aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDag-Erling Smørgrav <des@FreeBSD.org>2018-05-12 11:54:35 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2018-05-12 11:54:35 +0000
commit15de2de8449b4f5063f93578ae68aa0bc79a205c (patch)
treef0a7e3230212205e7ff88a2900de97026940f63c
parent689b65913bba5320ef50befddf4743c6dafde873 (diff)
downloadsrc-15de2de8449b4f5063f93578ae68aa0bc79a205c.tar.gz
src-15de2de8449b4f5063f93578ae68aa0bc79a205c.zip
Vendor import of Unbound 1.6.4.vendor/unbound/1.6.4
Notes
Notes: svn path=/vendor/unbound/dist/; revision=333537 svn path=/vendor/unbound/1.6.4/; revision=333538; tag=vendor/unbound/1.6.4
-rw-r--r--Makefile.in601
-rw-r--r--cachedb/cachedb.c59
-rw-r--r--config.h.in16
-rwxr-xr-xconfigure180
-rw-r--r--configure.ac50
-rw-r--r--contrib/README3
-rw-r--r--contrib/fastrpz.patch3552
-rw-r--r--contrib/redirect-bogus.patch344
-rw-r--r--contrib/unbound.service.in4
-rw-r--r--daemon/remote.c106
-rw-r--r--daemon/stats.c105
-rw-r--r--daemon/stats.h155
-rw-r--r--daemon/worker.c94
-rw-r--r--daemon/worker.h2
-rw-r--r--dnscrypt/cert.h2
-rw-r--r--dnscrypt/dnscrypt.c212
-rw-r--r--dnscrypt/dnscrypt.h7
-rw-r--r--dnscrypt/dnscrypt.m411
-rw-r--r--doc/Changelog190
-rw-r--r--doc/README2
-rw-r--r--doc/example.conf.in33
-rw-r--r--doc/libunbound.3.in4
-rw-r--r--doc/unbound-anchor.8.in2
-rw-r--r--doc/unbound-checkconf.8.in2
-rw-r--r--doc/unbound-control.8.in2
-rw-r--r--doc/unbound-host.1.in2
-rw-r--r--doc/unbound.8.in4
-rw-r--r--doc/unbound.conf.5.in438
-rw-r--r--edns-subnet/addrtree.c1
-rw-r--r--edns-subnet/subnet-whitelist.c120
-rw-r--r--edns-subnet/subnet-whitelist.h49
-rw-r--r--edns-subnet/subnetmod.c20
-rw-r--r--edns-subnet/subnetmod.h2
-rw-r--r--ipsecmod/ipsecmod-whitelist.c158
-rw-r--r--ipsecmod/ipsecmod-whitelist.h82
-rw-r--r--ipsecmod/ipsecmod.c515
-rw-r--r--ipsecmod/ipsecmod.h97
-rw-r--r--iterator/iter_hints.c2
-rw-r--r--iterator/iterator.c106
-rw-r--r--libunbound/unbound.h161
-rw-r--r--pythonmod/pythonmod.c2
-rw-r--r--respip/respip.c1
-rw-r--r--services/authzone.c2369
-rw-r--r--services/authzone.h209
-rw-r--r--services/cache/dns.c17
-rw-r--r--services/cache/dns.h6
-rw-r--r--services/cache/infra.c4
-rw-r--r--services/cache/infra.h2
-rw-r--r--services/listen_dnsport.c26
-rw-r--r--services/localzone.c17
-rw-r--r--services/localzone.h9
-rw-r--r--services/mesh.c35
-rw-r--r--services/mesh.h29
-rw-r--r--services/modstack.c39
-rw-r--r--services/modstack.h3
-rw-r--r--services/outside_network.c25
-rw-r--r--services/view.c38
-rw-r--r--sldns/keyraw.c21
-rw-r--r--sldns/keyraw.h9
-rw-r--r--sldns/parse.c4
-rw-r--r--sldns/rrdef.c16
-rw-r--r--sldns/rrdef.h15
-rw-r--r--sldns/sbuffer.c2
-rw-r--r--sldns/str2wire.c78
-rw-r--r--sldns/str2wire.h20
-rw-r--r--sldns/wire2str.c51
-rw-r--r--sldns/wire2str.h15
-rw-r--r--smallapp/unbound-anchor.c2
-rw-r--r--smallapp/unbound-checkconf.c82
-rw-r--r--smallapp/unbound-control.c60
-rwxr-xr-xtestcode/do-tests.sh2
-rw-r--r--testcode/replay.c1
-rw-r--r--testcode/streamtcp.c4
-rw-r--r--testcode/testbound.c12
-rw-r--r--testcode/unitauth.c858
-rw-r--r--testcode/unitmain.c21
-rw-r--r--testcode/unitmain.h2
-rw-r--r--testcode/unitverify.c5
-rw-r--r--testdata/03-testbound.tpkgbin1306 -> 1345 bytes
-rw-r--r--testdata/05-asynclook.tpkgbin1950 -> 1843 bytes
-rw-r--r--testdata/08-host-lib.tpkgbin1908 -> 1816 bytes
-rw-r--r--testdata/dnscrypt_cert.tpkgbin2875 -> 2966 bytes
-rw-r--r--testdata/dnscrypt_cert_chacha.tpkgbin0 -> 3413 bytes
-rw-r--r--testdata/dnscrypt_queries.tpkgbin2664 -> 2667 bytes
-rw-r--r--testdata/dnscrypt_queries_chacha.tpkgbin0 -> 2884 bytes
-rw-r--r--testdata/ipsecmod_bogus_ipseckey.crpl236
-rw-r--r--testdata/ipsecmod_enabled.crpl219
-rwxr-xr-xtestdata/ipsecmod_hook.sh2
-rw-r--r--testdata/ipsecmod_ignore_bogus_ipseckey.crpl257
-rw-r--r--testdata/ipsecmod_max_ttl.crpl228
-rw-r--r--testdata/ipsecmod_strict.crpl217
-rw-r--r--testdata/ipsecmod_whitelist.crpl294
-rw-r--r--testdata/iter_stub_leak.rpl220
-rw-r--r--testdata/subnet_max_source.crpl231
-rw-r--r--testdata/test_ldnsrr.56
-rw-r--r--testdata/test_ldnsrr.c524
-rw-r--r--testdata/test_sigs.ed2551921
-rw-r--r--util/config_file.c98
-rw-r--r--util/config_file.h22
-rw-r--r--util/configlexer.c4558
-rw-r--r--util/configlexer.lex8
-rw-r--r--util/configparser.c2340
-rw-r--r--util/configparser.h150
-rw-r--r--util/configparser.y113
-rw-r--r--util/data/msgencode.c12
-rw-r--r--util/data/msgparse.c2
-rw-r--r--util/fptr_wlist.c34
-rw-r--r--util/fptr_wlist.h9
-rw-r--r--util/iana_ports.inc5
-rw-r--r--util/log.c8
-rw-r--r--util/module.h31
-rw-r--r--util/netevent.c84
-rw-r--r--util/netevent.h10
-rw-r--r--util/shm_side/shm_main.c79
-rw-r--r--util/shm_side/shm_main.h26
-rw-r--r--util/timehist.c8
-rw-r--r--util/timehist.h4
-rw-r--r--validator/val_secalgo.c51
-rw-r--r--validator/val_utils.c5
-rw-r--r--validator/val_utils.h4
-rw-r--r--validator/validator.c142
-rw-r--r--validator/validator.h13
-rw-r--r--winrc/setup.nsi1
123 files changed, 16785 insertions, 4593 deletions
diff --git a/Makefile.in b/Makefile.in
index 588fbc5553dd..033b026cc911 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -100,6 +100,9 @@ PYUNBOUND_OBJ=@PYUNBOUND_OBJ@
SUBNET_SRC=edns-subnet/edns-subnet.c edns-subnet/subnetmod.c edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c
SUBNET_OBJ=@SUBNET_OBJ@
SUBNET_HEADER=@SUBNET_HEADER@
+IPSECMOD_SRC=ipsecmod/ipsecmod.c ipsecmod/ipsecmod-whitelist.c
+IPSECMOD_OBJ=@IPSECMOD_OBJ@
+IPSECMOD_HEADER=@IPSECMOD_HEADER@
COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \
util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \
@@ -109,7 +112,7 @@ iterator/iter_scrub.c iterator/iter_utils.c services/listen_dnsport.c \
services/localzone.c services/mesh.c services/modstack.c services/view.c \
services/outbound_list.c services/outside_network.c util/alloc.c \
util/config_file.c util/configlexer.c util/configparser.c \
-util/shm_side/shm_main.c \
+util/shm_side/shm_main.c services/authzone.c\
util/fptr_wlist.c util/locks.c util/log.c util/mini_event.c util/module.c \
util/netevent.c util/net_help.c util/random.c util/rbtree.c util/regional.c \
util/rtt.c util/storage/dnstree.c util/storage/lookup3.c \
@@ -122,7 +125,7 @@ validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \
edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
cachedb/cachedb.c respip/respip.c $(CHECKLOCK_SRC) \
-$(DNSTAP_SRC) $(DNSCRYPT_SRC)
+$(DNSTAP_SRC) $(DNSCRYPT_SRC) $(IPSECMOD_SRC)
COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
@@ -132,8 +135,9 @@ fptr_wlist.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
slabhash.lo timehist.lo tube.lo winsock_event.lo autotrust.lo val_anchor.lo \
validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
-val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo \
-$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ)
+val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo authzone.lo\
+$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
+$(IPSECMOD_OBJ)
COMMON_OBJ_WITHOUT_NETCALL+=respip.lo
COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
outside_network.lo
@@ -159,10 +163,10 @@ UNITTEST_SRC=testcode/unitanchor.c testcode/unitdname.c \
testcode/unitlruhash.c testcode/unitmain.c testcode/unitmsgparse.c \
testcode/unitneg.c testcode/unitregional.c testcode/unitslabhash.c \
testcode/unitverify.c testcode/readhex.c testcode/testpkts.c testcode/unitldns.c \
-testcode/unitecs.c
+testcode/unitecs.c testcode/unitauth.c
UNITTEST_OBJ=unitanchor.lo unitdname.lo unitlruhash.lo unitmain.lo \
unitmsgparse.lo unitneg.lo unitregional.lo unitslabhash.lo unitverify.lo \
-readhex.lo testpkts.lo unitldns.lo unitecs.lo
+readhex.lo testpkts.lo unitldns.lo unitecs.lo unitauth.lo
UNITTEST_OBJ_LINK=$(UNITTEST_OBJ) worker_cb.lo $(COMMON_OBJ) $(SLDNS_OBJ) \
$(COMPAT_OBJ)
DAEMON_SRC=daemon/acl_list.c daemon/cachedump.c daemon/daemon.c \
@@ -605,6 +609,7 @@ depend:
-e 's?$$(srcdir)/dnscrypt/dnscrypt_config.h??g' \
-e 's?$$(srcdir)/pythonmod/pythonmod.h?$$(PYTHONMOD_HEADER)?g' \
-e 's?$$(srcdir)/edns-subnet/subnetmod.h $$(srcdir)/edns-subnet/subnet-whitelist.h $$(srcdir)/edns-subnet/edns-subnet.h $$(srcdir)/edns-subnet/addrtree.h?$$(SUBNET_HEADER)?g' \
+ -e 's?$$(srcdir)/ipsecmod/ipsecmod.h $$(srcdir)/ipsecmod/ipsecmod-whitelist.h?$$(IPSECMOD_HEADER)?g' \
-e 's!\(.*\)\.o[ :]*!\1.lo \1.o: !g' \
> $(DEPEND_TMP)
cp $(DEPEND_TARGET) $(DEPEND_TMP2)
@@ -622,18 +627,19 @@ depend:
# Dependencies
dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
$(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/util/locks.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \
+ $(srcdir)/sldns/sbuffer.h
infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lookup3.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
rrset.lo rrset.o: $(srcdir)/services/cache/rrset.c config.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \
@@ -656,11 +662,11 @@ msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h $(srcdir)/util/d
msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/module.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/util/module.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
packed_rrset.lo packed_rrset.o: $(srcdir)/util/data/packed_rrset.c config.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \
@@ -674,10 +680,11 @@ iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterato
$(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_scrub.h $(srcdir)/iterator/iter_priv.h \
$(srcdir)/validator/val_neg.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/config_file.h $(srcdir)/util/random.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/random.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
iter_delegpt.lo iter_delegpt.o: $(srcdir)/iterator/iter_delegpt.c config.h $(srcdir)/iterator/iter_delegpt.h \
$(srcdir)/util/log.h $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \
@@ -719,17 +726,18 @@ iter_utils.lo iter_utils.o: $(srcdir)/iterator/iter_utils.c config.h $(srcdir)/i
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_priv.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/validator/val_anchor.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/sldns/str2wire.h
listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/net_help.h $(srcdir)/sldns/sbuffer.h
localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/services/localzone.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
@@ -737,27 +745,30 @@ localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/serv
$(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/as112.h
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/as112.h
mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/util/timehist.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
- $(srcdir)/util/data/dname.h $(srcdir)/respip/respip.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/timehist.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/tube.h $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/view.h $(srcdir)/util/data/dname.h $(srcdir)/respip/respip.h
modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/services/modstack.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/respip/respip.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/services/view.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/respip/respip.h $(srcdir)/services/localzone.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(PYTHONMOD_HEADER) \
+ $(srcdir)/cachedb/cachedb.h $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h \
+ $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h
view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
@@ -766,31 +777,32 @@ view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(s
outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \
$(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
-
+ $(srcdir)/dnscrypt/cert.h
outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c config.h \
$(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/dnstap/dnstap.h
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \
+
alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/util/log.h \
$(srcdir)/util/configyyrename.h $(srcdir)/util/config_file.h util/configparser.h \
$(srcdir)/util/net_help.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h $(srcdir)/util/data/dname.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/iana_ports.inc
configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \
@@ -798,24 +810,33 @@ configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configy
configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \
$(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h $(srcdir)/util/shm_side/shm_main.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
- $(srcdir)/daemon/worker.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/rtt.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h
+ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/services/mesh.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
+ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h
+authzone.lo authzone.o: $(srcdir)/services/authzone.c config.h $(srcdir)/services/authzone.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h $(srcdir)/validator/val_nsec3.h \
+ $(srcdir)/validator/val_secalgo.h
fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/services/authzone.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \
@@ -823,38 +844,42 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
$(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \
$(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h \
+ $(PYTHONMOD_HEADER) $(srcdir)/cachedb/cachedb.h $(srcdir)/ipsecmod/ipsecmod.h \
$(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/net_help.h $(srcdir)/edns-subnet/addrtree.h \
$(srcdir)/edns-subnet/edns-subnet.h
locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h
module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/ub_event.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/dnstap/dnstap.h \
net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/wire2str.h \
+
random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
regional.lo regional.o: $(srcdir)/util/regional.c config.h $(srcdir)/util/log.h $(srcdir)/util/regional.h
rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h
dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/storage/dnstree.h \
@@ -863,25 +888,25 @@ dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/s
lookup3.lo lookup3.o: $(srcdir)/util/storage/lookup3.c config.h $(srcdir)/util/storage/lookup3.h
lruhash.lo lruhash.o: $(srcdir)/util/storage/lruhash.c config.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
slabhash.lo slabhash.o: $(srcdir)/util/storage/slabhash.c config.h $(srcdir)/util/storage/slabhash.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
timehist.lo timehist.o: $(srcdir)/util/timehist.c config.h $(srcdir)/util/timehist.h $(srcdir)/util/log.h
tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/util/ub_event.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/ub_event.h
ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \
$(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
@@ -894,9 +919,10 @@ autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/val
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
$(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/services/modstack.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \
+
val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
@@ -912,7 +938,8 @@ validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/val
$(srcdir)/validator/autotrust.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/validator/val_kcache.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/validator/val_kentry.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
@@ -921,13 +948,15 @@ val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/
val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h
-val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
+
+val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \
+ $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
@@ -943,14 +972,16 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/valida
val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \
$(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/sldns/sbuffer.h \
+
val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
+
val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
@@ -958,15 +989,16 @@ val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/val
$(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h \
$(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h
+ $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/parseutil.h
dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(srcdir)/util/module.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \
$(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/edns-subnet/subnetmod.h \
@@ -976,8 +1008,9 @@ subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/e
$(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h \
$(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/edns-subnet/subnet-whitelist.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/modstack.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/services/modstack.h $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util/log.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
@@ -985,18 +1018,43 @@ addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util
subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h \
$(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
$(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/regional.h $(srcdir)/util/config_file.h
-cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h
+ $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
+cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h $(srcdir)/cachedb/cachedb.h $(srcdir)/util/module.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/services/cache/dns.h $(srcdir)/validator/val_neg.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/validator/val_secalgo.h $(srcdir)/iterator/iter_utils.h \
+ $(srcdir)/iterator/iter_resptype.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/sbuffer.h
respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h \
$(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/config_file.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
$(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/respip/respip.h
checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/testcode/checklocks.h
+dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h
+ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h $(srcdir)/ipsecmod/ipsecmod.h \
+ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/wire2str.h
+ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h \
+ $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h
unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
@@ -1005,14 +1063,15 @@ unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
-unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
+unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
$(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/random.h \
- $(srcdir)/respip/respip.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/services/localzone.h $(srcdir)/services/view.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/random.h $(srcdir)/respip/respip.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h
unitmsgparse.lo unitmsgparse.o: $(srcdir)/testcode/unitmsgparse.c config.h $(srcdir)/util/log.h \
$(srcdir)/testcode/unitmain.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
@@ -1049,18 +1108,24 @@ unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h $(srcdir)/util/log.h
$(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/edns-subnet/addrtree.h \
$(srcdir)/edns-subnet/subnetmod.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
$(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/edns-subnet.h
+unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/services/authzone.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/sbuffer.h
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
$(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
-cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
- $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
+cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
+ $(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \
$(srcdir)/dnstap/dnstap.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h \
@@ -1068,24 +1133,27 @@ cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon
$(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \
$(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
$(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+ $(srcdir)/daemon/worker.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
$(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h \
$(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h $(srcdir)/respip/respip.h
-remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/alloc.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \
+ $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
$(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
@@ -1098,48 +1166,51 @@ remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h
$(srcdir)/services/outside_network.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/sldns/wire2str.h
stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
+ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
$(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
- $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
+ $(srcdir)/daemon/remote.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
+ $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/util/shm_side/shm_main.h
+ $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h
testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
$(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
- $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c \
- $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/testcode/fake_event.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
@@ -1153,69 +1224,72 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
$(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
+ $(srcdir)/daemon/remote.h \
+ $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
$(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/util/shm_side/shm_main.h
+ $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h
acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
$(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
- $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+ $(srcdir)/daemon/worker.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
$(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
$(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h \
$(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h $(srcdir)/respip/respip.h
stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \
+ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
$(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h \
- $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/testcode/testpkts.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/testcode/fake_event.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/util/rbtree.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
+ $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
lock_verify.lo lock_verify.o: $(srcdir)/testcode/lock_verify.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/modstack.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h
pktview.lo pktview.o: $(srcdir)/testcode/pktview.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/testcode/readhex.h $(srcdir)/sldns/sbuffer.h \
@@ -1224,10 +1298,10 @@ readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/r
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h
memstats.lo memstats.o: $(srcdir)/testcode/memstats.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
- $(srcdir)/services/modstack.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h
unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c config.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
@@ -1235,14 +1309,14 @@ unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
$(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/view.h $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/services/view.h $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h $(PYTHONMOD_HEADER)
worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h
context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbound/context.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
@@ -1251,7 +1325,7 @@ context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbou
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/sldns/sbuffer.h
libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h \
$(srcdir)/libunbound/unbound-event.h config.h $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
@@ -1261,22 +1335,22 @@ libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbou
$(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h \
$(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/sldns/sbuffer.h
-libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/sldns/str2wire.h
+libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \
+ $(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/services/mesh.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h \
+ $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/str2wire.h
unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
@@ -1287,34 +1361,40 @@ streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util
$(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
+
perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
$(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
$(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
-unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h $(srcdir)/util/shm_side/shm_main.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h
+unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
+ $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/shm_side/shm_main.h $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h
unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
-petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
+
+petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
+
pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
- $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/util/regional.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h \
+
win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \
$(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
$(srcdir)/daemon/worker.h \
$(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
- $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h
+ $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \
+ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h
w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
$(srcdir)/winrc/w_inst.h
@@ -1322,11 +1402,14 @@ unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-serv
$(srcdir)/winrc/w_inst.h
anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h
-keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h
+keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/sldns/rrdef.h \
+
sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h
wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/keyraw.h
+ $(srcdir)/sldns/keyraw.h \
+
parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \
$(srcdir)/sldns/sbuffer.h
parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h
@@ -1346,9 +1429,11 @@ snprintf.lo snprintf.o: $(srcdir)/compat/snprintf.c config.h
strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
-getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
+getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \
+
getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h
-getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
+getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h \
+
getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h
arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h
diff --git a/cachedb/cachedb.c b/cachedb/cachedb.c
index a326d6ef8dbc..9a63101edee3 100644
--- a/cachedb/cachedb.c
+++ b/cachedb/cachedb.c
@@ -171,12 +171,13 @@ static int
cachedb_apply_cfg(struct cachedb_env* cachedb_env, struct config_file* cfg)
{
const char* backend_str = "testframe"; /* TODO get from cfg */
+ (void)cfg; /* need this until the TODO is implemented */
if(backend_str && backend_str[0]) {
cachedb_env->backend = cachedb_find_backend(backend_str);
if(!cachedb_env->backend) {
log_err("cachedb: cannot find backend name '%s",
backend_str);
- return NULL;
+ return 0;
}
}
/* TODO see if more configuration needs to be applied or not */
@@ -374,6 +375,36 @@ good_expiry_and_qinfo(struct module_qstate* qstate, struct sldns_buffer* buf)
return 1;
}
+static void
+packed_rrset_ttl_subtract(struct packed_rrset_data* data, time_t subtract)
+{
+ size_t i;
+ size_t total = data->count + data->rrsig_count;
+ if(data->ttl > subtract)
+ data->ttl -= subtract;
+ else data->ttl = 0;
+ for(i=0; i<total; i++) {
+ if(data->rr_ttl[i] > subtract)
+ data->rr_ttl[i] -= subtract;
+ else data->rr_ttl[i] = 0;
+ }
+}
+
+static void
+adjust_msg_ttl(struct dns_msg* msg, time_t adjust)
+{
+ size_t i;
+ if(msg->rep->ttl > adjust)
+ msg->rep->ttl -= adjust;
+ else msg->rep->ttl = 0;
+ msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
+
+ for(i=0; i<msg->rep->rrset_count; i++) {
+ packed_rrset_ttl_subtract((struct packed_rrset_data*)msg->
+ rep->rrsets[i]->entry.data, adjust);
+ }
+}
+
/** convert dns message in buffer to return_msg */
static int
parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
@@ -420,24 +451,18 @@ parse_data(struct module_qstate* qstate, struct sldns_buffer* buf)
qstate->return_rcode = LDNS_RCODE_NOERROR;
/* see how much of the TTL expired, and remove it */
+ if(*qstate->env->now <= (time_t)timestamp) {
+ verbose(VERB_ALGO, "cachedb msg adjust by zero");
+ return 1; /* message from the future (clock skew?) */
+ }
adjust = *qstate->env->now - (time_t)timestamp;
+ if(qstate->return_msg->rep->ttl < adjust) {
+ verbose(VERB_ALGO, "cachedb msg expired");
+ return 0; /* message expired */
+ }
verbose(VERB_ALGO, "cachedb msg adjusted down by %d", (int)adjust);
- /*adjust_msg(qstate->return_msg, adjust);*/
- /* TODO:
- msg->rep->ttl = r->ttl - adjust;
- msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
- for(i=0; i<d->count + d->rrsig_count; i++) {
- if(d->rr_ttl[i] < adjust)
- d->rr_ttl[i] = 0;
- else d->rr_ttl[i] -= adjust;
- }
- if(d->ttl < adjust)
- d->ttl = 0;
- else d->ttl -= adjust;
- */
- /* TODO */
-
- return 0;
+ adjust_msg_ttl(qstate->return_msg, adjust);
+ return 1;
}
/**
diff --git a/config.h.in b/config.h.in
index eacbc7f69ee0..04aa762c58a9 100644
--- a/config.h.in
+++ b/config.h.in
@@ -79,6 +79,10 @@
don't. */
#undef HAVE_DECL_INET_PTON
+/* Define to 1 if you have the declaration of `NID_ED25519', and to 0 if you
+ don't. */
+#undef HAVE_DECL_NID_ED25519
+
/* Define to 1 if you have the declaration of `NID_secp384r1', and to 0 if you
don't. */
#undef HAVE_DECL_NID_SECP384R1
@@ -157,6 +161,9 @@
/* Define to 1 if you have the `EVP_cleanup' function. */
#undef HAVE_EVP_CLEANUP
+/* Define to 1 if you have the `EVP_DigestVerify' function. */
+#undef HAVE_EVP_DIGESTVERIFY
+
/* Define to 1 if you have the `EVP_dss1' function. */
#undef HAVE_EVP_DSS1
@@ -666,6 +673,9 @@
/* Define to 1 to enable dnscrypt support */
#undef USE_DNSCRYPT
+/* Define to 1 to enable dnscrypt with xchacha20 support */
+#undef USE_DNSCRYPT_XCHACHA20
+
/* Define to 1 to enable dnstap support */
#undef USE_DNSTAP
@@ -678,9 +688,15 @@
/* Define this to enable an EVP workaround for older openssl */
#undef USE_ECDSA_EVP_WORKAROUND
+/* Define this to enable ED25519 support. */
+#undef USE_ED25519
+
/* Define this to enable GOST support. */
#undef USE_GOST
+/* Define to 1 to use ipsecmod support. */
+#undef USE_IPSECMOD
+
/* Define if you want to use internal select based events */
#undef USE_MINI_EVENT
diff --git a/configure b/configure
index 48162d86f4e7..202dc7d6ea86 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.6.3.
+# Generated by GNU Autoconf 2.69 for unbound 1.6.4.
#
# Report bugs to <unbound-bugs@nlnetlabs.nl>.
#
@@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.6.3'
-PACKAGE_STRING='unbound 1.6.3'
+PACKAGE_VERSION='1.6.4'
+PACKAGE_STRING='unbound 1.6.4'
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
PACKAGE_URL=''
@@ -638,9 +638,12 @@ INSTALLTARGET
ALLTARGET
SOURCEFILE
SOURCEDETERMINE
+IPSECMOD_HEADER
+IPSECMOD_OBJ
DNSCRYPT_OBJ
DNSCRYPT_SRC
ENABLE_DNSCRYPT
+ENABLE_DNSCRYPT_XCHACHA20
DNSTAP_OBJ
DNSTAP_SRC
opt_dnstap_socket_path
@@ -755,6 +758,9 @@ UNBOUND_CHROOT_DIR
UNBOUND_RUN_DIR
ub_conf_dir
ub_conf_file
+UNBOUND_LOCALSTATE_DIR
+UNBOUND_SYSCONF_DIR
+UNBOUND_SBIN_DIR
EGREP
GREP
CPP
@@ -851,6 +857,7 @@ enable_subnet
enable_gost
enable_ecdsa
enable_dsa
+enable_ed25519
enable_event_api
enable_tfo_client
enable_tfo_server
@@ -867,6 +874,7 @@ with_libfstrm
enable_dnscrypt
with_libsodium
enable_cachedb
+enable_ipsecmod
with_libunbound_only
'
ac_precious_vars='build_alias
@@ -1429,7 +1437,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures unbound 1.6.3 to adapt to many kinds of systems.
+\`configure' configures unbound 1.6.4 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1494,7 +1502,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of unbound 1.6.3:";;
+ short | recursive ) echo "Configuration of unbound 1.6.4:";;
esac
cat <<\_ACEOF
@@ -1531,6 +1539,7 @@ Optional Features:
--disable-gost Disable GOST support
--disable-ecdsa Disable ECDSA support
--disable-dsa Disable DSA support
+ --disable-ed25519 Disable ED25519 support
--enable-event-api Enable (experimental) pluggable event base
libunbound API installed to unbound-event.h
--enable-tfo-client Enable TCP Fast Open for client mode
@@ -1547,6 +1556,8 @@ Optional Features:
--enable-dnscrypt Enable dnscrypt support (requires libsodium)
--enable-cachedb enable cachedb module that can use external cache
storage
+ --enable-ipsecmod Enable ipsecmod module that facilitates
+ opportunistic IPsec
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
@@ -1703,7 +1714,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-unbound configure 1.6.3
+unbound configure 1.6.4
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2412,7 +2423,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by unbound $as_me 1.6.3, which was
+It was created by unbound $as_me 1.6.4, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2764,11 +2775,11 @@ UNBOUND_VERSION_MAJOR=1
UNBOUND_VERSION_MINOR=6
-UNBOUND_VERSION_MICRO=3
+UNBOUND_VERSION_MICRO=4
LIBUNBOUND_CURRENT=7
-LIBUNBOUND_REVISION=2
+LIBUNBOUND_REVISION=3
LIBUNBOUND_AGE=5
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@@ -2822,6 +2833,7 @@ LIBUNBOUND_AGE=5
# 1.6.1 had 7:0:5 # ub_callback_t typedef renamed to ub_callback_type
# 1.6.2 had 7:1:5
# 1.6.3 had 7:2:5
+# 1.6.4 had 7:3:5
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@@ -4106,6 +4118,11 @@ case "$prefix" in
prefix="/usr/local"
;;
esac
+case "$exec_prefix" in
+ NONE)
+ exec_prefix="$prefix"
+ ;;
+esac
# are we on MinGW?
if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
@@ -4117,6 +4134,12 @@ fi
#
# Determine configuration file
# the eval is to evaluate shell expansion twice
+UNBOUND_SBIN_DIR=`eval echo "${sbindir}"`
+
+UNBOUND_SYSCONF_DIR=`eval echo "${sysconfdir}"`
+
+UNBOUND_LOCALSTATE_DIR=`eval echo "${localstatedir}"`
+
if test $on_mingw = "no"; then
ub_conf_file=`eval echo "${sysconfdir}/unbound/unbound.conf"`
else
@@ -17598,7 +17621,7 @@ fi
done
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -18046,6 +18069,47 @@ fi
;;
esac
+# Check whether --enable-ed25519 was given.
+if test "${enable_ed25519+set}" = set; then :
+ enableval=$enable_ed25519;
+fi
+
+use_ed25519="no"
+case "$enable_ed25519" in
+ no)
+ ;;
+ *)
+ if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
+ ac_fn_c_check_decl "$LINENO" "NID_ED25519" "ac_cv_have_decl_NID_ED25519" "$ac_includes_default
+#include <openssl/evp.h>
+
+"
+if test "x$ac_cv_have_decl_NID_ED25519" = xyes; then :
+ ac_have_decl=1
+else
+ ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_NID_ED25519 $ac_have_decl
+_ACEOF
+if test $ac_have_decl = 1; then :
+
+
+cat >>confdefs.h <<_ACEOF
+#define USE_ED25519 1
+_ACEOF
+
+ use_ed25519="yes"
+
+else
+ if test "x$enable_ed25519" = "xyes"; then as_fn_error $? "OpenSSL does not support ED25519 and you used --enable-ed25519." "$LINENO" 5
+ fi
+fi
+
+ fi
+ ;;
+esac
# Check whether --enable-event-api was given.
if test "${enable_event_api+set}" = set; then :
@@ -20309,6 +20373,73 @@ else
as_fn_error $? "The sodium library was not found. Please install sodium!" "$LINENO" 5
fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing crypto_box_curve25519xchacha20poly1305_beforenm" >&5
+$as_echo_n "checking for library containing crypto_box_curve25519xchacha20poly1305_beforenm... " >&6; }
+if ${ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char crypto_box_curve25519xchacha20poly1305_beforenm ();
+int
+main ()
+{
+return crypto_box_curve25519xchacha20poly1305_beforenm ();
+ ;
+ return 0;
+}
+_ACEOF
+for ac_lib in '' sodium; do
+ if test -z "$ac_lib"; then
+ ac_res="none required"
+ else
+ ac_res=-l$ac_lib
+ LIBS="-l$ac_lib $ac_func_search_save_LIBS"
+ fi
+ if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext
+ if ${ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm+:} false; then :
+ break
+fi
+done
+if ${ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm+:} false; then :
+
+else
+ ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm" >&5
+$as_echo "$ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm" >&6; }
+ac_res=$ac_cv_search_crypto_box_curve25519xchacha20poly1305_beforenm
+if test "$ac_res" != no; then :
+ test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+ ENABLE_DNSCRYPT_XCHACHA20=1
+
+
+$as_echo "#define USE_DNSCRYPT_XCHACHA20 1" >>confdefs.h
+
+
+else
+
+ ENABLE_DNSCRYPT_XCHACHA20=0
+
+
+fi
+
$as_echo "#define USE_DNSCRYPT 1" >>confdefs.h
@@ -20322,6 +20453,8 @@ $as_echo "#define USE_DNSCRYPT 1" >>confdefs.h
else
+ ENABLE_DNSCRYPT_XCHACHA20=0
+
ENABLE_DNSCRYPT=0
@@ -20347,6 +20480,27 @@ $as_echo "#define USE_CACHEDB 1" >>confdefs.h
;;
esac
+# check for ipsecmod if requested
+# Check whether --enable-ipsecmod was given.
+if test "${enable_ipsecmod+set}" = set; then :
+ enableval=$enable_ipsecmod;
+fi
+
+case "$enable_ipsecmod" in
+ yes)
+
+$as_echo "#define USE_IPSECMOD 1" >>confdefs.h
+
+ IPSECMOD_OBJ="ipsecmod.lo ipsecmod-whitelist.lo"
+
+ IPSECMOD_HEADER='$(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h'
+
+ ;;
+ no|*)
+ # nothing
+ ;;
+esac
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5
$as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; }
# on openBSD, the implicit rule make $< work.
@@ -20488,7 +20642,7 @@ _ACEOF
-version=1.6.3
+version=1.6.4
date=`date +'%b %e, %Y'`
@@ -21007,7 +21161,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by unbound $as_me 1.6.3, which was
+This file was extended by unbound $as_me 1.6.4, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -21073,7 +21227,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-unbound config.status 1.6.3
+unbound config.status 1.6.4
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index c2d1213daa0a..e908ff21331a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[6])
-m4_define([VERSION_MICRO],[3])
+m4_define([VERSION_MICRO],[4])
AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=7
-LIBUNBOUND_REVISION=2
+LIBUNBOUND_REVISION=3
LIBUNBOUND_AGE=5
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@@ -72,6 +72,7 @@ LIBUNBOUND_AGE=5
# 1.6.1 had 7:0:5 # ub_callback_t typedef renamed to ub_callback_type
# 1.6.2 had 7:1:5
# 1.6.3 had 7:2:5
+# 1.6.4 had 7:3:5
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@@ -109,6 +110,11 @@ case "$prefix" in
prefix="/usr/local"
;;
esac
+case "$exec_prefix" in
+ NONE)
+ exec_prefix="$prefix"
+ ;;
+esac
# are we on MinGW?
if uname -s 2>&1 | grep MINGW32 >/dev/null; then on_mingw="yes"
@@ -120,6 +126,12 @@ fi
#
# Determine configuration file
# the eval is to evaluate shell expansion twice
+UNBOUND_SBIN_DIR=`eval echo "${sbindir}"`
+AC_SUBST(UNBOUND_SBIN_DIR)
+UNBOUND_SYSCONF_DIR=`eval echo "${sysconfdir}"`
+AC_SUBST(UNBOUND_SYSCONF_DIR)
+UNBOUND_LOCALSTATE_DIR=`eval echo "${localstatedir}"`
+AC_SUBST(UNBOUND_LOCALSTATE_DIR)
if test $on_mingw = "no"; then
ub_conf_file=`eval echo "${sysconfdir}/unbound/unbound.conf"`
else
@@ -680,7 +692,7 @@ else
AC_MSG_RESULT([no])
fi
AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify])
# these check_funcs need -lssl
BAKLIBS="$LIBS"
@@ -906,6 +918,23 @@ case "$enable_dsa" in
;;
esac
+AC_ARG_ENABLE(ed25519, AC_HELP_STRING([--disable-ed25519], [Disable ED25519 support]))
+use_ed25519="no"
+case "$enable_ed25519" in
+ no)
+ ;;
+ *)
+ if test $USE_NSS = "no" -a $USE_NETTLE = "no"; then
+ AC_CHECK_DECLS([NID_ED25519], [
+ AC_DEFINE_UNQUOTED([USE_ED25519], [1], [Define this to enable ED25519 support.])
+ use_ed25519="yes"
+ ], [ if test "x$enable_ed25519" = "xyes"; then AC_MSG_ERROR([OpenSSL does not support ED25519 and you used --enable-ed25519.])
+ fi ], [AC_INCLUDES_DEFAULT
+#include <openssl/evp.h>
+ ])
+ fi
+ ;;
+esac
AC_ARG_ENABLE(event-api, AC_HELP_STRING([--enable-event-api], [Enable (experimental) pluggable event base libunbound API installed to unbound-event.h]))
case "$enable_event_api" in
@@ -1353,6 +1382,21 @@ case "$enable_cachedb" in
;;
esac
+# check for ipsecmod if requested
+AC_ARG_ENABLE(ipsecmod, AC_HELP_STRING([--enable-ipsecmod], [Enable ipsecmod module that facilitates opportunistic IPsec]))
+case "$enable_ipsecmod" in
+ yes)
+ AC_DEFINE([USE_IPSECMOD], [1], [Define to 1 to use ipsecmod support.])
+ IPSECMOD_OBJ="ipsecmod.lo ipsecmod-whitelist.lo"
+ AC_SUBST(IPSECMOD_OBJ)
+ IPSECMOD_HEADER='$(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/ipsecmod/ipsecmod-whitelist.h'
+ AC_SUBST(IPSECMOD_HEADER)
+ ;;
+ no|*)
+ # nothing
+ ;;
+esac
+
AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
# on openBSD, the implicit rule make $< work.
# on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
diff --git a/contrib/README b/contrib/README
index 7ccae735d797..8aa5fb4eb064 100644
--- a/contrib/README
+++ b/contrib/README
@@ -31,3 +31,6 @@ distribution but may be helpful.
Contributed by Yuri Voinov.
* unbound.socket and unbound.service: systemd files for unbound, install them
in /usr/lib/systemd/system. Contributed by Sami Kerola and Pavel Odintsov.
+* redirect-bogus.patch: Return configured address for bogus A and AAAA answers,
+ instead of SERVFAIL. Contributed by SIDN.
+* fastrpz.patch: fastrpz support from Farsight Security.
diff --git a/contrib/fastrpz.patch b/contrib/fastrpz.patch
new file mode 100644
index 000000000000..aa8c1ece0e20
--- /dev/null
+++ b/contrib/fastrpz.patch
@@ -0,0 +1,3552 @@
+===================================================================
+RCS file: ./RCS/Makefile.in,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./Makefile.in
+--- ./Makefile.in
++++ ./Makefile.in
+@@ -23,6 +23,8 @@
+ CHECKLOCK_OBJ=@CHECKLOCK_OBJ@
+ DNSTAP_SRC=@DNSTAP_SRC@
+ DNSTAP_OBJ=@DNSTAP_OBJ@
++FASTRPZ_SRC=@FASTRPZ_SRC@
++FASTRPZ_OBJ=@FASTRPZ_OBJ@
+ DNSCRYPT_SRC=@DNSCRYPT_SRC@
+ DNSCRYPT_OBJ=@DNSCRYPT_OBJ@
+ WITH_PYTHONMODULE=@WITH_PYTHONMODULE@
+@@ -125,7 +127,7 @@
+ edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
+ edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
+ cachedb/cachedb.c respip/respip.c $(CHECKLOCK_SRC) \
+-$(DNSTAP_SRC) $(DNSCRYPT_SRC) $(IPSECMOD_SRC)
++$(DNSTAP_SRC) $(FASTRPZ_SRC) $(DNSCRYPT_SRC) $(IPSECMOD_SRC)
+ COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
+ as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
+ iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
+@@ -137,7 +139,7 @@
+ validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
+ val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo \
+ $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
+-$(IPSECMOD_OBJ)
++$(FASTRPZ_OBJ) $(DNSCRYPT_OBJ)
+ COMMON_OBJ_WITHOUT_NETCALL+=respip.lo
+ COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
+ outside_network.lo
+@@ -398,6 +401,11 @@
+ $(srcdir)/util/config_file.h $(srcdir)/util/log.h \
+ $(srcdir)/util/netevent.h
+
++# fastrpz
++rpz.lo rpz.o: $(srcdir)/fastrpz/rpz.c config.h fastrpz/rpz.h fastrpz/librpz.h \
++ $(srcdir)/util/config_file.h $(srcdir)/daemon/daemon.h \
++ $(srcdir)/util/log.h
++
+ # Python Module
+ pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \
+ pythonmod/interface.h \
+===================================================================
+RCS file: ./RCS/config.h.in,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./config.h.in
+--- ./config.h.in
++++ ./config.h.in
+@@ -1199,4 +1199,11 @@
+ /** the version of unbound-control that this software implements */
+ #define UNBOUND_CONTROL_VERSION 1
+
+-
++/* have __attribute__s used in librpz.h */
++#undef LIBRPZ_HAVE_ATTR
++/** fastrpz librpz.so */
++#undef FASTRPZ_LIBRPZ_PATH
++/** 0=no fastrpz 1=static link 2=dlopen() */
++#undef FASTRPZ_LIB_OPEN
++/** turn on fastrpz response policy zones */
++#undef ENABLE_FASTRPZ
+===================================================================
+RCS file: ./RCS/configure.ac,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./configure.ac
+--- ./configure.ac
++++ ./configure.ac
+@@ -6,6 +6,7 @@
+ sinclude(acx_python.m4)
+ sinclude(ac_pkg_swig.m4)
+ sinclude(dnstap/dnstap.m4)
++sinclude(fastrpz/rpz.m4)
+ sinclude(dnscrypt/dnscrypt.m4)
+
+ # must be numbers. ac_defun because of later processing
+@@ -1352,6 +1353,9 @@
+ ;;
+ esac
+
++# check for Fastrpz with fastrpz/rpz.m4
++ck_FASTRPZ
++
+ AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
+ # on openBSD, the implicit rule make $< work.
+ # on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
+===================================================================
+RCS file: ./daemon/RCS/daemon.c,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.c
+--- ./daemon/daemon.c
++++ ./daemon/daemon.c
+@@ -89,6 +89,9 @@
+ #include "sldns/keyraw.h"
+ #include "respip/respip.h"
+ #include <signal.h>
++#ifdef ENABLE_FASTRPZ
++#include "fastrpz/rpz.h"
++#endif
+
+ #ifdef HAVE_SYSTEMD
+ #include <systemd/sd-daemon.h>
+@@ -451,6 +454,14 @@
+ fatal_exit("dnstap enabled in config but not built with dnstap support");
+ #endif
+ }
++ if(daemon->cfg->rpz_enable) {
++#ifdef ENABLE_FASTRPZ
++ rpz_init(&daemon->rpz_clist, &daemon->rpz_client, daemon->cfg);
++#else
++ fatal_exit("fastrpz enabled in config"
++ " but not built with fastrpz");
++#endif
++ }
+ for(i=0; i<daemon->num; i++) {
+ if(!(daemon->workers[i] = worker_create(daemon, i,
+ shufport+numport*i/daemon->num,
+@@ -691,6 +702,9 @@
+ #ifdef USE_DNSTAP
+ dt_delete(daemon->dtenv);
+ #endif
++#ifdef ENABLE_FASTRPZ
++ rpz_delete(&daemon->rpz_clist, &daemon->rpz_client);
++#endif
+ daemon->cfg = NULL;
+ }
+
+===================================================================
+RCS file: ./daemon/RCS/daemon.h,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.h
+--- ./daemon/daemon.h
++++ ./daemon/daemon.h
+@@ -134,6 +134,11 @@
+ /** the dnscrypt environment */
+ struct dnsc_env* dnscenv;
+ #endif
++#ifdef ENABLE_FASTRPZ
++ /** global opaque rpz handles */
++ struct librpz_clist *rpz_clist;
++ struct librpz_client *rpz_client;
++#endif
+ };
+
+ /**
+===================================================================
+RCS file: ./daemon/RCS/worker.c,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c
+--- ./daemon/worker.c
++++ ./daemon/worker.c
+@@ -73,6 +73,9 @@
+ #include "libunbound/context.h"
+ #include "libunbound/libworker.h"
+ #include "sldns/sbuffer.h"
++#ifdef ENABLE_FASTRPZ
++#include "fastrpz/rpz.h"
++#endif
+ #include "sldns/wire2str.h"
+ #include "util/shm_side/shm_main.h"
+ #include "dnscrypt/dnscrypt.h"
+@@ -526,8 +529,27 @@
+ /* not secure */
+ secure = 0;
+ break;
++#ifdef ENABLE_FASTRPZ
++ case sec_status_rpz_rewritten:
++ case sec_status_rpz_drop:
++ fatal_exit("impossible cached RPZ sec_status");
++ break;
++#endif
+ }
+ }
++#ifdef ENABLE_FASTRPZ
++ if(repinfo->rpz) {
++ /* Scan the cached answer for RPZ hits.
++ * ret=1 use cache entry
++ * ret=-1 rewritten response already sent or dropped
++ * ret=0 deny a cached entry exists
++ */
++ int ret = rpz_worker_cache(worker, msg->rep, qinfo,
++ id, flags, edns, repinfo);
++ if(ret != 1)
++ return ret;
++ }
++#endif
+ /* return this delegation from the cache */
+ edns->edns_version = EDNS_ADVERTISED_VERSION;
+ edns->udp_size = EDNS_ADVERTISED_SIZE;
+@@ -688,6 +710,23 @@
+ secure = 0;
+ }
+ } else secure = 0;
++#ifdef ENABLE_FASTRPZ
++ if(repinfo->rpz) {
++ /* Scan the cached answer for RPZ hits.
++ * ret=1 use cache entry
++ * ret=-1 rewritten response already sent or dropped
++ * ret=0 deny a cached entry exists
++ */
++ int ret = rpz_worker_cache(worker, rep, qinfo, id, flags, edns,
++ repinfo);
++ if(ret != 1) {
++ rrset_array_unlock_touch(worker->env.rrset_cache,
++ worker->scratchpad, rep->ref,
++ rep->rrset_count);
++ return ret;
++ }
++ }
++#endif
+
+ edns->edns_version = EDNS_ADVERTISED_VERSION;
+ edns->udp_size = EDNS_ADVERTISED_SIZE;
+@@ -1267,6 +1306,15 @@
+ log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
+ &repinfo->addr, repinfo->addrlen);
+ goto send_reply;
++#ifdef ENABLE_FASTRPZ
++ } else {
++ /* Start to rewrite for response policy zones.
++ * This can hit a qname trigger and be done. */
++ if(rpz_start(worker, &qinfo, repinfo, &edns)) {
++ regional_free_all(worker->scratchpad);
++ return 0;
++ }
++#endif
+ }
+
+ /* If we've found a local alias, replace the qname with the alias
+@@ -1315,12 +1363,21 @@
+ h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
+ if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) {
+ /* answer from cache - we have acquired a readlock on it */
+- if(answer_from_cache(worker, &qinfo,
++ ret = answer_from_cache(worker, &qinfo,
+ cinfo, &need_drop, &alias_rrset, &partial_rep,
+ (struct reply_info*)e->data,
+ *(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
+ sldns_buffer_read_u16_at(c->buffer, 2), repinfo,
+- &edns)) {
++ &edns);
++#ifdef ENABLE_FASTRPZ
++ if(ret < 0) {
++ /* RPZ already dropped or sent a response. */
++ lock_rw_unlock(&e->lock);
++ regional_free_all(worker->scratchpad);
++ return 0;
++ }
++#endif
++ if(ret) {
+ /* prefetch it if the prefetch TTL expired.
+ * Note that if there is more than one pass
+ * its qname must be that used for cache
+@@ -1371,11 +1428,19 @@
+ lock_rw_unlock(&e->lock);
+ }
+ if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) {
+- if(answer_norec_from_cache(worker, &qinfo,
++ ret = answer_norec_from_cache(worker, &qinfo,
+ *(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
+ sldns_buffer_read_u16_at(c->buffer, 2), repinfo,
+- &edns)) {
++ &edns);
++ if(ret) {
+ regional_free_all(worker->scratchpad);
++#ifdef ENABLE_FASTRPZ
++ if(ret < 0) {
++ /* RPZ already dropped
++ * or sent a response. */
++ return 0;
++ }
++#endif
+ goto send_reply;
+ }
+ verbose(VERB_ALGO, "answer norec from cache -- "
+===================================================================
+RCS file: ./doc/RCS/unbound.conf.5.in,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./doc/unbound.conf.5.in
+--- ./doc/unbound.conf.5.in
++++ ./doc/unbound.conf.5.in
+@@ -1446,6 +1446,81 @@
+ .B dns64\-synthall: \fI<yes or no>\fR
+ Debug option, default no. If enabled, synthesize all AAAA records
+ despite the presence of actual AAAA records.
