Add --nftset option, like --ipset but for the newer nftables.

Thanks to Chen Zhenge for the original patch, which I've
reworked. Any bugs down to SRK.

CHANGELOG

@@ -1,6 +1,17 @@
+version 2.87
+        Allow arbitrary prefix lengths in --rev-server and
+	--domain=....,local
+
+	Replace --address=/#/..... functionality which got
+	missed in the 2.86 domain search rewrite.
+
+	Add --nftset option, like --ipset but for the newer nftables.
+	Thanks to Chen Zhenge for the patch.
+	
+	
 version 2.86
 	Handle DHCPREBIND requests in the DHCPv6 server code.
-	Thanks to Aichun Li for spotting this ommision, and the initial
+	Thanks to Aichun Li for spotting this omission, and the initial
 	patch.
 
 	Fix bug which caused dnsmasq to lose track of processes forked
@@ -33,7 +44,7 @@ version 2.86
 	address=/example.com/1.2.3.4
 	address=/example.com/5.6.7.8
 	It also handles multiple upstream servers for a domain better; using
-	the same try/retry alogrithms as non domain-specific servers. This
+	the same try/retry algorithms as non domain-specific servers. This
 	also applies to DNSSEC-generated queries.
 	Finally, some of the oldest and gnarliest code in dnsmasq has had
 	a significant clean-up. It's far from perfect, but it _is_ better.
@@ -76,6 +87,25 @@ version 2.86
 	Disallowed queries are not forwarded; they are rejected
 	with a REFUSED error code.
 
+	Allow smaller than 64 prefix lengths in synth-domain, with caveats.
+	--synth-domain=1234:4567::/56,example.com is now valid.
+
+	Make domains generated by --synth-domain appear in replies
+	when in authoritative mode.
+
+	Ensure CAP_NET_ADMIN capability is available when
+	conntrack is configured. Thanks to Yick Xie for spotting
+	the lack of this.
+
+	When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are
+	given a directory as argument, define the order in which
+	files within that directory are read (alphabetical order
+	of filename). Thanks to Ed Wildgoose for the initial patch
+	and motivation for this.
+
+	Allow adding IP address to nftables set in addition to
+	ipset.
+
 	
 version 2.85
         Fix problem with DNS retries in 2.83/2.84.
@@ -147,6 +177,9 @@ version 2.85
 	Tweak TFTP code to check sender of all received packets, as
 	specified in RFC 1350 para 4.
 
+	Support some wildcard matching of input tags to --tag-if.
+	Thanks to Geoff Back for the idea and the patch.
+
 	
 version 2.84
 	Fix a problem, introduced in 2.83, which could see DNS replies

Makefile

@@ -70,6 +70,7 @@ nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CO
                                                         HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`
 gmp_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
 sunos_libs =    `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
+nft_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_NFTSET $(PKG_CONFIG) --libs libnftables` 
 version =     -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
 
 sum?=$(shell $(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ')
@@ -82,7 +83,7 @@ objs = cache.o rfc1035.o util.o option.o forward.o network.o \
        dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \
        domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
        poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
-       metrics.o hash-questions.o domain-match.o
+       metrics.o hash-questions.o domain-match.o nftset.o
 
 hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
        dns-protocol.h radv-protocol.h ip6addr.h metrics.h
@@ -91,7 +92,7 @@ all : $(BUILDDIR)
 	@cd $(BUILDDIR) && $(MAKE) \
  top="$(top)" \
  build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
- build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs)" \
+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs) $(nft_libs)" \
  -f $(top)/Makefile dnsmasq 
 
 mostly_clean :
@@ -116,7 +117,7 @@ all-i18n : $(BUILDDIR)
  top="$(top)" \
  i18n=-DLOCALEDIR=\'\"$(LOCALEDIR)\"\' \
  build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
- build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs)"  \
+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) $(ubus_libs) $(nft_libs)"  \
  -f $(top)/Makefile dnsmasq
 	for f in `cd $(PO); echo *.po`; do \
 		cd $(top) && cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile $${f%.po}.mo; \

contrib/lease-tools/dhcp_lease_time.c

@@ -153,7 +153,11 @@ int main(int argc, char **argv)
       exit(1);
     }
  
-  lease.s_addr = inet_addr(argv[1]);
+  if (inet_pton(AF_INET, argv[1], &lease) < 1)
+    {
+      fprintf(stderr, "invalid address: %s\n", argv[1]);
+      exit(1);
+    }
    
   memset(&packet, 0, sizeof(packet));
  
@@ -176,8 +180,8 @@ int main(int argc, char **argv)
   
   *(p++) = OPTION_END;
  
-  dest.sin_family = AF_INET; 
-  dest.sin_addr.s_addr = inet_addr("127.0.0.1");
+  dest.sin_family = AF_INET;
+  (void)inet_pton(AF_INET, "127.0.0.1", &dest.sin_addr);
   dest.sin_port = ntohs(DHCP_SERVER_PORT);
   
   if (sendto(fd, &packet, sizeof(packet), 0, 

contrib/lease-tools/dhcp_release.c

@@ -280,6 +280,7 @@ int main(int argc, char **argv)
   
   /* This voodoo fakes up a packet coming from the correct interface, which really matters for 
      a DHCP server */
+  memset(&ifr, 0, sizeof(ifr));
   strncpy(ifr.ifr_name, argv[1], sizeof(ifr.ifr_name)-1);
   ifr.ifr_name[sizeof(ifr.ifr_name)-1] = '\0';
   if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof(ifr)) == -1)
@@ -288,13 +289,12 @@ int main(int argc, char **argv)
       exit(1);
     }
   
-  if (inet_addr(argv[2]) == INADDR_NONE)
+  if (inet_pton(AF_INET, argv[2], &lease.s_addr) < 1)
     {
       perror("invalid ip address");
       exit(1);
     }
   
-  lease.s_addr = inet_addr(argv[2]);
   server = find_interface(lease, nl, if_nametoindex(argv[1]), fd, &ifr);
   
   memset(&packet, 0, sizeof(packet));

contrib/lease-tools/dhcp_release6.c

@@ -318,6 +318,12 @@ void usage(const char* arg, FILE* stream)
   fprintf (stream, "Usage: %s %s\n", arg, usage_string);   
 }
 
+static void fail_fatal(const char *errstr, int exitcode)
+{
+  perror(errstr);
+  exit(exitcode);
+}
+
 int send_release_packet(const char* iface, struct dhcp6_packet* packet)
 {
   struct sockaddr_in6 server_addr, client_addr;
@@ -343,18 +349,19 @@ int send_release_packet(const char* iface, struct dhcp6_packet* packet)
     client_addr.sin6_port = htons(DHCP6_CLIENT_PORT);
     client_addr.sin6_flowinfo = 0;
     client_addr.sin6_scope_id =0;
-    inet_pton(AF_INET6, "::", &client_addr.sin6_addr);
-    bind(sock, (struct sockaddr*)&client_addr, sizeof(struct sockaddr_in6));
-    inet_pton(AF_INET6, DHCP6_MULTICAST_ADDRESS, &server_addr.sin6_addr);
+    if (inet_pton(AF_INET6, "::", &client_addr.sin6_addr) <= 0)
+      fail_fatal("inet_pton", 5);
+    if (bind(sock, (struct sockaddr*)&client_addr, sizeof(struct sockaddr_in6)) != 0)
+      perror("bind"); /* continue on bind error */
+    if (inet_pton(AF_INET6, DHCP6_MULTICAST_ADDRESS, &server_addr.sin6_addr) <= 0)
+      fail_fatal("inet_pton", 5);
     server_addr.sin6_port = htons(DHCP6_SERVER_PORT);
-    int16_t recv_size = 0;
+    ssize_t recv_size = 0;
+    int result;
     for (i = 0; i < 5; i++)
       {
         if (sendto(sock, packet->buf, packet->len, 0, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0)
-	  {
-	    perror("sendto failed");
-            exit(4);
-	  }
+	  fail_fatal("sendto failed", 4);
 	
         recv_size = recvfrom(sock, response, sizeof(response), MSG_DONTWAIT, NULL, 0);
         if (recv_size == -1)
@@ -367,16 +374,18 @@ int send_release_packet(const char* iface, struct dhcp6_packet* packet)
 	    else
 	      {
                 perror("recvfrom");
+		result = UNSPEC_FAIL;
 	      }
 	  }
-	
-        int16_t result = parse_packet(response, recv_size);
-        if (result == NOT_REPLY_CODE)
+	else
 	  {
-            sleep(1);
-            continue;
+	    result = parse_packet(response, recv_size);
+	    if (result == NOT_REPLY_CODE)
+	      {
+		sleep(1);
+		continue;
+	      }
 	  }
-
         close(sock);
         return result;
       }

debian/changelog

@@ -1,3 +1,9 @@
+dnsmasq (2.87-1) unstable; urgency=low
+
+   * New upstream.
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Wed, 08 Sep 2021 23:11:25 +0000
+
 dnsmasq (2.86-1) unstable; urgency=low
 
    * Fix debian/changelog format error. (closes: #986626)

dnsmasq.conf.example

@@ -85,6 +85,16 @@
 # subdomains to the vpn and search ipsets:
 #ipset=/yahoo.com/google.com/vpn,search
 
+# Add the IPs of all queries to yahoo.com, google.com, and their
+# subdomains to netfilters sets, which is equivalent to
+# 'nft add element ip test vpn { ... }; nft add element ip test search { ... }'
+#nftset=/yahoo.com/google.com/ip#test#vpn,ip#test#search
+
+# Use netfilters sets for both IPv4 and IPv6:
+# This adds all addresses in *.yahoo.com to vpn4 and vpn6 for IPv4 and IPv6 addresses.
+#nftset=/yahoo.com/4#ip#test#vpn4
+#nftset=/yahoo.com/6#ip#test#vpn6
+
 # You can control how dnsmasq talks to a server: this forces
 # queries to 10.1.2.3 to be routed via eth1
 # server=10.1.2.3@eth1

man/dnsmasq.8

@@ -1,4 +1,4 @@
-.TH DNSMASQ 8 2020-04-05
+.TH DNSMASQ 8 2021-08-16
 .SH NAME
 dnsmasq \- A lightweight DHCP and caching DNS server.
 .SH SYNOPSIS
@@ -55,7 +55,8 @@ Don't read the hostnames in /etc/hosts.
 .B \-H, --addn-hosts=<file>
 Additional hosts file. Read the specified file as well as /etc/hosts. If \fB--no-hosts\fP is given, read
 only the specified file. This option may be repeated for more than one
-additional hosts file. If a directory is given, then read all the files contained in that directory. 
+additional hosts file. If a directory is given, then read all the files contained in that directory
+in alphabetical order.
 .TP
 .B --hostsdir=<path>
 Read all the hosts files contained in the directory. New or changed files
@@ -327,8 +328,8 @@ are re-written. So
 maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
 .TP 
 .B \-B, --bogus-nxdomain=<ipaddr>[/prefix]
-Transform replies which contain the IP specified address or subnet into "No such
-domain" replies. This is intended to counteract a devious move made by
+Transform replies which contain the specified address or subnet into "No such
+domain" replies. IPv4 and IPv6 are supported. This is intended to counteract a devious move made by
 Verisign in September 2003 when they started returning the address of
 an advertising web page in response to queries for unregistered names,
 instead of the correct NXDOMAIN response. This option tells dnsmasq to
@@ -336,7 +337,7 @@ fake the correct response when it sees this behaviour. As at Sept 2003
 the IP address being returned by Verisign is 64.94.110.11
 .TP 
 .B --ignore-address=<ipaddr>[/prefix]
-Ignore replies to A-record queries which include the specified address or subnet. 
+Ignore replies to A or AAAA queries which include the specified address or subnet. 
 No error is generated, dnsmasq simply continues to listen for another reply. 
 This is useful to defeat blocking strategies which rely on quickly supplying a
 forged answer to a DNS request for certain domain, before the correct answer can arrive.
@@ -460,13 +461,22 @@ repeated domain or ipaddr parts as required.
 More specific domains take precedence over less specific domains, so:
 .B --server=/google.com/1.2.3.4
 .B --server=/www.google.com/2.3.4.5
-will send queries for *.google.com to 1.2.3.4, except *www.google.com,
-which will go to 2.3.4.5
+will send queries for google.com and gmail.google.com to 1.2.3.4, but www.google.com
+will go to 2.3.4.5
+
+Matching of domains is normally done on complete labels, so /google.com/ matches google.com and www.google.com
+but NOT supergoogle.com. This can be overridden with a * at the start of a pattern only: /*google.com/
+will match google.com and www.google.com AND supergoogle.com. The non-wildcard form has priority, so
+if /google.com/ and /*google.com/ are both specified then google.com and www.google.com will match /google.com/
+and /*google.com/ will only match supergoogle.com.
+
+For historical reasons, the pattern /.google.com/ is equivalent to /google.com/ if you wish to match any subdomain
+of google.com but NOT google.com itself, use /*.google.com/
 
 The special server address '#' means, "use the standard servers", so
 .B --server=/google.com/1.2.3.4
 .B --server=/www.google.com/#
-will send queries for *.google.com to 1.2.3.4, except *www.google.com which will
+will send queries for google.com and its subdomains to 1.2.3.4, except www.google.com (and its subdomains) which will
 be forwarded as usual.
 
 Also permitted is a -S
@@ -495,13 +505,14 @@ source address specified but the port may be specified directly as
 part of the source address. Forcing queries to an interface is not
 implemented on all platforms supported by dnsmasq.
 .TP
-.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<interface>][@<source-ip>[#<port>]]
+.B --rev-server=<ip-address>[/<prefix-len>][,<ipaddr>][#<port>][@<interface>][@<source-ip>[#<port>]]
 This is functionally the same as 
 .B --server, 
 but provides some syntactic sugar to make specifying address-to-name queries easier. For example
 .B --rev-server=1.2.3.0/24,192.168.0.1
 is exactly equivalent to 
 .B --server=/3.2.1.in-addr.arpa/192.168.0.1
+Allowed prefix lengths are 1-32 (IPv4) and 1-128 (IPv6). If the prefix length is omitted, dnsmasq substitutes either 32 (IPv4) or 128 (IPv6).
 .TP
 .B \-A, --address=/<domain>[/<domain>...]/[<ipaddr>]
 Specify an IP address to return for any host in the given domains.
@@ -539,6 +550,15 @@ These IP sets must already exist. See
 .BR ipset (8)
 for more details.
 .TP
+.B --nftset=/<domain>[/<domain>...]/[(6|4)#[<family>#]<table>#<set>[,[(6|4)#[<family>#]<table>#<set>]...]
+Similar to the \fB--ipset\fP option, but accepts one or more nftables 
+sets to add IP addresses into.
+These sets must already exist. See
+.BR nft (8)
+for more details. The family, table and set are passed directly to the nft. If the spec starts with 4# or 6# then
+only A or AAAA records respectively are added to the set. Since an nftset can hold only IPv4 or IPv6 addresses, this
+avoids errors being logged for addresses of the wrong type.
+.TP
 .B --connmark-allowlist-enable[=<mask>]
 Enables filtering of incoming DNS queries with associated Linux connection track marks
 according to individual allowlists configured via a series of \fB--connmark-allowlist\fP
@@ -696,7 +716,8 @@ configured a zero is added in front of the label. ::1 becomes 0--1.
 V4 mapped IPv6 addresses, which have a representation like ::ffff:1.2.3.4 are handled specially, and become like 0--ffff-1-2-3-4
 
 The address range can be of the form
-<ip address>,<ip address> or <ip address>/<netmask> in both forms of the option.
+<start address>,<end address> or <ip address>/<prefix-length> in both forms of the option. For IPv6 the start and end addresses
+must fall in the same /64 network, or prefix-length must be greater than or equal to 64 except that shorter prefix lengths than 64 are allowed only if non-sequential names are in use.
 .TP
 .B --dumpfile=<path/to/file>
 Specify the location of a pcap-format file which dnsmasq uses to dump copies of network packets for debugging purposes. If the file exists when dnsmasq starts, it is not deleted; new packets are added to the end.
@@ -895,7 +916,7 @@ compiled in and the kernel must have conntrack support
 included and configured. This option cannot be combined with
 .B --query-port.
 .TP
-.B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-addr>|<mode>][,<netmask>[,<broadcast>]][,<lease time>]
+.B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-addr>|<mode>[,<netmask>[,<broadcast>]]][,<lease time>]
 .TP
 .B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-IPv6addr>[,<end-IPv6addr>|constructor:<interface>][,<mode>][,<prefix-len>][,<lease time>]
 
@@ -1025,7 +1046,7 @@ is also included, as described in RFC-3775 section 7.3.
 tells dnsmasq to advertise the prefix without the on-link (aka L) bit set.
 
 .TP
-.B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][tag:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
+.B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,tag:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
 Specify per host parameters for the DHCP server. This allows a machine
 with a particular hardware address to be always allocated the same
 hostname, IP address and lease time. A hostname specified like this
@@ -1124,7 +1145,10 @@ ignore requests from unknown machines using
 If the host matches only a \fB--dhcp-host\fP directive which cannot
 be used because it specifies an address on different subnet, the tag "known-othernet" is set.
 
-The tag:<tag> construct filters which dhcp-host directives are used. Tagged directives are used in preference to untagged ones.
+The tag:<tag> construct filters which dhcp-host directives are used; more than
+one can be provided, in this case the request must match all of them. Tagged
+directives are used in preference to untagged ones. Note that one of <hwaddr>,
+<client_id> or <hostname> still needs to be specified (can be a wildcard).
 
 Ethernet addresses (but not client-ids) may have
 wildcard bytes, so for example 
@@ -1155,7 +1179,7 @@ has both wired and wireless interfaces.
 .TP
 .B --dhcp-hostsfile=<path>
 Read DHCP host information from the specified file. If a directory
-is given, then read all the files contained in that directory. The file contains 
+is given, then read all the files contained in that directory in alphabetical order. The file contains 
 information about one host per line. The format of a line is the same
 as text to the right of '=' in \fB--dhcp-host\fP. The advantage of storing DHCP host information
 in this file is that it can be changed without re-starting dnsmasq:
@@ -1163,7 +1187,7 @@ the file will be re-read when dnsmasq receives SIGHUP.
 .TP
 .B --dhcp-optsfile=<path>
 Read DHCP option information from the specified file.  If a directory
-is given, then read all the files contained in that directory. The advantage of 
+is given, then read all the files contained in that directory in alphabetical order. The advantage of 
 using this option is the same as for \fB--dhcp-hostsfile\fP: the
 \fB--dhcp-optsfile\fP will be re-read when dnsmasq receives SIGHUP. Note that
 it is possible to encode the information in a
@@ -1178,7 +1202,8 @@ directory, and not an individual file. Changed or new files within
 the directory are read automatically, without the need to send SIGHUP.
 If a file is deleted or changed after it has been read by dnsmasq, then the
 host record it contained will remain until dnsmasq receives a SIGHUP, or 
-is restarted; ie host records are only added dynamically.
+is restarted; ie host records are only added dynamically. The order in which the
+files in a directory are read is not defined.
 .TP
 .B --dhcp-optsdir=<path>
 This is equivalent to \fB--dhcp-optsfile\fP, with the differences noted for \fB--dhcp-hostsdir\fP.
@@ -1423,6 +1448,12 @@ Any number of set: and tag: forms may appear, in any order.
 tag set by another
 .B --tag-if,
 the line which sets the tag must precede the one which tests it.
+
+As an extension, the tag:<tag> clauses support limited wildcard matching,
+similar to the matching in the \fB--interface\fP directive.  This allows, for
+example, using \fB--tag-if=set:ppp,tag:ppp*\fP to set the tag 'ppp' for all requests
+received on any matching interface (ppp0, ppp1, etc).  This can be used in conjunction
+with the tag:!<tag> format meaning that no tag matching the wildcard may be set.
 .TP
 .B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
 When all the given tags appear in the tag set ignore the host and do
@@ -1603,10 +1634,11 @@ tried. This flag disables this check. Use with caution.
 Extra logging for DHCP: log all the options sent to DHCP clients and
 the tags used to determine them.
 .TP
-.B --quiet-dhcp, --quiet-dhcp6, --quiet-ra
+.B --quiet-dhcp, --quiet-dhcp6, --quiet-ra, --quiet-tftp
 Suppress logging of the routine operation of these protocols. Errors and
-problems will still be logged. \fB--quiet-dhcp\fP and quiet-dhcp6 are
-over-ridden by \fB--log-dhcp\fP.
+problems will still be logged. \fB--quiet-tftp\fP does not consider file not
+found to be an error. \fB--quiet-dhcp\fP and quiet-dhcp6 are over-ridden by
+\fB--log-dhcp\fP.
 .TP
 .B \-l, --dhcp-leasefile=<path>
 Use the specified file to store DHCP lease information.
@@ -1904,7 +1936,6 @@ additional flag "local" may be supplied which has the effect of adding
 is identical to
 .B --domain=thekelleys.org.uk,192.168.0.0/24
 .B --local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/
-The network size must be 8, 16 or 24 for this to be legal.
 .TP
 .B --dhcp-fqdn
 In the default mode, dnsmasq inserts the unqualified names of
@@ -2408,6 +2439,10 @@ following data is used to populate the authoritative zone.
 .B --mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record, --caa-record,
 as long as the record names are in the authoritative domain.
 .PP
+.B --synth-domain
+as long as the domain is in the authoritative zone and, for
+reverse (PTR) queries, the address is in the relevant subnet.
+.PP
 .B --cname
 as long as the record name is in  the authoritative domain. If the
 target of the CNAME is unqualified, then it  is qualified with the

src/auth.c

@@ -105,7 +105,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
   int nameoffset, axfroffset = 0;
   int q, anscount = 0, authcount = 0;
   struct crec *crecp;
-  int  auth = !local_query, trunc = 0, nxdomain = 1, soa = 0, ns = 0, axfr = 0;
+  int  auth = !local_query, trunc = 0, nxdomain = 1, soa = 0, ns = 0, axfr = 0, out_of_zone = 0;
   struct auth_zone *zone = NULL;
   struct addrlist *subnet = NULL;
   char *cut;
@@ -146,6 +146,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
       if (qclass != C_IN)
 	{
 	  auth = 0;
+	  out_of_zone = 1;
 	  continue;
 	}
 
@@ -159,6 +160,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  
 	  if (!zone)
 	    {
+	      out_of_zone = 1;
 	      auth = 0;
 	      continue;
 	    }
@@ -208,7 +210,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      if (local_query || in_zone(zone, intr->name, NULL))
 		{	
 		  found = 1;
-		  log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL);
+		  log_query(flag | F_REVERSE | F_CONFIG, intr->name, &addr, NULL, 0);
 		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					  daemon->auth_ttl, NULL,
 					  T_PTR, C_IN, "d", intr->name))
@@ -232,7 +234,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		      strcat(name, ".");
 		      strcat(name, zone->domain);
 		    }
-		  log_query(flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid));
+		  log_query(flag | F_DHCP | F_REVERSE, name, &addr, record_source(crecp->uid), 0);
 		  found = 1;
 		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					  daemon->auth_ttl, NULL,
@@ -241,7 +243,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		}
 	      else if (crecp->flags & (F_DHCP | F_HOSTS) && (local_query || in_zone(zone, name, NULL)))
 		{
-		  log_query(crecp->flags & ~F_FORWARD, name, &addr, record_source(crecp->uid));
+		  log_query(crecp->flags & ~F_FORWARD, name, &addr, record_source(crecp->uid), 0);
 		  found = 1;
 		  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					  daemon->auth_ttl, NULL,
@@ -253,10 +255,21 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		    
 	    } while ((crecp = cache_find_by_addr(crecp, &addr, now, flag)));
 
