Hardcode Lua library version in debian/rules, rather than the Makefile.

The version can be overridden with the LUA envvar

Make LUA=lua5.4

Thanks to Petr Menšík for the patch which inspired this one.

.gitignore

@@ -7,8 +7,15 @@ src/.copts_*
 contrib/lease-tools/dhcp_lease_time
 contrib/lease-tools/dhcp_release
 contrib/lease-tools/dhcp_release6
+debian/.debhelper
+debian/auto-build
+debian/debhelper-build-stamp
 debian/files
-debian/substvars
-debian/utils-substvars
-debian/trees/
-debian/build/
+debian/*.substvars
+debian/*.debhelper
+debian/*.log
+debian/dnsmasq-base-lua/
+debian/dnsmasq-base/
+debian/dnsmasq-utils/
+debian/dnsmasq/
+debian/tmp

CHANGELOG

@@ -1,7 +1,50 @@
+version 2.90
+	Fix reversion in --rev-server introduced in 2.88 which
+	caused breakage if the prefix length is not exactly divisible
+	by 8 (IPv4) or 4 (IPv6).
+
+	Fix possible SEGV when there server(s) for a particular
+	domain are configured, but no server which is not qualified
+	for a particular domain. Thanks to Daniel Danzberger for
+	spotting this bug.
+
+	Set the default maximum DNS UDP packet sice to 1232. This
+	has been the recommended value since 2020 because it's the
+	largest value that avoid fragmentation, and fragmentation
+	is just not reliable on the modern internet, especially
+	for IPv6. It's still possible to override this with
+	--edns-packet-max for special circumstances.
+
+	Add --no-dhcpv4-interface and --no-dhcpv6-interface for
+	better control over which inetrfaces are providing DHCP service.
+
+	Fix issue with stale caching: After replying with stale data,
+	dnsmasq sends the query upstream to refresh the cache asynchronously
+	and sometimes sends the wrong packet: packet length can be wrong,
+	and if an EDE marking stale data is added to the answer that can
+	end up in the query also. This bug only seems to cause problems
+	when the usptream server is a DOH/DOT proxy. Thanks to Justin He
+	for the bug report.
+	
+	
+version 2.89
+        Fix bug introduced in 2.88 (commit fe91134b) which can result
+	in corruption of the DNS cache internal data structures and
+	logging of "cache internal error". This has only been seen
+	in one place in the wild, and it took considerable effort
+	to even generate a test case to reproduce it, but there's
+	no way to be sure it won't strike, and the effect is to break
+	the cache badly. Installations with DNSSEC enabled are more
+	likely to see the problem, but not running DNSSEC does not
+	guarantee that it won't happen. Thanks to Timo van Roermund
+	for reporting the bug and for his great efforts in chasing
+	it down.
+
+
 version 2.88
 	Fix bug in --dynamic-host when an interface has /16 IPv4
-	address. Thanks to Mark Dietzer for spotting this.
-	
+  	address. Thanks to Mark Dietzer for spotting this.
+
 	Add --fast-dns-retry option. This gives dnsmasq the ability
 	to originate retries for upstream DNS queries itself, rather
 	than relying on the downstream client. This is most useful
@@ -12,12 +55,18 @@ version 2.88
 	in the cache, but its time-to-live has expired, dnsmasq will
 	return the data anyway. (It attempts to refresh the
 	data with an upstream query after returning the stale data.)
-	This can improve speed and reliability. It comes 
+	This can improve speed and reliability. It comes
 	at the expense of sometimes returning out-of-date data and
 	less efficient cache utilisation, since old data cannot be
 	flushed when its TTL expires, so the cache becomes
 	strictly least-recently-used.
 
+	Add --port-limit option which allows tuning for robustness in
+	the face of some upstream network errors. Thanks to
+	Prashant Kumar Singh, Ravi Nagayach and Mike Danilov,
+	all of Amazon Web Services, for their efforts in developing this
+	and the stale-cache and fast-retry options.
+
 	Make --hostsdir (but NOT --dhcp-hostsdir and --dhcp-optsdir)
 	handle removal of whole files or entries within files.
 	Thanks to Dominik Derigs for the initial patches for this.

Makefile

@@ -1,4 +1,4 @@
-# dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+# dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@@ -29,6 +29,7 @@ LDFLAGS       =
 COPTS         = 
 RPM_OPT_FLAGS = 
 LIBS          = 
+LUA           = lua
 
 #################################################################
 
@@ -60,8 +61,8 @@ idn2_cflags =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFI
 idn2_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --libs libidn2`
 ct_cflags =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --cflags libnetfilter_conntrack`
 ct_libs =       `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
-lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua5.2` 
-lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.2` 
+lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags $(LUA)` 
+lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs $(LUA)` 
 nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --cflags 'nettle hogweed' \
                                                         HAVE_CRYPTOHASH $(PKG_CONFIG) --cflags nettle \
                                                         HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`

dbus/DBus-interface

@@ -44,6 +44,14 @@ SetFilterWin2KOption
 --------------------
 Takes boolean, sets or resets the --filterwin2k option.
 
+SetFilterA
+------------------------
+Takes boolean, sets or resets the --filter-A option.
+
+SetFilterAAAA
+------------------------
+Takes boolean, sets or resets the --filter-AAAA option.
+
 SetBogusPrivOption
 ------------------
 Takes boolean, sets or resets the --bogus-priv option.

debian/conffiles

@@ -1,5 +0,0 @@
-/etc/init.d/dnsmasq
-/etc/default/dnsmasq
-/etc/dnsmasq.conf
-/etc/resolvconf/update.d/dnsmasq
-/etc/insserv.conf.d/dnsmasq

debian/control

@@ -1,64 +1,66 @@
 Source: dnsmasq
 Section: net
 Priority: optional
-Build-depends: gettext, libnetfilter-conntrack-dev [linux-any],
-               libidn2-dev, libdbus-1-dev (>=0.61), libgmp-dev, 
+Build-Depends: dh-exec, gettext, libnetfilter-conntrack-dev [linux-any],
+               libidn2-dev, libdbus-1-dev (>=0.61), libgmp-dev,
                nettle-dev (>=2.4-3), libbsd-dev [kfreebsd-any],
-	       liblua5.2-dev, dh-runit, debhelper-compat (= 10),
+	       liblua5.4-dev, dh-runit, debhelper-compat (= 13),
                pkg-config, libnftables-dev
 Maintainer: Simon Kelley <simon@thekelleys.org.uk>
-Homepage: http://www.thekelleys.org.uk/dnsmasq/doc.html
-Vcs-Git: http://thekelleys.org.uk/git/dnsmasq.git
-Vcs-Browser: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git
-Standards-Version: 3.9.8
+Homepage: https://www.thekelleys.org.uk/dnsmasq/doc.html
+Vcs-Git: https://thekelleys.org.uk/git/dnsmasq.git
+Vcs-Browser: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git
+Standards-Version: 4.6.2
+Rules-Requires-Root: no
 
 Package: dnsmasq
 Architecture: all
+Pre-Depends: ${misc:Pre-Depends}
 Depends: netbase, dnsmasq-base,
-         init-system-helpers (>= 1.18~), lsb-base (>= 3.0-6), ${misc:Depends}
+         ${misc:Depends}
 Suggests: resolvconf
 Breaks: ${runit:Breaks}
 Conflicts: resolvconf (<<1.15), ${runit:Conflicts}
-Description: Small caching DNS proxy and DHCP/TFTP server
+Description: Small caching DNS proxy and DHCP/TFTP server - system daemon
  Dnsmasq is a lightweight, easy to configure, DNS forwarder and DHCP
- server. It is designed to provide DNS and optionally, DHCP, to a 
- small network. It can serve the names of local machines which are 
- not in the global DNS. The DHCP server integrates with the DNS 
+ server. It is designed to provide DNS and optionally, DHCP, to a
+ small network. It can serve the names of local machines which are
+ not in the global DNS. The DHCP server integrates with the DNS
  server and allows machines with DHCP-allocated addresses
  to appear in the DNS with names configured either in each host or
- in a central configuration file. Dnsmasq supports static and dynamic 
+ in a central configuration file. Dnsmasq supports static and dynamic
  DHCP leases and BOOTP/TFTP for network booting of diskless machines.
 
 Package: dnsmasq-base
 Architecture: any
-Depends: adduser, ${shlibs:Depends}
+Depends: ${misc:Depends}, ${shlibs:Depends}
 Breaks: dnsmasq (<< 2.63-1~)
 Replaces: dnsmasq (<< 2.63-1~), dnsmasq-base
 Recommends: dns-root-data
 Provides: dnsmasq-base
 Conflicts: dnsmasq-base-lua
-Description: Small caching DNS proxy and DHCP/TFTP server
+Description: Small caching DNS proxy and DHCP/TFTP server - executable
  This package contains the dnsmasq executable and documentation, but
  not the infrastructure required to run it as a system daemon. For
  that, install the dnsmasq package.
 
 Package: dnsmasq-base-lua
 Architecture: any
-Depends: adduser, ${shlibs:Depends}
+Depends: ${misc:Depends}, ${shlibs:Depends}
 Breaks: dnsmasq (<< 2.63-1~)
 Replaces: dnsmasq (<< 2.63-1~), dnsmasq-base
 Recommends: dns-root-data
 Provides: dnsmasq-base
 Conflicts: dnsmasq-base
-Description: Small caching DNS proxy and DHCP/TFTP server
+Description: Small caching DNS proxy and DHCP/TFTP server - executable, Lua-enabled
  This package contains the dnsmasq executable and documentation, but
  not the infrastructure required to run it as a system daemon. For
  that, install the dnsmasq package. This package is an alternative
- to dnsmasq-base which includes the LUA interpreter.
- 
+ to dnsmasq-base which includes the Lua interpreter.
+
 Package: dnsmasq-utils
 Architecture: linux-any
-Depends: ${shlibs:Depends}
+Depends: ${misc:Depends}, ${shlibs:Depends}
 Conflicts: dnsmasq (<<2.40)
 Description: Utilities for manipulating DHCP leases
  Small utilities to query a DHCP server's lease database and

debian/copyright

@@ -1,21 +1,58 @@
-dnsmasq is Copyright (c) 2000-2021 Simon Kelley
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: dnsmasq
+Upstream-Contact: Simon Kelley <simon@thekelleys.org.uk>
+Source: https://thekelleys.org.uk/dnsmasq/
 
-It was downloaded from: http://www.thekelleys.org.uk/dnsmasq/
+Files: *
+Copyright: 2000-2024 Simon Kelley <simon@thekelleys.org.uk>
+License: GPL-2 or GPL-3
 
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991, or
-   (at your option) version 3 dated 29 June, 2007.
- 
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
+Files: src/dnssec.c
+Copyright: 2012-2024 Simon Kelley <simon@thekelleys.org.uk>
+           2012      Giovanni Bajo <rasky@develer.com>
 
-On Debian GNU/Linux systems, the text of the GNU general public license is 
-available in the file /usr/share/common-licenses/GPL-2 or 
-/usr/share/common-licenses/GPL-3
+Files: debian/*
+Copyright: 2004-2024 Simon Kelley <simon@thekelleys.org.uk>
+           2012      Lars Bahner <bahner@debian.org>
+           2024      Sven Geuer <debmaint@g-e-u-e-r.de>
+License: GPL-2 or GPL-3
 
-The Debian package of dnsmasq was created by Simon Kelley with assistance 
-from Lars Bahner.
+License: GPL-2
+ This program is free software; you can redistribute it
+ and/or modify it under the terms of the GNU General Public
+ License as published by the Free Software Foundation;
+ version 2 dated June, 1991.
+ .
+ This program is distributed in the hope that it will be
+ useful, but WITHOUT ANY WARRANTY; without even the implied
+ warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE.  See the GNU General Public License for more
+ details.
+ .
+ You should have received a copy of the GNU General Public
+ License along with this program.  If not, see
+ <https://www.gnu.org/licenses/gpl-2.0>.
+ .
+ On Debian systems, the full text of the GNU General Public
+ License can be found in the file
+ `/usr/share/common-licenses/GPL-2'.
 
+License: GPL-3
+ This program is free software; you can redistribute it
+ and/or modify it under the terms of the GNU General Public
+ License as published by the Free Software Foundation;
+ version 3 dated 29 June, 2007.
+ .
+ This program is distributed in the hope that it will be
+ useful, but WITHOUT ANY WARRANTY; without even the implied
+ warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE.  See the GNU General Public License for more
+ details.
+ .
+ You should have received a copy of the GNU General Public
+ License along with this program.  If not, see
+ <https://www.gnu.org/licenses/gpl-3.0>.
+ .
+ On Debian systems, the full text of the GNU General Public
+ License can be found in the file
+ `/usr/share/common-licenses/GPL-3'.

debian/dnsmasq-base-lua.dirs

@@ -0,0 +1 @@
+dnsmasq-base.dirs

debian/dnsmasq-base-lua.docs

@@ -0,0 +1 @@
+dnsmasq-base.docs

debian/dnsmasq-base-lua.install

@@ -0,0 +1,3 @@
+#!/usr/bin/dh-exec
+debian/dbus.conf => /usr/share/dbus-1/system.d/dnsmasq.conf
+trust-anchors.conf /usr/share/dnsmasq-base-lua

debian/dnsmasq-base-lua.links

@@ -0,0 +1,2 @@
+usr/share/dnsmasq-base-lua usr/share/dnsmasq-base
+usr/share/doc/dnsmasq-base-lua usr/share/doc/dnsmasq-base

debian/dnsmasq-base-lua.maintscript

@@ -0,0 +1,9 @@
+# With the use of debhelper /usr/share/doc/dnsmasq-base-lua has become a
+# directory as required in
+# https://www.debian.org/doc/debian-policy/ch-docs.html#additional-documentation
+# thus /usr/share/doc/dnsmasq-base will be a link from now onwards.
+symlink_to_dir /usr/share/doc/dnsmasq-base-lua /usr/share/doc/dnsmasq-base 2.89-1.1~ dnsmasq-base-lua
+dir_to_symlink /usr/share/doc/dnsmasq-base /usr/share/doc/dnsmasq-base-lua 2.89-1.1~ dnsmasq-base-lua
+# Due to lintian warning dbus-policy-in-etc this file has been moved to
+# /usr/share/dbus-1/system.d/dnsmasq.conf and thus is not a conffile any more.
+rm_conffile /etc/dbus-1/system.d/dnsmasq.conf 2.89-1.1~ dnsmasq-base-lua

debian/dnsmasq-base-lua.postinst

@@ -0,0 +1 @@
+dnsmasq-base.postinst

debian/dnsmasq-base-lua.postrm

@@ -0,0 +1 @@
+dnsmasq-base.postrm

debian/dnsmasq-base.conffiles

@@ -1 +0,0 @@
-/etc/dbus-1/system.d/dnsmasq.conf

debian/dnsmasq-base.dirs

@@ -0,0 +1 @@
+/var/lib/misc

debian/dnsmasq-base.docs

@@ -0,0 +1,8 @@
+doc.html
+setup.html
+dnsmasq.conf.example
+FAQ
+CHANGELOG.archive
+dbus/DBus-interface
+debian/systemd_howto
+debian/readme

debian/dnsmasq-base.install

@@ -0,0 +1,3 @@
+#!/usr/bin/dh-exec
+debian/dbus.conf => /usr/share/dbus-1/system.d/dnsmasq.conf
+trust-anchors.conf /usr/share/dnsmasq-base

debian/dnsmasq-base.maintscript

@@ -0,0 +1,3 @@
+# Due to lintian warning dbus-policy-in-etc this file has been moved to
+# /usr/share/dbus-1/system.d/dnsmasq.conf and thus is not a conffile any more.
+rm_conffile /etc/dbus-1/system.d/dnsmasq.conf 2.89-1.1~ dnsmasq-base

debian/dnsmasq-base.postinst

@@ -2,13 +2,16 @@
 set -e
 
 # Create the dnsmasq user in dnsmasq-base, so that Dbus doesn't complain.
-      
-# create a user to run as (code stolen from dovecot-common)
+
 if [ "$1" = "configure" ]; then
+  # Create the user to run as.
   if [ -z "`id -u dnsmasq 2> /dev/null`" ]; then
-    adduser --system  --home /var/lib/misc --gecos "dnsmasq" \
-            --no-create-home --disabled-password \
-            --quiet dnsmasq || true
+    useradd --system \
+            --gid nogroup \
+            --comment dnsmasq \
+            --home-dir /var/lib/misc --no-create-home \
+            --shell /usr/sbin/nologin \
+            dnsmasq
   fi
 
   # Make the directory where we keep the pid file - this
@@ -16,9 +19,12 @@ if [ "$1" = "configure" ]; then
   # This is only actually used by the dnsmasq binary package, not
   # dnsmasq-base, but it's much easier to create it here so that
   # we don't have synchronisation issues with the creation of the
-  # dnsmasq user. 
+  # dnsmasq user.
   if [ ! -d /run/dnsmasq ]; then
     mkdir /run/dnsmasq
     chown dnsmasq:nogroup /run/dnsmasq
   fi
 fi
+
+#DEBHELPER#
+

debian/dnsmasq-base.postrm

@@ -2,10 +2,9 @@
 set -e
 
 if [ purge = "$1" ]; then
-   if [ -x "$(command -v deluser)" ]; then
-     deluser --quiet --system dnsmasq > /dev/null || true
-  else
-     echo >&2 "not removing dnsmasq system account because deluser command was not found"
-  fi
+  userdel dnsmasq
   rm -rf /run/dnsmasq
 fi
+
+#DEBHELPER#
+

debian/dnsmasq-utils.install

@@ -0,0 +1,3 @@
+dhcp_lease_time	/usr/bin
+dhcp_release	/usr/bin
+dhcp_release6	/usr/bin

debian/dnsmasq-utils.manpages

@@ -0,0 +1,3 @@
+dhcp_lease_time.1
+dhcp_release.1
+dhcp_release6.1

debian/dnsmasq.default

@@ -16,10 +16,10 @@
 #DOMAIN_SUFFIX=`dnsdomainname`
 #DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"
 
-# Whether or not to run the dnsmasq daemon; set to 0 to disable.
-# Note that this is only valid when using SYSV init. For systemd,
-# use "systemctl disable dnsmasq"
-ENABLED=1
+# The dnsmasq daemon is run by default conforming to the Debian Policy.
+# To disable the service,
+# for SYSV init, use "update-rc.d dnsmasq disable",
+# for systemd, use "systemctl disable dnsmasq".
 
 # By default search this drop directory for configuration options.
 # Libvirt leaves a file here to make the system dnsmasq play nice.

debian/dnsmasq.init

@@ -0,0 +1,170 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:       dnsmasq
+# Required-Start: $network $remote_fs $syslog
+# Required-Stop:  $network $remote_fs $syslog
+# Default-Start:  2 3 4 5
+# Default-Stop:   0 1 6
+# Description:    DHCP and DNS server
+### END INIT INFO
+
+# Don't exit on error status
+set +e
+
+# The following test ensures the dnsmasq service is not started, when the
+# package 'dnsmasq' is removed but not purged, even if the dnsmasq-base
+# package is still in place.
+if [ -r /usr/share/dnsmasq/init-system-common ]; then
+    # 'dnsmasq' is installed: source initial code used also with systemd.
+    . /usr/share/dnsmasq/init-system-common
+else
+    # 'dnsmasq' is removed but not purged, or damaged: do nothing.
+    exit 0
+fi
+
+# Double-check 'dnsmasq-base' or 'dnsmasq-base-lua' is installed.
+test -x ${DAEMON} || exit 0
+
+# Source the SysV init-functions which should always be available.
+. /lib/lsb/init-functions || exit 0
+
+start()
+{
+    # Return
+    #   0 if daemon has been started
+    #   1 if daemon was already running
+    #   2 if daemon could not be started
+
+    # /run may be volatile, so we need to ensure that
+    # /run/dnsmasq exists here as well as in postinst
+    if [ ! -d /run/dnsmasq ]; then
+        mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || return 2 ; }
+        chown dnsmasq:nogroup /run/dnsmasq || return 2
+    fi
+    [ -x /sbin/restorecon ] && /sbin/restorecon /run/dnsmasq
+
+    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null || return 1
+    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} -- \
+        -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
+        ${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
+        ${MAILTARGET:+ -t ${MAILTARGET}} \
+        ${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
+        ${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
+        ${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
+        ${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
+        ${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
+        ${CACHESIZE:+ -c ${CACHESIZE}} \
+        ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
+        ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} \
+        || return 2
+}
+
+stop()
+{
+    # Return
+    #   0 if daemon has been stopped
+    #   1 if daemon was already stopped
+    #   2 if daemon could not be stopped
+    #   other if a failure occurred
+    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --name ${NAME}
+}
+
+status()
+{
+    # Return
+    #   0 if daemon is running
+    #   1 if daemon is dead and pid file exists
+    #   3 if daemon is not running
+    #   4 if daemon status is unknown
+    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null
+    case "${?}" in
+      0) [ -e "/run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid" ] && return 1 ; return 3 ;;
+      1) return 0 ;;
+      *) return 4 ;;
+    esac
+}
+
+case "${1}" in
+  start)
+    log_daemon_msg "Starting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
+    start
+    case "${?}" in
+      0)
+        log_end_msg 0
+        start_resolvconf
+        exit 0
+        ;;
+      1)
+        log_success_msg "(already running)"
+        exit 0
+        ;;
+      *)
+        log_end_msg 1
+        exit 1
+        ;;
+    esac
+    ;;
+  stop)
+    stop_resolvconf
+    log_daemon_msg "Stopping ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
+    stop
+    RETVAL="${?}"
+    case "${RETVAL}" in
+      0) log_end_msg 0 ; exit 0 ;;
+      1) log_warning_msg "(not running)" ; exit 0 ;;
+      *) log_end_msg 1; exit 1 ;;
+    esac
+    ;;
+  restart|force-reload)
+    checkconfig
+    if [ ${?} -ne 0 ]; then
+        NAME="configuration syntax check"
+        RETVAL="2"
+    else
+        stop_resolvconf
+        stop
+        RETVAL="${?}"
+    fi
+    log_daemon_msg "Restarting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
+    case "${RETVAL}" in
+      0|1)
+        sleep 2
+        start
+        case "${?}" in
+          0)
+            log_end_msg 0
+            start_resolvconf
+            exit 0
+            ;;
+          *)
+            log_end_msg 1
+            exit 1
+            ;;
+        esac
+        ;;
+      *)
+        log_end_msg 1
+        exit 1
+        ;;
+    esac
+    ;;
+  status)
+    log_daemon_msg "Checking ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
+    status
+    case "${?}" in
+      0) log_success_msg "(running)" ; exit 0 ;;
+      1) log_success_msg "(dead, pid file exists)" ; exit 1 ;;
+      3) log_success_msg "(not running)" ; exit 3 ;;
+      *) log_success_msg "(unknown)" ; exit 4 ;;
+    esac
+    ;;
+  dump-stats)
+    kill -s USR1 `cat /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid`
+    ;;
+  *)
+    echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload|dump-stats|status}" >&2
+    exit 3
+    ;;
+esac
+
+exit 0

debian/dnsmasq.install

@@ -0,0 +1,8 @@
+#!/usr/bin/dh-exec
+debian/resolvconf => /etc/resolvconf/update.d/dnsmasq
+debian/resolvconf-package => /usr/lib/resolvconf/dpkg-event.d/dnsmasq
+debian/init-system-common => /usr/share/dnsmasq/init-system-common
+debian/systemd-helper => /usr/share/dnsmasq/systemd-helper
+dnsmasq.conf.example => /etc/dnsmasq.conf
+debian/readme.dnsmasq.d => /etc/dnsmasq.d/README
+debian/insserv => /etc/insserv.conf.d/dnsmasq

debian/dnsmasq.links

@@ -0,0 +1 @@
+usr/share/dnsmasq-base/trust-anchors.conf usr/share/dnsmasq/trust-anchors.conf

debian/dnsmasq.maintscript

@@ -0,0 +1,2 @@
+# /usr/share/doc/dnsmasq was a symlink in versions < 2.81-1 (see #985282)
+symlink_to_dir /usr/share/doc/dnsmasq dnsmasq-base 2.84-1.2~ dnsmasq

debian/dnsmasq.runscript/run

@@ -15,14 +15,14 @@ then
 fi
 
 # This tells dnsmasq to ignore DNS requests that don't come from a local network.
-# It's automatically ignored if  --interface --except-interface, --listen-address 
+# It's automatically ignored if  --interface --except-interface, --listen-address
 # or --auth-server exist in the configuration, so for most installations, it will
 # have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
 # from being vulnerable to DNS-reflection attacks.
 
