addr6, IN6ADDRSZ);
-		config->flags |= CONFIG_ADDR6 | CONFIG_ADDR_HOSTS;
+		/* host must have exactly one address if comming from /etc/hosts. */
+		if (!config->addr6 && (config->addr6 = whine_malloc(sizeof(struct addrlist))))
+		  {
+		    config->addr6->next = NULL;
+		    config->addr6->flags = 0;
+		  }
+
+		if (config->addr6 && !config->addr6->next && !(config->addr6->flags & (ADDRLIST_WILDCARD|ADDRLIST_PREFIX)))
+		  {
+		    memcpy(&config->addr6->addr.addr6, &crec->addr.addr6, IN6ADDRSZ);
+		    config->flags |= CONFIG_ADDR6 | CONFIG_ADDR6_HOSTS;
+		  }
+	    
 		continue;
 	      }
 #endif

-	    inet_ntop(prot, &crec->addr.addr, daemon->addrbuff, ADDRSTRLEN);
+	    inet_ntop(prot, &crec->addr, daemon->addrbuff, ADDRSTRLEN);
 	    my_syslog(MS_DHCP | LOG_WARNING, _("duplicate IP address %s (%s) in dhcp-config directive"), 
 		      daemon->addrbuff, config->hostname);
 	    
@@ -570,6 +627,7 @@ static const struct opttab_t {
  { "sip-server", 120, 0 },
  { "classless-static-route", 121, 0 },
  { "vendor-id-encap", 125, 0 },
+  { "tftp-server-address", 150, OT_ADDR_LIST },
  { "server-ip-address", 255, OT_ADDR_LIST }, /* special, internal only, sets siaddr */
  { NULL, 0, 0 }
 };
@@ -600,7 +658,7 @@ static const struct opttab_t opttab6[] = {
  { "sntp-server", 31,  OT_ADDR_LIST },
  { "information-refresh-time", 32, OT_TIME },
  { "FQDN", 39, OT_INTERNAL | OT_RFC1035_NAME },
-  { "ntp-server", 56,  0 },
+  { "ntp-server", 56, 0 /* OT_ADDR_LIST | OT_RFC1035_NAME */ },
  { "bootfile-url", 59, OT_NAME },
  { "bootfile-param", 60, OT_CSTRING },
  { NULL, 0, 0 }
@@ -693,7 +751,7 @@ char *option_string(int prot, unsigned int opt, unsigned char *val, int opt_len,
 	    
 	    if (ot[o].size & OT_ADDR_LIST) 
 	      {
-		struct all_addr addr;
+		union all_addr addr;
 		int addr_len = INADDRSZ;

 #ifdef HAVE_DHCP6
--- a/src/dhcp-protocol.h
+++ b/src/dhcp-protocol.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -310,7 +310,7 @@ void dhcp_packet(time_t now, int pxe_fd)
      parm.relay_local.s_addr = 0;
      parm.ind = iface_index;
      
-      if (!iface_check(AF_INET, (struct all_addr *)&iface_addr, ifr.ifr_name, NULL))
+      if (!iface_check(AF_INET, (union all_addr *)&iface_addr, ifr.ifr_name, NULL))
 	{
 	  /* If we failed to match the primary address of the interface, see if we've got a --listen-address
 	     for a secondary */
@@ -401,7 +401,8 @@ void dhcp_packet(time_t now, int pxe_fd)
      pkt = (struct in_pktinfo *)CMSG_DATA(cmptr);
      pkt->ipi_ifindex = rcvd_iface_index;
      pkt->ipi_spec_dst.s_addr = 0;
-      msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
+      msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo));
+      cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
      cmptr->cmsg_level = IPPROTO_IP;
      cmptr->cmsg_type = IP_PKTINFO;

@@ -507,33 +508,83 @@ static int check_listen_addrs(struct in_addr local, int if_index, char *label,

   Note that the current chain may be superseded later for configured hosts or those coming via gateways. */

-static int complete_context(struct in_addr local, int if_index, char *label,
-			    struct in_addr netmask, struct in_addr broadcast, void *vparam)
+static void guess_range_netmask(struct in_addr addr, struct in_addr netmask)
 {
  struct dhcp_context *context;
-  struct dhcp_relay *relay;
-  struct iface_param *param = vparam;

-  (void)label;
-  
  for (context = daemon->dhcp; context; context = context->next)
-    {
-      if (!(context->flags & CONTEXT_NETMASK) &&
-	  (is_same_net(local, context->start, netmask) ||
-	   is_same_net(local, context->end, netmask)))
+    if (!(context->flags & CONTEXT_NETMASK) &&
+	(is_same_net(addr, context->start, netmask) ||
+	 is_same_net(addr, context->end, netmask)))
      { 
 	if (context->netmask.s_addr != netmask.s_addr &&
-	    !(is_same_net(local, context->start, netmask) &&
-	      is_same_net(local, context->end, netmask)))
+	    !(is_same_net(addr, context->start, netmask) &&
+	      is_same_net(addr, context->end, netmask)))
 	  {
 	    strcpy(daemon->dhcp_buff, inet_ntoa(context->start));
 	    strcpy(daemon->dhcp_buff2, inet_ntoa(context->end));
 	    my_syslog(MS_DHCP | LOG_WARNING, _("DHCP range %s -- %s is not consistent with netmask %s"),
 		      daemon->dhcp_buff, daemon->dhcp_buff2, inet_ntoa(netmask));
 	  }	
- 	context->netmask = netmask;
+	context->netmask = netmask;
      }
+}
+
+static int complete_context(struct in_addr local, int if_index, char *label,
+			    struct in_addr netmask, struct in_addr broadcast, void *vparam)
+{
+  struct dhcp_context *context;
+  struct dhcp_relay *relay;
+  struct iface_param *param = vparam;
+  struct shared_network *share;
+  
+  (void)label;
+
+  for (share = daemon->shared_networks; share; share = share->next)
+    {
      
+#ifdef HAVE_DHCP6
+      if (share->shared_addr.s_addr == 0)
+	continue;
+#endif
+      
+      if (share->if_index != 0)
+	{
+	  if (share->if_index != if_index)
+	    continue;
+	}
+      else
+	{
+	  if (share->match_addr.s_addr != local.s_addr)
+	    continue;
+	}
+
+      for (context = daemon->dhcp; context; context = context->next)
+	{
+	  if (context->netmask.s_addr != 0 &&
+	      is_same_net(share->shared_addr, context->start, context->netmask) &&
+	      is_same_net(share->shared_addr, context->end, context->netmask))
+	    {
+	      /* link it onto the current chain if we've not seen it before */
+	      if (context->current == context)
+		{
+		  /* For a shared network, we have no way to guess what the default route should be. */
+		  context->router.s_addr = 0;
+		  context->local = local; /* Use configured address for Server Identifier */
+		  context->current = param->current;
+		  param->current = context;
+		}
+	      
+	      if (!(context->flags & CONTEXT_BRDCAST))
+		context->broadcast.s_addr  = context->start.s_addr | ~context->netmask.s_addr;
+	    }		
+	}
+    }
+
+  guess_range_netmask(local, netmask);
+  
+  for (context = daemon->dhcp; context; context = context->next)
+    {
      if (context->netmask.s_addr != 0 &&
 	  is_same_net(local, context->start, context->netmask) &&
 	  is_same_net(local, context->end, context->netmask))
@@ -558,7 +609,7 @@ static int complete_context(struct in_addr local, int if_index, char *label,
    }

  for (relay = daemon->relay4; relay; relay = relay->next)
-    if (if_index == param->ind && relay->local.addr.addr4.s_addr == local.s_addr && relay->current == relay &&
+    if (if_index == param->ind && relay->local.addr4.s_addr == local.s_addr && relay->current == relay &&
 	(param->relay_local.s_addr == 0 || param->relay_local.s_addr == local.s_addr))
      {
 	relay->current = param->relay;
@@ -765,24 +816,33 @@ int address_allocate(struct dhcp_context *context,
 		(!IN_CLASSC(ntohl(addr.s_addr)) || 
 		 ((ntohl(addr.s_addr) & 0xff) != 0xff && ((ntohl(addr.s_addr) & 0xff) != 0x0))))
 	      {
-		struct ping_result *r;
-		
-		if ((r = do_icmp_ping(now, addr, j, loopback)))
- 		  {
-		    /* consec-ip mode: we offered this address for another client
-		       (different hash) recently, don't offer it to this one. */
-		    if (!option_bool(OPT_CONSEC_ADDR) || r->hash == j)
-		      {
-			*addrp = addr;
-			return 1;
-		      }
-		  }
+		/* in consec-ip mode, skip addresses equal to
+		   the number of addresses rejected by clients. This
+		   should avoid the same client being offered the same
+		   address after it has rjected it. */
+		if (option_bool(OPT_CONSEC_ADDR) && c->addr_epoch)
+		  c->addr_epoch--;
 		else
 		  {
-		    /* address in use: perturb address selection so that we are
-		       less likely to try this address again. */
-		    if (!option_bool(OPT_CONSEC_ADDR))
-		      c->addr_epoch++;
+		    struct ping_result *r;
+		    
+		    if ((r = do_icmp_ping(now, addr, j, loopback)))
+		      {
+			/* consec-ip mode: we offered this address for another client
+			   (different hash) recently, don't offer it to this one. */
+			if (!option_bool(OPT_CONSEC_ADDR) || r->hash == j)
+			  {
+			    *addrp = addr;
+			    return 1;
+			  }
+		      }
+		    else
+		      {
+			/* address in use: perturb address selection so that we are
+			   less likely to try this address again. */
+			if (!option_bool(OPT_CONSEC_ADDR))
+			  c->addr_epoch++;
+		      }
 		  }
 	      }
 	    
@@ -971,7 +1031,7 @@ char *host_from_dns(struct in_addr addr)
  if (daemon->port == 0)
    return NULL; /* DNS disabled. */
  
-  lookup = cache_find_by_addr(NULL, (struct all_addr *)&addr, 0, F_IPV4);
+  lookup = cache_find_by_addr(NULL, (union all_addr *)&addr, 0, F_IPV4);

  if (lookup && (lookup->flags & F_HOSTS))
    {
@@ -1000,25 +1060,25 @@ char *host_from_dns(struct in_addr addr)
 static int  relay_upstream4(struct dhcp_relay *relay, struct dhcp_packet *mess, size_t sz, int iface_index)
 {
  /* ->local is same value for all relays on ->current chain */
-  struct all_addr from;
+  union all_addr from;
  
  if (mess->op != BOOTREQUEST)
    return 0;

  /* source address == relay address */
-  from.addr.addr4 = relay->local.addr.addr4;
+  from.addr4 = relay->local.addr4;
  
  /* already gatewayed ? */
  if (mess->giaddr.s_addr)
    {
      /* if so check if by us, to stomp on loops. */
-      if (mess->giaddr.s_addr == relay->local.addr.addr4.s_addr)
+      if (mess->giaddr.s_addr == relay->local.addr4.s_addr)
 	return 1;
    }
  else
    {
      /* plug in our address */
-      mess->giaddr.s_addr = relay->local.addr.addr4.s_addr;
+      mess->giaddr.s_addr = relay->local.addr4.s_addr;
    }

  if ((mess->hops++) > 20)
@@ -1029,7 +1089,7 @@ static int  relay_upstream4(struct dhcp_relay *relay, struct dhcp_packet *mess,
      union mysockaddr to;
      
      to.sa.sa_family = AF_INET;
-      to.in.sin_addr = relay->server.addr.addr4;
+      to.in.sin_addr = relay->server.addr4;
      to.in.sin_port = htons(daemon->dhcp_server_port);
      
      send_from(daemon->dhcpfd, 0, (char *)mess, sz, &to, &from, 0);
@@ -1037,7 +1097,7 @@ static int  relay_upstream4(struct dhcp_relay *relay, struct dhcp_packet *mess,
      if (option_bool(OPT_LOG_OPTS))
 	{
 	  inet_ntop(AF_INET, &relay->local, daemon->addrbuff, ADDRSTRLEN);
-	  my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay %s -> %s"), daemon->addrbuff, inet_ntoa(relay->server.addr.addr4));
+	  my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay %s -> %s"), daemon->addrbuff, inet_ntoa(relay->server.addr4));
 	}
      
      /* Save this for replies */
@@ -1057,7 +1117,7 @@ static struct dhcp_relay *relay_reply4(struct dhcp_packet *mess, char *arrival_i

  for (relay = daemon->relay4; relay; relay = relay->next)
    {
-      if (mess->giaddr.s_addr == relay->local.addr.addr4.s_addr)
+      if (mess->giaddr.s_addr == relay->local.addr4.s_addr)
 	{
 	  if (!relay->interface || wildcard_match(relay->interface, arrival_interface))
 	    return relay->iface_index != 0 ? relay : NULL;
--- a/src/dhcp6-protocol.h
+++ b/src/dhcp6-protocol.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -59,12 +59,12 @@
 #define OPTION6_REMOTE_ID       37
 #define OPTION6_SUBSCRIBER_ID   38
 #define OPTION6_FQDN            39
+#define OPTION6_NTP_SERVER      56
 #define OPTION6_CLIENT_MAC      79

-/* replace this with the real number when allocated.
-   defining this also enables the relevant code. */ 
-/* #define OPTION6_PREFIX_CLASS    99 */
-
+#define NTP_SUBOPTION_SRV_ADDR  1
+#define NTP_SUBOPTION_MC_ADDR   2
+#define NTP_SUBOPTION_SRV_FQDN  3

 #define DHCP6SUCCESS     0
 #define DHCP6UNSPEC      1
--- a/src/dhcp6.c
+++ b/src/dhcp6.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -135,7 +135,14 @@ void dhcp6_packet(time_t now)
  if (!indextoname(daemon->dhcp6fd, if_index, ifr.ifr_name))
    return;

-  if ((port = relay_reply6(&from, sz, ifr.ifr_name)) == 0)
+  if ((port = relay_reply6(&from, sz, ifr.ifr_name)) != 0)
+    {
+      from.sin6_port = htons(port);
+      while (retry_send(sendto(daemon->dhcp6fd, daemon->outpacket.iov_base, 
+			       save_counter(-1), 0, (struct sockaddr *)&from, 
+			       sizeof(from))));
+    }
+  else
    {
      struct dhcp_bridge *bridge, *alias;

@@ -233,21 +240,23 @@ void dhcp6_packet(time_t now)
      port = dhcp6_reply(parm.current, if_index, ifr.ifr_name, &parm.fallback, 
 			 &parm.ll_addr, &parm.ula_addr, sz, &from.sin6_addr, now);
      
+      /* The port in the source address of the original request should
+	 be correct, but at least once client sends from the server port,
+	 so we explicitly send to the client port to a client, and the
+	 server port to a relay. */
+      if (port != 0)
+	{
+	  from.sin6_port = htons(port);
+	  while (retry_send(sendto(daemon->dhcp6fd, daemon->outpacket.iov_base, 
+				   save_counter(-1), 0, (struct sockaddr *)&from, 
+				   sizeof(from))));
+	}
+
+      /* These need to be called _after_ we send DHCPv6 packet, since lease_update_file()
+	 may trigger sending an RA packet, which overwrites our buffer. */
      lease_update_file(now);
      lease_update_dns(0);
    }
-			  
-  /* The port in the source address of the original request should
-     be correct, but at least once client sends from the server port,
-     so we explicitly send to the client port to a client, and the
-     server port to a relay. */
-  if (port != 0)
-    {
-      from.sin6_port = htons(port);
-      while (retry_send(sendto(daemon->dhcp6fd, daemon->outpacket.iov_base, 
-			       save_counter(0), 0, (struct sockaddr *)&from, 
-			       sizeof(from))));
-    }
 }

 void get_client_mac(struct in6_addr *client, int iface, unsigned char *mac, unsigned int *maclenp, unsigned int *mactypep, time_t now)
@@ -299,106 +308,136 @@ static int complete_context6(struct in6_addr *local,  int prefix,
 			     unsigned int valid, void *vparam)
 {
  struct dhcp_context *context;
+  struct shared_network *share;
  struct dhcp_relay *relay;
  struct iface_param *param = vparam;
  struct iname *tmp;
 
  (void)scope; /* warning */
  
-  if (if_index == param->ind)
-    {
-      if (IN6_IS_ADDR_LINKLOCAL(local))
-	param->ll_addr = *local;
-      else if (IN6_IS_ADDR_ULA(local))
-	param->ula_addr = *local;
-
-      if (!IN6_IS_ADDR_LOOPBACK(local) &&
-	  !IN6_IS_ADDR_LINKLOCAL(local) &&
-	  !IN6_IS_ADDR_MULTICAST(local))
-	{
-	  /* if we have --listen-address config, see if the 
-	     arrival interface has a matching address. */
-	  for (tmp = daemon->if_addrs; tmp; tmp = tmp->next)
-	    if (tmp->addr.sa.sa_family == AF_INET6 &&
-		IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr, local))
-	      param->addr_match = 1;
-	  
-	  /* Determine a globally address on the arrival interface, even
-	     if we have no matching dhcp-context, because we're only
-	     allocating on remote subnets via relays. This
-	     is used as a default for the DNS server option. */
-	  param->fallback = *local;
-	  
-	  for (context = daemon->dhcp6; context; context = context->next)
-	    {
-	      if ((context->flags & CONTEXT_DHCP) &&
-		  !(context->flags & (CONTEXT_TEMPLATE | CONTEXT_OLD)) &&
-		  prefix <= context->prefix &&
-		  is_same_net6(local, &context->start6, context->prefix) &&
-		  is_same_net6(local, &context->end6, context->prefix))
-		{
-		  
-		  
-		  /* link it onto the current chain if we've not seen it before */
-		  if (context->current == context)
-		    {
-		      struct dhcp_context *tmp, **up;
-		      
-		      /* use interface values only for constructed contexts */
-		      if (!(context->flags & CONTEXT_CONSTRUCTED))
-			preferred = valid = 0xffffffff;
-		      else if (flags & IFACE_DEPRECATED)
-			preferred = 0;
-		      
-		      if (context->flags & CONTEXT_DEPRECATE)
-			preferred = 0;
-		      
-		      /* order chain, longest preferred time first */
-		      for (up = &param->current, tmp = param->current; tmp; tmp = tmp->current)
-			if (tmp->preferred <= preferred)
-			  break;
-			else
-			  up = &tmp->current;
-		      
-		      context->current = *up;
-		      *up = context;
-		      context->local6 = *local;
-		      context->preferred = preferred;
-		      context->valid = valid;
-		    }
-		}
-	    }
-	}
-
-      for (relay = daemon->relay6; relay; relay = relay->next)
-	if (IN6_ARE_ADDR_EQUAL(local, &relay->local.addr.addr6) && relay->current == relay &&
-	    (IN6_IS_ADDR_UNSPECIFIED(&param->relay_local) || IN6_ARE_ADDR_EQUAL(local, &param->relay_local)))
-	  {
-	    relay->current = param->relay;
-	    param->relay = relay;
-	    param->relay_local = *local;
-	  }
+  if (if_index != param->ind)
+    return 1;
+  
+  if (IN6_IS_ADDR_LINKLOCAL(local))
+    param->ll_addr = *local;
+  else if (IN6_IS_ADDR_ULA(local))
+    param->ula_addr = *local;
      
-    }          
- 
- return 1;
+  if (IN6_IS_ADDR_LOOPBACK(local) ||
+      IN6_IS_ADDR_LINKLOCAL(local) ||
+      IN6_IS_ADDR_MULTICAST(local))
+    return 1;
+  
+  /* if we have --listen-address config, see if the 
+     arrival interface has a matching address. */
+  for (tmp = daemon->if_addrs; tmp; tmp = tmp->next)
+    if (tmp->addr.sa.sa_family == AF_INET6 &&
+	IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr, local))
+      param->addr_match = 1;
+  
+  /* Determine a globally address on the arrival interface, even
+     if we have no matching dhcp-context, because we're only
+     allocating on remote subnets via relays. This
+     is used as a default for the DNS server option. */
+  param->fallback = *local;
+  
+  for (context = daemon->dhcp6; context; context = context->next)
+    if ((context->flags & CONTEXT_DHCP) &&
+	!(context->flags & (CONTEXT_TEMPLATE | CONTEXT_OLD)) &&
+	prefix <= context->prefix &&
+	context->current == context)
+      {
+	if (is_same_net6(local, &context->start6, context->prefix) &&
+	    is_same_net6(local, &context->end6, context->prefix))
+	  {
+	    struct dhcp_context *tmp, **up;
+	    
+	    /* use interface values only for constructed contexts */
+	    if (!(context->flags & CONTEXT_CONSTRUCTED))
+	      preferred = valid = 0xffffffff;
+	    else if (flags & IFACE_DEPRECATED)
+	      preferred = 0;
+		    
+	    if (context->flags & CONTEXT_DEPRECATE)
+	      preferred = 0;
+	    
+	    /* order chain, longest preferred time first */
+	    for (up = &param->current, tmp = param->current; tmp; tmp = tmp->current)
+	      if (tmp->preferred <= preferred)
+		break;
+	      else
+		up = &tmp->current;
+	    
+	    context->current = *up;
+	    *up = context;
+	    context->local6 = *local;
+	    context->preferred = preferred;
+	    context->valid = valid;
+	  }
+	else
+	  {
+	    for (share = daemon->shared_networks; share; share = share->next)
+	      {
+		/* IPv4 shared_address - ignore */
+		if (share->shared_addr.s_addr != 0)
+		  continue;
+			
+		if (share->if_index != 0)
+		  {
+		    if (share->if_index != if_index)
+		      continue;
+		  }
+		else
+		  {
+		    if (!IN6_ARE_ADDR_EQUAL(&share->match_addr6, local))
+		      continue;
+		  }
+		
+		if (is_same_net6(&share->shared_addr6, &context->start6, context->prefix) &&
+		    is_same_net6(&share->shared_addr6, &context->end6, context->prefix))
+		  {
+		    context->current = param->current;
+		    param->current = context;
+		    context->local6 = *local;
+		    context->preferred = context->flags & CONTEXT_DEPRECATE ? 0 :0xffffffff;
+		    context->valid = 0xffffffff;
+		  }
+	      }
+	  }      
+      }
+
+  for (relay = daemon->relay6; relay; relay = relay->next)
+    if (IN6_ARE_ADDR_EQUAL(local, &relay->local.addr6) && relay->current == relay &&
+	(IN6_IS_ADDR_UNSPECIFIED(&param->relay_local) || IN6_ARE_ADDR_EQUAL(local, &param->relay_local)))
+      {
+	relay->current = param->relay;
+	param->relay = relay;
+	param->relay_local = *local;
+      }
+     
+  return 1;
 }

-struct dhcp_config *config_find_by_address6(struct dhcp_config *configs, struct in6_addr *net, int prefix, u64 addr)
+struct dhcp_config *config_find_by_address6(struct dhcp_config *configs, struct in6_addr *net, int prefix,  struct in6_addr *addr)
 {
  struct dhcp_config *config;
  
  for (config = configs; config; config = config->next)
-    if ((config->flags & CONFIG_ADDR6) &&
-	is_same_net6(&config->addr6, net, prefix) &&
-	(prefix == 128 || addr6part(&config->addr6) == addr))
-      return config;
+    if (config->flags & CONFIG_ADDR6)
+      {
+	struct addrlist *addr_list;
+	
+	for (addr_list = config->addr6; addr_list; addr_list = addr_list->next)
+	  if ((!net || is_same_net6(&addr_list->addr.addr6, net, prefix) || ((addr_list->flags & ADDRLIST_WILDCARD) && prefix == 64)) &&
+	      is_same_net6(&addr_list->addr.addr6, addr, (addr_list->flags & ADDRLIST_PREFIX) ? addr_list->prefixlen : 128))
+	    return config;
+      }
  
  return NULL;
 }

 struct dhcp_context *address6_allocate(struct dhcp_context *context,  unsigned char *clid, int clid_len, int temp_addr,
-				       int iaid, int serial, struct dhcp_netid *netids, int plain_range, struct in6_addr *ans)   
+				       unsigned int iaid, int serial, struct dhcp_netid *netids, int plain_range, struct in6_addr *ans)
 {
  /* Find a free address: exclude anything in use and anything allocated to
     a particular hwaddr/clientid/hostname in our configuration.
@@ -431,8 +470,15 @@ struct dhcp_context *address6_allocate(struct dhcp_context *context,  unsigned c
      else
 	{ 
 	  if (!temp_addr && option_bool(OPT_CONSEC_ADDR))
-	    /* seed is largest extant lease addr in this context */
-	    start = lease_find_max_addr6(c) + serial;
+	    {
+	      /* seed is largest extant lease addr in this context,
+		 skip addresses equal to the number of addresses rejected
+		 by clients. This should avoid the same client being offered the same
+		 address after it has rjected it. */
+	      start = lease_find_max_addr6(c) + 1 + serial + c->addr_epoch;
+	      if (c->addr_epoch)
+		c->addr_epoch--;
+	    }
 	  else
 	    {
 	      u64 range = 1 + addr6part(&c->end6) - addr6part(&c->start6);
@@ -453,16 +499,15 @@ struct dhcp_context *address6_allocate(struct dhcp_context *context,  unsigned c
 	    for (d = context; d; d = d->current)
 	      if (addr == addr6part(&d->local6))
 		break;
+	    
+	    *ans = c->start6;
+	    setaddr6part (ans, addr);

 	    if (!d &&
 		!lease6_find_by_addr(&c->start6, c->prefix, addr) && 
-		!config_find_by_address6(daemon->dhcp_conf, &c->start6, c->prefix, addr))
-	      {
-		*ans = c->start6;
-		setaddr6part (ans, addr);
-		return c;
-	      }
-	
+		!config_find_by_address6(daemon->dhcp_conf, &c->start6, c->prefix, ans))
+	      return c;
+	    
 	    addr++;
 	    
 	    if (addr  == addr6part(&c->end6) + 1)
@@ -516,27 +561,6 @@ struct dhcp_context *address6_valid(struct dhcp_context *context,
  return NULL;
 }

-int config_valid(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr)
-{
-  if (!config || !(config->flags & CONFIG_ADDR6))
-    return 0;
-
-  if ((config->flags & CONFIG_WILDCARD) && context->prefix == 64)
-    {
-      *addr = context->start6;
-      setaddr6part(addr, addr6part(&config->addr6));
-      return 1;
-    }
-  
-  if (is_same_net6(&context->start6, &config->addr6, context->prefix))
-    {
-      *addr = config->addr6;
-      return 1;
-    }
-  
-  return 0;
-}
-
 void make_duid(time_t now)
 {
  (void)now;
@@ -617,7 +641,8 @@ static int construct_worker(struct in6_addr *local, int prefix,
  char ifrn_name[IFNAMSIZ];
  struct in6_addr start6, end6;
  struct dhcp_context *template, *context;
-
+  struct iname *tmp;
+  
  (void)scope;
  (void)flags;
  (void)valid;
@@ -636,9 +661,15 @@ static int construct_worker(struct in6_addr *local, int prefix,
  if (flags & IFACE_DEPRECATED)
    return 1;

-  if (!indextoname(daemon->icmp6fd, if_index, ifrn_name))
-    return 0;
+  /* Ignore interfaces where we're not doing RA/DHCP6 */
+  if (!indextoname(daemon->icmp6fd, if_index, ifrn_name) ||
+      !iface_check(AF_LOCAL, NULL, ifrn_name, NULL))
+    return 1;
  
+  for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
+    if (tmp->name && wildcard_match(tmp->name, ifrn_name))
+      return 1;
+
  for (template = daemon->dhcp6; template; template = template->next)
    if (!(template->flags & (CONTEXT_TEMPLATE | CONTEXT_CONSTRUCTED)))
      {
@@ -648,7 +679,7 @@ static int construct_worker(struct in6_addr *local, int prefix,
 	    is_same_net6(local, &template->end6, template->prefix))
 	  {
 	    /* First time found, do fast RA. */
-	    if (template->if_index != if_index || !IN6_ARE_ADDR_EQUAL(&template->local6, local))
+	    if (template->if_index == 0)
 	      {
 		ra_start_unsolicited(param->now, template);
 		param->newone = 1;
--- a/src/dns-protocol.h
+++ b/src/dns-protocol.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -52,8 +52,13 @@ int main (int argc, char **argv)
 #if defined(HAVE_LINUX_NETWORK)
  cap_user_header_t hdr = NULL;
  cap_user_data_t data = NULL;
+  int need_cap_net_admin = 0;
+  int need_cap_net_raw = 0;
+  int need_cap_net_bind_service = 0;
  char *bound_device = NULL;
  int did_bind = 0;
+  struct server *serv;
+  char *netlink_warn;
 #endif 
 #if defined(HAVE_DHCP) || defined(HAVE_DHCP6)
  struct dhcp_context *context;
@@ -85,11 +90,15 @@ int main (int argc, char **argv)
  sigaction(SIGPIPE, &sigact, NULL);

  umask(022); /* known umask, create leases and pid files as 0644 */
- 
+
  rand_init(); /* Must precede read_opts() */
  
  read_opts(argc, argv, compile_opts);
 
+#ifdef HAVE_LINUX_NETWORK
+  daemon->kernel_version = kernel_version();
+#endif
+
  if (daemon->edns_pktsz < PACKETSZ)
    daemon->edns_pktsz = PACKETSZ;

@@ -122,7 +131,7 @@ int main (int argc, char **argv)
      daemon->workspacename = safe_malloc(MAXDNAME * 2);
      /* one char flag per possible RR in answer section (may get extended). */
      daemon->rr_status_sz = 64;
-      daemon->rr_status = safe_malloc(daemon->rr_status_sz);
+      daemon->rr_status = safe_malloc(sizeof(*daemon->rr_status) * daemon->rr_status_sz);
    }
 #endif

@@ -134,20 +143,18 @@ int main (int argc, char **argv)
    }
 #endif
  
-  /* Close any file descriptors we inherited apart from std{in|out|err} 
-     
-     Ensure that at least stdin, stdout and stderr (fd 0, 1, 2) exist,
+  /* Ensure that at least stdin, stdout and stderr (fd 0, 1, 2) exist,
     otherwise file descriptors we create can end up being 0, 1, or 2 
     and then get accidentally closed later when we make 0, 1, and 2 
     open to /dev/null. Normally we'll be started with 0, 1 and 2 open, 
     but it's not guaranteed. By opening /dev/null three times, we 
     ensure that we're not using those fds for real stuff. */
-  for (i = 0; i < max_fd; i++)
-    if (i != STDOUT_FILENO && i != STDERR_FILENO && i != STDIN_FILENO)
-      close(i);
-    else
-      open("/dev/null", O_RDWR); 
-
+  for (i = 0; i < 3; i++)
+    open("/dev/null", O_RDWR); 
+  
+  /* Close any file descriptors we inherited apart from std{in|out|err} */
+  close_fds(max_fd, -1, -1, -1);
+  
 #ifndef HAVE_LINUX_NETWORK
 #  if !(defined(IP_RECVDSTADDR) && defined(IP_RECVIF) && defined(IP_SENDSRCADDR))
  if (!option_bool(OPT_NOWILD))
@@ -216,7 +223,7 @@ int main (int argc, char **argv)
 #endif

 #ifndef HAVE_AUTH
-  if (daemon->authserver || daemon->auth_zones)
+  if (daemon->auth_zones)
    die(_("authoritative DNS not available: set HAVE_AUTH in src/config.h"), NULL, EC_BADCONF);
 #endif

@@ -235,13 +242,20 @@ int main (int argc, char **argv)

  now = dnsmasq_time();

-  /* Create a serial at startup if not configured. */
-  if (daemon->auth_zones && daemon->soa_sn == 0)
+  if (daemon->auth_zones)
+    {
+      if (!daemon->authserver)
+	die(_("--auth-server required when an auth zone is defined."), NULL, EC_BADCONF);
+
+      /* Create a serial at startup if not configured. */
 #ifdef HAVE_BROKEN_RTC
-    die(_("zone serial must be configured in --auth-soa"), NULL, EC_BADCONF);
+      if (daemon->soa_sn == 0)
+	die(_("zone serial must be configured in --auth-soa"), NULL, EC_BADCONF);
 #else
-  daemon->soa_sn = now;
+      if (daemon->soa_sn == 0)
+	daemon->soa_sn = now;
 #endif
+    }
  
 #ifdef HAVE_DHCP6
  if (daemon->dhcp6)
@@ -278,11 +292,24 @@ int main (int argc, char **argv)
    }
  
  if (daemon->dhcp || daemon->relay4)
-    dhcp_init();
+    {
+      dhcp_init();
+#   ifdef HAVE_LINUX_NETWORK
+      if (!option_bool(OPT_NO_PING))
+	need_cap_net_raw = 1;
+      need_cap_net_admin = 1;
+#   endif
+    }
  
 #  ifdef HAVE_DHCP6
  if (daemon->doing_ra || daemon->doing_dhcp6 || daemon->relay6)
-    ra_init(now);
+    {
+      ra_init(now);
+#   ifdef HAVE_LINUX_NETWORK
+      need_cap_net_raw = 1;
+      need_cap_net_admin = 1;
+#   endif
+    }
  
  if (daemon->doing_dhcp6 || daemon->relay6)
    dhcp6_init();
@@ -292,11 +319,16 @@ int main (int argc, char **argv)

 #ifdef HAVE_IPSET
  if (daemon->ipsets)
-    ipset_init();
+    {
+      ipset_init();
+#  ifdef HAVE_LINUX_NETWORK
+      need_cap_net_admin = 1;
+#  endif
+    }
 #endif

 #if  defined(HAVE_LINUX_NETWORK)
-  netlink_init();
+  netlink_warn = netlink_init();
 #elif defined(HAVE_BSD_NETWORK)
  route_init();
 #endif
@@ -359,9 +391,7 @@ int main (int argc, char **argv)
    {
      cache_init();

-#ifdef HAVE_DNSSEC
      blockdata_init();
-#endif
    }

 #ifdef HAVE_INOTIFY
@@ -394,6 +424,16 @@ int main (int argc, char **argv)
  die(_("DBus not available: set HAVE_DBUS in src/config.h"), NULL, EC_BADCONF);
 #endif

+  if (option_bool(OPT_UBUS))
+#ifdef HAVE_UBUS
+    {
+      daemon->ubus = NULL;
+      ubus_init();
+    }
+#else
+  die(_("UBus not available: set HAVE_UBUS in src/config.h"), NULL, EC_BADCONF);
+#endif
+
  if (daemon->port != 0)
    pre_allocate_sfds();