+	  if (!found && is_rev_synth(flag, &addr, name) && (local_query || in_zone(zone, name, NULL)))
+	    {
+	      log_query(F_CONFIG | F_REVERSE | flag, name, &addr, NULL, 0);
+	      found = 1;
+	      
+	      if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+				      daemon->auth_ttl, NULL,
+				      T_PTR, C_IN, "d", name))
+		anscount++;
+	    }
+
 	  if (found)
 	    nxdomain = 0;
 	  else
-	    log_query(flag | F_NEG | F_NXDOMAIN | F_REVERSE | (auth ? F_AUTH : 0), NULL, &addr, NULL);
+	    log_query(flag | F_NEG | F_NXDOMAIN | F_REVERSE | (auth ? F_AUTH : 0), NULL, &addr, NULL, 0);
 
 	  continue;
 	}
@@ -273,6 +286,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  
 	  if (!zone)
 	    {
+	      out_of_zone = 1;
 	      auth = 0;
 	      continue;
 	    }
@@ -286,7 +300,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    if (rc == 2 && qtype == T_MX)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>"); 
+		log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>", 0);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, T_MX, C_IN, "sd", rec->weight, rec->target))
 		  anscount++;
@@ -301,7 +315,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    if (rc == 2 && qtype == T_SRV)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, "<SRV>"); 
+		log_query(F_CONFIG | F_RRNAME, name, NULL, "<SRV>", 0);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, T_SRV, C_IN, "sssd", 
 					rec->priority, rec->weight, rec->srvport, rec->target))
@@ -335,7 +349,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    if (rc == 2 && txt->class == qtype)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, querystr(NULL, txt->class)); 
+		log_query(F_CONFIG | F_RRNAME, name, NULL, NULL, txt->class);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, txt->class, C_IN, "t", txt->len, txt->txt))
 		  anscount++;
@@ -349,7 +363,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    if (rc == 2 && qtype == T_TXT)
 	      {
 		found = 1;
-		log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>"); 
+		log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>", 0);
 		if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl,
 					NULL, T_TXT, C_IN, "t", txt->len, txt->txt))
 		  anscount++;
@@ -363,7 +377,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	     if (rc == 2 && qtype == T_NAPTR)
 	       {
 		 found = 1;
-		 log_query(F_CONFIG | F_RRNAME, name, NULL, "<NAPTR>");
+		 log_query(F_CONFIG | F_RRNAME, name, NULL, "<NAPTR>", 0);
 		 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->auth_ttl, 
 					 NULL, T_NAPTR, C_IN, "sszzzd", 
 					 na->order, na->pref, na->flags, na->services, na->regexp, na->replace))
@@ -393,13 +407,23 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		       continue;
 
 		     found = 1;
-		     log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL);
+		     log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL, 0);
 		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					     daemon->auth_ttl, NULL, qtype, C_IN, 
 					     qtype == T_A ? "4" : "6", &addrlist->addr))
 		       anscount++;
 		   }
 	     }
+
+       if (!found && is_name_synthetic(flag, name, &addr) )
+	 {
+	   nxdomain = 0;
+	   
+	   log_query(F_FORWARD | F_CONFIG | flag, name, &addr, NULL, 0);
+	   if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+				   daemon->auth_ttl, NULL, qtype, C_IN, qtype == T_A ? "4" : "6", &addr))
+	     anscount++;
+	 }
        
       if (!cut)
 	{
@@ -408,8 +432,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  if (qtype == T_SOA)
 	    {
 	      auth = soa = 1; /* inhibits auth section */
-	      found = 1;
-	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<SOA>");
+	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<SOA>", 0);
 	    }
       	  else if (qtype == T_AXFR)
 	    {
@@ -444,16 +467,14 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      soa = 1; /* inhibits auth section */
 	      ns = 1; /* ensure we include NS records! */
 	      axfr = 1;
-	      found = 1;
 	      axfroffset = nameoffset;
-	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<AXFR>");
+	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<AXFR>", 0);
 	    }
       	  else if (qtype == T_NS)
 	    {
 	      auth = 1;
 	      ns = 1; /* inhibits auth section */
-	      found = 1;
-	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<NS>"); 
+	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<NS>", 0);
 	    }
 	}
       
@@ -471,9 +492,8 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 			(local_query || filter_zone(zone, flag, &(crecp->addr))))
 		      {
 			*cut = '.'; /* restore domain part */
-			log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid));
+			log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid), 0);
 			*cut  = 0; /* remove domain part */
-			found = 1;
 			if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 						daemon->auth_ttl, NULL, qtype, C_IN, 
 						qtype == T_A ? "4" : "6", &crecp->addr))
@@ -493,8 +513,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		 nxdomain = 0;
 		 if ((crecp->flags & flag) && (local_query || filter_zone(zone, flag, &(crecp->addr))))
 		   {
-		     log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid));
-		     found = 1;
+		     log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid), 0);
 		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					     daemon->auth_ttl, NULL, qtype, C_IN, 
 					     qtype == T_A ? "4" : "6", &crecp->addr))
@@ -541,7 +560,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  
 	  if (candidate)
 	    {
-	      log_query(F_CONFIG | F_CNAME, name, NULL, NULL);
+	      log_query(F_CONFIG | F_CNAME, name, NULL, NULL, 0);
 	      strcpy(name, candidate->target);
 	      if (!strchr(name, '.'))
 		{
@@ -559,7 +578,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  else if (cache_find_non_terminal(name, now))
 	    nxdomain = 0;
 
-	  log_query(flag | F_NEG | (nxdomain ? F_NXDOMAIN : 0) | F_FORWARD | F_AUTH, name, NULL, NULL);
+	  log_query(flag | F_NEG | (nxdomain ? F_NXDOMAIN : 0) | F_FORWARD | F_AUTH, name, NULL, NULL, 0);
 	}
       
     }
@@ -589,7 +608,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      if (subnet->prefixlen >= 16 )
 		p += sprintf(p, "%u.", a & 0xff);
 	      a = a >> 8;
-	      p += sprintf(p, "%u.in-addr.arpa", a & 0xff);
+	      sprintf(p, "%u.in-addr.arpa", a & 0xff);
 	      
 	    }
 	  else
@@ -602,7 +621,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  int dig = ((unsigned char *)&subnet->addr.addr6)[i>>3];
 		  p += sprintf(p, "%.1x.", (i>>2) & 1 ? dig & 15 : dig >> 4);
 		}
-	      p += sprintf(p, "ip6.arpa");
+	      sprintf(p, "ip6.arpa");
 	      
 	    }
 	}
@@ -855,10 +874,22 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
     SET_RCODE(header, NXDOMAIN);
   else
     SET_RCODE(header, NOERROR); /* no error */
+  
   header->ancount = htons(anscount);
   header->nscount = htons(authcount);
   header->arcount = htons(0);
 
+  if (!local_query && out_of_zone)
+    {
+      SET_RCODE(header, REFUSED); 
+      header->ancount = htons(0);
+      header->nscount = htons(0);
+      addr.log.rcode = REFUSED;
+      addr.log.ede = EDE_NOT_AUTH;
+      log_query(F_UPSTREAM | F_RCODE, "error", &addr, NULL, 0);
+      return resize_packet(header,  ansp - (unsigned char *)header, NULL, 0);
+    }
+  
   /* Advertise our packet size limit in our reply */
   if (have_pseudoheader)
     return add_pseudoheader(header,  ansp - (unsigned char *)header, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);

src/blockdata.c

@@ -52,7 +52,7 @@ void blockdata_init(void)
 
 void blockdata_report(void)
 {
-  my_syslog(LOG_INFO, _("pool memory in use %u, max %u, allocated %u"), 
+  my_syslog(LOG_INFO, _("pool memory in use %zu, max %zu, allocated %zu"), 
 	    blockdata_count * sizeof(struct blockdata),  
 	    blockdata_hwm * sizeof(struct blockdata),  
 	    blockdata_alloced * sizeof(struct blockdata));

src/cache.c

@@ -30,50 +30,100 @@ static struct crec *really_insert(char *name, union all_addr *addr, unsigned sho
 				  time_t now,  unsigned long ttl, unsigned int flags);
 
 /* type->string mapping: this is also used by the name-hash function as a mixing table. */
+/* taken from https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml */
 static const struct {
   unsigned int type;
   const char * const name;
 } typestr[] = {
-  { 1,   "A" },
-  { 2,   "NS" },
-  { 5,   "CNAME" },
-  { 6,   "SOA" },
-  { 10,  "NULL" },
-  { 11,  "WKS" },
-  { 12,  "PTR" },
-  { 13,  "HINFO" },	
-  { 15,  "MX" },
-  { 16,  "TXT" },
-  { 22,  "NSAP" },
-  { 23,  "NSAP_PTR" },
-  { 24,  "SIG" },
-  { 25,  "KEY" },
-  { 28,  "AAAA" },
-  { 29,  "LOC" },
-  { 33,  "SRV" },
-  { 35,  "NAPTR" },
-  { 36,  "KX" },
-  { 37,  "CERT" },
-  { 38,  "A6" },
-  { 39,  "DNAME" },
-  { 41,  "OPT" },
-  { 43,  "DS" },
-  { 46,  "RRSIG" },
-  { 47,  "NSEC" },
-  { 48,  "DNSKEY" },
-  { 50,  "NSEC3" },
-  { 51,  "NSEC3PARAM" },
-  { 52,  "TLSA" },
-  { 53,  "SMIMEA" },
-  { 55,  "HIP" },
-  { 249, "TKEY" },
-  { 250, "TSIG" },
-  { 251, "IXFR" },
-  { 252, "AXFR" },
-  { 253, "MAILB" },
-  { 254, "MAILA" },
-  { 255, "ANY" },
-  { 257, "CAA" }
+  { 1,   "A" }, /* a host address [RFC1035] */
+  { 2,   "NS" }, /* an authoritative name server [RFC1035] */
+  { 3,   "MD" }, /* a mail destination (OBSOLETE - use MX) [RFC1035] */
+  { 4,   "MF" }, /* a mail forwarder (OBSOLETE - use MX) [RFC1035] */
+  { 5,   "CNAME" }, /* the canonical name for an alias [RFC1035] */
+  { 6,   "SOA" }, /* marks the start of a zone of authority [RFC1035] */
+  { 7,   "MB" }, /* a mailbox domain name (EXPERIMENTAL) [RFC1035] */
+  { 8,   "MG" }, /* a mail group member (EXPERIMENTAL) [RFC1035] */
+  { 9,   "MR" }, /* a mail rename domain name (EXPERIMENTAL) [RFC1035] */
+  { 10,  "NULL" }, /* a null RR (EXPERIMENTAL) [RFC1035] */
+  { 11,  "WKS" }, /* a well known service description [RFC1035] */
+  { 12,  "PTR" }, /* a domain name pointer [RFC1035] */
+  { 13,  "HINFO" }, /* host information [RFC1035] */
+  { 14,  "MINFO" }, /* mailbox or mail list information [RFC1035] */
+  { 15,  "MX" }, /* mail exchange [RFC1035] */
+  { 16,  "TXT" }, /* text strings [RFC1035] */
+  { 17,  "RP" }, /* for Responsible Person [RFC1183] */
+  { 18,  "AFSDB" }, /* for AFS Data Base location [RFC1183][RFC5864] */
+  { 19,  "X25" }, /* for X.25 PSDN address [RFC1183] */
+  { 20,  "ISDN" }, /* for ISDN address [RFC1183] */
+  { 21,  "RT" }, /* for Route Through [RFC1183] */
+  { 22,  "NSAP" }, /* for NSAP address, NSAP style A record [RFC1706] */
+  { 23,  "NSAP_PTR" }, /* for domain name pointer, NSAP style [RFC1348][RFC1637][RFC1706] */
+  { 24,  "SIG" }, /* for security signature [RFC2535][RFC2536][RFC2537][RFC2931][RFC3008][RFC3110][RFC3755][RFC4034] */
+  { 25,  "KEY" }, /* for security key [RFC2535][RFC2536][RFC2537][RFC2539][RFC3008][RFC3110][RFC3755][RFC4034] */
+  { 26,  "PX" }, /* X.400 mail mapping information [RFC2163] */
+  { 27,  "GPOS" }, /* Geographical Position [RFC1712] */
+  { 28,  "AAAA" }, /* IP6 Address [RFC3596] */
+  { 29,  "LOC" }, /* Location Information [RFC1876] */
+  { 30,  "NXT" }, /* Next Domain (OBSOLETE) [RFC2535][RFC3755] */
+  { 31,  "EID" }, /* Endpoint Identifier [Michael_Patton][http://ana-3.lcs.mit.edu/~jnc/nimrod/dns.txt] 1995-06*/
+  { 32,  "NIMLOC" }, /* Nimrod Locator [1][Michael_Patton][http://ana-3.lcs.mit.edu/~jnc/nimrod/dns.txt] 1995-06*/
+  { 33,  "SRV" }, /* Server Selection [1][RFC2782] */
+  { 34,  "ATMA" }, /* ATM Address [ ATM Forum Technical Committee, "ATM Name System, V2.0", Doc ID: AF-DANS-0152.000, July 2000. Available from and held in escrow by IANA.] */
+  { 35,  "NAPTR" }, /* Naming Authority Pointer [RFC2168][RFC2915][RFC3403] */
+  { 36,  "KX" }, /* Key Exchanger [RFC2230] */
+  { 37,  "CERT" }, /* CERT [RFC4398] */
+  { 38,  "A6" }, /* A6 (OBSOLETE - use AAAA) [RFC2874][RFC3226][RFC6563] */
+  { 39,  "DNAME" }, /* DNAME [RFC6672] */
+  { 40,  "SINK" }, /* SINK [Donald_E_Eastlake][http://tools.ietf.org/html/draft-eastlake-kitchen-sink] 1997-11*/
+  { 41,  "OPT" }, /* OPT [RFC3225][RFC6891] */
+  { 42,  "APL" }, /* APL [RFC3123] */
+  { 43,  "DS" }, /* Delegation Signer [RFC3658][RFC4034] */
+  { 44,  "SSHFP" }, /* SSH Key Fingerprint [RFC4255] */
+  { 45,  "IPSECKEY" }, /* IPSECKEY [RFC4025] */
+  { 46,  "RRSIG" }, /* RRSIG [RFC3755][RFC4034] */
+  { 47,  "NSEC" }, /* NSEC [RFC3755][RFC4034][RFC9077] */
+  { 48,  "DNSKEY" }, /* DNSKEY [RFC3755][RFC4034] */
+  { 49,  "DHCID" }, /* DHCID [RFC4701] */
+  { 50,  "NSEC3" }, /* NSEC3 [RFC5155][RFC9077] */
+  { 51,  "NSEC3PARAM" }, /* NSEC3PARAM [RFC5155] */
+  { 52,  "TLSA" }, /* TLSA [RFC6698] */
+  { 53,  "SMIMEA" }, /* S/MIME cert association [RFC8162] SMIMEA/smimea-completed-template 2015-12-01*/
+  { 55,  "HIP" }, /* Host Identity Protocol [RFC8005] */
+  { 56,  "NINFO" }, /* NINFO [Jim_Reid] NINFO/ninfo-completed-template 2008-01-21*/
+  { 57,  "RKEY" }, /* RKEY [Jim_Reid] RKEY/rkey-completed-template 2008-01-21*/
+  { 58,  "TALINK" }, /* Trust Anchor LINK [Wouter_Wijngaards] TALINK/talink-completed-template 2010-02-17*/
+  { 59,  "CDS" }, /* Child DS [RFC7344] CDS/cds-completed-template 2011-06-06*/
+  { 60,  "CDNSKEY" }, /* DNSKEY(s) the Child wants reflected in DS [RFC7344] 2014-06-16*/
+  { 61,  "OPENPGPKEY" }, /* OpenPGP Key [RFC7929] OPENPGPKEY/openpgpkey-completed-template 2014-08-12*/
+  { 62,  "CSYNC" }, /* Child-To-Parent Synchronization [RFC7477] 2015-01-27*/
+  { 63,  "ZONEMD" }, /* Message Digest Over Zone Data [RFC8976] ZONEMD/zonemd-completed-template 2018-12-12*/
+  { 64,  "SVCB" }, /* Service Binding [draft-ietf-dnsop-svcb-https-00] SVCB/svcb-completed-template 2020-06-30*/
+  { 65,  "HTTPS" }, /* HTTPS Binding [draft-ietf-dnsop-svcb-https-00] HTTPS/https-completed-template 2020-06-30*/
+  { 99,  "SPF" }, /* [RFC7208] */
+  { 100, "UINFO" }, /* [IANA-Reserved] */
+  { 101, "UID" }, /* [IANA-Reserved] */
+  { 102, "GID" }, /* [IANA-Reserved] */
+  { 103, "UNSPEC" }, /* [IANA-Reserved] */
+  { 104, "NID" }, /* [RFC6742] ILNP/nid-completed-template */
+  { 105, "L32" }, /* [RFC6742] ILNP/l32-completed-template */
+  { 106, "L64" }, /* [RFC6742] ILNP/l64-completed-template */
+  { 107, "LP" }, /* [RFC6742] ILNP/lp-completed-template */
+  { 108, "EUI48" }, /* an EUI-48 address [RFC7043] EUI48/eui48-completed-template 2013-03-27*/
+  { 109, "EUI64" }, /* an EUI-64 address [RFC7043] EUI64/eui64-completed-template 2013-03-27*/
+  { 249, "TKEY" }, /* Transaction Key [RFC2930] */
+  { 250, "TSIG" }, /* Transaction Signature [RFC8945] */
+  { 251, "IXFR" }, /* incremental transfer [RFC1995] */
+  { 252, "AXFR" }, /* transfer of an entire zone [RFC1035][RFC5936] */
+  { 253, "MAILB" }, /* mailbox-related RRs (MB, MG or MR) [RFC1035] */
+  { 254, "MAILA" }, /* mail agent RRs (OBSOLETE - see MX) [RFC1035] */
+  { 255, "ANY" }, /* A request for some or all records the server has available [RFC1035][RFC6895][RFC8482] */
+  { 256, "URI" }, /* URI [RFC7553] URI/uri-completed-template 2011-02-22*/
+  { 257, "CAA" }, /* Certification Authority Restriction [RFC8659] CAA/caa-completed-template 2011-04-07*/
+  { 258, "AVC" }, /* Application Visibility and Control [Wolfgang_Riedel] AVC/avc-completed-template 2016-02-26*/
+  { 259, "DOA" }, /* Digital Object Architecture [draft-durand-doa-over-dns] DOA/doa-completed-template 2017-08-30*/
+  { 260, "AMTRELAY" }, /* Automatic Multicast Tunneling Relay [RFC8777] AMTRELAY/amtrelay-completed-template 2019-02-06*/
+  { 32768,  "TA" }, /* DNSSEC Trust Authorities [Sam_Weiler][http://cameo.library.cmu.edu/][ Deploying DNSSEC Without a Signed Root. Technical Report 1999-19, Information Networking Institute, Carnegie Mellon University, April 2004.] 2005-12-13*/
+  { 32769,  "DLV" }, /* DNSSEC Lookaside Validation (OBSOLETE) [RFC8749][RFC4431] */
 };
 
 static void cache_free(struct crec *crecp);
@@ -433,7 +483,7 @@ static struct crec *cache_scan_free(char *name, union all_addr *addr, unsigned s
 	  else if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) &&
 		   (flags & crecp->flags & F_REVERSE) && 
 		   (flags & crecp->flags & (F_IPV4 | F_IPV6)) &&
-		   memcmp(&crecp->addr, addr, addrlen) == 0)
+		   addr && memcmp(&crecp->addr, addr, addrlen) == 0)
 	    {
 	      *up = crecp->hash_next;
 	      cache_unlink(crecp);
@@ -488,8 +538,6 @@ struct crec *cache_insert(char *name, union all_addr *addr, unsigned short class
   else
 #endif
     {
-      /* Don't log DNSSEC records here, done elsewhere */
-      log_query(flags | F_UPSTREAM, name, addr, NULL);
       if (daemon->max_cache_ttl != 0 && daemon->max_cache_ttl < ttl)
 	ttl = daemon->max_cache_ttl;
       if (daemon->min_cache_ttl != 0 && daemon->min_cache_ttl > ttl)
@@ -1549,7 +1597,8 @@ static void make_non_terminals(struct crec *source)
       if (crecp)
 	{
 	  crecp->flags = (source->flags | F_NAMEP) & ~(F_IPV4 | F_IPV6 | F_CNAME | F_SRV | F_DNSKEY | F_DS | F_REVERSE);
-	  crecp->ttd = source->ttd;
+	  if (!(crecp->flags & F_IMMORTAL))
+	    crecp->ttd = source->ttd;
 	  crecp->name.namep = name;
 	  
 	  cache_hash(crecp);
@@ -1602,18 +1651,18 @@ int cache_make_stat(struct txt_record *t)
     case TXT_STAT_SERVERS:
       /* sum counts from different records for same server */
       for (serv = daemon->servers; serv; serv = serv->next)
-	serv->flags &= ~SERV_COUNTED;
+	serv->flags &= ~SERV_MARK;
       
       for (serv = daemon->servers; serv; serv = serv->next)
-	if (!(serv->flags & SERV_COUNTED))
+	if (!(serv->flags & SERV_MARK))
 	  {
 	    char *new, *lenp;
 	    int port, newlen, bytes_avail, bytes_needed;
 	    unsigned int queries = 0, failed_queries = 0;
 	    for (serv1 = serv; serv1; serv1 = serv1->next)
-	      if (!(serv1->flags & SERV_COUNTED) && sockaddr_isequal(&serv->addr, &serv1->addr))
+	      if (!(serv1->flags & SERV_MARK) && sockaddr_isequal(&serv->addr, &serv1->addr))
 		{
-		  serv1->flags |= SERV_COUNTED;
+		  serv1->flags |= SERV_MARK;
 		  queries += serv1->queries;
 		  failed_queries += serv1->failed_queries;
 		}
@@ -1641,6 +1690,7 @@ int cache_make_stat(struct txt_record *t)
 	  }
       t->txt = (unsigned char *)buff;
       t->len = p - buff;
+
       return 1;
     }
   
@@ -1683,24 +1733,24 @@ void dump_cache(time_t now)
 
   /* sum counts from different records for same server */
   for (serv = daemon->servers; serv; serv = serv->next)
-    serv->flags &= ~SERV_COUNTED;
+    serv->flags &= ~SERV_MARK;
   
   for (serv = daemon->servers; serv; serv = serv->next)
-    if (!(serv->flags & SERV_COUNTED))
+    if (!(serv->flags & SERV_MARK))
       {
 	int port;
 	unsigned int queries = 0, failed_queries = 0;
 	for (serv1 = serv; serv1; serv1 = serv1->next)
-	  if (!(serv1->flags & SERV_COUNTED) && sockaddr_isequal(&serv->addr, &serv1->addr))
+	  if (!(serv1->flags & SERV_MARK) && sockaddr_isequal(&serv->addr, &serv1->addr))
 	    {
-	      serv1->flags |= SERV_COUNTED;
+	      serv1->flags |= SERV_MARK;
 	      queries += serv1->queries;
 	      failed_queries += serv1->failed_queries;
 	    }
 	port = prettyprint_addr(&serv->addr, daemon->addrbuff);
 	my_syslog(LOG_INFO, _("server %s#%d: queries sent %u, retried or failed %u"), daemon->addrbuff, port, queries, failed_queries);
       }
-  
+
   if (option_bool(OPT_DEBUG) || option_bool(OPT_LOG))
     {
       struct crec *cache ;
@@ -1806,7 +1856,7 @@ char *record_source(unsigned int index)
   return "<unknown>";
 }
 
-char *querystr(char *desc, unsigned short type)
+static char *querystr(char *desc, unsigned short type)
 {
   unsigned int i;
   int len = 10; /* strlen("type=xxxxx") */
@@ -1854,25 +1904,70 @@ char *querystr(char *desc, unsigned short type)
 	  if (types)
 	    sprintf(buff, "<%s>", types);
 	  else
-	    sprintf(buff, "type=%d", type);
+	    sprintf(buff, "<type=%d>", type);
 	}
     }
   
   return buff ? buff : "";
 }
 
-void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg)
+static char *edestr(int ede)
 {
-  char *source, *dest = daemon->addrbuff;
+  switch (ede)
+    {
+    case EDE_OTHER:                       return "other";
+    case EDE_USUPDNSKEY:                  return "unsupported DNSKEY algorithm";
+    case EDE_USUPDS:                      return "unsupported DS digest";
+    case EDE_STALE:                       return "stale answer";
+    case EDE_FORGED:                      return "forged";
+    case EDE_DNSSEC_IND:                  return "DNSSEC indeterminate";
+    case EDE_DNSSEC_BOGUS:                return "DNSSEC bogus";
+    case EDE_SIG_EXP:                     return "DNSSEC signature expired";
+    case EDE_SIG_NYV:                     return "DNSSEC sig not yet valid";
+    case EDE_NO_DNSKEY:                   return "DNSKEY missing";
+    case EDE_NO_RRSIG:                    return "RRSIG missing";
+    case EDE_NO_ZONEKEY:                  return "no zone key bit set";
+    case EDE_NO_NSEC:                     return "NSEC(3) missing";
+    case EDE_CACHED_ERR:                  return "cached error";
+    case EDE_NOT_READY:                   return "not ready";
+    case EDE_BLOCKED:                     return "blocked";
+    case EDE_CENSORED:                    return "censored";
+    case EDE_FILTERED:                    return "filtered";
+    case EDE_PROHIBITED:                  return "prohibited";
+    case EDE_STALE_NXD:                   return "stale NXDOMAIN";
+    case EDE_NOT_AUTH:                    return "not authoritative";
+    case EDE_NOT_SUP:                     return "not supported";
+    case EDE_NO_AUTH:                     return "no reachable authority";
+    case EDE_NETERR:                      return "network error";
+    case EDE_INVALID_DATA:                return "invalid data";
+    default:                              return "unknown";
+    }
+}
+
+void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg, unsigned short type)
+{
+  char *source, *dest = arg;
   char *verb = "is";
+  char *extra = "";
   
   if (!option_bool(OPT_LOG))
     return;
 
+  /* build query type string if requested */
+  if(type > 0)
+    arg = querystr(arg, type);
+
+#ifdef HAVE_DNSSEC
+  if ((flags & F_DNSSECOK) && option_bool(OPT_EXTRALOG))
+    extra = " (DNSSEC signed)";
+#endif
+
   name = sanitise(name);
 
   if (addr)
     {
+      dest = daemon->addrbuff;
+
       if (flags & F_KEYTAG)
 	sprintf(daemon->addrbuff, arg, addr->log.keytag, addr->log.algo, addr->log.digest);
       else if (flags & F_RCODE)
@@ -1887,14 +1982,19 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg)
 	    dest = "not implemented";
 	  else
 	    sprintf(daemon->addrbuff, "%u", rcode);
+
+	  if (addr->log.ede != EDE_UNSET)
+	    {
+	      extra = daemon->addrbuff;
+	      sprintf(extra, " (EDE: %s)", edestr(addr->log.ede));
+	    }
 	}
-      else
+      else if (flags & (F_IPV4 | F_IPV6))
 	inet_ntop(flags & F_IPV4 ? AF_INET : AF_INET6,
 		  addr, daemon->addrbuff, ADDRSTRLEN);
-      
+      else
+	dest = arg;
     }
-  else
-    dest = arg;
 
   if (flags & F_REVERSE)
     {
@@ -1932,7 +2032,15 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg)
   else if (flags & F_UPSTREAM)
     source = "reply";
   else if (flags & F_SECSTAT)
-    source = "validation";
+    {
+      if (addr && addr->log.ede != EDE_UNSET && option_bool(OPT_EXTRALOG))
+	{
+	  extra = daemon->addrbuff;
+	  sprintf(extra, " (EDE: %s)", edestr(addr->log.ede));
+	}
+      source = "validation";
+      dest = arg;
+    }
   else if (flags & F_AUTH)
     source = "auth";
   else if (flags & F_SERVER)
@@ -1952,7 +2060,7 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg)
     }
   else if (flags & F_IPSET)
     {
-      source = "ipset add";
+      source = type ? "ipset add" : "nftset add";
       dest = name;
       name = arg;
       verb = daemon->addrbuff;
@@ -1960,19 +2068,19 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg)
   else
     source = "cached";
   
-  if (strlen(name) == 0)
+  if (name && !name[0])
     name = ".";
 
   if (option_bool(OPT_EXTRALOG))
     {
       if (flags & F_NOEXTRA)
-	my_syslog(LOG_INFO, "%u %s %s %s %s", daemon->log_display_id, source, name, verb, dest);
+	my_syslog(LOG_INFO, "%u %s %s %s %s%s", daemon->log_display_id, source, name, verb, dest, extra);
       else
 	{
 	   int port = prettyprint_addr(daemon->log_source_addr, daemon->addrbuff2);
-	   my_syslog(LOG_INFO, "%u %s/%u %s %s %s %s", daemon->log_display_id, daemon->addrbuff2, port, source, name, verb, dest);
+	   my_syslog(LOG_INFO, "%u %s/%u %s %s %s %s%s", daemon->log_display_id, daemon->addrbuff2, port, source, name, verb, dest, extra);
 	}
     }
   else
-    my_syslog(LOG_INFO, "%s %s %s %s", source, name, verb, dest);
+    my_syslog(LOG_INFO, "%s %s %s %s%s", source, name, verb, dest, extra);
 }

src/config.h

@@ -115,6 +115,10 @@ HAVE_IPSET
     define this to include the ability to selectively add resolved ip addresses
     to given ipsets.
 
