embedaddon/dnsmasq/src/forward.c - diff

Return to forward.c CVS log

Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / dnsmasq / src

Diff for /embedaddon/dnsmasq/src/forward.c between versions 1.1 and 1.1.1.4

-version 1.1, 2013/07/29 19:37:40
+version 1.1.1.4, 2021/03/17 00:56:46
  Line 1
-/* dnsmasq is Copyright (c) 2000-2013 Simon Kelley
+/* dnsmasq is Copyright (c) 2000-2021 Simon Kelley
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
  Line 16
  #include "dnsmasq.h"
-static struct frec *lookup_frec(unsigned short id, unsigned int crc);
+static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash);
  static struct frec *lookup_frec_by_sender(unsigned short id,
                                            union mysockaddr *addr,
-                                          unsigned int crc);
+                                          void *hash);
-static unsigned short get_id(unsigned int crc);
+static struct frec *lookup_frec_by_query(void *hash, unsigned int flags);
+static unsigned short get_id(void);
  static void free_frec(struct frec *f);
- static struct randfd *allocate_rfd(int family);
  /* Send a UDP packet with its source address set as "source"
     unless nowild is true, when we just send it with the kernel default */
  int send_from(int fd, int nowild, char *packet, size_t len,
-              union mysockaddr *to, struct all_addr *source,
+              union mysockaddr *to, union all_addr *source,
                unsigned int iface)
  {
    struct msghdr msg;
- Line 39  int send_from(int fd, int nowild, char *packet, size_t
+ Line 40  int send_from(int fd, int nowild, char *packet, size_t
  #elif defined(IP_SENDSRCADDR)
      char control[CMSG_SPACE(sizeof(struct in_addr))];
  #endif
- #ifdef HAVE_IPV6
      char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
- #endif
    } control_u;
    iov[0].iov_base = packet;
- Line 67  int send_from(int fd, int nowild, char *packet, size_t
+ Line 66  int send_from(int fd, int nowild, char *packet, size_t
  #if defined(HAVE_LINUX_NETWORK)
            struct in_pktinfo p;
            p.ipi_ifindex = 0;
-          p.ipi_spec_dst = source->addr.addr4;
+          p.ipi_spec_dst = source->addr4;
+          msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo));
            memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
-          msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
+          cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
            cmptr->cmsg_level = IPPROTO_IP;
            cmptr->cmsg_type = IP_PKTINFO;
  #elif defined(IP_SENDSRCADDR)
-          memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
+          msg.msg_controllen = CMSG_SPACE(sizeof(struct in_addr));
-          msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
+          memcpy(CMSG_DATA(cmptr), &(source->addr4), sizeof(source->addr4));
+          cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
            cmptr->cmsg_level = IPPROTO_IP;
            cmptr->cmsg_type = IP_SENDSRCADDR;
  #endif
          }
        else
- #ifdef HAVE_IPV6
          {
            struct in6_pktinfo p;
            p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
-          p.ipi6_addr = source->addr.addr6;
+          p.ipi6_addr = source->addr6;
+          msg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo));
            memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
-          msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
+          cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
            cmptr->cmsg_type = daemon->v6pktinfo;
            cmptr->cmsg_level = IPPROTO_IPV6;
          }
- #else
-       (void)iface; /* eliminate warning */
- #endif
      }
-  while (sendmsg(fd, &msg, 0) == -1)
+  while (retry_send(sendmsg(fd, &msg, 0)));
+  if (errno != 0)
      {
-      if (retry_send())
+#ifdef HAVE_LINUX_NETWORK
-        continue;
        /* If interface is still in DAD, EINVAL results - ignore that. */
-      if (errno == EINVAL)
+      if (errno != EINVAL)
-        break;
+        my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
 #endif
-      my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
        return 0;
      }
    return 1;
  }
-static unsigned int search_servers(time_t now, struct all_addr **addrpp,
+static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned int qtype,
-                                     unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
+                                   char *qdomain, int *type, char **domain, int *norebind)
  {
    /* If the query ends in the domain in one of our servers, set
- Line 123  static unsigned int search_servers(time_t now, struct
+ Line 120  static unsigned int search_servers(time_t now, struct
    unsigned int matchlen = 0;
    struct server *serv;
    unsigned int flags = 0;
+   static union all_addr zero;
    for (serv = daemon->servers; serv; serv=serv->next)
+     if (qtype == F_DNSSECOK && !(serv->flags & SERV_DO_DNSSEC))
+       continue;
      /* domain matches take priority over NODOTS matches */
-    if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
+    else if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
        {
          unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
          *type = SERV_FOR_NODOTS;
-        if (serv->flags & SERV_NO_ADDR)
+        if ((serv->flags & SERV_NO_REBIND) && norebind)
+          *norebind = 1;
+        else if (serv->flags & SERV_NO_ADDR)
            flags = F_NXDOMAIN;
         else if (serv->flags & SERV_LITERAL_ADDRESS)
            {
-            if (sflag & qtype)
+            /* literal address = '#' -> return all-zero address for IPv4 and IPv6 */
+            if ((serv->flags & SERV_USE_RESOLV) && (qtype & (F_IPV6 | F_IPV4)))
                {
+                 memset(&zero, 0, sizeof(zero));
+                 flags = qtype;
+                 *addrpp = &zero;
+               }
+             else if (sflag & qtype)
+               {
                  flags = sflag;
                  if (serv->addr.sa.sa_family == AF_INET)
-                  *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
+                  *addrpp = (union all_addr *)&serv->addr.in.sin_addr;
-#ifdef HAVE_IPV6
                  else
-                  *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
+                  *addrpp = (union all_addr *)&serv->addr.in6.sin6_addr;
-#endif
                }
              else if (!flags || (flags & F_NXDOMAIN))
                flags = F_NOERR;
- Line 156  static unsigned int search_servers(time_t now, struct
+ Line 163  static unsigned int search_servers(time_t now, struct
              hostname_isequal(matchstart, serv->domain) &&
              (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
            {
-            if (serv->flags & SERV_NO_REBIND)
+            if ((serv->flags & SERV_NO_REBIND) && norebind)
                *norebind = 1;
              else
                {
- Line 180  static unsigned int search_servers(time_t now, struct
+ Line 187  static unsigned int search_servers(time_t now, struct
                  if (domainlen >= matchlen)
                    {
-                    *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
+                    *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND | SERV_DO_DNSSEC);
                      *domain = serv->domain;
                      matchlen = domainlen;
                      if (serv->flags & SERV_NO_ADDR)
                        flags = F_NXDOMAIN;
                      else if (serv->flags & SERV_LITERAL_ADDRESS)
                        {
-                        if (sflag & qtype)
+                         /* literal address = '#' -> return all-zero address for IPv4 and IPv6 */
+                        if ((serv->flags & SERV_USE_RESOLV) && (qtype & (F_IPV6 | F_IPV4)))
+                          {
+                            memset(&zero, 0, sizeof(zero));
+                            flags = qtype;
+                            *addrpp = &zero;
+                          }
+                        else if (sflag & qtype)
                            {
                              flags = sflag;
                              if (serv->addr.sa.sa_family == AF_INET)
-                              *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
+                              *addrpp = (union all_addr *)&serv->addr.in.sin_addr;
-#ifdef HAVE_IPV6
                              else
-                              *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
+                              *addrpp = (union all_addr *)&serv->addr.in6.sin6_addr;
-#endif
                            }
                          else if (!flags || (flags & F_NXDOMAIN))
                            flags = F_NOERR;
- Line 207  static unsigned int search_servers(time_t now, struct
+ Line 219  static unsigned int search_servers(time_t now, struct
            }
        }
-  if (flags == 0 && !(qtype & F_QUERY) &&
+  if (flags == 0 && !(qtype & (F_QUERY | F_DNSSECOK)) &&
        option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
      /* don't forward A or AAAA queries for simple names, except the empty name */
      flags = F_NOERR;
- Line 217  static unsigned int search_servers(time_t now, struct
+ Line 229  static unsigned int search_servers(time_t now, struct
    if (flags)
      {
-      int logflags = 0;
+       if (flags == F_NXDOMAIN || flags == F_NOERR)
          log_query(flags | qtype | F_NEG | F_CONFIG | F_FORWARD, qdomain, NULL, NULL);
        else
-        logflags = F_NEG | qtype;
+         {
+           /* handle F_IPV4 and F_IPV6 set on ANY query to 0.0.0.0/:: domain. */
-      log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
+           if (flags & F_IPV4)
+             log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV6, qdomain, *addrpp, NULL);
+           if (flags & F_IPV6)
+             log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV4, qdomain, *addrpp, NULL);
+         }
      }
    else if ((*type) & SERV_USE_RESOLV)
      {
- Line 233  static unsigned int search_servers(time_t now, struct
+ Line 249  static unsigned int search_servers(time_t now, struct
  }
  static int forward_query(int udpfd, union mysockaddr *udpaddr,
-                         struct all_addr *dst_addr, unsigned int dst_iface,
+                         union all_addr *dst_addr, unsigned int dst_iface,
-                         struct dns_header *header, size_t plen, time_t now, struct frec *forward)
+                         struct dns_header *header, size_t plen, time_t now,
+                         struct frec *forward, int ad_reqd, int do_bit)
  {
    char *domain = NULL;
-  int type = 0, norebind = 0;
+  int type = SERV_DO_DNSSEC, norebind = 0;
-  struct all_addr *addrp = NULL;
+  union all_addr *addrp = NULL;
-  unsigned int crc = questions_crc(header, plen, daemon->namebuff);
    unsigned int flags = 0;
-  unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
+  unsigned int fwd_flags = 0;
    struct server *start = NULL;
+   void *hash = hash_questions(header, plen, daemon->namebuff);
+ #ifdef HAVE_DNSSEC
+   int do_dnssec = 0;
+ #endif
+   unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
+   unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL);
+   (void)do_bit;
-  /* RFC 4035: sect 4.6 para 2 */
+  if (header->hb4 & HB4_CD)
-  header->hb4 &= ~HB4_AD;
+    fwd_flags |= FREC_CHECKING_DISABLED;
+  if (ad_reqd)
+    fwd_flags |= FREC_AD_QUESTION;
+  if (oph)
+    fwd_flags |= FREC_HAS_PHEADER;
+#ifdef HAVE_DNSSEC
+  if (do_bit)
+    fwd_flags |= FREC_DO_QUESTION;
+#endif
    /* may be no servers available. */
-  if (!daemon->servers)
+  if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash)))
-    forward = NULL;
-  else if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, crc)))
      {
+       /* If we didn't get an answer advertising a maximal packet in EDNS,
+          fall back to 1280, which should work everywhere on IPv6.