@@ -435,28 +475,81 @@ int main (int argc, char **argv)
    }

 #if defined(HAVE_LINUX_NETWORK)
+  /* We keep CAP_NETADMIN (for ARP-injection) and
+     CAP_NET_RAW (for icmp) if we're doing dhcp,
+     if we have yet to bind ports because of DAD, 
+     or we're doing it dynamically, we need CAP_NET_BIND_SERVICE. */
+  if ((is_dad_listeners() || option_bool(OPT_CLEVERBIND)) &&
+      (option_bool(OPT_TFTP) || (daemon->port != 0 && daemon->port <= 1024)))
+    need_cap_net_bind_service = 1;
+
+  /* usptream servers which bind to an interface call SO_BINDTODEVICE
+     for each TCP connection, so need CAP_NET_RAW */
+  for (serv = daemon->servers; serv; serv = serv->next)
+    if (serv->interface[0] != 0)
+      need_cap_net_raw = 1;
+
+  /* If we're doing Dbus or UBus, the above can be set dynamically,
+     (as can ports) so always (potentially) needed. */
+#ifdef HAVE_DBUS
+  if (option_bool(OPT_DBUS))
+    {
+      need_cap_net_bind_service = 1;
+      need_cap_net_raw = 1;
+    }
+#endif
+
+#ifdef HAVE_UBUS
+  if (option_bool(OPT_UBUS))
+    {
+      need_cap_net_bind_service = 1;
+      need_cap_net_raw = 1;
+    }
+#endif
+  
  /* determine capability API version here, while we can still
     call safe_malloc */
-  if (ent_pw && ent_pw->pw_uid != 0)
+  int capsize = 1; /* for header version 1 */
+  char *fail = NULL;
+  
+  hdr = safe_malloc(sizeof(*hdr));
+  
+  /* find version supported by kernel */
+  memset(hdr, 0, sizeof(*hdr));
+  capget(hdr, NULL);
+  
+  if (hdr->version != LINUX_CAPABILITY_VERSION_1)
    {
-      int capsize = 1; /* for header version 1 */
-      hdr = safe_malloc(sizeof(*hdr));
-
-      /* find version supported by kernel */
-      memset(hdr, 0, sizeof(*hdr));
-      capget(hdr, NULL);
-      
-      if (hdr->version != LINUX_CAPABILITY_VERSION_1)
-	{
-	  /* if unknown version, use largest supported version (3) */
-	  if (hdr->version != LINUX_CAPABILITY_VERSION_2)
-	    hdr->version = LINUX_CAPABILITY_VERSION_3;
-	  capsize = 2;
-	}
-      
-      data = safe_malloc(sizeof(*data) * capsize);
-      memset(data, 0, sizeof(*data) * capsize);
+      /* if unknown version, use largest supported version (3) */
+      if (hdr->version != LINUX_CAPABILITY_VERSION_2)
+	hdr->version = LINUX_CAPABILITY_VERSION_3;
+      capsize = 2;
    }
+  
+  data = safe_malloc(sizeof(*data) * capsize);
+  capget(hdr, data); /* Get current values, for verification */
+
+  if (need_cap_net_admin && !(data->permitted & (1 << CAP_NET_ADMIN)))
+    fail = "NET_ADMIN";
+  else if (need_cap_net_raw && !(data->permitted & (1 << CAP_NET_RAW)))
+    fail = "NET_RAW";
+  else if (need_cap_net_bind_service && !(data->permitted & (1 << CAP_NET_BIND_SERVICE)))
+    fail = "NET_BIND_SERVICE";
+  
+  if (fail)
+    die(_("process is missing required capability %s"), fail, EC_MISC);
+
+  /* Now set bitmaps to set caps after daemonising */
+  memset(data, 0, sizeof(*data) * capsize);
+  
+  if (need_cap_net_admin)
+    data->effective |= (1 << CAP_NET_ADMIN);
+  if (need_cap_net_raw)
+    data->effective |= (1 << CAP_NET_RAW);
+  if (need_cap_net_bind_service)
+    data->effective |= (1 << CAP_NET_BIND_SERVICE);
+  
+  data->permitted = data->effective;  
 #endif

  /* Use a pipe to carry signals and other events back to the event loop 
@@ -478,7 +571,6 @@ int main (int argc, char **argv)
      if (chdir("/") != 0)
 	die(_("cannot chdir to filesystem root: %s"), NULL, EC_MISC); 

-#ifndef NO_FORK      
      if (!option_bool(OPT_NO_FORK))
 	{
 	  pid_t pid;
@@ -497,7 +589,7 @@ int main (int argc, char **argv)
 	      char *msg;

 	      /* close our copy of write-end */
-	      while (retry_send(close(err_pipe[1])));
+	      close(err_pipe[1]);
 	      
 	      /* check for errors after the fork */
 	      if (read_event(err_pipe[0], &ev, &msg))
@@ -506,7 +598,7 @@ int main (int argc, char **argv)
 	      _exit(EC_GOOD);
 	    } 
 	  
-	  while (retry_send(close(err_pipe[0])));
+	  close(err_pipe[0]);

 	  /* NO calls to die() from here on. */
 	  
@@ -518,7 +610,6 @@ int main (int argc, char **argv)
 	  if (pid != 0)
 	    _exit(0);
 	}
-#endif
            
      /* write pidfile _after_ forking ! */
      if (daemon->runfile)
@@ -569,8 +660,7 @@ int main (int argc, char **argv)
 		err = 1;
 	      else
 		{
-		  while (retry_send(close(fd)));
-		  if (errno != 0)
+		  if (close(fd) == -1)
 		    err = 1;
 		}
 	    }
@@ -623,18 +713,9 @@ int main (int argc, char **argv)
      if (ent_pw && ent_pw->pw_uid != 0)
 	{     
 #if defined(HAVE_LINUX_NETWORK)	  
-	  /* On linux, we keep CAP_NETADMIN (for ARP-injection) and
-	     CAP_NET_RAW (for icmp) if we're doing dhcp. If we have yet to bind 
-	     ports because of DAD, or we're doing it dynamically,
-	     we need CAP_NET_BIND_SERVICE too. */
-	  if (is_dad_listeners() || option_bool(OPT_CLEVERBIND))
-	    data->effective = data->permitted = data->inheritable =
-	      (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW) | 
-	      (1 << CAP_SETUID) | (1 << CAP_NET_BIND_SERVICE);
-	  else
-	    data->effective = data->permitted = data->inheritable =
-	      (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW) | (1 << CAP_SETUID);
-	  
+	  /* Need to be able to drop root. */
+	  data->effective |= (1 << CAP_SETUID);
+	  data->permitted |= (1 << CAP_SETUID);
 	  /* Tell kernel to not clear capabilities when dropping root */
 	  if (capset(hdr, data) == -1 || prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1)
 	    bad_capabilities = errno;
@@ -675,15 +756,10 @@ int main (int argc, char **argv)
 	    }     

 #ifdef HAVE_LINUX_NETWORK
-	  if (is_dad_listeners() || option_bool(OPT_CLEVERBIND))
-	   data->effective = data->permitted =
-	     (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW) | (1 << CAP_NET_BIND_SERVICE);
-	 else
-	   data->effective = data->permitted = 
-	     (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW);
-	  data->inheritable = 0;
+	  data->effective &= ~(1 << CAP_SETUID);
+	  data->permitted &= ~(1 << CAP_SETUID);
 	  
-	  /* lose the setuid and setgid capabilities */
+	  /* lose the setuid capability */
 	  if (capset(hdr, data) == -1)
 	    {
 	      send_event(err_pipe[1], EVENT_CAP_ERR, errno, NULL);
@@ -772,6 +848,16 @@ int main (int argc, char **argv)
    }
 #endif

+#ifdef HAVE_UBUS
+  if (option_bool(OPT_UBUS))
+    {
+      if (daemon->ubus)
+        my_syslog(LOG_INFO, _("UBus support enabled: connected to system bus"));
+      else
+        my_syslog(LOG_INFO, _("UBus support enabled: bus connection pending"));
+    }
+#endif
+
 #ifdef HAVE_DNSSEC
  if (option_bool(OPT_DNSSEC_VALID))
    {
@@ -861,6 +947,9 @@ int main (int argc, char **argv)
 #  ifdef HAVE_LINUX_NETWORK
  if (did_bind)
    my_syslog(MS_DHCP | LOG_INFO, _("DHCP, sockets bound exclusively to interface %s"), bound_device);
+
+  if (netlink_warn)
+    my_syslog(LOG_WARNING, netlink_warn);
 #  endif

  /* after dhcp_construct_contexts */
@@ -873,10 +962,11 @@ int main (int argc, char **argv)
    {
      struct tftp_prefix *p;

-      my_syslog(MS_TFTP | LOG_INFO, "TFTP %s%s %s", 
+      my_syslog(MS_TFTP | LOG_INFO, "TFTP %s%s %s %s", 
 		daemon->tftp_prefix ? _("root is ") : _("enabled"),
-		daemon->tftp_prefix ? daemon->tftp_prefix: "",
-		option_bool(OPT_TFTP_SECURE) ? _("secure mode") : "");
+		daemon->tftp_prefix ? daemon->tftp_prefix : "",
+		option_bool(OPT_TFTP_SECURE) ? _("secure mode") : "",
+		option_bool(OPT_SINGLE_PORT) ? _("single port mode") : "");

      if (tftp_prefix_missing)
 	my_syslog(MS_TFTP | LOG_WARNING, _("warning: %s inaccessible"), daemon->tftp_prefix);
@@ -894,7 +984,7 @@ int main (int argc, char **argv)
      
      if (max_fd < 0)
 	max_fd = 5;
-      else if (max_fd < 100)
+      else if (max_fd < 100 && !option_bool(OPT_SINGLE_PORT))
 	max_fd = max_fd/2;
      else
 	max_fd = max_fd - 20;
@@ -917,12 +1007,16 @@ int main (int argc, char **argv)

  /* finished start-up - release original process */
  if (err_pipe[1] != -1)
-    while (retry_send(close(err_pipe[1])));
+    close(err_pipe[1]);
  
  if (daemon->port != 0)
    check_servers();
  
  pid = getpid();
+
+  daemon->pipe_to_parent = -1;
+  for (i = 0; i < MAX_PROCS; i++)
+    daemon->tcp_pipes[i] = -1;
  
 #ifdef HAVE_INOTIFY
  /* Using inotify, have to select a resolv file at startup */
@@ -956,7 +1050,7 @@ int main (int argc, char **argv)

 #ifdef HAVE_UBUS
      if (option_bool(OPT_UBUS))
-	  set_ubus_listeners();
+        set_ubus_listeners();
 #endif
 	  
 #ifdef HAVE_DHCP
@@ -1020,7 +1114,7 @@ int main (int argc, char **argv)
 #endif

   
-      /* must do this just before select(), when we know no
+      /* must do this just before do_poll(), when we know no
 	 more calls to my_syslog() can occur */
      set_log_writer();
      
@@ -1091,7 +1185,15 @@ int main (int argc, char **argv)

 #ifdef HAVE_UBUS
      if (option_bool(OPT_UBUS))
-        check_ubus_listeners();
+        {
+          /* if we didn't create a UBus connection, retry now. */
+          if (!daemon->ubus)
+            {
+              ubus_init();
+            }
+
+          check_ubus_listeners();
+        }
 #endif

      check_dns_listeners(now);
@@ -1439,7 +1541,7 @@ static void async_event(int pipe, time_t now)
 	    do {
 	      helper_write();
 	    } while (!helper_buf_empty() || do_script_run(now));
-	    while (retry_send(close(daemon->helperfd)));
+	    close(daemon->helperfd);
 	  }
 #endif
 	
@@ -1575,16 +1677,17 @@ static int set_dns_listeners(time_t now)
 #ifdef HAVE_TFTP
  int  tftp = 0;
  struct tftp_transfer *transfer;
-  for (transfer = daemon->tftp_trans; transfer; transfer = transfer->next)
-    {
-      tftp++;
-      poll_listen(transfer->sockfd, POLLIN);
-    }
+  if (!option_bool(OPT_SINGLE_PORT))
+    for (transfer = daemon->tftp_trans; transfer; transfer = transfer->next)
+      {
+	tftp++;
+	poll_listen(transfer->sockfd, POLLIN);
+      }
 #endif
  
  /* will we be able to get memory? */
  if (daemon->port != 0)
-    get_new_frec(now, &wait, 0);
+    get_new_frec(now, &wait, NULL);
  
  for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next)
    poll_listen(serverfdp->fd, POLLIN);
@@ -1604,19 +1707,25 @@ static int set_dns_listeners(time_t now)
 	 we don't need to explicitly arrange to wake up here */
      if  (listener->tcpfd != -1)
 	for (i = 0; i < MAX_PROCS; i++)
-	  if (daemon->tcp_pids[i] == 0)
+	  if (daemon->tcp_pids[i] == 0 && daemon->tcp_pipes[i] == -1)
 	    {
 	      poll_listen(listener->tcpfd, POLLIN);
 	      break;
 	    }

 #ifdef HAVE_TFTP
+      /* tftp == 0 in single-port mode. */
      if (tftp <= daemon->tftp_max && listener->tftpfd != -1)
 	poll_listen(listener->tftpfd, POLLIN);
 #endif

    }
  
+  if (!option_bool(OPT_DEBUG))
+    for (i = 0; i < MAX_PROCS; i++)
+      if (daemon->tcp_pipes[i] != -1)
+	poll_listen(daemon->tcp_pipes[i], POLLIN);
+  
  return wait;
 }

@@ -1625,7 +1734,8 @@ static void check_dns_listeners(time_t now)
  struct serverfd *serverfdp;
  struct listener *listener;
  int i;
-
+  int pipefd[2];
+  
  for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next)
    if (poll_check(serverfdp->fd, POLLIN))
      reply_query(serverfdp->fd, serverfdp->source_addr.sa.sa_family, now);
@@ -1635,7 +1745,24 @@ static void check_dns_listeners(time_t now)
      if (daemon->randomsocks[i].refcount != 0 && 
 	  poll_check(daemon->randomsocks[i].fd, POLLIN))
 	reply_query(daemon->randomsocks[i].fd, daemon->randomsocks[i].family, now);
-  
+
+  /* Races. The child process can die before we read all of the data from the
+     pipe, or vice versa. Therefore send tcp_pids to zero when we wait() the 
+     process, and tcp_pipes to -1 and close the FD when we read the last
+     of the data - indicated by cache_recv_insert returning zero.
+     The order of these events is indeterminate, and both are needed
+     to free the process slot. Once the child process has gone, poll()
+     returns POLLHUP, not POLLIN, so have to check for both here. */
+  if (!option_bool(OPT_DEBUG))
+    for (i = 0; i < MAX_PROCS; i++)
+      if (daemon->tcp_pipes[i] != -1 &&
+	  poll_check(daemon->tcp_pipes[i], POLLIN | POLLHUP) &&
+	  !cache_recv_insert(now, daemon->tcp_pipes[i]))
+	{
+	  close(daemon->tcp_pipes[i]);
+	  daemon->tcp_pipes[i] = -1;	
+	}
+	
  for (listener = daemon->listeners; listener; listener = listener->next)
    {
      if (listener->fd != -1 && poll_check(listener->fd, POLLIN))
@@ -1661,7 +1788,7 @@ static void check_dns_listeners(time_t now)
 	  
 	  if (getsockname(confd, (struct sockaddr *)&tcp_addr, &tcp_len) == -1)
 	    {
-	      while (retry_send(close(confd)));
+	      close(confd);
 	      continue;
 	    }
 	  
@@ -1689,15 +1816,16 @@ static void check_dns_listeners(time_t now)
 	      if ((if_index = tcp_interface(confd, tcp_addr.sa.sa_family)) != 0 &&
 		  indextoname(listener->tcpfd, if_index, intr_name))
 		{
-		  struct all_addr addr;
-		  addr.addr.addr4 = tcp_addr.in.sin_addr;
-#ifdef HAVE_IPV6
+		  union all_addr addr;
+		  
 		  if (tcp_addr.sa.sa_family == AF_INET6)
-		    addr.addr.addr6 = tcp_addr.in6.sin6_addr;
-#endif
+		    addr.addr6 = tcp_addr.in6.sin6_addr;
+		  else
+		    addr.addr4 = tcp_addr.in.sin_addr;
 		  
 		  for (iface = daemon->interfaces; iface; iface = iface->next)
-		    if (iface->index == if_index)
+		    if (iface->index == if_index &&
+		        iface->addr.sa.sa_family == tcp_addr.sa.sa_family)
 		      break;
 		  
 		  if (!iface && !loopback_exception(listener->tcpfd, tcp_addr.sa.sa_family, &addr, intr_name))
@@ -1726,27 +1854,48 @@ static void check_dns_listeners(time_t now)
 	  if (!client_ok)
 	    {
 	      shutdown(confd, SHUT_RDWR);
-	      while (retry_send(close(confd)));
+	      close(confd);
 	    }
-#ifndef NO_FORK
-	  else if (!option_bool(OPT_DEBUG) && (p = fork()) != 0)
+	  else if (!option_bool(OPT_DEBUG) && pipe(pipefd) == 0 && (p = fork()) != 0)
 	    {
-	      if (p != -1)
+	      close(pipefd[1]); /* parent needs read pipe end. */
+	      if (p == -1)
+		close(pipefd[0]);
+	      else
 		{
 		  int i;
+#ifdef HAVE_LINUX_NETWORK
+		  /* The child process inherits the netlink socket, 
+		     which it never uses, but when the parent (us) 
+		     uses it in the future, the answer may go to the 
+		     child, resulting in the parent blocking
+		     forever awaiting the result. To avoid this
+		     the child closes the netlink socket, but there's
+		     a nasty race, since the parent may use netlink
+		     before the child has done the close.
+		     
+		     To avoid this, the parent blocks here until a 
+		     single byte comes back up the pipe, which
+		     is sent by the child after it has closed the
+		     netlink socket. */
+		  
+		  unsigned char a;
+		  read_write(pipefd[0], &a, 1, 1);
+#endif
+
 		  for (i = 0; i < MAX_PROCS; i++)
-		    if (daemon->tcp_pids[i] == 0)
+		    if (daemon->tcp_pids[i] == 0 && daemon->tcp_pipes[i] == -1)
 		      {
 			daemon->tcp_pids[i] = p;
+			daemon->tcp_pipes[i] = pipefd[0];
 			break;
 		      }
 		}
-	      while (retry_send(close(confd)));
+	      close(confd);

 	      /* The child can use up to TCP_MAX_QUERIES ids, so skip that many. */
 	      daemon->log_id += TCP_MAX_QUERIES;
 	    }
-#endif
 	  else
 	    {
 	      unsigned char *buff;
@@ -1754,7 +1903,7 @@ static void check_dns_listeners(time_t now)
 	      int flags;
 	      struct in_addr netmask;
 	      int auth_dns;
-
+	   
 	      if (iface)
 		{
 		  netmask = iface->netmask;
@@ -1766,12 +1915,21 @@ static void check_dns_listeners(time_t now)
 		  auth_dns = 0;
 		}

-#ifndef NO_FORK
 	      /* Arrange for SIGALRM after CHILD_LIFETIME seconds to
 		 terminate the process. */
 	      if (!option_bool(OPT_DEBUG))
-		alarm(CHILD_LIFETIME);
-#endif
+		{
+#ifdef HAVE_LINUX_NETWORK
+		  /* See comment above re: netlink socket. */
+		  unsigned char a = 0;
+
+		  close(daemon->netlinkfd);
+		  read_write(pipefd[1], &a, 1, 0);
+#endif		  
+		  alarm(CHILD_LIFETIME);
+		  close(pipefd[0]); /* close read end in child. */
+		  daemon->pipe_to_parent = pipefd[1];
+		}

 	      /* start with no upstream connections. */
 	      for (s = daemon->servers; s; s = s->next)
@@ -1786,7 +1944,7 @@ static void check_dns_listeners(time_t now)
 	      buff = tcp_request(confd, now, &tcp_addr, netmask, auth_dns);
 	       
 	      shutdown(confd, SHUT_RDWR);
-	      while (retry_send(close(confd)));
+	      close(confd);
 	      
 	      if (buff)
 		free(buff);
@@ -1795,15 +1953,15 @@ static void check_dns_listeners(time_t now)
 		if (s->tcpfd != -1)
 		  {
 		    shutdown(s->tcpfd, SHUT_RDWR);
-		    while (retry_send(close(s->tcpfd)));
+		    close(s->tcpfd);
 		  }
-#ifndef NO_FORK		   
+	      
 	      if (!option_bool(OPT_DEBUG))
 		{
+		  close(daemon->pipe_to_parent);
 		  flush_log();
 		  _exit(0);
 		}
-#endif
 	    }
 	}
    }
@@ -1873,7 +2031,7 @@ int icmp_ping(struct in_addr addr)
  gotreply = delay_dhcp(dnsmasq_time(), PING_WAIT, fd, addr.s_addr, id);

 #if defined(HAVE_LINUX_NETWORK) || defined(HAVE_SOLARIS_NETWORK)
-  while (retry_send(close(fd)));
+  close(fd);
 #else
  opt = 1;
  setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &opt, sizeof(opt));
@@ -1960,6 +2118,4 @@ int delay_dhcp(time_t start, int sec, int fd, uint32_t addr, unsigned short id)

  return 0;
 }
-#endif
-
- 
+#endif /* HAVE_DHCP */
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -14,7 +14,7 @@
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

-#define COPYRIGHT "Copyright (c) 2000-2018 Simon Kelley"
+#define COPYRIGHT "Copyright (c) 2000-2020 Simon Kelley"

 /* We do defines that influence behavior of stdio.h, so complain
   if included too early. */
@@ -95,7 +95,11 @@ typedef unsigned long long u64;
 #if defined(HAVE_SOLARIS_NETWORK)
 #  include <sys/sockio.h>
 #endif
-#include <sys/poll.h>
+#if defined(HAVE_POLL_H)
+#  include <poll.h>
+#else
+#  include <sys/poll.h>
+#endif
 #include <sys/wait.h>
 #include <sys/time.h>
 #include <sys/un.h>
@@ -126,10 +130,9 @@ typedef unsigned long long u64;
 #include <net/if_arp.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
-#ifdef HAVE_IPV6
 #include <netinet/ip6.h>
-#endif
 #include <netinet/ip_icmp.h>
+#include <netinet/tcp.h>
 #include <sys/uio.h>
 #include <syslog.h>
 #include <dirent.h>
@@ -138,6 +141,8 @@ typedef unsigned long long u64;
 #endif

 #if defined(HAVE_LINUX_NETWORK)
+#include <linux/version.h>
+#include <linux/sockios.h>
 #include <linux/capability.h>
 /* There doesn't seem to be a universally-available 
   userspace header for these. */
@@ -152,13 +157,15 @@ extern int capget(cap_user_header_t header, cap_user_data_t data);
 #include <priv.h>
 #endif

-#ifdef HAVE_DNSSEC
+#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
 #  include <nettle/nettle-meta.h>
 #endif

 /* daemon is function in the C library.... */
 #define daemon dnsmasq_daemon

+#define ADDRSTRLEN INET6_ADDRSTRLEN
+
 /* Async event queue */
 struct event_desc {
  int event, data, msg_sz;
@@ -200,9 +207,6 @@ struct event_desc {
 #define EC_MISC        5
 #define EC_INIT_OFFSET 10

-/* Trust the compiler dead-code eliminator.... */
-#define option_bool(x) (((x) < 32) ? daemon->options & (1u << (x)) : daemon->options2 & (1u << ((x) - 32)))
-
 #define OPT_BOGUSPRIV      0
 #define OPT_FILTER         1
 #define OPT_LOG            2
@@ -262,7 +266,16 @@ struct event_desc {
 #define OPT_TFTP_APREF_MAC 56
 #define OPT_RAPID_COMMIT   57
 #define OPT_UBUS           58
-#define OPT_LAST           59
+#define OPT_IGNORE_CLID    59
+#define OPT_SINGLE_PORT    60
+#define OPT_LEASE_RENEW    61
+#define OPT_LAST           62
+
+#define OPTION_BITS (sizeof(unsigned int)*8)
+#define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
+#define option_var(x) (daemon->options[(x) / OPTION_BITS])
+#define option_val(x) ((1u) << ((x) % OPTION_BITS))
+#define option_bool(x) (option_var(x) & option_val(x))

 /* extra flags for my_syslog, we use a couple of facilities since they are known 
   not to occupy the same bits as priorities, no matter how syslog.h is set up. */
@@ -270,27 +283,44 @@ struct event_desc {
 #define MS_DHCP   LOG_DAEMON
 #define MS_SCRIPT LOG_MAIL

-struct all_addr {
-  union {
-    struct in_addr addr4;
-#ifdef HAVE_IPV6
-    struct in6_addr addr6;
-#endif
-    /* for log_query */
-    struct {
-      unsigned short keytag, algo, digest;
-    } log;
-    /* for log_query */
-    struct {
-      unsigned int rcode;
-    } rcode;
-    /* for cache_insert of DNSKEY, DS */
-    struct {
-      unsigned short class, type;
-    } dnssec;      
-  } addr;
+/* Note that this is used widely as a container for IPv4/IPv6 addresses,
+   so for that reason, was well as to avoid wasting memory in almost every
+   cache entry, the other variants should not be larger than
+   sizeof(struct in6_addr) - 16 bytes.
+*/
+union all_addr {
+  struct in_addr addr4;
+  struct in6_addr addr6;
+  struct {
+    union {
+      struct crec *cache;
+      char *name;
+    } target;
+    unsigned int uid;
+    int is_name_ptr;  /* disciminates target union */
+  } cname;
+  struct {
+    struct blockdata *keydata;
+    unsigned short keylen, flags, keytag;
+    unsigned char algo;
+  } key; 
+  struct {
+    struct blockdata *keydata;
+    unsigned short keylen, keytag;
+    unsigned char algo;
+    unsigned char digest; 
+  } ds;
+  struct {
+    struct blockdata *target;
+    unsigned short targetlen, srvport, priority, weight;
+  } srv;
+  /* for log_query */
+  struct {
+    unsigned short keytag, algo, digest, rcode;
+  } log;
 };

+
 struct bogus_addr {
  struct in_addr addr;
  struct bogus_addr *next;
@@ -350,13 +380,17 @@ struct ds_config {
  struct ds_config *next;
 };

-#define ADDRLIST_LITERAL 1
-#define ADDRLIST_IPV6    2
-#define ADDRLIST_REVONLY 4
+#define ADDRLIST_LITERAL  1
+#define ADDRLIST_IPV6     2
+#define ADDRLIST_REVONLY  4
+#define ADDRLIST_PREFIX   8
+#define ADDRLIST_WILDCARD 16
+#define ADDRLIST_DECLINED 32

 struct addrlist {
-  struct all_addr addr;
-  int flags, prefixlen; 
+  union all_addr addr;
+  int flags, prefixlen;
+  time_t decline_time;
  struct addrlist *next;
 };

@@ -375,17 +409,17 @@ struct auth_zone {
  struct auth_zone *next;
 };

+#define HR_6 1
+#define HR_4 2

 struct host_record {
-  int ttl;
+  int ttl, flags;
  struct name_list {
    char *name;
    struct name_list *next;
  } *names;
  struct in_addr addr;
-#ifdef HAVE_IPV6
  struct in6_addr addr6;
-#endif
  struct host_record *next;
 };

@@ -409,32 +443,11 @@ struct blockdata {

 struct crec { 
  struct crec *next, *prev, *hash_next;
-  /* union is 16 bytes when doing IPv6, 8 bytes on 32 bit machines without IPv6 */
-  union {
-    struct all_addr addr;
-    struct {
-      union {
-	struct crec *cache;
-	struct interface_name *int_name;
-      } target;
-      unsigned int uid; /* 0 if union is interface-name */
-    } cname;
-    struct {
-      struct blockdata *keydata;
-      unsigned short keylen, flags, keytag;
-      unsigned char algo;
-    } key; 
-    struct {
-      struct blockdata *keydata;
-      unsigned short keylen, keytag;
-      unsigned char algo;
-      unsigned char digest; 
-    } ds; 
-  } addr;
+  union all_addr addr;
  time_t ttd; /* time to die */
  /* used as class if DNSKEY/DS, index to source for F_HOSTS */
  unsigned int uid; 
-  unsigned short flags;
+  unsigned int flags;
  union {
    char sname[SMALLDNAME];
    union bigname *bname;
@@ -461,9 +474,6 @@ struct crec {
 #define F_CONFIG    (1u<<13)
 #define F_DS        (1u<<14)
 #define F_DNSSECOK  (1u<<15)
-
-/* below here are only valid as args to log_query: cache
-   entries are limited to 16 bits */
 #define F_UPSTREAM  (1u<<16)
 #define F_RRNAME    (1u<<17)
 #define F_SERVER    (1u<<18)
@@ -476,15 +486,12 @@ struct crec {
 #define F_NO_RR     (1u<<25)
 #define F_IPSET     (1u<<26)
 #define F_NOEXTRA   (1u<<27)
-#define F_SERVFAIL  (1u<<28)
+#define F_SERVFAIL  (1u<<28) /* currently unused. */
 #define F_RCODE     (1u<<29)
+#define F_SRV       (1u<<30)

 #define UID_NONE      0
 /* Values of uid in crecs with F_CONFIG bit set. */
-/* cname to uid SRC_INTERFACE are to interface names,
-   so use UID_NONE for that to eliminate clashes with
-   any other uid */
-#define SRC_INTERFACE UID_NONE
 #define SRC_CONFIG    1
 #define SRC_HOSTS     2
 #define SRC_AH        3
@@ -496,9 +503,7 @@ struct crec {
 union mysockaddr {
  struct sockaddr sa;
  struct sockaddr_in in;
-#if defined(HAVE_IPV6)
  struct sockaddr_in6 in6;
-#endif
 };

 /* bits in flag param to IPv6 callbacks from iface_enumerate() */
@@ -567,7 +572,8 @@ struct irec {
 };

 struct listener {
-  int fd, tcpfd, tftpfd, family;
+  int fd, tcpfd, tftpfd, used;
+  union mysockaddr addr;
  struct irec *iface; /* only sometimes valid for non-wildcard */
  struct listener *next;
 };
@@ -647,25 +653,26 @@ struct hostsfile {
 #define FREC_DO_QUESTION       64
 #define FREC_ADDED_PHEADER    128
 #define FREC_TEST_PKTSZ       256
-#define FREC_HAS_EXTRADATA    512        
+#define FREC_HAS_EXTRADATA    512
+#define FREC_HAS_PHEADER     1024
+#define FREC_NO_CACHE        2048

-#ifdef HAVE_DNSSEC
-#define HASH_SIZE 20 /* SHA-1 digest size */
-#else
-#define HASH_SIZE sizeof(int)
-#endif
+#define HASH_SIZE 32 /* SHA-256 digest size */

 struct frec {
-  union mysockaddr source;
-  struct all_addr dest;
+  struct frec_src {
+    union mysockaddr source;
+    union all_addr dest;
+    unsigned int iface, log_id;
+    int fd;
+    unsigned short orig_id;
+    struct frec_src *next;
+  } frec_src;
  struct server *sentto; /* NULL means free */
  struct randfd *rfd4;
-#ifdef HAVE_IPV6
  struct randfd *rfd6;
-#endif
-  unsigned int iface;
-  unsigned short orig_id, new_id;
-  int log_id, fd, forwardall, flags;
+  unsigned short new_id;
+  int forwardall, flags;
  time_t time;
  unsigned char *hash[HASH_SIZE];
 #ifdef HAVE_DNSSEC 
@@ -704,6 +711,7 @@ struct frec {
 #define LEASE_NA            32  /* IPv6 no-temporary lease */
 #define LEASE_TA            64  /* IPv6 temporary lease */
 #define LEASE_HAVE_HWADDR  128  /* Have set hwaddress */
+#define LEASE_EXP_CHANGED  256  /* Lease expiry time changed */

 struct dhcp_lease {
  int clid_len;          /* length of client identifier */
@@ -725,7 +733,7 @@ struct dhcp_lease {
  int new_prefixlen;     /* and its prefix length */
 #ifdef HAVE_DHCP6
  struct in6_addr addr6;
-  int iaid;
+  unsigned int iaid;
  struct slaac_address {
    struct in6_addr addr;
    time_t ping_time;
@@ -772,8 +780,9 @@ struct dhcp_config {
  unsigned char *clid;   /* clientid */
  char *hostname, *domain;
  struct dhcp_netid_list *netid;
+  struct dhcp_netid *filter;
 #ifdef HAVE_DHCP6
-  struct in6_addr addr6;
+  struct addrlist *addr6;
 #endif
  struct in_addr addr;
  time_t decline_time;
@@ -795,7 +804,7 @@ struct dhcp_config {
 #define CONFIG_DECLINED       1024    /* address declined by client */
 #define CONFIG_BANK           2048    /* from dhcp hosts file */
 #define CONFIG_ADDR6          4096
-#define CONFIG_WILDCARD       8192
+#define CONFIG_ADDR6_HOSTS   16384    /* address added by from /etc/hosts */

 struct dhcp_opt {
  int opt, len, flags;
@@ -823,6 +832,7 @@ struct dhcp_opt {
 #define DHOPT_RFC3925         2048
 #define DHOPT_TAGOK           4096
 #define DHOPT_ADDR6           8192
+#define DHOPT_VENDOR_PXE     16384

 struct dhcp_boot {
  char *file, *sname, *tftp_sname;
@@ -846,6 +856,8 @@ struct pxe_service {
  struct pxe_service *next;
 };

+#define DHCP_PXE_DEF_VENDOR      "PXEClient"
+
 #define MATCH_VENDOR     1
 #define MATCH_USER       2
 #define MATCH_CIRCUIT    3
@@ -861,6 +873,11 @@ struct dhcp_vendor {
  struct dhcp_vendor *next;
 };

+struct dhcp_pxe_vendor {
+  char *data;
+  struct dhcp_pxe_vendor *next;
+};
+
 struct dhcp_mac {
  unsigned int mask;
  int hwaddr_len, hwaddr_type;
@@ -877,21 +894,11 @@ struct dhcp_bridge {
 struct cond_domain {
  char *domain, *prefix;
  struct in_addr start, end;
-#ifdef HAVE_IPV6
  struct in6_addr start6, end6;
-#endif
  int is6, indexed;
  struct cond_domain *next;
 }; 

-#ifdef OPTION6_PREFIX_CLASS 
-struct prefix_class {
-  int class;
-  struct dhcp_netid tag;
-  struct prefix_class *next;
-};
-#endif
-
 struct ra_interface {
  char *name;
  char *mtu_name;
@@ -917,6 +924,16 @@ struct dhcp_context {
  struct dhcp_context *next, *current;
 };