+HAVE_NFTSET
+    define this to include the ability to selectively add resolved ip addresses
+    to given nftables sets.
+
 HAVE_AUTH
    define this to include the facility to act as an authoritative DNS
    server for one or more zones.
@@ -192,7 +196,7 @@ RESOLVFILE
 /* #define HAVE_CONNTRACK */
 /* #define HAVE_CRYPTOHASH */
 /* #define HAVE_DNSSEC */
-
+/* #define HAVE_NFTSET */
 
 /* Default locations for important system files. */
 
@@ -420,6 +424,10 @@ static char *compile_opts =
 "no-"
 #endif
 "ipset "
+#ifndef HAVE_NFTSET
+"no-"
+#endif
+"nftset "
 #ifndef HAVE_AUTH
 "no-"
 #endif

src/dbus.c

@@ -114,7 +114,7 @@ static dbus_bool_t add_watch(DBusWatch *watch, void *data)
   w->next = daemon->watches;
   daemon->watches = w;
 
-  w = data; /* no warning */
+  (void)data; /* no warning */
   return TRUE;
 }
 
@@ -134,16 +134,20 @@ static void remove_watch(DBusWatch *watch, void *data)
 	up = &(w->next);
     }
 
-  w = data; /* no warning */
+  (void)data; /* no warning */
 }
 
-static void dbus_read_servers(DBusMessage *message)
+static DBusMessage* dbus_read_servers(DBusMessage *message)
 {
   DBusMessageIter iter;
   union  mysockaddr addr, source_addr;
   char *domain;
   
-  dbus_message_iter_init(message, &iter);
+  if (!dbus_message_iter_init(message, &iter))
+    {
+      return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS,
+                                    "Failed to initialize dbus message iter");
+    }
 
   mark_servers(SERV_FROM_DBUS);
   
@@ -215,13 +219,14 @@ static void dbus_read_servers(DBusMessage *message)
 	  domain = NULL;
 	
 	if (!skip)
-	  add_update_server(SERV_FROM_DBUS, &addr, &source_addr, NULL, domain);
+	  add_update_server(SERV_FROM_DBUS, &addr, &source_addr, NULL, domain, NULL);
      
       } while (dbus_message_iter_get_arg_type(&iter) == DBUS_TYPE_STRING); 
     }
    
   /* unlink and free anything still marked. */
   cleanup_servers();
+  return NULL;
 }
 
 #ifdef HAVE_LOOP
@@ -276,7 +281,7 @@ static DBusMessage* dbus_read_servers_ex(DBusMessage *message, int strings)
     {
       const char *str = NULL;
       union  mysockaddr addr, source_addr;
-      int flags = 0;
+      u16 flags = 0;
       char interface[IF_NAMESIZE];
       char *str_addr, *str_domain = NULL;
 
@@ -361,10 +366,6 @@ static DBusMessage* dbus_read_servers_ex(DBusMessage *message, int strings)
 	  strcpy(str_addr, str);
 	}
 
-      memset(&addr, 0, sizeof(addr));
-      memset(&source_addr, 0, sizeof(source_addr));
-      memset(&interface, 0, sizeof(interface));
-
       /* parse the IP address */
       if ((addr_err = parse_server(str_addr, &addr, &source_addr, (char *) &interface, &flags)))
 	{
@@ -392,7 +393,7 @@ static DBusMessage* dbus_read_servers_ex(DBusMessage *message, int strings)
 	    else 
 	      p = NULL;
 	    
-	    add_update_server(flags | SERV_FROM_DBUS, &addr, &source_addr, interface, str_domain);
+	    add_update_server(flags | SERV_FROM_DBUS, &addr, &source_addr, interface, str_domain, NULL);
 	  } while ((str_domain = p));
 	}
       else
@@ -407,7 +408,7 @@ static DBusMessage* dbus_read_servers_ex(DBusMessage *message, int strings)
 	      dbus_message_iter_get_basic(&string_iter, &str);
 	    dbus_message_iter_next (&string_iter);
 	    
-	    add_update_server(flags | SERV_FROM_DBUS, &addr, &source_addr, interface, str);
+	    add_update_server(flags | SERV_FROM_DBUS, &addr, &source_addr, interface, str, NULL);
 	  } while (dbus_message_iter_get_arg_type(&string_iter) == DBUS_TYPE_STRING);
 	}
 	 
@@ -416,7 +417,7 @@ static DBusMessage* dbus_read_servers_ex(DBusMessage *message, int strings)
     }
 
   cleanup_servers();
-
+    
   if (dup)
     free(dup);
 
@@ -549,6 +550,10 @@ static DBusMessage *dbus_add_lease(DBusMessage* message)
 					 "Invalid IP address '%s'", ipaddr);
    
   hw_len = parse_hex((char*)hwaddr, dhcp_chaddr, DHCP_CHADDR_MAX, NULL, &hw_type);
+  if (hw_len < 0)
+    return dbus_message_new_error_printf(message, DBUS_ERROR_INVALID_ARGS,
+					 "Invalid HW address '%s'", hwaddr);
+
   if (hw_type == 0 && hw_len != 0)
     hw_type = ARPHRD_ETHER;
   
@@ -672,7 +677,7 @@ DBusHandlerResult message_handler(DBusConnection *connection,
 #endif
   else if (strcmp(method, "SetServers") == 0)
     {
-      dbus_read_servers(message);
+      reply = dbus_read_servers(message);
       new_servers = 1;
     }
   else if (strcmp(method, "SetServersEx") == 0)
@@ -715,7 +720,7 @@ DBusHandlerResult message_handler(DBusConnection *connection,
   if (new_servers)
     {
       my_syslog(LOG_INFO, _("setting upstream servers from DBus"));
-      check_servers();
+      check_servers(0);
       if (option_bool(OPT_RELOAD))
 	clear_cache = 1;
     }
@@ -723,7 +728,7 @@ DBusHandlerResult message_handler(DBusConnection *connection,
   if (clear_cache)
     clear_cache_and_reload(dnsmasq_time());
   
-  method = user_data; /* no warning */
+  (void)user_data; /* no warning */
 
   /* If no reply or no error, return nothing */
   if (!reply)

src/dhcp-common.c

@@ -79,13 +79,46 @@ ssize_t recv_dhcp_packet(int fd, struct msghdr *msg)
   return (msg->msg_flags & MSG_TRUNC) ? -1 : new_sz;
 }
 
+/* like match_netid() except that the check can have a trailing * for wildcard */
+/* started as a direct copy of match_netid() */
+int match_netid_wild(struct dhcp_netid *check, struct dhcp_netid *pool)
+{
+  struct dhcp_netid *tmp1;
+  
+  for (; check; check = check->next)
+    {
+      const int check_len = strlen(check->net);
+      const int is_wc = (check_len > 0 && check->net[check_len - 1] == '*');
+      
+      /* '#' for not is for backwards compat. */
+      if (check->net[0] != '!' && check->net[0] != '#')
+	{
+	  for (tmp1 = pool; tmp1; tmp1 = tmp1->next)
+	    if (is_wc ? (strncmp(check->net, tmp1->net, check_len-1) == 0) :
+		(strcmp(check->net, tmp1->net) == 0))
+	      break;
+	  if (!tmp1)
+	    return 0;
+	}
+      else
+	for (tmp1 = pool; tmp1; tmp1 = tmp1->next)
+	  if (is_wc ? (strncmp((check->net)+1, tmp1->net, check_len-2) == 0) :
+	      (strcmp((check->net)+1, tmp1->net) == 0))
+	    return 0;
+    }
+  return 1;
+}
+
 struct dhcp_netid *run_tag_if(struct dhcp_netid *tags)
 {
   struct tag_if *exprs;
   struct dhcp_netid_list *list;
 
+  /* this now uses match_netid_wild() above so that tag_if can
+   * be used to set a 'group of interfaces' tag.
+   */
   for (exprs = daemon->tag_if; exprs; exprs = exprs->next)
-    if (match_netid(exprs->tag, tags, 1))
+    if (match_netid_wild(exprs->tag, tags))
       for (list = exprs->set; list; list = list->next)
 	{
 	  list->list->next = tags;
@@ -620,6 +653,8 @@ static const struct opttab_t {
   { "client-arch", 93, 2 | OT_DEC },
   { "client-interface-id", 94, 0 },
   { "client-machine-id", 97, 0 },
+  { "posix-timezone", 100, OT_NAME }, /* RFC 4833, Sec. 2 */
+  { "tzdb-timezone", 101, OT_NAME }, /* RFC 4833, Sec. 2 */
   { "subnet-select", 118, OT_INTERNAL },
   { "domain-search", 119, OT_RFC1035_NAME },
   { "sip-server", 120, 0 },

src/dhcp.c

@@ -468,8 +468,11 @@ void dhcp_packet(time_t now, int pxe_fd)
 
   /* This can fail when, eg, iptables DROPS destination 255.255.255.255 */
   if (errno != 0)
-    my_syslog(MS_DHCP | LOG_WARNING, _("Error sending DHCP packet to %s: %s"),
-	      inet_ntoa(dest.sin_addr), strerror(errno));
+    {
+      inet_ntop(AF_INET, &dest.sin_addr, daemon->addrbuff, ADDRSTRLEN);
+      my_syslog(MS_DHCP | LOG_WARNING, _("Error sending DHCP packet to %s: %s"),
+		daemon->addrbuff, strerror(errno));
+    }
 }
 
 /* check against secondary interface addresses */
@@ -521,10 +524,11 @@ static void guess_range_netmask(struct in_addr addr, struct in_addr netmask)
 	    !(is_same_net(addr, context->start, netmask) &&
 	      is_same_net(addr, context->end, netmask)))
 	  {
-	    strcpy(daemon->dhcp_buff, inet_ntoa(context->start));
-	    strcpy(daemon->dhcp_buff2, inet_ntoa(context->end));
+	    inet_ntop(AF_INET, &context->start, daemon->dhcp_buff, DHCP_BUFF_SZ);
+	    inet_ntop(AF_INET, &context->end, daemon->dhcp_buff2, DHCP_BUFF_SZ);
+	    inet_ntop(AF_INET, &netmask, daemon->addrbuff, ADDRSTRLEN);
 	    my_syslog(MS_DHCP | LOG_WARNING, _("DHCP range %s -- %s is not consistent with netmask %s"),
-		      daemon->dhcp_buff, daemon->dhcp_buff2, inet_ntoa(netmask));
+		      daemon->dhcp_buff, daemon->dhcp_buff2, daemon->addrbuff);
 	  }	
 	context->netmask = netmask;
       }
@@ -922,7 +926,7 @@ void dhcp_read_ethers(void)
       
       if (!*cp)
 	{
-	  if ((addr.s_addr = inet_addr(ip)) == (in_addr_t)-1)
+	  if (inet_pton(AF_INET, ip, &addr.s_addr) < 1)
 	    {
 	      my_syslog(MS_DHCP | LOG_ERR, _("bad address at %s line %d"), ETHERSFILE, lineno); 
 	      continue;
@@ -1097,7 +1101,8 @@ static int  relay_upstream4(struct dhcp_relay *relay, struct dhcp_packet *mess,
       if (option_bool(OPT_LOG_OPTS))
 	{
 	  inet_ntop(AF_INET, &relay->local, daemon->addrbuff, ADDRSTRLEN);
-	  my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay %s -> %s"), daemon->addrbuff, inet_ntoa(relay->server.addr4));
+	  inet_ntop(AF_INET, &relay->server.addr4, daemon->dhcp_buff2, DHCP_BUFF_SZ);
+	  my_syslog(MS_DHCP | LOG_INFO, _("DHCP relay %s -> %s"), daemon->addrbuff, daemon->dhcp_buff2);
 	}
       
       /* Save this for replies */

src/dhcp6.c

@@ -292,7 +292,7 @@ void get_client_mac(struct in6_addr *client, int iface, unsigned char *mac, unsi
       if ((maclen = find_mac(&addr, mac, 0, now)) != 0)
 	break;
 	  
-      sendto(daemon->icmp6fd, &neigh, sizeof(neigh), 0, &addr.sa, sizeof(addr));
+      while(retry_send(sendto(daemon->icmp6fd, &neigh, sizeof(neigh), 0, &addr.sa, sizeof(addr))));
       
       ts.tv_sec = 0;
       ts.tv_nsec = 100000000; /* 100ms */

src/dns-protocol.h

@@ -80,10 +80,42 @@
 
 #define EDNS0_OPTION_MAC            65001 /* dyndns.org temporary assignment */
 #define EDNS0_OPTION_CLIENT_SUBNET  8     /* IANA */
+#define EDNS0_OPTION_EDE            15    /* IANA - RFC 8914 */
 #define EDNS0_OPTION_NOMDEVICEID    65073 /* Nominum temporary assignment */
 #define EDNS0_OPTION_NOMCPEID       65074 /* Nominum temporary assignment */
 #define EDNS0_OPTION_UMBRELLA       20292 /* Cisco Umbrella temporary assignment */
 
+/* RFC-8914 extended errors, negative values are our definitions */
+#define EDE_UNSET          -1  /* No extended DNS error available */
+#define EDE_OTHER           0  /* Other */
+#define EDE_USUPDNSKEY      1  /* Unsupported DNSKEY algo */
+#define EDE_USUPDS          2  /* Unsupported DS Digest */
+#define EDE_STALE           3  /* Stale answer */
+#define EDE_FORGED          4  /* Forged answer */
+#define EDE_DNSSEC_IND      5  /* DNSSEC Indeterminate  */
+#define EDE_DNSSEC_BOGUS    6  /* DNSSEC Bogus */
+#define EDE_SIG_EXP         7  /* Signature Expired */
+#define EDE_SIG_NYV         8  /* Signature Not Yet Valid  */
+#define EDE_NO_DNSKEY       9  /* DNSKEY missing */
+#define EDE_NO_RRSIG       10  /* RRSIGs missing */
+#define EDE_NO_ZONEKEY     11  /* No Zone Key Bit Set */
+#define EDE_NO_NSEC        12  /* NSEC Missing  */
+#define EDE_CACHED_ERR     13  /* Cached Error */
+#define EDE_NOT_READY      14  /* Not Ready */
+#define EDE_BLOCKED        15  /* Blocked */
+#define EDE_CENSORED       16  /* Censored */
+#define EDE_FILTERED       17  /* Filtered */
+#define EDE_PROHIBITED     18  /* Prohibited */
+#define EDE_STALE_NXD      19  /* Stale NXDOMAIN */
+#define EDE_NOT_AUTH       20  /* Not Authoritative */
+#define EDE_NOT_SUP        21  /* Not Supported */
+#define EDE_NO_AUTH        22  /* No Reachable Authority */
+#define EDE_NETERR         23  /* Network error */
+#define EDE_INVALID_DATA   24  /* Invalid Data */
+
+
+
+
 struct dns_header {
   u16 id;
   u8  hb3,hb4;

src/dnsmasq.c

@@ -34,7 +34,6 @@ static void poll_resolv(int force, int do_reload, time_t now);
 
 int main (int argc, char **argv)
 {
-  int bind_fallback = 0;
   time_t now;
   struct sigaction sigact;
   struct iname *if_tmp;
@@ -59,6 +58,8 @@ int main (int argc, char **argv)
   int did_bind = 0;
   struct server *serv;
   char *netlink_warn;
+#else
+  int bind_fallback = 0;
 #endif 
 #if defined(HAVE_DHCP) || defined(HAVE_DHCP6)
   struct dhcp_context *context;
@@ -109,7 +110,6 @@ int main (int argc, char **argv)
   daemon->packet_buff_sz = daemon->edns_pktsz + MAXDNAME + RRFIXEDSZ;
   daemon->packet = safe_malloc(daemon->packet_buff_sz);
   
-  daemon->addrbuff = safe_malloc(ADDRSTRLEN);
   if (option_bool(OPT_EXTRALOG))
     daemon->addrbuff2 = safe_malloc(ADDRSTRLEN);
   
@@ -212,8 +212,13 @@ int main (int argc, char **argv)
 #endif
 
 #ifdef HAVE_CONNTRACK
-  if (option_bool(OPT_CONNTRACK) && (daemon->query_port != 0 || daemon->osport))
-    die (_("cannot use --conntrack AND --query-port"), NULL, EC_BADCONF); 
+  if (option_bool(OPT_CONNTRACK))
+    {
+      if (daemon->query_port != 0 || daemon->osport)
+	die (_("cannot use --conntrack AND --query-port"), NULL, EC_BADCONF);
+
+      need_cap_net_admin = 1;
+    }
 #else
   if (option_bool(OPT_CONNTRACK))
     die(_("conntrack support not available: set HAVE_CONNTRACK in src/config.h"), NULL, EC_BADCONF);
@@ -341,6 +346,16 @@ int main (int argc, char **argv)
     }
 #endif
 
+#ifdef HAVE_NFTSET
+  if (daemon->nftsets)
+    {
+      nftset_init();
+#  ifdef HAVE_LINUX_NETWORK
+      need_cap_net_admin = 1;
+#  endif
+    }
+#endif
+
 #if  defined(HAVE_LINUX_NETWORK)
   netlink_warn = netlink_init();
 #elif defined(HAVE_BSD_NETWORK)
@@ -373,7 +388,7 @@ int main (int argc, char **argv)
 	      bindtodevice(bound_device, daemon->dhcpfd);
 	      did_bind = 1;
 	    }
-	  if (daemon->enable_pxe && bound_device)
+	  if (daemon->enable_pxe && bound_device && daemon->pxefd != -1)
 	    {
 	      bindtodevice(bound_device, daemon->pxefd);
 	      did_bind = 1;
@@ -437,8 +452,6 @@ int main (int argc, char **argv)
 #ifdef HAVE_DBUS
     {
       char *err;
-      daemon->dbus = NULL;
-      daemon->watches = NULL;
       if ((err = dbus_init()))
 	die(_("DBus error: %s"), err, EC_MISC);
     }
@@ -450,7 +463,6 @@ int main (int argc, char **argv)
 #ifdef HAVE_UBUS
     {
       char *err;
-      daemon->ubus = NULL;
       if ((err = ubus_init()))
 	die(_("UBus error: %s"), err, EC_MISC);
     }
@@ -919,8 +931,10 @@ int main (int argc, char **argv)
     my_syslog(LOG_WARNING, _("warning: failed to change owner of %s: %s"), 
 	      daemon->log_file, strerror(log_err));
   
+#ifndef HAVE_LINUX_NETWORK
   if (bind_fallback)
     my_syslog(LOG_WARNING, _("setting --bind-interfaces option because of OS limitations"));
+#endif
 
   if (option_bool(OPT_NOWILD))
     warn_bound_listeners();
@@ -1034,7 +1048,7 @@ int main (int argc, char **argv)
     close(err_pipe[1]);
   
   if (daemon->port != 0)
-    check_servers();
+    check_servers(0);
   
   pid = getpid();
 
@@ -1065,14 +1079,15 @@ int main (int argc, char **argv)
       set_dns_listeners();
 
 #ifdef HAVE_DBUS
-      set_dbus_listeners();
+      if (option_bool(OPT_DBUS))
+	set_dbus_listeners();
 #endif
-
+      
 #ifdef HAVE_UBUS
       if (option_bool(OPT_UBUS))
         set_ubus_listeners();
 #endif
-	  
+      
 #ifdef HAVE_DHCP
       if (daemon->dhcp || daemon->relay4)
 	{
@@ -1192,28 +1207,44 @@ int main (int argc, char **argv)
       
 #ifdef HAVE_DBUS
       /* if we didn't create a DBus connection, retry now. */ 
-     if (option_bool(OPT_DBUS) && !daemon->dbus)
+      if (option_bool(OPT_DBUS))
 	{
-	  char *err;
-	  if ((err = dbus_init()))
-	    my_syslog(LOG_WARNING, _("DBus error: %s"), err);
-	  if (daemon->dbus)
-	    my_syslog(LOG_INFO, _("connected to system DBus"));
+	  if (!daemon->dbus)
+	    {
+	      char *err  = dbus_init();
+
+	      if (daemon->dbus)
+		my_syslog(LOG_INFO, _("connected to system DBus"));
+	      else if (err)
+		{
+		  my_syslog(LOG_ERR, _("DBus error: %s"), err);
+		  reset_option_bool(OPT_DBUS); /* fatal error, stop trying. */
+		}
+	    }
+	  
+	  check_dbus_listeners();
 	}
-     check_dbus_listeners();
 #endif
 
 #ifdef HAVE_UBUS
       /* if we didn't create a UBus connection, retry now. */
-     if (option_bool(OPT_UBUS) && !daemon->ubus)
-        {
-	  char *err;
-	  if ((err = ubus_init()))
-	    my_syslog(LOG_WARNING, _("UBus error: %s"), err);
-	  if (daemon->ubus)
-	    my_syslog(LOG_INFO, _("connected to system UBus"));
+      if (option_bool(OPT_UBUS))
+	{
+	  if (!daemon->ubus)
+	    {
+	      char *err = ubus_init();
+
+	      if (daemon->ubus)
+		my_syslog(LOG_INFO, _("connected to system UBus"));
+	      else if (err)
+		{
+		  my_syslog(LOG_ERR, _("UBus error: %s"), err);
+		  reset_option_bool(OPT_UBUS); /* fatal error, stop trying. */
+		}
+	    }
+	  
+	  check_ubus_listeners();
 	}
-     check_ubus_listeners();
 #endif
 
       check_dns_listeners(now);
@@ -1446,7 +1477,7 @@ static void async_event(int pipe, time_t now)
 	      }
 
 	    if (check)
-	      check_servers();
+	      check_servers(0);
 	  }
 
 #ifdef HAVE_DHCP
@@ -1557,7 +1588,7 @@ static void async_event(int pipe, time_t now)
 	  {
 	    /* block in writes until all done */
 	    if ((i = fcntl(daemon->helperfd, F_GETFL)) != -1)
-	      fcntl(daemon->helperfd, F_SETFL, i & ~O_NONBLOCK); 
+	      while(retry_send(fcntl(daemon->helperfd, F_SETFL, i & ~O_NONBLOCK)));
 	    do {
 	      helper_write();
 	    } while (!helper_buf_empty() || do_script_run(now));
@@ -1645,7 +1676,7 @@ static void poll_resolv(int force, int do_reload, time_t now)
 	{
 	  my_syslog(LOG_INFO, _("reading %s"), latest->name);
 	  warned = 0;
-	  check_servers();
+	  check_servers(0);
 	  if (option_bool(OPT_RELOAD) && do_reload)
 	    clear_cache_and_reload(now);
 	}
@@ -1966,7 +1997,7 @@ static void check_dns_listeners(time_t now)
 		 attribute from the listening socket. 
 		 Reset that here. */
 	      if ((flags = fcntl(confd, F_GETFL, 0)) != -1)
-		fcntl(confd, F_SETFL, flags & ~O_NONBLOCK);
+		while(retry_send(fcntl(confd, F_SETFL, flags & ~O_NONBLOCK)));
 	      
 	      buff = tcp_request(confd, now, &tcp_addr, netmask, auth_dns);
 	       

src/dnsmasq.h

@@ -107,6 +107,7 @@ typedef unsigned long long u64;
 #endif
 #include <unistd.h>
 #include <stdio.h>
+#include <stdint.h>
 #include <string.h>
 #include <stdlib.h>
 #include <fcntl.h>
@@ -273,7 +274,8 @@ struct event_desc {
 #define OPT_UMBRELLA       63
 #define OPT_UMBRELLA_DEVID 64
 #define OPT_CMARK_ALST_EN  65
-#define OPT_LAST           66
+#define OPT_QUIET_TFTP     66
+#define OPT_LAST           67
 