+          If that generates an answer, it will become the new default
+          for this server */
+       forward->flags |= FREC_TEST_PKTSZ;
+ #ifdef HAVE_DNSSEC
+       /* If we've already got an answer to this query, but we're awaiting keys for validation,
+          there's no point retrying the query, retry the key query instead...... */
+       if (forward->blocking_query)
+         {
+           int fd, is_sign;
+           unsigned char *pheader;
+           forward->flags &= ~FREC_TEST_PKTSZ;
+           while (forward->blocking_query)
+             forward = forward->blocking_query;
+           blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
+           plen = forward->stash_len;
+           forward->flags |= FREC_TEST_PKTSZ;
+           if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign, NULL) && !is_sign)
+             PUTSHORT(SAFE_PKTSZ, pheader);
+           if (forward->sentto->addr.sa.sa_family == AF_INET)
+             log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
+           else
+             log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
+           if (forward->sentto->sfd)
+             fd = forward->sentto->sfd->fd;
+           else
+             {
+               if (forward->sentto->addr.sa.sa_family == AF_INET6)
+                 fd = forward->rfd6->fd;
+               else
+                 fd = forward->rfd4->fd;
+             }
+           while (retry_send(sendto(fd, (char *)header, plen, 0,
+                                    &forward->sentto->addr.sa,
+                                    sa_len(&forward->sentto->addr))));
+           return 1;
+         }
+ #endif
        /* retry on existing query, send to all available servers  */
        domain = forward->sentto->domain;
        forward->sentto->failed_queries++;
- Line 261  static int forward_query(int udpfd, union mysockaddr *
+ Line 340  static int forward_query(int udpfd, union mysockaddr *
            daemon->last_server = NULL;
          }
        type = forward->sentto->flags & SERV_TYPE;
+ #ifdef HAVE_DNSSEC
+       do_dnssec = forward->sentto->flags & SERV_DO_DNSSEC;
+ #endif
        if (!(start = forward->sentto->next))
          start = daemon->servers; /* at end of list, recycle */
        header->id = htons(forward->new_id);
      }
    else
      {
+       /* Query from new source, but the same query may be in progress
+          from another source. If so, just add this client to the
+          list that will get the reply.*/
+       if (!option_bool(OPT_ADD_MAC) && !option_bool(OPT_MAC_B64) &&
+           (forward = lookup_frec_by_query(hash, fwd_flags)))
+         {
+           /* Note whine_malloc() zeros memory. */
+           if (!daemon->free_frec_src &&
+               daemon->frec_src_count < daemon->ftabsize &&
+               (daemon->free_frec_src = whine_malloc(sizeof(struct frec_src))))
+             {
+               daemon->frec_src_count++;
+               daemon->free_frec_src->next = NULL;
+             }
+           /* If we've been spammed with many duplicates, just drop the query. */
+           if (daemon->free_frec_src)
+             {
+               struct frec_src *new = daemon->free_frec_src;
+               daemon->free_frec_src = new->next;
+               new->next = forward->frec_src.next;
+               forward->frec_src.next = new;
+               new->orig_id = ntohs(header->id);
+               new->source = *udpaddr;
+               new->dest = *dst_addr;
+               new->log_id = daemon->log_id;
+               new->iface = dst_iface;
+               new->fd = udpfd;
+             }
+           return 1;
+         }
        if (gotname)
          flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
-      if (!flags && !(forward = get_new_frec(now, NULL)))
+#ifdef HAVE_DNSSEC
-        /* table full - server failure. */
+      do_dnssec = type & SERV_DO_DNSSEC;
-        flags = F_NEG;
+#endif
+      type &= ~SERV_DO_DNSSEC;
+       if (daemon->servers && !flags)
+         forward = get_new_frec(now, NULL, NULL);
+       /* table full - flags == 0, return REFUSED */
        if (forward)
          {
-          forward->source = *udpaddr;
+          forward->frec_src.source = *udpaddr;
-          forward->dest = *dst_addr;
+          forward->frec_src.orig_id = ntohs(header->id);
-          forward->iface = dst_iface;
+          forward->frec_src.dest = *dst_addr;
-          forward->orig_id = ntohs(header->id);
+          forward->frec_src.iface = dst_iface;
-          forward->new_id = get_id(crc);
+          forward->frec_src.next = NULL;
-          forward->fd = udpfd;
+          forward->frec_src.fd = udpfd;
-          forward->crc = crc;
+          forward->new_id = get_id();
+          memcpy(forward->hash, hash, HASH_SIZE);
            forward->forwardall = 0;
+           forward->flags = fwd_flags;
            if (norebind)
              forward->flags |= FREC_NOREBIND;
            if (header->hb4 & HB4_CD)
              forward->flags |= FREC_CHECKING_DISABLED;
+          if (ad_reqd)
+            forward->flags |= FREC_AD_QUESTION;
+#ifdef HAVE_DNSSEC
+          forward->work_counter = DNSSEC_WORK;
+          if (do_bit)
+            forward->flags |= FREC_DO_QUESTION;
+#endif
            header->id = htons(forward->new_id);
            /* In strict_order mode, always try servers in the order
- Line 326  static int forward_query(int udpfd, union mysockaddr *
+ Line 457  static int forward_query(int udpfd, union mysockaddr *
    if (!flags && forward)
      {
        struct server *firstsentto = start;
-      int forwarded = 0;
+      int subnet, cacheable, forwarded = 0;
+      size_t edns0_len;
+      unsigned char *pheader;
-      if (udpaddr && option_bool(OPT_ADD_MAC))
+      /* If a query is retried, use the log_id for the retry when logging the answer. */
-        plen = add_mac(header, plen, ((char *) header) + PACKETSZ, udpaddr);
+      forward->frec_src.log_id = daemon->log_id;
+       plen = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->frec_src.source, now, &subnet, &cacheable);
+       if (subnet)
+         forward->flags |= FREC_HAS_SUBNET;
+       if (!cacheable)
+         forward->flags |= FREC_NO_CACHE;
+ #ifdef HAVE_DNSSEC
+       if (option_bool(OPT_DNSSEC_VALID) && do_dnssec)
+         {
+           plen = add_do_bit(header, plen, ((unsigned char *) header) + PACKETSZ);
+           /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
+              this allows it to select auth servers when one is returning bad data. */
+           if (option_bool(OPT_DNSSEC_DEBUG))
+             header->hb4 |= HB4_CD;
+         }
+ #endif
+       if (find_pseudoheader(header, plen, &edns0_len, &pheader, NULL, NULL))
+         {
+           /* If there wasn't a PH before, and there is now, we added it. */
+           if (!oph)
+             forward->flags |= FREC_ADDED_PHEADER;
+           /* If we're sending an EDNS0 with any options, we can't recreate the query from a reply. */
+           if (edns0_len > 11)
+             forward->flags |= FREC_HAS_EXTRADATA;
+           /* Reduce udp size on retransmits. */
+           if (forward->flags & FREC_TEST_PKTSZ)
+             PUTSHORT(SAFE_PKTSZ, pheader);
+         }
        while (1)
          {
            /* only send to servers dealing with our domain.
- Line 339  static int forward_query(int udpfd, union mysockaddr *
+ Line 508  static int forward_query(int udpfd, union mysockaddr *
            if (type == (start->flags & SERV_TYPE) &&
                (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
-              !(start->flags & SERV_LITERAL_ADDRESS))
+              !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
              {
                int fd;
- Line 348  static int forward_query(int udpfd, union mysockaddr *
+ Line 517  static int forward_query(int udpfd, union mysockaddr *
                  fd = start->sfd->fd;
                else
                  {
- #ifdef HAVE_IPV6
                    if (start->addr.sa.sa_family == AF_INET6)
                      {
                        if (!forward->rfd6 &&
- Line 358  static int forward_query(int udpfd, union mysockaddr *
+ Line 526  static int forward_query(int udpfd, union mysockaddr *
                        fd = forward->rfd6->fd;
                      }
                    else
- #endif
                      {
                        if (!forward->rfd4 &&
                            !(forward->rfd4 = allocate_rfd(AF_INET)))
- Line 372  static int forward_query(int udpfd, union mysockaddr *
+ Line 539  static int forward_query(int udpfd, union mysockaddr *
                    if (option_bool(OPT_CONNTRACK))
                      {
                        unsigned int mark;
-                      if (get_incoming_mark(udpaddr, dst_addr, 0, &mark))
+                      if (get_incoming_mark(&forward->frec_src.source, &forward->frec_src.dest, 0, &mark))
                          setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
                      }
  #endif
                  }
-              if (sendto(fd, (char *)header, plen, 0,
+#ifdef HAVE_DNSSEC
-                         &start->addr.sa,
+              if (option_bool(OPT_DNSSEC_VALID) && (forward->flags & FREC_ADDED_PHEADER))
-                         sa_len(&start->addr)) == -1)
                  {
-                  if (retry_send())
+                  /* Difficult one here. If our client didn't send EDNS0, we will have set the UDP
-                    continue;
+                     packet size to 512. But that won't provide space for the RRSIGS in many cases.