+struct shared_network {
+  int if_index;
+  struct in_addr match_addr, shared_addr;
+#ifdef HAVE_DHCP6
+  /* shared_addr == 0 for IP6 entries. */
+  struct in6_addr match_addr6, shared_addr6;
+#endif
+  struct shared_network *next;
+};
+
 #define CONTEXT_STATIC         (1u<<0)
 #define CONTEXT_NETMASK        (1u<<1)
 #define CONTEXT_BRDCAST        (1u<<2)
@@ -936,6 +953,7 @@ struct dhcp_context {
 #define CONTEXT_OLD            (1u<<16)
 #define CONTEXT_V6             (1u<<17)
 #define CONTEXT_RA_OFF_LINK    (1u<<18)
+#define CONTEXT_SETLEASE       (1u<<19)

 struct ping_result {
  struct in_addr addr;
@@ -959,6 +977,8 @@ struct tftp_transfer {
  unsigned int block, blocksize, expansion;
  off_t offset;
  union mysockaddr peer;
+  union all_addr source;
+  int if_index;
  char opt_blocksize, opt_transize, netascii, carrylf;
  struct tftp_file *file;
  struct tftp_transfer *next;
@@ -977,7 +997,7 @@ struct tftp_prefix {
 };

 struct dhcp_relay {
-  struct all_addr local, server;
+  union all_addr local, server;
  char *interface; /* Allowable interface for replies from server, and dest for IPv6 multicast */
  int iface_index; /* working - interface in which requests arrived, for return */
  struct dhcp_relay *current, *next;
@@ -988,7 +1008,7 @@ extern struct daemon {
     config file arguments. All set (including defaults)
     in option.c */

-  unsigned int options, options2;
+  unsigned int options[OPTION_SIZE];
  struct resolvc default_resolv, *resolv_files;
  time_t last_resolv;
  char *servers_file;
@@ -1031,6 +1051,7 @@ extern struct daemon {
  struct dhcp_config *dhcp_conf;
  struct dhcp_opt *dhcp_opts, *dhcp_match, *dhcp_opts6, *dhcp_match6;
  struct dhcp_match_name *dhcp_name_match;
+  struct dhcp_pxe_vendor *dhcp_pxe_vendors;
  struct dhcp_vendor *dhcp_vendors;
  struct dhcp_mac *dhcp_macs;
  struct dhcp_boot *boot_config;
@@ -1056,13 +1077,11 @@ extern struct daemon {
  unsigned int duid_enterprise, duid_config_len;
  unsigned char *duid_config;
  char *dbus_name;
+  char *ubus_name;
  char *dump_file;
  int dump_mask;
  unsigned long soa_sn, soa_refresh, soa_retry, soa_expiry;
  u32 metrics[__METRIC_MAX];
-#ifdef OPTION6_PREFIX_CLASS 
-  struct prefix_class *prefix_classes;
-#endif
 #ifdef HAVE_DNSSEC
  struct ds_config *ds;
  char *timestamp_file;
@@ -1075,12 +1094,14 @@ extern struct daemon {
 #ifdef HAVE_DNSSEC
  char *keyname; /* MAXDNAME size buffer */
  char *workspacename; /* ditto */
-  char *rr_status; /* flags for individual RRs */
+  unsigned long *rr_status; /* ceiling in TTL from DNSSEC or zero for insecure */
  int rr_status_sz;
  int dnssec_no_time_check;
  int back_to_the_future;
 #endif
  struct frec *frec_list;
+  struct frec_src *free_frec_src;
+  int frec_src_count;
  struct serverfd *sfds;
  struct irec *interfaces;
  struct listener *listeners;
@@ -1091,6 +1112,8 @@ extern struct daemon {
  size_t packet_len;       /*      "        "        */
  struct randfd *rfd_save; /*      "        "        */
  pid_t tcp_pids[MAX_PROCS];
+  int tcp_pipes[MAX_PROCS];
+  int pipe_to_parent;
  struct randfd randomsocks[RANDOM_SOCKS];
  int v6pktinfo; 
  struct addrlist *interface_addrs; /* list of all addresses/prefix lengths associated with all local interfaces */
@@ -1103,7 +1126,7 @@ extern struct daemon {
  int inotifyfd;
 #endif
 #if defined(HAVE_LINUX_NETWORK)
-  int netlinkfd;
+  int netlinkfd, kernel_version;
 #elif defined(HAVE_BSD_NETWORK)
  int dhcp_raw_fd, dhcp_icmp_fd, routefd;
 #endif
@@ -1112,6 +1135,7 @@ extern struct daemon {
  struct ping_result *ping_results;
  FILE *lease_stream;
  struct dhcp_bridge *bridges;
+  struct shared_network *shared_networks;
 #ifdef HAVE_DHCP6
  int duid_len;
  unsigned char *duid;
@@ -1124,6 +1148,11 @@ extern struct daemon {
 #ifdef HAVE_DBUS
  struct watch *watches;
 #endif
+  /* UBus stuff */
+#ifdef HAVE_UBUS
+  /* void * here to avoid depending on ubus headers outside ubus.c */
+  void *ubus;
+#endif

  /* TFTP stuff */
  struct tftp_transfer *tftp_trans, *tftp_done_trans;
@@ -1141,21 +1170,22 @@ extern struct daemon {
 /* cache.c */
 void cache_init(void);
 void next_uid(struct crec *crecp);
-void log_query(unsigned int flags, char *name, struct all_addr *addr, char *arg); 
+void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg); 
 char *record_source(unsigned int index);
 char *querystr(char *desc, unsigned short type);
 int cache_find_non_terminal(char *name, time_t now);
 struct crec *cache_find_by_addr(struct crec *crecp,
-				struct all_addr *addr, time_t now, 
+				union all_addr *addr, time_t now, 
 				unsigned int prot);
 struct crec *cache_find_by_name(struct crec *crecp, 
 				char *name, time_t now, unsigned int prot);
 void cache_end_insert(void);
 void cache_start_insert(void);
-struct crec *cache_insert(char *name, struct all_addr *addr,
-			  time_t now, unsigned long ttl, unsigned short flags);
+int cache_recv_insert(time_t now, int fd);
+struct crec *cache_insert(char *name, union all_addr *addr, unsigned short class, 
+			  time_t now, unsigned long ttl, unsigned int flags);
 void cache_reload(void);
-void cache_add_dhcp_entry(char *host_name, int prot, struct all_addr *host_address, time_t ttd);
+void cache_add_dhcp_entry(char *host_name, int prot, union all_addr *host_address, time_t ttd);
 struct in_addr a_record_from_hosts(char *name, time_t now);
 void cache_unhash_dhcp(void);
 void dump_cache(time_t now);
@@ -1169,21 +1199,19 @@ int read_hostsfile(char *filename, unsigned int index, int cache_size,
 		   struct crec **rhash, int hashsz);

 /* blockdata.c */
-#ifdef HAVE_DNSSEC
 void blockdata_init(void);
 void blockdata_report(void);
 struct blockdata *blockdata_alloc(char *data, size_t len);
 void *blockdata_retrieve(struct blockdata *block, size_t len, void *data);
+struct blockdata *blockdata_read(int fd, size_t len);
+void blockdata_write(struct blockdata *block, size_t len, int fd);
 void blockdata_free(struct blockdata *blocks);
-#endif

 /* domain.c */
 char *get_domain(struct in_addr addr);
-#ifdef HAVE_IPV6
 char *get_domain6(struct in6_addr *addr);
-#endif
-int is_name_synthetic(int flags, char *name, struct all_addr *addr);
-int is_rev_synth(int flag, struct all_addr *addr, char *name);
+int is_name_synthetic(int flags, char *name, union all_addr *addr);
+int is_rev_synth(int flag, union all_addr *addr, char *name);

 /* rfc1035.c */
 int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, 
@@ -1194,7 +1222,7 @@ unsigned char *skip_section(unsigned char *ansp, int count, struct dns_header *h
 unsigned int extract_request(struct dns_header *header, size_t qlen, 
 			       char *name, unsigned short *typep);
 size_t setup_reply(struct dns_header *header, size_t  qlen,
-		   struct all_addr *addrp, unsigned int flags,
+		   union all_addr *addrp, unsigned int flags,
 		   unsigned long ttl);
 int extract_addresses(struct dns_header *header, size_t qlen, char *name,
 		      time_t now, char **ipsets, int is_sign, int check_rebind,
@@ -1206,16 +1234,12 @@ int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name,
 			     struct bogus_addr *baddr, time_t now);
 int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bogus_addr *baddr);
 int check_for_local_domain(char *name, time_t now);
-unsigned int questions_crc(struct dns_header *header, size_t plen, char *name);
 size_t resize_packet(struct dns_header *header, size_t plen, 
 		  unsigned char *pheader, size_t hlen);
 int add_resource_record(struct dns_header *header, char *limit, int *truncp,
 			int nameoffset, unsigned char **pp, unsigned long ttl, 
 			int *offset, unsigned short type, unsigned short class, char *format, ...);
-unsigned char *skip_questions(struct dns_header *header, size_t plen);
-int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, 
-		 char *name, int isExtract, int extrabytes);
-int in_arpa_name_2_addr(char *namein, struct all_addr *addrp);
+int in_arpa_name_2_addr(char *namein, union all_addr *addrp);
 int private_net(struct in_addr addr, int ban_localhost);

 /* auth.c */
@@ -1227,16 +1251,18 @@ int in_zone(struct auth_zone *zone, char *name, char **cut);
 #endif

 /* dnssec.c */
-size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name, int class, int type, union mysockaddr *addr, int edns_pktsz);
+size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name, int class, int type, int edns_pktsz);
 int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
 int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
 int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class,
-			  int check_unsigned, int *neganswer, int *nons);
+			  int check_unsigned, int *neganswer, int *nons, int *nsec_ttl);
 int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen);
 size_t filter_rrsigs(struct dns_header *header, size_t plen);
-unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name);
 int setup_timestamp(void);

+/* hash_questions.c */
+unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name);
+
 /* crypto.c */
 const struct nettle_hash *hash_find(char *name);
 int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp);
@@ -1265,11 +1291,9 @@ int hostname_issubdomain(char *a, char *b);
 time_t dnsmasq_time(void);
 int netmask_length(struct in_addr mask);
 int is_same_net(struct in_addr a, struct in_addr b, struct in_addr mask);
-#ifdef HAVE_IPV6
 int is_same_net6(struct in6_addr *a, struct in6_addr *b, int prefixlen);
 u64 addr6part(struct in6_addr *addr);
 void setaddr6part(struct in6_addr *addr, u64 host);
-#endif
 int retry_send(ssize_t rc);
 void prettyprint_time(char *buf, unsigned int t);
 int prettyprint_addr(union mysockaddr *addr, char *buf);
@@ -1280,9 +1304,12 @@ int memcmp_masked(unsigned char *a, unsigned char *b, int len,
 int expand_buf(struct iovec *iov, size_t size);
 char *print_mac(char *buff, unsigned char *mac, int len);
 int read_write(int fd, unsigned char *packet, int size, int rw);
-
+void close_fds(long max_fd, int spare1, int spare2, int spare3);
 int wildcard_match(const char* wildcard, const char* match);
 int wildcard_matchn(const char* wildcard, const char* match, int num);
+#ifdef HAVE_LINUX_NETWORK
+int kernel_version(void);
+#endif

 /* log.c */
 void die(char *message, char *arg1, int exit_code) ATTRIBUTE_NORETURN;
@@ -1314,9 +1341,9 @@ void receive_query(struct listener *listen, time_t now);
 unsigned char *tcp_request(int confd, time_t now,
 			   union mysockaddr *local_addr, struct in_addr netmask, int auth_dns);
 void server_gone(struct server *server);
-struct frec *get_new_frec(time_t now, int *wait, int force);
+struct frec *get_new_frec(time_t now, int *wait, struct frec *force);
 int send_from(int fd, int nowild, char *packet, size_t len, 
-	       union mysockaddr *to, struct all_addr *source,
+	       union mysockaddr *to, union all_addr *source,
 	       unsigned int iface);
 void resend_query(void);
 struct randfd *allocate_rfd(int family);
@@ -1343,14 +1370,12 @@ void warn_bound_listeners(void);
 void warn_wild_labels(void);
 void warn_int_names(void);
 int is_dad_listeners(void);
-int iface_check(int family, struct all_addr *addr, char *name, int *auth);
-int loopback_exception(int fd, int family, struct all_addr *addr, char *name);
-int label_exception(int index, int family, struct all_addr *addr);
+int iface_check(int family, union all_addr *addr, char *name, int *auth);
+int loopback_exception(int fd, int family, union all_addr *addr, char *name);
+int label_exception(int index, int family, union all_addr *addr);
 int fix_fd(int fd);
 int tcp_interface(int fd, int af);
-#ifdef HAVE_IPV6
 int set_ipv6pktinfo(int fd);
-#endif
 #ifdef HAVE_DHCP6
 void join_multicast(int dienow);
 #endif
@@ -1388,14 +1413,15 @@ struct dhcp_lease *lease4_allocate(struct in_addr addr);
 #ifdef HAVE_DHCP6
 struct dhcp_lease *lease6_allocate(struct in6_addr *addrp, int lease_type);
 struct dhcp_lease *lease6_find(unsigned char *clid, int clid_len, 
-			       int lease_type, int iaid, struct in6_addr *addr);
+			       int lease_type, unsigned int iaid, struct in6_addr *addr);
 void lease6_reset(void);
-struct dhcp_lease *lease6_find_by_client(struct dhcp_lease *first, int lease_type, unsigned char *clid, int clid_len, int iaid);
+struct dhcp_lease *lease6_find_by_client(struct dhcp_lease *first, int lease_type,
+					 unsigned char *clid, int clid_len, unsigned int iaid);
 struct dhcp_lease *lease6_find_by_addr(struct in6_addr *net, int prefix, u64 addr);
 u64 lease_find_max_addr6(struct dhcp_context *context);
 void lease_ping_reply(struct in6_addr *sender, unsigned char *packet, char *interface);
 void lease_update_slaac(time_t now);
-void lease_set_iaid(struct dhcp_lease *lease, int iaid);
+void lease_set_iaid(struct dhcp_lease *lease, unsigned int iaid);
 void lease_make_duid(time_t now);
 #endif
 void lease_set_hwaddr(struct dhcp_lease *lease, const unsigned char *hwaddr,
@@ -1441,7 +1467,7 @@ void clear_cache_and_reload(time_t now);

 /* netlink.c */
 #ifdef HAVE_LINUX_NETWORK
-void netlink_init(void);
+char *netlink_init(void);
 void netlink_multicast(void);
 #endif

@@ -1469,6 +1495,7 @@ void emit_dbus_signal(int action, struct dhcp_lease *lease, char *hostname);

 /* ubus.c */
 #ifdef HAVE_UBUS
+void ubus_init(void);
 void set_ubus_listeners(void);
 void check_ubus_listeners(void);
 void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface);
@@ -1477,7 +1504,7 @@ void ubus_event_bcast(const char *type, const char *mac, const char *ip, const c
 /* ipset.c */
 #ifdef HAVE_IPSET
 void ipset_init(void);
-int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int flags, int remove);
+int add_to_ipset(const char *setname, const union all_addr *ipaddr, int flags, int remove);
 #endif

 /* helper.c */
@@ -1490,7 +1517,7 @@ void queue_script(int action, struct dhcp_lease *lease,
 void queue_tftp(off_t file_len, char *filename, union mysockaddr *peer);
 #endif
 void queue_arp(int action, unsigned char *mac, int maclen,
-	       int family, struct all_addr *addr);
+	       int family, union all_addr *addr);
 int helper_buf_empty(void);
 #endif

@@ -1503,7 +1530,7 @@ int do_tftp_script_run(void);

 /* conntrack.c */
 #ifdef HAVE_CONNTRACK
-int get_incoming_mark(union mysockaddr *peer_addr, struct all_addr *local_addr,
+int get_incoming_mark(union mysockaddr *peer_addr, union all_addr *local_addr,
 		      int istcp, unsigned int *markp);
 #endif

@@ -1512,8 +1539,7 @@ int get_incoming_mark(union mysockaddr *peer_addr, struct all_addr *local_addr,
 void dhcp6_init(void);
 void dhcp6_packet(time_t now);
 struct dhcp_context *address6_allocate(struct dhcp_context *context,  unsigned char *clid, int clid_len, int temp_addr,
-				       int iaid, int serial, struct dhcp_netid *netids, int plain_range, struct in6_addr *ans);
-int config_valid(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr);
+				       unsigned int iaid, int serial, struct dhcp_netid *netids, int plain_range, struct in6_addr *ans);
 struct dhcp_context *address6_available(struct dhcp_context *context, 
 					struct in6_addr *taddr,
 					struct dhcp_netid *netids,
@@ -1523,7 +1549,7 @@ struct dhcp_context *address6_valid(struct dhcp_context *context,
 				    struct dhcp_netid *netids,
 				    int plain_range);
 struct dhcp_config *config_find_by_address6(struct dhcp_config *configs, struct in6_addr *net, 
-					    int prefix, u64 addr);
+					    int prefix, struct in6_addr *addr);
 void make_duid(time_t now);
 void dhcp_construct_contexts(time_t now);
 void get_client_mac(struct in6_addr *client, int iface, unsigned char *mac, 
@@ -1556,13 +1582,12 @@ void dhcp_update_configs(struct dhcp_config *configs);
 void display_opts(void);
 int lookup_dhcp_opt(int prot, char *name);
 int lookup_dhcp_len(int prot, int val);
-char *option_string(int prot, unsigned int opt, unsigned char *val, 
-		    int opt_len, char *buf, int buf_len);
 struct dhcp_config *find_config(struct dhcp_config *configs,
 				struct dhcp_context *context,
 				unsigned char *clid, int clid_len,
 				unsigned char *hwaddr, int hw_len, 
-				int hw_type, char *hostname);
+				int hw_type, char *hostname,
+				struct dhcp_netid *filter);
 int config_has_mac(struct dhcp_config *config, unsigned char *hwaddr, int len, int type);
 #ifdef HAVE_LINUX_NETWORK
 char *whichdevice(void);
@@ -1635,7 +1660,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
 			unsigned short udp_sz, int optno, unsigned char *opt, size_t optlen, int set_do, int replace);
 size_t add_do_bit(struct dns_header *header, size_t plen, unsigned char *limit);
 size_t add_edns0_config(struct dns_header *header, size_t plen, unsigned char *limit, 
-			union mysockaddr *source, time_t now, int *check_subnet);
+			union mysockaddr *source, time_t now, int *check_subnet, int *cacheable);
 int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer);

 /* arp.c */
--- a/src/dnssec.c
+++ b/src/dnssec.c
--- a/src/domain.c
+++ b/src/domain.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -18,21 +18,14 @@


 static struct cond_domain *search_domain(struct in_addr addr, struct cond_domain *c);
-#ifdef HAVE_IPV6
 static struct cond_domain *search_domain6(struct in6_addr *addr, struct cond_domain *c);
-#endif


-int is_name_synthetic(int flags, char *name, struct all_addr *addr)
+int is_name_synthetic(int flags, char *name, union all_addr *addr)
 {
  char *p;
  struct cond_domain *c = NULL;
-  int prot = AF_INET;
-
-#ifdef HAVE_IPV6
-  if (flags & F_IPV6)
-    prot = AF_INET6;
-#endif
+  int prot = (flags & F_IPV6) ? AF_INET6 : AF_INET;

  for (c = daemon->synth_domains; c; c = c->next)
    {
@@ -80,11 +73,10 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
 		   if (!c->is6 &&
 		      index <= ntohl(c->end.s_addr) - ntohl(c->start.s_addr))
 		    {
-		      addr->addr.addr4.s_addr = htonl(ntohl(c->start.s_addr) + index);
+		      addr->addr4.s_addr = htonl(ntohl(c->start.s_addr) + index);
 		      found = 1;
 		    }
-		}
-#ifdef HAVE_IPV6 
+		} 
 	      else
 		{
 		  u64 index = atoll(tail);
@@ -93,12 +85,11 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
 		      index <= addr6part(&c->end6) - addr6part(&c->start6))
 		    {
 		      u64 start = addr6part(&c->start6);
-		      addr->addr.addr6 = c->start6;
-		      setaddr6part(&addr->addr.addr6, start + index);
+		      addr->addr6 = c->start6;
+		      setaddr6part(&addr->addr6, start + index);
 		      found = 1;
 		    }
 		}
-#endif
 	    }
 	}
      else
@@ -111,10 +102,8 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
 	      if ((c >='0' && c <= '9') || c == '-')
 		continue;
 	      
-#ifdef HAVE_IPV6
 	      if (prot == AF_INET6 && ((c >='A' && c <= 'F') || (c >='a' && c <= 'f'))) 
 		continue;
-#endif
 	      
 	      break;
 	    }
@@ -124,7 +113,6 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
 	  
 	  *p = 0;	
 	  
-#ifdef HAVE_IPV6
 	  if (prot == AF_INET6 && strstr(tail, "--ffff-") == tail)
 	    {
 	      /* special hack for v4-mapped. */
@@ -134,7 +122,6 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
 		  *p = '.';
 	    }
 	  else
-#endif
 	    {
 	      /* swap . or : for - */
 	      for (p = tail; *p; p++)
@@ -142,10 +129,8 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
 		  {
 		    if (prot == AF_INET)
 		      *p = '.';
-#ifdef HAVE_IPV6
 		    else
 		      *p = ':';
-#endif
 		  }
 	    }
 	  
@@ -154,22 +139,20 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
 	      if (prot == AF_INET)
 		{
 		  if (!c->is6 &&
-		      ntohl(addr->addr.addr4.s_addr) >= ntohl(c->start.s_addr) &&
-		      ntohl(addr->addr.addr4.s_addr) <= ntohl(c->end.s_addr))
+		      ntohl(addr->addr4.s_addr) >= ntohl(c->start.s_addr) &&
+		      ntohl(addr->addr4.s_addr) <= ntohl(c->end.s_addr))
 		    found = 1;
 		}
-#ifdef HAVE_IPV6
 	      else
 		{
-		  u64 addrpart = addr6part(&addr->addr.addr6);
+		  u64 addrpart = addr6part(&addr->addr6);
 		  
 		  if (c->is6 &&
-		      is_same_net6(&addr->addr.addr6, &c->start6, 64) &&
+		      is_same_net6(&addr->addr6, &c->start6, 64) &&
 		      addrpart >= addr6part(&c->start6) &&
 		      addrpart <= addr6part(&c->end6))
 		    found = 1;
 		}
-#endif
 	    }

 	}
@@ -190,18 +173,18 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
 }


-int is_rev_synth(int flag, struct all_addr *addr, char *name)
+int is_rev_synth(int flag, union all_addr *addr, char *name)
 {
   struct cond_domain *c;

-   if (flag & F_IPV4 && (c = search_domain(addr->addr.addr4, daemon->synth_domains))) 
+   if (flag & F_IPV4 && (c = search_domain(addr->addr4, daemon->synth_domains))) 
     {
       char *p;
       
       *name = 0;
       if (c->indexed)
 	 {
-	   unsigned int index = ntohl(addr->addr.addr4.s_addr) - ntohl(c->start.s_addr);
+	   unsigned int index = ntohl(addr->addr4.s_addr) - ntohl(c->start.s_addr);
 	   snprintf(name, MAXDNAME, "%s%u", c->prefix ? c->prefix : "", index);
 	 }
       else
@@ -209,7 +192,7 @@ int is_rev_synth(int flag, struct all_addr *addr, char *name)
 	   if (c->prefix)
 	     strncpy(name, c->prefix, MAXDNAME - ADDRSTRLEN);
       
-       	   inet_ntop(AF_INET, &addr->addr.addr4, name + strlen(name), ADDRSTRLEN);
+       	   inet_ntop(AF_INET, &addr->addr4, name + strlen(name), ADDRSTRLEN);
 	   for (p = name; *p; p++)
 	     if (*p == '.')
 	       *p = '-';
@@ -221,15 +204,14 @@ int is_rev_synth(int flag, struct all_addr *addr, char *name)
       return 1;
     }

-#ifdef HAVE_IPV6
-   if (flag & F_IPV6 && (c = search_domain6(&addr->addr.addr6, daemon->synth_domains))) 
+   if ((flag & F_IPV6) && (c = search_domain6(&addr->addr6, daemon->synth_domains))) 
     {
       char *p;
       
       *name = 0;
       if (c->indexed)
 	 {
-	   u64 index = addr6part(&addr->addr.addr6) - addr6part(&c->start6);
+	   u64 index = addr6part(&addr->addr6) - addr6part(&c->start6);
 	   snprintf(name, MAXDNAME, "%s%llu", c->prefix ? c->prefix : "", index);
 	 }
       else
@@ -237,14 +219,14 @@ int is_rev_synth(int flag, struct all_addr *addr, char *name)
 	   if (c->prefix)
 	     strncpy(name, c->prefix, MAXDNAME - ADDRSTRLEN);
       
-	   inet_ntop(AF_INET6, &addr->addr.addr6, name + strlen(name), ADDRSTRLEN);
+	   inet_ntop(AF_INET6, &addr->addr6, name + strlen(name), ADDRSTRLEN);

 	   /* IPv6 presentation address can start with ":", but valid domain names
 	      cannot start with "-" so prepend a zero in that case. */
 	   if (!c->prefix && *name == ':')
 	     {
 	       *name = '0';
-	       inet_ntop(AF_INET6, &addr->addr.addr6, name+1, ADDRSTRLEN);
+	       inet_ntop(AF_INET6, &addr->addr6, name+1, ADDRSTRLEN);
 	     }
 	   
 	   /* V4-mapped have periods.... */
@@ -259,7 +241,6 @@ int is_rev_synth(int flag, struct all_addr *addr, char *name)
       
       return 1;
     }
-#endif
   
   return 0;
 }
@@ -286,7 +267,7 @@ char *get_domain(struct in_addr addr)
  return daemon->domain_suffix;
 } 

-#ifdef HAVE_IPV6
+
 static struct cond_domain *search_domain6(struct in6_addr *addr, struct cond_domain *c)
 {
  u64 addrpart = addr6part(addr);
@@ -310,4 +291,3 @@ char *get_domain6(struct in6_addr *addr)

  return daemon->domain_suffix;
 } 
-#endif
--- a/src/dump.c
+++ b/src/dump.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -82,10 +82,8 @@ void dump_init(void)
 void dump_packet(int mask, void *packet, size_t len, union mysockaddr *src, union mysockaddr *dst)
 {
  struct ip ip;
-#ifdef HAVE_IPV6
  struct ip6_hdr ip6;
  int family;
-#endif
  struct udphdr {
    u16 uh_sport;               /* source port */
    u16 uh_dport;               /* destination port */
@@ -105,7 +103,6 @@ void dump_packet(int mask, void *packet, size_t len, union mysockaddr *src, unio
  /* So wireshark can Id the packet. */
  udp.uh_sport = udp.uh_dport = htons(NAMESERVER_PORT);

-#ifdef HAVE_IPV6
  if (src)
    family = src->sa.sa_family;
  else
@@ -135,11 +132,14 @@ void dump_packet(int mask, void *packet, size_t len, union mysockaddr *src, unio
 	}
            
      /* start UDP checksum */
-      for (sum = 0, i = 0; i < IN6ADDRSZ; i++)
-	sum += ((u16 *)&ip6.ip6_src)[i];
+      for (sum = 0, i = 0; i < IN6ADDRSZ; i+=2)
+	{
+	  sum += ip6.ip6_src.s6_addr[i] + (ip6.ip6_src.s6_addr[i+1] << 8) ;
+	  sum += ip6.ip6_dst.s6_addr[i] + (ip6.ip6_dst.s6_addr[i+1] << 8) ;
+	  
+	}
    }
  else
-#endif
    {
      iphdr = &ip;
      ipsz = sizeof(ip);
--- a/src/edns0.c
+++ b/src/edns0.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -264,7 +264,8 @@ static void encoder(unsigned char *in, char *out)
  out[3] = char64(in[2]);
 }

-static size_t add_dns_client(struct dns_header *header, size_t plen, unsigned char *limit, union mysockaddr *l3, time_t now)
+static size_t add_dns_client(struct dns_header *header, size_t plen, unsigned char *limit,
+			     union mysockaddr *l3, time_t now, int *cacheablep)
 {
  int maclen, replace = 2; /* can't get mac address, just delete any incoming. */
  unsigned char mac[DHCP_CHADDR_MAX];
@@ -273,6 +274,7 @@ static size_t add_dns_client(struct dns_header *header, size_t plen, unsigned ch
  if ((maclen = find_mac(l3, mac, 1, now)) == 6)
    {
      replace = 1;
+      *cacheablep = 0;

      if (option_bool(OPT_MAC_HEX))
 	print_mac(encode, mac, maclen);
@@ -288,49 +290,47 @@ static size_t add_dns_client(struct dns_header *header, size_t plen, unsigned ch
 }


-static size_t add_mac(struct dns_header *header, size_t plen, unsigned char *limit, union mysockaddr *l3, time_t now)
+static size_t add_mac(struct dns_header *header, size_t plen, unsigned char *limit,
+		      union mysockaddr *l3, time_t now, int *cacheablep)
 {
  int maclen;
  unsigned char mac[DHCP_CHADDR_MAX];

  if ((maclen = find_mac(l3, mac, 1, now)) != 0)
-    plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_MAC, mac, maclen, 0, 0); 
-    
+    {
+      *cacheablep = 0;
+      plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_MAC, mac, maclen, 0, 0); 
+    }
+  
  return plen; 
 }

 struct subnet_opt {
  u16 family;
-  u8 source_netmask, scope_netmask;
-#ifdef HAVE_IPV6 
+  u8 source_netmask, scope_netmask; 
  u8 addr[IN6ADDRSZ];
-#else
-  u8 addr[INADDRSZ];
-#endif
 };

 static void *get_addrp(union mysockaddr *addr, const short family) 
 {
-#ifdef HAVE_IPV6
  if (family == AF_INET6)
    return &addr->in6.sin6_addr;
-#endif

  return &addr->in.sin_addr;
 }

-static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source)
+static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source, int *cacheablep)
 {
  /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
  
  int len;
  void *addrp = NULL;
  int sa_family = source->sa.sa_family;
-
+  int cacheable = 0;
+  
  opt->source_netmask = 0;
  opt->scope_netmask = 0;
-
-#ifdef HAVE_IPV6
+    
  if (source->sa.sa_family == AF_INET6 && daemon->add_subnet6)
    {
      opt->source_netmask = daemon->add_subnet6->mask;
@@ -338,11 +338,11 @@ static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source)
 	{
 	  sa_family = daemon->add_subnet6->addr.sa.sa_family;
 	  addrp = get_addrp(&daemon->add_subnet6->addr, sa_family);
+	  cacheable = 1;
 	} 
      else 
 	addrp = &source->in6.sin6_addr;
    }
-#endif

  if (source->sa.sa_family == AF_INET && daemon->add_subnet4)
    {
@@ -351,18 +351,13 @@ static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source)
 	{
 	  sa_family = daemon->add_subnet4->addr.sa.sa_family;
 	  addrp = get_addrp(&daemon->add_subnet4->addr, sa_family);
+	  cacheable = 1; /* Address is constant */
 	} 
 	else 
 	  addrp = &source->in.sin_addr;
    }
  
-#ifdef HAVE_IPV6
  opt->family = htons(sa_family == AF_INET6 ? 2 : 1);
-#else
-  opt->family = htons(1);
-#endif
-  
-  len = 0;
  
  if (addrp && opt->source_netmask != 0)
    {
@@ -371,18 +366,26 @@ static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source)
      if (opt->source_netmask & 7)
 	opt->addr[len-1] &= 0xff << (8 - (opt->source_netmask & 7));
    }
+  else
+    {
+      cacheable = 1; /* No address ever supplied. */
+      len = 0;
+    }
+
+  if (cacheablep)
+    *cacheablep = cacheable;
  
  return len + 4;
 }
 
-static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned char *limit, union mysockaddr *source)
+static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned char *limit, union mysockaddr *source, int *cacheable)
 {
  /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
  
  int len;
  struct subnet_opt opt;
  
-  len = calc_subnet_opt(&opt, source);
+  len = calc_subnet_opt(&opt, source, cacheable);
  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0, 0);
 }

@@ -395,18 +398,18 @@ int check_source(struct dns_header *header, size_t plen, unsigned char *pseudohe
  unsigned char *p;
  int code, i, rdlen;
  
-   calc_len = calc_subnet_opt(&opt, peer);
+  calc_len = calc_subnet_opt(&opt, peer, NULL);
   
-   if (!(p = skip_name(pseudoheader, header, plen, 10)))
-     return 1;
-   
-   p += 8; /* skip UDP length and RCODE */
-   
-   GETSHORT(rdlen, p);
-   if (!CHECK_LEN(header, p, plen, rdlen))
-     return 1; /* bad packet */
-   
-   /* check if option there */
+  if (!(p = skip_name(pseudoheader, header, plen, 10)))
+    return 1;
+  
+  p += 8; /* skip UDP length and RCODE */
+  
+  GETSHORT(rdlen, p);
+  if (!CHECK_LEN(header, p, plen, rdlen))
+    return 1; /* bad packet */
+  
+  /* check if option there */
   for (i = 0; i + 4 < rdlen; i += len + 4)
     {
       GETSHORT(code, p);
@@ -424,24 +427,28 @@ int check_source(struct dns_header *header, size_t plen, unsigned char *pseudohe
   return 1;
 }

+/* Set *check_subnet if we add a client subnet option, which needs to checked 
+   in the reply. Set *cacheable to zero if we add an option which the answer
+   may depend on. */
 size_t add_edns0_config(struct dns_header *header, size_t plen, unsigned char *limit, 
-			union mysockaddr *source, time_t now, int *check_subnet)    
+			union mysockaddr *source, time_t now, int *check_subnet, int *cacheable)    
 {
  *check_subnet = 0;
-
+  *cacheable = 1;
+  
  if (option_bool(OPT_ADD_MAC))
-    plen  = add_mac(header, plen, limit, source, now);
+    plen  = add_mac(header, plen, limit, source, now, cacheable);
  
  if (option_bool(OPT_MAC_B64) || option_bool(OPT_MAC_HEX))
-    plen = add_dns_client(header, plen, limit, source, now);
-
+    plen = add_dns_client(header, plen, limit, source, now, cacheable);
+  
  if (daemon->dns_client_id)
    plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_NOMCPEID, 
 			    (unsigned char *)daemon->dns_client_id, strlen(daemon->dns_client_id), 0, 1);
  
  if (option_bool(OPT_CLIENT_SUBNET))
    {
-      plen = add_source_addr(header, plen, limit, source); 
+      plen = add_source_addr(header, plen, limit, source, cacheable); 
      *check_subnet = 1;
    }
 	  