++.SS "Response Policy Zone Rewriting"
++.LP
++Response policy zone rewriting is controlled with the
++.B rpz
++clause.
++It must contain a
++.B rpz\-enable:
++option, and one or more
++.B rpz\-zone:
++options.
++It will usually also contain
++.B rpz\-option:
++clauses with general rewriting options or specifying dnsrpzd parameters.
++Beneath the surface, the text in
++.B rpz\-zone: \fI<"domain">\fR
++is converted to \fI"zone domain\\n"\fR and added to the configuration string
++given to
++\fIlibrpz\fR(3).
++The text in
++.B rpz-option \fI<"text">\fR
++is also added to that configuration string.
++.LP
++If using chroot, then the chroot directory must contain the \fIdnsrpzd\fR(3)
++command and the shared libraries that it uses.
++Those can be found with the \fIldd\fR(1) command.
++.LP
++Resolver zone and rewriting options and response policy zone triggers and
++actions are described in \fIlibrpz\fR(3).
++The separate control file that specifies the policy zones maintained by
++the dnsrpzd daemon is described in \fIdnsrpzd\fR(8).
++.LP
++Many installations need a local whitelist that exempts local
++domains from rewriting.
++Whitelist records can be in zones transferred by dnsrpzd from
++authorities or in a local zone file.
++.TP
++.B rpz-enable: \fI<yes or no>
++enables Fastrpz.
++If not enabled, the other options in the
++.B rpz:
++clause are ignored.
++.TP
++.B rpz-zone: \fI<"zone and options">
++specifies a policy zone and optional per-zone rewriting parameters.
++.TP
++.B rpz-option: \fI<"option">
++specifies general Fastrpz options.
++.LP
++Fastrpz is available only on POSIX compliant UNIX-like systems with the
++\fImmap\fR(2) system call.
++.LP
++Fastrpz in Unbound differs from rpz and fastrpz in BIND by
++.RS 3
++.HP 4
++RPZ-CLIENT-IP triggers can only be used in the first policy zone
++specified with
++.B rpz-zone:
++.HP
++Policy zone rewriting is disabled by the DO bit in DNS requests
++even when no DNSSEC signatures are supplied by authorities.
++.HP
++Unbound local zones are not subject to rpz rewriting.
++.HP
++Like Fastrpz with BIND but unlike classic BIND rpz,
++the ADDITIONAL sections of rewritten responses contain the SOA record from
++the policy zone used to rewrite the response.
++.RE
++.P
++.nf
++# example Fastrpz settings for use with chroot on Freebsd
++rpz:
++ rpz-zone: "rpz.example.org"
++ rpz-zone: "other.rpz.example.org ip-as-ns yes"
++ rpz-option: "dnsrpzd ./dnsrpzd"
++.fi
+ .SS "DNSCrypt Options"
+ .LP
+ The
+===================================================================
+RCS file: ./fastrpz/RCS/librpz.h,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./fastrpz/librpz.h
+--- ./fastrpz/librpz.h
++++ ./fastrpz/librpz.h
+@@ -0,0 +1,957 @@
++/*
++ * Define the interface from a DNS resolver to the Response Policy Zone
++ * library, librpz.
++ *
++ * This file should be included only the interface functions between the
++ * resolver and librpz to avoid name space pollution.
++ *
++ * Copyright (c) 2016-2017 Farsight Security, Inc.
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ *
++ * Fastrpz version 1.2.10
++ */
++
++#ifndef LIBRPZ_H
++#define LIBRPZ_H
++
++#include <arpa/nameser.h>
++#include <netinet/in.h>
++#include <stdarg.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <sys/types.h>
++
++
++/*
++ * Allow either ordinary or dlopen() linking.
++ */
++#ifdef LIBRPZ_INTERNAL
++#define LIBDEF(t,s) extern t s;
++#define LIBDEF_F(f) LIBDEF(librpz_##f##_t, librpz_##f)
++#else
++#define LIBDEF(t,s)
++#define LIBDEF_F(f)
++#endif
++
++/*
++ * Response Policy Zone triggers.
++ * Comparisons of trigger precedences require
++ * LIBRPZ_TRIG_CLIENT_IP < LIBRPZ_TRIG_QNAME < LIBRPZ_TRIG_IP
++ * < LIBRPZ_TRIG_NSDNAME < LIBRPZ_TRIG_NSIP}
++ */
++typedef enum {
++ LIBRPZ_TRIG_BAD =0,
++ LIBRPZ_TRIG_CLIENT_IP =1,
++ LIBRPZ_TRIG_QNAME =2,
++ LIBRPZ_TRIG_IP =3,
++ LIBRPZ_TRIG_NSDNAME =4,
++ LIBRPZ_TRIG_NSIP =5
++} librpz_trig_t;
++#define LIBRPZ_TRIG_SIZE 3 /* sizeof librpz_trig_t in bits */
++typedef uint8_t librpz_tbit_t; /* one bit for each of the TRIGS_NUM
++ * trigger types */
++
++
++/*
++ * Response Policy Zone Actions or policies
++ */
++typedef enum {
++ LIBRPZ_POLICY_UNDEFINED =0, /* an empty entry or no decision yet */
++ LIBRPZ_POLICY_DELETED =1, /* placeholder for a deleted policy */
++
++ LIBRPZ_POLICY_PASSTHRU =2, /* 'passthru': do not rewrite */
++ LIBRPZ_POLICY_DROP =3, /* 'drop': do not respond */
++ LIBRPZ_POLICY_TCP_ONLY =4, /* 'tcp-only': answer UDP with TC=1 */
++ LIBRPZ_POLICY_NXDOMAIN =5, /* 'nxdomain': answer with NXDOMAIN */
++ LIBRPZ_POLICY_NODATA =6, /* 'nodata': answer with ANCOUNT=0 */
++ LIBRPZ_POLICY_RECORD =7, /* rewrite with the policy's RR */
++
++ /* only in client configurations to override the zone */
++ LIBRPZ_POLICY_GIVEN, /* 'given': what policy record says */
++ LIBRPZ_POLICY_DISABLED, /* at most log */
++ LIBRPZ_POLICY_CNAME, /* answer with 'cname x' */
++} librpz_policy_t;
++#define LIBRPZ_POLICY_BITS 4
++
++/*
++ * Special policies that appear as targets of CNAMEs
++ * NXDOMAIN is signaled by a CNAME with a "." target.
++ * NODATA is signaled by a CNAME with a "*." target.
++ */
++#define LIBRPZ_RPZ_PREFIX "rpz-"
++#define LIBRPZ_RPZ_PASSTHRU LIBRPZ_RPZ_PREFIX"passthru"
++#define LIBRPZ_RPZ_DROP LIBRPZ_RPZ_PREFIX"drop"
++#define LIBRPZ_RPZ_TCP_ONLY LIBRPZ_RPZ_PREFIX"tcp-only"
++
++
++typedef uint16_t librpz_dznum_t; /* dnsrpzd zone # in [0,DZNUM_MAX] */
++typedef uint8_t librpz_cznum_t; /* client zone # in [0,CZNUM_MAX] */
++
++
++/*
++ * CIDR block
++ */
++typedef struct librpz_prefix {
++ union {
++ struct in_addr in;
++ struct in6_addr in6;
++ } addr;
++ uint8_t family;
++ uint8_t len;
++} librpz_prefix_t;
++
++/*
++ * A domain
++ */
++typedef uint8_t librpz_dsize_t;
++typedef struct librpz_domain {
++ librpz_dsize_t size; /* of only .d */
++ uint8_t d[0]; /* variable length wire format */
++} librpz_domain_t;
++
++/*
++ * A maximal domain buffer
++ */
++typedef struct librpz_domain_buf {
++ librpz_dsize_t size;
++ uint8_t d[NS_MAXCDNAME];
++} librpz_domain_buf_t;
++
++/*
++ * A resource record without the owner name.
++ * C compilers say that sizeof(librpz_rr_t)=12 instead of 10.
++ */
++typedef struct {
++ uint16_t type; /* network byte order */
++ uint16_t class; /* network byte order */
++ uint32_t ttl; /* network byte order */
++ uint16_t rdlength; /* network byte order */
++ uint8_t rdata[0]; /* variable length */
++} librpz_rr_t;
++
++/*
++ * The database file might be mapped with different starting addresses
++ * by concurrent clients (resolvers), and so all pointers are offsets.
++ */
++typedef uint32_t librpz_idx_t;
++#define LIBRPZ_IDX_NULL 0
++#define LIBRPZ_IDX_MIN 1
++#define LIBRPZ_IDX_BAD ((librpz_idx_t)-1)
++/**
++ * Partial decoded results of a set of RPZ queries for a single DNS response
++ * or interation through the mapped file.
++ */
++typedef int16_t librpz_result_id_t;
++typedef struct librpz_result {
++ librpz_idx_t next_rr;
++ librpz_result_id_t hit_id; /* trigger ID from resolver */
++ librpz_policy_t zpolicy; /* policy from zone */
++ librpz_policy_t policy; /* adjusted by client configuration */
++ librpz_dznum_t dznum; /* dnsrpzd zone number */
++ librpz_cznum_t cznum; /* librpz client zone number */
++ librpz_trig_t trig:LIBRPZ_TRIG_SIZE;
++ bool log:1; /* log rewrite given librpz_log_level */
++} librpz_result_t;
++
++
++/**
++ * librpz trace or log levels.
++ */
++typedef enum {
++ LIBRPZ_LOG_FATAL =0, /* always print fatal errors */
++ LIBRPZ_LOG_ERROR =1, /* errors have this level */
++ LIBRPZ_LOG_TRACE1 =2, /* big events such as dnsrpzd starts */
++ LIBRPZ_LOG_TRACE2 =3, /* smaller dnsrpzd zone transfers */
++ LIBRPZ_LOG_TRACE3 =4, /* librpz hits */
++ LIBRPZ_LOG_TRACE4 =5, /* librpz lookups */
++ LIBRPZ_LOG_INVALID =999,
++} librpz_log_level_t;
++typedef librpz_log_level_t (librpz_log_level_val_t)(librpz_log_level_t level);
++LIBDEF_F(log_level_val)
++
++/**
++ * Logging function that can be supplied by the resolver.
++ * @param level is one of librpz_log_level_t
++ * @param ctx is for use by the resolver's logging system.
++ * NULL mean a context-free message.
++ */
++typedef void(librpz_log_fnc_t)(librpz_log_level_t level, void *ctx,
++ const char *buf);
++
++/**
++ * Point librpz logging functions to the resolver's choice.
++ */
++typedef void (librpz_set_log_t)(librpz_log_fnc_t *new_log, const char *prog_nm);
++LIBDEF_F(set_log)
++
++
++/**
++ * librpz error messages are put in these buffers.
++ * Use a structure intead of naked char* to let the compiler check the length.
++ * A function defined with "foo(char buf[120])" can be called with
++ * "char sbuf[2]; foo(sbuf)" and suffer a buffer overrun.
++ */
++typedef struct {
++ char c[120];
++} librpz_emsg_t;
++
++
++#ifdef LIBRPZ_HAVE_ATTR
++#define LIBRPZ_UNUSED __attribute__((unused))
++#define LIBRPZ_PF(f,l) __attribute__((format(printf,f,l)))
++#define LIBRPZ_NORET __attribute__((__noreturn__))
++#else
++#define LIBRPZ_UNUSED
++#define LIBRPZ_PF(f,l)
++#define LIBRPZ_NORET
++#endif
++
++#ifdef HAVE_BUILTIN_EXPECT
++#define LIBRPZ_LIKELY(c) __builtin_expect(!!(c), 1)
++#define LIBRPZ_UNLIKELY(c) __builtin_expect(!!(c), 0)
++#else
++#define LIBRPZ_LIKELY(c) (c)
++#define LIBRPZ_UNLIKELY(c) (c)
++#endif
++
++typedef bool (librpz_parse_log_opt_t)(librpz_emsg_t *emsg, const char *arg);
++LIBDEF_F(parse_log_opt)
++
++typedef void (librpz_vpemsg_t)(librpz_emsg_t *emsg,
++ const char *p, va_list args);
++LIBDEF_F(vpemsg)
++typedef void (librpz_pemsg_t)(librpz_emsg_t *emsg,
++ const char *p, ...) LIBRPZ_PF(2,3);
++LIBDEF_F(pemsg)
++
++typedef void (librpz_vlog_t)(librpz_log_level_t level, void *ctx,
++ const char *p, va_list args);
++LIBDEF_F(vlog)
++typedef void (librpz_log_t)(librpz_log_level_t level, void *ctx,
++ const char *p, ...) LIBRPZ_PF(3,4);
++LIBDEF_F(log)
++
++typedef void (librpz_fatal_t)(int ex_code,
++ const char *p, ...) LIBRPZ_PF(2,3);
++extern void librpz_fatal(int ex_code,
++ const char *p, ...) LIBRPZ_PF(2,3) LIBRPZ_NORET;
++
++typedef void (librpz_rpz_assert_t)(const char *file, unsigned line,
++ const char *p, ...) LIBRPZ_PF(3,4);
++extern void librpz_rpz_assert(const char *file, unsigned line,
++ const char *p, ...) LIBRPZ_PF(3,4) LIBRPZ_NORET;
++
++typedef void (librpz_rpz_vassert_t)(const char *file, uint line,
++ const char *p, va_list args);
++extern void librpz_rpz_vassert(const char *file, uint line,
++ const char *p, va_list args) LIBRPZ_NORET;
++
++
++/*
++ * As far as clients are concerned, all relative pointers or indexes in a
++ * version of the mapped file except trie node parent pointers remain valid
++ * forever. A client must release a version so that it can be garbage
++ * collected by the file system. When dnsrpzd needs to expand the file,
++ * it copies the old file to a new, larger file. Clients can continue
++ * using the old file.
++ *
++ * Versions can also appear in a single file. Old nodes and trie values
++ * within the file are not destroyed until all clients using the version
++ * that contained the old values release the version.
++ *
++ * A client is marked as using version by connecting to the deamon. It is
++ * marked as using all subsequent versions. A client releases all versions
++ * by closing the connection or a range of versions by updating is slot
++ * in the shared memory version table.
++ *
++ * As far as clients are concerned, there are the following possible librpz
++ * failures:
++ * - malloc() or other fatal internal librpz problems indicated by
++ * a failing return from a librpz function
++ * All operations will fail until client handle is destroyed and
++ * recreated with librpz_client_detach() and librpz_client_create().
++ * - corrupt database detected by librpz code, corrupt database detected
++ * by dnsrpzd, or disconnection from the daemon.
++ * Current operations will fail.
++ *
++ * Clients assume that the file has already been unlinked before
++ * the corrupt flag is set so that they do not race with the server
++ * over the corruption of a single file. A client that finds the
++ * corrupt set knows that dnsrpzd has already crashed with
++ * abort() and is restarting. The client can re-connect to dnsrpzd
++ * and retransmit its configuration, backing off as usual if anything
++ * goes wrong.
++ *
++ * Searchs of the database by a client do not need locks against dnsrpzd or
++ * other clients, but a lock is used to protect changes to the connection
++ * by competing threads in the client. The client provides fuctions
++ * to serialize the conncurrent use of any single client handle.
++ * Functions that do nothing are appropriate for applications that are
++ * not "threaded" or that do not share client handles among threads.
++ * Otherwise, functions must be provided to librpz_clientcreate().
++ * Something like the following works with pthreads:
++ *
++ * static void
++ * lock(void *mutex) { assert(pthread_mutex_lock(mutex) == 0); }
++ *
++ * static void
++ * unlock(void *mutex) { assert(pthread_mutex_unlock(mutex) == 0); }
++ *
++ * static void
++ * mutex_destroy(void *mutex) { assert(pthread_mutex_destroy(mutex) == 0); }
++ *
++ *
++ *
++ * At every instant, all of the data and pointers in the mapped file are valid.
++ * Changes to trie node or other data are always made so that it and
++ * all pointers in and to it remain valid for a time. Old versions are
++ * eventually discarded.
++ *
++ * Dnsrpzd periodically defines a new version by setting asside all changes
++ * made since the previous version was defined. Subsequent changes
++ * made (only!) by dnsrpzd will be part of the next version.
++ *
++ * To discard an old version, dnsrpzd must know that all clients have stopped
++ * using that version. Clients do that by using part of the mapped file
++ * to tell dnsrpzd the oldest version that each client is using.
++ * Dnsrpzd assigns each connecting client an entry in the cversions array
++ * in the mapped file. The client puts version numbers into that entry
++ * to signal to dnsrpzd which versions that can be discarded.
++ * Dnsrpzd is free, as far as that client is concerned, to discard all
++ * numerically smaller versions. A client can disclaim all versions with
++ * the version number VERSIONS_ALL or 0.
++ *
++ * The race between a client changing its entry and dnsrpzd discarding a
++ * version is resolved by allowing dnsrpzd to discard all versions
++ * smaller or equal to the client's version number. If dnsrpzd is in
++ * the midst of discarding or about to discard version N when the
++ * client asserts N, no harm is done. The client depends only on
++ * the consistency of version N+1.
++ *
++ * This version mechanism depends in part on not being exercised too frequently
++ * Version numbers are 32 bits long and dnsrpzd creates new versions
++ * at most once every 30 seconds.
++ */
++
++
++/*
++ * Lock functions for concurrent use of a single librpz_client_t client handle.
++ */
++typedef void(librpz_mutex_t)(void *mutex);
++
++/*
++ * List of connections to dnsrpzd daemons.
++ */
++typedef struct librpz_clist librpz_clist_t;
++
++/*
++ * Client's handle on dnsrpzd.
++ */
++typedef struct librpz_client librpz_client_t;
++
++/**
++ * Create the list of connections to the dnsrpzd daemon.
++ * @param[out] emsg: error message
++ * @param lock: start exclusive access to the client handle
++ * @param unlock: end exclusive access to the client handle
++ * @param mutex_destroy: release the lock
++ * @param mutex: pointer to the lock for the client handle
++ * @param log_ctx: NULL or resolver's context log messages
++ */
++typedef librpz_clist_t *(librpz_clist_create_t)(librpz_emsg_t *emsg,
++ librpz_mutex_t *lock,
++ librpz_mutex_t *unlock,
++ librpz_mutex_t *mutex_destroy,
++ void *mutex, void *log_ctx);
++LIBDEF_F(clist_create)
++
++
++/**
++ * Release the list of dnsrpzd connections.
++ */
++typedef void (librpz_clist_detach_t)(librpz_clist_t **clistp);
++LIBDEF_F(clist_detach)
++
++/**
++ * Create a librpz client handle.
++ * @param[out] emsg: error message
++ * @param: list of dnsrpzd connections
++ * @param cstr: string of configuration settings separated by ';' or '\n'
++ * @param use_expired: true to not ignore expired zones
++ * @return client handle or NULL if the handle could not be created
++ */
++typedef librpz_client_t *(librpz_client_create_t)(librpz_emsg_t *emsg,
++ librpz_clist_t *clist,
++ const char *cstr,
++ bool use_expired);
++LIBDEF_F(client_create)
++
++/**
++ * Start (if necessary) dnsrpzd and connect to it.
++ * @param[out] emsg: error message
++ * @param client handle
++ * @param optional: true if it is ok if starting the daemon is not allowed
++ */
++typedef bool (librpz_connect_t)(librpz_emsg_t *emsg, librpz_client_t *client,
++ bool optional);
++LIBDEF_F(connect)
++
++/**
++ * Start to destroy a librpz client handle.
++ * It will not be destroyed until the last set of RPZ queries represented
++ * by a librpz_rsp_t ends.
++ * @param client handle to be released
++ * @return false on error
++ */
++typedef void (librpz_client_detach_t)(librpz_client_t **clientp);
++LIBDEF_F(client_detach)
++
++/**
++ * State for a set of RPZ queries for a single DNS response
++ * or for listing the database.
++ */
++typedef struct librpz_rsp librpz_rsp_t;
++
++/**
++ * Start a set of RPZ queries for a single DNS response.
++ * @param[out] emsg: error message for false return or *rspp=NULL
++ * @param[out] rspp created context or NULL
++ * @param[out] min_ns_dotsp: NULL or pointer to configured MIN-NS-DOTS value
++ * @param client state
++ * @param have_rd: RD=1 in the DNS request
++ * @param have_do: DO=1 in the DNS request
++ * @return false on error
++ */
++typedef bool (librpz_rsp_create_t)(librpz_emsg_t *emsg, librpz_rsp_t **rspp,
++ int *min_ns_dotsp, librpz_client_t *client,
++ bool have_rd, bool have_do);
++LIBDEF_F(rsp_create)
++
++/**
++ * Finish RPZ work for a DNS response.
++ */
++typedef void (librpz_rsp_detach_t)(librpz_rsp_t **rspp);
++LIBDEF_F(rsp_detach)
++
++/**
++ * Get the final, accumulated result of a set of RPZ queries.
++ * Yield LIBRPZ_POLICY_UNDEFINED if
++ * - there were no hits,
++ * - there was a dispositive hit, be we have not recursed and are required
++ * to recurse so that evil DNS authories will not know we are using RPZ
++ * - we have a hit and have recursed, but later data such as NSIP could
++ * override
++ * @param[out] emsg
++ * @param[out] result describes the hit
++ * or result->policy=LIBRPZ_POLICY_UNDEFINED without a hit
++ * @param[out] result: current policy rewrite values
++ * @param recursed: recursion has now been done even if it was not done
++ * when the hit was found
++ * @param[in,out] rsp state from librpz_itr_start()
++ * @return false on error
++ */
++typedef bool (librpz_rsp_result_t)(librpz_emsg_t *emsg, librpz_result_t *result,
++ bool recursed, const librpz_rsp_t *rsp);
++LIBDEF_F(rsp_result)
++
++/**
++ * Might looking for a trigger be worthwhile?
++ * @param trig: look for this type of trigger
++ * @param ipv6: true if trig is LIBRPZ_TRIG_CLIENT_IP, LIBRPZ_TRIG_IP,
++ * or LIBRPZ_TRIG_NSIP and the IP address is IPv6
++ * @return: true if looking could be worthwhile
++ */
++typedef bool (librpz_have_trig_t)(librpz_trig_t trig, bool ipv6,
++ const librpz_rsp_t *rsp);
++LIBDEF_F(have_trig)
++
++/**
++ * Might looking for NSDNAME and NSIP triggers be worthwhile?
++ * @return: true if looking could be worthwhile
++ */
++typedef bool (librpz_have_ns_trig_t)(const librpz_rsp_t *rsp);
++LIBDEF_F(have_ns_trig)
++
++/**
++ * Convert the found client IP trie key to a CIDR block
++ * @param[out] emsg
++ * @param[out] prefix trigger
++ * @param[in,out] rsp state from librpz_itr_start()
++ * @return false on error
++ */
++typedef bool (librpz_rsp_clientip_prefix_t)(librpz_emsg_t *emsg,
++ librpz_prefix_t *prefix,
++ librpz_rsp_t *rsp);
++LIBDEF_F(rsp_clientip_prefix)
++
++/**
++ * Compute the owner name of the found or result trie key, usually to log it.
++ * An IP address key might be returned as 8.0.0.0.127.rpz-client-ip.
++ * example.com. might be a qname trigger. example.com.rpz-nsdname. could
++ * be an NSDNAME trigger.
++ * @param[out] emsg
++ * @param[out] owner domain
++ * @param[in,out] rsp state from librpz_itr_start()
++ * @return false on error
++ */
++typedef bool (librpz_rsp_domain_t)(librpz_emsg_t *emsg,
++ librpz_domain_buf_t *owner,
++ librpz_rsp_t *rsp);
++LIBDEF_F(rsp_domain)
++
++/**
++ * Get the next RR of the LIBRPZ_POLICY_RECORD result after an initial use of
++ * librpz_rsp_result() or librpz_itr_node() or after a previous use of
++ * librpz_rsp_rr(). The RR is in uncompressed wire format including type,
++ * class, ttl and length in network byte order.
++ * @param[out] emsg
++ * @param[out] typep: optional host byte order record type or ns_t_invalid (0)
++ * @param[out] classp: class such as ns_c_in
++ * @param[out] ttlp: TTL
++ * @param[out] rrp: optionall malloc() buffer containting the next RR or
++ * NULL after the last RR
++ * @param[out] result: current policy rewrite values
++ * @param qname: used construct a wildcard CNAME
++ * @param qname_size
++ * @param[in,out] rsp state from librpz_itr_start()
++ * @return false on error
++ */
++typedef bool (librpz_rsp_rr_t)(librpz_emsg_t *emsg, uint16_t *typep,
++ uint16_t *classp, uint32_t *ttlp,
++ librpz_rr_t **rrp, librpz_result_t *result,
++ const uint8_t *qname, size_t qname_size,
++ librpz_rsp_t *rsp);
++LIBDEF_F(rsp_rr)
++
++/**
++ * Get the next RR of the LIBRPZ_POLICY_RECORD result.
++ * @param[out] emsg
++ * @param[out] ttlp: TTL
++ * @param[out] rrp: malloc() buffer with SOA RR without owner name
++ * @param[out] result: current policy rewrite values
++ * @param[out] origin: SOA owner name
++ * @param[out] origin_size
++ * @param[in,out] rsp state from librpz_itr_start()
++ * @return false on error
++ */
++typedef bool (librpz_rsp_soa_t)(librpz_emsg_t *emsg, uint32_t *ttlp,
++ librpz_rr_t **rrp, librpz_domain_buf_t *origin,
++ librpz_result_t *result, librpz_rsp_t *rsp);
++LIBDEF_F(rsp_soa)
++
++/**
++ * Get the SOA serial number for a policy zone to compare with a known value
++ * to check whether a zone tranfer is complete.
++ */
++typedef bool (librpz_soa_serial_t)(librpz_emsg_t *emsg, uint32_t *serialp,
++ const char *domain_nm, librpz_rsp_t *rsp);
++LIBDEF_F(soa_serial)
++
++/**
++ * Save the current policy checking state.
++ * @param[out] emsg
++ * @param[in,out] rsp state from librpz_itr_start()
++ * @return false on error
++ */
++typedef bool (librpz_rsp_push_t)(librpz_emsg_t *emsg, librpz_rsp_t *rsp);
++LIBDEF_F(rsp_push)
++#define LIBRPZ_RSP_STACK_DEPTH 3
++
++/**
++ * Restore the previous policy checking state.
++ * @param[out] emsg
++ * @param[out] result: NULL or restored policy rewrite values
++ * @param[in,out] rsp state from librpz_itr_start()
++ * @return false on error
++ */
++typedef bool (librpz_rsp_pop_t)(librpz_emsg_t *emsg, librpz_result_t *result,
++ librpz_rsp_t *rsp);
++LIBDEF_F(rsp_pop)
++
++/**
++ * Discard the most recently save policy checking state.
++ * @param[out] emsg
++ * @param[out] result: NULL or restored policy rewrite values
++ * @return false on error
++ */
++typedef bool (librpz_rsp_pop_discard_t)(librpz_emsg_t *emsg, librpz_rsp_t *rsp);
++LIBDEF_F(rsp_pop_discard)
++
++/**
++ * Disable a zone.
++ * @param[out] emsg
++ * @param znum
++ * @param[in,out] rsp state from librpz_itr_start()
++ * @return false on error
++ */
++typedef bool (librpz_rsp_forget_zone_t)(librpz_emsg_t *emsg,
++ librpz_cznum_t znum, librpz_rsp_t *rsp);
++LIBDEF_F(rsp_forget_zone)
++
++/**
++ * Apply RPZ to an IP address.
++ * @param[out] emsg
++ * @param addr: address to check
++ * @param ipv6: true for 16 byte IPv6 instead of 4 byte IPv4
++ * @param trig LIBRPZ_TRIG_CLIENT_IP, LIBRPZ_TRIG_IP, or LIBRPZ_TRIG_NSIP
++ * @param hit_id: caller chosen
++ * @param recursed: recursion has been done
++ * @param[in,out] rsp state from librpz_itr_start()
++ * @return false on error
++ */
++typedef bool (librpz_ck_ip_t)(librpz_emsg_t *emsg,
++ const void *addr, uint family,
++ librpz_trig_t trig, librpz_result_id_t hit_id,
++ bool recursed, librpz_rsp_t *rsp);
++LIBDEF_F(ck_ip)
++
++/**
++ * Apply RPZ to a wire-format domain.
++ * @param[out] emsg
++ * @param domain in wire format
++ * @param domain_size
++ * @param trig LIBRPZ_TRIG_QNAME or LIBRPZ_TRIG_NSDNAME
++ * @param hit_id: caller chosen
++ * @param recursed: recursion has been done
++ * @param[in,out] rsp state from librpz_itr_start()
++ * @return false on error
++ */
++typedef bool (librpz_ck_domain_t)(librpz_emsg_t *emsg,
++ const uint8_t *domain, size_t domain_size,
++ librpz_trig_t trig, librpz_result_id_t hit_id,
++ bool recursed, librpz_rsp_t *rsp);
++LIBDEF_F(ck_domain)
++
++/**
++ * Ask dnsrpzd to refresh a zone.
++ * @param[out] emsg error message
++ * @param librpz_domain_t domain to refresh
++ * @param client context
++ * @return false after error
++ */
++typedef bool (librpz_zone_refresh_t)(librpz_emsg_t *emsg, const char *domain,
++ librpz_rsp_t *rsp);
++LIBDEF_F(zone_refresh)
++
++/**
++ * Get a string describing the the databasse
++ * @param license: include the license
++ * @param cfiles: include the configuration file names
++ * @param listens: include the local notify IP addresses
++ * @param[out] emsg error message if the result is null
++ * @param client context
++ * @return malloc'ed string or NULL after error
++ */
++typedef char *(librpz_db_info_t)(librpz_emsg_t *emsg,
++ bool license, bool cfiles, bool listens,
++ librpz_rsp_t *rsp);
++LIBDEF_F(db_info)
++
++/**
++ * Start a context for listing the nodes and/or zones in the mapped file
++ * @param[out] emsg: error message for false return or *rspp=NULL
++ * @param[out[ rspp created context or NULL
++ * @param client context
++ * @return false after error
++ */
++typedef bool (librpz_itr_start_t)(librpz_emsg_t *emsg, librpz_rsp_t **rspp,
++ librpz_client_t *client);
++LIBDEF_F(itr_start)
++
++/**
++ * Get mapped file memory allocation statistics.
++ * @param[out] emsg: error message
++ * @param rsp state from librpz_itr_start()
++ * @return malloc'ed string or NULL after error
++ */
++typedef char *(librpz_mf_stats_t)(librpz_emsg_t *emsg, librpz_rsp_t *rsp);
++LIBDEF_F(mf_stats)
++
++/**
++ * Get versions currently used by clients.
++ * @param[out] emsg: error message
++ * @param[in,out] rsp: state from librpz_itr_start()
++ * @return malloc'ed string or NULL after error
++ */
++typedef char *(librpz_vers_stats_t)(librpz_emsg_t *emsg, librpz_rsp_t *rsp);
++LIBDEF_F(vers_stats)
++
++/**
++ * Allocate a string describing the next zone or "" after the last zone.
++ * @param[out] emsg
++ * @param all_zones to list all instead of only requested zones
++ * @param[in,out] rsp state from librpz_rsp_start()
++ * @return malloc'ed string or NULL after error
++ */
++typedef char *(librpz_itr_zone_t)(librpz_emsg_t *emsg, bool all_zones,
++ librpz_rsp_t *rsp);
++LIBDEF_F(itr_zone)
++
++/**
++ * Describe the next trie node while dumping the database.
++ * @param[out] emsg
++ * @param[out] result describes node
++ * or result->policy=LIBRPZ_POLICY_UNDEFINED after the last node.
++ * @param all_zones to list all instead of only requested zones
++ * @param[in,out] rsp state from librpz_itr_start()
++ * @return: false on error
++ */
++typedef bool (librpz_itr_node_t)(librpz_emsg_t *emsg, librpz_result_t *result,
++ bool all_zones, librpz_rsp_t *rsp);
++LIBDEF_F(itr_node)
++
++/**
++ * RPZ policy to string with a backup buffer of POLICY2STR_SIZE size
++ */
++typedef const char *(librpz_policy2str_t)(librpz_policy_t policy,
++ char *buf, size_t buf_size);
++#define POLICY2STR_SIZE sizeof("policy xxxxxx")
++LIBDEF_F(policy2str)
++
++/**
++ * Trigger type to string.
++ */
++typedef const char *(librpz_trig2str_t)(librpz_trig_t trig);
++LIBDEF_F(trig2str)
++
++/**
++ * Convert a number of seconds to a zone file duration string
++ */
++typedef const char *(librpz_secs2str_t)(time_t secs,
++ char *buf, size_t buf_size);
++#define SECS2STR_SIZE sizeof("1234567w7d24h59m59s")
++LIBDEF_F(secs2str)
++
++/**
++ * Parse a duration with 's', 'm', 'h', 'd', and 'w' units.
++ */
++typedef bool (librpz_str2secs_t)(librpz_emsg_t *emsg, time_t *val,
++ const char *str0);
++LIBDEF_F(str2secs)
++
++/**
++ * Translate selected rtypes to strings
++ */
++typedef const char *(librpz_rtype2str_t)(uint type, char *buf, size_t buf_size);
++#define RTYPE2STR_SIZE sizeof("type xxxxx")
++LIBDEF_F(rtype2str)
++
++/**
++ * Local version of ns_name_ntop() for portability.
++ */
++typedef int (librpz_domain_ntop_t)(const u_char *src, char *dst, size_t dstsiz);
++LIBDEF_F(domain_ntop)
++
++/**
++ * Local version of ns_name_pton().
++ */
++typedef int (librpz_domain_pton2_t)(const char *src, u_char *dst, size_t dstsiz,
++ size_t *dstlen, bool lower);
++LIBDEF_F(domain_pton2)
++
++typedef union socku socku_t;
++typedef socku_t *(librpz_mk_inet_su_t)(socku_t *su, const struct in_addr *addrp,
++ in_port_t port);
++LIBDEF_F(mk_inet_su)
++
++typedef socku_t *(librpz_mk_inet6_su_t)(socku_t *su, const
++ struct in6_addr *addrp,
++ uint32_t scope_id, in_port_t port);
++LIBDEF_F(mk_inet6_su)
++
++typedef bool (librpz_str2su_t)(socku_t *sup, const char *str);
++LIBDEF_F(str2su)
++
++typedef char *(librpz_su2str_t)(char *str, size_t str_len, const socku_t *su);
++LIBDEF_F(su2str)
++#define SU2STR_SIZE (INET6_ADDRSTRLEN+1+6+1)
++
++
++/**
++ * default path to dnsrpzd
++ */
++const char *librpz_dnsrpzd_path;
++
++
++#undef LIBDEF
++
++/*
++ * This is the dlopen() interface to librpz.
++ */
++typedef const struct {
++ const char *dnsrpzd_path;
++ const char *version;
++ librpz_parse_log_opt_t *parse_log_opt;
++ librpz_log_level_val_t *log_level_val;
++ librpz_set_log_t *set_log;
++ librpz_vpemsg_t *vpemsg;
++ librpz_pemsg_t *pemsg;
++ librpz_vlog_t *vlog;
++ librpz_log_t *log;
++ librpz_fatal_t *fatal LIBRPZ_NORET;
++ librpz_rpz_assert_t *rpz_assert LIBRPZ_NORET;
++ librpz_rpz_vassert_t *rpz_vassert LIBRPZ_NORET;
++ librpz_clist_create_t *clist_create;
++ librpz_clist_detach_t *clist_detach;
++ librpz_client_create_t *client_create;
++ librpz_connect_t *connect;
++ librpz_client_detach_t *client_detach;
++ librpz_rsp_create_t *rsp_create;
++ librpz_rsp_detach_t *rsp_detach;
++ librpz_rsp_result_t *rsp_result;
++ librpz_have_trig_t *have_trig;
++ librpz_have_ns_trig_t *have_ns_trig;
++ librpz_rsp_clientip_prefix_t *rsp_clientip_prefix;
++ librpz_rsp_domain_t *rsp_domain;
++ librpz_rsp_rr_t *rsp_rr;
++ librpz_rsp_soa_t *rsp_soa;
++ librpz_soa_serial_t *soa_serial;
++ librpz_rsp_push_t *rsp_push;
++ librpz_rsp_pop_t *rsp_pop;
++ librpz_rsp_pop_discard_t *rsp_pop_discard;
++ librpz_rsp_forget_zone_t *rsp_forget_zone;
++ librpz_ck_ip_t *ck_ip;
++ librpz_ck_domain_t *ck_domain;
++ librpz_zone_refresh_t *zone_refresh;
++ librpz_db_info_t *db_info;
++ librpz_itr_start_t *itr_start;
++ librpz_mf_stats_t *mf_stats;
++ librpz_vers_stats_t *vers_stats;
++ librpz_itr_zone_t *itr_zone;
++ librpz_itr_node_t *itr_node;
++ librpz_policy2str_t *policy2str;
++ librpz_trig2str_t *trig2str;
++ librpz_secs2str_t *secs2str;
++ librpz_str2secs_t *str2secs;
++ librpz_rtype2str_t *rtype2str;
++ librpz_domain_ntop_t *domain_ntop;
++ librpz_domain_pton2_t *domain_pton2;
++ librpz_mk_inet_su_t *mk_inet_su;
++ librpz_mk_inet6_su_t *mk_inet6_su;
++ librpz_str2su_t *str2su;
++ librpz_su2str_t *su2str;
++} librpz_0_t;
++extern librpz_0_t librpz_def_0;
++
++/*
++ * Future versions can be upward compatible by defining LIBRPZ_DEF as
++ * librpz_X_t.
++ */
++#define LIBRPZ_DEF librpz_def_0
++#define LIBRPZ_DEF_STR "librpz_def_0"
++
++typedef librpz_0_t librpz_t;
++extern librpz_t *librpz;
++
++
++#if LIBRPZ_LIB_OPEN == 2
++#include <dlfcn.h>
++
++/**
++ * link-load librpz
++ * @param[out] emsg: error message
++ * @param[in,out] dl_handle: NULL or pointer to new dlopen handle
++ * @param[in] path: librpz.so path
++ * @return address of interface structure or NULL on failure
++ */
++static inline librpz_t *
++librpz_lib_open(librpz_emsg_t *emsg, void **dl_handle, const char *path)
++{
++ void *handle;
++ librpz_t *new_librpz;
++
++ emsg->c[0] = '\0';
++
++ /*
++ * Close a previously opened handle on librpz.so.
++ */
++ if (dl_handle != NULL && *dl_handle != NULL) {
++ if (dlclose(*dl_handle) != 0) {
++ snprintf(emsg->c, sizeof(librpz_emsg_t),
++ "dlopen(NULL): %s", dlerror());
++ return (NULL);
++ }
++ *dl_handle = NULL;
++ }
++
++ /*
++ * First try the main executable of the process in case it was
++ * linked to librpz.
++ * Do not worry if we cannot search the main executable of the process.
++ */
++ handle = dlopen(NULL, RTLD_NOW | RTLD_LOCAL);
++ if (handle != NULL) {
++ new_librpz = dlsym(handle, LIBRPZ_DEF_STR);
++ if (new_librpz != NULL) {
++ if (dl_handle != NULL)
++ *dl_handle = handle;
++ return (new_librpz);
++ }
++ if (dlclose(handle) != 0) {
++ snprintf(emsg->c, sizeof(librpz_emsg_t),
++ "dlsym(NULL, "LIBRPZ_DEF_STR"): %s",
++ dlerror());
++ return (NULL);
++ }
++ }
++
++ if (path == NULL || path[0] == '\0') {
++ snprintf(emsg->c, sizeof(librpz_emsg_t),
++ "librpz not linked and no dlopen() path provided");
++ return (NULL);
++ }
++
++ handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
++ if (handle == NULL) {
++ snprintf(emsg->c, sizeof(librpz_emsg_t), "dlopen(%s): %s",
++ path, dlerror());
++ return (NULL);
++ }
++ new_librpz = dlsym(handle, LIBRPZ_DEF_STR);
++ if (new_librpz != NULL) {
++ if (dl_handle != NULL)
++ *dl_handle = handle;
++ return (new_librpz);
++ }
++ snprintf(emsg->c, sizeof(librpz_emsg_t),
++ "dlsym(%s, "LIBRPZ_DEF_STR"): %s",
++ path, dlerror());
++ dlclose(handle);
++ return (NULL);
++}
++
++#elif defined(LIBRPZ_LIB_OPEN)
++
++/*
++ * Statically link to the librpz.so DSO on systems without dlopen()
++ */
++static inline librpz_t *
++librpz_lib_open(librpz_emsg_t *emsg, void **dl_handle, const char *path)
++{
++ (void)(path);
++
++ if (dl_handle != NULL)
++ *dl_handle = NULL;
++
++#if LIBRPZ_LIB_OPEN == 1
++ emsg->c[0] = '\0';
++ return (&LIBRPZ_DEF);
++#else
++ snprintf(emsg->c, sizeof(librpz_emsg_t),
++ "librpz not available via ./configure");
++ return (NULL);
++#endif /* LIBRPZ_LIB_OPEN */
++}
++#endif /* LIBRPZ_LIB_OPEN */
++
++#endif /* LIBRPZ_H */
+===================================================================
+RCS file: ./fastrpz/RCS/rpz.c,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.c
+--- ./fastrpz/rpz.c
++++ ./fastrpz/rpz.c
+@@ -0,0 +1,1357 @@
++/*
++ * fastrpz/rpz.c - interface to the fastrpz response policy zone library
++ *
++ * Optimize no-rewrite cases for speed but optimize rewriting for
++ * simplicity and size.
++ */
++
++#include "config.h"
++
++#ifdef ENABLE_FASTRPZ
++#include "daemon/daemon.h"
++#define LIBRPZ_LIB_OPEN FASTRPZ_LIB_OPEN
++#include "fastrpz/rpz.h"
++#include "daemon/worker.h"
++#include "iterator/iter_delegpt.h"
++#include "iterator/iter_utils.h"
++#include "iterator/iterator.h"
++#include "util/data/dname.h"
++#include "util/data/msgencode.h"
++#include "util/data/msgparse.h"
++#include "util/data/msgreply.h"
++#include "util/log.h"
++#include "util/netevent.h"
++#include "util/net_help.h"
++#include "util/regional.h"
++#include "util/storage/slabhash.h"
++#include "services/cache/dns.h"
++#include "services/cache/rrset.h"
++#include "services/mesh.h"
++#include "sldns/sbuffer.h"
++#include "sldns/rrdef.h"
++
++
++typedef enum state {
++ /* No more rewriting */
++ st_off = 1,
++ /* Send SERVFAIL */
++ st_servfail,
++ /* No dispositive hit yet */
++ st_unknown,
++ /* Let the iterator resolve a CNAME or get a delegation point. */
++ st_iterate,
++ /* Let the iterator resolve NS to check NSIP or NSDNAME triggers. */
++ st_ck_ns,
++ /* We have an answer */
++ st_rewritten,
++} st_t;
++
++
++/* RPZ state pointed to by struct comm_reply */
++typedef struct commreply_rpz {
++ /* librpz state */
++ librpz_rsp_t* rsp;
++ /* ID for log messages */
++ int log_id;
++
++ /* from configuration */
++ int min_ns_dots;
++
++ /* Running in the iterator */
++ bool iterating;
++
++ /* current and previous state and librpz result */
++ st_t st;
++ st_t saved_st[LIBRPZ_RSP_STACK_DEPTH-1];
++ librpz_result_t result;
++
++ /* Stop adding CNAMEs to the prepend list before this owner name. */
++ librpz_domain_buf_t cname_hit;
++ /* It is not the first CNAME */
++ bool cname_hit_2nd;
++ librpz_result_id_t hit_id;
++} commreply_rpz_t;
++
++
++/* Generate an ID for log messages. */
++static int log_id;
++
++librpz_t *librpz;
++
++
++static void LIBRPZ_NORET
++rpz_assert(const char *s)
++{
++ fatal_exit("%s", s);
++ exit(1);
++}
++#define RPZ_ASSERT(c) ((c) ? (void)0 : rpz_assert(#c), (void)0)
++
++/*
++ * librpz client handle locking
++ */
++static void
++lock_destroy(void* mutex)
++{
++ lock_basic_destroy(mutex);
++ free(mutex);
++}
++
++static void
++lock(void* mutex)
++{
++ lock_basic_lock(mutex);
++}
++
++static void
++unlock(void* mutex)
++{
++ lock_basic_unlock(mutex);
++}
++
++
++static void
++log_fnc(librpz_log_level_t level, void* ATTR_UNUSED(ctx), const char* buf)
++{
++ char label_buf[sizeof("rpz ")+8];
++
++ /* Setting librpz_log_level overrides the unbound "verbose" level. */
++ if(level > LIBRPZ_LOG_TRACE1 &&
++ level <= librpz->log_level_val(LIBRPZ_LOG_INVALID))
++ level = LIBRPZ_LOG_TRACE1;
++
++ switch(level) {
++ case LIBRPZ_LOG_FATAL:
++ case LIBRPZ_LOG_ERROR: /* errors */
++ default:
++ log_err("rpz: %s", buf);
++ break;
++
++ case LIBRPZ_LOG_TRACE1: /* big events such as dnsrpzd starts */
++ verbose(VERB_OPS, "rpz: %s", buf);
++ break;
++
++ case LIBRPZ_LOG_TRACE2: /* smaller dnsrpzd zone transfers */
++ verbose(VERB_DETAIL, "rpz: %s", buf);
++ break;
++
++ case LIBRPZ_LOG_TRACE3: /* librpz hits */
++ verbose(VERB_QUERY, "rpz: %s", buf);
++ break;
++
++ case LIBRPZ_LOG_TRACE4: /* librpz lookups */
++ verbose(VERB_CLIENT, "rpz: %s", buf);
++ break;
++ }
++}
++
++
++/* Release the librpz version. */
++static void
++rpz_off(commreply_rpz_t* rpz, st_t st)
++{
++ if(!rpz)
++ return;
++ rpz->st = st;
++ librpz->rsp_detach(&rpz->rsp);
++}
++
++
++static void LIBRPZ_PF(2,3)
++log_fail(commreply_rpz_t* rpz, const char* p, ...)
++{
++ va_list args;
++
++ if(rpz->st == st_servfail)
++ return;
++
++ va_start(args, p);
++ librpz->vlog(LIBRPZ_LOG_ERROR, rpz, p, args);
++ va_end(args);
++ if(!rpz)
++ return;
++ rpz_off(rpz, st_servfail);
++}
++
++
++/* Announce a rewrite. */
++static void
++log_rewrite(uint8_t* qname, librpz_policy_t policy, const char* msg,
++ commreply_rpz_t* rpz)
++{
++ char policy_buf[POLICY2STR_SIZE];
++ char qname_nm[LDNS_MAX_DOMAINLEN+1];
++ librpz_domain_buf_t tdomain;
++ char tdomain_nm[LDNS_MAX_DOMAINLEN+1];
++ librpz_emsg_t emsg;
++
++ if(rpz->st == st_servfail || !rpz->result.log)
++ return;
++ if(librpz->log_level_val(LIBRPZ_LOG_INVALID) < LIBRPZ_LOG_TRACE1)
++ return;
++
++ dname_str(qname, qname_nm);
++
++ if(!librpz->rsp_domain(&emsg, &tdomain, rpz->rsp)) {
++ librpz->log(LIBRPZ_LOG_ERROR, rpz, "%s", emsg.c);
++ return;
++ }
++ dname_str(tdomain.d, tdomain_nm);
++
++ librpz->log(LIBRPZ_LOG_TRACE3, rpz, "%srewriting %s via %s %s to %s",
++ msg, qname_nm, tdomain_nm,
++ librpz->trig2str(rpz->result.trig),
++ librpz->policy2str(policy, policy_buf,
++ sizeof(policy_buf)));
++}
++
++
++/* Connect to and start dnsrpzd if necessary for the unbound daemon.
++ * Require "rpz-conf: path" to specify the rpz configuration file.
++ * The unbound server directory name is the default rpz working
++ * directory. If unbound uses chroot, then the dnsrpzd working
++ * directory must be in the chroot tree.
++ * The database and socket are closed and re-opened.
