DNAME documentation update.

Also fix overflow checking of NSEC type maps.

.gitignore

@@ -7,8 +7,4 @@ src/.copts_*
 contrib/lease-tools/dhcp_lease_time
 contrib/lease-tools/dhcp_release
 contrib/lease-tools/dhcp_release6
-debian/files
-debian/substvars
-debian/utils-substvars
-debian/trees/
-debian/build/
+

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "debian"]
+	path = debian
+	url = git://thekelleys.org.uk/dnsmasq-debian.git
+[submodule "submodules/dnsmasq-debian"]
+	path = submodules/dnsmasq-debian
+	url = https://thekelleys.org.uk/git/dnsmasq-debian

CHANGELOG

@@ -1,7 +1,246 @@
+version 2.92
+        Redesign the interaction between DNSSEC vaildation and per-domain
+	servers, specified as --server=/<domain>/<ip-address>. This should
+	just work in all cases now. If the normal chain-of-trust exists into
+	the delegated domain then whether the domain is signed or not, DNSSEC
+	validation will function normally. In the case the delgated domain
+	is an "overlay" on top of the global DNS and no NS and/or DS records
+	exist connecting it to the global dns, then if the domain is
+	unsigned the situation will be handled by synthesising a
+	proof-of-non-existance-of-DS for the domain and queries will be
+	answered unvalidated; this action will be logged. A signed domain
+	without chain-of-trust can be validated if a suitable trust-anchor
+	is provided using --trust-anchor. This change should be backwards
+	compatible for all existing working configurations; it extends the
+	space of possible configurations which are functional.
+
+	Fix a couple of problems with DNSSEC validation and DNAME. One
+	could cause validation failure on correct domains, and the other
+	would fail to spot an invalid domain. Thanks to Graham Clinch
+	for spotting the problem.
+
+	
+version 2.91
+	Fix spurious "resource limit exceeded messages". Thanks to 
+	Dominik Derigs for the bug report.
+
+	Fix out-of-bounds heap read in order_qsort().
+	We only need to order two server records on the ->serial field.
+	Literal address records are smaller and don't have
+	this field and don't need to be ordered on it.
+	To actually provoke this bug seems to need the same server-literal
+	to be repeated twice, e.g., --address=/a/1.1.1.1 --address-/a/1.1.1.1
+	which is clearly rare in the wild, but if it did exist it could
+	provoke a SIGSEGV. Thanks to Daniel Rhea for fuzzing this one.
+
+	Fix buffer overflow when configured lease-change script name
+	is too long.
+	Thanks to Daniel Rhea for finding this one.
+
+	Improve behaviour in the face of non-responsive upstream TCP DNS
+	servers. Without shorter timeouts, clients are blocked for too long
+	and fail with their own timeouts.
+
+	Set --fast-dns-retries by default when doing DNSSEC. A single
+	downstream query can trigger many upstream queries. On an
+	unreliable network, there may not be enough downstream retries
+	to ensure that all these queries complete.
+
+	Improve behaviour in the face of truncated answers to queries
+	for DNSSEC records. Getting these answers by TCP doesn't now
+	involve a faked truncated answer to the downstream client to
+	force it to move to TCP. This improves performance and robustness
+	in the face of broken clients which can't fall back to TCP.
+
+	No longer remove data from truncated upstream answers. If an
+	upstream replies with a truncated answer, but the answer has some
+	RRs included, return those RRs, rather than returning and
+	empty answer.
+
+	Fix handling of EDNS0 UDP packet sizes.
+	When talking upstream we always add a pseudo header, and set the
+        UDP packet size to --edns-packet-max. Answering queries from
+	downstream, we get the answer (either from upstream or local
+	data) If local data won't fit the advertised size (or 512 if
+	there's not an EDNS0 header) return truncated. If upstream
+        returns truncated, do likewise. If upstream is OK, but the
+	answer is too big for downstream, truncate the answer.
+
+	Modify the behaviour of --synth-domain for IPv6.
+	When deriving a domain name from an IPv6 address, an address
+	such as 1234:: would become 1234--.example.com, which is
+	not legal in IDNA2008. Stop using the :: compression method,
+	so 1234:: becomes
+	1234-0000-0000-0000-0000-0000-0000-0000.example.com
+
+	Fix broken dhcp-relay on *BSD. Thanks to Harold for finding
+	this problem.
+
+	Add --dhcp-option-pxe config. This acts almost exactly like
+	--dhcp-option except that the defined option is only sent when
+	replying to PXE clients. More importantly, these options are sent
+	in reply PXE clients when dnsmasq in acting in PXE proxy mode. In
+	PXE proxy mode, the set of options sent is defined by the PXE standard
+	and the normal set of options is not sent. This config allows arbitrary
+	options in PXE-proxy replies. A typical use-case is to send option
+	175 to iPXE. Thanks to Jason Berry for finding the requirement for
+	this.
+
+	Support PXE proxy-DHCP and DHCP-relay at the same time.
+        When using PXE proxy-DHCP, dnsmasq supplies PXE information to
+        the client, which also talks to another "normal" DHCP server
+        for address allocation and similar. The normal DHCP server may
+        be on the local network, but it may also be remote, and accessed via
+        a DHCP relay. This change allows dnsmasq to act as both a
+        PXE proxy-DHCP server AND a DHCP relay for the same network.
+
+	Fix erroneous "DNSSEC validated" state with non-DNSSEC
+	upstream servers.  Thanks to Dominik Derigs for the bug report.
+
+	Handle queries with EDNS client subnet fields better. If dnsmasq
+	is configured to add an EDNS client subnet to a query, it is careful
+	to suppress use of the cache, since a cached answer may not be valid
+	for a query with a different client subnet. Extend this behaviour
+	to queries which arrive a dnsmasq already carrying an EDNS client
+	subnet.
+
+	Handle DS queries to auth zones. When dnsmasq is configured to
+	act as an authoritative server and has an authoritative zone
+	configured, and receives a query for that zone _as_forwarder_
+	it answers the query directly rather than forwarding it. This
+	doesn't affect the answer, but it saves dnsmasq forwarding the
+	query to the recursor upstream, which then bounces it back to dnsmasq
+	in auth mode. The exception should be when the query is for the root
+	of zone, for a DS RR. The answer to that has to come from the parent,
+	via the recursor, and will typically be a proof-of-non-existence
+	since dnsmasq doesn't support signed zones. This patch suppresses
+	local answers and forces forwarding to the upstream recursor for such
+	queries. It stops breakage when a DNSSEC validating client makes
+	queries to dnsmasq acting as forwarder for a zone for which it is
+	authoritative.
+
+	Implement "DNS-0x20 encoding", for extra protection against
+	reply-spoof attacks. Since DNS queries are case-insensitive,
+	it's possible to randomly flip the case of letters in a query
+	and still get the correct answer back.
+	This adds an extra dimension for a cache-poisoning attacker
+	to guess when sending replies in-the-blind since it's expected
+	that the legitimate answer will have the same  pattern of upper
+	and lower case as the query, so any replies which don't can be
+	ignored as malicious. The amount of extra entropy clearly depends
+	on the number of a-z and A-Z characters in the query, and this
+	implementation puts a hard limit of 32 bits to make resource
+	allocation easy. This about doubles entropy over the standard
+	random ID and random port combination. This technique can interact
+	badly with rare broken DNS servers which don't preserve the case
+	of the query in their reply. The first time a reply is returned
+	which matches the query in all respects except case, a warning
+	will be logged. In this release, 0x020-encoding is default-off
+	and must be explicitly enabled with --do-0x20-encoding. In future
+	releases it may default on. You can avoid a future release
+	changing the behaviour of an installation with --no-x20-encode.
+	
+	Fix a long-standing problem when two queries which are identical
+	in every repect _except_ case, get combined by dnsmasq. If
+	dnsmasq gets eg, two queries for example.com and Example.com
+	in quick succession it will get the answer for example.com from
+	upstream and send that answer to both requestors. This means that
+	the query for Example.com will get an answer for example.com, and
+	in the modern DNS, that answer may not be accepted.
+
+	
+version 2.90
+	Fix reversion in --rev-server introduced in 2.88 which
+	caused breakage if the prefix length is not exactly divisible
+	by 8 (IPv4) or 4 (IPv6).
+
+	Fix possible SEGV when there server(s) for a particular
+	domain are configured, but no server which is not qualified
+	for a particular domain. Thanks to Daniel Danzberger for
+	spotting this bug.
+
+	Set the default maximum DNS UDP packet sice to 1232. This
+	has been the recommended value since 2020 because it's the
+	largest value that avoid fragmentation, and fragmentation
+	is just not reliable on the modern internet, especially
+	for IPv6. It's still possible to override this with
+	--edns-packet-max for special circumstances.
+
+	Add --no-dhcpv4-interface and --no-dhcpv6-interface for
+	better control over which inetrfaces are providing DHCP service.
+
+	Fix issue with stale caching: After replying with stale data,
+	dnsmasq sends the query upstream to refresh the cache asynchronously
+	and sometimes sends the wrong packet: packet length can be wrong,
+	and if an EDE marking stale data is added to the answer that can
+	end up in the query also. This bug only seems to cause problems
+	when the usptream server is a DOH/DOT proxy. Thanks to Justin He
+	for the bug report.
+
+	Add configurable caching for arbitrary RR-types.
+
+	Add --filter-rr option, to filter arbitrary RR-types.
+	--filter-rr=ANY has a special meaning: it filters the
+	answers to queries for the ANY RR-type.
+	
+	Add limits on the resources used to do DNSSEC validation.
+	DNSSEC introduces a potential CPU DoS, because a crafted domain
+	can force a validator to a large number of cryptographic
+	operations whilst attempting to do validation. When using TCP
+	transport a DNSKEY RRset contain thousands of members and any
+	RRset can have thousands of signatures. The potential number
+	of signature validations to follow the RFC for validation
+	for one RRset is the cross product of the keys and signatures,
+	so millions. In practice, the actual numbers are much lower,
+	so attacks can be mitigated by limiting the amount of
+	cryptographic "work" to a much lower amount. The actual
+	limits are number a signature validation fails per RRset(20),
+	number of signature validations and hash computations
+	per query(200), number of sub-queries  to fetch  DS and DNSKEY
+	RRsets per query(40), and the number of iterations in a
+	NSEC3 record(150). These values are sensible, but there is, as yet,
+	no standardisation on the values for a "conforming" domain, so a
+	new option --dnssec-limit is provided should they need to be altered.
+	The algorithm to validate DS records has also been altered to reduce
+	the maximum work from cross product of the number of DS records and
+	number of DNSKEYs to the cross product of the number of DS records
+	and supported DS digest types. As the number of DS digest types
+	is in single figures, this reduces the exposure.
+
+	Credit is due to Elias Heftrig, Haya Schulmann, Niklas Vogel,
+	and Michael Waidner from the German National Research Center for
+	Applied Cybersecurity ATHENE for finding this vulnerability.
+
+	CVE 2023-50387 and CVE 2023-50868 apply.
+	Note that the is a security vulnerablity only when DNSSEC validation
+	is enabled.
+	
+	Fix memory-leak when attempting to cache SRV records with zero TTL.
+	Thanks to Damian Sawicki for the bug report.
+
+	Add --max-tcp-connections option to make limit on TCP handling
+	processes configurable.  Also keep stats on how near the limit
+	we're getting, to help with tuning. Patch from Damian Sawicki.
+
+	
+version 2.89
+        Fix bug introduced in 2.88 (commit fe91134b) which can result
+	in corruption of the DNS cache internal data structures and
+	logging of "cache internal error". This has only been seen
+	in one place in the wild, and it took considerable effort
+	to even generate a test case to reproduce it, but there's
+	no way to be sure it won't strike, and the effect is to break
+	the cache badly. Installations with DNSSEC enabled are more
+	likely to see the problem, but not running DNSSEC does not
+	guarantee that it won't happen. Thanks to Timo van Roermund
+	for reporting the bug and for his great efforts in chasing
+	it down.
+
+
 version 2.88
 	Fix bug in --dynamic-host when an interface has /16 IPv4
-	address. Thanks to Mark Dietzer for spotting this.
-	
+  	address. Thanks to Mark Dietzer for spotting this.
+
 	Add --fast-dns-retry option. This gives dnsmasq the ability
 	to originate retries for upstream DNS queries itself, rather
 	than relying on the downstream client. This is most useful
@@ -12,12 +251,18 @@ version 2.88
 	in the cache, but its time-to-live has expired, dnsmasq will
 	return the data anyway. (It attempts to refresh the
 	data with an upstream query after returning the stale data.)
-	This can improve speed and reliability. It comes 
+	This can improve speed and reliability. It comes
 	at the expense of sometimes returning out-of-date data and
 	less efficient cache utilisation, since old data cannot be
 	flushed when its TTL expires, so the cache becomes
 	strictly least-recently-used.
 
+	Add --port-limit option which allows tuning for robustness in
+	the face of some upstream network errors. Thanks to
+	Prashant Kumar Singh, Ravi Nagayach and Mike Danilov,
+	all of Amazon Web Services, for their efforts in developing this
+	and the stale-cache and fast-retry options.
+
 	Make --hostsdir (but NOT --dhcp-hostsdir and --dhcp-optsdir)
 	handle removal of whole files or entries within files.
 	Thanks to Dominik Derigs for the initial patches for this.
@@ -1772,7 +2017,7 @@ version 2.61
 
 	Set the environment variable DNSMASQ_LOG_DHCP when running
 	the script id --log-dhcp is in effect, so that script can
-	taylor their logging verbosity. Suggestion from Malte
+	tailor their logging verbosity. Suggestion from Malte
 	Forkel.
 
 	Arrange that addresses specified with --listen-address

Makefile

@@ -1,4 +1,4 @@
-# dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+# dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@@ -29,6 +29,7 @@ LDFLAGS       =
 COPTS         = 
 RPM_OPT_FLAGS = 
 LIBS          = 
+LUA           = lua
 
 #################################################################
 
@@ -60,22 +61,18 @@ idn2_cflags =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFI
 idn2_libs =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --libs libidn2`
 ct_cflags =     `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --cflags libnetfilter_conntrack`
 ct_libs =       `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
-lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua5.2` 
-lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.2` 
-nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --cflags 'nettle hogweed' \
-                                                        HAVE_CRYPTOHASH $(PKG_CONFIG) --cflags nettle \
-                                                        HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`
-nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --libs 'nettle hogweed' \
-                                                        HAVE_CRYPTOHASH $(PKG_CONFIG) --libs nettle \
-                                                        HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`
+lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags $(LUA)` 
+lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs $(LUA)` 
+nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --cflags 'nettle hogweed'`
+nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC     $(PKG_CONFIG) --libs 'nettle hogweed'`
 gmp_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
 sunos_libs =    `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
 nft_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_NFTSET $(PKG_CONFIG) --cflags libnftables` 
 nft_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_NFTSET $(PKG_CONFIG) --libs libnftables`
 version =       -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
 
-sum?=$(shell $(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ')
-sum!=$(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' '
+sum?=$(shell echo $(CC) -DDNSMASQ_COMPILE_FLAGS="$(CFLAGS)" -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ')
+sum!=echo $(CC) -DDNSMASQ_COMPILE_FLAGS="$(CFLAGS)" -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' '
 copts_conf = .copts_$(sum)
 
 objs = cache.o rfc1035.o util.o option.o forward.o network.o \
@@ -84,7 +81,7 @@ objs = cache.o rfc1035.o util.o option.o forward.o network.o \
        dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o pattern.o \
        domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
        poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \
-       metrics.o hash-questions.o domain-match.o nftset.o
+       metrics.o domain-match.o nftset.o
 
 hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
        dns-protocol.h radv-protocol.h ip6addr.h metrics.h
@@ -105,9 +102,7 @@ clean : mostly_clean
 	rm -f core */core
 	rm -f *~ contrib/*/*~ */*~
 
-install : all install-common
-
-install-common :
+install : all
 	$(INSTALL) -d $(DESTDIR)$(BINDIR)
 	$(INSTALL) -d $(DESTDIR)$(MANDIR)/man8
 	$(INSTALL) -m 644 $(MAN)/dnsmasq.8 $(DESTDIR)$(MANDIR)/man8 
@@ -124,7 +119,11 @@ all-i18n : $(BUILDDIR)
 		cd $(top) && cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile $${f%.po}.mo; \
 	done
 
-install-i18n : all-i18n install-common
+install-i18n : all-i18n
+	$(INSTALL) -d $(DESTDIR)$(BINDIR)
+	$(INSTALL) -d $(DESTDIR)$(MANDIR)/man8
+	$(INSTALL) -m 644 $(MAN)/dnsmasq.8 $(DESTDIR)$(MANDIR)/man8 
+	$(INSTALL) -m 755 $(BUILDDIR)/dnsmasq $(DESTDIR)$(BINDIR)
 	cd $(BUILDDIR); $(top)/bld/install-mo $(DESTDIR)$(LOCALEDIR) $(INSTALL)
 	cd $(MAN); ../bld/install-man $(DESTDIR)$(MANDIR) $(INSTALL)
 

bld/Android.mk

@@ -11,14 +11,14 @@ LOCAL_SRC_FILES :=  bpf.c cache.c dbus.c dhcp.c dnsmasq.c \
 		    radv.c slaac.c auth.c ipset.c domain.c \
 	            dnssec.c dnssec-openssl.c blockdata.c tables.c \
 		    loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \
-		    crypto.c dump.c ubus.c metrics.c hash-questions.c \
-                    domain-match.c
+		    crypto.c dump.c ubus.c metrics.c \
+                    domain-match.c nftset.c
 
 LOCAL_MODULE := dnsmasq
 
 LOCAL_C_INCLUDES := external/dnsmasq/src
 
-LOCAL_CFLAGS := -O2 -g -W -Wall -D__ANDROID__ -DNO_IPV6 -DNO_TFTP -DNO_SCRIPT
+LOCAL_CFLAGS := -O2 -g -W -Wall -D__ANDROID__ -DNO_TFTP -DNO_SCRIPT
 LOCAL_SYSTEM_SHARED_LIBRARIES := libc libcutils
 
 LOCAL_LDLIBS := -L$(SYSROOT)/usr/lib -llog

dbus/DBus-interface

@@ -44,6 +44,14 @@ SetFilterWin2KOption
 --------------------
 Takes boolean, sets or resets the --filterwin2k option.
 
+SetFilterA
+------------------------
+Takes boolean, sets or resets the --filter-A option.
+
+SetFilterAAAA
+------------------------
+Takes boolean, sets or resets the --filter-AAAA option.
+
 SetBogusPrivOption
 ------------------
 Takes boolean, sets or resets the --bogus-priv option.

debian

@@ -0,0 +1 @@
+submodules/dnsmasq-debian/debian

debian/conffiles

@@ -1,5 +0,0 @@
-/etc/init.d/dnsmasq
-/etc/default/dnsmasq
-/etc/dnsmasq.conf
-/etc/resolvconf/update.d/dnsmasq
-/etc/insserv.conf.d/dnsmasq

debian/control

@@ -1,66 +0,0 @@
-Source: dnsmasq
-Section: net
-Priority: optional
-Build-depends: gettext, libnetfilter-conntrack-dev [linux-any],
-               libidn2-dev, libdbus-1-dev (>=0.61), libgmp-dev, 
-               nettle-dev (>=2.4-3), libbsd-dev [kfreebsd-any],
-	       liblua5.2-dev, dh-runit, debhelper-compat (= 10),
-               pkg-config, libnftables-dev
-Maintainer: Simon Kelley <simon@thekelleys.org.uk>
-Homepage: http://www.thekelleys.org.uk/dnsmasq/doc.html
-Vcs-Git: http://thekelleys.org.uk/git/dnsmasq.git
-Vcs-Browser: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git
-Standards-Version: 3.9.8
-
-Package: dnsmasq
-Architecture: all
-Depends: netbase, dnsmasq-base,
-         init-system-helpers (>= 1.18~), lsb-base (>= 3.0-6), ${misc:Depends}
-Suggests: resolvconf
-Breaks: ${runit:Breaks}
-Conflicts: resolvconf (<<1.15), ${runit:Conflicts}
-Description: Small caching DNS proxy and DHCP/TFTP server
- Dnsmasq is a lightweight, easy to configure, DNS forwarder and DHCP
- server. It is designed to provide DNS and optionally, DHCP, to a 
- small network. It can serve the names of local machines which are 
- not in the global DNS. The DHCP server integrates with the DNS 
- server and allows machines with DHCP-allocated addresses
- to appear in the DNS with names configured either in each host or
- in a central configuration file. Dnsmasq supports static and dynamic 
- DHCP leases and BOOTP/TFTP for network booting of diskless machines.
-
-Package: dnsmasq-base
-Architecture: any
-Depends: adduser, ${shlibs:Depends}
-Breaks: dnsmasq (<< 2.63-1~)
-Replaces: dnsmasq (<< 2.63-1~), dnsmasq-base
-Recommends: dns-root-data
-Provides: dnsmasq-base
-Conflicts: dnsmasq-base-lua
-Description: Small caching DNS proxy and DHCP/TFTP server
- This package contains the dnsmasq executable and documentation, but
- not the infrastructure required to run it as a system daemon. For
- that, install the dnsmasq package.
-
-Package: dnsmasq-base-lua
-Architecture: any
-Depends: adduser, ${shlibs:Depends}
-Breaks: dnsmasq (<< 2.63-1~)
-Replaces: dnsmasq (<< 2.63-1~), dnsmasq-base
-Recommends: dns-root-data
-Provides: dnsmasq-base
-Conflicts: dnsmasq-base
-Description: Small caching DNS proxy and DHCP/TFTP server
- This package contains the dnsmasq executable and documentation, but
- not the infrastructure required to run it as a system daemon. For
- that, install the dnsmasq package. This package is an alternative
- to dnsmasq-base which includes the LUA interpreter.
- 
-Package: dnsmasq-utils
-Architecture: linux-any
-Depends: ${shlibs:Depends}
-Conflicts: dnsmasq (<<2.40)
-Description: Utilities for manipulating DHCP leases
- Small utilities to query a DHCP server's lease database and
- remove leases from it. These programs are distributed with dnsmasq
- and may not work correctly with other DHCP servers.

debian/copyright

@@ -1,21 +0,0 @@
-dnsmasq is Copyright (c) 2000-2021 Simon Kelley
-
-It was downloaded from: http://www.thekelleys.org.uk/dnsmasq/
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991, or
-   (at your option) version 3 dated 29 June, 2007.
- 
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-On Debian GNU/Linux systems, the text of the GNU general public license is 
-available in the file /usr/share/common-licenses/GPL-2 or 
-/usr/share/common-licenses/GPL-3
-
-The Debian package of dnsmasq was created by Simon Kelley with assistance 
-from Lars Bahner.
-

debian/dbus.conf

@@ -1,18 +0,0 @@
-<!DOCTYPE busconfig PUBLIC
- "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-	<policy user="root">
-		<allow own="uk.org.thekelleys.dnsmasq"/>
-		<allow send_destination="uk.org.thekelleys.dnsmasq"/>
-	</policy>
-        <policy user="dnsmasq">
-                <allow own="uk.org.thekelleys.dnsmasq"/>
-                <allow send_destination="uk.org.thekelleys.dnsmasq"/>
-        </policy>
-	<policy context="default">
-                <deny own="uk.org.thekelleys.dnsmasq"/>
-                <deny send_destination="uk.org.thekelleys.dnsmasq"/>
-        </policy>
-</busconfig>
-

debian/default

@@ -1,42 +0,0 @@
-# This file has six functions:
-# 1) to completely disable starting this dnsmasq instance
-# 2) to set DOMAIN_SUFFIX by running `dnsdomainname`
-# 3) to select an alternative config file
-#    by setting DNSMASQ_OPTS to --conf-file=<file>
-# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
-#    more configuration variables.
-# 5) to stop the resolvconf package from controlling dnsmasq's
-#    idea of which upstream nameservers to use.
-# 6) to avoid using this dnsmasq instance as the system's default resolver
-#    by setting DNSMASQ_EXCEPT="lo"
-# For upgraders from very old versions, all the shell variables set
-# here in previous versions are still honored by the init script
-# so if you just keep your old version of this file nothing will break.
-
-#DOMAIN_SUFFIX=`dnsdomainname`
-#DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"
-
-# Whether or not to run the dnsmasq daemon; set to 0 to disable.
-# Note that this is only valid when using SYSV init. For systemd,
-# use "systemctl disable dnsmasq"
-ENABLED=1
-
-# By default search this drop directory for configuration options.
-# Libvirt leaves a file here to make the system dnsmasq play nice.
-# Comment out this line if you don't want this. The dpkg-* are file
-# endings which cause dnsmasq to skip that file. This avoids pulling
-# in backups made by dpkg.
-CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
-
-# If the resolvconf package is installed, dnsmasq will use its output
-# rather than the contents of /etc/resolv.conf to find upstream
-# nameservers. Uncommenting this line inhibits this behaviour.
-# Note that including a "resolv-file=<filename>" line in
-# /etc/dnsmasq.conf is not enough to override resolvconf if it is
-# installed: the line below must be uncommented.
-#IGNORE_RESOLVCONF=yes
-
-# If the resolvconf package is installed, dnsmasq will tell resolvconf
-# to use dnsmasq under 127.0.0.1 as the system's default resolver.
-# Uncommenting this line inhibits this behaviour.
-#DNSMASQ_EXCEPT="lo"

debian/dnsmasq-base.conffiles

@@ -1 +0,0 @@
-/etc/dbus-1/system.d/dnsmasq.conf

debian/dnsmasq-base.postinst

@@ -1,24 +0,0 @@
-#!/bin/sh
-set -e
-
-# Create the dnsmasq user in dnsmasq-base, so that Dbus doesn't complain.
-      
-# create a user to run as (code stolen from dovecot-common)
-if [ "$1" = "configure" ]; then
-  if [ -z "`id -u dnsmasq 2> /dev/null`" ]; then
-    adduser --system  --home /var/lib/misc --gecos "dnsmasq" \
-            --no-create-home --disabled-password \
-            --quiet dnsmasq || true
-  fi
-
-  # Make the directory where we keep the pid file - this
-  # has to be owned by "dnsmasq" so that the file can be unlinked.
-  # This is only actually used by the dnsmasq binary package, not
-  # dnsmasq-base, but it's much easier to create it here so that
-  # we don't have synchronisation issues with the creation of the
-  # dnsmasq user. 
-  if [ ! -d /run/dnsmasq ]; then
-    mkdir /run/dnsmasq
-    chown dnsmasq:nogroup /run/dnsmasq
-  fi
-fi

debian/dnsmasq-base.postrm

@@ -1,11 +0,0 @@
-#!/bin/sh
-set -e
-
-if [ purge = "$1" ]; then
-   if [ -x "$(command -v deluser)" ]; then
-     deluser --quiet --system dnsmasq > /dev/null || true
-  else
-     echo >&2 "not removing dnsmasq system account because deluser command was not found"
-  fi
-  rm -rf /run/dnsmasq
-fi

debian/dnsmasq.runit

@@ -1 +0,0 @@
-debian/dnsmasq.runscript name=dnsmasq,logscript,presubj

debian/dnsmasq.runscript/finish

@@ -1,5 +0,0 @@
-#!/bin/sh -eu
-if [ -x /sbin/resolvconf ] ; then
-	/sbin/resolvconf -d lo.dnsmasq
-fi
-

debian/dnsmasq.runscript/run

@@ -1,43 +0,0 @@
-#!/lib/runit/invoke-run
-
-readonly name=dnsmasq
-readonly daemon=/usr/sbin/dnsmasq
-readonly marker=/usr/share/dnsmasq/installed-marker
-
-test -e "${marker}" || exec sv down "${name}"
-test -x "${daemon}" || exec sv down "${name}"
-
-if [ ! "${RESOLV_CONF:-}" ] &&
-   [ "${IGNORE_RESOLVCONF:-}" != "yes" ] &&
-   [ -x /sbin/resolvconf ]
-then
-	RESOLV_CONF=/run/dnsmasq/resolv.conf
-fi
-
-# This tells dnsmasq to ignore DNS requests that don't come from a local network.
-# It's automatically ignored if  --interface --except-interface, --listen-address 
-# or --auth-server exist in the configuration, so for most installations, it will
-# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
-# from being vulnerable to DNS-reflection attacks.
-
-DNSMASQ_OPTS="${DNSMASQ_OPTS:-} --local-service"
-
-# If the dns-root-data package is installed, then the trust anchors will be 
-# available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
-# --trust-anchor options.
-
-ROOT_DS="/usr/share/dns/root.ds"
-
-if [ -f $ROOT_DS ]; then
-    DNSMASQ_OPTS="$DNSMASQ_OPTS `env LC_ALL=C sed -rne "s/^([.a-zA-Z0-9]+)([[:space:]]+[0-9]+)*([[:space:]]+IN)*[[:space:]]+DS[[:space:]]+/--trust-anchor=\1,/;s/[[:space:]]+/,/gp" $ROOT_DS | tr '\n' ' '`"
-fi
-
-mkdir -p /run/dnsmasq
-chown dnsmasq:nogroup /run/dnsmasq
-[ -x /sbin/restorecon ] && /sbin/restorecon /run/dnsmasq
-exec "${daemon}" \
-	--keep-in-foreground \
-	--log-facility=/dev/stdout \
-	${RESOLV_CONF:+ -r $RESOLV_CONF} \
-	${DNSMASQ_OPTS} \
-	-u dnsmasq

debian/init

@@ -1,325 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides:       dnsmasq
-# Required-Start: $network $remote_fs $syslog
-# Required-Stop:  $network $remote_fs $syslog
-# Default-Start:  2 3 4 5
-# Default-Stop:   0 1 6
-# Description:    DHCP and DNS server
-### END INIT INFO
-
-# Don't exit on error status
-set +e
-
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-DAEMON=/usr/sbin/dnsmasq
-NAME=dnsmasq
-DESC="DNS forwarder and DHCP server"
-INSTANCE="${2}"
-
-# Most configuration options in /etc/default/dnsmasq are deprecated
-# but still honoured.
-ENABLED=1
-if [ -r /etc/default/${NAME}${INSTANCE:+.${INSTANCE}} ]; then
-    . /etc/default/${NAME}${INSTANCE:+.${INSTANCE}}
-fi
-
-# Get the system locale, so that messages are in the correct language, and the
-# charset for IDN is correct
-if [ -r /etc/default/locale ]; then
-    . /etc/default/locale
-    export LANG
-fi
-
-# The following test ensures the dnsmasq service is not started, when the
-# package 'dnsmasq' is removed but not purged, even if the dnsmasq-base
-# package is still in place.
-test -e /usr/share/dnsmasq/installed-marker || exit 0
-
-test -x ${DAEMON} || exit 0
-
-# Provide skeleton LSB log functions for backports which don't have LSB functions.
-if [ -f /lib/lsb/init-functions ]; then
-    . /lib/lsb/init-functions
-else
-    log_warning_msg () {
-        echo "${@}."
-    }
-
-    log_success_msg () {
-        echo "${@}."
-    }
-
-    log_daemon_msg () {
-        echo -n "${1}: ${2}"
-    }
-
-    log_end_msg () {
-        if [ "${1}" -eq 0 ]; then
-            echo "."
-        elif [ "${1}" -eq 255 ]; then
-            /bin/echo -e " (warning)."
-        else
-            /bin/echo -e " failed!"
-        fi
-    }
-fi
-
-# RESOLV_CONF:
-# If the resolvconf package is installed then use the resolv conf file
-# that it provides as the default.  Otherwise use /etc/resolv.conf as
-# the default.
-#
-# If IGNORE_RESOLVCONF is set in /etc/default/dnsmasq or an explicit
-# filename is set there then this inhibits the use of the resolvconf-provided
-# information.
-#
-# Note that if the resolvconf package is installed it is not possible to
-# override it just by configuration in /etc/dnsmasq.conf, it is necessary
-# to set IGNORE_RESOLVCONF=yes in /etc/default/dnsmasq.
-
-if [ ! "${RESOLV_CONF}" ] &&
-   [ "${IGNORE_RESOLVCONF}" != "yes" ] &&
-   [ -x /sbin/resolvconf ]
-then
-    RESOLV_CONF=/run/dnsmasq/resolv.conf
-fi
-
-for INTERFACE in ${DNSMASQ_INTERFACE}; do
-    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -i ${INTERFACE}"
-done
-
-for INTERFACE in ${DNSMASQ_EXCEPT}; do
-    DNSMASQ_INTERFACES="${DNSMASQ_INTERFACES} -I ${INTERFACE}"
-done
-
-if [ ! "${DNSMASQ_USER}" ]; then
-   DNSMASQ_USER="dnsmasq"
-fi
-
-# This tells dnsmasq to ignore DNS requests that don't come from a local network.
-# It's automatically ignored if --interface --except-interface, --listen-address
-# or --auth-server exist in the configuration, so for most installations, it will
-# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
-# from being vulnerable to DNS-reflection attacks.
-
-DNSMASQ_OPTS="${DNSMASQ_OPTS} --local-service"
-
-# If the dns-root-data package is installed, then the trust anchors will be
-# available in ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
-# --trust-anchor options.
-
-ROOT_DS="/usr/share/dns/root.ds"
-
-if [ -f ${ROOT_DS} ]; then
-    DNSMASQ_OPTS="$DNSMASQ_OPTS `env LC_ALL=C sed -rne "s/^([.a-zA-Z0-9]+)([[:space:]]+[0-9]+)*([[:space:]]+IN)*[[:space:]]+DS[[:space:]]+/--trust-anchor=\1,/;s/[[:space:]]+/,/gp" $ROOT_DS | tr '\n' ' '`"
-fi
-
-start()
-{
-    # Return
-    #   0 if daemon has been started
-    #   1 if daemon was already running
-    #   2 if daemon could not be started
-
-    # /run may be volatile, so we need to ensure that
-    # /run/dnsmasq exists here as well as in postinst
-    if [ ! -d /run/dnsmasq ]; then
-        mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || return 2 ; }
-        chown dnsmasq:nogroup /run/dnsmasq || return 2
-    fi
-    [ -x /sbin/restorecon ] && /sbin/restorecon /run/dnsmasq
-
-    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null || return 1
-    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} -- \
-        -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
-        ${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
-        ${MAILTARGET:+ -t ${MAILTARGET}} \
-        ${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
-        ${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
-        ${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
-        ${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
-        ${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
-        ${CACHESIZE:+ -c ${CACHESIZE}} \
-        ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
-        ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} \
-        || return 2
-}
-
-start_resolvconf()
-{
-# If interface "lo" is explicitly disabled in /etc/default/dnsmasq
-# Then dnsmasq won't be providing local DNS, so don't add it to
-# the resolvconf server set.
-    for interface in ${DNSMASQ_EXCEPT}; do
-        [ ${interface} = lo ] && return
-    done
-
-    # Also skip this if DNS functionality is disabled in /etc/dnsmasq.conf
-    if grep -qs '^port=0' /etc/dnsmasq.conf; then
-        return
-    fi
-
-    if [ -x /sbin/resolvconf ] ; then
-        echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.${NAME}${INSTANCE:+.${INSTANCE}}
-    fi
-    return 0
-}
-
-stop()
-{
-    # Return
-    #   0 if daemon has been stopped
-    #   1 if daemon was already stopped
-    #   2 if daemon could not be stopped
-    #   other if a failure occurred
-    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --name ${NAME}
-}
-
-stop_resolvconf()
-{
-    if [ -x /sbin/resolvconf ] ; then
-        /sbin/resolvconf -d lo.${NAME}${INSTANCE:+.${INSTANCE}}
-    fi
-    return 0
-}
-
-status()
-{
-    # Return
-    #   0 if daemon is running
-    #   1 if daemon is dead and pid file exists
-    #   3 if daemon is not running
-    #   4 if daemon status is unknown
-    start-stop-daemon --start --quiet --pidfile /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid --exec ${DAEMON} --test > /dev/null
-    case "${?}" in
-      0) [ -e "/run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid" ] && return 1 ; return 3 ;;
-      1) return 0 ;;
-      *) return 4 ;;
-    esac
-}
-
-case "${1}" in
-  start)
-    test "${ENABLED}" != "0" || exit 0
-    log_daemon_msg "Starting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    start
-    case "${?}" in
-      0)
-        log_end_msg 0
-        start_resolvconf
-        exit 0
-        ;;
-      1)
-        log_success_msg "(already running)"
-        exit 0
-        ;;
-      *)
-        log_end_msg 1
-        exit 1
-        ;;
-    esac
-    ;;
-  stop)
-    stop_resolvconf
-    if [ "${ENABLED}" != "0" ]; then
-        log_daemon_msg "Stopping ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    fi
-    stop
-    RETVAL="${?}"
-    if [ "${ENABLED}" = "0" ]; then
-        case "${RETVAL}" in
-          0) log_daemon_msg "Stopping ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"; log_end_msg 0 ;;
-        esac
-        exit 0
-    fi
-    case "${RETVAL}" in
-      0) log_end_msg 0 ; exit 0 ;;
-      1) log_warning_msg "(not running)" ; exit 0 ;;
-      *) log_end_msg 1; exit 1 ;;
-    esac
-    ;;
-  checkconfig)
-    ${DAEMON} --test ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} >/dev/null 2>&1
-    RETVAL="${?}"
-    exit ${RETVAL}
-    ;;
-  restart|force-reload)
-    test "${ENABLED}" != "0" || exit 1
-    ${DAEMON} --test ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}} >/dev/null 2>&1
-    if [ ${?} -ne 0 ]; then
-        NAME="configuration syntax check"
-        RETVAL="2"
-    else
-        stop_resolvconf
-        stop
-        RETVAL="${?}"
-    fi
-    log_daemon_msg "Restarting ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    case "${RETVAL}" in
-      0|1)
-        sleep 2
-        start
-        case "${?}" in
-          0)
-            log_end_msg 0
-            start_resolvconf
-            exit 0
-            ;;
-          *)
-            log_end_msg 1
-            exit 1
-            ;;
-        esac
-        ;;
-      *)
-        log_end_msg 1
-        exit 1
-        ;;
-    esac
-    ;;
-  status)
-    log_daemon_msg "Checking ${DESC}" "${NAME}${INSTANCE:+.${INSTANCE}}"
-    status
-    case "${?}" in
-      0) log_success_msg "(running)" ; exit 0 ;;
-      1) log_success_msg "(dead, pid file exists)" ; exit 1 ;;
-      3) log_success_msg "(not running)" ; exit 3 ;;
-      *) log_success_msg "(unknown)" ; exit 4 ;;
-    esac
-    ;;
-  dump-stats)
-    kill -s USR1 `cat /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid`
-    ;;
-  systemd-start-resolvconf)
-    start_resolvconf
-    ;;
-  systemd-stop-resolvconf)
-    stop_resolvconf
-    ;;
-  systemd-exec)
-    # /run may be volatile, so we need to ensure that
-    # /run/dnsmasq exists here as well as in postinst
-    if [ ! -d /run/dnsmasq ]; then
-        mkdir /run/dnsmasq || { [ -d /run/dnsmasq ] || return 2 ; }
-        chown dnsmasq:nogroup /run/dnsmasq || return 2
-    fi
-    exec ${DAEMON} -x /run/dnsmasq/${NAME}${INSTANCE:+.${INSTANCE}}.pid \
-        ${MAILHOSTNAME:+ -m ${MAILHOSTNAME}} \
-        ${MAILTARGET:+ -t ${MAILTARGET}} \
-        ${DNSMASQ_USER:+ -u ${DNSMASQ_USER}} \
-        ${DNSMASQ_INTERFACES:+ ${DNSMASQ_INTERFACES}} \
-        ${DHCP_LEASE:+ -l ${DHCP_LEASE}} \
-        ${DOMAIN_SUFFIX:+ -s ${DOMAIN_SUFFIX}} \
-        ${RESOLV_CONF:+ -r ${RESOLV_CONF}} \
-        ${CACHESIZE:+ -c ${CACHESIZE}} \
-        ${CONFIG_DIR:+ -7 ${CONFIG_DIR}} \
-        ${DNSMASQ_OPTS:+ ${DNSMASQ_OPTS}}
-    ;;
-  *)
-    echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload|dump-stats|status}" >&2
-    exit 3
-    ;;
-esac
-
-exit 0

debian/insserv

@@ -1 +0,0 @@
-$named dnsmasq

debian/installed-marker

@@ -1,2 +0,0 @@
-# This file indicates dnsmasq (and not just dnsmasq-base) is installed.
-# It is an implementation detail of the dnsmasq init script.