--- a/src/forward.c
+++ b/src/forward.c
--- a/src/hash_questions.c
+++ b/src/hash_questions.c
@@ -0,0 +1,281 @@
+/* Copyright (c) 2012-2020 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+/* Hash the question section. This is used to safely detect query 
+   retransmission and to detect answers to questions we didn't ask, which 
+   might be poisoning attacks. Note that we decode the name rather 
+   than CRC the raw bytes, since replies might be compressed differently. 
+   We ignore case in the names for the same reason. 
+
+   The hash used is SHA-256. If we're building with DNSSEC support,
+   we use the Nettle cypto library. If not, we prefer not to
+   add a dependency on Nettle, and use a stand-alone implementaion. 
+*/
+
+#include "dnsmasq.h"
+
+#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH)
+unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
+{
+  int q;
+  unsigned char *p = (unsigned char *)(header+1);
+  const struct nettle_hash *hash;
+  void *ctx;
+  unsigned char *digest;
+  
+  if (!(hash = hash_find("sha256")) || !hash_init(hash, &ctx, &digest))
+    {
+      /* don't think this can ever happen. */
+      static unsigned char dummy[HASH_SIZE];
+      static int warned = 0;
+
+      if (!warned)
+	my_syslog(LOG_ERR, _("Failed to create SHA-256 hash object"));
+      warned = 1;
+     
+      return dummy;
+    }
+  
+  for (q = ntohs(header->qdcount); q != 0; q--) 
+    {
+      char *cp, c;
+
+      if (!extract_name(header, plen, &p, name, 1, 4))
+	break; /* bad packet */
+
+      for (cp = name; (c = *cp); cp++)
+	 if (c >= 'A' && c <= 'Z')
+	   *cp += 'a' - 'A';
+
+      hash->update(ctx, cp - name, (unsigned char *)name);
+      /* CRC the class and type as well */
+      hash->update(ctx, 4, p);
+
+      p += 4;
+      if (!CHECK_LEN(header, p, plen, 0))
+	break; /* bad packet */
+    }
+  
+  hash->digest(ctx, hash->digest_size, digest);
+  return digest;
+}
+
+#else /* HAVE_DNSSEC */
+
+#define SHA256_BLOCK_SIZE 32            // SHA256 outputs a 32 byte digest
+typedef unsigned char BYTE;             // 8-bit byte
+typedef unsigned int  WORD;             // 32-bit word, change to "long" for 16-bit machines
+
+typedef struct {
+  BYTE data[64];
+  WORD datalen;
+  unsigned long long bitlen;
+  WORD state[8];
+} SHA256_CTX;
+
+static void sha256_init(SHA256_CTX *ctx);
+static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len);
+static void sha256_final(SHA256_CTX *ctx, BYTE hash[]);
+
+
+unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
+{
+  int q;
+  unsigned char *p = (unsigned char *)(header+1);
+  SHA256_CTX ctx;
+  static BYTE digest[SHA256_BLOCK_SIZE];
+  
+  sha256_init(&ctx);
+    
+  for (q = ntohs(header->qdcount); q != 0; q--) 
+    {
+      char *cp, c;
+
+      if (!extract_name(header, plen, &p, name, 1, 4))
+	break; /* bad packet */
+
+      for (cp = name; (c = *cp); cp++)
+	 if (c >= 'A' && c <= 'Z')
+	   *cp += 'a' - 'A';
+
+      sha256_update(&ctx, (BYTE *)name, cp - name);
+      /* CRC the class and type as well */
+      sha256_update(&ctx, (BYTE *)p, 4);
+
+      p += 4;
+      if (!CHECK_LEN(header, p, plen, 0))
+	break; /* bad packet */
+    }
+  
+  sha256_final(&ctx, digest);
+  return (unsigned char *)digest;
+}
+
+/* Code from here onwards comes from https://github.com/B-Con/crypto-algorithms
+   and was written by Brad Conte (brad@bradconte.com), to whom all credit is given.
+
+   This code is in the public domain, and the copyright notice at the head of this 
+   file does not apply to it.
+*/
+
+
+/****************************** MACROS ******************************/
+#define ROTLEFT(a,b) (((a) << (b)) | ((a) >> (32-(b))))
+#define ROTRIGHT(a,b) (((a) >> (b)) | ((a) << (32-(b))))
+
+#define CH(x,y,z) (((x) & (y)) ^ (~(x) & (z)))
+#define MAJ(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+#define EP0(x) (ROTRIGHT(x,2) ^ ROTRIGHT(x,13) ^ ROTRIGHT(x,22))
+#define EP1(x) (ROTRIGHT(x,6) ^ ROTRIGHT(x,11) ^ ROTRIGHT(x,25))
+#define SIG0(x) (ROTRIGHT(x,7) ^ ROTRIGHT(x,18) ^ ((x) >> 3))
+#define SIG1(x) (ROTRIGHT(x,17) ^ ROTRIGHT(x,19) ^ ((x) >> 10))
+
+/**************************** VARIABLES *****************************/
+static const WORD k[64] = {
+			   0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
+			   0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
+			   0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
+			   0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
+			   0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
+			   0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
+			   0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
+			   0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
+};
+
+/*********************** FUNCTION DEFINITIONS ***********************/
+static void sha256_transform(SHA256_CTX *ctx, const BYTE data[])
+{
+  WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64];
+  
+  for (i = 0, j = 0; i < 16; ++i, j += 4)
+    m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]);
+  for ( ; i < 64; ++i)
+    m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16];
+
+  a = ctx->state[0];
+  b = ctx->state[1];
+  c = ctx->state[2];
+  d = ctx->state[3];
+  e = ctx->state[4];
+  f = ctx->state[5];
+  g = ctx->state[6];
+  h = ctx->state[7];
+
+  for (i = 0; i < 64; ++i)
+    {
+      t1 = h + EP1(e) + CH(e,f,g) + k[i] + m[i];
+      t2 = EP0(a) + MAJ(a,b,c);
+      h = g;
+      g = f;
+      f = e;
+      e = d + t1;
+      d = c;
+      c = b;
+      b = a;
+      a = t1 + t2;
+    }
+  
+  ctx->state[0] += a;
+  ctx->state[1] += b;
+  ctx->state[2] += c;
+  ctx->state[3] += d;
+  ctx->state[4] += e;
+  ctx->state[5] += f;
+  ctx->state[6] += g;
+  ctx->state[7] += h;
+}
+
+static void sha256_init(SHA256_CTX *ctx)
+{
+  ctx->datalen = 0;
+  ctx->bitlen = 0;
+  ctx->state[0] = 0x6a09e667;
+  ctx->state[1] = 0xbb67ae85;
+  ctx->state[2] = 0x3c6ef372;
+  ctx->state[3] = 0xa54ff53a;
+  ctx->state[4] = 0x510e527f;
+  ctx->state[5] = 0x9b05688c;
+  ctx->state[6] = 0x1f83d9ab;
+  ctx->state[7] = 0x5be0cd19;
+}
+
+static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len)
+{
+  WORD i;
+  
+  for (i = 0; i < len; ++i)
+    {
+      ctx->data[ctx->datalen] = data[i];
+      ctx->datalen++;
+      if (ctx->datalen == 64) {
+	sha256_transform(ctx, ctx->data);
+	ctx->bitlen += 512;
+	ctx->datalen = 0;
+      }
+    }
+}
+
+static void sha256_final(SHA256_CTX *ctx, BYTE hash[])
+{
+  WORD i;
+  
+  i = ctx->datalen;
+
+  // Pad whatever data is left in the buffer.
+  if (ctx->datalen < 56)
+    {
+      ctx->data[i++] = 0x80;
+      while (i < 56)
+	ctx->data[i++] = 0x00;
+    }
+  else
+    {
+      ctx->data[i++] = 0x80;
+      while (i < 64)
+	ctx->data[i++] = 0x00;
+      sha256_transform(ctx, ctx->data);
+      memset(ctx->data, 0, 56);
+    }
+  
+  // Append to the padding the total message's length in bits and transform.
+  ctx->bitlen += ctx->datalen * 8;
+  ctx->data[63] = ctx->bitlen;
+  ctx->data[62] = ctx->bitlen >> 8;
+  ctx->data[61] = ctx->bitlen >> 16;
+  ctx->data[60] = ctx->bitlen >> 24;
+  ctx->data[59] = ctx->bitlen >> 32;
+  ctx->data[58] = ctx->bitlen >> 40;
+  ctx->data[57] = ctx->bitlen >> 48;
+  ctx->data[56] = ctx->bitlen >> 56;
+  sha256_transform(ctx, ctx->data);
+  
+  // Since this implementation uses little endian byte ordering and SHA uses big endian,
+  // reverse all the bytes when copying the final state to the output hash.
+  for (i = 0; i < 4; ++i)
+    {
+      hash[i]      = (ctx->state[0] >> (24 - i * 8)) & 0x000000ff;
+      hash[i + 4]  = (ctx->state[1] >> (24 - i * 8)) & 0x000000ff;
+      hash[i + 8]  = (ctx->state[2] >> (24 - i * 8)) & 0x000000ff;
+      hash[i + 12] = (ctx->state[3] >> (24 - i * 8)) & 0x000000ff;
+      hash[i + 16] = (ctx->state[4] >> (24 - i * 8)) & 0x000000ff;
+      hash[i + 20] = (ctx->state[5] >> (24 - i * 8)) & 0x000000ff;
+      hash[i + 24] = (ctx->state[6] >> (24 - i * 8)) & 0x000000ff;
+      hash[i + 28] = (ctx->state[7] >> (24 - i * 8)) & 0x000000ff;
+    }
+}
+
+#endif
--- a/src/helper.c
+++ b/src/helper.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -64,11 +64,10 @@ struct script_data
 #ifdef HAVE_TFTP
  off_t file_len;
 #endif
-#ifdef HAVE_IPV6
  struct in6_addr addr6;
-#endif
 #ifdef HAVE_DHCP6
-  int iaid, vendorclass_count;
+  int vendorclass_count;
+  unsigned int iaid;
 #endif
  unsigned char hwaddr[DHCP_CHADDR_MAX];
  char interface[IF_NAMESIZE];
@@ -82,7 +81,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
  pid_t pid;
  int i, pipefd[2];
  struct sigaction sigact;
-
+  unsigned char *alloc_buff = NULL;
+  
  /* create the pipe through which the main program sends us commands,
     then fork our process. */
  if (pipe(pipefd) == -1 || !fix_fd(pipefd[1]) || (pid = fork()) == -1)
@@ -131,12 +131,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
     Don't close err_fd, in case the lua-init fails.
     Note that we have to do this before lua init
     so we don't close any lua fds. */
-  for (max_fd--; max_fd >= 0; max_fd--)
-    if (max_fd != STDOUT_FILENO && max_fd != STDERR_FILENO && 
-	max_fd != STDIN_FILENO && max_fd != pipefd[0] && 
-	max_fd != event_fd && max_fd != err_fd)
-      close(max_fd);
-
+  close_fds(max_fd, pipefd[0], event_fd, err_fd);
+  
 #ifdef HAVE_LUASCRIPT
  if (daemon->luascript)
    {
@@ -188,11 +184,16 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
      struct script_data data;
      char *p, *action_str, *hostname = NULL, *domain = NULL;
      unsigned char *buf = (unsigned char *)daemon->namebuff;
-      unsigned char *end, *extradata, *alloc_buff = NULL;
+      unsigned char *end, *extradata;
      int is6, err = 0;
      int pipeout[2];

-      free(alloc_buff);
+      /* Free rarely-allocated memory from previous iteration. */
+      if (alloc_buff)
+	{
+	  free(alloc_buff);
+	  alloc_buff = NULL;
+	}
      
      /* we read zero bytes when pipe closed: this is our signal to exit */ 
      if (!read_write(pipefd[0], (unsigned char *)&data, sizeof(data), 1))
@@ -302,10 +303,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
    
      if (!is6)
 	inet_ntop(AF_INET, &data.addr, daemon->addrbuff, ADDRSTRLEN);
-#ifdef HAVE_IPV6
      else
 	inet_ntop(AF_INET6, &data.addr6, daemon->addrbuff, ADDRSTRLEN);
-#endif

 #ifdef HAVE_TFTP
      /* file length */
@@ -826,10 +825,8 @@ void queue_tftp(off_t file_len, char *filename, union mysockaddr *peer)

  if ((buf->flags = peer->sa.sa_family) == AF_INET)
    buf->addr = peer->in.sin_addr;
-#ifdef HAVE_IPV6
  else
    buf->addr6 = peer->in6.sin6_addr;
-#endif

  memcpy((unsigned char *)(buf+1), filename, filename_len);
  
@@ -837,7 +834,7 @@ void queue_tftp(off_t file_len, char *filename, union mysockaddr *peer)
 }
 #endif

-void queue_arp(int action, unsigned char *mac, int maclen, int family, struct all_addr *addr)
+void queue_arp(int action, unsigned char *mac, int maclen, int family, union all_addr *addr)
 {
  /* no script */
  if (daemon->helperfd == -1)
@@ -850,11 +847,9 @@ void queue_arp(int action, unsigned char *mac, int maclen, int family, struct al
  buf->hwaddr_len = maclen;
  buf->hwaddr_type =  ARPHRD_ETHER; 
  if ((buf->flags = family) == AF_INET)
-    buf->addr = addr->addr.addr4;
-#ifdef HAVE_IPV6
+    buf->addr = addr->addr4;
  else
-    buf->addr6 = addr->addr.addr6;
-#endif
+    buf->addr6 = addr->addr6;
  
  memcpy(buf->hwaddr, mac, maclen);
  
--- a/src/inotify.c
+++ b/src/inotify.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/ip6addr.h
+++ b/src/ip6addr.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/ipset.c
+++ b/src/ipset.c
@@ -22,9 +22,7 @@
 #include <errno.h>
 #include <sys/types.h>
 #include <sys/socket.h>
-#include <sys/utsname.h>
 #include <arpa/inet.h>
-#include <linux/version.h>
 #include <linux/netlink.h>

 /* We want to be able to compile against old header files
@@ -87,20 +85,7 @@ static inline void add_attr(struct nlmsghdr *nlh, uint16_t type, size_t len, con

 void ipset_init(void)
 {
-  struct utsname utsname;
-  int version;
-  char *split;
-  
-  if (uname(&utsname) < 0)
-    die(_("failed to find kernel version: %s"), NULL, EC_MISC);
-  
-  split = strtok(utsname.release, ".");
-  version = (split ? atoi(split) : 0);
-  split = strtok(NULL, ".");
-  version = version * 256 + (split ? atoi(split) : 0);
-  split = strtok(NULL, ".");
-  version = version * 256 + (split ? atoi(split) : 0);
-  old_kernel = (version < KERNEL_VERSION(2,6,32));
+  old_kernel = (daemon->kernel_version < KERNEL_VERSION(2,6,32));
  
  if (old_kernel && (ipset_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) != -1)
    return;
@@ -114,19 +99,14 @@ void ipset_init(void)
  die (_("failed to create IPset control socket: %s"), NULL, EC_MISC);
 }

-static int new_add_to_ipset(const char *setname, const struct all_addr *ipaddr, int af, int remove)
+static int new_add_to_ipset(const char *setname, const union all_addr *ipaddr, int af, int remove)
 {
  struct nlmsghdr *nlh;
  struct my_nfgenmsg *nfg;
  struct my_nlattr *nested[2];
  uint8_t proto;
-  int addrsz = INADDRSZ;
+  int addrsz = (af == AF_INET6) ? IN6ADDRSZ : INADDRSZ;

-#ifdef HAVE_IPV6
-  if (af == AF_INET6)
-    addrsz = IN6ADDRSZ;
-#endif
-    
  if (strlen(setname) >= IPSET_MAXNAMELEN) 
    {
      errno = ENAMETOOLONG;
@@ -157,7 +137,7 @@ static int new_add_to_ipset(const char *setname, const struct all_addr *ipaddr,
  nested[1]->nla_type = NLA_F_NESTED | IPSET_ATTR_IP;
  add_attr(nlh, 
 	   (af == AF_INET ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6) | NLA_F_NET_BYTEORDER,
-	   addrsz, &ipaddr->addr);
+	   addrsz, ipaddr);
  nested[1]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[1];
  nested[0]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[0];
 	
@@ -168,7 +148,7 @@ static int new_add_to_ipset(const char *setname, const struct all_addr *ipaddr,
 }


-static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr, int remove)
+static int old_add_to_ipset(const char *setname, const union all_addr *ipaddr, int remove)
 {
  socklen_t size;
  struct ip_set_req_adt_get {
@@ -200,7 +180,7 @@ static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr,
    return -1;
  req_adt.op = remove ? 0x102 : 0x101;
  req_adt.index = req_adt_get.set.index;
-  req_adt.ip = ntohl(ipaddr->addr.addr4.s_addr);
+  req_adt.ip = ntohl(ipaddr->addr4.s_addr);
  if (setsockopt(ipset_sock, SOL_IP, 83, &req_adt, sizeof(req_adt)) < 0)
    return -1;
  
@@ -209,11 +189,10 @@ static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr,



-int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int flags, int remove)
+int add_to_ipset(const char *setname, const union all_addr *ipaddr, int flags, int remove)
 {
  int ret = 0, af = AF_INET;

-#ifdef HAVE_IPV6
  if (flags & F_IPV6)
    {
      af = AF_INET6;
@@ -224,7 +203,6 @@ int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int flags,
 	  ret = -1;
 	}
    }
-#endif
  
  if (ret != -1) 
    ret = old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
--- a/src/lease.c
+++ b/src/lease.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,7 +24,7 @@ static int dns_dirty, file_dirty, leases_left;
 static int read_leases(time_t now, FILE *leasestream)
 {
  unsigned long ei;
-  struct all_addr addr;
+  union all_addr addr;
  struct dhcp_lease *lease;
  int clid_len, hw_len, hw_type;
  int items;
@@ -60,11 +60,16 @@ static int read_leases(time_t now, FILE *leasestream)
 	
 	if (fscanf(leasestream, " %64s %255s %764s",
 		   daemon->namebuff, daemon->dhcp_buff, daemon->packet) != 3)
-	  return 0;
-	
-	if (inet_pton(AF_INET, daemon->namebuff, &addr.addr.addr4))
 	  {
-	    if ((lease = lease4_allocate(addr.addr.addr4)))
+	    my_syslog(MS_DHCP | LOG_WARNING, _("ignoring invalid line in lease database: %s %s %s %s ..."),
+		      daemon->dhcp_buff3, daemon->dhcp_buff2,
+		      daemon->namebuff, daemon->dhcp_buff);
+	    continue;
+	  }
+		
+	if (inet_pton(AF_INET, daemon->namebuff, &addr.addr4))
+	  {
+	    if ((lease = lease4_allocate(addr.addr4)))
 	      domain = get_domain(lease->addr);
 	    
 	    hw_len = parse_hex(daemon->dhcp_buff2, (unsigned char *)daemon->dhcp_buff2, DHCP_CHADDR_MAX, NULL, &hw_type);
@@ -73,7 +78,7 @@ static int read_leases(time_t now, FILE *leasestream)
 	      hw_type = ARPHRD_ETHER; 
 	  }
 #ifdef HAVE_DHCP6
-	else if (inet_pton(AF_INET6, daemon->namebuff, &addr.addr.addr6))
+	else if (inet_pton(AF_INET6, daemon->namebuff, &addr.addr6))
 	  {
 	    char *s = daemon->dhcp_buff2;
 	    int lease_type = LEASE_NA;
@@ -84,7 +89,7 @@ static int read_leases(time_t now, FILE *leasestream)
 		s++;
 	      }
 	    
-	    if ((lease = lease6_allocate(&addr.addr.addr6, lease_type)))
+	    if ((lease = lease6_allocate(&addr.addr6, lease_type)))
 	      {
 		lease_set_iaid(lease, strtoul(s, NULL, 10));
 		domain = get_domain6(&lease->addr6);
@@ -92,7 +97,12 @@ static int read_leases(time_t now, FILE *leasestream)
 	  }
 #endif
 	else
-	  return 0;
+	  {
+	    my_syslog(MS_DHCP | LOG_WARNING, _("ignoring invalid line in lease database, bad address: %s"),
+		      daemon->namebuff);
+	    continue;
+	  }
+	

 	if (!lease)
 	  die (_("too many stored leases"), NULL, EC_MISC);
@@ -172,10 +182,8 @@ void lease_init(time_t now)
  if (leasestream)
    {
      if (!read_leases(now, leasestream))
-	my_syslog(MS_DHCP | LOG_ERR, _("failed to parse lease database, invalid line: %s %s %s %s ..."),
-		  daemon->dhcp_buff3, daemon->dhcp_buff2,
-		  daemon->namebuff, daemon->dhcp_buff);
-
+	my_syslog(MS_DHCP | LOG_ERR, _("failed to parse lease database cleanly"));
+      
      if (ferror(leasestream))
 	die(_("failed to read lease file %s: %s"), daemon->lease_file, EC_FILE);
    }
@@ -222,7 +230,7 @@ void lease_update_from_configs(void)
    if (lease->flags & (LEASE_TA | LEASE_NA))
      continue;
    else if ((config = find_config(daemon->dhcp_conf, NULL, lease->clid, lease->clid_len, 
-				   lease->hwaddr, lease->hwaddr_len, lease->hwaddr_type, NULL)) && 
+				   lease->hwaddr, lease->hwaddr_len, lease->hwaddr_type, NULL, NULL)) && 
 	     (config->flags & CONFIG_NAME) &&
 	     (!(config->flags & CONFIG_ADDR) || config->addr.s_addr == lease->addr.s_addr))
      lease_set_hostname(lease, config->hostname, 1, get_domain(lease->addr), NULL);
@@ -514,28 +522,28 @@ void lease_update_dns(int force)
 		if (slaac->backoff == 0)
 		  {
 		    if (lease->fqdn)
-		      cache_add_dhcp_entry(lease->fqdn, AF_INET6, (struct all_addr *)&slaac->addr, lease->expires);
+		      cache_add_dhcp_entry(lease->fqdn, AF_INET6, (union all_addr *)&slaac->addr, lease->expires);
 		    if (!option_bool(OPT_DHCP_FQDN) && lease->hostname)
-		      cache_add_dhcp_entry(lease->hostname, AF_INET6, (struct all_addr *)&slaac->addr, lease->expires);
+		      cache_add_dhcp_entry(lease->hostname, AF_INET6, (union all_addr *)&slaac->addr, lease->expires);
 		  }
 	    }
 	  
 	  if (lease->fqdn)
 	    cache_add_dhcp_entry(lease->fqdn, prot, 
-				 prot == AF_INET ? (struct all_addr *)&lease->addr : (struct all_addr *)&lease->addr6,
+				 prot == AF_INET ? (union all_addr *)&lease->addr : (union all_addr *)&lease->addr6,
 				 lease->expires);
 	     
 	  if (!option_bool(OPT_DHCP_FQDN) && lease->hostname)
 	    cache_add_dhcp_entry(lease->hostname, prot, 
-				 prot == AF_INET ? (struct all_addr *)&lease->addr : (struct all_addr *)&lease->addr6, 
+				 prot == AF_INET ? (union all_addr *)&lease->addr : (union all_addr *)&lease->addr6, 
 				 lease->expires);
       
 #else
 	  if (lease->fqdn)
-	    cache_add_dhcp_entry(lease->fqdn, prot, (struct all_addr *)&lease->addr, lease->expires);
+	    cache_add_dhcp_entry(lease->fqdn, prot, (union all_addr *)&lease->addr, lease->expires);
 	  
 	  if (!option_bool(OPT_DHCP_FQDN) && lease->hostname)
-	    cache_add_dhcp_entry(lease->hostname, prot, (struct all_addr *)&lease->addr, lease->expires);
+	    cache_add_dhcp_entry(lease->hostname, prot, (union all_addr *)&lease->addr, lease->expires);
 #endif
 	}
      
@@ -550,7 +558,7 @@ void lease_prune(struct dhcp_lease *target, time_t now)
  for (lease = leases, up = &leases; lease; lease = tmp)
    {
      tmp = lease->next;
-      if ((lease->expires != 0 && difftime(now, lease->expires) > 0) || lease == target)
+      if ((lease->expires != 0 && difftime(now, lease->expires) >= 0) || lease == target)
 	{
 	  file_dirty = 1;
 	  if (lease->hostname)
@@ -627,7 +635,8 @@ struct dhcp_lease *lease_find_by_addr(struct in_addr addr)
 #ifdef HAVE_DHCP6
 /* find address for {CLID, IAID, address} */
 struct dhcp_lease *lease6_find(unsigned char *clid, int clid_len, 
-			       int lease_type, int iaid, struct in6_addr *addr)
+			       int lease_type, unsigned int iaid,
+			       struct in6_addr *addr)
 {
  struct dhcp_lease *lease;
  
@@ -659,7 +668,9 @@ void lease6_reset(void)
 }

 /* enumerate all leases belonging to {CLID, IAID} */
-struct dhcp_lease *lease6_find_by_client(struct dhcp_lease *first, int lease_type, unsigned char *clid, int clid_len, int iaid)
+struct dhcp_lease *lease6_find_by_client(struct dhcp_lease *first, int lease_type,
+					 unsigned char *clid, int clid_len,
+					 unsigned int iaid)
 {
  struct dhcp_lease *lease;

@@ -825,7 +836,7 @@ void lease_set_expires(struct dhcp_lease *lease, unsigned int len, time_t now)
      dns_dirty = 1;
      lease->expires = exp;
 #ifndef HAVE_BROKEN_RTC
-      lease->flags |= LEASE_AUX_CHANGED;
+      lease->flags |= LEASE_AUX_CHANGED | LEASE_EXP_CHANGED;
      file_dirty = 1;
 #endif
    }
@@ -841,7 +852,7 @@ void lease_set_expires(struct dhcp_lease *lease, unsigned int len, time_t now)
 } 

 #ifdef HAVE_DHCP6
-void lease_set_iaid(struct dhcp_lease *lease, int iaid)
+void lease_set_iaid(struct dhcp_lease *lease, unsigned int iaid)
 {
  if (lease->iaid != iaid)
    {
@@ -1125,7 +1136,8 @@ int do_script_run(time_t now)
  
  for (lease = leases; lease; lease = lease->next)
    if ((lease->flags & (LEASE_NEW | LEASE_CHANGED)) || 
-	((lease->flags & LEASE_AUX_CHANGED) && option_bool(OPT_LEASE_RO)))
+	((lease->flags & LEASE_AUX_CHANGED) && option_bool(OPT_LEASE_RO)) ||
+	((lease->flags & LEASE_EXP_CHANGED) && option_bool(OPT_LEASE_RENEW)))
      {
 #ifdef HAVE_SCRIPT
 	queue_script((lease->flags & LEASE_NEW) ? ACTION_ADD : ACTION_OLD, lease, 
@@ -1135,7 +1147,7 @@ int do_script_run(time_t now)
 	emit_dbus_signal((lease->flags & LEASE_NEW) ? ACTION_ADD : ACTION_OLD, lease,
 			 lease->fqdn ? lease->fqdn : lease->hostname);
 #endif
-	lease->flags &= ~(LEASE_NEW | LEASE_CHANGED | LEASE_AUX_CHANGED);
+	lease->flags &= ~(LEASE_NEW | LEASE_CHANGED | LEASE_AUX_CHANGED | LEASE_EXP_CHANGED);
 	
 	/* this is used for the "add" call, then junked, since they're not in the database */
 	free(lease->extradata);
--- a/src/log.c
+++ b/src/log.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/loop.c
+++ b/src/loop.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/metrics.c
+++ b/src/metrics.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/metrics.h
+++ b/src/metrics.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley
   
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -22,6 +22,15 @@
 #include <linux/netlink.h>
 #include <linux/rtnetlink.h>

+/* Blergh. Radv does this, so that's our excuse. */
+#ifndef SOL_NETLINK
+#define SOL_NETLINK 270
+#endif
+
+#ifndef NETLINK_NO_ENOBUFS
+#define NETLINK_NO_ENOBUFS 5
+#endif
+
 /* linux 2.6.19 buggers up the headers, patch it up here. */ 
 #ifndef IFA_RTA
 #  define IFA_RTA(r)  \
@@ -40,10 +49,11 @@ static u32 netlink_pid;

 static void nl_async(struct nlmsghdr *h);

-void netlink_init(void)
+char *netlink_init(void)
 {
  struct sockaddr_nl addr;
  socklen_t slen = sizeof(addr);
+  int opt = 1;

  addr.nl_family = AF_NETLINK;
  addr.nl_pad = 0;
@@ -51,11 +61,10 @@ void netlink_init(void)
  addr.nl_groups = RTMGRP_IPV4_ROUTE;
  if (option_bool(OPT_CLEVERBIND))
    addr.nl_groups |= RTMGRP_IPV4_IFADDR;  
-#ifdef HAVE_IPV6
  addr.nl_groups |= RTMGRP_IPV6_ROUTE;
  if (option_bool(OPT_CLEVERBIND))
    addr.nl_groups |= RTMGRP_IPV6_IFADDR;
-#endif
+
 #ifdef HAVE_DHCP6
  if (daemon->doing_ra || daemon->doing_dhcp6)
    addr.nl_groups |= RTMGRP_IPV6_IFADDR;
@@ -75,12 +84,19 @@ void netlink_init(void)
  if (daemon->netlinkfd == -1 || 
      getsockname(daemon->netlinkfd, (struct sockaddr *)&addr, &slen) == -1)
    die(_("cannot create netlink socket: %s"), NULL, EC_MISC);
-   
+  
+  
  /* save pid assigned by bind() and retrieved by getsockname() */ 
  netlink_pid = addr.nl_pid;
  
  iov.iov_len = 100;
  iov.iov_base = safe_malloc(iov.iov_len);
+  
+  if (daemon->kernel_version >= KERNEL_VERSION(2,6,30) &&
+      setsockopt(daemon->netlinkfd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &opt, sizeof(opt)) == -1)
+    return _("warning: failed to set NETLINK_NO_ENOBUFS on netlink socket");
+  
+  return NULL;
 }

 static ssize_t netlink_recv(void)
@@ -235,7 +251,6 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 		      if (!((*callback)(addr, ifa->ifa_index, label,  netmask, broadcast, parm)))
 			callback_ok = 0;
 		  }
-#ifdef HAVE_IPV6
 		else if (ifa->ifa_family == AF_INET6)
 		  {
 		    struct in6_addr *addrp = NULL;
@@ -270,7 +285,6 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 					(int) preferred, (int)valid, parm)))
 			callback_ok = 0;
 		  }
-#endif
 	      }
 	  }
 	else if (h->nlmsg_type == RTM_NEWNEIGH && family == AF_UNSPEC)
@@ -363,7 +377,9 @@ static void nl_async(struct nlmsghdr *h)
 	 failing. */ 
      struct rtmsg *rtm = NLMSG_DATA(h);
      
-      if (rtm->rtm_type == RTN_UNICAST && rtm->rtm_scope == RT_SCOPE_LINK)
+      if (rtm->rtm_type == RTN_UNICAST && rtm->rtm_scope == RT_SCOPE_LINK &&
+	  (rtm->rtm_table == RT_TABLE_MAIN ||
+	   rtm->rtm_table == RT_TABLE_LOCAL))
 	queue_event(EVENT_NEWROUTE);
    }
  else if (h->nlmsg_type == RTM_NEWADDR || h->nlmsg_type == RTM_DELADDR) 
--- a/src/network.c
+++ b/src/network.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -109,7 +109,7 @@ int indextoname(int fd, int index, char *name)

 #endif

-int iface_check(int family, struct all_addr *addr, char *name, int *auth)
+int iface_check(int family, union all_addr *addr, char *name, int *auth)
 {
  struct iname *tmp;
  int ret = 1, match_addr = 0;
@@ -135,14 +135,12 @@ int iface_check(int family, struct all_addr *addr, char *name, int *auth)
 	  if (tmp->addr.sa.sa_family == family)
 	    {
 	      if (family == AF_INET &&
-		  tmp->addr.in.sin_addr.s_addr == addr->addr.addr4.s_addr)
+		  tmp->addr.in.sin_addr.s_addr == addr->addr4.s_addr)
 		ret = match_addr = tmp->used = 1;
-#ifdef HAVE_IPV6
 	      else if (family == AF_INET6 &&
 		       IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr, 
-					  &addr->addr.addr6))
+					  &addr->addr6))
 		ret = match_addr = tmp->used = 1;
-#endif
 	    }          
    }
  
@@ -160,13 +158,11 @@ int iface_check(int family, struct all_addr *addr, char *name, int *auth)
 	  break;
      }
    else if (addr && tmp->addr.sa.sa_family == AF_INET && family == AF_INET &&
-	     tmp->addr.in.sin_addr.s_addr == addr->addr.addr4.s_addr)
+	     tmp->addr.in.sin_addr.s_addr == addr->addr4.s_addr)
      break;
-#ifdef HAVE_IPV6
    else if (addr && tmp->addr.sa.sa_family == AF_INET6 && family == AF_INET6 &&
-	     IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr, &addr->addr.addr6))
+	     IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr, &addr->addr6))
      break;
-#endif      

  if (tmp && auth) 
    {
@@ -183,7 +179,7 @@ int iface_check(int family, struct all_addr *addr, char *name, int *auth)
   an interface other than the loopback. Accept packet if it arrived via a loopback 
   interface, even when we're not accepting packets that way, as long as the destination
   address is one we're believing. Interface list must be up-to-date before calling. */
-int loopback_exception(int fd, int family, struct all_addr *addr, char *name)    
+int loopback_exception(int fd, int family, union all_addr *addr, char *name)    
 {
  struct ifreq ifr;
  struct irec *iface;
@@ -197,14 +193,11 @@ int loopback_exception(int fd, int family, struct all_addr *addr, char *name)
 	  {
 	    if (family == AF_INET)
 	      {
-		if (iface->addr.in.sin_addr.s_addr == addr->addr.addr4.s_addr)
+		if (iface->addr.in.sin_addr.s_addr == addr->addr4.s_addr)
 		  return 1;
 	      }
-#ifdef HAVE_IPV6
-	    else if (IN6_ARE_ADDR_EQUAL(&iface->addr.in6.sin6_addr, &addr->addr.addr6))
+	    else if (IN6_ARE_ADDR_EQUAL(&iface->addr.in6.sin6_addr, &addr->addr6))
 	      return 1;
-#endif
-	    
 	  }
    }
  return 0;
@@ -214,7 +207,7 @@ int loopback_exception(int fd, int family, struct all_addr *addr, char *name)
   on the relevant address, but the name of the arrival interface, derived from the
   index won't match the config. Check that we found an interface address for the arrival 
   interface: daemon->interfaces must be up-to-date. */
-int label_exception(int index, int family, struct all_addr *addr)
+int label_exception(int index, int family, union all_addr *addr)
 {
  struct irec *iface;