+                     The RRSIGS will be stripped out before the answer goes back, so the packet should
+                     shrink again. So, if we added a do-bit, bump the udp packet size to the value
+                     known to be OK for this server. We check returned size after stripping and set
+                     the truncated bit if it's still too big. */
+                  unsigned char *pheader;
+                  int is_sign;
+                  if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign, NULL) && !is_sign)
+                    PUTSHORT(start->edns_pktsz, pheader);
                  }
-              else
+#endif
+              if (retry_send(sendto(fd, (char *)header, plen, 0,
+                                    &start->addr.sa,
+                                    sa_len(&start->addr))))
+                continue;
+              if (errno == 0)
                  {
+ #ifdef HAVE_DUMPFILE
+                   dump_packet(DUMP_UP_QUERY, (void *)header, plen, NULL, &start->addr);
+ #endif
                    /* Keep info in case we want to re-send this packet */
                    daemon->srv_save = start;
                    daemon->packet_len = plen;
- Line 395  static int forward_query(int udpfd, union mysockaddr *
+ Line 580  static int forward_query(int udpfd, union mysockaddr *
                      strcpy(daemon->namebuff, "query");
                    if (start->addr.sa.sa_family == AF_INET)
                      log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
-                              (struct all_addr *)&start->addr.in.sin_addr, NULL);
+                              (union all_addr *)&start->addr.in.sin_addr, NULL);
-#ifdef HAVE_IPV6
                    else
                      log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
-                              (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
+                              (union  all_addr *)&start->addr.in6.sin6_addr, NULL);
-#endif
                    start->queries++;
                    forwarded = 1;
                    forward->sentto = start;
- Line 421  static int forward_query(int udpfd, union mysockaddr *
+ Line 604  static int forward_query(int udpfd, union mysockaddr *
          return 1;
        /* could not send on, prepare to return */
-      header->id = htons(forward->orig_id);
+      header->id = htons(forward->frec_src.orig_id);
        free_frec(forward); /* cancel */
      }
- Line 429  static int forward_query(int udpfd, union mysockaddr *
+ Line 612  static int forward_query(int udpfd, union mysockaddr *
    if (udpfd != -1)
      {
        plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
+       if (oph)
+         plen = add_pseudoheader(header, plen, ((unsigned char *) header) + PACKETSZ, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
        send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
      }
    return 0;
  }
-static size_t process_reply(struct dns_header *header, time_t now,
+static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
-                            struct server *server, size_t n, int check_rebind, int checking_disabled)
+                            int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader,
+                            int check_subnet, union mysockaddr *query_source)
  {
    unsigned char *pheader, *sizep;
    char **sets = 0;
    int munged = 0, is_sign;
+   unsigned int rcode = RCODE(header);
    size_t plen;
+   (void)ad_reqd;
+   (void)do_bit;
+   (void)bogusanswer;
  #ifdef HAVE_IPSET
-  /* Similar algorithm to search_servers. */
+  if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
-  struct ipsets *ipset_pos;
-  unsigned int namelen = strlen(daemon->namebuff);
-  unsigned int matchlen = 0;
-  for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
      {
-      unsigned int domainlen = strlen(ipset_pos->domain);
+      /* Similar algorithm to search_servers. */
       struct ipsets *ipset_pos;
       unsigned int namelen = strlen(daemon->namebuff);
       unsigned int matchlen = 0;
-          domainlen >= matchlen) {
+      for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
         matchlen = domainlen;
           unsigned int domainlen = strlen(ipset_pos->domain);
           char *matchstart = daemon->namebuff + namelen - domainlen;
+          if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
+              (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
+              domainlen >= matchlen)
+              matchlen = domainlen;
+              sets = ipset_pos->sets;
+            }
      }
  #endif
-   /* If upstream is advertising a larger UDP packet size
-      than we allow, trim it so that we don't get overlarge
-      requests for the client. We can't do this for signed packets. */
-  if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)) && !is_sign)
+  if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign, NULL)))
      {
-      unsigned short udpsz;
+      /* Get extended RCODE. */
-      unsigned char *psave = sizep;
+      rcode |= sizep[2] << 4;
+      if (check_subnet && !check_source(header, plen, pheader, query_source))
+        {
+          my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
+          return 0;
+        }
-      GETSHORT(udpsz, sizep);
+      if (!is_sign)
-      if (udpsz > daemon->edns_pktsz)
+        {
-        PUTSHORT(daemon->edns_pktsz, psave);
+          if (added_pheader)
-    }
+            {
+              /* client didn't send EDNS0, we added one, strip it off before returning answer. */
+              n = rrfilter(header, n, 0);
+              pheader = NULL;
+            }
+          else
+            {
+              unsigned short udpsz;
+               /* If upstream is advertising a larger UDP packet size
+                  than we allow, trim it so that we don't get overlarge
+                  requests for the client. We can't do this for signed packets. */
+               GETSHORT(udpsz, sizep);
+               if (udpsz > daemon->edns_pktsz)
+                 {
+                   sizep -= 2;
+                   PUTSHORT(daemon->edns_pktsz, sizep);
+                 }
+ #ifdef HAVE_DNSSEC
+               /* If the client didn't set the do bit, but we did, reset it. */
+               if (option_bool(OPT_DNSSEC_VALID) && !do_bit)
+                 {
+                   unsigned short flags;
+                   sizep += 2; /* skip RCODE */
+                   GETSHORT(flags, sizep);
+                   flags &= ~0x8000;
+                   sizep -= 2;
+                   PUTSHORT(flags, sizep);
+                 }
+ #endif
+             }
+         }
+     }
    /* RFC 4035 sect 4.6 para 3 */
-  if (!is_sign && !option_bool(OPT_DNSSEC))
+  if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
       header->hb4 &= ~HB4_AD;
+   if (OPCODE(header) != QUERY)
+     return resize_packet(header, n, pheader, plen);
-  if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
+  if (rcode != NOERROR && rcode != NXDOMAIN)
     return n;
+      union all_addr a;
+      a.log.rcode = rcode;
+      log_query(F_UPSTREAM | F_RCODE, "error", &a, NULL);
+      return resize_packet(header, n, pheader, plen);
+    }
    /* Complain loudly if the upstream server is non-recursive. */
-  if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
+  if (!(header->hb4 & HB4_RA) && rcode == NOERROR &&
        server && !(server->flags & SERV_WARNED_RECURSIVE))
      {
-      prettyprint_addr(&server->addr, daemon->namebuff);
+      (void)prettyprint_addr(&server->addr, daemon->namebuff);
        my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
        if (!option_bool(OPT_LOG))
          server->flags |= SERV_WARNED_RECURSIVE;
      }
-  if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
+  if (daemon->bogus_addr && rcode != NXDOMAIN &&
        check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
      {
        munged = 1;
        SET_RCODE(header, NXDOMAIN);
        header->hb3 &= ~HB3_AA;
+       cache_secure = 0;
      }
    else
      {
-      if (RCODE(header) == NXDOMAIN &&
+      int doctored = 0;
+      if (rcode == NXDOMAIN &&
            extract_request(header, n, daemon->namebuff, NULL) &&
            check_for_local_domain(daemon->namebuff, now))
          {
- Line 511  static size_t process_reply(struct dns_header *header,
+ Line 753  static size_t process_reply(struct dns_header *header,
            munged = 1;
            header->hb3 |= HB3_AA;
            SET_RCODE(header, NOERROR);
+           cache_secure = 0;
          }
-      if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, checking_disabled))
+      if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
          {
            my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
            munged = 1;
+           cache_secure = 0;
          }
+       if (doctored)
+         cache_secure = 0;
      }
+ #ifdef HAVE_DNSSEC
+   if (bogusanswer && !(header->hb4 & HB4_CD) && !option_bool(OPT_DNSSEC_DEBUG))
+     {
+       /* Bogus reply, turn into SERVFAIL */
+       SET_RCODE(header, SERVFAIL);
+       munged = 1;
+     }
+   if (option_bool(OPT_DNSSEC_VALID))
+     {
+       header->hb4 &= ~HB4_AD;
+       if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
+         header->hb4 |= HB4_AD;
+       /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
+       if (!do_bit)
+         n = rrfilter(header, n, 1);
+     }
+ #endif
    /* do this after extract_addresses. Ensure NODATA reply and remove
       nameserver info. */
- Line 528  static size_t process_reply(struct dns_header *header,
+ Line 796  static size_t process_reply(struct dns_header *header,
        header->ancount = htons(0);
        header->nscount = htons(0);
        header->arcount = htons(0);
+       header->hb3 &= ~HB3_TC;
      }
    /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
- Line 545  void reply_query(int fd, int family, time_t now)
+ Line 814  void reply_query(int fd, int family, time_t now)
    union mysockaddr serveraddr;
    struct frec *forward;
    socklen_t addrlen = sizeof(serveraddr);
-  ssize_t n = recvfrom(fd, daemon->packet, daemon->edns_pktsz, 0, &serveraddr.sa, &addrlen);
+  ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
    size_t nn;
    struct server *server;
+  void *hash;
    /* packet buffer overwritten */
    daemon->srv_save = NULL;
    /* Determine the address of the server replying  so that we can mark that as good */
-  serveraddr.sa.sa_family = family;
+  if ((serveraddr.sa.sa_family = family) == AF_INET6)
-#ifdef HAVE_IPV6
-  if (serveraddr.sa.sa_family == AF_INET6)
      serveraddr.in6.sin6_flowinfo = 0;
- #endif
+   header = (struct dns_header *)daemon->packet;
+   if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR))
+     return;
    /* spoof check: answer must come from known server, */
    for (server = daemon->servers; server; server = server->next)
      if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
          sockaddr_isequal(&server->addr, &serveraddr))
        break;
-   header = (struct dns_header *)daemon->packet;
-  if (!server ||
+  if (!server)
-      n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) ||
-      !(forward = lookup_frec(ntohs(header->id), questions_crc(header, n, daemon->namebuff))))
      return;
-  server = forward->sentto;
+  /* If sufficient time has elapsed, try and expand UDP buffer size again. */
+  if (difftime(now, server->pktsz_reduced) > UDP_TEST_TIME)
+    server->edns_pktsz = daemon->edns_pktsz;
+  hash = hash_questions(header, n, daemon->namebuff);
-  if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
+  if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash)))
-      !option_bool(OPT_ORDER) &&
+    return;
-      forward->forwardall == 0)
+#ifdef HAVE_DUMPFILE
+  dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_REPLY : DUMP_UP_REPLY,
+              (void *)header, n, &serveraddr, NULL);
+#endif
+  /* log_query gets called indirectly all over the place, so
+     pass these in global variables - sorry. */
+  daemon->log_display_id = forward->frec_src.log_id;
+  daemon->log_source_addr = &forward->frec_src.source;
+  if (daemon->ignore_addr && RCODE(header) == NOERROR &&
+      check_for_ignored_address(header, n, daemon->ignore_addr))
+    return;
+  /* Note: if we send extra options in the EDNS0 header, we can't recreate
+     the query from the reply. */
+  if ((RCODE(header) == REFUSED || RCODE(header) == SERVFAIL) &&
+      forward->forwardall == 0 &&
+      !(forward->flags & FREC_HAS_EXTRADATA))
      /* for broken servers, attempt to send to another one. */
      {
        unsigned char *pheader;
        size_t plen;
        int is_sign;
+ #ifdef HAVE_DNSSEC
+       if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
+         {
+           struct server *start;
+           blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
+           plen = forward->stash_len;
+           forward->forwardall = 2; /* only retry once */
+           start = forward->sentto;
+           /* for non-domain specific servers, see if we can find another to try. */
+           if ((forward->sentto->flags & SERV_TYPE) == 0)
+             while (1)
+               {
+                 if (!(start = start->next))
+                   start = daemon->servers;
+                 if (start == forward->sentto)
+                   break;
+                 if ((start->flags & SERV_TYPE) == 0 &&
+                     (start->flags & SERV_DO_DNSSEC))
+                   break;
+               }
+           fd = -1;
+           if (start->sfd)
+             fd = start->sfd->fd;
+           else
+             {
+               if (start->addr.sa.sa_family == AF_INET6)
+                 {
+                   /* may have changed family */
+                   if (forward->rfd6 || (forward->rfd6 = allocate_rfd(AF_INET6)))
+                     fd = forward->rfd6->fd;
+                 }
+               else
+                 {
+                   /* may have changed family */
+                   if (forward->rfd4 || (forward->rfd4 = allocate_rfd(AF_INET)))
+                     fd = forward->rfd4->fd;
+                 }
+             }
+           /* Can't get socket. */
+           if (fd == -1)
+             return;
+ #ifdef HAVE_DUMPFILE
+           dump_packet(DUMP_SEC_QUERY, (void *)header, (size_t)plen, NULL, &start->addr);
+ #endif
+           while (retry_send(sendto(fd, (char *)header, plen, 0,
+                                    &start->addr.sa,
+                                    sa_len(&start->addr))));
+           if (start->addr.sa.sa_family == AF_INET)
+             log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&start->addr.in.sin_addr, "dnssec");
+           else
+             log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&start->addr.in6.sin6_addr, "dnssec");
+           return;
+         }
+ #endif
+       /* In strict order mode, there must be a server later in the chain
+          left to send to, otherwise without the forwardall mechanism,
+          code further on will cycle around the list forwever if they
+          all return REFUSED. Note that server is always non-NULL before
+          this executes. */
+       if (option_bool(OPT_ORDER))
+         for (server = forward->sentto->next; server; server = server->next)
+           if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR | SERV_LOOP)))
+             break;
        /* recreate query from reply */
-      pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
+      pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign, NULL);
-      if (!is_sign)
+      if (!is_sign && server)
          {
            header->ancount = htons(0);
            header->nscount = htons(0);
            header->arcount = htons(0);
            if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
              {
-              header->hb3 &= ~(HB3_QR | HB3_TC);
+              header->hb3 &= ~(HB3_QR | HB3_AA | HB3_TC);
-              forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
+              header->hb4 &= ~(HB4_RA | HB4_RCODE | HB4_CD | HB4_AD);
+              if (forward->flags & FREC_CHECKING_DISABLED)
+                header->hb4 |= HB4_CD;
+              if (forward->flags & FREC_AD_QUESTION)
+                header->hb4 |= HB4_AD;
+              if (forward->flags & FREC_DO_QUESTION)
+                add_do_bit(header, nn,  (unsigned char *)pheader + plen);
+              forward_query(-1, NULL, NULL, 0, header, nn, now, forward, forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION);
                return;
              }
          }
      }
+  server = forward->sentto;
    if ((forward->sentto->flags & SERV_TYPE) == 0)
      {
-      if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED)
+      if (RCODE(header) == REFUSED)
          server = NULL;
        else
          {
- Line 619  void reply_query(int fd, int family, time_t now)
+ Line 995  void reply_query(int fd, int family, time_t now)
        if (!option_bool(OPT_ALL_SERVERS))
          daemon->last_server = server;
      }
+  /* We tried resending to this server with a smaller maximum size and got an answer.