++ */
++void
++rpz_init(librpz_clist_t** pclist, librpz_client_t** pclient,
++ const struct config_file* cfg)
++{
++ lock_basic_type* mutex;
++ librpz_emsg_t emsg;
++
++ if(!librpz) {
++ librpz = librpz_lib_open(&emsg, NULL, FASTRPZ_LIBRPZ_PATH);
++ if(!librpz)
++ fatal_exit("rpz: %s", emsg.c);
++ }
++
++ librpz->set_log(&log_fnc, NULL);
++
++ if(!cfg->rpz_cstr)
++ fatal_exit("rpz: rpz-zone: not set");
++
++ librpz->client_detach(pclient);
++ librpz->clist_detach(pclist);
++
++ mutex = malloc(sizeof(*mutex));
++ if(!mutex)
++ fatal_exit("rpz: no memory for lock");
++ lock_basic_init(mutex);
++
++ *pclist = librpz->clist_create(&emsg, &lock, &unlock, &lock_destroy,
++ mutex, NULL);
++ if(!pclist)
++ fatal_exit("rpz: %s", emsg.c);
++
++ *pclient = librpz->client_create(&emsg, *pclist, cfg->rpz_cstr, false);
++ if(!*pclient)
++ fatal_exit("rpz: %s", emsg.c);
++
++ if(!librpz->connect(&emsg, *pclient, true))
++ fatal_exit("rpz: %s", emsg.c);
++
++ verbose(VERB_OPS, "rpz: librpz version %s", librpz->version);
++}
++
++
++/* Stop using librpz on behalf of a worker thread. */
++void
++rpz_delete(librpz_clist_t** pclist, librpz_client_t** pclient)
++{
++ if(librpz) {
++ librpz->client_detach(pclient);
++ librpz->clist_detach(pclist);
++ }
++}
++
++
++/* Release the librpz resources held for a DNS client request. */
++void
++rpz_end(struct comm_reply* commreply)
++{
++ if(!commreply->rpz)
++ return;
++ rpz_off(commreply->rpz, commreply->rpz->st);
++ free(commreply->rpz);
++ commreply->rpz = NULL;
++}
++
++
++static bool
++push_st(commreply_rpz_t* rpz)
++{
++ librpz_emsg_t emsg;
++
++ if(rpz->st == st_off || rpz->st == st_servfail) {
++ librpz->log(LIBRPZ_LOG_ERROR, rpz,
++ "state %d in push_st()", rpz->st);
++ return false;
++ }
++ if(!librpz->rsp_push(&emsg, rpz->rsp))
++ log_fail(rpz, "%s", emsg.c);
++ memmove(&rpz->saved_st[1], &rpz->saved_st[0],
++ sizeof(rpz->saved_st) - sizeof(rpz->saved_st[0]));
++ rpz->saved_st[0] = rpz->st;
++ return rpz->st != st_servfail;
++}
++
++
++static bool
++pop_st(commreply_rpz_t* rpz)
++{
++ librpz_emsg_t emsg;
++
++ if(rpz->rsp && !librpz->rsp_pop(&emsg, &rpz->result, rpz->rsp))
++ log_fail(rpz, "%s", emsg.c);
++ if(rpz->st != st_servfail)
++ rpz->st = rpz->saved_st[0];
++ memmove(&rpz->saved_st[0], &rpz->saved_st[1],
++ sizeof(rpz->saved_st) - sizeof(rpz->saved_st[0]));
++ return rpz->st != st_servfail;
++}
++
++static bool
++pop_discard_st(commreply_rpz_t* rpz)
++{
++ librpz_emsg_t emsg;
++
++ if(rpz->rsp && !librpz->rsp_pop_discard(&emsg, rpz->rsp))
++ log_fail(rpz, "%s", emsg.c);
++ memmove(&rpz->saved_st[0], &rpz->saved_st[1],
++ sizeof(rpz->saved_st) - sizeof(rpz->saved_st[0]));
++ return rpz->st != st_servfail;
++}
++
++/* Check a rewrite attempt for errors and a disabled zone. */
++static bool /* true=repeat the check */
++ck_after(uint8_t* qname, bool recursed, librpz_trig_t trig,
++ commreply_rpz_t* rpz)
++{
++ librpz_emsg_t emsg;
++
++ if(rpz->st == st_servfail)
++ return false;
++
++ if(!librpz->rsp_result(&emsg, &rpz->result, recursed, rpz->rsp)) {
++ log_fail(rpz, "%s", emsg.c);
++ return false;
++ }
++
++ if(rpz->result.policy == LIBRPZ_POLICY_DISABLED) {
++ /* Log the hit on the disabled zone, do not try the zone again,
++ * and restore the state from before the check to forget the hit
++ * before trying again. */
++ log_rewrite(qname, rpz->result.zpolicy, "disabled ", rpz);
++ if(!librpz->rsp_forget_zone(&emsg, rpz->result.cznum, rpz->rsp))
++ log_fail(rpz, "%s", emsg.c);
++ return pop_st(rpz);
++ }
++
++ /* Complain about and forget client-IP address hit that is not
++ * dispositive. Client-IP triggers have the highest priority
++ * within a policy zone, but can be overridden by any hit in a policy
++ * earlier in the client's (resolver's) list of zones, including
++ * policies that cannot be hit until after recursion. If we allowed
++ * client-IP triggers in secondary zones, then than two DNS requests
++ * that differ only in DNS client-IP addresses could properly
++ * have differing results. The Unbound iterator treats identical
++ * DNS requests the same regardless of DNS client-IP address.
++ * struct query_info would need to be modified to have an optional
++ * librpz_prefix_t containing the prefix of the client-IP address hit
++ * from librpz->rsp_clientip_prefix(). Adding to struct query_info
++ * would require finding and changing the many and obscure places
++ * including the Unbound tests to memset(0) the struct query_info
++ * that they create. */
++ if(trig == LIBRPZ_TRIG_CLIENT_IP) {
++ if(rpz->result.cznum != 0) {
++ log_rewrite(qname, rpz->result.policy,
++ "ignore secondary ", rpz);
++ if(!pop_st(rpz))
++ log_fail(rpz, "%s", emsg.c);
++ return (false);
++ }
++ }
++
++ /* Forget the state from before the check and keep the new state
++ * if we do not have a hit on a disabled policy zone. */
++ pop_discard_st(rpz);
++ return false;
++}
++
++
++/* Get the next RR from the policy record. */
++static bool
++next_rr(librpz_rr_t** rrp, const uint8_t* qname, size_t qname_len,
++ commreply_rpz_t* rpz)
++{
++ librpz_emsg_t emsg;
++
++ if(!librpz->rsp_rr(&emsg, NULL, NULL, NULL, rrp, &rpz->result,
++ qname, qname_len, rpz->rsp)) {
++ log_fail(rpz, "%s", emsg.c);
++ *rrp = NULL;
++ return false;
++ }
++ return true;
++}
++
++
++static bool /* false=fatal error to be logged */
++add_rr(struct sldns_buffer* pkt, const uint8_t* owner, size_t owner_len,
++ librpz_rr_t* rr, commreply_rpz_t* rpz)
++{
++ size_t rdlength;
++
++ rdlength = ntohs(rr->rdlength);
++
++ if(!sldns_buffer_available(pkt, owner_len + 10 + rdlength)) {
++ log_fail(rpz, "comm_reply buffer exhausted");
++ free(rr);
++ return false;
++ }
++ sldns_buffer_write(pkt, owner, owner_len);
++ /* sizeof(librpz_rr_t)=12 instead of 10 */
++ sldns_buffer_write(pkt, rr, 10 + rdlength);
++ return true;
++}
++
++
++/* Convert a fake incoming DNS message to an Unbound struct dns_msg */
++static void
++pkt2dns_msg(struct dns_msg** dnsmsg, struct sldns_buffer* pkt,
++ commreply_rpz_t* rpz, struct regional* region)
++{
++ struct msg_parse* msgparse;
++
++ msgparse = regional_alloc(region, sizeof(*msgparse));
++ if(!msgparse) {
++ log_fail(rpz, "out of memory for msgparse");
++ *dnsmsg = NULL;
++ return;
++ }
++ memset(msgparse, 0, sizeof(*msgparse));
++ if(parse_packet(pkt, msgparse, region) != LDNS_RCODE_NOERROR) {
++ log_fail(rpz, "packet parse error");
++ *dnsmsg = NULL;
++ return;
++ }
++ *dnsmsg = dns_alloc_msg(pkt, msgparse, region);
++ if(!*dnsmsg) {
++ log_fail(rpz, "dns_alloc_msg() failed");
++ *dnsmsg = NULL;
++ return;
++ }
++ (*dnsmsg)->rep->security = sec_status_rpz_rewritten;
++}
++
++
++static bool /* false=SERVFAIL */
++ck_ip_rrset(const void* vdata, int family, librpz_trig_t trig,
++ uint8_t* qname, commreply_rpz_t* rpz)
++{
++ const struct packed_rrset_data* data;
++ uint rr_n;
++ size_t len;
++ librpz_emsg_t emsg;
++
++ data = vdata;
++
++ /* Loop to ignore disabled zones. */
++ do {
++ if(!push_st(rpz))
++ return false;
++ for(rr_n = 0; rr_n < data->count; ++rr_n) {
++ len = data->rr_len[rr_n];
++ /* Skip bogus including negative placeholding rdata. */
++ if((family == AF_INET &&
++ len != sizeof(struct in_addr)+2) ||
++ (family == AF_INET6 &&
++ len != sizeof(struct in6_addr)+2))
++ continue;
++ if(!librpz->ck_ip(&emsg, data->rr_data[rr_n]+2,
++ family, trig, rpz->hit_id, true,
++ rpz->rsp)) {
++ log_fail(rpz, "%s", emsg.c);
++ return false;
++ }
++ }
++ } while(ck_after(qname, true, trig, rpz));
++ return rpz->st != st_servfail;
++}
++
++
++static bool /* false=SERVFAIL */
++ck_dname(uint8_t* dname, size_t dname_size, librpz_trig_t trig,
++ uint8_t* qname, bool recursed, commreply_rpz_t* rpz)
++{
++ librpz_emsg_t emsg;
++
++ /* Refuse to check the root. */
++ if(dname_is_root(dname))
++ return rpz->st != st_servfail;
++
++ /* Loop to ignore disabled zones. */
++ do {
++ if(!push_st(rpz))
++ return false;
++ if(!librpz->ck_domain(&emsg, dname, dname_size, trig,
++ rpz->hit_id, recursed, rpz->rsp)) {
++ log_fail(rpz, "%s", emsg.c);
++ return false;
++ }
++ } while(ck_after(qname, recursed, trig, rpz));
++
++ return rpz->st != st_servfail;
++}
++
++
++/* Check the IPv4 or IPv6 addresses for one NS name. */
++static bool /* false=st_servfail */
++ck_1nsip(uint8_t* nsname, size_t nsname_size, int family, int qtype,
++ bool* have_ns, commreply_rpz_t* rpz, struct module_env* env)
++{
++ struct ub_packed_rrset_key* akey;
++
++ akey = rrset_cache_lookup(env->rrset_cache, nsname, nsname_size,
++ qtype, LDNS_RR_CLASS_IN, 0, 0, 0);
++ if(akey) {
++ *have_ns = true;
++
++ if(!ck_ip_rrset(akey->entry.data, family, LIBRPZ_TRIG_NSIP,
++ nsname, rpz)) {
++ lock_rw_unlock(&akey->entry.lock);
++ return false;
++ }
++ lock_rw_unlock(&akey->entry.lock);
++ }
++ return true;
++}
++
++
++static bool /* false=st_servfail */
++ck_qname(uint8_t* qname, size_t qname_len,
++ bool recursed, /* recursion done */
++ bool wait_ns, /* willing to iterate for NS data */
++ commreply_rpz_t* rpz, struct module_env* env)
++{
++ uint8_t* dname;
++ size_t dname_size;
++ int cur_lab;
++ struct ub_packed_rrset_key* nskey;
++ const struct packed_rrset_data* nsdata;
++ uint8_t* nsname;
++ size_t nsname_size;
++ uint rr_n;
++ bool have_ns, tried_ns;
++
++ if(!ck_dname(qname, qname_len, LIBRPZ_TRIG_QNAME, qname, false, rpz))
++ return false;
++
++ /* Do not waste time looking for NSDNAME and NSIP hits when there
++ * are no currently relevant triggers. */
++ if(!librpz->have_ns_trig(rpz->rsp))
++ return true;
++
++ have_ns = false;
++ tried_ns = false;
++ dname = qname;
++ dname_size = qname_len;
++ for(cur_lab = dname_count_labels(dname) - 2;
++ cur_lab > rpz->min_ns_dots;
++ --cur_lab) {
++ tried_ns = true;
++ dname_remove_label(&dname, &dname_size);
++ nskey = rrset_cache_lookup(env->rrset_cache, dname, dname_size,
++ LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN,
++ 0, 0, 0);
++ if(!nskey)
++ continue;
++
++ nsdata = (const struct packed_rrset_data*)nskey->entry.data;
++ for(rr_n = 0;
++ rr_n < nsdata->count && rpz->st == st_unknown;
++ ++rr_n) {
++ nsname = nsdata->rr_data[rr_n]+2;
++ nsname_size = nsdata->rr_len[rr_n];
++ if(nsname_size <= 2)
++ continue;
++ nsname_size -= 2;
++ if(!ck_dname(nsname, nsname_size, LIBRPZ_TRIG_NSDNAME,
++ qname, recursed, rpz))
++ return false;
++ if(!ck_1nsip(nsname, nsname_size, AF_INET,
++ LDNS_RR_TYPE_A, &have_ns, rpz, env))
++ return false;
++ if(!ck_1nsip(nsname, nsname_size, AF_INET6,
++ LDNS_RR_TYPE_AAAA, &have_ns, rpz, env))
++ return false;
++ }
++ lock_rw_unlock(&nskey->entry.lock);
++ }
++
++ /* If we failed to find NS records, then stop building the response
++ * before a CNAME with this owner name. */
++ if(!have_ns && tried_ns && (!recursed || wait_ns)) {
++ rpz->cname_hit.size = qname_len;
++ RPZ_ASSERT(rpz->cname_hit.size <= sizeof(rpz->cname_hit.d));
++ memcpy(rpz->cname_hit.d, qname, qname_len);
++ rpz->result.hit_id = rpz->hit_id;
++ rpz->st = st_ck_ns;
++ }
++ return true;
++}
++
++
++/*
++ * Are we ready to rewrite the response?
++ */
++static bool /* true=send rewritten response */
++ck_result(uint8_t* qname, bool recursed,
++ commreply_rpz_t* rpz, const struct comm_point* commpoint)
++{
++ librpz_emsg_t emsg;
++
++ switch(rpz->st) {
++ case st_off:
++ case st_servfail:
++ case st_rewritten:
++ return false;
++ case st_unknown:
++ break;
++ case st_iterate:
++ return false;
++ case st_ck_ns:
++ /* An NSDNAME or NSIP check failed for lack of cached data. */
++ return false;
++#pragma clang diagnostic push
++#pragma clang diagnostic ignored "-Wunreachable-code"
++ default:
++ fatal_exit("impossible RPZ state %d in rpz_worker_cache()",
++ rpz->st);
++#pragma clang diagnostic pop
++ }
++
++ /* Wait for a trigger. */
++ if(rpz->result.policy == LIBRPZ_POLICY_UNDEFINED) {
++ if(recursed &&
++ rpz->result.zpolicy != LIBRPZ_POLICY_UNDEFINED &&
++ !librpz->rsp_result(&emsg, &rpz->result, true, rpz->rsp)) {
++ log_fail(rpz, "%s", emsg.c);
++ return false;
++ }
++ if(rpz->result.policy == LIBRPZ_POLICY_UNDEFINED)
++ return false;
++ }
++
++ if(rpz->result.policy == LIBRPZ_POLICY_PASSTHRU) {
++ log_rewrite(qname, rpz->result.policy, "", rpz);
++ rpz_off(rpz, st_off);
++ return false;
++ }
++
++ /* The TCP-only policy answers UDP requests with truncated responses. */
++ if(rpz->result.policy == LIBRPZ_POLICY_TCP_ONLY &&
++ commpoint->type == comm_tcp) {
++ rpz_off(rpz, st_off);
++ return false;
++ }
++
++ return true;
++}
++
++
++/*
++ * Convert an RPZ hit to a struct dns_msg
++ */
++static void
++get_result_msg(struct dns_msg** dnsmsg, struct query_info* qinfo,
++ uint16_t id, uint16_t flags, bool recursed, commreply_rpz_t* rpz,
++ struct comm_point* commpoint, struct regional* region)
++{
++ librpz_rr_t* rr;
++ librpz_domain_buf_t origin;
++ struct sldns_buffer* pkt;
++ uint16_t num_rrs;
++ librpz_emsg_t emsg;
++
++ *dnsmsg = NULL;
++ if(!ck_result(qinfo->qname, recursed, rpz, commpoint))
++ return;
++
++ rpz->st = st_rewritten;
++
++ if(rpz->result.policy == LIBRPZ_POLICY_DROP) {
++ log_rewrite(qinfo->qname, rpz->result.policy, "", rpz);
++ /* Make a fake cached message to carry
++ * sec_status_rpz_drop and be dropped. */
++ error_encode(commpoint->buffer, LDNS_RCODE_NOERROR,
++ qinfo, id, flags, NULL);
++ pkt2dns_msg(dnsmsg, commpoint->buffer, rpz, region);
++ (*dnsmsg)->rep->security = sec_status_rpz_drop;
++ return;
++ }
++
++ /* Create a DNS message of the RPZ data.
++ * In many cases that message could be sent directly to the DNS client,
++ * but sometimes iteration must be used to resolve a CNAME.
++ * This need not be fast, because rewriting responses should be rare.
++ * Therefore, use the simpler but slower tactic of generating a
++ * parsed version of the message. */
++
++ flags &= ~BIT_AA;
++ flags |= BIT_QR | BIT_RA;
++ rr = NULL;
++
++ /* The TCP-only policy answers UDP requests with truncated responses. */
++ if(rpz->result.policy == LIBRPZ_POLICY_TCP_ONLY) {
++ flags |= BIT_TC;
++
++ } else if(rpz->result.policy == LIBRPZ_POLICY_NXDOMAIN) {
++ flags |= LDNS_RCODE_NXDOMAIN;
++
++ } else if(rpz->result.policy == LIBRPZ_POLICY_CNAME) {
++ if(!rpz->iterating &&
++ qinfo->qtype != LDNS_RR_TYPE_CNAME) {
++ /* The new DNS message would be a CNAME and
++ * the external request was not for a CNAME.
++ * The worker must punt to the iterator so that
++ * the iterator can resolve the CNAME. */
++ rpz->st = st_iterate;
++ return;
++ }
++ next_rr(&rr, qinfo->qname, qinfo->qname_len, rpz);
++
++ } else if(rpz->result.policy == LIBRPZ_POLICY_RECORD ||
++ rpz->result.policy == LIBRPZ_POLICY_NODATA) {
++ next_rr(&rr, qinfo->qname, qinfo->qname_len, rpz);
++ /* Punt to the iterator if the new DNS message would
++ * be a CNAME that must be resolved. */
++ if(!rpz->iterating &&
++ qinfo->qtype != LDNS_RR_TYPE_CNAME &&
++ rr && rr->type == ntohs(LDNS_RR_TYPE_CNAME)) {
++ free(rr);
++ rpz->st = st_iterate;
++ return;
++ }
++ }
++ log_rewrite(qinfo->qname, rpz->result.policy, "", rpz);
++
++ /* Make a buffer containing a DNS message with the RPZ data. */
++ pkt = commpoint->buffer;
++ sldns_buffer_clear(pkt);
++ if(sldns_buffer_remaining(pkt) < LDNS_HEADER_SIZE) {
++ log_fail(rpz, "comm_reply buffer too small for header");
++ if(rr)
++ free(rr);
++ return;
++ }
++
++ /* Install ID, flags, QDCOUNT=1, ANCOUNT=# of RPZ RRs, NSCOUNT=0,
++ * and ARCOUNT=1 for the RPZ SOA. */
++ sldns_buffer_write_u16(pkt, id);
++ sldns_buffer_write_u16(pkt, flags);
++ sldns_buffer_write_u16(pkt, 1); /* QDCOUNT */
++ sldns_buffer_write_u16(pkt, 0); /* ANCOUNT will be set later */
++ sldns_buffer_write_u16(pkt, 0); /* NSCOUNT */
++ sldns_buffer_write_u16(pkt, 1); /* ARCOUNT */
++
++ /* Install the question with the LDNS_RR_CLASS_RPZ bit to
++ * to distinguish this supposed cache entry from the real deal. */
++ sldns_buffer_write(pkt, qinfo->qname, qinfo->qname_len);
++ sldns_buffer_write_u16(pkt, qinfo->qtype);
++ sldns_buffer_write_u16(pkt, LDNS_RR_CLASS_IN);
++
++ /* Install the RPZ RRs in the answer section */
++ num_rrs = 0;
++ while(rr) {
++ /* Include only the requested RRs. */
++ if(qinfo->qtype == LDNS_RR_TYPE_ANY ||
++ rr->type == htons(qinfo->qtype) ||
++ rr->type == htons(LDNS_RR_TYPE_CNAME)) {
++ if(!add_rr(pkt, qinfo->qname, qinfo->qname_len,
++ rr, rpz))
++ return;
++
++ ++num_rrs;
++ }
++ free(rr);
++
++ next_rr(&rr, qinfo->qname, qinfo->qname_len, rpz);
++ }
++ /* Finish ANCOUNT. */
++ if(num_rrs != 0)
++ sldns_buffer_write_u16_at(pkt, 6, num_rrs);
++
++ /* All rewritten responses have an identifying SOA record in the
++ * additional section. */
++ if(!librpz->rsp_soa(&emsg, NULL, &rr, &origin,
++ &rpz->result, rpz->rsp)) {
++ log_fail(rpz, "no soa");
++ return;
++ }
++ if(!add_rr(pkt, origin.d, origin.size, rr, rpz))
++ return;
++ free(rr);
++
++ /* Create a dns_msg representation of the fake incoming message. */
++ sldns_buffer_flip(pkt);
++ pkt2dns_msg(dnsmsg, pkt, rpz, region);
++}
++
++
++/* Check the RRs in the ANSWER section of a reply_info. */
++static void
++ck_reply(struct reply_info* reply, uint8_t* qname, bool wait_ns,
++ commreply_rpz_t* rpz, struct module_env* env)
++{
++ struct ub_packed_rrset_key* rrset;
++ enum sldns_enum_rr_type type;
++ uint rrset_n;
++
++ /* Check the RRs in the ANSWER section. */
++ rpz->cname_hit.size = 0;
++ rpz->cname_hit_2nd = false;
++ for(rrset_n = 0; rrset_n < reply->an_numrrsets; ++rrset_n) {
++ /* Check all of the RRs before deciding. */
++ if(rpz->st != st_unknown)
++ return;
++
++ rrset = reply->rrsets[rrset_n];
++ if(ntohs(rrset->rk.rrset_class) != LDNS_RR_CLASS_IN)
++ continue;
++ type = ntohs(rrset->rk.type);
++
++ if(type == LDNS_RR_TYPE_A) {
++ if(!ck_ip_rrset(rrset->entry.data, AF_INET,
++ LIBRPZ_TRIG_IP, qname, rpz))
++ break;
++
++ } else if(type == LDNS_RR_TYPE_AAAA) {
++ if(!ck_ip_rrset(rrset->entry.data, AF_INET6,
++ LIBRPZ_TRIG_IP, qname, rpz))
++ break;
++
++ } else if(type == LDNS_RR_TYPE_CNAME) {
++ /* Check CNAME owners unless we already have a hit. */
++ ++rpz->hit_id;
++ if(!ck_qname(rrset->rk.dname, rrset->rk.dname_len,
++ true, wait_ns, rpz, env))
++ break;
++
++ /* Do not worry about the CNAME if it did not hit,
++ * but note the miss so that it can be prepended
++ * if we do hit. */
++ if(rpz->result.hit_id != rpz->hit_id) {
++ rpz->cname_hit_2nd = true;
++ continue;
++ }
++
++ /* Stop after hitting a CNAME.
++ * The iterator must be used to include CNAMEs before
++ * the CNAME that hit in the rewritten response. */
++ rpz->cname_hit.size = rrset->rk.dname_len;
++ RPZ_ASSERT(rpz->cname_hit.size <= sizeof(rpz->cname_hit.d));
++ memcpy(rpz->cname_hit.d, rrset->rk.dname,
++ rpz->cname_hit.size);
++ break;
++ }
++ }
++}
++
++
++static void
++worker_servfail(struct worker* worker, struct query_info* qinfo,
++ uint16_t id, uint16_t flags, struct comm_reply* commreply)
++{
++ error_encode(commreply->c->buffer, LDNS_RCODE_SERVFAIL,
++ qinfo, id, flags, NULL);
++ regional_free_all(worker->scratchpad);
++ comm_point_send_reply(commreply);
++}
++
++
++/* Send an RPZ answer before the iterator has started.
++ * @return: 1=continue normal unbound processing
++ * 0=punt to the iterator
++ * -1=rewritten response already sent or dropped. */
++static int
++worker_send(struct dns_msg* dnsmsg, struct worker* worker,
++ struct query_info* qinfo, uint16_t id, uint16_t flags,
++ struct edns_data* edns, struct comm_reply* commreply)
++{
++ switch (commreply->rpz->st) {
++ case st_off:
++ return 1;
++ case st_servfail:
++ worker_servfail(worker, qinfo, id, flags, commreply);
++ return -1;
++ case st_unknown:
++ return 1;
++ case st_iterate:
++ case st_ck_ns:
++ return 0; /* punt to the iterator */
++ case st_rewritten:
++ break;
++ default:
++ fatal_exit("impossible RPZ state %d in worker_send()",
++ commreply->rpz->st);
++ }
++
++ if(dnsmsg->rep->security == sec_status_rpz_drop) {
++ regional_free_all(worker->scratchpad);
++ comm_point_drop_reply(commreply);
++ return -1;
++ }
++
++ edns->edns_version = EDNS_ADVERTISED_VERSION;
++ edns->udp_size = EDNS_ADVERTISED_SIZE;
++ edns->ext_rcode = 0;
++ edns->bits = 0; /* rewritten response cannot verify. */
++ if(!reply_info_answer_encode(qinfo, dnsmsg->rep,
++ id, flags | BIT_QR,
++ commreply->c->buffer, 0, 1,
++ worker->scratchpad,
++ edns->udp_size, edns, 0, 0)) {
++ worker_servfail(worker, qinfo, id, flags, commreply);
++ } else {
++ regional_free_all(worker->scratchpad);
++ comm_point_send_reply(commreply);
++ }
++ return -1;
++}
++
++
++/* Set commreply to an RPZ context if the response might be rewritten.
++ * Try to answer now with a hit allowed before recursion (iteration). */
++bool /* true=response sent or dropped */
++rpz_start(struct worker* worker, struct query_info* qinfo,
++ struct comm_reply* commreply, struct edns_data* edns)
++{
++ commreply_rpz_t* rpz;
++ uint16_t id, flags;
++ struct dns_msg* dnsmsg;
++ int family;
++ const void* addr;
++ librpz_emsg_t emsg;
++
++ /* Quit if rpz not configured. */
++ if(!worker->daemon->rpz_client)
++ return false;
++
++ /* Rewrite only the Internet class */
++ if(qinfo->qclass != LDNS_RR_CLASS_IN)
++ return false;
++
++ rpz = commreply->rpz;
++ RPZ_ASSERT(!rpz);
++
++ dnsmsg = NULL;
++ id = htons(sldns_buffer_read_u16_at(commreply->c->buffer, 0));
++ flags = sldns_buffer_read_u16_at(commreply->c->buffer, 2);
++
++ rpz = malloc(sizeof(*rpz));
++ if(!rpz) {
++ librpz->log(LIBRPZ_LOG_ERROR, NULL, "no memory for rpz");
++ return 0 > worker_send(dnsmsg, worker, qinfo,
++ id, flags, edns, commreply);
++ }
++ memset(rpz, 0, sizeof(*rpz));
++ rpz->st = st_unknown;
++ commreply->rpz = rpz;
++
++ /* Make a new ID for log messages */
++ rpz->log_id = __sync_add_and_fetch(&log_id, 1);
++
++ /* Get access to the librpz data. */
++ if(!librpz->rsp_create(&emsg, &rpz->rsp, &rpz->min_ns_dots,
++ worker->daemon->rpz_client,
++ (flags & BIT_RD) != 0,
++ (edns->bits & EDNS_DO) != 0)) {
++ log_fail(rpz, "%s", emsg.c);
++ return false;
++ }
++ /* Quit if benign reasons prevent rewriting. */
++ if(!rpz->rsp) {
++ rpz->st = st_off;
++ librpz->log(LIBRPZ_LOG_TRACE1, rpz, "%s", emsg.c);
++ return false;
++ }
++
++ /* Check the client IP address.
++ * Do not use commreply->srctype because it is often 0. */
++ family = ((struct sockaddr*)&commreply->addr)->sa_family;
++ switch(family) {
++ case AF_INET:
++ addr = &((struct sockaddr_in*)&commreply->addr)->sin_addr;
++ break;
++ case AF_INET6:
++ addr = &((struct sockaddr_in6*)&commreply->addr)->sin6_addr;
++ break;
++ default:
++ /* Maybe the client is on a UNIX domain socket. */
++ librpz->log(LIBRPZ_LOG_TRACE2, rpz,
++ "unknown client address family %d", family);
++ addr = NULL;
++ break;
++ }
++ /* Loop to ignore disabled zones. */
++ while(addr) {
++ if(!push_st(rpz))
++ break;
++ if(!librpz->ck_ip(&emsg, addr, family, LIBRPZ_TRIG_CLIENT_IP,
++ rpz->hit_id, true, rpz->rsp)) {
++ log_fail(rpz, "%s", emsg.c);
++ break;
++ }
++ if(!ck_after(qinfo->qname, false, LIBRPZ_TRIG_CLIENT_IP, rpz))
++ break;
++ }
++ if(rpz->st == st_servfail)
++ return 0 > worker_send(dnsmsg, worker, qinfo,
++ id, flags, edns, commreply);
++
++ /* Check the QNAME and possibly replace a client-IP hit. */
++ ck_qname(qinfo->qname, qinfo->qname_len, false, true,
++ rpz, &worker->env);
++
++ get_result_msg(&dnsmsg, qinfo, id, flags, false,
++ rpz, commreply->c, worker->scratchpad);
++ return 0 > worker_send(dnsmsg, worker, qinfo,
++ id, flags, edns, commreply);
++}
++
++
++/* Check a cached reply before iteration.
++ * @return: 1=use cache entry
++ * 0=deny a cached entry exists in order to punt to the iterator
++ * -1=rewritten response already sent or dropped */
++int
++rpz_worker_cache(struct worker* worker, struct reply_info* reply,
++ struct query_info* qinfo, uint16_t id, uint16_t flags,
++ struct edns_data* edns, struct comm_reply* commreply)
++{
++ commreply_rpz_t* rpz;
++ struct dns_msg* dnsmsg;
++ st_t new_st;
++ librpz_rr_t* rr;
++
++ dnsmsg = NULL;
++
++ rpz = commreply->rpz;
++ switch(rpz->st) {
++ case st_off:
++ return 1; /* Send the cache entry. */
++ case st_servfail:
++ return worker_send(dnsmsg, worker, qinfo, id, flags,
++ edns, commreply);
++ case st_unknown:
++ break;
++ case st_iterate:
++ case st_ck_ns:
++ return 0; /* Punt to the iterator. */
++ case st_rewritten:
++ default:
++ fatal_exit("impossible RPZ state %d in rpz_worker_cache()",
++ rpz->st);
++ }
++
++ /* Check the RRs in the ANSWER section. */
++ if(!push_st(rpz))
++ return worker_send(dnsmsg, worker, qinfo, id, flags, edns,
++ commreply);
++
++ ck_reply(reply, qinfo->qname, true, rpz, &worker->env);
++ if(!ck_result(qinfo->qname, true, rpz, commreply->c))
++ return worker_send(dnsmsg, worker, qinfo, id, flags, edns,
++ commreply);
++
++ if(rpz->cname_hit.size != 0) {
++ /* Punt to the iterator if leading CNAMEs must be
++ * included in the rewritten response. */
++ rpz->cname_hit.size = 0;
++ new_st = st_iterate;
++
++ } else if(rpz->result.policy == LIBRPZ_POLICY_CNAME) {
++ /* Punt if the rewritten response is to a CNAME. */
++ new_st = st_iterate;
++
++ } else {
++ if(rpz->result.policy == LIBRPZ_POLICY_RECORD) {
++ next_rr(&rr, qinfo->qname, qinfo->qname_len, rpz);
++ if(rr) {
++ /* Punt we are rewriting to a CNAME. */
++ if(rr->type == ntohs(LDNS_RR_TYPE_CNAME)) {
++ free(rr);
++ rpz->st = st_iterate;
++ } else {
++ free(rr);
++ }
++ }
++ }
++ get_result_msg(&dnsmsg, qinfo, id, flags, true,
++ rpz, commreply->c, worker->scratchpad);
++ new_st = rpz->st;
++ }
++
++ switch(new_st) {
++ case st_off:
++ case st_servfail:
++ break;
++ case st_unknown:
++ pop_discard_st(rpz);
++ break;
++ case st_iterate:
++ case st_ck_ns:
++ if(pop_st(rpz))
++ rpz->st = new_st;
++ break;
++ case st_rewritten:
++ pop_discard_st(rpz);
++ break;
++ default:
++ fatal_exit("impossible RPZ state %d in rpz_worker_cache()",
++ rpz->st);
++ }
++
++ return worker_send(dnsmsg, worker, qinfo, id, flags, edns, commreply);
++}
++
++
++/* Check a cache hit or miss for the iterator.
++ * A cache miss can already have a QNAME hit that was ignored before checking
++ * the iterator because of "QNAME-WAIT-RECURSE yes".
++ * Cache hits are treated like responses from authorities. */
++bool /* false=SERVFAIL */
++rpz_iter_cache(struct dns_msg** msg, enum response_type* type,
++ struct module_qstate* qstate, struct iter_qstate* iq)
++{
++ struct comm_reply* commreply;
++ commreply_rpz_t* rpz;
++ struct dns_msg* dnsmsg;
++
++ commreply = &qstate->mesh_info->reply_list->query_reply;
++ rpz = commreply->rpz;
++
++ rpz->iterating = true;
++
++ switch(rpz->st) {
++ case st_off:
++ iq->rpz_rewritten = 1; /* RPZ has nothing to say. */
++ return true;
++ case st_servfail:
++ return false;
++ case st_unknown:
++ break;
++ case st_iterate:
++ case st_ck_ns:
++ rpz->st = st_unknown;
++ if(!ck_qname(iq->qchase.qname, iq->qchase.qname_len,
++ *msg != NULL, true, rpz, qstate->env))
++ return false;
++ /* If we must recurse regardless and if NSIP/NSDNAME
++ * checking failed, then delay in the hope that
++ * recursion will also get NS data. */
++ if(rpz->st == st_ck_ns)
++ return true;
++ break;
++ case st_rewritten:
++ default:
++ fatal_exit("impossible RPZ state %d in rpz_iter_cache()",
++ rpz->st);
++ }
++
++ push_st(rpz);
++
++ /* Check the cache hit. */
++ if(*msg)
++ ck_reply((*msg)->rep, iq->qchase.qname, true, rpz, qstate->env);
++
++ /* The DNS ID does not matter, because the generated dns_msg
++ * is nominally from an authority and not to the DNS client. */
++ get_result_msg(&dnsmsg, &iq->qchase, 1, qstate->query_flags, true,
++ rpz, commreply->c, qstate->region);
++
++ switch(rpz->st) {
++ case st_off:
++ iq->rpz_rewritten = 1; /* RPZ has nothing to say. */
++ return true;
++ case st_servfail:
++ return false;
++ case st_unknown:
++ /* RPZ has nothing to say yet. Maybe there will be a hit
++ * later in the CNAME chain. */
++ return pop_discard_st(rpz);
++ case st_ck_ns:
++ /* Try to get NS data for a CNAME found by ck_reply() */
++ *type = RESPONSE_TYPE_CNAME;
++ return pop_discard_st(rpz);
++ case st_iterate:
++ default:
++ fatal_exit("impossible RPZ state %d in rpz_iter_cache()",
++ rpz->st);
++ case st_rewritten:
++ break;
++ }
++
++ if(*msg && rpz->cname_hit.size != 0 && rpz->cname_hit_2nd) {
++ /* We hit a CNAME owner in the cached msg after not hitting one
++ * or more CNAME owners. We need to add those leading CNAMEs
++ * to the prepend list. Tell the iterator to treat the cached
++ * message as a RESPONSE_TYPE_CNAME even if it contains answers.
++ * handle_cname_response() will stop prepending CNAMEs before
++ * the triggering CNAME. handle_cname_response() will cause
++ * a restart to resolve the target of the preceding CNAME,
++ * which is the same as the hit CNAME owner. */
++ rpz->st = st_unknown;
++ *type = RESPONSE_TYPE_CNAME;
++ return pop_discard_st(rpz);
++ }
++
++ *msg = dnsmsg;
++ iq->rpz_security = dnsmsg->rep->security;
++
++ if(dnsmsg && dnsmsg->rep->an_numrrsets != 0 &&
++ dnsmsg->rep->rrsets[0]->rk.type == htons(LDNS_RR_TYPE_CNAME)) {
++ /* The cached msg triggered a rule that rewrites to a
++ * CNAME that must be resolved.
++ * We have a replacement dns_msg with that CNAME and also
++ * an SOA RR in the ADDITIONAL section that the iterator
++ * will lose as it adds the CNAME to the prepend list.
++ * Save the SOA RR in iq->rpz_soa. */
++ iq->rpz_soa = dnsmsg->rep->rrsets[1];
++ iq->rpz_rewritten = 1;
++ *type = RESPONSE_TYPE_CNAME;
++ return true;
++ }
++
++ /* Otherwise we have rewritten to zero or more non-CNAME RRs.
++ * (DNAMEs are not supported.)
++ * Tell the iterator to send the rewritten message. */
++ *type = RESPONSE_TYPE_ANSWER;
++ iq->rpz_rewritten = 1;
++ return true;
++}
++
++
++/* Check a RESPONSE_TYPE_ANSWER response from an authority in the iterator. */
++rpz_iter_resp_t
++rpz_iter_resp(struct module_qstate* qstate, struct iter_qstate* iq,
++ struct dns_msg** resp, bool* is_cname)
++{
++ struct comm_reply* commreply;
++ commreply_rpz_t* rpz;
++ struct reply_info* rep;
++
++ *is_cname = false;
++
++ commreply = &qstate->mesh_info->reply_list->query_reply;
++ rpz = commreply->rpz;
++ switch(rpz->st) {
++ case st_off:
++ case st_servfail:
++ case st_iterate:
++ case st_rewritten:
++ default:
++ fatal_exit("impossible RPZ state %d in rpz_iter_resp()",
++ rpz->st);
++ case st_ck_ns:
++ case st_unknown:
++ break;
++ }
++
++ /* We know !iq->rpz_rewritten and so the response was after a simple
++ * cache miss when the original QNAME did not trigger a response
++ * or after a CNAME whose owner name did hit but was then forgotten
++ * with pop_st().
++ * In either case, it is necessary to check the QNAME here.
++ * Checking the QNAME will not lose a better hit. */
++ rpz->st = st_unknown;
++ ck_qname(iq->qchase.qname, iq->qchase.qname_len, true, false,
++ rpz, qstate->env);
++
++ /* Check the RRs in the ANSWER section. */
++ if(!push_st(rpz))
++ return rpz_iter_resp_fail;
++ ck_reply(iq->response->rep, iq->qchase.qname, false, rpz, qstate->env);
++ get_result_msg(resp, &qstate->qinfo, 1, qstate->query_flags, true,
++ rpz, commreply->c, qstate->region);
++ switch(rpz->st) {
++ case st_off:
++ iq->rpz_rewritten = 1; /* Do not come back. */
++ return rpz_iter_resp_done;
++ case st_servfail: /* Send SERVFAIL */
++ return rpz_iter_resp_fail;
++ case st_unknown:
++ case st_ck_ns:
++ return rpz_iter_resp_done; /* continue without change */
++ case st_iterate:
++ default:
++ fatal_exit("impossible RPZ state %d in rpz_iter_resp()",
++ rpz->st);
++ case st_rewritten:
++ /* Tell the iterator to use handle_cname_response() to
++ * prepend any preceding CNAMEs.
++ * We have a replacement dns_msg that also has an SOA RR in the
++ * ADDITIONAL section that the iterator will lose if it is a
++ * CNAME. Save that SOA in that case. */
++ rep = (*resp)->rep;
++ if(rep->an_numrrsets != 0 &&
++ rep->rrsets[0]->rk.type == ntohs(LDNS_RR_TYPE_CNAME)) {
++ *is_cname = true;
++ iq->rpz_soa = rep->rrsets[1];
++ }
++ return rpz_iter_resp_rewrite;
++ }
++}
++
++
++/* Tell handle_cname_response() to stop adding to the answer prepend list
++ * after adding CNAME with a target that hits a QNAME trigger.
++ * Do not change any RPZ state, but expect the call of handle_cname_response()
++ * to try to resolve the CNAME and hit the same QNAME trigger and rewrite
++ * the response. */
++rpz_cname_t
++rpz_cname(struct module_qstate* qstate,
++ uint8_t* oname, size_t oname_size)
++{
++ struct mesh_reply* reply_list;
++ struct comm_reply* commreply;
++ commreply_rpz_t* rpz;
++ rpz_cname_t ret;
++
++ /* Quit if RPZ is off */
++ reply_list = qstate->mesh_info->reply_list;
++ if(!reply_list)
++ return rpz_cname_prepend;
++ commreply = &reply_list->query_reply;
++ rpz = commreply->rpz;
++
++ if(!rpz || rpz->st == st_off)
++ return rpz_cname_prepend;
++
++ /* Stop on a 2nd or later CNAME for rpz_iter_resp(). */
++ if(rpz->cname_hit.size != 0) {
++ if(!query_dname_compare(rpz->cname_hit.d, oname))
++ return rpz_cname_stop;
++ return rpz_cname_prepend;
++ }
++
++ if(rpz->st != st_unknown)
++ fatal_exit("impossible RPZ state %d in rpz_cname()", rpz->st);
++
++ ret = rpz_cname_prepend;
++ if(!push_st(rpz))
++ return rpz_cname_fail;
++ /* Stop before prepending a CNAME that would preempt a
++ * rewritten response or before a possible NSDNAME or NSIP trigger. */
++ ++rpz->hit_id;
++ ck_qname(oname, oname_size, true, true, rpz, qstate->env);
++ if(rpz->st != st_unknown)
++ ret = rpz_cname_stop;
++ if(!pop_st(rpz))
++ return rpz_cname_fail;
++ return ret;
++}
++
++#endif /* ENABLE_FASTRPZ */
+===================================================================
+RCS file: ./fastrpz/RCS/rpz.h,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.h
+--- ./fastrpz/rpz.h
++++ ./fastrpz/rpz.h
+@@ -0,0 +1,138 @@
++/*
++ * fastrpz/rpz.h - interface to the fastrpz response policy zone library
++ *
++ * Copyright (c) 2016 Farsight Security, Inc.
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++#ifndef UNBOUND_FASTRPZ_RPZ_H
++#define UNBOUND_FASTRPZ_RPZ_H
++
++#ifndef PACKAGE_VERSION
++/* Ensure that config.h has been included to correctly set ENABLE_FASTRPZ */
++#include "config.h"
++#endif
++
++#ifdef ENABLE_FASTRPZ
++
++#include "librpz.h"
++
++#include "daemon/daemon.h"
++#include "util/config_file.h"
++
++struct comm_point; /* forward references */
++struct comm_reply;
++struct dns_msg;
++struct edns_data;
++struct iter_qstate;
++struct query_info;
++struct reply_info;
++enum response_type; /* iterator/iter_utils.h */
++
++
++struct commreply_rpz;
++
++/**
++ * Connect to the librpz database.
++ * @param pclist: future pointer to opaque librpz client data
++ * @param pclient: future pointer to opaque librpz client data
++ * @param cfg: parsed unbound configuration
++ */
++void rpz_init(librpz_clist_t** pclist, librpz_client_t** pclient,
++ const struct config_file* cfg);
++
++/**
++ * Disconnect from the librpz database
++ * @param client: opaque librpz client data
++ */
++void rpz_delete(librpz_clist_t** pclist, librpz_client_t** pclient);
++
++/**
++ * Start working on a DNS request and check for client IP address triggers.
++ * @param worker: the DNS request context
++ * @param qinfo: the DNS question
++ * @param[in,out] commreply: the answer
++ * @param c: where to send the response
++ * @param[in,out] edns for the DO flag
++ * @return true if response already sent or dropped
++ */
++bool rpz_start(struct worker* worker, struct query_info* qinfo,
++ struct comm_reply* commreply, struct edns_data* edns);
++
++/**
++ * Release resources held for a DNS request
++ * @param rspp: pointer to pointer to rpz client context.
++ */
++void rpz_end(struct comm_reply* comm_rep);
++
++/**
++ * Check a cached reply for RPZ hits before iteration
++ * @param worker: the DNS request context
++ * @param casheresp: cache reply
++ * @param qinfo: the DNS question
++ * @param id from the DNS request
++ * @param flags from the DNS request
++ * @param[in,out] edns for the DO flag
++ * @param[in,out] commreply: RPZ state
++ * @return 1=use cache entry, -1=rewritten response already sent or dropped,
++ * 0=deny a cached entry exists
++ */
++int rpz_worker_cache(struct worker* worker, struct reply_info* cacheresp,
++ struct query_info* qinfo, uint16_t id, uint16_t flags,
++ struct edns_data* edns, struct comm_reply* commreply);
++
++/**
++ * Check for an existing RPZ CNAME rewrite with "QNAME-WAIT-RECURSE no"
++ * that needs to be resolved before resolving the external request.
++ * @param[out] msg: rewritten CNAME response.
++ * @param qstate: query state.
++ * @param iq: iterator query state.
++ * @return false=send SERVFAIL
++ */
++bool rpz_iter_cache(struct dns_msg** msg, enum response_type* type,
++ struct module_qstate* qstate, struct iter_qstate* iq);
++
++/**
++ * Check a response from an authority in the iterator.
++ * @param[out] type: of the final response
++ * @param qstate: query state.
++ * @param iq: iterator query state.
++ * @param is_cname: true if the rewritten response is a CNAME
++ * @return one of rpz_resp_t
++ */
++typedef enum {
++ rpz_iter_resp_fail, /* Send SERVFAIL. */
++ rpz_iter_resp_rewrite, /* We rewrote the response. */
++ rpz_iter_resp_done, /* Restart to refetch glue. */
++} rpz_iter_resp_t;
++rpz_iter_resp_t rpz_iter_resp(struct module_qstate* qstate,
++ struct iter_qstate* iq, struct dns_msg** resp,
++ bool* is_cname);
++
++/**
++ * Check a CNAME RR
++ * @param qstate: query state.
++ * @param oname: cname owner name
++ * @param oname_size: length of oname
++ * @return: one of rpz_cname_t
++ */
++typedef enum {
++ rpz_cname_fail, /* send SERVFAIL */
++ rpz_cname_prepend, /* prepend CNAME as usual */
++ rpz_cname_stop, /* stop before prepending this CNAME */
++} rpz_cname_t;
++rpz_cname_t rpz_cname(struct module_qstate* qstate,
++ uint8_t* oname, size_t oname_size);
++
++#endif /* ENABLE_FASTRPZ */
++#endif /* UNBOUND_FASTRPZ_RPZ_H */
+===================================================================
+RCS file: ./fastrpz/RCS/rpz.m4,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.m4
+--- ./fastrpz/rpz.m4
++++ ./fastrpz/rpz.m4
+@@ -0,0 +1,64 @@
++# fastrpz/rpz.m4
++
++# ck_FASTRPZ
++# --------------------------------------------------------------------------
++# check for Fastrpz
++# --enable-fastrpz enable Fastrpz response policy zones
++# --enable-fastrpz-dl Fastrpz delayed link [default=have dlopen]
++# --with-fastrpz-dir directory containing librpz.so
++#
++# Fastrpz can be compiled into Unbound everywhere with a reasonably
++# modern C compiler. It is enabled on systems with dlopen() and librpz.so.
++
++AC_DEFUN([ck_FASTRPZ],
++[
++ fastrpz_avail=yes
++ AC_MSG_CHECKING([for librpz __attribute__s])
++ AC_TRY_COMPILE(,[
++ extern void f(char *p __attribute__((unused)), ...)