@@ -224,7 +217,7 @@ int label_exception(int index, int family, struct all_addr *addr)

  for (iface = daemon->interfaces; iface; iface = iface->next)
    if (iface->index == index && iface->addr.sa.sa_family == AF_INET &&
-	iface->addr.in.sin_addr.s_addr == addr->addr.addr4.s_addr)
+	iface->addr.in.sin_addr.s_addr == addr->addr4.s_addr)
      return 1;

  return 0;
@@ -289,22 +282,18 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
 	  
 	  if (addr->sa.sa_family == AF_INET)
 	    {
-	      al->addr.addr.addr4 = addr->in.sin_addr;
+	      al->addr.addr4 = addr->in.sin_addr;
 	      al->flags = 0;
 	    }
-#ifdef HAVE_IPV6
 	  else
 	    {
-	      al->addr.addr.addr6 = addr->in6.sin6_addr;
+	      al->addr.addr6 = addr->in6.sin6_addr;
 	      al->flags = ADDRLIST_IPV6;
 	    } 
-#endif
 	}
    }
  
-#ifdef HAVE_IPV6
  if (addr->sa.sa_family != AF_INET6 || !IN6_IS_ADDR_LINKLOCAL(&addr->in6.sin6_addr))
-#endif
    {
      struct interface_name *int_name;
      struct addrlist *al;
@@ -332,12 +321,11 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
 		      al->next = zone->subnet;
 		      zone->subnet = al;
 		      al->prefixlen = prefixlen;
-		      al->addr.addr.addr4 = addr->in.sin_addr;
+		      al->addr.addr4 = addr->in.sin_addr;
 		      al->flags = 0;
 		    }
 		}
 	      
-#ifdef HAVE_IPV6
 	      if (addr->sa.sa_family == AF_INET6 && (name->flags & AUTH6))
 		{
 		  if (param->spare)
@@ -353,12 +341,10 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
 		      al->next = zone->subnet;
 		      zone->subnet = al;
 		      al->prefixlen = prefixlen;
-		      al->addr.addr.addr6 = addr->in6.sin6_addr;
+		      al->addr.addr6 = addr->in6.sin6_addr;
 		      al->flags = ADDRLIST_IPV6;
 		    }
 		} 
-#endif
-	      
 	    }
 #endif
       
@@ -383,20 +369,18 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
 		
 		if (addr->sa.sa_family == AF_INET)
 		  {
-		    al->addr.addr.addr4 = addr->in.sin_addr;
+		    al->addr.addr4 = addr->in.sin_addr;
 		    al->flags = 0;
 		  }
-#ifdef HAVE_IPV6
 		else
 		 {
-		    al->addr.addr.addr6 = addr->in6.sin6_addr;
+		    al->addr.addr6 = addr->in6.sin6_addr;
 		    al->flags = ADDRLIST_IPV6;
 		    /* Privacy addresses and addresses still undergoing DAD and deprecated addresses
 		       don't appear in forward queries, but will in reverse ones. */
 		    if (!(iface_flags & IFACE_PERMANENT) || (iface_flags & (IFACE_DEPRECATED | IFACE_TENTATIVE)))
 		      al->flags |= ADDRLIST_REVONLY;
 		 } 
-#endif
 	      }
 	  }
    }
@@ -404,10 +388,11 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
  /* check whether the interface IP has been added already 
     we call this routine multiple times. */
  for (iface = daemon->interfaces; iface; iface = iface->next) 
-    if (sockaddr_isequal(&iface->addr, addr))
+    if (sockaddr_isequal(&iface->addr, addr) && iface->index == if_index)
      {
 	iface->dad = !!(iface_flags & IFACE_TENTATIVE);
 	iface->found = 1; /* for garbage collection */
+	iface->netmask = netmask;
 	return 1;
      }

@@ -435,14 +420,12 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
    }
  
  if (addr->sa.sa_family == AF_INET &&
-      !iface_check(AF_INET, (struct all_addr *)&addr->in.sin_addr, label, &auth_dns))
+      !iface_check(AF_INET, (union all_addr *)&addr->in.sin_addr, label, &auth_dns))
    return 1;

-#ifdef HAVE_IPV6
  if (addr->sa.sa_family == AF_INET6 &&
-      !iface_check(AF_INET6, (struct all_addr *)&addr->in6.sin6_addr, label, &auth_dns))
+      !iface_check(AF_INET6, (union all_addr *)&addr->in6.sin6_addr, label, &auth_dns))
    return 1;
-#endif
    
 #ifdef HAVE_DHCP
  /* No DHCP where we're doing auth DNS. */
@@ -501,7 +484,6 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
  return 0;
 }

-#ifdef HAVE_IPV6
 static int iface_allowed_v6(struct in6_addr *local, int prefix, 
 			    int scope, int if_index, int flags, 
 			    int preferred, int valid, void *vparam)
@@ -529,7 +511,6 @@ static int iface_allowed_v6(struct in6_addr *local, int prefix,
  
  return iface_allowed((struct iface_param *)vparam, if_index, NULL, &addr, netmask, prefix, flags);
 }
-#endif

 static int iface_allowed_v4(struct in_addr local, int if_index, char *label,
 			    struct in_addr netmask, struct in_addr broadcast, void *vparam)
@@ -552,7 +533,82 @@ static int iface_allowed_v4(struct in_addr local, int if_index, char *label,

  return iface_allowed((struct iface_param *)vparam, if_index, label, &addr, netmask, prefix, 0);
 }
-   
+
+/*
+ * Clean old interfaces no longer found.
+ */
+static void clean_interfaces()
+{
+  struct irec *iface;
+  struct irec **up = &daemon->interfaces;
+
+  for (iface = *up; iface; iface = *up)
+  {
+    if (!iface->found && !iface->done)
+      {
+        *up = iface->next;
+        free(iface->name);
+        free(iface);
+      }
+    else
+      {
+        up = &iface->next;
+      }
+  }
+}
+
+/** Release listener if no other interface needs it.
+ *
+ * @return 1 if released, 0 if still required
+ */
+static int release_listener(struct listener *l)
+{
+  if (l->used > 1)
+    {
+      struct irec *iface;
+      for (iface = daemon->interfaces; iface; iface = iface->next)
+	if (iface->done && sockaddr_isequal(&l->addr, &iface->addr))
+	  {
+	    if (iface->found)
+	      {
+		/* update listener to point to active interface instead */
+		if (!l->iface->found)
+		  l->iface = iface;
+	      }
+	    else
+	      {
+		l->used--;
+		iface->done = 0;
+	      }
+	  }
+
+      /* Someone is still using this listener, skip its deletion */
+      if (l->used > 0)
+	return 0;
+    }
+
+  if (l->iface->done)
+    {
+      int port;
+
+      port = prettyprint_addr(&l->iface->addr, daemon->addrbuff);
+      my_syslog(LOG_DEBUG, _("stopped listening on %s(#%d): %s port %d"),
+		l->iface->name, l->iface->index, daemon->addrbuff, port);
+      /* In case it ever returns */
+      l->iface->done = 0;
+    }
+
+  if (l->fd != -1)
+    close(l->fd);
+  if (l->tcpfd != -1)
+    close(l->tcpfd);
+  if (l->tftpfd != -1)
+    close(l->tftpfd);
+
+  free(l);
+  return 1;
+}
+
 int enumerate_interfaces(int reset)
 {
  static struct addrlist *spare = NULL;
@@ -633,9 +689,7 @@ int enumerate_interfaces(int reset)

  param.spare = spare;
  
-#ifdef HAVE_IPV6
  ret = iface_enumerate(AF_INET6, &param, iface_allowed_v6);
-#endif

  if (ret)
    ret = iface_enumerate(AF_INET, &param, iface_allowed_v4); 
@@ -652,6 +706,7 @@ int enumerate_interfaces(int reset)
 	 in OPT_CLEVERBIND mode, that at listener will just disappear after
 	 a call to enumerate_interfaces, this is checked OK on all calls. */
      struct listener *l, *tmp, **up;
+      int freed = 0;
      
      for (up = &daemon->listeners, l = daemon->listeners; l; l = tmp)
 	{
@@ -659,25 +714,17 @@ int enumerate_interfaces(int reset)
 	  
 	  if (!l->iface || l->iface->found)
 	    up = &l->next;
-	  else
+	  else if (release_listener(l))
 	    {
-	      *up = l->next;
-	      
-	      /* In case it ever returns */
-	      l->iface->done = 0;
-	      
-	      if (l->fd != -1)
-		close(l->fd);
-	      if (l->tcpfd != -1)
-		close(l->tcpfd);
-	      if (l->tftpfd != -1)
-		close(l->tftpfd);
-	      
-	      free(l);
+	      *up = tmp;
+	      freed = 1;
 	    }
 	}
+
+      if (freed)
+	clean_interfaces();
    }
-  
+
  errno = errsave;
  spare = param.spare;
    
@@ -740,16 +787,19 @@ static int make_sock(union mysockaddr *addr, int type, int dienow)
  if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1 || !fix_fd(fd))
    goto err;
  
-#ifdef HAVE_IPV6
  if (family == AF_INET6 && setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &opt, sizeof(opt)) == -1)
    goto err;
-#endif
  
  if ((rc = bind(fd, (struct sockaddr *)addr, sa_len(addr))) == -1)
    goto err;
  
  if (type == SOCK_STREAM)
    {
+#ifdef TCP_FASTOPEN
+      int qlen = 5;                           
+      setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen));
+#endif
+      
      if (listen(fd, TCP_BACKLOG) == -1)
 	goto err;
    }
@@ -767,15 +817,12 @@ static int make_sock(union mysockaddr *addr, int type, int dienow)
 #endif
 	}
    }
-#ifdef HAVE_IPV6
  else if (!set_ipv6pktinfo(fd))
    goto err;
-#endif
  
  return fd;
 }

-#ifdef HAVE_IPV6  
 int set_ipv6pktinfo(int fd)
 {
  int opt = 1;
@@ -802,12 +849,13 @@ int set_ipv6pktinfo(int fd)

  return 0;
 }
-#endif


 /* Find the interface on which a TCP connection arrived, if possible, or zero otherwise. */
 int tcp_interface(int fd, int af)
 { 
+  (void)fd; /* suppress potential unused warning */
+  (void)af; /* suppress potential unused warning */
  int if_index = 0;

 #ifdef HAVE_LINUX_NETWORK
@@ -842,7 +890,6 @@ int tcp_interface(int fd, int af)
 	      }
 	}
    }
-#ifdef HAVE_IPV6
  else
    {
      /* Only the RFC-2292 API has the ability to find the interface for TCP connections,
@@ -874,7 +921,6 @@ int tcp_interface(int fd, int af)
              }
 	}
    }
-#endif /* IPV6 */
 #endif /* Linux */
 
  return if_index;
@@ -904,7 +950,6 @@ static struct listener *create_listeners(union mysockaddr *addr, int do_tftp, in
 	  tftpfd = make_sock(addr, SOCK_DGRAM, dienow);
 	  addr->in.sin_port = save;
 	}
-#  ifdef HAVE_IPV6
      else
 	{
 	  short save = addr->in6.sin6_port;
@@ -912,7 +957,6 @@ static struct listener *create_listeners(union mysockaddr *addr, int do_tftp, in
 	  tftpfd = make_sock(addr, SOCK_DGRAM, dienow);
 	  addr->in6.sin6_port = save;
 	}  
-#  endif
    }
 #endif

@@ -920,10 +964,11 @@ static struct listener *create_listeners(union mysockaddr *addr, int do_tftp, in
    {
      l = safe_malloc(sizeof(struct listener));
      l->next = NULL;
-      l->family = addr->sa.sa_family;
      l->fd = fd;
      l->tcpfd = tcpfd;
-      l->tftpfd = tftpfd;	
+      l->tftpfd = tftpfd;
+      l->addr = *addr;
+      l->used = 1;
      l->iface = NULL;
    }

@@ -945,11 +990,10 @@ void create_wildcard_listeners(void)

  l = create_listeners(&addr, !!option_bool(OPT_TFTP), 1);

-#ifdef HAVE_IPV6
  memset(&addr, 0, sizeof(addr));
-#  ifdef HAVE_SOCKADDR_SA_LEN
+#ifdef HAVE_SOCKADDR_SA_LEN
  addr.in6.sin6_len = sizeof(addr.in6);
-#  endif
+#endif
  addr.in6.sin6_family = AF_INET6;
  addr.in6.sin6_addr = in6addr_any;
  addr.in6.sin6_port = htons(daemon->port);
@@ -959,25 +1003,52 @@ void create_wildcard_listeners(void)
    l->next = l6;
  else 
    l = l6;
-#endif

  daemon->listeners = l;
 }

+static struct listener *find_listener(union mysockaddr *addr)
+{
+  struct listener *l;
+  for (l = daemon->listeners; l; l = l->next)
+    if (sockaddr_isequal(&l->addr, addr))
+      return l;
+  return NULL;
+}
+
 void create_bound_listeners(int dienow)
 {
  struct listener *new;
  struct irec *iface;
  struct iname *if_tmp;
+  struct listener *existing;

  for (iface = daemon->interfaces; iface; iface = iface->next)
-    if (!iface->done && !iface->dad && iface->found &&
-	(new = create_listeners(&iface->addr, iface->tftp_ok, dienow)))
+    if (!iface->done && !iface->dad && iface->found)
      {
-	new->iface = iface;
-	new->next = daemon->listeners;
-	daemon->listeners = new;
-	iface->done = 1;
+	existing = find_listener(&iface->addr);
+	if (existing)
+	  {
+	    iface->done = 1;
+	    existing->used++; /* increase usage counter */
+	  }
+	else if ((new = create_listeners(&iface->addr, iface->tftp_ok, dienow)))
+	  {
+	    new->iface = iface;
+	    new->next = daemon->listeners;
+	    daemon->listeners = new;
+	    iface->done = 1;
+
+	    /* Don't log the initial set of listen addresses created
+               at startup, since this is happening before the logging
+               system is initialised and the sign-on printed. */
+            if (!dienow)
+              {
+		int port = prettyprint_addr(&iface->addr, daemon->addrbuff);
+		my_syslog(LOG_DEBUG, _("listening on %s(#%d): %s port %d"),
+			  iface->name, iface->index, daemon->addrbuff, port);
+	      }
+	  }
      }

  /* Check for --listen-address options that haven't been used because there's
@@ -997,6 +1068,12 @@ void create_bound_listeners(int dienow)
      {
 	new->next = daemon->listeners;
 	daemon->listeners = new;
+
+	if (!dienow)
+	  {
+	    int port = prettyprint_addr(&if_tmp->addr, daemon->addrbuff);
+	    my_syslog(LOG_DEBUG, _("listening on %s port %d"), daemon->addrbuff, port);
+	  }
      }
 }

@@ -1159,7 +1236,6 @@ int random_sock(int family)
 		addr.in.sin_len = sizeof(struct sockaddr_in);
 #endif
 	      }
-#ifdef HAVE_IPV6
 	    else
 	      {
 		addr.in6.sin6_addr = in6addr_any; 
@@ -1168,7 +1244,6 @@ int random_sock(int family)
 		addr.in6.sin6_len = sizeof(struct sockaddr_in6);
 #endif
 	      }
-#endif
 	    
 	    if (bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == 0)
 	      return fd;
@@ -1187,19 +1262,46 @@ int random_sock(int family)
 int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp)
 {
  union mysockaddr addr_copy = *addr;
+  unsigned short port;
+  int tries = 1, done = 0;
+  unsigned int ports_avail = ((unsigned short)daemon->max_port - (unsigned short)daemon->min_port) + 1;
+ 
+  if (addr_copy.sa.sa_family == AF_INET)
+    port = addr_copy.in.sin_port;
+  else
+    port = addr_copy.in6.sin6_port;

  /* cannot set source _port_ for TCP connections. */
  if (is_tcp)
+    port = 0;
+
+  /* Bind a random port within the range given by min-port and max-port */
+  if (port == 0)
    {
-      if (addr_copy.sa.sa_family == AF_INET)
-	addr_copy.in.sin_port = 0;
-#ifdef HAVE_IPV6
-      else
-	addr_copy.in6.sin6_port = 0;
-#endif
+      tries = ports_avail < 30 ? 3 * ports_avail : 100;
+      port = htons(daemon->min_port + (rand16() % ((unsigned short)ports_avail)));
    }
  
-  if (bind(fd, (struct sockaddr *)&addr_copy, sa_len(&addr_copy)) == -1)
+  while (tries--)
+    {
+      if (addr_copy.sa.sa_family == AF_INET)
+	addr_copy.in.sin_port = port;
+      else
+	addr_copy.in6.sin6_port = port;
+
+      if (bind(fd, (struct sockaddr *)&addr_copy, sa_len(&addr_copy)) != -1)
+	{
+	  done = 1;
+	  break;
+	}
+      
+      if (errno != EADDRINUSE && errno != EACCES)
+	return 0;
+      
+      port = htons(daemon->min_port + (rand16() % ((unsigned short)ports_avail)));
+    }
+
+  if (!done)
    return 0;

  if (!is_tcp && ifindex > 0)
@@ -1211,7 +1313,7 @@ int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifind
          return setsockopt(fd, IPPROTO_IP, IP_UNICAST_IF, &ifindex_opt, sizeof(ifindex_opt)) == 0;
        }
 #endif
-#if defined(HAVE_IPV6) && defined (IPV6_UNICAST_IF)
+#if defined (IPV6_UNICAST_IF)
      if (addr_copy.sa.sa_family == AF_INET6)
        {
          uint32_t ifindex_opt = htonl(ifindex);
@@ -1220,6 +1322,7 @@ int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifind
 #endif
    }

+  (void)intname; /* suppress potential unused warning */
 #if defined(SO_BINDTODEVICE)
  if (intname[0] != 0 &&
      setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, intname, IF_NAMESIZE) == -1)
@@ -1247,12 +1350,10 @@ static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
 	  addr->in.sin_port == htons(0)) 
 	return NULL;

-#ifdef HAVE_IPV6
      if (addr->sa.sa_family == AF_INET6 &&
 	  memcmp(&addr->in6.sin6_addr, &in6addr_any, sizeof(in6addr_any)) == 0 &&
 	  addr->in6.sin6_port == htons(0)) 
 	return NULL;
-#endif
    }

  if (intname && strlen(intname) != 0)
@@ -1315,7 +1416,7 @@ void pre_allocate_sfds(void)
 #endif
      if ((sfd = allocate_sfd(&addr, "")))
 	sfd->preallocated = 1;
-#ifdef HAVE_IPV6
+
      memset(&addr, 0, sizeof(addr));
      addr.in6.sin6_family = AF_INET6;
      addr.in6.sin6_addr = in6addr_any;
@@ -1325,7 +1426,6 @@ void pre_allocate_sfds(void)
 #endif
      if ((sfd = allocate_sfd(&addr, "")))
 	sfd->preallocated = 1;
-#endif
    }
  
  for (srv = daemon->servers; srv; srv = srv->next)
@@ -1334,7 +1434,7 @@ void pre_allocate_sfds(void)
 	errno != 0 &&
 	option_bool(OPT_NOWILD))
      {
-	prettyprint_addr(&srv->source_addr, daemon->namebuff);
+	(void)prettyprint_addr(&srv->source_addr, daemon->namebuff);
 	if (srv->interface[0] != 0)
 	  {
 	    strcat(daemon->namebuff, " ");
@@ -1576,7 +1676,7 @@ void check_servers(void)
 		{
 		  count--;
 		  if (++locals <= LOCALS_LOGGED)
-			my_syslog(LOG_INFO, _("using local addresses only for %s %s"), s1, s2);
+			my_syslog(LOG_INFO, _("using only locally-known addresses for %s %s"), s1, s2);
 	        }
 	      else if (serv->flags & SERV_USE_RESOLV)
 		my_syslog(LOG_INFO, _("using standard nameservers for %s %s"), s1, s2);
@@ -1658,7 +1758,6 @@ int reload_servers(char *fname)
 	  source_addr.in.sin_addr.s_addr = INADDR_ANY;
 	  source_addr.in.sin_port = htons(daemon->query_port);
 	}
-#ifdef HAVE_IPV6
      else 
 	{	
 	  int scope_index = 0;
@@ -1686,10 +1785,6 @@ int reload_servers(char *fname)
 	  else
 	    continue;
 	}
-#else /* IPV6 */
-      else
-	continue;
-#endif 

      add_update_server(SERV_FROM_RESOLV, &addr, &source_addr, NULL, NULL);
      gotone = 1;
--- a/src/option.c
+++ b/src/option.c
--- a/src/outpacket.c
+++ b/src/outpacket.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/poll.c
+++ b/src/poll.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/radv-protocol.h
+++ b/src/radv-protocol.h
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/radv.c
+++ b/src/radv.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -288,7 +288,10 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
      context->netid.next = &context->netid;
    }

-  if (!iface_enumerate(AF_INET6, &parm, add_prefixes))
+  /* If no link-local address then we can't advertise since source address of
+     advertisement must be link local address: RFC 4861 para 6.1.2. */
+  if (!iface_enumerate(AF_INET6, &parm, add_prefixes) ||
+      parm.link_pref_time == 0)
    return;

  /* Find smallest preferred time within address classes,
@@ -412,7 +415,7 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
  if (mtu == 0)
    {
      char *mtu_name = ra_param ? ra_param->mtu_name : NULL;
-      sprintf(daemon->namebuff, "/proc/sys/net/ipv6/conf/%s/mtu", mtu_name ? : iface_name);
+      sprintf(daemon->namebuff, "/proc/sys/net/ipv6/conf/%s/mtu", mtu_name ? mtu_name : iface_name);
      if ((f = fopen(daemon->namebuff, "r")))
        {
          if (fgets(daemon->namebuff, MAXDNAME, f))
@@ -623,8 +626,11 @@ static int add_prefixes(struct in6_addr *local,  int prefix,
 		    real_prefix = context->prefix;
 		  }

-		/* find floor time, don't reduce below 3 * RA interval. */
-		if (time > context->lease_time)
+		/* find floor time, don't reduce below 3 * RA interval.
+		   If the lease time has been left as default, don't
+		   use that as a floor. */
+		if ((context->flags & CONTEXT_SETLEASE) &&
+		    time > context->lease_time)
 		  {
 		    time = context->lease_time;
 		    if (time < ((unsigned int)(3 * param->adv_interval)))
@@ -888,11 +894,21 @@ static int iface_search(struct in6_addr *local,  int prefix,
 {
  struct search_param *param = vparam;
  struct dhcp_context *context;
-
+  struct iname *tmp;
+  
  (void)scope;
  (void)preferred;
  (void)valid;
- 
+
+  /* ignore interfaces we're not doing DHCP on. */
+  if (!indextoname(daemon->icmp6fd, if_index, param->name) ||
+      !iface_check(AF_LOCAL, NULL, param->name, NULL))
+    return 1;
+
+  for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
+    if (tmp->name && wildcard_match(tmp->name, param->name))
+      return 1;
+
  for (context = daemon->dhcp6; context; context = context->next)
    if (!(context->flags & (CONTEXT_TEMPLATE | CONTEXT_OLD)) &&
 	prefix <= context->prefix &&
@@ -904,17 +920,9 @@ static int iface_search(struct in6_addr *local,  int prefix,
 	/* found an interface that's overdue for RA determine new 
 	   timeout value and arrange for RA to be sent unless interface is
 	   still doing DAD.*/
-	
 	if (!(flags & IFACE_TENTATIVE))
 	  param->iface = if_index;
 	
-	/* should never fail */
-	if (!indextoname(daemon->icmp6fd, if_index, param->name))
-	  {
-	    param->iface = 0;
-	    return 0;
-	  }
-	
 	new_timeout(context, param->name, param->now);
 	
 	/* zero timers for other contexts on the same subnet, so they don't timeout 
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -143,7 +143,7 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
 
 /* Max size of input string (for IPv6) is 75 chars.) */
 #define MAXARPANAME 75
-int in_arpa_name_2_addr(char *namein, struct all_addr *addrp)
+int in_arpa_name_2_addr(char *namein, union all_addr *addrp)
 {
  int j;
  char name[MAXARPANAME+1], *cp1;
@@ -153,7 +153,7 @@ int in_arpa_name_2_addr(char *namein, struct all_addr *addrp)
  if (strlen(namein) > MAXARPANAME)
    return 0;

-  memset(addrp, 0, sizeof(struct all_addr));
+  memset(addrp, 0, sizeof(union all_addr));

  /* turn name into a series of asciiz strings */
  /* j counts no. of labels */
@@ -198,7 +198,6 @@ int in_arpa_name_2_addr(char *namein, struct all_addr *addrp)

      return F_IPV4;
    }
-#ifdef HAVE_IPV6
  else if (hostname_isequal(penchunk, "ip6") && 
 	   (hostname_isequal(lastchunk, "int") || hostname_isequal(lastchunk, "arpa")))
    {
@@ -235,7 +234,7 @@ int in_arpa_name_2_addr(char *namein, struct all_addr *addrp)
 	      if (*(cp1+1) || !isxdigit((unsigned char)*cp1))
 		return 0;
 	      
-	      for (j = sizeof(struct all_addr)-1; j>0; j--)
+	      for (j = sizeof(struct in6_addr)-1; j>0; j--)
 		addr[j] = (addr[j] >> 4) | (addr[j-1] << 4);
 	      addr[0] = (addr[0] >> 4) | (strtol(cp1, NULL, 16) << 4);
 	    }
@@ -243,7 +242,6 @@ int in_arpa_name_2_addr(char *namein, struct all_addr *addrp)
 	  return F_IPV6;
 	}
    }
-#endif
  
  return 0;
 }
@@ -335,55 +333,6 @@ unsigned char *skip_section(unsigned char *ansp, int count, struct dns_header *h
  return ansp;
 }

-/* CRC the question section. This is used to safely detect query 
-   retransmission and to detect answers to questions we didn't ask, which 
-   might be poisoning attacks. Note that we decode the name rather 
-   than CRC the raw bytes, since replies might be compressed differently. 
-   We ignore case in the names for the same reason. Return all-ones
-   if there is not question section. */
-#ifndef HAVE_DNSSEC
-unsigned int questions_crc(struct dns_header *header, size_t plen, char *name)
-{
-  int q;
-  unsigned int crc = 0xffffffff;
-  unsigned char *p1, *p = (unsigned char *)(header+1);
-
-  for (q = ntohs(header->qdcount); q != 0; q--) 
-    {
-      if (!extract_name(header, plen, &p, name, 1, 4))
-	return crc; /* bad packet */
-      
-      for (p1 = (unsigned char *)name; *p1; p1++)
-	{
-	  int i = 8;
-	  char c = *p1;
-
-	  if (c >= 'A' && c <= 'Z')
-	    c += 'a' - 'A';
-
-	  crc ^= c << 24;
-	  while (i--)
-	    crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1;
-	}
-      
-      /* CRC the class and type as well */
-      for (p1 = p; p1 < p+4; p1++)
-	{
-	  int i = 8;
-	  crc ^= *p1 << 24;
-	  while (i--)
-	    crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1;
-	}
-
-      p += 4;
-      if (!CHECK_LEN(header, p, plen, 0))
-	return crc; /* bad packet */
-    }
-
-  return crc;
-}
-#endif
-
 size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *pheader, size_t hlen)
 {
  unsigned char *ansp = skip_questions(header, plen);
@@ -426,7 +375,6 @@ int private_net(struct in_addr addr, int ban_localhost)
    ((ip_addr & 0xFFFFFFFF) == 0xFFFFFFFF)  /* 255.255.255.255/32 (broadcast)*/ ;
 }

-#ifdef HAVE_IPV6
 static int private_net6(struct in6_addr *a)
 {
  return 
@@ -436,8 +384,6 @@ static int private_net6(struct in6_addr *a)
    ((unsigned char *)a)[0] == 0xfd ||   /* RFC 6303 4.4 */
    ((u32 *)a)[0] == htonl(0x20010db8); /* RFC 6303 4.6 */
 }
-#endif
-

 static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *header, size_t qlen, char *name, int *doctored)
 {
@@ -590,7 +536,7 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
  unsigned char *p, *p1, *endrr, *namep;
  int i, j, qtype, qclass, aqtype, aqclass, ardlen, res, searched_soa = 0;
  unsigned long ttl = 0;
-  struct all_addr addr;
+  union all_addr addr;
 #ifdef HAVE_IPSET
  char **ipsets_cur;
 #else
@@ -613,7 +559,7 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 #ifdef HAVE_DNSSEC
 	  if (option_bool(OPT_DNSSEC_VALID))
 	    for (i = 0; i < ntohs(header->ancount); i++)
-	      if (daemon->rr_status[i])
+	      if (daemon->rr_status[i] != 0)
 		return 0;
 #endif
 	}
@@ -686,13 +632,16 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 		      if (!extract_name(header, qlen, &p1, name, 1, 0))
 			return 0;
 #ifdef HAVE_DNSSEC
-		      if (option_bool(OPT_DNSSEC_VALID) && daemon->rr_status[j])
+		      if (option_bool(OPT_DNSSEC_VALID) && daemon->rr_status[j] != 0)
 			{
 			  /* validated RR anywhere in CNAME chain, don't cache. */
 			  if (cname_short || aqtype == T_CNAME)
 			    return 0;

 			  secflag = F_DNSSECOK;
+			  /* limit TTL based on signature. */
+			  if (daemon->rr_status[j] < cttl)
+			    cttl = daemon->rr_status[j];
 			}
 #endif

@@ -706,7 +655,7 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 			  goto cname_loop;
 			}
 		      
-		      cache_insert(name, &addr, now, cttl, name_encoding | secflag | F_REVERSE);
+		      cache_insert(name, &addr, C_IN, now, cttl, name_encoding | secflag | F_REVERSE);
 		      found = 1; 
 		    }
 		  
@@ -724,28 +673,28 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 		  ttl = find_soa(header, qlen, NULL, doctored);
 		}
 	      if (ttl)
-		cache_insert(NULL, &addr, now, ttl, name_encoding | F_REVERSE | F_NEG | flags | (secure ?  F_DNSSECOK : 0));	
+		cache_insert(NULL, &addr, C_IN, now, ttl, name_encoding | F_REVERSE | F_NEG | flags | (secure ?  F_DNSSECOK : 0));	
 	    }
 	}
      else
 	{
 	  /* everything other than PTR */
 	  struct crec *newc;
-	  int addrlen;
+	  int addrlen = 0;

 	  if (qtype == T_A)
 	    {
 	      addrlen = INADDRSZ;
 	      flags |= F_IPV4;
 	    }
-#ifdef HAVE_IPV6
 	  else if (qtype == T_AAAA)
 	    {
 	      addrlen = IN6ADDRSZ;
 	      flags |= F_IPV6;
 	    }
-#endif
-	  else 
+	  else if (qtype == T_SRV)
+	    flags |= F_SRV;
+	  else
 	    continue;
 	    
 	cname_loop1:
@@ -773,19 +722,24 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 	      if (aqclass == C_IN && res != 2 && (aqtype == T_CNAME || aqtype == qtype))
 		{
 #ifdef HAVE_DNSSEC
-		  if (option_bool(OPT_DNSSEC_VALID) && daemon->rr_status[j])
+		  if (option_bool(OPT_DNSSEC_VALID) && daemon->rr_status[j] != 0)
+		    {
 		      secflag = F_DNSSECOK;
+
+		      /* limit TTl based on sig. */
+		      if (daemon->rr_status[j] < attl)
+			attl = daemon->rr_status[j];
+		    }
 #endif		  
 		  if (aqtype == T_CNAME)
 		    {
 		      if (!cname_count--)
 			return 0; /* looped CNAMES */
-		      newc = cache_insert(name, NULL, now, attl, F_CNAME | F_FORWARD | secflag);
-		      if (newc)
+
+		      if ((newc = cache_insert(name, NULL, C_IN, now, attl, F_CNAME | F_FORWARD | secflag)))
 			{
 			  newc->addr.cname.target.cache = NULL;
-			  /* anything other than zero, to avoid being mistaken for CNAME to interface-name */ 
-			  newc->addr.cname.uid = 1; 
+			  newc->addr.cname.is_name_ptr = 0; 
 			  if (cpp)
 			    {
 			      next_uid(newc);
@@ -798,51 +752,87 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 		      if (attl < cttl)
 			cttl = attl;
 		      
+		      namep = p1;
 		      if (!extract_name(header, qlen, &p1, name, 1, 0))
 			return 0;
+		      
 		      goto cname_loop1;
 		    }
 		  else if (!(flags & F_NXDOMAIN))
 		    {
 		      found = 1;
 		      