debian/lintian-override

@@ -1,3 +0,0 @@
-# dnsmasq-base and dnsmasq-base-lua are mutually exclusive and both
-# provide /usr/share/doc/dnsmasq-base
-dnsmasq-base-lua binary: usr-share-doc-symlink-without-dependency dnsmasq-base

debian/postinst

@@ -1,41 +0,0 @@
-#!/bin/sh
-set -e
-
-# /usr/share/doc/dnsmasq was a symlink in versions < 2.81-1 (see #985282)
-dpkg-maintscript-helper symlink_to_dir /usr/share/doc/dnsmasq dnsmasq-base 2.84-1.2~ dnsmasq -- "$@"
-
-# Code copied from dh_systemd_enable ----------------------
-# This will only remove masks created by d-s-h on package removal.
-deb-systemd-helper unmask dnsmasq.service >/dev/null || true
-
-# was-enabled defaults to true, so new installations run enable.
-if deb-systemd-helper --quiet was-enabled dnsmasq.service; then
-	# Enables the unit on first installation, creates new
-	# symlinks on upgrades if the unit file has changed.
-	deb-systemd-helper enable dnsmasq.service >/dev/null || true
-else
-	# Update the statefile to add new symlinks (if any), which need to be
-	# cleaned up on purge. Also remove old symlinks.
-	deb-systemd-helper update-state dnsmasq.service >/dev/null || true
-fi
-# End code copied from dh_systemd_enable ------------------
-
-if [ -x /etc/init.d/dnsmasq ]; then
-   update-rc.d dnsmasq defaults 15 85 >/dev/null
-
-   if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
-      if [ -e /run/dnsmasq/dnsmasq.pid ]; then
-          ACTION=restart
-      else
-          ACTION=start
-      fi
-
-      if [ -x /usr/sbin/invoke-rc.d ] ; then
-         invoke-rc.d dnsmasq $ACTION || true
-      else
-         /etc/init.d/dnsmasq $ACTION || true
-      fi
-   fi
-fi
-
-

debian/postrm

@@ -1,25 +0,0 @@
-#!/bin/sh
-set -e
-
-# /usr/share/doc/dnsmasq was a symlink in versions < 2.81-1 (see #985282)
-dpkg-maintscript-helper symlink_to_dir /usr/share/doc/dnsmasq dnsmasq-base 2.84-1.2~ dnsmasq -- "$@"
-
-if [ purge = "$1" ]; then
-   update-rc.d dnsmasq remove >/dev/null
-fi
-
-# Code copied from dh_systemd_enable ----------------------
-if [ "$1" = "remove" ]; then
-	if [ -x "/usr/bin/deb-systemd-helper" ]; then
-		deb-systemd-helper mask dnsmasq.service >/dev/null
-	fi
-fi
-
-if [ "$1" = "purge" ]; then
-	if [ -x "/usr/bin/deb-systemd-helper" ]; then
-		deb-systemd-helper purge dnsmasq.service >/dev/null
-		deb-systemd-helper unmask dnsmasq.service >/dev/null
-	fi
-fi
-# End code copied from dh_systemd_enable ------------------
-

debian/preinst

@@ -1,5 +0,0 @@
-#!/bin/sh
-set -e
-
-# /usr/share/doc/dnsmasq was a symlink in versions < 2.81-1 (see #985282)
-dpkg-maintscript-helper symlink_to_dir /usr/share/doc/dnsmasq dnsmasq-base 2.84-1.2~ dnsmasq -- "$@"

debian/prerm

@@ -1,14 +0,0 @@
-#!/bin/sh
-set -e
-
-if [ "$1" = "remove" ]; then
-  if [ -x /usr/sbin/invoke-rc.d ] ; then
-      invoke-rc.d dnsmasq stop || true
-  else
-      /etc/init.d/dnsmasq stop || true
-  fi
-fi
-
-exit 0
-
-

debian/readme

@@ -1,80 +0,0 @@
-Notes on configuring dnsmasq as packaged for Debian.
-
-(1) To configure dnsmasq edit /etc/dnsmasq.conf. The file is well
-    commented; see also the dnsmasq.8 man page for explanation of
-    the options. The file /etc/default/dnsmasq also exists but it
-    shouldn't need to be touched in most cases. To set up DHCP
-    options you might need to refer to a copy of RFC 2132. This is 
-    available on Debian systems in the package doc-rfc-std as the file
-    /usr/share/doc/RFC/draft-standard/rfc2132.txt.gz .
-
-(2) Installing the dnsmasq package also creates the directory
-    /etc/dnsmasq.d which is searched by dnsmasq for configuration file
-    fragments. This behaviour can be disabled by editing 
-    /etc/default/dnsmasq.
-
-(3) If the Debian resolvconf package is installed then, regardless
-    of what interface configuration daemons are employed, the list of
-    nameservers to which dnsmasq should forward queries can be found
-    in /var/run/dnsmasq/resolv.conf; also, 127.0.0.1 is listed as the
-    first nameserver address in /etc/resolv.conf. This works using the
-    default configurations of resolvconf and dnsmasq.
-
-(4) In the absence of resolvconf, if you are using dhcpcd then
-    dnsmasq should read the list of nameservers from the automatically
-    generated file /etc/dhcpc/resolv.conf.  You should list 127.0.0.1
-    as the first nameserver address in /etc/resolv.conf.
-
-(5) In the absence of resolvconf, if you are using pppd then
-    dnsmasq should read the list of nameservers from the automatically
-    generated file /etc/ppp/resolv.conf.  You should list 127.0.0.1
-    as the first nameserver address in /etc/resolv.conf.
-
-(6) In the absence of resolvconf, dns-nameservers lines in 
-    /etc/network/interfaces are ignored. If you do not use
-    resolvconf, list 127.0.0.1 as the first nameserver address
-    in /etc/resolv.conf and configure your nameservers using
-    "server=<IP-address>" lines in /etc/dnsmasq.conf.
-
-(7) If you run multiple DNS servers on a single machine, each
-    listening on a different interface, then it is necessary to use 
-    the bind-interfaces option by uncommenting "bind-interfaces" in 
-    /etc/dnsmasq.conf. This option stops dnsmasq from binding the 
-    wildcard address and allows servers listening on port 53 on
-    interfaces not in use by dnsmasq to work. The Debian 
-    libvirt package will add a configuration file in /etc/dnsmasq.d
-    which does this so that the "system" dnsmasq and "private" dnsmasq
-    instances started by libvirt do not clash.
-
-(8) The following options are supported in DEB_BUILD_OPTIONS
-      noopt       : compile without optimisation.
-      nostrip     : don't remove symbols from binary. 
-      nodocs      : omit documentation.
-      notftp      : omit TFTP support.
-      nodhcp      : omit DHCP support.
-      nodhcp6     : omit DHCPv6 support.
-      noscript    : omit lease-change script support.
-      uselua      : provide support for lease-change scripts written
-                    in Lua.
-      noipv6      : omit IPv6 support.
-      nodbus      : omit DBus support.
-      noconntrack : omit connection tracking support. 
-      noipset     : omit IPset support.
-      nonftset    : omit nftset support.
-      nortc       : compile alternate mode suitable for systems without an RTC.
-      noi18n      : omit translations and internationalisation support.
-      noidn       : omit international domain name support, must be
-                    combined with noi18n to be effective.
-      gitversion  : set the version of the produced packages from the
-                    git-derived versioning information on the source,
-                    rather than the debian changelog. 
-
-(9) Dnsmasq comes as three packages - dnsmasq-utils, dnsmasq-base and
-    dnsmasq. Dnsmasq-base provides the dnsmasq executable and
-    documentation (including this file). Dnsmasq, which depends on
-    dnsmasq-base, provides the init script and configuration
-    infrastructure. This file assumes that both are installed. It is
-    possible to install only dnsmasq-base and use dnsmasq as a
-    non-"system" daemon. Libvirt, for instance, does this.
-    Dnsmasq-utils provides the utilities dhcp_release and 
-    dhcp_lease_time.

debian/readme.dnsmasq.d

@@ -1,7 +0,0 @@
-# All files in this directory will be read by dnsmasq as 
-# configuration files, except if their names end in 
-# ".dpkg-dist",".dpkg-old" or ".dpkg-new"
-#
-# This can be changed by editing /etc/default/dnsmasq
-
-

debian/resolvconf

@@ -1,84 +0,0 @@
-#!/bin/sh
-#
-# Script to update the resolver list for dnsmasq
-#
-# N.B. Resolvconf may run us even if dnsmasq is not (yet) running.
-# If dnsmasq is installed then we go ahead and update the resolver list
-# in case dnsmasq is started later.
-#
-# Assumption: On entry, PWD contains the resolv.conf-type files.
-#
-# This file is part of the dnsmasq package.
-#
-
-set -e
-
-RUN_DIR="/run/dnsmasq"
-RSLVRLIST_FILE="${RUN_DIR}/resolv.conf"
-TMP_FILE="${RSLVRLIST_FILE}_new.$$"
-MY_NAME_FOR_RESOLVCONF="dnsmasq"
-
-[ -x /usr/sbin/dnsmasq ] || exit 0
-[ -x /lib/resolvconf/list-records ] || exit 1
-
-PATH=/bin:/sbin
-
-report_err() { echo "$0: Error: $*" >&2 ; }
-
-# Stores arguments (minus duplicates) in RSLT, separated by spaces
-# Doesn't work properly if an argument itself contains whitespace
-uniquify()
-{
-	RSLT=""
-	while [ "$1" ] ; do
-		for E in $RSLT ; do
-			[ "$1" = "$E" ] && { shift ; continue 2 ; }
-		done
-		RSLT="${RSLT:+$RSLT }$1"
-		shift
-	done
-}
-
-if [ ! -d "$RUN_DIR" ] && ! mkdir --parents --mode=0755 "$RUN_DIR" ; then
-	report_err "Failed trying to create directory $RUN_DIR"
-	exit 1
-fi
-
-RSLVCNFFILES=""
-for F in $(/lib/resolvconf/list-records --after "lo.$MY_NAME_FOR_RESOLVCONF") ; do
-	case "$F" in
-	    "lo.$MY_NAME_FOR_RESOLVCONF")
-		# Omit own record	 
-		;;
-	    lo.*)
-		# Include no more records after one for a local nameserver
-		RSLVCNFFILES="${RSLVCNFFILES:+$RSLVCNFFILES }$F"
-		break
-		;;
-	  *)
-		RSLVCNFFILES="${RSLVCNFFILES:+$RSLVCNFFILES }$F"
-		;;
-	esac
-done
-
-NMSRVRS=""
-if [ "$RSLVCNFFILES" ] ; then
-	uniquify $(sed -n -e 's/^[[:space:]]*nameserver[[:space:]]\+//p' $RSLVCNFFILES)
-	NMSRVRS="$RSLT"
-fi
-
-# Dnsmasq uses the mtime of $RSLVRLIST_FILE, with a resolution of one second,
-# to detect changes in the file. This means that if a resolvconf update occurs
-# within one second of the previous one then dnsmasq may fail to notice the
-# more recent change. To work around this problem we sleep one second here
-# if necessary in order to ensure that the new mtime is different.
-if [ -f "$RSLVRLIST_FILE" ] && [ "$(ls -go --time-style='+%s' "$RSLVRLIST_FILE" | { read p h s t n ; echo "$t" ; })" = "$(date +%s)" ] ; then
-	sleep 1
-fi
-
-clean_up() { rm -f "$TMP_FILE" ; }
-trap clean_up EXIT
-: >| "$TMP_FILE"
-for N in $NMSRVRS ; do echo "nameserver $N" >> "$TMP_FILE" ; done
-mv -f "$TMP_FILE" "$RSLVRLIST_FILE"
-

debian/resolvconf-package

@@ -1,13 +0,0 @@
-#!/bin/sh
-# Resolvconf packaging event hook script for the dnsmasq package
-restart_dnsmasq() {
-    if which invoke-rc.d >/dev/null 2>&1 ; then
-        invoke-rc.d dnsmasq restart
-    elif [ -x /etc/init.d/dnsmasq ] ; then
-        /etc/init.d/dnsmasq restart
-    fi
-}
-
-case "$1" in
-  install) restart_dnsmasq ;;
-esac

debian/rules

@@ -1,309 +0,0 @@
-#!/usr/bin/make -f
-# debian/rules file - for dnsmasq.
-# Copyright 2001-2020 by Simon Kelley
-# Based on the sample in the debian hello package which carries the following:
-# Copyright 1994,1995 by Ian Jackson.
-# I hereby give you perpetual unlimited permission to copy,
-# modify and relicense this file, provided that you do not remove
-# my name from the file itself.  (I assert my moral right of
-# paternity under the Copyright, Designs and Patents Act 1988.)
-# This file may have to be extensively modified
-
-package=dnsmasq-base
-
-dpkg_buildflags := DEB_BUILD_MAINT_OPTIONS="hardening=+all,+pie,+bindnow" dpkg-buildflags
-
-CFLAGS = $(shell $(dpkg_buildflags) --get CFLAGS)
-CFLAGS += $(shell $(dpkg_buildflags) --get CPPFLAGS)
-CFLAGS += -Wall -W
-
-LDFLAGS = $(shell $(dpkg_buildflags) --get LDFLAGS)
-
-DEB_COPTS = $(COPTS)
-
-TARGET = install-i18n
-
-DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
-DEB_HOST_GNU_TYPE := $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
-DEB_BUILD_GNU_TYPE := $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
-BUILD_DATE := $(shell dpkg-parsechangelog --show-field Date)
-
-ifeq ($(origin CC),default)
-     CC = $(DEB_HOST_GNU_TYPE)-gcc
-endif
-
-# Support non-cross-builds on systems without gnu-triplet-binaries for pkg-config.
-ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
-     PKG_CONFIG=pkg-config
-else
-     PKG_CONFIG=$(DEB_HOST_GNU_TYPE)-pkg-config	
-endif
-
-# Force package version based on git tags.
-ifneq (,$(filter gitversion,$(DEB_BUILD_OPTIONS)))
-     PACKAGE_VERSION = $(shell bld/get-version `pwd` |  sed 's/test/~&/; s/[a-z]/~&/;  s/-/./g; s/$$/-1/; s/^/-v/';)
-endif
-
-ifeq (,$(filter nodbus,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_DBUS
-endif
-
-ifeq (,$(filter noidn, $(DEB_BUILD_OPTIONS)))
-	DEB_COPTS += -DHAVE_LIBIDN2
-endif
-
-ifeq (,$(filter nonftset, $(DEB_BUILD_OPTIONS)))
-	DEB_COPTS += -DHAVE_NFTSET
-endif
-
-ifeq (,$(filter noconntrack,$(DEB_BUILD_OPTIONS)))
-ifeq ($(DEB_HOST_ARCH_OS),linux)
-     DEB_COPTS += -DHAVE_CONNTRACK
-endif
-endif
-
-ifneq (,$(filter noipset,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_IPSET
-endif
-
-ifneq (,$(filter nodhcp6,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_DHCP6
-endif
-
-ifneq (,$(filter noipv6,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_IPV6
-endif
-
-ifneq (,$(filter notftp,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_TFTP
-endif
-
-ifneq (,$(filter nodhcp,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_DHCP
-endif
-
-ifneq (,$(filter noscript,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DNO_SCRIPT
-endif
-
-ifneq (,$(filter nortc,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_BROKEN_RTC
-endif
-
-ifneq (,$(filter noi18n,$(DEB_BUILD_OPTIONS)))
-     TARGET = install
-endif
-
-ifneq (,$(filter uselua,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_LUASCRIPT
-endif
-
-ifeq (,$(filter nodnssec,$(DEB_BUILD_OPTIONS)))
-     DEB_COPTS += -DHAVE_DNSSEC
-endif
-
-ifeq ($(DEB_HOST_ARCH_OS),kfreebsd)
-     # For strlcpy in FreeBSD
-     LIBS += $(shell ${PKG_CONFIG} --libs libbsd-overlay)
-     CFLAGS += $(shell ${PKG_CONFIG} --cflags libbsd-overlay)
-endif
-
-define build_tree
-	rm -rf $1
-	install -m 755 \
-		-d $1/DEBIAN \
-		-d $1/etc/dbus-1/system.d \
-	        -d $1/usr/share/doc/$(package) \
-		-d $1/usr/share/doc/$(package)/examples \
-		-d $1/usr/share/$(package) \
-	        -d $1/var/lib/misc
-
-endef
-
-define add_docs
-# Need to remove paypal links in Debian Package for policy reasons.
-	sed -e /\<H2\>Donations/Q -e /icon.png/d doc.html -e /favicon.ico/d >$1/usr/share/doc/$(package)/doc.html
-	echo "</BODY>" >>$1/usr/share/doc/$(package)/doc.html 
-	install -m 644 setup.html $1/usr/share/doc/$(package)/.
-	install -m 644 dnsmasq.conf.example $1/usr/share/doc/$(package)/examples/.
-	install -m 644 FAQ $1/usr/share/doc/$(package)/.
-	gzip -9n $1/usr/share/doc/$(package)/FAQ
-	install -m 644 CHANGELOG $1/usr/share/doc/$(package)/changelog
-	gzip -9n $1/usr/share/doc/$(package)/changelog
-	install -m 644 CHANGELOG.archive $1/usr/share/doc/$(package)/changelog.archive
-	gzip -9n $1/usr/share/doc/$(package)/changelog.archive
-	install -m 644 dbus/DBus-interface $1/usr/share/doc/$(package)/.
-	gzip -9n $1/usr/share/doc/$(package)/DBus-interface	
-	install -m 644 debian/systemd_howto $1/usr/share/doc/$(package)/.
-	gzip -9n $1/usr/share/doc/$(package)/systemd_howto
-	gzip -9n $1/usr/share/man/man8/dnsmasq.8
-	for f in $1/usr/share/man/*; do \
-		if [ -f $$f/man8/dnsmasq.8 ]; then \
-                       gzip -9n $$f/man8/dnsmasq.8 ; \
-                fi \
-	done
-endef
-
-define add_files
-	install -m 644 trust-anchors.conf $1/usr/share/$(package)/.
-	install -m 644 debian/dnsmasq-base.conffiles $1/DEBIAN/conffiles
-	install -m 755 debian/dnsmasq-base.postinst $1/DEBIAN/postinst
-	install -m 755 debian/dnsmasq-base.postrm  $1/DEBIAN/postrm
-	install -m 644 debian/changelog $1/usr/share/doc/$(package)/changelog.Debian
-	gzip -9n $1/usr/share/doc/$(package)/changelog.Debian
-	install -m 644 debian/readme $1/usr/share/doc/$(package)/README.Debian
-	install -m 644 debian/copyright $1/usr/share/doc/$(package)/copyright
-	install -m 644 debian/dbus.conf $1/etc/dbus-1/system.d/dnsmasq.conf
-endef
-
-clean:
-	$(checkdir)
-	make BUILDDIR=debian/build/no-lua clean
-	make BUILDDIR=debian/build/lua clean
-	make -C contrib/lease-tools clean
-	rm -rf debian/build debian/trees debian/*~ debian/files debian/substvars debian/utils-substvars
-
-binary-indep:	checkroot
-	$(checkdir)
-	rm -rf debian/trees/daemon
-	install -m 755 \
-	        -d debian/trees/daemon/DEBIAN \
-		-d debian/trees/daemon/usr/share/doc/dnsmasq \
-	        -d debian/trees/daemon/etc/init.d \
-		-d debian/trees/daemon/etc/dnsmasq.d \
-	        -d debian/trees/daemon/etc/resolvconf/update.d \
-		-d debian/trees/daemon/usr/lib/resolvconf/dpkg-event.d \
-		-d debian/trees/daemon/usr/share/dnsmasq \
-		-d debian/trees/daemon/usr/share/doc/dnsmasq \
-	        -d debian/trees/daemon/etc/default \
-		-d debian/trees/daemon/lib/systemd/system \
-		-d debian/trees/daemon/usr/lib/tmpfiles.d \
-                -d debian/trees/daemon/etc/insserv.conf.d
-	install -m 644 debian/conffiles debian/trees/daemon/DEBIAN
-	install -m 755 debian/postinst debian/postrm debian/preinst debian/prerm debian/trees/daemon/DEBIAN
-	if ! dpkg-vendor --derives-from Ubuntu; then \
-                rm -f debian/dnsmasq.postinst.debhelper debian/dnsmasq.postrm.debhelper; \
-	      	dh_runit -pdnsmasq -Pdebian/trees/daemon; \
-		cat debian/dnsmasq.postinst.debhelper >> debian/trees/daemon/DEBIAN/postinst; \
-		cat debian/dnsmasq.postrm.debhelper   >> debian/trees/daemon/DEBIAN/postrm; \
-		cd debian/trees/daemon && find etc/sv -type f -printf '/%p\n' >>DEBIAN/conffiles; \
-	fi
-	install -m 755 debian/init debian/trees/daemon/etc/init.d/dnsmasq
-	install -m 755 debian/resolvconf debian/trees/daemon/etc/resolvconf/update.d/dnsmasq
-	install -m 755 debian/resolvconf-package debian/trees/daemon/usr/lib/resolvconf/dpkg-event.d/dnsmasq
-	install -m 644 debian/installed-marker debian/trees/daemon/usr/share/dnsmasq
-	install -m 644 debian/default debian/trees/daemon/etc/default/dnsmasq
-	install -m 644 dnsmasq.conf.example debian/trees/daemon/etc/dnsmasq.conf
-	install -m 644 debian/readme.dnsmasq.d debian/trees/daemon/etc/dnsmasq.d/README
-	install -m 644 debian/systemd.service debian/trees/daemon/lib/systemd/system/dnsmasq.service
-	install -m 644 debian/systemd@.service debian/trees/daemon/lib/systemd/system/dnsmasq@.service
-	install -m 644 debian/tmpfiles.conf debian/trees/daemon/usr/lib/tmpfiles.d/dnsmasq.conf
-	install -m 644 debian/insserv debian/trees/daemon/etc/insserv.conf.d/dnsmasq
-	install -m 644 debian/copyright debian/trees/daemon/usr/share/doc/dnsmasq/copyright
-	install -m 644 debian/changelog debian/trees/daemon/usr/share/doc/dnsmasq/changelog.Debian
-	gzip -9n debian/trees/daemon/usr/share/doc/dnsmasq/changelog.Debian
-	cd debian/trees/daemon && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums	
-	dpkg-gencontrol $(PACKAGE_VERSION) -Tdebian/dnsmasq.substvars -pdnsmasq -Pdebian/trees/daemon
-	find debian/trees/daemon -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/trees/daemon
-	chmod -R g-ws debian/trees/daemon
-	dpkg --build debian/trees/daemon ..
-
-binary-arch:	checkroot 
-	$(call build_tree,debian/trees/base)
-	make $(TARGET) BUILDDIR=debian/build/no-lua PREFIX=/usr DESTDIR=`pwd`/debian/trees/base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG) LIBS="$(LIBS)"
-ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
-	$(call add_docs,debian/trees/base)
-else	
-	rm -rf debian/trees/base/usr/share/man
-endif
-	$(call add_files,debian/trees/base)
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/base/usr/sbin/dnsmasq
-endif
-	cd debian/trees/base && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
-	dpkg-shlibdeps --warnings=1 debian/trees/base/usr/sbin/dnsmasq
-	dpkg-gencontrol $(PACKAGE_VERSION) -pdnsmasq-base -Pdebian/trees/base
-	find debian/trees/base -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/trees/base
-	chmod -R g-ws debian/trees/base 
-	dpkg --build debian/trees/base ..
-
-	$(call build_tree,debian/trees/lua-base)
-	make $(TARGET) BUILDDIR=debian/build/lua PREFIX=/usr DESTDIR=`pwd`/debian/trees/lua-base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="-DHAVE_LUASCRIPT $(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG) LIBS="$(LIBS)"
-ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
-	$(call add_docs,debian/trees/lua-base)
-else	
-	rm -rf debian/trees/lua-base/usr/share/man
-endif
-	$(call add_files,debian/trees/lua-base)
-	install -m 755 -d debian/trees/lua-base/usr/share/lintian/overrides
-	install -m 644 debian/lintian-override debian/trees/lua-base/usr/share/lintian/overrides/dnsmasq-base-lua
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/lua-base/usr/sbin/dnsmasq
-endif
-	ln -s $(package) debian/trees/lua-base/usr/share/doc/dnsmasq-base-lua
-	cd debian/trees/lua-base && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
-	dpkg-shlibdeps --warnings=1 debian/trees/lua-base/usr/sbin/dnsmasq
-	dpkg-gencontrol $(PACKAGE_VERSION) -pdnsmasq-base-lua -Pdebian/trees/lua-base
-	find debian/trees/lua-base -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/trees/lua-base
-	chmod -R g-ws debian/trees/lua-base 
-	dpkg --build debian/trees/lua-base ..
-
-
-ifeq ($(DEB_HOST_ARCH_OS),linux)
-	rm -rf debian/trees/utils
-	install -m 755 -d debian/trees/utils/DEBIAN \
-	               -d debian/trees/utils/usr/bin \
-                       -d debian/trees/utils/usr/share/doc/dnsmasq-utils
-ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
-	install -m 755 -d debian/trees/utils/usr/share/man/man1
-endif
-	make -C contrib/lease-tools PREFIX=/usr DESTDIR=`pwd`/debian/trees/utils CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=$(CC) PKG_CONFIG=$(PKG_CONFIG) LIBS="$(LIBS)"
-	install -m 755 contrib/lease-tools/dhcp_release debian/trees/utils/usr/bin/dhcp_release
-	install -m 755 contrib/lease-tools/dhcp_release6 debian/trees/utils/usr/bin/dhcp_release6
-	install -m 755 contrib/lease-tools/dhcp_lease_time debian/trees/utils/usr/bin/dhcp_lease_time
-ifeq (,$(findstring nodoc,$(DEB_BUILD_OPTIONS)))
-	install -m 644 contrib/lease-tools/dhcp_release.1 debian/trees/utils/usr/share/man/man1/dhcp_release.1
-	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_release.1
-	install -m 644 contrib/lease-tools/dhcp_release6.1 debian/trees/utils/usr/share/man/man1/dhcp_release6.1
-	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_release6.1
-	install -m 644 contrib/lease-tools/dhcp_lease_time.1 debian/trees/utils/usr/share/man/man1/dhcp_lease_time.1
-	gzip -9n debian/trees/utils/usr/share/man/man1/dhcp_lease_time.1
-endif
-	install -m 644 debian/copyright debian/trees/utils/usr/share/doc/dnsmasq-utils/copyright
-	install -m 644 debian/changelog debian/trees/utils/usr/share/doc/dnsmasq-utils/changelog.Debian
-	gzip -9n debian/trees/utils/usr/share/doc/dnsmasq-utils/changelog.Debian
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/utils/usr/bin/dhcp_release
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/utils/usr/bin/dhcp_release6
-	$(DEB_HOST_GNU_TYPE)-strip -R .note -R .comment debian/trees/utils/usr/bin/dhcp_lease_time
-endif	
-	cd debian/trees/utils && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
-	dpkg-shlibdeps -Tdebian/utils-substvars debian/trees/utils/usr/bin/dhcp_release debian/trees/utils/usr/bin/dhcp_release6 debian/trees/utils/usr/bin/dhcp_lease_time 
-	dpkg-gencontrol $(PACKAGE_VERSION) -Tdebian/utils-substvars -pdnsmasq-utils -Pdebian/trees/utils
-	find debian/trees/utils -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
-	chown -R root.root debian/trees/utils
-	chmod -R g-ws debian/trees/utils 
-	dpkg --build debian/trees/utils ..
-endif
-
-define checkdir
-	test -f Makefile -a -f debian/rules
-endef
-
-# Below here is fairly generic really
-
-binary:		binary-arch binary-indep
-
-build:		
-build-arch:
-build-indep:
-
-checkroot:
-	test root = "`whoami`"
-
-.PHONY: binary binary-arch binary-indep clean checkroot
-
-

debian/source/format

@@ -1 +0,0 @@
-1.0

debian/systemd.service

@@ -1,31 +0,0 @@
-[Unit]
-Description=dnsmasq - A lightweight DHCP and caching DNS server
-Requires=network.target
-Wants=nss-lookup.target
-Before=nss-lookup.target
-After=network.target
-
-[Service]
-Type=forking
-PIDFile=/run/dnsmasq/dnsmasq.pid
-
-# Test the config file and refuse starting if it is not valid.
-ExecStartPre=/etc/init.d/dnsmasq checkconfig
-
-# We run dnsmasq via the /etc/init.d/dnsmasq script which acts as a
-# wrapper picking up extra configuration files and then execs dnsmasq
-# itself, when called with the "systemd-exec" function.
-ExecStart=/etc/init.d/dnsmasq systemd-exec
-
-# The systemd-*-resolvconf functions configure (and deconfigure)
-# resolvconf to work with the dnsmasq DNS server. They're called like
-# this to get correct error handling (ie don't start-resolvconf if the
-# dnsmasq daemon fails to start).
-ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf
-ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf
-
-
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target

debian/systemd@.service

@@ -1,31 +0,0 @@
-[Unit]
-Description=dnsmasq (%i) - A lightweight DHCP and caching DNS server
-Requires=network.target
-Wants=nss-lookup.target
-Before=nss-lookup.target
-After=network.target
-
-[Service]
-Type=forking
-PIDFile=/run/dnsmasq/dnsmasq.%i.pid
-
-# Test the config file and refuse starting if it is not valid.
-ExecStartPre=/etc/init.d/dnsmasq checkconfig "%i"
-
-# We run dnsmasq via the /etc/init.d/dnsmasq script which acts as a
-# wrapper picking up extra configuration files and then execs dnsmasq
-# itself, when called with the "systemd-exec" function.
-ExecStart=/etc/init.d/dnsmasq systemd-exec "%i"
-
-# The systemd-*-resolvconf functions configure (and deconfigure)
-# resolvconf to work with the dnsmasq DNS server. They're called like
-# this to get correct error handling (ie don't start-resolvconf if the
-# dnsmasq daemon fails to start).
-ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf "%i"
-ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf "%i"
-
-
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target

debian/systemd_howto

@@ -1,41 +0,0 @@
-HOWTO
-=====
-dnsmasq comes with the possibility to run multiple systemd service instances on the same machine.
-There is the main service which is enabled by default via `systemctl enable dnsmasq.service` and uses the configuration from `/etc/default/dnsmasq`.
-
-Additional service instances can be enabled via `systemctl enable dnsmasq@<instance name>.service` that use the configuration from `/etc/default/dnsmasq.<instance name>`.
-It is recommended to use a separate configuration file and directory for each instance.
-Additionally make sure that all instances use either different ports and/or ip addresses to avoid binding collisions.
-
-Example setup for an instance called "alt"
-#1 File `/etc/dnsmasq.alt.conf` copied from `/etc/dnsmasq.conf`
-#2 Directory `/etc/dnsmasq.alt.d`
-#3 File `/etc/default/dnsmasq.alt` copied from `/etc/default/dnsmasq` with following adaptions:
-   * The options DNSMASQ_OPTS and CONFIG_DIR point to the correct configuration file and directory.
-     DNSMASQ_OPTS="... --conf-file=/etc/dnsmasq.alt.conf ..."
-     CONFIG_DIR=/etc/dnsmasq.alt.d,.dpkg-dist,.dpkg-old,.dpkg-new
-   * The option DNSMASQ_EXCEPT must contain "lo" to avoid that an instance becomes the machine's DNS resolver.
-     DNSMASQ_EXCEPT="lo"
-  * If the additional instance should bind to all IP addresses of a specific interface, e.g. "dnsalt01", then the following addition could be used:
-    DNSMASQ_OPTS="... --bind-dynamic --interface=dnsalt01 ..."
-    Additionally the main instance must be stopped from binding to interfaces that are used by other instances:
-    DNSMASQ_OPTS="... --bind-dynamic --except-interface=dnsalt* ..."
-  * If the additional instance should not use the machine's DNS resolver, normally that's the dnsmasq main instance, as upstream server, then the following addition could be used:
-    IGNORE_RESOLVCONF=yes
-#4 Enable additional instance via `systemctl enable dnsmasq@alt.service`
-#5 Start additional instance without reboot via `systemctl start dnsmasq@alt.service`
-
-
-
-TODO
-====
-#1 - Found shortcoming on 2019-03-10
-Only the option DNSMASQ_EXCEPT="lo" avoids that an DNS instance will be set as the machine's DNS resolver.
-This may interfere with the wish to run an additional instance on a different port on the localhost addresses.
-My suggestion in the initial Debian report [1] was to specify an explicit variable for this.
-
-[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914305#5
-
-
-#2 - Preferred configuration way
-Should the variables DNSMASQ_INTERFACE and DNSMASQ_EXCEPT be used instead of --interface and --except-interface?  (while "lo" still has to be in DNSMASQ_EXCEPT as of now)

debian/tmpfiles.conf

@@ -1 +0,0 @@
-d /run/dnsmasq 755 dnsmasq nogroup

dnsmasq.conf.example

@@ -394,7 +394,7 @@
 
 # The following DHCP options set up dnsmasq in the same way as is specified
 # for the ISC dhcpcd in
-# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
+# https://web.archive.org/web/20040313070105/http://us1.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
 # adapted for a typical dnsmasq installation where the host running
 # dnsmasq is also the host running samba.
 # you may want to uncomment some or all of them if you use
@@ -664,7 +664,7 @@
 # Provide an alias for a "local" DNS name. Note that this _only_ works
 # for targets which are names from DHCP or /etc/hosts. Give host
 # "bert" another name, bertrand
-#cname=bertand,bert
+#cname=bertrand,bert
 
 # For debugging purposes, log each DNS query as it passes through
 # dnsmasq.

man/dnsmasq.8

@@ -1,4 +1,4 @@
-.TH DNSMASQ 8 2021-08-16
+.TH DNSMASQ 8 2025-02-05
 .SH NAME
 dnsmasq \- A lightweight DHCP and caching DNS server.
 .SH SYNOPSIS
@@ -114,7 +114,8 @@ which defaults to 1000ms. If the second parameter is given this controls
 how long the retries will continue for
 otherwise this defaults to 10000ms. Retries are repeated with exponential
 backoff. Using this option increases memory usage and
-network bandwidth.
+network bandwidth. If not otherwise configured, this option is activated
+with the default parameters when \fB--dnssec\fP is set.
 .TP
 .B \-k, --keep-in-foreground
 Do not go into the background at startup but otherwise run as
@@ -133,7 +134,7 @@ only, to stop dnsmasq daemonising in production, use
 Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1. If the argument "extra" is supplied, ie
 .B --log-queries=extra
 then the log has extra information at the start of each line.
-This consists of a serial number which ties together the log lines associated with an individual query, and the IP address of the requestor.
+This consists of a serial number which ties together the log lines associated with an individual query, and the IP address of the requestor. If the argument "proto" is supplied, this shows everything that "extra" does and also the network protocol used to communicate the queries.
 .TP
 .B \-8, --log-facility=<facility>
 Set the facility to which dnsmasq will send syslog entries, this
@@ -183,7 +184,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
 .TP
 .B \-P, --edns-packet-max=<size>
 Specify the largest EDNS.0 UDP packet which is supported by the DNS
-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
+forwarder. Defaults to 1232, which is the recommended size following the
+DNS flag day in 2020. Only increase if you know what you are doing.
 .TP
 .B \-Q, --query-port=<query_port>
 Send outbound DNS queries from, and listen for their replies on, the
@@ -269,16 +271,25 @@ the address dnsmasq is listening on. When an interface is specified,
 it may be qualified with "/4" or "/6" to specify only the IPv4 or IPv6
 addresses associated with the interface. Since any defined authoritative zones are also available as part of the normal recusive DNS service supplied by dnsmasq, it can make sense to have an --auth-server declaration with no interfaces or address, but simply specifying the primary external nameserver.
 .TP
-.B --local-service
+.B --local-service[=net|host]
+Without parameter or with net parameter, restricts service to connected network.
 Accept DNS queries only from hosts whose address is on a local subnet,
-ie a subnet for which an interface exists on the server. This option
+ie a subnet for which an interface exists on the server. With host parameter, listens
+only on lo interface and accepts queries from localhost only. This option
 only has effect if there are no \fB--interface\fP, \fB--except-interface\fP,
 \fB--listen-address\fP or \fB--auth-server\fP options. It is intended to be set as
 a default on installation, to allow unconfigured installations to be
 useful but also safe from being used for DNS amplification attacks.
-.TP 
+.TP
 .B \-2, --no-dhcp-interface=<interface name>
-Do not provide DHCP or TFTP on the specified interface, but do provide DNS service.
+Do not provide DHCP, TFTP or router advertisement on the specified interface, but do provide DNS service.
+.TP
+.B --no-dhcpv4-interface=<interface name>
+Disable only IPv4 DHCP on the specified interface.
+.TP
+.B 
+--no-dhcpv6-interface=<interface name>
+Disable IPv6 DHCP and router advertisement on the specified interface.
 .TP
 .B \-a, --listen-address=<ipaddr>
 Listen on the given IP address(es). Both 
@@ -375,6 +386,20 @@ Remove A records from answers. No IPv4 addresses will be returned.
 .B --filter-AAAA
 Remove AAAA records from answers. No IPv6 addresses will be returned.
 .TP
+.B --filter-rr=<rrtype>[,<rrtype>...]
+Remove records of the specified type(s) from answers. The otherwise-nonsensical --filter-rr=ANY has
+a special meaning: it filters replies to queries for type ANY. Everything other than A, AAAA, MX and CNAME
+records are removed. Since ANY queries with forged source addresses can be used in DNS amplification attacks
+(replies to ANY queries can be large) this defangs such attacks, whilst still supporting the
+one remaining possible use of ANY queries. See RFC 8482 para 4.3 for details.
+.TP
+.B --cache-rr=<rrtype>[,<rrtype>...]
+By default, dnsmasq caches A, AAAA, CNAME and SRV DNS record types.
+This option adds other record types to the cache. The RR-type can be given
+as a name such as TXT or MX or a decimal number. A single --cache-rr option
+can take a comma-separated list of RR-types and more than one --cache-rr option
+is allowed. Use --cache-rr=ANY to enable caching for all RR-types.
+.TP
 .B \-r, --resolv-file=<file>
 Read the IP addresses of the upstream nameservers from <file>, instead of
 /etc/resolv.conf. For the format of this file see
@@ -473,10 +498,7 @@ xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving  the flag
 .B --server=/internal.thekelleys.org.uk/192.168.1.1
 will send all queries for
 internal machines to that nameserver, everything else will go to the
-servers in /etc/resolv.conf. DNSSEC validation is turned off for such
-private nameservers, UNLESS a
-.B --trust-anchor
-is specified for the domain in question. An empty domain specification,
+servers in /etc/resolv.conf. An empty domain specification,
 .B // 
 has the special meaning of "unqualified names only" ie names without any
 dots in them. A non-standard port may be specified as 
@@ -744,19 +766,18 @@ results in the name internal-0.thekelleys.org.uk. returning 192.168.0.50, intern
 Second, 
 .B --synth-domain=thekelleys.org.uk,192.168.0.0/24,internal- (no *)
 will result in a query for internal-192-168-0-56.thekelleys.org.uk returning
-192.168.0.56 and a reverse query vice versa. The same applies to IPv6,
-but IPv6 addresses may start with '::'
-but DNS labels may not start with '-' so in this case if no prefix is
-configured a zero is added in front of the label. ::1 becomes 0--1.
-
-V4 mapped IPv6 addresses, which have a representation like ::ffff:1.2.3.4 are handled specially, and become like 0--ffff-1-2-3-4
+192.168.0.56 and a reverse query vice versa. The same applies to IPv6;
+the representation doesn't use the :: compression feature or
+the special representation of V4 mapped IPv6 addresses as these
+can generate illegal domain names, so all domains are of the form
+internal-1000-0000-0000-0000-0000-0000-0000-0008.example.com
 
 The address range can be of the form
 <start address>,<end address> or <ip address>/<prefix-length> in both forms of the option. For IPv6 the start and end addresses
 must fall in the same /64 network, or prefix-length must be greater than or equal to 64 except that shorter prefix lengths than 64 are allowed only if non-sequential names are in use.
 .TP
 .B --dumpfile=<path/to/file>
-Specify the location of a pcap-format file which dnsmasq uses to dump copies of network packets for debugging purposes. If the file exists when dnsmasq starts, it is not deleted; new packets are added to the end.
+Specify the location of a pcap-format file which dnsmasq uses to dump copies of network packets for debugging purposes. If the file exists when dnsmasq starts, it is not deleted; new packets are added to the end. The file may be a named-pipe which Wireshark is listening to.
 .TP
 .B --dumpmask=<mask>
 Specify which types of packets should be added to the dumpfile. The argument should be the OR of the bitmasks for each type of packet to be dumped: it can be specified in hex by preceding the number with 0x in  the normal way. Each time a packet is written to the dumpfile, dnsmasq logs the packet sequence and the mask
@@ -828,6 +849,18 @@ name on successive queries, for load-balancing. This turns off that
 behaviour, so that the records are always returned in the order
 that they are received from upstream.
 .TP
+.B --do-0x20-encode, --no-0x20-encode
+Dnsmasq can scramble the case of letters in DNS queries it sends upstream as a security feature.
+This technique can interact badly with rare broken DNS servers which don't preserve the case
+of the query in their reply. The first time a reply is returned
+which matches the query in all respects except case, a warning
+will be logged. If this coincides with DNS not functioning, it
+is necessary to disable the feature. As at version 2.91, 0x20 encoding
+is disabled by default, and must be enabled with --do-0x20-encode. The default
+may change in the future, so to be sure of its status after an upgrade, set --do-0x20-encode
+or --no-0x20-encode in your config. --no-0x20-encode overrides --do-x20-encode or a future default
+0x20-encode enable.
+.TP
 .B --use-stale-cache[=<max TTL excess in s>]
 When set, if a DNS name exists in the cache, but its time-to-live has expired, dnsmasq will return the data anyway. (It attempts to refresh the
 data with an upstream query after returning the stale data.) This can improve speed and reliability. It comes at the expense
@@ -858,12 +891,15 @@ ie capable of returning DNSSEC records with data. If they are not,
 then dnsmasq will not be able to determine the trusted status of
 answers and this means that DNS service will be entirely broken.
 .TP
-.B --trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
+.B --trust-anchor=<domain>,[<class>,][<key-tag>,<algorithm>,<digest-type>,<digest>]
 Provide DS records to act a trust anchors for DNSSEC
-validation. Typically these will be the DS record(s) for Key Signing
+validation. The class defaults to IN. Typically these will be the DS record(s) for Key Signing
 key(s) (KSK) of the root zone,
-but trust anchors for limited domains are also possible. The current
-root-zone trust anchors may be downloaded from https://data.iana.org/root-anchors/root-anchors.xml 
+but trust anchors for limited domains are also possible.
+A negative trust anchor (ie. proof that a DS record doesn't exist) may be configured be specifying
+only the name or only the name and class. This can be useful for forcing dnsmasq to treat zones delegated
+using \fB--server=/<domain>/<ip-address>\fP as unsigned. The current
+root-zone trust anchors may be downloaded from https://data.iana.org/root-anchors/root-anchors.xml
 .TP
 .B --dnssec-check-unsigned[=no]
 As a default, dnsmasq checks that unsigned DNS replies are
@@ -907,6 +943,15 @@ Authenticated Data bit correctly in all cases is not technically possible. If th
 when using this option, then the cache should be disabled using --cache-size=0. In most cases, enabling DNSSEC validation
 within dnsmasq is a better option. See --dnssec for details.
 .TP
+.B --dnssec-limits=<limit>[,<limit>.......]
+Override the default resource limits applied to DNSSEC validation. Cryptographic operations are expensive and crafted domains
+can DoS a DNSSEC validator by forcing it to do hundreds of thousands of such operations. To avoid this, the dnsmasq validation code
+applies limits on how much work will be expended in validation. If any of the limits are exceeded, the validation will fail and the
+domain treated as BOGUS. There are four limits, in order(default values in parens): number a signature validation fails per RRset(20), number of signature validations and
+hash computations per query(200), number of sub-queries to fetch DS and DNSKEY RRsets per query(40), and the number of iterations in a NSEC3 record(150).
+The maximum values reached during validation are stored, and dumped as part of the stats generated by SIGUSR1. Supplying a limit value of 0 leaves the default in place, so
+\fB--dnssec-limits=0,0,20\fP sets the number of sub-queries to 20 whilst leaving the other limits at default values.
+.TP
 .B --dnssec-debug
 Set debugging mode for the DNSSEC validation, set the Checking Disabled bit on upstream queries, 
 and don't convert replies which do not validate to responses with
@@ -1155,7 +1200,7 @@ available, though it normally is for direct-connected clients, or
 clients using DHCP relays which support RFC 6939.
 