++ __attribute__((format(printf,1,2))) __attribute__((__noreturn__));],
++ librpz_have_attr=yes
++ AC_DEFINE([LIBRPZ_HAVE_ATTR], 1, [have __attribute__s used in librpz.h])
++ AC_MSG_RESULT([yes]),
++ librpz_have_attr=no
++ AC_MSG_RESULT([no]))
++
++ AC_SEARCH_LIBS(dlopen, dl)
++ librpz_dl=yes
++ AC_CHECK_FUNCS(dlopen dlclose dlsym,,librpz_dl=no)
++ AC_ARG_ENABLE([fastrpz-dl],
++ [ --enable-fastrpz-dl Fastrpz delayed link [[default=$librpz_dl]]],
++ [enable_librpz_dl="$enableval"],
++ [enable_librpz_dl="$librpz_dl"])
++ AC_ARG_WITH([fastrpz-dir],
++ [ --with-fastrpz-dir directory containing librpz.so],
++ [librpz_path="$withval/librpz.so"], [librpz_path="librpz.so"])
++ AC_DEFINE_UNQUOTED([FASTRPZ_LIBRPZ_PATH], ["$librpz_path"],
++ [fastrpz librpz.so])
++ if test "x$enable_librpz_dl" = "xyes"; then
++ fastrpz_lib_open=2
++ else
++ fastrpz_lib_open=1
++ # Add librpz.so to linked libraries if we are not using dlopen()
++ AC_SEARCH_LIBS([librpz_client_create], [rpz], [],
++ [fastrpz_lib_open=0
++ fastrpz_avail=no])
++ fi
++ AC_DEFINE_UNQUOTED([FASTRPZ_LIB_OPEN], [$fastrpz_lib_open],
++ [0=no fastrpz 1=static link 2=dlopen()])
++
++ AC_ARG_ENABLE([fastrpz],
++ AS_HELP_STRING([--enable-fastrpz],[enable Fastrpz response policy zones]),
++ [enable_fastrpz=$enableval],[enable_fastrpz=$fastrpz_avail])
++ if test "x$enable_fastrpz" = xyes; then
++ AC_DEFINE([ENABLE_FASTRPZ], [1], [Enable fastrpz])
++ if test "x$fastrpz_lib_open" = "x0"; then
++ AC_MSG_ERROR([[dlopen and librpz.so needed for fastrpz]])
++ fi
++ # used in Makefile.in
++ AC_SUBST([FASTRPZ_SRC], [fastrpz/rpz.c])
++ AC_SUBST([FASTRPZ_OBJ], [rpz.lo])
++ elif test "x$fastrpz_avail" = "x0"; then
++ AC_MSG_WARN([[dlopen and librpz.so needed for fastrpz]])
++ fi
++])
+===================================================================
+RCS file: ./iterator/RCS/iterator.c,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
+--- ./iterator/iterator.c
++++ ./iterator/iterator.c
+@@ -67,6 +67,9 @@
+ #include "sldns/str2wire.h"
+ #include "sldns/parseutil.h"
+ #include "sldns/sbuffer.h"
++#ifdef ENABLE_FASTRPZ
++#include "fastrpz/rpz.h"
++#endif
+
+ int
+ iter_init(struct module_env* env, int id)
+@@ -487,6 +490,23 @@
+ if(ntohs(r->rk.type) == LDNS_RR_TYPE_CNAME &&
+ query_dname_compare(*mname, r->rk.dname) == 0 &&
+ !iter_find_rrset_in_prepend_answer(iq, r)) {
++#ifdef ENABLE_FASTRPZ
++ /* Stop adding CNAME rrsets to the prepend list
++ * before defining an RPZ hit. */
++ if(!iq->rpz_rewritten) {
++ switch (rpz_cname(qstate, *mname, *mname_len)) {
++ case rpz_cname_fail:
++ /* send SERVFAIL */
++ return 0;
++ case rpz_cname_prepend:
++ /* save the CNAME. */
++ break;
++ case rpz_cname_stop:
++ /* Pause before adding the CNAME. */
++ goto stop_short;
++ }
++ }
++#endif
+ /* Add this relevant CNAME rrset to the prepend list.*/
+ if(!iter_add_prepend_answer(qstate, iq, r))
+ return 0;
+@@ -495,6 +515,9 @@
+
+ /* Other rrsets in the section are ignored. */
+ }
++#ifdef ENABLE_FASTRPZ
++stop_short: ;
++#endif
+ /* add authority rrsets to authority prepend, for wildcarded CNAMEs */
+ for(i=msg->rep->an_numrrsets; i<msg->rep->an_numrrsets +
+ msg->rep->ns_numrrsets; i++) {
+@@ -996,6 +1019,7 @@
+ uint8_t* delname;
+ size_t delnamelen;
+ struct dns_msg* msg = NULL;
++ enum response_type type;
+
+ log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo);
+ /* check effort */
+@@ -1056,8 +1080,7 @@
+ }
+ if(msg) {
+ /* handle positive cache response */
+- enum response_type type = response_type_from_cache(msg,
+- &iq->qchase);
++ type = response_type_from_cache(msg, &iq->qchase);
+ if(verbosity >= VERB_ALGO) {
+ log_dns_msg("msg from cache lookup", &msg->qinfo,
+ msg->rep);
+@@ -1065,7 +1088,22 @@
+ (int)msg->rep->ttl,
+ (int)msg->rep->prefetch_ttl);
+ }
++#ifdef ENABLE_FASTRPZ
++ }
++ /* Check for an RPZ hit in the cached DNS message or an existing
++ * RPZ CNAME rewrite that can be resolved now after a hit on the QNAME
++ * or client IP address. This can involve a creating a fake cache
++ * hit. It can also involve overriding an RESPONSE_TYPE_ANSWER
++ * result from response_type_from_cache(). Or it can ignore
++ * the cached result to refetch glue. */
++ if(!iq->rpz_rewritten &&
++ qstate->mesh_info->reply_list &&
++ qstate->mesh_info->reply_list->query_reply.rpz &&
++ !rpz_iter_cache(&msg, &type, qstate, iq))
++ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+
++ if(msg) {
++#endif
+ if(type == RESPONSE_TYPE_CNAME) {
+ uint8_t* sname = 0;
+ size_t slen = 0;
+@@ -2321,6 +2359,62 @@
+ sock_list_insert(&qstate->reply_origin,
+ &qstate->reply->addr, qstate->reply->addrlen,
+ qstate->region);
++#ifdef ENABLE_FASTRPZ
++ /* Check the response for an RPZ hit. The response has already
++ * been saved in the cache. This should have the same effect
++ * as finding that response in the cache.
++ * We have already used rpz_iter_cache() at least once. */
++ if(!iq->rpz_rewritten &&
++ qstate->mesh_info->reply_list &&
++ qstate->mesh_info->reply_list->query_reply.rpz) {
++ struct dns_msg* resp;
++ bool is_cname;
++ uint8_t* sname;
++ size_t slen;
++
++ switch (rpz_iter_resp(qstate, iq, &resp, &is_cname)) {
++ case rpz_iter_resp_fail:
++ return error_response(qstate, id,
++ LDNS_RCODE_SERVFAIL);
++ case rpz_iter_resp_rewrite:
++ /* Prepend any initial CNAMEs from the original
++ * response up to a hit. */
++ if(!handle_cname_response(qstate, iq,
++ iq->response,
++ &sname, &slen))
++ return error_response(qstate, id,
++ LDNS_RCODE_SERVFAIL);
++ if (resp) {
++ iq->response = resp;
++ iq->rpz_security = resp->rep->security;
++ iq->rpz_rewritten = 1;
++
++ /* Send the rewritten record if it
++ * is not a CNAME. */
++ if(!is_cname)
++ break;
++
++ /* Prepend the new CNAME
++ * and restart to resolve it. */
++ if(!handle_cname_response(qstate, iq,
++ resp, &sname, &slen))
++ return error_response(qstate, id,
++ LDNS_RCODE_SERVFAIL);
++ }
++ iq->qchase.qname = sname;
++ iq->qchase.qname_len = slen;
++ iq->dp = NULL;
++ iq->refetch_glue = 0;
++ iq->query_restart_count++;
++ iq->sent_count = 0;
++ iq->state = INIT_REQUEST_STATE;
++ return 1;
++
++ case rpz_iter_resp_done:
++ break;
++ }
++ }
++#endif
+ if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
+ if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
+ LDNS_RCODE_NOERROR) {
+@@ -3022,12 +3116,44 @@
+ * but only if we did recursion. The nonrecursion referral
+ * from cache does not need to be stored in the msg cache. */
+ if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) {
++#ifdef ENABLE_FASTRPZ
++ /* Do not save RPZ rewritten messages. */
++ if(!iq->rpz_rewritten)
++#endif
+ iter_dns_store(qstate->env, &qstate->qinfo,
+ iq->response->rep, 0, qstate->prefetch_leeway,
+ iq->dp&&iq->dp->has_parent_side_NS,
+ qstate->region, qstate->query_flags);
+ }
+ }
++#ifdef ENABLE_FASTRPZ
++ if(iq->rpz_rewritten) {
++ /* Restore RPZ marks on a rewritten response. The marks
++ * are lost if the rewrite is to a CNAME. */
++ iq->response->rep->security = iq->rpz_security;
++
++ /* Append the RPZ SOA to rewritten CNAME chains. */
++ if(iq->rpz_soa) {
++ struct ub_packed_rrset_key** sets;
++ uint n;
++
++ n = iq->response->rep->rrset_count;
++ sets = regional_alloc(qstate->region,
++ (1+n) * sizeof(*sets));
++ if(!sets) {
++ log_err("append RPZ SOA: out of memory");
++ return error_response(qstate, id,
++ LDNS_RCODE_SERVFAIL);
++ }
++ memcpy(sets, iq->response->rep->rrsets,
++ n * sizeof(struct ub_packed_rrset_key*));
++ sets[n] = iq->rpz_soa;
++ iq->response->rep->rrsets = sets;
++ ++iq->response->rep->rrset_count;
++ ++iq->response->rep->ar_numrrsets;
++ }
++ }
++#endif
+ qstate->return_rcode = LDNS_RCODE_NOERROR;
+ qstate->return_msg = iq->response;
+ return 0;
+===================================================================
+RCS file: ./iterator/RCS/iterator.h,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.h
+--- ./iterator/iterator.h
++++ ./iterator/iterator.h
+@@ -381,6 +381,16 @@
+ */
+ int minimise_count;
+
++
++#ifdef ENABLE_FASTRPZ
++ /** The response has been rewritten by RPZ. */
++ int rpz_rewritten;
++ /** RPZ SOA RR for the ADDITIONAL section */
++ struct ub_packed_rrset_key* rpz_soa;
++ /** sec_status_rpz_rewritten or sec_status_rpz_drop if rewritten. */
++ enum sec_status rpz_security;
++#endif
++
+ /**
+ * Count number of time-outs. Used to prevent resolving failures when
+ * the QNAME minimisation QTYPE is blocked. */
+===================================================================
+RCS file: ./services/cache/RCS/dns.c,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./services/cache/dns.c
+--- ./services/cache/dns.c
++++ ./services/cache/dns.c
+@@ -838,6 +838,14 @@
+ struct regional* region, uint16_t flags)
+ {
+ struct reply_info* rep = NULL;
++
++#ifdef ENABLE_FASTRPZ
++ /* Never save RPZ rewritten data. */
++ if (msgrep->security == sec_status_rpz_drop ||
++ msgrep->security == sec_status_rpz_rewritten)
++ return 1;
++#endif
++
+ /* alloc, malloc properly (not in region, like msg is) */
+ rep = reply_info_copy(msgrep, env->alloc, NULL);
+ if(!rep)
+===================================================================
+RCS file: ./services/RCS/mesh.c,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./services/mesh.c
+--- ./services/mesh.c
++++ ./services/mesh.c
+@@ -59,6 +59,9 @@
+ #include "sldns/wire2str.h"
+ #include "services/localzone.h"
+ #include "util/data/dname.h"
++#ifdef ENABLE_FASTRPZ
++#include "fastrpz/rpz.h"
++#endif
+ #include "respip/respip.h"
+
+ /** subtract timers and the values do not overflow or become negative */
+@@ -1011,6 +1014,13 @@
+ else secure = 0;
+ if(!rep && rcode == LDNS_RCODE_NOERROR)
+ rcode = LDNS_RCODE_SERVFAIL;
++#ifdef ENABLE_FASTRPZ
++ /* Drop the response here for LIBRPZ_POLICY_DROP after iteration. */
++ if(rep && rep->security == sec_status_rpz_drop) {
++ log_query_info(VERB_QUERY, "rpz drop", &m->s.qinfo);
++ secure = 0;
++ } else
++#endif
+ /* send the reply */
+ /* We don't reuse the encoded answer if either the previous or current
+ * response has a local alias. We could compare the alias records
+@@ -1160,6 +1170,7 @@
+ key.s.is_valrec = valrec;
+ key.s.qinfo = *qinfo;
+ key.s.query_flags = qflags;
++ key.reply_list = NULL;
+ /* We are searching for a similar mesh state when we DO want to
+ * aggregate the state. Thus unique is set to NULL. (default when we
+ * desire aggregation).*/
+@@ -1206,6 +1217,10 @@
+ if(!r)
+ return 0;
+ r->query_reply = *rep;
++#ifdef ENABLE_FASTRPZ
++ /* The new reply structure owns the RPZ state. */
++ rep->rpz = NULL;
++#endif
+ r->edns = *edns;
+ if(edns->opt_list) {
+ r->edns.opt_list = edns_opt_copy_region(edns->opt_list,
+===================================================================
+RCS file: ./util/RCS/config_file.c,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./util/config_file.c
+--- ./util/config_file.c
++++ ./util/config_file.c
+@@ -1167,6 +1167,8 @@
+ free(cfg->dnstap_socket_path);
+ free(cfg->dnstap_identity);
+ free(cfg->dnstap_version);
++ if (cfg->rpz_cstr)
++ free(cfg->rpz_cstr);
+ config_deldblstrlist(cfg->ratelimit_for_domain);
+ config_deldblstrlist(cfg->ratelimit_below_domain);
+ free(cfg);
+===================================================================
+RCS file: ./util/RCS/config_file.h,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./util/config_file.h
+--- ./util/config_file.h
++++ ./util/config_file.h
+@@ -416,6 +416,11 @@
+ /** true to disable DNSSEC lameness check in iterator */
+ int disable_dnssec_lame_check;
+
++ /** true to enable RPZ */
++ int rpz_enable;
++ /** RPZ configuration */
++ char* rpz_cstr;
++
+ /** ratelimit for ip addresses. 0 is off, otherwise qps (unless overridden) */
+ int ip_ratelimit;
+ /** number of slabs for ip_ratelimit cache */
+===================================================================
+RCS file: ./util/RCS/configlexer.lex,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./util/configlexer.lex
+--- ./util/configlexer.lex
++++ ./util/configlexer.lex
+@@ -395,6 +395,10 @@
+ YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) }
+ dnstap-log-forwarder-response-messages{COLON} {
+ YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
++rpz{COLON} { YDVAR(0, VAR_RPZ) }
++rpz-enable{COLON} { YDVAR(1, VAR_RPZ_ENABLE) }
++rpz-zone{COLON} { YDVAR(1, VAR_RPZ_ZONE) }
++rpz-option{COLON} { YDVAR(1, VAR_RPZ_OPTION) }
+ disable-dnssec-lame-check{COLON} { YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) }
+ ip-ratelimit{COLON} { YDVAR(1, VAR_IP_RATELIMIT) }
+ ratelimit{COLON} { YDVAR(1, VAR_RATELIMIT) }
+===================================================================
+RCS file: ./util/RCS/configparser.y,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./util/configparser.y
+--- ./util/configparser.y
++++ ./util/configparser.y
+@@ -124,6 +124,7 @@
+ %token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES
+ %token VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES
+ %token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES
++%token VAR_RPZ VAR_RPZ_ENABLE VAR_RPZ_ZONE VAR_RPZ_OPTION
+ %token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA
+ %token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
+ %token VAR_DISABLE_DNSSEC_LAME_CHECK
+@@ -150,7 +151,7 @@
+ toplevelvar: serverstart contents_server | stubstart contents_stub |
+ forwardstart contents_forward | pythonstart contents_py |
+ rcstart contents_rc | dtstart contents_dt | viewstart
+- contents_view |
++ contents_view | rpzstart contents_rpz |
+ dnscstart contents_dnsc
+ ;
+
+@@ -2160,6 +2161,50 @@
+ (strcmp($2, "yes")==0);
+ }
+ ;
++rpzstart: VAR_RPZ
++ {
++ OUTYY(("\nP(rpz:)\n"));
++ }
++ ;
++contents_rpz: contents_rpz content_rpz
++ | ;
++content_rpz: rpz_enable | rpz_zone | rpz_option
++ ;
++rpz_enable: VAR_RPZ_ENABLE STRING_ARG
++ {
++ OUTYY(("P(rpz_enable:%s)\n", $2));
++ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
++ yyerror("expected yes or no.");
++ else cfg_parser->cfg->rpz_enable = (strcmp($2, "yes")==0);
++ free($2);
++ }
++ ;
++rpz_zone: VAR_RPZ_ZONE STRING_ARG
++ {
++ char *new_cstr, *old_cstr;
++
++ OUTYY(("P(rpz_zone:%s)\n", $2));
++ old_cstr = cfg_parser->cfg->rpz_cstr;
++ asprintf(&new_cstr, "%s\nzone %s", old_cstr?old_cstr:"", $2);
++ if(!new_cstr)
++ yyerror("out of memory");
++ free(old_cstr);
++ cfg_parser->cfg->rpz_cstr = new_cstr;
++ }
++ ;
++rpz_option: VAR_RPZ_OPTION STRING_ARG
++ {
++ char *new_cstr, *old_cstr;
++
++ OUTYY(("P(rpz_option:%s)\n", $2));
++ old_cstr = cfg_parser->cfg->rpz_cstr;
++ asprintf(&new_cstr, "%s\n%s", old_cstr ? old_cstr : "", $2);
++ if(!new_cstr)
++ yyerror("out of memory");
++ free(old_cstr);
++ cfg_parser->cfg->rpz_cstr = new_cstr;
++ }
++ ;
+ pythonstart: VAR_PYTHON
+ {
+ OUTYY(("\nP(python:)\n"));
+===================================================================
+RCS file: ./util/data/RCS/msgencode.c,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./util/data/msgencode.c
+--- ./util/data/msgencode.c
++++ ./util/data/msgencode.c
+@@ -585,6 +585,35 @@
+ return RETVAL_OK;
+ }
+
++#ifdef ENABLE_FASTRPZ
++/* Insert the RPZ SOA even with MINIMAL_RESPONSES */
++static int
++insert_rpz_soa(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
++ sldns_buffer* pkt, size_t rrsets_before, time_t timenow,
++ struct regional* region, struct compress_tree_node** tree,
++ size_t rr_offset)
++{
++ int r;
++ size_t i, setstart;
++
++ *num_rrs = 0;
++ for(i=0; i<num_rrsets; i++) {
++ if (rep->rrsets[rrsets_before+i]->rk.type != LDNS_RR_TYPE_SOA)
++ continue;
++ setstart = sldns_buffer_position(pkt);
++ if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i],
++ pkt, num_rrs, timenow, region,
++ 1, 0, tree, LDNS_SECTION_ADDITIONAL,
++ LDNS_RR_TYPE_ANY, 0, rr_offset))
++ != RETVAL_OK) {
++ sldns_buffer_set_position(pkt, setstart);
++ return r;
++ }
++ }
++ return RETVAL_OK;
++}
++
++#endif
+ /** store query section in wireformat buffer, return RETVAL */
+ static int
+ insert_query(struct query_info* qinfo, struct compress_tree_node** tree,
+@@ -748,6 +777,19 @@
+ return 0;
+ }
+ sldns_buffer_write_u16_at(buffer, 10, arcount);
++#ifdef ENABLE_FASTRPZ
++ } else if(rep->security == sec_status_rpz_rewritten) {
++ /* Insert the RPZ SOA for rpz even with MINIMAL_RESPONSES */
++ r = insert_rpz_soa(rep, rep->ar_numrrsets, &arcount, buffer,
++ rep->an_numrrsets + rep->ns_numrrsets,
++ timenow, region, &tree, rr_offset);
++ if(r!= RETVAL_OK) {
++ if(r != RETVAL_TRUNC)
++ return 0;
++ /* no need to set TC bit, this is the additional */
++ sldns_buffer_write_u16_at(buffer, 10, arcount);
++ }
++#endif
+ }
+ sldns_buffer_flip(buffer);
+ return 1;
+===================================================================
+RCS file: ./util/data/RCS/packed_rrset.c,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./util/data/packed_rrset.c
+--- ./util/data/packed_rrset.c
++++ ./util/data/packed_rrset.c
+@@ -254,6 +254,10 @@
+ case sec_status_indeterminate: return "sec_status_indeterminate";
+ case sec_status_insecure: return "sec_status_insecure";
+ case sec_status_secure: return "sec_status_secure";
++#ifdef ENABLE_FASTRPZ
++ case sec_status_rpz_rewritten: return "sec_status_rpz_rewritten";
++ case sec_status_rpz_drop: return "sec_status_rpz_drop";
++#endif
+ }
+ return "unknown_sec_status_value";
+ }
+===================================================================
+RCS file: ./util/data/RCS/packed_rrset.h,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./util/data/packed_rrset.h
+--- ./util/data/packed_rrset.h
++++ ./util/data/packed_rrset.h
+@@ -189,7 +189,15 @@
+ sec_status_insecure,
+ /** SECURE means that the object (RRset or message) validated
+ * according to local policy. */
+- sec_status_secure
++ sec_status_secure,
++#ifdef ENABLE_FASTRPZ
++ /** RPZ_REWRITTEN means that the response has been rewritten by
++ * rpz and so cannot be verified. */
++ sec_status_rpz_rewritten,
++ /** RPZ_DROP means that the response has been rewritten by rpz
++ * as silence. */
++ sec_status_rpz_drop
++#endif
+ };
+
+ /**
+===================================================================
+RCS file: ./util/RCS/netevent.c,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
+--- ./util/netevent.c
++++ ./util/netevent.c
+@@ -54,6 +54,9 @@
+ #ifdef HAVE_OPENSSL_ERR_H
+ #include <openssl/err.h>
+ #endif
++#ifdef ENABLE_FASTRPZ
++#include "fastrpz/rpz.h"
++#endif
+
+ /* -------- Start of local definitions -------- */
+ /** if CMSG_ALIGN is not defined on this platform, a workaround */
+@@ -579,6 +582,9 @@
+ struct cmsghdr* cmsg;
+ #endif /* S_SPLINT_S */
+
++#ifdef ENABLE_FASTRPZ
++ rep.rpz = NULL;
++#endif
+ rep.c = (struct comm_point*)arg;
+ log_assert(rep.c->type == comm_udp);
+
+@@ -668,6 +674,9 @@
+ int i;
+ struct sldns_buffer *buffer;
+
++#ifdef ENABLE_FASTRPZ
++ rep.rpz = NULL;
++#endif
+ rep.c = (struct comm_point*)arg;
+ log_assert(rep.c->type == comm_udp);
+
+@@ -711,6 +720,9 @@
+ (void)comm_point_send_udp_msg(rep.c, buffer,
+ (struct sockaddr*)&rep.addr, rep.addrlen);
+ }
++#ifdef ENABLE_FASTRPZ
++ rpz_end(&rep);
++#endif
+ if(rep.c->fd != fd) /* commpoint closed to -1 or reused for
+ another UDP port. Note rep.c cannot be reused with TCP fd. */
+ break;
+@@ -2145,6 +2157,9 @@
+ comm_point_start_listening(repinfo->c, -1,
+ repinfo->c->tcp_timeout_msec);
+ }
++#ifdef ENABLE_FASTRPZ
++ rpz_end(repinfo);
++#endif
+ }
+
+ void
+@@ -2154,6 +2169,9 @@
+ return;
+ log_assert(repinfo && repinfo->c);
+ log_assert(repinfo->c->type != comm_tcp_accept);
++#ifdef ENABLE_FASTRPZ
++ rpz_end(repinfo);
++#endif
+ if(repinfo->c->type == comm_udp)
+ return;
+ reclaim_tcp_handler(repinfo->c);
+@@ -2173,6 +2191,9 @@
+ {
+ verbose(VERB_ALGO, "comm point start listening %d",
+ c->fd==-1?newfd:c->fd);
++#ifdef ENABLE_FASTRPZ
++ rpz_end(&c->repinfo);
++#endif
+ if(c->type == comm_tcp_accept && !c->tcp_free) {
+ /* no use to start listening no free slots. */
+ return;
+===================================================================
+RCS file: ./util/RCS/netevent.h,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./util/netevent.h
+--- ./util/netevent.h
++++ ./util/netevent.h
+@@ -117,6 +117,10 @@
+ /** return type 0 (none), 4(IP4), 6(IP6) */
+ int srctype;
+ /* DnsCrypt context */
++#ifdef ENABLE_FASTRPZ
++ /** per-request RPZ state */
++ struct commreply_rpz* rpz;
++#endif
+ #ifdef USE_DNSCRYPT
+ uint8_t client_nonce[crypto_box_HALF_NONCEBYTES];
+ uint8_t nmkey[crypto_box_BEFORENMBYTES];
+===================================================================
+RCS file: ./validator/RCS/validator.c,v
+retrieving revision 1.1
+diff -u --unidirectional-new-file -r1.1 ./validator/validator.c
+--- ./validator/validator.c
++++ ./validator/validator.c
+@@ -2552,6 +2552,12 @@
+ default:
+ /* NSEC proof did not work, try next */
+ break;
++#ifdef ENABLE_FASTRPZ
++ case sec_status_rpz_rewritten:
++ case sec_status_rpz_drop:
++ fatal_exit("impossible RPZ sec_status");
++ break;
++#endif
+ }
+
+ sec = nsec3_prove_nods(qstate->env, ve,
+@@ -2584,6 +2590,12 @@
+ default:
+ /* NSEC3 proof did not work */
+ break;
++#ifdef ENABLE_FASTRPZ
++ case sec_status_rpz_rewritten:
++ case sec_status_rpz_drop:
++ fatal_exit("impossible RPZ sec_status");
++ break;
++#endif
+ }
+
+ /* Apparently, no available NSEC/NSEC3 proved NODATA, so
diff --git a/contrib/redirect-bogus.patch b/contrib/redirect-bogus.patch
new file mode 100644
index 000000000000..8f8035c4f96e
--- /dev/null
+++ b/contrib/redirect-bogus.patch
@@ -0,0 +1,344 @@
+Index: daemon/worker.c
+===================================================================
+--- daemon/worker.c (revision 4191)
++++ daemon/worker.c (working copy)
+@@ -663,8 +663,21 @@
+ if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, rep,
+ LDNS_RCODE_SERVFAIL, edns, worker->scratchpad))
+ goto bail_out;
+- error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
+- qinfo, id, flags, edns);
++ if (qinfo->qtype == LDNS_RR_TYPE_A &&
++ worker->env.cfg->redirect_bogus_ipv4) {
++ /* BAD cached */
++ fixed_address_encode(repinfo->c->buffer,
++ LDNS_RCODE_NOERROR, qinfo, id, flags, edns,
++ worker->env.cfg->redirect_bogus_ipv4);
++ } else if (qinfo->qtype == LDNS_RR_TYPE_AAAA &&
++ worker->env.cfg->redirect_bogus_ipv6) {
++ fixed_address_encode(repinfo->c->buffer,
++ LDNS_RCODE_NOERROR, qinfo, id, flags, edns,
++ worker->env.cfg->redirect_bogus_ipv6);
++ } else {
++ error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
++ qinfo, id, flags, edns);
++ }
+ rrset_array_unlock_touch(worker->env.rrset_cache,
+ worker->scratchpad, rep->ref, rep->rrset_count);
+ if(worker->stats.extended) {
+Index: doc/unbound.conf.5.in
+===================================================================
+--- doc/unbound.conf.5.in (revision 4191)
++++ doc/unbound.conf.5.in (working copy)
+@@ -1244,6 +1244,18 @@
+ This can make ordinary queries complete (if repeatedly queried for),
+ and enter the cache, whilst also mitigating the traffic flow by the
+ factor given.
++.TP 5
++.B redirect-bogus-ipv4: \fI<IPv4 address>
++Set a fixed address for DNSSEC failures that are cached
++Instead of responding to A queries with SERVFAIL, respond
++with NOERROR and the address specified here
++The TTL of the response will be 5 seconds
++.TP 5
++.B redirect-bogus-ipv6: \fI<IPv4 address>
++Set a fixed address for DNSSEC failures that are cached
++Instead of responding to AAAA queries with SERVFAIL, respond
++with NOERROR and the address specified here
++The TTL of the response will be 5 seconds
+ .SS "Remote Control Options"
+ In the
+ .B remote\-control:
+Index: services/mesh.c
+===================================================================
+--- services/mesh.c (revision 4191)
++++ services/mesh.c (working copy)
+@@ -1006,6 +1006,7 @@
+ struct timeval end_time;
+ struct timeval duration;
+ int secure;
++ int bogus_override = 0;
+ /* Copy the client's EDNS for later restore, to make sure the edns
+ * compare is with the correct edns options. */
+ struct edns_data edns_bak = r->edns;
+@@ -1016,6 +1017,7 @@
+ rcode = LDNS_RCODE_SERVFAIL;
+ if(m->s.env->cfg->stat_extended)
+ m->s.env->mesh->ans_bogus++;
++ bogus_override = 1;
+ }
+ if(rep && rep->security == sec_status_secure)
+ secure = 1;
+@@ -1047,17 +1049,34 @@
+ } else if(rcode) {
+ m->s.qinfo.qname = r->qname;
+ m->s.qinfo.local_alias = r->local_alias;
+- if(rcode == LDNS_RCODE_SERVFAIL) {
+- if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
+- rep, rcode, &r->edns, m->s.region))
+- r->edns.opt_list = NULL;
+- } else {
+- if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode,
+- &r->edns, m->s.region))
+- r->edns.opt_list = NULL;
++ if(bogus_override && m->s.qinfo.qtype == LDNS_RR_TYPE_A &&
++ m->s.env->cfg->redirect_bogus_ipv4) {
++ fixed_address_encode(r->query_reply.c->buffer,
++ LDNS_RCODE_NOERROR, &m->s.qinfo, r->qid,
++ r->qflags, &r->edns,
++ m->s.env->cfg->redirect_bogus_ipv4);
++ } else if(bogus_override &&
++ m->s.qinfo.qtype == LDNS_RR_TYPE_AAAA &&
++ m->s.env->cfg->redirect_bogus_ipv6) {
++ fixed_address_encode(r->query_reply.c->buffer,
++ LDNS_RCODE_NOERROR, &m->s.qinfo, r->qid,
++ r->qflags, &r->edns,
++ m->s.env->cfg->redirect_bogus_ipv6);
++ } else {
++ if(rcode == LDNS_RCODE_SERVFAIL) {
++ if(!inplace_cb_reply_servfail_call(m->s.env,
++ &m->s.qinfo, &m->s,
++ rep, rcode, &r->edns, m->s.region))
++ r->edns.opt_list = NULL;
++ } else {
++ if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo,
++ &m->s, rep, rcode, &r->edns,
++ m->s.region))
++ r->edns.opt_list = NULL;
++ }
++ error_encode(r->query_reply.c->buffer, rcode,
++ &m->s.qinfo, r->qid, r->qflags, &r->edns);
+ }
+- error_encode(r->query_reply.c->buffer, rcode, &m->s.qinfo,
+- r->qid, r->qflags, &r->edns);
+ comm_point_send_reply(&r->query_reply);
+ } else {
+ size_t udp_size = r->edns.udp_size;
+Index: util/config_file.c
+===================================================================
+--- util/config_file.c (revision 4191)
++++ util/config_file.c (working copy)
+@@ -273,6 +273,8 @@
+ cfg->ratelimit_factor = 10;
+ cfg->qname_minimisation = 0;
+ cfg->qname_minimisation_strict = 0;
++ cfg->redirect_bogus_ipv4 = NULL;
++ cfg->redirect_bogus_ipv6 = NULL;
+ cfg->shm_enable = 0;
+ cfg->shm_key = 11777;
+ cfg->dnscrypt = 0;
+@@ -602,6 +604,10 @@
+ }
+ oi[cfg->num_out_ifs++] = d;
+ cfg->out_ifs = oi;
++ } else if (strcmp(opt, "redirect-bogus-ipv4:") == 0) {
++ cfg->redirect_bogus_ipv4 = strdup(val);
++ } else if (strcmp(opt, "redirect-bogus-ipv6:") == 0) {
++ cfg->redirect_bogus_ipv6 = strdup(val);
+ } else {
+ /* unknown or unsupported (from the set_option interface):
+ * interface, outgoing-interface, access-control,
+@@ -1250,6 +1256,12 @@
+ free(cfg->dnstap_version);
+ config_deldblstrlist(cfg->ratelimit_for_domain);
+ config_deldblstrlist(cfg->ratelimit_below_domain);
++ if (cfg->redirect_bogus_ipv4) {
++ free(cfg->redirect_bogus_ipv4);
++ }
++ if (cfg->redirect_bogus_ipv6) {
++ free(cfg->redirect_bogus_ipv6);
++ }
+ #ifdef USE_IPSECMOD
+ free(cfg->ipsecmod_hook);
+ config_delstrlist(cfg->ipsecmod_whitelist);
+Index: util/config_file.h
+===================================================================
+--- util/config_file.h (revision 4191)
++++ util/config_file.h (working copy)
+@@ -444,6 +444,9 @@
+ /** minimise QNAME in strict mode, minimise according to RFC.
+ * Do not apply fallback */
+ int qname_minimisation_strict;
++ /** construct fake responses for DNSSEC failures */
++ char *redirect_bogus_ipv4;
++ char *redirect_bogus_ipv6;
+ /** SHM data - true if shm is enabled */
+ int shm_enable;
+ /** SHM data - key for the shm */
+Index: util/configlexer.lex
+===================================================================
+--- util/configlexer.lex (revision 4191)
++++ util/configlexer.lex (working copy)
+@@ -410,6 +410,8 @@
+ response-ip-tag{COLON} { YDVAR(2, VAR_RESPONSE_IP_TAG) }
+ response-ip{COLON} { YDVAR(2, VAR_RESPONSE_IP) }
+ response-ip-data{COLON} { YDVAR(2, VAR_RESPONSE_IP_DATA) }
++redirect-bogus-ipv4{COLON} { YDVAR(1, VAR_REDIRECT_BOGUS_IPV4) }
++redirect-bogus-ipv6{COLON} { YDVAR(1, VAR_REDIRECT_BOGUS_IPV6) }
+ dnscrypt{COLON} { YDVAR(0, VAR_DNSCRYPT) }
+ dnscrypt-enable{COLON} { YDVAR(1, VAR_DNSCRYPT_ENABLE) }
+ dnscrypt-port{COLON} { YDVAR(1, VAR_DNSCRYPT_PORT) }
+Index: util/configparser.y
+===================================================================
+--- util/configparser.y (revision 4191)
++++ util/configparser.y (working copy)
+@@ -44,6 +44,7 @@
+ #include <stdlib.h>
+ #include <assert.h>
+
++#include "sldns/str2wire.h"
+ #include "util/configyyrename.h"
+ #include "util/config_file.h"
+ #include "util/net_help.h"
+@@ -141,6 +142,7 @@
+ %token VAR_ACCESS_CONTROL_TAG_DATA VAR_VIEW VAR_ACCESS_CONTROL_VIEW
+ %token VAR_VIEW_FIRST VAR_SERVE_EXPIRED VAR_FAKE_DSA VAR_FAKE_SHA1
+ %token VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR VAR_TRUST_ANCHOR_SIGNALING
++%token VAR_REDIRECT_BOGUS_IPV4 VAR_REDIRECT_BOGUS_IPV6
+ %token VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
+ %token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER
+ %token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
+@@ -228,6 +230,7 @@
+ server_access_control_tag_data | server_access_control_view |
+ server_qname_minimisation_strict | server_serve_expired |
+ server_fake_dsa | server_log_identity | server_use_systemd |
++ server_redirect_bogus_ipv4 | server_redirect_bogus_ipv6 |
+ server_response_ip_tag | server_response_ip | server_response_ip_data |
+ server_shm_enable | server_shm_key | server_fake_sha1 |
+ server_hide_trustanchor | server_trust_anchor_signaling |
+@@ -1873,6 +1876,34 @@
+ #endif
+ }
+ ;
++server_redirect_bogus_ipv4: VAR_REDIRECT_BOGUS_IPV4 STRING_ARG
++ {
++ uint8_t data[4];
++ size_t data_len = 4;
++ OUTYY(("P(name:%s)\n", $2));
++ if(cfg_parser->cfg->redirect_bogus_ipv4) {
++ yyerror("redirect-bogus-ipv4, can only use one address");
++ }
++ if(sldns_str2wire_a_buf($2, data, &data_len) != LDNS_WIREPARSE_ERR_OK) {
++ yyerror("redirect-bogus-ipv4, not a valid IPv4 address");
++ }
++ free(cfg_parser->cfg->redirect_bogus_ipv4);
++ cfg_parser->cfg->redirect_bogus_ipv4 = $2;
++ }
++server_redirect_bogus_ipv6: VAR_REDIRECT_BOGUS_IPV6 STRING_ARG
++ {
++ uint8_t data[16];
++ size_t data_len = 16;
++ OUTYY(("P(name:%s)\n", $2));
++ if(cfg_parser->cfg->redirect_bogus_ipv6) {
++ yyerror("redirect-bogus-ipv6, can only use one address");
++ }
++ if(sldns_str2wire_aaaa_buf($2, data, &data_len) != LDNS_WIREPARSE_ERR_OK) {
++ yyerror("redirect-bogus-ipv6, not a valid IPv6 address");
++ }
++ free(cfg_parser->cfg->redirect_bogus_ipv6);
++ cfg_parser->cfg->redirect_bogus_ipv6 = $2;
++ }
+ stub_name: VAR_NAME STRING_ARG
+ {
+ OUTYY(("P(name:%s)\n", $2));
+Index: util/data/msgencode.c
+===================================================================
+--- util/data/msgencode.c (revision 4191)
++++ util/data/msgencode.c (working copy)
+@@ -48,6 +48,7 @@
+ #include "util/regional.h"
+ #include "util/net_help.h"
+ #include "sldns/sbuffer.h"
++#include "sldns/str2wire.h"
+ #include "services/localzone.h"
+
+ /** return code that means the function ran out of memory. negative so it does
+@@ -914,3 +915,63 @@
+ attach_edns_record(buf, &es);
+ }
+ }
++
++void
++fixed_address_encode(sldns_buffer* buf, int r, struct query_info* qinfo,
++ uint16_t qid, uint16_t qflags, struct edns_data* edns, char* data)
++{
++ uint16_t flags;
++ uint8_t addr_data[16];
++ size_t addr_len = 16;
++ if (qinfo->qtype == LDNS_RR_TYPE_A) {
++ sldns_str2wire_a_buf(data, addr_data, &addr_len);
++ } else if (qinfo->qtype == LDNS_RR_TYPE_AAAA) {
++ sldns_str2wire_aaaa_buf(data, addr_data, &addr_len);
++ } else {
++ return error_encode(buf, LDNS_RCODE_NOERROR, qinfo, qid, qflags, edns);
++ }
++ sldns_buffer_clear(buf);
++ sldns_buffer_write(buf, &qid, sizeof(uint16_t));
++ flags = (uint16_t)(BIT_QR | BIT_RA | r); /* QR and retcode*/
++ flags |= (qflags & (BIT_RD|BIT_CD)); /* copy RD and CD bit */
++ sldns_buffer_write_u16(buf, flags);
++ if(qinfo) flags = 1;
++ else flags = 0;
++ sldns_buffer_write_u16(buf, flags);
++ sldns_buffer_write_u16(buf, 1);
++ flags = 0;
++ sldns_buffer_write(buf, &flags, sizeof(uint16_t));
++ sldns_buffer_write(buf, &flags, sizeof(uint16_t));
++ if(qinfo) {
++ // query
++ if(sldns_buffer_current(buf) == qinfo->qname)
++ sldns_buffer_skip(buf, (ssize_t)qinfo->qname_len);
++ else sldns_buffer_write(buf, qinfo->qname, qinfo->qname_len);
++ sldns_buffer_write_u16(buf, qinfo->qtype);
++ sldns_buffer_write_u16(buf, qinfo->qclass);
++ // faked answer
++ if(sldns_buffer_current(buf) == qinfo->qname)
++ sldns_buffer_skip(buf, (ssize_t)qinfo->qname_len);
++ else sldns_buffer_write(buf, qinfo->qname, qinfo->qname_len);
++ sldns_buffer_write_u16(buf, qinfo->qtype);
++ sldns_buffer_write_u16(buf, qinfo->qclass);
++ sldns_buffer_write_u16(buf, 0);
++ // TTL. Should we make this configurable too?
++ sldns_buffer_write_u16(buf, 5);
++ sldns_buffer_write_u16(buf, addr_len);
++ sldns_buffer_write(buf, addr_data, addr_len);
++ fflush(stderr);
++ }
++ sldns_buffer_flip(buf);
++ if(edns) {
++ struct edns_data es = *edns;
++ es.edns_version = EDNS_ADVERTISED_VERSION;
++ es.udp_size = EDNS_ADVERTISED_SIZE;
++ es.ext_rcode = 0;
++ es.bits &= EDNS_DO;
++ if(sldns_buffer_limit(buf) + calc_edns_field_size(&es) >
++ edns->udp_size)
++ return;
++ attach_edns_record(buf, &es);
++ }
++}
+Index: util/data/msgencode.h
+===================================================================
+--- util/data/msgencode.h (revision 4191)
++++ util/data/msgencode.h (working copy)
+@@ -128,4 +128,20 @@
+ void error_encode(struct sldns_buffer* pkt, int r, struct query_info* qinfo,
+ uint16_t qid, uint16_t qflags, struct edns_data* edns);
+
++/**
++ * Encode a fixed address response.
++ * This is a fake answer to either an A or AAA query
++ *
++ * It will answer with that address
++ *
++ * @param pkt: where to store the packet.
++ * @param r: RCODE value to encode.
++ * @param qinfo: if not NULL, the query is included.
++ * @param qid: query ID to set in packet. network order.
++ * @param qflags: original query flags (to copy RD and CD bits). host order.
++ * @param edns: if not NULL, this is the query edns info,
++ * and an edns reply is attached. Only attached if EDNS record fits reply.
++ */
++void fixed_address_encode(struct sldns_buffer* pkt, int r, struct query_info* qinfo,
++ uint16_t qid, uint16_t qflags, struct edns_data* edns, char* address);
+ #endif /* UTIL_DATA_MSGENCODE_H */
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index 3ddadfa95ee2..b3856690a4ca 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -7,7 +7,7 @@ WantedBy=multi-user.target
[Service]
ExecReload=/bin/kill -HUP $MAINPID
-ExecStart=/home/vagrant/unbound_systemd/unbound
+ExecStart=@UNBOUND_SBIN_DIR@/unbound
NotifyAccess=main
Type=notify
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
@@ -20,7 +20,7 @@ ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
-ReadWritePaths=/etc/unbound /run
+ReadWritePaths=@UNBOUND_SYSCONF_DIR@ @UNBOUND_LOCALSTATE_DIR@ /run @UNBOUND_RUN_DIR@
RestrictAddressFamilies=AF_INET AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
diff --git a/daemon/remote.c b/daemon/remote.c
index c15967c20888..bb41cc5df2db 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -124,7 +124,7 @@ timeval_subtract(struct timeval* d, const struct timeval* end,
/** divide sum of timers to get average */
static void
-timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
+timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
{
#ifndef S_SPLINT_S
size_t leftover;
@@ -260,10 +260,10 @@ daemon_remote_create(struct config_file* cfg)
return NULL;
}
#endif
-#ifdef SHA256_DIGEST_LENGTH
+#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
/* if we have sha256, set the cipher list to have no known vulns */
if(!SSL_CTX_set_cipher_list(rc->ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
- log_crypto_err("coult not set cipher list with SSL_CTX_set_cipher_list");
+ log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
#endif
if (cfg->remote_control_use_cert == 0) {
@@ -780,9 +780,9 @@ do_verbosity(SSL* ssl, char* str)
/** print stats from statinfo */
static int
-print_stats(SSL* ssl, const char* nm, struct stats_info* s)
+print_stats(SSL* ssl, const char* nm, struct ub_stats_info* s)
{
- struct timeval avg;
+ struct timeval sumwait, avg;
if(!ssl_printf(ssl, "%s.num.queries"SQ"%lu\n", nm,
(unsigned long)s->svr.num_queries)) return 0;
if(!ssl_printf(ssl, "%s.num.queries_ip_ratelimited"SQ"%lu\n", nm,
@@ -799,19 +799,19 @@ print_stats(SSL* ssl, const char* nm, struct stats_info* s)
if(!ssl_printf(ssl, "%s.num.recursivereplies"SQ"%lu\n", nm,
(unsigned long)s->mesh_replies_sent)) return 0;
#ifdef USE_DNSCRYPT
- if(!ssl_printf(ssl, "%s.num.dnscrypt.crypted"SQ"%lu\n", nm,
- (unsigned long)s->svr.num_query_dnscrypt_crypted)) return 0;
- if(!ssl_printf(ssl, "%s.num.dnscrypt.cert"SQ"%lu\n", nm,
- (unsigned long)s->svr.num_query_dnscrypt_cert)) return 0;
- if(!ssl_printf(ssl, "%s.num.dnscrypt.cleartext"SQ"%lu\n", nm,
- (unsigned long)s->svr.num_query_dnscrypt_cleartext)) return 0;
- if(!ssl_printf(ssl, "%s.num.dnscrypt.malformed"SQ"%lu\n", nm,
- (unsigned long)s->svr.num_query_dnscrypt_crypted_malformed)) return 0;
+ if(!ssl_printf(ssl, "%s.num.dnscrypt.crypted"SQ"%lu\n", nm,
+ (unsigned long)s->svr.num_query_dnscrypt_crypted)) return 0;
+ if(!ssl_printf(ssl, "%s.num.dnscrypt.cert"SQ"%lu\n", nm,
+ (unsigned long)s->svr.num_query_dnscrypt_cert)) return 0;
+ if(!ssl_printf(ssl, "%s.num.dnscrypt.cleartext"SQ"%lu\n", nm,
+ (unsigned long)s->svr.num_query_dnscrypt_cleartext)) return 0;
+ if(!ssl_printf(ssl, "%s.num.dnscrypt.malformed"SQ"%lu\n", nm,
+ (unsigned long)s->svr.num_query_dnscrypt_crypted_malformed)) return 0;
#endif
if(!ssl_printf(ssl, "%s.requestlist.avg"SQ"%g\n", nm,
(s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)?