+     Make that permanent. To avoid reduxing the packet size for a single dropped packet,
+     only do this when we get a truncated answer, or one larger than the safe size. */
+  if (forward->sentto->edns_pktsz > SAFE_PKTSZ && (forward->flags & FREC_TEST_PKTSZ) &&
+      ((header->hb3 & HB3_TC) || n >= SAFE_PKTSZ))
+    {
+      forward->sentto->edns_pktsz = SAFE_PKTSZ;
+      forward->sentto->pktsz_reduced = now;
+      (void)prettyprint_addr(&forward->sentto->addr, daemon->addrbuff);
+      my_syslog(LOG_WARNING, _("reducing DNS packet size for nameserver %s to %d"), daemon->addrbuff, SAFE_PKTSZ);
+    }
    /* If the answer is an error, keep the forward record in place in case
       we get a good reply from another server. Kill it when we've
       had replies from all to avoid filling the forwarding table when
       everything is broken */
-  if (forward->forwardall == 0 || --forward->forwardall == 1 ||
+  if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != REFUSED)
-      (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
      {
-      int check_rebind = !(forward->flags & FREC_NOREBIND);
+      int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
+      if (option_bool(OPT_NO_REBIND))
+        check_rebind = !(forward->flags & FREC_NOREBIND);
+      /*   Don't cache replies where DNSSEC validation was turned off, either
+           the upstream server told us so, or the original query specified it.  */
+      if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
+        no_cache_dnssec = 1;
+#ifdef HAVE_DNSSEC
+      if ((forward->sentto->flags & SERV_DO_DNSSEC) &&
+          option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
+        {
+          int status = 0;
-      if (!option_bool(OPT_NO_REBIND))
+          /* We've had a reply already, which we're validating. Ignore this duplicate */
-        check_rebind = 0;
+          if (forward->blocking_query)
+            return;
+           /* Truncated answer can't be validated.
+              If this is an answer to a DNSSEC-generated query, we still
+              need to get the client to retry over TCP, so return
+              an answer with the TC bit set, even if the actual answer fits.
+           */
+          if (header->hb3 & HB3_TC)
+            status = STAT_TRUNCATED;
+          while (1)
+            {
+              /* As soon as anything returns BOGUS, we stop and unwind, to do otherwise
+                 would invite infinite loops, since the answers to DNSKEY and DS queries
+                 will not be cached, so they'll be repeated. */
+              if (status != STAT_BOGUS && status != STAT_TRUNCATED && status != STAT_ABANDONED)
+                {
+                  if (forward->flags & FREC_DNSKEY_QUERY)
+                    status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
+                  else if (forward->flags & FREC_DS_QUERY)
+                    status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
+                  else
+                    status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class,
+                                                   !option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC),
+                                                   NULL, NULL, NULL);
+#ifdef HAVE_DUMPFILE
+                  if (status == STAT_BOGUS)
+                    dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_BOGUS : DUMP_BOGUS,
+                                header, (size_t)n, &serveraddr, NULL);
+#endif
+                }
+              /* Can't validate, as we're missing key data. Put this
+                 answer aside, whilst we get that. */
+              if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
+                {
+                  struct frec *new, *orig;
+                  /* Free any saved query */
+                  if (forward->stash)
+                    blockdata_free(forward->stash);
+                  /* Now save reply pending receipt of key data */
+                  if (!(forward->stash = blockdata_alloc((char *)header, n)))
+                    return;
+                  forward->stash_len = n;
+                  /* Find the original query that started it all.... */
+                  for (orig = forward; orig->dependent; orig = orig->dependent);
+                  /* Make sure we don't expire and free the orig frec during the
+                     allocation of a new one. */
+                  if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, orig)))
+                    status = STAT_ABANDONED;
+                  else
+                    {
+                      int querytype, fd, type = SERV_DO_DNSSEC;
+                      struct frec *next = new->next;
+                      char *domain;
+                      *new = *forward; /* copy everything, then overwrite */
+                      new->next = next;
+                      new->blocking_query = NULL;
+                      /* Find server to forward to. This will normally be the
+                         same as for the original query, but may be another if
+                         servers for domains are involved. */
+                      if (search_servers(now, NULL, F_DNSSECOK, daemon->keyname, &type, &domain, NULL) == 0)
+                        {
+                          struct server *start, *new_server = NULL;
+                          start = server = forward->sentto;
+                          while (1)
+                            {
+                              if (type == (start->flags & (SERV_TYPE | SERV_DO_DNSSEC)) &&
+                                  ((type & SERV_TYPE) != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
+                                  !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
+                                {
+                                  new_server = start;
+                                  if (server == start)
+                                    {
+                                      new_server = NULL;
+                                      break;
+                                    }
+                                }
+                              if (!(start = start->next))
+                                start = daemon->servers;
+                              if (start == server)
+                                break;
+                            }
+                          if (new_server)
+                            server = new_server;
+                        }
+                      new->sentto = server;
+                      new->rfd4 = NULL;
+                      new->rfd6 = NULL;
+                      new->frec_src.next = NULL;
+                      new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA);
+                      new->forwardall = 0;
+                      new->dependent = forward; /* to find query awaiting new one. */
+                      forward->blocking_query = new; /* for garbage cleaning */
+                      /* validate routines leave name of required record in daemon->keyname */
+                      if (status == STAT_NEED_KEY)
+                        {
+                          new->flags |= FREC_DNSKEY_QUERY;
+                          querytype = T_DNSKEY;
+                        }
+                      else
+                        {
+                          new->flags |= FREC_DS_QUERY;
+                          querytype = T_DS;
+                        }
+                      nn = dnssec_generate_query(header,((unsigned char *) header) + server->edns_pktsz,
+                                                 daemon->keyname, forward->class, querytype, server->edns_pktsz);
+                      if (server->addr.sa.sa_family == AF_INET)
+                        log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, daemon->keyname, (union all_addr *)&(server->addr.in.sin_addr),
+                                  querystr("dnssec-query", querytype));
+                      else
+                        log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, daemon->keyname, (union all_addr *)&(server->addr.in6.sin6_addr),
+                                  querystr("dnssec-query", querytype));
+                      memcpy(new->hash, hash_questions(header, nn, daemon->namebuff), HASH_SIZE);
+                      new->new_id = get_id();
+                      header->id = htons(new->new_id);
+                      /* Save query for retransmission */
+                      new->stash = blockdata_alloc((char *)header, nn);
+                      new->stash_len = nn;
+                      /* Don't resend this. */
+                      daemon->srv_save = NULL;
+                      if (server->sfd)
+                        fd = server->sfd->fd;
+                      else
+                        {
+                          fd = -1;
+                          if (server->addr.sa.sa_family == AF_INET6)
+                            {
+                              if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
+                                fd = new->rfd6->fd;
+                            }
+                          else
+                            {
+                              if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
+                                fd = new->rfd4->fd;
+                            }
+                        }
+                      if (fd != -1)
+                        {
+#ifdef HAVE_CONNTRACK
+                          /* Copy connection mark of incoming query to outgoing connection. */
+                          if (option_bool(OPT_CONNTRACK))
+                            {
+                              unsigned int mark;
+                              if (get_incoming_mark(&orig->frec_src.source, &orig->frec_src.dest, 0, &mark))
+                                setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
+                            }
+#endif
+#ifdef HAVE_DUMPFILE
+                          dump_packet(DUMP_SEC_QUERY, (void *)header, (size_t)nn, NULL, &server->addr);
+#endif
+                          while (retry_send(sendto(fd, (char *)header, nn, 0,
+                                                   &server->addr.sa,
+                                                   sa_len(&server->addr))));
+                          server->queries++;
+                        }
+                    }
+                  return;
+                }
+              /* Validated original answer, all done. */
+              if (!forward->dependent)
+                break;
+              /* validated subsidiary query, (and cached result)
+                 pop that and return to the previous query we were working on. */
+              struct frec *prev = forward->dependent;
+              free_frec(forward);
+              forward = prev;
+              forward->blocking_query = NULL; /* already gone */
+              blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
+              n = forward->stash_len;