 
-For DHCPv4, the  special option id:* means "ignore any client-id 
+For DHCPv4, the special option \fBid:*\fP means "ignore any client-id 
 and use MAC addresses only." This is useful when a client presents a client-id sometimes 
 but not others.
 
@@ -1183,36 +1228,34 @@ the result is undefined. A corollary to this is that the name associated with a
 does not appear in the DNS until the host obtains a DHCP lease.
 
 
-The special keyword "ignore"
-tells dnsmasq to never offer a DHCP lease to a machine. The machine
-can be specified by hardware address, client ID or hostname, for
-instance
-.B --dhcp-host=00:20:e0:3b:13:af,ignore
-This is
-useful when there is another DHCP server on the network which should
+The special keyword \fBignore\fP tells dnsmasq never to offer a DHCP lease
+to a machine. The machine
+can be specified by hardware address, client ID or hostname. For
+example: \fB--dhcp-host=00:20:e0:3b:13:af,ignore\fP. 
+This can be useful when there is another DHCP server on the network which should
 be used by some machines.
 
-The set:<tag> construct sets the tag
+The \fBset:<tag>\fP construct sets the tag
 whenever this \fB--dhcp-host\fP directive is in use. This can be used to
 selectively send DHCP options just for this host. More than one tag
 can be set in a \fB--dhcp-host\fP directive (but not in other places where
-"set:<tag>" is allowed). When a host matches any
+\fBset:<tag>\fP is allowed). When a host matches any
 \fB--dhcp-host\fP directive (or one implied by /etc/ethers) then the special
-tag "known" is set. This allows dnsmasq to be configured to
+tag \fBknown\fP is set. This allows dnsmasq to be configured to
 ignore requests from unknown machines using
-.B --dhcp-ignore=tag:!known
+\fB--dhcp-ignore=tag:!known\fP.
 If the host matches only a \fB--dhcp-host\fP directive which cannot
-be used because it specifies an address on different subnet, the tag "known-othernet" is set.
+be used because it specifies an address on a different subnet, the tag \fBknown-othernet\fP is set.
 
-The tag:<tag> construct filters which dhcp-host directives are used; more than
-one can be provided, in this case the request must match all of them. Tagged
+The \fBtag:<tag>\fP construct filters which dhcp-host directives are used. More than
+one tag can be provided. In this case, the request must match all tags. Tagged
 directives are used in preference to untagged ones. Note that one of <hwaddr>,
-<client_id> or <hostname> still needs to be specified (can be a wildcard).
+<client_id> or <hostname> still must be specified (can be a wildcard).
 
 Ethernet addresses (but not client-ids) may have
 wildcard bytes, so for example 
 .B --dhcp-host=00:20:e0:3b:13:*,ignore 
-will cause dnsmasq to ignore a range of hardware addresses. Note that
+will cause dnsmasq to ignore the given range of hardware addresses. Note that
 the "*" will need to be escaped or quoted on a command line, but not
 in the configuration file.
 
@@ -1226,11 +1269,11 @@ is 6.
 
 As a special case, in DHCPv4, it is possible to include more than one
 hardware address. eg:
-.B --dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2
+\fB--dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.2\fP.
 This allows an IP address to be associated with
 multiple hardware addresses, and gives dnsmasq permission to abandon a
 DHCP lease to one of the hardware addresses when another one asks for
-a lease. Beware that this is a dangerous thing to do, it will only
+a lease. Beware that this is a dangerous thing to do: it will only
 work reliably if only one of the hardware addresses is active at any
 time and there is no way for dnsmasq to enforce this. It is, for instance,
 useful to allocate a stable IP address to a laptop which
@@ -1277,27 +1320,33 @@ options containing the same information. /etc/ethers is re-read when
 dnsmasq receives SIGHUP. IPv6 addresses are NOT read from /etc/ethers.
 .TP
 .B \-O, --dhcp-option=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,][vendor:[<vendor-class>],][<opt>|option:<opt-name>|option6:<opt>|option6:<opt-name>],[<value>[,<value>]]
-Specify different or extra options to DHCP clients. By default,
+Send various extra options to DHCP clients. By default,
 dnsmasq sends some standard options to DHCP clients, the netmask and
 broadcast address are set to the same as the host running dnsmasq, and
 the DNS server and default route are set to the address of the machine
 running dnsmasq. (Equivalent rules apply for IPv6.) If the domain name option has been set, that is sent.
 This configuration allows these defaults to be overridden,
-or other options specified. The option, to be sent may be given as a
-decimal number or as "option:<option-name>" The option numbers are
+or other options specified. The option to be sent may be given as a
+decimal number or as \fBoption:<option-name>\fP. 
+
+Option numbers are
 specified in RFC2132 and subsequent RFCs. The set of option-names
-known by dnsmasq can be discovered by running "dnsmasq --help dhcp".
-For example, to set the default route option to 
-192.168.4.4, do 
-.B --dhcp-option=3,192.168.4.4 
-or
-.B --dhcp-option = option:router, 192.168.4.4
-and to set the time-server address to 192.168.0.4, do
-.B --dhcp-option = 42,192.168.0.4 
-or 
-.B --dhcp-option = option:ntp-server, 192.168.0.4
-The special address 0.0.0.0 is taken to mean "the address of the
-machine running dnsmasq". 
+known by dnsmasq can be discovered by running \fBdnsmasq --help dhcp\fP.
+For example, to set the default route option to 192.168.4.4, use 
+\fB--dhcp-option=3,192.168.4.4\fP or 
+\fB--dhcp-option=option:router,192.168.4.4\fP 
+and to set the time-server address to 192.168.0.4, use
+\fB--dhcp-option=42,192.168.0.4\fP or
+\fB--dhcp-option=option:ntp-server,192.168.0.4\fP.
+The special address 0.0.0.0 means "the address of the system running dnsmasq".
+
+An option without data is valid, and includes just the option without data.
+(There is only one option with a zero length data field currently defined for DHCPv4, 80:rapid commit, so this feature is not very useful in practice). Options for which dnsmasq normally
+provides default values can be ommitted by defining the option with no data. These are
+netmask, broadcast, router, DNS server, domainname and hostname. Thus, for DHCPv4
+.B --dhcp-option = option:router
+will result in no router option being sent, rather than the default of the host on which dnsmasq is running. For DHCPv6, the same is true of the options DNS server and refresh time.
+
 
 Data types allowed are comma separated
 dotted-quad IPv4 addresses, []-wrapped IPv6 addresses, a decimal number, colon-separated hex digits
@@ -1310,30 +1359,29 @@ to option 120 are handled as per RFC 3361. Dotted-quad IP addresses
 which are followed by a slash and then a netmask size are encoded as
 described in RFC 3442.
 
-IPv6 options are specified using the 
-.B option6:
+IPv6 options are specified using the \fBoption6:\fP
 keyword, followed by the option number or option name. The IPv6 option
 name space is disjoint from the IPv4 option name space. IPv6 addresses
 in options must be bracketed with square brackets, eg. 
-.B --dhcp-option=option6:ntp-server,[1234::56]
+\fB --dhcp-option=option6:ntp-server,[1234::56]\fP. 
 For IPv6, [::] means "the global address of
 the machine running dnsmasq", whilst [fd00::] is replaced with the
 ULA, if it exists, and [fe80::] with the link-local address.
 
-Be careful: no checking is done that the correct type of data for the
-option number is sent, it is quite possible to
-persuade dnsmasq to generate illegal DHCP packets with injudicious use
-of this flag. When the value is a decimal number, dnsmasq must determine how 
+Be careful: data-type suitability for the option number sent is not checked.
+It is quite possible to persuade dnsmasq to generate illegal DHCP packets with
+injudicious use of this flag. 
+When the value is a decimal number, dnsmasq must determine how 
 large the data item is. It does this by examining the option number and/or the
 value, but can be overridden by appending a single letter flag as follows:
 b = one byte, s = two bytes, i = four bytes. This is mainly useful with 
 encapsulated vendor class options (see below) where dnsmasq cannot
-determine data size from the  option number. Option data which
+determine data size from the option number. Option data which
 consists solely of periods and digits will be interpreted by dnsmasq
 as an IP address, and inserted into an option as such. To force a
 literal string, use quotes. For instance when using option 66 to send
-a literal IP address as TFTP server name, it is necessary to do
-.B --dhcp-option=66,"1.2.3.4"
+a literal IP address as TFTP server name, it is necessary to do 
+\fB--dhcp-option=66,"1.2.3.4"\fP.
 
 Encapsulated Vendor-class options may also be specified (IPv4 only) using
 \fB--dhcp-option\fP: for instance
@@ -1354,7 +1402,7 @@ Options may be encapsulated (IPv4 only) within other options: for instance
 will send option 175, within which is the option 190. If multiple
 options are given which are encapsulated with the same option number
 then they will be correctly combined into one encapsulated option.
-encap: and vendor: are may not both be set in the same \fB--dhcp-option\fP.
+encap: and vendor: may not both be set in the same \fB--dhcp-option\fP.
 
 The final variant on encapsulated options is "Vendor-Identifying
 Vendor Options" as specified by RFC3925. These are denoted like this: 
@@ -1362,7 +1410,7 @@ Vendor Options" as specified by RFC3925. These are denoted like this:
 The number in the vi-encap: section is the IANA enterprise number
 used to identify this option. This form of encapsulation is supported
 in IPv6.
- 
+
 The address 0.0.0.0 is not treated specially in
 encapsulated options.
 .TP
@@ -1373,6 +1421,10 @@ except that the option will always be sent, even if the client does
 not ask for it in the parameter request list. This is sometimes
 needed, for example when sending options to PXELinux.
 .TP
+.B --dhcp-option-pxe=[tag:<tag>,[tag:<tag>,]][encap:<opt>,][vi-encap:<enterprise>,]<opt>,[<value>[,<value>]]
+A variant of --dhcp-option which defines options only sent in reply to PXE clients. In addition, such options are
+sent in reply to PXE clients when dnsmasq is acting as a PXE proxy, unlike other options. A typical use-case is option 175, sent to iPXE.
+.TP
 .B --dhcp-no-override
 (IPv4 only) Disable re-use of the DHCP servername and filename fields as extra
 option space. If it can, dnsmasq moves the boot server and filename
@@ -1384,7 +1436,7 @@ forces "simple and safe" behaviour to avoid problems in such a case.
 .B --dhcp-relay=<local address>[,<server address>[#<server port>]][,<interface]
 Configure dnsmasq to do DHCP relay. The local address is an address
 allocated to an interface on the host running dnsmasq. All DHCP
-requests arriving on that interface will we relayed to a remote DHCP
+requests arriving on that interface will be relayed to a remote DHCP
 server at the server address. It is possible to relay from a single local
 address to multiple remote servers by using multiple \fB--dhcp-relay\fP
 configs with the same local address and different server
@@ -1484,45 +1536,47 @@ via relays. If a list of IP addresses is given, only interactions via
 relays at those addresses are affected.
 .TP
 .B --dhcp-match=set:<tag>,<option number>|option:<option name>|vi-encap:<enterprise>[,<value>]
-Without a value, set the tag if the client sends a DHCP
-option of the given number or name. When a value is given, set the tag only if
-the option is sent and matches the value. The value may be of the form
+Without \fB<value>\fP, set \fB<tag>\fP if the client sends a DHCP
+\fBoption\fP of the given number or name. With \fB<value>\fP, set \fB<tag>\fP only if
+the client sends the \fBoption\fP matching or containing \fB<value>\fP. 
+
+The value may be of the form
 "01:ff:*:02" in which case the value must match (apart from wildcards)
 but the option sent may have unmatched data past the end of the
 value. The value may also be of the same form as in 
 .B --dhcp-option
 in which case the option sent is treated as an array, and one element
-must match, so
+must match.
 .B --dhcp-match=set:efi-ia32,option:client-arch,6
-will set the tag "efi-ia32" if the the number 6 appears in the list of
+sets the tag \fBefi-ia32\fP if the number \fB6\fP appears in the list of
 architectures sent by the client in option 93. (See RFC 4578 for
-details.)  If the value is a string, substring matching is used.
+details.) If the value is a string, substring matching is used.
 
 The special form with vi-encap:<enterprise number> matches against
 vendor-identifying vendor classes for the specified enterprise. Please
 see RFC 3925 for more details of these rare and interesting beasts.
 .TP
 .B --dhcp-name-match=set:<tag>,<name>[*]
-Set the tag if the given name is supplied by a DHCP client. There may be a single trailing wildcard *, which has the usual meaning. Combined with dhcp-ignore or dhcp-ignore-names this gives the ability to ignore certain clients by name, or disallow certain hostnames from being claimed by a client.
+Set a \fB<tag>\fP if the given \fB<name>\fP is supplied by a DHCP client. There may be a single trailing wildcard *, with a glob meaning. Combined with \fBdhcp-ignore\fP or \fBdhcp-ignore-names\fP this gives the ability to ignore certain clients by name, or disallow certain hostnames from being claimed by a client.
 .TP
 .B --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
-Perform boolean operations on tags. Any tag appearing as set:<tag> is set if
-all the tags which appear as tag:<tag> are set, (or unset when tag:!<tag> is used)
-If no tag:<tag> appears set:<tag> tags are set unconditionally.
-Any number of set: and tag: forms may appear, in any order. 
-\fB--tag-if\fP lines are executed in order, so if the tag in tag:<tag> is a
+Perform boolean operations on tags. All \fBset:<tag>\fP tags are set if
+all \fBtag:<tag>\fP are already set, (or unset when \fBtag:!<tag>\fP is used).
+If no \fBtag:<tag>\fP appears, \fBset:<tag>\fP tags are set unconditionally.
+Any number of \fBset:\fP and \fBtag:\fP forms may appear, in any order. 
+\fB--tag-if\fP lines are executed in order, so if the tag in \fBtag:<tag>\fP is a
 tag set by another
 .B --tag-if,
-the line which sets the tag must precede the one which tests it.
+the line which sets the tag must precede the line which tests it.
 
-As an extension, the tag:<tag> clauses support limited wildcard matching,
-similar to the matching in the \fB--interface\fP directive.  This allows, for
-example, using \fB--tag-if=set:ppp,tag:ppp*\fP to set the tag 'ppp' for all requests
-received on any matching interface (ppp0, ppp1, etc).  This can be used in conjunction
-with the tag:!<tag> format meaning that no tag matching the wildcard may be set.
+As an extension, the \fBtag:<tag>\fP clauses support limited wildcard matching,
+similar to the matching in the \fB--interface\fP directive. This allows the
+example \fB--tag-if=set:ppp,tag:ppp*\fP to set the tag 'ppp' for all requests
+received on any matching interface (ppp0, ppp1, etc). This can be used in conjunction
+with the \fBtag:!<tag>\fP format meaning that no tag matching the wildcard may be set.
 .TP
 .B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
-When all the given tags appear in the tag set ignore the host and do
+When all the given tags appear in the tag set, ignore the host and do
 not allocate it a DHCP lease.
 .TP
 .B --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
@@ -1635,6 +1689,11 @@ to allow netbooting. This mode is enabled using the
 .B proxy
 keyword in
 .B --dhcp-range.
+If the "other" DHCP server is on a remote network, it is
+possible, and useful, to configure dnsmasq as both a PXE proxy-DHCP server
+and a DHCP relay to the remote DHCP server. See
+.B --dhcp-relay
+for details. PXE is only supported over IPv4 at this time.
 .TP
 .B --dhcp-pxe-vendor=<vendor>[,...]
 According to UEFI and PXE specifications, DHCP packets between PXE clients and
@@ -2215,6 +2274,24 @@ exit 0
 
 and /share/ads-domains.gz containing a compressed
 list of ad server domains will save disk space with large ad-server blocklists.
+.TP
+.B --no-ident
+Do not respond to class CHAOS and type TXT in domain bind queries.
+
+Without this option being set, the cache statistics are also available in the
+DNS as answers to queries of class CHAOS and type TXT in domain bind. The domain
+names are cachesize.bind, insertions.bind, evictions.bind, misses.bind,
+hits.bind, auth.bind and servers.bind unless disabled at compile-time. An
+example command to query this, using the
+.B dig
+utility would be
+
+dig +short chaos txt cachesize.bind
+.TP
+.B --max-tcp-connections=<number>
+The maximum number of concurrent TCP connections. The application forks to
+handle each TCP request. The default maximum is 20.
+
 .SH CONFIG FILE
 At startup, dnsmasq reads
 .I /etc/dnsmasq.conf,
@@ -2259,20 +2336,11 @@ they expired in order to make room for new names and the total number
 of names that have been inserted into the cache. The number of cache hits and 
 misses and the number of authoritative queries answered are also given. For each upstream
 server it gives the number of queries sent, and the number which
-resulted in an error. In 
+resulted in an error. It also gives information on the number of forks for TCP connections. In
 .B --no-daemon
 mode or when full logging is enabled (\fB--log-queries\fP), a complete dump of the
 contents of the cache is made. 
 
-The cache statistics are also available in the DNS as answers to 
-queries of class CHAOS and type TXT in domain bind. The domain names are cachesize.bind, insertions.bind, evictions.bind, 
-misses.bind, hits.bind, auth.bind and servers.bind. An example command to query this, using the 
-.B dig
-utility would be
-
-dig +short chaos txt cachesize.bind
-
-.PP 
 When it receives SIGUSR2 and it is logging direct to a file (see
 .B --log-facility
 ) 
@@ -2357,48 +2425,67 @@ the CNAME. To work around this, add the CNAME to /etc/hosts so that
 the CNAME is shadowed too.
 
 .PP
-The tag system works as follows: For each DHCP request, dnsmasq
-collects a set of valid tags from active configuration lines which
-include set:<tag>, including one from the 
-.B --dhcp-range
-used to allocate the address, one from any matching 
-.B --dhcp-host
-(and "known" or "known-othernet" if a \fB--dhcp-host\fP matches)
-The tag "bootp" is set for BOOTP requests, and a tag whose name is the 
-name of the interface on which the request arrived is also set.
+The tag system works as follows: dnsmasq tags each DHCP request
+with tags from applicable configuration lines containing \fBset:<tag>\fP i.e. 
 
-Any configuration lines which include one or more tag:<tag> constructs
-will only be valid if all that tags are matched in the set derived
-above. Typically this is \fB--dhcp-option\fP.
-.B --dhcp-option
-which has tags will be used in preference  to an untagged 
-.B --dhcp-option,
-provided that _all_ the tags match somewhere in the
-set collected as described above. The prefix '!' on a tag means 'not'
-so \fB--dhcp-option=tag:!purple,3,1.2.3.4\fP sends the option when the
-tag purple is not in the set of valid tags. (If using this in a
-command line rather than a configuration file, be sure to escape !,
-which is a shell metacharacter)
+\fBset:<tag>\fP from the \fB--dhcp-range\fP used to allocate the address;
+
+\fBset:<tag>\fP from any matching \fB--dhcp-host\fP (plus the tag \fBknown\fP or 
+\fBknown-othernet\fP).
+
+BOOTP requests are tagged \fBbootp\fP. Each request is also tagged with the name of  
+the interface on which the request arrived.
+
+Each configuration line containing one or more \fBtag:<tag>\fP constructs
+applies when all its tags exist on the request. That is:
+
+Configuration tag:A applies to a request set:tagged A.
+
+Configuration tag:B applies to a request set:tagged B.
+
+Configuration tag:A+B doesn't apply to a request set:tagged A.
+
+Configuration tag:A+B doesn't apply to a request set:tagged B.
+
+Configurations tag:A+B, tag:A, tag:B apply to a request set:tagged A+B.
+
+\fBset:<tag>\fP constructs in \fB--dhcp-range\fP and \fB--dhcp-host\fP tag requests.
+
+Use \fBtag:<tag>\fPs in \fB--dhcp-option\fPs to match \fBset:<tag>\fP and apply configurations.
+
+A \fB--dhcp-option\fP with \fBtag:<tag>\fP is preferred over an untagged 
+\fB--dhcp-option\fP, provided that \fBall\fP its tags match somewhere in the
+set gathered above. 
+
+The tag prefix '!' means 'not'.
+\fB--dhcp-option=tag:!purple,3,1.2.3.4\fP sends the option when the request 
+is not tagged with purple. (The shell metacharacter '!' must be escaped on the
+command line but not in a configuration file).
+
+When selecting \fB--dhcp-option\fPs, a \fB--dhcp-range\fP tag is second class 
+to other tags, to make it easy to override options for
+individual hosts, so:
 
-When selecting \fB--dhcp-options\fP, a tag from \fB--dhcp-range\fP is second class
-relative to other tags, to make it easy to override options for
-individual hosts, so 
 .B --dhcp-range=set:interface1,......
+
 .B --dhcp-host=set:myhost,.....
+
 .B --dhcp-option=tag:interface1,option:nis-domain,"domain1"
+
 .B --dhcp-option=tag:myhost,option:nis-domain,"domain2"
-will set the NIS-domain to domain1 for hosts in the range, but
-override that to domain2 for a particular host.
+
+sets the NIS-domain to domain1 for hosts in the range, but
+to domain2 for a particular host that may or may not fall in the range.
 
 .PP
-Note that for 
-.B --dhcp-range
-both tag:<tag> and set:<tag> are allowed, to both select the range in
+Note that for \fB--dhcp-range\fP both 
+\fBtag:<tag>\fP and 
+\fBset:<tag>\fP are possible, in order to both select the range in
 use based on (eg) \fB--dhcp-host\fP, and to affect the options sent, based on
 the range selected.
 
-This system evolved from an earlier, more limited one and for backward
-compatibility "net:" may be used instead of "tag:" and "set:" may be
+The tag system evolved from an earlier, more limited system. For backward
+compatibility, "net:" may be used instead of "tag:" and "set:" may be
 omitted. (Except in 
 .B --dhcp-host,
 where "net:" may be used instead of "set:".) For the same reason, '#'
@@ -2416,7 +2503,7 @@ configuration option is present to activate the DHCP server
 on a particular network. (Setting \fB--bootp-dynamic\fP removes the need for
 static address mappings.) The filename
 parameter in a BOOTP request is used as a tag,
-as is the tag "bootp", allowing some control over the options returned to
+as is the tag \fBbootp\fP, allowing some control over the options returned to
 different classes of hosts.
 
 .SH AUTHORITATIVE CONFIGURATION

po/de.po

@@ -2,7 +2,7 @@
 #
 # This revised version is (C) Copyright by
 # Matthias Andree <matthias.andree@gmx.de>, 2010 - 2021.
-# Conrad Kostecki <conrad@kostecki.com>, 2014 - 2022.
+# Conrad Kostecki <conrad@kostecki.com>, 2014 - 2024.
 # It is subject to the GNU General Public License v2,
 # or at your option, any later version.
 #
@@ -10,10 +10,10 @@
 # Simon Kelley <simon@thekelleys.org.uk>, 2005.
 msgid ""
 msgstr ""
-"Project-Id-Version: dnsmasq 2.88\n"
+"Project-Id-Version: dnsmasq 2.91\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2021-03-20 00:00+0000\n"
-"PO-Revision-Date: 2022-11-17 20:08+0100\n"
+"PO-Revision-Date: 2024-12-23 22:36+0100\n"
 "Last-Translator: Conrad Kostecki <conrad@kostecki.com>\n"
 "Language-Team: German <de@li.org>\n"
 "Language: de\n"
@@ -21,7 +21,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Poedit 3.2\n"
+"X-Generator: Poedit 3.5\n"
 
 #: cache.c:652
 msgid "Internal error in cache."
@@ -43,9 +43,9 @@ msgid "bad name at %s line %d"
 msgstr "Fehlerhafter Name in %s Zeile %d"
 
 #: cache.c:1265
-#, fuzzy, c-format
+#, c-format
 msgid "read %s - %d names"
-msgstr "%s gelesen - %d Adressen"
+msgstr "%s gelesen - %d Namen"
 
 #: cache.c:1381
 msgid "cleared cache"
@@ -84,7 +84,7 @@ msgstr "weitergeleitete Anfragen %u, lokal beantwortete Anfragen %u"
 #: cache.c:1766
 #, c-format
 msgid "queries answered from stale cache %u"
-msgstr ""
+msgstr "Anfragen beantwortet vom veralteten Cache %u"
 
 #: cache.c:1768
 #, c-format
@@ -92,9 +92,9 @@ msgid "queries for authoritative zones %u"
 msgstr "Anfragen nach autoritativen Zonen %u"
 
 #: cache.c:1796
-#, fuzzy, c-format
+#, c-format
 msgid "server %s#%d: queries sent %u, retried %u, failed %u, nxdomain replies %u, avg. latency %ums"
-msgstr "Server %s#%d: Anfragen gesendet %u, erneut versucht oder fehlgeschlagen %u"
+msgstr "Server %s#%d: Anfragen gesendet %u, erneut versucht %u, fehlgeschlagen %u, nxdomain-Antworten %u, durchschnittliche Latenz %ums"
 
 #: util.c:51
 #, c-format
@@ -120,14 +120,14 @@ msgid "failed to allocate %d bytes"
 msgstr "Konnte %d Bytes nicht belegen"
 
 #: util.c:344
-#, fuzzy, c-format
+#, c-format
 msgid "failed to reallocate %d bytes"
-msgstr "Konnte %d Bytes nicht belegen"
+msgstr "Konnte %d Bytes nicht allozieren"
 
 #: util.c:465
-#, fuzzy, c-format
+#, c-format
 msgid "cannot read monotonic clock: %s"
-msgstr "kann Netlink-Socket nicht erzeugen: %s"
+msgstr "monotone Uhr kann nicht gelesen werden: %s"
 
 # @Simon: not perfect but I cannot get nearer right now.
 #: util.c:579
@@ -188,11 +188,11 @@ msgstr "Unberechtigte DNS-Anfragen von Windows-Rechnern nicht weiterleiten."
 
 #: option.c:404
 msgid "Don't include IPv4 addresses in DNS answers."
-msgstr ""
+msgstr "Keine IPv4-Adressen in DNS-Antworten inkludieren."
 
 #: option.c:405
 msgid "Don't include IPv6 addresses in DNS answers."
-msgstr ""
+msgstr "Keine IPv6-Adressen in DNS-Antworten inkludieren."
 
 #: option.c:406
 msgid "Enable DHCP in the range given with lease duration."
@@ -313,7 +313,7 @@ msgstr "Fehlerhafte Suchergebnisse NICHT zwischenspeichern."
 
 #: option.c:434
 msgid "Use expired cache data for faster reply."
-msgstr ""
+msgstr "Verwende abgelaufene Cachedaten für schnellere Antwort."
 
 #: option.c:435
 #, c-format
@@ -347,7 +347,7 @@ msgstr "Ausgehenden Port für DNS-Anfragen an vorgelagerte Server erzwingen."
 
 #: option.c:442
 msgid "Set maximum number of random originating ports for a query."
-msgstr ""
+msgstr "Setze die maximale Anzahl zufälliger Ursprungsports für eine Abfrage."
 
 #: option.c:443
 msgid "Do NOT read resolv.conf."
@@ -404,7 +404,7 @@ msgstr "Spezifiziere untere Gültigkeitsdauergrenze für Zwischenspeicher."
 
 #: option.c:456
 msgid "Retry DNS queries after this many milliseconds."
-msgstr ""
+msgstr "DNS-Abfragen nach so vielen Millisekunden wiederholen."
 
 #: option.c:457
 #, c-format
@@ -520,7 +520,7 @@ msgstr "Konfiguration aus allen Dateien in diesem Verzeichnis lesen."
 
 #: option.c:484
 msgid "Execute file and read configuration from stdin."
-msgstr ""
+msgstr "Führe Datei aus und lese die Konfiguration aus stdin."
 
 #: option.c:485
 msgid "Log to this syslog facility or file. (defaults to DAEMON)"
@@ -680,7 +680,7 @@ msgstr "Anfragende MAC-Adresse in die weiterleitende DNS-Anfrage einfügen."
 
 #: option.c:523
 msgid "Strip MAC information from queries."
-msgstr ""
+msgstr "Entferne die MAC-Information von Abfragen."
 
 #: option.c:524
 msgid "Add specified IP subnet to forwarded DNS queries."
@@ -688,7 +688,7 @@ msgstr "Füge spezifiziertes IP-Subnetz an weitergeleiteten DNS-Anfragen hinzu."
 
 #: option.c:525
 msgid "Strip ECS information from queries."
-msgstr ""
+msgstr "Entferne die ECS-Information von Abfragen."
 
 #: option.c:526
 msgid "Add client identification to forwarded DNS queries."
@@ -773,9 +773,8 @@ msgid "Specify ipsets to which matching domains should be added"
 msgstr "Spezifiziere IPSets, zu denen passende Domains hinzugefügt werden sollen"
 
 #: option.c:546
-#, fuzzy
 msgid "Specify nftables sets to which matching domains should be added"
-msgstr "Spezifiziere IPSets, zu denen passende Domains hinzugefügt werden sollen"
+msgstr "Geben Sie nftables sets an, zu denen passende Domänen hinzugefügt werden sollen"
 
 #: option.c:547
 msgid "Enable filtering of DNS queries with connection-track marks."
@@ -880,7 +879,7 @@ msgstr "Protokolliere kein Routine-TFTP."
 
 #: option.c:572
 msgid "Suppress round-robin ordering of DNS records."
-msgstr ""
+msgstr "Unterdrückt die Round-Robin-Sortierung von DNS-Einträgen."
 
 #: option.c:802
 #, c-format
@@ -915,11 +914,11 @@ msgstr "Schnittstellenbindung nicht unterstützt"
 
 #: option.c:955
 msgid "Cannot resolve server name"
-msgstr ""
+msgstr "Servername kann nicht aufgelöst werden"
 
 #: option.c:991
 msgid "cannot use IPv4 server address with IPv6 source address"
-msgstr ""
+msgstr "IPv4-Serveradresse kann nicht mit IPv6-Quelladresse verwendet werden"
 
 #: option.c:997 option.c:1043
 msgid "interface can only be specified once"
@@ -931,21 +930,19 @@ msgstr "Fehlerhafter Schnittestellenname"
 
 #: option.c:1037
 msgid "cannot use IPv6 server address with IPv4 source address"
-msgstr ""
+msgstr "IPv6-Serveradresse kann nicht mit IPv4-Quelladresse verwendet werden"
 
 #: option.c:1124
-#, fuzzy
 msgid "bad IPv4 prefix length"
-msgstr "fehlerhafte Präfixlänge"
+msgstr "ungültige IPv4-Präfixlänge"
 
 #: option.c:1155 option.c:1165 option.c:1240 option.c:1250 option.c:5360
 msgid "error"
 msgstr "Fehler"
 
 #: option.c:1207
-#, fuzzy
 msgid "bad IPv6 prefix length"
-msgstr "fehlerhafte Präfixlänge"
+msgstr "ungültige IPv6-Präfixlänge"
 
 #: option.c:1467
 msgid "inappropriate vendor:"
@@ -1034,7 +1031,6 @@ msgid "recompile with HAVE_LUASCRIPT defined to enable Lua scripts"
 msgstr "Neuübersetzung mit HAVE_LUASCRIPT nötig, um benutzerdefinierte Lua-Skripte auszuführen"
 
 #: option.c:2447
-#, fuzzy
 msgid "invalid auth-zone"
 msgstr "unzulässiger Alias-Bereich"
 
@@ -1059,9 +1055,8 @@ msgid "recompile with HAVE_IPSET defined to enable ipset directives"
 msgstr "Neuübersetzung mit HAVE_IPSET nötig, um IPSet-Direktiven zu aktivieren"
 
 #: option.c:3117
-#, fuzzy
 msgid "recompile with HAVE_NFTSET defined to enable nftset directives"
-msgstr "Neuübersetzung mit HAVE_IPSET nötig, um IPSet-Direktiven zu aktivieren"
+msgstr "Neukompilieren mit definiertem HAVE_NFTSET, um NFTSET-Direktiven zu aktivieren"
 
 #: option.c:3192 option.c:3210
 msgid "recompile with HAVE_CONNTRACK defined to enable connmark-allowlist directives"
@@ -1259,7 +1254,7 @@ msgstr "unzulässige Option"
 #: option.c:5363
 #, c-format
 msgid " in output from %s"
-msgstr ""
+msgstr " in der Ausgabe von %s"
 
 #: option.c:5365
 #, c-format
@@ -1272,9 +1267,9 @@ msgid "read %s"
 msgstr "%s gelesen"
 
 #: option.c:5446
-#, fuzzy, c-format
+#, c-format
 msgid "cannot execute %s: %s"
-msgstr "kann %s nicht erstellen: %s"
+msgstr "kann %s nicht ausführen: %s"
 
 #: option.c:5454 option.c:5615 tftp.c:790
 #, c-format
@@ -1282,14 +1277,14 @@ msgid "cannot read %s: %s"
 msgstr "kann %s nicht lesen: %s"
 
 #: option.c:5473
-#, fuzzy, c-format
+#, c-format
 msgid "error executing %s: %s"
-msgstr "konnte %s nicht ausführen: %s"
+msgstr "Fehler bei der Ausführung von %s: %s"
 
 #: option.c:5476
 #, c-format
 msgid "%s returns non-zero error code"
-msgstr ""
+msgstr "%s gibt einen Fehlercode ungleich Null zurück"
 
 #: option.c:5775
 msgid "junk found in command line"
@@ -1399,14 +1394,14 @@ msgid "reducing DNS packet size for nameserver %s to %d"
 msgstr "Reduziere die DNS-Paketgröße für Nameserver %s auf %d"
 
 #: forward.c:1565
-#, fuzzy, c-format
+#, c-format
 msgid "ignoring query from non-local network %s (logged only once)"
-msgstr "Ignoriere Anfrage von auswärtigem Netzwerk"
+msgstr "Ignoriere Abfrage von nicht-lokalen Netzwerk %s (Nur einmal protokolliert)"
 
 #: forward.c:2139
-#, fuzzy, c-format
+#, c-format
 msgid "ignoring query from non-local network %s"
-msgstr "Ignoriere Anfrage von auswärtigem Netzwerk"
+msgstr "Ignoriere Abfrage von nicht-lokalen Netzwerk %s"
 
 #: forward.c:2501
 #, c-format
@@ -1488,7 +1483,7 @@ msgstr "ignoriere Namensserver %s - kann Socket nicht erzeugen/binden: %s"
 
 #: network.c:1643
 msgid "more servers are defined but not logged"
-msgstr ""
+msgstr "mehr Server sind definiert aber nicht protokolliert"
 
 #: network.c:1654
 msgid "(no DNSSEC)"
@@ -1605,7 +1600,7 @@ msgstr "max_port darf nicht kleiner als min_port sein"
 
 #: dnsmasq.c:271
 msgid "port_limit must not be larger than available port range"
-msgstr ""
+msgstr "port_limit darf nicht größer als der verfügbare Portbereich sein"
 
 #: dnsmasq.c:278
 msgid "--auth-server required when an auth zone is defined."
@@ -1810,9 +1805,9 @@ msgid "restricting maximum simultaneous TFTP transfers to %d"
 msgstr "Begrenze gleichzeitige TFTP-Übertragungen auf maximal %d"
 
 #: dnsmasq.c:1095
-#, fuzzy, c-format
+#, c-format
 msgid "error binding DHCP socket to device %s"
-msgstr "Fehler beim Senden des DHCP-Pakets an %s: %s"
+msgstr "Fehler beim Binden des DHCP-Sockets an Gerät %s"
 
 #: dnsmasq.c:1229
 msgid "connected to system DBus"
@@ -1981,19 +1976,19 @@ msgid "read %s - %d addresses"
 msgstr "%s gelesen - %d Adressen"
 
 #: dhcp.c:1136
-#, fuzzy, c-format
+#, c-format
 msgid "Cannot broadcast DHCP relay via interface %s"
-msgstr "Kann nicht zum DHCPv6 Server multicasten ohne korrekte Schnittstelle"
+msgstr "DHCP-Relay kann nicht über die Schnittstelle %s gesendet werden"
 
 #: dhcp.c:1160
 #, c-format
 msgid "broadcast via %s"
-msgstr ""
+msgstr "broadcast via %s"
 
 #: dhcp.c:1163 rfc3315.c:2219
-#, fuzzy, c-format
+#, c-format
 msgid "DHCP relay at %s -> %s"
-msgstr "DHCP Relais %s -> %s"
+msgstr "DHCP-Relay bei %s -> %s"
 
 #: lease.c:64
 #, c-format
@@ -2405,14 +2400,14 @@ msgid "release received"
 msgstr "Freigabe empfangen"
 
 #: rfc3315.c:2200
-#, fuzzy, c-format
+#, c-format
 msgid "Cannot multicast DHCP relay via interface %s"
-msgstr "Kann nicht zum DHCPv6 Server multicasten ohne korrekte Schnittstelle"
+msgstr "Multicast-DHCP-Relay über Schnittstelle %s nicht möglich"
 
 #: rfc3315.c:2216
 #, c-format
 msgid "multicast via %s"
-msgstr ""
+msgstr "multicast via %s"
 
 #: dhcp-common.c:187
 #, c-format
@@ -2484,9 +2479,9 @@ msgid "router advertisement on %s%s"
 msgstr "Router-Advertisment auf %s%s"
 
 #: dhcp-common.c:1043
-#, fuzzy, c-format
+#, c-format
 msgid "DHCP relay from %s via %s"
-msgstr "DHCP Weiterleitung von %s nach %s"
+msgstr "DHCP-Relay von %s über %s"
 
 #: dhcp-common.c:1045
 #, c-format
@@ -2621,9 +2616,9 @@ msgid "Insecure DS reply received for %s, check domain configuration and upstrea
 msgstr "Unsichere DS-Antwort für %s, bitte Domainkonfiguration und Upstream DNS-Server für DNSSEC-Unterstützung überprüfen"
 