 DNSMASQ_OPTS="${DNSMASQ_OPTS:-} --local-service"
 
-# If the dns-root-data package is installed, then the trust anchors will be 
+# If the dns-root-data package is installed, then the trust anchors will be
 # available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
 # --trust-anchor options.
 

debian/dnsmasq.service

@@ -10,19 +10,19 @@ Type=forking
 PIDFile=/run/dnsmasq/dnsmasq.pid
 
 # Test the config file and refuse starting if it is not valid.
-ExecStartPre=/etc/init.d/dnsmasq checkconfig
+ExecStartPre=/usr/share/dnsmasq/systemd-helper checkconfig
 
-# We run dnsmasq via the /etc/init.d/dnsmasq script which acts as a
-# wrapper picking up extra configuration files and then execs dnsmasq
-# itself, when called with the "systemd-exec" function.
-ExecStart=/etc/init.d/dnsmasq systemd-exec
+# We run dnsmasq via the /usr/share/dnsmasq/systemd-helper script which acts
+# as a wrapper picking up extra configuration files and then execs dnsmasq
+# itself, when called with the "exec" function.
+ExecStart=/usr/share/dnsmasq/systemd-helper exec
 
-# The systemd-*-resolvconf functions configure (and deconfigure)
+# The *-resolvconf functions configure (and deconfigure)
 # resolvconf to work with the dnsmasq DNS server. They're called like
 # this to get correct error handling (ie don't start-resolvconf if the
 # dnsmasq daemon fails to start).
-ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf
-ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf
+ExecStartPost=/usr/share/dnsmasq/systemd-helper start-resolvconf
+ExecStop=/usr/share/dnsmasq/systemd-helper stop-resolvconf
 
 
 ExecReload=/bin/kill -HUP $MAINPID

debian/dnsmasq@.service

@@ -10,19 +10,19 @@ Type=forking
 PIDFile=/run/dnsmasq/dnsmasq.%i.pid
 
 # Test the config file and refuse starting if it is not valid.
-ExecStartPre=/etc/init.d/dnsmasq checkconfig "%i"
+ExecStartPre=/usr/share/dnsmasq/systemd-helper checkconfig "%i"
 
-# We run dnsmasq via the /etc/init.d/dnsmasq script which acts as a
-# wrapper picking up extra configuration files and then execs dnsmasq
-# itself, when called with the "systemd-exec" function.
-ExecStart=/etc/init.d/dnsmasq systemd-exec "%i"
+# We run dnsmasq via the /usr/share/dnsmasq/systemd-helper script which acts
+# as a wrapper picking up extra configuration files and then execs dnsmasq
+# itself, when called with the "exec" function.
+ExecStart=/usr/share/dnsmasq/systemd-helper exec "%i"
 
-# The systemd-*-resolvconf functions configure (and deconfigure)
+# The *-resolvconf functions configure (and deconfigure)
 # resolvconf to work with the dnsmasq DNS server. They're called like
 # this to get correct error handling (ie don't start-resolvconf if the
 # dnsmasq daemon fails to start).
-ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf "%i"
-ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf "%i"
+ExecStartPost=/usr/share/dnsmasq/systemd-helper start-resolvconf "%i"
+ExecStop=/usr/share/dnsmasq/systemd-helper stop-resolvconf "%i"
 
 
 ExecReload=/bin/kill -HUP $MAINPID

debian/init

@@ -1,325 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides:       dnsmasq
-# Required-Start: $network $remote_fs $syslog
-# Required-Stop:  $network $remote_fs $syslog
-# Default-Start:  2 3 4 5
-# Default-Stop:   0 1 6
-# Description:    DHCP and DNS server
-### END INIT INFO
-
-# Don't exit on error status
-set +e
-
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-DAEMON=/usr/sbin/dnsmasq
-NAME=dnsmasq
-DESC="DNS forwarder and DHCP server"
-INSTANCE="${2}"
-
-# Most configuration options in /etc/default/dnsmasq are deprecated
-# but still honoured.
-ENABLED=1
-if [ -r /etc/default/${NAME}${INSTANCE:+.${INSTANCE}} ]; then
-    . /etc/default/${NAME}${INSTANCE:+.${INSTANCE}}
-fi
-
-# Get the system locale, so that messages are in the correct language, and the
-# charset for IDN is correct
-if [ -r /etc/default/locale ]; then
-    . /etc/default/locale
-    export LANG
-fi
-
-# The following test ensures the dnsmasq service is not started, when the
-# package 'dnsmasq' is removed but not purged, even if the dnsmasq-base
-# package is still in place.
-test -e /usr/share/dnsmasq/installed-marker || exit 0
-
-test -x ${DAEMON} || exit 0
-
-# Provide skeleton LSB log functions for backports which don't have LSB functions.
-if [ -f /lib/lsb/init-functions ]; then
-    . /lib/lsb/init-functions
-else
-    log_warning_msg () {
-        echo "${@}."
-    }
-
-    log_success_msg () {
-        echo "${@}."
-    }
-
-    log_daemon_msg () {
-        echo -n "${1}: ${2}"
-    }
-
-    log_end_msg () {
-        if [ "${1}" -eq 0 ]; then
-            echo "."
-        elif [ "${1}" -eq 255 ]; then
-            /bin/echo -e " (warning)."
-        else
-            /bin/echo -e " failed!"
-        fi
-    }
-fi
-
-# RESOLV_CONF:
-# If the resolvconf package is installed then use the resolv conf file
-# that it provides as the default.  Otherwise use /etc/resolv.conf as
-# the default.
-#
-# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit
-# filename is set there then this inhibits the use of the resolvconf-provided
-# information.
-#
-# Note that if the resolvconf package is installed it is not possible to
-# override it just by configuration in /etc/dnsmasq.conf, it is necessary
-# to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq.
-
-if [ ! "${RESOLV_CONF}" ] &&
-   [ "${IGNORE_RESOLVCONF}" != "yes" ] &&
-   [ -x /sbin/resolvconf ]
-then
-    RESOLV_CONF=/run/dnsmasq/resolv.conf
-fi
-
-for INTERFACE in ${DNSMASQ_INTERFACE}; do
-    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -i ${INTERFACE}"
-done
-
-for INTERFACE in ${DNSMASQ_EXCEPT}; do
-    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -I ${INTERFACE}"
-done
-
-if [ ! "${DNSMASQ_USER}" ]; then
-   DNSMASQ_USER="dnsmasq"
-fi
-
-# This tells dnsmasq to ignore DNS requests that don't come from a local network.
-# It's automatically ignored if --interface --except-interface, --listen-address
-# or --auth-server exist in the configuration, so for most installations, it will
-# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
-# from being vulnerable to DNS-reflection attacks.
-
-DNSMASQ_OPTS="${DNSMASQ_OPTS} --local-service"
-
-# If the dns-root-data package is installed, then the trust anchors will be
-# available in ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
-# --trust-anchor options.
-
-ROOT_DS="/usr/share/dns/root.ds"
-
-if [ -f ${ROOT_DS} ]; then
-    DNSMASQ_OPTS="$DNSMASQ_OPTS `env LC_ALL=C sed -rne "s/^([.a-zA-Z0-9]+)([[:space:]]+[0-9]+)*([[:space:]]+IN)*[[:space:]]+DS[[:space:]]+/--trust-anchor=\1,/;s/[[:space:]]+/,/gp" $ROOT_DS | tr '\n' ' '`"
-fi
-
-start()
-{
-    # Return
-    #   0 if daemon has been started
-    #   1 if daemon was already running
-    #   2 if daemon could not be started
-
-    # /run may be volatile, so we need to ensure that
-    # /run/dnsmasq exists here as well as in postinst
-    if [ ! -d /run/dnsmasq ]; then
-        mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || return 2 ; }
-        chown dnsmasq:nogroup /run/dnsmasq || return 2
-    fi
-    [ -x /sbin/restorecon ] && /sbin/restorecon /run/dnsmasq
-
-    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null || return 1
-    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} -- \
-        -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
-        ${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
-        ${MAILTARGET:+ -t ${MAILTARGET}} \
-        ${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
-        ${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
-        ${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
-        ${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
-        ${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
-        ${CACHESIZE:+ -c ${CACHESIZE}} \
-        ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
-        ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} \
-        || return 2
-}
-
-start_resolvconf()
-{
-# If interface "lo" is explicitly disabled in /etc/default/dnsmasq
-# Then dnsmasq won't be providing local DNS, so don't add it to
-# the resolvconf server set.
-    for interface in ${DNSMASQ_EXCEPT}; do
-        [ ${interface} = lo ] && return
-    done
-
-    # Also skip this if DNS functionality is disabled in /etc/dnsmasq.conf
-    if grep -qs '^port=0' /etc/dnsmasq.conf; then
-        return
-    fi
-
-    if [ -x /sbin/resolvconf ] ; then
-        echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.${NAME}${INSTANCE:+.${INSTANCE}}
-    fi
-    return 0
-}
-
-stop()
-{
-    # Return
-    #   0 if daemon has been stopped
-    #   1 if daemon was already stopped
-    #   2 if daemon could not be stopped
-    #   other if a failure occurred
-    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --name ${NAME}
-}
-
-stop_resolvconf()
-{
-    if [ -x /sbin/resolvconf ] ; then
-        /sbin/resolvconf -d lo.${NAME}${INSTANCE:+.${INSTANCE}}
-    fi
-    return 0
-}
-
-status()
-{
-    # Return
-    #   0 if daemon is running
-    #   1 if daemon is dead and pid file exists
-    #   3 if daemon is not running
-    #   4 if daemon status is unknown
-    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null
-    case "${?}" in
-      0) [ -e "/run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid" ] && return 1 ; return 3 ;;
-      1) return 0 ;;
-      *) return 4 ;;
-    esac
-}
-
-case "${1}" in
-  start)
-    test "${ENABLED}" != "0" || exit 0
-    log_daemon_msg "Starting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    start
-    case "${?}" in
-      0)
-        log_end_msg 0
-        start_resolvconf
-        exit 0
-        ;;
-      1)
-        log_success_msg "(already running)"
-        exit 0
-        ;;
-      *)
-        log_end_msg 1
-        exit 1
-        ;;
-    esac
-    ;;
-  stop)
-    stop_resolvconf
-    if [ "${ENABLED}" != "0" ]; then
-        log_daemon_msg "Stopping ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    fi
-    stop
-    RETVAL="${?}"
-    if [ "${ENABLED}" = "0" ]; then
-        case "${RETVAL}" in
-          0) log_daemon_msg "Stopping ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"; log_end_msg 0 ;;
-        esac
-        exit 0
-    fi
-    case "${RETVAL}" in
-      0) log_end_msg 0 ; exit 0 ;;
-      1) log_warning_msg "(not running)" ; exit 0 ;;
-      *) log_end_msg 1; exit 1 ;;
-    esac
-    ;;
-  checkconfig)
-    ${DAEMON} --test ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} >/dev/null 2>&1
-    RETVAL="${?}"
-    exit ${RETVAL}
-    ;;
-  restart|force-reload)
-    test "${ENABLED}" != "0" || exit 1
-    ${DAEMON} --test ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} >/dev/null 2>&1
-    if [ ${?} -ne 0 ]; then
-        NAME="configuration syntax check"
-        RETVAL="2"
-    else
-        stop_resolvconf
-        stop
-        RETVAL="${?}"
-    fi
-    log_daemon_msg "Restarting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    case "${RETVAL}" in
-      0|1)
-        sleep 2
-        start
-        case "${?}" in
-          0)
-            log_end_msg 0
-            start_resolvconf
-            exit 0
-            ;;
-          *)
-            log_end_msg 1
-            exit 1
-            ;;
-        esac
-        ;;
-      *)
-        log_end_msg 1
-        exit 1
-        ;;
-    esac
-    ;;
-  status)
-    log_daemon_msg "Checking ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    status
-    case "${?}" in
-      0) log_success_msg "(running)" ; exit 0 ;;
-      1) log_success_msg "(dead, pid file exists)" ; exit 1 ;;
-      3) log_success_msg "(not running)" ; exit 3 ;;
-      *) log_success_msg "(unknown)" ; exit 4 ;;
-    esac
-    ;;
-  dump-stats)
-    kill -s USR1 `cat /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid`
-    ;;
-  systemd-start-resolvconf)
-    start_resolvconf
-    ;;
-  systemd-stop-resolvconf)
-    stop_resolvconf
-    ;;
-  systemd-exec)
-    # /run may be volatile, so we need to ensure that
-    # /run/dnsmasq exists here as well as in postinst
-    if [ ! -d /run/dnsmasq ]; then
-        mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || return 2 ; }
-        chown dnsmasq:nogroup /run/dnsmasq || return 2
-    fi
-    exec ${DAEMON} -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
-        ${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
-        ${MAILTARGET:+ -t ${MAILTARGET}} \
-        ${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
-        ${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
-        ${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
-        ${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
-        ${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
-        ${CACHESIZE:+ -c ${CACHESIZE}} \
-        ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
-        ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}}
-    ;;
-  *)
-    echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload|dump-stats|status}" >&2
-    exit 3
-    ;;
-esac
-
-exit 0

debian/init-system-common

@@ -0,0 +1,102 @@
+# -*- shell-script -*-
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/dnsmasq
+NAME=dnsmasq
+DESC="DNS forwarder and DHCP server"
+INSTANCE="${2}"
+
+# Most configuration options in /etc/default/dnsmasq are deprecated
+# but still honoured.
+if [ -r /etc/default/${NAME}${INSTANCE:+.${INSTANCE}} ]; then
+    . /etc/default/${NAME}${INSTANCE:+.${INSTANCE}}
+fi
+
+# Get the system locale, so that messages are in the correct language, and the
+# charset for IDN is correct
+if [ -r /etc/default/locale ]; then
+    . /etc/default/locale
+    export LANG
+fi
+
+# RESOLV_CONF:
+# If the resolvconf package is installed then use the resolv conf file
+# that it provides as the default.  Otherwise use /etc/resolv.conf as
+# the default.
+#
+# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit
+# filename is set there then this inhibits the use of the resolvconf-provided
+# information.
+#
+# Note that if the resolvconf package is installed it is not possible to
+# override it just by configuration in /etc/dnsmasq.conf, it is necessary
+# to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq.
+
+if [ ! "${RESOLV_CONF}" ] &&
+   [ "${IGNORE_RESOLVCONF}" != "yes" ] &&
+   [ -x /sbin/resolvconf ]
+then
+    RESOLV_CONF=/run/dnsmasq/resolv.conf
+fi
+
+for INTERFACE in ${DNSMASQ_INTERFACE}; do
+    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -i ${INTERFACE}"
+done
+
+for INTERFACE in ${DNSMASQ_EXCEPT}; do
+    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -I ${INTERFACE}"
+done
+
+if [ ! "${DNSMASQ_USER}" ]; then
+    DNSMASQ_USER="dnsmasq"
+fi
+
+# This tells dnsmasq to ignore DNS requests that don't come from a local network.
+# It's automatically ignored if --interface --except-interface, --listen-address
+# or --auth-server exist in the configuration, so for most installations, it will
+# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
+# from being vulnerable to DNS-reflection attacks.
+
+DNSMASQ_OPTS="${DNSMASQ_OPTS} --local-service"
+
+# If the dns-root-data package is installed, then the trust anchors will be
+# available in ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
+# --trust-anchor options.
+
+ROOT_DS="/usr/share/dns/root.ds"
+
+if [ -f ${ROOT_DS} ]; then
+    DNSMASQ_OPTS="$DNSMASQ_OPTS `env LC_ALL=C sed -rne "s/^([.a-zA-Z0-9]+)([[:space:]]+[0-9]+)*([[:space:]]+IN)*[[:space:]]+DS[[:space:]]+/--trust-anchor=\1,/;s/[[:space:]]+/,/gp" $ROOT_DS | tr '\n' ' '`"
+fi
+
+checkconfig()
+{
+    ${DAEMON} --test ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} >/dev/null 2>&1
+}
+
+start_resolvconf()
+{
+# If interface "lo" is explicitly disabled in /etc/default/dnsmasq
+# Then dnsmasq won't be providing local DNS, so don't add it to
+# the resolvconf server set.
+    for interface in ${DNSMASQ_EXCEPT}; do
+        [ ${interface} = lo ] && return
+    done
+
+    # Also skip this if DNS functionality is disabled in /etc/dnsmasq.conf
+    if grep -qs '^port=0' /etc/dnsmasq.conf; then
+        return
+    fi
+
+    if [ -x /sbin/resolvconf ] ; then
+        echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.${NAME}${INSTANCE:+.${INSTANCE}}
+    fi
+    return 0
+}
+
+stop_resolvconf()
+{
+    if [ -x /sbin/resolvconf ] ; then
+        /sbin/resolvconf -d lo.${NAME}${INSTANCE:+.${INSTANCE}}
+    fi
+    return 0
+}

debian/installed-marker

@@ -1,2 +0,0 @@
-# This file indicates dnsmasq (and not just dnsmasq-base) is installed.
-# It is an implementation detail of the dnsmasq init script.

debian/lintian-override

@@ -1,3 +0,0 @@
-# dnsmasq-base and dnsmasq-base-lua are mutually exclusive and both
-# provide /usr/share/doc/dnsmasq-base
-dnsmasq-base-lua binary: usr-share-doc-symlink-without-dependency dnsmasq-base

debian/patches/eliminate-privacy-breaches.patch

@@ -0,0 +1,40 @@
+Description: Remove or replace privacy breaching logos and forms
+ Lintian complains about these by issuing the tags privacy-breach-logo and
+ privacy-breach-donation.
+Forwarded: not-needed
+Author: Sven Geuer <debmaint@g-e-u-e-r.de>
+Last-Update: 2023-11-18
+
+--- a/doc.html
++++ b/doc.html
+@@ -1,14 +1,11 @@
+ <HTML>
+ <HEAD>
+ <TITLE> Dnsmasq - network services for small networks.</TITLE>
+-<link rel="icon" href="http://www.thekelleys.org.uk/dnsmasq/images/favicon.ico">
+ </HEAD>
+ <BODY BGCOLOR="WHITE"> 
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+-<td align="left" valign="middle"><img border="0" src="http://www.thekelleys.org.uk/dnsmasq/images/icon.png" /></td>
+ <td align="middle" valign="middle"><h1>Dnsmasq</h1></td>
+-<td align="right" valign="middle"><img border="0" src="http://www.thekelleys.org.uk/dnsmasq/images/icon.png" /></td></tr>
+ </table>
+ Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be 
+ lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used 
+@@ -88,14 +85,6 @@
+ Dnsmasq is mainly written and maintained by Simon Kelley. For most of its life, dnsmasq has been a spare-time project. 
+ These days I'm working on it as my main activity. 
+ I don't have an employer or anyone who pays me regularly to work on dnsmasq. If you'd like to make 
+-a contribution towards my expenses, please use the donation button below.
+-<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
+-<input type="hidden" name="cmd" value="_s-xclick">
+-<input type="hidden" name="hosted_button_id" value="V3X9GVW5GX6DA">
+-<input type="image" src="https://www.paypalobjects.com/en_US/GB/i/btn/btn_donateCC_LG.gif" border="0" name="submit" alt="PayPal – The safer, easier way to pay online.">
+-<img alt="" border="0" src="https://www.paypalobjects.com/en_GB/i/scr/pixel.gif" width="1" height="1">
+-</form>
+-
+-
++a contribution towards my expenses, please use the donation button at <A HREF="https://www.thekelleys.org.uk/dnsmasq/doc.html">the project's home page</A>.
+ </BODY>
+ 

debian/patches/series

@@ -0,0 +1 @@
+eliminate-privacy-breaches.patch

debian/postinst

@@ -1,41 +0,0 @@
-#!/bin/sh
-set -e
-
-# /usr/share/doc/dnsmasq was a symlink in versions < 2.81-1 (see #985282)
-dpkg-maintscript-helper symlink_to_dir /usr/share/doc/dnsmasq dnsmasq-base 2.84-1.2~ dnsmasq -- "$@"
-
-# Code copied from dh_systemd_enable ----------------------
-# This will only remove masks created by d-s-h on package removal.
-deb-systemd-helper unmask dnsmasq.service >/dev/null || true
-
-# was-enabled defaults to true, so new installations run enable.
-if deb-systemd-helper --quiet was-enabled dnsmasq.service; then
-	# Enables the unit on first installation, creates new
-	# symlinks on upgrades if the unit file has changed.
-	deb-systemd-helper enable dnsmasq.service >/dev/null || true
-else
-	# Update the statefile to add new symlinks (if any), which need to be
-	# cleaned up on purge. Also remove old symlinks.
-	deb-systemd-helper update-state dnsmasq.service >/dev/null || true
-fi
-# End code copied from dh_systemd_enable ------------------
-
-if [ -x /etc/init.d/dnsmasq ]; then
-   update-rc.d dnsmasq defaults 15 85 >/dev/null
-
-   if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
-      if [ -e /run/dnsmasq/dnsmasq.pid ]; then
-          ACTION=restart
-      else
-          ACTION=start
-      fi
-
-      if [ -x /usr/sbin/invoke-rc.d ] ; then
-         invoke-rc.d dnsmasq $ACTION || true
-      else
-         /etc/init.d/dnsmasq $ACTION || true
-      fi
-   fi
-fi
-
-

debian/postrm

@@ -1,25 +0,0 @@
-#!/bin/sh
-set -e
-
-# /usr/share/doc/dnsmasq was a symlink in versions < 2.81-1 (see #985282)
-dpkg-maintscript-helper symlink_to_dir /usr/share/doc/dnsmasq dnsmasq-base 2.84-1.2~ dnsmasq -- "$@"
-
-if [ purge = "$1" ]; then
-   update-rc.d dnsmasq remove >/dev/null
-fi
-
-# Code copied from dh_systemd_enable ----------------------
-if [ "$1" = "remove" ]; then
-	if [ -x "/usr/bin/deb-systemd-helper" ]; then
-		deb-systemd-helper mask dnsmasq.service >/dev/null
-	fi
-fi
-
-if [ "$1" = "purge" ]; then
-	if [ -x "/usr/bin/deb-systemd-helper" ]; then
-		deb-systemd-helper purge dnsmasq.service >/dev/null
-		deb-systemd-helper unmask dnsmasq.service >/dev/null
-	fi
-fi
-# End code copied from dh_systemd_enable ------------------
-

debian/preinst

@@ -1,5 +0,0 @@
-#!/bin/sh
-set -e
-
-# /usr/share/doc/dnsmasq was a symlink in versions < 2.81-1 (see #985282)
-dpkg-maintscript-helper symlink_to_dir /usr/share/doc/dnsmasq dnsmasq-base 2.84-1.2~ dnsmasq -- "$@"

debian/prerm

@@ -1,14 +0,0 @@
-#!/bin/sh
-set -e
-
-if [ "$1" = "remove" ]; then
-  if [ -x /usr/sbin/invoke-rc.d ] ; then
-      invoke-rc.d dnsmasq stop || true
-  else
-      /etc/init.d/dnsmasq stop || true
-  fi
-fi
-
-exit 0
-
-

debian/readme

@@ -4,13 +4,13 @@ Notes on configuring dnsmasq as packaged for Debian.
     commented; see also the dnsmasq.8 man page for explanation of
     the options. The file /etc/default/dnsmasq also exists but it
     shouldn't need to be touched in most cases. To set up DHCP
-    options you might need to refer to a copy of RFC 2132. This is 
+    options you might need to refer to a copy of RFC 2132. This is
     available on Debian systems in the package doc-rfc-std as the file
     /usr/share/doc/RFC/draft-standard/rfc2132.txt.gz .
 
 (2) Installing the dnsmasq package also creates the directory
     /etc/dnsmasq.d which is searched by dnsmasq for configuration file
-    fragments. This behaviour can be disabled by editing 
+    fragments. This behaviour can be disabled by editing
     /etc/default/dnsmasq.
 
 (3) If the Debian resolvconf package is installed then, regardless
@@ -30,25 +30,25 @@ Notes on configuring dnsmasq as packaged for Debian.
     generated file /etc/ppp/resolv.conf.  You should list 127.0.0.1
     as the first nameserver address in /etc/resolv.conf.
 
-(6) In the absence of resolvconf, dns-nameservers lines in 
+(6) In the absence of resolvconf, dns-nameservers lines in
     /etc/network/interfaces are ignored. If you do not use
     resolvconf, list 127.0.0.1 as the first nameserver address
     in /etc/resolv.conf and configure your nameservers using
     "server=<IP-address>" lines in /etc/dnsmasq.conf.
 