-		      /* copy address into aligned storage */
-		      if (!CHECK_LEN(header, p1, qlen, addrlen))
-			return 0; /* bad packet */
-		      memcpy(&addr, p1, addrlen);
-		      
-		      /* check for returned address in private space */
-		      if (check_rebind)
+		      if (flags & F_SRV)
 			{
-			  if ((flags & F_IPV4) &&
-			      private_net(addr.addr.addr4, !option_bool(OPT_LOCAL_REBIND)))
-			    return 1;
-			  
-#ifdef HAVE_IPV6
-			  if ((flags & F_IPV6) &&
-			      IN6_IS_ADDR_V4MAPPED(&addr.addr.addr6))
+			   unsigned char *tmp = namep;
+
+			   if (!CHECK_LEN(header, p1, qlen, 6))
+			     return 0; /* bad packet */
+			   GETSHORT(addr.srv.priority, p1);
+			   GETSHORT(addr.srv.weight, p1);
+			   GETSHORT(addr.srv.srvport, p1);
+			   if (!extract_name(header, qlen, &p1, name, 1, 0))
+			     return 0;
+			   addr.srv.targetlen = strlen(name) + 1; /* include terminating zero */
+			   if (!(addr.srv.target = blockdata_alloc(name, addr.srv.targetlen)))
+			     return 0;
+			   
+			   /* we overwrote the original name, so get it back here. */
+			   if (!extract_name(header, qlen, &tmp, name, 1, 0))
+			     return 0;
+			}
+		      else
+			{
+			  /* copy address into aligned storage */
+			  if (!CHECK_LEN(header, p1, qlen, addrlen))
+			    return 0; /* bad packet */
+			  memcpy(&addr, p1, addrlen);
+		      
+			  /* check for returned address in private space */
+			  if (check_rebind)
 			    {
-			      struct in_addr v4;
-			      v4.s_addr = ((const uint32_t *) (&addr.addr.addr6))[3];
-			      if (private_net(v4, !option_bool(OPT_LOCAL_REBIND)))
+			      if ((flags & F_IPV4) &&
+				  private_net(addr.addr4, !option_bool(OPT_LOCAL_REBIND)))
 				return 1;
+
+			      /* Block IPv4-mapped IPv6 addresses in private IPv4 address space */
+			      if (flags & F_IPV6)
+				{
+				  if (IN6_IS_ADDR_V4MAPPED(&addr.addr6))
+				    {
+				      struct in_addr v4;
+				      v4.s_addr = ((const uint32_t *) (&addr.addr6))[3];
+				      if (private_net(v4, !option_bool(OPT_LOCAL_REBIND)))
+					return 1;
+				    }
+
+				  /* Check for link-local (LL) and site-local (ULA) IPv6 addresses */
+				  if (IN6_IS_ADDR_LINKLOCAL(&addr.addr6) ||
+				      IN6_IS_ADDR_SITELOCAL(&addr.addr6))
+				    return 1;
+
+				  /* Check for the IPv6 loopback address (::1) when
+				     option rebind-localhost-ok is NOT set */
+				  if (!option_bool(OPT_LOCAL_REBIND) &&
+				      IN6_IS_ADDR_LOOPBACK(&addr.addr6))
+				    return 1;
+				}
 			    }
-#endif
-			}
-		      
+
 #ifdef HAVE_IPSET
-		      if (ipsets && (flags & (F_IPV4 | F_IPV6)))
-			{
-			  ipsets_cur = ipsets;
-			  while (*ipsets_cur)
+			  if (ipsets && (flags & (F_IPV4 | F_IPV6)))
 			    {
-			      log_query((flags & (F_IPV4 | F_IPV6)) | F_IPSET, name, &addr, *ipsets_cur);
-			      add_to_ipset(*ipsets_cur++, &addr, flags, 0);
+			      ipsets_cur = ipsets;
+			      while (*ipsets_cur)
+				{
+				  log_query((flags & (F_IPV4 | F_IPV6)) | F_IPSET, name, &addr, *ipsets_cur);
+				  add_to_ipset(*ipsets_cur++, &addr, flags, 0);
+				}
 			    }
-			}
 #endif
+			}
 		      
-		      newc = cache_insert(name, &addr, now, attl, flags | F_FORWARD | secflag);
+		      newc = cache_insert(name, &addr, C_IN, now, attl, flags | F_FORWARD | secflag);
 		      if (newc && cpp)
 			{
 			  next_uid(newc);
@@ -869,7 +859,7 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 		 pointing at this, inherit its TTL */
 	      if (ttl || cpp)
 		{
-		  newc = cache_insert(name, NULL, now, ttl ? ttl : cttl, F_FORWARD | F_NEG | flags | (secure ? F_DNSSECOK : 0));	
+		  newc = cache_insert(name, NULL, C_IN, now, ttl ? ttl : cttl, F_FORWARD | F_NEG | flags | (secure ? F_DNSSECOK : 0));	
 		  if (newc && cpp)
 		    {
 		      next_uid(newc);
@@ -925,12 +915,19 @@ unsigned int extract_request(struct dns_header *header, size_t qlen, char *name,
      if (qtype == T_ANY)
 	return  F_IPV4 | F_IPV6;
    }
+
+  /* F_DNSSECOK as agument to search_servers() inhibits forwarding
+     to servers for domains without a trust anchor. This make the
+     behaviour for DS and DNSKEY queries we forward the same
+     as for DS and DNSKEY queries we originate. */
+  if (qtype == T_DS || qtype == T_DNSKEY)
+    return F_DNSSECOK;
  
  return F_QUERY;
 }

 size_t setup_reply(struct dns_header *header, size_t qlen,
-		struct all_addr *addrp, unsigned int flags, unsigned long ttl)
+		   union all_addr *addrp, unsigned int flags, unsigned long ttl)
 {
  unsigned char *p;
  
@@ -938,9 +935,9 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
    return 0;
  
  /* clear authoritative and truncated flags, set QR flag */
-  header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR;
-  /* set RA flag */
-  header->hb4 |= HB4_RA;
+  header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC )) | HB3_QR;
+  /* clear AD flag, set RA flag */
+  header->hb4 = (header->hb4 & ~HB4_AD) | HB4_RA;

  header->nscount = htons(0);
  header->arcount = htons(0);
@@ -951,8 +948,8 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
    SET_RCODE(header, NXDOMAIN);
  else if (flags == F_SERVFAIL)
    {
-      struct all_addr a;
-      a.addr.rcode.rcode = SERVFAIL;
+      union all_addr a;
+      a.log.rcode = SERVFAIL;
      log_query(F_CONFIG | F_RCODE, "error", &a, NULL);
      SET_RCODE(header, SERVFAIL);
    }
@@ -966,7 +963,6 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
 	  add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_A, C_IN, "4", addrp);
 	}
      
-#ifdef HAVE_IPV6
      if (flags & F_IPV6)
 	{
 	  SET_RCODE(header, NOERROR);
@@ -974,12 +970,11 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
 	  header->hb3 |= HB3_AA;
 	  add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_AAAA, C_IN, "6", addrp);
 	}
-#endif
    }
  else /* nowhere to forward to */
    {
-      struct all_addr a;
-      a.addr.rcode.rcode = REFUSED;
+      union all_addr a;
+      a.log.rcode = REFUSED;
      log_query(F_CONFIG | F_RCODE, "error", &a, NULL);
      SET_RCODE(header, REFUSED);
    }
@@ -1058,7 +1053,7 @@ int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name,
 		/* Found a bogus address. Insert that info here, since there no SOA record
 		   to get the ttl from in the normal processing */
 		cache_start_insert();
-		cache_insert(name, NULL, now, ttl, F_IPV4 | F_FORWARD | F_NEG | F_NXDOMAIN);
+		cache_insert(name, NULL, C_IN, now, ttl, F_IPV4 | F_FORWARD | F_NEG | F_NXDOMAIN);
 		cache_end_insert();
 		
 		return 1;
@@ -1164,14 +1159,12 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp, int
  for (; *format; format++)
    switch (*format)
      {
-#ifdef HAVE_IPV6
      case '6':
        CHECK_LIMIT(IN6ADDRSZ);
 	sval = va_arg(ap, char *); 
 	memcpy(p, sval, IN6ADDRSZ);
 	p += IN6ADDRSZ;
 	break;
-#endif
 	
      case '4':
        CHECK_LIMIT(INADDRSZ);
@@ -1273,7 +1266,11 @@ static unsigned long crec_ttl(struct crec *crecp, time_t now)
  else
    return daemon->max_ttl;
 }
-  
+
+static int cache_validated(const struct crec *crecp)
+{
+  return (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK));
+}

 /* return zero if we can't answer from cache, or packet size if we can */
 size_t answer_request(struct dns_header *header, char *limit, size_t qlen,  
@@ -1283,21 +1280,21 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
  char *name = daemon->namebuff;
  unsigned char *p, *ansp;
  unsigned int qtype, qclass;
-  struct all_addr addr;
+  union all_addr addr;
  int nameoffset;
  unsigned short flag;
  int q, ans, anscount = 0, addncount = 0;
  int dryrun = 0;
  struct crec *crecp;
-  int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
+  int nxdomain = 0, notimp = 0, auth = 1, trunc = 0, sec_data = 1;
  struct mx_srv_record *rec;
  size_t len;
+  int rd_bit = (header->hb3 & HB3_RD);

  /* never answer queries with RD unset, to avoid cache snooping. */
-  if (!(header->hb3 & HB3_RD) ||
-      ntohs(header->ancount) != 0 ||
+  if (ntohs(header->ancount) != 0 ||
      ntohs(header->nscount) != 0 ||
-      ntohs(header->qdcount) == 0 || 
+      ntohs(header->qdcount) == 0 ||
      OPCODE(header) != QUERY )
    return 0;

@@ -1324,6 +1321,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,

  for (q = ntohs(header->qdcount); q != 0; q--)
    {
+      int count = 255; /* catch loops */
+      
      /* save pointer to name for copying into answers */
      nameoffset = p - (unsigned char *)header;

@@ -1335,7 +1334,37 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
      GETSHORT(qclass, p);

      ans = 0; /* have we answered this question */
-      
+
+      while (--count != 0 && (crecp = cache_find_by_name(NULL, name, now, F_CNAME)))
+	{
+	  char *cname_target = cache_get_cname_target(crecp);
+
+	  /* If the client asked for DNSSEC  don't use cached data. */
+	  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
+	      (rd_bit && (!do_bit || cache_validated(crecp))))
+	    {
+	      if (crecp->flags & F_CONFIG || qtype == T_CNAME)
+		ans = 1;
+
+	      if (!(crecp->flags & F_DNSSECOK))
+		sec_data = 0;
+
+	      if (!dryrun)
+		{
+		  log_query(crecp->flags, name, NULL, record_source(crecp->uid));
+		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+					  crec_ttl(crecp, now), &nameoffset,
+					  T_CNAME, C_IN, "d", cname_target))
+		    anscount++;
+		}
+
+	    }
+	  else
+	    return 0; /* give up if any cached CNAME in chain can't be used for DNSSEC reasons. */
+
+	  strcpy(name, cname_target);
+	}
+	  
      if (qtype == T_TXT || qtype == T_ANY)
 	{
 	  struct txt_record *t;
@@ -1343,12 +1372,11 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 	    {
 	      if (t->class == qclass && hostname_isequal(name, t->name))
 		{
-		  ans = 1;
+		  ans = 1, sec_data = 0;
 		  if (!dryrun)
 		    {
 		      unsigned long ttl = daemon->local_ttl;
 		      int ok = 1;
-		      log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>");
 #ifndef NO_ID
 		      /* Dynamically generate stat record */
 		      if (t->stat != 0)
@@ -1358,16 +1386,37 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 			    ok = 0;
 			}
 #endif
-		      if (ok && add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
-						    ttl, NULL,
-						    T_TXT, t->class, "t", t->len, t->txt))
-			anscount++;
-
+		      if (ok)
+			{
+			  log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>");
+			  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+						  ttl, NULL,
+						  T_TXT, t->class, "t", t->len, t->txt))
+			    anscount++;
+			}
 		    }
 		}
 	    }
 	}

+      if (qclass == C_CHAOS)
+	{
+	  /* don't forward *.bind and *.server chaos queries - always reply with NOTIMP */
+	  if (hostname_issubdomain("bind", name) || hostname_issubdomain("server", name))
+	    {
+	      if (!ans)
+		{
+		  notimp = 1, auth = 0;
+		  if (!dryrun)
+		    {
+		       addr.log.rcode = NOTIMP;
+		       log_query(F_CONFIG | F_RCODE, name, &addr, NULL);
+		    }
+		  ans = 1, sec_data = 0;
+		}
+	    }
+	}
+
      if (qclass == C_IN)
 	{
 	  struct txt_record *t;
@@ -1404,7 +1453,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		    struct addrlist *addrlist;
 		    
 		    for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
-		      if (!(addrlist->flags & ADDRLIST_IPV6) && addr.addr.addr4.s_addr == addrlist->addr.addr.addr4.s_addr)
+		      if (!(addrlist->flags & ADDRLIST_IPV6) && addr.addr4.s_addr == addrlist->addr.addr4.s_addr)
 			break;
 		    
 		    if (addrlist)
@@ -1413,14 +1462,13 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		      while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
 			intr = intr->next;
 		  }
-#ifdef HAVE_IPV6
 	      else if (is_arpa == F_IPV6)
 		for (intr = daemon->int_names; intr; intr = intr->next)
 		  {
 		    struct addrlist *addrlist;
 		    
 		    for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
-		      if ((addrlist->flags & ADDRLIST_IPV6) && IN6_ARE_ADDR_EQUAL(&addr.addr.addr6, &addrlist->addr.addr.addr6))
+		      if ((addrlist->flags & ADDRLIST_IPV6) && IN6_ARE_ADDR_EQUAL(&addr.addr6, &addrlist->addr.addr6))
 			break;
 		    
 		    if (addrlist)
@@ -1429,7 +1477,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		      while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
 			intr = intr->next;
 		  }
-#endif
 	      
 	      if (intr)
 		{
@@ -1465,9 +1512,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		  /* Don't use cache when DNSSEC data required, unless we know that
 		     the zone is unsigned, which implies that we're doing
 		     validation. */
-		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || 
-		      !do_bit || 
-		      (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
+		      (rd_bit && (!do_bit || cache_validated(crecp)) ))
 		    {
 		      do 
 			{ 
@@ -1521,10 +1567,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		    }
 		}
 	      else if (option_bool(OPT_BOGUSPRIV) && (
-#ifdef HAVE_IPV6
-		       (is_arpa == F_IPV6 && private_net6(&addr.addr.addr6)) ||
-#endif
-		       (is_arpa == F_IPV4 && private_net(addr.addr.addr4, 1))))
+		       (is_arpa == F_IPV6 && private_net6(&addr.addr6)) ||
+		       (is_arpa == F_IPV4 && private_net(addr.addr4, 1))))
 		{
 		  struct server *serv;
 		  unsigned int namelen = strlen(name);
@@ -1561,24 +1605,16 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		    }
 		}
 	    }
-	  
+
 	  for (flag = F_IPV4; flag; flag = (flag == F_IPV4) ? F_IPV6 : 0)
 	    {
-	      unsigned short type = T_A;
+	      unsigned short type = (flag == F_IPV6) ? T_AAAA : T_A;
 	      struct interface_name *intr;

-	      if (flag == F_IPV6)
-#ifdef HAVE_IPV6
-		type = T_AAAA;
-#else
-	        break;
-#endif
-	      
 	      if (qtype != type && qtype != T_ANY)
 		continue;
 	      
 	      /* interface name stuff */
-	    intname_restart:
 	      for (intr = daemon->int_names; intr; intr = intr->next)
 		if (hostname_isequal(name, intr->name))
 		  break;
@@ -1596,31 +1632,26 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		    for (intr = daemon->int_names; intr; intr = intr->next)
 		      if (hostname_isequal(name, intr->name))
 			for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
-#ifdef HAVE_IPV6
-			  if (!(addrlist->flags & ADDRLIST_IPV6))
-#endif
-			    if (is_same_net(*((struct in_addr *)&addrlist->addr), local_addr, local_netmask))
-			      {
-				localise = 1;
-				break;
-			      }
+			  if (!(addrlist->flags & ADDRLIST_IPV6) && 
+			      is_same_net(addrlist->addr.addr4, local_addr, local_netmask))
+			    {
+			      localise = 1;
+			      break;
+			    }
 		  
 		  for (intr = daemon->int_names; intr; intr = intr->next)
 		    if (hostname_isequal(name, intr->name))
 		      {
 			for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
-#ifdef HAVE_IPV6
 			  if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == type)
-#endif
 			    {
 			      if (localise && 
-				  !is_same_net(*((struct in_addr *)&addrlist->addr), local_addr, local_netmask))
+				  !is_same_net(addrlist->addr.addr4, local_addr, local_netmask))
 				continue;

-#ifdef HAVE_IPV6
 			      if (addrlist->flags & ADDRLIST_REVONLY)
 				continue;
-#endif	
+
 			      ans = 1;	
 			      sec_data = 0;
 			      if (!dryrun)
@@ -1641,8 +1672,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		  continue;
 		}

-	    cname_restart:
-	      if ((crecp = cache_find_by_name(NULL, name, now, flag | F_CNAME | (dryrun ? F_NO_RR : 0))))
+	      if ((crecp = cache_find_by_name(NULL, name, now, flag | (dryrun ? F_NO_RR : 0))))
 		{
 		  int localise = 0;
 		  
@@ -1653,19 +1683,18 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		      struct crec *save = crecp;
 		      do {
 			if ((crecp->flags & F_HOSTS) &&
-			    is_same_net(*((struct in_addr *)&crecp->addr), local_addr, local_netmask))
+			    is_same_net(crecp->addr.addr4, local_addr, local_netmask))
 			  {
 			    localise = 1;
 			    break;
 			  } 
-			} while ((crecp = cache_find_by_name(crecp, name, now, flag | F_CNAME)));
+			} while ((crecp = cache_find_by_name(crecp, name, now, flag)));
 		      crecp = save;
 		    }

 		  /* If the client asked for DNSSEC  don't use cached data. */
 		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
-		      !do_bit ||
-		      (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+		      (rd_bit && (!do_bit || cache_validated(crecp)) ))
 		    do
 		      { 
 			/* don't answer wildcard queries with data not from /etc/hosts
@@ -1676,27 +1705,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 			if (!(crecp->flags & F_DNSSECOK))
 			  sec_data = 0;
 			
-			if (crecp->flags & F_CNAME)
-			  {
-			    char *cname_target = cache_get_cname_target(crecp);
-			    
-			    if (!dryrun)
-			      {
-				log_query(crecp->flags, name, NULL, record_source(crecp->uid));
-				if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
-							crec_ttl(crecp, now), &nameoffset,
-							T_CNAME, C_IN, "d", cname_target))
-				  anscount++;
-			      }
-			    
-			    strcpy(name, cname_target);
-			    /* check if target interface_name */
-			    if (crecp->addr.cname.uid == SRC_INTERFACE)
-			      goto intname_restart;
-			    else
-			      goto cname_restart;
-			  }
-			
 			if (crecp->flags & F_NEG)
 			  {
 			    ans = 1;
@@ -1712,7 +1720,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 			       filter here. */
 			    if (localise && 
 				(crecp->flags & F_HOSTS) &&
-				!is_same_net(*((struct in_addr *)&crecp->addr), local_addr, local_netmask))
+				!is_same_net(crecp->addr.addr4, local_addr, local_netmask))
 			      continue;
 			    
 			    if (!(crecp->flags & (F_HOSTS | F_DHCP)))
@@ -1721,7 +1729,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 			    ans = 1;
 			    if (!dryrun)
 			      {
-				log_query(crecp->flags & ~F_REVERSE, name, &crecp->addr.addr,
+				log_query(crecp->flags & ~F_REVERSE, name, &crecp->addr,
 					  record_source(crecp->uid));
 				
 				if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
@@ -1730,11 +1738,11 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 				  anscount++;
 			      }
 			  }
-		      } while ((crecp = cache_find_by_name(crecp, name, now, flag | F_CNAME)));
+		      } while ((crecp = cache_find_by_name(crecp, name, now, flag)));
 		}
 	      else if (is_name_synthetic(flag, name, &addr))
 		{
-		  ans = 1;
+		  ans = 1, sec_data = 0;
 		  if (!dryrun)
 		    {
 		      log_query(F_FORWARD | F_CONFIG | flag, name, &addr, NULL);
@@ -1745,52 +1753,33 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		}
 	    }

-	  if (qtype == T_CNAME || qtype == T_ANY)
-	    {
-	      if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
-		  (qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
-		  ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
-		{
-		  if (!(crecp->flags & F_DNSSECOK))
-		    sec_data = 0;
-		  
-		  ans = 1;
-		  if (!dryrun)
-		    {
-		      log_query(crecp->flags, name, NULL, record_source(crecp->uid));
-		      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
-					      crec_ttl(crecp, now), &nameoffset,
-					      T_CNAME, C_IN, "d", cache_get_cname_target(crecp)))
-			anscount++;
-		    }
-		}
-	    }
-
 	  if (qtype == T_MX || qtype == T_ANY)
 	    {
 	      int found = 0;
 	      for (rec = daemon->mxnames; rec; rec = rec->next)
 		if (!rec->issrv && hostname_isequal(name, rec->name))
 		  {
-		  ans = found = 1;
-		  if (!dryrun)
-		    {
-		      int offset;
-		      log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>");
-		      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
-					      &offset, T_MX, C_IN, "sd", rec->weight, rec->target))
-			{
-			  anscount++;
-			  if (rec->target)
-			    rec->offset = offset;
-			}
-		    }
+		    ans = found = 1;
+		    sec_data = 0;
+		    if (!dryrun)
+		      {
+			int offset;
+			log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>");
+			if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
+						&offset, T_MX, C_IN, "sd", rec->weight, rec->target))
+			  {
+			    anscount++;
+			    if (rec->target)
+			      rec->offset = offset;
+			  }
+		      }
 		  }
 	      
-	      if (!found && (option_bool(OPT_SELFMX) || option_bool(OPT_LOCALMX)) && 
+	      if (!found && (option_bool(OPT_SELFMX) || option_bool(OPT_LOCALMX)) &&
 		  cache_find_by_name(NULL, name, now, F_HOSTS | F_DHCP | F_NO_RR))
 		{ 
 		  ans = 1;
+		  sec_data = 0;
 		  if (!dryrun)
 		    {
 		      log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>");
@@ -1811,6 +1800,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		if (rec->issrv && hostname_isequal(name, rec->name))
 		  {
 		    found = ans = 1;
+		    sec_data = 0;
 		    if (!dryrun)
 		      {
 			int offset;
@@ -1843,10 +1833,45 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		  *up = move;
 		  move->next = NULL;
 		}
-	      
+
+	      if (!found)
+		{
+		  if ((crecp = cache_find_by_name(NULL, name, now, F_SRV | (dryrun ? F_NO_RR : 0))) &&
+		      rd_bit && (!do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
+		    {
+		      if (!(crecp->flags & F_DNSSECOK))
+			sec_data = 0;
+		      
+		      auth = 0;
+		      found = ans = 1;
+		      
+		      do {
+			if (crecp->flags & F_NEG)
+			  {
+			    if (crecp->flags & F_NXDOMAIN)
+			      nxdomain = 1;
+			    if (!dryrun)
+			      log_query(crecp->flags, name, NULL, NULL);
+			  }
+			else if (!dryrun)
+			  {
+			    char *target = blockdata_retrieve(crecp->addr.srv.target, crecp->addr.srv.targetlen, NULL);
+			    log_query(crecp->flags, name, NULL, 0);
+			    
+			    if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+						    crec_ttl(crecp, now), NULL, T_SRV, C_IN, "sssd",
+						    crecp->addr.srv.priority, crecp->addr.srv.weight, crecp->addr.srv.srvport,
+						    target))
+			      anscount++;
+			  }
+		      } while ((crecp = cache_find_by_name(crecp, name, now, F_SRV)));
+		    }
+		}
+
 	      if (!found && option_bool(OPT_FILTER) && (qtype == T_SRV || (qtype == T_ANY && strchr(name, '_'))))
 		{
 		  ans = 1;
+		  sec_data = 0;
 		  if (!dryrun)
 		    log_query(F_CONFIG | F_NEG, name, NULL, NULL);
 		}
@@ -1859,6 +1884,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		if (hostname_isequal(name, na->name))
 		  {
 		    ans = 1;
+		    sec_data = 0;
 		    if (!dryrun)
 		      {
 			log_query(F_CONFIG | F_RRNAME, name, NULL, "<NAPTR>");
@@ -1871,11 +1897,12 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 	    }
 	  
 	  if (qtype == T_MAILB)
-	    ans = 1, nxdomain = 1;
+	    ans = 1, nxdomain = 1, sec_data = 0;

 	  if (qtype == T_SOA && option_bool(OPT_FILTER))
 	    {
-	      ans = 1; 
+	      ans = 1;
+	      sec_data = 0;
 	      if (!dryrun)
 		log_query(F_CONFIG | F_NEG, name, &addr, NULL);
 	    }
@@ -1904,11 +1931,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 	crecp = NULL;
 	while ((crecp = cache_find_by_name(crecp, rec->target, now, F_IPV4 | F_IPV6)))
 	  {
-#ifdef HAVE_IPV6
 	    int type =  crecp->flags & F_IPV4 ? T_A : T_AAAA;
-#else
-	    int type = T_A;
-#endif
+
 	    if (crecp->flags & F_NEG)
 	      continue;

@@ -1935,6 +1959,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
  
  if (nxdomain)
    SET_RCODE(header, NXDOMAIN);
+  else if (notimp)
+    SET_RCODE(header, NOTIMP);
  else
    SET_RCODE(header, NOERROR); /* no error */
  header->ancount = htons(anscount);
--- a/src/rfc2131.c
+++ b/src/rfc2131.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -30,7 +30,7 @@ static struct in_addr server_id(struct dhcp_context *context, struct in_addr ove
 static unsigned int calc_time(struct dhcp_context *context, struct dhcp_config *config, unsigned char *opt);
 static void option_put(struct dhcp_packet *mess, unsigned char *end, int opt, int len, unsigned int val);
 static void option_put_string(struct dhcp_packet *mess, unsigned char *end, 
-			      int opt, char *string, int null_term);
+			      int opt, const char *string, int null_term);
 static struct in_addr option_addr(unsigned char *opt);
 static unsigned int option_uint(unsigned char *opt, int offset, int size);
 static void log_packet(char *type, void *addr, unsigned char *ext_mac, 
@@ -54,17 +54,19 @@ static void do_options(struct dhcp_context *context,
 		       int vendor_class_len,
 		       time_t now,
 		       unsigned int lease_time,
-		       unsigned short fuzz);
+		       unsigned short fuzz,
+		       const char *pxevendor);


 static void match_vendor_opts(unsigned char *opt, struct dhcp_opt *dopt); 
 static int do_encap_opts(struct dhcp_opt *opt, int encap, int flag, struct dhcp_packet *mess, unsigned char *end, int null_term);
-static void pxe_misc(struct dhcp_packet *mess, unsigned char *end, unsigned char *uuid);
+static void pxe_misc(struct dhcp_packet *mess, unsigned char *end, unsigned char *uuid, const char *pxevendor);
 static int prune_vendor_opts(struct dhcp_netid *netid);
 static struct dhcp_opt *pxe_opts(int pxe_arch, struct dhcp_netid *netid, struct in_addr local, time_t now);
 struct dhcp_boot *find_boot(struct dhcp_netid *netid);
 static int pxe_uefi_workaround(int pxe_arch, struct dhcp_netid *netid, struct dhcp_packet *mess, struct in_addr local, time_t now, int pxe);
 static void apply_delay(u32 xid, time_t recvtime, struct dhcp_netid *netid);
+static int is_pxe_client(struct dhcp_packet *mess, size_t sz, const char **pxe_vendor);

 size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		  size_t sz, time_t now, int unicast_dest, int loopback,
@@ -76,6 +78,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
  struct dhcp_mac *mac;
  struct dhcp_netid_list *id_list;
  int clid_len = 0, ignore = 0, do_classes = 0, rapid_commit = 0, selecting = 0, pxearch = -1;
+  const char *pxevendor = NULL;
  struct dhcp_packet *mess = (struct dhcp_packet *)daemon->dhcp_packet.iov_base;
  unsigned char *end = (unsigned char *)(mess + 1); 
  unsigned char *real_end = (unsigned char *)(mess + 1); 
@@ -234,7 +237,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	subnet_addr = option_addr(opt);
      
      /* If there is no client identifier option, use the hardware address */
-      if ((opt = option_find(mess, sz, OPTION_CLIENT_ID, 1)))
+      if (!option_bool(OPT_IGNORE_CLID) && (opt = option_find(mess, sz, OPTION_CLIENT_ID, 1)))
 	{
 	  clid_len = option_len(opt);
 	  clid = option_ptr(opt, 0);
@@ -274,8 +277,9 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
  if (mess->giaddr.s_addr || subnet_addr.s_addr || mess->ciaddr.s_addr)
    {
      struct dhcp_context *context_tmp, *context_new = NULL;
+      struct shared_network *share = NULL;
      struct in_addr addr;
-      int force = 0;
+      int force = 0, via_relay = 0;
      
      if (subnet_addr.s_addr)
 	{
@@ -286,6 +290,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	{
 	  addr = mess->giaddr;
 	  force = 1;
+	  via_relay = 1;
 	}
      else
 	{
@@ -302,42 +307,65 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	} 
 		
      if (!context_new)
-	for (context_tmp = daemon->dhcp; context_tmp; context_tmp = context_tmp->next)
-	  {
-	    struct in_addr netmask = context_tmp->netmask;
+	{
+	  for (context_tmp = daemon->dhcp; context_tmp; context_tmp = context_tmp->next)
+	    {
+	      struct in_addr netmask = context_tmp->netmask;
+	      
+	      /* guess the netmask for relayed networks */
+	      if (!(context_tmp->flags & CONTEXT_NETMASK) && context_tmp->netmask.s_addr == 0)
+		{
+		  if (IN_CLASSA(ntohl(context_tmp->start.s_addr)) && IN_CLASSA(ntohl(context_tmp->end.s_addr)))
+		    netmask.s_addr = htonl(0xff000000);
+		  else if (IN_CLASSB(ntohl(context_tmp->start.s_addr)) && IN_CLASSB(ntohl(context_tmp->end.s_addr)))
+		    netmask.s_addr = htonl(0xffff0000);
+		  else if (IN_CLASSC(ntohl(context_tmp->start.s_addr)) && IN_CLASSC(ntohl(context_tmp->end.s_addr)))
+		    netmask.s_addr = htonl(0xffffff00); 
+		}

-	    /* guess the netmask for relayed networks */
-	    if (!(context_tmp->flags & CONTEXT_NETMASK) && context_tmp->netmask.s_addr == 0)
-	      {
-		if (IN_CLASSA(ntohl(context_tmp->start.s_addr)) && IN_CLASSA(ntohl(context_tmp->end.s_addr)))
-		  netmask.s_addr = htonl(0xff000000);
-		else if (IN_CLASSB(ntohl(context_tmp->start.s_addr)) && IN_CLASSB(ntohl(context_tmp->end.s_addr)))
-		  netmask.s_addr = htonl(0xffff0000);
-		else if (IN_CLASSC(ntohl(context_tmp->start.s_addr)) && IN_CLASSC(ntohl(context_tmp->end.s_addr)))
-		  netmask.s_addr = htonl(0xffffff00); 
-	      }
-	    
-	    /* This section fills in context mainly when a client which is on a remote (relayed)
-	       network renews a lease without using the relay, after dnsmasq has restarted. */
-	    if (netmask.s_addr != 0  && 
-		is_same_net(addr, context_tmp->start, netmask) &&
-		is_same_net(addr, context_tmp->end, netmask))
-	      {
-		context_tmp->netmask = netmask;
-		if (context_tmp->local.s_addr == 0)
-		  context_tmp->local = fallback;
-		if (context_tmp->router.s_addr == 0)
-		  context_tmp->router = mess->giaddr;
-	   
-		/* fill in missing broadcast addresses for relayed ranges */
-		if (!(context_tmp->flags & CONTEXT_BRDCAST) && context_tmp->broadcast.s_addr == 0 )
-		  context_tmp->broadcast.s_addr = context_tmp->start.s_addr | ~context_tmp->netmask.s_addr;
-		
-		context_tmp->current = context_new;
-		context_new = context_tmp;
-	      }
-	  }
-      
+	      /* check to see is a context is OK because of a shared address on
+		 the relayed subnet. */
+	      if (via_relay)
+		for (share = daemon->shared_networks; share; share = share->next)
+		  {
+#ifdef HAVE_DHCP6
+		    if (share->shared_addr.s_addr == 0)
+		      continue;
+#endif
+		    if (share->if_index != 0 ||
+			share->match_addr.s_addr != mess->giaddr.s_addr)
+		      continue;
+		    
+		    if (netmask.s_addr != 0  && 
+			is_same_net(share->shared_addr, context_tmp->start, netmask) &&
+			is_same_net(share->shared_addr, context_tmp->end, netmask))
+		      break;
+		  }
+	      
+	      /* This section fills in context mainly when a client which is on a remote (relayed)
+		 network renews a lease without using the relay, after dnsmasq has restarted. */
+	      if (share ||
+		  (netmask.s_addr != 0  && 
+		   is_same_net(addr, context_tmp->start, netmask) &&
+		   is_same_net(addr, context_tmp->end, netmask)))
+		{
+		  context_tmp->netmask = netmask;
+		  if (context_tmp->local.s_addr == 0)
+		    context_tmp->local = fallback;
+		  if (context_tmp->router.s_addr == 0 && !share)
+		    context_tmp->router = mess->giaddr;
+		  
+		  /* fill in missing broadcast addresses for relayed ranges */
+		  if (!(context_tmp->flags & CONTEXT_BRDCAST) && context_tmp->broadcast.s_addr == 0 )
+		    context_tmp->broadcast.s_addr = context_tmp->start.s_addr | ~context_tmp->netmask.s_addr;
+		  
+		  context_tmp->current = context_new;
+		  context_new = context_tmp;
+		}
+	      
+	    }
+	}
+	  
      if (context_new || force)
 	context = context_new; 
    }
@@ -388,7 +416,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		for (o2 = offset + 5; o2 < offset + len + 5; o2 += elen + 1)
 		  { 
 		    elen = option_uint(opt, o2, 1);
-		    if ((o2 + elen + 1 <= option_len(opt)) &&
+		    if ((o2 + elen + 1 <= (unsigned)option_len(opt)) &&
 			(match = match_bytes(o, option_ptr(opt, o2 + 1), elen)))
 		      break;
 		  }
@@ -479,7 +507,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
  mess->op = BOOTREPLY;
  
  config = find_config(daemon->dhcp_conf, context, clid, clid_len, 
-		       mess->chaddr, mess->hlen, mess->htype, NULL);
+		       mess->chaddr, mess->hlen, mess->htype, NULL, run_tag_if(netid));

  /* set "known" tag for known hosts */
  if (config)
@@ -489,7 +517,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
      netid = &known_id;
    }
  else if (find_config(daemon->dhcp_conf, NULL, clid, clid_len, 
-		       mess->chaddr, mess->hlen, mess->htype, NULL))
+		       mess->chaddr, mess->hlen, mess->htype, NULL, run_tag_if(netid)))
    {
      known_id.net = "known-othernet";
      known_id.next = netid;
@@ -622,7 +650,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	      
 	      clear_packet(mess, end);
 	      do_options(context, mess, end, NULL, hostname, get_domain(mess->yiaddr), 
-			 netid, subnet_addr, 0, 0, -1, NULL, vendor_class_len, now, 0xffffffff, 0);
+			 netid, subnet_addr, 0, 0, -1, NULL, vendor_class_len, now, 0xffffffff, 0, NULL);
 	    }
 	}
      