 #: blockdata.c:55
-#, fuzzy, c-format
+#, c-format
 msgid "pool memory in use %zu, max %zu, allocated %zu"
-msgstr "Speicherpool in Benutzung %u, Max %u, zugewiesen %u"
+msgstr "Speicherpool in Benutzung %zu, Max %zu, zugewiesen %zu"
 
 #: tables.c:61
 #, c-format
@@ -2695,24 +2690,23 @@ msgid "bad dynamic directory %s: %s"
 msgstr "fehlerhaftes dynamisches Verzeichnis %s: %s"
 
 #: inotify.c:186
-#, fuzzy
 msgid "not a directory"
-msgstr "Kann auf Verzeichnis %s nicht zugreifen: %s"
+msgstr "ist kein Verzeichnis"
 
 #: inotify.c:299
 #, c-format
 msgid "inotify: %s removed"
-msgstr ""
+msgstr "inotify: %s entfernt"
 
 #: inotify.c:301
-#, fuzzy, c-format
+#, c-format
 msgid "inotify: %s new or modified"
-msgstr "inotify, neue oder geänderte Datei %s"
+msgstr "inotify: %s neu oder modifiziert"
 
 #: inotify.c:309
 #, c-format
 msgid "inotify: flushed %u names read from %s"
-msgstr ""
+msgstr "inotify: %u Namen gelöscht, aus %s gelesen"
 
 #: dump.c:68
 #, c-format
@@ -2729,14 +2723,14 @@ msgid "failed to write packet dump"
 msgstr "schreiben des Paketmitschnitts fehlgeschlagen"
 
 #: dump.c:289
-#, fuzzy, c-format
+#, c-format
 msgid "%u dumping packet %u mask 0x%04x"
-msgstr "Lade UDP Paket %u Maske 0x%04x ab"
+msgstr "%u dumpe Paket %u Maske 0x%04x"
 
 #: dump.c:291
-#, fuzzy, c-format
+#, c-format
 msgid "dumping packet %u mask 0x%04x"
-msgstr "Lade UDP Paket %u Maske 0x%04x ab"
+msgstr "Dumpe Packet %u Make 0x%04x"
 
 #: ubus.c:79
 #, c-format
@@ -2770,9 +2764,8 @@ msgid "Failed to create SHA-256 hash object"
 msgstr "Kann SHA-256-Hash-Objekt nicht erstellen"
 
 #: nftset.c:35
-#, fuzzy
 msgid "failed to create nftset context"
-msgstr "konnte IPset-Kontroll-Socket nicht erzeugen: %s"
+msgstr "Fehler beim Erstellen des NFTSET-Kontexts"
 
 #~ msgid "bad IPv4 prefix"
 #~ msgstr "fehlerhaftes IPv4-Präfix"

src/arp.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -35,7 +35,7 @@ struct arp_record {
 static struct arp_record *arps = NULL, *old = NULL, *freelist = NULL;
 static time_t last = 0;
 
-static int filter_mac(int family, char *addrp, char *mac, size_t maclen, void *parmv)
+static int filter_mac(int family, void *addrp, char *mac, size_t maclen, void *parmv)
 {
   struct arp_record *arp;
 
@@ -152,7 +152,7 @@ int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now)
 	 if (arp->status != ARP_EMPTY)
 	   arp->status = ARP_MARK;
        
-       iface_enumerate(AF_UNSPEC, NULL, filter_mac);
+       iface_enumerate(AF_UNSPEC, NULL, (callback_t){.af_unspec=filter_mac});
        
        /* Remove all unconfirmed entries to old list. */
        for (arp = arps, up = &arps; arp; arp = tmp)

src/auth.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -96,8 +96,8 @@ int in_zone(struct auth_zone *zone, char *name, char **cut)
 }
 
 
-size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr, 
-		   int local_query, int do_bit, int have_pseudoheader) 
+size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now,
+		   union mysockaddr *peer_addr, int local_query) 
 {
   char *name = daemon->namebuff;
   unsigned char *p, *ansp;
@@ -137,7 +137,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
       nameoffset = p - (unsigned char *)header;
 
       /* now extract name as .-concatenated string into name */
-      if (!extract_name(header, qlen, &p, name, 1, 4))
+      if (!extract_name(header, qlen, &p, name, EXTR_NAME_EXTRACT, 4))
 	return 0; /* bad packet */
  
       GETSHORT(qtype, p); 
@@ -513,7 +513,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		 nxdomain = 0;
 		 if ((crecp->flags & flag) && (local_query || filter_zone(zone, flag, &(crecp->addr))))
 		   {
-		     log_query(crecp->flags, name, &crecp->addr, record_source(crecp->uid), 0);
+		     log_query(crecp->flags & ~F_REVERSE, name, &crecp->addr, record_source(crecp->uid), 0);
 		     if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					     daemon->auth_ttl, NULL, qtype, C_IN, 
 					     qtype == T_A ? "4" : "6", &crecp->addr))
@@ -868,7 +868,13 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
   
   /* truncation */
   if (trunc)
-    header->hb3 |= HB3_TC;
+    {
+      header->hb3 |= HB3_TC;
+      if (!(ansp = skip_questions(header, qlen)))
+	return 0; /* bad packet */
+      anscount = authcount = 0;
+      log_query(F_AUTH, "reply", NULL, "truncated", 0);
+    }
   
   if ((auth || local_query) && nxdomain)
     SET_RCODE(header, NXDOMAIN);
@@ -890,10 +896,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
       return resize_packet(header,  ansp - (unsigned char *)header, NULL, 0);
     }
   
-  /* Advertise our packet size limit in our reply */
-  if (have_pseudoheader)
-    return add_pseudoheader(header,  ansp - (unsigned char *)header, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
-
   return ansp - (unsigned char *)header;
 }
   

src/blockdata.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -19,7 +19,7 @@
 static struct blockdata *keyblock_free;
 static unsigned int blockdata_count, blockdata_hwm, blockdata_alloced;
 
-static void blockdata_expand(int n)
+static void add_blocks(int n)
 {
   struct blockdata *new = whine_malloc(n * sizeof(struct blockdata));
   
@@ -47,7 +47,7 @@ void blockdata_init(void)
 
   /* Note that daemon->cachesize is enforced to have non-zero size if OPT_DNSSEC_VALID is set */  
   if (option_bool(OPT_DNSSEC_VALID))
-    blockdata_expand(daemon->cachesize);
+    add_blocks(daemon->cachesize);
 }
 
 void blockdata_report(void)
@@ -58,50 +58,61 @@ void blockdata_report(void)
 	    blockdata_alloced * sizeof(struct blockdata));
 } 
 
+static struct blockdata *new_block(void)
+{
+  struct blockdata *block;
+
+  if (!keyblock_free)
+    add_blocks(50);
+  
+  if (keyblock_free)
+    {
+      block = keyblock_free;
+      keyblock_free = block->next;
+      blockdata_count++;
+      if (blockdata_hwm < blockdata_count)
+	blockdata_hwm = blockdata_count;
+      block->next = NULL;
+      return block;
+    }
+  
+  return NULL;
+}
+
 static struct blockdata *blockdata_alloc_real(int fd, char *data, size_t len)
 {
   struct blockdata *block, *ret = NULL;
   struct blockdata **prev = &ret;
   size_t blen;
 
-  while (len > 0)
+  do
     {
-      if (!keyblock_free)
-	blockdata_expand(50);
-      
-      if (keyblock_free)
-	{
-	  block = keyblock_free;
-	  keyblock_free = block->next;
-	  blockdata_count++; 
-	}
-      else
+      if (!(block = new_block()))
 	{
 	  /* failed to alloc, free partial chain */
 	  blockdata_free(ret);
 	  return NULL;
 	}
-       
-      if (blockdata_hwm < blockdata_count)
-	blockdata_hwm = blockdata_count; 
+
+      if ((blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len) > 0)
+	{
+	  if (data)
+	    {
+	      memcpy(block->key, data, blen);
+	      data += blen;
+	    }
+	  else if (!read_write(fd, block->key, blen, RW_READ))
+	    {
+	      /* failed read free partial chain */
+	      blockdata_free(ret);
+	      return NULL;
+	    }
+	}
       
-      blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len;
-      if (data)
-	{
-	  memcpy(block->key, data, blen);
-	  data += blen;
-	}
-      else if (!read_write(fd, block->key, blen, 1))
-	{
-	  /* failed read free partial chain */
-	  blockdata_free(ret);
-	  return NULL;
-	}
       len -= blen;
       *prev = block;
       prev = &block->next;
-      block->next = NULL;
-    }
+    } while (len != 0);
   
   return ret;
 }
@@ -111,6 +122,58 @@ struct blockdata *blockdata_alloc(char *data, size_t len)
   return blockdata_alloc_real(0, data, len);
 }
 
+/* Add data to the end of the block. 
+   newlen is length of new data, NOT total new length. 
+   Use blockdata_alloc(NULL, 0) to make empty block to add to. */
+int blockdata_expand(struct blockdata *block, size_t oldlen, char *data, size_t newlen)
+{
+  struct blockdata *b;
+  
+  /* find size of current final block */
+  for (b = block; oldlen > KEYBLOCK_LEN && b;  b = b->next, oldlen -= KEYBLOCK_LEN);
+
+  /* chain to short for length, something is broken */
+  if (oldlen > KEYBLOCK_LEN)
+    {
+      blockdata_free(block);
+      return 0;
+    }
+
+  while (1)
+    {
+      struct blockdata *new;
+      size_t blocksize = KEYBLOCK_LEN - oldlen;
+      size_t size = (newlen <= blocksize) ? newlen : blocksize;
+      
+      if (size != 0)
+	{
+	  memcpy(&b->key[oldlen], data, size);
+	  data += size;
+	  newlen -= size;
+	}
+      
+      /* full blocks from now on. */
+      oldlen = 0;
+
+      if (newlen == 0)
+	break;
+
+      if ((new = new_block()))
+	{
+	  b->next = new;
+	  b = new;
+	}
+      else
+	{
+	  /* failed to alloc, free partial chain */
+	  blockdata_free(block);
+	  return 0;
+	}
+    }
+
+  return 1;
+}
+
 void blockdata_free(struct blockdata *blocks)
 {
   struct blockdata *tmp;
@@ -130,7 +193,7 @@ void *blockdata_retrieve(struct blockdata *block, size_t len, void *data)
 {
   size_t blen;
   struct  blockdata *b;
-  void *new, *d;
+  uint8_t *new, *d;
   
   static unsigned int buff_len = 0;
   static unsigned char *buff = NULL;
@@ -165,7 +228,7 @@ void blockdata_write(struct blockdata *block, size_t len, int fd)
   for (; len > 0 && block; block = block->next)
     {
       size_t blen = len > KEYBLOCK_LEN ? KEYBLOCK_LEN : len;
-      read_write(fd, block->key, blen, 0);
+      read_write(fd, block->key, blen, RW_WRITE);
       len -= blen;
     }
 }

src/bpf.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -47,7 +47,7 @@ static union all_addr del_addr;
 
 #if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
 
-int arp_enumerate(void *parm, int (*callback)())
+int arp_enumerate(void *parm, callback_t callback)
 {
   int mib[6];
   size_t needed;
@@ -91,7 +91,7 @@ int arp_enumerate(void *parm, int (*callback)())
       rtm = (struct rt_msghdr *)next;
       sin2 = (struct sockaddr_inarp *)(rtm + 1);
       sdl = (struct sockaddr_dl *)((char *)sin2 + SA_SIZE(sin2));
-      if (!(*callback)(AF_INET, &sin2->sin_addr, LLADDR(sdl), sdl->sdl_alen, parm))
+      if (!callback.af_unspec(AF_INET, &sin2->sin_addr, LLADDR(sdl), sdl->sdl_alen, parm))
 	return 0;
     }
 
@@ -100,7 +100,7 @@ int arp_enumerate(void *parm, int (*callback)())
 #endif /* defined(HAVE_BSD_NETWORK) && !defined(__APPLE__) */
 
 
-int iface_enumerate(int family, void *parm, int (*callback)())
+int iface_enumerate(int family, void *parm, callback_t callback)
 {
   struct ifaddrs *head, *addrs;
   int errsave, fd = -1, ret = 0;
@@ -126,112 +126,110 @@ int iface_enumerate(int family, void *parm, int (*callback)())
   
   for (addrs = head; addrs; addrs = addrs->ifa_next)
     {
-      if (addrs->ifa_addr->sa_family == family)
+      int iface_index = if_nametoindex(addrs->ifa_name);
+      
+      if (iface_index == 0 || !addrs->ifa_addr || 
+	  addrs->ifa_addr->sa_family != family ||
+	  (!addrs->ifa_netmask && family != AF_LINK))
+	continue;
+      
+      if (family == AF_INET)
 	{
-	  int iface_index = if_nametoindex(addrs->ifa_name);
-
-	  if (iface_index == 0 || !addrs->ifa_addr || 
-	      (!addrs->ifa_netmask && family != AF_LINK))
+	  struct in_addr addr, netmask, broadcast;
+	  addr = ((struct sockaddr_in *) addrs->ifa_addr)->sin_addr;
+#ifdef HAVE_BSD_NETWORK
+	  if (del_family == AF_INET && del_addr.addr4.s_addr == addr.s_addr)
 	    continue;
-
-	  if (family == AF_INET)
-	    {
-	      struct in_addr addr, netmask, broadcast;
-	      addr = ((struct sockaddr_in *) addrs->ifa_addr)->sin_addr;
-#ifdef HAVE_BSD_NETWORK
-	      if (del_family == AF_INET && del_addr.addr4.s_addr == addr.s_addr)
-		continue;
 #endif
-	      netmask = ((struct sockaddr_in *) addrs->ifa_netmask)->sin_addr;
-	      if (addrs->ifa_broadaddr)
-		broadcast = ((struct sockaddr_in *) addrs->ifa_broadaddr)->sin_addr; 
-	      else 
-		broadcast.s_addr = 0;	      
-	      if (!((*callback)(addr, iface_index, NULL, netmask, broadcast, parm)))
-		goto err;
-	    }
-	  else if (family == AF_INET6)
-	    {
-	      struct in6_addr *addr = &((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_addr;
-	      unsigned char *netmask = (unsigned char *) &((struct sockaddr_in6 *) addrs->ifa_netmask)->sin6_addr;
-	      int scope_id = ((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_scope_id;
-	      int i, j, prefix = 0;
-	      u32 valid = 0xffffffff, preferred = 0xffffffff;
-	      int flags = 0;
+	  netmask = ((struct sockaddr_in *) addrs->ifa_netmask)->sin_addr;
+	  if (addrs->ifa_broadaddr)
+	    broadcast = ((struct sockaddr_in *) addrs->ifa_broadaddr)->sin_addr; 
+	  else 
+	    broadcast.s_addr = 0;	      
+	  if (!callback.af_inet(addr, iface_index, NULL, netmask, broadcast, parm))
+	    goto err;
+	}
+      else if (family == AF_INET6)
+	{
+	  struct in6_addr *addr = &((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_addr;
+	  unsigned char *netmask = (unsigned char *) &((struct sockaddr_in6 *) addrs->ifa_netmask)->sin6_addr;
+	  int scope_id = ((struct sockaddr_in6 *) addrs->ifa_addr)->sin6_scope_id;
+	  int i, j, prefix = 0;
+	  u32 valid = 0xffffffff, preferred = 0xffffffff;
+	  int flags = 0;
 #ifdef HAVE_BSD_NETWORK
-	      if (del_family == AF_INET6 && IN6_ARE_ADDR_EQUAL(&del_addr.addr6, addr))
-		continue;
+	  if (del_family == AF_INET6 && IN6_ARE_ADDR_EQUAL(&del_addr.addr6, addr))
+	    continue;
 #endif
 #if defined(HAVE_BSD_NETWORK) && !defined(__APPLE__)
-	      struct in6_ifreq ifr6;
-
-	      memset(&ifr6, 0, sizeof(ifr6));
-	      safe_strncpy(ifr6.ifr_name, addrs->ifa_name, sizeof(ifr6.ifr_name));
+	  struct in6_ifreq ifr6;
+	  
+	  memset(&ifr6, 0, sizeof(ifr6));
+	  safe_strncpy(ifr6.ifr_name, addrs->ifa_name, sizeof(ifr6.ifr_name));
+	  
+	  ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
+	  if (fd != -1 && ioctl(fd, SIOCGIFAFLAG_IN6, &ifr6) != -1)
+	    {
+	      if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_TENTATIVE)
+		flags |= IFACE_TENTATIVE;
+	      
+	      if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DEPRECATED)
+		flags |= IFACE_DEPRECATED;
 	      
-	      ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
-	      if (fd != -1 && ioctl(fd, SIOCGIFAFLAG_IN6, &ifr6) != -1)
-		{
-		  if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_TENTATIVE)
-		    flags |= IFACE_TENTATIVE;
-		  
-		  if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DEPRECATED)
-		    flags |= IFACE_DEPRECATED;
-
 #ifdef IN6_IFF_TEMPORARY
-		  if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_TEMPORARY)))
-		    flags |= IFACE_PERMANENT;
+	      if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_TEMPORARY)))
+		flags |= IFACE_PERMANENT;
 #endif
-
+	      
 #ifdef IN6_IFF_PRIVACY
-		  if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_PRIVACY)))
-		    flags |= IFACE_PERMANENT;
+	      if (!(ifr6.ifr_ifru.ifru_flags6 & (IN6_IFF_AUTOCONF | IN6_IFF_PRIVACY)))
+		flags |= IFACE_PERMANENT;
 #endif
-		}
-	      
-	      ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
-	      if (fd != -1 && ioctl(fd, SIOCGIFALIFETIME_IN6, &ifr6) != -1)
-		{
-		  valid = ifr6.ifr_ifru.ifru_lifetime.ia6t_vltime;
-		  preferred = ifr6.ifr_ifru.ifru_lifetime.ia6t_pltime;
-		}
+	    }
+	  
+	  ifr6.ifr_addr = *((struct sockaddr_in6 *) addrs->ifa_addr);
+	  if (fd != -1 && ioctl(fd, SIOCGIFALIFETIME_IN6, &ifr6) != -1)
+	    {
+	      valid = ifr6.ifr_ifru.ifru_lifetime.ia6t_vltime;
+	      preferred = ifr6.ifr_ifru.ifru_lifetime.ia6t_pltime;
+	    }
 #endif
-	      	      
-	      for (i = 0; i < IN6ADDRSZ; i++, prefix += 8) 
-                if (netmask[i] != 0xff)
-		  break;
-	      
-	      if (i != IN6ADDRSZ && netmask[i]) 
-                for (j = 7; j > 0; j--, prefix++) 
-		  if ((netmask[i] & (1 << j)) == 0)
-		    break;
-	      
-	      /* voodoo to clear interface field in address */
-	      if (!option_bool(OPT_NOWILD) && IN6_IS_ADDR_LINKLOCAL(addr))
-		{
-		  addr->s6_addr[2] = 0;
-		  addr->s6_addr[3] = 0;
-		} 
-	     
-	      if (!((*callback)(addr, prefix, scope_id, iface_index, flags,
-				(int) preferred, (int)valid, parm)))
-		goto err;	      
-	    }
-
-#ifdef HAVE_DHCP6      
-	  else if (family == AF_LINK)
-	    { 
-	      /* Assume ethernet again here */
-	      struct sockaddr_dl *sdl = (struct sockaddr_dl *) addrs->ifa_addr;
-	      if (sdl->sdl_alen != 0 && 
-		  !((*callback)(iface_index, ARPHRD_ETHER, LLADDR(sdl), sdl->sdl_alen, parm)))
-		goto err;
-	    }
-#endif 
+	  
+	  for (i = 0; i < IN6ADDRSZ; i++, prefix += 8) 
+	    if (netmask[i] != 0xff)
+	      break;
+	  
+	  if (i != IN6ADDRSZ && netmask[i]) 
+	    for (j = 7; j > 0; j--, prefix++) 
+	      if ((netmask[i] & (1 << j)) == 0)
+		break;
+	  
+	  /* voodoo to clear interface field in address */
+	  if (!option_bool(OPT_NOWILD) && IN6_IS_ADDR_LINKLOCAL(addr))
+	    {
+	      addr->s6_addr[2] = 0;
+	      addr->s6_addr[3] = 0;
+	    } 
+	  
+	  if (!callback.af_inet6(addr, prefix, scope_id, iface_index, flags,
+				 (unsigned int) preferred, (unsigned int)valid, parm))
+	    goto err;	      
 	}
+      
+#ifdef HAVE_DHCP6      
+      else if (family == AF_LINK)
+	{ 
+	  /* Assume ethernet again here */
+	  struct sockaddr_dl *sdl = (struct sockaddr_dl *) addrs->ifa_addr;
+	  if (sdl->sdl_alen != 0 && 
+	      !callback.af_local(iface_index, ARPHRD_ETHER, LLADDR(sdl), sdl->sdl_alen, parm))
+	    goto err;
+	}
+#endif 
     }
   
   ret = 1;
-
+  
  err:
   errsave = errno;
   freeifaddrs(head); 

src/cache.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -28,6 +28,8 @@ static int bignames_left, hash_size;
 static void make_non_terminals(struct crec *source);
 static struct crec *really_insert(char *name, union all_addr *addr, unsigned short class,
 				  time_t now,  unsigned long ttl, unsigned int flags);
+static void dump_cache_entry(struct crec *cache, time_t now);
+static char *querystr(char *desc, unsigned short type);
 
 /* type->string mapping: this is also used by the name-hash function as a mixing table. */
 /* taken from https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml */
@@ -99,6 +101,7 @@ static const struct {
   { 63,  "ZONEMD" }, /* Message Digest Over Zone Data [RFC8976] ZONEMD/zonemd-completed-template 2018-12-12*/
   { 64,  "SVCB" }, /* Service Binding [draft-ietf-dnsop-svcb-https-00] SVCB/svcb-completed-template 2020-06-30*/
   { 65,  "HTTPS" }, /* HTTPS Binding [draft-ietf-dnsop-svcb-https-00] HTTPS/https-completed-template 2020-06-30*/
+  { 66,  "DSYNC" }, /* Endpoint discovery for delegation synchronization [draft-ietf-dnsop-generalized-notify-03] DSYNC/dsync-completed-template 2024-12-10 */
   { 99,  "SPF" }, /* [RFC7208] */
   { 100, "UINFO" }, /* [IANA-Reserved] */
   { 101, "UID" }, /* [IANA-Reserved] */
@@ -110,6 +113,7 @@ static const struct {
   { 107, "LP" }, /* [RFC6742] ILNP/lp-completed-template */
   { 108, "EUI48" }, /* an EUI-48 address [RFC7043] EUI48/eui48-completed-template 2013-03-27*/
   { 109, "EUI64" }, /* an EUI-64 address [RFC7043] EUI64/eui64-completed-template 2013-03-27*/
+  { 128, "NXNAME" }, /* NXDOMAIN indicator for Compact Denial of Existence https://www.iana.org/go/draft-ietf-dnsop-compact-denial-of-existence-04 */
   { 249, "TKEY" }, /* Transaction Key [RFC2930] */
   { 250, "TSIG" }, /* Transaction Signature [RFC8945] */
   { 251, "IXFR" }, /* incremental transfer [RFC1995] */
@@ -122,6 +126,10 @@ static const struct {
   { 258, "AVC" }, /* Application Visibility and Control [Wolfgang_Riedel] AVC/avc-completed-template 2016-02-26*/
   { 259, "DOA" }, /* Digital Object Architecture [draft-durand-doa-over-dns] DOA/doa-completed-template 2017-08-30*/
   { 260, "AMTRELAY" }, /* Automatic Multicast Tunneling Relay [RFC8777] AMTRELAY/amtrelay-completed-template 2019-02-06*/
+  { 261, "RESINFO" }, /* Resolver Information as Key/Value Pairs https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/06/ */
+  { 262, "WALLET" }, /* Public wallet address https://www.iana.org/assignments/dns-parameters/WALLET/wallet-completed-template */
+  { 263, "CLA" }, /*  BP Convergence Layer Adapter https://www.iana.org/go/draft-johnson-dns-ipn-cla-07 */
+  { 264, "IPN" }, /* BP Node Number https://www.iana.org/go/draft-johnson-dns-ipn-cla-07 */
   { 32768,  "TA" }, /* DNSSEC Trust Authorities [Sam_Weiler][http://cameo.library.cmu.edu/][ Deploying DNSSEC Without a Signed Root. Technical Report 1999-19, Information Networking Institute, Carnegie Mellon University, April 2004.] 2005-12-13*/
   { 32769,  "DLV" }, /* DNSSEC Lookaside Validation (OBSOLETE) [RFC8749][RFC4431] */
 };
@@ -132,6 +140,17 @@ static void cache_link(struct crec *crecp);
 static void rehash(int size);
 static void cache_hash(struct crec *crecp);
 
+unsigned short rrtype(char *in)
+{
+  unsigned int i;
+  
+  for (i = 0; i < (sizeof(typestr)/sizeof(typestr[0])); i++)
+    if (strcasecmp(in, typestr[i].name) == 0)
+      return typestr[i].type;
+
+  return 0;
+}
+
 void next_uid(struct crec *crecp)
 {
   static unsigned int uid = 0;
@@ -235,19 +254,23 @@ static void cache_hash(struct crec *crecp)
 
   char *name = cache_get_name(crecp);
   struct crec **up = hash_bucket(name);
-
-  if (!(crecp->flags & F_REVERSE))
+  unsigned int flags = crecp->flags & (F_IMMORTAL | F_REVERSE);
+  
+  if (!(flags & F_REVERSE))
     {
       while (*up && ((*up)->flags & F_REVERSE))
 	up = &((*up)->hash_next); 
       
-      if (crecp->flags & F_IMMORTAL)
+      if (flags & F_IMMORTAL)
 	while (*up && !((*up)->flags & F_IMMORTAL))
 	  up = &((*up)->hash_next);
     }
 
-  /* Preserve order when inserting the same name multiple times. */
-  while (*up && hostname_isequal(cache_get_name(*up), name))
+  /* Preserve order when inserting the same name multiple times.
+     Do not mess up the flag invariants. */
+  while (*up &&
+	 hostname_isequal(cache_get_name(*up), name) &&
+	 flags == ((*up)->flags & (F_IMMORTAL | F_REVERSE)))
     up = &((*up)->hash_next);
   
   crecp->hash_next = *up;
@@ -258,8 +281,8 @@ static void cache_blockdata_free(struct crec *crecp)
 {
   if (!(crecp->flags & F_NEG))
     {
-      if (crecp->flags & F_SRV)
-	blockdata_free(crecp->addr.srv.target);
+      if ((crecp->flags & F_RR) && (crecp->flags & F_KEYTAG))
+	blockdata_free(crecp->addr.rrblock.rrdata);
 #ifdef HAVE_DNSSEC
       else if (crecp->flags & F_DNSKEY)
 	blockdata_free(crecp->addr.key.keydata);
@@ -407,18 +430,21 @@ unsigned int cache_remove_uid(const unsigned int uid)
 {
   int i;
   unsigned int removed = 0;
-  struct crec *crecp, **up;
+  struct crec *crecp, *tmp, **up;
 
   for (i = 0; i < hash_size; i++)
-    for (crecp = hash_table[i], up = &hash_table[i]; crecp; crecp = crecp->hash_next)
-      if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && crecp->uid == uid)
-	{
-	  *up = crecp->hash_next;
-	  free(crecp);
-	  removed++;
-	}
-      else
-	up = &crecp->hash_next;
+    for (crecp = hash_table[i], up = &hash_table[i]; crecp; crecp = tmp)
+      {
+	tmp = crecp->hash_next;
+	if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && crecp->uid == uid)
+	  {
+	    *up = tmp;
+	    free(crecp);
+	    removed++;
+	  }
+	else
+	  up = &crecp->hash_next;
+      }
   
   return removed;
 }
@@ -452,9 +478,20 @@ static struct crec *cache_scan_free(char *name, union all_addr *addr, unsigned s
 	{
 	  if ((crecp->flags & F_FORWARD) && hostname_isequal(cache_get_name(crecp), name))
 	    {
+	      int rrmatch = 0;
+	      if (addr && (crecp->flags & flags & F_RR))
+		{
+		  unsigned short rrc = (crecp->flags & F_KEYTAG) ? crecp->addr.rrblock.rrtype : crecp->addr.rrdata.rrtype;
+		  unsigned short rra = (flags & F_KEYTAG) ? addr->rrblock.rrtype : addr->rrdata.rrtype;
+
+		  if (rrc == rra)
+		    rrmatch = 1;
+		}
+
 	      /* Don't delete DNSSEC in favour of a CNAME, they can co-exist */
-	      if ((flags & crecp->flags & (F_IPV4 | F_IPV6 | F_SRV | F_NXDOMAIN)) || 
-		  (((crecp->flags | flags) & F_CNAME) && !(crecp->flags & (F_DNSKEY | F_DS))))
+	      if ((flags & crecp->flags & (F_IPV4 | F_IPV6 | F_NXDOMAIN)) || 
+		  (((crecp->flags | flags) & F_CNAME) && !(crecp->flags & (F_DNSKEY | F_DS))) ||
+		  rrmatch)
 		{
 		  if (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG))
 		    return crecp;
@@ -594,15 +631,15 @@ static struct crec *really_insert(char *name, union all_addr *addr, unsigned sho
   struct crec *new, *target_crec = NULL;
   union bigname *big_name = NULL;
   int freed_all = (flags & F_REVERSE);
-  int free_avail = 0;
+  struct crec *free_avail = NULL;
   unsigned int target_uid;
   
   /* if previous insertion failed give up now. */
   if (insert_error)
     return NULL;
 
-  /* we don't cache zero-TTL records. */
-  if (ttl == 0)
+  /* we don't cache zero-TTL records unless we're doing stale-caching. */
+  if (daemon->cache_max_expiry == 0 && ttl == 0)
     {
       insert_error = 1;
       return NULL;
@@ -642,7 +679,7 @@ static struct crec *really_insert(char *name, union all_addr *addr, unsigned sho
       
       /* Free entry at end of LRU list, use it. */
       if (!(new->flags & (F_FORWARD | F_REVERSE)))
-	break;
+	break; 
 
       /* End of LRU list is still in use: if we didn't scan all the hash
 	 chains for expired entries do that now. If we already tried that
@@ -654,12 +691,9 @@ static struct crec *really_insert(char *name, union all_addr *addr, unsigned sho
 	 insert. Once in this state, all inserts will probably fail. */
       if (free_avail)
 	{
-	  static int warned = 0;
-	  if (!warned)
-	    {
-	      my_syslog(LOG_ERR, _("Internal error in cache."));
-	      warned = 1;
-	    }
+	  my_syslog(LOG_ERR, _("Internal error in cache."));
+	  /* Log the entry we tried to delete. */
+	  dump_cache_entry(free_avail, now);
 	  insert_error = 1;
 	  return NULL;
 	}
@@ -667,13 +701,13 @@ static struct crec *really_insert(char *name, union all_addr *addr, unsigned sho
       if (freed_all)
 	{
 	  /* For DNSSEC records, uid holds class. */
-	  free_avail = 1; /* Must be free space now. */
+	  free_avail = new; /* Must be free space now. */
 	  
 	  /* condition valid when stale-caching */
 	  if (difftime(now, new->ttd) < 0)
 	    daemon->metrics[METRIC_DNS_CACHE_LIVE_FREED]++;
 	  
-	  cache_scan_free(cache_get_name(new), &new->addr, new->uid, now, new->flags, NULL, NULL);
+	  cache_scan_free(cache_get_name(new), &new->addr, new->uid, now, new->flags, NULL, NULL); 
 	}
       else
 	{
@@ -769,28 +803,27 @@ void cache_end_insert(void)
 	      u16 class = new_chain->uid;
 #endif
 	      
-	      read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0);
-	      read_write(daemon->pipe_to_parent, (unsigned char *)name, m, 0);
-	      read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->ttd, sizeof(new_chain->ttd), 0);
-	      read_write(daemon->pipe_to_parent, (unsigned  char *)&flags, sizeof(flags), 0);
-
-	      if (flags & (F_IPV4 | F_IPV6 | F_DNSKEY | F_DS | F_SRV))
-		read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr, sizeof(new_chain->addr), 0);
-	      if (flags & F_SRV)
+	      read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), RW_WRITE);
+	      read_write(daemon->pipe_to_parent, (unsigned char *)name, m, RW_WRITE);
+	      read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->ttd, sizeof(new_chain->ttd), RW_WRITE);
+	      read_write(daemon->pipe_to_parent, (unsigned  char *)&flags, sizeof(flags), RW_WRITE);
+	      read_write(daemon->pipe_to_parent, (unsigned char *)&new_chain->addr, sizeof(new_chain->addr), RW_WRITE);
+	      
+	      if (flags & F_RR)
 		{
-		  /* A negative SRV entry is possible and has no data, obviously. */
-		  if (!(flags & F_NEG))
-		    blockdata_write(new_chain->addr.srv.target, new_chain->addr.srv.targetlen, daemon->pipe_to_parent);
+		  /* A negative RR entry is possible and has no data, obviously. */
+		  if (!(flags & F_NEG) && (flags & F_KEYTAG))
+		    blockdata_write(new_chain->addr.rrblock.rrdata, new_chain->addr.rrblock.datalen, daemon->pipe_to_parent);
 		}
 #ifdef HAVE_DNSSEC
 	      if (flags & F_DNSKEY)
 		{
-		  read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), 0);
+		  read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), RW_WRITE);
 		  blockdata_write(new_chain->addr.key.keydata, new_chain->addr.key.keylen, daemon->pipe_to_parent);
 		}
 	      else if (flags & F_DS)
 		{
-		  read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), 0);
+		  read_write(daemon->pipe_to_parent, (unsigned char *)&class, sizeof(class), RW_WRITE);
 		  /* A negative DS entry is possible and has no data, obviously. */
 		  if (!(flags & F_NEG))
 		    blockdata_write(new_chain->addr.ds.keydata, new_chain->addr.ds.keylen, daemon->pipe_to_parent);
@@ -806,7 +839,18 @@ void cache_end_insert(void)
   if (daemon->pipe_to_parent != -1)
     {
       ssize_t m = -1;
-      read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0);
+
+      read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), RW_WRITE);
+
+#ifdef HAVE_DNSSEC
+      /* Sneak out possibly updated crypto HWM values. */
+      m = daemon->metrics[METRIC_CRYPTO_HWM];
+      read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), RW_WRITE);
+      m = daemon->metrics[METRIC_SIG_FAIL_HWM];
+      read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), RW_WRITE);
+      m = daemon->metrics[METRIC_WORK_HWM];
+      read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), RW_WRITE);
+#endif
     }
       
   new_chain = NULL;
@@ -825,55 +869,93 @@ int cache_recv_insert(time_t now, int fd)
   
   cache_start_insert();
   
-  while(1)
+  while (1)
     {
  
-      if (!read_write(fd, (unsigned char *)&m, sizeof(m), 1))
+      if (!read_write(fd, (unsigned char *)&m, sizeof(m), RW_READ))
 	return 0;
       
       if (m == -1)
 	{
+#ifdef HAVE_DNSSEC
+	  /* Sneak in possibly updated crypto HWM. */
+	  if (!read_write(fd, (unsigned char *)&m, sizeof(m), RW_READ))
+	    return 0;
+	  if (m > daemon->metrics[METRIC_CRYPTO_HWM])
+	    daemon->metrics[METRIC_CRYPTO_HWM] = m;
+	  if (!read_write(fd, (unsigned char *)&m, sizeof(m), RW_READ))
+	    return 0;
+	  if (m > daemon->metrics[METRIC_SIG_FAIL_HWM])
+	    daemon->metrics[METRIC_SIG_FAIL_HWM] = m;
+	  if (!read_write(fd, (unsigned char *)&m, sizeof(m), RW_READ))
+	    return 0;
+	  if (m > daemon->metrics[METRIC_WORK_HWM])
+	    daemon->metrics[METRIC_WORK_HWM] = m;
+#endif
 	  cache_end_insert();
 	  return 1;
 	}
 
-      if (!read_write(fd, (unsigned char *)daemon->namebuff, m, 1) ||
-	  !read_write(fd, (unsigned char *)&ttd, sizeof(ttd), 1) ||
-	  !read_write(fd, (unsigned char *)&flags, sizeof(flags), 1))
+#ifdef HAVE_DNSSEC
+      /* UDP validation moved to TCP to avoid truncation. 
+	 Restart UDP validation process with the returned result. */
+      if (m == -2)
+	{
+	  int status, uid, keycount, validatecount;
+	  int *keycountp, *validatecountp;
+	  size_t ret_len;
+	  
+	  struct frec *forward;
+	  
+	  if (!read_write(fd, (unsigned char *)&status, sizeof(status), RW_READ))
+	    return 0;
+	  if (!read_write(fd, (unsigned char *)&ret_len, sizeof(ret_len), RW_READ))
+	    return 0;
+	  if (!read_write(fd, (unsigned char *)daemon->packet, ret_len, RW_READ))
+	    return 0;
+	  if (!read_write(fd, (unsigned char *)&forward, sizeof(forward), RW_READ))
+	    return 0;
+	  if (!read_write(fd, (unsigned char *)&uid, sizeof(uid), RW_READ))
+	    return 0;
+	  if (!read_write(fd, (unsigned char *)&keycount, sizeof(keycount), RW_READ))
+	    return 0;
+	  if (!read_write(fd, (unsigned char *)&keycountp, sizeof(keycountp), RW_READ))
+	    return 0;
+	  if (!read_write(fd, (unsigned char *)&validatecount, sizeof(validatecount), RW_READ))
+	    return 0;
+	  if (!read_write(fd, (unsigned char *)&validatecountp, sizeof(validatecountp), RW_READ))
+	    return 0;
+	  
+	  /* There's a tiny chance that the frec may have been freed 
+	     and reused before the TCP process returns. Detect that with
+	     the uid field which is unique modulo 2^32 for each use. */
+	  if (uid == forward->uid)
+	    {
+	      /* repatriate the work counters from the child process. */
+	      *keycountp = keycount;
+	      *validatecountp = validatecount;
+	      
+	      if (!forward->dependent)
+		return_reply(now, forward, (struct dns_header *)daemon->packet, ret_len, status);
+	      else
+		pop_and_retry_query(forward, status, now);
+	    }
+	  
+	  return 1;
+	}
+#endif
+       
+      if (!read_write(fd, (unsigned char *)daemon->namebuff, m, RW_READ) ||
+	  !read_write(fd, (unsigned char *)&ttd, sizeof(ttd), RW_READ) ||
+	  !read_write(fd, (unsigned char *)&flags, sizeof(flags), RW_READ) ||
+	  !read_write(fd, (unsigned char *)&addr, sizeof(addr), RW_READ))
 	return 0;
 
       daemon->namebuff[m] = 0;
 
       ttl = difftime(ttd, now);
       
-      if (flags & (F_IPV4 | F_IPV6 | F_DNSKEY | F_DS | F_SRV))
-	{
-	  unsigned short class = C_IN;
-
-	  if (!read_write(fd, (unsigned char *)&addr, sizeof(addr), 1))
-	    return 0;
-
-	  if ((flags & F_SRV) && !(flags & F_NEG) && !(addr.srv.target = blockdata_read(fd, addr.srv.targetlen)))
-	    return 0;
-	
-#ifdef HAVE_DNSSEC
-	   if (flags & F_DNSKEY)
-	     {
-	       if (!read_write(fd, (unsigned char *)&class, sizeof(class), 1) ||
-		   !(addr.key.keydata = blockdata_read(fd, addr.key.keylen)))
-		 return 0;
-	     }
-	   else  if (flags & F_DS)
-	     {
-	        if (!read_write(fd, (unsigned char *)&class, sizeof(class), 1) ||
-		    (!(flags & F_NEG) && !(addr.key.keydata = blockdata_read(fd, addr.key.keylen))))
-		  return 0;
-	     }
-#endif
-	       
-	  crecp = really_insert(daemon->namebuff, &addr, class, now, ttl, flags);
-	}
-      else if (flags & F_CNAME)
+      if (flags & F_CNAME)
 	{
 	  struct crec *newc = really_insert(daemon->namebuff, NULL, C_IN, now, ttl, flags);
 	  /* This relies on the fact that the target of a CNAME immediately precedes
@@ -881,11 +963,11 @@ int cache_recv_insert(time_t now, int fd)
 	     the order reversal on the new_chain. */
 	  if (newc)
 	    {
-	       newc->addr.cname.is_name_ptr = 0;
-	       
-	       if (!crecp)
-		 newc->addr.cname.target.cache = NULL;
-	       else
+	      newc->addr.cname.is_name_ptr = 0;
+	      
+	      if (!crecp)
+		newc->addr.cname.target.cache = NULL;
+	      else
 		{
 		  next_uid(crecp);
 		  newc->addr.cname.target.cache = crecp;
@@ -893,6 +975,29 @@ int cache_recv_insert(time_t now, int fd)
 		}
 	    }
 	}
+      else
+	{
+	  unsigned short class = C_IN;
+
+	  if ((flags & F_RR) && !(flags & F_NEG) && (flags & F_KEYTAG)
+	      && !(addr.rrblock.rrdata = blockdata_read(fd, addr.rrblock.datalen)))
+	    return 0;
+#ifdef HAVE_DNSSEC
+	  if (flags & F_DNSKEY)
+	    {
+	      if (!read_write(fd, (unsigned char *)&class, sizeof(class), RW_READ) ||
+		  !(addr.key.keydata = blockdata_read(fd, addr.key.keylen)))
+		return 0;
+	    }
+	  else  if (flags & F_DS)
+	    {
+	      if (!read_write(fd, (unsigned char *)&class, sizeof(class), RW_READ) ||
+		  (!(flags & F_NEG) && !(addr.key.keydata = blockdata_read(fd, addr.key.keylen))))
+		return 0;
+	    }
+#endif
+	  crecp = really_insert(daemon->namebuff, &addr, class, now, ttl, flags);
+	}
     }
 }
 	
@@ -1080,7 +1185,6 @@ static void add_hosts_entry(struct crec *cache, union all_addr *addr, int addrle
      the array rhash, hashed on address. Note that rhash and the values
      in ->next are only valid  whilst reading hosts files: the buckets are
      then freed, and the ->next pointer used for other things. 
-
      Only insert each unique address once into this hashing structure.
 