 (7) If you run multiple DNS servers on a single machine, each
-    listening on a different interface, then it is necessary to use 
-    the bind-interfaces option by uncommenting "bind-interfaces" in 
-    /etc/dnsmasq.conf. This option stops dnsmasq from binding the 
+    listening on a different interface, then it is necessary to use
+    the bind-interfaces option by uncommenting "bind-interfaces" in
+    /etc/dnsmasq.conf. This option stops dnsmasq from binding the
     wildcard address and allows servers listening on port 53 on
-    interfaces not in use by dnsmasq to work. The Debian 
+    interfaces not in use by dnsmasq to work. The Debian
     libvirt package will add a configuration file in /etc/dnsmasq.d
     which does this so that the "system" dnsmasq and "private" dnsmasq
     instances started by libvirt do not clash.
 
 (8) The following options are supported in DEB_BUILD_OPTIONS
       noopt       : compile without optimisation.
-      nostrip     : don't remove symbols from binary. 
+      nostrip     : don't remove symbols from binary.
       nodocs      : omit documentation.
       notftp      : omit TFTP support.
       nodhcp      : omit DHCP support.
@@ -58,7 +58,7 @@ Notes on configuring dnsmasq as packaged for Debian.
                     in Lua.
       noipv6      : omit IPv6 support.
       nodbus      : omit DBus support.
-      noconntrack : omit connection tracking support. 
+      noconntrack : omit connection tracking support.
       noipset     : omit IPset support.
       nonftset    : omit nftset support.
       nortc       : compile alternate mode suitable for systems without an RTC.
@@ -67,7 +67,7 @@ Notes on configuring dnsmasq as packaged for Debian.
                     combined with noi18n to be effective.
       gitversion  : set the version of the produced packages from the
                     git-derived versioning information on the source,
-                    rather than the debian changelog. 
+                    rather than the debian changelog.
 
 (9) Dnsmasq comes as three packages - dnsmasq-utils, dnsmasq-base and
     dnsmasq. Dnsmasq-base provides the dnsmasq executable and
@@ -76,5 +76,5 @@ Notes on configuring dnsmasq as packaged for Debian.
     infrastructure. This file assumes that both are installed. It is
     possible to install only dnsmasq-base and use dnsmasq as a
     non-"system" daemon. Libvirt, for instance, does this.
-    Dnsmasq-utils provides the utilities dhcp_release and 
+    Dnsmasq-utils provides the utilities dhcp_release and
     dhcp_lease_time.

debian/resolvconf

@@ -48,7 +48,7 @@ RSLVCNFFILES=""
 for F in $(/lib/resolvconf/list-records --after "lo.$MY_NAME_FOR_RESOLVCONF") ; do
 	case "$F" in
 	    "lo.$MY_NAME_FOR_RESOLVCONF")
-		# Omit own record	 
+		# Omit own record
 		;;
 	    lo.*)
 		# Include no more records after one for a local nameserver

debian/rules

@@ -1,309 +1,127 @@
 #!/usr/bin/make -f
-# debian/rules file - for dnsmasq.
-# Copyright 2001-2020 by Simon Kelley
-# Based on the sample in the debian hello package which carries the following:
-# Copyright 1994,1995 by Ian Jackson.
-# I hereby give you perpetual unlimited permission to copy,
-# modify and relicense this file, provided that you do not remove
-# my name from the file itself.  (I assert my moral right of
-# paternity under the Copyright, Designs and Patents Act 1988.)
-# This file may have to be extensively modified
+# -*- makefile -*-
 
-package=dnsmasq-base
+# Uncomment this to turn on verbose mode.
+export DH_VERBOSE=1
 
-dpkg_buildflags := DEB_BUILD_MAINT_OPTIONS="hardening=+all,+pie,+bindnow" dpkg-buildflags
+# Make sure lintian does not complain about missing hardenings.
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 
-CFLAGS = $(shell $(dpkg_buildflags) --get CFLAGS)
-CFLAGS += $(shell $(dpkg_buildflags) --get CPPFLAGS)
-CFLAGS += -Wall -W
+include /usr/share/dpkg/architecture.mk
 
-LDFLAGS = $(shell $(dpkg_buildflags) --get LDFLAGS)
-
-DEB_COPTS = $(COPTS)
-
-TARGET = install-i18n
-
-DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
-DEB_HOST_GNU_TYPE := $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
-DEB_BUILD_GNU_TYPE := $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
-BUILD_DATE := $(shell dpkg-parsechangelog --show-field Date)
-
-ifeq ($(origin CC),default)
-     CC = $(DEB_HOST_GNU_TYPE)-gcc
-endif
-
-# Support non-cross-builds on systems without gnu-triplet-binaries for pkg-config.
-ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
-     PKG_CONFIG=pkg-config
-else
-     PKG_CONFIG=$(DEB_HOST_GNU_TYPE)-pkg-config	
-endif
-
-# Force package version based on git tags.
-ifneq (,$(filter gitversion,$(DEB_BUILD_OPTIONS)))
-     PACKAGE_VERSION = $(shell bld/get-version `pwd` |  sed 's/test/~&/; s/[a-z]/~&/;  s/-/./g; s/$$/-1/; s/^/-v/';)
-endif
+PREFIX = /usr
+# Upstream does not handle CPPFLAGS, so we add it to CFLAGS here.
+CFLAGS += $(CPPFLAGS)
+COPTS =
 
 ifeq (,$(filter nodbus,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_DBUS
+	COPTS += -DHAVE_DBUS
 endif
 
 ifeq (,$(filter noidn, $(DEB_BUILD_OPTIONS)))
-	DEB_COPTS += -DHAVE_LIBIDN2
+	COPTS += -DHAVE_LIBIDN2
 endif
 
 ifeq (,$(filter nonftset, $(DEB_BUILD_OPTIONS)))
-	DEB_COPTS += -DHAVE_NFTSET
+	COPTS += -DHAVE_NFTSET
 endif
 
 ifeq (,$(filter noconntrack,$(DEB_BUILD_OPTIONS)))
 ifeq ($(DEB_HOST_ARCH_OS),linux)
-     DEB_COPTS += -DHAVE_CONNTRACK
+	COPTS += -DHAVE_CONNTRACK
 endif
 endif
 
 ifneq (,$(filter noipset,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_IPSET
+	COPTS += -DNO_IPSET
 endif
 
 ifneq (,$(filter nodhcp6,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_DHCP6
+	COPTS += -DNO_DHCP6
 endif
 
 ifneq (,$(filter noipv6,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_IPV6
+	COPTS += -DNO_IPV6
 endif
 
 ifneq (,$(filter notftp,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_TFTP
+	COPTS += -DNO_TFTP
 endif
 
 ifneq (,$(filter nodhcp,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_DHCP
+	COPTS += -DNO_DHCP
 endif
 
 ifneq (,$(filter noscript,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_SCRIPT
+	COPTS += -DNO_SCRIPT
 endif
 
 ifneq (,$(filter nortc,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_BROKEN_RTC
-endif
-
-ifneq (,$(filter noi18n,$(DEB_BUILD_OPTIONS)))
-     TARGET = install
-endif
-
-ifneq (,$(filter uselua,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_LUASCRIPT
+	COPTS += -DHAVE_BROKEN_RTC
 endif
 
 ifeq (,$(filter nodnssec,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_DNSSEC
+	COPTS += -DHAVE_DNSSEC
 endif
 
-ifeq ($(DEB_HOST_ARCH_OS),kfreebsd)
-     # For strlcpy in FreeBSD
-     LIBS += $(shell ${PKG_CONFIG} --libs libbsd-overlay)
-     CFLAGS += $(shell ${PKG_CONFIG} --cflags libbsd-overlay)
-endif
 
-define build_tree
-	rm -rf $1
-	install -m 755 \
-		-d $1/DEBIAN \
-		-d $1/etc/dbus-1/system.d \
-	        -d $1/usr/share/doc/$(package) \
-		-d $1/usr/share/doc/$(package)/examples \
-		-d $1/usr/share/$(package) \
-	        -d $1/var/lib/misc
-
-endef
-
-define add_docs
-# Need to remove paypal links in Debian Package for policy reasons.
-	sed -e /\<H2\>Donations/Q -e /icon.png/d doc.html -e /favicon.ico/d >$1/usr/share/doc/$(package)/doc.html
-	echo "</BODY>" >>$1/usr/share/doc/$(package)/doc.html 
-	install -m 644 setup.html $1/usr/share/doc/$(package)/.
-	install -m 644 dnsmasq.conf.example $1/usr/share/doc/$(package)/examples/.
-	install -m 644 FAQ $1/usr/share/doc/$(package)/.
-	gzip -9n $1/usr/share/doc/$(package)/FAQ
-	install -m 644 CHANGELOG $1/usr/share/doc/$(package)/changelog
-	gzip -9n $1/usr/share/doc/$(package)/changelog
-	install -m 644 CHANGELOG.archive $1/usr/share/doc/$(package)/changelog.archive
-	gzip -9n $1/usr/share/doc/$(package)/changelog.archive
-	install -m 644 dbus/DBus-interface $1/usr/share/doc/$(package)/.
-	gzip -9n $1/usr/share/doc/$(package)/DBus-interface	
-	install -m 644 debian/systemd_howto $1/usr/share/doc/$(package)/.
-	gzip -9n $1/usr/share/doc/$(package)/systemd_howto
-	gzip -9n $1/usr/share/man/man8/dnsmasq.8
-	for f in $1/usr/share/man/*; do \
-		if [ -f $$f/man8/dnsmasq.8 ]; then \
-                       gzip -9n $$f/man8/dnsmasq.8 ; \
-                fi \
-	done
-endef
-
-define add_files
-	install -m 644 trust-anchors.conf $1/usr/share/$(package)/.
-	install -m 644 debian/dnsmasq-base.conffiles $1/DEBIAN/conffiles
-	install -m 755 debian/dnsmasq-base.postinst $1/DEBIAN/postinst
-	install -m 755 debian/dnsmasq-base.postrm  $1/DEBIAN/postrm
-	install -m 644 debian/changelog $1/usr/share/doc/$(package)/changelog.Debian
-	gzip -9n $1/usr/share/doc/$(package)/changelog.Debian
-	install -m 644 debian/readme $1/usr/share/doc/$(package)/README.Debian
-	install -m 644 debian/copyright $1/usr/share/doc/$(package)/copyright
-	install -m 644 debian/dbus.conf $1/etc/dbus-1/system.d/dnsmasq.conf
-endef
-
-clean:
-	$(checkdir)
-	make BUILDDIR=debian/build/no-lua clean
-	make BUILDDIR=debian/build/lua clean
-	make -C contrib/lease-tools clean
-	rm -rf debian/build debian/trees debian/*~ debian/files debian/substvars debian/utils-substvars
-
-binary-indep:	checkroot
-	$(checkdir)
-	rm -rf debian/trees/daemon
-	install -m 755 \
-	        -d debian/trees/daemon/DEBIAN \
-		-d debian/trees/daemon/usr/share/doc/dnsmasq \
-	        -d debian/trees/daemon/etc/init.d \
-		-d debian/trees/daemon/etc/dnsmasq.d \
-	        -d debian/trees/daemon/etc/resolvconf/update.d \
-		-d debian/trees/daemon/usr/lib/resolvconf/dpkg-event.d \
-		-d debian/trees/daemon/usr/share/dnsmasq \
-		-d debian/trees/daemon/usr/share/doc/dnsmasq \
-	        -d debian/trees/daemon/etc/default \
-		-d debian/trees/daemon/lib/systemd/system \
-		-d debian/trees/daemon/usr/lib/tmpfiles.d \
-                -d debian/trees/daemon/etc/insserv.conf.d
-	install -m 644 debian/conffiles debian/trees/daemon/DEBIAN
-	install -m 755 debian/postinst debian/postrm debian/preinst debian/prerm debian/trees/daemon/DEBIAN
-	if ! dpkg-vendor --derives-from Ubuntu; then \
-                rm -f debian/dnsmasq.postinst.debhelper debian/dnsmasq.postrm.debhelper; \
-	      	dh_runit -pdnsmasq -Pdebian/trees/daemon; \
-		cat debian/dnsmasq.postinst.debhelper >> debian/trees/daemon/DEBIAN/postinst; \
-		cat debian/dnsmasq.postrm.debhelper   >> debian/trees/daemon/DEBIAN/postrm; \
-		cd debian/trees/daemon && find etc/sv -type f -printf '/%p\n' >>DEBIAN/conffiles; \
+%:
+	# Ubuntu and derivates do not support runit, see
+	# https://bugs.debian.org/960401 for details.
+	if dpkg-vendor --derives-from Ubuntu; then \
+		dh $@; \
+	else \
+		dh $@ --with runit; \
 	fi
-	install -m 755 debian/init debian/trees/daemon/etc/init.d/dnsmasq
-	install -m 755 debian/resolvconf debian/trees/daemon/etc/resolvconf/update.d/dnsmasq
-	install -m 755 debian/resolvconf-package debian/trees/daemon/usr/lib/resolvconf/dpkg-event.d/dnsmasq
-	install -m 644 debian/installed-marker debian/trees/daemon/usr/share/dnsmasq
-	install -m 644 debian/default debian/trees/daemon/etc/default/dnsmasq
-	install -m 644 dnsmasq.conf.example debian/trees/daemon/etc/dnsmasq.conf
-	install -m 644 debian/readme.dnsmasq.d debian/trees/daemon/etc/dnsmasq.d/README
-	install -m 644 debian/systemd.service debian/trees/daemon/lib/systemd/system/dnsmasq.service
-	install -m 644 debian/systemd@.service debian/trees/daemon/lib/systemd/system/dnsmasq@.service
-	install -m 644 debian/tmpfiles.conf debian/trees/daemon/usr/lib/tmpfiles.d/dnsmasq.conf
-	install -m 644 debian/insserv debian/trees/daemon/etc/insserv.conf.d/dnsmasq
-	install -m 644 debian/copyright debian/trees/daemon/usr/share/doc/dnsmasq/copyright
-	install -m 644 debian/changelog debian/trees/daemon/usr/share/doc/dnsmasq/changelog.Debian
-	gzip -9n debian/trees/daemon/usr/share/doc/dnsmasq/changelog.Debian
-	cd debian/trees/daemon && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums	
-	dpkg-gencontrol $(PACKAGE_VERSION) -Tdebian/dnsmasq.substvars -pdnsmasq -Pdebian/trees/daemon
-	find debian/trees/daemon -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/trees/daemon
-	chmod -R g-ws debian/trees/daemon
-	dpkg --build debian/trees/daemon ..
 
-binary-arch:	checkroot 
-	$(call build_tree,debian/trees/base)
-	make $(TARGET) BUILDDIR=debian/build/no-lua PREFIX=/usr DESTDIR=`pwd`/debian/trees/base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG) LIBS="$(LIBS)"
+# Upstream builds and installs in one go, so do we.
+override_dh_auto_build:
+
+override_dh_auto_install:
+	dh_auto_build -p dnsmasq-base --no-parallel -- install-i18n \
+		BUILDDIR=debian/auto-build/dnsmasq-base \
+		DESTDIR=$(CURDIR)/debian/dnsmasq-base \
+		PREFIX=$(PREFIX) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+		COPTS="$(COPTS)"
+	dh_auto_build -p dnsmasq-base-lua --no-parallel -- install-i18n \
+		BUILDDIR=debian/auto-build/dnsmasq-base-lua \
+		DESTDIR=$(CURDIR)/debian/dnsmasq-base-lua \
+		PREFIX=$(PREFIX) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+		LUA=lua5.4 COPTS="$(COPTS) -DHAVE_LUASCRIPT"
+	dh_auto_build -p dnsmasq-utils -D contrib/lease-tools
+
+override_dh_auto_clean:
+	dh_auto_clean -p dnsmasq-base -- \
+		BUILDDIR=debian/auto-build/dnsmasq-base
+	dh_auto_clean -p dnsmasq-base-lua -- \
+		BUILDDIR=debian/auto-build/dnsmasq-base-lua
+	rm -rf debian/auto-build
+	dh_auto_clean -p dnsmasq-utils -D contrib/lease-tools
+
+override_dh_install:
+	dh_install -p dnsmasq-utils --sourcedir=contrib/lease-tools
+	dh_install --remaining-packages
+
+# If 'nodoc' is absent from DEB_BUILD_OPTIONS, Correct name or location of
+# some doc files.
+# We would prefer do this via dh-exec if it would support dh_installdocs.
 ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
-	$(call add_docs,debian/trees/base)
-else	
-	rm -rf debian/trees/base/usr/share/man
-endif
-	$(call add_files,debian/trees/base)
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/base/usr/sbin/dnsmasq
-endif
-	cd debian/trees/base && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
-	dpkg-shlibdeps --warnings=1 debian/trees/base/usr/sbin/dnsmasq
-	dpkg-gencontrol $(PACKAGE_VERSION) -pdnsmasq-base -Pdebian/trees/base
-	find debian/trees/base -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/trees/base
-	chmod -R g-ws debian/trees/base 
-	dpkg --build debian/trees/base ..
-
-	$(call build_tree,debian/trees/lua-base)
-	make $(TARGET) BUILDDIR=debian/build/lua PREFIX=/usr DESTDIR=`pwd`/debian/trees/lua-base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="-DHAVE_LUASCRIPT $(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG) LIBS="$(LIBS)"
-ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
-	$(call add_docs,debian/trees/lua-base)
-else	
-	rm -rf debian/trees/lua-base/usr/share/man
-endif
-	$(call add_files,debian/trees/lua-base)
-	install -m 755 -d debian/trees/lua-base/usr/share/lintian/overrides
-	install -m 644 debian/lintian-override debian/trees/lua-base/usr/share/lintian/overrides/dnsmasq-base-lua
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/lua-base/usr/sbin/dnsmasq
-endif
-	ln -s $(package) debian/trees/lua-base/usr/share/doc/dnsmasq-base-lua
-	cd debian/trees/lua-base && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
-	dpkg-shlibdeps --warnings=1 debian/trees/lua-base/usr/sbin/dnsmasq
-	dpkg-gencontrol $(PACKAGE_VERSION) -pdnsmasq-base-lua -Pdebian/trees/lua-base
-	find debian/trees/lua-base -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/trees/lua-base
-	chmod -R g-ws debian/trees/lua-base 
-	dpkg --build debian/trees/lua-base ..
-
-
-ifeq ($(DEB_HOST_ARCH_OS),linux)
-	rm -rf debian/trees/utils
-	install -m 755 -d debian/trees/utils/DEBIAN \
-	               -d debian/trees/utils/usr/bin \
-                       -d debian/trees/utils/usr/share/doc/dnsmasq-utils
-ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
-	install -m 755 -d debian/trees/utils/usr/share/man/man1
-endif
-	make -C contrib/lease-tools PREFIX=/usr DESTDIR=`pwd`/debian/trees/utils CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG) LIBS="$(LIBS)"
-	install -m 755 contrib/lease-tools/dhcp_release debian/trees/utils/usr/bin/dhcp_release
-	install -m 755 contrib/lease-tools/dhcp_release6 debian/trees/utils/usr/bin/dhcp_release6
-	install -m 755 contrib/lease-tools/dhcp_lease_time debian/trees/utils/usr/bin/dhcp_lease_time
-ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
-	install -m 644 contrib/lease-tools/dhcp_release.1 debian/trees/utils/usr/share/man/man1/dhcp_release.1
-	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_release.1
-	install -m 644 contrib/lease-tools/dhcp_release6.1 debian/trees/utils/usr/share/man/man1/dhcp_release6.1
-	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_release6.1
-	install -m 644 contrib/lease-tools/dhcp_lease_time.1 debian/trees/utils/usr/share/man/man1/dhcp_lease_time.1
-	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_lease_time.1
-endif
-	install -m 644 debian/copyright debian/trees/utils/usr/share/doc/dnsmasq-utils/copyright
-	install -m 644 debian/changelog debian/trees/utils/usr/share/doc/dnsmasq-utils/changelog.Debian
-	gzip -9n debian/trees/utils/usr/share/doc/dnsmasq-utils/changelog.Debian
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/utils/usr/bin/dhcp_release
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/utils/usr/bin/dhcp_release6
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/utils/usr/bin/dhcp_lease_time
-endif	
-	cd debian/trees/utils && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
-	dpkg-shlibdeps -Tdebian/utils-substvars debian/trees/utils/usr/bin/dhcp_release debian/trees/utils/usr/bin/dhcp_release6 debian/trees/utils/usr/bin/dhcp_lease_time 
-	dpkg-gencontrol $(PACKAGE_VERSION) -Tdebian/utils-substvars -pdnsmasq-utils -Pdebian/trees/utils
-	find debian/trees/utils -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/trees/utils
-	chmod -R g-ws debian/trees/utils 
-	dpkg --build debian/trees/utils ..
+execute_after_dh_installdocs:
+	for d in $(CURDIR)/debian/dnsmasq-base*/usr/share/doc/dnsmasq-base*; do \
+		cd $$d; \
+		mv readme README.Debian; \
+		mv CHANGELOG.archive changelog.archive; \
+		mkdir examples; \
+		mv dnsmasq.conf.example examples/; \
+	done
 endif
 