@@ -703,12 +731,10 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
  if (client_hostname)
    {
      struct dhcp_match_name *m;
-      size_t nl = strlen(client_hostname); 
+      size_t nl = strlen(client_hostname);
      
      if (option_bool(OPT_LOG_OPTS))
 	my_syslog(MS_DHCP | LOG_INFO, _("%u client provides name: %s"), ntohl(mess->xid), client_hostname);
-
-
      for (m = daemon->dhcp_name_match; m; m = m->next)
 	{
 	  size_t ml = strlen(m->name);
@@ -721,14 +747,14 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	      save = client_hostname[ml];
 	      client_hostname[ml] = 0;
 	    }
-
+	  
 	  if (hostname_isequal(client_hostname, m->name) &&
 	      (save == 0 || m->wildcard))
 	    {
 	      m->netid->next = netid;
 	      netid = m->netid;
 	    }
-
+	  
 	  if (save != 0)
 	    client_hostname[ml] = save;
 	}
@@ -750,6 +776,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
      if (strlen(client_hostname) != 0)
 	{
 	  hostname = client_hostname;
+	  
 	  if (!config)
 	    {
 	      /* Search again now we have a hostname. 
@@ -757,7 +784,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		 to avoid impersonation by name. */
 	      struct dhcp_config *new = find_config(daemon->dhcp_conf, context, NULL, 0,
 						    mess->chaddr, mess->hlen, 
-						    mess->htype, hostname);
+						    mess->htype, hostname, run_tag_if(netid));
 	      if (new && !have_config(new, CONFIG_CLID) && !new->hwaddr)
 		{
 		  config = new;
@@ -811,9 +838,8 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
    clid = NULL;
          
  /* Check if client is PXE client. */
-  if (daemon->enable_pxe && 
-      (opt = option_find(mess, sz, OPTION_VENDOR_ID, 9)) && 
-      strncmp(option_ptr(opt, 0), "PXEClient", 9) == 0)
+  if (daemon->enable_pxe &&
+      is_pxe_client(mess, sz, &pxevendor))
    {
      if ((opt = option_find(mess, sz, OPTION_PXE_UUID, 17)))
 	{
@@ -875,7 +901,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	  
 	  option_put(mess, end, OPTION_MESSAGE_TYPE, 1, DHCPACK);
 	  option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, htonl(context->local.s_addr));
-	  pxe_misc(mess, end, uuid);
+	  pxe_misc(mess, end, uuid, pxevendor);
 	  
 	  prune_vendor_opts(tagif_netid);
 	  opt71.val = save71;
@@ -955,7 +981,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		  option_put(mess, end, OPTION_MESSAGE_TYPE, 1, 
 			     mess_type == DHCPDISCOVER ? DHCPOFFER : DHCPACK);
 		  option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, htonl(tmp->local.s_addr));
-		  pxe_misc(mess, end, uuid);
+		  pxe_misc(mess, end, uuid, pxevendor);
 		  prune_vendor_opts(tagif_netid);
 		  if ((pxe && !workaround) || !redirect4011)
 		    do_encap_opts(pxe_opts(pxearch, tagif_netid, tmp->local, now), OPTION_VENDOR_CLASS_OPT, DHOPT_VENDOR_MATCH, mess, end, 0);
@@ -1126,7 +1152,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
      option_put(mess, end, OPTION_LEASE_TIME, 4, time);
      /* T1 and T2 are required in DHCPOFFER by HP's wacky Jetdirect client. */
      do_options(context, mess, end, req_options, offer_hostname, get_domain(mess->yiaddr), 
-		 netid, subnet_addr, fqdn_flags, borken_opt, pxearch, uuid, vendor_class_len, now, time, fuzz);
+		 netid, subnet_addr, fqdn_flags, borken_opt, pxearch, uuid, vendor_class_len, now, time, fuzz, pxevendor);
      
      return dhcp_packet_size(mess, agent_id, real_end);
 	
@@ -1475,7 +1501,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	  if (rapid_commit)
 	     option_put(mess, end, OPTION_RAPID_COMMIT, 0, 0);
 	   do_options(context, mess, end, req_options, hostname, get_domain(mess->yiaddr), 
-		     netid, subnet_addr, fqdn_flags, borken_opt, pxearch, uuid, vendor_class_len, now, time, fuzz);
+		     netid, subnet_addr, fqdn_flags, borken_opt, pxearch, uuid, vendor_class_len, now, time, fuzz, pxevendor);
 	}

      return dhcp_packet_size(mess, agent_id, real_end); 
@@ -1542,7 +1568,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	}

      do_options(context, mess, end, req_options, hostname, get_domain(mess->ciaddr),
-		 netid, subnet_addr, fqdn_flags, borken_opt, pxearch, uuid, vendor_class_len, now, 0xffffffff, 0);
+		 netid, subnet_addr, fqdn_flags, borken_opt, pxearch, uuid, vendor_class_len, now, 0xffffffff, 0, pxevendor);
      
      *is_inform = 1; /* handle reply differently */
      return dhcp_packet_size(mess, agent_id, real_end); 
@@ -1924,7 +1950,7 @@ static void option_put(struct dhcp_packet *mess, unsigned char *end, int opt, in
 }

 static void option_put_string(struct dhcp_packet *mess, unsigned char *end, int opt, 
-			      char *string, int null_term)
+			      const char *string, int null_term)
 {
  unsigned char *p;
  size_t len = strlen(string);
@@ -2002,15 +2028,32 @@ static void match_vendor_opts(unsigned char *opt, struct dhcp_opt *dopt)
      dopt->flags &= ~DHOPT_VENDOR_MATCH;
      if (opt && (dopt->flags & DHOPT_VENDOR))
 	{
-	  int i, len = 0;
-	  if (dopt->u.vendor_class)
-	    len = strlen((char *)dopt->u.vendor_class);
-	  for (i = 0; i <= (option_len(opt) - len); i++)
-	    if (len == 0 || memcmp(dopt->u.vendor_class, option_ptr(opt, i), len) == 0)
-	      {
-		dopt->flags |= DHOPT_VENDOR_MATCH;
-		break;
-	      }
+	  const struct dhcp_pxe_vendor *pv;
+	  struct dhcp_pxe_vendor dummy_vendor = {
+	    .data = (char *)dopt->u.vendor_class,
+	    .next = NULL,
+	  };
+	  if (dopt->flags & DHOPT_VENDOR_PXE)
+	    pv = daemon->dhcp_pxe_vendors;
+	  else
+	    pv = &dummy_vendor;
+	  for (; pv; pv = pv->next)
+	    {
+	      int i, len = 0, matched = 0;
+	      if (pv->data)
+	        len = strlen(pv->data);
+	      for (i = 0; i <= (option_len(opt) - len); i++)
+	        if (len == 0 || memcmp(pv->data, option_ptr(opt, i), len) == 0)
+	          {
+		    matched = 1;
+	            break;
+	          }
+	      if (matched)
+		{
+	          dopt->flags |= DHOPT_VENDOR_MATCH;
+		  break;
+		}
+	    }
 	}
    }
 }
@@ -2063,11 +2106,13 @@ static int do_encap_opts(struct dhcp_opt *opt, int encap, int flag,
  return ret;
 }

-static void pxe_misc(struct dhcp_packet *mess, unsigned char *end, unsigned char *uuid)
+static void pxe_misc(struct dhcp_packet *mess, unsigned char *end, unsigned char *uuid, const char *pxevendor)
 {
  unsigned char *p;

-  option_put_string(mess, end, OPTION_VENDOR_ID, "PXEClient", 0);
+  if (!pxevendor)
+    pxevendor="PXEClient";
+  option_put_string(mess, end, OPTION_VENDOR_ID, pxevendor, 0);
  if (uuid && (p = free_space(mess, end, OPTION_PXE_UUID, 17)))
    memcpy(p, uuid, 17);
 }
@@ -2284,6 +2329,29 @@ struct dhcp_boot *find_boot(struct dhcp_netid *netid)
  return boot;
 }

+static int is_pxe_client(struct dhcp_packet *mess, size_t sz, const char **pxe_vendor)
+{
+  const unsigned char *opt = NULL;
+  ssize_t conf_len = 0;
+  const struct dhcp_pxe_vendor *conf = daemon->dhcp_pxe_vendors;
+  opt = option_find(mess, sz, OPTION_VENDOR_ID, 0);
+  if (!opt) 
+    return 0;
+  for (; conf; conf = conf->next)
+    {
+      conf_len = strlen(conf->data);
+      if (option_len(opt) < conf_len)
+        continue;
+      if (strncmp(option_ptr(opt, 0), conf->data, conf_len) == 0)
+        {
+          if (pxe_vendor)
+            *pxe_vendor = conf->data;
+          return 1;
+        }
+    }
+  return 0;
+}
+
 static void do_options(struct dhcp_context *context,
 		       struct dhcp_packet *mess,
 		       unsigned char *end, 
@@ -2298,7 +2366,8 @@ static void do_options(struct dhcp_context *context,
 		       int vendor_class_len,
 		       time_t now,
 		       unsigned int lease_time,
-		       unsigned short fuzz)
+		       unsigned short fuzz,
+		       const char *pxevendor)
 {
  struct dhcp_opt *opt, *config_opts = daemon->dhcp_opts;
  struct dhcp_boot *boot;
@@ -2672,7 +2741,7 @@ static void do_options(struct dhcp_context *context,
  
  if (context && pxe_arch != -1)
    {
-      pxe_misc(mess, end, uuid);
+      pxe_misc(mess, end, uuid, pxevendor);
      if (!pxe_uefi_workaround(pxe_arch, tagif, mess, context->local, now, 0))
 	config_opts = pxe_opts(pxe_arch, tagif, context->local, now);
    }
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -21,19 +21,16 @@

 struct state {
  unsigned char *clid;
-  int clid_len, iaid, ia_type, interface, hostname_auth, lease_allocate;
+  int clid_len, ia_type, interface, hostname_auth, lease_allocate;
  char *client_hostname, *hostname, *domain, *send_domain;
  struct dhcp_context *context;
  struct in6_addr *link_address, *fallback, *ll_addr, *ula_addr;
-  unsigned int xid, fqdn_flags;
+  unsigned int xid, fqdn_flags, iaid;
  char *iface_name;
  void *packet_options, *end;
  struct dhcp_netid *tags, *context_tags;
  unsigned char mac[DHCP_CHADDR_MAX];
  unsigned int mac_len, mac_type;
-#ifdef OPTION6_PREFIX_CLASS
-  struct prefix_class *send_prefix_class;
-#endif
 };

 static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, 
@@ -49,12 +46,11 @@ static void get_context_tag(struct state *state, struct dhcp_context *context);
 static int check_ia(struct state *state, void *opt, void **endp, void **ia_option);
 static int build_ia(struct state *state, int *t1cntr);
 static void end_ia(int t1cntr, unsigned int min_time, int do_fuzz);
-#ifdef OPTION6_PREFIX_CLASS
-static struct prefix_class *prefix_class_from_context(struct dhcp_context *context);
-#endif
 static void mark_context_used(struct state *state, struct in6_addr *addr);
 static void mark_config_used(struct dhcp_context *context, struct in6_addr *addr);
 static int check_address(struct state *state, struct in6_addr *addr);
+static int config_valid(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr, struct state *state, time_t now);
+static struct addrlist *config_implies(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr);
 static void add_address(struct state *state, struct dhcp_context *context, unsigned int lease_time, void *ia_option, 
 			unsigned int *min_time, struct in6_addr *addr, time_t now);
 static void update_leases(struct state *state, struct dhcp_context *context, struct in6_addr *addr, unsigned int lease_time, time_t now);
@@ -134,21 +130,41 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
      else
 	{
 	  struct dhcp_context *c;
+	  struct shared_network *share = NULL;
 	  state->context = NULL;
-	   
+
 	  if (!IN6_IS_ADDR_LOOPBACK(state->link_address) &&
 	      !IN6_IS_ADDR_LINKLOCAL(state->link_address) &&
 	      !IN6_IS_ADDR_MULTICAST(state->link_address))
 	    for (c = daemon->dhcp6; c; c = c->next)
-	      if ((c->flags & CONTEXT_DHCP) &&
-		  !(c->flags & (CONTEXT_TEMPLATE | CONTEXT_OLD)) &&
-		  is_same_net6(state->link_address, &c->start6, c->prefix) &&
-		  is_same_net6(state->link_address, &c->end6, c->prefix))
-		{
-		  c->preferred = c->valid = 0xffffffff;
-		  c->current = state->context;
-		  state->context = c;
-		}
+	      {
+		for (share = daemon->shared_networks; share; share = share->next)
+		  {
+		    if (share->shared_addr.s_addr != 0)
+		      continue;
+		    
+		    if (share->if_index != 0 ||
+			!IN6_ARE_ADDR_EQUAL(state->link_address, &share->match_addr6))
+		      continue;
+		    
+		    if ((c->flags & CONTEXT_DHCP) &&
+			!(c->flags & (CONTEXT_TEMPLATE | CONTEXT_OLD)) &&
+			is_same_net6(&share->shared_addr6, &c->start6, c->prefix) &&
+			is_same_net6(&share->shared_addr6, &c->end6, c->prefix))
+		      break;
+		  }
+		
+		if (share ||
+		    ((c->flags & CONTEXT_DHCP) &&
+		     !(c->flags & (CONTEXT_TEMPLATE | CONTEXT_OLD)) &&
+		     is_same_net6(state->link_address, &c->start6, c->prefix) &&
+		     is_same_net6(state->link_address, &c->end6, c->prefix)))
+		  {
+		    c->preferred = c->valid = 0xffffffff;
+		    c->current = state->context;
+		    state->context = c;
+		  }
+	      }
 	  
 	  if (!state->context)
 	    {
@@ -219,21 +235,25 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
      if (opt6_ptr(opt, 0) + opt6_len(opt) > end) 
        return 0;
     
-      int o = new_opt6(opt6_type(opt));
-      if (opt6_type(opt) == OPTION6_RELAY_MSG)
+      /* Don't copy MAC address into reply. */
+      if (opt6_type(opt) != OPTION6_CLIENT_MAC)
 	{
-	  struct in6_addr align;
-	  /* the packet data is unaligned, copy to aligned storage */
-	  memcpy(&align, inbuff + 2, IN6ADDRSZ); 
-	  state->link_address = &align;
-	  /* zero is_unicast since that is now known to refer to the 
-	     relayed packet, not the original sent by the client */
-	  if (!dhcp6_maybe_relay(state, opt6_ptr(opt, 0), opt6_len(opt), client_addr, 0, now))
-	    return 0;
+	  int o = new_opt6(opt6_type(opt));
+	  if (opt6_type(opt) == OPTION6_RELAY_MSG)
+	    {
+	      struct in6_addr align;
+	      /* the packet data is unaligned, copy to aligned storage */
+	      memcpy(&align, inbuff + 2, IN6ADDRSZ); 
+	      state->link_address = &align;
+	      /* zero is_unicast since that is now known to refer to the 
+		 relayed packet, not the original sent by the client */
+	      if (!dhcp6_maybe_relay(state, opt6_ptr(opt, 0), opt6_len(opt), client_addr, 0, now))
+		return 0;
+	    }
+	  else
+	    put_opt6(opt6_ptr(opt, 0), opt6_len(opt));
+	  end_opt6(o);
 	}
-      else if (opt6_type(opt) != OPTION6_CLIENT_MAC)
-	put_opt6(opt6_ptr(opt, 0), opt6_len(opt));
-      end_opt6(o);	    
    }
  
  return 1;
@@ -252,10 +272,6 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
  struct dhcp_context *context_tmp;
  struct dhcp_mac *mac_opt;
  unsigned int ignore = 0;
-#ifdef OPTION6_PREFIX_CLASS
-  struct prefix_class *p;
-  int dump_all_prefix_classes = 0;
-#endif

  state->packet_options = inbuff + 4;
  state->end = inbuff + sz;
@@ -269,9 +285,6 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
  state->hostname = NULL;
  state->client_hostname = NULL;
  state->fqdn_flags = 0x01; /* default to send if we receive no FQDN option */
-#ifdef OPTION6_PREFIX_CLASS
-  state->send_prefix_class = NULL;
-#endif

  /* set tag with name == interface */
  iface_id.net = state->iface_name;
@@ -477,39 +490,66 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
 	   
 	   if (legal_hostname(daemon->dhcp_buff))
 	     {
+	       struct dhcp_match_name *m;
+	       size_t nl = strlen(daemon->dhcp_buff);
+	       
 	       state->client_hostname = daemon->dhcp_buff;
+	       
 	       if (option_bool(OPT_LOG_OPTS))
-		 my_syslog(MS_DHCP | LOG_INFO, _("%u client provides name: %s"), state->xid, state->client_hostname); 
+		 my_syslog(MS_DHCP | LOG_INFO, _("%u client provides name: %s"), state->xid, state->client_hostname);
+	       
+	       for (m = daemon->dhcp_name_match; m; m = m->next)
+		 {
+		   size_t ml = strlen(m->name);
+		   char save = 0;
+		   
+		   if (nl < ml)
+		     continue;
+		   if (nl > ml)
+		     {
+		       save = state->client_hostname[ml];
+		       state->client_hostname[ml] = 0;
+		     }
+		   
+		   if (hostname_isequal(state->client_hostname, m->name) &&
+		       (save == 0 || m->wildcard))
+		     {
+		       m->netid->next = state->tags;
+		       state->tags = m->netid;
+		     }
+		   
+		   if (save != 0)
+		     state->client_hostname[ml] = save;
+		 }
 	     }
 	 }
    }	 
  
-  if (state->clid)
+  if (state->clid &&
+      (config = find_config(daemon->dhcp_conf, state->context, state->clid, state->clid_len,
+			    state->mac, state->mac_len, state->mac_type, NULL, run_tag_if(state->tags))) &&
+      have_config(config, CONFIG_NAME))
    {
-      config = find_config(daemon->dhcp_conf, state->context, state->clid, state->clid_len, state->mac, state->mac_len, state->mac_type, NULL);
+      state->hostname = config->hostname;
+      state->domain = config->domain;
+      state->hostname_auth = 1;
+    }
+  else if (state->client_hostname)
+    {
+      state->domain = strip_hostname(state->client_hostname);
      
-      if (have_config(config, CONFIG_NAME))
+      if (strlen(state->client_hostname) != 0)
 	{
-	  state->hostname = config->hostname;
-	  state->domain = config->domain;
-	  state->hostname_auth = 1;
-	}
-      else if (state->client_hostname)
-	{
-	  state->domain = strip_hostname(state->client_hostname);
+	  state->hostname = state->client_hostname;
 	  
-	  if (strlen(state->client_hostname) != 0)
+	  if (!config)
 	    {
-	      state->hostname = state->client_hostname;
-	      if (!config)
-		{
-		  /* Search again now we have a hostname. 
-		     Only accept configs without CLID here, (it won't match)
-		     to avoid impersonation by name. */
-		  struct dhcp_config *new = find_config(daemon->dhcp_conf, state->context, NULL, 0, NULL, 0, 0, state->hostname);
-		  if (new && !have_config(new, CONFIG_CLID) && !new->hwaddr)
-		    config = new;
-		}
+	      /* Search again now we have a hostname. 
+		 Only accept configs without CLID here, (it won't match)
+		 to avoid impersonation by name. */
+	      struct dhcp_config *new = find_config(daemon->dhcp_conf, state->context, NULL, 0, NULL, 0, 0, state->hostname, run_tag_if(state->tags));
+	      if (new && !have_config(new, CONFIG_CLID) && !new->hwaddr)
+		config = new;
 	    }
 	}
    }
@@ -533,38 +573,14 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
 	ignore = 1;
    }
  else if (state->clid &&
-	   find_config(daemon->dhcp_conf, NULL, state->clid, state->clid_len, state->mac, state->mac_len, state->mac_type, NULL))
+	   find_config(daemon->dhcp_conf, NULL, state->clid, state->clid_len,
+		       state->mac, state->mac_len, state->mac_type, NULL, run_tag_if(state->tags)))
    {
      known_id.net = "known-othernet";
      known_id.next = state->tags;
      state->tags = &known_id;
    }
  
-#ifdef OPTION6_PREFIX_CLASS
-  /* OPTION_PREFIX_CLASS in ORO, send addresses in all prefix classes */
-  if (daemon->prefix_classes && (msg_type == DHCP6SOLICIT || msg_type == DHCP6REQUEST))
-    {
-      void *oro;
-      
-      if ((oro = opt6_find(state->packet_options, state->end, OPTION6_ORO, 0)))
-	for (i = 0; i <  opt6_len(oro) - 1; i += 2)
-	  if (opt6_uint(oro, i, 2) == OPTION6_PREFIX_CLASS)
-	    {
-	      dump_all_prefix_classes = 1;
-	      break;
-	    }
-      
-      if (msg_type != DHCP6SOLICIT || dump_all_prefix_classes)
-	/* Add the tags associated with prefix classes so we can use the DHCP ranges.
-	   Not done for SOLICIT as we add them  one-at-time. */
-	for (p = daemon->prefix_classes; p ; p = p->next)
-	  {
-	    p->tag.next = state->tags;
-	    state->tags = &p->tag;
-	  }
-    }    
-#endif
-
  tagif = run_tag_if(state->tags);
  
  /* if all the netids in the ignore list are present, ignore this client */
@@ -648,60 +664,6 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
 	    for (c = state->context; c; c = c->current)
 	      c->flags &= ~CONTEXT_USED;

-#ifdef OPTION6_PREFIX_CLASS
-	    if (daemon->prefix_classes && state->ia_type == OPTION6_IA_NA)
-	      {
-		void *prefix_opt;
-		int prefix_class;
-		
-		if (dump_all_prefix_classes)
-		  /* OPTION_PREFIX_CLASS in ORO, send addresses in all prefix classes */
-		  plain_range = 0;
-		else 
-		  { 
-		    if ((prefix_opt = opt6_find(opt6_ptr(opt, 12), ia_end, OPTION6_PREFIX_CLASS, 2)))
-		      {
-			
-			prefix_class = opt6_uint(prefix_opt, 0, 2);
-			
-			for (p = daemon->prefix_classes; p ; p = p->next)
-			  if (p->class == prefix_class)
-			    break;
-			
-			if (!p)
-			  my_syslog(MS_DHCP | LOG_WARNING, _("unknown prefix-class %d"), prefix_class);
-			else
-			  {
-			    /* add tag to list, and exclude undecorated dhcp-ranges */
-			    p->tag.next = state->tags;
-			    solicit_tags = run_tag_if(&p->tag);
-			    plain_range = 0;
-			    state->send_prefix_class = p;
-			  }
-		      }
-		    else
-		      {
-			/* client didn't ask for a prefix class, lets see if we can find one. */
-			for (p = daemon->prefix_classes; p ; p = p->next)
-			  {
-			    p->tag.next = NULL;
-			    if (match_netid(&p->tag, solicit_tags, 1))
-			      break;
-			  }
-			
-			if (p)
-			  {
-			    plain_range = 0;
-			    state->send_prefix_class = p;
-			  }
-		      }
-
-		    if (p && option_bool(OPT_LOG_OPTS))
-		      my_syslog(MS_DHCP | LOG_INFO, "%u prefix class %d tag:%s", state->xid, p->class, p->tag.net); 
-		  }
-	      }
-#endif
-
 	    o = build_ia(state, &t1cntr);
 	    if (address_assigned)
 		address_assigned = 2;
@@ -717,7 +679,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
 		    /* If the client asks for an address on the same network as a configured address, 
 		       offer the configured address instead, to make moving to newly-configured
 		       addresses automatic. */
-		    if (!(c->flags & CONTEXT_CONF_USED) && config_valid(config, c, &addr) && check_address(state, &addr))
+		    if (!(c->flags & CONTEXT_CONF_USED) && config_valid(config, c, &addr, state, now))
 		      {
 			req_addr = addr;
 			mark_config_used(c, &addr);
@@ -730,10 +692,6 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
 		      continue; /* address leased elsewhere */
 		    
 		    /* add address to output packet */
-#ifdef OPTION6_PREFIX_CLASS
-		    if (dump_all_prefix_classes && state->ia_type == OPTION6_IA_NA)
-		      state->send_prefix_class = prefix_class_from_context(c);
-#endif		    
 		    add_address(state, c, lease_time, ia_option, &min_time, &req_addr, now);
 		    mark_context_used(state, &req_addr);
 		    get_context_tag(state, c);
@@ -745,19 +703,15 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
 	    for (c = state->context; c; c = c->current) 
 	      if (!(c->flags & CONTEXT_CONF_USED) &&
 		  match_netid(c->filter, solicit_tags, plain_range) &&
-		  config_valid(config, c, &addr) && 
-		  check_address(state, &addr))
+		  config_valid(config, c, &addr, state, now))
 		{
 		  mark_config_used(state->context, &addr);
 		  if (have_config(config, CONFIG_TIME))
 		    lease_time = config->lease_time;
 		  else
 		    lease_time = c->lease_time;
+
 		  /* add address to output packet */
-#ifdef OPTION6_PREFIX_CLASS
-		  if (dump_all_prefix_classes && state->ia_type == OPTION6_IA_NA)
-		    state->send_prefix_class = prefix_class_from_context(c);
-#endif
 		  add_address(state, c, lease_time, NULL, &min_time, &addr, now);
 		  mark_context_used(state, &addr);
 		  get_context_tag(state, c);
@@ -771,10 +725,6 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
 		req_addr = ltmp->addr6;
 		if ((c = address6_available(state->context, &req_addr, solicit_tags, plain_range)))
 		  {
-#ifdef OPTION6_PREFIX_CLASS
-		    if (dump_all_prefix_classes && state->ia_type == OPTION6_IA_NA)
-		      state->send_prefix_class = prefix_class_from_context(c);
-#endif
 		    add_address(state, c, c->lease_time, NULL, &min_time, &req_addr, now);
 		    mark_context_used(state, &req_addr);
 		    get_context_tag(state, c);
@@ -786,10 +736,6 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
 	    while ((c = address6_allocate(state->context, state->clid, state->clid_len, state->ia_type == OPTION6_IA_TA,
 					  state->iaid, ia_counter, solicit_tags, plain_range, &addr)))
 	      {
-#ifdef OPTION6_PREFIX_CLASS
-		if (dump_all_prefix_classes && state->ia_type == OPTION6_IA_NA)
-		  state->send_prefix_class = prefix_class_from_context(c);
-#endif
 		add_address(state, c, c->lease_time, NULL, &min_time, &addr, now);
 		mark_context_used(state, &addr);
 		get_context_tag(state, c);
@@ -895,14 +841,13 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
 		struct in6_addr req_addr;
 		struct dhcp_context *dynamic, *c;
 		unsigned int lease_time;
-		struct in6_addr addr;
 		int config_ok = 0;

 		/* align. */
 		memcpy(&req_addr, opt6_ptr(ia_option, 0), IN6ADDRSZ);
 		
 		if ((c = address6_valid(state->context, &req_addr, tagif, 1)))
-		  config_ok = config_valid(config, c, &addr) && IN6_ARE_ADDR_EQUAL(&addr, &req_addr);
+		  config_ok = (config_implies(config, c, &req_addr) != NULL);
 		
 		if ((dynamic = address6_available(state->context, &req_addr, tagif, 1)) || c)
 		  {
@@ -932,10 +877,6 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
 			if (config_ok && have_config(config, CONFIG_TIME))
 			  lease_time = config->lease_time;

-#ifdef OPTION6_PREFIX_CLASS
-			if (dump_all_prefix_classes && state->ia_type == OPTION6_IA_NA)
-			  state->send_prefix_class = prefix_class_from_context(c);
-#endif
 			add_address(state, dynamic, lease_time, ia_option, &min_time, &req_addr, now);
 			get_context_tag(state, dynamic);
 			address_assigned = 1;
@@ -1032,12 +973,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
 		if ((this_context = address6_available(state->context, &req_addr, tagif, 1)) ||
 		    (this_context = address6_valid(state->context, &req_addr, tagif, 1)))
 		  {
-		    struct in6_addr addr;
 		    unsigned int lease_time;

 		    get_context_tag(state, this_context);
 		    
-		    if (config_valid(config, this_context, &addr) && IN6_ARE_ADDR_EQUAL(&addr, &req_addr) && have_config(config, CONFIG_TIME))
+		    if (config_implies(config, this_context, &req_addr) && have_config(config, CONFIG_TIME))
 		      lease_time = config->lease_time;
 		    else 
 		      lease_time = this_context->lease_time;
@@ -1246,18 +1186,19 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
 	      {
 		struct dhcp_lease *lease;
 		struct in6_addr addr;
-
+		struct addrlist *addr_list;
+		
 		/* align */
 		memcpy(&addr, opt6_ptr(ia_option, 0), IN6ADDRSZ);

-		if (have_config(config, CONFIG_ADDR6) && IN6_ARE_ADDR_EQUAL(&config->addr6, &addr))
+		if ((addr_list = config_implies(config, state->context, &addr)))
 		  {
 		    prettyprint_time(daemon->dhcp_buff3, DECLINE_BACKOFF);
 		    inet_ntop(AF_INET6, &addr, daemon->addrbuff, ADDRSTRLEN);
 		    my_syslog(MS_DHCP | LOG_WARNING, _("disabling DHCP static address %s for %s"), 
 			      daemon->addrbuff, daemon->dhcp_buff3);
-		    config->flags |= CONFIG_DECLINED;
-		    config->decline_time = now;
+		    addr_list->flags |= ADDRLIST_DECLINED;
+		    addr_list->decline_time = now;
 		  }
 		else
 		  /* make sure this host gets a different address next time. */
@@ -1370,23 +1311,39 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh)
 	      	  
 	      for (a = (struct in6_addr *)opt_cfg->val, j = 0; j < opt_cfg->len; j+=IN6ADDRSZ, a++)
 		{
+		  struct in6_addr *p = NULL;
+
 		  if (IN6_IS_ADDR_UNSPECIFIED(a))
 		    {
 		      if (!add_local_addrs(state->context))
-			put_opt6(state->fallback, IN6ADDRSZ);
+			p = state->fallback;
 		    }
 		  else if (IN6_IS_ADDR_ULA_ZERO(a))
 		    {
 		      if (!IN6_IS_ADDR_UNSPECIFIED(state->ula_addr))
-			put_opt6(state->ula_addr, IN6ADDRSZ);
+			p = state->ula_addr;
 		    }
 		  else if (IN6_IS_ADDR_LINK_LOCAL_ZERO(a))
 		    {
 		      if (!IN6_IS_ADDR_UNSPECIFIED(state->ll_addr))
-			put_opt6(state->ll_addr, IN6ADDRSZ);
+			p = state->ll_addr;
 		    }
 		  else
-		    put_opt6(a, IN6ADDRSZ);
+		    p = a;
+
+		  if (!p)
+		    continue;
+		  else if (opt_cfg->opt == OPTION6_NTP_SERVER)
+		    {
+		      if (IN6_IS_ADDR_MULTICAST(p))
+			o1 = new_opt6(NTP_SUBOPTION_MC_ADDR);
+		      else
+			o1 = new_opt6(NTP_SUBOPTION_SRV_ADDR);
+		      put_opt6(p, IN6ADDRSZ);
+		      end_opt6(o1);
+		    }
+		  else
+		    put_opt6(p, IN6ADDRSZ);
 		}

 	      end_opt6(o);
@@ -1580,21 +1537,6 @@ static void get_context_tag(struct state *state, struct dhcp_context *context)
    }
 } 

-#ifdef OPTION6_PREFIX_CLASS
-static struct prefix_class *prefix_class_from_context(struct dhcp_context *context)
-{
-  struct prefix_class *p;
-  struct dhcp_netid *t;
-  
-  for (p = daemon->prefix_classes; p ; p = p->next)
-    for (t = context->filter; t; t = t->next)
-      if (strcmp(p->tag.net, t->net) == 0)
-	return p;
-  
- return NULL;
-}
-#endif
-
 static int check_ia(struct state *state, void *opt, void **endp, void **ia_option)
 {
  state->ia_type = opt6_type(opt);
@@ -1679,16 +1621,6 @@ static void add_address(struct state *state, struct dhcp_context *context, unsig
  put_opt6(addr, sizeof(*addr));
  put_opt6_long(preferred_time);
  put_opt6_long(valid_time); 		    
-  
-#ifdef OPTION6_PREFIX_CLASS
-  if (state->send_prefix_class)
-    {
-      int o1 = new_opt6(OPTION6_PREFIX_CLASS);
-      put_opt6_short(state->send_prefix_class->class);
-      end_opt6(o1);
-    }
-#endif
-
  end_opt6(o);
  
  if (state->lease_allocate)
@@ -1724,16 +1656,9 @@ static void mark_context_used(struct state *state, struct in6_addr *addr)
  struct dhcp_context *context;

  /* Mark that we have an address for this prefix. */
-#ifdef OPTION6_PREFIX_CLASS
-  for (context = state->context; context; context = context->current)
-    if (is_same_net6(addr, &context->start6, context->prefix) &&
-	(!state->send_prefix_class || state->send_prefix_class == prefix_class_from_context(context)))
-      context->flags |= CONTEXT_USED;
-#else
  for (context = state->context; context; context = context->current)
    if (is_same_net6(addr, &context->start6, context->prefix))
      context->flags |= CONTEXT_USED;
-#endif
 }

 static void mark_config_used(struct dhcp_context *context, struct in6_addr *addr)
@@ -1760,6 +1685,78 @@ static int check_address(struct state *state, struct in6_addr *addr)
 }


+/* return true of *addr could have been generated from config. */
+static struct addrlist *config_implies(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr)
+{
+  int prefix;
+  struct in6_addr wild_addr;
+  struct addrlist *addr_list;
+  
+  if (!config || !(config->flags & CONFIG_ADDR6))
+    return NULL;
+  
+  for (addr_list = config->addr6; addr_list; addr_list = addr_list->next)
+    {
+      prefix = (addr_list->flags & ADDRLIST_PREFIX) ? addr_list->prefixlen : 128;
+      wild_addr = addr_list->addr.addr6;
+      
+      if ((addr_list->flags & ADDRLIST_WILDCARD) && context->prefix == 64)
+	{
+	  wild_addr = context->start6;
+	  setaddr6part(&wild_addr, addr6part(&addr_list->addr.addr6));
+	}
+      else if (!is_same_net6(&context->start6, addr, context->prefix))
+	continue;
+      
+      if (is_same_net6(&wild_addr, addr, prefix))
+	return addr_list;
+    }
+  
+  return NULL;
+}
+
+static int config_valid(struct dhcp_config *config, struct dhcp_context *context, struct in6_addr *addr, struct state *state, time_t now)
+{
+  u64 addrpart, i, addresses;
+  struct addrlist *addr_list;
+  
+  if (!config || !(config->flags & CONFIG_ADDR6))
+    return 0;
+
+  for (addr_list = config->addr6; addr_list; addr_list = addr_list->next)
+    if (!(addr_list->flags & ADDRLIST_DECLINED) ||
+	difftime(now, addr_list->decline_time) >= (float)DECLINE_BACKOFF)
+      {
+	addrpart = addr6part(&addr_list->addr.addr6);
+	addresses = 1;
+	
+	if (addr_list->flags & ADDRLIST_PREFIX)
+	  addresses = (u64)1<<(128-addr_list->prefixlen);
+	
+	if ((addr_list->flags & ADDRLIST_WILDCARD))
+	  {
+	    if (context->prefix != 64)
+	      continue;
+	    
+	    *addr = context->start6;
+	  }
+	else if (is_same_net6(&context->start6, &addr_list->addr.addr6, context->prefix))
+	  *addr = addr_list->addr.addr6;
+	else
+	  continue;
+	
+	for (i = 0 ; i < addresses; i++)
+	  {
+	    setaddr6part(addr, addrpart+i);
+	    
+	    if (check_address(state, addr))
+	      return 1;
+	  }
+      }
+  
+  return 0;
+}
+
 /* Calculate valid and preferred times to send in leases/renewals. 