      This complexity avoids O(n^2) divergent CPU use whilst reading
@@ -1344,11 +1448,17 @@ void cache_reload(void)
 	cache->flags = F_FORWARD | F_IMMORTAL | F_DS | F_CONFIG | F_NAMEP;
 	cache->ttd = daemon->local_ttl;
 	cache->name.namep = ds->name;
-	cache->addr.ds.keylen = ds->digestlen;
-	cache->addr.ds.algo = ds->algo;
-	cache->addr.ds.keytag = ds->keytag;
-	cache->addr.ds.digest = ds->digest_type;
 	cache->uid = ds->class;
+	if (ds->digestlen != 0)
+	  {
+	    cache->addr.ds.keylen = ds->digestlen;
+	    cache->addr.ds.algo = ds->algo;
+	    cache->addr.ds.keytag = ds->keytag;
+	    cache->addr.ds.digest = ds->digest_type;
+	  }
+	else
+	  cache->flags |= F_NEG | F_DNSSECOK | F_NO_RR;
+	
 	cache_hash(cache);
 	make_non_terminals(cache);
       }
@@ -1586,7 +1696,7 @@ static void make_non_terminals(struct crec *source)
       if (!is_outdated_cname_pointer(crecp) &&
 	  (crecp->flags & F_FORWARD) &&
 	  (crecp->flags & type) &&
-	  !(crecp->flags & (F_IPV4 | F_IPV6 | F_CNAME | F_SRV | F_DNSKEY | F_DS)) && 
+	  !(crecp->flags & (F_IPV4 | F_IPV6 | F_CNAME | F_DNSKEY | F_DS | F_RR)) && 
 	  hostname_isequal(name, cache_get_name(crecp)))
 	{
 	  *up = crecp->hash_next;
@@ -1643,7 +1753,7 @@ static void make_non_terminals(struct crec *source)
 
       if (crecp)
 	{
-	  crecp->flags = (source->flags | F_NAMEP) & ~(F_IPV4 | F_IPV6 | F_CNAME | F_SRV | F_DNSKEY | F_DS | F_REVERSE);
+	  crecp->flags = (source->flags | F_NAMEP) & ~(F_IPV4 | F_IPV6 | F_CNAME | F_RR | F_DNSKEY | F_DS | F_REVERSE);
 	  if (!(crecp->flags & F_IMMORTAL))
 	    crecp->ttd = source->ttd;
 	  crecp->name.namep = name;
@@ -1748,18 +1858,128 @@ int cache_make_stat(struct txt_record *t)
 #endif
 
 /* There can be names in the cache containing control chars, don't 
-   mess up logging or open security holes. */
+   mess up logging or open security holes. Also convert to all-LC
+   so that 0x20-encoding doesn't make logs look like ransom notes
+   made out of letters cut from a newspaper.
+   Overwrites daemon->workspacename */
 static char *sanitise(char *name)
 {
-  unsigned char *r;
+  unsigned char *r = (unsigned char *)name;
+  
   if (name)
-    for (r = (unsigned char *)name; *r; r++)
-      if (!isprint((int)*r))
-	return "<name unprintable>";
-
+    {
+      char *d = name = daemon->workspacename;
+      
+      for (; *r; r++, d++)
+	if (!isprint((int)*r))
+	  return "<name unprintable>";
+	else
+	  {
+	    unsigned char c = *r;
+	    
+	    *d = (char)((c >= 'A' && c <= 'Z') ? c + 'a' - 'A' : c);
+	  }
+      
+      *d = 0;
+    }
+  
   return name;
 }
 
+static void dump_cache_entry(struct crec *cache, time_t now)
+{
+  (void)now;
+  static char *buff = NULL;
+  
+  char *p, *t = " ";
+  char *a = daemon->addrbuff, *n = cache_get_name(cache);
+
+  /* String length is limited below */
+  if (!buff && !(buff = whine_malloc(150)))
+    return;
+  
+  p = buff;
+  
+  *a = 0;
+
+  if (cache->flags & F_REVERSE)
+    {
+      if ((cache->flags & F_NEG))
+	n = "";
+    }
+  else
+    {
+      if (strlen(n) == 0)
+	n = "<Root>";
+    }
+  
+  p += sprintf(p, "%-30.30s ", sanitise(n));
+  if ((cache->flags & F_CNAME) && !is_outdated_cname_pointer(cache))
+    a = sanitise(cache_get_cname_target(cache));
+  else if (cache->flags & F_RR)
+    {
+      if (cache->flags & F_KEYTAG)
+	sprintf(a, "%s", querystr(NULL, cache->addr.rrblock.rrtype));
+      else
+	sprintf(a, "%s", querystr(NULL, cache->addr.rrdata.rrtype));
+    }
+#ifdef HAVE_DNSSEC
+  else if (cache->flags & F_DS)
+    {
+      if (!(cache->flags & F_NEG))
+	sprintf(a, "%5u %3u %3u", cache->addr.ds.keytag,
+		cache->addr.ds.algo, cache->addr.ds.digest);
+    }
+  else if (cache->flags & F_DNSKEY)
+    sprintf(a, "%5u %3u %3u", cache->addr.key.keytag,
+	    cache->addr.key.algo, cache->addr.key.flags);
+#endif
+  else if (!(cache->flags & F_NEG) || !(cache->flags & F_FORWARD))
+    { 
+      a = daemon->addrbuff;
+      if (cache->flags & F_IPV4)
+	inet_ntop(AF_INET, &cache->addr, a, ADDRSTRLEN);
+      else if (cache->flags & F_IPV6)
+	inet_ntop(AF_INET6, &cache->addr, a, ADDRSTRLEN);
+    }
+  
+  if (cache->flags & F_IPV4)
+    t = "4";
+  else if (cache->flags & F_IPV6)
+    t = "6";
+  else if (cache->flags & F_CNAME)
+    t = "C";
+  else if (cache->flags & F_RR)
+    t = "T";
+#ifdef HAVE_DNSSEC
+  else if (cache->flags & F_DS)
+    t = "S";
+  else if (cache->flags & F_DNSKEY)
+    t = "K";
+#endif
+  else if (!(cache->flags & F_NXDOMAIN)) /* non-terminal */
+    t = "!";
+  
+  p += sprintf(p, "%-40.40s %s%s%s%s%s%s%s%s%s%s ", a, t,
+	       cache->flags & F_FORWARD ? "F" : " ",
+	       cache->flags & F_REVERSE ? "R" : " ",
+	       cache->flags & F_IMMORTAL ? "I" : " ",
+	       cache->flags & F_DHCP ? "D" : " ",
+	       cache->flags & F_NEG ? "N" : " ",
+	       cache->flags & F_NXDOMAIN ? "X" : " ",
+	       cache->flags & F_HOSTS ? "H" : " ",
+	       cache->flags & F_CONFIG ? "C" : " ",
+	       cache->flags & F_DNSSECOK ? "V" : " ");
+#ifdef HAVE_BROKEN_RTC
+  p += sprintf(p, "%-24lu", cache->flags & F_IMMORTAL ? 0: (unsigned long)(cache->ttd - now));
+#else
+  p += sprintf(p, "%-24.24s", cache->flags & F_IMMORTAL ? "" : ctime(&(cache->ttd)));
+#endif
+  if(cache->flags & (F_HOSTS | F_CONFIG) && cache->uid > 0)
+    p += sprintf(p, " %-40.40s", record_source(cache->uid));
+  
+  my_syslog(LOG_INFO, "%s", buff);
+}
 
 void dump_cache(time_t now)
 {
@@ -1775,9 +1995,19 @@ void dump_cache(time_t now)
 #ifdef HAVE_AUTH
   my_syslog(LOG_INFO, _("queries for authoritative zones %u"), daemon->metrics[METRIC_DNS_AUTH_ANSWERED]);
 #endif
+#ifdef HAVE_DNSSEC
+  my_syslog(LOG_INFO, _("DNSSEC per-query subqueries HWM %u"), daemon->metrics[METRIC_WORK_HWM]);
+  my_syslog(LOG_INFO, _("DNSSEC per-query crypto work HWM %u"), daemon->metrics[METRIC_CRYPTO_HWM]);
+  my_syslog(LOG_INFO, _("DNSSEC per-RRSet signature fails HWM %u"), daemon->metrics[METRIC_SIG_FAIL_HWM]);
+#endif
 
   blockdata_report();
-
+  my_syslog(LOG_INFO, _("child processes for TCP requests: in use %zu, highest since last SIGUSR1 %zu, max allowed %zu."),
+	    daemon->metrics[METRIC_TCP_CONNECTIONS],
+	    daemon->max_procs_used,
+	    daemon->max_procs);
+  daemon->max_procs_used = daemon->metrics[METRIC_TCP_CONNECTIONS];
+  
   /* sum counts from different records for same server */
   for (serv = daemon->servers; serv; serv = serv->next)
     serv->flags &= ~SERV_MARK;
@@ -1807,90 +2037,14 @@ void dump_cache(time_t now)
 
   if (option_bool(OPT_DEBUG) || option_bool(OPT_LOG))
     {
-      struct crec *cache ;
+      struct crec *cache;
       int i;
       my_syslog(LOG_INFO, "Host                           Address                                  Flags      Expires                  Source");
       my_syslog(LOG_INFO, "------------------------------ ---------------------------------------- ---------- ------------------------ ------------");
     
       for (i=0; i<hash_size; i++)
 	for (cache = hash_table[i]; cache; cache = cache->hash_next)
-	  {
-	    char *t = " ";
-	    char *a = daemon->addrbuff, *p = daemon->namebuff, *n = cache_get_name(cache);
-	    *a = 0;
-	    if (strlen(n) == 0 && !(cache->flags & F_REVERSE))
-	      n = "<Root>";
-	    p += sprintf(p, "%-30.30s ", sanitise(n));
-	    if ((cache->flags & F_CNAME) && !is_outdated_cname_pointer(cache))
-	      a = sanitise(cache_get_cname_target(cache));
-	    else if ((cache->flags & F_SRV) && !(cache->flags & F_NEG))
-	      {
-		int targetlen = cache->addr.srv.targetlen;
-		ssize_t len = sprintf(a, "%u %u %u ", cache->addr.srv.priority,
-				      cache->addr.srv.weight, cache->addr.srv.srvport);
-
-		if (targetlen > (40 - len))
-		  targetlen = 40 - len;
-		blockdata_retrieve(cache->addr.srv.target, targetlen, a + len);
-		a[len + targetlen] = 0;		
-	      }
-#ifdef HAVE_DNSSEC
-	    else if (cache->flags & F_DS)
-	      {
-		if (!(cache->flags & F_NEG))
-		  sprintf(a, "%5u %3u %3u", cache->addr.ds.keytag,
-			  cache->addr.ds.algo, cache->addr.ds.digest);
-	      }
-	    else if (cache->flags & F_DNSKEY)
-	      sprintf(a, "%5u %3u %3u", cache->addr.key.keytag,
-		      cache->addr.key.algo, cache->addr.key.flags);
-#endif
-	    else if (!(cache->flags & F_NEG) || !(cache->flags & F_FORWARD))
-	      { 
-		a = daemon->addrbuff;
-		if (cache->flags & F_IPV4)
-		  inet_ntop(AF_INET, &cache->addr, a, ADDRSTRLEN);
-		else if (cache->flags & F_IPV6)
-		  inet_ntop(AF_INET6, &cache->addr, a, ADDRSTRLEN);
-	      }
-
-	    if (cache->flags & F_IPV4)
-	      t = "4";
-	    else if (cache->flags & F_IPV6)
-	      t = "6";
-	    else if (cache->flags & F_CNAME)
-	      t = "C";
-	    else if (cache->flags & F_SRV)
-	      t = "V";
-#ifdef HAVE_DNSSEC
-	    else if (cache->flags & F_DS)
-	      t = "S";
-	    else if (cache->flags & F_DNSKEY)
-	      t = "K";
-#endif
-	    else /* non-terminal */
-	      t = "!";
-
-	    p += sprintf(p, "%-40.40s %s%s%s%s%s%s%s%s%s%s ", a, t,
-			 cache->flags & F_FORWARD ? "F" : " ",
-			 cache->flags & F_REVERSE ? "R" : " ",
-			 cache->flags & F_IMMORTAL ? "I" : " ",
-			 cache->flags & F_DHCP ? "D" : " ",
-			 cache->flags & F_NEG ? "N" : " ",
-			 cache->flags & F_NXDOMAIN ? "X" : " ",
-			 cache->flags & F_HOSTS ? "H" : " ",
-			 cache->flags & F_CONFIG ? "C" : " ",
-			 cache->flags & F_DNSSECOK ? "V" : " ");
-#ifdef HAVE_BROKEN_RTC
-	    p += sprintf(p, "%-24lu", cache->flags & F_IMMORTAL ? 0: (unsigned long)(cache->ttd - now));
-#else
-	    p += sprintf(p, "%-24.24s", cache->flags & F_IMMORTAL ? "" : ctime(&(cache->ttd)));
-#endif
-	    if(cache->flags & (F_HOSTS | F_CONFIG) && cache->uid > 0)
-		p += sprintf(p, " %s", record_source(cache->uid));
-
-	    my_syslog(LOG_INFO, "%s", daemon->namebuff);
-	  }
+	  dump_cache_entry(cache, now);
     }
 }
 
@@ -2005,15 +2159,21 @@ static char *edestr(int ede)
     case EDE_NO_AUTH:                     return "no reachable authority";
     case EDE_NETERR:                      return "network error";
     case EDE_INVALID_DATA:                return "invalid data";
+    case EDE_SIG_E_B_V:                   return "signature expired before valid";
+    case EDE_TOO_EARLY:                   return "too early";
+    case EDE_UNS_NS3_ITER:                return "unsupported NSEC3 iterations value";
+    case EDE_UNABLE_POLICY:               return "uanble to conform to policy";
+    case EDE_SYNTHESIZED:                 return "synthesized";
     default:                              return "unknown";
     }
 }
 
 void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg, unsigned short type)
 {
-  char *source, *dest = arg;
+  char *source, *dest;
   char *verb = "is";
   char *extra = "";
+  char *gap = " ";
   char portstring[7]; /* space for #<portnum> */
   
   if (!option_bool(OPT_LOG))
@@ -2023,6 +2183,8 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
   if (!(flags & (F_SERVER | F_IPSET)) && type > 0)
     arg = querystr(arg, type);
 
+  dest = arg;
+
 #ifdef HAVE_DNSSEC
   if ((flags & F_DNSSECOK) && option_bool(OPT_EXTRALOG))
     extra = " (DNSSEC signed)";
@@ -2034,7 +2196,14 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
     {
       dest = daemon->addrbuff;
 
-      if (flags & F_KEYTAG)
+       if (flags & F_RR)
+	 {
+	   if (flags & F_KEYTAG)
+	     dest = querystr(NULL, addr->rrblock.rrtype);
+	   else
+	     dest = querystr(NULL, addr->rrdata.rrtype);
+	 }
+       else if (flags & F_KEYTAG)
 	sprintf(daemon->addrbuff, arg, addr->log.keytag, addr->log.algo, addr->log.digest);
       else if (flags & F_RCODE)
 	{
@@ -2091,8 +2260,6 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
     }
   else if (flags & F_CNAME)
     dest = "<CNAME>";
-  else if (flags & F_SRV)
-    dest = "<SRV>";
   else if (flags & F_RRNAME)
     dest = arg;
     
@@ -2116,12 +2283,12 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
     }
   else if (flags & F_AUTH)
     source = "auth";
-   else if (flags & F_DNSSEC)
+  else if (flags & F_DNSSEC)
     {
       source = arg;
       verb = "to";
     }
-   else if (flags & F_SERVER)
+  else if (flags & F_SERVER)
     {
       source = "forwarded";
       verb = "to";
@@ -2143,19 +2310,30 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
   else
     source = "cached";
   
-  if (name && !name[0])
+  if (!name)
+    gap = name = "";
+  else if (!name[0])
     name = ".";
-
+  
   if (option_bool(OPT_EXTRALOG))
     {
-      if (flags & F_NOEXTRA)
-	my_syslog(LOG_INFO, "%u %s %s %s %s%s", daemon->log_display_id, source, name, verb, dest, extra);
+      int display_id = daemon->log_display_id;
+      char *proto = "";
+
+      if (option_bool(OPT_LOG_PROTO))
+	proto = (display_id < 0) ? "TCP " : "UDP ";
+      
+      if (display_id < 0)
+	display_id = -display_id;
+      
+      if (flags & F_NOEXTRA || !daemon->log_source_addr)
+	my_syslog(LOG_INFO, "%s%u %s %s%s%s %s%s", proto, display_id, source, name, gap, verb, dest, extra);
       else
 	{
 	   int port = prettyprint_addr(daemon->log_source_addr, daemon->addrbuff2);
-	   my_syslog(LOG_INFO, "%u %s/%u %s %s %s %s%s", daemon->log_display_id, daemon->addrbuff2, port, source, name, verb, dest, extra);
+	   my_syslog(LOG_INFO, "%s%u %s/%u %s %s%s%s %s%s", proto, display_id, daemon->addrbuff2, port, source, name, gap, verb, dest, extra);
 	}
     }
   else
-    my_syslog(LOG_INFO, "%s %s %s %s%s", source, name, verb, dest, extra);
+    my_syslog(LOG_INFO, "%s %s%s%s %s%s", source, name, gap, verb, dest, extra);
 }

src/config.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -15,14 +15,18 @@
 */
 
 #define FTABSIZ 150 /* max number of outstanding requests (default) */
-#define MAX_PROCS 20 /* max no children for TCP requests */
+#define MAX_PROCS 20 /* default max no children for TCP requests */
 #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
 #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
+#define TCP_TIMEOUT 5 /* timeout waiting to connect to an upstream server - double this for answer */
 #define TCP_BACKLOG 32  /* kernel backlog limit for TCP connections */
-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
-#define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from  /dnsflagday.net/2020 */
 #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
-#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
+#define DNSSEC_LIMIT_WORK 40 /* Max number of queries to validate one question */
+#define DNSSEC_LIMIT_SIG_FAIL 20 /* Number of signature that can fail to validate in one answer */
+#define DNSSEC_LIMIT_CRYPTO 200 /* max no. of crypto operations to validate one query. */
+#define DNSSEC_LIMIT_NSEC3_ITERS 150 /* Max. number if iterations allowed in NSEC3 record. */
+#define DNSSEC_ASSUMED_DS_TTL 3600 /* TTL for negative DS records implied by server=/domain/ */
 #define TIMEOUT 10     /* drop UDP queries after TIMEOUT seconds */
 #define SMALL_PORT_RANGE 30 /* If DNS port range is smaller than this, use different allocation. */
 #define FORWARD_TEST 50 /* try all servers every 50 queries */
@@ -126,9 +130,6 @@ HAVE_AUTH
    define this to include the facility to act as an authoritative DNS
    server for one or more zones.
 
-HAVE_CRYPTOHASH
-   include just hash function from crypto library, but no DNSSEC.
-
 HAVE_DNSSEC
    include DNSSEC validator.
 
@@ -197,7 +198,6 @@ RESOLVFILE
 /* #define HAVE_IDN */
 /* #define HAVE_LIBIDN2 */
 /* #define HAVE_CONNTRACK */
-/* #define HAVE_CRYPTOHASH */
 /* #define HAVE_DNSSEC */
 /* #define HAVE_NFTSET */
 
@@ -363,6 +363,11 @@ HAVE_SOCKADDR_SA_LEN
 #define HAVE_INOTIFY
 #endif
 
+/* This never compiles code, it's only used by the makefile to fingerprint builds. */
+#ifdef DNSMASQ_COMPILE_FLAGS
+static char *compile_flags = DNSMASQ_COMPILE_FLAGS;
+#endif
+
 /* Define a string indicating which options are in use.
    DNSMASQ_COMPILE_OPTS is only defined in dnsmasq.c */
 
@@ -435,10 +440,6 @@ static char *compile_opts =
 "no-"
 #endif
 "auth "
-#if !defined(HAVE_CRYPTOHASH) && !defined(HAVE_DNSSEC)
-"no-"
-#endif
-"cryptohash "
 #ifndef HAVE_DNSSEC
 "no-"
 #endif

src/conntrack.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/crypto.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -16,7 +16,7 @@
 
 #include "dnsmasq.h"
 
-#if defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH)
+#if defined(HAVE_DNSSEC)
 
 /* Minimal version of nettle */
 
@@ -30,9 +30,6 @@
 #define MIN_VERSION(major, minor) ((NETTLE_VERSION_MAJOR == (major) && NETTLE_VERSION_MINOR >= (minor)) || \
 				   (NETTLE_VERSION_MAJOR > (major)))
 
-#endif /* defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH) */
-
-#if defined(HAVE_DNSSEC)
 #include <nettle/rsa.h>
 #include <nettle/ecdsa.h>
 #include <nettle/ecc-curve.h>
@@ -476,9 +473,6 @@ char *nsec3_digest_name(int digest)
     }
 }
 
-#endif /* defined(HAVE_DNSSEC) */
-
-#if defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH)
 /* Find pointer to correct hash function in nettle library */
 const struct nettle_hash *hash_find(char *name)
 {
@@ -509,4 +503,4 @@ const struct nettle_hash *hash_find(char *name)
 #endif
 }
 
-#endif /* defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH) */
+#endif /* defined(HAVE_DNSSEC) */

src/dbus.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -52,6 +52,12 @@ const char* introspection_xml_template =
 "    <method name=\"SetFilterWin2KOption\">\n"
 "      <arg name=\"filterwin2k\" direction=\"in\" type=\"b\"/>\n"
 "    </method>\n"
+"    <method name=\"SetFilterA\">\n"
+"      <arg name=\"filter-a\" direction=\"in\" type=\"b\"/>\n"
+"    </method>\n"
+"    <method name=\"SetFilterAAAA\">\n"
+"      <arg name=\"filter-aaaa\" direction=\"in\" type=\"b\"/>\n"
+"    </method>\n"
 "    <method name=\"SetLocaliseQueriesOption\">\n"
 "      <arg name=\"localise-queries\" direction=\"in\" type=\"b\"/>\n"
 "    </method>\n"
@@ -100,6 +106,7 @@ const char* introspection_xml_template =
 "</node>\n";
 
 static char *introspection_xml = NULL;
+static int watches_modified = 0;
 
 struct watch {
   DBusWatch *watch;      
@@ -121,6 +128,7 @@ static dbus_bool_t add_watch(DBusWatch *watch, void *data)
   w->watch = watch;
   w->next = daemon->watches;
   daemon->watches = w;
+  watches_modified++;
 
   (void)data; /* no warning */
   return TRUE;
@@ -128,7 +136,7 @@ static dbus_bool_t add_watch(DBusWatch *watch, void *data)
 
 static void remove_watch(DBusWatch *watch, void *data)
 {
-  struct watch **up, *w, *tmp;  
+  struct watch **up, *w, *tmp;
   
   for (up = &(daemon->watches), w = daemon->watches; w; w = tmp)
     {
@@ -137,6 +145,7 @@ static void remove_watch(DBusWatch *watch, void *data)
 	{
 	  *up = tmp;
 	  free(w);
+	  watches_modified++;
 	}
       else
 	up = &(w->next);
@@ -476,28 +485,37 @@ static DBusMessage* dbus_read_servers_ex(DBusMessage *message, int strings)
   return error;
 }
 
-static DBusMessage *dbus_set_bool(DBusMessage *message, int flag, char *name)
+static DBusMessage *dbus_get_bool(DBusMessage *message, dbus_bool_t *enabled, char *name)
 {
   DBusMessageIter iter;
-  dbus_bool_t enabled;
 
   if (!dbus_message_iter_init(message, &iter) || dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_BOOLEAN)
     return dbus_message_new_error(message, DBUS_ERROR_INVALID_ARGS, "Expected boolean argument");
   
-  dbus_message_iter_get_basic(&iter, &enabled);
-
-  if (enabled)
-    { 
-      my_syslog(LOG_INFO, _("Enabling --%s option from D-Bus"), name);
-      set_option_bool(flag);
-    }
+  dbus_message_iter_get_basic(&iter, enabled);
+  
+  if (*enabled)
+    my_syslog(LOG_INFO, _("Enabling --%s option from D-Bus"), name);
   else
+    my_syslog(LOG_INFO, _("Disabling --%s option from D-Bus"), name);
+  
+  return NULL;
+}
+
+static DBusMessage *dbus_set_bool(DBusMessage *message, int flag, char *name)
+{
+  dbus_bool_t val;
+  DBusMessage *reply = dbus_get_bool(message, &val, name);
+  
+  if (!reply)
     {
-      my_syslog(LOG_INFO, _("Disabling --%s option from D-Bus"), name);
-      reset_option_bool(flag);
+      if (val)
+	set_option_bool(flag);
+      else
+	reset_option_bool(flag);
     }
 
-  return NULL;
+  return reply;
 }
 
 #ifdef HAVE_DHCP
@@ -817,6 +835,42 @@ DBusHandlerResult message_handler(DBusConnection *connection,
     {
       reply = dbus_set_bool(message, OPT_FILTER, "filterwin2k");
     }
+  else if (strcmp(method, "SetFilterA") == 0)
+    {
+      static int done = 0;
+      static struct rrlist list = { 0, NULL };
+      dbus_bool_t enabled;
+
+      if (!(reply = dbus_get_bool(message, &enabled, "filter-A")))
+	{
+	  if (!done)
+	    {
+	      done = 1;
+	      list.next = daemon->filter_rr;
+	      daemon->filter_rr = &list;
+	    }
+
+	  list.rr = enabled ? T_A : 0;
+	}
+    }
+  else if (strcmp(method, "SetFilterAAAA") == 0)
+    {
+      static int done = 0;
+      static struct rrlist list = { 0, NULL };
+      dbus_bool_t enabled;
+      
+      if (!(reply = dbus_get_bool(message, &enabled, "filter-AAAA")))
+	{
+	  if (!done)
+	    {
+	      done = 1;
+	      list.next = daemon->filter_rr;
+	      daemon->filter_rr = &list;
+	    }
+	  
+	  list.rr = enabled ? T_AAAA : 0;
+	}
+    }
   else if (strcmp(method, "SetLocaliseQueriesOption") == 0)
     {
       reply = dbus_set_bool(message, OPT_LOCALISE, "localise-queries");
@@ -927,41 +981,53 @@ void set_dbus_listeners(void)
       {
 	unsigned int flags = dbus_watch_get_flags(w->watch);
 	int fd = dbus_watch_get_unix_fd(w->watch);
+	int poll_flags = POLLERR;
 	
 	if (flags & DBUS_WATCH_READABLE)
-	  poll_listen(fd, POLLIN);
-	
+	  poll_flags |= POLLIN;
 	if (flags & DBUS_WATCH_WRITABLE)
-	  poll_listen(fd, POLLOUT);
+	  poll_flags |= POLLOUT;
 	
-	poll_listen(fd, POLLERR);
+	poll_listen(fd, poll_flags);
       }
 }
 
-void check_dbus_listeners()
+static int check_dbus_watches()
 {
-  DBusConnection *connection = (DBusConnection *)daemon->dbus;
   struct watch *w;
 
+  watches_modified = 0;
   for (w = daemon->watches; w; w = w->next)
     if (dbus_watch_get_enabled(w->watch))
       {
 	unsigned int flags = 0;
 	int fd = dbus_watch_get_unix_fd(w->watch);
-	
-	if (poll_check(fd, POLLIN))
+	int poll_flags = poll_check(fd, POLLIN|POLLOUT|POLLERR);
+
+	if ((poll_flags & POLLIN) != 0)
 	  flags |= DBUS_WATCH_READABLE;
-	
-	if (poll_check(fd, POLLOUT))
+	if ((poll_flags & POLLOUT) != 0)
 	  flags |= DBUS_WATCH_WRITABLE;
-	
-	if (poll_check(fd, POLLERR))
+	if ((poll_flags & POLLERR) != 0)
 	  flags |= DBUS_WATCH_ERROR;
 
 	if (flags != 0)
-	  dbus_watch_handle(w->watch, flags);
+	  {
+	    dbus_watch_handle(w->watch, flags);
+	    if (watches_modified)
+	      return 0;
+	  }
       }
 
+  return 1;
+}
+
+void check_dbus_listeners()
+{
+  DBusConnection *connection = (DBusConnection *)daemon->dbus;
+
+  while (!check_dbus_watches()) ;
+
   if (connection)
     {
       dbus_connection_ref (connection);

src/dhcp-common.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -128,22 +128,41 @@ struct dhcp_netid *run_tag_if(struct dhcp_netid *tags)
   return tags;
 }
 
+/* pxemode == 0 -> don't include dhcp-option-pxe options.
+   pxemode == 1 -> do include dhcp-option-pxe options.
+   pxemode == 2 -> include ONLY dhcp-option-pxe options. */
+int pxe_ok(struct dhcp_opt *opt, int pxemode)
+{
+  if (opt->flags & DHOPT_PXE_OPT)
+    {
+      if (pxemode != 0)
+	return 1;
+    }
+  else
+    {
+      if (pxemode != 2)
+	return 1;
+    }
+  
+  return 0;
+}
 
-struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *context_tags, struct dhcp_opt *opts)
+struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *context_tags, struct dhcp_opt *opts, int pxemode)
 {
   struct dhcp_netid *tagif = run_tag_if(tags);
   struct dhcp_opt *opt;
   struct dhcp_opt *tmp;  
-
+  
   /* flag options which are valid with the current tag set (sans context tags) */
   for (opt = opts; opt; opt = opt->next)
     {
       opt->flags &= ~DHOPT_TAGOK;
       if (!(opt->flags & (DHOPT_ENCAPSULATE | DHOPT_VENDOR | DHOPT_RFC3925)) &&
-	  match_netid(opt->netid, tagif, 0))
+	  match_netid(opt->netid, tagif, 0) &&
+	  pxe_ok(opt, pxemode))
 	opt->flags |= DHOPT_TAGOK;
     }
-
+  
   /* now flag options which are valid, including the context tags,
      otherwise valid options are inhibited if we found a higher priority one above */
   if (context_tags)
@@ -163,7 +182,8 @@ struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *con
 
       for (opt = opts; opt; opt = opt->next)
 	if (!(opt->flags & (DHOPT_ENCAPSULATE | DHOPT_VENDOR | DHOPT_RFC3925 | DHOPT_TAGOK)) &&
-	    match_netid(opt->netid, tagif, 0))
+	    match_netid(opt->netid, tagif, 0) &&
+	    pxe_ok(opt, pxemode))
 	  {
 	    struct dhcp_opt *tmp;  
 	    for (tmp = opts; tmp; tmp = tmp->next) 
@@ -176,7 +196,9 @@ struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *con
   
   /* now flag untagged options which are not overridden by tagged ones */
   for (opt = opts; opt; opt = opt->next)
-    if (!(opt->flags & (DHOPT_ENCAPSULATE | DHOPT_VENDOR | DHOPT_RFC3925 | DHOPT_TAGOK)) && !opt->netid)
+    if (!(opt->flags & (DHOPT_ENCAPSULATE | DHOPT_VENDOR | DHOPT_RFC3925 | DHOPT_TAGOK)) &&
+	!opt->netid &&
+	pxe_ok(opt, pxemode))
       {
 	for (tmp = opts; tmp; tmp = tmp->next) 
 	  if (tmp->opt == opt->opt && (tmp->flags & DHOPT_TAGOK))
@@ -186,7 +208,7 @@ struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *con
 	else if (!tmp->netid)
 	  my_syslog(MS_DHCP | LOG_WARNING, _("Ignoring duplicate dhcp-option %d"), tmp->opt); 
       }
-
+  
   /* Finally, eliminate duplicate options later in the chain, and therefore earlier in the config file. */
   for (opt = opts; opt; opt = opt->next)
     if (opt->flags & DHOPT_TAGOK)
@@ -553,11 +575,11 @@ char *whichdevice(void)
     return NULL;
   
   for (if_tmp = daemon->if_names; if_tmp; if_tmp = if_tmp->next)
-    if (if_tmp->name && (!if_tmp->used || strchr(if_tmp->name, '*')))
+    if (if_tmp->name && (!(if_tmp->flags & INAME_USED) || strchr(if_tmp->name, '*')))
       return NULL;
 
   for (found = NULL, iface = daemon->interfaces; iface; iface = iface->next)
-    if (iface->dhcp_ok)
+    if (iface->dhcp4_ok || iface->dhcp6_ok)
       {
 	if (!found)
 	  found = iface;
@@ -838,7 +860,7 @@ char *option_string(int prot, unsigned int opt, unsigned char *val, int opt_len,
 		for (i = 0, j = 0; i < opt_len && j < buf_len ; i++)
 		  {
 		    char c = val[i];
-		    if (isprint((int)c))
+		    if (isprint((unsigned char)c))
 		      buf[j++] = c;
 		  }
 #ifdef HAVE_DHCP6
@@ -852,7 +874,7 @@ char *option_string(int prot, unsigned int opt, unsigned char *val, int opt_len,
 		    for (k = i + 1; k < opt_len && k < l && j < buf_len ; k++)
 		     {
 		       char c = val[k];
-		       if (isprint((int)c))
+		       if (isprint((unsigned char)c))
 			 buf[j++] = c;
 		     }
 		    i = l;
@@ -873,7 +895,7 @@ char *option_string(int prot, unsigned int opt, unsigned char *val, int opt_len,
 		    for (k = 0; k < len && j < buf_len; k++)
 		      {
 		       char c = *p++;
-		       if (isprint((int)c))
+		       if (isprint((unsigned char)c))
 			 buf[j++] = c;
 		     }
 		    i += len +2;

src/dhcp-protocol.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/dhcp.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -32,7 +32,7 @@ static int complete_context(struct in_addr local, int if_index, char *label,
 			    struct in_addr netmask, struct in_addr broadcast, void *vparam);
 static int check_listen_addrs(struct in_addr local, int if_index, char *label,
 			      struct in_addr netmask, struct in_addr broadcast, void *vparam);
-static int relay_upstream4(int iface_index, struct dhcp_packet *mess, size_t sz);
+static void relay_upstream4(int iface_index, struct dhcp_packet *mess, size_t sz);
 static struct dhcp_relay *relay_reply4(struct dhcp_packet *mess, char *arrival_interface);
 
 static int make_fd(int port)
@@ -297,7 +297,7 @@ void dhcp_packet(time_t now, int pxe_fd)
 	}
       
       for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-	if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
+	if (tmp->name && (tmp->flags & INAME_4) && wildcard_match(tmp->name, ifr.ifr_name))
 	  return;
       
       /* unlinked contexts/relays are marked by context->current == context */
@@ -317,7 +317,7 @@ void dhcp_packet(time_t now, int pxe_fd)
 	  match.ind = iface_index;
 	  
 	  if (!daemon->if_addrs ||
-	      !iface_enumerate(AF_INET, &match, check_listen_addrs) ||
+	      !iface_enumerate(AF_INET, &match, (callback_t){.af_inet=check_listen_addrs}) ||
 	      !match.matched)
 	    return;
 	  
@@ -327,17 +327,10 @@ void dhcp_packet(time_t now, int pxe_fd)
 	  complete_context(match.addr, iface_index, NULL, match.netmask, match.broadcast, &parm);
 	}    
             
-      if (relay_upstream4(iface_index, mess, (size_t)sz))
-	return;
-      
-      if (!iface_enumerate(AF_INET, &parm, complete_context))
+      if (!iface_enumerate(AF_INET, &parm, (callback_t){.af_inet=complete_context}))
 	return;
 
-      /* Check for a relay again after iface_enumerate/complete_context has had
-	 chance to fill in relay->iface_index fields. This handles first time through
-	 and any changes in interface config. */
-       if (relay_upstream4(iface_index, mess, (size_t)sz))
-	return;
+      relay_upstream4(iface_index, mess, (size_t)sz);
        
       /* May have configured relay, but not DHCP server */
       if (!daemon->dhcp)
@@ -398,6 +391,10 @@ void dhcp_packet(time_t now, int pxe_fd)
       struct in_pktinfo *pkt;
       msg.msg_control = control_u.control;
       msg.msg_controllen = sizeof(control_u);
+
+      /* alignment padding passed to the kernel should not be uninitialised. */
+      memset(&control_u, 0, sizeof(control_u));
+
       cmptr = CMSG_FIRSTHDR(&msg);
       pkt = (struct in_pktinfo *)CMSG_DATA(cmptr);
       pkt->ipi_ifindex = rcvd_iface_index;
@@ -916,14 +913,14 @@ void dhcp_read_ethers(void)
       
       lineno++;
       
-      while (strlen(buff) > 0 && isspace((int)buff[strlen(buff)-1]))
+      while (strlen(buff) > 0 && isspace((unsigned char)buff[strlen(buff)-1]))
 	buff[strlen(buff)-1] = 0;
       
       if ((*buff == '#') || (*buff == '+') || (*buff == 0))
 	continue;
       
-      for (ip = buff; *ip && !isspace((int)*ip); ip++);
-      for(; *ip && isspace((int)*ip); ip++)
+      for (ip = buff; *ip && !isspace((unsigned char)*ip); ip++);
+      for(; *ip && isspace((unsigned char)*ip); ip++)
 	*ip = 0;
       if (!*ip || parse_hex(buff, hwaddr, ETHER_ADDR_LEN, NULL, NULL) != ETHER_ADDR_LEN)
 	{
@@ -1073,14 +1070,14 @@ char *host_from_dns(struct in_addr addr)
   return NULL;
 }
 
-static int relay_upstream4(int iface_index, struct dhcp_packet *mess, size_t sz)
+static void relay_upstream4(int iface_index, struct dhcp_packet *mess, size_t sz)
 {
   struct in_addr giaddr = mess->giaddr;
   u8 hops = mess->hops;
   struct dhcp_relay *relay;
 
   if (mess->op != BOOTREQUEST)
-    return 0;
+    return;
 
   for (relay = daemon->relay4; relay; relay = relay->next)
     if (relay->iface_index != 0 && relay->iface_index == iface_index)
@@ -1088,7 +1085,7 @@ static int relay_upstream4(int iface_index, struct dhcp_packet *mess, size_t sz)
 
   /* No relay config. */
   if (!relay)
-    return 0;
+    return;
   
   for (; relay; relay = relay->next)
     if (relay->iface_index != 0 && relay->iface_index == iface_index)
@@ -1121,6 +1118,9 @@ static int relay_upstream4(int iface_index, struct dhcp_packet *mess, size_t sz)
 	to.sa.sa_family = AF_INET;
 	to.in.sin_addr = relay->server.addr4;
 	to.in.sin_port = htons(relay->port);
+#ifdef HAVE_SOCKADDR_SA_LEN
+	to.in.sin_len = sizeof(struct sockaddr_in);
+#endif
 	
 	/* Broadcasting to server. */
 	if (relay->server.addr4.s_addr == 0)
@@ -1164,7 +1164,8 @@ static int relay_upstream4(int iface_index, struct dhcp_packet *mess, size_t sz)
 	   }
       }
   
-  return 1;
+  /* restore in case of a local reply. */
+  mess->giaddr = giaddr;
 }
 
 

src/dhcp6-protocol.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/dhcp6.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -92,7 +92,7 @@ void dhcp6_packet(time_t now)
   struct iface_param parm;
   struct cmsghdr *cmptr;
   struct msghdr msg;
-  int if_index = 0;
+  uint32_t if_index = 0;
   union {
     struct cmsghdr align; /* this ensures alignment */
     char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
@@ -118,11 +118,6 @@ void dhcp6_packet(time_t now)
   if ((sz = recv_dhcp_packet(daemon->dhcp6fd, &msg)) == -1)
     return;
   