-define checkdir
-	test -f Makefile -a -f debian/rules
-endef
-
-# Below here is fairly generic really
-
-binary:		binary-arch binary-indep
-
-build:		
-build-arch:
-build-indep:
-
-checkroot:
-	test root = "`whoami`"
-
-.PHONY: binary binary-arch binary-indep clean checkroot
-
-
+# If 'nodoc' is present in DEB_BUILD_OPTIONS, drop the man pages already
+# installed by the upstream build script. Then, let dh_installman do what
+# else needs doing.
+override_dh_installman:
+ifneq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
+	rm -rf debian/dnsmasq-base*/usr/share/man
+endif
+	dh_installman -p dnsmasq-utils --sourcedir=contrib/lease-tools
+	dh_installman --remaining-packages

debian/source/format

@@ -1 +1 @@
-1.0
+3.0 (quilt)

debian/systemd-helper

@@ -0,0 +1,34 @@
+#!/bin/sh
+
+. /usr/share/dnsmasq/init-system-common
+
+case "$1" in
+	checkconfig)
+		checkconfig
+		;;
+	start-resolvconf)
+		start_resolvconf
+		;;
+	stop-resolvconf)
+		stop_resolvconf
+		;;
+	exec)
+		# /run may be volatile, so we need to ensure that
+		# /run/dnsmasq exists here as well as in postinst
+		if [ ! -d /run/dnsmasq ]; then
+			mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || exit 2 ; }
+			chown dnsmasq:nogroup /run/dnsmasq || exit 2
+		fi
+		exec ${DAEMON} -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
+			${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
+			${MAILTARGET:+ -t ${MAILTARGET}} \
+			${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
+			${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
+			${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
+			${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
+			${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
+			${CACHESIZE:+ -c ${CACHESIZE}} \
+			${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
+			${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}}
+		;;
+esac

debian/tests/compile-time-options

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+. debian/tests/functions
+
+check_compile_time_options

debian/tests/compile-time-options+lua

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+. debian/tests/functions
+
+check_compile_time_options +lua

debian/tests/control

@@ -0,0 +1,39 @@
+Tests: compile-time-options
+Depends: dnsmasq,
+         dnsmasq-base,
+Restrictions: needs-root,
+              isolation-container,
+
+Tests: compile-time-options+lua
+Depends: dnsmasq,
+         dnsmasq-base-lua,
+Restrictions: needs-root,
+              isolation-container,
+
+Tests: get-address+query-dns+check-utils
+Depends: bind9,
+         bind9-dnsutils,
+         dnsmasq,
+         dnsmasq-base,
+         dnsmasq-utils,
+Restrictions: needs-root,
+              allow-stderr,
+              isolation-container,
+
+Tests: get-address+query-dns+lua+alt
+Depends: bind9,
+         bind9-dnsutils,
+         dnsmasq,
+         dnsmasq-base-lua,
+Restrictions: needs-root,
+              allow-stderr,
+              isolation-container,
+
+Tests: get-address+query-dns+sysv+alt
+Depends: bind9,
+         bind9-dnsutils,
+         dnsmasq,
+         dnsmasq-base,
+Restrictions: needs-root,
+              allow-stderr,
+              isolation-container,

debian/tests/functions

@@ -0,0 +1,151 @@
+# -*- shell-script -*-
+
+FUNCTIONS_DIR="debian/tests/functions.d"
+
+match_or_exit () {
+	file_to_match="$1"
+	pattern_file="$2"
+
+	while read line_to_match <&3 && read pattern_line <&4 ; do
+		if [ "${line_to_match##$pattern_line}" ]; then
+			echo '!!! MISMATCH !!!' >&2
+			echo "Line:    ${line_to_match}" >&2
+			echo "Pattern: ${pattern_line}" >&2
+			exit 1
+		fi;
+	done 3<"${file_to_match}" 4<"${pattern_file}"
+}
+
+linecount () {
+	wc -l $1 | cut -d' ' -f1
+}
+
+error_exit () {
+	echo "ERROR: $1"
+	exit 1
+}
+
+stop_dnsmasq_bind_networking () {
+	systemctl stop dnsmasq.service
+	systemctl stop named.service
+	systemctl stop networking.service
+}
+
+configure_and_start_networking () {
+	#Add interfaces needed for the test
+	cat ${FUNCTIONS_DIR}/add-to.interfaces >> /etc/network/interfaces
+	systemctl start networking.service
+}
+
+configure_and_start_bind () {
+	cp ${FUNCTIONS_DIR}/db.autopkg.test /etc/bind/
+	cat ${FUNCTIONS_DIR}/add-to.named.conf.local >> /etc/bind/named.conf.local
+	cp ${FUNCTIONS_DIR}/named.conf.options /etc/bind/named.conf.options
+	systemctl start named.service
+}
+
+configure_and_start_dnsmasq () {
+	alt_mode=0
+	lua_mode=0
+	sysv_mode=0
+	service='dnsmasq.service'
+	sysv_param2=''
+	conf_dir='/etc/dnsmasq.d'
+
+	while [ -n "$1" ]; do
+		case "$1" in
+			alt|lua|sysv) eval ${1}_mode=1 ;;
+			*) error_exit "configure_and_start_dnsmasq(): invalid flag '$1'"
+		esac
+		shift
+	done
+
+	if [ ${alt_mode} -eq 1 ]; then
+		cp ${FUNCTIONS_DIR}/dnsmasq.alt-autopkgtest.default /etc/default/dnsmasq.alt
+		cp /etc/dnsmasq.conf /etc/dnsmasq.alt.conf
+		mkdir /etc/dnsmasq.alt.d
+		service='dnsmasq@alt.service'
+		sysv_param2='alt'
+		conf_dir='/etc/dnsmasq.alt.d'
+	fi
+
+	cp ${FUNCTIONS_DIR}/dnsmasq-autopkgtest.conf "${conf_dir}"
+
+	if [ ${lua_mode} -eq 1 ]; then
+		mkdir -p /usr/local/share/dnsmasq
+		cp ${FUNCTIONS_DIR}/log.lua /usr/local/share/dnsmasq/
+		echo "dhcp-luascript=/usr/local/share/dnsmasq/log.lua\n" \
+			>>"${conf_dir}"/dnsmasq-autopkgtest.conf
+	fi
+
+	if [ ${sysv_mode} -eq 1 ]; then
+		SYSTEMCTL_SKIP_REDIRECT=1 /etc/init.d/dnsmasq start "${sysv_param2}"
+	else
+		systemctl enable "${service}"
+		systemctl start "${service}"
+	fi
+}
+
+check_compile_time_options () {
+	journalctl -b -u dnsmasq
+	echo ~~~ Check compile time options...
+	journalctl -b -u dnsmasq -g '[a-z]+: ' --output cat >options.msg
+	cat options.msg
+	match_or_exit options.msg ${FUNCTIONS_DIR}/options${1}.patterns
+}
+
+get_address_on_veth1_and_check_the_result () {
+	echo ~~~ Get an address on veth1 and check the result...
+	ip netns exec clientnet ifup veth1
+	ip netns exec clientnet ip addr show dev veth1 >ip-addr.out 2>&1
+	cat ip-addr.out
+	match_or_exit ip-addr.out ${FUNCTIONS_DIR}/ip-addr.patterns
+}
+
+query_test_zone_records_and_check_the_result () {
+	echo ~~~ Query some test zone records and check the result...
+	ip netns exec clientnet dig +short SOA autopkg.test >dig.out 2>&1
+	ip netns exec clientnet dig +short NS autopkg.test >>dig.out 2>&1
+	ip netns exec clientnet dig +short A ns.autopkg.test >>dig.out 2>&1
+	ip netns exec clientnet dig +short A dhcp3.autopkg.test >>dig.out 2>&1
+	cat dig.out
+	if [ `linecount dig.out` -ne `linecount ${FUNCTIONS_DIR}/dig.patterns` ] ; then
+		error_exit 'empty or unexpected output'
+	fi
+	match_or_exit dig.out ${FUNCTIONS_DIR}/dig.patterns
+}
+
+check_utils () {
+	#Test dhcp_lease_time and dhcp_release
+	leases_file='/var/lib/misc/dnsmasq.leases'
+	client_ip_address=`cut -d' ' -f3 $leases_file`
+	client_mac_address=`cut -d' ' -f2 $leases_file`
+	echo ~~~ Test dhcp_lease_time...
+	if ! dhcp_lease_time $client_ip_address; then
+		error_exit "'dhcp_lease_time $client_ip_address' failed with return code $?"
+	else
+		#Add \n to dhcp_lease_time's output
+		echo ''
+	fi
+	echo ~~~ Test dhcp_release...
+	cat $leases_file
+	if ! dhcp_release veth0 $client_ip_address 1-$client_mac_address; then
+		error_exit "'dhcp_release veth0 $client_ip_address 1-$client_mac_address' failed with return code $?0"
+	fi
+	if [ -n "`cat $leases_file`" ]; then
+		cat $leases_file
+		error_exit "$leases_file is not empty"
+	fi
+}
+
+check_lua_log () {
+	log_file='/var/log/dnsmasq-lua.log'
+	echo ~~~ Check log file generated by lua script
+	ls -l ${log_file}
+	if [ -s ${log_file} ]; then
+		cat ${log_file}
+		match_or_exit ${log_file} ${FUNCTIONS_DIR}/log.patterns
+	else
+		error_exit "${log_file} is empty"
+	fi
+}

debian/tests/functions.d/add-to.interfaces

@@ -0,0 +1,18 @@
+
+auto dummy0
+iface dummy0 inet static
+    pre-up ip link add dummy0 type dummy
+    address 192.168.141.1
+    netmask 255.255.255.248
+    post-down ip link del dummy0
+
+auto veth0
+iface veth0 inet static
+    pre-up ip netns add clientnet
+    pre-up ip link add veth0 type veth peer veth1 netns clientnet
+    address 192.168.142.1
+    netmask 255.255.255.248
+    post-down ip link del veth0
+    post-down ip netns del clientnet
+
+iface veth1 inet dhcp

debian/tests/functions.d/add-to.named.conf.local

@@ -0,0 +1,2 @@
+zone "autopkg.test"      { type master; file "/etc/bind/db.autopkg.test"; };
+

debian/tests/functions.d/db.autopkg.test

@@ -0,0 +1,18 @@
+$TTL    604800
+@       IN      SOA     ns.autopkg.test. hostmaster.autopkg.test. (
+                              2         ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                            300 )       ; Negative Cache TTL
+;
+@	IN	NS	ns
+ns	IN	A	192.168.141.1
+host	IN	A	192.168.142.1
+dhcp0	IN	A	192.168.142.2
+dhcp1	IN	A	192.168.142.3
+dhcp2	IN	A	192.168.142.4
+dhcp3	IN	A	192.168.142.5
+dhcp4	IN	A	192.168.142.6
+brdcst	IN	A	192.168.142.7
+

debian/tests/functions.d/dig.patterns

@@ -0,0 +1,4 @@
+ns.autopkg.test. hostmaster.autopkg.test. 2 604800 86400 2419200 300
+ns.autopkg.test.
+192.168.141.1
+192.168.142.5

debian/tests/functions.d/dnsmasq-autopkgtest.conf

@@ -0,0 +1,6 @@
+no-resolv
+server=/autopkg.test/192.168.141.1
+listen-address=192.168.142.1,127.0.0.1
+bind-interfaces
+dhcp-range=192.168.142.2,192.168.142.6
+dhcp-authoritative

debian/tests/functions.d/dnsmasq.alt-autopkgtest.default

@@ -0,0 +1,42 @@
+# This file has six functions:
+# 1) to completely disable starting this dnsmasq instance
+# 2) to set DOMAIN_SUFFIX by running `dnsdomainname`
+# 3) to select an alternative config file
+#    by setting DNSMASQ_OPTS to --conf-file=<file>
+# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
+#    more configuration variables.
+# 5) to stop the resolvconf package from controlling dnsmasq's
+#    idea of which upstream nameservers to use.
+# 6) to avoid using this dnsmasq instance as the system's default resolver
+#    by setting DNSMASQ_EXCEPT="lo"
+# For upgraders from very old versions, all the shell variables set
+# here in previous versions are still honored by the init script
+# so if you just keep your old version of this file nothing will break.
+
+#DOMAIN_SUFFIX=`dnsdomainname`
+DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt.conf"
+
+# The dnsmasq daemon is run by default conforming to the Debian Policy.
+# To disable the service,
+# for SYSV init, use "update-rc.d dnsmasq disable",
+# for systemd, use "systemctl disable dnsmasq".
+
+# By default search this drop directory for configuration options.
+# Libvirt leaves a file here to make the system dnsmasq play nice.
+# Comment out this line if you don't want this. The dpkg-* are file
+# endings which cause dnsmasq to skip that file. This avoids pulling
+# in backups made by dpkg.
+CONFIG_DIR=/etc/dnsmasq.alt.d,.dpkg-dist,.dpkg-old,.dpkg-new
+
+# If the resolvconf package is installed, dnsmasq will use its output
+# rather than the contents of /etc/resolv.conf to find upstream
+# nameservers. Uncommenting this line inhibits this behaviour.
+# Note that including a "resolv-file=<filename>" line in
+# /etc/dnsmasq.conf is not enough to override resolvconf if it is
+# installed: the line below must be uncommented.
+#IGNORE_RESOLVCONF=yes
+
+# If the resolvconf package is installed, dnsmasq will tell resolvconf
+# to use dnsmasq under 127.0.0.1 as the system's default resolver.
+# Uncommenting this line inhibits this behaviour.
+#DNSMASQ_EXCEPT="lo"

debian/tests/functions.d/ip-addr.patterns

@@ -0,0 +1,6 @@
+?: veth1@if?: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
+    link/ether ??:??:??:??:??:?? brd ff:ff:ff:ff:ff:ff link-netnsid 0
+    inet 192.168.142.?/29 brd 192.168.142.7 scope global dynamic veth1
+       valid_lft 3[56][0-9][0-9]sec preferred_lft 3[56][0-9][0-9]sec
+    inet6 fe80::*:*:*:*/64 scope link*
+       valid_lft forever preferred_lft forever

debian/tests/functions.d/log.lua

@@ -0,0 +1,40 @@
+-- Lua script logging calls from dnsmasq
+
+-- Open the log file in append mode 
+logfile = assert(io.open("/var/log/dnsmasq-lua.log", "a"))
+
+-- Prepend date and time to a string and write the result to the log file
+function __log(str)
+	logfile:write(os.date("!%FT%TZ ")..str.."\n")
+end
+
+-- flush the log file
+function __flush_log()
+	logfile:flush()
+end
+
+-- Log a call to init()
+function init()
+	__log("initialising")
+	__flush_log()
+end
+
+-- Log a call to shutdown()
+function shutdown()
+	__log("shutting down")
+	__flush_log()
+end
+
+-- Log a call to lease() including all arguments
+function lease(operation, params)
+	local lines = {}
+	__log(operation.." lease")
+	for key,value in pairs(params) do
+		table.insert(lines, key..": "..value)
+	end
+	table.sort(lines)
+	for index,line in ipairs(lines) do
+		__log("\t"..line)
+	end
+	__flush_log()
+end

debian/tests/functions.d/log.patterns

@@ -0,0 +1,10 @@
+????-??-??T??:??:??Z initialising
+????-??-??T??:??:??Z add lease
+????-??-??T??:??:??Z 	client_id: ??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??:??
+????-??-??T??:??:??Z 	data_missing: 1.0
+????-??-??T??:??:??Z 	hostname: ?*
+????-??-??T??:??:??Z 	interface: veth0
+????-??-??T??:??:??Z 	ip_address: 192.168.142.[2-6]
+????-??-??T??:??:??Z 	lease_expires: [1-9]*
+????-??-??T??:??:??Z 	mac_address: ??:??:??:??:??:??
+????-??-??T??:??:??Z 	time_remaining: 3600.0

debian/tests/functions.d/named.conf.options

@@ -0,0 +1,6 @@
+options {
+        directory "/var/cache/bind";
+        listen-on { 192.168.141.1; };
+        recursion no;
+};
+

debian/tests/functions.d/options+lua.patterns

@@ -0,0 +1 @@
+*: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile

debian/tests/functions.d/options.patterns

@@ -0,0 +1 @@
+*: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile

debian/tests/get-address+query-dns+check-utils

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+. debian/tests/functions
+
+stop_dnsmasq_bind_networking
+configure_and_start_networking
+configure_and_start_bind
+configure_and_start_dnsmasq
+
+get_address_on_veth1_and_check_the_result
+
+query_test_zone_records_and_check_the_result
+
+check_utils
+
+#Done
+echo Looks good.

debian/tests/get-address+query-dns+lua+alt

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+. debian/tests/functions
+
+stop_dnsmasq_bind_networking
+configure_and_start_networking
+configure_and_start_bind
+configure_and_start_dnsmasq lua alt
+
+get_address_on_veth1_and_check_the_result
+
+query_test_zone_records_and_check_the_result
+
+check_lua_log
+
+#Done
+echo Looks good.

debian/tests/get-address+query-dns+sysv+alt

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+. debian/tests/functions
+
+stop_dnsmasq_bind_networking
+configure_and_start_networking
+configure_and_start_bind
+configure_and_start_dnsmasq sysv alt
+
+get_address_on_veth1_and_check_the_result
+
+query_test_zone_records_and_check_the_result
+
+#Done
+echo Looks good.
+SYSTEMCTL_SKIP_REDIRECT=1 /etc/init.d/dnsmasq stop alt

debian/upstream/metadata

@@ -0,0 +1,9 @@
+Cite-As: dnsmasq
+Contact: simon@thekelleys.org.uk
+Security-Contact: https://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
+Repository: https://thekelleys.org.uk/git/dnsmasq.git
+Repository-Browse: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=summary
+Changelog: https://thekelleys.org.uk/dnsmasq/CHANGELOG
+Documentation: https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
+FAQ: https://thekelleys.org.uk/dnsmasq/docs/FAQ
+Bug-Submit: https://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

debian/upstream/signing-key.asc

@@ -0,0 +1,63 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFMbjUMBEACsU1Xk8+uu/EsGVJTh9Tn31C2e0ycd0voBVT7cTdtXpzeiNR+o
+/zUAi95ds7FiecpZJp1nRO4vNzvaaAPZhFsFVLzZYyIVABgTXsskT88xbZvzb4W5
+KKRWVhoTQxVDgj1+dXLUXULTB6rg02WEhqnix/qf/zFdM9I4/3pRHJn9k+3XKygR
+on+nYtljfn3AKBelCo1y28istC6wCncoH11b/qdQtlfxVXaJY4HF27V0MqFFmDMg
+cuhOHR7DnhymeDh7GmLfTHJ4LUFG+TecqCjiYhyWcuv2wuSb0EPXUKHJQVViQ8qg
+KyPm1ly6uFP0CYdVavO7/oJwKFBIChECrj7BQ4GsImMHeuSzfWno7qy6Fxoxx2+g
+0F9cdXWvcxFDGPQsL5vXp8KYNwBrzmijRzQ2ZAnrbG+ilFCkJCbxXcrhzpd4tKwE
+0dgcyPL1Ma/lrznhL4ZuOzjVMgLNne7WiPpBNRqI1GoT0pUn6as4pU3En8B+K7zy
+MLVfHvI1+iH45fP5bZwYSbXCa85v4+xqljYrzs9giaROEsXe/tsXvuc6JPCcmJXk
+CUO3c3QVxqDFt9OYuTHIR8hqehDPLgFgzKqVuoAwMkhTf/zZNGlsy4jvKXQNcZ50
+uD4mWO3e+gykNW/OH+88IoCR0rgjQ6trMLOceZFnrtvxwRL//lMndGCTYQARAQAB
+tB1TaW1vbiBLZWxsZXkgPHNya0BkZWJpYW4ub3JnPokCNwQTAQgAIQUCUyDDdAIb
+AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRAVzdpq4ZE1oqFGD/9LkbZFigc1
+jbZ5zIbmGkGvfniWp1mJhEcpgKNfb2MMiu1lKULccIvfVyIY5WDrrpoPnHLnhYA9
+OXHcwVADGBayoVOQgIePrMV0V24uYjUh9+9zGRwQrCLo0rl/l07GKH0S1dxDUeyh
+JRYZGYEqW2+3XDJqIbfsDzSmPNCyjVvqSvkkt0YyuNbH0+cVEoJ1Q2HmfEhvgd4L
+lHZDyhMVqKlKmlnCa8DmhwK+EyzJgLKITqjxBO3NOqPmYZlp8irLXyHAH1sDafaB
+wRjV9cNX2TLTwn3wDdUmoAwMz1jopi/61A0kEglENYaa+NH/UnqfWOo7riXuZNwG
+VP/F/KlMV+JdXMY34fcSIQMWk9cpxzhpuOJjwhoK7g/yq8q9578QXv4VR6ndH+Le
+HDRrm2Ftnih/Ut8unqqDteMJnd3YxSK3Ep78WgVBL9y2Qo3CyKY6VSXlshWZokwy
+rwVS8uLqIGAUzLwsKTYi1nmsDb7mQZqUbPBxYN2mrroD7Pr1/XAV8oNxw6l84nzf
+zObEKvNZLFtWctNpFJXhWhtm/AeQBdkYKcMyTrwQt9Q0XMYKUGE05U+oAdtTvgCR
+JLltqzmt5yMpTPncNmXVoA5YvEVdCU6/Gxpn3Aea8ckBmIqxxQY1QFdEr2nvxPNA
+SbkvHDNDr9XUlKQDqjherurKBIBEiKCMnLQmU2ltb24gS2VsbGV5IDxzaW1vbkB0
+aGVrZWxsZXlzLm9yZy51az6JAjoEEwEIACQCGwMFCwkIBwMFFQoJCAsFFgIDAQAC
+HgECF4AFAlMgw44CGQEACgkQFc3aauGRNaLaZg/+PR41J3P7omGv6XD+TiAXfJQo
+R5RfzQoeLNUQEnir/XBulg45203cYHEurchEhSTn2f4WVtFgxJrgId7XGYdf8oIZ
+IjBd82fpwdMwhbfcv/6iqzWL0+2vaPmBqE7iwDTatI888q5TyXppGe8L5/VjX0aB
+vmVIPyEE9BFQas+vv5byUkU542FxPApGsv0W0P1pKabLl0F7ItPFPuaD0+K1kwBr
+WbuGhBKMV9jGHB4qdX/21FBczgAf3J9yJ22vm6orCwwhptxde+DSn7vqZNjDtHGr
+kUWDzKAQBy1g4BmTl6IoVgYKZXAVBGMtYUjS+80VV+QE9meVqmtX1aJJEnf0/BRd
+v9CeD46hZArwXwi/AWFs300pEfzwcC+9T5xc3jlSdYdWxeQDV7XwK2VCOhxjFqTm
++ehP2Gh14Wfpc34jN9jMJ3OowxzN5iZxGYzkHLFhM+0IKEeWEjxRWOoJgV5PmNvG
+7IBbzt8O9xo550h7JmXZVsfSpkFpzJPy0Puz1JeyH/niCeDwKkhEHXQTk/4O+EOD
+RxruJbwIYGeO2lNfPn2Hcb1aHvSclx7GGOYDzI4jN0UcYroJpvHZU+0X2ClpCTAW
+5IshgHkOkdUQ1c7S+5zPTeLbW+pxTlbWClA0NYMbSn68//i/DMstyBEwtTWYJLmg
+5V3HWzRd/6BwKZfDSuu5Ag0EUyDDoQEQAMfQfa2tw3+OJFGMQEzLJSoXYN8/HnZE
+gKNlcMuYzhheQLgu/MfcQJ7mnCIdn6xdPaalfLmYx63tM47/NGEM1+MSEvovPiRG
+0OLxzSgwei9DiGeNEgsPTLXSZ5EVSXCM1+e9mT1ExT9aGLNnpCd6kIyWIcKCVMot
++XC70R9prWLeyKSh0FAZ0Pwv9i23osJVGOtJjND+WZ0uCeN29ocfN0b64yF4nPRc
+9IbcmYIDgNU3RybK2Z/dupbthTisRjHRI3iX3/tiymXF3J0sSvsCluWIJWmyltS3
+Xyk/wfKVJz6OouiJjTj5utXVnCGptCDw+DCcj89vx1N0+0Dhm1cQcNZvXjMbVDTs
+uU+eVpJbxU6y8N+nXpAXjEw4jMi3zNpqKtkyv2YpoqY5HhGLybgrY0zwSQOyMNf9
+lZ5J7znq5gEmiMXnG9OPEw7PPSvm6QfbHPY/jAOgxsu7Fme7k303D5KkyGkkbzQi
+YyEtMZvbOMH/uECi2uHGB72qiGpEYjMtHhihaRCBl+0bY8sH83He690qNQHSdStj
+aKXcecduE/v5iO0mOYIHdsEHhKlWsE1GXXVLofBr68UBhYV6/AGXko4Pr+dXLzau
+N4kALDx6WltFu3qUvoD+uEoLq7IXULMo5Pyd7bO4qGQMKykaXTb5o6dqdu4GzWIU
+w1fr9kLEmo29ABEBAAGJAh8EGAEIAAkFAlMgw6ECGwwACgkQFc3aauGRNaIjqA/+
+PXuaM6JHuudLycmB0iKAwyB5csOFGpF3b9FgMR68TC4jzi5J5hJZASl0cO/e0ytQ
+srDUBbH74y+WaA4ldwBVYr0j/2hqzIjrnGMtgWeHFPLV3sKw8DGuNx1/cOoljJXz
+i1WWSHIwDvaj3uZ9CwHt+4/abR7kdvMcnFhQVA4zuzZWFqpp+CDkkJNVwB9zxtAQ
+wGTGF4cQ0IvTkhCo6DQhZZVTeyn+nBKxzzWijniWc0LyRsum03MxZ6E7UVIInCTj
+dXTalnO8wColwIx5FV4nTMxdsKKgnIXmLexBdd03bW9TkowWf2C2XfDN+pDS8X3M
+zO6zAyogqJhAiBFjnRzkOw0cw1VTL00o8uiWdMeu7OKOKeQbUilMAn4MweKB57mc
+582kjeGmwdZgWFA4BJ2eiH7HwjxiynwMdZwQEBdOTNLbggHk3/mScF8U1KcJhjAF
+f7Ne+Z0feG/8GgKl5aj3ucl821+dfpzB79lLo+kmd1qkDyDiUR5yN6P8l8k6IAUJ
+z2KUe0BjtO6VFFw0xni05dkrXdfo7IO79ictHmEn+g3QO8ZLUGRwdtZ1cMhTkm7F
+hH8Bdby0y4SoqluvHbri++cC91i1I3a92kHi/8O45rnLhVt+sOfxY1QnSIYh5OFw
+GMqMCNDTEL7ESiFaFhSXkmzzVntlyvOBMlgz3IGh2hA=
+=otES
+-----END PGP PUBLIC KEY BLOCK-----

debian/watch

@@ -0,0 +1,5 @@
+version=4
+opts=\
+pgpmode=auto \
+https://thekelleys.org.uk/dnsmasq/ \
+dnsmasq-([\d.]+)@ARCHIVE_EXT@

dnsmasq.conf.example

@@ -394,7 +394,7 @@
 
 # The following DHCP options set up dnsmasq in the same way as is specified
 # for the ISC dhcpcd in
-# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
+# https://web.archive.org/web/20040313070105/http://us1.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
 # adapted for a typical dnsmasq installation where the host running
 # dnsmasq is also the host running samba.
 # you may want to uncomment some or all of them if you use
@@ -664,7 +664,7 @@
 # Provide an alias for a "local" DNS name. Note that this _only_ works
 # for targets which are names from DHCP or /etc/hosts. Give host
 # "bert" another name, bertrand
-#cname=bertand,bert
+#cname=bertrand,bert
 