(double)s->svr.sum_query_list_size/
- (s->svr.num_queries_missed_cache+
+ (double)(s->svr.num_queries_missed_cache+
s->svr.num_queries_prefetch) : 0.0)) return 0;
if(!ssl_printf(ssl, "%s.requestlist.max"SQ"%lu\n", nm,
(unsigned long)s->svr.max_query_list_size)) return 0;
@@ -823,7 +823,11 @@ print_stats(SSL* ssl, const char* nm, struct stats_info* s)
(unsigned long)s->mesh_num_states)) return 0;
if(!ssl_printf(ssl, "%s.requestlist.current.user"SQ"%lu\n", nm,
(unsigned long)s->mesh_num_reply_states)) return 0;
- timeval_divide(&avg, &s->mesh_replies_sum_wait, s->mesh_replies_sent);
+#ifndef S_SPLINT_S
+ sumwait.tv_sec = s->mesh_replies_sum_wait_sec;
+ sumwait.tv_usec = s->mesh_replies_sum_wait_usec;
+#endif
+ timeval_divide(&avg, &sumwait, s->mesh_replies_sent);
if(!ssl_printf(ssl, "%s.recursion.time.avg"SQ ARG_LL "d.%6.6d\n", nm,
(long long)avg.tv_sec, (int)avg.tv_usec)) return 0;
if(!ssl_printf(ssl, "%s.recursion.time.median"SQ"%g\n", nm,
@@ -835,7 +839,7 @@ print_stats(SSL* ssl, const char* nm, struct stats_info* s)
/** print stats for one thread */
static int
-print_thread_stats(SSL* ssl, int i, struct stats_info* s)
+print_thread_stats(SSL* ssl, int i, struct ub_stats_info* s)
{
char nm[16];
snprintf(nm, sizeof(nm), "thread%d", i);
@@ -862,46 +866,24 @@ print_longnum(SSL* ssl, const char* desc, size_t x)
static int
print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
{
- int m;
size_t msg, rrset, val, iter, respip;
#ifdef CLIENT_SUBNET
size_t subnet = 0;
#endif /* CLIENT_SUBNET */
+#ifdef USE_IPSECMOD
+ size_t ipsecmod = 0;
+#endif /* USE_IPSECMOD */
msg = slabhash_get_mem(daemon->env->msg_cache);
rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
- val=0;
- iter=0;
- respip=0;
- m = modstack_find(&worker->env.mesh->mods, "validator");
- if(m != -1) {
- fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
- mods.mod[m]->get_mem));
- val = (*worker->env.mesh->mods.mod[m]->get_mem)
- (&worker->env, m);
- }
- m = modstack_find(&worker->env.mesh->mods, "iterator");
- if(m != -1) {
- fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
- mods.mod[m]->get_mem));
- iter = (*worker->env.mesh->mods.mod[m]->get_mem)
- (&worker->env, m);
- }
- m = modstack_find(&worker->env.mesh->mods, "respip");
- if(m != -1) {
- fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
- mods.mod[m]->get_mem));
- respip = (*worker->env.mesh->mods.mod[m]->get_mem)
- (&worker->env, m);
- }
+ val = mod_get_mem(&worker->env, "validator");
+ iter = mod_get_mem(&worker->env, "iterator");
+ respip = mod_get_mem(&worker->env, "respip");
#ifdef CLIENT_SUBNET
- m = modstack_find(&worker->env.mesh->mods, "subnet");
- if(m != -1) {
- fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
- mods.mod[m]->get_mem));
- subnet = (*worker->env.mesh->mods.mod[m]->get_mem)
- (&worker->env, m);
- }
+ subnet = mod_get_mem(&worker->env, "subnet");
#endif /* CLIENT_SUBNET */
+#ifdef USE_IPSECMOD
+ ipsecmod = mod_get_mem(&worker->env, "ipsecmod");
+#endif /* USE_IPSECMOD */
if(!print_longnum(ssl, "mem.cache.rrset"SQ, rrset))
return 0;
@@ -917,6 +899,10 @@ print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
if(!print_longnum(ssl, "mem.mod.subnet"SQ, subnet))
return 0;
#endif /* CLIENT_SUBNET */
+#ifdef USE_IPSECMOD
+ if(!print_longnum(ssl, "mem.mod.ipsecmod"SQ, ipsecmod))
+ return 0;
+#endif /* USE_IPSECMOD */
return 1;
}
@@ -941,7 +927,7 @@ print_uptime(SSL* ssl, struct worker* worker, int reset)
/** print extended histogram */
static int
-print_hist(SSL* ssl, struct stats_info* s)
+print_hist(SSL* ssl, struct ub_stats_info* s)
{
struct timehist* hist;
size_t i;
@@ -969,14 +955,14 @@ print_hist(SSL* ssl, struct stats_info* s)
/** print extended stats */
static int
-print_ext(SSL* ssl, struct stats_info* s)
+print_ext(SSL* ssl, struct ub_stats_info* s)
{
int i;
char nm[16];
const sldns_rr_descriptor* desc;
const sldns_lookup_table* lt;
/* TYPE */
- for(i=0; i<STATS_QTYPE_NUM; i++) {
+ for(i=0; i<UB_STATS_QTYPE_NUM; i++) {
if(inhibit_zero && s->svr.qtype[i] == 0)
continue;
desc = sldns_rr_descript((uint16_t)i);
@@ -1003,7 +989,7 @@ print_ext(SSL* ssl, struct stats_info* s)
(unsigned long)s->svr.qtype_big)) return 0;
}
/* CLASS */
- for(i=0; i<STATS_QCLASS_NUM; i++) {
+ for(i=0; i<UB_STATS_QCLASS_NUM; i++) {
if(inhibit_zero && s->svr.qclass[i] == 0)
continue;
lt = sldns_lookup_by_id(sldns_rr_classes, i);
@@ -1020,7 +1006,7 @@ print_ext(SSL* ssl, struct stats_info* s)
(unsigned long)s->svr.qclass_big)) return 0;
}
/* OPCODE */
- for(i=0; i<STATS_OPCODE_NUM; i++) {
+ for(i=0; i<UB_STATS_OPCODE_NUM; i++) {
if(inhibit_zero && s->svr.qopcode[i] == 0)
continue;
lt = sldns_lookup_by_id(sldns_opcodes, i);
@@ -1062,7 +1048,7 @@ print_ext(SSL* ssl, struct stats_info* s)
(unsigned long)s->svr.qEDNS_DO)) return 0;
/* RCODE */
- for(i=0; i<STATS_RCODE_NUM; i++) {
+ for(i=0; i<UB_STATS_RCODE_NUM; i++) {
/* Always include RCODEs 0-5 */
if(inhibit_zero && i > LDNS_RCODE_REFUSED && s->svr.ans_rcode[i] == 0)
continue;
@@ -1108,8 +1094,8 @@ static void
do_stats(SSL* ssl, struct daemon_remote* rc, int reset)
{
struct daemon* daemon = rc->worker->daemon;
- struct stats_info total;
- struct stats_info s;
+ struct ub_stats_info total;
+ struct ub_stats_info s;
int i;
log_assert(daemon->num > 0);
/* gather all thread statistics in one place */
@@ -1407,6 +1393,14 @@ do_view_zone_add(SSL* ssl, struct worker* worker, char* arg)
ssl_printf(ssl,"error out of memory\n");
return;
}
+ if(!v->isfirst) {
+ /* Global local-zone is not used for this view,
+ * therefore add defaults to this view-specic
+ * local-zone. */
+ struct config_file lz_cfg;
+ memset(&lz_cfg, 0, sizeof(lz_cfg));
+ local_zone_enter_defaults(v->local_zones, &lz_cfg);
+ }
}
do_zone_add(ssl, v->local_zones, arg2);
lock_rw_unlock(&v->lock);
diff --git a/daemon/stats.c b/daemon/stats.c
index 3665616be8be..599f39bcddda 100644
--- a/daemon/stats.c
+++ b/daemon/stats.c
@@ -63,42 +63,42 @@
/** add timers and the values do not overflow or become negative */
static void
-timeval_add(struct timeval* d, const struct timeval* add)
+stats_timeval_add(long long* d_sec, long long* d_usec, long long add_sec, long long add_usec)
{
#ifndef S_SPLINT_S
- d->tv_sec += add->tv_sec;
- d->tv_usec += add->tv_usec;
- if(d->tv_usec > 1000000) {
- d->tv_usec -= 1000000;
- d->tv_sec++;
+ (*d_sec) += add_sec;
+ (*d_usec) += add_usec;
+ if((*d_usec) > 1000000) {
+ (*d_usec) -= 1000000;
+ (*d_sec)++;
}
#endif
}
-void server_stats_init(struct server_stats* stats, struct config_file* cfg)
+void server_stats_init(struct ub_server_stats* stats, struct config_file* cfg)
{
memset(stats, 0, sizeof(*stats));
stats->extended = cfg->stat_extended;
}
-void server_stats_querymiss(struct server_stats* stats, struct worker* worker)
+void server_stats_querymiss(struct ub_server_stats* stats, struct worker* worker)
{
stats->num_queries_missed_cache++;
stats->sum_query_list_size += worker->env.mesh->all.count;
- if(worker->env.mesh->all.count > stats->max_query_list_size)
- stats->max_query_list_size = worker->env.mesh->all.count;
+ if((long long)worker->env.mesh->all.count > stats->max_query_list_size)
+ stats->max_query_list_size = (long long)worker->env.mesh->all.count;
}
-void server_stats_prefetch(struct server_stats* stats, struct worker* worker)
+void server_stats_prefetch(struct ub_server_stats* stats, struct worker* worker)
{
stats->num_queries_prefetch++;
/* changes the query list size so account that, like a querymiss */
stats->sum_query_list_size += worker->env.mesh->all.count;
- if(worker->env.mesh->all.count > stats->max_query_list_size)
- stats->max_query_list_size = worker->env.mesh->all.count;
+ if((long long)worker->env.mesh->all.count > stats->max_query_list_size)
+ stats->max_query_list_size = (long long)worker->env.mesh->all.count;
}
-void server_stats_log(struct server_stats* stats, struct worker* worker,
+void server_stats_log(struct ub_server_stats* stats, struct worker* worker,
int threadnum)
{
log_info("server stats for thread %d: %u queries, "
@@ -115,7 +115,7 @@ void server_stats_log(struct server_stats* stats, struct worker* worker,
(unsigned)stats->max_query_list_size,
(stats->num_queries_missed_cache+stats->num_queries_prefetch)?
(double)stats->sum_query_list_size/
- (stats->num_queries_missed_cache+
+ (double)(stats->num_queries_missed_cache+
stats->num_queries_prefetch) : 0.0,
(unsigned)worker->env.mesh->stats_dropped,
(unsigned)worker->env.mesh->stats_jostled);
@@ -140,49 +140,50 @@ get_rrset_bogus(struct worker* worker)
}
void
-server_stats_compile(struct worker* worker, struct stats_info* s, int reset)
+server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
{
int i;
struct listen_list* lp;
s->svr = worker->stats;
- s->mesh_num_states = worker->env.mesh->all.count;
- s->mesh_num_reply_states = worker->env.mesh->num_reply_states;
- s->mesh_jostled = worker->env.mesh->stats_jostled;
- s->mesh_dropped = worker->env.mesh->stats_dropped;
- s->mesh_replies_sent = worker->env.mesh->replies_sent;
- s->mesh_replies_sum_wait = worker->env.mesh->replies_sum_wait;
+ s->mesh_num_states = (long long)worker->env.mesh->all.count;
+ s->mesh_num_reply_states = (long long)worker->env.mesh->num_reply_states;
+ s->mesh_jostled = (long long)worker->env.mesh->stats_jostled;
+ s->mesh_dropped = (long long)worker->env.mesh->stats_dropped;
+ s->mesh_replies_sent = (long long)worker->env.mesh->replies_sent;
+ s->mesh_replies_sum_wait_sec = (long long)worker->env.mesh->replies_sum_wait.tv_sec;
+ s->mesh_replies_sum_wait_usec = (long long)worker->env.mesh->replies_sum_wait.tv_usec;
s->mesh_time_median = timehist_quartile(worker->env.mesh->histogram,
0.50);
/* add in the values from the mesh */
- s->svr.ans_secure += worker->env.mesh->ans_secure;
- s->svr.ans_bogus += worker->env.mesh->ans_bogus;
- s->svr.ans_rcode_nodata += worker->env.mesh->ans_nodata;
+ s->svr.ans_secure += (long long)worker->env.mesh->ans_secure;
+ s->svr.ans_bogus += (long long)worker->env.mesh->ans_bogus;
+ s->svr.ans_rcode_nodata += (long long)worker->env.mesh->ans_nodata;
for(i=0; i<16; i++)
- s->svr.ans_rcode[i] += worker->env.mesh->ans_rcode[i];
+ s->svr.ans_rcode[i] += (long long)worker->env.mesh->ans_rcode[i];
timehist_export(worker->env.mesh->histogram, s->svr.hist,
NUM_BUCKETS_HIST);
/* values from outside network */
- s->svr.unwanted_replies = worker->back->unwanted_replies;
- s->svr.qtcp_outgoing = worker->back->num_tcp_outgoing;
+ s->svr.unwanted_replies = (long long)worker->back->unwanted_replies;
+ s->svr.qtcp_outgoing = (long long)worker->back->num_tcp_outgoing;
/* get and reset validator rrset bogus number */
- s->svr.rrset_bogus = get_rrset_bogus(worker);
+ s->svr.rrset_bogus = (long long)get_rrset_bogus(worker);
/* get cache sizes */
- s->svr.msg_cache_count = count_slabhash_entries(worker->env.msg_cache);
- s->svr.rrset_cache_count = count_slabhash_entries(&worker->env.rrset_cache->table);
- s->svr.infra_cache_count = count_slabhash_entries(worker->env.infra_cache->hosts);
+ s->svr.msg_cache_count = (long long)count_slabhash_entries(worker->env.msg_cache);
+ s->svr.rrset_cache_count = (long long)count_slabhash_entries(&worker->env.rrset_cache->table);
+ s->svr.infra_cache_count = (long long)count_slabhash_entries(worker->env.infra_cache->hosts);
if(worker->env.key_cache)
- s->svr.key_cache_count = count_slabhash_entries(worker->env.key_cache->slab);
+ s->svr.key_cache_count = (long long)count_slabhash_entries(worker->env.key_cache->slab);
else s->svr.key_cache_count = 0;
/* get tcp accept usage */
s->svr.tcp_accept_usage = 0;
for(lp = worker->front->cps; lp; lp = lp->next) {
if(lp->com->type == comm_tcp_accept)
- s->svr.tcp_accept_usage += lp->com->cur_tcp_count;
+ s->svr.tcp_accept_usage += (long long)lp->com->cur_tcp_count;
}
if(reset && !worker->env.cfg->stat_cumulative) {
@@ -191,7 +192,7 @@ server_stats_compile(struct worker* worker, struct stats_info* s, int reset)
}
void server_stats_obtain(struct worker* worker, struct worker* who,
- struct stats_info* s, int reset)
+ struct ub_stats_info* s, int reset)
{
uint8_t *reply = NULL;
uint32_t len = 0;
@@ -217,7 +218,7 @@ void server_stats_obtain(struct worker* worker, struct worker* who,
void server_stats_reply(struct worker* worker, int reset)
{
- struct stats_info s;
+ struct ub_stats_info s;
server_stats_compile(worker, &s, reset);
verbose(VERB_ALGO, "write stats replymsg");
if(!tube_write_msg(worker->daemon->workers[0]->cmd,
@@ -225,7 +226,7 @@ void server_stats_reply(struct worker* worker, int reset)
fatal_exit("could not write stat values over cmd channel");
}
-void server_stats_add(struct stats_info* total, struct stats_info* a)
+void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
{
total->svr.num_queries += a->svr.num_queries;
total->svr.num_queries_ip_ratelimited += a->svr.num_queries_ip_ratelimited;
@@ -233,12 +234,12 @@ void server_stats_add(struct stats_info* total, struct stats_info* a)
total->svr.num_queries_prefetch += a->svr.num_queries_prefetch;
total->svr.sum_query_list_size += a->svr.sum_query_list_size;
#ifdef USE_DNSCRYPT
- total->svr.num_query_dnscrypt_crypted += a->svr.num_query_dnscrypt_crypted;
- total->svr.num_query_dnscrypt_cert += a->svr.num_query_dnscrypt_cert;
- total->svr.num_query_dnscrypt_cleartext += \
- a->svr.num_query_dnscrypt_cleartext;
- total->svr.num_query_dnscrypt_crypted_malformed += \
- a->svr.num_query_dnscrypt_crypted_malformed;
+ total->svr.num_query_dnscrypt_crypted += a->svr.num_query_dnscrypt_crypted;
+ total->svr.num_query_dnscrypt_cert += a->svr.num_query_dnscrypt_cert;
+ total->svr.num_query_dnscrypt_cleartext += \
+ a->svr.num_query_dnscrypt_cleartext;
+ total->svr.num_query_dnscrypt_crypted_malformed += \
+ a->svr.num_query_dnscrypt_crypted_malformed;
#endif
/* the max size reached is upped to higher of both */
if(a->svr.max_query_list_size > total->svr.max_query_list_size)
@@ -269,13 +270,13 @@ void server_stats_add(struct stats_info* total, struct stats_info* a)
total->svr.unwanted_replies += a->svr.unwanted_replies;
total->svr.unwanted_queries += a->svr.unwanted_queries;
total->svr.tcp_accept_usage += a->svr.tcp_accept_usage;
- for(i=0; i<STATS_QTYPE_NUM; i++)
+ for(i=0; i<UB_STATS_QTYPE_NUM; i++)
total->svr.qtype[i] += a->svr.qtype[i];
- for(i=0; i<STATS_QCLASS_NUM; i++)
+ for(i=0; i<UB_STATS_QCLASS_NUM; i++)
total->svr.qclass[i] += a->svr.qclass[i];
- for(i=0; i<STATS_OPCODE_NUM; i++)
+ for(i=0; i<UB_STATS_OPCODE_NUM; i++)
total->svr.qopcode[i] += a->svr.qopcode[i];
- for(i=0; i<STATS_RCODE_NUM; i++)
+ for(i=0; i<UB_STATS_RCODE_NUM; i++)
total->svr.ans_rcode[i] += a->svr.ans_rcode[i];
for(i=0; i<NUM_BUCKETS_HIST; i++)
total->svr.hist[i] += a->svr.hist[i];
@@ -286,22 +287,22 @@ void server_stats_add(struct stats_info* total, struct stats_info* a)
total->mesh_jostled += a->mesh_jostled;
total->mesh_dropped += a->mesh_dropped;
total->mesh_replies_sent += a->mesh_replies_sent;
- timeval_add(&total->mesh_replies_sum_wait, &a->mesh_replies_sum_wait);
+ stats_timeval_add(&total->mesh_replies_sum_wait_sec, &total->mesh_replies_sum_wait_usec, a->mesh_replies_sum_wait_sec, a->mesh_replies_sum_wait_usec);
/* the medians are averaged together, this is not as accurate as
* taking the median over all of the data, but is good and fast
* added up here, division later*/
total->mesh_time_median += a->mesh_time_median;
}
-void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
+void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
uint16_t qtype, uint16_t qclass, struct edns_data* edns,
struct comm_reply* repinfo)
{
uint16_t flags = sldns_buffer_read_u16_at(c->buffer, 2);
- if(qtype < STATS_QTYPE_NUM)
+ if(qtype < UB_STATS_QTYPE_NUM)
stats->qtype[qtype]++;
else stats->qtype_big++;
- if(qclass < STATS_QCLASS_NUM)
+ if(qclass < UB_STATS_QCLASS_NUM)
stats->qclass[qclass]++;
else stats->qclass_big++;
stats->qopcode[ LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) ]++;
@@ -332,7 +333,7 @@ void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
}
}
-void server_stats_insrcode(struct server_stats* stats, sldns_buffer* buf)
+void server_stats_insrcode(struct ub_server_stats* stats, sldns_buffer* buf)
{
if(stats->extended && sldns_buffer_limit(buf) != 0) {
int r = (int)LDNS_RCODE_WIRE( sldns_buffer_begin(buf) );
diff --git a/daemon/stats.h b/daemon/stats.h
index 39c4d21c5774..4e5e6cf8aed5 100644
--- a/daemon/stats.h
+++ b/daemon/stats.h
@@ -43,7 +43,6 @@
#ifndef DAEMON_STATS_H
#define DAEMON_STATS_H
#include "util/timehist.h"
-#include "dnscrypt/dnscrypt_config.h"
struct worker;
struct config_file;
struct comm_point;
@@ -51,156 +50,24 @@ struct comm_reply;
struct edns_data;
struct sldns_buffer;
-/** number of qtype that is stored for in array */
-#define STATS_QTYPE_NUM 256
-/** number of qclass that is stored for in array */
-#define STATS_QCLASS_NUM 256
-/** number of rcodes in stats */
-#define STATS_RCODE_NUM 16
-/** number of opcodes in stats */
-#define STATS_OPCODE_NUM 16
-
-/** per worker statistics */
-struct server_stats {
- /** number of queries from clients received. */
- size_t num_queries;
- /** number of queries that have been dropped/ratelimited by ip. */
- size_t num_queries_ip_ratelimited;
- /** number of queries that had a cache-miss. */
- size_t num_queries_missed_cache;
- /** number of prefetch queries - cachehits with prefetch */
- size_t num_queries_prefetch;
-
- /**
- * Sum of the querylistsize of the worker for
- * every query that missed cache. To calculate average.
- */
- size_t sum_query_list_size;
- /** max value of query list size reached. */
- size_t max_query_list_size;
-
- /** Extended stats below (bool) */
- int extended;
-
- /** qtype stats */
- size_t qtype[STATS_QTYPE_NUM];
- /** bigger qtype values not in array */
- size_t qtype_big;
- /** qclass stats */
- size_t qclass[STATS_QCLASS_NUM];
- /** bigger qclass values not in array */
- size_t qclass_big;
- /** query opcodes */
- size_t qopcode[STATS_OPCODE_NUM];
- /** number of queries over TCP */
- size_t qtcp;
- /** number of outgoing queries over TCP */
- size_t qtcp_outgoing;
- /** number of queries over IPv6 */
- size_t qipv6;
- /** number of queries with QR bit */
- size_t qbit_QR;
- /** number of queries with AA bit */
- size_t qbit_AA;
- /** number of queries with TC bit */
- size_t qbit_TC;
- /** number of queries with RD bit */
- size_t qbit_RD;
- /** number of queries with RA bit */
- size_t qbit_RA;
- /** number of queries with Z bit */
- size_t qbit_Z;
- /** number of queries with AD bit */
- size_t qbit_AD;
- /** number of queries with CD bit */
- size_t qbit_CD;
- /** number of queries with EDNS OPT record */
- size_t qEDNS;
- /** number of queries with EDNS with DO flag */
- size_t qEDNS_DO;
- /** answer rcodes */
- size_t ans_rcode[STATS_RCODE_NUM];
- /** answers with pseudo rcode 'nodata' */
- size_t ans_rcode_nodata;
- /** answers that were secure (AD) */
- size_t ans_secure;
- /** answers that were bogus (withheld as SERVFAIL) */
- size_t ans_bogus;
- /** rrsets marked bogus by validator */
- size_t rrset_bogus;
- /** unwanted traffic received on server-facing ports */
- size_t unwanted_replies;
- /** unwanted traffic received on client-facing ports */
- size_t unwanted_queries;
- /** usage of tcp accept list */
- size_t tcp_accept_usage;
- /** answers served from expired cache */
- size_t zero_ttl_responses;
- /** histogram data exported to array
- * if the array is the same size, no data is lost, and
- * if all histograms are same size (is so by default) then
- * adding up works well. */
- size_t hist[NUM_BUCKETS_HIST];
-
- /** number of message cache entries */
- size_t msg_cache_count;
- /** number of rrset cache entries */
- size_t rrset_cache_count;
- /** number of infra cache entries */
- size_t infra_cache_count;
- /** number of key cache entries */
- size_t key_cache_count;
-#ifdef USE_DNSCRYPT
- /** number of queries that used dnscrypt */
- size_t num_query_dnscrypt_crypted;
- /** number of queries that queried dnscrypt certificates */
- size_t num_query_dnscrypt_cert;
- /** number of queries in clear text and not asking for the certificates */
- size_t num_query_dnscrypt_cleartext;
- /** number of malformed encrypted queries */
- size_t num_query_dnscrypt_crypted_malformed;
-#endif
-};
-
-/**
- * Statistics to send over the control pipe when asked
- * This struct is made to be memcpied, sent in binary.
- */
-struct stats_info {
- /** the thread stats */
- struct server_stats svr;
-
- /** mesh stats: current number of states */
- size_t mesh_num_states;
- /** mesh stats: current number of reply (user) states */
- size_t mesh_num_reply_states;
- /** mesh stats: number of reply states overwritten with a new one */
- size_t mesh_jostled;
- /** mesh stats: number of incoming queries dropped */
- size_t mesh_dropped;
- /** mesh stats: replies sent */
- size_t mesh_replies_sent;
- /** mesh stats: sum of waiting times for the replies */
- struct timeval mesh_replies_sum_wait;
- /** mesh stats: median of waiting times for replies (in sec) */
- double mesh_time_median;
-};
+/* stats struct */
+#include "libunbound/unbound.h"
/**
* Initialize server stats to 0.
* @param stats: what to init (this is alloced by the caller).
* @param cfg: with extended statistics option.
*/
-void server_stats_init(struct server_stats* stats, struct config_file* cfg);
+void server_stats_init(struct ub_server_stats* stats, struct config_file* cfg);
/** add query if it missed the cache */
-void server_stats_querymiss(struct server_stats* stats, struct worker* worker);
+void server_stats_querymiss(struct ub_server_stats* stats, struct worker* worker);
/** add query if was cached and also resulted in a prefetch */
-void server_stats_prefetch(struct server_stats* stats, struct worker* worker);
+void server_stats_prefetch(struct ub_server_stats* stats, struct worker* worker);
/** display the stats to the log */
-void server_stats_log(struct server_stats* stats, struct worker* worker,
+void server_stats_log(struct ub_server_stats* stats, struct worker* worker,
int threadnum);
/**
@@ -211,7 +78,7 @@ void server_stats_log(struct server_stats* stats, struct worker* worker,
* @param reset: if stats can be reset.
*/
void server_stats_obtain(struct worker* worker, struct worker* who,
- struct stats_info* s, int reset);
+ struct ub_stats_info* s, int reset);
/**
* Compile stats into structure for this thread worker.
@@ -221,7 +88,7 @@ void server_stats_obtain(struct worker* worker, struct worker* who,
* @param reset: if true, depending on config stats are reset.
* if false, statistics are not reset.
*/
-void server_stats_compile(struct worker* worker, struct stats_info* s,
+void server_stats_compile(struct worker* worker, struct ub_stats_info* s,
int reset);
/**
@@ -237,7 +104,7 @@ void server_stats_reply(struct worker* worker, int reset);
* @param total: sum of the two entries.
* @param a: to add to it.
*/
-void server_stats_add(struct stats_info* total, struct stats_info* a);
+void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a);
/**
* Add stats for this query
@@ -248,7 +115,7 @@ void server_stats_add(struct stats_info* total, struct stats_info* a);
* @param edns: edns record
* @param repinfo: reply info with remote address
*/
-void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
+void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
uint16_t qtype, uint16_t qclass, struct edns_data* edns,
struct comm_reply* repinfo);
@@ -257,6 +124,6 @@ void server_stats_insquery(struct server_stats* stats, struct comm_point* c,
* @param stats: the stats
* @param buf: buffer with rcode. If buffer is length0: not counted.
*/
-void server_stats_insrcode(struct server_stats* stats, struct sldns_buffer* buf);
+void server_stats_insrcode(struct ub_server_stats* stats, struct sldns_buffer* buf);
#endif /* DAEMON_STATS_H */
diff --git a/daemon/worker.c b/daemon/worker.c
index b1cc974aa2e2..2c4cf5ba6c0a 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -811,7 +811,9 @@ chaos_replystr(sldns_buffer* pkt, char** str, int num, struct edns_data* edns,
if(!inplace_cb_reply_local_call(&worker->env, NULL, NULL, NULL,
LDNS_RCODE_NOERROR, edns, worker->scratchpad))
edns->opt_list = NULL;
- attach_edns_record(pkt, edns);
+ if(sldns_buffer_capacity(pkt) >=
+ sldns_buffer_limit(pkt)+calc_edns_field_size(edns))
+ attach_edns_record(pkt, edns);
}
/** Reply with one string */
@@ -1014,43 +1016,48 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
return 0;
}
#ifdef USE_DNSCRYPT
- repinfo->max_udp_size = worker->daemon->cfg->max_udp_size;
- if(!dnsc_handle_curved_request(worker->daemon->dnscenv, repinfo)) {
- worker->stats.num_query_dnscrypt_crypted_malformed++;
- return 0;
- }
- if(c->dnscrypt && !repinfo->is_dnscrypted) {
- char buf[LDNS_MAX_DOMAINLEN+1];
- // Check if this is unencrypted and asking for certs
- if(worker_check_request(c->buffer, worker) != 0) {
- verbose(VERB_ALGO, "dnscrypt: worker check request: bad query.");
- log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
- comm_point_drop_reply(repinfo);
- return 0;
- }
- if(!query_info_parse(&qinfo, c->buffer)) {
- verbose(VERB_ALGO, "dnscrypt: worker parse request: formerror.");
- log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
- comm_point_drop_reply(repinfo);
- return 0;
- }
- dname_str(qinfo.qname, buf);
- if(!(qinfo.qtype == LDNS_RR_TYPE_TXT &&
- strcasecmp(buf, worker->daemon->dnscenv->provider_name) == 0)) {
- verbose(VERB_ALGO,
- "dnscrypt: not TXT %s. Receive: %s %s",
- worker->daemon->dnscenv->provider_name,
- sldns_rr_descript(qinfo.qtype)->_name,
- buf);
- comm_point_drop_reply(repinfo);
- worker->stats.num_query_dnscrypt_cleartext++;
- return 0;
- }
- worker->stats.num_query_dnscrypt_cert++;
- sldns_buffer_rewind(c->buffer);
- } else if(c->dnscrypt && repinfo->is_dnscrypted) {
- worker->stats.num_query_dnscrypt_crypted++;
- }
+ repinfo->max_udp_size = worker->daemon->cfg->max_udp_size;
+ if(!dnsc_handle_curved_request(worker->daemon->dnscenv, repinfo)) {
+ worker->stats.num_query_dnscrypt_crypted_malformed++;
+ return 0;
+ }
+ if(c->dnscrypt && !repinfo->is_dnscrypted) {
+ char buf[LDNS_MAX_DOMAINLEN+1];
+ /* Check if this is unencrypted and asking for certs */
+ if(worker_check_request(c->buffer, worker) != 0) {
+ verbose(VERB_ALGO,
+ "dnscrypt: worker check request: bad query.");
+ log_addr(VERB_CLIENT,"from",&repinfo->addr,
+ repinfo->addrlen);
+ comm_point_drop_reply(repinfo);
+ return 0;
+ }
+ if(!query_info_parse(&qinfo, c->buffer)) {
+ verbose(VERB_ALGO,
+ "dnscrypt: worker parse request: formerror.");
+ log_addr(VERB_CLIENT, "from", &repinfo->addr,
+ repinfo->addrlen);
+ comm_point_drop_reply(repinfo);
+ return 0;
+ }
+ dname_str(qinfo.qname, buf);
+ if(!(qinfo.qtype == LDNS_RR_TYPE_TXT &&
+ strcasecmp(buf,
+ worker->daemon->dnscenv->provider_name) == 0)) {
+ verbose(VERB_ALGO,
+ "dnscrypt: not TXT %s. Receive: %s %s",
+ worker->daemon->dnscenv->provider_name,
+ sldns_rr_descript(qinfo.qtype)->_name,
+ buf);
+ comm_point_drop_reply(repinfo);
+ worker->stats.num_query_dnscrypt_cleartext++;
+ return 0;
+ }
+ worker->stats.num_query_dnscrypt_cert++;
+ sldns_buffer_rewind(c->buffer);
+ } else if(c->dnscrypt && repinfo->is_dnscrypted) {
+ worker->stats.num_query_dnscrypt_crypted++;
+ }
#endif
#ifdef USE_DNSTAP
if(worker->dtenv.log_client_query_messages)
@@ -1182,7 +1189,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
error_encode(c->buffer, EDNS_RCODE_BADVERS&0xf, &qinfo,
*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
sldns_buffer_read_u16_at(c->buffer, 2), NULL);
- attach_edns_record(c->buffer, &edns);
+ if(sldns_buffer_capacity(c->buffer) >=
+ sldns_buffer_limit(c->buffer)+calc_edns_field_size(&edns))
+ attach_edns_record(c->buffer, &edns);
regional_free_all(worker->scratchpad);
goto send_reply;
}
@@ -1420,9 +1429,9 @@ send_reply_rc:
tv, 1, c->buffer);
}
#ifdef USE_DNSCRYPT
- if(!dnsc_handle_uncurved_request(repinfo)) {
- return 0;
- }
+ if(!dnsc_handle_uncurved_request(repinfo)) {
+ return 0;
+ }
#endif
return rc;
}
@@ -1664,6 +1673,7 @@ worker_init(struct worker* worker, struct config_file *cfg,
worker->env.mesh = mesh_create(&worker->daemon->mods, &worker->env);
worker->env.detach_subs = &mesh_detach_subs;
worker->env.attach_sub = &mesh_attach_sub;
+ worker->env.add_sub = &mesh_add_sub;
worker->env.kill_sub = &mesh_state_delete;
worker->env.detect_cycle = &mesh_detect_cycle;
worker->env.scratch_buffer = sldns_buffer_new(cfg->msg_buffer_size);
diff --git a/daemon/worker.h b/daemon/worker.h
index 0d7ce9521610..3887d0405ae6 100644
--- a/daemon/worker.h
+++ b/daemon/worker.h
@@ -116,7 +116,7 @@ struct worker {
/** allocation cache for this thread */
struct alloc_cache alloc;
/** per thread statistics */
- struct server_stats stats;
+ struct ub_server_stats stats;
/** thread scratch regional */
struct regional* scratchpad;
diff --git a/dnscrypt/cert.h b/dnscrypt/cert.h
index 044f49f2642c..7cad146d9498 100644
--- a/dnscrypt/cert.h
+++ b/dnscrypt/cert.h
@@ -20,12 +20,12 @@ struct SignedCert {
uint8_t version_minor[2];
// Signed Content
+ uint8_t signed_content[64];
uint8_t server_publickey[crypto_box_PUBLICKEYBYTES];
uint8_t magic_query[8];
uint8_t serial[4];
uint8_t ts_begin[4];
uint8_t ts_end[4];
- uint8_t end[64];
};
diff --git a/dnscrypt/dnscrypt.c b/dnscrypt/dnscrypt.c
index 56903e6513f3..9e858c3fb061 100644
--- a/dnscrypt/dnscrypt.c
+++ b/dnscrypt/dnscrypt.c
@@ -15,6 +15,7 @@
#include "dnscrypt/cert.h"
#include "dnscrypt/dnscrypt.h"
+#include "dnscrypt/dnscrypt_config.h"
#include <ctype.h>
@@ -35,18 +36,18 @@
(DNSCRYPT_MAGIC_HEADER_LEN + crypto_box_HALF_NONCEBYTES + crypto_box_HALF_NONCEBYTES)
/**
- * Decrypt a query using the keypair that was found using dnsc_find_keypair.
+ * Decrypt a query using the dnsccert that was found using dnsc_find_cert.
* The client nonce will be extracted from the encrypted query and stored in
* client_nonce, a shared secret will be computed and stored in nmkey and the
* buffer will be decrypted inplace.
- * \param[in] keypair the keypair that matches this encrypted query.
+ * \param[in] cert the cert that matches this encrypted query.
* \param[in] client_nonce where the client nonce will be stored.
* \param[in] nmkey where the shared secret key will be written.
* \param[in] buffer the encrypted buffer.
* \return 0 on success.
*/
static int
-dnscrypt_server_uncurve(const KeyPair *keypair,
+dnscrypt_server_uncurve(const dnsccert *cert,
uint8_t client_nonce[crypto_box_HALF_NONCEBYTES],
uint8_t nmkey[crypto_box_BEFORENMBYTES],
struct sldns_buffer* buffer)
@@ -62,25 +63,48 @@ dnscrypt_server_uncurve(const KeyPair *keypair,
query_header = (struct dnscrypt_query_header *)buf;
memcpy(nmkey, query_header->publickey, crypto_box_PUBLICKEYBYTES);
- if (crypto_box_beforenm(nmkey, nmkey, keypair->crypt_secretkey) != 0) {
+ if(cert->es_version[1] == 2) {
+#ifdef USE_DNSCRYPT_XCHACHA20
+ if (crypto_box_curve25519xchacha20poly1305_beforenm(
+ nmkey, nmkey, cert->keypair->crypt_secretkey) != 0) {
+ return -1;
+ }
+#else
return -1;
+#endif
+ } else {
+ if (crypto_box_beforenm(nmkey, nmkey, cert->keypair->crypt_secretkey) != 0) {
+ return -1;
+ }
}
memcpy(nonce, query_header->nonce, crypto_box_HALF_NONCEBYTES);
memset(nonce + crypto_box_HALF_NONCEBYTES, 0, crypto_box_HALF_NONCEBYTES);
- sldns_buffer_set_at(buffer,
- DNSCRYPT_QUERY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
- 0, crypto_box_BOXZEROBYTES);
-
- if (crypto_box_open_afternm
- (buf + DNSCRYPT_QUERY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
- buf + DNSCRYPT_QUERY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
- len - DNSCRYPT_QUERY_BOX_OFFSET + crypto_box_BOXZEROBYTES, nonce,
- nmkey) != 0) {
+ if(cert->es_version[1] == 2) {
+#ifdef USE_DNSCRYPT_XCHACHA20
+ if (crypto_box_curve25519xchacha20poly1305_open_easy_afternm
+ (buf,
+ buf + DNSCRYPT_QUERY_BOX_OFFSET,
+ len - DNSCRYPT_QUERY_BOX_OFFSET, nonce,
+ nmkey) != 0) {
+ return -1;
+ }
+#else
return -1;
+#endif
+ } else {
+ if (crypto_box_open_easy_afternm
+ (buf,
+ buf + DNSCRYPT_QUERY_BOX_OFFSET,
+ len - DNSCRYPT_QUERY_BOX_OFFSET, nonce,
+ nmkey) != 0) {
+ return -1;
+ }
}
+ len -= DNSCRYPT_QUERY_HEADER_SIZE;
+
while (*sldns_buffer_at(buffer, --len) == 0)
;
@@ -89,12 +113,9 @@ dnscrypt_server_uncurve(const KeyPair *keypair,
}
memcpy(client_nonce, nonce, crypto_box_HALF_NONCEBYTES);
- memmove(sldns_buffer_begin(buffer),
- sldns_buffer_at(buffer, DNSCRYPT_QUERY_HEADER_SIZE),
- len - DNSCRYPT_QUERY_HEADER_SIZE);
sldns_buffer_set_position(buffer, 0);
- sldns_buffer_set_limit(buffer, len - DNSCRYPT_QUERY_HEADER_SIZE);
+ sldns_buffer_set_limit(buffer, len);
return 0;
}
@@ -182,10 +203,10 @@ add_server_nonce(uint8_t *nonce)
}
/**
- * Encrypt a reply using the keypair that was used with the query.
+ * Encrypt a reply using the dnsccert that was used with the query.
* The client nonce will be extracted from the encrypted query and stored in
* The buffer will be encrypted inplace.
- * \param[in] keypair the keypair that matches this encrypted query.
+ * \param[in] cert the dnsccert that matches this encrypted query.
* \param[in] client_nonce client nonce used during the query
* \param[in] nmkey shared secret key used during the query.
* \param[in] buffer the buffer where to encrypt the reply.
@@ -194,7 +215,7 @@ add_server_nonce(uint8_t *nonce)
* \return 0 on success.
*/
static int
-dnscrypt_server_curve(const KeyPair *keypair,
+dnscrypt_server_curve(const dnsccert *cert,
uint8_t client_nonce[crypto_box_HALF_NONCEBYTES],
uint8_t nmkey[crypto_box_BEFORENMBYTES],
struct sldns_buffer* buffer,
@@ -223,7 +244,7 @@ dnscrypt_server_curve(const KeyPair *keypair,
memmove(boxed + crypto_box_MACBYTES, buf, len);
len = dnscrypt_pad(boxed + crypto_box_MACBYTES, len,
max_len - DNSCRYPT_REPLY_HEADER_SIZE, nonce,
- keypair->crypt_secretkey);
+ cert->keypair->crypt_secretkey);
sldns_buffer_set_at(buffer,
DNSCRYPT_REPLY_BOX_OFFSET - crypto_box_BOXZEROBYTES,
0, crypto_box_ZEROBYTES);
@@ -231,10 +252,20 @@ dnscrypt_server_curve(const KeyPair *keypair,
// add server nonce extension
add_server_nonce(nonce);
- if (crypto_box_afternm
- (boxed - crypto_box_BOXZEROBYTES, boxed - crypto_box_BOXZEROBYTES,
- len + crypto_box_ZEROBYTES, nonce, nmkey) != 0) {
+ if(cert->es_version[1] == 2) {
+#ifdef USE_DNSCRYPT_XCHACHA20
+ if (crypto_box_curve25519xchacha20poly1305_easy_afternm
+ (boxed, boxed + crypto_box_MACBYTES, len, nonce, nmkey) != 0) {
+ return -1;
+ }
+#else
return -1;
+#endif
+ } else {
+ if (crypto_box_easy_afternm
+ (boxed, boxed + crypto_box_MACBYTES, len, nonce, nmkey) != 0) {
+ return -1;
+ }
}
sldns_buffer_write_at(buffer, 0, DNSCRYPT_MAGIC_RESPONSE, DNSCRYPT_MAGIC_HEADER_LEN);
@@ -267,6 +298,25 @@ dnsc_read_from_file(char *fname, char *buf, size_t count)
}
/**
+ * Given an absolute path on the original root, returns the absolute path
+ * within the chroot. If chroot is disabled, the path is not modified.
+ * No char * is malloced so there is no need to free this.
+ * \param[in] cfg the configuration.
+ * \param[in] path the path from the original root.
+ * \return the path from inside the chroot.
+ */
+static char *
+dnsc_chroot_path(struct config_file *cfg, char *path)
+{
+ char *nm;
+ nm = path;
+ if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(nm,
+ cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
+ nm += strlen(cfg->chrootdir);
+ return nm;
+}
+
+/**
* Parse certificates files provided by the configuration and load them into
* dnsc_env.
* \param[in] env the dnsc_env structure to load the certs into.
@@ -278,6 +328,7 @@ dnsc_parse_certs(struct dnsc_env *env, struct config_file *cfg)
{
struct config_strlist *head;
size_t signed_cert_id;
+ char *nm;
env->signed_certs_count = 0U;
for (head = cfg->dnscrypt_provider_cert; head; head = head->next) {
@@ -288,8 +339,9 @@ dnsc_parse_certs(struct dnsc_env *env, struct config_file *cfg)
signed_cert_id = 0U;
for(head = cfg->dnscrypt_provider_cert; head; head = head->next, signed_cert_id++) {
+ nm = dnsc_chroot_path(cfg, head->str);
if(dnsc_read_from_file(
- head->str,
+ nm,
(char *)(env->signed_certs + signed_cert_id),
sizeof(struct SignedCert)) != 0) {
fatal_exit("dnsc_parse_certs: failed to load %s: %s", head->str, strerror(errno));
@@ -326,16 +378,17 @@ dnsc_key_to_fingerprint(char fingerprint[80U], const uint8_t * const key)
}
/**
- * Find the keypair matching a DNSCrypt query.
- * \param[in] dnscenv The DNSCrypt enviroment, which contains the list of keys
+ * Find the cert matching a DNSCrypt query.
+ * \param[in] dnscenv The DNSCrypt enviroment, which contains the list of certs
* supported by the server.
* \param[in] buffer The encrypted DNS query.
- * \return a KeyPair * if we found a key pair matching the query, NULL otherwise.
+ * \return a dnsccert * if we found a cert matching the magic_number of the
+ * query, NULL otherwise.
*/
-static const KeyPair *
-dnsc_find_keypair(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
+static const dnsccert *
+dnsc_find_cert(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
{
- const KeyPair *keypairs = dnscenv->keypairs;
+ const dnsccert *certs = dnscenv->certs;
struct dnscrypt_query_header *dnscrypt_header;
size_t i;
@@ -343,10 +396,10 @@ dnsc_find_keypair(struct dnsc_env* dnscenv, struct sldns_buffer* buffer)
return NULL;
}
dnscrypt_header = (struct dnscrypt_query_header *)sldns_buffer_begin(buffer);
- for (i = 0U; i < dnscenv->keypairs_count; i++) {
- if (memcmp(keypairs[i].crypt_publickey, dnscrypt_header->magic_query,
+ for (i = 0U; i < dnscenv->signed_certs_count; i++) {
+ if (memcmp(certs[i].magic_query, dnscrypt_header->magic_query,
DNSCRYPT_MAGIC_HEADER_LEN) == 0) {
- return &keypairs[i];
+ return &certs[i];
}
}
return NULL;
@@ -404,9 +457,33 @@ dnsc_load_local_data(struct dnsc_env* dnscenv, struct config_file *cfg)
return dnscenv->signed_certs_count;
}
+static const char *
+key_get_es_version(uint8_t version[2])
+{
+ struct es_version {
+ uint8_t es_version[2];
+ const char *name;
+ };
+
+ struct es_version es_versions[] = {
+ {{0x00, 0x01}, "X25519-XSalsa20Poly1305"},
+ {{0x00, 0x02}, "X25519-XChacha20Poly1305"},
+ };
+ int i;
+ for(i=0; i < (int)sizeof(es_versions); i++){
+ if(es_versions[i].es_version[0] == version[0] &&
+ es_versions[i].es_version[1] == version[1]){
+ return es_versions[i].name;
+ }
+ }
+ return NULL;
+}
+
+
/**
* Parse the secret key files from `dnscrypt-secret-key` config and populates
- * a list of secret/public keys supported by dnscrypt listener.
+ * a list of dnsccert with es_version, magic number and secret/public keys
+ * supported by dnscrypt listener.
* \param[in] env The dnsc_env structure which will hold the keypairs.
* \param[in] cfg The config with the secret key file paths.
*/
@@ -414,33 +491,76 @@ static int
dnsc_parse_keys(struct dnsc_env *env, struct config_file *cfg)
{
struct config_strlist *head;
- size_t keypair_id;
+ size_t cert_id, keypair_id;
+ size_t c;
+ char *nm;
env->keypairs_count = 0U;
for (head = cfg->dnscrypt_secret_key; head; head = head->next) {
env->keypairs_count++;
}
+
env->keypairs = sodium_allocarray(env->keypairs_count,
- sizeof *env->keypairs);
+ sizeof *env->keypairs);
+ env->certs = sodium_allocarray(env->signed_certs_count,
+ sizeof *env->certs);
+ cert_id = 0U;
keypair_id = 0U;
for(head = cfg->dnscrypt_secret_key; head; head = head->next, keypair_id++) {
char fingerprint[80];
+ int found_cert = 0;
+ KeyPair *current_keypair = &env->keypairs[keypair_id];
+ nm = dnsc_chroot_path(cfg, head->str);
if(dnsc_read_from_file(
- head->str,
- (char *)(env->keypairs[keypair_id].crypt_secretkey),
+ nm,
+ (char *)(current_keypair->crypt_secretkey),
crypto_box_SECRETKEYBYTES) != 0) {
fatal_exit("dnsc_parse_keys: failed to load %s: %s", head->str, strerror(errno));
}
verbose(VERB_OPS, "Loaded key %s", head->str);
- if (crypto_scalarmult_base(env->keypairs[keypair_id].crypt_publickey,
- env->keypairs[keypair_id].crypt_secretkey) != 0) {
+ if (crypto_scalarmult_base(current_keypair->crypt_publickey,
+ current_keypair->crypt_secretkey) != 0) {
fatal_exit("dnsc_parse_keys: could not generate public key from %s", head->str);
}
- dnsc_key_to_fingerprint(fingerprint, env->keypairs[keypair_id].crypt_publickey);
+ dnsc_key_to_fingerprint(fingerprint, current_keypair->crypt_publickey);
verbose(VERB_OPS, "Crypt public key fingerprint for %s: %s", head->str, fingerprint);
+ // find the cert matching this key
+ for(c = 0; c < env->signed_certs_count; c++) {
+ if(memcmp(current_keypair->crypt_publickey,
+ env->signed_certs[c].server_publickey,
+ crypto_box_PUBLICKEYBYTES) == 0) {
+ dnsccert *current_cert = &env->certs[cert_id++];
+ found_cert = 1;
+ current_cert->keypair = current_keypair;
+ memcpy(current_cert->magic_query,
+ env->signed_certs[c].magic_query,
+ sizeof env->signed_certs[c].magic_query);
+ memcpy(current_cert->es_version,
+ env->signed_certs[c].version_major,
+ sizeof env->signed_certs[c].version_major
+ );
+ dnsc_key_to_fingerprint(fingerprint,
+ current_cert->keypair->crypt_publickey);
+ verbose(VERB_OPS, "Crypt public key fingerprint for %s: %s",
+ head->str, fingerprint);
+ verbose(VERB_OPS, "Using %s",
+ key_get_es_version(current_cert->es_version));
+#ifndef USE_DNSCRYPT_XCHACHA20
+ if (current_cert->es_version[1] == 0x02) {
+ fatal_exit("Certificate for XChacha20 but libsodium does not support it.");
+ }
+#endif
+
+ }
+ }
+ if (!found_cert) {
+ fatal_exit("dnsc_parse_keys: could not match certificate for key "
+ "%s. Unable to determine ES version.",
+ head->str);
+ }
}
- return keypair_id;
+ return cert_id;
}
@@ -463,8 +583,8 @@ dnsc_handle_curved_request(struct dnsc_env* dnscenv,
// Attempt to decrypt the query. If it is not crypted, we may still need
// to serve the certificate.
verbose(VERB_ALGO, "handle request called on DNSCrypt socket");
- if ((repinfo->keypair = dnsc_find_keypair(dnscenv, c->buffer)) != NULL) {
- if(dnscrypt_server_uncurve(repinfo->keypair,
+ if ((repinfo->dnsc_cert = dnsc_find_cert(dnscenv, c->buffer)) != NULL) {
+ if(dnscrypt_server_uncurve(repinfo->dnsc_cert,
repinfo->client_nonce,
repinfo->nmkey,
c->buffer) != 0){
@@ -488,7 +608,7 @@ dnsc_handle_uncurved_request(struct comm_reply *repinfo)
if(!repinfo->is_dnscrypted) {
return 1;
}
- if(dnscrypt_server_curve(repinfo->keypair,
+ if(dnscrypt_server_curve(repinfo->dnsc_cert,
repinfo->client_nonce,
repinfo->nmkey,
repinfo->c->dnscrypt_buffer,
diff --git a/dnscrypt/dnscrypt.h b/dnscrypt/dnscrypt.h
index dac611b056f8..26c2bb21d6b6 100644
--- a/dnscrypt/dnscrypt.h
+++ b/dnscrypt/dnscrypt.h
@@ -44,8 +44,15 @@ typedef struct KeyPair_ {
uint8_t crypt_secretkey[crypto_box_SECRETKEYBYTES];
} KeyPair;
+typedef struct cert_ {
+ uint8_t magic_query[DNSCRYPT_MAGIC_HEADER_LEN];
+ uint8_t es_version[2];
+ KeyPair *keypair;
+} dnsccert;
+
struct dnsc_env {
struct SignedCert *signed_certs;
+ dnsccert *certs;
size_t signed_certs_count;
uint8_t provider_publickey[crypto_sign_ed25519_PUBLICKEYBYTES];
uint8_t provider_secretkey[crypto_sign_ed25519_SECRETKEYBYTES];
diff --git a/dnscrypt/dnscrypt.m4 b/dnscrypt/dnscrypt.m4
index 077d2822174f..7193519fcf03 100644
--- a/dnscrypt/dnscrypt.m4
+++ b/dnscrypt/dnscrypt.m4
@@ -18,8 +18,19 @@ AC_DEFUN([dnsc_DNSCRYPT],
])
AC_SEARCH_LIBS([sodium_init], [sodium], [],
AC_MSG_ERROR([The sodium library was not found. Please install sodium!]))