 #define OPTION_BITS (sizeof(unsigned int)*8)
 #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
@@ -323,12 +325,14 @@ union all_addr {
   /* for log_query */
   struct {
     unsigned short keytag, algo, digest, rcode;
+    int ede;
   } log;
 };
 
 
 struct bogus_addr {
-  struct in_addr addr, mask;
+  int is6, prefix;
+  union all_addr addr;
   struct bogus_addr *next;
 };
 
@@ -526,23 +530,23 @@ union mysockaddr {
 
 
 /* The actual values here matter, since we sort on them to get records in the order
-   IPv6 addr, IPv4 addr, all zero return, no-data return, send upstream. */
-#define SERV_LITERAL_ADDRESS   1  /* addr is the answer, or NoDATA is the answer, depending on the next three flags */
-#define SERV_ALL_ZEROS         2  /* return all zeros for A and AAAA */
-#define SERV_4ADDR             4  /* addr is IPv4 */
-#define SERV_6ADDR             8  /* addr is IPv6 */
-#define SERV_HAS_SOURCE       16  /* source address defined */
-#define SERV_FOR_NODOTS       32  /* server for names with no domain part only */
-#define SERV_WARNED_RECURSIVE 64  /* avoid warning spam */
-#define SERV_FROM_DBUS       128  /* 1 if source is DBus */
-#define SERV_MARK            256  /* for mark-and-delete */
-#define SERV_COUNTED         512  /* workspace for log code */
-#define SERV_USE_RESOLV     1024  /* forward this domain in the normal way */
-#define SERV_FROM_RESOLV    2048  /* 1 for servers from resolv, 0 for command line. */
-#define SERV_FROM_FILE      4096  /* read from --servers-file */
-#define SERV_LOOP           8192  /* server causes forwarding loop */
-#define SERV_DO_DNSSEC     16384  /* Validate DNSSEC when using this server */
-#define SERV_GOT_TCP       32768  /* Got some data from the TCP connection */
+   IPv6 addr, IPv4 addr, all zero return, resolvconf servers, upstream server, no-data return  */
+#define SERV_LITERAL_ADDRESS    1  /* addr is the answer, or NoDATA is the answer, depending on the next four flags */
+#define SERV_USE_RESOLV         2  /* forward this domain in the normal way */
+#define SERV_ALL_ZEROS          4  /* return all zeros for A and AAAA */
+#define SERV_4ADDR              8  /* addr is IPv4 */
+#define SERV_6ADDR             16  /* addr is IPv6 */
+#define SERV_HAS_SOURCE        32  /* source address defined */
+#define SERV_FOR_NODOTS        64  /* server for names with no domain part only */
+#define SERV_WARNED_RECURSIVE 128  /* avoid warning spam */
+#define SERV_FROM_DBUS        256  /* 1 if source is DBus */
+#define SERV_MARK             512  /* for mark-and-delete and log code */
+#define SERV_WILDCARD        1024  /* domain has leading '*' */ 
+#define SERV_FROM_RESOLV     2048  /* 1 for servers from resolv, 0 for command line. */
+#define SERV_FROM_FILE       4096  /* read from --servers-file */
+#define SERV_LOOP            8192  /* server causes forwarding loop */
+#define SERV_DO_DNSSEC      16384  /* Validate DNSSEC when using this server */
+#define SERV_GOT_TCP        32768  /* Got some data from the TCP connection */
 
 struct serverfd {
   int fd;
@@ -605,6 +609,11 @@ struct serv_local {
   struct server *next;
 };
 
+struct rebind_domain {
+  char *domain;
+  struct rebind_domain *next;
+};
+
 struct ipsets {
   char **sets;
   char *domain;
@@ -686,17 +695,28 @@ struct hostsfile {
 #define DUMP_BOGUS     0x0040
 #define DUMP_SEC_BOGUS 0x0080
 
-
 /* DNSSEC status values. */
-#define STAT_SECURE             1
-#define STAT_INSECURE           2
-#define STAT_BOGUS              3
-#define STAT_NEED_DS            4
-#define STAT_NEED_KEY           5
-#define STAT_TRUNCATED          6
-#define STAT_SECURE_WILDCARD    7
-#define STAT_OK                 8
-#define STAT_ABANDONED          9
+#define STAT_SECURE             0x10000
+#define STAT_INSECURE           0x20000
+#define STAT_BOGUS              0x30000
+#define STAT_NEED_DS            0x40000
+#define STAT_NEED_KEY           0x50000
+#define STAT_TRUNCATED          0x60000
+#define STAT_SECURE_WILDCARD    0x70000
+#define STAT_OK                 0x80000
+#define STAT_ABANDONED          0x90000
+
+#define DNSSEC_FAIL_NYV         0x0001 /* key not yet valid */
+#define DNSSEC_FAIL_EXP         0x0002 /* key expired */
+#define DNSSEC_FAIL_INDET       0x0004 /* indetermined */
+#define DNSSEC_FAIL_NOKEYSUP    0x0008 /* no supported key algo. */
+#define DNSSEC_FAIL_NOSIG       0x0010 /* No RRsigs */
+#define DNSSEC_FAIL_NOZONE      0x0020 /* No Zone bit set */
+#define DNSSEC_FAIL_NONSEC      0x0040 /* No NSEC */
+#define DNSSEC_FAIL_NODSSUP     0x0080 /* no supported DS algo. */
+#define DNSSEC_FAIL_NOKEY       0x0100 /* no DNSKEY */
+
+#define STAT_ISEQUAL(a, b)  (((a) & 0xffff0000) == (b))
 
 #define FREC_NOREBIND           1
 #define FREC_CHECKING_DISABLED  2
@@ -946,10 +966,10 @@ struct dhcp_bridge {
 };
 
 struct cond_domain {
-  char *domain, *prefix;
+  char *domain, *prefix; /* prefix is text-prefix on domain name */
   struct in_addr start, end;
   struct in6_addr start6, end6;
-  int is6, indexed;
+  int is6, indexed, prefixlen;
   struct cond_domain *next;
 }; 
 
@@ -1090,9 +1110,11 @@ extern struct daemon {
   char *lease_change_command;
   struct iname *if_names, *if_addrs, *if_except, *dhcp_except, *auth_peers, *tftp_interfaces;
   struct bogus_addr *bogus_addr, *ignore_addr;
-  struct server *servers, *local_domains, **serverarray, *no_rebind;
-  int serverarraysz;
-  struct ipsets *ipsets;
+  struct server *servers, *servers_tail, *local_domains, **serverarray;
+  struct rebind_domain *no_rebind;
+  int server_has_wildcard;
+  int serverarraysz, serverarrayhwm;
+  struct ipsets *ipsets, *nftsets;
   u32 allowlist_mask;
   struct allowlist *allowlists;
   int log_fac; /* log facility */
@@ -1229,9 +1251,8 @@ extern struct daemon {
 /* cache.c */
 void cache_init(void);
 void next_uid(struct crec *crecp);
-void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg); 
+void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg, unsigned short type); 
 char *record_source(unsigned int index);
-char *querystr(char *desc, unsigned short type);
 int cache_find_non_terminal(char *name, time_t now);
 struct crec *cache_find_by_addr(struct crec *crecp,
 				union all_addr *addr, time_t now, 
@@ -1280,10 +1301,10 @@ unsigned char *skip_questions(struct dns_header *header, size_t plen);
 unsigned char *skip_section(unsigned char *ansp, int count, struct dns_header *header, size_t plen);
 unsigned int extract_request(struct dns_header *header, size_t qlen, 
 			       char *name, unsigned short *typep);
-void setup_reply(struct dns_header *header, unsigned int flags);
+void setup_reply(struct dns_header *header, unsigned int flags, int ede);
 int extract_addresses(struct dns_header *header, size_t qlen, char *name,
-		      time_t now, char **ipsets, int is_sign, int check_rebind,
-		      int no_cache_dnssec, int secure, int *doctored);
+		      time_t now, struct ipsets *ipsets, struct ipsets *nftsets, int is_sign,
+                      int check_rebind, int no_cache_dnssec, int secure, int *doctored);
 #if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
 void report_addresses(struct dns_header *header, size_t len, u32 mark);
 #endif
@@ -1311,6 +1332,7 @@ int in_zone(struct auth_zone *zone, char *name, char **cut);
 #endif
 
 /* dnssec.c */
+#ifdef HAVE_DNSSEC
 size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name, int class, int type, int edns_pktsz);
 int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
 int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
@@ -1319,6 +1341,8 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
 int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen);
 size_t filter_rrsigs(struct dns_header *header, size_t plen);
 int setup_timestamp(void);
+int errflags_to_ede(int status);
+#endif
 
 /* hash_questions.c */
 void hash_questions_init(void);
@@ -1352,6 +1376,7 @@ int hostname_issubdomain(char *a, char *b);
 time_t dnsmasq_time(void);
 int netmask_length(struct in_addr mask);
 int is_same_net(struct in_addr a, struct in_addr b, struct in_addr mask);
+int is_same_net_prefix(struct in_addr a, struct in_addr b, int prefix);
 int is_same_net6(struct in6_addr *a, struct in6_addr *b, int prefixlen);
 u64 addr6part(struct in6_addr *addr);
 void setaddr6part(struct in6_addr *addr, u64 host);
@@ -1414,14 +1439,7 @@ int indextoname(int fd, int index, char *name);
 int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp);
 void pre_allocate_sfds(void);
 int reload_servers(char *fname);
-void mark_servers(int flag);
-void cleanup_servers(void);
-void add_update_server(int flags,
-		       union mysockaddr *addr,
-		       union mysockaddr *source_addr,
-		       const char *interface,
-		       const char *domain);
-void check_servers(void);
+void check_servers(int no_loop_call);
 int enumerate_interfaces(int reset);
 void create_wildcard_listeners(void);
 void create_bound_listeners(int dienow);
@@ -1570,6 +1588,12 @@ void ipset_init(void);
 int add_to_ipset(const char *setname, const union all_addr *ipaddr, int flags, int remove);
 #endif
 
+/* nftset.c */
+#ifdef HAVE_NFTSET
+void nftset_init(void);
+int add_to_nftset(const char *setpath, const union all_addr *ipaddr, int flags, int remove);
+#endif
+
 /* pattern.c */
 #ifdef HAVE_CONNTRACK
 int is_valid_dns_name(const char *value);
@@ -1749,9 +1773,16 @@ int lookup_domain(char *qdomain, int flags, int *lowout, int *highout);
 int filter_servers(int seed, int flags, int *lowout, int *highout);
 int is_local_answer(time_t now, int first, char *name);
 size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header *header,
-			 char *name, char *limit, int first, int last);
+			 char *name, char *limit, int first, int last, int ede);
 int server_samegroup(struct server *a, struct server *b);
 #ifdef HAVE_DNSSEC
 int dnssec_server(struct server *server, char *keyname, int *firstp, int *lastp);
 #endif
- 
+void mark_servers(int flag);
+void cleanup_servers(void);
+int add_update_server(int flags,
+		      union mysockaddr *addr,
+		      union mysockaddr *source_addr,
+		      const char *interface,
+		      const char *domain,
+		      union all_addr *local_addr); 

src/dnssec.c

@@ -215,14 +215,6 @@ static int is_check_date(unsigned long curtime)
     return !daemon->dnssec_no_time_check;
 }
 
-/* Check whether today/now is between date_start and date_end */
-static int check_date_range(unsigned long curtime, u32 date_start, u32 date_end)
-{
-  /* We must explicitly check against wanted values, because of SERIAL_UNDEF */
-  return serial_compare_32(curtime, date_start) == SERIAL_GT
-    && serial_compare_32(curtime, date_end) == SERIAL_LT;
-}
-
 /* Return bytes of canonicalised rrdata one by one.
    Init state->ip with the RR, and state->end with the end of same.
    Init state->op to NULL.
@@ -534,7 +526,8 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
   struct crec *crecp = NULL;
   u16 *rr_desc = rrfilter_desc(type);
   u32 sig_expiration, sig_inception;
-
+  int failflags = DNSSEC_FAIL_NOSIG | DNSSEC_FAIL_NYV | DNSSEC_FAIL_EXP | DNSSEC_FAIL_NOKEYSUP;
+  
   unsigned long curtime = time(0);
   int time_check = is_check_date(curtime);
   
@@ -557,6 +550,8 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
       void *ctx;
       char *name_start;
       u32 nsigttl, ttl, orig_ttl;
+
+      failflags &= ~DNSSEC_FAIL_NOSIG;
       
       p = sigs[j];
       GETLONG(ttl, p);
@@ -574,12 +569,31 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
       if (!extract_name(header, plen, &p, keyname, 1, 0))
 	return STAT_BOGUS;
 
-      if ((time_check && !check_date_range(curtime, sig_inception, sig_expiration)) ||
-	  labels > name_labels ||
-	  !(hash = hash_find(algo_digest_name(algo))) ||
+      if (!time_check)
+	failflags &= ~(DNSSEC_FAIL_NYV | DNSSEC_FAIL_EXP);
+      else
+	{
+	  /* We must explicitly check against wanted values, because of SERIAL_UNDEF */
+	  if (serial_compare_32(curtime, sig_inception) == SERIAL_LT)
+	    continue;
+	  else
+	    failflags &= ~DNSSEC_FAIL_NYV;
+	  
+	  if (serial_compare_32(curtime, sig_expiration) == SERIAL_GT)
+	    continue;
+	  else
+	    failflags &= ~DNSSEC_FAIL_EXP;
+	}
+
+      if (!(hash = hash_find(algo_digest_name(algo))))
+	continue;
+      else
+	failflags &= ~DNSSEC_FAIL_NOKEYSUP;
+      
+      if (labels > name_labels ||
 	  !hash_init(hash, &ctx, &digest))
 	continue;
-
+      
       /* OK, we have the signature record, see if the relevant DNSKEY is in the cache. */
       if (!key && !(crecp = cache_find_by_name(NULL, keyname, now, F_DNSKEY)))
 	return STAT_NEED_KEY;
@@ -710,7 +724,8 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
       
       /* namebuff used for workspace above, restore to leave unchanged on exit */
       p = (unsigned char*)(rrset[0]);
-      extract_name(header, plen, &p, name, 1, 0);
+      if (!extract_name(header, plen, &p, name, 1, 0))
+	return STAT_BOGUS;
 
       if (key)
 	{
@@ -730,7 +745,8 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
 	}
     }
 
-  return STAT_BOGUS;
+  /* If we reach this point, no verifying key was found */
+  return STAT_BOGUS | failflags | DNSSEC_FAIL_NOKEY;
 }
  
 
@@ -751,17 +767,18 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
   unsigned long ttl, sig_ttl;
   struct blockdata *key;
   union all_addr a;
+  int failflags = DNSSEC_FAIL_NOSIG | DNSSEC_FAIL_NODSSUP | DNSSEC_FAIL_NOZONE | DNSSEC_FAIL_NOKEY;
 
   if (ntohs(header->qdcount) != 1 ||
       RCODE(header) == SERVFAIL || RCODE(header) == REFUSED ||
       !extract_name(header, plen, &p, name, 1, 4))
-    return STAT_BOGUS;
+    return STAT_BOGUS | DNSSEC_FAIL_NOKEY;
 
   GETSHORT(qtype, p);
   GETSHORT(qclass, p);
   
   if (qtype != T_DNSKEY || qclass != class || ntohs(header->ancount) == 0)
-    return STAT_BOGUS;
+    return STAT_BOGUS | DNSSEC_FAIL_NOKEY;
 
   /* See if we have cached a DS record which validates this key */
   if (!(crecp = cache_find_by_name(NULL, name, now, F_DS)))
@@ -795,14 +812,17 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
       
       GETSHORT(flags, p);
       if (*p++ != 3)
-	return STAT_BOGUS;
+	return STAT_BOGUS | DNSSEC_FAIL_NOKEY;
       algo = *p++;
       keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
       key = NULL;
       
       /* key must have zone key flag set */
       if (flags & 0x100)
-	key = blockdata_alloc((char*)p, rdlen - 4);
+	{
+	  key = blockdata_alloc((char*)p, rdlen - 4);
+	  failflags &= ~DNSSEC_FAIL_NOZONE;
+	}
       
       p = psave;
       
@@ -823,15 +843,23 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
 	  unsigned char *digest, *ds_digest;
 	  const struct nettle_hash *hash;
 	  int sigcnt, rrcnt;
-
+	  int wire_len;
+	  
 	  if (recp1->addr.ds.algo == algo && 
 	      recp1->addr.ds.keytag == keytag &&
-	      recp1->uid == (unsigned int)class &&
-	      (hash = hash_find(ds_digest_name(recp1->addr.ds.digest))) &&
-	      hash_init(hash, &ctx, &digest))
-	    
+	      recp1->uid == (unsigned int)class)
 	    {
-	      int wire_len = to_wire(name);
+	      failflags &= ~DNSSEC_FAIL_NOKEY;
+	      
+	      if (!(hash = hash_find(ds_digest_name(recp1->addr.ds.digest))))
+		continue;
+	      else
+		failflags &= ~DNSSEC_FAIL_NODSSUP;
+
+	      if (!hash_init(hash, &ctx, &digest))
+		continue;
+	      
+	      wire_len = to_wire(name);
 	      
 	      /* Note that digest may be different between DSs, so 
 		 we can't move this outside the loop. */
@@ -846,12 +874,23 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
 		  (ds_digest = blockdata_retrieve(recp1->addr.ds.keydata, recp1->addr.ds.keylen, NULL)) &&
 		  memcmp(ds_digest, digest, recp1->addr.ds.keylen) == 0 &&
 		  explore_rrset(header, plen, class, T_DNSKEY, name, keyname, &sigcnt, &rrcnt) &&
-		  sigcnt != 0 && rrcnt != 0 &&
-		  validate_rrset(now, header, plen, class, T_DNSKEY, sigcnt, rrcnt, name, keyname, 
-				 NULL, key, rdlen - 4, algo, keytag, &sig_ttl) == STAT_SECURE)
+		  rrcnt != 0)
 		{
-		  valid = 1;
-		  break;
+		  if (sigcnt == 0)
+		    continue;
+		  else
+		    failflags &= ~DNSSEC_FAIL_NOSIG;
+		  
+		  rc = validate_rrset(now, header, plen, class, T_DNSKEY, sigcnt, rrcnt, name, keyname, 
+				      NULL, key, rdlen - 4, algo, keytag, &sig_ttl);
+
+		  failflags &= rc;
+		  
+		  if (STAT_ISEQUAL(rc, STAT_SECURE))
+		    {
+		      valid = 1;
+		      break;
+		    }
 		}
 	    }
 	}
@@ -916,9 +955,9 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
 			  a.log.keytag = keytag;
 			  a.log.algo = algo;
 			  if (algo_digest_name(algo))
-			    log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu");
+			    log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu", 0);
 			  else
-			    log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu (not supported)");
+			    log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu (not supported)", 0);
 			}
 		    }
 		}
@@ -935,8 +974,8 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
       return STAT_OK;
     }
 
-  log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DNSKEY");
-  return STAT_BOGUS;
+  log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DNSKEY", 0);
+  return STAT_BOGUS | failflags;
 }
 
 /* The DNS packet is expected to contain the answer to a DS query
@@ -971,26 +1010,29 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
   else
     rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons, &neg_ttl);
   
-  if (rc == STAT_INSECURE)
+  if (STAT_ISEQUAL(rc, STAT_INSECURE))
     {
       my_syslog(LOG_WARNING, _("Insecure DS reply received for %s, check domain configuration and upstream DNS server DNSSEC support"), name);
-      rc = STAT_BOGUS;
+      log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS - not secure", 0);
+      return STAT_BOGUS | DNSSEC_FAIL_INDET;
     }
   
   p = (unsigned char *)(header+1);
-  extract_name(header, plen, &p, name, 1, 4);
+  if (!extract_name(header, plen, &p, name, 1, 4))
+      return STAT_BOGUS;
+
   p += 4; /* qtype, qclass */
   
   /* If the key needed to validate the DS is on the same domain as the DS, we'll
      loop getting nowhere. Stop that now. This can happen of the DS answer comes
      from the DS's zone, and not the parent zone. */
-  if (rc == STAT_BOGUS || (rc == STAT_NEED_KEY && hostname_isequal(name, keyname)))
+  if (STAT_ISEQUAL(rc, STAT_NEED_KEY) && hostname_isequal(name, keyname))
     {
-      log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS");
+      log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS", 0);
       return STAT_BOGUS;
     }
   
-  if (rc != STAT_SECURE)
+  if (!STAT_ISEQUAL(rc, STAT_SECURE))
     return rc;
    
   if (!neganswer)
@@ -1042,9 +1084,9 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
 		      a.log.algo = algo;
 		      a.log.digest = digest;
 		      if (ds_digest_name(digest) && algo_digest_name(algo))
-			log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu");
+			log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu", 0);
 		      else
-			log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu (not supported)");
+			log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu (not supported)", 0);
 		    } 
 		}
 	      
@@ -1077,7 +1119,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
       
       cache_end_insert();  
       
-      log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, nons ? "no DS/cut" : "no DS");
+      log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, nons ? "no DS/cut" : "no DS", 0);
     }
       
   return STAT_OK;
@@ -1456,7 +1498,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
       if (!(p = skip_name(nsecs[i], header, plen, 15)))
 	return 0; /* bad packet */
       
-      p += 10; /* type, class, TTL, rdlen */
+     p += 10; /* type, class, TTL, rdlen */
       algo = *p++;
       
       if ((hash = hash_find(nsec3_digest_name(algo))))
@@ -1854,7 +1896,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
   
    /* Find all the targets we're looking for answers to.
      The zeroth array element is for the query, subsequent ones
-     for CNAME targets, unless the query is for a CNAME. */
+     for CNAME targets, unless the query is for a CNAME or ANY. */
 
   if (!expand_workspace(&targets, &target_sz, 0))
     return STAT_BOGUS;
@@ -1873,7 +1915,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
   if (qtype == T_RRSIG)
     return STAT_INSECURE;
   
-  if (qtype != T_CNAME)
+  if (qtype != T_CNAME && qtype != T_ANY)
     for (j = ntohs(header->ancount); j != 0; j--) 
       {
 	if (!(p1 = skip_name(p1, header, plen, 10)))
@@ -1959,15 +2001,15 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
 		  if (check_unsigned && i < ntohs(header->ancount))
 		    {
 		      rc = zone_status(name, class1, keyname, now);
-		      if (rc == STAT_SECURE)
-			rc = STAT_BOGUS;
+		      if (STAT_ISEQUAL(rc, STAT_SECURE))
+			rc = STAT_BOGUS | DNSSEC_FAIL_NOSIG;
 		      if (class)
 			*class = class1; /* Class for NEED_DS or NEED_KEY */
 		    }
 		  else 
 		    rc = STAT_INSECURE; 
 		  
-		  if (rc != STAT_INSECURE)
+		  if (!STAT_ISEQUAL(rc, STAT_INSECURE))
 		    return rc;
 		}
 	    }
@@ -1978,7 +2020,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
 	      strcpy(daemon->workspacename, keyname);
 	      rc = zone_status(daemon->workspacename, class1, keyname, now);
 	      
-	      if (rc == STAT_BOGUS || rc == STAT_NEED_KEY || rc == STAT_NEED_DS)
+	      if (STAT_ISEQUAL(rc, STAT_BOGUS) || STAT_ISEQUAL(rc, STAT_NEED_KEY) || STAT_ISEQUAL(rc, STAT_NEED_DS))
 		{
 		  if (class)
 		    *class = class1; /* Class for NEED_DS or NEED_KEY */
@@ -1986,13 +2028,13 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
 		}
 	      
 	      /* Zone is insecure, don't need to validate RRset */
-	      if (rc == STAT_SECURE)
+	      if (STAT_ISEQUAL(rc, STAT_SECURE))
 		{
 		  unsigned long sig_ttl;
 		  rc = validate_rrset(now, header, plen, class1, type1, sigcnt,
 				      rrcnt, name, keyname, &wildname, NULL, 0, 0, 0, &sig_ttl);
 		  
-		  if (rc == STAT_BOGUS || rc == STAT_NEED_KEY || rc == STAT_NEED_DS)
+		  if (STAT_ISEQUAL(rc, STAT_BOGUS) || STAT_ISEQUAL(rc, STAT_NEED_KEY) || STAT_ISEQUAL(rc, STAT_NEED_DS))
 		    {
 		      if (class)
 			*class = class1; /* Class for DS or DNSKEY */
@@ -2025,21 +2067,21 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
 		     Note that we may not yet have validated the NSEC/NSEC3 RRsets. 
 		     That's not a problem since if the RRsets later fail
 		     we'll return BOGUS then. */
-		  if (rc == STAT_SECURE_WILDCARD &&
+		  if (STAT_ISEQUAL(rc, STAT_SECURE_WILDCARD) &&
 		      !prove_non_existence(header, plen, keyname, name, type1, class1, wildname, NULL, NULL))
-		    return STAT_BOGUS;
+		    return STAT_BOGUS | DNSSEC_FAIL_NONSEC;
 
 		  rc = STAT_SECURE;
 		}
 	    }
 	}
 
-      if (rc == STAT_INSECURE)
+      if (STAT_ISEQUAL(rc, STAT_INSECURE))
 	secure = STAT_INSECURE;
     }
 