 # For debugging purposes, log each DNS query as it passes through
 # dnsmasq.

man/dnsmasq.8

@@ -183,7 +183,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
 .TP
 .B \-P, --edns-packet-max=<size>
 Specify the largest EDNS.0 UDP packet which is supported by the DNS
-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
+forwarder. Defaults to 1232, which is the recommended size following the
+DNS flag day in 2020. Only increase if you know what you are doing.
 .TP
 .B \-Q, --query-port=<query_port>
 Send outbound DNS queries from, and listen for their replies on, the
@@ -269,16 +270,25 @@ the address dnsmasq is listening on. When an interface is specified,
 it may be qualified with "/4" or "/6" to specify only the IPv4 or IPv6
 addresses associated with the interface. Since any defined authoritative zones are also available as part of the normal recusive DNS service supplied by dnsmasq, it can make sense to have an --auth-server declaration with no interfaces or address, but simply specifying the primary external nameserver.
 .TP
-.B --local-service
+.B --local-service[=net|host]
+Without parameter or with net parameter, restricts service to connected network.
 Accept DNS queries only from hosts whose address is on a local subnet,
-ie a subnet for which an interface exists on the server. This option
+ie a subnet for which an interface exists on the server. With host parameter, listens
+only on lo interface and accepts queries from localhost only. This option
 only has effect if there are no \fB--interface\fP, \fB--except-interface\fP,
 \fB--listen-address\fP or \fB--auth-server\fP options. It is intended to be set as
 a default on installation, to allow unconfigured installations to be
 useful but also safe from being used for DNS amplification attacks.
-.TP 
+.TP
 .B \-2, --no-dhcp-interface=<interface name>
-Do not provide DHCP or TFTP on the specified interface, but do provide DNS service.
+Do not provide DHCP, TFTP or router advertisement on the specified interface, but do provide DNS service.
+.TP
+.B --no-dhcpv4-interface=<interface name>
+Disable only IPv4 DHCP on the specified interface.
+.TP
+.B 
+--no-dhcpv6-interface=<interface name>
+Disable IPv6 DHCP and router advertisement on the specified interface.
 .TP
 .B \-a, --listen-address=<ipaddr>
 Listen on the given IP address(es). Both 
@@ -375,6 +385,16 @@ Remove A records from answers. No IPv4 addresses will be returned.
 .B --filter-AAAA
 Remove AAAA records from answers. No IPv6 addresses will be returned.
 .TP
+.B --filter-rr=<rrtype>[,<rrtype>...]
+Remove records of the specified type(s) from answers.
+.TP
+.B --cache-rr=<rrtype>[,<rrtype>...]
+By default, dnsmasq caches A, AAAA, CNAME and SRV DNS record types.
+This option adds other record types to the cache. The RR-type can be given
+as a name such as TXT or MX or a decimal number. A single --cache-rr option
+can take a comma-separated list of RR-types and more than one --cache-rr option
+is allowed. Use --cache-rr=ANY to enable caching for all RR-types.
+.TP
 .B \-r, --resolv-file=<file>
 Read the IP addresses of the upstream nameservers from <file>, instead of
 /etc/resolv.conf. For the format of this file see
@@ -1297,7 +1317,15 @@ and to set the time-server address to 192.168.0.4, do
 or 
 .B --dhcp-option = option:ntp-server, 192.168.0.4
 The special address 0.0.0.0 is taken to mean "the address of the
-machine running dnsmasq". 
+machine running dnsmasq".
+
+An option without data is valid, and includes just the option without data.
+(There is only one option with a zero length data field currently defined for DHCPv4, 80:rapid commit, so this feature is not very useful in practice). Options for which dnsmasq normally
+provides default values can be ommitted by defining the option with no data. These are
+netmask, broadcast, router, DNS server, domainname and hostname. Thus, for DHCPv4
+.B --dhcp-option = option:router
+will result in no router option being sent, rather than the default of the host on which dnsmasq is running. For DHCPv6, the same is true of the options DNS server and refresh time.
+
 
 Data types allowed are comma separated
 dotted-quad IPv4 addresses, []-wrapped IPv6 addresses, a decimal number, colon-separated hex digits
@@ -2215,6 +2243,24 @@ exit 0
 
 and /share/ads-domains.gz containing a compressed
 list of ad server domains will save disk space with large ad-server blocklists.
+.TP
+.B --no-ident
+Do not respond to class CHAOS and type TXT in domain bind queries.
+
+Without this option being set, the cache statistics are also available in the
+DNS as answers to queries of class CHAOS and type TXT in domain bind. The domain
+names are cachesize.bind, insertions.bind, evictions.bind, misses.bind,
+hits.bind, auth.bind and servers.bind unless disabled at compile-time. An
+example command to query this, using the
+.B dig
+utility would be
+
+dig +short chaos txt cachesize.bind
+.TP
+.B --max-tcp-connections=<number>
+The maximum number of concurrent TCP connections. The application forks to
+handle each TCP request. The default maximum is 20.
+
 .SH CONFIG FILE
 At startup, dnsmasq reads
 .I /etc/dnsmasq.conf,
@@ -2259,20 +2305,11 @@ they expired in order to make room for new names and the total number
 of names that have been inserted into the cache. The number of cache hits and 
 misses and the number of authoritative queries answered are also given. For each upstream
 server it gives the number of queries sent, and the number which
-resulted in an error. In 
+resulted in an error. It also gives information on the number of forks for TCP connections. In
 .B --no-daemon
 mode or when full logging is enabled (\fB--log-queries\fP), a complete dump of the
 contents of the cache is made. 
 
-The cache statistics are also available in the DNS as answers to 
-queries of class CHAOS and type TXT in domain bind. The domain names are cachesize.bind, insertions.bind, evictions.bind, 
-misses.bind, hits.bind, auth.bind and servers.bind. An example command to query this, using the 
-.B dig
-utility would be
-
-dig +short chaos txt cachesize.bind
-
-.PP 
 When it receives SIGUSR2 and it is logging direct to a file (see
 .B --log-facility
 ) 

src/arp.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/auth.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/blockdata.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -19,7 +19,7 @@
 static struct blockdata *keyblock_free;
 static unsigned int blockdata_count, blockdata_hwm, blockdata_alloced;
 
-static void blockdata_expand(int n)
+static void add_blocks(int n)
 {
   struct blockdata *new = whine_malloc(n * sizeof(struct blockdata));
   
@@ -47,7 +47,7 @@ void blockdata_init(void)
 
   /* Note that daemon->cachesize is enforced to have non-zero size if OPT_DNSSEC_VALID is set */  
   if (option_bool(OPT_DNSSEC_VALID))
-    blockdata_expand(daemon->cachesize);
+    add_blocks(daemon->cachesize);
 }
 
 void blockdata_report(void)
@@ -58,50 +58,61 @@ void blockdata_report(void)
 	    blockdata_alloced * sizeof(struct blockdata));
 } 
 
+static struct blockdata *new_block(void)
+{
+  struct blockdata *block;
+
+  if (!keyblock_free)
+    add_blocks(50);
+  
+  if (keyblock_free)
+    {
+      block = keyblock_free;
+      keyblock_free = block->next;
+      blockdata_count++;
+      if (blockdata_hwm < blockdata_count)
+	blockdata_hwm = blockdata_count;
+      block->next = NULL;
+      return block;
+    }
+  
+  return NULL;
+}
+
 static struct blockdata *blockdata_alloc_real(int fd, char *data, size_t len)
 {
   struct blockdata *block, *ret = NULL;
   struct blockdata **prev = &ret;
   size_t blen;
 
-  while (len > 0)
+  do
     {
-      if (!keyblock_free)
-	blockdata_expand(50);
-      
-      if (keyblock_free)
-	{
-	  block = keyblock_free;
-	  keyblock_free = block->next;
-	  blockdata_count++; 
-	}
-      else
+      if (!(block = new_block()))
 	{
 	  /* failed to alloc, free partial chain */
 	  blockdata_free(ret);
 	  return NULL;
 	}
-       
-      if (blockdata_hwm < blockdata_count)
-	blockdata_hwm = blockdata_count; 
+
+      if ((blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len) > 0)
+	{
+	  if (data)
+	    {
+	      memcpy(block->key, data, blen);
+	      data += blen;
+	    }
+	  else if (!read_write(fd, block->key, blen, 1))
+	    {
+	      /* failed read free partial chain */
+	      blockdata_free(ret);
+	      return NULL;
+	    }
+	}
       
-      blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len;
-      if (data)
-	{
-	  memcpy(block->key, data, blen);
-	  data += blen;
-	}
-      else if (!read_write(fd, block->key, blen, 1))
-	{
-	  /* failed read free partial chain */
-	  blockdata_free(ret);
-	  return NULL;
-	}
       len -= blen;
       *prev = block;
       prev = &block->next;
-      block->next = NULL;
-    }
+    } while (len != 0);
   
   return ret;
 }
@@ -111,6 +122,58 @@ struct blockdata *blockdata_alloc(char *data, size_t len)
   return blockdata_alloc_real(0, data, len);
 }
 
+/* Add data to the end of the block. 
+   newlen is length of new data, NOT total new length. 
+   Use blockdata_alloc(NULL, 0) to make empty block to add to. */
+int blockdata_expand(struct blockdata *block, size_t oldlen, char *data, size_t newlen)
+{
+  struct blockdata *b;
+  
+  /* find size of current final block */
+  for (b = block; oldlen > KEYBLOCK_LEN && b;  b = b->next, oldlen -= KEYBLOCK_LEN);
+
+  /* chain to short for length, something is broken */
+  if (oldlen > KEYBLOCK_LEN)
+    {
+      blockdata_free(block);
+      return 0;
+    }
+
+  while (1)
+    {
+      struct blockdata *new;
+      size_t blocksize = KEYBLOCK_LEN - oldlen;
+      size_t size = (newlen <= blocksize) ? newlen : blocksize;
+      
+      if (size != 0)
+	{
+	  memcpy(&b->key[oldlen], data, size);
+	  data += size;
+	  newlen -= size;
+	}
+      
+      /* full blocks from now on. */
+      oldlen = 0;
+
+      if (newlen == 0)
+	break;
+
+      if ((new = new_block()))
+	{
+	  b->next = new;
+	  b = new;
+	}
+      else
+	{
+	  /* failed to alloc, free partial chain */
+	  blockdata_free(block);
+	  return 0;
+	}
+    }
+
+  return 1;
+}
+
 void blockdata_free(struct blockdata *blocks)
 {
   struct blockdata *tmp;

src/bpf.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/cache.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -28,6 +28,8 @@ static int bignames_left, hash_size;
 static void make_non_terminals(struct crec *source);
 static struct crec *really_insert(char *name, union all_addr *addr, unsigned short class,
 				  time_t now,  unsigned long ttl, unsigned int flags);
+static void dump_cache_entry(struct crec *cache, time_t now);
+static char *querystr(char *desc, unsigned short type);
 
 /* type->string mapping: this is also used by the name-hash function as a mixing table. */
 /* taken from https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml */
@@ -122,6 +124,7 @@ static const struct {
   { 258, "AVC" }, /* Application Visibility and Control [Wolfgang_Riedel] AVC/avc-completed-template 2016-02-26*/
   { 259, "DOA" }, /* Digital Object Architecture [draft-durand-doa-over-dns] DOA/doa-completed-template 2017-08-30*/
   { 260, "AMTRELAY" }, /* Automatic Multicast Tunneling Relay [RFC8777] AMTRELAY/amtrelay-completed-template 2019-02-06*/
+  { 261, "RESINFO" }, /* Resolver Information as Key/Value Pairs https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/06/ */
   { 32768,  "TA" }, /* DNSSEC Trust Authorities [Sam_Weiler][http://cameo.library.cmu.edu/][ Deploying DNSSEC Without a Signed Root. Technical Report 1999-19, Information Networking Institute, Carnegie Mellon University, April 2004.] 2005-12-13*/
   { 32769,  "DLV" }, /* DNSSEC Lookaside Validation (OBSOLETE) [RFC8749][RFC4431] */
 };
@@ -132,6 +135,17 @@ static void cache_link(struct crec *crecp);
 static void rehash(int size);
 static void cache_hash(struct crec *crecp);
 
+unsigned short rrtype(char *in)
+{
+  unsigned int i;
+  
+  for (i = 0; i < (sizeof(typestr)/sizeof(typestr[0])); i++)
+    if (strcasecmp(in, typestr[i].name) == 0)
+      return typestr[i].type;
+
+  return 0;
+}
+
 void next_uid(struct crec *crecp)
 {
   static unsigned int uid = 0;
@@ -235,19 +249,23 @@ static void cache_hash(struct crec *crecp)
 
   char *name = cache_get_name(crecp);
   struct crec **up = hash_bucket(name);
-
-  if (!(crecp->flags & F_REVERSE))
+  unsigned int flags = crecp->flags & (F_IMMORTAL | F_REVERSE);
+  
+  if (!(flags & F_REVERSE))
     {
       while (*up && ((*up)->flags & F_REVERSE))
 	up = &((*up)->hash_next); 
       
-      if (crecp->flags & F_IMMORTAL)
+      if (flags & F_IMMORTAL)
 	while (*up && !((*up)->flags & F_IMMORTAL))
 	  up = &((*up)->hash_next);
     }
 
-  /* Preserve order when inserting the same name multiple times. */
-  while (*up && hostname_isequal(cache_get_name(*up), name))
+  /* Preserve order when inserting the same name multiple times.
+     Do not mess up the flag invariants. */
+  while (*up &&
+	 hostname_isequal(cache_get_name(*up), name) &&
+	 flags == ((*up)->flags & (F_IMMORTAL | F_REVERSE)))
     up = &((*up)->hash_next);
   
   crecp->hash_next = *up;
@@ -258,8 +276,8 @@ static void cache_blockdata_free(struct crec *crecp)
 {
   if (!(crecp->flags & F_NEG))
     {
-      if (crecp->flags & F_SRV)
-	blockdata_free(crecp->addr.srv.target);
+      if ((crecp->flags & F_RR) && (crecp->flags & F_KEYTAG))
+	blockdata_free(crecp->addr.rrblock.rrdata);
 #ifdef HAVE_DNSSEC
       else if (crecp->flags & F_DNSKEY)
 	blockdata_free(crecp->addr.key.keydata);
@@ -407,18 +425,21 @@ unsigned int cache_remove_uid(const unsigned int uid)
 {
   int i;
   unsigned int removed = 0;
-  struct crec *crecp, **up;
+  struct crec *crecp, *tmp, **up;
 
   for (i = 0; i < hash_size; i++)
-    for (crecp = hash_table[i], up = &hash_table[i]; crecp; crecp = crecp->hash_next)
-      if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && crecp->uid == uid)
-	{
-	  *up = crecp->hash_next;
-	  free(crecp);
-	  removed++;
-	}
-      else
-	up = &crecp->hash_next;
+    for (crecp = hash_table[i], up = &hash_table[i]; crecp; crecp = tmp)
+      {
+	tmp = crecp->hash_next;
+	if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && crecp->uid == uid)
+	  {
+	    *up = tmp;
+	    free(crecp);
+	    removed++;
+	  }
+	else
+	  up = &crecp->hash_next;
+      }
   
   return removed;
 }
@@ -452,9 +473,20 @@ static struct crec *cache_scan_free(char *name, union all_addr *addr, unsigned s
 	{
 	  if ((crecp->flags & F_FORWARD) && hostname_isequal(cache_get_name(crecp), name))
 	    {
+	      int rrmatch = 0;
+	      if (crecp->flags & flags & F_RR)
+		{
+		  unsigned short rrc = (crecp->flags & F_KEYTAG) ? crecp->addr.rrblock.rrtype : crecp->addr.rrdata.rrtype;
+		  unsigned short rra = (flags & F_KEYTAG) ? addr->rrblock.rrtype : addr->rrdata.rrtype;
+
+		  if (rrc == rra)
+		    rrmatch = 1;
+		}
+
 	      /* Don't delete DNSSEC in favour of a CNAME, they can co-exist */
-	      if ((flags & crecp->flags & (F_IPV4 | F_IPV6 | F_SRV | F_NXDOMAIN)) || 
-		  (((crecp->flags | flags) & F_CNAME) && !(crecp->flags & (F_DNSKEY | F_DS))))
+	      if ((flags & crecp->flags & (F_IPV4 | F_IPV6 | F_NXDOMAIN)) || 
+		  (((crecp->flags | flags) & F_CNAME) && !(crecp->flags & (F_DNSKEY | F_DS))) ||
+		  rrmatch)
 		{
 		  if (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG))
 		    return crecp;
@@ -594,15 +626,15 @@ static struct crec *really_insert(char *name, union all_addr *addr, unsigned sho
   struct crec *new, *target_crec = NULL;
   union bigname *big_name = NULL;
   int freed_all = (flags & F_REVERSE);
-  int free_avail = 0;
+  struct crec *free_avail = NULL;
   unsigned int target_uid;
   
   /* if previous insertion failed give up now. */
   if (insert_error)
     return NULL;
 
-  /* we don't cache zero-TTL records. */
-  if (ttl == 0)
+  /* we don't cache zero-TTL records unless we're doing stale-caching. */
+  if (daemon->cache_max_expiry == 0 && ttl == 0)
     {
       insert_error = 1;
       return NULL;
@@ -642,7 +674,7 @@ static struct crec *really_insert(char *name, union all_addr *addr, unsigned sho
       
       /* Free entry at end of LRU list, use it. */
       if (!(new->flags & (F_FORWARD | F_REVERSE)))
-	break;
+	break; 
 
       /* End of LRU list is still in use: if we didn't scan all the hash
 	 chains for expired entries do that now. If we already tried that
@@ -654,12 +686,9 @@ static struct crec *really_insert(char *name, union all_addr *addr, unsigned sho
 	 insert. Once in this state, all inserts will probably fail. */
       if (free_avail)
 	{
-	  static int warned = 0;
-	  if (!warned)
-	    {
-	      my_syslog(LOG_ERR, _("Internal error in cache."));
-	      warned = 1;
-	    }
+	  my_syslog(LOG_ERR, _("Internal error in cache."));
+	  /* Log the entry we tried to delete. */
+	  dump_cache_entry(free_avail, now);
 	  insert_error = 1;
 	  return NULL;
 	}
@@ -667,13 +696,13 @@ static struct crec *really_insert(char *name, union all_addr *addr, unsigned sho
       if (freed_all)
 	{
 	  /* For DNSSEC records, uid holds class. */
-	  free_avail = 1; /* Must be free space now. */
+	  free_avail = new; /* Must be free space now. */
 	  
 	  /* condition valid when stale-caching */
 	  if (difftime(now, new->ttd) < 0)
 	    daemon->metrics[METRIC_DNS_CACHE_LIVE_FREED]++;
 	  
-	  cache_scan_free(cache_get_name(new), &new->addr, new->uid, now, new->flags, NULL, NULL);
+	  cache_scan_free(cache_get_name(new), &new->addr, new->uid, now, new->flags, NULL, NULL); 
 	}
       else
 	{
@@ -774,28 +803,31 @@ void cache_end_insert(void)
 	      read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->ttd, sizeof(new_chain->ttd), 0);
 	      read_write(daemon->pipe_to_parent, (unsigned  char *)&flags, sizeof(flags), 0);
 
-	      if (flags & (F_IPV4 | F_IPV6 | F_DNSKEY | F_DS | F_SRV))
-		read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr, sizeof(new_chain->addr), 0);
-	      if (flags & F_SRV)
+	      if (flags & (F_IPV4 | F_IPV6 | F_DNSKEY | F_DS | F_RR))
 		{
-		  /* A negative SRV entry is possible and has no data, obviously. */
-		  if (!(flags & F_NEG))
-		    blockdata_write(new_chain->addr.srv.target, new_chain->addr.srv.targetlen, daemon->pipe_to_parent);
-		}
+		  read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr, sizeof(new_chain->addr), 0);
+
+		  if (flags & F_RR)
+		    {
+		      /* A negative RR entry is possible and has no data, obviously. */
+		      if (!(flags & F_NEG) && (flags & F_KEYTAG))
+			blockdata_write(new_chain->addr.rrblock.rrdata, new_chain->addr.rrblock.datalen, daemon->pipe_to_parent);
+		    }
 #ifdef HAVE_DNSSEC
-	      if (flags & F_DNSKEY)
-		{
-		  read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), 0);
-		  blockdata_write(new_chain->addr.key.keydata, new_chain->addr.key.keylen, daemon->pipe_to_parent);
-		}
-	      else if (flags & F_DS)
-		{
-		  read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), 0);
-		  /* A negative DS entry is possible and has no data, obviously. */
-		  if (!(flags & F_NEG))
-		    blockdata_write(new_chain->addr.ds.keydata, new_chain->addr.ds.keylen, daemon->pipe_to_parent);
-		}
+		  if (flags & F_DNSKEY)
+		    {
+		      read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), 0);
+		      blockdata_write(new_chain->addr.key.keydata, new_chain->addr.key.keylen, daemon->pipe_to_parent);
+		    }
+		  else if (flags & F_DS)
+		    {
+		      read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), 0);
+		      /* A negative DS entry is possible and has no data, obviously. */
+		      if (!(flags & F_NEG))
+			blockdata_write(new_chain->addr.ds.keydata, new_chain->addr.ds.keylen, daemon->pipe_to_parent);
+		    }
 #endif
+		}
 	    }
 	}
       
@@ -846,34 +878,7 @@ int cache_recv_insert(time_t now, int fd)
 
       ttl = difftime(ttd, now);
       
-      if (flags & (F_IPV4 | F_IPV6 | F_DNSKEY | F_DS | F_SRV))
-	{
-	  unsigned short class = C_IN;
-
-	  if (!read_write(fd, (unsigned char *)&addr, sizeof(addr), 1))
-	    return 0;
-
-	  if ((flags & F_SRV) && !(flags & F_NEG) && !(addr.srv.target = blockdata_read(fd, addr.srv.targetlen)))
-	    return 0;
-	
-#ifdef HAVE_DNSSEC
-	   if (flags & F_DNSKEY)
-	     {
-	       if (!read_write(fd, (unsigned char *)&class, sizeof(class), 1) ||
-		   !(addr.key.keydata = blockdata_read(fd, addr.key.keylen)))
-		 return 0;
-	     }
-	   else  if (flags & F_DS)
-	     {
-	        if (!read_write(fd, (unsigned char *)&class, sizeof(class), 1) ||
-		    (!(flags & F_NEG) && !(addr.key.keydata = blockdata_read(fd, addr.key.keylen))))
-		  return 0;
-	     }
-#endif
-	       
-	  crecp = really_insert(daemon->namebuff, &addr, class, now, ttl, flags);
-	}
-      else if (flags & F_CNAME)
+      if (flags & F_CNAME)
 	{
 	  struct crec *newc = really_insert(daemon->namebuff, NULL, C_IN, now, ttl, flags);
 	  /* This relies on the fact that the target of a CNAME immediately precedes
@@ -881,11 +886,11 @@ int cache_recv_insert(time_t now, int fd)
 	     the order reversal on the new_chain. */
 	  if (newc)
 	    {
-	       newc->addr.cname.is_name_ptr = 0;
-	       
-	       if (!crecp)
-		 newc->addr.cname.target.cache = NULL;
-	       else
+	      newc->addr.cname.is_name_ptr = 0;
+	      
+	      if (!crecp)
+		newc->addr.cname.target.cache = NULL;
+	      else
 		{
 		  next_uid(crecp);
 		  newc->addr.cname.target.cache = crecp;
@@ -893,6 +898,36 @@ int cache_recv_insert(time_t now, int fd)
 		}
 	    }
 	}
+      else
+	{
+	  unsigned short class = C_IN;
+
+	  if (flags & (F_IPV4 | F_IPV6 | F_DNSKEY | F_DS | F_RR))
+	    {
+	      if (!read_write(fd, (unsigned char *)&addr, sizeof(addr), 1))
+		return 0;
+	      
+	      if ((flags & F_RR) && !(flags & F_NEG) && (flags & F_KEYTAG)
+		  && !(addr.rrblock.rrdata = blockdata_read(fd, addr.rrblock.datalen)))
+		return 0;
+#ifdef HAVE_DNSSEC
+	      if (flags & F_DNSKEY)
+		{
+		  if (!read_write(fd, (unsigned char *)&class, sizeof(class), 1) ||
+		      !(addr.key.keydata = blockdata_read(fd, addr.key.keylen)))
+		    return 0;
+		}
+	      else  if (flags & F_DS)
+		{
+		  if (!read_write(fd, (unsigned char *)&class, sizeof(class), 1) ||
+		      (!(flags & F_NEG) && !(addr.key.keydata = blockdata_read(fd, addr.key.keylen))))
+		    return 0;
+		}
+#endif
+	    }
+	  
+	  crecp = really_insert(daemon->namebuff, &addr, class, now, ttl, flags);
+	}
     }
 }
 	
@@ -1080,7 +1115,6 @@ static void add_hosts_entry(struct crec *cache, union all_addr *addr, int addrle
      the array rhash, hashed on address. Note that rhash and the values
      in ->next are only valid  whilst reading hosts files: the buckets are
      then freed, and the ->next pointer used for other things. 
-
      Only insert each unique address once into this hashing structure.
 