+ AC_SEARCH_LIBS([crypto_box_curve25519xchacha20poly1305_beforenm], [sodium],
+ [
+ AC_SUBST([ENABLE_DNSCRYPT_XCHACHA20], [1])
+ AC_DEFINE(
+ [USE_DNSCRYPT_XCHACHA20], [1],
+ [Define to 1 to enable dnscrypt with xchacha20 support])
+ ],
+ [
+ AC_SUBST([ENABLE_DNSCRYPT_XCHACHA20], [0])
+ ])
$1
else
+ AC_SUBST([ENABLE_DNSCRYPT_XCHACHA20], [0])
$2
fi
])
diff --git a/doc/Changelog b/doc/Changelog
index 8f8d6daeacea..24a4f97e9a94 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,12 +1,198 @@
+22 June 2017: Wouter
+ - Tag 1.6.4rc2
+
+22 June 2017: Ralph
+ - Added fastrpz patch to contrib
+
+21 June 2017: Wouter
+ - Fix #1316: heap read buffer overflow in parse_edns_options.
+
+20 June 2017: Wouter
+ - Fix warning in pythonmod under clang compiler.
+ - Tag 1.6.4rc1
+ - Fix lintian typo.
+
+16 June 2017: Ralph
+ - Fix #1277: disable domain ratelimit by setting value to 0.
+
+16 June 2017: Wouter
+ - Fix #1301: memory leak in respip and tests.
+ - Free callback in edns-subnetmod on exit and restart.
+ - Fix memory leak in sldns_buffer_new_frm_data.
+ - Fix memory leak in dnscrypt config read.
+ - Fix dnscrypt chacha cert support ifdefs.
+ - Fix dnscrypt chacha cert unit test escapes in grep.
+ - Remove asynclook tests that cause test and purifier problems.
+ - Fix to unlock view in view test.
+
+15 June 2017: Wouter
+ - Fix stub zone queries leaking to the internet for
+ harden-referral-path ns checks.
+ - Fix query for refetch_glue of stub leaking to internet.
+
13 June 2017: Wouter
+ - Fix #1279: Memory leak on reload when python module is enabled.
- Fix #1280: Unbound fails assert when response from authoritative
contains malformed qname. When 0x20 caps-for-id is enabled, when
assertions are not enabled the malformed qname is handled correctly.
- - tag for 1.6.3
+ - 1.6.3 tag created, with only #1280 fix, trunk is 1.6.4 development.
+ - More fixes in depth for buffer checks in 0x20 qname checks.
+
+12 June 2017: Wouter
+ - Fix #1278: Incomplete wildcard proof.
+
+8 June 2017: Ralph
+ - Added domain name based ECS whitelist.
+
+8 June 2017: Wouter
+ - Detect chacha for dnscrypt at configure time.
+ - dnscrypt unit tests with chacha.
+
+7 June 2017: Wouter
+ - Fix that unbound-control can set val_clean_additional and val_permissive_mode.
+ - Add dnscrypt XChaCha20 tests.
+
+6 June 2017: Wouter
+ - Add an explicit type cast for TCP FASTOPEN fix.
+ - renumbering B-Root's IPv6 address to 2001:500:200::b.
+ - Fix #1275: cached data in cachedb is never used.
+ - Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
+
+1 June 2017: Ralph
+ - Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
+ (from Manu Bretelle).
+
+1 June 2017: Wouter
+ - Fix fastopen EPIPE fallthrough to perform connect.
+
+31 May 2017: Ralph
+ - Also use global local-zones when there is a matching view that does
+ not have any local-zone specified.
+
+31 May 2017: Wouter
+ - Fix #1273: cachedb.c doesn't compile with -Wextra.
+ - If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
+
+30 May 2017: Ralph
+ - Fix #1269: inconsistent use of built-in local zones with views.
+ - Add defaults for new local-zone trees added to views using
+ unbound-control.
+
+30 May 2017: Wouter
+ - Support for openssl EVP_DigestVerify.
+ - Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
+
+29 May 2017: Wouter
+ - Fix assertion for low buffer size and big edns payload when worker
+ overrides udpsize.
+
+26 May 2017: Ralph
+ - Added redirect-bogus.patch to contrib directory.
+
+26 May 2017: Wouter
+ - Fix #1270: unitauth.c doesn't compile with higher warning level
+ and optimization
+ - exec_prefix is by default equal to prefix.
+ - printout localzone for duplicate local-zone warnings.
+
+24 May 2017: Wouter
+ - authzone cname chain, no rrset duplicates, wildcard doesn't change
+ rrsets added for cname chain.
+
+23 May 2017: Wouter
+ - first services/authzone check in, it compiles and reads and writes
+ zonefiles.
+ - iana portlist update
+
+22 May 2017: Wouter
+ - Fix #1268: SIGSEGV after log_reopen.
+
+18 May 2017: Wouter
+ - Fix #1265 to use /bin/kill.
+ - Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
+ and compatibility with BoringSSL.
+
+17 May 2017: Wouter
+ - Fix #1265: contrib/unbound.service contains hardcoded path.
+
+17 May 2017: George
+ - Use qstate's region for IPSECKEY rrset (ipsecmod).
+
+16 May 2017: George
+ - Implemented opportunistic IPsec support module (ipsecmod).
+ - Some whitespace fixup.
+
+16 May 2017: Wouter
+ - updated dependencies in the makefile.
+ - document trust-anchor-signaling in example config file.
+ - updated configure, dependencies and flex output.
+ - better module memory lookup, fix of unbound-control shm names for
+ module memory printout of statistics.
+ - Fix type AVC sldns rrdef.
+
+12 May 2017: Wouter
+ - Adjust servfail by iterator to not store in cache when serve-expired
+ is enabled, to avoid overwriting useful information there.
+ - Fix queries for nameservers under a stub leaking to the internet.
+
+9 May 2017: Ralph
+ - Add 'c' to getopt() in testbound.
+ - iana portlist update
+
+8 May 2017: Wouter
+ - Fix tcp-mss failure printout text.
+ - Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
+ connect limited tcp connections. With the option tcp connections
+ can share the same source port (for different destinations).
+
+2 May 2017: Ralph
+ - Added mesh_add_sub to add detached mesh entries.
+ - Use mesh_add_sub for key tag signaling query.
+
+2 May 2017: Wouter
+ - Added test for leak of stub information.
+ - Fix sldns wire2str printout of RR type CAA tags.
+ - Fix sldns int16_data parse.
+ - Fix sldns parse and printout of TSIG RRs.
+ - sldns SMIMEA and AVC definitions, same as getdns definitions.
+
+1 May 2017: Wouter
+ - Fix #1259: "--disable-ecdsa" argument overwritten
+ by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
+ - iana portlist update
+ - Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
+ and fix that 64bit getting installed in C:\Program Files (x86).
+
+26 April 2017: Ralph
+ - Implemented trust anchor signaling using key tag query.
+
+26 April 2017: Wouter
+ - Based on #1257: check parse limit before t increment in sldns RR
+ string parse routine.
+
+24 April 2017: Wouter
+ - unbound-checkconf -o allows query of dnstap config variables.
+ Also unbound-control get_option. Also for dnscrypt.
+ - trunk contains 1.6.3 version number (changes from 1.6.2 back from
+ when the 1.6.2rc1 tag has been created).
+
+21 April 2017: Ralph
+ - Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
+ - iana portlist update
+
+18 April 2017: Ralph
+ - Fix #1252: more indentation inconsistencies.
+ - Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
+
+13 April 2017: Ralph
+ - Added ECS unit test (from Manu Bretelle).
+ - ECS documentation fix (from Manu Bretelle).
13 April 2017: Wouter
- Fix #1250: inconsistent indentation in services/listen_dnsport.c.
- tag for 1.6.2rc1
+ - (for 1.6.3:) unbound.h exports the shm stats structures. They use
+ type long long and no ifdefs, and ub_ before the typenames.
12 April 2017: Wouter
- subnet mem value is available in shm, also when not enabled,
@@ -243,7 +429,7 @@
- Fix #1184: Log DNS replies. This includes the same logging
information that DNS queries and response code and response size,
patch from Larissa Feng.
- - Fix #1185: Source IP rate limiting, patch from Larissa Feng.
+ - Fix #1187: Source IP rate limiting, patch from Larissa Feng.
3 January 2017: Wouter
- configure --enable-systemd and lets unbound use systemd sockets if
diff --git a/doc/README b/doc/README
index 558a48071e2a..0e4a1535ed14 100644
--- a/doc/README
+++ b/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.6.3
+README for Unbound 1.6.4
Copyright 2007 NLnet Labs
http://unbound.net
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 3411d7edbdd6..539602953beb 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.6.3.
+# See unbound.conf(5) man page, version 1.6.4.
#
# this is a comment.
@@ -448,6 +448,9 @@ server:
# and under the terms of our LICENSE (see that file in the source).
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
+ # trust anchor signaling sends a RFC8145 key tag query after priming.
+ # trust-anchor-signaling: no
+
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
# DLV is going to be decommissioned. Please do not use it any more.
@@ -698,6 +701,34 @@ server:
# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
# ip-ratelimit-factor: 10
+ # Specific options for ipsecmod. unbound needs to be configured with
+ # --enable-ipsecmod for these to take effect.
+ #
+ # Enable or disable ipsecmod (it still needs to be defined in
+ # module-config above). Can be used when ipsecmod needs to be
+ # enabled/disabled via remote-control(below).
+ # ipsecmod-enabled: yes
+ #
+ # Path to executable external hook. It must be defined when ipsecmod is
+ # listed in module-config (above).
+ # ipsecmod-hook: "./my_executable"
+ #
+ # When enabled unbound will reply with SERVFAIL if the return value of
+ # the ipsecmod-hook is not 0.
+ # ipsecmod-strict: no
+ #
+ # Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY.
+ # ipsecmod-max-ttl: 3600
+ #
+ # Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for
+ # testing.
+ # ipsecmod-ignore-bogus: no
+ #
+ # Domains for which ipsecmod will be triggered. If not defined (default)
+ # all domains are treated as being whitelisted.
+ # ipsecmod-whitelist: "example.com"
+ # ipsecmod-whitelist: "nlnetlabs.nl"
+
# Python config section. To enable:
# o use --with-pythonmodule to configure before compiling.
diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in
index 70ed5c2d4e74..bcd79ffcaff4 100644
--- a/doc/libunbound.3.in
+++ b/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "libunbound" "3" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@@ -43,7 +43,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.6.3 functions.
+\- Unbound DNS validating resolver 1.6.4 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
index f96a9e6c291d..8d041c01d19f 100644
--- a/doc/unbound-anchor.8.in
+++ b/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound-anchor" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in
index 523784b5c4b8..c9f4502cf6ed 100644
--- a/doc/unbound-checkconf.8.in
+++ b/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound-checkconf" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
index 47d2a4861a23..98be38c44137 100644
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound-control" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in
index 1d698e16d93e..db51410c428f 100644
--- a/doc/unbound-host.1.in
+++ b/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound\-host" "1" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
diff --git a/doc/unbound.8.in b/doc/unbound.8.in
index cca759b622b5..8555937c1be9 100644
--- a/doc/unbound.8.in
+++ b/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound" "8" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound.8 -- unbound manual
.\"
@@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
-\- Unbound DNS validating resolver 1.6.3.
+\- Unbound DNS validating resolver 1.6.4.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index b2c76ac9575c..6b6e6d974bc8 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Jun 13, 2017" "NLnet Labs" "unbound 1.6.3"
+.TH "unbound.conf" "5" "Jun 27, 2017" "NLnet Labs" "unbound 1.6.4"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -16,13 +16,14 @@
.B unbound.conf
is used to configure
\fIunbound\fR(8).
-The file format has attributes and values. Some attributes have attributes inside them.
+The file format has attributes and values. Some attributes have attributes
+inside them.
The notation is: attribute: value.
.P
Comments start with # and last to the end of line. Empty lines are
ignored as is whitespace at the beginning of a line.
.P
-The utility
+The utility
\fIunbound\-checkconf\fR(8)
can be used to check unbound.conf prior to usage.
.SH "EXAMPLE"
@@ -30,7 +31,7 @@ An example config file is shown below. Copy this to /etc/unbound/unbound.conf
and start the server with:
.P
.nf
- $ unbound \-c /etc/unbound/unbound.conf
+ $ unbound \-c /etc/unbound/unbound.conf
.fi
.P
Most settings are the defaults. Stop the server with:
@@ -62,8 +63,8 @@ server:
access\-control: 2001:DB8::/64 allow
.fi
.SH "FILE FORMAT"
-There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute
-is followed by its containing attributes, or a value.
+There must be whitespace between keywords. Attribute keywords end with a colon ':'.
+An attribute is followed by its containing attributes, or a value.
.P
Files can be included using the
.B include:
@@ -71,7 +72,7 @@ directive. It can appear anywhere, it accepts a single file name as argument.
Processing continues as if the text from the included file was copied into
the config file at that point. If also using chroot, using full path names
for the included files works, relative pathnames for the included names work
-if the directory where the daemon is started equals its chroot/working
+if the directory where the daemon is started equals its chroot/working
directory or is specified before the include statement with directory: dir.
Wildcards can be used to include multiple files, see \fIglob\fR(7).
.SS "Server Options"
@@ -80,17 +81,17 @@ These options are part of the
clause.
.TP
.B verbosity: \fI<number>
-The verbosity number, level 0 means no verbosity, only errors. Level 1
+The verbosity number, level 0 means no verbosity, only errors. Level 1
gives operational information. Level 2 gives detailed operational
-information. Level 3 gives query level information, output per query.
-Level 4 gives algorithm level information. Level 5 logs client
-identification for cache misses. Default is level 1.
+information. Level 3 gives query level information, output per query.
+Level 4 gives algorithm level information. Level 5 logs client
+identification for cache misses. Default is level 1.
The verbosity can also be increased from the commandline, see \fIunbound\fR(8).
.TP
.B statistics\-interval: \fI<seconds>
The number of seconds between printing statistics to the log for every thread.
Disable with value 0 or "". Default is disabled. The histogram statistics
-are only printed if replies were sent during the statistics interval,
+are only printed if replies were sent during the statistics interval,
requestlist statistics are printed for every interval (but can be 0).
This is because the median calculation requires data to be present.
.TP
@@ -99,7 +100,7 @@ If enabled, statistics are cumulative since starting unbound, without clearing
the statistics counters after logging the statistics. Default is no.
.TP
.B extended\-statistics: \fI<yes or no>
-If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
+If enabled, extended statistics are printed from \fIunbound\-control\fR(8).
Default is off, because keeping track of more statistics takes time. The
counters are listed in \fIunbound\-control\fR(8).
.TP
@@ -112,7 +113,7 @@ The port number, default 53, on which the server responds to queries.
.B interface: \fI<ip address[@port]>
Interface to use to connect to the network. This interface is listened to
for queries from clients, and answers to clients are given from it.
-Can be given multiple times to work on several interfaces. If none are
+Can be given multiple times to work on several interfaces. If none are
given the default is to listen to localhost.
The interfaces are not changed on a reload (kill \-HUP) but only on restart.
A port number can be specified with @port (without spaces between
@@ -123,19 +124,19 @@ interface and port number), if not specified the default port (from
Same as interface: (for easy of compatibility with nsd.conf).
.TP
.B interface\-automatic: \fI<yes or no>
-Detect source interface on UDP queries and copy them to replies. This
+Detect source interface on UDP queries and copy them to replies. This
feature is experimental, and needs support in your OS for particular socket
options. Default value is no.
.TP
.B outgoing\-interface: \fI<ip address or ip6 netblock>
Interface to use to connect to the network. This interface is used to send
-queries to authoritative servers and receive their replies. Can be given
-multiple times to work on several interfaces. If none are given the
-default (all) is used. You can specify the same interfaces in
+queries to authoritative servers and receive their replies. Can be given
+multiple times to work on several interfaces. If none are given the
+default (all) is used. You can specify the same interfaces in
.B interface:
and
.B outgoing\-interface:
-lines, the interfaces are then used for both purposes. Outgoing queries are
+lines, the interfaces are then used for both purposes. Outgoing queries are
sent via a random outgoing interface to counter spoofing.
.IP
If an IPv6 netblock is specified instead of an individual IPv6 address,
@@ -155,26 +156,26 @@ ip \-6 addr add mynetblock/64 dev lo &&
ip \-6 route add local mynetblock/64 dev lo
.TP
.B outgoing\-range: \fI<number>
-Number of ports to open. This number of file descriptors can be opened per
-thread. Must be at least 1. Default depends on compile options. Larger
+Number of ports to open. This number of file descriptors can be opened per
+thread. Must be at least 1. Default depends on compile options. Larger
numbers need extra resources from the operating system. For performance a
very large value is best, use libevent to make this possible.
.TP
.B outgoing\-port\-permit: \fI<port number or range>
Permit unbound to open this port or range of ports for use to send queries.
A larger number of permitted outgoing ports increases resilience against
-spoofing attempts. Make sure these ports are not needed by other daemons.
+spoofing attempts. Make sure these ports are not needed by other daemons.
By default only ports above 1024 that have not been assigned by IANA are used.
Give a port number or a range of the form "low\-high", without spaces.
.IP
-The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
-are processed in the line order of the config file, adding the permitted ports
-and subtracting the avoided ports from the set of allowed ports. The
-processing starts with the non IANA allocated ports above 1024 in the set
+The \fBoutgoing\-port\-permit\fR and \fBoutgoing\-port\-avoid\fR statements
+are processed in the line order of the config file, adding the permitted ports
+and subtracting the avoided ports from the set of allowed ports. The
+processing starts with the non IANA allocated ports above 1024 in the set
of allowed ports.
.TP
.B outgoing\-port\-avoid: \fI<port number or range>
-Do not permit unbound to open this port or range of ports for use to send
+Do not permit unbound to open this port or range of ports for use to send
queries. Use this to make sure unbound does not grab a port that another
daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6.
By default only ports above 1024 that have not been assigned by IANA are used.
@@ -204,13 +205,13 @@ consider tuning the outgoing tcp number).
.B max\-udp\-size: \fI<number>
Maximum UDP response size (not applied to TCP response). 65536 disables the
udp response size maximum, and uses the choice from the client, always.
-Suggested values are 512 to 4096. Default is 4096.
+Suggested values are 512 to 4096. Default is 4096.
.TP
.B msg\-buffer\-size: \fI<number>
Number of bytes size of the message buffers. Default is 65552 bytes, enough
for 64 Kb packets, the maximum DNS message size. No message larger than this
can be sent or received. Can be reduced to use less memory, but some requests
-for DNS data, such as for huge resource records, will result in a SERVFAIL
+for DNS data, such as for huge resource records, will result in a SERVFAIL
reply to the client.
.TP
.B msg\-cache\-size: \fI<number>
@@ -220,7 +221,7 @@ or gigabytes (1024*1024 bytes in a megabyte).
.TP
.B msg\-cache\-slabs: \fI<number>
Number of slabs in the message cache. Slabs reduce lock contention by threads.
-Must be set to a power of 2. Setting (close) to the number of cpus is a
+Must be set to a power of 2. Setting (close) to the number of cpus is a
reasonable guess.
.TP
.B num\-queries\-per\-thread: \fI<number>
@@ -232,12 +233,12 @@ the existing queries. Default depends on compile options, 512 or 1024.
.TP
.B jostle\-timeout: \fI<msec>
Timeout used when the server is very busy. Set to a value that usually
-results in one roundtrip to the authority servers. If too many queries
+results in one roundtrip to the authority servers. If too many queries
arrive, then 50% of the queries are allowed to run to completion, and
-the other 50% are replaced with the new incoming query if they have already
-spent more than their allowed time. This protects against denial of
+the other 50% are replaced with the new incoming query if they have already
+spent more than their allowed time. This protects against denial of
service by slow queries or high query rates. Default 200 milliseconds.
-The effect is that the qps for long-lasting queries is about
+The effect is that the qps for long-lasting queries is about
(numqueriesperthread / 2) / (average time for such long queries) qps.
The qps for short queries can be about (numqueriesperthread / 2)
/ (jostletimeout in whole seconds) qps per thread, about (1024/2)*5 = 2560
@@ -308,12 +309,12 @@ or gigabytes (1024*1024 bytes in a megabyte).
.TP
.B rrset\-cache\-slabs: \fI<number>
Number of slabs in the RRset cache. Slabs reduce lock contention by threads.
-Must be set to a power of 2.
+Must be set to a power of 2.
.TP
.B cache\-max\-ttl: \fI<seconds>
-Time to live maximum for RRsets and messages in the cache. Default is
-86400 seconds (1 day). If the maximum kicks in, responses to clients
-still get decrementing TTLs based on the original (larger) values.
+Time to live maximum for RRsets and messages in the cache. Default is
+86400 seconds (1 day). If the maximum kicks in, responses to clients
+still get decrementing TTLs based on the original (larger) values.
When the internal TTL expires, the cache item has expired.
Can be set lower to force the resolver to query for data often, and not
trust (very large) TTL values.
@@ -323,7 +324,7 @@ Time to live minimum for RRsets and messages in the cache. Default is 0.
If the minimum kicks in, the data is cached for longer than the domain
owner intended, and thus less queries are made to look up the data.
Zero makes sure the data in the cache is as the domain owner intended,
-higher values, especially more than an hour or so, can lead to trouble as
+higher values, especially more than an hour or so, can lead to trouble as
the data in the cache does not match up with the actual data any more.
.TP
.B cache\-max\-negative\-ttl: \fI<seconds>
@@ -331,12 +332,12 @@ Time to live maximum for negative responses, these have a SOA in the
authority section that is limited in time. Default is 3600.
.TP
.B infra\-host\-ttl: \fI<seconds>
-Time to live for entries in the host cache. The host cache contains
+Time to live for entries in the host cache. The host cache contains
roundtrip timing, lameness and EDNS support information. Default is 900.
.TP
.B infra\-cache\-slabs: \fI<number>
-Number of slabs in the infrastructure cache. Slabs reduce lock contention
-by threads. Must be set to a power of 2.
+Number of slabs in the infrastructure cache. Slabs reduce lock contention
+by threads. Must be set to a power of 2.
.TP
.B infra\-cache\-numhosts: \fI<number>
Number of hosts for which information is cached. Default is 10000.
@@ -372,7 +373,7 @@ Enable or disable whether TCP queries are answered or issued. Default is yes.
.TP
.B tcp\-mss: \fI<number>
Maximum segment size (MSS) of TCP socket on which the server responds
-to queries. Value lower than common MSS on Ethernet
+to queries. Value lower than common MSS on Ethernet
(1220 for example) will address path MTU problem.
Note that not all platform supports socket option to set MSS (TCP_MAXSEG).
Default is system default MSS determined by interface MTU and
@@ -393,7 +394,8 @@ Default is no. Useful in tunneling scenarios.
.B ssl\-upstream: \fI<yes or no>
Enabled or disable whether the upstream queries use SSL only for transport.
Default is no. Useful in tunneling scenarios. The SSL contains plain DNS in
-TCP wireformat. The other server must support this (see \fBssl\-service\-key\fR).
+TCP wireformat. The other server must support this (see
+\fBssl\-service\-key\fR).
.TP
.B ssl\-service-key: \fI<file>
If enabled, the server provider SSL service on its TCP sockets. The clients
@@ -423,37 +425,37 @@ a daemon. Set the value to \fIno\fR when unbound runs as systemd service.
Default is yes.
.TP
.B access\-control: \fI<IP netblock> <action>
-The netblock is given as an IP4 or IP6 address with /size appended for a
-classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
+The netblock is given as an IP4 or IP6 address with /size appended for a
+classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
The most specific netblock match is used, if none match \fIdeny\fR is used.
.IP
The action \fIdeny\fR stops queries from hosts from that netblock.
.IP
-The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
+The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
error message back.
.IP
-The action \fIallow\fR gives access to clients from that netblock.
-It gives only access for recursion clients (which is
+The action \fIallow\fR gives access to clients from that netblock.
+It gives only access for recursion clients (which is
what almost all clients need). Nonrecursive queries are refused.
.IP
-The \fIallow\fR action does allow nonrecursive queries to access the
+The \fIallow\fR action does allow nonrecursive queries to access the
local\-data that is configured. The reason is that this does not involve
-the unbound server recursive lookup algorithm, and static data is served
-in the reply. This supports normal operations where nonrecursive queries
-are made for the authoritative data. For nonrecursive queries any replies
+the unbound server recursive lookup algorithm, and static data is served
+in the reply. This supports normal operations where nonrecursive queries
+are made for the authoritative data. For nonrecursive queries any replies
from the dynamic cache are refused.
.IP
-The action \fIallow_snoop\fR gives nonrecursive access too. This give
-both recursive and non recursive access. The name \fIallow_snoop\fR refers
+The action \fIallow_snoop\fR gives nonrecursive access too. This give
+both recursive and non recursive access. The name \fIallow_snoop\fR refers
to cache snooping, a technique to use nonrecursive queries to examine
-the cache contents (for malicious acts). However, nonrecursive queries can
-also be a valuable debugging tool (when you want to examine the cache
+the cache contents (for malicious acts). However, nonrecursive queries can
+also be a valuable debugging tool (when you want to examine the cache
contents). In that case use \fIallow_snoop\fR for your administration host.
.IP
By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
-The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
-protocol is not designed to handle dropped packets due to policy, and
+The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
+protocol is not designed to handle dropped packets due to policy, and
dropping may result in (possibly excessive) retried queries.
.IP
The deny_non_local and refuse_non_local settings are for hosts that are
@@ -485,8 +487,8 @@ Set view for given access control element.
.B chroot: \fI<directory>
If chroot is enabled, you should pass the configfile (from the
commandline) as a full path from the original root. After the
-chroot has been performed the now defunct portion of the config
-file path is removed to be able to reread the config after a reload.
+chroot has been performed the now defunct portion of the config
+file path is removed to be able to reread the config after a reload.
.IP
All other file paths (working dir, logfile, roothints, and
key files) can be specified in several ways:
@@ -497,22 +499,22 @@ In the last case the path is adjusted to remove the unused portion.
.IP
The pidfile can be either a relative path to the working directory, or
an absolute path relative to the original root. It is written just prior
-to chroot and dropping permissions. This allows the pidfile to be
+to chroot and dropping permissions. This allows the pidfile to be
/var/run/unbound.pid and the chroot to be /var/unbound, for example.
.IP
Additionally, unbound may need to access /dev/random (for entropy)
from inside the chroot.
.IP
-If given a chroot is done to the given directory. The default is
+If given a chroot is done to the given directory. The default is
"@UNBOUND_CHROOT_DIR@". If you give "" no chroot is performed.
.TP
.B username: \fI<name>
If given, after binding the port the user privileges are dropped. Default is
-"@UNBOUND_USERNAME@". If you give username: "" no user change is performed.
+"@UNBOUND_USERNAME@". If you give username: "" no user change is performed.
.IP
If this user is not capable of binding the
port, reloads (by signal HUP) will still retain the opened ports.
-If you change the port number in the config file, and that new port number
+If you change the port number in the config file, and that new port number
requires privileges, then a reload will fail; a restart is needed.
.TP
.B directory: \fI<directory>
@@ -524,17 +526,17 @@ then those includes can be relative to the working directory.
.TP
.B logfile: \fI<filename>
If "" is given, logging goes to stderr, or nowhere once daemonized.
-The logfile is appended to, in the following format:
+The logfile is appended to, in the following format:
.nf
-[seconds since 1970] unbound[pid:tid]: type: message.
+[seconds since 1970] unbound[pid:tid]: type: message.
.fi
If this option is given, the use\-syslog is option is set to "no".
-The logfile is reopened (for append) when the config file is reread, on
+The logfile is reopened (for append) when the config file is reread, on
SIGHUP.
.TP
.B use\-syslog: \fI<yes or no>
-Sets unbound to send log messages to the syslogd, using
-\fIsyslog\fR(3).
+Sets unbound to send log messages to the syslogd, using
+\fIsyslog\fR(3).
The log facility LOG_DAEMON is used, with identity "unbound".
The logfile setting is overridden when use\-syslog is turned on.
The default is to log to syslog.
@@ -565,20 +567,20 @@ lines which makes the server (significantly) slower. Odd (nonprintable)
characters in names are printed as '?'.
.TP
.B pidfile: \fI<filename>
-The process id is written to the file. Default is "@UNBOUND_PIDFILE@".
+The process id is written to the file. Default is "@UNBOUND_PIDFILE@".
So,
.nf
-kill \-HUP `cat @UNBOUND_PIDFILE@`
+kill \-HUP `cat @UNBOUND_PIDFILE@`
.fi
triggers a reload,
.nf
-kill \-TERM `cat @UNBOUND_PIDFILE@`
+kill \-TERM `cat @UNBOUND_PIDFILE@`
.fi
gracefully terminates.
.TP
.B root\-hints: \fI<filename>
Read the root hints from this file. Default is nothing, using builtin hints
-for the IN class. The file has the format of zone files, with root
+for the IN class. The file has the format of zone files, with root
nameserver names and addresses only. The default may become outdated,
when servers change, therefore it is good practice to use a root\-hints file.
.TP
@@ -602,22 +604,22 @@ If enabled trustanchor.unbound queries are refused.
.B target\-fetch\-policy: \fI<"list of numbers">
Set the target fetch policy used by unbound to determine if it should fetch
nameserver target addresses opportunistically. The policy is described per
-dependency depth.
+dependency depth.
.IP
The number of values determines the maximum dependency depth
-that unbound will pursue in answering a query.
+that unbound will pursue in answering a query.
A value of \-1 means to fetch all targets opportunistically for that dependency
depth. A value of 0 means to fetch on demand only. A positive value fetches
-that many targets opportunistically.
+that many targets opportunistically.
.IP
Enclose the list between quotes ("") and put spaces between numbers.
The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0 0" gives behaviour
-closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
+closer to that of BIND 9, while setting "\-1 \-1 \-1 \-1 \-1" gives behaviour
rumoured to be closer to that of BIND 8.
.TP
.B harden\-short\-bufsize: \fI<yes or no>
Very small EDNS buffer sizes from queries are ignored. Default is off, since
-it is legal protocol wise to send these, and unbound tries to give very
+it is legal protocol wise to send these, and unbound tries to give very
small answers to these queries, where possible.
.TP
.B harden\-large\-queries: \fI<yes or no>
@@ -631,11 +633,11 @@ Will trust glue only if it is within the servers authority. Default is on.
.B harden\-dnssec\-stripped: \fI<yes or no>
Require DNSSEC data for trust\-anchored zones, if such data is absent,
the zone becomes bogus. If turned off, and no DNSSEC data is received
-(or the DNSKEY data fails to validate), then the zone is made insecure,
-this behaves like there is no trust anchor. You could turn this off if
-you are sometimes behind an intrusive firewall (of some sort) that
-removes DNSSEC data from packets, or a zone changes from signed to
-unsigned to badly signed often. If turned off you run the risk of a
+(or the DNSKEY data fails to validate), then the zone is made insecure,
+this behaves like there is no trust anchor. You could turn this off if
+you are sometimes behind an intrusive firewall (of some sort) that
+removes DNSSEC data from packets, or a zone changes from signed to
+unsigned to badly signed often. If turned off you run the risk of a
downgrade attack that disables security for a zone. Default is on.
.TP
.B harden\-below\-nxdomain: \fI<yes or no>
@@ -653,7 +655,7 @@ The nxdomain must be secure, this means nsec3 with optout is insufficient.
Harden the referral path by performing additional queries for
infrastructure data. Validates the replies if trust anchors are configured
and the zones are signed. This enforces DNSSEC validation on nameserver
-NS sets and the nameserver addresses that are encountered on the referral
+NS sets and the nameserver addresses that are encountered on the referral
path to the answer.
Default off, because it burdens the authority servers, and it is
not RFC standard, and could lead to performance problems because of the
@@ -670,9 +672,9 @@ this option off avoids that validation failure.
.TP
.B use\-caps\-for\-id: \fI<yes or no>
Use 0x20\-encoded random bits in the query to foil spoof attempts.
-This perturbs the lowercase and uppercase of query names sent to
-authority servers and checks if the reply still has the correct casing.
-Disabled by default.
+This perturbs the lowercase and uppercase of query names sent to
+authority servers and checks if the reply still has the correct casing.
+Disabled by default.
This feature is an experimental implementation of draft dns\-0x20.
.TP
.B caps\-whitelist: \fI<domain>
@@ -683,7 +685,7 @@ Can be given multiple times, for different domains.
.TP
.B qname\-minimisation: \fI<yes or no>
Send minimum amount of information to upstream servers to enhance privacy.
-Only sent minimum required labels of the QNAME and set QTYPE to NS when
+Only sent minimum required labels of the QNAME and set QTYPE to NS when
possible. Best effort approach; full QNAME and original QTYPE will be sent when
upstream replies with a RCODE other than NOERROR, except when receiving
NXDOMAIN from a DNSSEC signed zone. Default is off.
@@ -715,7 +717,7 @@ stops IPv4-mapped IPv6 addresses from bypassing the filter.
.TP
.B private\-domain: \fI<domain name>
Allow this domain, and all its subdomains to contain private addresses.
-Give multiple times to allow multiple domain names to contain private
+Give multiple times to allow multiple domain names to contain private
addresses. Default is none.
.TP
.B unwanted\-reply\-threshold: \fI<number>
@@ -726,7 +728,7 @@ message caches, hopefully flushing away any poison. A value of 10 million
is suggested. Default is 0 (turned off).
.TP
.B do\-not\-query\-address: \fI<IP address>
-Do not query the given IP address. Can be IP4 or IP6. Append /num to
+Do not query the given IP address. Can be IP4 or IP6. Append /num to
indicate a classless delegation netblock, for example like
10.2.3.4/24 or 2001::11/64.
.TP
@@ -793,17 +795,20 @@ A DS or DNSKEY RR for a key to use for validation. Multiple entries can be
given to specify multiple trusted keys, in addition to the trust\-anchor\-files.
The resource record is entered in the same format as 'dig' or 'drill' prints
them, the same format as in the zone file. Has to be on a single line, with
-"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
+"" around it. A TTL can be specified for ease of cut and paste, but is ignored.
A class can be specified, but class IN is default.
.TP
.B trusted\-keys\-file: \fI<filename>
File with trusted keys for validation. Specify more than one file
with several entries, one file per entry. Like \fBtrust\-anchor\-file\fR
-but has a different file format. Format is BIND\-9 style format,
+but has a different file format. Format is BIND\-9 style format,
the trusted\-keys { name flag proto algo "key"; }; clauses are read.
It is possible to use wildcards with this statement, the wildcard is
expanded on start and on reload.
.TP
+.B trust\-anchor\-signaling: \fI<yes or no>
+Send RFC8145 key tag query after trust anchor priming. Default is off.
+.TP
.B dlv\-anchor\-file: \fI<filename>
This option was used during early days DNSSEC deployment when no parent-side
DS record registrations were easily available. Nowadays, it is best to have
@@ -811,9 +816,9 @@ DS records registered with the parent zone (many top level zones are signed).
File with trusted keys for DLV (DNSSEC Lookaside Validation). Both DS and
DNSKEY entries can be used in the file, in the same format as for
\fItrust\-anchor\-file:\fR statements. Only one DLV can be configured, more
-would be slow. The DLV configured is used as a root trusted DLV, this
-means that it is a lookaside for the root. Default is "", or no dlv anchor file.
-DLV is going to be decommissioned. Please do not use it any more.
+would be slow. The DLV configured is used as a root trusted DLV, this
+means that it is a lookaside for the root. Default is "", or no dlv anchor
+file. DLV is going to be decommissioned. Please do not use it any more.
.TP
.B dlv\-anchor: \fI<"Resource Record">
Much like trust\-anchor, this is a DLV anchor with the DS or DNSKEY inline.
@@ -825,17 +830,17 @@ the domain name. So a trust anchor above the domain name can not make the
domain secure with a DS record, such a DS record is then ignored.
Also keys from DLV are ignored for the domain. Can be given multiple times
to specify multiple domains that are treated as if unsigned. If you set
-trust anchors for the domain they override this setting (and the domain
+trust anchors for the domain they override this setting (and the domain
is secured).
.IP
This can be useful if you want to make sure a trust anchor for external
-lookups does not affect an (unsigned) internal domain. A DS record
+lookups does not affect an (unsigned) internal domain. A DS record
externally can create validation failures for that internal domain.
.TP
.B val\-override\-date: \fI<rrsig\-style date spec>
Default is "" or "0", which disables this debugging feature. If enabled by
giving a RRSIG style date, that date is used for verifying RRSIG inception
-and expiration dates, instead of the current date. Do not set this unless
+and expiration dates, instead of the current date. Do not set this unless
you are debugging signature inception and expiration. The value \-1 ignores
the date altogether, useful for some special applications.
.TP
@@ -865,7 +870,7 @@ The time interval prevents repeated revalidation of bogus data.
Instruct the validator to remove data from the additional section of secure
messages that are not signed properly. Messages that are insecure, bogus,
indeterminate or unchecked are not affected. Default is yes. Use this setting
-to protect the users that rely on this validator for authentication from
+to protect the users that rely on this validator for authentication from
potentially bad data in the additional section.
.TP
.B val\-log\-level: \fI<number>
@@ -880,10 +885,10 @@ it was wrong and which server sent the faulty data.
.B val\-permissive\-mode: \fI<yes or no>
Instruct the validator to mark bogus messages as indeterminate. The security
checks are performed, but if the result is bogus (failed security), the
-reply is not withheld from the client with SERVFAIL as usual. The client
-receives the bogus data. For messages that are found to be secure the AD bit
+reply is not withheld from the client with SERVFAIL as usual. The client
+receives the bogus data. For messages that are found to be secure the AD bit
is set in replies. Also logging is performed as for full validation.
-The default value is "no".
+The default value is "no".
.TP
.B ignore\-cd\-flag: \fI<yes or no>
Instruct unbound to ignore the CD flag from clients and refuse to
@@ -903,7 +908,7 @@ List of keysize and iteration count values, separated by spaces, surrounded
by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
maximum allowed NSEC3 iteration count before a message is simply marked
insecure instead of performing the many hashing iterations. The list must
-be in ascending order and have at least one entry. If you set it to
+be in ascending order and have at least one entry. If you set it to
"1024 65535" there is no restriction to NSEC3 iteration values.
This table must be kept short; a very long list could cause slower operation.
.TP
@@ -938,7 +943,7 @@ or gigabytes (1024*1024 bytes in a megabyte).
.TP
.B key\-cache\-slabs: \fI<number>
Number of slabs in the key cache. Slabs reduce lock contention by threads.
-Must be set to a power of 2. Setting (close) to the number of cpus is a
+Must be set to a power of 2. Setting (close) to the number of cpus is a
reasonable guess.
.TP
.B neg\-cache\-size: \fI<number>
@@ -989,7 +994,7 @@ Otherwise, the query is answered with nodata or nxdomain.
For a negative answer a SOA is included in the answer if present
as local\-data for the zone apex domain.
.TP 10
-\h'5'\fItransparent\fR
+\h'5'\fItransparent\fR
If there is a match from local data, the query is answered.
Otherwise if the query has a different name, the query is resolved normally.
If the query is for a name given in localdata but no such type of data is
@@ -997,49 +1002,49 @@ given in localdata, then a noerror nodata answer is returned.
If no local\-zone is given local\-data causes a transparent zone
to be created by default.
.TP 10
-\h'5'\fItypetransparent\fR
+\h'5'\fItypetransparent\fR
If there is a match from local data, the query is answered. If the query
is for a different name, or for the same name but for a different type,
the query is resolved normally. So, similar to transparent but types
that are not listed in local data are resolved normally, so if an A record
is in the local data that does not cause a nodata reply for AAAA queries.
.TP 10
-\h'5'\fIredirect\fR
+\h'5'\fIredirect\fR
The query is answered from the local data for the zone name.
There may be no local data beneath the zone name.
This answers queries for the zone, and all subdomains of the zone
with the local data for the zone.
It can be used to redirect a domain to return a different address record
-to the end user, with
-local\-zone: "example.com." redirect and
+to the end user, with
+local\-zone: "example.com." redirect and
local\-data: "example.com. A 127.0.0.1"
queries for www.example.com and www.foo.example.com are redirected, so
that users with web browsers cannot access sites with suffix example.com.
.TP 10
-\h'5'\fIinform\fR
+\h'5'\fIinform\fR
The query is answered normally, same as transparent. The client IP
address (@portnumber) is printed to the logfile. The log message is:
timestamp, unbound-pid, info: zonename inform IP@port queryname type
class. This option can be used for normal resolution, but machines
looking up infected names are logged, eg. to run antivirus on them.
.TP 10
-\h'5'\fIinform_deny\fR
+\h'5'\fIinform_deny\fR
The query is dropped, like 'deny', and logged, like 'inform'. Ie. find
infected machines without answering the queries.
.TP 10
-\h'5'\fIalways_transparent\fR
+\h'5'\fIalways_transparent\fR
Like transparent, but ignores local data and resolves normally.
.TP 10
-\h'5'\fIalways_refuse\fR
+\h'5'\fIalways_refuse\fR
Like refuse, but ignores local data and refuses the query.
.TP 10
-\h'5'\fIalways_nxdomain\fR
+\h'5'\fIalways_nxdomain\fR
Like static, but ignores local data and returns nxdomain for the query.
.TP 10
-\h'5'\fInodefault\fR
+\h'5'\fInodefault\fR
Used to turn off default contents for AS112 zones. The other types
-also turn off default contents for the zone. The 'nodefault' option
-has no other effect than turning off default contents for the
+also turn off default contents for the zone. The 'nodefault' option
+has no other effect than turning off default contents for the
given zone. Use \fInodefault\fR if you use exactly that zone, if you want to
use a subzone, use \fItransparent\fR.
.P
@@ -1048,71 +1053,71 @@ the AS112 zones. The AS112 zones are reverse DNS zones for private use and
reserved IP addresses for which the servers on the internet cannot provide
correct answers. They are configured by default to give nxdomain (no reverse
information) answers. The defaults can be turned off by specifying your
-own local\-zone of that name, or using the 'nodefault' type. Below is a
+own local\-zone of that name, or using the 'nodefault' type. Below is a
list of the default zone contents.
.TP 10
-\h'5'\fIlocalhost\fR
+\h'5'\fIlocalhost\fR
The IP4 and IP6 localhost information is given. NS and SOA records are provided
for completeness and to satisfy some DNS update tools. Default content:
.nf
local\-zone: "localhost." static
local\-data: "localhost. 10800 IN NS localhost."
-local\-data: "localhost. 10800 IN
+local\-data: "localhost. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
local\-data: "localhost. 10800 IN A 127.0.0.1"
local\-data: "localhost. 10800 IN AAAA ::1"
.fi
.TP 10
-\h'5'\fIreverse IPv4 loopback\fR
+\h'5'\fIreverse IPv4 loopback\fR
Default content:
.nf
local\-zone: "127.in\-addr.arpa." static
local\-data: "127.in\-addr.arpa. 10800 IN NS localhost."
-local\-data: "127.in\-addr.arpa. 10800 IN
+local\-data: "127.in\-addr.arpa. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
-local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
+local\-data: "1.0.0.127.in\-addr.arpa. 10800 IN
PTR localhost."
.fi
.TP 10
-\h'5'\fIreverse IPv6 loopback\fR
+\h'5'\fIreverse IPv6 loopback\fR
Default content:
.nf
local\-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." static
local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
+ 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
NS localhost."
local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
+ 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
local\-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
+ 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. 10800 IN
PTR localhost."
.fi
.TP 10
-\h'5'\fIonion (RFC 7686)\fR
+\h'5'\fIonion (RFC 7686)\fR
Default content:
.nf
local\-zone: "onion." static
local\-data: "onion. 10800 IN NS localhost."
-local\-data: "onion. 10800 IN
+local\-data: "onion. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
.fi
.TP 10
-\h'5'\fIreverse RFC1918 local use zones\fR
-Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
+\h'5'\fIreverse RFC1918 local use zones\fR
+Reverse data for zones 10.in\-addr.arpa, 16.172.in\-addr.arpa to
31.172.in\-addr.arpa, 168.192.in\-addr.arpa.
-The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
+The \fBlocal\-zone:\fR is set static and as \fBlocal\-data:\fR SOA and NS
records are provided.
.TP 10
-\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
-Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
+\h'5'\fIreverse RFC3330 IP4 this, link\-local, testnet and broadcast\fR
+Reverse data for zones 0.in\-addr.arpa, 254.169.in\-addr.arpa,
2.0.192.in\-addr.arpa (TEST NET 1), 100.51.198.in\-addr.arpa (TEST NET 2),
113.0.203.in\-addr.arpa (TEST NET 3), 255.255.255.255.in\-addr.arpa.
And from 64.100.in\-addr.arpa to 127.100.in\-addr.arpa (Shared Address Space).
.TP 10
\h'5'\fIreverse RFC4291 IP6 unspecified\fR
-Reverse data for zone
+Reverse data for zone
.nf
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
@@ -1137,11 +1142,11 @@ This also works with the other default zones.
.TP 5
.B local\-data: \fI"<resource record string>"
Configure local data, which is served in reply to queries for it.
-The query has to match exactly unless you configure the local\-zone as
+The query has to match exactly unless you configure the local\-zone as
redirect. If not matched exactly, the local\-zone type determines
further processing. If local\-data is configured that is not a subdomain of
-a local\-zone, a transparent local\-zone is configured.
-For record types such as TXT, use single quotes, as in
+a local\-zone, a transparent local\-zone is configured.
+For record types such as TXT, use single quotes, as in
local\-data: 'example. TXT "text"'.
.IP
If you need more complicated authoritative data, with referrals, wildcards,
@@ -1160,7 +1165,7 @@ used access-control element has a matching tag. Tags must be defined in
tags.
.TP 5
.B local\-zone\-override: \fI<zone> <IP netblock> <type>
-Override the localzone type for queries from addresses matching netblock.
+Override the localzone type for queries from addresses matching netblock.
Use this localzone type, regardless the type configured for the local-zone
(both tagged and untagged) and regardless the type configured using
access\-control\-tag\-action.
@@ -1197,18 +1202,20 @@ This can make ordinary queries complete (if repeatedly queried for),
and enter the cache, whilst also mitigating the traffic flow by the
factor given.
.TP 5
-.B ratelimit\-for\-domain: \fI<domain> <number qps>
+.B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
Override the global ratelimit for an exact match domain name with the listed
number. You can give this for any number of names. For example, for
a top\-level\-domain you may want to have a higher limit than other names.
+A value of 0 will disable ratelimiting for that domain.
.TP 5
-.B ratelimit\-below\-domain: \fI<domain> <number qps>
+.B ratelimit\-below\-domain: \fI<domain> <number qps or 0>
Override the global ratelimit for a domain name that ends in this name.
You can give this multiple times, it then describes different settings
in different parts of the namespace. The closest matching suffix is used
to determine the qps limit. The rate for the exact matching domain name
is not changed, use ratelimit\-for\-domain to set that, you might want
to use different settings for a top\-level\-domain and subdomains.
+A value of 0 will disable ratelimiting for domain names that end in this name.
.TP 5
.B ip\-ratelimit: \fI<number or 0>
Enable global ratelimiting of queries accepted per ip address.
@@ -1304,21 +1311,21 @@ the recursive processing itself for stub zones.