   /* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */
-  if (secure == STAT_SECURE)
+  if (STAT_ISEQUAL(secure, STAT_SECURE))
     for (j = 0; j <targetidx; j++)
       if ((p2 = targets[j]))
 	{
@@ -2057,16 +2099,16 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
 	    {
 	      /* Empty DS without NSECS */
 	      if (qtype == T_DS)
-		return STAT_BOGUS;
+		return STAT_BOGUS | DNSSEC_FAIL_NONSEC;
 	      
-	      if ((rc = zone_status(name, qclass, keyname, now)) != STAT_SECURE)
+	      if (STAT_ISEQUAL((rc = zone_status(name, qclass, keyname, now)), STAT_SECURE))
 		{
 		  if (class)
 		    *class = qclass; /* Class for NEED_DS or NEED_KEY */
 		  return rc;
 		} 
 	      
-	      return STAT_BOGUS; /* signed zone, no NSECs */
+	      return STAT_BOGUS | DNSSEC_FAIL_NONSEC; /* signed zone, no NSECs */
 	    }
 	}
   
@@ -2130,4 +2172,31 @@ size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char
   return ret;
 }
 
+int errflags_to_ede(int status)
+{
+  /* We can end up with more than one flag set for some errors,
+     so this encodes a rough priority so the (eg) No sig is reported
+     before no-unexpired-sig. */
+
+  if (status & DNSSEC_FAIL_NYV)
+    return EDE_SIG_NYV;
+  else if (status & DNSSEC_FAIL_EXP)
+    return EDE_SIG_EXP;
+  else if (status & DNSSEC_FAIL_NOKEYSUP)
+    return EDE_USUPDNSKEY;
+  else if (status & DNSSEC_FAIL_NOZONE)
+    return EDE_NO_ZONEKEY;
+  else if (status & DNSSEC_FAIL_NOKEY)
+    return EDE_NO_DNSKEY;
+  else if (status & DNSSEC_FAIL_NODSSUP)
+    return EDE_USUPDS;
+  else if (status & DNSSEC_FAIL_NONSEC)
+    return EDE_NO_NSEC;
+  else if (status & DNSSEC_FAIL_INDET)
+    return EDE_DNSSEC_IND;
+  else if (status & DNSSEC_FAIL_NOSIG)
+    return EDE_NO_RRSIG;
+  else
+    return EDE_UNSET;
+}
 #endif /* HAVE_DNSSEC */

src/domain-match.c

@@ -20,49 +20,71 @@ static int order(char *qdomain, size_t qlen, struct server *serv);
 static int order_qsort(const void *a, const void *b);
 static int order_servers(struct server *s, struct server *s2);
 
+/* If the server is USE_RESOLV or LITERAL_ADDRES, it lives on the local_domains chain. */
+#define SERV_IS_LOCAL (SERV_USE_RESOLV | SERV_LITERAL_ADDRESS)
+
 void build_server_array(void)
 {
   struct server *serv;
   int count = 0;
   
   for (serv = daemon->servers; serv; serv = serv->next)
-    count++;
-
-  for (serv = daemon->local_domains; serv; serv = serv->next)
-    count++;
+#ifdef HAVE_LOOP
+    if (!(serv->flags & SERV_LOOP))
+#endif
+      {
+	count++;
+	if (serv->flags & SERV_WILDCARD)
+	  daemon->server_has_wildcard = 1;
+      }
   
-  if (count > daemon->serverarraysz)
+  for (serv = daemon->local_domains; serv; serv = serv->next)
+    {
+      count++;
+      if (serv->flags & SERV_WILDCARD)
+	daemon->server_has_wildcard = 1;
+    }
+  
+  daemon->serverarraysz = count;
+
+  if (count > daemon->serverarrayhwm)
     {
       struct server **new;
 
+      count += 10; /* A few extra without re-allocating. */
+
       if ((new = whine_malloc(count * sizeof(struct server *))))
 	{
 	  if (daemon->serverarray)
 	    free(daemon->serverarray);
 	  
 	  daemon->serverarray = new;
-	  daemon->serverarraysz = count;
+	  daemon->serverarrayhwm = count;
 	}
     }
 
   count = 0;
   
-  for (serv = daemon->servers; serv; serv = serv->next, count++)
-    {
-      daemon->serverarray[count] = serv;
-      serv->serial = count;
-      serv->last_server = -1;
-    }
-
+  for (serv = daemon->servers; serv; serv = serv->next)
+#ifdef HAVE_LOOP
+    if (!(serv->flags & SERV_LOOP))
+#endif
+      {
+	daemon->serverarray[count] = serv;
+	serv->serial = count;
+	serv->last_server = -1;
+	count++;
+      }
+  
   for (serv = daemon->local_domains; serv; serv = serv->next, count++)
     daemon->serverarray[count] = serv;
   
   qsort(daemon->serverarray, daemon->serverarraysz, sizeof(struct server *), order_qsort);
-
+  
   /* servers need the location in the array to find all the whole
      set of equivalent servers from a pointer to a single one. */
   for (count = 0; count < daemon->serverarraysz; count++)
-    if (!(daemon->serverarray[count]->flags & (SERV_LITERAL_ADDRESS | SERV_USE_RESOLV)))
+    if (!(daemon->serverarray[count]->flags & SERV_IS_LOCAL))
       daemon->serverarray[count]->arrayposn = count;
 }
 
@@ -79,13 +101,13 @@ void build_server_array(void)
    reply of IPv4 or IPV6.
    return 0 if nothing found, 1 otherwise.
 */
-int lookup_domain(char *qdomain, int flags, int *lowout, int *highout)
+int lookup_domain(char *domain, int flags, int *lowout, int *highout)
 {
   int rc, crop_query, nodots;
   ssize_t qlen;
   int try, high, low = 0;
   int nlow = 0, nhigh = 0;
-  char *cp;
+  char *cp, *qdomain = domain;
 
   /* may be no configured servers. */
   if (daemon->serverarraysz == 0)
@@ -165,16 +187,36 @@ int lookup_domain(char *qdomain, int flags, int *lowout, int *highout)
       
       if (rc == 0)
 	{
-	  /* We've matched a setting which says to use servers without a domain.
-	     Continue the search with empty query */
-	  if (daemon->serverarray[try]->flags & SERV_USE_RESOLV)
-	    crop_query = qlen;
-	  else
+	  int found = 1;
+
+	  if (daemon->server_has_wildcard)
 	    {
-	      /* We have a match, but it may only be (say) an IPv6 address, and
-		 if the query wasn't for an AAAA record, it's no good, and we need
-		 to continue generalising */
-	      if (filter_servers(try, flags, &nlow, &nhigh))
+	      /* if we have example.com and *example.com we need to check against *example.com, 
+		 but the binary search may have found either. Use the fact that example.com is sorted before *example.com
+		 We favour example.com in the case that both match (ie www.example.com) */
+	      while (try != 0 && order(qdomain, qlen, daemon->serverarray[try-1]) == 0)
+		try--;
+	      
+	      if (!(qdomain == domain || *qdomain == 0 || *(qdomain-1) == '.'))
+		{
+		  while (try < daemon->serverarraysz-1 && order(qdomain, qlen, daemon->serverarray[try+1]) == 0)
+		    try++;
+		  
+		  if (!(daemon->serverarray[try]->flags & SERV_WILDCARD))
+		     found = 0;
+		}
+	    }
+	  
+	  if (found && filter_servers(try, flags, &nlow, &nhigh))
+	    /* We have a match, but it may only be (say) an IPv6 address, and
+	       if the query wasn't for an AAAA record, it's no good, and we need
+	       to continue generalising */
+	    {
+	      /* We've matched a setting which says to use servers without a domain.
+		 Continue the search with empty query */
+	      if (daemon->serverarray[nlow]->flags & SERV_USE_RESOLV)
+		crop_query = qlen;
+	      else
 		break;
 	    }
 	}
@@ -184,11 +226,13 @@ int lookup_domain(char *qdomain, int flags, int *lowout, int *highout)
 	crop_query = 1;
 
       /* strip chars off the query based on the largest possible remaining match,
-	 then continue to the start of the next label. */
+	 then continue to the start of the next label unless we have a wildcard
+	 domain somewhere, in which case we have to go one at a time. */
       qlen -= crop_query;
       qdomain += crop_query;
-      while (qlen > 0 &&  (*(qdomain-1) != '.'))
-	qlen--, qdomain++;
+      if (!daemon->server_has_wildcard)
+	while (qlen > 0 &&  (*(qdomain-1) != '.'))
+	  qlen--, qdomain++;
     }
 
   /* domain has no dots, and we have at least one server configured to handle such,
@@ -199,11 +243,6 @@ int lookup_domain(char *qdomain, int flags, int *lowout, int *highout)
       (nlow == nhigh || daemon->serverarray[nlow]->domain_len == 0))
     filter_servers(daemon->serverarraysz-1, flags, &nlow, &nhigh);
   
-  /* F_DOMAINSRV returns only domain-specific servers, so if we got to a 
-     general server, return empty set. */
-  if (nlow != nhigh && (flags & F_DOMAINSRV) && daemon->serverarray[nlow]->domain_len == 0)
-    nlow = nhigh;
-  
   if (lowout)
     *lowout = nlow;
   
@@ -234,23 +273,30 @@ int filter_servers(int seed, int flags, int *lowout, int *highout)
     nlow--;
   
   while (nhigh < daemon->serverarraysz-1 && order_servers(daemon->serverarray[nhigh], daemon->serverarray[nhigh+1]) == 0)
-	nhigh++;
+    nhigh++;
   
   nhigh++;
   
-  /* Now the servers are on order between low and high, in the order
-     return zero for both, IPv6 addr, IPv4 addr, no-data return, send upstream.
-     
-     See which of those match our query in that priority order and narrow (low, high) */
-
 #define SERV_LOCAL_ADDRESS (SERV_6ADDR | SERV_4ADDR | SERV_ALL_ZEROS)
   
-  for (i = nlow; (flags & F_CONFIG) && i < nhigh && (daemon->serverarray[i]->flags & SERV_LOCAL_ADDRESS); i++);
-  
-  if (i != nlow)
-    nhigh = i;
+  if (flags & F_CONFIG)
+    {
+      /* We're just lookin for any matches that return an RR. */
+      for (i = nlow; i < nhigh; i++)
+	if (daemon->serverarray[i]->flags & SERV_LOCAL_ADDRESS)
+	  break;
+      
+      /* failed, return failure. */
+      if (i == nhigh)
+	nhigh = nlow;
+    }
   else
     {
+      /* Now the servers are on order between low and high, in the order
+	 IPv6 addr, IPv4 addr, return zero for both, resolvconf servers, send upstream, no-data return.
+	 
+	 See which of those match our query in that priority order and narrow (low, high) */
+      
       for (i = nlow; i < nhigh && (daemon->serverarray[i]->flags & SERV_6ADDR); i++);
       
       if (i != nlow && (flags & F_IPV6))
@@ -275,24 +321,40 @@ int filter_servers(int seed, int flags, int *lowout, int *highout)
 		{
 		  nlow = i;
 		  
-		  for (i = nlow; i < nhigh && (daemon->serverarray[i]->flags & SERV_LITERAL_ADDRESS); i++);
+		  /* Short to resolv.conf servers */
+		  for (i = nlow; i < nhigh && (daemon->serverarray[i]->flags & SERV_USE_RESOLV); i++);
 		  
-		  /* --local=/domain/, only return if we don't need a server. */
-		  if (i != nlow && !(flags & (F_DNSSECOK | F_DOMAINSRV | F_SERVER)))
+		  if (i != nlow)
 		    nhigh = i;
 		  else
 		    {
-		      nlow = i;
-		      /* If we want a server that can do DNSSEC, and this one can't, 
-			 return nothing. */
-		      if ((flags & F_DNSSECOK) && !(daemon->serverarray[nlow]->flags & SERV_DO_DNSSEC))
-			nlow = nhigh;
+		      /* now look for a server */
+		      for (i = nlow; i < nhigh && !(daemon->serverarray[i]->flags & SERV_LITERAL_ADDRESS); i++);
+		      
+		      if (i != nlow)
+			{
+			  /* If we want a server that can do DNSSEC, and this one can't, 
+			     return nothing, similarly if were looking only for a server
+			     for a particular domain. */
+			  if ((flags & F_DNSSECOK) && !(daemon->serverarray[nlow]->flags & SERV_DO_DNSSEC))
+			    nlow = nhigh;
+			  else if ((flags & F_DOMAINSRV) && daemon->serverarray[nlow]->domain_len == 0)
+			    nlow = nhigh;
+			  else
+			    nhigh = i;
+			}
+		      else
+			{
+			  /* --local=/domain/, only return if we don't need a server. */
+			  if (flags & (F_DNSSECOK | F_DOMAINSRV | F_SERVER))
+			    nhigh = i;
+			}
 		    }
 		}
 	    }
 	}
     }
-  
+
   *lowout = nlow;
   *highout = nhigh;
   
@@ -331,7 +393,7 @@ int is_local_answer(time_t now, int first, char *name)
   return rc;
 }
 
-size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header *header, char *name, char *limit, int first, int last)
+size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header *header, char *name, char *limit, int first, int last, int ede)
 {
   int trunc = 0;
   unsigned char *p;
@@ -339,9 +401,9 @@ size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header
   union all_addr addr;
   
   if (flags & (F_NXDOMAIN | F_NOERR))
-    log_query(flags | gotname | F_NEG | F_CONFIG | F_FORWARD, name, NULL, NULL);
+    log_query(flags | gotname | F_NEG | F_CONFIG | F_FORWARD, name, NULL, NULL, 0);
 	  
-  setup_reply(header, flags);
+  setup_reply(header, flags, ede);
 	  
   if (!(p = skip_questions(header, size)))
     return 0;
@@ -357,8 +419,9 @@ size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header
 	  addr.addr4 = srv->addr;
 	
 	header->ancount = htons(ntohs(header->ancount) + 1);
-	add_resource_record(header, limit, &trunc, sizeof(struct dns_header), &p, daemon->local_ttl, NULL, T_A, C_IN, "4", &addr);
-	log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV6, name, (union all_addr *)&addr, NULL);
+	if (!add_resource_record(header, limit, &trunc, sizeof(struct dns_header), &p, daemon->local_ttl, NULL, T_A, C_IN, "4", &addr))
+	  return 0;
+	log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV6, name, (union all_addr *)&addr, NULL, 0);
       }
   
   if (flags & gotname & F_IPV6)
@@ -373,7 +436,7 @@ size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header
 	
 	header->ancount = htons(ntohs(header->ancount) + 1);
 	add_resource_record(header, limit, &trunc, sizeof(struct dns_header), &p, daemon->local_ttl, NULL, T_AAAA, C_IN, "6", &addr);
-	log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV4, name, (union all_addr *)&addr, NULL);
+	log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV4, name, (union all_addr *)&addr, NULL, 0);
       }
 
   if (trunc)
@@ -436,13 +499,22 @@ static int order(char *qdomain, size_t qlen, struct server *serv)
 
 static int order_servers(struct server *s1, struct server *s2)
 {
+  int rc;
+
   /* need full comparison of dotless servers in 
      order_qsort() and filter_servers() */
 
   if (s1->flags & SERV_FOR_NODOTS)
      return (s2->flags & SERV_FOR_NODOTS) ? 0 : 1;
    
-   return order(s1->domain, s1->domain_len, s2);
+  if ((rc = order(s1->domain, s1->domain_len, s2)) != 0)
+    return rc;
+
+  /* For identical domains, sort wildcard ones first */
+  if (s1->flags & SERV_WILDCARD)
+    return (s2->flags & SERV_WILDCARD) ? 0 : 1;
+
+  return (s2->flags & SERV_WILDCARD) ? -1 : 0;
 }
   
 static int order_qsort(const void *a, const void *b)
@@ -455,10 +527,12 @@ static int order_qsort(const void *a, const void *b)
   rc = order_servers(s1, s2);
 
   /* Sort all literal NODATA and local IPV4 or IPV6 responses together,
-     in a very specific order. */
+     in a very specific order. We flip the SERV_LITERAL_ADDRESS bit
+     so the order is IPv6 literal, IPv4 literal, all-zero literal, 
+     unqualified servers, upstream server, NXDOMAIN literal. */
   if (rc == 0)
-    rc = (s2->flags & (SERV_LITERAL_ADDRESS | SERV_4ADDR | SERV_6ADDR | SERV_ALL_ZEROS)) -
-    (s1->flags & (SERV_LITERAL_ADDRESS | SERV_4ADDR | SERV_6ADDR | SERV_ALL_ZEROS));
+    rc = ((s2->flags & (SERV_LITERAL_ADDRESS | SERV_4ADDR | SERV_6ADDR | SERV_USE_RESOLV | SERV_ALL_ZEROS)) ^ SERV_LITERAL_ADDRESS) -
+      ((s1->flags & (SERV_LITERAL_ADDRESS | SERV_4ADDR | SERV_6ADDR | SERV_USE_RESOLV | SERV_ALL_ZEROS)) ^ SERV_LITERAL_ADDRESS);
 
   /* Finally, order by appearance in /etc/resolv.conf etc, for --strict-order */
   if (rc == 0)
@@ -467,3 +541,167 @@ static int order_qsort(const void *a, const void *b)
 
   return rc;
 }
+
+void mark_servers(int flag)
+{
+  struct server *serv;
+
+  /* mark everything with argument flag */
+  for (serv = daemon->servers; serv; serv = serv->next)
+    if (serv->flags & flag)
+      serv->flags |= SERV_MARK;
+    else
+      serv->flags &= ~SERV_MARK;
+
+  for (serv = daemon->local_domains; serv; serv = serv->next)
+    if (serv->flags & flag)
+      serv->flags |= SERV_MARK;
+    else
+      serv->flags &= ~SERV_MARK;
+}
+
+void cleanup_servers(void)
+{
+  struct server *serv, *tmp, **up;
+
+  /* unlink and free anything still marked. */
+  for (serv = daemon->servers, up = &daemon->servers; serv; serv = tmp) 
+    {
+      tmp = serv->next;
+      if (serv->flags & SERV_MARK)
+       {
+         server_gone(serv);
+         *up = serv->next;
+	 free(serv->domain);
+	 free(serv);
+       }
+      else 
+	{
+	  up = &serv->next;
+	  daemon->servers_tail = serv;
+	}
+    }
+  
+ for (serv = daemon->local_domains, up = &daemon->local_domains; serv; serv = tmp) 
+   {
+     tmp = serv->next;
+      if (serv->flags & SERV_MARK)
+       {
+	 *up = serv->next;
+	 free(serv->domain);
+	 free(serv);
+       }
+      else 
+	up = &serv->next;
+   }
+}
+
+int add_update_server(int flags,
+		      union mysockaddr *addr,
+		      union mysockaddr *source_addr,
+		      const char *interface,
+		      const char *domain,
+		      union all_addr *local_addr)
+{
+  struct server *serv = NULL;
+  char *alloc_domain;
+  
+  if (!domain)
+    domain = "";
+
+  /* .domain == domain, for historical reasons. */
+  if (*domain == '.')
+    while (*domain == '.') domain++;
+  else if (*domain == '*')
+    {
+      domain++;
+      if (*domain != 0)
+	flags |= SERV_WILDCARD;
+    }
+  
+  if (*domain == 0)
+    alloc_domain = whine_malloc(1);
+  else
+    alloc_domain = canonicalise((char *)domain, NULL);
+
+  if (!alloc_domain)
+    return 0;
+  
+  /* See if there is a suitable candidate, and unmark
+     only do this for forwarding servers, not 
+     address or local, to avoid delays on large numbers. */
+  if (flags & SERV_IS_LOCAL)
+    for (serv = daemon->servers; serv; serv = serv->next)
+      if ((serv->flags & SERV_MARK) &&
+	  hostname_isequal(alloc_domain, serv->domain))
+	break;
+  
+  if (serv)
+    {
+      free(alloc_domain);
+      alloc_domain = serv->domain;
+    }
+  else
+    {
+      size_t size;
+
+      if (flags & SERV_IS_LOCAL)
+	{
+	  if (flags & SERV_6ADDR)
+	    size = sizeof(struct serv_addr6);
+	  else if (flags & SERV_4ADDR)
+	    size = sizeof(struct serv_addr4);
+	  else
+	    size = sizeof(struct serv_local);
+	}
+      else
+	size = sizeof(struct server);
+      
+      if (!(serv = whine_malloc(size)))
+	{
+	  free(alloc_domain);
+	  return 0;
+	}
+      
+      if (flags & SERV_IS_LOCAL)
+	{
+	  serv->next = daemon->local_domains;
+	  daemon->local_domains = serv;
+
+	  if (flags & SERV_4ADDR)
+	    ((struct serv_addr4*)serv)->addr = local_addr->addr4;
+	  
+	  if (flags & SERV_6ADDR)
+	    ((struct serv_addr6*)serv)->addr = local_addr->addr6;
+	}
+      else
+	{
+	  memset(serv, 0, sizeof(struct server));
+	  
+	  /* Add to the end of the chain, for order */
+	  if (daemon->servers_tail)
+	    daemon->servers_tail->next = serv;
+	  else
+	    daemon->servers = serv;
+	  daemon->servers_tail = serv;
+	  
+#ifdef HAVE_LOOP
+	  serv->uid = rand32();
+#endif      
+	  
+	  if (interface)
+	    safe_strncpy(serv->interface, interface, sizeof(serv->interface));
+	  if (addr)
+	    serv->addr = *addr;
+	  if (source_addr)
+	    serv->source_addr = *source_addr;
+	}
+    }
+  
+  serv->flags = flags;
+  serv->domain = alloc_domain;
+  serv->domain_len = strlen(alloc_domain);
+  
+  return 1;
+}
+

src/domain.c

@@ -18,8 +18,9 @@
 
 
 static struct cond_domain *search_domain(struct in_addr addr, struct cond_domain *c);
+static int match_domain(struct in_addr addr, struct cond_domain *c);
 static struct cond_domain *search_domain6(struct in6_addr *addr, struct cond_domain *c);
-
+static int match_domain6(struct in6_addr *addr, struct cond_domain *c);
 
 int is_name_synthetic(int flags, char *name, union all_addr *addr)
 {
@@ -135,28 +136,9 @@ int is_name_synthetic(int flags, char *name, union all_addr *addr)
 	    }
 	  
 	  if (hostname_isequal(c->domain, p+1) && inet_pton(prot, tail, addr))
-	    {
-	      if (prot == AF_INET)
-		{
-		  if (!c->is6 &&
-		      ntohl(addr->addr4.s_addr) >= ntohl(c->start.s_addr) &&
-		      ntohl(addr->addr4.s_addr) <= ntohl(c->end.s_addr))
-		    found = 1;
-		}
-	      else
-		{
-		  u64 addrpart = addr6part(&addr->addr6);
-		  
-		  if (c->is6 &&
-		      is_same_net6(&addr->addr6, &c->start6, 64) &&
-		      addrpart >= addr6part(&c->start6) &&
-		      addrpart <= addr6part(&c->end6))
-		    found = 1;
-		}
-	    }
-
+	    found = (prot == AF_INET) ? match_domain(addr->addr4, c) : match_domain6(&addr->addr6, c);
 	}
-
+      
       /* restore name */
       for (p = tail; *p; p++)
 	if (*p == '.' || *p == ':')
@@ -246,14 +228,22 @@ int is_rev_synth(int flag, union all_addr *addr, char *name)
 }
 
 
+static int match_domain(struct in_addr addr, struct cond_domain *c)
+{
+  if (!c->is6 &&
+      ntohl(addr.s_addr) >= ntohl(c->start.s_addr) &&
+      ntohl(addr.s_addr) <= ntohl(c->end.s_addr))
+    return 1;
+
+  return 0;
+}
+
 static struct cond_domain *search_domain(struct in_addr addr, struct cond_domain *c)
 {
   for (; c; c = c->next)
-    if (!c->is6 &&
-	ntohl(addr.s_addr) >= ntohl(c->start.s_addr) &&
-        ntohl(addr.s_addr) <= ntohl(c->end.s_addr))
+    if (match_domain(addr, c))
       return c;
-
+  
   return NULL;
 }
 
@@ -267,16 +257,30 @@ char *get_domain(struct in_addr addr)
   return daemon->domain_suffix;
 } 
 
-
-static struct cond_domain *search_domain6(struct in6_addr *addr, struct cond_domain *c)
+static int match_domain6(struct in6_addr *addr, struct cond_domain *c)
 {
   u64 addrpart = addr6part(addr);
   
+  if (c->is6)
+    {
+      if (c->prefixlen >= 64)
+	{
+	  if (is_same_net6(addr, &c->start6, 64) &&
+	      addrpart >= addr6part(&c->start6) &&
+	      addrpart <= addr6part(&c->end6))
+	    return 1;
+	}
+      else if (is_same_net6(addr, &c->start6, c->prefixlen))
+	return 1;
+    }
+
+  return 0;
+}
+
+static struct cond_domain *search_domain6(struct in6_addr *addr, struct cond_domain *c)
+{
   for (; c; c = c->next)
-    if (c->is6 &&
-	is_same_net6(addr, &c->start6, 64) &&
-	addrpart >= addr6part(&c->start6) &&
-        addrpart <= addr6part(&c->end6))
+    if (match_domain6(addr, c))
       return c;
   
   return NULL;

src/forward.c

@@ -119,12 +119,12 @@ static void set_outgoing_mark(struct frec *forward, int fd)
 }
 #endif
 