      This complexity avoids O(n^2) divergent CPU use whilst reading
@@ -1586,7 +1620,7 @@ static void make_non_terminals(struct crec *source)
       if (!is_outdated_cname_pointer(crecp) &&
 	  (crecp->flags & F_FORWARD) &&
 	  (crecp->flags & type) &&
-	  !(crecp->flags & (F_IPV4 | F_IPV6 | F_CNAME | F_SRV | F_DNSKEY | F_DS)) && 
+	  !(crecp->flags & (F_IPV4 | F_IPV6 | F_CNAME | F_DNSKEY | F_DS | F_RR)) && 
 	  hostname_isequal(name, cache_get_name(crecp)))
 	{
 	  *up = crecp->hash_next;
@@ -1643,7 +1677,7 @@ static void make_non_terminals(struct crec *source)
 
       if (crecp)
 	{
-	  crecp->flags = (source->flags | F_NAMEP) & ~(F_IPV4 | F_IPV6 | F_CNAME | F_SRV | F_DNSKEY | F_DS | F_REVERSE);
+	  crecp->flags = (source->flags | F_NAMEP) & ~(F_IPV4 | F_IPV6 | F_CNAME | F_RR | F_DNSKEY | F_DS | F_REVERSE);
 	  if (!(crecp->flags & F_IMMORTAL))
 	    crecp->ttd = source->ttd;
 	  crecp->name.namep = name;
@@ -1760,6 +1794,90 @@ static char *sanitise(char *name)
   return name;
 }
 
+static void dump_cache_entry(struct crec *cache, time_t now)
+{
+  (void)now;
+  static char *buff = NULL;
+  
+  char *p, *t = " ";
+  char *a = daemon->addrbuff, *n = cache_get_name(cache);
+
+  /* String length is limited below */
+  if (!buff && !(buff = whine_malloc(150)))
+    return;
+  
+  p = buff;
+  
+  *a = 0;
+  if (strlen(n) == 0 && !(cache->flags & F_REVERSE))
+    n = "<Root>";
+  p += sprintf(p, "%-30.30s ", sanitise(n));
+  if ((cache->flags & F_CNAME) && !is_outdated_cname_pointer(cache))
+    a = sanitise(cache_get_cname_target(cache));
+  else if (cache->flags & F_RR)
+    {
+      if (cache->flags & F_KEYTAG)
+	sprintf(a, "%s", querystr(NULL, cache->addr.rrblock.rrtype));
+      else
+	sprintf(a, "%s", querystr(NULL, cache->addr.rrdata.rrtype));
+    }
+#ifdef HAVE_DNSSEC
+  else if (cache->flags & F_DS)
+    {
+      if (!(cache->flags & F_NEG))
+	sprintf(a, "%5u %3u %3u", cache->addr.ds.keytag,
+		cache->addr.ds.algo, cache->addr.ds.digest);
+    }
+  else if (cache->flags & F_DNSKEY)
+    sprintf(a, "%5u %3u %3u", cache->addr.key.keytag,
+	    cache->addr.key.algo, cache->addr.key.flags);
+#endif
+  else if (!(cache->flags & F_NEG) || !(cache->flags & F_FORWARD))
+    { 
+      a = daemon->addrbuff;
+      if (cache->flags & F_IPV4)
+	inet_ntop(AF_INET, &cache->addr, a, ADDRSTRLEN);
+      else if (cache->flags & F_IPV6)
+	inet_ntop(AF_INET6, &cache->addr, a, ADDRSTRLEN);
+    }
+  
+  if (cache->flags & F_IPV4)
+    t = "4";
+  else if (cache->flags & F_IPV6)
+    t = "6";
+  else if (cache->flags & F_CNAME)
+    t = "C";
+  else if (cache->flags & F_RR)
+    t = "T";
+#ifdef HAVE_DNSSEC
+  else if (cache->flags & F_DS)
+    t = "S";
+  else if (cache->flags & F_DNSKEY)
+    t = "K";
+#endif
+  else if (!(cache->flags & F_NXDOMAIN)) /* non-terminal */
+    t = "!";
+  
+  p += sprintf(p, "%-40.40s %s%s%s%s%s%s%s%s%s%s ", a, t,
+	       cache->flags & F_FORWARD ? "F" : " ",
+	       cache->flags & F_REVERSE ? "R" : " ",
+	       cache->flags & F_IMMORTAL ? "I" : " ",
+	       cache->flags & F_DHCP ? "D" : " ",
+	       cache->flags & F_NEG ? "N" : " ",
+	       cache->flags & F_NXDOMAIN ? "X" : " ",
+	       cache->flags & F_HOSTS ? "H" : " ",
+	       cache->flags & F_CONFIG ? "C" : " ",
+	       cache->flags & F_DNSSECOK ? "V" : " ");
+#ifdef HAVE_BROKEN_RTC
+  p += sprintf(p, "%-24lu", cache->flags & F_IMMORTAL ? 0: (unsigned long)(cache->ttd - now));
+#else
+  p += sprintf(p, "%-24.24s", cache->flags & F_IMMORTAL ? "" : ctime(&(cache->ttd)));
+#endif
+  if(cache->flags & (F_HOSTS | F_CONFIG) && cache->uid > 0)
+    p += sprintf(p, " %-40.40s", record_source(cache->uid));
+  
+  my_syslog(LOG_INFO, "%s", buff);
+}
 
 void dump_cache(time_t now)
 {
@@ -1777,7 +1895,12 @@ void dump_cache(time_t now)
 #endif
 
   blockdata_report();
-
+  my_syslog(LOG_INFO, _("child processes for TCP requests: in use %zu, highest since last SIGUSR1 %zu, max allowed %zu."),
+	    daemon->metrics[METRIC_TCP_CONNECTIONS],
+	    daemon->max_procs_used,
+	    daemon->max_procs);
+  daemon->max_procs_used = daemon->metrics[METRIC_TCP_CONNECTIONS];
+  
   /* sum counts from different records for same server */
   for (serv = daemon->servers; serv; serv = serv->next)
     serv->flags &= ~SERV_MARK;
@@ -1807,90 +1930,14 @@ void dump_cache(time_t now)
 
   if (option_bool(OPT_DEBUG) || option_bool(OPT_LOG))
     {
-      struct crec *cache ;
+      struct crec *cache;
       int i;
       my_syslog(LOG_INFO, "Host                           Address                                  Flags      Expires                  Source");
       my_syslog(LOG_INFO, "------------------------------ ---------------------------------------- ---------- ------------------------ ------------");
     
       for (i=0; i<hash_size; i++)
 	for (cache = hash_table[i]; cache; cache = cache->hash_next)
-	  {
-	    char *t = " ";
-	    char *a = daemon->addrbuff, *p = daemon->namebuff, *n = cache_get_name(cache);
-	    *a = 0;
-	    if (strlen(n) == 0 && !(cache->flags & F_REVERSE))
-	      n = "<Root>";
-	    p += sprintf(p, "%-30.30s ", sanitise(n));
-	    if ((cache->flags & F_CNAME) && !is_outdated_cname_pointer(cache))
-	      a = sanitise(cache_get_cname_target(cache));
-	    else if ((cache->flags & F_SRV) && !(cache->flags & F_NEG))
-	      {
-		int targetlen = cache->addr.srv.targetlen;
-		ssize_t len = sprintf(a, "%u %u %u ", cache->addr.srv.priority,
-				      cache->addr.srv.weight, cache->addr.srv.srvport);
-
-		if (targetlen > (40 - len))
-		  targetlen = 40 - len;
-		blockdata_retrieve(cache->addr.srv.target, targetlen, a + len);
-		a[len + targetlen] = 0;		
-	      }
-#ifdef HAVE_DNSSEC
-	    else if (cache->flags & F_DS)
-	      {
-		if (!(cache->flags & F_NEG))
-		  sprintf(a, "%5u %3u %3u", cache->addr.ds.keytag,
-			  cache->addr.ds.algo, cache->addr.ds.digest);
-	      }
-	    else if (cache->flags & F_DNSKEY)
-	      sprintf(a, "%5u %3u %3u", cache->addr.key.keytag,
-		      cache->addr.key.algo, cache->addr.key.flags);
-#endif
-	    else if (!(cache->flags & F_NEG) || !(cache->flags & F_FORWARD))
-	      { 
-		a = daemon->addrbuff;
-		if (cache->flags & F_IPV4)
-		  inet_ntop(AF_INET, &cache->addr, a, ADDRSTRLEN);
-		else if (cache->flags & F_IPV6)
-		  inet_ntop(AF_INET6, &cache->addr, a, ADDRSTRLEN);
-	      }
-
-	    if (cache->flags & F_IPV4)
-	      t = "4";
-	    else if (cache->flags & F_IPV6)
-	      t = "6";
-	    else if (cache->flags & F_CNAME)
-	      t = "C";
-	    else if (cache->flags & F_SRV)
-	      t = "V";
-#ifdef HAVE_DNSSEC
-	    else if (cache->flags & F_DS)
-	      t = "S";
-	    else if (cache->flags & F_DNSKEY)
-	      t = "K";
-#endif
-	    else /* non-terminal */
-	      t = "!";
-
-	    p += sprintf(p, "%-40.40s %s%s%s%s%s%s%s%s%s%s ", a, t,
-			 cache->flags & F_FORWARD ? "F" : " ",
-			 cache->flags & F_REVERSE ? "R" : " ",
-			 cache->flags & F_IMMORTAL ? "I" : " ",
-			 cache->flags & F_DHCP ? "D" : " ",
-			 cache->flags & F_NEG ? "N" : " ",
-			 cache->flags & F_NXDOMAIN ? "X" : " ",
-			 cache->flags & F_HOSTS ? "H" : " ",
-			 cache->flags & F_CONFIG ? "C" : " ",
-			 cache->flags & F_DNSSECOK ? "V" : " ");
-#ifdef HAVE_BROKEN_RTC
-	    p += sprintf(p, "%-24lu", cache->flags & F_IMMORTAL ? 0: (unsigned long)(cache->ttd - now));
-#else
-	    p += sprintf(p, "%-24.24s", cache->flags & F_IMMORTAL ? "" : ctime(&(cache->ttd)));
-#endif
-	    if(cache->flags & (F_HOSTS | F_CONFIG) && cache->uid > 0)
-		p += sprintf(p, " %s", record_source(cache->uid));
-
-	    my_syslog(LOG_INFO, "%s", daemon->namebuff);
-	  }
+	  dump_cache_entry(cache, now);
     }
 }
 
@@ -2011,9 +2058,10 @@ static char *edestr(int ede)
 
 void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg, unsigned short type)
 {
-  char *source, *dest = arg;
+  char *source, *dest;
   char *verb = "is";
   char *extra = "";
+  char *gap = " ";
   char portstring[7]; /* space for #<portnum> */
   
   if (!option_bool(OPT_LOG))
@@ -2023,6 +2071,8 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
   if (!(flags & (F_SERVER | F_IPSET)) && type > 0)
     arg = querystr(arg, type);
 
+  dest = arg;
+
 #ifdef HAVE_DNSSEC
   if ((flags & F_DNSSECOK) && option_bool(OPT_EXTRALOG))
     extra = " (DNSSEC signed)";
@@ -2034,7 +2084,14 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
     {
       dest = daemon->addrbuff;
 
-      if (flags & F_KEYTAG)
+       if (flags & F_RR)
+	 {
+	   if (flags & F_KEYTAG)
+	     dest = querystr(NULL, addr->rrblock.rrtype);
+	   else
+	     dest = querystr(NULL, addr->rrdata.rrtype);
+	 }
+       else if (flags & F_KEYTAG)
 	sprintf(daemon->addrbuff, arg, addr->log.keytag, addr->log.algo, addr->log.digest);
       else if (flags & F_RCODE)
 	{
@@ -2091,8 +2148,6 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
     }
   else if (flags & F_CNAME)
     dest = "<CNAME>";
-  else if (flags & F_SRV)
-    dest = "<SRV>";
   else if (flags & F_RRNAME)
     dest = arg;
     
@@ -2143,19 +2198,21 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
   else
     source = "cached";
   
-  if (name && !name[0])
+  if (!name)
+    gap = name = "";
+  else if (!name[0])
     name = ".";
-
+  
   if (option_bool(OPT_EXTRALOG))
     {
       if (flags & F_NOEXTRA)
-	my_syslog(LOG_INFO, "%u %s %s %s %s%s", daemon->log_display_id, source, name, verb, dest, extra);
+	my_syslog(LOG_INFO, "%u %s %s%s%s %s%s", daemon->log_display_id, source, name, gap, verb, dest, extra);
       else
 	{
 	   int port = prettyprint_addr(daemon->log_source_addr, daemon->addrbuff2);
-	   my_syslog(LOG_INFO, "%u %s/%u %s %s %s %s%s", daemon->log_display_id, daemon->addrbuff2, port, source, name, verb, dest, extra);
+	   my_syslog(LOG_INFO, "%u %s/%u %s %s%s%s %s%s", daemon->log_display_id, daemon->addrbuff2, port, source, name, gap, verb, dest, extra);
 	}
     }
   else
-    my_syslog(LOG_INFO, "%s %s %s %s%s", source, name, verb, dest, extra);
+    my_syslog(LOG_INFO, "%s %s%s%s %s%s", source, name, gap, verb, dest, extra);
 }

src/config.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -15,11 +15,11 @@
 */
 
 #define FTABSIZ 150 /* max number of outstanding requests (default) */
-#define MAX_PROCS 20 /* max no children for TCP requests */
+#define MAX_PROCS 20 /* default max no children for TCP requests */
 #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
 #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
 #define TCP_BACKLOG 32  /* kernel backlog limit for TCP connections */
-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from  /dnsflagday.net/2020 */
 #define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */
 #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
 #define DNSSEC_WORK 50 /* Max number of queries to validate one question */

src/conntrack.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/crypto.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/dbus.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -52,6 +52,12 @@ const char* introspection_xml_template =
 "    <method name=\"SetFilterWin2KOption\">\n"
 "      <arg name=\"filterwin2k\" direction=\"in\" type=\"b\"/>\n"
 "    </method>\n"
+"    <method name=\"SetFilterA\">\n"
+"      <arg name=\"filter-a\" direction=\"in\" type=\"b\"/>\n"
+"    </method>\n"
+"    <method name=\"SetFilterAAAA\">\n"
+"      <arg name=\"filter-aaaa\" direction=\"in\" type=\"b\"/>\n"
+"    </method>\n"
 "    <method name=\"SetLocaliseQueriesOption\">\n"
 "      <arg name=\"localise-queries\" direction=\"in\" type=\"b\"/>\n"
 "    </method>\n"
@@ -100,6 +106,7 @@ const char* introspection_xml_template =
 "</node>\n";
 
 static char *introspection_xml = NULL;
+static int watches_modified = 0;
 
 struct watch {
   DBusWatch *watch;      
@@ -121,6 +128,7 @@ static dbus_bool_t add_watch(DBusWatch *watch, void *data)
   w->watch = watch;
   w->next = daemon->watches;
   daemon->watches = w;
+  watches_modified++;
 
   (void)data; /* no warning */
   return TRUE;
@@ -128,7 +136,7 @@ static dbus_bool_t add_watch(DBusWatch *watch, void *data)
 
 static void remove_watch(DBusWatch *watch, void *data)
 {
-  struct watch **up, *w, *tmp;  
+  struct watch **up, *w, *tmp;
   
   for (up = &(daemon->watches), w = daemon->watches; w; w = tmp)
     {
@@ -137,6 +145,7 @@ static void remove_watch(DBusWatch *watch, void *data)
 	{
 	  *up = tmp;
 	  free(w);
+	  watches_modified++;
 	}
       else
 	up = &(w->next);
@@ -817,6 +826,28 @@ DBusHandlerResult message_handler(DBusConnection *connection,
     {
       reply = dbus_set_bool(message, OPT_FILTER, "filterwin2k");
     }
+  else if (strcmp(method, "SetFilterA") == 0)
+    {
+      static int done = 0;
+      static struct rrlist list = { T_A, NULL };
+
+      if (!done)
+	{
+	  list.next = daemon->filter_rr;
+	  daemon->filter_rr = &list;
+	}
+    }
+  else if (strcmp(method, "SetFilterAAAA") == 0)
+    {
+      static int done = 0;
+      static struct rrlist list = { T_AAAA, NULL };
+
+      if (!done)
+	{
+	  list.next = daemon->filter_rr;
+	  daemon->filter_rr = &list;
+	}
+    }
   else if (strcmp(method, "SetLocaliseQueriesOption") == 0)
     {
       reply = dbus_set_bool(message, OPT_LOCALISE, "localise-queries");
@@ -927,41 +958,53 @@ void set_dbus_listeners(void)
       {
 	unsigned int flags = dbus_watch_get_flags(w->watch);
 	int fd = dbus_watch_get_unix_fd(w->watch);
+	int poll_flags = POLLERR;
 	
 	if (flags & DBUS_WATCH_READABLE)
-	  poll_listen(fd, POLLIN);
-	
+	  poll_flags |= POLLIN;
 	if (flags & DBUS_WATCH_WRITABLE)
-	  poll_listen(fd, POLLOUT);
+	  poll_flags |= POLLOUT;
 	
-	poll_listen(fd, POLLERR);
+	poll_listen(fd, poll_flags);
       }
 }
 
-void check_dbus_listeners()
+static int check_dbus_watches()
 {
-  DBusConnection *connection = (DBusConnection *)daemon->dbus;
   struct watch *w;
 
+  watches_modified = 0;
   for (w = daemon->watches; w; w = w->next)
     if (dbus_watch_get_enabled(w->watch))
       {
 	unsigned int flags = 0;
 	int fd = dbus_watch_get_unix_fd(w->watch);
-	
-	if (poll_check(fd, POLLIN))
+	int poll_flags = poll_check(fd, POLLIN|POLLOUT|POLLERR);
+
+	if ((poll_flags & POLLIN) != 0)
 	  flags |= DBUS_WATCH_READABLE;
-	
-	if (poll_check(fd, POLLOUT))
+	if ((poll_flags & POLLOUT) != 0)
 	  flags |= DBUS_WATCH_WRITABLE;
-	
-	if (poll_check(fd, POLLERR))
+	if ((poll_flags & POLLERR) != 0)
 	  flags |= DBUS_WATCH_ERROR;
 
 	if (flags != 0)
-	  dbus_watch_handle(w->watch, flags);
+	  {
+	    dbus_watch_handle(w->watch, flags);
+	    if (watches_modified)
+	      return 0;
+	  }
       }
 
+  return 1;
+}
+
+void check_dbus_listeners()
+{
+  DBusConnection *connection = (DBusConnection *)daemon->dbus;
+
+  while (!check_dbus_watches()) ;
+
   if (connection)
     {
       dbus_connection_ref (connection);

src/dhcp-common.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -553,11 +553,11 @@ char *whichdevice(void)
     return NULL;
   
   for (if_tmp = daemon->if_names; if_tmp; if_tmp = if_tmp->next)
-    if (if_tmp->name && (!if_tmp->used || strchr(if_tmp->name, '*')))
+    if (if_tmp->name && (!(if_tmp->flags & INAME_USED) || strchr(if_tmp->name, '*')))
       return NULL;
 
   for (found = NULL, iface = daemon->interfaces; iface; iface = iface->next)
-    if (iface->dhcp_ok)
+    if (iface->dhcp4_ok || iface->dhcp6_ok)
       {
 	if (!found)
 	  found = iface;
@@ -838,7 +838,7 @@ char *option_string(int prot, unsigned int opt, unsigned char *val, int opt_len,
 		for (i = 0, j = 0; i < opt_len && j < buf_len ; i++)
 		  {
 		    char c = val[i];
-		    if (isprint((int)c))
+		    if (isprint((unsigned char)c))
 		      buf[j++] = c;
 		  }
 #ifdef HAVE_DHCP6
@@ -852,7 +852,7 @@ char *option_string(int prot, unsigned int opt, unsigned char *val, int opt_len,
 		    for (k = i + 1; k < opt_len && k < l && j < buf_len ; k++)
 		     {
 		       char c = val[k];
-		       if (isprint((int)c))
+		       if (isprint((unsigned char)c))
 			 buf[j++] = c;
 		     }
 		    i = l;
@@ -873,7 +873,7 @@ char *option_string(int prot, unsigned int opt, unsigned char *val, int opt_len,
 		    for (k = 0; k < len && j < buf_len; k++)
 		      {
 		       char c = *p++;
-		       if (isprint((int)c))
+		       if (isprint((unsigned char)c))
 			 buf[j++] = c;
 		     }
 		    i += len +2;

src/dhcp-protocol.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/dhcp.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -297,7 +297,7 @@ void dhcp_packet(time_t now, int pxe_fd)
 	}
       
       for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-	if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
+	if (tmp->name && (tmp->flags & INAME_4) && wildcard_match(tmp->name, ifr.ifr_name))
 	  return;
       
       /* unlinked contexts/relays are marked by context->current == context */
@@ -916,14 +916,14 @@ void dhcp_read_ethers(void)
       
       lineno++;
       
-      while (strlen(buff) > 0 && isspace((int)buff[strlen(buff)-1]))
+      while (strlen(buff) > 0 && isspace((unsigned char)buff[strlen(buff)-1]))
 	buff[strlen(buff)-1] = 0;
       
       if ((*buff == '#') || (*buff == '+') || (*buff == 0))
 	continue;
       
-      for (ip = buff; *ip && !isspace((int)*ip); ip++);
-      for(; *ip && isspace((int)*ip); ip++)
+      for (ip = buff; *ip && !isspace((unsigned char)*ip); ip++);
+      for(; *ip && isspace((unsigned char)*ip); ip++)
 	*ip = 0;
       if (!*ip || parse_hex(buff, hwaddr, ETHER_ADDR_LEN, NULL, NULL) != ETHER_ADDR_LEN)
 	{

src/dhcp6-protocol.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/dhcp6.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -92,7 +92,7 @@ void dhcp6_packet(time_t now)
   struct iface_param parm;
   struct cmsghdr *cmptr;
   struct msghdr msg;
-  int if_index = 0;
+  uint32_t if_index = 0;
   union {
     struct cmsghdr align; /* this ensures alignment */
     char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
@@ -118,11 +118,6 @@ void dhcp6_packet(time_t now)
   if ((sz = recv_dhcp_packet(daemon->dhcp6fd, &msg)) == -1)
     return;
   