-#ifdef HAVE_DUMPFILE
-  dump_packet_udp(DUMP_DHCPV6, (void *)daemon->dhcp_packet.iov_base, sz,
-		  (union mysockaddr *)&from, NULL, daemon->dhcp6fd);
-#endif
-  
   for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
     if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
       {
@@ -138,6 +133,34 @@ void dhcp6_packet(time_t now)
 
   if (!indextoname(daemon->dhcp6fd, if_index, ifr.ifr_name))
     return;
+  
+#ifdef HAVE_LINUX_NETWORK
+  /* This works around a possible Linux kernel bug when using interfaces
+     enslaved to a VRF. The scope_id in the source address gets set
+     to the index of the VRF interface, not the slave. Fortunately,
+     the interface index returned by packetinfo is correct so we use
+     that instead. Log this once, so if it triggers in other circumstances
+     we've not anticipated and breaks things, we get some clues. */
+  if (from.sin6_scope_id != if_index)
+    {
+      static int logged = 0;
+      
+      if (!logged)
+	{
+	  my_syslog(MS_DHCP | LOG_WARNING,
+		    _("Working around kernel bug: faulty source address scope for VRF slave %s"),
+		    ifr.ifr_name);
+	  logged = 1;
+	}
+      
+      from.sin6_scope_id = if_index;
+    }
+#endif
+
+#ifdef HAVE_DUMPFILE
+  dump_packet_udp(DUMP_DHCPV6, (void *)daemon->dhcp_packet.iov_base, sz,
+		  (union mysockaddr *)&from, NULL, daemon->dhcp6fd);
+#endif
 
   if (relay_reply6(&from, sz, ifr.ifr_name))
     {
@@ -159,7 +182,8 @@ void dhcp6_packet(time_t now)
 	  return;
       
       for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-	if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
+	if (tmp->name && (tmp->flags & INAME_6) &&
+	    wildcard_match(tmp->name, ifr.ifr_name))
 	  return;
       
       parm.current = NULL;
@@ -215,7 +239,7 @@ void dhcp6_packet(time_t now)
 	  relay_upstream6(if_index, (size_t)sz, &from.sin6_addr, from.sin6_scope_id, now))
 	return;
       
-      if (!iface_enumerate(AF_INET6, &parm, complete_context6))
+      if (!iface_enumerate(AF_INET6, &parm, (callback_t){.af_inet6=complete_context6}))
 	return;
       
       /* Check for a relay again after iface_enumerate/complete_context has had
@@ -593,7 +617,7 @@ void make_duid(time_t now)
 	newnow = now - 946684800;
 #endif      
       
-      iface_enumerate(AF_LOCAL, &newnow, make_duid1);
+      iface_enumerate(AF_LOCAL, &newnow, (callback_t){.af_local=make_duid1});
       
       if(!daemon->duid)
 	die("Cannot create DHCPv6 server DUID: %s", NULL, EC_MISC);
@@ -643,7 +667,7 @@ struct cparam {
 
 static int construct_worker(struct in6_addr *local, int prefix, 
 			    int scope, int if_index, int flags, 
-			    int preferred, int valid, void *vparam)
+			    unsigned int preferred, unsigned int valid, void *vparam)
 {
   char ifrn_name[IFNAMSIZ];
   struct in6_addr start6, end6;
@@ -777,7 +801,7 @@ void dhcp_construct_contexts(time_t now)
     if (context->flags & CONTEXT_CONSTRUCTED)
       context->flags |= CONTEXT_GC;
    
-  iface_enumerate(AF_INET6, &param, construct_worker);
+  iface_enumerate(AF_INET6, &param, (callback_t){.af_inet6=construct_worker});
 
   for (up = &daemon->dhcp6, context = daemon->dhcp6; context; context = tmp)
     {

src/dns-protocol.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -112,8 +112,11 @@
 #define EDE_NO_AUTH        22  /* No Reachable Authority */
 #define EDE_NETERR         23  /* Network error */
 #define EDE_INVALID_DATA   24  /* Invalid Data */
-
-
+#define EDE_SIG_E_B_V      25  /* Signature Expired before Valid */
+#define EDE_TOO_EARLY      26  /* To Early */
+#define EDE_UNS_NS3_ITER   27  /* Unsupported NSEC3 Iterations Value */
+#define EDE_UNABLE_POLICY  28  /* Unable to conform to policy */
+#define EDE_SYNTHESIZED    29  /* Synthesized */
 
 
 struct dns_header {
@@ -139,15 +142,15 @@ struct dns_header {
 #define RCODE(x)           ((x)->hb4 & HB4_RCODE)
 #define SET_RCODE(x, code) (x)->hb4 = ((x)->hb4 & ~HB4_RCODE) | code
   
-#define GETSHORT(s, cp) { \
+#define GETSHORT(s, cp) do { \
 	unsigned char *t_cp = (unsigned char *)(cp); \
 	(s) = ((u16)t_cp[0] << 8) \
 	    | ((u16)t_cp[1]) \
 	    ; \
 	(cp) += 2; \
-}
+  } while(0)
 
-#define GETLONG(l, cp) { \
+#define GETLONG(l, cp) do { \
 	unsigned char *t_cp = (unsigned char *)(cp); \
 	(l) = ((u32)t_cp[0] << 24) \
 	    | ((u32)t_cp[1] << 16) \
@@ -155,17 +158,17 @@ struct dns_header {
 	    | ((u32)t_cp[3]) \
 	    ; \
 	(cp) += 4; \
-}
+  } while (0)
 
-#define PUTSHORT(s, cp) { \
+#define PUTSHORT(s, cp) do { \
 	u16 t_s = (u16)(s); \
 	unsigned char *t_cp = (unsigned char *)(cp); \
 	*t_cp++ = t_s >> 8; \
 	*t_cp   = t_s; \
 	(cp) += 2; \
-}
+  } while(0)
 
-#define PUTLONG(l, cp) { \
+#define PUTLONG(l, cp) do { \
 	u32 t_l = (u32)(l); \
 	unsigned char *t_cp = (unsigned char *)(cp); \
 	*t_cp++ = t_l >> 24; \
@@ -173,7 +176,7 @@ struct dns_header {
 	*t_cp++ = t_l >> 8; \
 	*t_cp   = t_l; \
 	(cp) += 4; \
-}
+  } while (0)
 
 #define CHECK_LEN(header, pp, plen, len) \
     ((size_t)((pp) - (unsigned char *)(header) + (len)) <= (plen))

src/dnsmasq.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
  
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -14,7 +14,7 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-#define COPYRIGHT "Copyright (c) 2000-2022 Simon Kelley"
+#define COPYRIGHT "Copyright (c) 2000-2025 Simon Kelley"
 
 /* We do defines that influence behavior of stdio.h, so complain
    if included too early. */
@@ -155,11 +155,7 @@ extern int capget(cap_user_header_t header, cap_user_data_t data);
 #include <priv.h>
 #endif
 
-/* Backwards compat with 2.83 */
-#if defined(HAVE_NETTLEHASH)
-#  define HAVE_CRYPTOHASH
-#endif
-#if defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH)
+#if defined(HAVE_DNSSEC)
 #  include <nettle/nettle-meta.h>
 #endif
 
@@ -276,12 +272,16 @@ struct event_desc {
 #define OPT_UMBRELLA_DEVID 64
 #define OPT_CMARK_ALST_EN  65
 #define OPT_QUIET_TFTP     66
-#define OPT_FILTER_A       67
-#define OPT_FILTER_AAAA    68
-#define OPT_STRIP_ECS      69
-#define OPT_STRIP_MAC      70
-#define OPT_NORR           71
-#define OPT_LAST           72
+#define OPT_STRIP_ECS      67
+#define OPT_STRIP_MAC      68
+#define OPT_NORR           69
+#define OPT_NO_IDENT       70
+#define OPT_CACHE_RR       71
+#define OPT_LOCALHOST_SERVICE  72
+#define OPT_LOG_PROTO      73
+#define OPT_NO_0x20        74
+#define OPT_DO_0x20        75
+#define OPT_LAST           76
 
 #define OPTION_BITS (sizeof(unsigned int)*8)
 #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
@@ -324,17 +324,28 @@ union all_addr {
     unsigned char algo;
     unsigned char digest; 
   } ds;
-  struct {
-    struct blockdata *target;
-    unsigned short targetlen, srvport, priority, weight;
-  } srv;
   /* for log_query */
   struct {
     unsigned short keytag, algo, digest, rcode;
     int ede;
   } log;
+  /* for arbitrary RR record stored in block */
+  struct {
+    unsigned short rrtype;
+    unsigned short datalen; 
+    struct blockdata *rrdata;
+  } rrblock;
+  /* for arbitrary RR record small enough to go in addr.
+     NOTE: rrblock and rrdata are discriminated by the F_KEYTAG bit
+     in the cache flags. */
+  struct datablock {
+    unsigned short rrtype;
+    unsigned char datalen; /* also length of SOA in negative records. */
+    char data[1];
+  } rrdata;
 };
 
+#define RR_IMDATALEN (sizeof(union all_addr) - offsetof(struct datablock, data))
 
 struct bogus_addr {
   int is6, prefix;
@@ -444,6 +455,11 @@ struct host_record {
 #define INP4 4
 #define INP6 8
 
+#define RW_WRITE      0
+#define RW_READ       1
+#define RW_WRITE_ONCE 2
+#define RW_READ_ONCE  3
+
 struct interface_name {
   char *name; /* domain name */
   char *intr; /* interface name */
@@ -511,7 +527,7 @@ struct crec {
 #define F_NOEXTRA   (1u<<27)
 #define F_DOMAINSRV (1u<<28)
 #define F_RCODE     (1u<<29)
-#define F_SRV       (1u<<30)
+#define F_RR        (1u<<30)
 #define F_STALE     (1u<<31)
 
 #define UID_NONE      0
@@ -585,8 +601,7 @@ struct server {
   char interface[IF_NAMESIZE+1];
   unsigned int ifindex; /* corresponding to interface, above */
   struct serverfd *sfd; 
-  int tcpfd, edns_pktsz;
-  time_t pktsz_reduced;
+  int tcpfd;
   unsigned int queries, failed_queries, nxdomain_replies, retrys;
   unsigned int query_latency, mma_latency;
   time_t forwardtime;
@@ -637,7 +652,8 @@ struct allowlist {
 struct irec {
   union mysockaddr addr;
   struct in_addr netmask; /* only valid for IPv4 */
-  int tftp_ok, dhcp_ok, mtu, done, warned, dad, dns_auth, index, multicast_done, found, label;
+  int tftp_ok, dhcp4_ok, dhcp6_ok, mtu, done, warned, dad;
+  int dns_auth, index, multicast_done, found, label;
   char *name; 
   struct irec *next;
 };
@@ -653,10 +669,19 @@ struct listener {
 struct iname {
   char *name;
   union mysockaddr addr;
-  int used;
+  int flags;
   struct iname *next;
 };
 
+#define  INAME_USED  1
+#define  INAME_4     2
+#define  INAME_6     4
+
+struct rrlist {
+  unsigned short rr;
+  struct rrlist *next;
+};
+
 /* subnet parameters from command line */
 struct mysubnet {
   union mysockaddr addr;
@@ -725,6 +750,7 @@ struct dyndir {
 #define STAT_SECURE_WILDCARD    0x70000
 #define STAT_OK                 0x80000
 #define STAT_ABANDONED          0x90000
+#define STAT_ASYNC              0xa0000
 
 #define DNSSEC_FAIL_NYV         0x0001 /* key not yet valid */
 #define DNSSEC_FAIL_EXP         0x0002 /* key expired */
@@ -735,6 +761,9 @@ struct dyndir {
 #define DNSSEC_FAIL_NONSEC      0x0040 /* No NSEC */
 #define DNSSEC_FAIL_NODSSUP     0x0080 /* no supported DS algo. */
 #define DNSSEC_FAIL_NOKEY       0x0100 /* no DNSKEY */
+#define DNSSEC_FAIL_NSEC3_ITERS 0x0200 /* too many iterations in NSEC3 */
+#define DNSSEC_FAIL_BADPACKET   0x0400 /* bad packet */
+#define DNSSEC_FAIL_WORK        0x0800 /* too much crypto */
 
 #define STAT_ISEQUAL(a, b)  (((a) & 0xffff0000) == (b))
 
@@ -745,20 +774,17 @@ struct dyndir {
 #define FREC_DS_QUERY          16
 #define FREC_AD_QUESTION       32
 #define FREC_DO_QUESTION       64
-#define FREC_ADDED_PHEADER    128
-#define FREC_TEST_PKTSZ       256
-#define FREC_HAS_EXTRADATA    512
-#define FREC_HAS_PHEADER     1024
-
-#define HASH_SIZE 32 /* SHA-256 digest size */
+#define FREC_HAS_PHEADER      128
+#define FREC_GONE_TO_TCP      256
+#define FREC_ANSWER           512
 
 struct frec {
   struct frec_src {
     union mysockaddr source;
     union all_addr dest;
-    unsigned int iface, log_id;
+    unsigned int iface, log_id, encode_bitmap, *encode_bigmap;
     int fd;
-    unsigned short orig_id;
+    unsigned short orig_id, udp_pkt_size;
     struct frec_src *next;
   } frec_src;
   struct server *sentto; /* NULL means free */
@@ -768,11 +794,10 @@ struct frec {
   time_t time;
   u32 forward_timestamp;
   int forward_delay;
-  unsigned char *hash[HASH_SIZE];
-  struct blockdata *stash; /* Saved reply, whilst we validate */
+  struct blockdata *stash; /* saved query or saved reply, whilst we validate */
   size_t stash_len;
 #ifdef HAVE_DNSSEC 
-  int class, work_counter;
+  int uid, class, work_counter, validate_counter;
   struct frec *dependent; /* Query awaiting internally-generated DNSKEY or DS query */
   struct frec *next_dependent; /* list of above. */
   struct frec *blocking_query; /* Query which is blocking us. */
@@ -809,6 +834,12 @@ struct frec {
 #define LEASE_HAVE_HWADDR  128  /* Have set hwaddress */
 #define LEASE_EXP_CHANGED  256  /* Lease expiry time changed */
 
+#define LIMIT_SIG_FAIL    0
+#define LIMIT_CRYPTO      1
+#define LIMIT_WORK        2
+#define LIMIT_NSEC3_ITERS 3
+#define LIMIT_MAX         4
+
 struct dhcp_lease {
   int clid_len;          /* length of client identifier */
   unsigned char *clid;   /* clientid */
@@ -929,6 +960,7 @@ struct dhcp_opt {
 #define DHOPT_TAGOK           4096
 #define DHOPT_ADDR6           8192
 #define DHOPT_VENDOR_PXE     16384
+#define DHOPT_PXE_OPT        32768
 
 struct dhcp_boot {
   char *file, *sname, *tftp_sname;
@@ -1095,7 +1127,10 @@ struct tftp_prefix {
 };
 
 struct dhcp_relay {
-  union all_addr local, server;
+  union {
+    struct in_addr addr4;
+    struct in6_addr addr6;
+  } local, server;
   char *interface; /* Allowable interface for replies from server, and dest for IPv6 multicast */
   int iface_index; /* working - interface in which requests arrived, for return */
   int port;        /* Port of relay we forward to. */
@@ -1122,6 +1157,7 @@ extern struct daemon {
   struct naptr *naptr;
   struct txt_record *txt, *rr;
   struct ptr_record *ptr;
+  struct rrlist *cache_rr, *filter_rr;
   struct host_record *host_records, *host_records_tail;
   struct cname *cnames;
   struct auth_zone *auth_zones;
@@ -1210,16 +1246,14 @@ extern struct daemon {
   char *packet; /* packet buffer */
   int packet_buff_sz; /* size of above */
   char *namebuff; /* MAXDNAME size buffer */
-#if (defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)) || defined(HAVE_DNSSEC)
-  /* CONNTRACK UBUS code uses this buffer, as well as DNSSEC code. */
   char *workspacename;
-#endif
 #ifdef HAVE_DNSSEC
-  char *keyname; /* MAXDNAME size buffer */
+  char *keyname, *cname; /* MAXDNAME size buffer */
   unsigned long *rr_status; /* ceiling in TTL from DNSSEC or zero for insecure */
   int rr_status_sz;
   int dnssec_no_time_check;
   int back_to_the_future;
+  int limit[LIMIT_MAX];
 #endif
   struct frec *frec_list;
   struct frec_src *free_frec_src;
@@ -1230,8 +1264,8 @@ extern struct daemon {
   struct server *srv_save; /* Used for resend on DoD */
   size_t packet_len;       /*      "        "        */
   int    fd_save;          /*      "        "        */
-  pid_t tcp_pids[MAX_PROCS];
-  int tcp_pipes[MAX_PROCS];
+  pid_t *tcp_pids;
+  int *tcp_pipes;
   int pipe_to_parent;
   int numrrand;
   struct randfd *randomsocks;
@@ -1291,6 +1325,8 @@ extern struct daemon {
   /* file for packet dumps. */
   int dumpfd;
 #endif
+  int max_procs;
+  uint max_procs_used;
 } *daemon;
 
 struct server_details {
@@ -1303,6 +1339,7 @@ struct server_details {
 
 /* cache.c */
 void cache_init(void);
+unsigned short rrtype(char *in);
 void next_uid(struct crec *crecp);
 void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg, unsigned short type); 
 char *record_source(unsigned int index);
@@ -1336,6 +1373,8 @@ int read_hostsfile(char *filename, unsigned int index, int cache_size,
 void blockdata_init(void);
 void blockdata_report(void);
 struct blockdata *blockdata_alloc(char *data, size_t len);
+int blockdata_expand(struct blockdata *block, size_t oldlen,
+		     char *data, size_t newlen);
 void *blockdata_retrieve(struct blockdata *block, size_t len, void *data);
 struct blockdata *blockdata_read(int fd, size_t len);
 void blockdata_write(struct blockdata *block, size_t len, int fd);
@@ -1348,24 +1387,24 @@ int is_name_synthetic(int flags, char *name, union all_addr *addr);
 int is_rev_synth(int flag, union all_addr *addr, char *name);
 
 /* rfc1035.c */
+int do_doctor(struct dns_header *header, size_t qlen, char *namebuff);
 int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, 
-                 char *name, int isExtract, int extrabytes);
+                 char *name, int func, unsigned int parm);
 unsigned char *skip_name(unsigned char *ansp, struct dns_header *header, size_t plen, int extrabytes);
 unsigned char *skip_questions(struct dns_header *header, size_t plen);
 unsigned char *skip_section(unsigned char *ansp, int count, struct dns_header *header, size_t plen);
-unsigned int extract_request(struct dns_header *header, size_t qlen, 
-			       char *name, unsigned short *typep);
+unsigned int extract_request(struct dns_header *header, size_t qlen, char *name,
+			     unsigned short *typep, unsigned short *classp);
 void setup_reply(struct dns_header *header, unsigned int flags, int ede);
 int extract_addresses(struct dns_header *header, size_t qlen, char *name,
 		      time_t now, struct ipsets *ipsets, struct ipsets *nftsets, int is_sign,
-                      int check_rebind, int no_cache_dnssec, int secure, int *doctored);
+                      int check_rebind, int no_cache_dnssec, int secure);
 #if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
 void report_addresses(struct dns_header *header, size_t len, u32 mark);
 #endif
 size_t answer_request(struct dns_header *header, char *limit, size_t qlen,  
 		      struct in_addr local_addr, struct in_addr local_netmask, 
-		      time_t now, int ad_reqd, int do_bit, int have_pseudoheader,
-		      int *stale);
+		      time_t now, int ad_reqd, int do_bit, int no_cache, int *stale, int *filtered);
 int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name, 
 			     time_t now);
 int check_for_ignored_address(struct dns_header *header, size_t qlen);
@@ -1377,32 +1416,34 @@ int add_resource_record(struct dns_header *header, char *limit, int *truncp,
 			int *offset, unsigned short type, unsigned short class, char *format, ...);
 int in_arpa_name_2_addr(char *namein, union all_addr *addrp);
 int private_net(struct in_addr addr, int ban_localhost);
+/* extract_name ops */
+#define EXTR_NAME_EXTRACT   1
+#define EXTR_NAME_COMPARE   2
+#define EXTR_NAME_NOCASE    3
+#define EXTR_NAME_FLIP      4
 
 /* auth.c */
 #ifdef HAVE_AUTH
 size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, 
-		   time_t now, union mysockaddr *peer_addr, int local_query,
-		   int do_bit, int have_pseudoheader);
+		   time_t now, union mysockaddr *peer_addr, int local_query);
 int in_zone(struct auth_zone *zone, char *name, char **cut);
 #endif
 
 /* dnssec.c */
 #ifdef HAVE_DNSSEC
-size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name, int class, int type, int edns_pktsz);
-int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
-int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
+size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name, int class, int id, int type);
+int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name,
+			  char *keyname, int class, int *validate_count);
+int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name,
+		       char *keyname, int class, int *validate_count);
 int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class,
-			  int check_unsigned, int *neganswer, int *nons, int *nsec_ttl);
+			  int check_unsigned, int *neganswer, int *nons, int *nsec_ttl, int *validate_count);
 int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen);
 size_t filter_rrsigs(struct dns_header *header, size_t plen);
 int setup_timestamp(void);
 int errflags_to_ede(int status);
 #endif
 
-/* hash_questions.c */
-void hash_questions_init(void);
-unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name);
-
 /* crypto.c */
 const struct nettle_hash *hash_find(char *name);
 int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp);
@@ -1417,6 +1458,7 @@ void rand_init(void);
 unsigned short rand16(void);
 u32 rand32(void);
 u64 rand64(void);
+int rr_on_list(struct rrlist *list, unsigned short rr);
 int legal_hostname(char *name);
 char *canonicalise(char *in, int *nomem);
 unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit);
@@ -1484,6 +1526,13 @@ int option_read_dynfile(char *file, int flags);
 /* forward.c */
 void reply_query(int fd, time_t now);
 void receive_query(struct listener *listen, time_t now);
+void return_reply(time_t now, struct frec *forward, struct dns_header *header, ssize_t n, int status);
+#ifdef HAVE_DNSSEC
+void pop_and_retry_query(struct frec *forward, int status, time_t now);
+int tcp_from_udp(time_t now, int status, struct dns_header *header, ssize_t *n, 
+		 int class, char *name, struct server *server, 
+		 int *keycount, int *validatecount);
+#endif
 unsigned char *tcp_request(int confd, time_t now,
 			   union mysockaddr *local_addr, struct in_addr netmask, int auth_dns);
 void server_gone(struct server *server);
@@ -1577,6 +1626,7 @@ void lease_update_from_configs(void);
 int do_script_run(time_t now);
 void rerun_scripts(void);
 void lease_find_interfaces(time_t now);
+void lease_calc_fqdns(void);
 #ifdef HAVE_SCRIPT
 void lease_add_extradata(struct dhcp_lease *lease, unsigned char *data, 
 			 unsigned int len, int delim);
@@ -1602,6 +1652,10 @@ void queue_event(int event);
 void send_alarm(time_t event, time_t now);
 void send_event(int fd, int event, int data, char *msg);
 void clear_cache_and_reload(time_t now);
+#ifdef HAVE_DNSSEC
+int swap_to_tcp(struct frec *forward, time_t now, int status, struct dns_header *header,
+		ssize_t *plen, char *name, int class, struct server *server, int *keycount, int *validatecount);
+#endif
 
 /* netlink.c */
 #ifdef HAVE_LINUX_NETWORK
@@ -1619,7 +1673,13 @@ void route_sock(void);
 #endif
 
 /* bpf.c or netlink.c */
-int iface_enumerate(int family, void *parm, int (callback)());
+typedef union {
+	int (*af_unspec)(int family, void *addrp, char *mac, size_t maclen, void *parmv);
+	int (*af_inet)(struct in_addr local, int if_index, char *label, struct in_addr netmask, struct in_addr broadcast, void *vparam);
+	int (*af_inet6)(struct in6_addr *local, int prefix, int scope, int if_index, int flags, unsigned int preferred, unsigned int valid, void *vparam);
+	int (*af_local)(int index, unsigned int type, char *mac, size_t maclen, void *parm);
+} callback_t;
+int iface_enumerate(int family, void *parm, callback_t callback);
 
 /* dbus.c */
 #ifdef HAVE_DBUS
@@ -1733,8 +1793,9 @@ int do_snoop_script_run(void);
 void dhcp_common_init(void);
 ssize_t recv_dhcp_packet(int fd, struct msghdr *msg);
 struct dhcp_netid *run_tag_if(struct dhcp_netid *tags);
+int pxe_ok(struct dhcp_opt *opt, int pxemode);
 struct dhcp_netid *option_filter(struct dhcp_netid *tags, struct dhcp_netid *context_tags,
-				 struct dhcp_opt *opts);
+				 struct dhcp_opt *opts, int pxemode);
 int match_netid(struct dhcp_netid *check, struct dhcp_netid *pool, int tagnotneeded);
 char *strip_hostname(char *hostname);
 void log_tags(struct dhcp_netid *netid, u32 xid);
@@ -1810,19 +1871,21 @@ void poll_listen(int fd, short event);
 int do_poll(int timeout);
 
 /* rrfilter.c */
-size_t rrfilter(struct dns_header *header, size_t plen, int mode);
-u16 *rrfilter_desc(int type);
+size_t rrfilter(struct dns_header *header, size_t *plen, int mode);
+short *rrfilter_desc(int type);
 int expand_workspace(unsigned char ***wkspc, int *szp, int new);
+int to_wire(char *name);
+void from_wire(char *name);
 /* modes. */
 #define RRFILTER_EDNS0   0
 #define RRFILTER_DNSSEC  1
-#define RRFILTER_A       2
-#define RRFILTER_AAAA    3
+#define RRFILTER_CONF    2
+
 /* edns0.c */
 unsigned char *find_pseudoheader(struct dns_header *header, size_t plen,
 				   size_t *len, unsigned char **p, int *is_sign, int *is_last);
 size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *limit, 
-			unsigned short udp_sz, int optno, unsigned char *opt, size_t optlen, int set_do, int replace);
+			int optno, unsigned char *opt, size_t optlen, int set_do, int replace);
 size_t add_do_bit(struct dns_header *header, size_t plen, unsigned char *limit);
 size_t add_edns0_config(struct dns_header *header, size_t plen, unsigned char *limit, 
 			union mysockaddr *source, time_t now, int *cacheable);

src/domain-match.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -94,8 +94,7 @@ void build_server_array(void)
    server=/.example.com/ works.
 
    A flag of F_SERVER returns an upstream server only.
-   A flag of F_DNSSECOK returns a DNSSEC capable server only and
-   also disables NODOTS servers from consideration.
+   A flag of F_DNSSECOK disables NODOTS servers from consideration.
    A flag of F_DOMAINSRV returns a domain-specific server only.
    A flag of F_CONFIG returns anything that generates a local
    reply of IPv4 or IPV6.
@@ -253,9 +252,10 @@ int lookup_domain(char *domain, int flags, int *lowout, int *highout)
   if (highout)
     *highout = nhigh;
 
-  if (nlow == nhigh)
+  /* qlen == -1 when we failed to match even an empty query, if there are no default servers. */
+  if (nlow == nhigh || qlen == -1)
     return 0;
-
+  
   return 1;
 }
 
@@ -337,12 +337,8 @@ int filter_servers(int seed, int flags, int *lowout, int *highout)
 		      
 		      if (i != nlow)
 			{
-			  /* If we want a server that can do DNSSEC, and this one can't, 
-			     return nothing, similarly if were looking only for a server
-			     for a particular domain. */
-			  if ((flags & F_DNSSECOK) && !(daemon->serverarray[nlow]->flags & SERV_DO_DNSSEC))
-			    nlow = nhigh;
-			  else if ((flags & F_DOMAINSRV) && daemon->serverarray[nlow]->domain_len == 0)
+			  /* If we want a server for a particular domain, and this one isn't, return nothing. */
+			  if ((flags & F_DOMAINSRV) && daemon->serverarray[nlow]->domain_len == 0)
 			    nlow = nhigh;
 			  else
 			    nhigh = i;
@@ -350,7 +346,7 @@ int filter_servers(int seed, int flags, int *lowout, int *highout)
 		      else
 			{
 			  /* --local=/domain/, only return if we don't need a server. */
-			  if (flags & (F_DNSSECOK | F_DOMAINSRV | F_SERVER))
+			  if (flags & (F_DOMAINSRV | F_SERVER))
 			    nhigh = i;
 			}
 		    }
@@ -404,11 +400,19 @@ size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header
   int start;
   union all_addr addr;
   
+  setup_reply(header, flags, ede);
+
   if (flags & (F_NXDOMAIN | F_NOERR))
     log_query(flags | gotname | F_NEG | F_CONFIG | F_FORWARD, name, NULL, NULL, 0);
-	  
-  setup_reply(header, flags, ede);
-	  
+
+  if (flags & F_RCODE)
+     {
+       union all_addr a;
+       a.log.rcode = RCODE(header);
+       a.log.ede = ede;
+       log_query(F_UPSTREAM | F_RCODE, "opcode", &a, NULL, 0);
+     }
+  
   if (!(p = skip_questions(header, size)))
     return 0;
 	  
@@ -443,7 +447,13 @@ size_t make_local_answer(int flags, int gotname, size_t size, struct dns_header
       }
 
   if (trunc)
-    header->hb3 |= HB3_TC;
+    {
+      header->hb3 |= HB3_TC;
+      if (!(p = skip_questions(header, size)))
+	return 0; /* bad packet */
+      anscount  = 0;
+    }
+  
   header->ancount = htons(anscount);
   
   return p - (unsigned char *)header;
@@ -540,9 +550,9 @@ static int order_qsort(const void *a, const void *b)
 
   /* Finally, order by appearance in /etc/resolv.conf etc, for --strict-order */
   if (rc == 0)
-    if (!(s1->flags & SERV_LITERAL_ADDRESS))
+    if (!(s1->flags & SERV_IS_LOCAL) && !(s2->flags & SERV_IS_LOCAL))
       rc = s1->serial - s2->serial;
-
+  
   return rc;
 }
 
@@ -738,12 +748,14 @@ int add_update_server(int flags,
 	serv->addr = *addr;
       if (source_addr)
 	serv->source_addr = *source_addr;
+
+      serv->tcpfd = -1;
     }
     
   serv->flags = flags;
   serv->domain = alloc_domain;
   serv->domain_len = strlen(alloc_domain);
-  
+    
   return 1;
 }
 

src/domain.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -22,12 +22,13 @@ static int match_domain(struct in_addr addr, struct cond_domain *c);
 static struct cond_domain *search_domain6(struct in6_addr *addr, struct cond_domain *c);
 static int match_domain6(struct in6_addr *addr, struct cond_domain *c);
 
-int is_name_synthetic(int flags, char *name, union all_addr *addr)
+int is_name_synthetic(int flags, char *name, union all_addr *addrp)
 {
   char *p;
   struct cond_domain *c = NULL;
   int prot = (flags & F_IPV6) ? AF_INET6 : AF_INET;
-
+  union all_addr addr;
+  
   for (c = daemon->synth_domains; c; c = c->next)
     {
       int found = 0;
@@ -74,7 +75,7 @@ int is_name_synthetic(int flags, char *name, union all_addr *addr)
 		   if (!c->is6 &&
 		      index <= ntohl(c->end.s_addr) - ntohl(c->start.s_addr))
 		    {
-		      addr->addr4.s_addr = htonl(ntohl(c->start.s_addr) + index);
+		      addr.addr4.s_addr = htonl(ntohl(c->start.s_addr) + index);
 		      found = 1;
 		    }
 		} 
@@ -86,8 +87,8 @@ int is_name_synthetic(int flags, char *name, union all_addr *addr)
 		      index <= addr6part(&c->end6) - addr6part(&c->start6))
 		    {
 		      u64 start = addr6part(&c->start6);
-		      addr->addr6 = c->start6;
-		      setaddr6part(&addr->addr6, start + index);
+		      addr.addr6 = c->start6;
+		      setaddr6part(&addr.addr6, start + index);
 		      found = 1;
 		    }
 		}
@@ -114,29 +115,18 @@ int is_name_synthetic(int flags, char *name, union all_addr *addr)
 	  
 	  *p = 0;	
 	  
-	  if (prot == AF_INET6 && strstr(tail, "--ffff-") == tail)
-	    {
-	      /* special hack for v4-mapped. */
-	      memcpy(tail, "::ffff:", 7);
-	      for (p = tail + 7; *p; p++)
-		if (*p == '-')
+	  /* swap . or : for - */
+	  for (p = tail; *p; p++)
+	    if (*p == '-')
+	      {
+		if (prot == AF_INET)
 		  *p = '.';
-	    }
-	  else
-	    {
-	      /* swap . or : for - */
-	      for (p = tail; *p; p++)
-		if (*p == '-')
-		  {
-		    if (prot == AF_INET)
-		      *p = '.';
-		    else
-		      *p = ':';
-		  }
-	    }
+		else
+		  *p = ':';
+	      }
 	  
-	  if (hostname_isequal(c->domain, p+1) && inet_pton(prot, tail, addr))
-	    found = (prot == AF_INET) ? match_domain(addr->addr4, c) : match_domain6(&addr->addr6, c);
+	  if (hostname_isequal(c->domain, p+1) && inet_pton(prot, tail, &addr))
+	    found = (prot == AF_INET) ? match_domain(addr.addr4, c) : match_domain6(&addr.addr6, c);
 	}
       
       /* restore name */
@@ -148,7 +138,12 @@ int is_name_synthetic(int flags, char *name, union all_addr *addr)
       
       
       if (found)
-	return 1;
+	{
+	  if (addrp)
+	    *addrp = addr;
+	  
+	  return 1;
+	}
     }
   
   return 0;
@@ -188,9 +183,8 @@ int is_rev_synth(int flag, union all_addr *addr, char *name)
 
    if ((flag & F_IPV6) && (c = search_domain6(&addr->addr6, daemon->synth_domains))) 
      {
-       char *p;
-       
        *name = 0;
+
        if (c->indexed)
 	 {
 	   u64 index = addr6part(&addr->addr6) - addr6part(&c->start6);
@@ -198,24 +192,17 @@ int is_rev_synth(int flag, union all_addr *addr, char *name)
 	 }
        else
 	 {
-	   if (c->prefix)
-	     strncpy(name, c->prefix, MAXDNAME - ADDRSTRLEN);
-       
-	   inet_ntop(AF_INET6, &addr->addr6, name + strlen(name), ADDRSTRLEN);
+	   int i;
+	   char frag[6];
 
-	   /* IPv6 presentation address can start with ":", but valid domain names
-	      cannot start with "-" so prepend a zero in that case. */
-	   if (!c->prefix && *name == ':')
+	   if (c->prefix)
+	     strncpy(name, c->prefix, MAXDNAME);
+	   
+	   for (i = 0; i < 16; i += 2)
 	     {
-	       *name = '0';
-	       inet_ntop(AF_INET6, &addr->addr6, name+1, ADDRSTRLEN);
+	       sprintf(frag, "%s%02x%02x",  i == 0 ? "" : "-", addr->addr6.s6_addr[i], addr->addr6.s6_addr[i+1]);
+	       strncat(name, frag, MAXDNAME);
 	     }
-	   
-	   /* V4-mapped have periods.... */
-	   for (p = name; *p; p++)
-	     if (*p == ':' || *p == '.')
-	       *p = '-';
-	   
 	 }
 
        strncat(name, ".", MAXDNAME);

src/dump.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -51,31 +51,39 @@ void dump_init(void)
 
   packet_count = 0;
   
+  header.magic_number = 0xa1b2c3d4;
+  header.version_major = 2;
+  header.version_minor = 4;
+  header.thiszone = 0;
+  header.sigfigs = 0;
+  header.snaplen = daemon->edns_pktsz + 200; /* slop for IP/UDP headers */
+  header.network = 101; /* DLT_RAW http://www.tcpdump.org/linktypes.html */
+
   if (stat(daemon->dump_file, &buf) == -1)
     {
       /* doesn't exist, create and add header */
-      header.magic_number = 0xa1b2c3d4;
-      header.version_major = 2;
-      header.version_minor = 4;
-      header.thiszone = 0;
-      header.sigfigs = 0;
-      header.snaplen = daemon->edns_pktsz + 200; /* slop for IP/UDP headers */
-      header.network = 101; /* DLT_RAW http://www.tcpdump.org/linktypes.html */
-
       if (errno != ENOENT ||
 	  (daemon->dumpfd = creat(daemon->dump_file, S_IRUSR | S_IWUSR)) == -1 ||
-	  !read_write(daemon->dumpfd, (void *)&header, sizeof(header), 0))
+	  !read_write(daemon->dumpfd, (void *)&header, sizeof(header), RW_WRITE))
 	die(_("cannot create %s: %s"), daemon->dump_file, EC_FILE);
     }
+  else if (S_ISFIFO(buf.st_mode))
+    {
+      /* File is named pipe (with wireshark on the other end, probably.)
+	 Send header. */
+      if  ((daemon->dumpfd = open(daemon->dump_file, O_APPEND | O_RDWR)) == -1 ||
+	   !read_write(daemon->dumpfd, (void *)&header, sizeof(header), RW_WRITE))
+	die(_("cannot open pipe %s: %s"), daemon->dump_file, EC_FILE);
+    }
   else if ((daemon->dumpfd = open(daemon->dump_file, O_APPEND | O_RDWR)) == -1 ||
-	   !read_write(daemon->dumpfd, (void *)&header, sizeof(header), 1))
+	   !read_write(daemon->dumpfd, (void *)&header, sizeof(header), RW_READ))
     die(_("cannot access %s: %s"), daemon->dump_file, EC_FILE);
   else if (header.magic_number != 0xa1b2c3d4)
     die(_("bad header in %s"), daemon->dump_file, EC_FILE);
   else
     {
       /* count existing records */
-      while (read_write(daemon->dumpfd, (void *)&pcap_header, sizeof(pcap_header), 1))
+      while (read_write(daemon->dumpfd, (void *)&pcap_header, sizeof(pcap_header), RW_READ))
 	{
 	  lseek(daemon->dumpfd, pcap_header.incl_len, SEEK_CUR);
 	  packet_count++;
@@ -280,12 +288,12 @@ static void do_dump_packet(int mask, void *packet, size_t len,
   pcap_header.ts_usec = time.tv_usec;
   
   if (rc == -1 ||
-      !read_write(daemon->dumpfd, (void *)&pcap_header, sizeof(pcap_header), 0) ||
-      !read_write(daemon->dumpfd, iphdr, ipsz, 0) ||
-      (proto == IPPROTO_UDP && !read_write(daemon->dumpfd, (void *)&udp, sizeof(udp), 0)) ||
-      !read_write(daemon->dumpfd, (void *)packet, len, 0))
+      !read_write(daemon->dumpfd, (void *)&pcap_header, sizeof(pcap_header), RW_WRITE) ||
+      !read_write(daemon->dumpfd, iphdr, ipsz, RW_WRITE) ||
+      (proto == IPPROTO_UDP && !read_write(daemon->dumpfd, (void *)&udp, sizeof(udp), RW_WRITE)) ||
+      !read_write(daemon->dumpfd, (void *)packet, len, RW_WRITE))
     my_syslog(LOG_ERR, _("failed to write packet dump"));
-  else if (option_bool(OPT_EXTRALOG))
+  else if (option_bool(OPT_EXTRALOG) && (mask & 0x00ff))
     my_syslog(LOG_INFO, _("%u dumping packet %u mask 0x%04x"),  daemon->log_display_id, ++packet_count, mask);
   else
     my_syslog(LOG_INFO, _("dumping packet %u mask 0x%04x"), ++packet_count, mask);

src/edns0.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -96,9 +96,12 @@ unsigned char *find_pseudoheader(struct dns_header *header, size_t plen, size_t
 }
  
 
-/* replace == 2 ->delete existing option only. */
+/* replace == 0 ->don't replace existing option
+   replace == 1 ->replace existing or add option
+   replace == 2 ->relpace existing option only.
+*/
 size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *limit, 
-			unsigned short udp_sz, int optno, unsigned char *opt, size_t optlen, int set_do, int replace)
+			int optno, unsigned char *opt, size_t optlen, int set_do, int replace)
 { 
   unsigned char *lenp, *datap, *p, *udp_len, *buff = NULL;
   int rdlen = 0, is_sign, is_last;
@@ -114,9 +117,10 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
       /* Existing header */
       int i;
       unsigned short code, len;
-
+      
       p = udp_len;
-      GETSHORT(udp_sz, p);
+
+      PUTSHORT(daemon->edns_pktsz, p);
       GETSHORT(rcode, p);
       GETSHORT(flags, p);
 
@@ -178,7 +182,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
 	    memcpy(buff, datap, rdlen);	      
 	  
 	  /* now, delete OPT RR */
-	  plen = rrfilter(header, plen, RRFILTER_EDNS0);
+	  rrfilter(header, &plen, RRFILTER_EDNS0);
 	  