   Inputs are:
@@ -1960,13 +1957,6 @@ static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_op
 	  optname = "iaaddr";
 	  ia_options = opt6_ptr(opt, 24);
 	}
-#ifdef OPTION6_PREFIX_CLASS
-      else if (type == OPTION6_PREFIX_CLASS)
-	{
-	  optname = "prefix-class";
-	  sprintf(daemon->namebuff, "class=%u", opt6_uint(opt, 0, 2));
-	}
-#endif
      else if (type == OPTION6_STATUS_CODE)
 	{
 	  int len = sprintf(daemon->namebuff, "%u ", opt6_uint(opt, 0, 2));
@@ -2091,7 +2081,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz,
 {
  /* ->local is same value for all relays on ->current chain */
  
-  struct all_addr from;
+  union all_addr from;
  unsigned char *header;
  unsigned char *inbuff = daemon->dhcp_packet.iov_base;
  int msg_type = *inbuff;
@@ -2104,7 +2094,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz,
  get_client_mac(peer_address, scope_id, mac, &maclen, &mactype, now);

  /* source address == relay address */
-  from.addr.addr6 = relay->local.addr.addr6;
+  from.addr6 = relay->local.addr6;
    
  /* Get hop count from nested relayed message */ 
  if (msg_type == DHCP6RELAYFORW)
@@ -2124,7 +2114,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz,

      header[0] = DHCP6RELAYFORW;
      header[1] = hopcount;
-      memcpy(&header[2],  &relay->local.addr.addr6, IN6ADDRSZ);
+      memcpy(&header[2],  &relay->local.addr6, IN6ADDRSZ);
      memcpy(&header[18], peer_address, IN6ADDRSZ);
 
      /* RFC-6939 */
@@ -2145,12 +2135,12 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz,
 	  union mysockaddr to;
 	  
 	  to.sa.sa_family = AF_INET6;
-	  to.in6.sin6_addr = relay->server.addr.addr6;
+	  to.in6.sin6_addr = relay->server.addr6;
 	  to.in6.sin6_port = htons(DHCPV6_SERVER_PORT);
 	  to.in6.sin6_flowinfo = 0;
 	  to.in6.sin6_scope_id = 0;

-	  if (IN6_ARE_ADDR_EQUAL(&relay->server.addr.addr6, &multicast))
+	  if (IN6_ARE_ADDR_EQUAL(&relay->server.addr6, &multicast))
 	    {
 	      int multicast_iface;
 	      if (!relay->interface || strchr(relay->interface, '*') ||
@@ -2189,7 +2179,7 @@ unsigned short relay_reply6(struct sockaddr_in6 *peer, ssize_t sz, char *arrival
  memcpy(&link, &inbuff[2], IN6ADDRSZ); 
  
  for (relay = daemon->relay6; relay; relay = relay->next)
-    if (IN6_ARE_ADDR_EQUAL(&link, &relay->local.addr.addr6) &&
+    if (IN6_ARE_ADDR_EQUAL(&link, &relay->local.addr6) &&
 	(!relay->interface || wildcard_match(relay->interface, arrival_interface)))
      break;
      
--- a/src/rrfilter.c
+++ b/src/rrfilter.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
--- a/src/slaac.c
+++ b/src/slaac.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -166,7 +166,8 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases)
 	    
 	    if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(-1), 0,
 		       (struct sockaddr *)&addr,  sizeof(addr)) == -1 &&
-		errno == EHOSTUNREACH)
+		errno == EHOSTUNREACH &&
+		slaac->backoff == 12)
 	      slaac->ping_time = 0; /* Give up */ 
 	    else
 	      {
--- a/src/tables.c
+++ b/src/tables.c
@@ -62,7 +62,7 @@ void ipset_init(void)
    }
 }

-int add_to_ipset(const char *setname, const struct all_addr *ipaddr,
+int add_to_ipset(const char *setname, const union all_addr *ipaddr,
 		 int flags, int remove)
 {
  struct pfr_addr addr;
@@ -108,19 +108,18 @@ int add_to_ipset(const char *setname, const struct all_addr *ipaddr,
    my_syslog(LOG_INFO, _("info: table created"));
 
  bzero(&addr, sizeof(addr));
-#ifdef HAVE_IPV6
+
  if (flags & F_IPV6) 
    {
      addr.pfra_af = AF_INET6;
      addr.pfra_net = 0x80;
-      memcpy(&(addr.pfra_ip6addr), &(ipaddr->addr), sizeof(struct in6_addr));
+      memcpy(&(addr.pfra_ip6addr), ipaddr, sizeof(struct in6_addr));
    } 
  else 
-#endif
    {
      addr.pfra_af = AF_INET;
      addr.pfra_net = 0x20;
-      addr.pfra_ip4addr.s_addr = ipaddr->addr.addr4.s_addr;
+      addr.pfra_ip4addr.s_addr = ipaddr->addr4.s_addr;
    }

  bzero(&io, sizeof(io));
--- a/src/tftp.c
+++ b/src/tftp.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -18,6 +18,7 @@

 #ifdef HAVE_TFTP

+static void handle_tftp(time_t now, struct tftp_transfer *transfer, ssize_t len);
 static struct tftp_file *check_tftp_fileperm(ssize_t *len, char *prefix);
 static void free_transfer(struct tftp_transfer *transfer);
 static ssize_t tftp_err(int err, char *packet, char *message, char *file);
@@ -50,7 +51,7 @@ void tftp_request(struct listener *listen, time_t now)
  struct ifreq ifr;
  int is_err = 1, if_index = 0, mtu = 0;
  struct iname *tmp;
-  struct tftp_transfer *transfer;
+  struct tftp_transfer *transfer = NULL, **up;
  int port = daemon->start_tftp_port; /* may be zero to use ephemeral port */
 #if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
  int mtuflag = IP_PMTUDISC_DONT;
@@ -59,24 +60,21 @@ void tftp_request(struct listener *listen, time_t now)
  char *name = NULL;
  char *prefix = daemon->tftp_prefix;
  struct tftp_prefix *pref;
-  struct all_addr addra;
-#ifdef HAVE_IPV6
+  union all_addr addra;
+  int family = listen->addr.sa.sa_family;
  /* Can always get recvd interface for IPv6 */
-  int check_dest = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
-#else
-  int check_dest = !option_bool(OPT_NOWILD);
-#endif
+  int check_dest = !option_bool(OPT_NOWILD) || family == AF_INET6;
  union {
    struct cmsghdr align; /* this ensures alignment */
-#ifdef HAVE_IPV6
    char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
-#endif
 #if defined(HAVE_LINUX_NETWORK)
    char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
 #elif defined(HAVE_SOLARIS_NETWORK)
-    char control[CMSG_SPACE(sizeof(unsigned int))];
+    char control[CMSG_SPACE(sizeof(struct in_addr)) +
+		 CMSG_SPACE(sizeof(unsigned int))];
 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
-    char control[CMSG_SPACE(sizeof(struct sockaddr_dl))];
+    char control[CMSG_SPACE(sizeof(struct in_addr)) +
+		 CMSG_SPACE(sizeof(struct sockaddr_dl))];
 #endif
  } control_u; 

@@ -124,10 +122,10 @@ void tftp_request(struct listener *listen, time_t now)
      if (msg.msg_controllen < sizeof(struct cmsghdr))
        return;
      
-      addr.sa.sa_family = listen->family;
+      addr.sa.sa_family = family;
      
 #if defined(HAVE_LINUX_NETWORK)
-      if (listen->family == AF_INET)
+      if (family == AF_INET)
 	for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
 	  if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
 	    {
@@ -141,7 +139,7 @@ void tftp_request(struct listener *listen, time_t now)
 	    }
      
 #elif defined(HAVE_SOLARIS_NETWORK)
-      if (listen->family == AF_INET)
+      if (family == AF_INET)
 	for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
 	  {
 	    union {
@@ -157,7 +155,7 @@ void tftp_request(struct listener *listen, time_t now)
 	  }
      
 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
-      if (listen->family == AF_INET)
+      if (family == AF_INET)
 	for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
 	  {
 	    union {
@@ -174,8 +172,7 @@ void tftp_request(struct listener *listen, time_t now)
 	  
 #endif

-#ifdef HAVE_IPV6
-      if (listen->family == AF_INET6)
+      if (family == AF_INET6)
        {
          for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
            if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
@@ -190,19 +187,16 @@ void tftp_request(struct listener *listen, time_t now)
                if_index = p.p->ipi6_ifindex;
              }
        }
-#endif
      
      if (!indextoname(listen->tftpfd, if_index, namebuff))
 	return;

      name = namebuff;
      
-      addra.addr.addr4 = addr.in.sin_addr;
+      addra.addr4 = addr.in.sin_addr;

-#ifdef HAVE_IPV6
-      if (listen->family == AF_INET6)
-	addra.addr.addr6 = addr.in6.sin6_addr;
-#endif
+      if (family == AF_INET6)
+	addra.addr6 = addr.in6.sin6_addr;

      if (daemon->tftp_interfaces)
 	{
@@ -217,12 +211,12 @@ void tftp_request(struct listener *listen, time_t now)
      else
 	{
 	  /* Do the same as DHCP */
-	  if (!iface_check(listen->family, &addra, name, NULL))
+	  if (!iface_check(family, &addra, name, NULL))
 	    {
 	      if (!option_bool(OPT_CLEVERBIND))
 		enumerate_interfaces(0); 
-	      if (!loopback_exception(listen->tftpfd, listen->family, &addra, name) &&
-		  !label_exception(if_index, listen->family, &addra) )
+	      if (!loopback_exception(listen->tftpfd, family, &addra, name) &&
+		  !label_exception(if_index, family, &addra))
 		return;
 	    }
 	  
@@ -247,6 +241,39 @@ void tftp_request(struct listener *listen, time_t now)
  if (mtu == 0)
    mtu = daemon->tftp_mtu;

+  /* data transfer via server listening socket */
+  if (option_bool(OPT_SINGLE_PORT))
+    {
+      int tftp_cnt;
+
+      for (tftp_cnt = 0, transfer = daemon->tftp_trans, up = &daemon->tftp_trans; transfer; up = &transfer->next, transfer = transfer->next)
+	{
+	  tftp_cnt++;
+
+	  if (sockaddr_isequal(&peer, &transfer->peer))
+	    {
+	      if (ntohs(*((unsigned short *)packet)) == OP_RRQ)
+		{
+		  /* Handle repeated RRQ or abandoned transfer from same host and port 
+		     by unlinking and reusing the struct transfer. */
+		  *up = transfer->next;
+		  break;
+		}
+	      else
+		{
+		  handle_tftp(now, transfer, len);
+		  return;
+		}
+	    }
+	}
+      
+      /* Enforce simultaneous transfer limit. In non-single-port mode
+	 this is doene by not listening on the server socket when
+	 too many transfers are in progress. */
+      if (!transfer && tftp_cnt >= daemon->tftp_max)
+	return;
+    }
+  
  if (name)
    {
      /* check for per-interface prefix */ 
@@ -255,14 +282,13 @@ void tftp_request(struct listener *listen, time_t now)
 	  prefix = pref->prefix;  
    }

-  if (listen->family == AF_INET)
+  if (family == AF_INET)
    {
      addr.in.sin_port = htons(port);
 #ifdef HAVE_SOCKADDR_SA_LEN
      addr.in.sin_len = sizeof(addr.in);
 #endif
    }
-#ifdef HAVE_IPV6
  else
    {
      addr.in6.sin6_port = htons(port);
@@ -272,18 +298,22 @@ void tftp_request(struct listener *listen, time_t now)
      addr.in6.sin6_len = sizeof(addr.in6);
 #endif
    }
-#endif

-  if (!(transfer = whine_malloc(sizeof(struct tftp_transfer))))
+  /* May reuse struct transfer from abandoned transfer in single port mode. */
+  if (!transfer && !(transfer = whine_malloc(sizeof(struct tftp_transfer))))
    return;
  
-  if ((transfer->sockfd = socket(listen->family, SOCK_DGRAM, 0)) == -1)
+  if (option_bool(OPT_SINGLE_PORT))
+    transfer->sockfd = listen->tftpfd;
+  else if ((transfer->sockfd = socket(family, SOCK_DGRAM, 0)) == -1)
    {
      free(transfer);
      return;
    }
  
  transfer->peer = peer;
+  transfer->source = addra;
+  transfer->if_index = if_index;
  transfer->timeout = now + 2;
  transfer->backoff = 1;
  transfer->block = 1;
@@ -293,10 +323,10 @@ void tftp_request(struct listener *listen, time_t now)
  transfer->opt_blocksize = transfer->opt_transize = 0;
  transfer->netascii = transfer->carrylf = 0;
 
-  prettyprint_addr(&peer, daemon->addrbuff);
+  (void)prettyprint_addr(&peer, daemon->addrbuff);
  
  /* if we have a nailed-down range, iterate until we find a free one. */
-  while (1)
+  while (!option_bool(OPT_SINGLE_PORT))
    {
      if (bind(transfer->sockfd, &addr.sa, sa_len(&addr)) == -1 ||
 #if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
@@ -308,12 +338,11 @@ void tftp_request(struct listener *listen, time_t now)
 	    {
 	      if (++port <= daemon->end_tftp_port)
 		{ 
-		  if (listen->family == AF_INET)
+		  if (family == AF_INET)
 		    addr.in.sin_port = htons(port);
-#ifdef HAVE_IPV6
 		  else
-		     addr.in6.sin6_port = htons(port);
-#endif
+		    addr.in6.sin6_port = htons(port);
+		  
 		  continue;
 		}
 	      my_syslog(MS_TFTP | LOG_ERR, _("unable to get free port for TFTP"));
@@ -326,7 +355,7 @@ void tftp_request(struct listener *listen, time_t now)
  
  p = packet + 2;
  end = packet + len;
-
+  
  if (ntohs(*((unsigned short *)packet)) != OP_RRQ ||
      !(filename = next(&p, end)) ||
      !(mode = next(&p, end)) ||
@@ -347,7 +376,7 @@ void tftp_request(struct listener *listen, time_t now)
 	      if ((opt = next(&p, end)) && !option_bool(OPT_TFTP_NOBLOCK))
 		{
 		  /* 32 bytes for IP, UDP and TFTP headers, 52 bytes for IPv6 */
-		  int overhead = (listen->family == AF_INET) ? 32 : 52;
+		  int overhead = (family == AF_INET) ? 32 : 52;
 		  transfer->blocksize = atoi(opt);
 		  if (transfer->blocksize < 1)
 		    transfer->blocksize = 1;
@@ -450,9 +479,8 @@ void tftp_request(struct listener *listen, time_t now)
 	    is_err = 0;
 	}
    }
-  
-  while (sendto(transfer->sockfd, packet, len, 0, 
-		(struct sockaddr *)&peer, sa_len(&peer)) == -1 && errno == EINTR);
+
+  send_from(transfer->sockfd, !option_bool(OPT_SINGLE_PORT), packet, len, &peer, &addra, if_index);
  
  if (is_err)
    free_transfer(transfer);
@@ -549,63 +577,28 @@ static struct tftp_file *check_tftp_fileperm(ssize_t *len, char *prefix)
 void check_tftp_listeners(time_t now)
 {
  struct tftp_transfer *transfer, *tmp, **up;
-  ssize_t len;
  
-  struct ack {
-    unsigned short op, block;
-  } *mess = (struct ack *)daemon->packet;
-  
-  /* Check for activity on any existing transfers */
-  for (transfer = daemon->tftp_trans, up = &daemon->tftp_trans; transfer; transfer = tmp)
-    {
-      tmp = transfer->next;
-      
-      prettyprint_addr(&transfer->peer, daemon->addrbuff);
-     
+  /* In single port mode, all packets come via port 69 and tftp_request() */
+  if (!option_bool(OPT_SINGLE_PORT))
+    for (transfer = daemon->tftp_trans; transfer; transfer = transfer->next)
      if (poll_check(transfer->sockfd, POLLIN))
 	{
 	  /* we overwrote the buffer... */
 	  daemon->srv_save = NULL;
-	  
-	  if ((len = recv(transfer->sockfd, daemon->packet, daemon->packet_buff_sz, 0)) >= (ssize_t)sizeof(struct ack))
-	    {
-	      if (ntohs(mess->op) == OP_ACK && ntohs(mess->block) == (unsigned short)transfer->block) 
-		{
-		  /* Got ack, ensure we take the (re)transmit path */
-		  transfer->timeout = now;
-		  transfer->backoff = 0;
-		  if (transfer->block++ != 0)
-		    transfer->offset += transfer->blocksize - transfer->expansion;
-		}
-	      else if (ntohs(mess->op) == OP_ERR)
-		{
-		  char *p = daemon->packet + sizeof(struct ack);
-		  char *end = daemon->packet + len;
-		  char *err = next(&p, end);
-		  
-		  /* Sanitise error message */
-		  if (!err)
-		    err = "";
-		  else
-		    sanitise(err);
-		  
-		  my_syslog(MS_TFTP | LOG_ERR, _("error %d %s received from %s"),
-			    (int)ntohs(mess->block), err, 
-			    daemon->addrbuff);	
-		  
-		  /* Got err, ensure we take abort */
-		  transfer->timeout = now;
-		  transfer->backoff = 100;
-		}
-	    }
+	  handle_tftp(now, transfer, recv(transfer->sockfd, daemon->packet, daemon->packet_buff_sz, 0));
 	}
+
+  for (transfer = daemon->tftp_trans, up = &daemon->tftp_trans; transfer; transfer = tmp)
+    {
+      tmp = transfer->next;
      
      if (difftime(now, transfer->timeout) >= 0.0)
 	{
 	  int endcon = 0;
+	  ssize_t len;

 	  /* timeout, retransmit */
-	  transfer->timeout += 1 + (1<<transfer->backoff);
+	  transfer->timeout += 1 + (1<<(transfer->backoff/2));
 	  	  
 	  /* we overwrote the buffer... */
 	  daemon->srv_save = NULL;
@@ -615,22 +608,24 @@ void check_tftp_listeners(time_t now)
 	      len = tftp_err_oops(daemon->packet, transfer->file->filename);
 	      endcon = 1;
 	    }
-	  /* don't complain about timeout when we're awaiting the last
-	     ACK, some clients never send it */
-	  else if (++transfer->backoff > 7 && len != 0)
+	  else if (++transfer->backoff > 7)
 	    {
-	      endcon = 1;
+	      /* don't complain about timeout when we're awaiting the last
+		 ACK, some clients never send it */
+	      if ((unsigned)len == transfer->blocksize + 4)
+		endcon = 1;
 	      len = 0;
 	    }

 	  if (len != 0)
-	    while(sendto(transfer->sockfd, daemon->packet, len, 0, 
-			 (struct sockaddr *)&transfer->peer, sa_len(&transfer->peer)) == -1 && errno == EINTR);
-	  
+	    send_from(transfer->sockfd, !option_bool(OPT_SINGLE_PORT), daemon->packet, len,
+		      &transfer->peer, &transfer->source, transfer->if_index);
+	  	  
 	  if (endcon || len == 0)
 	    {
 	      strcpy(daemon->namebuff, transfer->file->filename);
 	      sanitise(daemon->namebuff);
+	      (void)prettyprint_addr(&transfer->peer, daemon->addrbuff);
 	      my_syslog(MS_TFTP | LOG_INFO, endcon ? _("failed sending %s to %s") : _("sent %s to %s"), daemon->namebuff, daemon->addrbuff);
 	      /* unlink */
 	      *up = tmp;
@@ -649,15 +644,60 @@ void check_tftp_listeners(time_t now)
      up = &transfer->next;
    }    
 }
+	  
+/* packet in daemon->packet as this is called. */
+static void handle_tftp(time_t now, struct tftp_transfer *transfer, ssize_t len)
+{
+  struct ack {
+    unsigned short op, block;
+  } *mess = (struct ack *)daemon->packet;
+  
+  if (len >= (ssize_t)sizeof(struct ack))
+    {
+      if (ntohs(mess->op) == OP_ACK && ntohs(mess->block) == (unsigned short)transfer->block) 
+	{
+	  /* Got ack, ensure we take the (re)transmit path */
+	  transfer->timeout = now;
+	  transfer->backoff = 0;
+	  if (transfer->block++ != 0)
+	    transfer->offset += transfer->blocksize - transfer->expansion;
+	}
+      else if (ntohs(mess->op) == OP_ERR)
+	{
+	  char *p = daemon->packet + sizeof(struct ack);
+	  char *end = daemon->packet + len;
+	  char *err = next(&p, end);
+	  
+	  (void)prettyprint_addr(&transfer->peer, daemon->addrbuff);
+	  
+	  /* Sanitise error message */
+	  if (!err)
+	    err = "";
+	  else
+	    sanitise(err);
+	  
+	  my_syslog(MS_TFTP | LOG_ERR, _("error %d %s received from %s"),
+		    (int)ntohs(mess->block), err, 
+		    daemon->addrbuff);	
+	  
+	  /* Got err, ensure we take abort */
+	  transfer->timeout = now;
+	  transfer->backoff = 100;
+	}
+    }
+}

 static void free_transfer(struct tftp_transfer *transfer)
 {
-  close(transfer->sockfd);
+  if (!option_bool(OPT_SINGLE_PORT))
+    close(transfer->sockfd);
+
  if (transfer->file && (--transfer->file->refcount) == 0)
    {
      close(transfer->file->fd);
      free(transfer->file);
    }
+  
  free(transfer);
 }

--- a/src/ubus.c
+++ b/src/ubus.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -20,29 +20,114 @@

 #include <libubus.h>

-static struct ubus_context *ubus = NULL;
 static struct blob_buf b;
+static int notify;
+static int error_logged = 0;

 static int ubus_handle_metrics(struct ubus_context *ctx, struct ubus_object *obj,
 			       struct ubus_request_data *req, const char *method,
 			       struct blob_attr *msg);
-static struct ubus_method ubus_object_methods[] = {
-  {.name = "metrics", .handler = ubus_handle_metrics},
+
+static void ubus_subscribe_cb(struct ubus_context *ctx, struct ubus_object *obj);
+
+static const struct ubus_method ubus_object_methods[] = {
+  UBUS_METHOD_NOARG("metrics", ubus_handle_metrics),
 };

-static struct ubus_object_type ubus_object_type = UBUS_OBJECT_TYPE("dnsmasq", ubus_object_methods);
+static struct ubus_object_type ubus_object_type =
+  UBUS_OBJECT_TYPE("dnsmasq", ubus_object_methods);

 static struct ubus_object ubus_object = {
-  .name = "dnsmasq",
+  .name = NULL,
  .type = &ubus_object_type,
  .methods = ubus_object_methods,
  .n_methods = ARRAY_SIZE(ubus_object_methods),
+  .subscribe_cb = ubus_subscribe_cb,
 };

+static void ubus_subscribe_cb(struct ubus_context *ctx, struct ubus_object *obj)
+{
+  (void)ctx;
+
+  my_syslog(LOG_DEBUG, _("UBus subscription callback: %s subscriber(s)"), obj->has_subscribers ? "1" : "0");
+  notify = obj->has_subscribers;
+}
+
+static void ubus_destroy(struct ubus_context *ubus)
+{
+  // Forces re-initialization when we're reusing the same definitions later on.
+  ubus_object.id = 0;
+  ubus_object_type.id = 0;
+
+  ubus_free(ubus);
+  daemon->ubus = NULL;
+}
+
+static void ubus_disconnect_cb(struct ubus_context *ubus)
+{
+  int ret;
+
+  ret = ubus_reconnect(ubus, NULL);
+  if (ret)
+    {
+      my_syslog(LOG_ERR, _("Cannot reconnect to UBus: %s"), ubus_strerror(ret));
+
+      ubus_destroy(ubus);
+    }
+}
+
+void ubus_init()
+{
+  struct ubus_context *ubus = NULL;
+  int ret = 0;
+
+  ubus = ubus_connect(NULL);
+  if (!ubus)
+    {
+      if (!error_logged)
+        {
+          my_syslog(LOG_ERR, _("Cannot initialize UBus: connection failed"));
+          error_logged = 1;
+        }
+
+      ubus_destroy(ubus);
+      return;
+    }
+
+  ubus_object.name = daemon->ubus_name;
+  ret = ubus_add_object(ubus, &ubus_object);
+  if (ret)
+    {
+      if (!error_logged)
+        {
+          my_syslog(LOG_ERR, _("Cannot add object to UBus: %s"), ubus_strerror(ret));
+          error_logged = 1;
+        }
+      ubus_destroy(ubus);
+      return;
+    }
+
+  ubus->connection_lost = ubus_disconnect_cb;
+  daemon->ubus = ubus;
+  error_logged = 0;
+
+  my_syslog(LOG_INFO, _("Connected to system UBus"));
+}
+
 void set_ubus_listeners()
 {
+  struct ubus_context *ubus = (struct ubus_context *)daemon->ubus;
  if (!ubus)
-    return;
+    {
+      if (!error_logged)
+        {
+          my_syslog(LOG_ERR, _("Cannot set UBus listeners: no connection"));
+          error_logged = 1;
+        }
+      return;
+    }
+
+  error_logged = 0;

  poll_listen(ubus->sock.fd, POLLIN);
  poll_listen(ubus->sock.fd, POLLERR);
@@ -51,46 +136,57 @@ void set_ubus_listeners()

 void check_ubus_listeners()
 {
+  struct ubus_context *ubus = (struct ubus_context *)daemon->ubus;
  if (!ubus)
    {
-      ubus = ubus_connect(NULL);
-      if (!ubus)
-	return;
-      ubus_add_object(ubus, &ubus_object);
+      if (!error_logged)
+        {
+          my_syslog(LOG_ERR, _("Cannot poll UBus listeners: no connection"));
+          error_logged = 1;
+        }
+      return;
    }
  
+  error_logged = 0;
+
  if (poll_check(ubus->sock.fd, POLLIN))
    ubus_handle_event(ubus);
  
-  if (poll_check(ubus->sock.fd, POLLHUP))
+  if (poll_check(ubus->sock.fd, POLLHUP | POLLERR))
    {
-      ubus_free(ubus);
-      ubus = NULL;
+      my_syslog(LOG_INFO, _("Disconnecting from UBus"));
+
+      ubus_destroy(ubus);
    }
 }

-
 static int ubus_handle_metrics(struct ubus_context *ctx, struct ubus_object *obj,
 			       struct ubus_request_data *req, const char *method,
 			       struct blob_attr *msg)
 {
  int i;
-  blob_buf_init(&b, 0);

-  for(i=0; i < __METRIC_MAX; i++)
+  (void)obj;
+  (void)method;
+  (void)msg;
+
+  blob_buf_init(&b, BLOBMSG_TYPE_TABLE);
+
+  for (i=0; i < __METRIC_MAX; i++)
    blobmsg_add_u32(&b, get_metric_name(i), daemon->metrics[i]);
  
-  ubus_send_reply(ctx, req, b.head);
-  
-  return 0;
+  return ubus_send_reply(ctx, req, b.head);
 }

 void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface)
 {
-  if (!ubus || !ubus_object.has_subscribers)
+  struct ubus_context *ubus = (struct ubus_context *)daemon->ubus;
+  int ret;
+
+  if (!ubus || !notify)
    return;

-  blob_buf_init(&b, 0);
+  blob_buf_init(&b, BLOBMSG_TYPE_TABLE);
  if (mac)
    blobmsg_add_string(&b, "mac", mac);
  if (ip)
@@ -100,7 +196,9 @@ void ubus_event_bcast(const char *type, const char *mac, const char *ip, const c
  if (interface)
    blobmsg_add_string(&b, "interface", interface);
  
-  ubus_notify(ubus, &ubus_object, type, b.head, -1);
+  ret = ubus_notify(ubus, &ubus_object, type, b.head, -1);
+  if (!ret)
+    my_syslog(LOG_ERR, _("Failed to send UBus event: %s"), ubus_strerror(ret));
 }


--- a/src/util.c
+++ b/src/util.c
@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2020 Simon Kelley

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -30,6 +30,10 @@
 #include <idna.h>
 #endif

+#ifdef HAVE_LINUX_NETWORK
+#include <sys/utsname.h>
+#endif
+
 /* SURF random number generator */

 static u32 seed[32];
@@ -320,13 +324,12 @@ int sockaddr_isequal(union mysockaddr *s1, union mysockaddr *s2)
 	  s1->in.sin_port == s2->in.sin_port &&
 	  s1->in.sin_addr.s_addr == s2->in.sin_addr.s_addr)
 	return 1;
-#ifdef HAVE_IPV6      
+      
      if (s1->sa.sa_family == AF_INET6 &&
 	  s1->in6.sin6_port == s2->in6.sin6_port &&
 	  s1->in6.sin6_scope_id == s2->in6.sin6_scope_id &&
 	  IN6_ARE_ADDR_EQUAL(&s1->in6.sin6_addr, &s2->in6.sin6_addr))
 	return 1;
-#endif
    }
  return 0;
 }
@@ -336,11 +339,9 @@ int sa_len(union mysockaddr *addr)
 #ifdef HAVE_SOCKADDR_SA_LEN
  return addr->sa.sa_len;
 #else
-#ifdef HAVE_IPV6
  if (addr->sa.sa_family == AF_INET6)
    return sizeof(addr->in6);
  else
-#endif
    return sizeof(addr->in); 
 #endif
 }
@@ -437,7 +438,6 @@ int is_same_net(struct in_addr a, struct in_addr b, struct in_addr mask)
  return (a.s_addr & mask.s_addr) == (b.s_addr & mask.s_addr);
 } 

-#ifdef HAVE_IPV6
 int is_same_net6(struct in6_addr *a, struct in6_addr *b, int prefixlen)
 {
  int pfbytes = prefixlen >> 3;
@@ -476,15 +476,12 @@ void setaddr6part(struct in6_addr *addr, u64 host)
    }
 }

-#endif
- 

 /* returns port number from address */
 int prettyprint_addr(union mysockaddr *addr, char *buf)
 {
  int port = 0;
  
-#ifdef HAVE_IPV6
  if (addr->sa.sa_family == AF_INET)
    {
      inet_ntop(AF_INET, &addr->in.sin_addr, buf, ADDRSTRLEN);
@@ -503,10 +500,6 @@ int prettyprint_addr(union mysockaddr *addr, char *buf)
 	}
      port = ntohs(addr->in6.sin6_port);
    }
-#else
-  strcpy(buf, inet_ntoa(addr->in.sin_addr));
-  port = ntohs(addr->in.sin_port); 
-#endif
  
  return port;
 }
@@ -535,20 +528,20 @@ void prettyprint_time(char *buf, unsigned int t)
 int parse_hex(char *in, unsigned char *out, int maxlen, 
 	      unsigned int *wildcard_mask, int *mac_type)
 {
-  int mask = 0, i = 0;
+  int done = 0, mask = 0, i = 0;
  char *r;
    
  if (mac_type)
    *mac_type = 0;
  
-  while (maxlen == -1 || i < maxlen)
+  while (!done && (maxlen == -1 || i < maxlen))
    {
      for (r = in; *r != 0 && *r != ':' && *r != '-' && *r != ' '; r++)
 	if (*r != '*' && !isxdigit((unsigned char)*r))
 	  return -1;
      
      if (*r == 0)
-	maxlen = i;
+	done = 1;
      
      if (r != in )
 	{
@@ -716,6 +709,47 @@ int read_write(int fd, unsigned char *packet, int size, int rw)
  return 1;
 }

+/* close all fds except STDIN, STDOUT and STDERR, spare1, spare2 and spare3 */
+void close_fds(long max_fd, int spare1, int spare2, int spare3) 
+{
+  /* On Linux, use the /proc/ filesystem to find which files
+     are actually open, rather than iterate over the whole space,
+     for efficiency reasons. If this fails we drop back to the dumb code. */
+#ifdef HAVE_LINUX_NETWORK 
+  DIR *d;
+  
+  if ((d = opendir("/proc/self/fd")))
+    {
+      struct dirent *de;
+
+      while ((de = readdir(d)))
+	{
+	  long fd;
+	  char *e = NULL;
+	  
+	  errno = 0;
+	  fd = strtol(de->d_name, &e, 10);
+	  	  
+      	  if (errno != 0 || !e || *e || fd == dirfd(d) ||
+	      fd == STDOUT_FILENO || fd == STDERR_FILENO || fd == STDIN_FILENO ||
+	      fd == spare1 || fd == spare2 || fd == spare3)
+	    continue;
+	  
+	  close(fd);
+	}
+      
+      closedir(d);
+      return;
+  }
+#endif
+
+  /* fallback, dumb code. */
+  for (max_fd--; max_fd >= 0; max_fd--)
+    if (max_fd != STDOUT_FILENO && max_fd != STDERR_FILENO && max_fd != STDIN_FILENO &&
+	max_fd != spare1 && max_fd != spare2 && max_fd != spare3)
+      close(max_fd);
+}
+
 /* Basically match a string value against a wildcard pattern.  */
 int wildcard_match(const char* wildcard, const char* match)
 {
@@ -752,3 +786,22 @@ int wildcard_matchn(const char* wildcard, const char* match, int num)

  return (!num) || (*wildcard == *match);
 }
+
+#ifdef HAVE_LINUX_NETWORK
+int kernel_version(void)
+{
+  struct utsname utsname;
+  int version;
+  char *split;
+  
+  if (uname(&utsname) < 0)
+    die(_("failed to find kernel version: %s"), NULL, EC_MISC);
+  
+  split = strtok(utsname.release, ".");
+  version = (split ? atoi(split) : 0);
+  split = strtok(NULL, ".");
+  version = version * 256 + (split ? atoi(split) : 0);
+  split = strtok(NULL, ".");
+  return version * 256 + (split ? atoi(split) : 0);
+}
+#endif
--- a/trust-anchors.conf
+++ b/trust-anchors.conf
@@ -1,9 +1,8 @@
-# The root DNSSEC trust anchor, valid as at 10/02/2017
+# The root DNSSEC trust anchor, valid as at 11/01/2019

 # Note that this is a DS record (ie a hash of the root Zone Signing Key) 
 # If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml

-trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
 trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
				`@@ -0,0 +1 @@`
				`debian/dnsmasq.runscript name=dnsmasq,logscript,presubj`