.P
The stub zone can be used to configure authoritative data to be used
by the resolver that cannot be accessed using the public internet servers.
-This is useful for company\-local data or private zones. Setup an
-authoritative server on a different host (or different port). Enter a config
-entry for unbound with
+This is useful for company\-local data or private zones. Setup an
+authoritative server on a different host (or different port). Enter a config
+entry for unbound with
.B stub\-addr:
-<ip address of host[@port]>.
-The unbound resolver can then access the data, without referring to the
-public internet for it.
+<ip address of host[@port]>.
+The unbound resolver can then access the data, without referring to the
+public internet for it.
.P
-This setup allows DNSSEC signed zones to be served by that
+This setup allows DNSSEC signed zones to be served by that
authoritative server, in which case a trusted key entry with the public key
-can be put in config, so that unbound can validate the data and set the AD
-bit on replies for the private zone (authoritative servers do not set the
-AD bit). This setup makes unbound capable of answering queries for the
-private zone, and can even set the AD bit ('authentic'), but the AA
-('authoritative') bit is not set on these replies.
+can be put in config, so that unbound can validate the data and set the AD
+bit on replies for the private zone (authoritative servers do not set the
+AD bit). This setup makes unbound capable of answering queries for the
+private zone, and can even set the AD bit ('authentic'), but the AA
+('authoritative') bit is not set on these replies.
.P
Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
@@ -1337,8 +1344,8 @@ IP address of stub zone nameserver. Can be IP 4 or IP 6.
To use a nondefault port for DNS communication append '@' with the port number.
.TP
.B stub\-prime: \fI<yes or no>
-This option is by default off. If enabled it performs NS set priming,
-which is similar to root hints, where it starts using the list of nameservers
+This option is by default off. If enabled it performs NS set priming,
+which is similar to root hints, where it starts using the list of nameservers
currently published by the zone. Thus, if the hint list is slightly outdated,
the resolver picks up a correct list online.
.TP
@@ -1390,10 +1397,10 @@ Default is no.
There may be multiple
.B view:
clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and
-\fBlocal\-data\fR elements. View can be mapped to requests by specifying the view
-name in an \fBaccess\-control\-view\fR element. Options from matching views will
-override global options. Global options will be used if no matching view
-is found.
+\fBlocal\-data\fR elements. View can be mapped to requests by specifying the
+view name in an \fBaccess\-control\-view\fR element. Options from matching
+views will override global options. Global options will be used if no matching
+view is found, or when the matching view does not have the option specified.
.TP
.B name: \fI<view name>
Name of the view. Must be unique. This name is used in access\-control\-view
@@ -1401,7 +1408,11 @@ elements.
.TP
.B local\-zone: \fI<zone> <type>
View specific local\-zone elements. Has the same types and behaviour as the
-global local\-zone elements.
+global local\-zone elements. When there is at least one local\-zone specified
+and view\-first is no, the default local-zones will be added to this view.
+Defaults can be disabled using the nodefault type. When view\-first is yes or
+when a view does not have a local\-zone, the global local\-zone will be used
+including it's default zones.
.TP
.B local\-data: \fI"<resource record string>"
View specific local\-data elements. Has the same behaviour as the global
@@ -1454,7 +1465,8 @@ clause give the settings of the dnscrypt channel. While those options are
available, they are only meaningful if unbound was compiled with
\fB\-\-enable\-dnscrypt\fR.
Currently certificate and secret/public keys cannot be generated by unbound.
-You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
+You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\
+dnscrypt-wrapper/blob/master/README.md#usage
.TP
.B dnscrypt\-enable: \fI<yes or no>\fR
Whether or not the \fBdnscrypt\fR config should be enabled. You may define
@@ -1475,23 +1487,24 @@ Path to the time limited secret key file. This option may be specified multiple
times.
.TP
.B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
-Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option
-may be specified multiple times.
+Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
+This option may be specified multiple times.
.SS "EDNS Client Subnet Module Options"
.LP
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
validator iterator" directive and be compiled into the daemon to be
enabled. These settings go in the \fBserver:\fR section.
.LP
-If the destination address is whitelisted with Unbound will add the EDNS0 option
-to the query containing the relevant part of the client's address. When an
-answer contains the ECS option the response and the option are placed in a
-specialized cache. If the authority indicated no support, the response is stored
-in the regular cache.
+If the destination address is whitelisted with Unbound will add the EDNS0
+option to the query containing the relevant part of the client's address. When
+an answer contains the ECS option the response and the option are placed in a
+specialized cache. If the authority indicated no support, the response is
+stored in the regular cache.
.LP
Additionally, when a client includes the option in its queries, Unbound will
-forward the option to the authority regardless of the authorities presence in
-the whitelist. In this case the lookup in the regular cache is skipped.
+forward the option to the authority if prensent in the whitelist, or
+\fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
+the regular cache is skipped.
.LP
The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
configuration file. On top of that, for each query only 100 different subnets
@@ -1502,7 +1515,12 @@ entries will be purged from cache.
Send client source address to this authority. Append /num to indicate a
classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. Can
be given multiple times. Authorities not listed will not receive edns-subnet
-information.
+information, unless domain in query is specified in \fBclient\-subnet\-zone\fR.
+.TP
+.B client\-subnet\-zone: \fI<domain>\fR
+Send client source address in queries for this domain and its subdomains. Can be
+given multiple times. Zones not listed will not receive edns-subnet information,
+unless hosted by authority specified in \fBsend\-client\-subnet\fR.
.TP
.B client\-subnet\-always\-forward: \fI<yes or no>\fR
Specify whether the ECS whitelist check (configured using
@@ -1519,6 +1537,72 @@ to expose to third parties for IPv6. Defaults to 56.
.B max\-client\-subnet\-ipv4: \fI<number>\fR
Specifies the maximum prefix length of the client source address we are willing
to expose to third parties for IPv4. Defaults to 24.
+.SS "Opportunistic IPsec Support Module Options"
+.LP
+The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod
+validator iterator" directive and be compiled into the daemon to be
+enabled. These settings go in the \fBserver:\fR section.
+.LP
+When unbound receives an A/AAAA query that is not in the cache and finds a
+valid answer, it will withhold returning the answer and instead will generate
+an IPSECKEY subquery for the same domain name. If an answer was found, unbound
+will call an external hook passing the following arguments:
+.TP 10
+\h'5'\fIQNAME\fR
+Domain name of the A/AAAA and IPSECKEY query. In string format.
+.TP 10
+\h'5'\fIIPSECKEY TTL\fR
+TTL of the IPSECKEY RRset.
+.TP 10
+\h'5'\fIA/AAAA\fR
+String of space separated IP addresses present in the A/AAAA RRset. The IP
+addresses are in string format.
+.TP 10
+\h'5'\fIIPSECKEY\fR
+String of space separated IPSECKEY RDATA present in the IPSECKEY RRset. The
+IPSECKEY RDATA are in DNS presentation format.
+.LP
+The A/AAAA answer is then cached and returned to the client. If the external
+hook was called the TTL changes to ensure it doesn't surpass
+\fBipsecmod-max-ttl\fR.
+.LP
+The same procedure is also followed when \fBprefetch:\fR is used, but the
+A/AAAA answer is given to the client before the hook is called.
+\fBipsecmod-max-ttl\fR ensures that the A/AAAA answer given from cache is still
+relevant for opportunistic IPsec.
+.TP
+.B ipsecmod-enabled: \fI<yes or no>\fR
+Specifies whether the IPsec module is enabled or not. The IPsec module still
+needs to be defined in the \fBmodule\-config:\fR directive. This option
+facilitates turning on/off the module without restarting/reloading unbound.
+Defaults to yes.
+.TP
+.B ipsecmod\-hook: \fI<filename>\fR
+Specifies the external hook that unbound will call with \fIsystem\fR(3). The
+file can be specified as an absolute/relative path. The file needs the proper
+permissions to be able to be executed by the same user that runs unbound. It
+must be present when the IPsec module is defined in the \fBmodule\-config:\fR
+directive.
+.TP
+.B ipsecmod-strict: \fI<yes or no>\fR
+If enabled unbound requires the external hook to return a success value of 0.
+Failing to do so unbound will reply with SERVFAIL. The A/AAAA answer will also
+not be cached. Defaults to no.
+.TP
+.B ipsecmod\-max-ttl: \fI<seconds>\fR
+Time to live maximum for A/AAAA cached records after calling the external hook.
+Defaults to 3600.
+.TP
+.B ipsecmod-ignore-bogus: \fI<yes or no>\fR
+Specifies the behaviour of unbound when the IPSECKEY answer is bogus. If set
+to yes, the hook will be called and the A/AAAA answer will be returned to the
+client. If set to no, the hook will not be called and the answer to the
+A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no.
+.TP
+.B ipsecmod\-whitelist: \fI<domain>\fR
+Whitelist the domain so that the module logic will be executed. Can
+be given multiple times, for different domains. If the option is not
+specified, all domains are treated as being whitelisted (default).
.SH "MEMORY CONTROL EXAMPLE"
In the example config settings below memory usage is reduced. Some service
levels are lower, notable very large data and a high TCP load are no longer
@@ -1526,7 +1610,7 @@ supported. Very large data and high TCP loads are exceptional for the DNS.
DNSSEC validation is enabled, just add trust anchors.
If you do not have to worry about programs using more than 3 Mb of memory,
the below example is not for you. Use the defaults to receive full service,
-which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
+which on BSD\-32bit tops out at 30\-40 Mb after heavy usage.
.P
.nf
# example settings that reduce memory usage
@@ -1567,12 +1651,12 @@ unbound configuration file.
default unbound pidfile with process ID of the running daemon.
.TP
.I unbound.log
-unbound log file. default is to log to
-\fIsyslog\fR(3).
+unbound log file. default is to log to
+\fIsyslog\fR(3).
.SH "SEE ALSO"
-\fIunbound\fR(8),
+\fIunbound\fR(8),
\fIunbound\-checkconf\fR(8).
.SH "AUTHORS"
-.B Unbound
+.B Unbound
was written by NLnet Labs. Please see CREDITS file
in the distribution for further details.
diff --git a/edns-subnet/addrtree.c b/edns-subnet/addrtree.c
index 69ace60549bf..050eb31fc98f 100644
--- a/edns-subnet/addrtree.c
+++ b/edns-subnet/addrtree.c
@@ -302,6 +302,7 @@ static int
getbit(const addrkey_t *addr, addrlen_t addrlen, addrlen_t n)
{
log_assert(addrlen > n);
+ (void)addrlen;
return (int)(addr[n/KEYWIDTH]>>((KEYWIDTH-1)-(n%KEYWIDTH))) & 1;
}
diff --git a/edns-subnet/subnet-whitelist.c b/edns-subnet/subnet-whitelist.c
index 1cfdb4be3c5a..1ea7fb1b2591 100644
--- a/edns-subnet/subnet-whitelist.c
+++ b/edns-subnet/subnet-whitelist.c
@@ -50,42 +50,44 @@
#include "util/config_file.h"
#include "util/net_help.h"
#include "util/storage/dnstree.h"
+#include "sldns/str2wire.h"
+#include "util/data/dname.h"
-struct ednssubnet_upstream*
-upstream_create(void)
+struct ecs_whitelist*
+ecs_whitelist_create(void)
{
- struct ednssubnet_upstream* upstream =
- (struct ednssubnet_upstream*)calloc(1,
- sizeof(struct ednssubnet_upstream));
- if(!upstream)
+ struct ecs_whitelist* whitelist =
+ (struct ecs_whitelist*)calloc(1,
+ sizeof(struct ecs_whitelist));
+ if(!whitelist)
return NULL;
- upstream->region = regional_create();
- if(!upstream->region) {
- upstream_delete(upstream);
+ whitelist->region = regional_create();
+ if(!whitelist->region) {
+ ecs_whitelist_delete(whitelist);
return NULL;
}
- return upstream;
+ return whitelist;
}
void
-upstream_delete(struct ednssubnet_upstream* upstream)
+ecs_whitelist_delete(struct ecs_whitelist* whitelist)
{
- if(!upstream)
+ if(!whitelist)
return;
- regional_destroy(upstream->region);
- free(upstream);
+ regional_destroy(whitelist->region);
+ free(whitelist);
}
-/** insert new address into upstream structure */
+/** insert new address into whitelist structure */
static int
-upstream_insert(struct ednssubnet_upstream* upstream,
+upstream_insert(struct ecs_whitelist* whitelist,
struct sockaddr_storage* addr, socklen_t addrlen, int net)
{
struct addr_tree_node* node = (struct addr_tree_node*)regional_alloc(
- upstream->region, sizeof(*node));
+ whitelist->region, sizeof(*node));
if(!node)
return 0;
- if(!addr_tree_insert(&upstream->tree, node, addr, addrlen, net)) {
+ if(!addr_tree_insert(&whitelist->upstream, node, addr, addrlen, net)) {
verbose(VERB_QUERY,
"duplicate send-client-subnet address ignored.");
}
@@ -94,7 +96,7 @@ upstream_insert(struct ednssubnet_upstream* upstream,
/** apply edns-subnet string */
static int
-upstream_str_cfg(struct ednssubnet_upstream* upstream, const char* str)
+upstream_str_cfg(struct ecs_whitelist* whitelist, const char* str)
{
struct sockaddr_storage addr;
int net;
@@ -104,7 +106,7 @@ upstream_str_cfg(struct ednssubnet_upstream* upstream, const char* str)
log_err("cannot parse send-client-subnet netblock: %s", str);
return 0;
}
- if(!upstream_insert(upstream, &addr, addrlen, net)) {
+ if(!upstream_insert(whitelist, &addr, addrlen, net)) {
log_err("out of memory");
return 0;
}
@@ -113,41 +115,93 @@ upstream_str_cfg(struct ednssubnet_upstream* upstream, const char* str)
/** read client_subnet config */
static int
-read_upstream(struct ednssubnet_upstream* upstream, struct config_file* cfg)
+read_upstream(struct ecs_whitelist* whitelist, struct config_file* cfg)
{
struct config_strlist* p;
for(p = cfg->client_subnet; p; p = p->next) {
log_assert(p->str);
- if(!upstream_str_cfg(upstream, p->str))
+ if(!upstream_str_cfg(whitelist, p->str))
return 0;
}
return 1;
}
+/** read client_subnet_zone config */
+static int
+read_names(struct ecs_whitelist* whitelist, struct config_file* cfg)
+{
+ /* parse names, report errors, insert into tree */
+ struct config_strlist* p;
+ struct name_tree_node* n;
+ uint8_t* nm, *nmr;
+ size_t nm_len;
+ int nm_labs;
+
+ for(p = cfg->client_subnet_zone; p; p = p->next) {
+ log_assert(p->str);
+ nm = sldns_str2wire_dname(p->str, &nm_len);
+ if(!nm) {
+ log_err("cannot parse client-subnet-zone: %s", p->str);
+ return 0;
+ }
+ nm_labs = dname_count_size_labels(nm, &nm_len);
+ nmr = (uint8_t*)regional_alloc_init(whitelist->region, nm,
+ nm_len);
+ free(nm);
+ if(!nmr) {
+ log_err("out of memory");
+ return 0;
+ }
+ n = (struct name_tree_node*)regional_alloc(whitelist->region,
+ sizeof(*n));
+ if(!n) {
+ log_err("out of memory");
+ return 0;
+ }
+ if(!name_tree_insert(&whitelist->dname, n, nmr, nm_len, nm_labs,
+ LDNS_RR_CLASS_IN)) {
+ verbose(VERB_QUERY, "ignoring duplicate "
+ "client-subnet-zone: %s", p->str);
+ }
+ }
+ return 1;
+}
+
int
-upstream_apply_cfg(struct ednssubnet_upstream* upstream,
+ecs_whitelist_apply_cfg(struct ecs_whitelist* whitelist,
struct config_file* cfg)
{
- regional_free_all(upstream->region);
- addr_tree_init(&upstream->tree);
- if(!read_upstream(upstream, cfg))
+ regional_free_all(whitelist->region);
+ addr_tree_init(&whitelist->upstream);
+ name_tree_init(&whitelist->dname);
+ if(!read_upstream(whitelist, cfg))
+ return 0;
+ if(!read_names(whitelist, cfg))
return 0;
- addr_tree_init_parents(&upstream->tree);
+ addr_tree_init_parents(&whitelist->upstream);
+ name_tree_init_parents(&whitelist->dname);
return 1;
}
int
-upstream_is_whitelisted(struct ednssubnet_upstream* upstream,
- struct sockaddr_storage* addr, socklen_t addrlen)
+ecs_is_whitelisted(struct ecs_whitelist* whitelist,
+ struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* qname,
+ size_t qname_len, uint16_t qclass)
{
- return addr_tree_lookup(&upstream->tree, addr, addrlen) != NULL;
+ int labs;
+ if(addr_tree_lookup(&whitelist->upstream, addr, addrlen))
+ return 1;
+ /* Not in upstream whitelist, check dname whitelist. */
+ labs = dname_count_labels(qname);
+ return name_tree_lookup(&whitelist->dname, qname, qname_len, labs,
+ qclass) != NULL;
}
size_t
-upstream_get_mem(struct ednssubnet_upstream* upstream)
+ecs_whitelist_get_mem(struct ecs_whitelist* whitelist)
{
- if(!upstream) return 0;
- return sizeof(*upstream) + regional_get_mem(upstream->region);
+ if(!whitelist) return 0;
+ return sizeof(*whitelist) + regional_get_mem(whitelist->region);
}
#endif /* CLIENT_SUBNET */
diff --git a/edns-subnet/subnet-whitelist.h b/edns-subnet/subnet-whitelist.h
index c08b40d86aba..8cd03abab393 100644
--- a/edns-subnet/subnet-whitelist.h
+++ b/edns-subnet/subnet-whitelist.h
@@ -36,8 +36,8 @@
/**
* \file
*
- * Keep track of the white listed servers for subnet option. Based
- * on acl_list.c|h
+ * Keep track of the white listed servers and domain names for subnet option.
+ * Based on acl_list.c|h
*/
#ifndef EDNSSUBNET_WHITELIST_H
@@ -48,9 +48,9 @@ struct config_file;
struct regional;
/**
- * ednssubnet_upstream structure
+ * ecs_whitelist structure
*/
-struct ednssubnet_upstream {
+struct ecs_whitelist {
/** regional for allocation */
struct regional* region;
/**
@@ -58,45 +58,54 @@ struct ednssubnet_upstream {
* contents of type addr_tree_node. Each node is an address span
* Unbound will append subnet option for.
*/
- rbtree_type tree;
+ rbtree_type upstream;
+ /**
+ * Tree of domain names for which Unbound will append an ECS option.
+ * rbtree of struct name_tree_node.
+ */
+ rbtree_type dname;
};
/**
- * Create ednssubnet_upstream structure
+ * Create ecs_whitelist structure
* @return new structure or NULL on error.
*/
-struct ednssubnet_upstream* upstream_create(void);
+struct ecs_whitelist* ecs_whitelist_create(void);
/**
- * Delete ednssubnet_upstream structure.
- * @param upstream: to delete.
+ * Delete ecs_whitelist structure.
+ * @param whitelist: to delete.
*/
-void upstream_delete(struct ednssubnet_upstream* upstream);
+void ecs_whitelist_delete(struct ecs_whitelist* whitelist);
/**
- * Process ednssubnet_upstream config.
- * @param upstream: where to store.
+ * Process ecs_whitelist config.
+ * @param whitelist: where to store.
* @param cfg: config options.
* @return 0 on error.
*/
-int upstream_apply_cfg(struct ednssubnet_upstream* upstream,
+int ecs_whitelist_apply_cfg(struct ecs_whitelist* whitelist,
struct config_file* cfg);
/**
- * See if an address is whitelisted.
- * @param upstream: structure for address storage.
+ * See if an address or domain is whitelisted.
+ * @param whitelist: structure for address storage.
* @param addr: address to check
* @param addrlen: length of addr.
+ * @param qname: dname in query
+ * @param qname_len: length of dname
+ * @param qclass: class in query
* @return: true if the address is whitelisted for subnet option.
*/
-int upstream_is_whitelisted(struct ednssubnet_upstream* upstream,
- struct sockaddr_storage* addr, socklen_t addrlen);
+int ecs_is_whitelisted(struct ecs_whitelist* whitelist,
+ struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* qname,
+ size_t qname_len, uint16_t qclass);
/**
- * Get memory used by ednssubnet_upstream structure.
- * @param upstream: structure for address storage.
+ * Get memory used by ecs_whitelist structure.
+ * @param whitelist: structure for address storage.
* @return bytes in use.
*/
-size_t upstream_get_mem(struct ednssubnet_upstream* upstream);
+size_t ecs_whitelist_get_mem(struct ecs_whitelist* whitelist);
#endif /* EDNSSUBNET_WHITELIST_H */
diff --git a/edns-subnet/subnetmod.c b/edns-subnet/subnetmod.c
index 4008004e4a32..9e76cefdf3b6 100644
--- a/edns-subnet/subnetmod.c
+++ b/edns-subnet/subnetmod.c
@@ -135,7 +135,7 @@ ecs_opt_list_append(struct ecs_data* ecs, struct edns_option** list,
}
}
-int ecs_whitelist_check(struct query_info* ATTR_UNUSED(qinfo),
+int ecs_whitelist_check(struct query_info* qinfo,
uint16_t ATTR_UNUSED(flags), struct module_qstate* qstate,
struct sockaddr_storage* addr, socklen_t addrlen,
uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen),
@@ -154,8 +154,9 @@ int ecs_whitelist_check(struct query_info* ATTR_UNUSED(qinfo),
if(sq->ecs_server_out.subnet_validdata && ((sq->subnet_downstream &&
qstate->env->cfg->client_subnet_always_forward) ||
- upstream_is_whitelisted(sn_env->edns_subnet_upstreams,
- addr, addrlen))) {
+ ecs_is_whitelisted(sn_env->whitelist,
+ addr, addrlen, qinfo->qname, qinfo->qname_len,
+ qinfo->qclass))) {
/* Address on whitelist or client query contains ECS option, we
* want to sent out ECS. Only add option if it is not already
* set. */
@@ -199,9 +200,9 @@ subnetmod_init(struct module_env *env, int id)
return 0;
}
/* whitelist for edns subnet capable servers */
- sn_env->edns_subnet_upstreams = upstream_create();
- if(!sn_env->edns_subnet_upstreams ||
- !upstream_apply_cfg(sn_env->edns_subnet_upstreams, env->cfg)) {
+ sn_env->whitelist = ecs_whitelist_create();
+ if(!sn_env->whitelist ||
+ !ecs_whitelist_apply_cfg(sn_env->whitelist, env->cfg)) {
log_err("subnet: could not create ECS whitelist");
slabhash_delete(sn_env->subnet_msg_cache);
free(sn_env);
@@ -217,7 +218,7 @@ subnetmod_init(struct module_env *env, int id)
env->cfg->client_subnet_always_forward /* bypass cache */,
0 /* no aggregation */, env)) {
log_err("subnet: could not register opcode");
- upstream_delete(sn_env->edns_subnet_upstreams);
+ ecs_whitelist_delete(sn_env->whitelist);
slabhash_delete(sn_env->subnet_msg_cache);
free(sn_env);
env->modinfo[id] = NULL;
@@ -243,7 +244,8 @@ subnetmod_deinit(struct module_env *env, int id)
lock_rw_destroy(&sn_env->biglock);
inplace_cb_delete(env, inplace_cb_edns_back_parsed, id);
inplace_cb_delete(env, inplace_cb_query, id);
- upstream_delete(sn_env->edns_subnet_upstreams);
+ inplace_cb_delete(env, inplace_cb_query_response, id);
+ ecs_whitelist_delete(sn_env->whitelist);
slabhash_delete(sn_env->subnet_msg_cache);
alloc_clear(&sn_env->alloc);
free(sn_env);
@@ -781,7 +783,7 @@ subnetmod_get_mem(struct module_env *env, int id)
if (!sn_env) return 0;
return sizeof(*sn_env) +
slabhash_get_mem(sn_env->subnet_msg_cache) +
- upstream_get_mem(sn_env->edns_subnet_upstreams);
+ ecs_whitelist_get_mem(sn_env->whitelist);
}
/**
diff --git a/edns-subnet/subnetmod.h b/edns-subnet/subnetmod.h
index f2baa466ae61..29bf64b4f55d 100644
--- a/edns-subnet/subnetmod.h
+++ b/edns-subnet/subnetmod.h
@@ -57,7 +57,7 @@ struct subnet_env {
* data: struct subnet_msg_cache_data* */
struct slabhash* subnet_msg_cache;
/** access control, which upstream servers we send client address */
- struct ednssubnet_upstream* edns_subnet_upstreams;
+ struct ecs_whitelist* whitelist;
/** allocation service */
struct alloc_cache alloc;
lock_rw_type biglock;
diff --git a/ipsecmod/ipsecmod-whitelist.c b/ipsecmod/ipsecmod-whitelist.c
new file mode 100644
index 000000000000..c2b1f5d4a596
--- /dev/null
+++ b/ipsecmod/ipsecmod-whitelist.c
@@ -0,0 +1,158 @@
+/*
+ * ipsecmod/ipsecmod-whitelist.h - White listed domains for the ipsecmod to
+ * operate on.
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * \file
+ *
+ * Keep track of the white listed domains for ipsecmod.
+ */
+
+#include "config.h"
+
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#include "ipsecmod/ipsecmod-whitelist.h"
+#include "util/regional.h"
+#include "util/log.h"
+#include "util/config_file.h"
+#include "util/rbtree.h"
+#include "util/data/dname.h"
+#include "util/storage/dnstree.h"
+#include "sldns/str2wire.h"
+
+/** Apply ipsecmod-whitelist string. */
+static int
+whitelist_str_cfg(rbtree_type* whitelist, const char* name)
+{
+ struct name_tree_node* n;
+ size_t len;
+ uint8_t* nm = sldns_str2wire_dname(name, &len);
+ if(!nm) {
+ log_err("ipsecmod: could not parse %s for whitelist.", name);
+ return 0;
+ }
+ n = (struct name_tree_node*)calloc(1, sizeof(*n));
+ if(!n) {
+ log_err("ipsecmod: out of memory while creating whitelist.");
+ free(nm);
+ return 0;
+ }
+ n->node.key = n;
+ n->name = nm;
+ n->len = len;
+ n->labs = dname_count_labels(nm);
+ n->dclass = LDNS_RR_CLASS_IN;
+ if(!name_tree_insert(whitelist, n, nm, len, n->labs, n->dclass)) {
+ /* duplicate element ignored, idempotent */
+ free(n->name);
+ free(n);
+ }
+ return 1;
+}
+
+/** Read ipsecmod-whitelist config. */
+static int
+read_whitelist(rbtree_type* whitelist, struct config_file* cfg)
+{
+ struct config_strlist* p;
+ for(p = cfg->ipsecmod_whitelist; p; p = p->next) {
+ log_assert(p->str);
+ if(!whitelist_str_cfg(whitelist, p->str))
+ return 0;
+ }
+ return 1;
+}
+
+int
+ipsecmod_whitelist_apply_cfg(struct ipsecmod_env* ie,
+ struct config_file* cfg)
+{
+ ie->whitelist = rbtree_create(name_tree_compare);
+ if(!read_whitelist(ie->whitelist, cfg))
+ return 0;
+ name_tree_init_parents(ie->whitelist);
+ return 1;
+}
+
+/** Delete ipsecmod_env->whitelist element. */
+static void
+whitelist_free(struct rbnode_type* n, void* ATTR_UNUSED(d))
+{
+ if(n) {
+ free(((struct name_tree_node*)n)->name);
+ free(n);
+ }
+}
+
+/** Get memory usage of ipsecmod_env->whitelist element. */
+static void
+whitelist_get_mem(struct rbnode_type* n, void* arg)
+{
+ struct name_tree_node* node = (struct name_tree_node*)n;
+ size_t* size = (size_t*) arg;
+ if(node) {
+ *size += sizeof(node) + node->len;
+ }
+}
+
+void
+ipsecmod_whitelist_delete(rbtree_type* whitelist)
+{
+ if(whitelist) {
+ traverse_postorder(whitelist, whitelist_free, NULL);
+ free(whitelist);
+ }
+}
+
+int
+ipsecmod_domain_is_whitelisted(struct ipsecmod_env* ie, uint8_t* dname,
+ size_t dname_len, uint16_t qclass)
+{
+ if(!ie->whitelist) return 1; /* No whitelist, treat as whitelisted. */
+ return name_tree_lookup(ie->whitelist, dname, dname_len,
+ dname_count_labels(dname), qclass) != NULL;
+}
+
+size_t
+ipsecmod_whitelist_get_mem(rbtree_type* whitelist)
+{
+ size_t size = 0;
+ if(whitelist) {
+ traverse_postorder(whitelist, whitelist_get_mem, &size);
+ }
+ return size;
+}
+
+#endif /* USE_IPSECMOD */
diff --git a/ipsecmod/ipsecmod-whitelist.h b/ipsecmod/ipsecmod-whitelist.h
new file mode 100644
index 000000000000..d98868814284
--- /dev/null
+++ b/ipsecmod/ipsecmod-whitelist.h
@@ -0,0 +1,82 @@
+/*
+ * ipsecmod/ipsecmod-whitelist.h - White listed domains for the ipsecmod to
+ * operate on.
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * \file
+ *
+ * Keep track of the white listed domains for ipsecmod.
+ */
+
+#ifndef IPSECMOD_WHITELIST_H
+#define IPSECMOD_WHITELIST_H
+#include "util/storage/dnstree.h"
+
+struct config_file;
+struct regional;
+
+/**
+ * Process ipsecmod_whitelist config.
+ * @param ie: ipsecmod environment.
+ * @param cfg: config options.
+ * @return 0 on error.
+ */
+int ipsecmod_whitelist_apply_cfg(struct ipsecmod_env* ie,
+ struct config_file* cfg);
+
+/**
+ * Delete the ipsecmod whitelist.
+ * @param whitelist: ipsecmod whitelist.
+ */
+void ipsecmod_whitelist_delete(rbtree_type* whitelist);
+
+/**
+ * See if a domain is whitelisted.
+ * @param ie: ipsecmod environment.
+ * @param dname: domain name to check.
+ * @param dname_len: length of domain name.
+ * @param qclass: query CLASS.
+ * @return: true if the domain is whitelisted for the ipsecmod.
+ */
+int ipsecmod_domain_is_whitelisted(struct ipsecmod_env* ie, uint8_t* dname,
+ size_t dname_len, uint16_t qclass);
+
+/**
+ * Get memory used by ipsecmod whitelist.
+ * @param whitelist: structure for domain storage.
+ * @return bytes in use.
+ */
+size_t ipsecmod_whitelist_get_mem(rbtree_type* whitelist);
+
+#endif /* IPSECMOD_WHITELIST_H */
diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c
new file mode 100644
index 000000000000..3e4ee6a53508
--- /dev/null
+++ b/ipsecmod/ipsecmod.c
@@ -0,0 +1,515 @@
+/*
+ * ipsecmod/ipsecmod.c - facilitate opportunistic IPsec module
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains a module that facilitates opportunistic IPsec. It does so
+ * by also quering for the IPSECKEY for A/AAAA queries and calling a
+ * configurable hook (eg. signaling an IKE daemon) before replying.
+ */
+
+#include "config.h"
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#include "ipsecmod/ipsecmod-whitelist.h"
+#include "util/fptr_wlist.h"
+#include "util/regional.h"
+#include "util/net_help.h"
+#include "util/config_file.h"
+#include "services/cache/dns.h"
+#include "sldns/wire2str.h"
+
+/** Apply configuration to ipsecmod module 'global' state. */
+static int
+ipsecmod_apply_cfg(struct ipsecmod_env* ipsecmod_env, struct config_file* cfg)
+{
+ if(!cfg->ipsecmod_hook || (cfg->ipsecmod_hook && !cfg->ipsecmod_hook[0])) {
+ log_err("ipsecmod: missing ipsecmod-hook.");
+ return 0;
+ }
+ if(cfg->ipsecmod_whitelist &&
+ !ipsecmod_whitelist_apply_cfg(ipsecmod_env, cfg))
+ return 0;
+ return 1;
+}
+
+int
+ipsecmod_init(struct module_env* env, int id)
+{
+ struct ipsecmod_env* ipsecmod_env = (struct ipsecmod_env*)calloc(1,
+ sizeof(struct ipsecmod_env));
+ if(!ipsecmod_env) {
+ log_err("malloc failure");
+ return 0;
+ }
+ env->modinfo[id] = (void*)ipsecmod_env;
+ ipsecmod_env->whitelist = NULL;
+ if(!ipsecmod_apply_cfg(ipsecmod_env, env->cfg)) {
+ log_err("ipsecmod: could not apply configuration settings.");
+ return 0;
+ }
+ return 1;
+}
+
+void
+ipsecmod_deinit(struct module_env* env, int id)
+{
+ struct ipsecmod_env* ipsecmod_env;
+ if(!env || !env->modinfo[id])
+ return;
+ ipsecmod_env = (struct ipsecmod_env*)env->modinfo[id];
+ /* Free contents. */
+ ipsecmod_whitelist_delete(ipsecmod_env->whitelist);
+ free(ipsecmod_env);
+ env->modinfo[id] = NULL;
+}
+
+/** New query for ipsecmod. */
+static int
+ipsecmod_new(struct module_qstate* qstate, int id)
+{
+ struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc(
+ qstate->region, sizeof(struct ipsecmod_qstate));
+ memset(iq, 0, sizeof(*iq));
+ qstate->minfo[id] = iq;
+ if(!iq)
+ return 0;
+ /* Initialise it. */
+ iq->enabled = qstate->env->cfg->ipsecmod_enabled;
+ iq->is_whitelisted = ipsecmod_domain_is_whitelisted(
+ (struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname,
+ qstate->qinfo.qname_len, qstate->qinfo.qclass);
+ return 1;
+}
+
+/**
+ * Exit module with an error status.
+ * @param qstate: query state
+ * @param id: module id.
+ */
+static void
+ipsecmod_error(struct module_qstate* qstate, int id)
+{
+ qstate->ext_state[id] = module_error;
+ qstate->return_rcode = LDNS_RCODE_SERVFAIL;
+}
+
+/**
+ * Generate a request for the IPSECKEY.
+ *
+ * @param qstate: query state that is the parent.
+ * @param id: module id.
+ * @param name: what name to query for.
+ * @param namelen: length of name.
+ * @param qtype: query type.
+ * @param qclass: query class.
+ * @param flags: additional flags, such as the CD bit (BIT_CD), or 0.
+ * @return false on alloc failure.
+ */
+static int
+generate_request(struct module_qstate* qstate, int id, uint8_t* name,
+ size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags)
+{
+ struct module_qstate* newq;
+ struct query_info ask;
+ ask.qname = name;
+ ask.qname_len = namelen;
+ ask.qtype = qtype;
+ ask.qclass = qclass;
+ ask.local_alias = NULL;
+ log_query_info(VERB_ALGO, "ipsecmod: generate request", &ask);
+ fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
+ if(!(*qstate->env->attach_sub)(qstate, &ask,
+ (uint16_t)(BIT_RD|flags), 0, 0, &newq)){
+ log_err("Could not generate request: out of memory");
+ return 0;
+ }
+ qstate->ext_state[id] = module_wait_subquery;
+ return 1;
+}
+
+/**
+ * Prepare the data and call the hook.
+ *
+ * @param qstate: query state.
+ * @param iq: ipsecmod qstate.
+ * @param ie: ipsecmod environment.
+ * @return true on success, false otherwise.
+ */
+static int
+call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
+ struct ipsecmod_env* ATTR_UNUSED(ie))
+{
+ size_t slen, tempdata_len, tempstring_len, i;
+ char str[65535], *s, *tempstring;
+ int w;
+ struct ub_packed_rrset_key* rrset_key;
+ struct packed_rrset_data* rrset_data;
+ uint8_t *tempdata;
+
+ /* Check if a shell is available */
+ if(system(NULL) == 0) {
+ log_err("ipsecmod: no shell available for ipsecmod-hook");
+ return 0;
+ }
+
+ /* Zero the buffer. */
+ s = str;
+ slen = sizeof(str);
+ memset(s, 0, slen);
+
+ /* Copy the hook into the buffer. */
+ sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
+ /* Put space into the buffer. */
+ sldns_str_print(&s, &slen, " ");
+ /* Copy the qname into the buffer. */
+ tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
+ qstate->qinfo.qname_len);
+ if(!tempstring) {
+ log_err("ipsecmod: out of memory when calling the hook");
+ return 0;
+ }
+ sldns_str_print(&s, &slen, "\"%s\"", tempstring);
+ free(tempstring);
+ /* Put space into the buffer. */
+ sldns_str_print(&s, &slen, " ");
+ /* Copy the IPSECKEY TTL into the buffer. */
+ rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+ sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
+ /* Put space into the buffer. */
+ sldns_str_print(&s, &slen, " ");
+ /* Copy the A/AAAA record(s) into the buffer. Start and end this section
+ * with a double quote. */
+ rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
+ qstate->return_msg->rep);
+ rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
+ sldns_str_print(&s, &slen, "\"");
+ for(i=0; i<rrset_data->count; i++) {
+ if(i > 0) {
+ /* Put space into the buffer. */
+ sldns_str_print(&s, &slen, " ");
+ }
+ /* Ignore the first two bytes, they are the rr_data len. */
+ w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
+ rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
+ if(w < 0) {
+ /* Error in printout. */
+ return -1;
+ } else if((size_t)w >= slen) {
+ s = NULL; /* We do not want str to point outside of buffer. */
+ slen = 0;
+ return -1;
+ } else {
+ s += w;
+ slen -= w;
+ }
+ }
+ sldns_str_print(&s, &slen, "\"");
+ /* Put space into the buffer. */
+ sldns_str_print(&s, &slen, " ");
+ /* Copy the IPSECKEY record(s) into the buffer. Start and end this section
+ * with a double quote. */
+ sldns_str_print(&s, &slen, "\"");
+ rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+ for(i=0; i<rrset_data->count; i++) {
+ if(i > 0) {
+ /* Put space into the buffer. */
+ sldns_str_print(&s, &slen, " ");
+ }
+ /* Ignore the first two bytes, they are the rr_data len. */
+ tempdata = rrset_data->rr_data[i] + 2;
+ tempdata_len = rrset_data->rr_len[i] - 2;
+ /* Save the buffer pointers. */
+ tempstring = s; tempstring_len = slen;
+ w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen,
+ NULL, 0);
+ /* There was an error when parsing the IPSECKEY; reset the buffer
+ * pointers to their previous values. */
+ if(w == -1){
+ s = tempstring; slen = tempstring_len;
+ }
+ }
+ sldns_str_print(&s, &slen, "\"");
+ verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str);
+ /* ipsecmod-hook should return 0 on success. */
+ if(system(str) != 0)
+ return 0;
+ return 1;
+}
+
+/**
+ * Handle an ipsecmod module event with a query
+ * @param qstate: query state (from the mesh), passed between modules.
+ * contains qstate->env module environment with global caches and so on.
+ * @param iq: query state specific for this module. per-query.
+ * @param ie: environment specific for this module. global.
+ * @param id: module id.
+ */
+static void
+ipsecmod_handle_query(struct module_qstate* qstate,
+ struct ipsecmod_qstate* iq, struct ipsecmod_env* ie, int id)
+{
+ struct ub_packed_rrset_key* rrset_key;
+ struct packed_rrset_data* rrset_data;
+ size_t i;
+ /* Pass to next module if we are not enabled and whitelisted. */
+ if(!(iq->enabled && iq->is_whitelisted)) {
+ qstate->ext_state[id] = module_wait_module;
+ return;
+ }
+ /* New query, check if the query is for an A/AAAA record and disable
+ * caching for other modules. */
+ if(!iq->ipseckey_done) {
+ if(qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
+ qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) {
+ char type[16];
+ sldns_wire2str_type_buf(qstate->qinfo.qtype, type,
+ sizeof(type));
+ verbose(VERB_ALGO, "ipsecmod: query for %s; engaging",
+ type);
+ qstate->no_cache_store = 1;
+ }
+ /* Pass request to next module. */
+ qstate->ext_state[id] = module_wait_module;
+ return;
+ }
+ /* IPSECKEY subquery is finished. */
+ /* We have an IPSECKEY answer. */
+ if(iq->ipseckey_rrset) {
+ rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
+ if(rrset_data) {
+ /* If bogus return SERVFAIL. */
+ if(!qstate->env->cfg->ipsecmod_ignore_bogus &&
+ rrset_data->security == sec_status_bogus) {
+ log_err("ipsecmod: bogus IPSECKEY");
+ ipsecmod_error(qstate, id);
+ return;
+ }
+ /* We have a valid IPSECKEY reply, call hook. */
+ if(!call_hook(qstate, iq, ie) &&
+ qstate->env->cfg->ipsecmod_strict) {
+ log_err("ipsecmod: ipsecmod-hook failed");
+ ipsecmod_error(qstate, id);
+ return;
+ }
+ /* Make sure the A/AAAA's TTL is equal/less than the
+ * ipsecmod_max_ttl. */
+ rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
+ qstate->return_msg->rep);
+ rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
+ if(rrset_data->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) {
+ /* Update TTL for rrset to fixed value. */
+ rrset_data->ttl = qstate->env->cfg->ipsecmod_max_ttl;
+ for(i=0; i<rrset_data->count+rrset_data->rrsig_count; i++)
+ rrset_data->rr_ttl[i] = qstate->env->cfg->ipsecmod_max_ttl;
+ /* Also update reply_info's TTL */
+ if(qstate->return_msg->rep->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) {
+ qstate->return_msg->rep->ttl =
+ qstate->env->cfg->ipsecmod_max_ttl;
+ qstate->return_msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(
+ qstate->return_msg->rep->ttl);
+ }
+ }
+ }
+ }
+ /* Store A/AAAA in cache. */
+ if(!dns_cache_store(qstate->env, &qstate->qinfo,
+ qstate->return_msg->rep, 0, qstate->prefetch_leeway,
+ 0, qstate->region, qstate->query_flags)) {
+ log_err("ipsecmod: out of memory caching record");
+ }
+ qstate->ext_state[id] = module_finished;
+}
+
+/**
+ * Handle an ipsecmod module event with a response from the iterator.
+ * @param qstate: query state (from the mesh), passed between modules.
+ * contains qstate->env module environment with global caches and so on.
+ * @param iq: query state specific for this module. per-query.
+ * @param ie: environment specific for this module. global.
+ * @param id: module id.
+ */
+static void
+ipsecmod_handle_response(struct module_qstate* qstate,
+ struct ipsecmod_qstate* ATTR_UNUSED(iq),
+ struct ipsecmod_env* ATTR_UNUSED(ie), int id)
+{
+ /* Pass to previous module if we are not enabled and whitelisted. */
+ if(!(iq->enabled && iq->is_whitelisted)) {
+ qstate->ext_state[id] = module_finished;
+ return;
+ }
+ /* check if the response is for an A/AAAA query. */
+ if((qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
+ qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) &&
+ /* check that we had an answer for the A/AAAA query. */
+ qstate->return_msg &&
+ reply_find_answer_rrset(&qstate->return_msg->qinfo,
+ qstate->return_msg->rep) &&
+ /* check that another module didn't SERVFAIL. */
+ qstate->return_rcode == LDNS_RCODE_NOERROR) {
+ char type[16];
+ sldns_wire2str_type_buf(qstate->qinfo.qtype, type,
+ sizeof(type));
+ verbose(VERB_ALGO, "ipsecmod: response for %s; generating IPSECKEY "
+ "subquery", type);
+ /* generate an IPSECKEY query. */
+ if(!generate_request(qstate, id, qstate->qinfo.qname,
+ qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY,
+ qstate->qinfo.qclass, 0)) {
+ log_err("ipsecmod: could not generate subquery.");
+ ipsecmod_error(qstate, id);
+ }
+ return;
+ }
+ /* we are done with the query. */
+ qstate->ext_state[id] = module_finished;
+}
+
+void
+ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
+ struct outbound_entry* outbound)
+{
+ struct ipsecmod_env* ie = (struct ipsecmod_env*)qstate->env->modinfo[id];
+ struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)qstate->minfo[id];
+ verbose(VERB_QUERY, "ipsecmod[module %d] operate: extstate:%s event:%s",
+ id, strextstate(qstate->ext_state[id]), strmodulevent(event));
+ if(iq) log_query_info(VERB_QUERY, "ipsecmod operate: query",
+ &qstate->qinfo);
+
+ /* create ipsecmod_qstate. */
+ if((event == module_event_new || event == module_event_pass) &&
+ iq == NULL) {
+ if(!ipsecmod_new(qstate, id)) {
+ ipsecmod_error(qstate, id);
+ return;
+ }
+ iq = (struct ipsecmod_qstate*)qstate->minfo[id];
+ }
+ if(iq && (event == module_event_pass || event == module_event_new)) {
+ ipsecmod_handle_query(qstate, iq, ie, id);
+ return;
+ }
+ if(iq && (event == module_event_moddone)) {
+ ipsecmod_handle_response(qstate, iq, ie, id);
+ return;
+ }
+ if(iq && outbound) {
+ /* cachedb does not need to process responses at this time
+ * ignore it.
+ cachedb_process_response(qstate, iq, ie, id, outbound, event);
+ */
+ return;
+ }
+ if(event == module_event_error) {
+ verbose(VERB_ALGO, "got called with event error, giving up");
+ ipsecmod_error(qstate, id);
+ return;
+ }
+ if(!iq && (event == module_event_moddone)) {
+ /* during priming, module done but we never started. */
+ qstate->ext_state[id] = module_finished;
+ return;
+ }
+
+ log_err("ipsecmod: bad event %s", strmodulevent(event));
+ ipsecmod_error(qstate, id);
+ return;
+}
+
+void
+ipsecmod_inform_super(struct module_qstate* qstate, int id,
+ struct module_qstate* super)
+{
+ struct ipsecmod_qstate* siq;
+ log_query_info(VERB_ALGO, "ipsecmod: inform_super, sub is",
+ &qstate->qinfo);
+ log_query_info(VERB_ALGO, "super is", &super->qinfo);
+ siq = (struct ipsecmod_qstate*)super->minfo[id];
+ if(!siq) {
+ verbose(VERB_ALGO, "super has no ipsecmod state");
+ return;
+ }
+
+ if(qstate->return_msg) {
+ struct ub_packed_rrset_key* rrset_key = reply_find_answer_rrset(
+ &qstate->return_msg->qinfo, qstate->return_msg->rep);
+ if(rrset_key) {
+ /* We have an answer. */
+ /* Copy to super's region. */
+ rrset_key = packed_rrset_copy_region(rrset_key, super->region, 0);
+ siq->ipseckey_rrset = rrset_key;
+ if(!rrset_key) {
+ log_err("ipsecmod: out of memory.");
+ }
+ }
+ }
+ /* Notify super to proceed. */
+ siq->ipseckey_done = 1;
+}
+
+void
+ipsecmod_clear(struct module_qstate* qstate, int id)
+{
+ if(!qstate)
+ return;
+ qstate->minfo[id] = NULL;
+}
+
+size_t
+ipsecmod_get_mem(struct module_env* env, int id)
+{
+ struct ipsecmod_env* ie = (struct ipsecmod_env*)env->modinfo[id];
+ if(!ie)
+ return 0;
+ return sizeof(*ie) + ipsecmod_whitelist_get_mem(ie->whitelist);
+}
+
+/**
+ * The ipsecmod function block
+ */
+static struct module_func_block ipsecmod_block = {
+ "ipsecmod",
+ &ipsecmod_init, &ipsecmod_deinit, &ipsecmod_operate,
+ &ipsecmod_inform_super, &ipsecmod_clear, &ipsecmod_get_mem
+};
+
+struct module_func_block*
+ipsecmod_get_funcblock(void)
+{
+ return &ipsecmod_block;
+}
+#endif /* USE_IPSECMOD */
diff --git a/ipsecmod/ipsecmod.h b/ipsecmod/ipsecmod.h
new file mode 100644
index 000000000000..e00816d4bf99
--- /dev/null
+++ b/ipsecmod/ipsecmod.h
@@ -0,0 +1,97 @@
+/*
+ * ipsecmod/ipsecmod.h - facilitate opportunistic IPsec module
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains a module that facilitates opportunistic IPsec. It does so
+ * by also quering for the IPSECKEY for A/AAAA queries and calling a
+ * configurable hook (eg. signaling an IKE daemon) before replying.
+ */
+
+#ifndef IPSECMOD_H
+#define IPSECMOD_H
+#include "util/module.h"
+#include "util/rbtree.h"
+
+/**
+ * The global variable environment contents for the ipsecmod
+ * Shared between threads, this represents long term information.
+ */
+struct ipsecmod_env {
+ /** White listed domains for ipsecmod. */
+ rbtree_type* whitelist;
+};
+
+/**
+ * Per query state for the ipsecmod module.