 	  /* Now, force addition of a new one */
 	  p = NULL;	  
@@ -191,21 +195,18 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
       if (!(p = skip_questions(header, plen)) ||
 	  !(p = skip_section(p, 
 			     ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount), 
-			     header, plen)))
-      {
-	free(buff);
-	return plen;
-      }
-      if (p + 11 > limit)
-      {
-        free(buff);
-        return plen; /* Too big */
-      }
+			     header, plen)) ||
+	  p + 11 > limit)
+	{
+	  free(buff);
+	  return plen; /* bad packet */
+	}
+
       *p++ = 0; /* empty name */
       PUTSHORT(T_OPT, p);
-      PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 header */
-      PUTSHORT(rcode, p);    /* extended RCODE and version */
-      PUTSHORT(flags, p); /* DO flag */
+      PUTSHORT(daemon->edns_pktsz, p); /* max packet length, 512 if not given in EDNS0 header */
+      PUTSHORT(rcode, p);  /* extended RCODE and version */
+      PUTSHORT(flags, p);  /* DO flag */
       lenp = p;
       PUTSHORT(rdlen, p);    /* RDLEN */
       datap = p;
@@ -248,7 +249,7 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
 
 size_t add_do_bit(struct dns_header *header, size_t plen, unsigned char *limit)
 {
-  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, 0, NULL, 0, 1, 0);
+  return add_pseudoheader(header, plen, (unsigned char *)limit, 0, NULL, 0, 1, 0);
 }
 
 static unsigned char char64(unsigned char c)
@@ -293,7 +294,7 @@ static size_t add_dns_client(struct dns_header *header, size_t plen, unsigned ch
     replace = 2;
 
   if (replace != 0 || maclen == 6)
-    plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_NOMDEVICEID, (unsigned char *)encode, strlen(encode), 0, replace);
+    plen = add_pseudoheader(header, plen, limit, EDNS0_OPTION_NOMDEVICEID, (unsigned char *)encode, strlen(encode), 0, replace);
 
   return plen;
 }
@@ -318,7 +319,7 @@ static size_t add_mac(struct dns_header *header, size_t plen, unsigned char *lim
     replace = 2;
   
   if (replace != 0 || maclen != 0)
-    plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_MAC, mac, maclen, 0, replace);
+    plen = add_pseudoheader(header, plen, limit, EDNS0_OPTION_MAC, mac, maclen, 0, replace);
 
   return plen; 
 }
@@ -416,21 +417,34 @@ static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned c
   else if (option_bool(OPT_STRIP_ECS))
     replace = 2;
   else
-    return plen;
-
-  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0, replace);
+    {
+      unsigned char *pheader;
+      /* If we still think the data is cacheable, and we're not
+	 messing with EDNS client subnet ourselves, see if the client
+	 sent a client subnet. If so, mark the data as uncacheable */
+      if (*cacheable &&
+	  (pheader = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL)) &&
+	  !check_source(header, plen, pheader, NULL))
+	*cacheable = 0;
+      
+      return plen;
+    }
+  
+  return add_pseudoheader(header, plen, (unsigned char *)limit, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0, replace);
 }
 
 int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer)
 {
-  /* Section 9.2, Check that subnet option in reply matches. */
+  /* Section 9.2, Check that subnet option (if any) in reply matches.
+     if peer == NULL, this degrades to a check for the existence of and EDNS0 client-subnet option. */
   
   int len, calc_len;
   struct subnet_opt opt;
   unsigned char *p;
   int code, i, rdlen;
   
-  calc_len = calc_subnet_opt(&opt, peer, NULL);
+  if (peer)
+    calc_len = calc_subnet_opt(&opt, peer, NULL);
    
   if (!(p = skip_name(pseudoheader, header, plen, 10)))
     return 1;
@@ -442,21 +456,26 @@ int check_source(struct dns_header *header, size_t plen, unsigned char *pseudohe
     return 1; /* bad packet */
   
   /* check if option there */
-   for (i = 0; i + 4 < rdlen; i += len + 4)
+  for (i = 0; i + 4 < rdlen; i += len + 4)
      {
        GETSHORT(code, p);
        GETSHORT(len, p);
        if (code == EDNS0_OPTION_CLIENT_SUBNET)
 	 {
-	   /* make sure this doesn't mismatch. */
-	   opt.scope_netmask = p[3];
-	   if (len != calc_len || memcmp(p, &opt, len) != 0)
+	   if (peer)
+	     {
+	       /* make sure this doesn't mismatch. */
+	       opt.scope_netmask = p[3];
+	       if (len != calc_len || memcmp(p, &opt, len) != 0)
+		 return 0;
+	     }
+	   else if (((struct subnet_opt *)p)->source_netmask != 0)
 	     return 0;
 	 }
        p += len;
      }
-   
-   return 1;
+  
+  return 1;
 }
 
 /* See https://docs.umbrella.com/umbrella-api/docs/identifying-dns-traffic for
@@ -490,7 +509,7 @@ static size_t add_umbrella_opt(struct dns_header *header, size_t plen, unsigned
 {
   *cacheable = 0;
 
-  struct umbrella_opt opt = {{"ODNS"}, UMBRELLA_VERSION, 0, {}};
+  struct umbrella_opt opt = {{"ODNS"}, UMBRELLA_VERSION, 0, {0}};
   u8 *u = &opt.fields[0];
   int family = source->sa.sa_family;
   int size = family == AF_INET ? INADDRSZ : IN6ADDRSZ;
@@ -518,7 +537,7 @@ static size_t add_umbrella_opt(struct dns_header *header, size_t plen, unsigned
       PUTLONG(daemon->umbrella_asset, u);
     }
   
-  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, EDNS0_OPTION_UMBRELLA, (unsigned char *)&opt, u - (u8 *)&opt, 0, 1);
+  return add_pseudoheader(header, plen, (unsigned char *)limit, EDNS0_OPTION_UMBRELLA, (unsigned char *)&opt, u - (u8 *)&opt, 0, 1);
 }
 
 /* Set *check_subnet if we add a client subnet option, which needs to checked 
@@ -533,13 +552,13 @@ size_t add_edns0_config(struct dns_header *header, size_t plen, unsigned char *l
   plen = add_dns_client(header, plen, limit, source, now, cacheable);
   
   if (daemon->dns_client_id)
-    plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_NOMCPEID, 
+    plen = add_pseudoheader(header, plen, limit, EDNS0_OPTION_NOMCPEID, 
 			    (unsigned char *)daemon->dns_client_id, strlen(daemon->dns_client_id), 0, 1);
 
   if (option_bool(OPT_UMBRELLA))
     plen = add_umbrella_opt(header, plen, limit, source, cacheable);
   
   plen = add_source_addr(header, plen, limit, source, cacheable);
-  	  
+
   return plen;
 }

src/hash-questions.c

@@ -1,284 +0,0 @@
-/* Copyright (c) 2012-2020 Simon Kelley
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991, or
-   (at your option) version 3 dated 29 June, 2007.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-
-/* Hash the question section. This is used to safely detect query 
-   retransmission and to detect answers to questions we didn't ask, which 
-   might be poisoning attacks. Note that we decode the name rather 
-   than CRC the raw bytes, since replies might be compressed differently. 
-   We ignore case in the names for the same reason. 
-
-   The hash used is SHA-256. If we're building with DNSSEC support,
-   we use the Nettle cypto library. If not, we prefer not to
-   add a dependency on Nettle, and use a stand-alone implementation. 
-*/
-
-#include "dnsmasq.h"
-
-#if defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH)
-
-static const struct nettle_hash *hash;
-static void *ctx;
-static unsigned char *digest;
-
-void hash_questions_init(void)
-{
-  if (!(hash = hash_find("sha256")))
-    die(_("Failed to create SHA-256 hash object"), NULL, EC_MISC);
-
-  ctx = safe_malloc(hash->context_size);
-  digest = safe_malloc(hash->digest_size);
-}
-
-unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
-{
-  int q;
-  unsigned char *p = (unsigned char *)(header+1);
-
-  hash->init(ctx);
-
-  for (q = ntohs(header->qdcount); q != 0; q--) 
-    {
-      char *cp, c;
-
-      if (!extract_name(header, plen, &p, name, 1, 4))
-	return NULL; /* bad packet */
-
-      for (cp = name; (c = *cp); cp++)
-	 if (c >= 'A' && c <= 'Z')
-	   *cp += 'a' - 'A';
-
-      hash->update(ctx, cp - name, (unsigned char *)name);
-      /* CRC the class and type as well */
-      hash->update(ctx, 4, p);
-
-      p += 4;
-      if (!CHECK_LEN(header, p, plen, 0))
-	return NULL; /* bad packet */
-    }
-  
-  hash->digest(ctx, hash->digest_size, digest);
-  return digest;
-}
-
-#else /* HAVE_DNSSEC  || HAVE_CRYPTOHASH */
-
-#define SHA256_BLOCK_SIZE 32            /* SHA256 outputs a 32 byte digest */
-typedef unsigned char BYTE;             /* 8-bit byte */
-typedef unsigned int  WORD;             /* 32-bit word, change to "long" for 16-bit machines */
-
-typedef struct {
-  BYTE data[64];
-  WORD datalen;
-  unsigned long long bitlen;
-  WORD state[8];
-} SHA256_CTX;
-
-static void sha256_init(SHA256_CTX *ctx);
-static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len);
-static void sha256_final(SHA256_CTX *ctx, BYTE hash[]);
-
-void hash_questions_init(void)
-{
-}
-
-unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
-{
-  int q;
-  unsigned char *p = (unsigned char *)(header+1);
-  SHA256_CTX ctx;
-  static BYTE digest[SHA256_BLOCK_SIZE];
-  
-  sha256_init(&ctx);
-    
-  for (q = ntohs(header->qdcount); q != 0; q--) 
-    {
-      char *cp, c;
-
-      if (!extract_name(header, plen, &p, name, 1, 4))
-	return NULL; /* bad packet */
-
-      for (cp = name; (c = *cp); cp++)
-	 if (c >= 'A' && c <= 'Z')
-	   *cp += 'a' - 'A';
-
-      sha256_update(&ctx, (BYTE *)name, cp - name);
-      /* CRC the class and type as well */
-      sha256_update(&ctx, (BYTE *)p, 4);
-
-      p += 4;
-      if (!CHECK_LEN(header, p, plen, 0))
-	return NULL; /* bad packet */
-    }
-  
-  sha256_final(&ctx, digest);
-  return (unsigned char *)digest;
-}
-
-/* Code from here onwards comes from https://github.com/B-Con/crypto-algorithms
-   and was written by Brad Conte (brad@bradconte.com), to whom all credit is given.
-
-   This code is in the public domain, and the copyright notice at the head of this 
-   file does not apply to it.
-*/
-
-
-/****************************** MACROS ******************************/
-#define ROTLEFT(a,b) (((a) << (b)) | ((a) >> (32-(b))))
-#define ROTRIGHT(a,b) (((a) >> (b)) | ((a) << (32-(b))))
-
-#define CH(x,y,z) (((x) & (y)) ^ (~(x) & (z)))
-#define MAJ(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
-#define EP0(x) (ROTRIGHT(x,2) ^ ROTRIGHT(x,13) ^ ROTRIGHT(x,22))
-#define EP1(x) (ROTRIGHT(x,6) ^ ROTRIGHT(x,11) ^ ROTRIGHT(x,25))
-#define SIG0(x) (ROTRIGHT(x,7) ^ ROTRIGHT(x,18) ^ ((x) >> 3))
-#define SIG1(x) (ROTRIGHT(x,17) ^ ROTRIGHT(x,19) ^ ((x) >> 10))
-
-/**************************** VARIABLES *****************************/
-static const WORD k[64] = {
-			   0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
-			   0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
-			   0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
-			   0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
-			   0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
-			   0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
-			   0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
-			   0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
-};
-
-/*********************** FUNCTION DEFINITIONS ***********************/
-static void sha256_transform(SHA256_CTX *ctx, const BYTE data[])
-{
-  WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64];
-  
-  for (i = 0, j = 0; i < 16; ++i, j += 4)
-    m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]);
-  for ( ; i < 64; ++i)
-    m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16];
-
-  a = ctx->state[0];
-  b = ctx->state[1];
-  c = ctx->state[2];
-  d = ctx->state[3];
-  e = ctx->state[4];
-  f = ctx->state[5];
-  g = ctx->state[6];
-  h = ctx->state[7];
-
-  for (i = 0; i < 64; ++i)
-    {
-      t1 = h + EP1(e) + CH(e,f,g) + k[i] + m[i];
-      t2 = EP0(a) + MAJ(a,b,c);
-      h = g;
-      g = f;
-      f = e;
-      e = d + t1;
-      d = c;
-      c = b;
-      b = a;
-      a = t1 + t2;
-    }
-  
-  ctx->state[0] += a;
-  ctx->state[1] += b;
-  ctx->state[2] += c;
-  ctx->state[3] += d;
-  ctx->state[4] += e;
-  ctx->state[5] += f;
-  ctx->state[6] += g;
-  ctx->state[7] += h;
-}
-
-static void sha256_init(SHA256_CTX *ctx)
-{
-  ctx->datalen = 0;
-  ctx->bitlen = 0;
-  ctx->state[0] = 0x6a09e667;
-  ctx->state[1] = 0xbb67ae85;
-  ctx->state[2] = 0x3c6ef372;
-  ctx->state[3] = 0xa54ff53a;
-  ctx->state[4] = 0x510e527f;
-  ctx->state[5] = 0x9b05688c;
-  ctx->state[6] = 0x1f83d9ab;
-  ctx->state[7] = 0x5be0cd19;
-}
-
-static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len)
-{
-  WORD i;
-  
-  for (i = 0; i < len; ++i)
-    {
-      ctx->data[ctx->datalen] = data[i];
-      ctx->datalen++;
-      if (ctx->datalen == 64) {
-	sha256_transform(ctx, ctx->data);
-	ctx->bitlen += 512;
-	ctx->datalen = 0;
-      }
-    }
-}
-
-static void sha256_final(SHA256_CTX *ctx, BYTE hash[])
-{
-  WORD i;
-  
-  i = ctx->datalen;
-
-  /* Pad whatever data is left in the buffer. */
-  if (ctx->datalen < 56)
-    {
-      ctx->data[i++] = 0x80;
-      while (i < 56)
-	ctx->data[i++] = 0x00;
-    }
-  else
-    {
-      ctx->data[i++] = 0x80;
-      while (i < 64)
-	ctx->data[i++] = 0x00;
-      sha256_transform(ctx, ctx->data);
-      memset(ctx->data, 0, 56);
-    }
-  
-  /* Append to the padding the total message's length in bits and transform. */
-  ctx->bitlen += ctx->datalen * 8;
-  ctx->data[63] = ctx->bitlen;
-  ctx->data[62] = ctx->bitlen >> 8;
-  ctx->data[61] = ctx->bitlen >> 16;
-  ctx->data[60] = ctx->bitlen >> 24;
-  ctx->data[59] = ctx->bitlen >> 32;
-  ctx->data[58] = ctx->bitlen >> 40;
-  ctx->data[57] = ctx->bitlen >> 48;
-  ctx->data[56] = ctx->bitlen >> 56;
-  sha256_transform(ctx, ctx->data);
-  
-  /* Since this implementation uses little endian byte ordering and SHA uses big endian,
-     reverse all the bytes when copying the final state to the output hash. */
-  for (i = 0; i < 4; ++i)
-    {
-      hash[i]      = (ctx->state[0] >> (24 - i * 8)) & 0x000000ff;
-      hash[i + 4]  = (ctx->state[1] >> (24 - i * 8)) & 0x000000ff;
-      hash[i + 8]  = (ctx->state[2] >> (24 - i * 8)) & 0x000000ff;
-      hash[i + 12] = (ctx->state[3] >> (24 - i * 8)) & 0x000000ff;
-      hash[i + 16] = (ctx->state[4] >> (24 - i * 8)) & 0x000000ff;
-      hash[i + 20] = (ctx->state[5] >> (24 - i * 8)) & 0x000000ff;
-      hash[i + 24] = (ctx->state[6] >> (24 - i * 8)) & 0x000000ff;
-      hash[i + 28] = (ctx->state[7] >> (24 - i * 8)) & 0x000000ff;
-    }
-}
-
-#endif

src/helper.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -196,7 +196,7 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	}
       
       /* we read zero bytes when pipe closed: this is our signal to exit */ 
-      if (!read_write(pipefd[0], (unsigned char *)&data, sizeof(data), 1))
+      if (!read_write(pipefd[0], (unsigned char *)&data, sizeof(data), RW_READ))
 	{
 #ifdef HAVE_LUASCRIPT
 	  if (daemon->luascript)
@@ -258,7 +258,7 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 	continue;
       
       if (!read_write(pipefd[0], buf, 
-		      data.hostname_len + data.ed_len + data.clid_len, 1))
+		      data.hostname_len + data.ed_len + data.clid_len, RW_READ))
 	continue;
 
       /* CLID into packet */

src/inotify.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
  
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -94,7 +94,7 @@ void inotify_dnsmasq_init()
   if (daemon->inotifyfd == -1)
     die(_("failed to create inotify: %s"), NULL, EC_MISC);
 
-  if (option_bool(OPT_NO_RESOLV))
+  if (daemon->port == 0 || option_bool(OPT_NO_RESOLV))
     return;
   
   for (res = daemon->resolv_files; res; res = res->next)

src/ip6addr.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/ipset.c

@@ -75,11 +75,11 @@ static char *buffer;
 
 static inline void add_attr(struct nlmsghdr *nlh, uint16_t type, size_t len, const void *data)
 {
-  struct my_nlattr *attr = (void *)nlh + NL_ALIGN(nlh->nlmsg_len);
+  struct my_nlattr *attr = (struct my_nlattr *)((u8 *)nlh + NL_ALIGN(nlh->nlmsg_len));
   uint16_t payload_len = NL_ALIGN(sizeof(struct my_nlattr)) + len;
   attr->nla_type = type;
   attr->nla_len = payload_len;
-  memcpy((void *)attr + NL_ALIGN(sizeof(struct my_nlattr)), data, len);
+  memcpy((u8 *)attr + NL_ALIGN(sizeof(struct my_nlattr)), data, len);
   nlh->nlmsg_len += NL_ALIGN(payload_len);
 }
 
@@ -138,8 +138,8 @@ static int new_add_to_ipset(const char *setname, const union all_addr *ipaddr, i
   add_attr(nlh, 
 	   (af == AF_INET ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6) | NLA_F_NET_BYTEORDER,
 	   addrsz, ipaddr);
-  nested[1]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[1];
-  nested[0]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[0];
+  nested[1]->nla_len = (u8 *)buffer + NL_ALIGN(nlh->nlmsg_len) - (u8 *)nested[1];
+  nested[0]->nla_len = (u8 *)buffer + NL_ALIGN(nlh->nlmsg_len) - (u8 *)nested[0];
 	
   while (retry_send(sendto(ipset_sock, buffer, nlh->nlmsg_len, 0,
 			   (struct sockaddr *)&snl, sizeof(snl))));

src/lease.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -15,7 +15,6 @@
 */
 
 #include "dnsmasq.h"
-
 #ifdef HAVE_DHCP
 
 static struct dhcp_lease *leases = NULL, *old_leases = NULL;
@@ -28,8 +27,7 @@ static int read_leases(time_t now, FILE *leasestream)
   struct dhcp_lease *lease;
   int clid_len, hw_len, hw_type;
   int items;
-  char *domain = NULL;
-
+ 
   *daemon->dhcp_buff3 = *daemon->dhcp_buff2 = '\0';
 
   /* client-id max length is 255 which is 255*2 digits + 254 colons
@@ -69,8 +67,8 @@ static int read_leases(time_t now, FILE *leasestream)
 		
 	if (inet_pton(AF_INET, daemon->namebuff, &addr.addr4))
 	  {
-	    if ((lease = lease4_allocate(addr.addr4)))
-	      domain = get_domain(lease->addr);
+	    lease = lease4_allocate(addr.addr4);
+	    
 	    
 	    hw_len = parse_hex(daemon->dhcp_buff2, (unsigned char *)daemon->dhcp_buff2, DHCP_CHADDR_MAX, NULL, &hw_type);
 	    /* For backwards compatibility, no explicit MAC address type means ether. */
@@ -90,10 +88,7 @@ static int read_leases(time_t now, FILE *leasestream)
 	      }
 	    
 	    if ((lease = lease6_allocate(&addr.addr6, lease_type)))
-	      {
-		lease_set_iaid(lease, strtoul(s, NULL, 10));
-		domain = get_domain6(&lease->addr6);
-	      }
+	      lease_set_iaid(lease, strtoul(s, NULL, 10));
 	  }
 #endif
 	else
@@ -114,7 +109,7 @@ static int read_leases(time_t now, FILE *leasestream)
 			 hw_len, hw_type, clid_len, now, 0);
 	
 	if (strcmp(daemon->dhcp_buff, "*") !=  0)
-	  lease_set_hostname(lease, daemon->dhcp_buff, 0, domain, NULL);
+	  lease_set_hostname(lease, daemon->dhcp_buff, 0, NULL, NULL);
 
 	ei = atol(daemon->dhcp_buff3);
 
@@ -155,6 +150,10 @@ void lease_init(time_t now)
 #ifdef HAVE_SCRIPT
       if (daemon->lease_change_command)
 	{
+	  /* 6 == strlen(" init") plus terminator */
+	  if (strlen(daemon->lease_change_command) + 6 > DHCP_BUFF_SZ)
+	    die(_("lease-change script name is too long"), NULL, EC_FILE);
+	  
 	  strcpy(daemon->dhcp_buff, daemon->lease_change_command);
 	  strcat(daemon->dhcp_buff, " init");
 	  leasestream = popen(daemon->dhcp_buff, "r");
@@ -412,7 +411,7 @@ static int find_interface_v4(struct in_addr local, int if_index, char *label,
 #ifdef HAVE_DHCP6
 static int find_interface_v6(struct in6_addr *local,  int prefix,
 			     int scope, int if_index, int flags, 
-			     int preferred, int valid, void *vparam)
+			     unsigned int preferred, unsigned int valid, void *vparam)
 {
   struct dhcp_lease *lease;
 
@@ -469,9 +468,9 @@ void lease_find_interfaces(time_t now)
   for (lease = leases; lease; lease = lease->next)
     lease->new_prefixlen = lease->new_interface = 0;
 
-  iface_enumerate(AF_INET, &now, find_interface_v4);
+  iface_enumerate(AF_INET, &now, (callback_t){.af_inet=find_interface_v4});
 #ifdef HAVE_DHCP6
-  iface_enumerate(AF_INET6, &now, find_interface_v6);
+  iface_enumerate(AF_INET6, &now, (callback_t){.af_inet6=find_interface_v6});
 #endif
 
   for (lease = leases; lease; lease = lease->next)
@@ -946,6 +945,36 @@ static void kill_name(struct dhcp_lease *lease)
   lease->hostname = lease->fqdn = NULL;
 }
 
+void lease_calc_fqdns(void)
+{
+  struct dhcp_lease *lease;
+  
+  for (lease = leases; lease; lease = lease->next)
+    {
+      char *domain;
+
+      if (lease->hostname)
+	{
+#ifdef HAVE_DHCP6
+	  if (lease->flags & (LEASE_TA | LEASE_NA))
+	    domain = get_domain6(&lease->addr6);
+	  else
+#endif
+	    domain = get_domain(lease->addr);
+	  
+	  if (domain)
+	    {
+	      /* This is called only during startup, before forking, hence safe_malloc() */
+	      lease->fqdn = safe_malloc(strlen(lease->hostname) + strlen(domain) + 2);
+	      
+	      strcpy(lease->fqdn, lease->hostname);
+	      strcat(lease->fqdn, ".");
+	      strcat(lease->fqdn, domain);
+	    }
+	}
+    }
+}
+	  
 void lease_set_hostname(struct dhcp_lease *lease, const char *name, int auth, char *domain, char *config_domain)
 {
   struct dhcp_lease *lease_tmp;

src/log.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/loop.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -19,7 +19,7 @@
 #ifdef HAVE_LOOP
 static ssize_t loop_make_probe(u32 uid);
 
-void loop_send_probes()
+void loop_send_probes(void)
 {
    struct server *serv;
    struct randfd_list *rfds = NULL;
@@ -92,7 +92,7 @@ int detect_loop(char *query, int type)
     return 0;
 
   for (i = 0; i < 8; i++)
-    if (!isxdigit(query[i]))
+    if (!isxdigit((unsigned char)query[i]))
       return 0;
 
   uid = strtol(query, NULL, 16);

src/metrics.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -24,6 +24,9 @@ const char * metric_names[] = {
     "dns_local_answered",
     "dns_stale_answered",
     "dns_unanswered",
+    "dnssec_max_crypto_use",
+    "dnssec_max_sig_fail",
+    "dnssec_max_work",
     "bootp",
     "pxe",
     "dhcp_ack",
@@ -39,6 +42,7 @@ const char * metric_names[] = {
     "leases_pruned_4",
     "leases_allocated_6",
     "leases_pruned_6",
+    "tcp_connections",
 };
 
 const char* get_metric_name(int i) {

src/metrics.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -23,6 +23,9 @@ enum {
   METRIC_DNS_LOCAL_ANSWERED,
   METRIC_DNS_STALE_ANSWERED,
   METRIC_DNS_UNANSWERED_QUERY,
+  METRIC_CRYPTO_HWM,
+  METRIC_SIG_FAIL_HWM,
+  METRIC_WORK_HWM,
   METRIC_BOOTP,
   METRIC_PXE,
   METRIC_DHCPACK,
@@ -38,6 +41,7 @@ enum {
   METRIC_LEASES_PRUNED_4,
   METRIC_LEASES_ALLOCATED_6,
   METRIC_LEASES_PRUNED_6,
+  METRIC_TCP_CONNECTIONS,
   
   __METRIC_MAX,
 };

src/netlink.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -151,7 +151,7 @@ static ssize_t netlink_recv(int flags)
    family = AF_LOCAL finds MAC addresses.
    returns 0 on failure, 1 on success, -1 when restart is required
 */
-int iface_enumerate(int family, void *parm, int (*callback)())
+int iface_enumerate(int family, void *parm, callback_t callback)
 {
   struct sockaddr_nl addr;
   struct nlmsghdr *h;
@@ -247,7 +247,7 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 		      }
 		    
 		    if (addr.s_addr && callback_ok)
-		      if (!((*callback)(addr, ifa->ifa_index, label,  netmask, broadcast, parm)))
+		      if (!callback.af_inet(addr, ifa->ifa_index, label,  netmask, broadcast, parm))
 			callback_ok = 0;
 		  }
 		else if (ifa->ifa_family == AF_INET6)
@@ -288,9 +288,9 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 		      flags |= IFACE_PERMANENT;
     		    
 		    if (addrp && callback_ok)
-		      if (!((*callback)(addrp, (int)(ifa->ifa_prefixlen), (int)(ifa->ifa_scope), 
+		      if (!callback.af_inet6(addrp, (int)(ifa->ifa_prefixlen), (int)(ifa->ifa_scope), 
 					(int)(ifa->ifa_index), flags, 
-					(int) preferred, (int)valid, parm)))
+					(unsigned int)preferred, (unsigned int)valid, parm))
 			callback_ok = 0;
 		  }
 	      }
@@ -318,7 +318,7 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 
 	    if (!(neigh->ndm_state & (NUD_NOARP | NUD_INCOMPLETE | NUD_FAILED)) &&
 		inaddr && mac && callback_ok)
-	      if (!((*callback)(neigh->ndm_family, inaddr, mac, maclen, parm)))
+	      if (!callback.af_unspec(neigh->ndm_family, inaddr, mac, maclen, parm))
 		callback_ok = 0;
 	  }
 #ifdef HAVE_DHCP6
@@ -342,7 +342,7 @@ int iface_enumerate(int family, void *parm, int (*callback)())
 	      }
 
 	    if (mac && callback_ok && !((link->ifi_flags & (IFF_LOOPBACK | IFF_POINTOPOINT))) && 
-		!((*callback)((int)link->ifi_index, (unsigned int)link->ifi_type, mac, maclen, parm)))
+		!callback.af_local((int)link->ifi_index, (unsigned int)link->ifi_type, mac, maclen, parm))
 	      callback_ok = 0;
 	  }
 #endif

src/network.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -123,7 +123,10 @@ int iface_check(int family, union all_addr *addr, char *name, int *auth)
 
       for (tmp = daemon->if_names; tmp; tmp = tmp->next)
 	if (tmp->name && wildcard_match(tmp->name, name))
-	  ret = tmp->used = 1;
+	  {
+	    tmp->flags |= INAME_USED;
+	    ret = 1;
+	  }
 	        
       if (addr)
 	for (tmp = daemon->if_addrs; tmp; tmp = tmp->next)
@@ -131,11 +134,17 @@ int iface_check(int family, union all_addr *addr, char *name, int *auth)
 	    {
 	      if (family == AF_INET &&
 		  tmp->addr.in.sin_addr.s_addr == addr->addr4.s_addr)
-		ret = match_addr = tmp->used = 1;
+		{
+		  tmp->flags |= INAME_USED;
+		  ret = match_addr = 1;
+		}
 	      else if (family == AF_INET6 &&
 		       IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr, 
 					  &addr->addr6))
-		ret = match_addr = tmp->used = 1;
+		{
+		  tmp->flags |= INAME_USED;
+		  ret = match_addr = 1;
+		}
 	    }          
     }
   
@@ -235,7 +244,8 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
   int loopback;
   struct ifreq ifr;
   int tftp_ok = !!option_bool(OPT_TFTP);
-  int dhcp_ok = 1;
+  int dhcp4_ok = 1;
+  int dhcp6_ok = 1;
   int auth_dns = 0;
   int is_label = 0;
 #if defined(HAVE_DHCP) || defined(HAVE_TFTP)
@@ -251,7 +261,7 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
   loopback = ifr.ifr_flags & IFF_LOOPBACK;
   
   if (loopback)
-    dhcp_ok = 0;
+    dhcp4_ok = dhcp6_ok = 0;
   
   if (!label)
     label = ifr.ifr_name;
@@ -359,13 +369,8 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
 		struct in_addr newaddr = addr->in.sin_addr;
 		
 		if (int_name->flags & INP4)
-		  {
-		    if (netmask.s_addr == 0xffffffff)
-		      continue;
-
-		    newaddr.s_addr = (addr->in.sin_addr.s_addr & netmask.s_addr) |
-		      (int_name->proto4.s_addr & ~netmask.s_addr);
-		  }
+		  newaddr.s_addr = (addr->in.sin_addr.s_addr & netmask.s_addr) |
+		    (int_name->proto4.s_addr & ~netmask.s_addr);
 		
 		/* check for duplicates. */
 		for (lp = int_name->addr; lp; lp = lp->next)
@@ -398,10 +403,6 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
 		  {
 		    int i;
 
-		    /* No sense in doing /128. */
-		    if (prefixlen == 128)
-		      continue;
-		    
 		    for (i = 0; i < 16; i++)
 		      {
 			int bits = ((i+1)*8) - prefixlen;
@@ -510,7 +511,7 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
 	  if ((lo->name = whine_malloc(strlen(ifr.ifr_name)+1)))
 	    {
 	      strcpy(lo->name, ifr.ifr_name);
-	      lo->used = 1;
+	      lo->flags |= INAME_USED;
 	      lo->next = daemon->if_names;
 	      daemon->if_names = lo;
 	    }
@@ -532,14 +533,17 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
   if (auth_dns)
     {
       tftp_ok = 0;
-      dhcp_ok = 0;
+      dhcp4_ok = dhcp6_ok = 0;
     }
   else
     for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
       if (tmp->name && wildcard_match(tmp->name, ifr.ifr_name))
 	{
 	  tftp_ok = 0;
-	  dhcp_ok = 0;
+	  if (tmp->flags & INAME_4)
+	    dhcp4_ok = 0;
+	  if (tmp->flags & INAME_6)
+	    dhcp6_ok = 0;
 	}
 #endif
  
@@ -566,7 +570,8 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
       iface->addr = *addr;
       iface->netmask = netmask;
       iface->tftp_ok = tftp_ok;
-      iface->dhcp_ok = dhcp_ok;
+      iface->dhcp4_ok = dhcp4_ok;
+      iface->dhcp6_ok = dhcp6_ok;
       iface->dns_auth = auth_dns;
       iface->mtu = mtu;
       iface->dad = !!(iface_flags & IFACE_TENTATIVE);
@@ -591,7 +596,7 @@ static int iface_allowed(struct iface_param *param, int if_index, char *label,
 
 static int iface_allowed_v6(struct in6_addr *local, int prefix, 
 			    int scope, int if_index, int flags, 
-			    int preferred, int valid, void *vparam)
+			    unsigned int preferred, unsigned int valid, void *vparam)
 {
   union mysockaddr addr;
   struct in_addr netmask; /* dummy */
@@ -642,7 +647,7 @@ static int iface_allowed_v4(struct in_addr local, int if_index, char *label,
 /*
  * Clean old interfaces no longer found.
  */
-static void clean_interfaces()
+static void clean_interfaces(void)
 {
   struct irec *iface;
   struct irec **up = &daemon->interfaces;
@@ -828,12 +833,12 @@ again:
 
   param.spare = spare;
   
-  ret = iface_enumerate(AF_INET6, &param, iface_allowed_v6);
+  ret = iface_enumerate(AF_INET6, &param, (callback_t){.af_inet6=iface_allowed_v6});
   if (ret < 0)
     goto again;
   else if (ret)
     {
-      ret = iface_enumerate(AF_INET, &param, iface_allowed_v4);
+      ret = iface_enumerate(AF_INET, &param, (callback_t){.af_inet=iface_allowed_v4});
       if (ret < 0)
 	goto again;
     }
@@ -915,15 +920,24 @@ static int make_sock(union mysockaddr *addr, int type, int dienow)
 	
       errno = errsave;
 
-      if (dienow)
+      /* Failure to bind addresses given by --listen-address at this point
+	 because there's no interface with the address is OK if we're doing bind-dynamic.
+	 If/when an interface is created with the relevant address we'll notice
+	 and attempt to bind it then. This is in the generic error path so we  close the socket,
+	 but EADDRNOTAVAIL is only a possible error from bind() 
+	 
+	 When a new address is created and we call this code again (dienow == 0) there
+	 may still be configured addresses when don't exist, (consider >1 --listen-address,
+	 when the first is created, the second will still be missing) so we suppress
+	 EADDRNOTAVAIL even in that case to avoid confusing log entries.
+      */
+      if (!option_bool(OPT_CLEVERBIND) || errno != EADDRNOTAVAIL)
 	{
-	  /* failure to bind addresses given by --listen-address at this point
-	     is OK if we're doing bind-dynamic */
-	  if (!option_bool(OPT_CLEVERBIND))
+	  if (dienow)
 	    die(s, daemon->addrbuff, EC_BADNET);
+	  else
+	    my_syslog(LOG_WARNING, s, daemon->addrbuff, strerror(errno));
 	}
-      else
-	my_syslog(LOG_WARNING, s, daemon->addrbuff, strerror(errno));
       
       return -1;
     }	
@@ -1207,7 +1221,7 @@ void create_bound_listeners(int dienow)
      (no netmask) and some MTU login the tftp code. */
 
   for (if_tmp = daemon->if_addrs; if_tmp; if_tmp = if_tmp->next)
-    if (!if_tmp->used && 
+    if (!(if_tmp->flags & INAME_USED) && 
 	(new = create_listeners(&if_tmp->addr, !!option_bool(OPT_TFTP), dienow)))
       {
 	new->next = daemon->listeners;
@@ -1295,7 +1309,7 @@ void join_multicast(int dienow)
   struct irec *iface, *tmp;
 
   for (iface = daemon->interfaces; iface; iface = iface->next)
-    if (iface->addr.sa.sa_family == AF_INET6 && iface->dhcp_ok && !iface->multicast_done)
+    if (iface->addr.sa.sa_family == AF_INET6 && iface->dhcp6_ok && !iface->multicast_done)
       {
 	/* There's an irec per address but we only want to join for multicast 
 	   once per interface. Weed out duplicates. */
@@ -1365,7 +1379,7 @@ int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifind
   /* cannot set source _port_ for TCP connections. */
   if (is_tcp)
     port = 0;
-  else if (port == 0 && daemon->max_port != 0)
+  else if (port == 0 && daemon->max_port != 0 && daemon->max_port >= daemon->min_port)
     {
       /* Bind a random port within the range given by min-port and max-port if either
 	 or both are set. Otherwise use the OS's random ephemeral port allocation by
@@ -1573,37 +1587,6 @@ void check_servers(int no_loop_check)
 
   for (count = 0, serv = daemon->servers; serv; serv = serv->next)
     {
-      /* Init edns_pktsz for newly created server records. */
-      if (serv->edns_pktsz == 0)
-	serv->edns_pktsz = daemon->edns_pktsz;
-      
-#ifdef HAVE_DNSSEC
-      if (option_bool(OPT_DNSSEC_VALID))
-	{ 
-	  if (!(serv->flags & SERV_FOR_NODOTS))
-	    serv->flags |= SERV_DO_DNSSEC;
-	  
-	  /* Disable DNSSEC validation when using server=/domain/.... servers
-	     unless there's a configured trust anchor. */
-	  if (strlen(serv->domain) != 0)
-	    {
-	      struct ds_config *ds;
-	      char *domain = serv->domain;
-	      
-	      /* .example.com is valid */
-	      while (*domain == '.')
-		domain++;
-	      
-	      for (ds = daemon->ds; ds; ds = ds->next)
-		if (ds->name[0] != 0 && hostname_isequal(domain, ds->name))
-		  break;
-	      
-	      if (!ds)
-		serv->flags &= ~SERV_DO_DNSSEC;
-	    }
-	}
-#endif
-      
       port = prettyprint_addr(&serv->addr, daemon->namebuff);
       
       /* 0.0.0.0 is nothing, the stack treats it like 127.0.0.1 */
@@ -1649,10 +1632,6 @@ void check_servers(int no_loop_check)
 	{
 	  char *s1, *s2, *s3 = "", *s4 = "";
 
-#ifdef HAVE_DNSSEC
-	  if (option_bool(OPT_DNSSEC_VALID) && !(serv->flags & SERV_DO_DNSSEC))
-	    s3 = _("(no DNSSEC)");
-#endif
 	  if (serv->flags & SERV_FOR_NODOTS)
 	    s1 = _("unqualified"), s2 = _("names");
 	  else if (strlen(serv->domain) == 0)

src/nftset.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -43,7 +43,8 @@ int add_to_nftset(const char *setname, const union all_addr *ipaddr, int flags,
   const char *cmd = remove ? cmd_del : cmd_add;
   int ret, af = (flags & F_IPV4) ? AF_INET : AF_INET6;
   size_t new_sz;
-  char *new, *err, *nl;
+  char *err_str, *new, *nl;
+  const char *err;
   static char *cmd_buf = NULL;
   static size_t cmd_buf_sz = 0;
 
@@ -78,14 +79,19 @@ int add_to_nftset(const char *setname, const union all_addr *ipaddr, int flags,
     }
 
   ret = nft_run_cmd_from_buffer(ctx, cmd_buf);
-  err = (char *)nft_ctx_get_error_buffer(ctx);
+  err = nft_ctx_get_error_buffer(ctx);
 
   if (ret != 0)
     {
       /* Log only first line of error return. */
-      if ((nl = strchr(err, '\n')))
-	*nl = 0;
-      my_syslog(LOG_ERR,  "nftset %s %s", setname, err);
+      if ((err_str = whine_malloc(strlen(err) + 1)))
+	{
+	  strcpy(err_str, err);
+	  if ((nl = strchr(err_str, '\n')))
+	    *nl = 0;
+	  my_syslog(LOG_ERR,  "nftset %s %s", setname, err_str);
+	  free(err_str);
+	}
     }
   
   return ret;

src/outpacket.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -23,7 +23,7 @@ static size_t outpacket_counter;
 
 void end_opt6(int container)
 {
-   void *p = daemon->outpacket.iov_base + container + 2;
+   uint8_t *p = (uint8_t *)daemon->outpacket.iov_base + container + 2;
    u16 len = outpacket_counter - container - 4 ;
    
    PUTSHORT(len, p);
@@ -50,11 +50,11 @@ int save_counter(int newval)
 
 void *expand(size_t headroom)
 {
-  void *ret;
+  uint8_t *ret;
 
   if (expand_buf(&daemon->outpacket, outpacket_counter + headroom))
     {
-      ret = daemon->outpacket.iov_base + outpacket_counter;
+      ret = (uint8_t *)daemon->outpacket.iov_base + outpacket_counter;
       outpacket_counter += headroom;
       return ret;
     }
@@ -65,7 +65,7 @@ void *expand(size_t headroom)
 int new_opt6(int opt)
 {
   int ret = outpacket_counter;
-  void *p;
+  unsigned char *p;
 
   if ((p = expand(4)))
     {
@@ -88,7 +88,7 @@ void *put_opt6(void *data, size_t len)
   
 void put_opt6_long(unsigned int val)
 {
-  void *p;
+  unsigned char *p;
   
   if ((p = expand(4)))  
     PUTLONG(val, p);
@@ -96,7 +96,7 @@ void put_opt6_long(unsigned int val)
 
 void put_opt6_short(unsigned int val)
 {
-  void *p;
+  uint8_t *p;
 
   if ((p = expand(2)))
     PUTSHORT(val, p);   

src/pattern.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/poll.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/radv-protocol.h