-static void log_query_mysockaddr(unsigned int flags, char *name, union mysockaddr *addr, char *arg)
+static void log_query_mysockaddr(unsigned int flags, char *name, union mysockaddr *addr, char *arg, unsigned short type)
 {
   if (addr->sa.sa_family == AF_INET)
-    log_query(flags | F_IPV4, name, (union all_addr *)&addr->in.sin_addr, arg);
+    log_query(flags | F_IPV4, name, (union all_addr *)&addr->in.sin_addr, arg, type);
   else
-    log_query(flags | F_IPV6, name, (union all_addr *)&addr->in6.sin6_addr, arg);
+    log_query(flags | F_IPV6, name, (union all_addr *)&addr->in6.sin6_addr, arg, type);
 }
 
 static void server_send(struct server *server, int fd,
@@ -138,23 +138,24 @@ static void server_send(struct server *server, int fd,
 #ifdef HAVE_DNSSEC
 static void server_send_log(struct server *server, int fd,
 			const void *header, size_t plen, int dumpflags,
-			unsigned int logflags, char *name, char *arg)
+			unsigned int logflags, char *name, char *arg,
+			unsigned short type)
 {
 #ifdef HAVE_DUMPFILE
 	  dump_packet(dumpflags, (void *)header, (size_t)plen, NULL, &server->addr);
 #endif
-	  log_query_mysockaddr(logflags, name, &server->addr, arg);
+	  log_query_mysockaddr(logflags, name, &server->addr, arg, type);
 	  server_send(server, fd, header, plen, 0);
 }
 #endif
 
 static int domain_no_rebind(char *domain)
 {
-  struct server *serv;
-  int dlen = (int)strlen(domain);
+  struct rebind_domain *rbd;
+  size_t tlen, dlen = strlen(domain);
   
-  for (serv = daemon->no_rebind; serv; serv = serv->next)
-    if (dlen >= serv->domain_len && strcmp(serv->domain, &domain[dlen - serv->domain_len]) == 0)
+  for (rbd = daemon->no_rebind; rbd; rbd = rbd->next)
+    if (dlen >= (tlen = strlen(rbd->domain)) && strcmp(rbd->domain, &domain[dlen - tlen]) == 0)
       return 1;
 
   return 0;
@@ -177,6 +178,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
   int subnet, cacheable, forwarded = 0;
   size_t edns0_len;
   unsigned char *pheader;
+  int ede = EDE_UNSET;
   (void)do_bit;
   
   if (header->hb4 & HB4_CD)
@@ -254,26 +256,25 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
   /* new query */
   if (!forward)
     {
-      /* new query */
-      
+      if (lookup_domain(daemon->namebuff, gotname, &first, &last))
+	flags = is_local_answer(now, first, daemon->namebuff);
+      else
+	{
+	  /* no available server. */
+	  ede = EDE_NOT_READY;
+	  flags = 0;
+	}
+       
       /* don't forward A or AAAA queries for simple names, except the empty name */
-      if (option_bool(OPT_NODOTS_LOCAL) &&
+      if (!flags &&
+	  option_bool(OPT_NODOTS_LOCAL) &&
 	  (gotname & (F_IPV4 | F_IPV6)) &&
 	  !strchr(daemon->namebuff, '.') &&
 	  strlen(daemon->namebuff) != 0)
-	{
-	  flags = F_NOERR;
-	  goto reply;
-	}
-      
-      flags = 0;
-
-      /* no available server. */
-      if (!lookup_domain(daemon->namebuff, gotname, &first, &last))
-	goto reply;
+	flags = check_for_local_domain(daemon->namebuff, now) ? F_NOERR : F_NXDOMAIN;
       
       /* Configured answer. */
-      if ((flags = is_local_answer(now, first, daemon->namebuff)))
+      if (flags || ede == EDE_NOT_READY)
 	goto reply;
       
       master = daemon->serverarray[first];
@@ -494,12 +495,12 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
 		  if (!gotname)
 		    strcpy(daemon->namebuff, "query");
 		  log_query_mysockaddr(F_SERVER | F_FORWARD, daemon->namebuff,
-				       &srv->addr, NULL);
+				       &srv->addr, NULL, 0);
 		}
 #ifdef HAVE_DNSSEC
 	      else
 		log_query_mysockaddr(F_NOEXTRA | F_DNSSEC, daemon->namebuff, &srv->addr,
-				     querystr("dnssec-retry", (forward->flags & FREC_DNSKEY_QUERY) ? T_DNSKEY : T_DS));
+				     "dnssec-retry", (forward->flags & FREC_DNSKEY_QUERY) ? T_DNSKEY : T_DS);
 #endif
 
 	      srv->queries++;
@@ -521,15 +522,23 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
   /* could not send on, prepare to return */ 
   header->id = htons(forward->frec_src.orig_id);
   free_frec(forward); /* cancel */
+  ede = EDE_NETERR;
   
  reply:
   if (udpfd != -1)
     {
-      if (!(plen = make_local_answer(flags, gotname, plen, header, daemon->namebuff, limit, first, last)))
+      if (!(plen = make_local_answer(flags, gotname, plen, header, daemon->namebuff, limit, first, last, ede)))
 	return 0;
       
       if (oph)
-	plen = add_pseudoheader(header, plen, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
+	{
+	  u16 swap = htons((u16)ede);
+
+	  if (ede != EDE_UNSET)
+	    plen = add_pseudoheader(header, plen, (unsigned char *)limit, daemon->edns_pktsz, EDNS0_OPTION_EDE, (unsigned char *)&swap, 2, do_bit, 0);
+	  else
+	    plen = add_pseudoheader(header, plen, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
+	}
       
 #if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
       if (option_bool(OPT_CMARK_ALST_EN))
@@ -547,40 +556,49 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
   return 0;
 }
 
+static struct ipsets *domain_find_sets(struct ipsets *setlist, const char *domain) {
+  /* Similar algorithm to search_servers. */
+  struct ipsets *ipset_pos, *ret = NULL;
+  unsigned int namelen = strlen(domain);
+  unsigned int matchlen = 0;
+  for (ipset_pos = setlist; ipset_pos; ipset_pos = ipset_pos->next) 
+    {
+      unsigned int domainlen = strlen(ipset_pos->domain);
+      const char *matchstart = domain + namelen - domainlen;
+      if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
+          (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
+          domainlen >= matchlen) 
+        {
+          matchlen = domainlen;
+          ret = ipset_pos;
+        }
+    }
+
+  return ret;
+}
+
 static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind, 
 			    int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader, 
-			    int check_subnet, union mysockaddr *query_source)
+			    int check_subnet, union mysockaddr *query_source, unsigned char *limit, int ede)
 {
   unsigned char *pheader, *sizep;
-  char **sets = 0;
+  struct ipsets *ipsets = NULL, *nftsets = NULL;
   int munged = 0, is_sign;
   unsigned int rcode = RCODE(header);
   size_t plen; 
-  
+    
   (void)ad_reqd;
   (void)do_bit;
   (void)bogusanswer;
 
 #ifdef HAVE_IPSET
   if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
-    {
-      /* Similar algorithm to search_servers. */
-      struct ipsets *ipset_pos;
-      unsigned int namelen = strlen(daemon->namebuff);
-      unsigned int matchlen = 0;
-      for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next) 
-	{
-	  unsigned int domainlen = strlen(ipset_pos->domain);
-	  char *matchstart = daemon->namebuff + namelen - domainlen;
-	  if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
-	      (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
-	      domainlen >= matchlen) 
-	    {
-	      matchlen = domainlen;
-	      sets = ipset_pos->sets;
-	    }
-	}
-    }
+    ipsets = domain_find_sets(daemon->ipsets, daemon->namebuff);
+#endif
+
+#ifdef HAVE_NFTSET
+  if (daemon->nftsets && extract_request(header, n, daemon->namebuff, NULL))
+    nftsets = domain_find_sets(daemon->nftsets, daemon->namebuff);
 #endif
 
   if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign, NULL)))
@@ -604,11 +622,10 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
 	    }
 	  else
 	    {
-	      unsigned short udpsz;
-
 	      /* If upstream is advertising a larger UDP packet size
 		 than we allow, trim it so that we don't get overlarge
 		 requests for the client. We can't do this for signed packets. */
+	      unsigned short udpsz;
 	      GETSHORT(udpsz, sizep);
 	      if (udpsz > daemon->edns_pktsz)
 		{
@@ -645,7 +662,8 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
     {
       union all_addr a;
       a.log.rcode = rcode;
-      log_query(F_UPSTREAM | F_RCODE, "error", &a, NULL);
+      a.log.ede = ede;
+      log_query(F_UPSTREAM | F_RCODE, "error", &a, NULL, 0);
       
       return resize_packet(header, n, pheader, plen);
     }
@@ -667,6 +685,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
       SET_RCODE(header, NXDOMAIN);
       header->hb3 &= ~HB3_AA;
       cache_secure = 0;
+      ede = EDE_BLOCKED;
     }
   else 
     {
@@ -688,11 +707,12 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
 	    }
 	}
       
-      if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
+      if (extract_addresses(header, n, daemon->namebuff, now, ipsets, nftsets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
 	{
 	  my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
 	  munged = 1;
 	  cache_secure = 0;
+	  ede = EDE_BLOCKED;
 	}
 
       if (doctored)
@@ -722,7 +742,6 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
 
   /* do this after extract_addresses. Ensure NODATA reply and remove
      nameserver info. */
-  
   if (munged)
     {
       header->ancount = htons(0);
@@ -734,7 +753,15 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
   /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
      sections of the packet. Find the new length here and put back pseudoheader
      if it was removed. */
-  return resize_packet(header, n, pheader, plen);
+  n = resize_packet(header, n, pheader, plen);
+
+  if (pheader && ede != EDE_UNSET)
+    {
+      u16 swap = htons((u16)ede);
+      n = add_pseudoheader(header, n, limit, daemon->edns_pktsz, EDNS0_OPTION_EDE, (unsigned char *)&swap, 2, do_bit, 1);
+    }
+  
+  return n;
 }
 
 #ifdef HAVE_DNSSEC
@@ -762,7 +789,7 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
   /* As soon as anything returns BOGUS, we stop and unwind, to do otherwise
      would invite infinite loops, since the answers to DNSKEY and DS queries
      will not be cached, so they'll be repeated. */
-  if (status != STAT_BOGUS && status != STAT_TRUNCATED && status != STAT_ABANDONED)
+  if (!STAT_ISEQUAL(status, STAT_BOGUS) && !STAT_ISEQUAL(status, STAT_TRUNCATED) && !STAT_ISEQUAL(status, STAT_ABANDONED))
     {
       if (forward->flags & FREC_DNSKEY_QUERY)
 	status = dnssec_validate_by_ds(now, header, plen, daemon->namebuff, daemon->keyname, forward->class);
@@ -773,7 +800,7 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
 				       !option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC),
 				       NULL, NULL, NULL);
 #ifdef HAVE_DUMPFILE
-      if (status == STAT_BOGUS)
+      if (STAT_ISEQUAL(status, STAT_BOGUS))
 	dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_BOGUS : DUMP_BOGUS,
 		    header, (size_t)plen, &forward->sentto->addr, NULL);
 #endif
@@ -781,7 +808,7 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
   
   /* Can't validate, as we're missing key data. Put this
      answer aside, whilst we get that. */     
-  if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
+  if (STAT_ISEQUAL(status, STAT_NEED_DS) || STAT_ISEQUAL(status, STAT_NEED_KEY))
     {
       struct frec *new = NULL;
       int serverind;
@@ -800,9 +827,9 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
 	  /* validate routines leave name of required record in daemon->keyname */
 	  nn = dnssec_generate_query(header, ((unsigned char *) header) + server->edns_pktsz,
 				     daemon->keyname, forward->class,
-				     status == STAT_NEED_KEY ? T_DNSKEY : T_DS, server->edns_pktsz);
+				     STAT_ISEQUAL(status, STAT_NEED_KEY) ? T_DNSKEY : T_DS, server->edns_pktsz);
 	  
-	  flags = (status == STAT_NEED_KEY) ? FREC_DNSKEY_QUERY : FREC_DS_QUERY;
+	  flags = STAT_ISEQUAL(status, STAT_NEED_KEY) ? FREC_DNSKEY_QUERY : FREC_DS_QUERY;
 	  hash = hash_questions(header, nn, daemon->namebuff);
 
 	  if ((new = lookup_frec_by_query(hash, flags, FREC_DNSKEY_QUERY | FREC_DS_QUERY)))
@@ -872,7 +899,7 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
 #endif
 		  server_send_log(server, fd, header, nn, DUMP_SEC_QUERY,
 				  F_NOEXTRA | F_DNSSEC, daemon->keyname,
-				  querystr("dnssec-query", status == STAT_NEED_KEY ? T_DNSKEY : T_DS));
+				  "dnssec-query", STAT_ISEQUAL(status, STAT_NEED_KEY) ? T_DNSKEY : T_DS);
 		  server->queries++;
 		}
 	      
@@ -1073,6 +1100,7 @@ static void return_reply(time_t now, struct frec *forward, struct dns_header *he
 {
   int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
   size_t nn;
+  int ede = EDE_UNSET;
 
   (void)status;
 
@@ -1085,36 +1113,40 @@ static void return_reply(time_t now, struct frec *forward, struct dns_header *he
     no_cache_dnssec = 1;
 
 #ifdef HAVE_DNSSEC
-  if (status != STAT_OK)
+  if (!STAT_ISEQUAL(status, STAT_OK))
     {
+      /* status is STAT_OK when validation not turned on. */
       no_cache_dnssec = 0;
       
-      if (status == STAT_TRUNCATED)
+      if (STAT_ISEQUAL(status, STAT_TRUNCATED))
 	header->hb3 |= HB3_TC;
       else
 	{
 	  char *result, *domain = "result";
-	  
-	  if (status == STAT_ABANDONED)
+	  union all_addr a;
+
+	  a.log.ede = ede = errflags_to_ede(status);
+
+	  if (STAT_ISEQUAL(status, STAT_ABANDONED))
 	    {
 	      result = "ABANDONED";
 	      status = STAT_BOGUS;
 	    }
 	  else
-	    result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
+	    result = (STAT_ISEQUAL(status, STAT_SECURE) ? "SECURE" : (STAT_ISEQUAL(status, STAT_INSECURE) ? "INSECURE" : "BOGUS"));
 	  
-	  if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL))
-	    domain = daemon->namebuff;
+	  if (STAT_ISEQUAL(status, STAT_SECURE))
+	    cache_secure = 1;
+	  else if (STAT_ISEQUAL(status, STAT_BOGUS))
+	    {
+	      no_cache_dnssec = 1;
+	      bogusanswer = 1;
+	      
+	      if (extract_request(header, n, daemon->namebuff, NULL))
+		domain = daemon->namebuff;
+	    }
 	  
-	  log_query(F_SECSTAT, domain, NULL, result);
-	}
-      
-      if (status == STAT_SECURE)
-	cache_secure = 1;
-      else if (status == STAT_BOGUS)
-	{
-	  no_cache_dnssec = 1;
-	  bogusanswer = 1;
+	  log_query(F_SECSTAT, domain, &a, result, 0);
 	}
     }
 #endif
@@ -1135,7 +1167,8 @@ static void return_reply(time_t now, struct frec *forward, struct dns_header *he
   
   if ((nn = process_reply(header, now, forward->sentto, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer, 
 			  forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION, 
-			  forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->frec_src.source)))
+			  forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->frec_src.source,
+			  ((unsigned char *)header) + daemon->edns_pktsz, ede)))
     {
       struct frec_src *src;
       
@@ -1179,7 +1212,7 @@ static void return_reply(time_t now, struct frec *forward, struct dns_header *he
 	    {
 	      daemon->log_display_id = src->log_id;
 	      daemon->log_source_addr = &src->source;
-	      log_query(F_UPSTREAM, "query", NULL, "duplicate");
+	      log_query(F_UPSTREAM, "query", NULL, "duplicate", 0);
 	    }
 	}
     }
@@ -1215,13 +1248,15 @@ static int is_query_allowed_for_mark(u32 mark, const char *name)
 static size_t answer_disallowed(struct dns_header *header, size_t qlen, u32 mark, const char *name)
 {
   unsigned char *p;
+  (void)name;
+  (void)mark;
   
 #ifdef HAVE_UBUS
   if (name)
     ubus_event_bcast_connmark_allowlist_refused(mark, name);
 #endif
   
-  setup_reply(header, /* flags: */ 0);
+  setup_reply(header, /* flags: */ 0, EDE_BLOCKED);
   
   if (!(p = skip_questions(header, qlen)))
     return 0;
@@ -1484,10 +1519,8 @@ void receive_query(struct listener *listen, time_t now)
 #ifdef HAVE_AUTH
       struct auth_zone *zone;
 #endif
-      char *types = querystr(auth_dns ? "auth" : "query", type);
-
       log_query_mysockaddr(F_QUERY | F_FORWARD, daemon->namebuff,
-			   &source_addr, types);
+			   &source_addr, auth_dns ? "auth" : "query", type);
       
 #ifdef HAVE_CONNTRACK
       is_single_query = 1;
@@ -1545,13 +1578,19 @@ void receive_query(struct listener *listen, time_t now)
 #ifdef HAVE_CONNTRACK
   else if (!allowed)
     {
+      u16 swap = htons(EDE_BLOCKED);
+
       m = answer_disallowed(header, (size_t)n, (u32)mark, is_single_query ? daemon->namebuff : NULL);
       
       if (have_pseudoheader && m != 0)
-	m = add_pseudoheader(header,  m,  ((unsigned char *) header) + udp_size, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
+	m = add_pseudoheader(header,  m,  ((unsigned char *) header) + udp_size, daemon->edns_pktsz,
+			     EDNS0_OPTION_EDE, (unsigned char *)&swap, 2, do_bit, 0);
       
       if (m >= 1)
 	{
+#ifdef HAVE_DUMPFILE
+	  dump_packet(DUMP_REPLY, daemon->packet, m, NULL, &source_addr);
+#endif
 	  send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
 		    (char *)header, m, &source_addr, &dst_addr, if_index);
 	  daemon->metrics[METRIC_DNS_LOCAL_ANSWERED]++;
@@ -1565,6 +1604,9 @@ void receive_query(struct listener *listen, time_t now)
 		      local_auth, do_bit, have_pseudoheader);
       if (m >= 1)
 	{
+#ifdef HAVE_DUMPFILE
+	  dump_packet(DUMP_REPLY, daemon->packet, m, NULL, &source_addr);
+#endif
 #if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
 	  if (local_auth)
 	    if (option_bool(OPT_CMARK_ALST_EN) && have_mark && ((u32)mark & daemon->allowlist_mask))
@@ -1579,15 +1621,18 @@ void receive_query(struct listener *listen, time_t now)
   else
     {
       int ad_reqd = do_bit;
-       /* RFC 6840 5.7 */
+      /* RFC 6840 5.7 */
       if (header->hb4 & HB4_AD)
 	ad_reqd = 1;
-
+      
       m = answer_request(header, ((char *) header) + udp_size, (size_t)n, 
 			 dst_addr_4, netmask, now, ad_reqd, do_bit, have_pseudoheader);
       
       if (m >= 1)
 	{
+#ifdef HAVE_DUMPFILE
+	  dump_packet(DUMP_REPLY, daemon->packet, m, NULL, &source_addr);
+#endif
 #if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
 	  if (option_bool(OPT_CMARK_ALST_EN) && have_mark && ((u32)mark & daemon->allowlist_mask))
 	    report_addresses(header, m, mark);
@@ -1731,16 +1776,16 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
       /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
       if (--(*keycount) == 0)
 	new_status = STAT_ABANDONED;
-      else if (status == STAT_NEED_KEY)
+      else if (STAT_ISEQUAL(status, STAT_NEED_KEY))
 	new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
-      else if (status == STAT_NEED_DS)
+      else if (STAT_ISEQUAL(status, STAT_NEED_DS))
 	new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
       else 
 	new_status = dnssec_validate_reply(now, header, n, name, keyname, &class,
 					   !option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC),
 					   NULL, NULL, NULL);
       
-      if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY)
+      if (!STAT_ISEQUAL(new_status, STAT_NEED_DS) && !STAT_ISEQUAL(new_status, STAT_NEED_KEY))
 	break;
 
       /* Can't validate because we need a key/DS whose name now in keyname.
@@ -1758,7 +1803,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
 	}
 
       m = dnssec_generate_query(new_header, ((unsigned char *) new_header) + 65536, keyname, class, 
-				new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, server->edns_pktsz);
+				STAT_ISEQUAL(new_status, STAT_NEED_KEY) ? T_DNSKEY : T_DS, server->edns_pktsz);
       
       if ((start = dnssec_server(server, daemon->keyname, &first, &last)) == -1 ||
 	  (m = tcp_talk(first, last, start, packet, m, have_mark, mark, &server)) == 0)
@@ -1771,13 +1816,13 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
       daemon->log_display_id = ++daemon->log_id;
       
       log_query_mysockaddr(F_NOEXTRA | F_DNSSEC, keyname, &server->addr,
-			   querystr("dnssec-query", new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS));
+			   "dnssec-query", STAT_ISEQUAL(new_status, STAT_NEED_KEY) ? T_DNSKEY : T_DS);
             
       new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, have_mark, mark, keycount);
 
       daemon->log_display_id = log_save;
       
-      if (new_status != STAT_OK)
+      if (!STAT_ISEQUAL(new_status, STAT_OK))
 	break;
     }
     
@@ -1826,8 +1871,8 @@ unsigned char *tcp_request(int confd, time_t now,
   int have_mark = 0;
   int first, last;
   unsigned int flags = 0;
-  
-  if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
+    
+  if (!packet || getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
     return packet;
 
 #ifdef HAVE_CONNTRACK
@@ -1877,6 +1922,8 @@ unsigned char *tcp_request(int confd, time_t now,
 
   while (1)
     {
+      int ede = EDE_UNSET;
+
       if (query_count == TCP_MAX_QUERIES ||
 	  !packet ||
 	  !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
@@ -1907,11 +1954,10 @@ unsigned char *tcp_request(int confd, time_t now,
 #ifdef HAVE_AUTH
 	  struct auth_zone *zone;
 #endif
-	  char *types = querystr(auth_dns ? "auth" : "query", qtype);
-	  
+
 	  log_query_mysockaddr(F_QUERY | F_FORWARD, daemon->namebuff,
-			       &peer_addr, types);
-	  
+			       &peer_addr, auth_dns ? "auth" : "query", qtype);
+
 #ifdef HAVE_CONNTRACK
 	  is_single_query = 1;
 #endif
@@ -1962,10 +2008,13 @@ unsigned char *tcp_request(int confd, time_t now,
 #ifdef HAVE_CONNTRACK
       else if (!allowed)
 	{
+	  u16 swap = htons(EDE_BLOCKED);
+
 	  m = answer_disallowed(header, size, (u32)mark, is_single_query ? daemon->namebuff : NULL);
 	  
 	  if (have_pseudoheader && m != 0)
-	    m = add_pseudoheader(header,  m, ((unsigned char *) header) + 65536, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
+	    m = add_pseudoheader(header,  m, ((unsigned char *) header) + 65536, daemon->edns_pktsz,
+				 EDNS0_OPTION_EDE, (unsigned char *)&swap, 2, do_bit, 0);
 	}
 #endif
 #ifdef HAVE_AUTH
@@ -1991,14 +2040,25 @@ unsigned char *tcp_request(int confd, time_t now,
 	    {
 	      struct server *master;
 	      int start;
+
+	      if (lookup_domain(daemon->namebuff, gotname, &first, &last))
+		flags = is_local_answer(now, first, daemon->namebuff);
+	      else
+		{
+		  /* No configured servers */
+		  ede = EDE_NOT_READY;
+		  flags = 0;
+		}
 	      
 	      /* don't forward A or AAAA queries for simple names, except the empty name */
-	      if (option_bool(OPT_NODOTS_LOCAL) &&
+	      if (!flags &&
+		  option_bool(OPT_NODOTS_LOCAL) &&
 		  (gotname & (F_IPV4 | F_IPV6)) &&
 		  !strchr(daemon->namebuff, '.') &&
 		  strlen(daemon->namebuff) != 0)
-		flags = F_NOERR;
-	      else if (lookup_domain(daemon->namebuff, gotname, &first, &last) && !(flags = is_local_answer(now, first, daemon->namebuff)))
+		flags = check_for_local_domain(daemon->namebuff, now) ? F_NOERR : F_NXDOMAIN;
+		
+	      if (!flags && ede != EDE_NOT_READY)
 		{
 		  master = daemon->serverarray[first];
 		  
@@ -2028,12 +2088,15 @@ unsigned char *tcp_request(int confd, time_t now,
 		  
 		  /* Loop round available servers until we succeed in connecting to one. */
 		  if ((m = tcp_talk(first, last, start, packet, size, have_mark, mark, &serv)) == 0)
-		    break;
+		    {
+		      ede = EDE_NETERR;
+		      break;
+		    }
 		  
 		  /* get query name again for logging - may have been overwritten */
 		  if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
 		    strcpy(daemon->namebuff, "query");
-		  log_query_mysockaddr(F_SERVER | F_FORWARD, daemon->namebuff, &serv->addr, NULL);
+		  log_query_mysockaddr(F_SERVER | F_FORWARD, daemon->namebuff, &serv->addr, NULL, 0);
 		  