-#ifdef HAVE_DUMPFILE
-  dump_packet_udp(DUMP_DHCPV6, (void *)daemon->dhcp_packet.iov_base, sz,
-		  (union mysockaddr *)&from, NULL, daemon->dhcp6fd);
-#endif
-  
   for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
     if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
       {
@@ -138,6 +133,34 @@ void dhcp6_packet(time_t now)
 
   if (!indextoname(daemon->dhcp6fd, if_index, ifr.ifr_name))
     return;
+  
+#ifdef HAVE_LINUX_NETWORK
+  /* This works around a possible Linux kernel bug when using interfaces
+     enslaved to a VRF. The scope_id in the source address gets set
+     to the index of the VRF interface, not the slave. Fortunately,
+     the interface index returned by packetinfo is correct so we use
+     that instead. Log this once, so if it triggers in other circumstances
+     we've not anticipated and breaks things, we get some clues. */
+  if (from.sin6_scope_id != if_index)
+    {
+      static int logged = 0;
+      
+      if (!logged)
+	{
+	  my_syslog(MS_DHCP | LOG_WARNING,
+		    _("Working around kernel bug: faulty source address scope for VRF slave %s"),
+		    ifr.ifr_name);
+	  logged = 1;
+	}
+      
+      from.sin6_scope_id = if_index;
+    }
+#endif
+
+#ifdef HAVE_DUMPFILE
+  dump_packet_udp(DUMP_DHCPV6, (void *)daemon->dhcp_packet.iov_base, sz,
+		  (union mysockaddr *)&from, NULL, daemon->dhcp6fd);
+#endif
 
   if (relay_reply6(&from, sz, ifr.ifr_name))
     {
@@ -159,7 +182,8 @@ void dhcp6_packet(time_t now)
 	  return;
       
       for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-	if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
+	if (tmp->name && (tmp->flags & INAME_6) &&
+	    wildcard_match(tmp->name, ifr.ifr_name))
 	  return;
       
       parm.current = NULL;

src/dns-protocol.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/dnsmasq.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -30,12 +30,14 @@ static volatile pid_t pid = 0;
 static volatile int pipewrite;
 
 static void set_dns_listeners(void);
+static void set_tftp_listeners(void);
 static void check_dns_listeners(time_t now);
 static void sig_handler(int sig);
 static void async_event(int pipe, time_t now);
 static void fatal_event(struct event_desc *ev, char *msg);
 static int read_event(int fd, struct event_desc *evp, char **msg);
 static void poll_resolv(int force, int do_reload, time_t now);
+static void tcp_init(void);
 
 int main (int argc, char **argv)
 {
@@ -125,17 +127,11 @@ int main (int argc, char **argv)
     {
       /* Note that both /000 and '.' are allowed within labels. These get
 	 represented in presentation format using NAME_ESCAPE as an escape
-	 character when in DNSSEC mode. 
-	 In theory, if all the characters in a name were /000 or
+	 character. In theory, if all the characters in a name were /000 or
 	 '.' or NAME_ESCAPE then all would have to be escaped, so the 
-	 presentation format would be twice as long as the spec.
-
-	 daemon->namebuff was previously allocated by the option-reading
-	 code before we knew if we're in DNSSEC mode, so reallocate here. */
-      free(daemon->namebuff);
-      daemon->namebuff = safe_malloc(MAXDNAME * 2);
-      daemon->keyname = safe_malloc(MAXDNAME * 2);
-      daemon->workspacename = safe_malloc(MAXDNAME * 2);
+	 presentation format would be twice as long as the spec. */
+      daemon->keyname = safe_malloc((MAXDNAME * 2) + 1);
+      daemon->workspacename = safe_malloc((MAXDNAME * 2) + 1);
       /* one char flag per possible RR in answer section (may get extended). */
       daemon->rr_status_sz = 64;
       daemon->rr_status = safe_malloc(sizeof(*daemon->rr_status) * daemon->rr_status_sz);
@@ -146,7 +142,7 @@ int main (int argc, char **argv)
   /* CONNTRACK UBUS code uses this buffer, so if not allocated above,
      we need to allocate it here. */
   if (option_bool(OPT_CMARK_ALST_EN) && !daemon->workspacename)
-    daemon->workspacename = safe_malloc(MAXDNAME);
+    daemon->workspacename = safe_malloc((MAXDNAME * 2) + 1);
 #endif
   
 #ifdef HAVE_DHCP
@@ -378,6 +374,13 @@ int main (int argc, char **argv)
   
   if (!enumerate_interfaces(1) || !enumerate_interfaces(0))
     die(_("failed to find list of interfaces: %s"), NULL, EC_MISC);
+
+#ifdef HAVE_DHCP
+  /* Determine lease FQDNs after enumerate_interfaces() call, since it needs
+     to call get_domain and that's only valid for some domain configs once we
+     have interface addresses. */
+  lease_calc_fqdns();
+#endif
   
   if (option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND)) 
     {
@@ -385,7 +388,7 @@ int main (int argc, char **argv)
       
       if (!option_bool(OPT_CLEVERBIND))
 	for (if_tmp = daemon->if_names; if_tmp; if_tmp = if_tmp->next)
-	  if (if_tmp->name && !if_tmp->used)
+	  if (if_tmp->name && !(if_tmp->flags & INAME_USED))
 	    die(_("unknown interface %s"), if_tmp->name, EC_BADNET);
 
 #if defined(HAVE_LINUX_NETWORK) && defined(HAVE_DHCP)
@@ -421,6 +424,8 @@ int main (int argc, char **argv)
 	daemon->numrrand = max_fd/3;
       /* safe_malloc returns zero'd memory */
       daemon->randomsocks = safe_malloc(daemon->numrrand * sizeof(struct randfd));
+
+      tcp_init();
     }
 
 #ifdef HAVE_INOTIFY
@@ -863,6 +868,8 @@ int main (int argc, char **argv)
 
       if (option_bool(OPT_LOCAL_SERVICE))
 	my_syslog(LOG_INFO, _("DNS service limited to local subnets"));
+      else if (option_bool(OPT_LOCALHOST_SERVICE))
+	my_syslog(LOG_INFO, _("DNS service limited to localhost"));
     }
   
   my_syslog(LOG_INFO, _("compile time options: %s"), compile_opts);
@@ -941,7 +948,7 @@ int main (int argc, char **argv)
   
   if (!option_bool(OPT_NOWILD)) 
     for (if_tmp = daemon->if_names; if_tmp; if_tmp = if_tmp->next)
-      if (if_tmp->name && !if_tmp->used)
+      if (if_tmp->name && !(if_tmp->flags & INAME_USED))
 	my_syslog(LOG_WARNING, _("warning: interface %s does not currently exist"), if_tmp->name);
    
   if (daemon->port != 0 && option_bool(OPT_NO_RESOLV))
@@ -1049,8 +1056,10 @@ int main (int argc, char **argv)
   pid = getpid();
 
   daemon->pipe_to_parent = -1;
-  for (i = 0; i < MAX_PROCS; i++)
-    daemon->tcp_pipes[i] = -1;
+
+  if (daemon->port != 0)
+    for (i = 0; i < daemon->max_procs; i++)
+      daemon->tcp_pipes[i] = -1;
   
 #ifdef HAVE_INOTIFY
   /* Using inotify, have to select a resolv file at startup */
@@ -1073,7 +1082,12 @@ int main (int argc, char **argv)
 	       (timeout == -1 || timeout > 1000))
 	timeout = 1000;
       
-      set_dns_listeners();
+      if (daemon->port != 0)
+	set_dns_listeners();
+      
+#ifdef HAVE_TFTP
+      set_tftp_listeners();
+#endif
 
 #ifdef HAVE_DBUS
       if (option_bool(OPT_DBUS))
@@ -1258,8 +1272,9 @@ int main (int argc, char **argv)
 	  check_ubus_listeners();
 	}
 #endif
-
-      check_dns_listeners(now);
+      
+      if (daemon->port != 0)
+	check_dns_listeners(now);
 
 #ifdef HAVE_TFTP
       check_tftp_listeners(now);
@@ -1525,10 +1540,15 @@ static void async_event(int pipe, time_t now)
 	      if (errno != EINTR)
 		break;
 	    }      
-	  else 
-	    for (i = 0 ; i < MAX_PROCS; i++)
+	  else if (daemon->port != 0)
+	    for (i = 0 ; i < daemon->max_procs; i++)
 	      if (daemon->tcp_pids[i] == p)
-		daemon->tcp_pids[i] = 0;
+		{
+		  daemon->tcp_pids[i] = 0;
+		  /* tcp_pipes == -1 && tcp_pids == 0 required to free slot */
+		  if (daemon->tcp_pipes[i] == -1)
+		    daemon->metrics[METRIC_TCP_CONNECTIONS]--;
+		}
 	break;
 	
 #if defined(HAVE_SCRIPT)	
@@ -1590,9 +1610,10 @@ static void async_event(int pipe, time_t now)
 	
       case EVENT_TERM:
 	/* Knock all our children on the head. */
-	for (i = 0; i < MAX_PROCS; i++)
-	  if (daemon->tcp_pids[i] != 0)
-	    kill(daemon->tcp_pids[i], SIGALRM);
+	if (daemon->port != 0)
+	  for (i = 0; i < daemon->max_procs; i++)
+	    if (daemon->tcp_pids[i] != 0)
+	      kill(daemon->tcp_pids[i], SIGALRM);
 	
 #if defined(HAVE_SCRIPT) && defined(HAVE_DHCP)
 	/* handle pending lease transitions */
@@ -1737,23 +1758,33 @@ void clear_cache_and_reload(time_t now)
 #endif
 }
 
-static void set_dns_listeners(void)
-{
-  struct serverfd *serverfdp;
-  struct listener *listener;
-  struct randfd_list *rfl;
-  int i;
-  
 #ifdef HAVE_TFTP
+static void set_tftp_listeners(void)
+{
   int  tftp = 0;
   struct tftp_transfer *transfer;
+  struct listener *listener;
+  
   if (!option_bool(OPT_SINGLE_PORT))
     for (transfer = daemon->tftp_trans; transfer; transfer = transfer->next)
       {
 	tftp++;
 	poll_listen(transfer->sockfd, POLLIN);
       }
+
+  for (listener = daemon->listeners; listener; listener = listener->next)
+    /* tftp == 0 in single-port mode. */
+    if (tftp <= daemon->tftp_max && listener->tftpfd != -1)
+      poll_listen(listener->tftpfd, POLLIN);
+}
 #endif
+
+static void set_dns_listeners(void)
+{
+  struct serverfd *serverfdp;
+  struct listener *listener;
+  struct randfd_list *rfl;
+  int i;
   
   for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next)
     poll_listen(serverfdp->fd, POLLIN);
@@ -1767,7 +1798,7 @@ static void set_dns_listeners(void)
     poll_listen(rfl->rfd->fd, POLLIN);
   
   /* check to see if we have free tcp process slots. */
-  for (i = MAX_PROCS - 1; i >= 0; i--)
+  for (i = daemon->max_procs - 1; i >= 0; i--)
     if (daemon->tcp_pids[i] == 0 && daemon->tcp_pipes[i] == -1)
       break;
 
@@ -1782,16 +1813,10 @@ static void set_dns_listeners(void)
 	 we'll be called again when a slot becomes available. */
       if  (listener->tcpfd != -1 && i >= 0)
 	poll_listen(listener->tcpfd, POLLIN);
-      
-#ifdef HAVE_TFTP
-      /* tftp == 0 in single-port mode. */
-      if (tftp <= daemon->tftp_max && listener->tftpfd != -1)
-	poll_listen(listener->tftpfd, POLLIN);
-#endif
     }
   
   if (!option_bool(OPT_DEBUG))
-    for (i = 0; i < MAX_PROCS; i++)
+    for (i = 0; i < daemon->max_procs; i++)
       if (daemon->tcp_pipes[i] != -1)
 	poll_listen(daemon->tcp_pipes[i], POLLIN);
 }
@@ -1826,13 +1851,16 @@ static void check_dns_listeners(time_t now)
      to free the process slot. Once the child process has gone, poll()
      returns POLLHUP, not POLLIN, so have to check for both here. */
   if (!option_bool(OPT_DEBUG))
-    for (i = 0; i < MAX_PROCS; i++)
+    for (i = 0; i < daemon->max_procs; i++)
       if (daemon->tcp_pipes[i] != -1 &&
 	  poll_check(daemon->tcp_pipes[i], POLLIN | POLLHUP) &&
 	  !cache_recv_insert(now, daemon->tcp_pipes[i]))
 	{
 	  close(daemon->tcp_pipes[i]);
 	  daemon->tcp_pipes[i] = -1;	
+	  /* tcp_pipes == -1 && tcp_pids == 0 required to free slot */
+	  if (daemon->tcp_pids[i] == 0)
+	    daemon->metrics[METRIC_TCP_CONNECTIONS]--;
 	}
 	
   for (listener = daemon->listeners; listener; listener = listener->next)
@@ -1840,17 +1868,12 @@ static void check_dns_listeners(time_t now)
       if (listener->fd != -1 && poll_check(listener->fd, POLLIN))
 	receive_query(listener, now); 
       
-#ifdef HAVE_TFTP     
-      if (listener->tftpfd != -1 && poll_check(listener->tftpfd, POLLIN))
-	tftp_request(listener, now);
-#endif
-
       /* check to see if we have a free tcp process slot.
 	 Note that we can't assume that because we had
 	 at least one a poll() time, that we still do.
 	 There may be more waiting connections after
 	 poll() returns then free process slots. */
-      for (i = MAX_PROCS - 1; i >= 0; i--)
+      for (i = daemon->max_procs - 1; i >= 0; i--)
 	if (daemon->tcp_pids[i] == 0 && daemon->tcp_pipes[i] == -1)
 	  break;
 
@@ -1966,6 +1989,9 @@ static void check_dns_listeners(time_t now)
 		  /* i holds index of free slot */
 		  daemon->tcp_pids[i] = p;
 		  daemon->tcp_pipes[i] = pipefd[0];
+		  daemon->metrics[METRIC_TCP_CONNECTIONS]++;
+		  if (daemon->metrics[METRIC_TCP_CONNECTIONS] > daemon->max_procs_used)
+		    daemon->max_procs_used = daemon->metrics[METRIC_TCP_CONNECTIONS];
 		}
 	      close(confd);
 
@@ -2141,7 +2167,11 @@ int delay_dhcp(time_t start, int sec, int fd, uint32_t addr, unsigned short id)
       poll_reset();
       if (fd != -1)
         poll_listen(fd, POLLIN);
-      set_dns_listeners();
+      if (daemon->port != 0)
+	set_dns_listeners();
+#ifdef HAVE_TFTP
+      set_tftp_listeners();
+#endif
       set_log_writer();
       
 #ifdef HAVE_DHCP6
@@ -2159,7 +2189,8 @@ int delay_dhcp(time_t start, int sec, int fd, uint32_t addr, unsigned short id)
       now = dnsmasq_time();
       
       check_log_writer(0);
-      check_dns_listeners(now);
+      if (daemon->port != 0)
+	check_dns_listeners(now);
       
 #ifdef HAVE_DHCP6
       if (daemon->doing_ra && poll_check(daemon->icmp6fd, POLLIN))
@@ -2192,3 +2223,9 @@ int delay_dhcp(time_t start, int sec, int fd, uint32_t addr, unsigned short id)
   return 0;
 }
 #endif /* HAVE_DHCP */
+
+void tcp_init(void)
+{
+  daemon->tcp_pids = safe_malloc(daemon->max_procs*sizeof(pid_t));
+  daemon->tcp_pipes = safe_malloc(daemon->max_procs*sizeof(int));
+}

src/dnsmasq.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
  
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -14,7 +14,7 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#define COPYRIGHT "Copyright (c) 2000-2022 Simon Kelley"
+#define COPYRIGHT "Copyright (c) 2000-2024 Simon Kelley"
 
 /* We do defines that influence behavior of stdio.h, so complain
    if included too early. */
@@ -276,12 +276,13 @@ struct event_desc {
 #define OPT_UMBRELLA_DEVID 64
 #define OPT_CMARK_ALST_EN  65
 #define OPT_QUIET_TFTP     66
-#define OPT_FILTER_A       67
-#define OPT_FILTER_AAAA    68
-#define OPT_STRIP_ECS      69
-#define OPT_STRIP_MAC      70
-#define OPT_NORR           71
-#define OPT_LAST           72
+#define OPT_STRIP_ECS      67
+#define OPT_STRIP_MAC      68
+#define OPT_NORR           69
+#define OPT_NO_IDENT       70
+#define OPT_CACHE_RR       71
+#define OPT_LOCALHOST_SERVICE  72
+#define OPT_LAST           73
 
 #define OPTION_BITS (sizeof(unsigned int)*8)
 #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
@@ -324,17 +325,28 @@ union all_addr {
     unsigned char algo;
     unsigned char digest; 
   } ds;
-  struct {
-    struct blockdata *target;
-    unsigned short targetlen, srvport, priority, weight;
-  } srv;
   /* for log_query */
   struct {
     unsigned short keytag, algo, digest, rcode;
     int ede;
   } log;
+  /* for arbitrary RR record stored in block */
+  struct {
+    unsigned short rrtype;
+    unsigned short datalen; 
+    struct blockdata *rrdata;
+  } rrblock;
+  /* for arbitrary RR record small enough to go in addr.
+     NOTE: rrblock and rrdata are discriminated by the F_KEYTAG bit
+     in the cache flags. */
+  struct datablock {
+    unsigned short rrtype;
+    unsigned char datalen;
+    char data[];
+  } rrdata;
 };
 
+#define RR_IMDATALEN (sizeof(union all_addr) - offsetof(struct datablock, data))
 
 struct bogus_addr {
   int is6, prefix;
@@ -511,7 +523,7 @@ struct crec {
 #define F_NOEXTRA   (1u<<27)
 #define F_DOMAINSRV (1u<<28)
 #define F_RCODE     (1u<<29)
-#define F_SRV       (1u<<30)
+#define F_RR        (1u<<30)
 #define F_STALE     (1u<<31)
 
 #define UID_NONE      0
@@ -637,7 +649,8 @@ struct allowlist {
 struct irec {
   union mysockaddr addr;
   struct in_addr netmask; /* only valid for IPv4 */
-  int tftp_ok, dhcp_ok, mtu, done, warned, dad, dns_auth, index, multicast_done, found, label;
+  int tftp_ok, dhcp4_ok, dhcp6_ok, mtu, done, warned, dad;
+  int dns_auth, index, multicast_done, found, label;
   char *name; 
   struct irec *next;
 };
@@ -653,10 +666,19 @@ struct listener {
 struct iname {
   char *name;
   union mysockaddr addr;
-  int used;
+  int flags;
   struct iname *next;
 };
 
+#define  INAME_USED  1
+#define  INAME_4     2
+#define  INAME_6     4
+
+struct rrlist {
+  unsigned short rr;
+  struct rrlist *next;
+};
+
 /* subnet parameters from command line */
 struct mysubnet {
   union mysockaddr addr;
@@ -1122,6 +1144,7 @@ extern struct daemon {
   struct naptr *naptr;
   struct txt_record *txt, *rr;
   struct ptr_record *ptr;
+  struct rrlist *cache_rr, *filter_rr;
   struct host_record *host_records, *host_records_tail;
   struct cname *cnames;
   struct auth_zone *auth_zones;
@@ -1230,8 +1253,8 @@ extern struct daemon {
   struct server *srv_save; /* Used for resend on DoD */
   size_t packet_len;       /*      "        "        */
   int    fd_save;          /*      "        "        */
-  pid_t tcp_pids[MAX_PROCS];
-  int tcp_pipes[MAX_PROCS];
+  pid_t *tcp_pids;
+  int *tcp_pipes;
   int pipe_to_parent;
   int numrrand;
   struct randfd *randomsocks;
@@ -1291,6 +1314,8 @@ extern struct daemon {
   /* file for packet dumps. */
   int dumpfd;
 #endif
+  int max_procs;
+  uint max_procs_used;
 } *daemon;
 
 struct server_details {
@@ -1303,6 +1328,7 @@ struct server_details {
 
 /* cache.c */
 void cache_init(void);
+unsigned short rrtype(char *in);
 void next_uid(struct crec *crecp);
 void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg, unsigned short type); 
 char *record_source(unsigned int index);
@@ -1336,6 +1362,8 @@ int read_hostsfile(char *filename, unsigned int index, int cache_size,
 void blockdata_init(void);
 void blockdata_report(void);
 struct blockdata *blockdata_alloc(char *data, size_t len);
+int blockdata_expand(struct blockdata *block, size_t oldlen,
+		     char *data, size_t newlen);
 void *blockdata_retrieve(struct blockdata *block, size_t len, void *data);
 struct blockdata *blockdata_read(int fd, size_t len);
 void blockdata_write(struct blockdata *block, size_t len, int fd);
@@ -1365,7 +1393,7 @@ void report_addresses(struct dns_header *header, size_t len, u32 mark);
 size_t answer_request(struct dns_header *header, char *limit, size_t qlen,  
 		      struct in_addr local_addr, struct in_addr local_netmask, 
 		      time_t now, int ad_reqd, int do_bit, int have_pseudoheader,
-		      int *stale);
+		      int *stale, int *filtered);
 int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name, 
 			     time_t now);
 int check_for_ignored_address(struct dns_header *header, size_t qlen);
@@ -1417,6 +1445,7 @@ void rand_init(void);
 unsigned short rand16(void);
 u32 rand32(void);
 u64 rand64(void);
+int rr_on_list(struct rrlist *list, unsigned short rr);
 int legal_hostname(char *name);
 char *canonicalise(char *in, int *nomem);
 unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit);
@@ -1577,6 +1606,7 @@ void lease_update_from_configs(void);
 int do_script_run(time_t now);
 void rerun_scripts(void);
 void lease_find_interfaces(time_t now);
+void lease_calc_fqdns(void);
 #ifdef HAVE_SCRIPT
 void lease_add_extradata(struct dhcp_lease *lease, unsigned char *data, 
 			 unsigned int len, int delim);
@@ -1810,14 +1840,16 @@ void poll_listen(int fd, short event);
 int do_poll(int timeout);
 
 /* rrfilter.c */
-size_t rrfilter(struct dns_header *header, size_t plen, int mode);
-u16 *rrfilter_desc(int type);
+size_t rrfilter(struct dns_header *header, size_t *plen, int mode);
+short *rrfilter_desc(int type);
 int expand_workspace(unsigned char ***wkspc, int *szp, int new);
+int to_wire(char *name);
+void from_wire(char *name);
 /* modes. */
 #define RRFILTER_EDNS0   0
 #define RRFILTER_DNSSEC  1
-#define RRFILTER_A       2
-#define RRFILTER_AAAA    3
+#define RRFILTER_CONF    2
+
 /* edns0.c */
 unsigned char *find_pseudoheader(struct dns_header *header, size_t plen,
 				   size_t *len, unsigned char **p, int *is_sign, int *is_last);

src/dnssec.c

@@ -1,5 +1,5 @@
 /* dnssec.c is Copyright (c) 2012 Giovanni Bajo <rasky@develer.com>
-           and Copyright (c) 2012-2020 Simon Kelley
+           and Copyright (c) 2012-2023 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -24,81 +24,6 @@
 #define SERIAL_LT       -1
 #define SERIAL_GT        1
 
-/* Convert from presentation format to wire format, in place.
-   Also map UC -> LC.
-   Note that using extract_name to get presentation format
-   then calling to_wire() removes compression and maps case,
-   thus generating names in canonical form.
-   Calling to_wire followed by from_wire is almost an identity,
-   except that the UC remains mapped to LC. 
-
-   Note that both /000 and '.' are allowed within labels. These get
-   represented in presentation format using NAME_ESCAPE as an escape
-   character. In theory, if all the characters in a name were /000 or
-   '.' or NAME_ESCAPE then all would have to be escaped, so the 
-   presentation format would be twice as long as the spec (1024). 
-   The buffers are all declared as 2049 (allowing for the trailing zero) 
-   for this reason.
-*/
-static int to_wire(char *name)
-{
-  unsigned char *l, *p, *q, term;
-  int len;
-
-  for (l = (unsigned char*)name; *l != 0; l = p)
-    {
-      for (p = l; *p != '.' && *p != 0; p++)
-	if (*p >= 'A' && *p <= 'Z')
-	  *p = *p - 'A' + 'a';
-	else if (*p == NAME_ESCAPE)
-	  {
-	    for (q = p; *q; q++)
-	      *q = *(q+1);
-	    (*p)--;
-	  }
-      term = *p;
-      
-      if ((len = p - l) != 0)
-	memmove(l+1, l, len);
-      *l = len;
-      
-      p++;
-      
-      if (term == 0)
-	*p = 0;
-    }
-  
-  return l + 1 - (unsigned char *)name;
-}
-
-/* Note: no compression  allowed in input. */
-static void from_wire(char *name)
-{
-  unsigned char *l, *p, *last;
-  int len;
-  
-  for (last = (unsigned char *)name; *last != 0; last += *last+1);
-  
-  for (l = (unsigned char *)name; *l != 0; l += len+1)
-    {
-      len = *l;
-      memmove(l, l+1, len);
-      for (p = l; p < l + len; p++)
-	if (*p == '.' || *p == 0 || *p == NAME_ESCAPE)
-	  {
-	    memmove(p+1, p, 1 + last - p);
-	    len++;
-	    *p++ = NAME_ESCAPE; 
-	    (*p)++;
-	  }
-	
-      l[len] = '.';
-    }
-
-  if ((char *)l != name)
-    *(l-1) = 0;
-}
-
 /* Input in presentation format */
 static int count_labels(char *name)
 {
@@ -225,7 +150,7 @@ static int is_check_date(unsigned long curtime)
    On returning 0, the end has been reached.
 */
 struct rdata_state {
-  u16 *desc;
+  short *desc;
   size_t c;
   unsigned char *end, *ip, *op;
   char *buff;
@@ -246,7 +171,7 @@ static int get_rdata(struct dns_header *header, size_t plen, struct rdata_state
     {
       d = *(state->desc);
       
-      if (d == (u16)-1)
+      if (d == -1)
 	{
 	  /* all the bytes to the end. */
 	  if ((state->c = state->end - state->ip) != 0)
@@ -294,7 +219,7 @@ static int get_rdata(struct dns_header *header, size_t plen, struct rdata_state
 