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/radv.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -58,7 +58,7 @@ static int add_prefixes(struct in6_addr *local,  int prefix,
 			unsigned int preferred, unsigned int valid, void *vparam);
 static int iface_search(struct in6_addr *local,  int prefix,
 			int scope, int if_index, int flags, 
-			int prefered, int valid, void *vparam);
+			unsigned int prefered, unsigned int valid, void *vparam);
 static int add_lla(int index, unsigned int type, char *mac, size_t maclen, void *parm);
 static void new_timeout(struct dhcp_context *context, char *iface_name, time_t now);
 static unsigned int calc_lifetime(struct ra_interface *ra);
@@ -186,7 +186,8 @@ void icmp6_packet(time_t now)
     return;
   
   for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-    if (tmp->name && wildcard_match(tmp->name, interface))
+    if (tmp->name && (tmp->flags & INAME_6) &&
+	wildcard_match(tmp->name, interface))
       return;
  
   if (packet[1] != 0)
@@ -306,7 +307,7 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
 
   /* If no link-local address then we can't advertise since source address of
      advertisement must be link local address: RFC 4861 para 6.1.2. */
-  if (!iface_enumerate(AF_INET6, &parm, add_prefixes) ||
+  if (!iface_enumerate(AF_INET6, &parm, (callback_t){.af_inet6=add_prefixes}) ||
       parm.link_pref_time == 0)
     return;
 
@@ -448,10 +449,10 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
       put_opt6_long(mtu);
     }
      
-  iface_enumerate(AF_LOCAL, &send_iface, add_lla);
+  iface_enumerate(AF_LOCAL, &send_iface, (callback_t){.af_local=add_lla});
  
   /* RDNSS, RFC 6106, use relevant DHCP6 options */
-  (void)option_filter(parm.tags, NULL, daemon->dhcp_opts6);
+  (void)option_filter(parm.tags, NULL, daemon->dhcp_opts6, 0);
   
   for (opt_cfg = daemon->dhcp_opts6; opt_cfg; opt_cfg = opt_cfg->next)
     {
@@ -822,7 +823,7 @@ time_t periodic_ra(time_t now)
 	  param.iface = context->if_index;
 	  new_timeout(context, param.name, now);
 	}
-      else if (iface_enumerate(AF_INET6, &param, iface_search))
+      else if (iface_enumerate(AF_INET6, &param, (callback_t){.af_inet6=iface_search}))
 	/* There's a context overdue, but we can't find an interface
 	   associated with it, because it's for a subnet we dont 
 	   have an interface on. Probably we're doing DHCP on
@@ -835,7 +836,8 @@ time_t periodic_ra(time_t now)
 	{
 	  struct iname *tmp;
 	  for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-	    if (tmp->name && wildcard_match(tmp->name, param.name))
+	    if (tmp->name && (tmp->flags & INAME_6) &&
+		wildcard_match(tmp->name, param.name))
 	      break;
 	  if (!tmp)
             {
@@ -854,7 +856,7 @@ time_t periodic_ra(time_t now)
                     aparam.iface = param.iface;
                     aparam.alias_ifs = NULL;
                     aparam.num_alias_ifs = 0;
-                    iface_enumerate(AF_LOCAL, &aparam, send_ra_to_aliases);
+                    iface_enumerate(AF_LOCAL, &aparam, (callback_t){.af_local=send_ra_to_aliases});
                     my_syslog(MS_DHCP | LOG_INFO, "RTR-ADVERT(%s) %s => %d alias(es)",
                               param.name, daemon->addrbuff, aparam.num_alias_ifs);
 
@@ -869,7 +871,7 @@ time_t periodic_ra(time_t now)
                            those. */
                         aparam.max_alias_ifs = aparam.num_alias_ifs;
                         aparam.num_alias_ifs = 0;
-                        iface_enumerate(AF_LOCAL, &aparam, send_ra_to_aliases);
+                        iface_enumerate(AF_LOCAL, &aparam, (callback_t){.af_local=send_ra_to_aliases});
                         for (; aparam.num_alias_ifs; aparam.num_alias_ifs--)
                           {
                             my_syslog(MS_DHCP | LOG_INFO, "RTR-ADVERT(%s) %s => i/f %d",
@@ -918,7 +920,7 @@ static int send_ra_to_aliases(int index, unsigned int type, char *mac, size_t ma
 
 static int iface_search(struct in6_addr *local,  int prefix,
 			int scope, int if_index, int flags, 
-			int preferred, int valid, void *vparam)
+			unsigned int preferred, unsigned int valid, void *vparam)
 {
   struct search_param *param = vparam;
   struct dhcp_context *context;
@@ -934,7 +936,8 @@ static int iface_search(struct in6_addr *local,  int prefix,
     return 1;
 
   for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-    if (tmp->name && wildcard_match(tmp->name, param->name))
+    if (tmp->name && (tmp->flags & INAME_6) &&
+	wildcard_match(tmp->name, param->name))
       return 1;
 
   for (context = daemon->dhcp6; context; context = context->next)

src/rfc2131.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -40,6 +40,7 @@ static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt
 static size_t dhcp_packet_size(struct dhcp_packet *mess, unsigned char *agent_id, unsigned char *real_end);
 static void clear_packet(struct dhcp_packet *mess, unsigned char *end);
 static int in_list(unsigned char *list, int opt);
+static unsigned char *free_space(struct dhcp_packet *mess, unsigned char *end, int opt, int len);
 static void do_options(struct dhcp_context *context,
 		       struct dhcp_packet *mess,
 		       unsigned char *end,
@@ -67,6 +68,8 @@ struct dhcp_boot *find_boot(struct dhcp_netid *netid);
 static int pxe_uefi_workaround(int pxe_arch, struct dhcp_netid *netid, struct dhcp_packet *mess, struct in_addr local, time_t now, int pxe);
 static void apply_delay(u32 xid, time_t recvtime, struct dhcp_netid *netid);
 static int is_pxe_client(struct dhcp_packet *mess, size_t sz, const char **pxe_vendor);
+static int do_opt(struct dhcp_opt *opt, unsigned char *p, struct dhcp_context *context, int null_term);
+static void handle_encap(struct dhcp_packet *mess, unsigned char *end, unsigned char *req_options, int null_term, struct dhcp_netid *tagif, int pxemode);
 
 size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		  size_t sz, time_t now, int unicast_dest, int loopback,
@@ -931,6 +934,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 	  opt71.next = daemon->dhcp_opts;
 	  do_encap_opts(&opt71, OPTION_VENDOR_CLASS_OPT, DHOPT_VENDOR_MATCH, mess, end, 0);
 	  
+	  daemon->metrics[METRIC_PXE]++;
 	  log_packet("PXE", &mess->yiaddr, emac, emac_len, iface_name, (char *)mess->file, NULL, mess->xid);
 	  log_tags(tagif_netid, ntohl(mess->xid));
 	  return dhcp_packet_size(mess, agent_id, real_end);	  
@@ -955,13 +959,10 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		{
 		  struct dhcp_boot *boot;
 		  int redirect4011 = 0;
+		  struct dhcp_opt *option;
 
-		  if (tmp->netid.net)
-		    {
-		      tmp->netid.next = netid;
-		      tagif_netid = run_tag_if(&tmp->netid);
-		    }
-		  
+		  /* OK only dhcp-option-pxe options. */
+		  tagif_netid = option_filter(netid, tmp->netid.net ? &tmp->netid : NULL, daemon->dhcp_opts, 2);
 		  boot = find_boot(tagif_netid);
 		  
 		  mess->yiaddr.s_addr = 0;
@@ -1004,7 +1005,24 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
 		  prune_vendor_opts(tagif_netid);
 		  if ((pxe && !workaround) || !redirect4011)
 		    do_encap_opts(pxe_opts(pxearch, tagif_netid, tmp->local, now), OPTION_VENDOR_CLASS_OPT, DHOPT_VENDOR_MATCH, mess, end, 0);
-	    
+
+		  /* dhcp-option-pxe ONLY */
+		  for (option = daemon->dhcp_opts; option; option = option->next)
+		    {
+		      int len;
+		      unsigned char *p;
+		      
+		      if (!(option->flags & DHOPT_TAGOK))
+			continue;
+		      
+		      len = do_opt(option, NULL, tmp, borken_opt);
+
+		      if ((p = free_space(mess, end, option->opt, len)))
+			do_opt(option, p, tmp, borken_opt);
+		    }
+
+		  handle_encap(mess, end, req_options, borken_opt, tagif_netid, 2);
+		  
 		  daemon->metrics[METRIC_PXE]++;
 		  log_packet("PXE", NULL, emac, emac_len, iface_name, ignore ? "proxy-ignored" : "proxy", NULL, mess->xid);
 		  log_tags(tagif_netid, ntohl(mess->xid));
@@ -1678,7 +1696,7 @@ static int sanitise(unsigned char *opt, char *buf)
   for (i = option_len(opt); i > 0; i--)
     {
       char c = *p++;
-      if (isprint((int)c))
+      if (isprint((unsigned char)c))
 	*buf++ = c;
     }
   *buf = 0; /* add terminator */
@@ -2409,7 +2427,7 @@ static void do_options(struct dhcp_context *context,
   /* filter options based on tags, those we want get DHOPT_TAGOK bit set */
   if (context)
     context->netid.next = NULL;
-  tagif = option_filter(netid, context && context->netid.net ? &context->netid : NULL, config_opts);
+  tagif = option_filter(netid, context && context->netid.net ? &context->netid : NULL, config_opts, pxe_arch != -1);
 	
   /* logging */
   if (option_bool(OPT_LOG_OPTS) && req_options)
@@ -2699,19 +2717,55 @@ static void do_options(struct dhcp_context *context,
 	}  
     }
 
-  /* Now send options to be encapsulated in arbitrary options, 
+  /* encapsulated options. */
+  handle_encap(mess, end, req_options, null_term, tagif, pxe_arch != 1);
+  
+  force_encap = prune_vendor_opts(tagif);
+  
+  if (context && pxe_arch != -1)
+    {
+      pxe_misc(mess, end, uuid, pxevendor);
+      if (!pxe_uefi_workaround(pxe_arch, tagif, mess, context->local, now, 0))
+	config_opts = pxe_opts(pxe_arch, tagif, context->local, now);
+    }
+
+  if ((force_encap || in_list(req_options, OPTION_VENDOR_CLASS_OPT)) &&
+      do_encap_opts(config_opts, OPTION_VENDOR_CLASS_OPT, DHOPT_VENDOR_MATCH, mess, end, null_term) && 
+      pxe_arch == -1 && !done_vendor_class && vendor_class_len != 0 &&
+      (p = free_space(mess, end, OPTION_VENDOR_ID, vendor_class_len)))
+    /* If we send vendor encapsulated options, and haven't already sent option 60,
+       echo back the value we got from the client. */
+    memcpy(p, daemon->dhcp_buff3, vendor_class_len);	    
+   
+   /* restore BOOTP anti-overload hack */
+  if (!req_options || option_bool(OPT_NO_OVERRIDE))
+    {
+      mess->file[0] = f0;
+      mess->sname[0] = s0;
+    }
+}
+
+static void handle_encap(struct dhcp_packet *mess, unsigned char *end, unsigned char *req_options,
+			 int null_term, struct dhcp_netid *tagif, int pxemode)
+{
+  /* Send options to be encapsulated in arbitrary options, 
      eg dhcp-option=encap:172,17,.......
      Also handle vendor-identifying vendor-encapsulated options,
      dhcp-option = vi-encap:13,17,.......
      The may be more that one "outer" to do, so group
      all the options which match each outer in turn. */
+
+  struct dhcp_opt *opt, *config_opts = daemon->dhcp_opts;
+  unsigned char *p;
+  int len;
+
   for (opt = config_opts; opt; opt = opt->next)
     opt->flags &= ~DHOPT_ENCAP_DONE;
   
   for (opt = config_opts; opt; opt = opt->next)
     {
       int flags;
-      
+
       if ((flags = (opt->flags & (DHOPT_ENCAPSULATE | DHOPT_RFC3925))))
 	{
 	  int found = 0;
@@ -2731,6 +2785,7 @@ static void do_options(struct dhcp_context *context,
 	      
 	      o->flags |= DHOPT_ENCAP_DONE;
 	      if (match_netid(o->netid, tagif, 1) &&
+		  pxe_ok(o, pxemode) &&
 		  ((o->flags & DHOPT_FORCE) || in_list(req_options, outer)))
 		{
 		  o->flags |= DHOPT_ENCAP_MATCH;
@@ -2763,30 +2818,6 @@ static void do_options(struct dhcp_context *context,
 	    }
 	}
     }      
-
-  force_encap = prune_vendor_opts(tagif);
-  
-  if (context && pxe_arch != -1)
-    {
-      pxe_misc(mess, end, uuid, pxevendor);
-      if (!pxe_uefi_workaround(pxe_arch, tagif, mess, context->local, now, 0))
-	config_opts = pxe_opts(pxe_arch, tagif, context->local, now);
-    }
-
-  if ((force_encap || in_list(req_options, OPTION_VENDOR_CLASS_OPT)) &&
-      do_encap_opts(config_opts, OPTION_VENDOR_CLASS_OPT, DHOPT_VENDOR_MATCH, mess, end, null_term) && 
-      pxe_arch == -1 && !done_vendor_class && vendor_class_len != 0 &&
-      (p = free_space(mess, end, OPTION_VENDOR_ID, vendor_class_len)))
-    /* If we send vendor encapsulated options, and haven't already sent option 60,
-       echo back the value we got from the client. */
-    memcpy(p, daemon->dhcp_buff3, vendor_class_len);	    
-   
-   /* restore BOOTP anti-overload hack */
-  if (!req_options || option_bool(OPT_NO_OVERRIDE))
-    {
-      mess->file[0] = f0;
-      mess->sname[0] = s0;
-    }
 }
 
 static void apply_delay(u32 xid, time_t recvtime, struct dhcp_netid *netid)

src/rfc3315.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -39,8 +39,8 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
 static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts);
 static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string);
 static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string);
-static void *opt6_find (void *opts, void *end, unsigned int search, unsigned int minsize);
-static void *opt6_next(void *opts, void *end);
+static void *opt6_find (uint8_t *opts, uint8_t *end, unsigned int search, unsigned int minsize);
+static void *opt6_next(uint8_t *opts, uint8_t *end);
 static unsigned int opt6_uint(unsigned char *opt, int offset, int size);
 static void get_context_tag(struct state *state, struct dhcp_context *context);
 static int check_ia(struct state *state, void *opt, void **endp, void **ia_option);
@@ -61,11 +61,11 @@ static void calculate_times(struct dhcp_context *context, unsigned int *min_time
 
 #define opt6_len(opt) ((int)(opt6_uint(opt, -2, 2)))
 #define opt6_type(opt) (opt6_uint(opt, -4, 2))
-#define opt6_ptr(opt, i) ((void *)&(((unsigned char *)(opt))[4+(i)]))
+#define opt6_ptr(opt, i) ((void *)&(((uint8_t *)(opt))[4+(i)]))
 
-#define opt6_user_vendor_ptr(opt, i) ((void *)&(((unsigned char *)(opt))[2+(i)]))
+#define opt6_user_vendor_ptr(opt, i) ((void *)&(((uint8_t *)(opt))[2+(i)]))
 #define opt6_user_vendor_len(opt) ((int)(opt6_uint(opt, -4, 2)))
-#define opt6_user_vendor_next(opt, end) (opt6_next(((void *) opt) - 2, end))
+#define opt6_user_vendor_next(opt, end) (opt6_next(((uint8_t *) opt) - 2, end))
  
 
 unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *iface_name,
@@ -107,11 +107,11 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if
 static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, 
 			     struct in6_addr *client_addr, int is_unicast, time_t now)
 {
-  void *end = inbuff + sz;
-  void *opts = inbuff + 34;
+  uint8_t *end = inbuff + sz;
+  uint8_t *opts = inbuff + 34;
   int msg_type = *inbuff;
   unsigned char *outmsgtypep;
-  void *opt;
+  uint8_t *opt;
   struct dhcp_vendor *vendor;
 
   /* if not an encapsulated relayed message, just do the stuff */
@@ -232,7 +232,7 @@ static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t
   
   for (opt = opts; opt; opt = opt6_next(opt, end))
     {
-      if (opt6_ptr(opt, 0) + opt6_len(opt) > end) 
+      if ((uint8_t *)opt6_ptr(opt, 0) + opt6_len(opt) > end)
         return 0;
      
       /* Don't copy MAC address into reply. */
@@ -333,12 +333,29 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
   else if (msg_type != DHCP6IREQ)
     return 0;
 
-  /* server-id must match except for SOLICIT, CONFIRM and REBIND messages */
-  if (msg_type != DHCP6SOLICIT && msg_type != DHCP6CONFIRM && msg_type != DHCP6IREQ && msg_type != DHCP6REBIND &&
-      (!(opt = opt6_find(state->packet_options, state->end, OPTION6_SERVER_ID, 1)) ||
-       opt6_len(opt) != daemon->duid_len ||
-       memcmp(opt6_ptr(opt, 0), daemon->duid, daemon->duid_len) != 0))
-    return 0;
+  /* server-id must match except for SOLICIT, CONFIRM and REBIND messages, which MUST NOT
+     have a server-id.  3315 para 15.x */
+  opt = opt6_find(state->packet_options, state->end, OPTION6_SERVER_ID, 1);
+
+  if (msg_type == DHCP6SOLICIT || msg_type == DHCP6CONFIRM || msg_type == DHCP6REBIND)
+    {
+      if (opt)
+	return 0;
+    }
+  else if (msg_type == DHCP6IREQ)
+    {
+      /* If server-id provided, it must match. */
+      if (opt && (opt6_len(opt) != daemon->duid_len ||
+		  memcmp(opt6_ptr(opt, 0), daemon->duid, daemon->duid_len) != 0))
+	return 0;
+    }
+  else
+    {
+      /* Everything else MUST have a server-id that matches ours. */
+      if (!opt || opt6_len(opt) != daemon->duid_len ||
+	  memcmp(opt6_ptr(opt, 0), daemon->duid, daemon->duid_len) != 0)
+	return 0;
+    }
   
   o = new_opt6(OPTION6_SERVER_ID);
   put_opt6(daemon->duid, daemon->duid_len);
@@ -353,7 +370,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
       put_opt6_short(DHCP6USEMULTI);
       put_opt6_string("Use multicast");
       end_opt6(o1);
-      return 1;
+      goto done;
     }
 
   /* match vendor and user class options */
@@ -457,6 +474,8 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
 	    state->tags = &mac_opt->netid;
 	  }
     }
+  else if (option_bool(OPT_LOG_OPTS))
+    my_syslog(MS_DHCP | LOG_INFO, _("%u cannot determine client MAC address"), state->xid);
   
   if ((opt = opt6_find(state->packet_options, state->end, OPTION6_FQDN, 1)))
     {
@@ -1055,7 +1074,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
       
     case DHCP6CONFIRM:
       {
-	int good_addr = 0;
+	int good_addr = 0, bad_addr = 0;
 
 	/* set reply message type */
 	outmsgtype = DHCP6REPLY;
@@ -1077,32 +1096,35 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
 		
 		if (!address6_valid(state->context, &req_addr, tagif, 1))
 		  {
-		    o1 = new_opt6(OPTION6_STATUS_CODE);
-		    put_opt6_short(DHCP6NOTONLINK);
-		    put_opt6_string(_("confirm failed"));
-		    end_opt6(o1);
+		    bad_addr = 1;
 		    log6_quiet(state, "DHCPREPLY", &req_addr, _("confirm failed"));
-		    return 1;
 		  }
-
-		good_addr = 1;
-		log6_quiet(state, "DHCPREPLY", &req_addr, state->hostname);
+		else
+		  {
+		    good_addr = 1;
+		    log6_quiet(state, "DHCPREPLY", &req_addr, state->hostname);
+		  }
 	      }
 	  }	 
 	
 	/* No addresses, no reply: RFC 3315 18.2.2 */
-	if (!good_addr)
+	if (!good_addr && !bad_addr)
 	  return 0;
 
 	o1 = new_opt6(OPTION6_STATUS_CODE);
-	put_opt6_short(DHCP6SUCCESS );
-	put_opt6_string(_("all addresses still on link"));
+	put_opt6_short(bad_addr ? DHCP6NOTONLINK : DHCP6SUCCESS);
+	put_opt6_string(bad_addr ? (_("confirm failed")) : (_("all addresses still on link")));
 	end_opt6(o1);
 	break;
     }
       
     case DHCP6IREQ:
       {
+	/* 3315 para 15.12 */
+	if (opt6_find(state->packet_options, state->end, OPTION6_IA_NA, 1) ||
+	    opt6_find(state->packet_options, state->end, OPTION6_IA_TA, 1))
+	  return 0;
+	
 	/* We can't discriminate contexts based on address, as we don't know it.
 	   If there is only one possible context, we can use its tags */
 	if (state->context && state->context->netid.net && !state->context->current)
@@ -1277,13 +1299,15 @@ static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbu
 
     }
 
+  log_tags(tagif, state->xid);
+
+ done:
   /* Fill in the message type. Note that we store the offset,
      not a direct pointer, since the packet memory may have been 
      reallocated. */
   ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;
 
-  log_tags(tagif, state->xid);
-  log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1));
+  log6_opts(0, state->xid, (uint8_t *)daemon->outpacket.iov_base + start_opts, (uint8_t *)daemon->outpacket.iov_base + save_counter(-1));
   
   return 1;
 
@@ -1293,7 +1317,7 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh)
 {
   void *oro;
   /* filter options based on tags, those we want get DHOPT_TAGOK bit set */
-  struct dhcp_netid *tagif = option_filter(state->tags, state->context_tags, daemon->dhcp_opts6);
+  struct dhcp_netid *tagif = option_filter(state->tags, state->context_tags, daemon->dhcp_opts6, 0);
   struct dhcp_opt *opt_cfg;
   int done_dns = 0, done_refresh = !do_refresh, do_encap = 0;
   int i, o, o1;
@@ -2069,7 +2093,7 @@ static void log6_packet(struct state *state, char *type, struct in6_addr *addr,
 	      string ? string : "");
 }
 
-static void *opt6_find (void *opts, void *end, unsigned int search, unsigned int minsize)
+static void *opt6_find (uint8_t *opts, uint8_t *end, unsigned int search, unsigned int minsize)
 {
   u16 opt, opt_len;
   void *start;
@@ -2096,7 +2120,7 @@ static void *opt6_find (void *opts, void *end, unsigned int search, unsigned int
     }
 }
 
-static void *opt6_next(void *opts, void *end)
+static void *opt6_next(uint8_t *opts, uint8_t *end)
 {
   u16 opt_len;
   
@@ -2186,6 +2210,9 @@ int relay_upstream6(int iface_index, ssize_t sz,
 	
 	to.sa.sa_family = AF_INET6;
 	to.in6.sin6_addr = relay->server.addr6;
+#ifdef HAVE_SOCKADDR_SA_LEN
+	to.in6.sin6_len = sizeof(struct sockaddr_in6);
+#endif 
 	to.in6.sin6_port = htons(relay->port);
 	to.in6.sin6_flowinfo = 0;
 	to.in6.sin6_scope_id = 0;

src/rrfilter.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -136,9 +136,9 @@ static int check_rrs(unsigned char *p, struct dns_header *header, size_t plen, i
 	  
 	  if (class == C_IN)
 	    {
-	      u16 *d;
+	      short *d;
  
-	      for (pp = p, d = rrfilter_desc(type); *d != (u16)-1; d++)
+	      for (pp = p, d = rrfilter_desc(type); *d != -1; d++)
 		{
 		  if (*d != 0)
 		    pp += *d;
@@ -156,41 +156,46 @@ static int check_rrs(unsigned char *p, struct dns_header *header, size_t plen, i
 }
 	
 
-/* mode may be remove EDNS0 or DNSSEC RRs or remove A or AAAA from answer section. */
-size_t rrfilter(struct dns_header *header, size_t plen, int mode)
+/* mode may be remove EDNS0 or DNSSEC RRs or remove A or AAAA from answer section.
+ * returns number of modified records. */
+size_t rrfilter(struct dns_header *header, size_t *plen, int mode)
 {
   static unsigned char **rrs = NULL;
   static int rr_sz = 0;
 
   unsigned char *p = (unsigned char *)(header+1);
-  int i, rdlen, qtype, qclass, rr_found, chop_an, chop_ns, chop_ar;
+  size_t rr_found = 0;
+  int i, rdlen, qtype, qclass, chop_an, chop_ns, chop_ar;
 
+  if (mode == RRFILTER_CONF && !daemon->filter_rr)
+    return 0;
+  
   if (ntohs(header->qdcount) != 1 ||
-      !(p = skip_name(p, header, plen, 4)))
-    return plen;
+      !(p = skip_name(p, header, *plen, 4)))
+    return 0;
   
   GETSHORT(qtype, p);
   GETSHORT(qclass, p);
 
   /* First pass, find pointers to start and end of all the records we wish to elide:
      records added for DNSSEC, unless explicitly queried for */
-  for (rr_found = 0, chop_ns = 0, chop_an = 0, chop_ar = 0, i = 0; 
+  for (chop_ns = 0, chop_an = 0, chop_ar = 0, i = 0;
        i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount);
        i++)
     {
       unsigned char *pstart = p;
       int type, class;
 
-      if (!(p = skip_name(p, header, plen, 10)))
-	return plen;
+      if (!(p = skip_name(p, header, *plen, 10)))
+	return rr_found;
       
       GETSHORT(type, p); 
       GETSHORT(class, p);
       p += 4; /* TTL */
       GETSHORT(rdlen, p);
         
-      if (!ADD_RDLEN(header, p, plen, rdlen))
-	return plen;
+      if (!ADD_RDLEN(header, p, *plen, rdlen))
+	return rr_found;
 
       if (mode == RRFILTER_EDNS0) /* EDNS */
 	{
@@ -208,6 +213,14 @@ size_t rrfilter(struct dns_header *header, size_t plen, int mode)
 	  if (i < ntohs(header->ancount) && type == qtype && class == qclass)
 	    continue;
 	}
+      else if (qtype == T_ANY && rr_on_list(daemon->filter_rr, T_ANY))
+	{
+	  /* Filter replies to ANY queries in the spirit of
+	     RFC RFC 8482 para 4.3 */
+	  if (class != C_IN ||
+	      type == T_A || type == T_AAAA || type == T_MX || type == T_CNAME)
+	    continue;
+	}
       else
 	{
 	  /* Only looking at answer section now. */
@@ -217,15 +230,12 @@ size_t rrfilter(struct dns_header *header, size_t plen, int mode)
 	  if (class != C_IN)
 	    continue;
 	  
-	  if (mode == RRFILTER_A && type != T_A)
-	    continue;
-
-	  if (mode == RRFILTER_AAAA && type != T_AAAA)
+	  if (!rr_on_list(daemon->filter_rr, type))
 	    continue;
 	}
       
       if (!expand_workspace(&rrs, &rr_sz, rr_found + 1))
-	return plen; 
+	return rr_found;
       
       rrs[rr_found++] = pstart;
       rrs[rr_found++] = p;
@@ -240,7 +250,7 @@ size_t rrfilter(struct dns_header *header, size_t plen, int mode)
   
   /* Nothing to do. */
   if (rr_found == 0)
-    return plen;
+    return rr_found;
 
   /* Second pass, look for pointers in names in the records we're keeping and make sure they don't
      point to records we're going to elide. This is theoretically possible, but unlikely. If
@@ -248,42 +258,42 @@ size_t rrfilter(struct dns_header *header, size_t plen, int mode)
   p = (unsigned char *)(header+1);
   
   /* question first */
-  if (!check_name(&p, header, plen, 0, rrs, rr_found))
-    return plen;
+  if (!check_name(&p, header, *plen, 0, rrs, rr_found))
+    return rr_found;
   p += 4; /* qclass, qtype */
   
   /* Now answers and NS */
-  if (!check_rrs(p, header, plen, 0, rrs, rr_found))
-    return plen;
+  if (!check_rrs(p, header, *plen, 0, rrs, rr_found))
+    return rr_found;
   
   /* Third pass, actually fix up pointers in the records */
   p = (unsigned char *)(header+1);
   
-  check_name(&p, header, plen, 1, rrs, rr_found);
+  check_name(&p, header, *plen, 1, rrs, rr_found);
   p += 4; /* qclass, qtype */
   
-  check_rrs(p, header, plen, 1, rrs, rr_found);
+  check_rrs(p, header, *plen, 1, rrs, rr_found);
 
   /* Fourth pass, elide records */
-  for (p = rrs[0], i = 1; i < rr_found; i += 2)
+  for (p = rrs[0], i = 1; (unsigned)i < rr_found; i += 2)
     {
       unsigned char *start = rrs[i];
-      unsigned char *end = (i != rr_found - 1) ? rrs[i+1] : ((unsigned char *)header) + plen;
+      unsigned char *end = ((unsigned)i != rr_found - 1) ? rrs[i+1] : ((unsigned char *)header) + *plen;
       
       memmove(p, start, end-start);
       p += end-start;
     }
      
-  plen = p - (unsigned char *)header;
+  *plen = p - (unsigned char *)header;
   header->ancount = htons(ntohs(header->ancount) - chop_an);
   header->nscount = htons(ntohs(header->nscount) - chop_ns);
   header->arcount = htons(ntohs(header->arcount) - chop_ar);
 
-  return plen;
+  return rr_found;
 }
 
 /* This is used in the DNSSEC code too, hence it's exported */
-u16 *rrfilter_desc(int type)
+short *rrfilter_desc(int type)
 {
   /* List of RRtypes which include domains in the data.
      0 -> domain
@@ -294,7 +304,7 @@ u16 *rrfilter_desc(int type)
      anything which needs no mangling.
   */
   
-  static u16 rr_desc[] = 
+  static short rr_desc[] = 
     { 
       T_NS, 0, -1, 
       T_MD, 0, -1,
@@ -319,10 +329,10 @@ u16 *rrfilter_desc(int type)
       0, -1 /* wildcard/catchall */
     }; 
   
-  u16 *p = rr_desc;
+  short *p = rr_desc;
   
   while (*p != type && *p != 0)
-    while (*p++ != (u16)-1);
+    while (*p++ != -1);
 
   return p+1;
 }
@@ -335,9 +345,6 @@ int expand_workspace(unsigned char ***wkspc, int *szp, int new)
   if (old >= new+1)
     return 1;
 
-  if (new >= 100)
-    return 0;
-
   new += 5;
 
   if (!(p = whine_realloc(*wkspc, new * sizeof(unsigned char *))))
@@ -350,3 +357,78 @@ int expand_workspace(unsigned char ***wkspc, int *szp, int new)
 
   return 1;
 }
+
+/* Convert from presentation format to wire format, in place.
+   Also map UC -> LC.
+   Note that using extract_name to get presentation format
+   then calling to_wire() removes compression and maps case,
+   thus generating names in canonical form.
+   Calling to_wire followed by from_wire is almost an identity,
+   except that the UC remains mapped to LC. 
+
+   Note that both /000 and '.' are allowed within labels. These get
+   represented in presentation format using NAME_ESCAPE as an escape
+   character. In theory, if all the characters in a name were /000 or
+   '.' or NAME_ESCAPE then all would have to be escaped, so the 
+   presentation format would be twice as long as the spec (1024). 
+   The buffers are all declared as 2049 (allowing for the trailing zero) 
+   for this reason.
+*/
+int to_wire(char *name)
+{
+  unsigned char *l, *p, *q, term;
+  unsigned int len;
+
+  for (l = (unsigned char*)name; *l != 0; l = p)
+    {
+      for (p = l; *p != '.' && *p != 0; p++)
+	if (*p >= 'A' && *p <= 'Z')
+	  *p = *p - 'A' + 'a';
+	else if (*p == NAME_ESCAPE)
+	  {
+	    for (q = p; *q; q++)
+	      *q = *(q+1);
+	    (*p)--;
+	  }
+      term = *p;
+      
+      if ((len = p - l) != 0)
+	memmove(l+1, l, len);
+      *l = len;
+      
+      p++;
+      
+      if (term == 0)
+	*p = 0;
+    }
+  
+  return l + 1 - (unsigned char *)name;
+}
+
+/* Note: no compression  allowed in input. */
+void from_wire(char *name)
+{
+  unsigned char *l, *p, *last;
+  unsigned int len;
+  
+  for (last = (unsigned char *)name; *last != 0; last += *last+1);
+  
+  for (l = (unsigned char *)name; *l != 0; l += len+1)
+    {
+      len = *l;
+      memmove(l, l+1, len);
+      for (p = l; p < l + len; p++)
+	if (*p == '.' || *p == 0 || *p == NAME_ESCAPE)
+	  {
+	    memmove(p+1, p, 1 + last - p);
+	    len++;
+	    *p++ = NAME_ESCAPE; 
+	    (*p)++;
+	  }
+	
+      l[len] = '.';
+    }
+
+  if ((char *)l != name)
+    *(l-1) = 0;
+}

src/slaac.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/tftp.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -228,7 +228,8 @@ void tftp_request(struct listener *listen, time_t now)
 #ifdef HAVE_DHCP      
 	  /* allowed interfaces are the same as for DHCP */
 	  for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-	    if (tmp->name && wildcard_match(tmp->name, name))
+	    if (tmp->name && (tmp->flags & INAME_4) && (tmp->flags & INAME_6) &&
+		wildcard_match(tmp->name, name))
 	      return;
 #endif
 	}
@@ -405,7 +406,7 @@ void tftp_request(struct listener *listen, time_t now)
 	if (*p == '\\')
 	  *p = '/';
 	else if (option_bool(OPT_TFTP_LC))
-	  *p = tolower(*p);
+	  *p = tolower((unsigned char)*p);
 		
       strcpy(daemon->namebuff, "/");
       if (prefix)
@@ -584,8 +585,13 @@ static struct tftp_file *check_tftp_fileperm(ssize_t *len, char *prefix, char *c
 
 void check_tftp_listeners(time_t now)
 {
+  struct listener *listener;
   struct tftp_transfer *transfer, *tmp, **up;
   
+  for (listener = daemon->listeners; listener; listener = listener->next)
+    if (listener->tftpfd != -1 && poll_check(listener->tftpfd, POLLIN))
+      tftp_request(listener, now);
+    
   /* In single port mode, all packets come via port 69 and tftp_request() */
   if (!option_bool(OPT_SINGLE_PORT))
     for (transfer = daemon->tftp_trans; transfer; transfer = transfer->next)
@@ -736,15 +742,16 @@ static void free_transfer(struct tftp_transfer *transfer)
 
 static char *next(char **p, char *end)
 {
-  char *ret = *p;
-  size_t len;
+  char *n, *ret = *p;
+  
+  /* Look for end of string, without running off the end of the packet. */
+  for (n = *p; n < end && *n != 0; n++);
 
-  if (*(end-1) != 0 || 
-      *p == end ||
-      (len = strlen(ret)) == 0)
+  /* ran off the end or zero length string - failed */
+  if (n == end || n == ret)
     return NULL;
-
-  *p += len + 1;
+  
+  *p = n + 1;
   return ret;
 }
 
@@ -839,7 +846,7 @@ static ssize_t get_block(char *packet, struct tftp_transfer *transfer)
       mess->block = htons((unsigned short)(transfer->block));
       
       if (lseek(transfer->file->fd, transfer->offset, SEEK_SET) == (off_t)-1 ||
-	  !read_write(transfer->file->fd, mess->data, size, 1))
+	  !read_write(transfer->file->fd, mess->data, size, RW_READ))
 	return -1;
       
       transfer->expansion = 0;

src/ubus.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by

src/util.c

@@ -1,4 +1,4 @@
-/* dnsmasq is Copyright (c) 2000-2022 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2025 Simon Kelley
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -41,13 +41,13 @@ static u32 in[12];
 static u32 out[8];
 static int outleft = 0;
 
-void rand_init()
+void rand_init(void)
 {
   int fd = open(RANDFILE, O_RDONLY);
   
   if (fd == -1 ||
-      !read_write(fd, (unsigned char *)&seed, sizeof(seed), 1) ||
-      !read_write(fd, (unsigned char *)&in, sizeof(in), 1))
+      !read_write(fd, (unsigned char *)&seed, sizeof(seed), RW_READ) ||
+      !read_write(fd, (unsigned char *)&in, sizeof(in), RW_READ))
     die(_("failed to seed the random number generator: %s"), NULL, EC_MISC);
   
   close(fd);
@@ -115,6 +115,19 @@ u64 rand64(void)
   return (u64)out[outleft+1] + (((u64)out[outleft]) << 32);
 }
 
+int rr_on_list(struct rrlist *list, unsigned short rr)
+{
+  while (list)
+    {
+      if (list->rr != 0 && list->rr == rr)
+	return 1;
+
+      list = list->next;
+    }
+
+  return 0;
+}
+
 /* returns 1 if name is OK and ascii printable
  * returns 2 if name should be processed by IDN */
 static int check_name(char *in)
@@ -280,11 +293,9 @@ unsigned char *do_rfc1035_name(unsigned char *p, char *sval, char *limit)
           if (limit && p + 1 > (unsigned char*)limit)
             return NULL;
 
-#ifdef HAVE_DNSSEC
-	  if (option_bool(OPT_DNSSEC_VALID) && *sval == NAME_ESCAPE)
+	  if (*sval == NAME_ESCAPE)
 	    *p++ = (*(++sval))-1;
 	  else
-#endif		
 	    *p++ = *sval;
 	}
       
@@ -415,7 +426,7 @@ int hostname_order(const char *a, const char *b)
 
 int hostname_isequal(const char *a, const char *b)
 {
-  return hostname_order(a, b) == 0;
+  return strlen(a) == strlen(b) && hostname_order(a, b) == 0;
 }
 
 /* is b equal to or a subdomain of a return 2 for equal, 1 for subdomain */
@@ -754,27 +765,48 @@ int retry_send(ssize_t rc)
   return 0;
 }
 
+/* rw = 0 -> write
+   rw = 1 -> read
+   rw = 2 -> write once
+   rw = 3 -> read once
+
+   "once" fails on EAGAIN, as this a timeout.
+   This indicates a timeout of a TCP socket.
+*/
 int read_write(int fd, unsigned char *packet, int size, int rw)
 {
   ssize_t n, done;
   
   for (done = 0; done < size; done += n)
     {
-      do { 
-	if (rw)
-	  n = read(fd, &packet[done], (size_t)(size - done));
-	else
-	  n = write(fd, &packet[done], (size_t)(size - done));
-	
-	if (n == 0)
-	  return 0;
-	
-      } while (retry_send(n) || errno == ENOMEM || errno == ENOBUFS);
-
-      if (errno != 0)
+      if (rw & 1)
+	n = read(fd, &packet[done], (size_t)(size - done));
+      else
+	n = write(fd, &packet[done], (size_t)(size - done));
+      
+      if (n == 0)
 	return 0;
+
+      if (n == -1)
+	{
+	  n = 0; /* don't mess with counter when we loop. */
+
+	  if (errno == EINTR || errno == ENOMEM || errno == ENOBUFS)
+	    continue;
+
+	  if (errno == EAGAIN || errno == EWOULDBLOCK)
+	    {
+	      /* "once" variant */
+	      if (rw & 2)
+		return 0;
+
+	      continue;
+	    }
+
+	  return 0;
+	}
     }
-     
+          
   return 1;
 }
 
@@ -783,11 +815,25 @@ void close_fds(long max_fd, int spare1, int spare2, int spare3)
 {
   /* On Linux, use the /proc/ filesystem to find which files
      are actually open, rather than iterate over the whole space,
-     for efficiency reasons. If this fails we drop back to the dumb code. */
-#ifdef HAVE_LINUX_NETWORK 
+     for efficiency reasons.
+
+     On *BSD, the same facility is found at /dev/fd.
+
+     If this fails we drop back to the dumb code.
+  */
+
+#ifdef HAVE_LINUX_NETWORK
+#define FDESCFS "/proc/self/fd"
+#endif
+
+#ifdef HAVE_BSD_NETWORK
+#define FDESCFS "/dev/fd"
+#endif
+
+#ifdef FDESCFS
   DIR *d;
   
-  if ((d = opendir("/proc/self/fd")))
+  if ((d = opendir(FDESCFS)))
     {
       struct dirent *de;
 

trust-anchors.conf

@@ -1,9 +1,10 @@
-# The root DNSSEC trust anchor, valid as at 11/01/2019
+# The root DNSSEC trust anchor, valid as at 18/07/2024
 
-# Note that this is a DS record (ie a hash of the root Zone Signing Key) 
-# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
+# Note that this is a DS record (i.e. a hash of the root Zone Signing Key) 
+# It was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
 
 trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
+trust-anchor=.,38696,8,2,683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16