 #ifdef HAVE_DNSSEC
 		  if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled && (master->flags & SERV_DO_DNSSEC))
@@ -2043,27 +2106,29 @@ unsigned char *tcp_request(int confd, time_t now,
 						   serv, have_mark, mark, &keycount);
 		      char *result, *domain = "result";
 		      
-		      if (status == STAT_ABANDONED)
+		      union all_addr a;
+		      a.log.ede = ede = errflags_to_ede(status);
+		      
+		      if (STAT_ISEQUAL(status, STAT_ABANDONED))
 			{
 			  result = "ABANDONED";
 			  status = STAT_BOGUS;
 			}
 		      else
-			result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
+			result = (STAT_ISEQUAL(status, STAT_SECURE) ? "SECURE" : (STAT_ISEQUAL(status, STAT_INSECURE) ? "INSECURE" : "BOGUS"));
 		      
-		      if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL))
-			domain = daemon->namebuff;
-		      
-		      log_query(F_SECSTAT, domain, NULL, result);
-		      
-		      if (status == STAT_BOGUS)
+		      if (STAT_ISEQUAL(status, STAT_SECURE))
+			cache_secure = 1;
+		      else if (STAT_ISEQUAL(status, STAT_BOGUS))
 			{
 			  no_cache_dnssec = 1;
 			  bogusanswer = 1;
+			  
+			  if (extract_request(header, m, daemon->namebuff, NULL))
+			    domain = daemon->namebuff;
 			}
 		      
-		      if (status == STAT_SECURE)
-			cache_secure = 1;
+		      log_query(F_SECSTAT, domain, &a, result, 0);
 		    }
 #endif
 		  
@@ -2080,20 +2145,27 @@ unsigned char *tcp_request(int confd, time_t now,
 		  
 		  m = process_reply(header, now, serv, (unsigned int)m, 
 				    option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer,
-				    ad_reqd, do_bit, added_pheader, check_subnet, &peer_addr); 
+				    ad_reqd, do_bit, added_pheader, check_subnet, &peer_addr, ((unsigned char *)header) + 65536, ede); 
 		}
 	    }
 	}
-      
+	
       /* In case of local answer or no connections made. */
       if (m == 0)
 	{
 	  if (!(m = make_local_answer(flags, gotname, size, header, daemon->namebuff,
-				      ((char *) header) + 65536, first, last)))
+				      ((char *) header) + 65536, first, last, ede)))
 	    break;
 	  
 	  if (have_pseudoheader)
-	    m = add_pseudoheader(header, m, ((unsigned char *) header) + 65536, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
+	    {
+	      u16 swap = htons((u16)ede);
+
+	       if (ede != EDE_UNSET)
+		 m = add_pseudoheader(header, m, ((unsigned char *) header) + 65536, daemon->edns_pktsz, EDNS0_OPTION_EDE, (unsigned char *)&swap, 2, do_bit, 0);
+	       else
+		 m = add_pseudoheader(header, m, ((unsigned char *) header) + 65536, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
+	    }
 	}
       
       check_log_writer(1);
@@ -2211,7 +2283,7 @@ int allocate_rfd(struct randfd_list **fdlp, struct server *serv)
 	  }
       }
 
-  if (j == daemon->numrrand)
+  if (!rfd) /* should be when j == daemon->numrrand */
     {
       struct randfd_list *rfl_poll;
 

src/hash-questions.c

@@ -76,9 +76,9 @@ unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name
 
 #else /* HAVE_DNSSEC  || HAVE_CRYPTOHASH */
 
-#define SHA256_BLOCK_SIZE 32            // SHA256 outputs a 32 byte digest
-typedef unsigned char BYTE;             // 8-bit byte
-typedef unsigned int  WORD;             // 32-bit word, change to "long" for 16-bit machines
+#define SHA256_BLOCK_SIZE 32            /* SHA256 outputs a 32 byte digest */
+typedef unsigned char BYTE;             /* 8-bit byte */
+typedef unsigned int  WORD;             /* 32-bit word, change to "long" for 16-bit machines */
 
 typedef struct {
   BYTE data[64];
@@ -238,7 +238,7 @@ static void sha256_final(SHA256_CTX *ctx, BYTE hash[])
   
   i = ctx->datalen;
 
-  // Pad whatever data is left in the buffer.
+  /* Pad whatever data is left in the buffer. */
   if (ctx->datalen < 56)
     {
       ctx->data[i++] = 0x80;
@@ -254,7 +254,7 @@ static void sha256_final(SHA256_CTX *ctx, BYTE hash[])
       memset(ctx->data, 0, 56);
     }
   
-  // Append to the padding the total message's length in bits and transform.
+  /* Append to the padding the total message's length in bits and transform. */
   ctx->bitlen += ctx->datalen * 8;
   ctx->data[63] = ctx->bitlen;
   ctx->data[62] = ctx->bitlen >> 8;
@@ -266,8 +266,8 @@ static void sha256_final(SHA256_CTX *ctx, BYTE hash[])
   ctx->data[56] = ctx->bitlen >> 56;
   sha256_transform(ctx, ctx->data);
   
-  // Since this implementation uses little endian byte ordering and SHA uses big endian,
-  // reverse all the bytes when copying the final state to the output hash.
+  /* Since this implementation uses little endian byte ordering and SHA uses big endian,
+     reverse all the bytes when copying the final state to the output hash. */
   for (i = 0; i < 4; ++i)
     {
       hash[i]      = (ctx->state[0] >> (24 - i * 8)) & 0x000000ff;

src/helper.c

@@ -235,7 +235,6 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	}
        else 
 	continue;
-
       	
       /* stringify MAC into dhcp_buff */
       p = daemon->dhcp_buff;
@@ -433,7 +432,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 		buf = grab_extradata_lua(buf, end, "relay_address");
 	      else if (data.giaddr.s_addr != 0)
 		{
-		  lua_pushstring(lua, inet_ntoa(data.giaddr));
+		  inet_ntop(AF_INET, &data.giaddr, daemon->addrbuff, ADDRSTRLEN);
+		  lua_pushstring(lua, daemon->addrbuff);
 		  lua_setfield(lua, -2, "relay_address");
 		}
 	      
@@ -611,8 +611,13 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 
 	  if (is6)
 	    buf = grab_extradata(buf, end, "DNSMASQ_RELAY_ADDRESS", &err);
-	  else 
-	    my_setenv("DNSMASQ_RELAY_ADDRESS", data.giaddr.s_addr != 0 ? inet_ntoa(data.giaddr) : NULL, &err); 
+	  else
+	    {
+	      const char *giaddr = NULL;
+	      if (data.giaddr.s_addr != 0)
+		  giaddr = inet_ntop(AF_INET, &data.giaddr, daemon->addrbuff, ADDRSTRLEN);
+	      my_setenv("DNSMASQ_RELAY_ADDRESS", giaddr, &err);
+	    }
 	  
 	  for (i = 0; buf; i++)
 	    {

src/inotify.c

@@ -148,12 +148,19 @@ void set_dynamic_inotify(int flag, int total_size, struct crec **rhash, int revh
       if (!(ah->flags & flag))
 	continue;
  
-      if (stat(ah->fname, &buf) == -1 || !(S_ISDIR(buf.st_mode)))
+      if (stat(ah->fname, &buf) == -1)
 	{
 	  my_syslog(LOG_ERR, _("bad dynamic directory %s: %s"), 
 		    ah->fname, strerror(errno));
 	  continue;
 	}
+
+      if (!(S_ISDIR(buf.st_mode)))
+	{
+	  my_syslog(LOG_ERR, _("bad dynamic directory %s: %s"), 
+		    ah->fname, _("not a directory"));
+	  continue;
+	}
       
        if (!(ah->flags & AH_WD_DONE))
 	 {

src/lease.c

@@ -1021,6 +1021,7 @@ void lease_set_hostname(struct dhcp_lease *lease, const char *name, int auth, ch
 	    }
 	
 	  kill_name(lease_tmp);
+	  lease_tmp->flags |= LEASE_CHANGED; /* run script on change */
 	  break;
 	}
     }

src/loop.c

@@ -31,11 +31,13 @@ void loop_send_probes()
       identifiable, via the uid. If we see that query back again, then the server is looping, and we should not use it. */
    for (serv = daemon->servers; serv; serv = serv->next)
      if (strlen(serv->domain) == 0 &&
-	 !(serv->flags & (SERV_FOR_NODOTS | SERV_LOOP)))
+	 !(serv->flags & (SERV_FOR_NODOTS)))
        {
 	 ssize_t len = loop_make_probe(serv->uid);
 	 int fd;
 	 
+	 serv->flags &= ~SERV_LOOP;
+
 	 if ((fd = allocate_rfd(&rfds, serv)) == -1)
 	   continue;
 	 
@@ -101,7 +103,7 @@ int detect_loop(char *query, int type)
 	uid == serv->uid)
       {
 	serv->flags |= SERV_LOOP;
-	check_servers(); /* log new state */
+	check_servers(1); /* log new state - don't send more probes. */
 	return 1;
       }
   

src/network.c

@@ -1494,149 +1494,7 @@ void pre_allocate_sfds(void)
       }  
 }
 
-void mark_servers(int flag)
-{
-  struct server *serv;
-
-  /* mark everything with argument flag */
-  for (serv = daemon->servers; serv; serv = serv->next)
-    {
-      if (serv->flags & flag)
-	serv->flags |= SERV_MARK;
-#ifdef HAVE_LOOP
-      /* Give looped servers another chance */
-      serv->flags &= ~SERV_LOOP;
-#endif
-    }
-
-  for (serv = daemon->local_domains; serv; serv = serv->next)
-    if (serv->flags & flag)
-      serv->flags |= SERV_MARK;
-}
-
-void cleanup_servers(void)
-{
-  struct server *serv, *tmp, **up;
-
-  /* unlink and free anything still marked. */
-  for (serv = daemon->servers, up = &daemon->servers; serv; serv = tmp) 
-    {
-      tmp = serv->next;
-      if (serv->flags & SERV_MARK)
-       {
-         server_gone(serv);
-         *up = serv->next;
-	 free(serv->domain);
-	 free(serv);
-       }
-      else 
-       up = &serv->next;
-    }
-  
- for (serv = daemon->local_domains, up = &daemon->local_domains; serv; serv = tmp) 
-   {
-     tmp = serv->next;
-      if (serv->flags & SERV_MARK)
-       {
-	 *up = serv->next;
-	 free(serv->domain);
-	 free(serv);
-       }
-      else 
-	up = &serv->next;
-   }
-
- 
-#ifdef HAVE_LOOP
-  /* Now we have a new set of servers, test for loops. */
-  loop_send_probes();
-#endif
-}
-
-void add_update_server(int flags,
-		       union mysockaddr *addr,
-		       union mysockaddr *source_addr,
-		       const char *interface,
-		       const char *domain)
-{
-  struct server *serv;
-  char *domain_str;
-
-  if (!domain)
-    domain = "";
-
-  /* If the server is USE_RESOLV or LITERAL_ADDRES, it lives on the local_domains chain.
-     NOTE that we can get local=/domain/ here, but NOT address=/domain/1.2.3.4 */
-#define SERV_IS_LOCAL (SERV_USE_RESOLV | SERV_LITERAL_ADDRESS)
-  
-  /* See if there is a suitable candidate, and unmark */
-  for (serv = (flags & SERV_IS_LOCAL) ? daemon->local_domains : daemon->servers; serv; serv = serv->next)
-    if ((serv->flags & SERV_MARK) && hostname_isequal(domain, serv->domain))
-	break;
-  
-  if (serv)
-    domain_str = serv->domain;
-  else if ((serv = whine_malloc(sizeof (struct server))))
-    {
-      /* Not found, create a new one. */
-      if (!(domain_str = whine_malloc(strlen(domain)+1)))
-	{
-	  free(serv);
-          serv = NULL;
-        }
-      else
-	{
-	  strcpy(domain_str, domain);
-	  
-	  if (flags & SERV_IS_LOCAL)
-	    {
-	      serv->next = daemon->local_domains;
-	      daemon->local_domains = serv;
-	    }
-	  else
-	    {
-	      struct server *s;
-	      /* Add to the end of the chain, for order */
-	      if (!daemon->servers)
-		daemon->servers = serv;
-	      else
-		{
-		  for (s = daemon->servers; s->next; s = s->next);
-		  s->next = serv;
-		}
-
-	      serv->next = NULL;
-	    }
-	}
-    }
-  
-  if (serv)
-    {
-      if (!(flags & SERV_IS_LOCAL))
-	memset(serv, 0, sizeof(struct server));
-
-      serv->flags = flags;
-      serv->domain = domain_str;
-      serv->domain_len = strlen(domain_str);
-
-      if (!(flags & SERV_IS_LOCAL))
-	{
-	  serv->queries = serv->failed_queries = 0;
-#ifdef HAVE_LOOP
-	  serv->uid = rand32();
-#endif      
-	  
-	  if (interface)
-	    safe_strncpy(serv->interface, interface, sizeof(serv->interface));
-	  if (addr)
-	    serv->addr = *addr;
-	  if (source_addr)
-	    serv->source_addr = *source_addr;
-	}
-    }
-}
-
-void check_servers(void)
+void check_servers(int no_loop_check)
 {
   struct irec *iface;
   struct server *serv;
@@ -1644,7 +1502,15 @@ void check_servers(void)
   int port = 0, count;
   int locals = 0;
   
-  /* interface may be new since startup */
+#ifdef HAVE_LOOP
+  if (!no_loop_check)
+    loop_send_probes();
+#endif
+
+  /* clear all marks. */
+  mark_servers(0);
+  
+ /* interface may be new since startup */
   if (!option_bool(OPT_NOWILD))
     enumerate_interfaces(0);
 
@@ -1720,12 +1586,15 @@ void check_servers(void)
       if (serv->sfd)
 	serv->sfd->used = 1;
       
+      if (count == SERVERS_LOGGED)
+	my_syslog(LOG_INFO, _("more servers are defined but not logged"));
+      
       if (++count > SERVERS_LOGGED)
 	continue;
       
       if (strlen(serv->domain) != 0 || (serv->flags & SERV_FOR_NODOTS))
 	{
-	  char *s1, *s2, *s3 = "";
+	  char *s1, *s2, *s3 = "", *s4 = "";
 
 #ifdef HAVE_DNSSEC
 	  if (option_bool(OPT_DNSSEC_VALID) && !(serv->flags & SERV_DO_DNSSEC))
@@ -1736,9 +1605,9 @@ void check_servers(void)
 	  else if (strlen(serv->domain) == 0)
 	    s1 = _("default"), s2 = "";
 	  else
-	    s1 = _("domain"), s2 = serv->domain;
+	    s1 = _("domain"), s2 = serv->domain, s4 = (serv->flags & SERV_WILDCARD) ? "*" : "";
 	  
-	  my_syslog(LOG_INFO, _("using nameserver %s#%d for %s %s %s"), daemon->namebuff, port, s1, s2, s3);
+	  my_syslog(LOG_INFO, _("using nameserver %s#%d for %s %s%s %s"), daemon->namebuff, port, s1, s4, s2, s3);
 	}
 #ifdef HAVE_LOOP
       else if (serv->flags & SERV_LOOP)
@@ -1757,7 +1626,8 @@ void check_servers(void)
 	 continue;
        
        if ((serv->flags & SERV_LITERAL_ADDRESS) &&
-	   !(serv->flags & (SERV_6ADDR | SERV_4ADDR | SERV_ALL_ZEROS)))
+	   !(serv->flags & (SERV_6ADDR | SERV_4ADDR | SERV_ALL_ZEROS)) &&
+	   strlen(serv->domain))
 	 {
 	   count--;
 	   if (++locals <= LOCALS_LOGGED)
@@ -1786,8 +1656,8 @@ void check_servers(void)
 	up = &sfd->next;
     }
   
-  cleanup_servers();
-  build_server_array();
+  cleanup_servers(); /* remove servers we just deleted. */
+  build_server_array(); 
 }
 
 /* Return zero if no servers found, in that case we keep polling.
@@ -1822,7 +1692,7 @@ int reload_servers(char *fname)
       memset(&addr, 0, sizeof(addr));
       memset(&source_addr, 0, sizeof(source_addr));
       
-      if ((addr.in.sin_addr.s_addr = inet_addr(token)) != (in_addr_t) -1)
+      if (inet_pton(AF_INET, token, &addr.in.sin_addr) > 0)
 	{
 #ifdef HAVE_SOCKADDR_SA_LEN
 	  source_addr.in.sin_len = addr.in.sin_len = sizeof(source_addr.in);
@@ -1860,7 +1730,7 @@ int reload_servers(char *fname)
 	    continue;
 	}
 
-      add_update_server(SERV_FROM_RESOLV, &addr, &source_addr, NULL, NULL);
+      add_update_server(SERV_FROM_RESOLV, &addr, &source_addr, NULL, NULL, NULL);
       gotone = 1;
     }
   

src/nftset.c

@@ -0,0 +1,94 @@
+/* dnsmasq is Copyright (c) 2000-2021 Simon Kelley
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 dated June, 1991, or
+   (at your option) version 3 dated 29 June, 2007.
+ 
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+     
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+#include "dnsmasq.h"
+
+#if defined (HAVE_NFTSET) && defined (HAVE_LINUX_NETWORK)
+
+#include <nftables/libnftables.h>
+
+#include <string.h>
+#include <arpa/inet.h>
+
+static struct nft_ctx *ctx = NULL;
+static const char *cmd_add = "add element %s { %s }";
+static const char *cmd_del = "delete element %s { %s }";
+
+void nftset_init()
+{
+  ctx = nft_ctx_new(NFT_CTX_DEFAULT);
+  if (ctx == NULL)
+    die(_("failed to create nftset context"), NULL, EC_MISC);
+
+  /* disable libnftables output */
+  nft_ctx_buffer_error(ctx);
+}
+
+int add_to_nftset(const char *setname, const union all_addr *ipaddr, int flags, int remove)
+{
+  const char *cmd = remove ? cmd_del : cmd_add;
+  int ret, af = (flags & F_IPV4) ? AF_INET : AF_INET6;
+  size_t new_sz;
+  char *new, *err, *nl;
+  static char *cmd_buf = NULL;
+  static size_t cmd_buf_sz = 0;
+
+  inet_ntop(af, ipaddr, daemon->addrbuff, ADDRSTRLEN);
+
+  if (setname[1] == ' ' && (setname[0] == '4' || setname[0] == '6'))
+    {
+      if (setname[0] == '4' && !(flags & F_IPV4))
+	return -1;
+
+      if (setname[0] == '6' && !(flags & F_IPV6))
+	return -1;
+
+      setname += 2;
+    }
+  
+  if (cmd_buf_sz == 0)
+    new_sz = 150; /* initial allocation */
+  else
+    new_sz = snprintf(cmd_buf, cmd_buf_sz, cmd, setname, daemon->addrbuff);
+  
+  if (new_sz > cmd_buf_sz)
+    {
+      if (!(new = whine_malloc(new_sz + 10)))
+	return 0;
+
+      if (cmd_buf)
+	free(cmd_buf);
+      cmd_buf = new;
+      cmd_buf_sz = new_sz + 10;
+      snprintf(cmd_buf, cmd_buf_sz, cmd, setname, daemon->addrbuff);
+    }
+
+  ret = nft_run_cmd_from_buffer(ctx, cmd_buf);
+  err = (char *)nft_ctx_get_error_buffer(ctx);
+
+  if (ret != 0)
+    {
+      /* Log only first line of error return. */
+      if ((nl = strchr(err, '\n')))
+	*nl = 0;
+      my_syslog(LOG_ERR,  "nftset %s %s", setname, err);
+    }
+  
+  return ret;
+}
+
+#endif

src/pattern.c

@@ -20,13 +20,13 @@
 
 #define LOG(...) \
   do { \
-    my_syslog(LOG_WARNING, __VA_ARGS__); \
+    my_syslog(LOG_DEBUG, __VA_ARGS__); \
   } while (0)
 
 #define ASSERT(condition) \
   do { \
     if (!(condition)) \
-      LOG("[pattern.c:%d] Assertion failure: %s", __LINE__, #condition); \
+      my_syslog(LOG_ERR, _("[pattern.c:%d] Assertion failure: %s"), __LINE__, #condition); \
   } while (0)
 
 /**
@@ -66,8 +66,8 @@ static int is_string_matching_glob_pattern(
 	    pattern_character -= 'a' - 'A';
 	  if (pattern_character == '*')
 	    {
-	      // zero-or-more-character wildcard
-	      // Try to match at value_index, otherwise restart at value_index + 1 next.
+	      /* zero-or-more-character wildcard */
+	      /* Try to match at value_index, otherwise restart at value_index + 1 next. */
 	      next_pattern_index = pattern_index;
 	      pattern_index++;
 	      if (value_index < num_value_bytes)
@@ -78,7 +78,7 @@ static int is_string_matching_glob_pattern(
 	    }
 	  else
 	    {
-	      // ordinary character
+	      /* ordinary character */
 	      if (value_index < num_value_bytes)
 	        {
 		  char value_character = value[value_index];
@@ -139,7 +139,7 @@ int is_valid_dns_name(const char *value)
 	  (*c < 'A' || *c > 'Z') &&
 	  (*c < 'a' || *c > 'z'))
 	{
-	  LOG("Invalid DNS name: Invalid character %c.", *c);
+	  LOG(_("Invalid DNS name: Invalid character %c."), *c);
 	  return 0;
 	}
       if (*c)
@@ -148,12 +148,12 @@ int is_valid_dns_name(const char *value)
 	{
 	  if (!*c || *c == '.')
 	    {
-	      LOG("Invalid DNS name: Empty label.");
+	      LOG(_("Invalid DNS name: Empty label."));
 	      return 0;
 	    }
 	  if (*c == '-')
 	    {
-	      LOG("Invalid DNS name: Label starts with hyphen.");
+	      LOG(_("Invalid DNS name: Label starts with hyphen."));
 	      return 0;
 	    }
 	  label = c;
@@ -167,13 +167,13 @@ int is_valid_dns_name(const char *value)
 	{
 	  if (c[-1] == '-')
 	    {
-	      LOG("Invalid DNS name: Label ends with hyphen.");
+	      LOG(_("Invalid DNS name: Label ends with hyphen."));
 	      return 0;
 	    }
 	  size_t num_label_bytes = (size_t) (c - label);
 	  if (num_label_bytes > 63)
 	    {
-	      LOG("Invalid DNS name: Label is too long (%zu).", num_label_bytes);
+	      LOG(_("Invalid DNS name: Label is too long (%zu)."), num_label_bytes);
 	      return 0;
 	    }
 	  num_labels++;
@@ -181,12 +181,12 @@ int is_valid_dns_name(const char *value)
 	    {
 	      if (num_labels < 2)
 		{
-		  LOG("Invalid DNS name: Not enough labels (%zu).", num_labels);
+		  LOG(_("Invalid DNS name: Not enough labels (%zu)."), num_labels);
 		  return 0;
 		}
 	      if (is_label_numeric)
 		{
-		  LOG("Invalid DNS name: Final label is fully numeric.");
+		  LOG(_("Invalid DNS name: Final label is fully numeric."));
 		  return 0;
 		}
 	      if (num_label_bytes == 5 &&
@@ -196,12 +196,12 @@ int is_valid_dns_name(const char *value)
 		  (label[3] == 'a' || label[3] == 'A') &&
 		  (label[4] == 'l' || label[4] == 'L'))
 		{
-		  LOG("Invalid DNS name: \"local\" pseudo-TLD.");
+		  LOG(_("Invalid DNS name: \"local\" pseudo-TLD."));
 		  return 0;
 		}
 	      if (num_bytes < 1 || num_bytes > 253)
 		{
-		  LOG("DNS name has invalid length (%zu).", num_bytes);
+		  LOG(_("DNS name has invalid length (%zu)."), num_bytes);
 		  return 0;
 		}
 	      return 1;
@@ -249,13 +249,13 @@ int is_valid_dns_name_pattern(const char *value)
   for (const char *c = value;; c++)
     {
       if (*c &&
-	  *c != '*' && // Wildcard.
+	  *c != '*' && /* Wildcard. */
 	  *c != '-' && *c != '.' &&
 	  (*c < '0' || *c > '9') &&
 	  (*c < 'A' || *c > 'Z') &&
 	  (*c < 'a' || *c > 'z'))
 	{
-	  LOG("Invalid DNS name pattern: Invalid character %c.", *c);
+	  LOG(_("Invalid DNS name pattern: Invalid character %c."), *c);
 	  return 0;
 	}
       if (*c && *c != '*')
@@ -264,12 +264,12 @@ int is_valid_dns_name_pattern(const char *value)
 	{
 	  if (!*c || *c == '.')
 	    {
-	      LOG("Invalid DNS name pattern: Empty label.");
+	      LOG(_("Invalid DNS name pattern: Empty label."));
 	      return 0;
 	    }
 	  if (*c == '-')
 	    {
-	      LOG("Invalid DNS name pattern: Label starts with hyphen.");
+	      LOG(_("Invalid DNS name pattern: Label starts with hyphen."));
 	      return 0;
 	    }
 	  label = c;
@@ -282,7 +282,7 @@ int is_valid_dns_name_pattern(const char *value)
 	    {
 	      if (num_wildcards >= 2)
 		{
-		  LOG("Invalid DNS name pattern: Wildcard character used more than twice per label.");
+		  LOG(_("Invalid DNS name pattern: Wildcard character used more than twice per label."));
 		  return 0;
 		}
 	      num_wildcards++;
@@ -292,13 +292,13 @@ int is_valid_dns_name_pattern(const char *value)
 	{
 	  if (c[-1] == '-')
 	    {
-	      LOG("Invalid DNS name pattern: Label ends with hyphen.");
+	      LOG(_("Invalid DNS name pattern: Label ends with hyphen."));
 	      return 0;
 	    }
 	  size_t num_label_bytes = (size_t) (c - label) - num_wildcards;
 	  if (num_label_bytes > 63)
 	    {
-	      LOG("Invalid DNS name pattern: Label is too long (%zu).", num_label_bytes);
+	      LOG(_("Invalid DNS name pattern: Label is too long (%zu)."), num_label_bytes);
 	      return 0;
 	    }
 	  num_labels++;
@@ -306,17 +306,17 @@ int is_valid_dns_name_pattern(const char *value)
 	    {
 	      if (num_labels < 2)
 		{
-		  LOG("Invalid DNS name pattern: Not enough labels (%zu).", num_labels);
+		  LOG(_("Invalid DNS name pattern: Not enough labels (%zu)."), num_labels);
 		  return 0;
 		}
 	      if (num_wildcards != 0 || previous_label_has_wildcard)
 		{
-		  LOG("Invalid DNS name pattern: Wildcard within final two labels.");
+		  LOG(_("Invalid DNS name pattern: Wildcard within final two labels."));
 		  return 0;
 		}
 	      if (is_label_numeric)
 		{
-		  LOG("Invalid DNS name pattern: Final label is fully numeric.");
+		  LOG(_("Invalid DNS name pattern: Final label is fully numeric."));
 		  return 0;
 		}
 	      if (num_label_bytes == 5 &&
@@ -326,12 +326,12 @@ int is_valid_dns_name_pattern(const char *value)
 		  (label[3] == 'a' || label[3] == 'A') &&
 		  (label[4] == 'l' || label[4] == 'L'))
 		{
-		  LOG("Invalid DNS name pattern: \"local\" pseudo-TLD.");
+		  LOG(_("Invalid DNS name pattern: \"local\" pseudo-TLD."));
 		  return 0;
 		}
 	      if (num_bytes < 1 || num_bytes > 253)
 		{
-		  LOG("DNS name pattern has invalid length after removing wildcards (%zu).", num_bytes);
+		  LOG(_("DNS name pattern has invalid length after removing wildcards (%zu)."), num_bytes);
 		  return 0;
 		}
 	      return 1;