+            }
+          no_cache_dnssec = 0;
+          if (status == STAT_TRUNCATED)
+            header->hb3 |= HB3_TC;
+          else
+            {
+              char *result, *domain = "result";
+              if (status == STAT_ABANDONED)
+                {
+                  result = "ABANDONED";
+                  status = STAT_BOGUS;
+                }
+              else
+                result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
+              if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL))
+                domain = daemon->namebuff;
+              log_query(F_SECSTAT, domain, NULL, result);
+            }
+          if (status == STAT_SECURE)
+            cache_secure = 1;
+          else if (status == STAT_BOGUS)
+            {
+              no_cache_dnssec = 1;
+              bogusanswer = 1;
+            }
+        }
+#endif
+      /* restore CD bit to the value in the query */
+      if (forward->flags & FREC_CHECKING_DISABLED)
+        header->hb4 |= HB4_CD;
+      else
+        header->hb4 &= ~HB4_CD;
+      /* Never cache answers which are contingent on the source or MAC address EDSN0 option,
+         since the cache is ignorant of such things. */
+      if (forward->flags & FREC_NO_CACHE)
+        no_cache_dnssec = 1;
-      if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, forward->flags & FREC_CHECKING_DISABLED)))
+      if ((nn = process_reply(header, now, forward->sentto, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer,
+                              forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
+                              forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->frec_src.source)))
          {
-          header->id = htons(forward->orig_id);
+          struct frec_src *src;
+          header->id = htons(forward->frec_src.orig_id);
            header->hb4 |= HB4_RA; /* recursion if available */
-          send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
+#ifdef HAVE_DNSSEC
-                    &forward->source, &forward->dest, forward->iface);
+          /* We added an EDNSO header for the purpose of getting DNSSEC RRs, and set the value of the UDP payload size
+             greater than the no-EDNS0-implied 512 to have space for the RRSIGS. If, having stripped them and the EDNS0
+             header, the answer is still bigger than 512, truncate it and mark it so. The client then retries with TCP. */
+          if (option_bool(OPT_DNSSEC_VALID) && (forward->flags & FREC_ADDED_PHEADER) && (nn > PACKETSZ))
+            {
+              header->ancount = htons(0);
+              header->nscount = htons(0);
+              header->arcount = htons(0);
+              header->hb3 |= HB3_TC;
+              nn = resize_packet(header, nn, NULL, 0);
+            }
+#endif
+          for (src = &forward->frec_src; src; src = src->next)
+            {
+              header->id = htons(src->orig_id);
+#ifdef HAVE_DUMPFILE
+              dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &src->source);
+#endif
+              send_from(src->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
+                        &src->source, &src->dest, src->iface);
+              if (option_bool(OPT_EXTRALOG) && src != &forward->frec_src)
+                {
+                  daemon->log_display_id = src->log_id;
+                  daemon->log_source_addr = &src->source;
+                  log_query(F_UPSTREAM, "query", NULL, "duplicate");
+                }
+            }
          }
        free_frec(forward); /* cancel */
      }
  }
- Line 648  void receive_query(struct listener *listen, time_t now
+ Line 1322  void receive_query(struct listener *listen, time_t now
  {
    struct dns_header *header = (struct dns_header *)daemon->packet;
    union mysockaddr source_addr;
-  unsigned short type;
+  unsigned char *pheader;
-  struct all_addr dst_addr;
+  unsigned short type, udp_size = PACKETSZ; /* default if no EDNS0 */
+  union all_addr dst_addr;
    struct in_addr netmask, dst_addr_4;
    size_t m;
    ssize_t n;
-  int if_index = 0;
+  int if_index = 0, auth_dns = 0, do_bit = 0, have_pseudoheader = 0;
-  int auth_dns = 0;
+#ifdef HAVE_AUTH
+  int local_auth = 0;
+#endif
    struct iovec iov[1];
    struct msghdr msg;
    struct cmsghdr *cmptr;
    union {
      struct cmsghdr align; /* this ensures alignment */
- #ifdef HAVE_IPV6
      char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
- #endif
  #if defined(HAVE_LINUX_NETWORK)
      char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
  #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
- Line 673  void receive_query(struct listener *listen, time_t now
+ Line 1348  void receive_query(struct listener *listen, time_t now
                   CMSG_SPACE(sizeof(struct sockaddr_dl))];
  #endif
    } control_u;
+  int family = listen->addr.sa.sa_family;
+   /* Can always get recvd interface for IPv6 */
+  int check_dst = !option_bool(OPT_NOWILD) || family == AF_INET6;
    /* packet buffer overwritten */
    daemon->srv_save = NULL;
-  dst_addr_4.s_addr = 0;
+  dst_addr_4.s_addr = dst_addr.addr4.s_addr = 0;
    netmask.s_addr = 0;
    if (option_bool(OPT_NOWILD) && listen->iface)
      {
        auth_dns = listen->iface->dns_auth;
-      if (listen->family == AF_INET)
+      if (family == AF_INET)
          {
-          dst_addr_4 = listen->iface->addr.in.sin_addr;
+          dst_addr_4 = dst_addr.addr4 = listen->iface->addr.in.sin_addr;
            netmask = listen->iface->netmask;
          }
      }
- Line 709  void receive_query(struct listener *listen, time_t now
+ Line 1387  void receive_query(struct listener *listen, time_t now
        (msg.msg_flags & MSG_TRUNC) ||
        (header->hb3 & HB3_QR))
      return;
+   /* Clear buffer beyond request to avoid risk of
+      information disclosure. */
+   memset(daemon->packet + n, 0, daemon->edns_pktsz - n);
-  source_addr.sa.sa_family = listen->family;
+  source_addr.sa.sa_family = family;
-#ifdef HAVE_IPV6
-  if (listen->family == AF_INET6)
+  if (family == AF_INET)
     {
-#endif
+       /* Source-port == 0 is an error, we can't send back to that.
+          http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
+      if (source_addr.in.sin_port == 0)
+        return;
+    }
+  else
+    {
+      /* Source-port == 0 is an error, we can't send back to that. */
+      if (source_addr.in6.sin6_port == 0)
+        return;
+      source_addr.in6.sin6_flowinfo = 0;
+  /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
+  if (option_bool(OPT_LOCAL_SERVICE))
+    {
+      struct addrlist *addr;
-  if (!option_bool(OPT_NOWILD))
+      if (family == AF_INET6)
+        {
+          for (addr = daemon->interface_addrs; addr; addr = addr->next)
+            if ((addr->flags & ADDRLIST_IPV6) &&
+                is_same_net6(&addr->addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen))
+              break;
+        }
+      else
+        {
+          struct in_addr netmask;
+          for (addr = daemon->interface_addrs; addr; addr = addr->next)
+            {
+              netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
+              if (!(addr->flags & ADDRLIST_IPV6) &&
+                  is_same_net(addr->addr.addr4, source_addr.in.sin_addr, netmask))
+                break;
+            }
+        }
+      if (!addr)
+        {
+          static int warned = 0;
+          if (!warned)
+            {
+              my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
+              warned = 1;
+            }
+          return;
+        }
+    }
+  if (check_dst)
      {
        struct ifreq ifr;
- Line 724  void receive_query(struct listener *listen, time_t now
+ Line 1452  void receive_query(struct listener *listen, time_t now
          return;
  #if defined(HAVE_LINUX_NETWORK)
-      if (listen->family == AF_INET)
+      if (family == AF_INET)
          for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
            if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
              {
- Line 733  void receive_query(struct listener *listen, time_t now
+ Line 1461  void receive_query(struct listener *listen, time_t now
                  struct in_pktinfo *p;
                } p;
                p.c = CMSG_DATA(cmptr);
-              dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
+              dst_addr_4 = dst_addr.addr4 = p.p->ipi_spec_dst;
                if_index = p.p->ipi_ifindex;
              }
  #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
-      if (listen->family == AF_INET)
+      if (family == AF_INET)
          {
            for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
              {
- Line 751  void receive_query(struct listener *listen, time_t now
+ Line 1479  void receive_query(struct listener *listen, time_t now
                } p;
                 p.c = CMSG_DATA(cmptr);
                 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
-                 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
+                 dst_addr_4 = dst_addr.addr4 = *(p.a);
                 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
  #ifdef HAVE_SOLARIS_NETWORK
                   if_index = *(p.i);
- Line 762  void receive_query(struct listener *listen, time_t now
+ Line 1490  void receive_query(struct listener *listen, time_t now
          }
  #endif
-#ifdef HAVE_IPV6
+      if (family == AF_INET6)
-      if (listen->family == AF_INET6)
          {
            for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
              if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
- Line 774  void receive_query(struct listener *listen, time_t now
+ Line 1501  void receive_query(struct listener *listen, time_t now
                  } p;
                  p.c = CMSG_DATA(cmptr);
-                dst_addr.addr.addr6 = p.p->ipi6_addr;
+                dst_addr.addr6 = p.p->ipi6_addr;
                  if_index = p.p->ipi6_ifindex;
                }
          }
- #endif
        /* enforce available interface configuration */
        if (!indextoname(listen->fd, if_index, ifr.ifr_name))
          return;
-      if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
+      if (!iface_check(family, &dst_addr, ifr.ifr_name, &auth_dns))
          {
             if (!option_bool(OPT_CLEVERBIND))
-             enumerate_interfaces();
+             enumerate_interfaces(0);
-           if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name))
+           if (!loopback_exception(listen->fd, family, &dst_addr, ifr.ifr_name) &&
+               !label_exception(if_index, family, &dst_addr))
               return;
          }
-      if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
+      if (family == AF_INET && option_bool(OPT_LOCALISE))
          {
            struct irec *iface;
-          /* get the netmask of the interface whch has the address we were sent to.
+          /* get the netmask of the interface which has the address we were sent to.