 /* Bubble sort the RRset into the canonical order. */
 
-static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int rrsetidx, 
+static int sort_rrset(struct dns_header *header, size_t plen, short *rr_desc, int rrsetidx, 
 		      unsigned char **rrset, char *buff1, char *buff2)
 {
   int swap, i, j;
@@ -331,7 +256,7 @@ static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int
 	     is the identity function and we can compare
 	     the RRs directly. If not we compare the 
 	     canonicalised RRs one byte at a time. */
-	  if (*rr_desc == (u16)-1)	  
+	  if (*rr_desc == -1)	  
 	    {
 	      int rdmin = rdlen1 > rdlen2 ? rdlen2 : rdlen1;
 	      int cmp = memcmp(state1.ip, state2.ip, rdmin);
@@ -524,7 +449,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
   unsigned char *p;
   int rdlen, j, name_labels, algo, labels, key_tag;
   struct crec *crecp = NULL;
-  u16 *rr_desc = rrfilter_desc(type);
+  short *rr_desc = rrfilter_desc(type);
   u32 sig_expiration, sig_inception;
   int failflags = DNSSEC_FAIL_NOSIG | DNSSEC_FAIL_NYV | DNSSEC_FAIL_EXP | DNSSEC_FAIL_NOKEYSUP;
   
@@ -671,7 +596,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
 	     
 	     If canonicalisation is not needed, a simple insertion into the hash works.
 	  */
-	  if (*rr_desc == (u16)-1)
+	  if (*rr_desc == -1)
 	    {
 	      len = htons(rdlen);
 	      hash->update(ctx, 2, (unsigned char *)&len);
@@ -996,7 +921,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
 int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
 {
   unsigned char *p = (unsigned char *)(header+1);
-  int qtype, qclass, rc, i, neganswer, nons, neg_ttl = 0, found_supported = 0;
+  int qtype, qclass, rc, i, neganswer = 0, nons = 0, servfail = 0, neg_ttl = 0, found_supported = 0;
   int aclass, atype, rdlen, flags;
   unsigned long ttl;
   union all_addr a;
@@ -1009,35 +934,43 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
   GETSHORT(qclass, p);
 
   if (qtype != T_DS || qclass != class)
-    rc = STAT_BOGUS;
-  else
-    rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons, &neg_ttl);
-  
-  if (STAT_ISEQUAL(rc, STAT_INSECURE))
-    {
-      my_syslog(LOG_WARNING, _("Insecure DS reply received for %s, check domain configuration and upstream DNS server DNSSEC support"), name);
-      log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS - not secure", 0);
-      return STAT_BOGUS | DNSSEC_FAIL_INDET;
-    }
-  
-  p = (unsigned char *)(header+1);
-  if (!extract_name(header, plen, &p, name, 1, 4))
-      return STAT_BOGUS;
+    return STAT_BOGUS;
 
-  p += 4; /* qtype, qclass */
-  
-  /* If the key needed to validate the DS is on the same domain as the DS, we'll
-     loop getting nowhere. Stop that now. This can happen of the DS answer comes
-     from the DS's zone, and not the parent zone. */
-  if (STAT_ISEQUAL(rc, STAT_NEED_KEY) && hostname_isequal(name, keyname))
+  /* A SERVFAIL answer has been seen to a DS query not at start of authority,
+     so treat it as such and continue to search for a DS or proof of no existence
+     further down the tree. */
+  if (RCODE(header) == SERVFAIL)
+    servfail = neganswer = nons = 1;
+  else
     {
-      log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS", 0);
-      return STAT_BOGUS;
+      rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons, &neg_ttl);
+  
+      if (STAT_ISEQUAL(rc, STAT_INSECURE))
+	{
+	  my_syslog(LOG_WARNING, _("Insecure DS reply received for %s, check domain configuration and upstream DNS server DNSSEC support"), name);
+	  log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS - not secure", 0);
+	  return STAT_BOGUS | DNSSEC_FAIL_INDET;
+	}
+      
+      p = (unsigned char *)(header+1);
+      if (!extract_name(header, plen, &p, name, 1, 4))
+	return STAT_BOGUS;
+
+      p += 4; /* qtype, qclass */
+      
+      /* If the key needed to validate the DS is on the same domain as the DS, we'll
+	 loop getting nowhere. Stop that now. This can happen of the DS answer comes
+	 from the DS's zone, and not the parent zone. */
+      if (STAT_ISEQUAL(rc, STAT_NEED_KEY) && hostname_isequal(name, keyname))
+	{
+	  log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS", 0);
+	  return STAT_BOGUS;
+	}
+  
+      if (!STAT_ISEQUAL(rc, STAT_SECURE))
+	return rc;
     }
   
-  if (!STAT_ISEQUAL(rc, STAT_SECURE))
-    return rc;
-   
   if (!neganswer)
     {
       cache_start_insert();
@@ -1135,7 +1068,8 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
   cache_end_insert();  
   
   if (neganswer)
-    log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, nons ? "no DS/cut" : "no DS", 0);
+    log_query(F_NOEXTRA | F_UPSTREAM, name, NULL,
+	      servfail ? "SERVFAIL" : (nons ? "no DS/cut" : "no DS"), 0);
       
   return STAT_OK;
 }

src/domain-match.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -253,9 +253,10 @@ int lookup_domain(char *domain, int flags, int *lowout, int *highout)
   if (highout)
     *highout = nhigh;
 
-  if (nlow == nhigh)
+  /* qlen == -1 when we failed to match even an empty query, if there are no default servers. */
+  if (nlow == nhigh || qlen == -1)
     return 0;
-
+  
   return 1;
 }
 

src/domain.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -22,12 +22,13 @@ static int match_domain(struct in_addr addr, struct cond_domain *c);
 static struct cond_domain *search_domain6(struct in6_addr *addr, struct cond_domain *c);
 static int match_domain6(struct in6_addr *addr, struct cond_domain *c);
 
-int is_name_synthetic(int flags, char *name, union all_addr *addr)
+int is_name_synthetic(int flags, char *name, union all_addr *addrp)
 {
   char *p;
   struct cond_domain *c = NULL;
   int prot = (flags & F_IPV6) ? AF_INET6 : AF_INET;
-
+  union all_addr addr;
+  
   for (c = daemon->synth_domains; c; c = c->next)
     {
       int found = 0;
@@ -74,7 +75,7 @@ int is_name_synthetic(int flags, char *name, union all_addr *addr)
 		   if (!c->is6 &&
 		      index <= ntohl(c->end.s_addr) - ntohl(c->start.s_addr))
 		    {
-		      addr->addr4.s_addr = htonl(ntohl(c->start.s_addr) + index);
+		      addr.addr4.s_addr = htonl(ntohl(c->start.s_addr) + index);
 		      found = 1;
 		    }
 		} 
@@ -86,8 +87,8 @@ int is_name_synthetic(int flags, char *name, union all_addr *addr)
 		      index <= addr6part(&c->end6) - addr6part(&c->start6))
 		    {
 		      u64 start = addr6part(&c->start6);
-		      addr->addr6 = c->start6;
-		      setaddr6part(&addr->addr6, start + index);
+		      addr.addr6 = c->start6;
+		      setaddr6part(&addr.addr6, start + index);
 		      found = 1;
 		    }
 		}
@@ -135,8 +136,8 @@ int is_name_synthetic(int flags, char *name, union all_addr *addr)
 		  }
 	    }
 	  
-	  if (hostname_isequal(c->domain, p+1) && inet_pton(prot, tail, addr))
-	    found = (prot == AF_INET) ? match_domain(addr->addr4, c) : match_domain6(&addr->addr6, c);
+	  if (hostname_isequal(c->domain, p+1) && inet_pton(prot, tail, &addr))
+	    found = (prot == AF_INET) ? match_domain(addr.addr4, c) : match_domain6(&addr.addr6, c);
 	}
       
       /* restore name */
@@ -148,7 +149,12 @@ int is_name_synthetic(int flags, char *name, union all_addr *addr)
       
       
       if (found)
-	return 1;
+	{
+	  if (addrp)
+	    *addrp = addr;
+	  
+	  return 1;
+	}
     }
   
   return 0;

src/dump.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/edns0.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -178,7 +178,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
 	    memcpy(buff, datap, rdlen);	      
 	  
 	  /* now, delete OPT RR */
-	  plen = rrfilter(header, plen, RRFILTER_EDNS0);
+	  rrfilter(header, &plen, RRFILTER_EDNS0);
 	  
 	  /* Now, force addition of a new one */
 	  p = NULL;	  
@@ -191,16 +191,13 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
       if (!(p = skip_questions(header, plen)) ||
 	  !(p = skip_section(p, 
 			     ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), 
-			     header, plen)))
-      {
-	free(buff);
-	return plen;
-      }
-      if (p + 11 > limit)
-      {
-        free(buff);
-        return plen; /* Too big */
-      }
+			     header, plen)) ||
+	  p + 11 > limit)
+	{
+	  free(buff);
+	  return plen; /* bad packet */
+	}
+      
       *p++ = 0; /* empty name */
       PUTSHORT(T_OPT, p);
       PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */

src/forward.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -721,7 +721,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
 	  if (added_pheader)
 	    {
 	      /* client didn't send EDNS0, we added one, strip it off before returning answer. */
-	      n = rrfilter(header, n, RRFILTER_EDNS0);
+	      rrfilter(header, &n, RRFILTER_EDNS0);
 	      pheader = NULL;
 	    }
 	  else
@@ -811,16 +811,6 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
 	    }
 	}
 
-      /* Before extract_addresses() */
-      if (rcode == NOERROR)
-	{
-	  if (option_bool(OPT_FILTER_A))
-	    n = rrfilter(header, n, RRFILTER_A);
-
-	  if (option_bool(OPT_FILTER_AAAA))
-	    n = rrfilter(header, n, RRFILTER_AAAA);
-	}
-
       switch (extract_addresses(header, n, daemon->namebuff, now, ipsets, nftsets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
 	{
 	case 1:
@@ -839,6 +829,9 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
 	  break;
 	}
 
+      if (rcode == NOERROR && rrfilter(header, &n, RRFILTER_CONF) > 0) 
+	ede = EDE_FILTERED;
+      
       if (doctored)
 	cache_secure = 0;
     }
@@ -860,7 +853,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
       
       /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
       if (!do_bit)
-	n = rrfilter(header, n, RRFILTER_DNSSEC);
+	rrfilter(header, &n, RRFILTER_DNSSEC);
     }
 #endif
 
@@ -901,17 +894,24 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
   if (forward->blocking_query)
     return;
   
-  /* Truncated answer can't be validated.
-     If this is an answer to a DNSSEC-generated query, we still
-     need to get the client to retry over TCP, so return
-     an answer with the TC bit set, even if the actual answer fits.
-  */
-  if (header->hb3 & HB3_TC)
-    status = STAT_TRUNCATED;
-
   /* If all replies to a query are REFUSED, give up. */
   if (RCODE(header) == REFUSED)
     status = STAT_ABANDONED;
+  else if (header->hb3 & HB3_TC)
+    {
+      /* Truncated answer can't be validated.
+	 If this is an answer to a DNSSEC-generated query, we still
+	 need to get the client to retry over TCP, so return
+	 an answer with the TC bit set, even if the actual answer fits.
+      */
+      status = STAT_TRUNCATED;
+      if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
+	{
+	  unsigned char *p = (unsigned char *)(header+1);
+	  if  (extract_name(header, plen, &p, daemon->namebuff, 0, 4) == 1)
+	    log_query(F_UPSTREAM | F_NOEXTRA, daemon->namebuff, NULL, "truncated", (forward->flags & FREC_DNSKEY_QUERY) ? T_DNSKEY : T_DS);
+	}
+    }
   
   /* As soon as anything returns BOGUS, we stop and unwind, to do otherwise
      would invite infinite loops, since the answers to DNSKEY and DS queries
@@ -1300,7 +1300,10 @@ static void return_reply(time_t now, struct frec *forward, struct dns_header *he
       no_cache_dnssec = 0;
       
       if (STAT_ISEQUAL(status, STAT_TRUNCATED))
-	header->hb3 |= HB3_TC;
+	{
+	  header->hb3 |= HB3_TC;
+	  log_query(F_SECSTAT, "result", NULL, "TRUNCATED", 0);
+	}
       else
 	{
 	  char *result, *domain = "result";
@@ -1326,7 +1329,7 @@ static void return_reply(time_t now, struct frec *forward, struct dns_header *he
 	      if (extract_request(header, n, daemon->namebuff, NULL))
 		domain = daemon->namebuff;
 	    }
-	  
+      
 	  log_query(F_SECSTAT, domain, &a, result, 0);
 	}
     }
@@ -1808,27 +1811,38 @@ void receive_query(struct listener *listen, time_t now)
 #endif
   else
     {
-      int stale;
+      int stale, filtered;
       int ad_reqd = do_bit;
-      u16 hb3 = header->hb3, hb4 = header->hb4;
       int fd = listen->fd;
+      struct blockdata *saved_question = blockdata_alloc((char *) header, (size_t)n);
       
       /* RFC 6840 5.7 */
       if (header->hb4 & HB4_AD)
 	ad_reqd = 1;
-      
+
       m = answer_request(header, ((char *) header) + udp_size, (size_t)n, 
-			 dst_addr_4, netmask, now, ad_reqd, do_bit, have_pseudoheader, &stale);
+			 dst_addr_4, netmask, now, ad_reqd, do_bit, have_pseudoheader, &stale, &filtered);
       
       if (m >= 1)
 	{
-	  if (stale && have_pseudoheader)
+	  if (have_pseudoheader)
 	    {
-	      u16 swap = htons(EDE_STALE);
-	      
-	      m = add_pseudoheader(header,  m,  ((unsigned char *) header) + udp_size, daemon->edns_pktsz,
-				   EDNS0_OPTION_EDE, (unsigned char *)&swap, 2, do_bit, 0);
+	      int ede = EDE_UNSET;
+
+	      if (filtered)
+		ede = EDE_FILTERED;
+	      else if (stale)
+		ede = EDE_STALE;
+
+	      if (ede != EDE_UNSET)
+		{
+		  u16 swap = htons(ede);
+		  
+		  m = add_pseudoheader(header,  m,  ((unsigned char *) header) + udp_size, daemon->edns_pktsz,
+				       EDNS0_OPTION_EDE, (unsigned char *)&swap, 2, do_bit, 0);
+		}
 	    }
+	  
 #ifdef HAVE_DUMPFILE
 	  dump_packet_udp(DUMP_REPLY, daemon->packet, m, NULL, &source_addr, listen->fd);
 #endif
@@ -1843,34 +1857,31 @@ void receive_query(struct listener *listen, time_t now)
 	    daemon->metrics[METRIC_DNS_STALE_ANSWERED]++;
 	}
       
-      if (m == 0 || stale)
+      if (stale)
 	{
-	  if (m != 0)
+	  /* We answered with stale cache data, so forward the query anyway to
+	     refresh that. */
+	  m = 0;
+	  
+	  /* We've already answered the client, so don't send it the answer 
+	     when it comes back. */
+	  fd = -1;
+	}
+      
+      if (saved_question)
+	{
+	  if (m == 0)
 	    {
-	      size_t plen;
+	      blockdata_retrieve(saved_question, (size_t)n, header);
 	      
-	      /* We answered with stale cache data, so forward the query anyway to
-		 refresh that. Restore the query from the answer packet. */
-	      pheader = find_pseudoheader(header, (size_t)m, &plen, NULL, NULL, NULL);
-	      
-	      header->hb3 = hb3;
-	      header->hb4 = hb4;
-	      header->ancount = htons(0);
-	      header->nscount = htons(0);
-	      header->arcount = htons(0);
-
-	      m = resize_packet(header, m, pheader, plen);
-
-	      /* We've already answered the client, so don't send it the answer 
-		 when it comes back. */
-	      fd = -1;
+	      if (forward_query(fd, &source_addr, &dst_addr, if_index,
+				header, (size_t)n,  ((char *) header) + udp_size, now, NULL, ad_reqd, do_bit, 0))
+		daemon->metrics[METRIC_DNS_QUERIES_FORWARDED]++;
+	      else
+		daemon->metrics[METRIC_DNS_LOCAL_ANSWERED]++;
 	    }
 	  
-	  if (forward_query(fd, &source_addr, &dst_addr, if_index,
-			    header, (size_t)n,  ((char *) header) + udp_size, now, NULL, ad_reqd, do_bit, 0))
-	    daemon->metrics[METRIC_DNS_QUERIES_FORWARDED]++;
-	  else
-	    daemon->metrics[METRIC_DNS_LOCAL_ANSWERED]++;
+	  blockdata_free(saved_question);
 	}
     }
 }
@@ -1898,7 +1909,7 @@ static ssize_t tcp_talk(int first, int last, int start, unsigned char *packet,
   
   while (1) 
     {
-      int data_sent = 0;
+      int data_sent = 0, timedout = 0;
       struct server *serv;
       
       if (firstsendto == -1)
@@ -1936,15 +1947,27 @@ static ssize_t tcp_talk(int first, int last, int start, unsigned char *packet,
 	      serv->tcpfd = -1;
 	      continue;
 	    }
+
+#ifdef TCP_SYNCNT
+	  /* TCP connections by default take ages to time out. 
+	     At least on Linux, we can reduce that to only two attempts
+	     to get a reply. For DNS, that's more sensible. */
+	  mark = 2;
+	  setsockopt(serv->tcpfd, IPPROTO_TCP, TCP_SYNCNT, &mark, sizeof(unsigned int));
+#endif
 	  
 #ifdef MSG_FASTOPEN
 	  server_send(serv, serv->tcpfd, packet, qsize + sizeof(u16), MSG_FASTOPEN);
 	  
 	  if (errno == 0)
 	    data_sent = 1;
+	  else if (errno == ETIMEDOUT || errno == EHOSTUNREACH)
+	    timedout = 1;
 #endif
 	  
-	  if (!data_sent && connect(serv->tcpfd, &serv->addr.sa, sa_len(&serv->addr)) == -1)
+	  /* If fastopen failed due to lack of reply, then there's no point in
+	     trying again in non-FASTOPEN mode. */
+	  if (timedout || (!data_sent && connect(serv->tcpfd, &serv->addr.sa, sa_len(&serv->addr)) == -1))
 	    {
 	      close(serv->tcpfd);
 	      serv->tcpfd = -1;
@@ -2045,7 +2068,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
       daemon->log_display_id = ++daemon->log_id;
       
       log_query_mysockaddr(F_NOEXTRA | F_DNSSEC | F_SERVER, keyname, &server->addr,
-			    STAT_ISEQUAL(status, STAT_NEED_KEY) ? "dnssec-query[DNSKEY]" : "dnssec-query[DS]", 0);
+			    STAT_ISEQUAL(new_status, STAT_NEED_KEY) ? "dnssec-query[DNSKEY]" : "dnssec-query[DS]", 0);
             
       new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, have_mark, mark, keycount);
 
@@ -2070,7 +2093,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
 unsigned char *tcp_request(int confd, time_t now,
 			   union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
 {
-  size_t size = 0;
+  size_t size = 0, saved_size = 0;
   int norebind;
 #ifdef HAVE_CONNTRACK
   int is_single_query = 0, allowed = 1;
@@ -2081,6 +2104,7 @@ unsigned char *tcp_request(int confd, time_t now,
   int checking_disabled, do_bit, added_pheader = 0, have_pseudoheader = 0;
   int cacheable, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
   size_t m;
+  struct blockdata *saved_question = NULL;
   unsigned short qtype;
   unsigned int gotname;
   /* Max TCP packet + slop + size */
@@ -2098,9 +2122,8 @@ unsigned char *tcp_request(int confd, time_t now,
   unsigned char *pheader;
   unsigned int mark = 0;
   int have_mark = 0;
-  int first, last, stale, do_stale = 0;
+  int first, last, filtered, stale, do_stale = 0;
   unsigned int flags = 0;
-  u16 hb3, hb4;
     
   if (!packet || getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
     return packet;
@@ -2155,35 +2178,15 @@ unsigned char *tcp_request(int confd, time_t now,
     {
       int ede = EDE_UNSET;
 
-      if (query_count == TCP_MAX_QUERIES)
-	return packet;
-
-      if (do_stale)
+      if (!do_stale)
 	{
-	  size_t plen;
-
-	  /* We answered the last query with stale data. Now try and get fresh data.
-	     Restore query from answer. */
-	  pheader = find_pseudoheader(header, m, &plen, NULL, NULL, NULL);
+	  if (query_count == TCP_MAX_QUERIES)
+	    break;
 	  
-	  header->hb3 = hb3;
-	  header->hb4 = hb4;
-	  header->ancount = htons(0);
-	  header->nscount = htons(0);
-	  header->arcount = htons(0);
-	  
-	  size = resize_packet(header, m, pheader, plen);
-	}
-      else
-	{
 	  if (!read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
 	      !(size = c1 << 8 | c2) ||
 	      !read_write(confd, payload, size, 1))
-	    return packet;
-	  
-	  /* for stale-answer processing. */
-	  hb3 = header->hb3;
-	  hb4 = header->hb4;
+	    break;
 	}
       
       if (size < (int)sizeof(struct dns_header))
@@ -2290,18 +2293,28 @@ unsigned char *tcp_request(int confd, time_t now,
 	   if (do_stale)
 	     m = 0;
 	   else
-	     /* m > 0 if answered from cache */
-	     m = answer_request(header, ((char *) header) + 65536, (size_t)size, 
-				dst_addr_4, netmask, now, ad_reqd, do_bit, have_pseudoheader, &stale);
-	   
+	     {
+	       if (saved_question)
+		 blockdata_free(saved_question);
+	       
+	       saved_question = blockdata_alloc((char *) header, (size_t)size);
+	       saved_size = size;
+	       
+	       /* m > 0 if answered from cache */
+	       m = answer_request(header, ((char *) header) + 65536, (size_t)size, 
+				  dst_addr_4, netmask, now, ad_reqd, do_bit, have_pseudoheader, &stale, &filtered);
+	     }
 	  /* Do this by steam now we're not in the select() loop */
 	  check_log_writer(1); 
 	  
-	  if (m == 0)
+	  if (m == 0 && saved_question)
 	    {
 	      struct server *master;
 	      int start;
 
+	      blockdata_retrieve(saved_question, (size_t)saved_size, header);
+	      size = saved_size;
+	      
 	      if (lookup_domain(daemon->namebuff, gotname, &first, &last))
 		flags = is_local_answer(now, first, daemon->namebuff);
 	      else
@@ -2431,13 +2444,23 @@ unsigned char *tcp_request(int confd, time_t now,
 		m = add_pseudoheader(header, m, ((unsigned char *) header) + 65536, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
 	    }
 	}
-      else if (stale)
-	 {
-	   u16 swap = htons((u16)EDE_STALE);
-	   
-	   m = add_pseudoheader(header, m, ((unsigned char *) header) + 65536, daemon->edns_pktsz, EDNS0_OPTION_EDE, (unsigned char *)&swap, 2, do_bit, 0);
-	 }
-      
+      else if (have_pseudoheader)
+	{
+	  ede = EDE_UNSET;
+	  
+	  if (filtered)
+	    ede = EDE_FILTERED;
+	  else if (stale)
+	    ede = EDE_STALE;
+	  
+	  if (ede != EDE_UNSET)
+	    {
+	      u16 swap = htons((u16)ede);
+	      
+	      m = add_pseudoheader(header, m, ((unsigned char *) header) + 65536, daemon->edns_pktsz, EDNS0_OPTION_EDE, (unsigned char *)&swap, 2, do_bit, 0);
+	    }
+	}
+	  
       check_log_writer(1);
       
       *length = htons(m);
@@ -2453,7 +2476,7 @@ unsigned char *tcp_request(int confd, time_t now,
 	break;
       
       /* If we answered with stale data, this process will now try and get fresh data into
-	 the cache then and cannot therefore accept new queries. Close the incoming
+	 the cache and cannot therefore accept new queries. Close the incoming
 	 connection to signal that to the client. Then set do_stale and loop round
 	 once more to try and get fresh data, after which we exit. */
       if (stale)
@@ -2471,6 +2494,9 @@ unsigned char *tcp_request(int confd, time_t now,
       close(confd);
     }
 
+  if (saved_question)
+    blockdata_free(saved_question);
+  
   return packet;
 }
 

src/hash-questions.c

@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2020 Simon Kelley
+/* Copyright (c) 2012-2023 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -165,7 +165,7 @@ static void sha256_transform(SHA256_CTX *ctx, const BYTE data[])
   WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64];
   
   for (i = 0, j = 0; i < 16; ++i, j += 4)
-    m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]);
+    m[i] = (((WORD)data[j]) << 24) | (((WORD)data[j + 1]) << 16) | (((WORD)data[j + 2]) << 8) | (((WORD)data[j + 3]));
   for ( ; i < 64; ++i)
     m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16];
 

src/helper.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/inotify.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
  
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/ip6addr.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2024 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by