src/radv.c

@@ -746,6 +746,8 @@ static int add_lla(int index, unsigned int type, char *mac, size_t maclen, void
 	 add 7 to round up */
       int len = (maclen + 9) >> 3;
       unsigned char *p = expand(len << 3);
+      if (!p)
+	return 1;
       memset(p, 0, len << 3);
       *p++ = ICMP6_OPT_SOURCE_MAC;
       *p++ = len;

src/rfc2131.c

@@ -372,9 +372,22 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
   
   if (!context)
     {
-      my_syslog(MS_DHCP | LOG_WARNING, _("no address range available for DHCP request %s %s"), 
-		subnet_addr.s_addr ? _("with subnet selector") : _("via"),
-		subnet_addr.s_addr ? inet_ntoa(subnet_addr) : (mess->giaddr.s_addr ? inet_ntoa(mess->giaddr) : iface_name));
+      const char *via;
+      if (subnet_addr.s_addr)
+	{
+	  via = _("with subnet selector");
+	  inet_ntop(AF_INET, &subnet_addr, daemon->addrbuff, ADDRSTRLEN);
+	}
+      else
+	{
+	  via = _("via");
+	  if (mess->giaddr.s_addr)
+	    inet_ntop(AF_INET, &mess->giaddr, daemon->addrbuff, ADDRSTRLEN);
+	  else
+	    safe_strncpy(daemon->addrbuff, iface_name, ADDRSTRLEN);
+	}
+      my_syslog(MS_DHCP | LOG_WARNING, _("no address range available for DHCP request %s %s"),
+		via, daemon->addrbuff);
       return 0;
     }
 
@@ -383,13 +396,19 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
       struct dhcp_context *context_tmp;
       for (context_tmp = context; context_tmp; context_tmp = context_tmp->current)
 	{
-	  strcpy(daemon->namebuff, inet_ntoa(context_tmp->start));
+	  inet_ntop(AF_INET, &context_tmp->start, daemon->namebuff, MAXDNAME);
 	  if (context_tmp->flags & (CONTEXT_STATIC | CONTEXT_PROXY))
-	    my_syslog(MS_DHCP | LOG_INFO, _("%u available DHCP subnet: %s/%s"),
-		      ntohl(mess->xid), daemon->namebuff, inet_ntoa(context_tmp->netmask));
+	    {
+	      inet_ntop(AF_INET, &context_tmp->netmask, daemon->addrbuff, ADDRSTRLEN);
+	      my_syslog(MS_DHCP | LOG_INFO, _("%u available DHCP subnet: %s/%s"),
+			ntohl(mess->xid), daemon->namebuff, daemon->addrbuff);
+	    }
 	  else
-	    my_syslog(MS_DHCP | LOG_INFO, _("%u available DHCP range: %s -- %s"), 
-		      ntohl(mess->xid), daemon->namebuff, inet_ntoa(context_tmp->end));
+	    {
+	      inet_ntop(AF_INET, &context_tmp->end, daemon->addrbuff, ADDRSTRLEN);
+	      my_syslog(MS_DHCP | LOG_INFO, _("%u available DHCP range: %s -- %s"),
+			ntohl(mess->xid), daemon->namebuff, daemon->addrbuff);
+	    }
 	}
     }
   
@@ -1031,8 +1050,9 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	  config->addr.s_addr == option_addr(opt).s_addr)
 	{
 	  prettyprint_time(daemon->dhcp_buff, DECLINE_BACKOFF);
+	  inet_ntop(AF_INET, &config->addr, daemon->addrbuff, ADDRSTRLEN);
 	  my_syslog(MS_DHCP | LOG_WARNING, _("disabling DHCP static address %s for %s"), 
-		    inet_ntoa(config->addr), daemon->dhcp_buff);
+		    daemon->addrbuff, daemon->dhcp_buff);
 	  config->flags |= CONFIG_DECLINED;
 	  config->decline_time = now;
 	}
@@ -1078,7 +1098,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	  
 	  if (have_config(config, CONFIG_ADDR))
 	    {
-	      char *addrs = inet_ntoa(config->addr);
+	      inet_ntop(AF_INET, &config->addr, daemon->addrbuff, ADDRSTRLEN);
 	      
 	      if ((ltmp = lease_find_by_addr(config->addr)) && 
 		  ltmp != lease &&
@@ -1088,7 +1108,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		  unsigned char *mac = extended_hwaddr(ltmp->hwaddr_type, ltmp->hwaddr_len,
 						       ltmp->hwaddr, ltmp->clid_len, ltmp->clid, &len);
 		  my_syslog(MS_DHCP | LOG_WARNING, _("not using configured address %s because it is leased to %s"),
-			    addrs, print_mac(daemon->namebuff, mac, len));
+			    daemon->addrbuff, print_mac(daemon->namebuff, mac, len));
 		}
 	      else
 		{
@@ -1097,10 +1117,10 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		    if (context->router.s_addr == config->addr.s_addr)
 		      break;
 		  if (tmp)
-		    my_syslog(MS_DHCP | LOG_WARNING, _("not using configured address %s because it is in use by the server or relay"), addrs);
+		    my_syslog(MS_DHCP | LOG_WARNING, _("not using configured address %s because it is in use by the server or relay"), daemon->addrbuff);
 		  else if (have_config(config, CONFIG_DECLINED) &&
 			   difftime(now, config->decline_time) < (float)DECLINE_BACKOFF)
-		    my_syslog(MS_DHCP | LOG_WARNING, _("not using configured address %s because it was previously declined"), addrs);
+		    my_syslog(MS_DHCP | LOG_WARNING, _("not using configured address %s because it was previously declined"), daemon->addrbuff);
 		  else
 		    conf = config->addr;
 		}
@@ -1303,9 +1323,10 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		 a lease from one of it's MACs to give the address to another. */
 	      if (config && config_has_mac(config, ltmp->hwaddr, ltmp->hwaddr_len, ltmp->hwaddr_type))
 		{
+		  inet_ntop(AF_INET, &ltmp->addr, daemon->addrbuff, ADDRSTRLEN);
 		  my_syslog(MS_DHCP | LOG_INFO, _("abandoning lease to %s of %s"),
 			    print_mac(daemon->namebuff, ltmp->hwaddr, ltmp->hwaddr_len), 
-			    inet_ntoa(ltmp->addr));
+			    daemon->addrbuff);
 		  lease = ltmp;
 		}
 	      else
@@ -1674,42 +1695,40 @@ static void add_extradata_opt(struct dhcp_lease *lease, unsigned char *opt)
 static void log_packet(char *type, void *addr, unsigned char *ext_mac, 
 		       int mac_len, char *interface, char *string, char *err, u32 xid)
 {
-  struct in_addr a;
- 
   if (!err && !option_bool(OPT_LOG_OPTS) && option_bool(OPT_QUIET_DHCP))
     return;
   
-  /* addr may be misaligned */
+  daemon->addrbuff[0] = 0;
   if (addr)
-    memcpy(&a, addr, sizeof(a));
+    inet_ntop(AF_INET, addr, daemon->addrbuff, ADDRSTRLEN);
   
   print_mac(daemon->namebuff, ext_mac, mac_len);
   
-  if(option_bool(OPT_LOG_OPTS))
-     my_syslog(MS_DHCP | LOG_INFO, "%u %s(%s) %s%s%s %s%s",
-	       ntohl(xid), 
-	       type,
-	       interface, 
-	       addr ? inet_ntoa(a) : "",
-	       addr ? " " : "",
-	       daemon->namebuff,
-	       string ? string : "",
-	       err ? err : "");
-  else
-    my_syslog(MS_DHCP | LOG_INFO, "%s(%s) %s%s%s %s%s",
+  if (option_bool(OPT_LOG_OPTS))
+    my_syslog(MS_DHCP | LOG_INFO, "%u %s(%s) %s%s%s %s%s",
+	      ntohl(xid), 
 	      type,
 	      interface, 
-	      addr ? inet_ntoa(a) : "",
+	      daemon->addrbuff,
 	      addr ? " " : "",
 	      daemon->namebuff,
 	      string ? string : "",
 	      err ? err : "");
-
+  else
+    my_syslog(MS_DHCP | LOG_INFO, "%s(%s) %s%s%s %s%s",
+	      type,
+	      interface, 
+	      daemon->addrbuff,
+	      addr ? " " : "",
+	      daemon->namebuff,
+	      string ? string : "",
+	      err ? err : "");
+  
 #ifdef HAVE_UBUS
-	if (!strcmp(type, "DHCPACK"))
-		ubus_event_bcast("dhcp.ack", daemon->namebuff, addr ? inet_ntoa(a) : NULL, string ? string : NULL, interface);
-	else if (!strcmp(type, "DHCPRELEASE"))
-		ubus_event_bcast("dhcp.release", daemon->namebuff, addr ? inet_ntoa(a) : NULL, string ? string : NULL, interface);
+  if (!strcmp(type, "DHCPACK"))
+    ubus_event_bcast("dhcp.ack", daemon->namebuff, addr ? daemon->addrbuff : NULL, string, interface);
+  else if (!strcmp(type, "DHCPRELEASE"))
+    ubus_event_bcast("dhcp.release", daemon->namebuff, addr ? daemon->addrbuff : NULL, string, interface);
 #endif
 }
 
@@ -1861,7 +1880,10 @@ static size_t dhcp_packet_size(struct dhcp_packet *mess, unsigned char *agent_id
   if (option_bool(OPT_LOG_OPTS))
     {
       if (mess->siaddr.s_addr != 0)
-	my_syslog(MS_DHCP | LOG_INFO, _("%u next server: %s"), ntohl(mess->xid), inet_ntoa(mess->siaddr));
+	{
+	  inet_ntop(AF_INET, &mess->siaddr, daemon->addrbuff, ADDRSTRLEN);
+	  my_syslog(MS_DHCP | LOG_INFO, _("%u next server: %s"), ntohl(mess->xid), daemon->addrbuff);
+	}
       
       if ((mess->flags & htons(0x8000)) && mess->ciaddr.s_addr == 0)
 	my_syslog(MS_DHCP | LOG_INFO, _("%u broadcast response"), ntohl(mess->xid));

src/tftp.c

@@ -600,7 +600,7 @@ void check_tftp_listeners(time_t now)
 		  /* Wrong source address. See rfc1350 para 4. */
 		  prettyprint_addr(&peer, daemon->addrbuff);
 		  len = tftp_err(ERR_TID, daemon->packet, _("ignoring packet from %s (TID mismatch)"), daemon->addrbuff);
-		  sendto(transfer->sockfd, daemon->packet, len, 0, &peer.sa, sa_len(&peer));
+		  while(retry_send(sendto(transfer->sockfd, daemon->packet, len, 0, &peer.sa, sa_len(&peer))));
 		}
 	    }
 	}
@@ -761,7 +761,8 @@ static ssize_t tftp_err(int err, char *packet, char *message, char *file)
   len = snprintf(mess->message, MAXMESSAGE,  message, file, errstr);
   ret += (len < MAXMESSAGE) ? len + 1 : MAXMESSAGE; /* include terminating zero */
   
-  my_syslog(MS_TFTP | LOG_ERR, "%s", mess->message);
+  if (err != ERR_FNF || !option_bool(OPT_QUIET_TFTP))
+    my_syslog(MS_TFTP | LOG_ERR, "%s", mess->message);
   
   return  ret;
 }

src/ubus.c

@@ -21,7 +21,6 @@
 #include <libubus.h>
 
 static struct blob_buf b;
-static int notify;
 static int error_logged = 0;
 
 static int ubus_handle_metrics(struct ubus_context *ctx, struct ubus_object *obj,
@@ -78,17 +77,16 @@ static void ubus_subscribe_cb(struct ubus_context *ctx, struct ubus_object *obj)
   (void)ctx;
 
   my_syslog(LOG_DEBUG, _("UBus subscription callback: %s subscriber(s)"), obj->has_subscribers ? "1" : "0");
-  notify = obj->has_subscribers;
 }
 
 static void ubus_destroy(struct ubus_context *ubus)
 {
-  // Forces re-initialization when we're reusing the same definitions later on.
-  ubus_object.id = 0;
-  ubus_object_type.id = 0;
-
   ubus_free(ubus);
   daemon->ubus = NULL;
+  
+  /* Forces re-initialization when we're reusing the same definitions later on. */
+  ubus_object.id = 0;
+  ubus_object_type.id = 0;
 }
 
 static void ubus_disconnect_cb(struct ubus_context *ubus)
@@ -173,6 +171,16 @@ void check_ubus_listeners()
     }
 }
 
+#define CHECK(stmt) \
+  do { \
+    int e = (stmt); \
+    if (e) \
+      { \
+	my_syslog(LOG_ERR, _("UBus command failed: %d (%s)"), e, #stmt); \
+	return (UBUS_STATUS_UNKNOWN_ERROR); \
+      } \
+  } while (0)
+
 static int ubus_handle_metrics(struct ubus_context *ctx, struct ubus_object *obj,
 			       struct ubus_request_data *req, const char *method,
 			       struct blob_attr *msg)
@@ -183,12 +191,13 @@ static int ubus_handle_metrics(struct ubus_context *ctx, struct ubus_object *obj
   (void)method;
   (void)msg;
 
-  blob_buf_init(&b, BLOBMSG_TYPE_TABLE);
+  CHECK(blob_buf_init(&b, BLOBMSG_TYPE_TABLE));
 
   for (i=0; i < __METRIC_MAX; i++)
-    blobmsg_add_u32(&b, get_metric_name(i), daemon->metrics[i]);
+    CHECK(blobmsg_add_u32(&b, get_metric_name(i), daemon->metrics[i]));
   
-  return ubus_send_reply(ctx, req, b.head);
+  CHECK(ubus_send_reply(ctx, req, b.head));
+  return UBUS_STATUS_OK;
 }
 
 #ifdef HAVE_CONNTRACK
@@ -307,66 +316,71 @@ fail:
 }
 #endif
 
+#undef CHECK
+
+#define CHECK(stmt) \
+  do { \
+    int e = (stmt); \
+    if (e) \
+      { \
+	my_syslog(LOG_ERR, _("UBus command failed: %d (%s)"), e, #stmt); \
+	return; \
+      } \
+  } while (0)
+
 void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface)
 {
   struct ubus_context *ubus = (struct ubus_context *)daemon->ubus;
-  int ret;
 
-  if (!ubus || !notify)
+  if (!ubus || !ubus_object.has_subscribers)
     return;
 
-  blob_buf_init(&b, BLOBMSG_TYPE_TABLE);
+  CHECK(blob_buf_init(&b, BLOBMSG_TYPE_TABLE));
   if (mac)
-    blobmsg_add_string(&b, "mac", mac);
+    CHECK(blobmsg_add_string(&b, "mac", mac));
   if (ip)
-    blobmsg_add_string(&b, "ip", ip);
+    CHECK(blobmsg_add_string(&b, "ip", ip));
   if (name)
-    blobmsg_add_string(&b, "name", name);
+    CHECK(blobmsg_add_string(&b, "name", name));
   if (interface)
-    blobmsg_add_string(&b, "interface", interface);
+    CHECK(blobmsg_add_string(&b, "interface", interface));
   
-  ret = ubus_notify(ubus, &ubus_object, type, b.head, -1);
-  if (ret)
-    my_syslog(LOG_ERR, _("Failed to send UBus event: %s"), ubus_strerror(ret));
+  CHECK(ubus_notify(ubus, &ubus_object, type, b.head, -1));
 }
 
 #ifdef HAVE_CONNTRACK
 void ubus_event_bcast_connmark_allowlist_refused(u32 mark, const char *name)
 {
   struct ubus_context *ubus = (struct ubus_context *)daemon->ubus;
-  int ret;
 
-  if (!ubus || !notify)
+  if (!ubus || !ubus_object.has_subscribers)
     return;
 
-  blob_buf_init(&b, 0);
-  blobmsg_add_u32(&b, "mark", mark);
-  blobmsg_add_string(&b, "name", name);
+  CHECK(blob_buf_init(&b, 0));
+  CHECK(blobmsg_add_u32(&b, "mark", mark));
+  CHECK(blobmsg_add_string(&b, "name", name));
   
-  ret = ubus_notify(ubus, &ubus_object, "connmark-allowlist.refused", b.head, -1);
-  if (ret)
-    my_syslog(LOG_ERR, _("Failed to send UBus event: %s"), ubus_strerror(ret));
+  CHECK(ubus_notify(ubus, &ubus_object, "connmark-allowlist.refused", b.head, -1));
 }
 
 void ubus_event_bcast_connmark_allowlist_resolved(u32 mark, const char *name, const char *value, u32 ttl)
 {
   struct ubus_context *ubus = (struct ubus_context *)daemon->ubus;
-  int ret;
 
-  if (!ubus || !notify)
+  if (!ubus || !ubus_object.has_subscribers)
     return;
 
-  blob_buf_init(&b, 0);
-  blobmsg_add_u32(&b, "mark", mark);
-  blobmsg_add_string(&b, "name", name);
-  blobmsg_add_string(&b, "value", value);
-  blobmsg_add_u32(&b, "ttl", ttl);
+  CHECK(blob_buf_init(&b, 0));
+  CHECK(blobmsg_add_u32(&b, "mark", mark));
+  CHECK(blobmsg_add_string(&b, "name", name));
+  CHECK(blobmsg_add_string(&b, "value", value));
+  CHECK(blobmsg_add_u32(&b, "ttl", ttl));
   
-  ret = ubus_notify(ubus, &ubus_object, "connmark-allowlist.resolved", b.head, /* timeout: */ 1000);
-  if (ret)
-    my_syslog(LOG_ERR, _("Failed to send UBus event: %s"), ubus_strerror(ret));
+  /* Set timeout to allow UBus subscriber to configure firewall rules before returning. */
+  CHECK(ubus_notify(ubus, &ubus_object, "connmark-allowlist.resolved", b.head, /* timeout: */ 1000));
 }
 #endif
 
+#undef CHECK
 
 #endif /* HAVE_UBUS */

src/util.c

@@ -115,7 +115,8 @@ u64 rand64(void)
   return (u64)out[outleft+1] + (((u64)out[outleft]) << 32);
 }
 
-/* returns 2 if names is OK but contains one or more underscores */
+/* returns 1 if name is OK and ascii printable
+ * returns 2 if name should be processed by IDN */
 static int check_name(char *in)
 {
   /* remove trailing . 
@@ -123,7 +124,9 @@ static int check_name(char *in)
   size_t dotgap = 0, l = strlen(in);
   char c;
   int nowhite = 0;
+  int idn_encode = 0;
   int hasuscore = 0;
+  int hasucase = 0;
   
   if (l == 0 || l > MAXDNAME) return 0;
   
@@ -136,28 +139,49 @@ static int check_name(char *in)
   for (; (c = *in); in++)
     {
       if (c == '.')
-	dotgap = 0;
+        dotgap = 0;
       else if (++dotgap > MAXLABEL)
-	return 0;
+        return 0;
       else if (isascii((unsigned char)c) && iscntrl((unsigned char)c)) 
-	/* iscntrl only gives expected results for ascii */
-	return 0;
-#if !defined(HAVE_IDN) && !defined(HAVE_LIBIDN2)
+        /* iscntrl only gives expected results for ascii */
+        return 0;
       else if (!isascii((unsigned char)c))
-	return 0;
+#if !defined(HAVE_IDN) && !defined(HAVE_LIBIDN2)
+        return 0;
+#else
+        idn_encode = 1;
 #endif
       else if (c != ' ')
-	{
-	  nowhite = 1;
-	  if (c == '_')
-	    hasuscore = 1;
-	}
+        {
+          nowhite = 1;
+#if defined(HAVE_LIBIDN2) && (!defined(IDN2_VERSION_NUMBER) || IDN2_VERSION_NUMBER < 0x02000003)
+          if (c == '_')
+            hasuscore = 1;
+#else
+          (void)hasuscore;
+#endif
+
+#if defined(HAVE_IDN) || defined(HAVE_LIBIDN2)
+          if (c >= 'A' && c <= 'Z')
+            hasucase = 1;
+#else
+          (void)hasucase;
+#endif
+        }
     }
 
   if (!nowhite)
     return 0;
 
-  return hasuscore ? 2 : 1;
+#if defined(HAVE_LIBIDN2) && (!defined(IDN2_VERSION_NUMBER) || IDN2_VERSION_NUMBER < 0x02000003)
+  /* Older libidn2 strips underscores, so don't do IDN processing
+     if the name has an underscore unless it also has non-ascii characters. */
+  idn_encode = idn_encode || (hasucase && !hasuscore);
+#else
+  idn_encode = idn_encode || hasucase;
+#endif
+
+  return (idn_encode) ? 2 : 1;
 }
 
 /* Hostnames have a more limited valid charset than domain names
@@ -204,12 +228,8 @@ char *canonicalise(char *in, int *nomem)
   if (!(rc = check_name(in)))
     return NULL;
   
-#if defined(HAVE_LIBIDN2) && (!defined(IDN2_VERSION_NUMBER) || IDN2_VERSION_NUMBER < 0x02000003)
-  /* older libidn2 strips underscores, so don't do IDN processing
-     if the name has an underscore (check_name() returned 2) */
-  if (rc != 2)
-#endif
 #if defined(HAVE_IDN) || defined(HAVE_LIBIDN2)
+  if (rc == 2)
     {
 #  ifdef HAVE_LIBIDN2
       rc = idn2_to_ascii_lz(in, &ret, IDN2_NONTRANSITIONAL);
@@ -234,12 +254,14 @@ char *canonicalise(char *in, int *nomem)
       
       return ret;
     }
+#else
+  (void)rc;
 #endif
   
   if ((ret = whine_malloc(strlen(in)+1)))
     strcpy(ret, in);
   else if (nomem)
-    *nomem = 1;    
+    *nomem = 1;
 
   return ret;
 }
@@ -436,7 +458,17 @@ int netmask_length(struct in_addr mask)
 int is_same_net(struct in_addr a, struct in_addr b, struct in_addr mask)
 {
   return (a.s_addr & mask.s_addr) == (b.s_addr & mask.s_addr);
-} 
+}
+
+int is_same_net_prefix(struct in_addr a, struct in_addr b, int prefix)
+{
+  struct in_addr mask;
+
+  mask.s_addr = htonl(~((1 << (32 - prefix)) - 1));
+
+  return is_same_net(a, b, mask);
+}
+
 
 int is_same_net6(struct in6_addr *a, struct in6_addr *b, int prefixlen)
 {
@@ -518,7 +550,7 @@ void prettyprint_time(char *buf, unsigned int t)
       if ((x = (t/60)%60))
 	p += sprintf(&buf[p], "%um", x);
       if ((x = t%60))
-	p += sprintf(&buf[p], "%us", x);
+	sprintf(&buf[p], "%us", x);
     }
 }
 
@@ -564,7 +596,7 @@ int parse_hex(char *in, unsigned char *out, int maxlen,
 		  int j, bytes = (1 + (r - in))/2;
 		  for (j = 0; j < bytes; j++)
 		    { 
-		      char sav = sav;
+		      char sav;
 		      if (j < bytes - 1)
 			{
 			  sav = in[(j+1)*2];