-             This is no neccessarily the interface we arrived on. */
+             This is no necessarily the interface we arrived on. */
            for (iface = daemon->interfaces; iface; iface = iface->next)
              if (iface->addr.sa.sa_family == AF_INET &&
- Line 807  void receive_query(struct listener *listen, time_t now
+ Line 1534  void receive_query(struct listener *listen, time_t now
            /* interface may be new */
            if (!iface && !option_bool(OPT_CLEVERBIND))
-            enumerate_interfaces();
+            enumerate_interfaces(0);
            for (iface = daemon->interfaces; iface; iface = iface->next)
              if (iface->addr.sa.sa_family == AF_INET &&
- Line 821  void receive_query(struct listener *listen, time_t now
+ Line 1548  void receive_query(struct listener *listen, time_t now
              dst_addr_4.s_addr = 0;
          }
      }
+  /* log_query gets called indirectly all over the place, so
+     pass these in global variables - sorry. */
+  daemon->log_display_id = ++daemon->log_id;
+  daemon->log_source_addr = &source_addr;
+#ifdef HAVE_DUMPFILE
+  dump_packet(DUMP_QUERY, daemon->packet, (size_t)n, &source_addr, NULL);
+#endif
    if (extract_request(header, (size_t)n, daemon->namebuff, &type))
      {
-      char types[20];
+#ifdef HAVE_AUTH
       struct auth_zone *zone;
-      querystr(auth_dns ? "auth" : "query", types, type);
+#endif
       char *types = querystr(auth_dns ? "auth" : "query", type);
-      if (listen->family == AF_INET)
+      if (family == AF_INET)
          log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
-                  (struct all_addr *)&source_addr.in.sin_addr, types);
+                  (union all_addr *)&source_addr.in.sin_addr, types);
-#ifdef HAVE_IPV6
        else
          log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
-                  (struct all_addr *)&source_addr.in6.sin6_addr, types);
+                  (union all_addr *)&source_addr.in6.sin6_addr, types);
+#ifdef HAVE_AUTH
+      /* find queries for zones we're authoritative for, and answer them directly */
+      if (!auth_dns && !option_bool(OPT_LOCALISE))
+        for (zone = daemon->auth_zones; zone; zone = zone->next)
+          if (in_zone(zone, daemon->namebuff, NULL))
+            {
+              auth_dns = 1;
+              local_auth = 1;
+              break;
+            }
  #endif
+ #ifdef HAVE_LOOP
+       /* Check for forwarding loop */
+       if (detect_loop(daemon->namebuff, type))
+         return;
+ #endif
      }
+   if (find_pseudoheader(header, (size_t)n, NULL, &pheader, NULL, NULL))
+     {
+       unsigned short flags;
+       have_pseudoheader = 1;
+       GETSHORT(udp_size, pheader);
+       pheader += 2; /* ext_rcode */
+       GETSHORT(flags, pheader);
+       if (flags & 0x8000)
+         do_bit = 1;/* do bit */
+       /* If the client provides an EDNS0 UDP size, use that to limit our reply.
+          (bounded by the maximum configured). If no EDNS0, then it
+          defaults to 512 */
+       if (udp_size > daemon->edns_pktsz)
+         udp_size = daemon->edns_pktsz;
+       else if (udp_size < PACKETSZ)
+         udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */
+     }
  #ifdef HAVE_AUTH
    if (auth_dns)
      {
-      m = answer_auth(header, ((char *) header) + PACKETSZ, (size_t)n, now, &source_addr);
+      m = answer_auth(header, ((char *) header) + udp_size, (size_t)n, now, &source_addr,
+                      local_auth, do_bit, have_pseudoheader);
        if (m >= 1)
         send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
-                  (char *)header, m, &source_addr, &dst_addr, if_index);
+          send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
+                    (char *)header, m, &source_addr, &dst_addr, if_index);
+          daemon->metrics[METRIC_DNS_AUTH_ANSWERED]++;
+        }
      }
    else
  #endif
      {
-      m = answer_request(header, ((char *) header) + PACKETSZ, (size_t)n,
+      int ad_reqd = do_bit;
-                         dst_addr_4, netmask, now);
+       /* RFC 6840 5.7 */
+      if (header->hb4 & HB4_AD)
+        ad_reqd = 1;
+      m = answer_request(header, ((char *) header) + udp_size, (size_t)n,
+                         dst_addr_4, netmask, now, ad_reqd, do_bit, have_pseudoheader);
        if (m >= 1)
          {
            send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
                      (char *)header, m, &source_addr, &dst_addr, if_index);
-          daemon->local_answer++;
+          daemon->metrics[METRIC_DNS_LOCAL_ANSWERED]++;
          }
        else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
-                             header, (size_t)n, now, NULL))
+                             header, (size_t)n, now, NULL, ad_reqd, do_bit))
-        daemon->queries_forwarded++;
+        daemon->metrics[METRIC_DNS_QUERIES_FORWARDED]++;
        else
-        daemon->local_answer++;
+        daemon->metrics[METRIC_DNS_LOCAL_ANSWERED]++;
      }
  }
+ #ifdef HAVE_DNSSEC
+ /* Recurse up the key hierarchy */
+ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
+                            int class, char *name, char *keyname, struct server *server,
+                            int have_mark, unsigned int mark, int *keycount)
+ {
+   int new_status;
+   unsigned char *packet = NULL;
+   unsigned char *payload = NULL;
+   struct dns_header *new_header = NULL;
+   u16 *length = NULL;
+   while (1)
+     {
+       int type = SERV_DO_DNSSEC;
+       char *domain;
+       size_t m;
+       unsigned char c1, c2;
+       struct server *firstsendto = NULL;
+       /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
+       if (--(*keycount) == 0)
+         new_status = STAT_ABANDONED;
+       else if (status == STAT_NEED_KEY)
+         new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
+       else if (status == STAT_NEED_DS)
+         new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
+       else
+         new_status = dnssec_validate_reply(now, header, n, name, keyname, &class,
+                                            !option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC),
+                                            NULL, NULL, NULL);
+       if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY)
+         break;
+       /* Can't validate because we need a key/DS whose name now in keyname.
+          Make query for same, and recurse to validate */
+       if (!packet)
+         {
+           packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
+           payload = &packet[2];
+           new_header = (struct dns_header *)payload;
+           length = (u16 *)packet;
+         }
+       if (!packet)
+         {
+           new_status = STAT_ABANDONED;
+           break;
+         }
+       m = dnssec_generate_query(new_header, ((unsigned char *) new_header) + 65536, keyname, class,
+                                 new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, server->edns_pktsz);
+       *length = htons(m);
+       /* Find server to forward to. This will normally be the
+          same as for the original query, but may be another if
+          servers for domains are involved. */
+       if (search_servers(now, NULL, F_DNSSECOK, keyname, &type, &domain, NULL) != 0)
+         {
+           new_status = STAT_ABANDONED;
+           break;
+         }
+       while (1)
+         {
+           int data_sent = 0;
+           if (!firstsendto)
+             firstsendto = server;
+           else
+             {
+               if (!(server = server->next))
+                 server = daemon->servers;
+               if (server == firstsendto)
+                 {
+                   /* can't find server to accept our query. */
+                   new_status = STAT_ABANDONED;
+                   break;
+                 }
+             }
+           if (type != (server->flags & (SERV_TYPE | SERV_DO_DNSSEC)) ||
+               (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, server->domain)) ||
+               (server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
+             continue;
+         retry:
+           /* may need to make new connection. */
+           if (server->tcpfd == -1)
+             {
+               if ((server->tcpfd = socket(server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
+                 continue; /* No good, next server */
+ #ifdef HAVE_CONNTRACK
+               /* Copy connection mark of incoming query to outgoing connection. */
+               if (have_mark)
+                 setsockopt(server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
+ #endif
+               if (!local_bind(server->tcpfd,  &server->source_addr, server->interface, 0, 1))
+                 {
+                   close(server->tcpfd);
+                   server->tcpfd = -1;
+                   continue; /* No good, next server */
+                 }
+ #ifdef MSG_FASTOPEN
+               while(retry_send(sendto(server->tcpfd, packet, m + sizeof(u16),
+                                       MSG_FASTOPEN, &server->addr.sa, sa_len(&server->addr))));
+               if (errno == 0)
+                 data_sent = 1;
+ #endif
+               if (!data_sent && connect(server->tcpfd, &server->addr.sa, sa_len(&server->addr)) == -1)
+                 {
+                   close(server->tcpfd);
+                   server->tcpfd = -1;
+                   continue; /* No good, next server */
+                 }
+               server->flags &= ~SERV_GOT_TCP;
+             }
+           if ((!data_sent && !read_write(server->tcpfd, packet, m + sizeof(u16), 0)) ||
+               !read_write(server->tcpfd, &c1, 1, 1) ||
+               !read_write(server->tcpfd, &c2, 1, 1) ||
+               !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
+             {
+               close(server->tcpfd);
+               server->tcpfd = -1;
+               /* We get data then EOF, reopen connection to same server,
+                  else try next. This avoids DoS from a server which accepts
+                  connections and then closes them. */
+               if (server->flags & SERV_GOT_TCP)
+                 goto retry;
+               else
+                 continue;
+             }
+           if (server->addr.sa.sa_family == AF_INET)
+             log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, keyname, (union all_addr *)&(server->addr.in.sin_addr),
+                       querystr("dnssec-query", new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS));
+           else
+             log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, keyname, (union all_addr *)&(server->addr.in6.sin6_addr),
+                       querystr("dnssec-query", new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS));
+           server->flags |= SERV_GOT_TCP;
+           m = (c1 << 8) | c2;
+           new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, have_mark, mark, keycount);
+           break;
+         }
+       if (new_status != STAT_OK)
+         break;
+     }
+   if (packet)
+     free(packet);
+   return new_status;
+ }
+ #endif
  /* The daemon forks before calling this: it should deal with one connection,
-   blocking as neccessary, and then return. Note, need to be a bit careful
+   blocking as necessary, and then return. Note, need to be a bit careful
     about resources for debug mode, when the fork is suppressed: that's
     done by the caller. */
  unsigned char *tcp_request(int confd, time_t now,
- Line 875  unsigned char *tcp_request(int confd, time_t now,
+ Line 1827  unsigned char *tcp_request(int confd, time_t now,
  {
    size_t size = 0;
    int norebind = 0;
-  int checking_disabled;
+#ifdef HAVE_AUTH
+  int local_auth = 0;
+#endif
+  int checking_disabled, do_bit, added_pheader = 0, have_pseudoheader = 0;
+  int check_subnet, cacheable, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
    size_t m;
    unsigned short qtype;
    unsigned int gotname;
    unsigned char c1, c2;
-  /* Max TCP packet + slop */
+  /* Max TCP packet + slop + size */
-  unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ);
+  unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
-  struct dns_header *header;
+  unsigned char *payload = &packet[2];
+  /* largest field in header is 16-bits, so this is still sufficiently aligned */
+  struct dns_header *header = (struct dns_header *)payload;
+  u16 *length = (u16 *)packet;
    struct server *last_server;
    struct in_addr dst_addr_4;
    union mysockaddr peer_addr;
    socklen_t peer_len = sizeof(union mysockaddr);
+  int query_count = 0;
+  unsigned char *pheader;
+  unsigned int mark = 0;
+  int have_mark = 0;
+  (void)mark;
+  (void)have_mark;
    if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
      return packet;
+ #ifdef HAVE_CONNTRACK
+   /* Get connection mark of incoming query to set on outgoing connections. */
+   if (option_bool(OPT_CONNTRACK))
+     {
+       union all_addr local;
+       if (local_addr->sa.sa_family == AF_INET6)
+         local.addr6 = local_addr->in6.sin6_addr;
+       else
+         local.addr4 = local_addr->in.sin_addr;
+       have_mark = get_incoming_mark(&peer_addr, &local, 1, &mark);
+     }
+ #endif
+   /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
+   if (option_bool(OPT_LOCAL_SERVICE))
+     {
+       struct addrlist *addr;
+       if (peer_addr.sa.sa_family == AF_INET6)
+         {
+           for (addr = daemon->interface_addrs; addr; addr = addr->next)
+             if ((addr->flags & ADDRLIST_IPV6) &&
+                 is_same_net6(&addr->addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen))
+               break;
+         }
+       else
+         {
+           struct in_addr netmask;
+           for (addr = daemon->interface_addrs; addr; addr = addr->next)
+             {
+               netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
+               if (!(addr->flags & ADDRLIST_IPV6) &&
+                   is_same_net(addr->addr.addr4, peer_addr.in.sin_addr, netmask))
+                 break;
+             }
+         }
+       if (!addr)
+         {
+           my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
+           return packet;
+         }
+     }
    while (1)
      {
-      if (!packet ||
+      if (query_count == TCP_MAX_QUERIES ||
+          !packet ||
            !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
            !(size = c1 << 8 | c2) ||
-          !read_write(confd, packet, size, 1))
+          !read_write(confd, payload, size, 1))
          return packet;
        if (size < (int)sizeof(struct dns_header))
          continue;
+       /* Clear buffer beyond request to avoid risk of
+          information disclosure. */
+       memset(payload + size, 0, 65536 - size);
-      header = (struct dns_header *)packet;
+      query_count++;
+       /* log_query gets called indirectly all over the place, so
+          pass these in global variables - sorry. */
+       daemon->log_display_id = ++daemon->log_id;
+       daemon->log_source_addr = &peer_addr;
        /* save state of "cd" flag in query */
-      checking_disabled = header->hb4 & HB4_CD;
+      if ((checking_disabled = header->hb4 & HB4_CD))
+        no_cache_dnssec = 1;
-       /* RFC 4035: sect 4.6 para 2 */
-       header->hb4 &= ~HB4_AD;
        if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
          {
-          char types[20];
+#ifdef HAVE_AUTH
+          struct auth_zone *zone;
+#endif
+          char *types = querystr(auth_dns ? "auth" : "query", qtype);
-           querystr(auth_dns ? "auth" : "query", types, qtype);
            if (peer_addr.sa.sa_family == AF_INET)
              log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
-                      (struct all_addr *)&peer_addr.in.sin_addr, types);
+                      (union all_addr *)&peer_addr.in.sin_addr, types);
-#ifdef HAVE_IPV6
            else
              log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
-                      (struct all_addr *)&peer_addr.in6.sin6_addr, types);
+                      (union all_addr *)&peer_addr.in6.sin6_addr, types);
+#ifdef HAVE_AUTH
+          /* find queries for zones we're authoritative for, and answer them directly */
+          if (!auth_dns && !option_bool(OPT_LOCALISE))
+            for (zone = daemon->auth_zones; zone; zone = zone->next)
+              if (in_zone(zone, daemon->namebuff, NULL))
+                {
+                  auth_dns = 1;
+                  local_auth = 1;
+                  break;
+                }
  #endif
          }
- Line 931  unsigned char *tcp_request(int confd, time_t now,
+ Line 1961  unsigned char *tcp_request(int confd, time_t now,
        else
          dst_addr_4.s_addr = 0;
+       do_bit = 0;
+       if (find_pseudoheader(header, (size_t)size, NULL, &pheader, NULL, NULL))
+         {
+           unsigned short flags;
+           have_pseudoheader = 1;
+           pheader += 4; /* udp_size, ext_rcode */
+           GETSHORT(flags, pheader);
+           if (flags & 0x8000)
+             do_bit = 1; /* do bit */
+         }
  #ifdef HAVE_AUTH
        if (auth_dns)
-        m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr);
+        m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr,
+                        local_auth, do_bit, have_pseudoheader);
        else
  #endif
          {
-          /* m > 0 if answered from cache */
+           int ad_reqd = do_bit;
            /* RFC 6840 5.7 */
-                             dst_addr_4, netmask, now);
+           if (header->hb4 & HB4_AD)
+             ad_reqd = 1;
+           /* m > 0 if answered from cache */
+           m = answer_request(header, ((char *) header) + 65536, (size_t)size,
+                              dst_addr_4, netmask, now, ad_reqd, do_bit, have_pseudoheader);
            /* Do this by steam now we're not in the select() loop */
-          check_log_writer(NULL);
+          check_log_writer(1);
            if (m == 0)
              {
                unsigned int flags = 0;
-              struct all_addr *addrp = NULL;
+              union all_addr *addrp = NULL;
-              int type = 0;
+              int type = SERV_DO_DNSSEC;
                char *domain = NULL;
+              unsigned char *oph = find_pseudoheader(header, size, NULL, NULL, NULL, NULL);
-              if (option_bool(OPT_ADD_MAC))
-                size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
+              size = add_edns0_config(header, size, ((unsigned char *) header) + 65536, &peer_addr, now, &check_subnet, &cacheable);
                if (gotname)
                  flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
+ #ifdef HAVE_DNSSEC
+               if (option_bool(OPT_DNSSEC_VALID) && (type & SERV_DO_DNSSEC))
+                 {
+                   size = add_do_bit(header, size, ((unsigned char *) header) + 65536);
+                   /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
+                      this allows it to select auth servers when one is returning bad data. */
+                   if (option_bool(OPT_DNSSEC_DEBUG))
+                     header->hb4 |= HB4_CD;
+                 }
+ #endif
+               /* Check if we added a pheader on forwarding - may need to
+                  strip it from the reply. */
+               if (!oph && find_pseudoheader(header, size, NULL, NULL, NULL, NULL))
+                 added_pheader = 1;
+               type &= ~SERV_DO_DNSSEC;
                if (type != 0  || option_bool(OPT_ORDER) || !daemon->last_server)
                  last_server = daemon->servers;
- Line 965  unsigned char *tcp_request(int confd, time_t now,
+ Line 2034  unsigned char *tcp_request(int confd, time_t now,
                if (!flags && last_server)
                  {
                    struct server *firstsendto = NULL;
-                  unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
+                  unsigned char hash[HASH_SIZE];
+                  memcpy(hash, hash_questions(header, (unsigned int)size, daemon->namebuff), HASH_SIZE);
                    /* Loop round available servers until we succeed in connecting to one.
-                     Note that this code subtley ensures that consecutive queries on this connection
+                     Note that this code subtly ensures that consecutive queries on this connection
                       which can go to the same server, do so. */
                    while (1)
                      {
+                       int data_sent = 0;
                        if (!firstsendto)
                          firstsendto = last_server;
                        else
- Line 985  unsigned char *tcp_request(int confd, time_t now,
+ Line 2057  unsigned char *tcp_request(int confd, time_t now,
                        /* server for wrong domain */
                        if (type != (last_server->flags & SERV_TYPE) ||
-                          (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)))
+                          (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)) ||
+                          (last_server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
                          continue;
+                    retry:
+                      *length = htons(size);
                        if (last_server->tcpfd == -1)
                          {
                            if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
                              continue;
-                          if ((!local_bind(last_server->tcpfd,  &last_server->source_addr, last_server->interface, 1) ||
+#ifdef HAVE_CONNTRACK
-                               connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
+                          /* Copy connection mark of incoming query to outgoing connection. */
+                          if (have_mark)
+                            setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
+#endif
+                          if ((!local_bind(last_server->tcpfd,  &last_server->source_addr, last_server->interface, 0, 1)))
                              {
                                close(last_server->tcpfd);
                                last_server->tcpfd = -1;
                                continue;
                              }
-#ifdef HAVE_CONNTRACK
+#ifdef MSG_FASTOPEN
-                          /* Copy connection mark of incoming query to outgoing connection. */
+                            while(retry_send(sendto(last_server->tcpfd, packet, size + sizeof(u16),
-                          if (option_bool(OPT_CONNTRACK))
+                                                    MSG_FASTOPEN, &last_server->addr.sa, sa_len(&last_server->addr))));
-                            {
-                              unsigned int mark;
+                            if (errno == 0)
-                              struct all_addr local;
+                              data_sent = 1;
-#ifdef HAVE_IPV6
-                              if (local_addr->sa.sa_family == AF_INET6)
-                                local.addr.addr6 = local_addr->in6.sin6_addr;
-                              else
  #endif
                                 local.addr.addr4 = local_addr->in.sin_addr;
                             if (!data_sent && connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1)
-                              if (get_incoming_mark(&peer_addr, &local, 1, &mark))
+                            {
-                                setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
+                              close(last_server->tcpfd);
+                              last_server->tcpfd = -1;
+                              continue;
                              }
-#endif
+                          last_server->flags &= ~SERV_GOT_TCP;
                          }
-                      c1 = size >> 8;
+                      /* get query name again for logging - may have been overwritten */
-                      c2 = size;
+                      if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
+                        strcpy(daemon->namebuff, "query");
-                      if (!read_write(last_server->tcpfd, &c1, 1, 0) ||
+                      if ((!data_sent && !read_write(last_server->tcpfd, packet, size + sizeof(u16), 0)) ||
-                          !read_write(last_server->tcpfd, &c2, 1, 0) ||
-                          !read_write(last_server->tcpfd, packet, size, 0) ||
                            !read_write(last_server->tcpfd, &c1, 1, 1) ||
-                          !read_write(last_server->tcpfd, &c2, 1, 1))
+                          !read_write(last_server->tcpfd, &c2, 1, 1) ||
+                          !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
                          {
                            close(last_server->tcpfd);
                            last_server->tcpfd = -1;
-                          continue;
+                          /* We get data then EOF, reopen connection to same server,
                              else try next. This avoids DoS from a server which accepts
+                             connections and then closes them. */
+                          if (last_server->flags & SERV_GOT_TCP)
+                            goto retry;
+                          else
+                            continue;
+                       last_server->flags |= SERV_GOT_TCP;
                        m = (c1 << 8) | c2;
-                       if (!read_write(last_server->tcpfd, packet, m, 1))
-                         return packet;
-                       if (!gotname)
-                         strcpy(daemon->namebuff, "query");
                        if (last_server->addr.sa.sa_family == AF_INET)
                          log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
-                                  (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
+                                  (union all_addr *)&last_server->addr.in.sin_addr, NULL);
-#ifdef HAVE_IPV6
                        else
                          log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
-                                  (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
+                                  (union all_addr *)&last_server->addr.in6.sin6_addr, NULL);
-#endif
+#ifdef HAVE_DNSSEC
+                      if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled && (last_server->flags & SERV_DO_DNSSEC))
+                        {
+                          int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
+                          int status = tcp_key_recurse(now, STAT_OK, header, m, 0, daemon->namebuff, daemon->keyname,
+                                                       last_server, have_mark, mark, &keycount);
+                          char *result, *domain = "result";
+                          if (status == STAT_ABANDONED)
+                            {
+                              result = "ABANDONED";
+                              status = STAT_BOGUS;
+                            }
+                          else
+                            result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
+                          if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL))
+                            domain = daemon->namebuff;
+                          log_query(F_SECSTAT, domain, NULL, result);
+                          if (status == STAT_BOGUS)
+                            {
+                              no_cache_dnssec = 1;
+                              bogusanswer = 1;
+                            }
+                          if (status == STAT_SECURE)
+                            cache_secure = 1;
+                        }
+#endif
+                      /* restore CD bit to the value in the query */
+                      if (checking_disabled)
+                        header->hb4 |= HB4_CD;
+                      else
+                        header->hb4 &= ~HB4_CD;
                        /* There's no point in updating the cache, since this process will exit and
                           lose the information after a few queries. We make this call for the alias and
- Line 1055  unsigned char *tcp_request(int confd, time_t now,
+ Line 2175  unsigned char *tcp_request(int confd, time_t now,
                        /* If the crc of the question section doesn't match the crc we sent, then
                           someone might be attempting to insert bogus values into the cache by
                           sending replies containing questions and bogus answers. */
-                      if (crc == questions_crc(header, (unsigned int)m, daemon->namebuff))
+                      if (memcmp(hash, hash_questions(header, (unsigned int)m, daemon->namebuff), HASH_SIZE) != 0)
                         m = process_reply(header, now, last_server, (unsigned int)m,
-                                          option_bool(OPT_NO_REBIND) && !norebind, checking_disabled);
+                          m = 0;
+                          break;
+                        }
+                      /* Never cache answers which are contingent on the source or MAC address EDSN0 option,
+                         since the cache is ignorant of such things. */
+                      if (!cacheable)
+                        no_cache_dnssec = 1;
+                       m = process_reply(header, now, last_server, (unsigned int)m,
+                                         option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer,
+                                         ad_reqd, do_bit, added_pheader, check_subnet, &peer_addr);
                        break;
                      }
                  }
                /* In case of local answer or no connections made. */
                if (m == 0)
                 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
+                  m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
+                  if (have_pseudoheader)
+                    m = add_pseudoheader(header, m, ((unsigned char *) header) + 65536, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
+                }
              }
          }
-      check_log_writer(NULL);
+      check_log_writer(1);
-      c1 = m>>8;
+      *length = htons(m);
-      c2 = m;
       if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
-          !read_write(confd, &c1, 1, 0) ||
-          !read_write(confd, &c2, 1, 0) ||
-          !read_write(confd, packet, m, 0))
          return packet;
      }
  }
- Line 1092  static struct frec *allocate_frec(time_t now)
+ Line 2224  static struct frec *allocate_frec(time_t now)
        f->sentto = NULL;
        f->rfd4 = NULL;
        f->flags = 0;
- #ifdef HAVE_IPV6
        f->rfd6 = NULL;
+ #ifdef HAVE_DNSSEC
+       f->dependent = NULL;
+       f->blocking_query = NULL;
+       f->stash = NULL;
  #endif
        daemon->frec_list = f;
      }
- Line 1101  static struct frec *allocate_frec(time_t now)
+ Line 2236  static struct frec *allocate_frec(time_t now)
    return f;
  }
-static struct randfd *allocate_rfd(int family)
+struct randfd *allocate_rfd(int family)
  {
    static int finger = 0;
    int i;
- Line 1137  static struct randfd *allocate_rfd(int family)
+ Line 2272  static struct randfd *allocate_rfd(int family)
    return NULL; /* doom */
  }
+ void free_rfd(struct randfd *rfd)
+ {
+   if (rfd && --(rfd->refcount) == 0)
+     close(rfd->fd);
+ }
  static void free_frec(struct frec *f)
  {
-  if (f->rfd4 && --(f->rfd4->refcount) == 0)
+  struct frec_src *last;
-    close(f->rfd4->fd);
+  /* add back to freelist if not the record builtin to every frec. */
+  for (last = f->frec_src.next; last && last->next; last = last->next) ;
+  if (last)
+    {
+      last->next = daemon->free_frec_src;
+      daemon->free_frec_src = f->frec_src.next;
+    }
+   f->frec_src.next = NULL;
+   free_rfd(f->rfd4);
    f->rfd4 = NULL;
    f->sentto = NULL;
    f->flags = 0;
+  free_rfd(f->rfd6);
-#ifdef HAVE_IPV6
-  if (f->rfd6 && --(f->rfd6->refcount) == 0)
-    close(f->rfd6->fd);
    f->rfd6 = NULL;
+ #ifdef HAVE_DNSSEC
+   if (f->stash)
+     {
+       blockdata_free(f->stash);
+       f->stash = NULL;
+     }
+   /* Anything we're waiting on is pointless now, too */
+   if (f->blocking_query)
+     free_frec(f->blocking_query);
+   f->blocking_query = NULL;
+   f->dependent = NULL;
  #endif
  }
  /* if wait==NULL return a free or older than TIMEOUT record.
     else return *wait zero if one available, or *wait is delay to
     when the oldest in-use record will expire. Impose an absolute
-   limit of 4*TIMEOUT before we wipe things (for random sockets) */
+   limit of 4*TIMEOUT before we wipe things (for random sockets).
-struct frec *get_new_frec(time_t now, int *wait)
+   If force is non-NULL, always return a result, even if we have
+   to allocate above the limit, and never free the record pointed
+   to by the force argument. */
+struct frec *get_new_frec(time_t now, int *wait, struct frec *force)
  {
    struct frec *f, *oldest, *target;
    int count;
- Line 1171  struct frec *get_new_frec(time_t now, int *wait)
+ Line 2335  struct frec *get_new_frec(time_t now, int *wait)
        target = f;
      else
        {
-        if (difftime(now, f->time) >= 4*TIMEOUT)
+#ifdef HAVE_DNSSEC
             /* Don't free DNSSEC sub-queries here, as we may end up with
                dangling references to them. They'll go when their "real" query
                is freed. */
             if (!f->dependent && f != force)
 #endif
         if (!oldest || difftime(f->time, oldest->time) <= 0)
-          oldest = f;
+                if (difftime(now, f->time) >= 4*TIMEOUT)
+                  {
+                    free_frec(f);
+                    target = f;
+                  }
+                if (!oldest || difftime(f->time, oldest->time) <= 0)
+                  oldest = f;
        }
    if (target)
- Line 1189  struct frec *get_new_frec(time_t now, int *wait)
+ Line 2362  struct frec *get_new_frec(time_t now, int *wait)
    /* can't find empty one, use oldest if there is one
       and it's older than timeout */
-  if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
+  if (!force && oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
      {
        /* keep stuff for twice timeout if we can by allocating a new
           record instead */
- Line 1207  struct frec *get_new_frec(time_t now, int *wait)
+ Line 2380  struct frec *get_new_frec(time_t now, int *wait)
      }
    /* none available, calculate time 'till oldest record expires */
-  if (count > daemon->ftabsize)
+  if (!force && count > daemon->ftabsize)
      {
+       static time_t last_log = 0;
        if (oldest && wait)
          *wait = oldest->time + (time_t)TIMEOUT - now;
+       if ((int)difftime(now, last_log) > 5)
+         {
+           last_log = now;
+           my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
+         }
        return NULL;
      }
- Line 1220  struct frec *get_new_frec(time_t now, int *wait)
+ Line 2402  struct frec *get_new_frec(time_t now, int *wait)
    return f; /* OK if malloc fails and this is NULL */
  }
-/* crc is all-ones if not known. */
+static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash)
-static struct frec *lookup_frec(unsigned short id, unsigned int crc)
  {
    struct frec *f;
    for(f = daemon->frec_list; f; f = f->next)
      if (f->sentto && f->new_id == id &&
-        (f->crc == crc || crc == 0xffffffff))
+        (memcmp(hash, f->hash, HASH_SIZE) == 0))
-      return f;
+      {
+        /* sent from random port */
+        if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd)
+          return f;
+        if (family == AF_INET6 && f->rfd6 && f->rfd6->fd == fd)
+          return f;
+        /* sent to upstream from bound socket. */
+        if (f->sentto->sfd && f->sentto->sfd->fd == fd)
+          return f;
+      }
    return NULL;
  }
  static struct frec *lookup_frec_by_sender(unsigned short id,
                                            union mysockaddr *addr,
-                                          unsigned int crc)
+                                          void *hash)
  {
    struct frec *f;
+   struct frec_src *src;
+   for (f = daemon->frec_list; f; f = f->next)
+     if (f->sentto &&
+         !(f->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) &&
+         memcmp(hash, f->hash, HASH_SIZE) == 0)
+       for (src = &f->frec_src; src; src = src->next)
+         if (src->orig_id == id &&
+             sockaddr_isequal(&src->source, addr))
+           return f;
+   return NULL;
+ }
+ static struct frec *lookup_frec_by_query(void *hash, unsigned int flags)
+ {
+   struct frec *f;
+   /* FREC_DNSKEY and FREC_DS_QUERY are never set in flags, so the test below
+      ensures that no frec created for internal DNSSEC query can be returned here.
+      Similarly FREC_NO_CACHE is never set in flags, so a query which is
+      contigent on a particular source address EDNS0 option will never be matched. */
+ #define FLAGMASK (FREC_CHECKING_DISABLED | FREC_AD_QUESTION | FREC_DO_QUESTION \
+                   | FREC_HAS_PHEADER | FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_NO_CACHE)
    for(f = daemon->frec_list; f; f = f->next)
      if (f->sentto &&
-        f->orig_id == id &&
+        (f->flags & FLAGMASK) == flags &&
-        f->crc == crc &&
+        memcmp(hash, f->hash, HASH_SIZE) == 0)
-        sockaddr_isequal(&f->source, addr))
        return f;
    return NULL;
  }
+ /* Send query packet again, if we can. */
+ void resend_query()
+ {
+   if (daemon->srv_save)
+     {
+       int fd;
+       if (daemon->srv_save->sfd)
+         fd = daemon->srv_save->sfd->fd;
+       else if (daemon->rfd_save && daemon->rfd_save->refcount != 0)
+         fd = daemon->rfd_save->fd;
+       else
+         return;
+       while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0,
+                               &daemon->srv_save->addr.sa,
+                               sa_len(&daemon->srv_save->addr))));
+     }
+ }
  /* A server record is going away, remove references to it */
  void server_gone(struct server *server)
  {
- Line 1267  void server_gone(struct server *server)
+ Line 2504  void server_gone(struct server *server)
  }
  /* return unique random ids. */
-static unsigned short get_id(unsigned int crc)
+static unsigned short get_id(void)
  {
    unsigned short ret = 0;
+   struct frec *f;
-  do
+  while (1)
     ret = rand16();
-  while (lookup_frec(ret, crc));
+      ret = rand16();
-  return ret;
+      /* ensure id is unique. */
+      for (f = daemon->frec_list; f; f = f->next)
+        if (f->sentto && f->new_id == ret)
+          break;
+      if (!f)
+        return ret;
  }

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.1
changed lines
	Added in v.1.1.1.4