+ */
+struct ipsecmod_qstate {
+ /** State of the IPsec module. */
+ /** NOTE: This value is copied here from the configuration so that a change
+ * with unbound-control would not complicate an already running mesh. */
+ int enabled;
+ /** If the qname is whitelisted or not. */
+ /** NOTE: No whitelist means all qnames are whitelisted. */
+ int is_whitelisted;
+ /** Pointer to IPSECKEY rrset allocated in the qstate region. NULL if there
+ * was no IPSECKEY reply from the subquery. */
+ struct ub_packed_rrset_key* ipseckey_rrset;
+ /** If the IPSECKEY subquery has finished. */
+ int ipseckey_done;
+};
+
+/** Init the ipsecmod module */
+int ipsecmod_init(struct module_env* env, int id);
+/** Deinit the ipsecmod module */
+void ipsecmod_deinit(struct module_env* env, int id);
+/** Operate on an event on a query (in qstate). */
+void ipsecmod_operate(struct module_qstate* qstate, enum module_ev event,
+ int id, struct outbound_entry* outbound);
+/** Subordinate query done, inform this super request of its conclusion */
+void ipsecmod_inform_super(struct module_qstate* qstate, int id,
+ struct module_qstate* super);
+/** clear the ipsecmod query-specific contents out of qstate */
+void ipsecmod_clear(struct module_qstate* qstate, int id);
+/** return memory estimate for the ipsecmod module */
+size_t ipsecmod_get_mem(struct module_env* env, int id);
+
+/**
+ * Get the function block with pointers to the ipsecmod functions
+ * @return the function block for "ipsecmod".
+ */
+struct module_func_block* ipsecmod_get_funcblock(void);
+
+#endif /* IPSECMOD_H */
diff --git a/iterator/iter_hints.c b/iterator/iter_hints.c
index 74869d355472..47af96687fe6 100644
--- a/iterator/iter_hints.c
+++ b/iterator/iter_hints.c
@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
}
if(do_ip6) {
if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed;
- if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:84::b")) goto failed;
+ if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed;
if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 43b3d30c330b..205ab0d15407 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -288,6 +288,22 @@ error_response_cache(struct module_qstate* qstate, int id, int rcode)
return error_response(qstate, id, rcode);
/* if that fails (not in cache), fall through to store err */
}
+ if(qstate->env->cfg->serve_expired) {
+ /* if serving expired contents, and such content is
+ * already available, don't overwrite this servfail */
+ struct msgreply_entry* msg;
+ if((msg=msg_cache_lookup(qstate->env,
+ qstate->qinfo.qname, qstate->qinfo.qname_len,
+ qstate->qinfo.qtype, qstate->qinfo.qclass,
+ qstate->query_flags, 0, 0))
+ != NULL) {
+ lock_rw_unlock(&msg->entry.lock);
+ return error_response(qstate, id, rcode);
+ }
+ /* serving expired contents, but nothing is cached
+ * at all, so the servfail cache entry is useful
+ * (stops waste of time on this servfail NORR_TTL) */
+ }
memset(&err, 0, sizeof(err));
err.flags = (uint16_t)(BIT_QR | BIT_RA);
FLAGS_SET_RCODE(err.flags, rcode);
@@ -509,6 +525,33 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
return 1;
}
+/** see if last resort is possible - does config allow queries to parent */
+static int
+can_have_last_resort(struct module_env* env, uint8_t* nm, size_t nmlen,
+ uint16_t qclass)
+{
+ struct delegpt* fwddp;
+ struct iter_hints_stub* stub;
+ int labs = dname_count_labels(nm);
+ /* do not process a last resort (the parent side) if a stub
+ * or forward is configured, because we do not want to go 'above'
+ * the configured servers */
+ if(!dname_is_root(nm) && (stub = (struct iter_hints_stub*)
+ name_tree_find(&env->hints->tree, nm, nmlen, labs, qclass)) &&
+ /* has_parent side is turned off for stub_first, where we
+ * are allowed to go to the parent */
+ stub->dp->has_parent_side_NS) {
+ return 0;
+ }
+ if((fwddp = forwards_find(env->fwds, nm, qclass)) &&
+ /* has_parent_side is turned off for forward_first, where
+ * we are allowed to go to the parent */
+ fwddp->has_parent_side_NS) {
+ return 0;
+ }
+ return 1;
+}
+
/** see if target name is caps-for-id whitelisted */
static int
is_caps_whitelisted(struct iter_env* ie, struct iter_qstate* iq)
@@ -853,6 +896,9 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
if(iq->depth == ie->max_dependency_depth)
return;
+ if(!can_have_last_resort(qstate->env, iq->dp->name, iq->dp->namelen,
+ iq->qchase.qclass))
+ return;
/* is this query the same as the nscheck? */
if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS &&
query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 &&
@@ -1025,6 +1071,20 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
return next_state(iq, COLLECT_CLASS_STATE);
}
+ /*
+ * If we are restricted by a forward-zone or a stub-zone, we
+ * can't re-fetch glue for this delegation point.
+ * we won’t try to re-fetch glue if the iq->dp is null.
+ */
+ if (iq->refetch_glue &&
+ iq->dp &&
+ !can_have_last_resort(qstate->env,
+ iq->dp->name,
+ iq->dp->namelen,
+ iq->qchase.qclass)) {
+ iq->refetch_glue = 0;
+ }
+
/* Resolver Algorithm Step 1 -- Look for the answer in local data. */
/* This either results in a query restart (CNAME cache response), a
@@ -1558,35 +1618,6 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
return 1;
}
-/** see if last resort is possible - does config allow queries to parent */
-static int
-can_have_last_resort(struct module_env* env, struct delegpt* dp,
- struct iter_qstate* iq)
-{
- struct delegpt* fwddp;
- struct iter_hints_stub* stub;
- /* do not process a last resort (the parent side) if a stub
- * or forward is configured, because we do not want to go 'above'
- * the configured servers */
- if(!dname_is_root(dp->name) && (stub = (struct iter_hints_stub*)
- name_tree_find(&env->hints->tree, dp->name, dp->namelen,
- dp->namelabs, iq->qchase.qclass)) &&
- /* has_parent side is turned off for stub_first, where we
- * are allowed to go to the parent */
- stub->dp->has_parent_side_NS) {
- verbose(VERB_QUERY, "configured stub servers failed -- returning SERVFAIL");
- return 0;
- }
- if((fwddp = forwards_find(env->fwds, dp->name, iq->qchase.qclass)) &&
- /* has_parent_side is turned off for forward_first, where
- * we are allowed to go to the parent */
- fwddp->has_parent_side_NS) {
- verbose(VERB_QUERY, "configured forward servers failed -- returning SERVFAIL");
- return 0;
- }
- return 1;
-}
-
/**
* Called by processQueryTargets when it would like extra targets to query
* but it seems to be out of options. At last resort some less appealing
@@ -1608,9 +1639,11 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
verbose(VERB_ALGO, "No more query targets, attempting last resort");
log_assert(iq->dp);
- if(!can_have_last_resort(qstate->env, iq->dp, iq)) {
+ if(!can_have_last_resort(qstate->env, iq->dp->name, iq->dp->namelen,
+ iq->qchase.qclass)) {
/* fail -- no more targets, no more hope of targets, no hope
* of a response. */
+ verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL");
return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
}
if(!iq->dp->has_parent_side_NS && dname_is_root(iq->dp->name)) {
@@ -1695,6 +1728,19 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
/* see if we can issue queries to get nameserver addresses */
/* this lookup is not randomized, but sequential. */
for(ns = iq->dp->nslist; ns; ns = ns->next) {
+ /* if this nameserver is at a delegation point, but that
+ * delegation point is a stub and we cannot go higher, skip*/
+ if( ((ie->supports_ipv6 && !ns->done_pside6) ||
+ (ie->supports_ipv4 && !ns->done_pside4)) &&
+ !can_have_last_resort(qstate->env, ns->name, ns->namelen,
+ iq->qchase.qclass)) {
+ log_nametypeclass(VERB_ALGO, "cannot pside lookup ns "
+ "because it is also a stub/forward,",
+ ns->name, LDNS_RR_TYPE_NS, iq->qchase.qclass);
+ if(ie->supports_ipv6) ns->done_pside6 = 1;
+ if(ie->supports_ipv4) ns->done_pside4 = 1;
+ continue;
+ }
/* query for parent-side A and AAAA for nameservers */
if(ie->supports_ipv6 && !ns->done_pside6) {
/* Send the AAAA request. */
diff --git a/libunbound/unbound.h b/libunbound/unbound.h
index 9a076927f9a6..d7667d104a0e 100644
--- a/libunbound/unbound.h
+++ b/libunbound/unbound.h
@@ -601,6 +601,167 @@ int ub_ctx_data_remove(struct ub_ctx* ctx, const char *data);
*/
const char* ub_version(void);
+/**
+ * Some global statistics that are not in struct stats_info,
+ * this struct is shared on a shm segment (shm-key in unbound.conf)
+ */
+struct ub_shm_stat_info {
+ int num_threads;
+
+ struct {
+ long long now_sec, now_usec;
+ long long up_sec, up_usec;
+ long long elapsed_sec, elapsed_usec;
+ } time;
+
+ struct {
+ long long msg;
+ long long rrset;
+ long long val;
+ long long iter;
+ long long subnet;
+ long long ipsecmod;
+ long long respip;
+ } mem;
+};
+
+/** number of qtype that is stored for in array */
+#define UB_STATS_QTYPE_NUM 256
+/** number of qclass that is stored for in array */
+#define UB_STATS_QCLASS_NUM 256
+/** number of rcodes in stats */
+#define UB_STATS_RCODE_NUM 16
+/** number of opcodes in stats */
+#define UB_STATS_OPCODE_NUM 16
+/** number of histogram buckets */
+#define UB_STATS_BUCKET_NUM 40
+
+/** per worker statistics. */
+struct ub_server_stats {
+ /** number of queries from clients received. */
+ long long num_queries;
+ /** number of queries that have been dropped/ratelimited by ip. */
+ long long num_queries_ip_ratelimited;
+ /** number of queries that had a cache-miss. */
+ long long num_queries_missed_cache;
+ /** number of prefetch queries - cachehits with prefetch */
+ long long num_queries_prefetch;
+
+ /**
+ * Sum of the querylistsize of the worker for
+ * every query that missed cache. To calculate average.
+ */
+ long long sum_query_list_size;
+ /** max value of query list size reached. */
+ long long max_query_list_size;
+
+ /** Extended stats below (bool) */
+ int extended;
+
+ /** qtype stats */
+ long long qtype[UB_STATS_QTYPE_NUM];
+ /** bigger qtype values not in array */
+ long long qtype_big;
+ /** qclass stats */
+ long long qclass[UB_STATS_QCLASS_NUM];
+ /** bigger qclass values not in array */
+ long long qclass_big;
+ /** query opcodes */
+ long long qopcode[UB_STATS_OPCODE_NUM];
+ /** number of queries over TCP */
+ long long qtcp;
+ /** number of outgoing queries over TCP */
+ long long qtcp_outgoing;
+ /** number of queries over IPv6 */
+ long long qipv6;
+ /** number of queries with QR bit */
+ long long qbit_QR;
+ /** number of queries with AA bit */
+ long long qbit_AA;
+ /** number of queries with TC bit */
+ long long qbit_TC;
+ /** number of queries with RD bit */
+ long long qbit_RD;
+ /** number of queries with RA bit */
+ long long qbit_RA;
+ /** number of queries with Z bit */
+ long long qbit_Z;
+ /** number of queries with AD bit */
+ long long qbit_AD;
+ /** number of queries with CD bit */
+ long long qbit_CD;
+ /** number of queries with EDNS OPT record */
+ long long qEDNS;
+ /** number of queries with EDNS with DO flag */
+ long long qEDNS_DO;
+ /** answer rcodes */
+ long long ans_rcode[UB_STATS_RCODE_NUM];
+ /** answers with pseudo rcode 'nodata' */
+ long long ans_rcode_nodata;
+ /** answers that were secure (AD) */
+ long long ans_secure;
+ /** answers that were bogus (withheld as SERVFAIL) */
+ long long ans_bogus;
+ /** rrsets marked bogus by validator */
+ long long rrset_bogus;
+ /** unwanted traffic received on server-facing ports */
+ long long unwanted_replies;
+ /** unwanted traffic received on client-facing ports */
+ long long unwanted_queries;
+ /** usage of tcp accept list */
+ long long tcp_accept_usage;
+ /** answers served from expired cache */
+ long long zero_ttl_responses;
+ /** histogram data exported to array
+ * if the array is the same size, no data is lost, and
+ * if all histograms are same size (is so by default) then
+ * adding up works well. */
+ long long hist[UB_STATS_BUCKET_NUM];
+
+ /** number of message cache entries */
+ long long msg_cache_count;
+ /** number of rrset cache entries */
+ long long rrset_cache_count;
+ /** number of infra cache entries */
+ long long infra_cache_count;
+ /** number of key cache entries */
+ long long key_cache_count;
+
+ /** number of queries that used dnscrypt */
+ long long num_query_dnscrypt_crypted;
+ /** number of queries that queried dnscrypt certificates */
+ long long num_query_dnscrypt_cert;
+ /** number of queries in clear text and not asking for the certificates */
+ long long num_query_dnscrypt_cleartext;
+ /** number of malformed encrypted queries */
+ long long num_query_dnscrypt_crypted_malformed;
+};
+
+/**
+ * Statistics to send over the control pipe when asked
+ * This struct is made to be memcpied, sent in binary.
+ * shm mapped with (number+1) at num_threads+1, with first as total
+ */
+struct ub_stats_info {
+ /** the thread stats */
+ struct ub_server_stats svr;
+
+ /** mesh stats: current number of states */
+ long long mesh_num_states;
+ /** mesh stats: current number of reply (user) states */
+ long long mesh_num_reply_states;
+ /** mesh stats: number of reply states overwritten with a new one */
+ long long mesh_jostled;
+ /** mesh stats: number of incoming queries dropped */
+ long long mesh_dropped;
+ /** mesh stats: replies sent */
+ long long mesh_replies_sent;
+ /** mesh stats: sum of waiting times for the replies */
+ long long mesh_replies_sum_wait_sec, mesh_replies_sum_wait_usec;
+ /** mesh stats: median of waiting times for replies (in sec) */
+ double mesh_time_median;
+};
+
#ifdef __cplusplus
}
#endif
diff --git a/pythonmod/pythonmod.c b/pythonmod/pythonmod.c
index dde7e54b246a..35a20434b935 100644
--- a/pythonmod/pythonmod.c
+++ b/pythonmod/pythonmod.c
@@ -41,8 +41,10 @@
/* ignore the varargs unused warning from SWIGs internal vararg support */
#ifdef __GNUC__
#pragma GCC diagnostic ignored "-Wunused-parameter"
+#ifndef __clang__
#pragma GCC diagnostic ignored "-Wunused-but-set-variable"
#endif
+#endif
#include "config.h"
#include "sldns/sbuffer.h"
diff --git a/respip/respip.c b/respip/respip.c
index d7132511122a..2e9313f271bb 100644
--- a/respip/respip.c
+++ b/respip/respip.c
@@ -261,6 +261,7 @@ respip_enter_rr(struct regional* region, struct resp_addr* raddr,
log_err("bad response-ip-data: %s", rrstr);
return 0;
}
+ free(nm);
sa = (struct sockaddr*)&raddr->node.addr;
if (rrtype == LDNS_RR_TYPE_CNAME && raddr->data) {
log_err("CNAME response-ip data (%s) can not co-exist with other "
diff --git a/services/authzone.c b/services/authzone.c
new file mode 100644
index 000000000000..75dd4fc60736
--- /dev/null
+++ b/services/authzone.c
@@ -0,0 +1,2369 @@
+/*
+ * services/authzone.c - authoritative zone that is locally hosted.
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains the functions for an authority zone. This zone
+ * is queried by the iterator, just like a stub or forward zone, but then
+ * the data is locally held.
+ */
+
+#include "config.h"
+#include "services/authzone.h"
+#include "util/data/dname.h"
+#include "util/data/msgreply.h"
+#include "util/data/packed_rrset.h"
+#include "util/regional.h"
+#include "util/net_help.h"
+#include "util/config_file.h"
+#include "util/log.h"
+#include "services/cache/dns.h"
+#include "sldns/rrdef.h"
+#include "sldns/pkthdr.h"
+#include "sldns/sbuffer.h"
+#include "sldns/str2wire.h"
+#include "sldns/wire2str.h"
+#include "sldns/parseutil.h"
+#include "validator/val_nsec3.h"
+#include "validator/val_secalgo.h"
+
+/** bytes to use for NSEC3 hash buffer. 20 for sha1 */
+#define N3HASHBUFLEN 32
+/** max number of CNAMEs we are willing to follow (in one answer) */
+#define MAX_CNAME_CHAIN 8
+
+/** create new dns_msg */
+static struct dns_msg*
+msg_create(struct regional* region, struct query_info* qinfo)
+{
+ struct dns_msg* msg = (struct dns_msg*)regional_alloc(region,
+ sizeof(struct dns_msg));
+ if(!msg)
+ return NULL;
+ msg->qinfo.qname = regional_alloc_init(region, qinfo->qname,
+ qinfo->qname_len);
+ if(!msg->qinfo.qname)
+ return NULL;
+ msg->qinfo.qname_len = qinfo->qname_len;
+ msg->qinfo.qtype = qinfo->qtype;
+ msg->qinfo.qclass = qinfo->qclass;
+ msg->qinfo.local_alias = NULL;
+ /* non-packed reply_info, because it needs to grow the array */
+ msg->rep = (struct reply_info*)regional_alloc_zero(region,
+ sizeof(struct reply_info)-sizeof(struct rrset_ref));
+ if(!msg->rep)
+ return NULL;
+ msg->rep->flags = (uint16_t)(BIT_QR | BIT_AA);
+ msg->rep->authoritative = 1;
+ msg->rep->qdcount = 1;
+ /* rrsets is NULL, no rrsets yet */
+ return msg;
+}
+
+/** grow rrset array by one in msg */
+static int
+msg_grow_array(struct regional* region, struct dns_msg* msg)
+{
+ if(msg->rep->rrsets == NULL) {
+ msg->rep->rrsets = regional_alloc_zero(region,
+ sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1));
+ if(!msg->rep->rrsets)
+ return 0;
+ } else {
+ struct ub_packed_rrset_key** rrsets_old = msg->rep->rrsets;
+ msg->rep->rrsets = regional_alloc_zero(region,
+ sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1));
+ if(!msg->rep->rrsets)
+ return 0;
+ memmove(msg->rep->rrsets, rrsets_old,
+ sizeof(struct ub_packed_rrset_key*)*msg->rep->rrset_count);
+ }
+ return 1;
+}
+
+/** get ttl of rrset */
+static time_t
+get_rrset_ttl(struct ub_packed_rrset_key* k)
+{
+ struct packed_rrset_data* d = (struct packed_rrset_data*)
+ k->entry.data;
+ return d->ttl;
+}
+
+/** Copy rrset into region from domain-datanode and packet rrset */
+static struct ub_packed_rrset_key*
+auth_packed_rrset_copy_region(struct auth_zone* z, struct auth_data* node,
+ struct auth_rrset* rrset, struct regional* region, time_t adjust)
+{
+ struct ub_packed_rrset_key key;
+ memset(&key, 0, sizeof(key));
+ key.entry.key = &key;
+ key.entry.data = rrset->data;
+ key.rk.dname = node->name;
+ key.rk.dname_len = node->namelen;
+ key.rk.type = htons(rrset->type);
+ key.rk.rrset_class = htons(z->dclass);
+ key.entry.hash = rrset_key_hash(&key.rk);
+ return packed_rrset_copy_region(&key, region, adjust);
+}
+
+/** fix up msg->rep TTL and prefetch ttl */
+static void
+msg_ttl(struct dns_msg* msg)
+{
+ if(msg->rep->rrset_count == 0) return;
+ if(msg->rep->rrset_count == 1) {
+ msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]);
+ msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
+ } else if(get_rrset_ttl(msg->rep->rrsets[msg->rep->rrset_count-1]) <
+ msg->rep->ttl) {
+ msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[
+ msg->rep->rrset_count-1]);
+ msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
+ }
+}
+
+/** see if rrset is a duplicate in the answer message */
+static int
+msg_rrset_duplicate(struct dns_msg* msg, uint8_t* nm, size_t nmlen,
+ uint16_t type, uint16_t dclass)
+{
+ size_t i;
+ for(i=0; i<msg->rep->rrset_count; i++) {
+ struct ub_packed_rrset_key* k = msg->rep->rrsets[i];
+ if(ntohs(k->rk.type) == type && k->rk.dname_len == nmlen &&
+ ntohs(k->rk.rrset_class) == dclass &&
+ query_dname_compare(k->rk.dname, nm) == 0)
+ return 1;
+ }
+ return 0;
+}
+
+/** add rrset to answer section (no auth, add rrsets yet) */
+static int
+msg_add_rrset_an(struct auth_zone* z, struct regional* region,
+ struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
+{
+ log_assert(msg->rep->ns_numrrsets == 0);
+ log_assert(msg->rep->ar_numrrsets == 0);
+ if(!rrset)
+ return 1;
+ if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
+ z->dclass))
+ return 1;
+ /* grow array */
+ if(!msg_grow_array(region, msg))
+ return 0;
+ /* copy it */
+ if(!(msg->rep->rrsets[msg->rep->rrset_count] =
+ auth_packed_rrset_copy_region(z, node, rrset, region, 0)))
+ return 0;
+ msg->rep->rrset_count++;
+ msg->rep->an_numrrsets++;
+ msg_ttl(msg);
+ return 1;
+}
+
+/** add rrset to authority section (no additonal section rrsets yet) */
+static int
+msg_add_rrset_ns(struct auth_zone* z, struct regional* region,
+ struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
+{
+ log_assert(msg->rep->ar_numrrsets == 0);
+ if(!rrset)
+ return 1;
+ if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
+ z->dclass))
+ return 1;
+ /* grow array */
+ if(!msg_grow_array(region, msg))
+ return 0;
+ /* copy it */
+ if(!(msg->rep->rrsets[msg->rep->rrset_count] =
+ auth_packed_rrset_copy_region(z, node, rrset, region, 0)))
+ return 0;
+ msg->rep->rrset_count++;
+ msg->rep->ns_numrrsets++;
+ msg_ttl(msg);
+ return 1;
+}
+
+/** add rrset to additional section */
+static int
+msg_add_rrset_ar(struct auth_zone* z, struct regional* region,
+ struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
+{
+ if(!rrset)
+ return 1;
+ if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
+ z->dclass))
+ return 1;
+ /* grow array */
+ if(!msg_grow_array(region, msg))
+ return 0;
+ /* copy it */
+ if(!(msg->rep->rrsets[msg->rep->rrset_count] =
+ auth_packed_rrset_copy_region(z, node, rrset, region, 0)))
+ return 0;
+ msg->rep->rrset_count++;
+ msg->rep->ar_numrrsets++;
+ msg_ttl(msg);
+ return 1;
+}
+
+struct auth_zones* auth_zones_create(void)
+{
+ struct auth_zones* az = (struct auth_zones*)calloc(1, sizeof(*az));
+ if(!az) {
+ log_err("out of memory");
+ return NULL;
+ }
+ rbtree_init(&az->ztree, &auth_zone_cmp);
+ lock_rw_init(&az->lock);
+ lock_protect(&az->lock, &az->ztree, sizeof(az->ztree));
+ /* also lock protects the rbnode's in struct auth_zone */
+ return az;
+}
+
+int auth_zone_cmp(const void* z1, const void* z2)
+{
+ /* first sort on class, so that hierarchy can be maintained within
+ * a class */
+ struct auth_zone* a = (struct auth_zone*)z1;
+ struct auth_zone* b = (struct auth_zone*)z2;
+ int m;
+ if(a->dclass != b->dclass) {
+ if(a->dclass < b->dclass)
+ return -1;
+ return 1;
+ }
+ /* sorted such that higher zones sort before lower zones (their
+ * contents) */
+ return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m);
+}
+
+int auth_data_cmp(const void* z1, const void* z2)
+{
+ struct auth_data* a = (struct auth_data*)z1;
+ struct auth_data* b = (struct auth_data*)z2;
+ int m;
+ /* canonical sort, because DNSSEC needs that */
+ return dname_canon_lab_cmp(a->name, a->namelabs, b->name,
+ b->namelabs, &m);
+}
+
+/** delete auth rrset node */
+static void
+auth_rrset_delete(struct auth_rrset* rrset)
+{
+ if(!rrset) return;
+ free(rrset->data);
+ free(rrset);
+}
+
+/** delete auth data domain node */
+static void
+auth_data_delete(struct auth_data* n)
+{
+ struct auth_rrset* p, *np;
+ if(!n) return;
+ p = n->rrsets;
+ while(p) {
+ np = p->next;
+ auth_rrset_delete(p);
+ p = np;
+ }
+ free(n->name);
+ free(n);
+}
+
+/** helper traverse to delete zones */
+static void
+auth_data_del(rbnode_type* n, void* ATTR_UNUSED(arg))
+{
+ struct auth_data* z = (struct auth_data*)n->key;
+ auth_data_delete(z);
+}
+
+/** delete an auth zone structure (tree remove must be done elsewhere) */
+static void
+auth_zone_delete(struct auth_zone* z)
+{
+ if(!z) return;
+ lock_rw_destroy(&z->lock);
+ traverse_postorder(&z->data, auth_data_del, NULL);
+ free(z->name);
+ free(z->zonefile);
+ free(z);
+}
+
+struct auth_zone*
+auth_zone_create(struct auth_zones* az, uint8_t* nm, size_t nmlen,
+ uint16_t dclass)
+{
+ struct auth_zone* z = (struct auth_zone*)calloc(1, sizeof(*z));
+ if(!z) {
+ return NULL;
+ }
+ z->node.key = z;
+ z->dclass = dclass;
+ z->namelen = nmlen;
+ z->namelabs = dname_count_labels(nm);
+ z->name = memdup(nm, nmlen);
+ if(!z->name) {
+ free(z);
+ return NULL;
+ }
+ rbtree_init(&z->data, &auth_data_cmp);
+ lock_rw_init(&z->lock);
+ lock_protect(&z->lock, &z->name, sizeof(*z)-sizeof(rbnode_type));
+ lock_rw_wrlock(&z->lock);
+ /* z lock protects all, except rbtree itself, which is az->lock */
+ if(!rbtree_insert(&az->ztree, &z->node)) {
+ lock_rw_unlock(&z->lock);
+ auth_zone_delete(z);
+ log_warn("duplicate auth zone");
+ return NULL;
+ }
+ return z;
+}
+
+struct auth_zone*
+auth_zone_find(struct auth_zones* az, uint8_t* nm, size_t nmlen,
+ uint16_t dclass)
+{
+ struct auth_zone key;
+ key.node.key = &key;
+ key.dclass = dclass;
+ key.name = nm;
+ key.namelen = nmlen;
+ key.namelabs = dname_count_labels(nm);
+ return (struct auth_zone*)rbtree_search(&az->ztree, &key);
+}
+
+/** find an auth zone or sorted less-or-equal, return true if exact */
+static int
+auth_zone_find_less_equal(struct auth_zones* az, uint8_t* nm, size_t nmlen,
+ uint16_t dclass, struct auth_zone** z)
+{
+ struct auth_zone key;
+ key.node.key = &key;
+ key.dclass = dclass;
+ key.name = nm;
+ key.namelen = nmlen;
+ key.namelabs = dname_count_labels(nm);
+ return rbtree_find_less_equal(&az->ztree, &key, (rbnode_type**)z);
+}
+
+/** find the auth zone that is above the given qname */
+struct auth_zone*
+auth_zones_find_zone(struct auth_zones* az, struct query_info* qinfo)
+{
+ uint8_t* nm = qinfo->qname;
+ size_t nmlen = qinfo->qname_len;
+ struct auth_zone* z;
+ if(auth_zone_find_less_equal(az, nm, nmlen, qinfo->qclass, &z)) {
+ /* exact match */
+ return z;
+ } else {
+ /* less-or-nothing */
+ if(!z) return NULL; /* nothing smaller, nothing above it */
+ /* we found smaller name; smaller may be above the qname,
+ * but not below it. */
+ nm = dname_get_shared_topdomain(z->name, qinfo->qname);
+ dname_count_size_labels(nm, &nmlen);
+ }
+ /* search up */
+ while(!z && !dname_is_root(nm)) {
+ dname_remove_label(&nm, &nmlen);
+ z = auth_zone_find(az, nm, nmlen, qinfo->qclass);
+ }
+ return z;
+}
+
+/** find or create zone with name str. caller must have lock on az.
+ * returns a wrlocked zone */
+static struct auth_zone*
+auth_zones_find_or_add_zone(struct auth_zones* az, char* name)
+{
+ uint8_t nm[LDNS_MAX_DOMAINLEN+1];
+ size_t nmlen = sizeof(nm);
+ struct auth_zone* z;
+
+ if(sldns_str2wire_dname_buf(name, nm, &nmlen) != 0) {
+ log_err("cannot parse auth zone name: %s", name);
+ return 0;
+ }
+ z = auth_zone_find(az, nm, nmlen, LDNS_RR_CLASS_IN);
+ if(!z) {
+ /* not found, create the zone */
+ z = auth_zone_create(az, nm, nmlen, LDNS_RR_CLASS_IN);
+ } else {
+ lock_rw_wrlock(&z->lock);
+ }
+ return z;
+}
+
+int
+auth_zone_set_zonefile(struct auth_zone* z, char* zonefile)
+{
+ if(z->zonefile) free(z->zonefile);
+ if(zonefile == NULL) {
+ z->zonefile = NULL;
+ } else {
+ z->zonefile = strdup(zonefile);
+ if(!z->zonefile) {
+ log_err("malloc failure");
+ return 0;
+ }
+ }
+ return 1;
+}
+
+/** set auth zone fallback. caller must have lock on zone */
+int
+auth_zone_set_fallback(struct auth_zone* z, char* fallbackstr)
+{
+ if(strcmp(fallbackstr, "yes") != 0 && strcmp(fallbackstr, "no") != 0){
+ log_err("auth zone fallback, expected yes or no, got %s",
+ fallbackstr);
+ return 0;
+ }
+ z->fallback_enabled = (strcmp(fallbackstr, "yes")==0);
+ return 1;
+}
+
+/** create domain with the given name */
+static struct auth_data*
+az_domain_create(struct auth_zone* z, uint8_t* nm, size_t nmlen)
+{
+ struct auth_data* n = (struct auth_data*)malloc(sizeof(*n));
+ if(!n) return NULL;
+ memset(n, 0, sizeof(*n));
+ n->node.key = n;
+ n->name = memdup(nm, nmlen);
+ if(!n->name) {
+ free(n);
+ return NULL;
+ }
+ n->namelen = nmlen;
+ n->namelabs = dname_count_labels(nm);
+ if(!rbtree_insert(&z->data, &n->node)) {
+ log_warn("duplicate auth domain name");
+ free(n->name);
+ free(n);
+ return NULL;
+ }
+ return n;
+}
+
+/** find domain with exactly the given name */
+static struct auth_data*
+az_find_name(struct auth_zone* z, uint8_t* nm, size_t nmlen)
+{
+ struct auth_zone key;
+ key.node.key = &key;
+ key.name = nm;
+ key.namelen = nmlen;
+ key.namelabs = dname_count_labels(nm);
+ return (struct auth_data*)rbtree_search(&z->data, &key);
+}
+
+/** Find domain name (or closest match) */
+static void
+az_find_domain(struct auth_zone* z, struct query_info* qinfo, int* node_exact,
+ struct auth_data** node)
+{
+ struct auth_zone key;
+ key.node.key = &key;
+ key.name = qinfo->qname;
+ key.namelen = qinfo->qname_len;
+ key.namelabs = dname_count_labels(key.name);
+ *node_exact = rbtree_find_less_equal(&z->data, &key,
+ (rbnode_type**)node);
+}
+
+/** find or create domain with name in zone */
+static struct auth_data*
+az_domain_find_or_create(struct auth_zone* z, uint8_t* dname,
+ size_t dname_len)
+{
+ struct auth_data* n = az_find_name(z, dname, dname_len);
+ if(!n) {
+ n = az_domain_create(z, dname, dname_len);
+ }
+ return n;
+}
+
+/** find rrset of given type in the domain */
+static struct auth_rrset*
+az_domain_rrset(struct auth_data* n, uint16_t t)
+{
+ struct auth_rrset* rrset;
+ if(!n) return NULL;
+ rrset = n->rrsets;
+ while(rrset) {
+ if(rrset->type == t)
+ return rrset;
+ rrset = rrset->next;
+ }
+ return NULL;
+}
+
+/** remove rrset of this type from domain */
+static void
+domain_remove_rrset(struct auth_data* node, uint16_t rr_type)
+{
+ struct auth_rrset* rrset, *prev;
+ if(!node) return;
+ prev = NULL;
+ rrset = node->rrsets;
+ while(rrset) {
+ if(rrset->type == rr_type) {
+ /* found it, now delete it */
+ if(prev) prev->next = rrset->next;
+ else node->rrsets = rrset->next;
+ auth_rrset_delete(rrset);
+ return;
+ }
+ prev = rrset;
+ rrset = rrset->next;
+ }
+}
+
+/** see if rdata is duplicate */
+static int
+rdata_duplicate(struct packed_rrset_data* d, uint8_t* rdata, size_t len)
+{
+ size_t i;
+ for(i=0; i<d->count + d->rrsig_count; i++) {
+ if(d->rr_len[i] != len)
+ continue;
+ if(memcmp(d->rr_data[i], rdata, len) == 0)
+ return 1;
+ }
+ return 0;
+}
+
+/** get rrsig type covered from rdata.
+ * @param rdata: rdata in wireformat, starting with 16bit rdlength.
+ * @param rdatalen: length of rdata buffer.
+ * @return type covered (or 0).
+ */
+static uint16_t
+rrsig_rdata_get_type_covered(uint8_t* rdata, size_t rdatalen)
+{
+ if(rdatalen < 4)
+ return 0;
+ return sldns_read_uint16(rdata+2);
+}
+
+/** add RR to existing RRset. If insert_sig is true, add to rrsigs.
+ * This reallocates the packed rrset for a new one */
+static int
+rrset_add_rr(struct auth_rrset* rrset, uint32_t rr_ttl, uint8_t* rdata,
+ size_t rdatalen, int insert_sig)
+{
+ struct packed_rrset_data* d, *old = rrset->data;
+ size_t total, old_total;
+
+ d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old)
+ + sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t)
+ + rdatalen);
+ if(!d) {
+ log_err("out of memory");
+ return 0;
+ }
+ /* copy base values */
+ memcpy(d, old, sizeof(struct packed_rrset_data));
+ if(!insert_sig) {
+ d->count++;
+ } else {
+ d->rrsig_count++;
+ }
+ old_total = old->count + old->rrsig_count;
+ total = d->count + d->rrsig_count;
+ /* set rr_len, needed for ptr_fixup */
+ d->rr_len = (size_t*)((uint8_t*)d +
+ sizeof(struct packed_rrset_data));
+ if(old->count != 0)
+ memmove(d->rr_len, old->rr_len, old->count*sizeof(size_t));
+ if(old->rrsig_count != 0)
+ memmove(d->rr_len+d->count, old->rr_len+old->count,
+ old->rrsig_count*sizeof(size_t));
+ if(!insert_sig)
+ d->rr_len[d->count-1] = rdatalen;
+ else d->rr_len[total-1] = rdatalen;
+ packed_rrset_ptr_fixup(d);
+ if(rr_ttl < d->ttl)
+ d->ttl = rr_ttl;
+
+ /* copy old values into new array */
+ if(old->count != 0) {
+ memmove(d->rr_ttl, old->rr_ttl, old->count*sizeof(time_t));
+ /* all the old rr pieces are allocated sequential, so we
+ * can copy them in one go */
+ memmove(d->rr_data[0], old->rr_data[0],
+ (old->rr_data[old->count-1] - old->rr_data[0]) +
+ old->rr_len[old->count-1]);
+ }
+ if(old->rrsig_count != 0) {
+ memmove(d->rr_ttl+d->count, old->rr_ttl+old->count,
+ old->rrsig_count*sizeof(time_t));
+ memmove(d->rr_data[d->count], old->rr_data[old->count],
+ (old->rr_data[old_total-1] - old->rr_data[old->count]) +
+ old->rr_len[old_total-1]);
+ }
+
+ /* insert new value */
+ if(!insert_sig) {
+ d->rr_ttl[d->count-1] = rr_ttl;
+ memmove(d->rr_data[d->count-1], rdata, rdatalen);
+ } else {
+ d->rr_ttl[total-1] = rr_ttl;
+ memmove(d->rr_data[total-1], rdata, rdatalen);
+ }
+
+ rrset->data = d;
+ free(old);
+ return 1;
+}
+
+/** Create new rrset for node with packed rrset with one RR element */
+static struct auth_rrset*
+rrset_create(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl,
+ uint8_t* rdata, size_t rdatalen)
+{
+ struct auth_rrset* rrset = (struct auth_rrset*)calloc(1,
+ sizeof(*rrset));
+ struct auth_rrset* p, *prev;
+ struct packed_rrset_data* d;
+ if(!rrset) {
+ log_err("out of memory");
+ return NULL;
+ }
+ rrset->type = rr_type;
+
+ /* the rrset data structure, with one RR */
+ d = (struct packed_rrset_data*)calloc(1,
+ sizeof(struct packed_rrset_data) + sizeof(size_t) +
+ sizeof(uint8_t*) + sizeof(time_t) + rdatalen);
+ if(!d) {
+ free(rrset);
+ log_err("out of memory");
+ return NULL;
+ }
+ rrset->data = d;
+ d->ttl = rr_ttl;
+ d->trust = rrset_trust_prim_noglue;
+ d->rr_len = (size_t*)((uint8_t*)d + sizeof(struct packed_rrset_data));
+ d->rr_data = (uint8_t**)&(d->rr_len[1]);
+ d->rr_ttl = (time_t*)&(d->rr_data[1]);
+ d->rr_data[0] = (uint8_t*)&(d->rr_ttl[1]);
+
+ /* insert the RR */
+ d->rr_len[0] = rdatalen;
+ d->rr_ttl[0] = rr_ttl;
+ memmove(d->rr_data[0], rdata, rdatalen);
+ d->count++;
+
+ /* insert rrset into linked list for domain */
+ /* find sorted place to link the rrset into the list */
+ prev = NULL;
+ p = node->rrsets;
+ while(p && p->type<=rr_type) {
+ prev = p;
+ p = p->next;
+ }
+ /* so, prev is smaller, and p is larger than rr_type */
+ rrset->next = p;
+ if(prev) prev->next = rrset;
+ else node->rrsets = rrset;
+ return rrset;
+}
+
+/** count number (and size) of rrsigs that cover a type */
+static size_t
+rrsig_num_that_cover(struct auth_rrset* rrsig, uint16_t rr_type, size_t* sigsz)
+{
+ struct packed_rrset_data* d = rrsig->data;
+ size_t i, num = 0;
+ *sigsz = 0;
+ log_assert(d && rrsig->type == LDNS_RR_TYPE_RRSIG);
+ for(i=0; i<d->count+d->rrsig_count; i++) {
+ if(rrsig_rdata_get_type_covered(d->rr_data[i],
+ d->rr_len[i]) == rr_type) {
+ num++;
+ (*sigsz) += d->rr_len[i];
+ }
+ }
+ return num;
+}
+
+/** See if rrsig set has covered sigs for rrset and move them over */
+static int
+rrset_moveover_rrsigs(struct auth_data* node, uint16_t rr_type,
+ struct auth_rrset* rrset, struct auth_rrset* rrsig)
+{
+ size_t sigs, sigsz, i, j, total;
+ struct packed_rrset_data* sigold = rrsig->data;
+ struct packed_rrset_data* old = rrset->data;
+ struct packed_rrset_data* d, *sigd;
+
+ log_assert(rrset->type == rr_type);
+ log_assert(rrsig->type == LDNS_RR_TYPE_RRSIG);
+ sigs = rrsig_num_that_cover(rrsig, rr_type, &sigsz);
+ if(sigs == 0) {
+ /* 0 rrsigs to move over, done */
+ return 1;
+ }
+ log_info("moveover %d sigs size %d", (int)sigs, (int)sigsz);
+
+ /* allocate rrset sigsz larger for extra sigs elements, and
+ * allocate rrsig sigsz smaller for less sigs elements. */
+ d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old)
+ + sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t))
+ + sigsz);
+ if(!d) {
+ log_err("out of memory");
+ return 0;
+ }
+ /* copy base values */
+ total = old->count + old->rrsig_count;
+ memcpy(d, old, sizeof(struct packed_rrset_data));
+ d->rrsig_count += sigs;
+ /* setup rr_len */
+ d->rr_len = (size_t*)((uint8_t*)d +
+ sizeof(struct packed_rrset_data));
+ if(total != 0)
+ memmove(d->rr_len, old->rr_len, total*sizeof(size_t));
+ j = d->count+d->rrsig_count-sigs;
+ for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
+ if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
+ sigold->rr_len[i]) == rr_type) {
+ d->rr_len[j] = sigold->rr_len[i];
+ j++;
+ }
+ }
+ packed_rrset_ptr_fixup(d);
+
+ /* copy old values into new array */
+ if(total != 0) {
+ memmove(d->rr_ttl, old->rr_ttl, total*sizeof(time_t));
+ /* all the old rr pieces are allocated sequential, so we
+ * can copy them in one go */
+ memmove(d->rr_data[0], old->rr_data[0],
+ (old->rr_data[total-1] - old->rr_data[0]) +
+ old->rr_len[total-1]);
+ }
+
+ /* move over the rrsigs to the larger rrset*/
+ j = d->count+d->rrsig_count-sigs;
+ for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
+ if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
+ sigold->rr_len[i]) == rr_type) {
+ /* move this one over to location j */
+ d->rr_ttl[j] = sigold->rr_ttl[i];
+ memmove(d->rr_data[j], sigold->rr_data[i],
+ sigold->rr_len[i]);
+ if(d->rr_ttl[j] < d->ttl)
+ d->ttl = d->rr_ttl[j];
+ j++;
+ }
+ }
+
+ /* put it in and deallocate the old rrset */
+ rrset->data = d;
+ free(old);
+
+ /* now make rrsig set smaller */
+ if(sigold->count+sigold->rrsig_count == sigs) {
+ /* remove all sigs from rrsig, remove it entirely */
+ domain_remove_rrset(node, LDNS_RR_TYPE_RRSIG);
+ return 1;
+ }
+ log_assert(packed_rrset_sizeof(sigold) > sigs*(sizeof(size_t) +
+ sizeof(uint8_t*) + sizeof(time_t)) + sigsz);
+ sigd = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(sigold)
+ - sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t))
+ - sigsz);
+ if(!sigd) {
+ /* no need to free up d, it has already been placed in the
+ * node->rrset structure */
+ log_err("out of memory");
+ return 0;
+ }
+ /* copy base values */
+ memcpy(sigd, sigold, sizeof(struct packed_rrset_data));
+ sigd->rrsig_count -= sigs;
+ /* setup rr_len */
+ sigd->rr_len = (size_t*)((uint8_t*)sigd +
+ sizeof(struct packed_rrset_data));
+ j = 0;
+ for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
+ if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
+ sigold->rr_len[i]) != rr_type) {
+ sigd->rr_len[j] = sigold->rr_len[i];
+ j++;
+ }
+ }
+ packed_rrset_ptr_fixup(sigd);
+
+ /* copy old values into new rrsig array */
+ j = 0;
+ for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
+ if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
+ sigold->rr_len[i]) != rr_type) {
+ /* move this one over to location j */
+ sigd->rr_ttl[j] = sigold->rr_ttl[i];
+ memmove(sigd->rr_data[j], sigold->rr_data[i],
+ sigold->rr_len[i]);
+ if(j==0) sigd->ttl = sigd->rr_ttl[j];
+ else {
+ if(sigd->rr_ttl[j] < sigd->ttl)
+ sigd->ttl = sigd->rr_ttl[j];
+ }
+ j++;
+ }
+ }
+
+ /* put it in and deallocate the old rrset */
+ rrsig->data = sigd;
+ free(sigold);
+
+ return 1;
+}
+
+/** Add rr to node, ignores duplicate RRs,
+ * rdata points to buffer with rdatalen octets, starts with 2bytelength. */
+static int
+az_domain_add_rr(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl,
+ uint8_t* rdata, size_t rdatalen)
+{
+ struct auth_rrset* rrset;
+ /* packed rrsets have their rrsigs along with them, sort them out */
+ if(rr_type == LDNS_RR_TYPE_RRSIG) {
+ uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen);
+ if((rrset=az_domain_rrset(node, ctype))!= NULL) {
+ /* a node of the correct type exists, add the RRSIG
+ * to the rrset of the covered data type */
+ if(rdata_duplicate(rrset->data, rdata, rdatalen))
+ return 1;
+ if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 1))
+ return 0;
+ } else if((rrset=az_domain_rrset(node, rr_type))!= NULL) {
+ /* add RRSIG to rrset of type RRSIG */
+ if(rdata_duplicate(rrset->data, rdata, rdatalen))
+ return 1;
+ if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0))
+ return 0;
+ } else {
+ /* create rrset of type RRSIG */
+ if(!rrset_create(node, rr_type, rr_ttl, rdata,
+ rdatalen))
+ return 0;
+ }
+ } else {
+ /* normal RR type */
+ if((rrset=az_domain_rrset(node, rr_type))!= NULL) {
+ /* add data to existing node with data type */
+ if(rdata_duplicate(rrset->data, rdata, rdatalen))
+ return 1;
+ if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0))
+ return 0;
+ } else {
+ struct auth_rrset* rrsig;
+ /* create new node with data type */
+ if(!(rrset=rrset_create(node, rr_type, rr_ttl, rdata,
+ rdatalen)))
+ return 0;
+
+ /* see if node of type RRSIG has signatures that
+ * cover the data type, and move them over */
+ /* and then make the RRSIG type smaller */
+ if((rrsig=az_domain_rrset(node, LDNS_RR_TYPE_RRSIG))
+ != NULL) {
+ if(!rrset_moveover_rrsigs(node, rr_type,
+ rrset, rrsig))
+ return 0;
+ }
+ }
+ }
+ return 1;
+}
+
+/** insert RR into zone, ignore duplicates */
+static int
+az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len,
+ size_t dname_len)
+{
+ struct auth_data* node;
+ uint8_t* dname = rr;
+ uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len);
+ uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len);
+ uint32_t rr_ttl = sldns_wirerr_get_ttl(rr, rr_len, dname_len);
+ size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len,
+ dname_len))+2;
+ /* rdata points to rdata prefixed with uint16 rdatalength */
+ uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len);
+
+ if(rr_class != z->dclass) {
+ log_err("wrong class for RR");
+ return 0;
+ }
+ if(!(node=az_domain_find_or_create(z, dname, dname_len))) {
+ log_err("cannot create domain");
+ return 0;
+ }
+ if(!az_domain_add_rr(node, rr_type, rr_ttl, rdata, rdatalen)) {
+ log_err("cannot add RR to domain");
+ return 0;
+ }
+ return 1;
+}
+
+/**
+ * Parse zonefile
+ * @param z: zone to read in.
+ * @param in: file to read from (just opened).
+ * @param rr: buffer to use for RRs, 64k.
+ * passed so that recursive includes can use the same buffer and do
+ * not grow the stack too much.
+ * @param rrbuflen: sizeof rr buffer.
+ * @param state: parse state with $ORIGIN, $TTL and 'prev-dname' and so on,
+ * that is kept between includes.
+ * The lineno is set at 1 and then increased by the function.
+ * returns false on failure, has printed an error message
+ */
+static int
+az_parse_file(struct auth_zone* z, FILE* in, uint8_t* rr, size_t rrbuflen,
+ struct sldns_file_parse_state* state)
+{
+ size_t rr_len, dname_len;
+ int status;
+ state->lineno = 1;
+
+ while(!feof(in)) {
+ rr_len = rrbuflen;
+ dname_len = 0;
+ status = sldns_fp2wire_rr_buf(in, rr, &rr_len, &dname_len,
+ state);
+ if(status == LDNS_WIREPARSE_ERR_INCLUDE && rr_len == 0) {
+ /* we have $INCLUDE or $something */
+ if(strncmp((char*)rr, "$INCLUDE ", 9) == 0 ||
+ strncmp((char*)rr, "$INCLUDE\t", 9) == 0) {
+ FILE* inc;
+ int lineno_orig = state->lineno;
+ char* incfile = (char*)rr + 8;
+ /* skip spaces */
+ while(*incfile == ' ' || *incfile == '\t')
+ incfile++;
+ verbose(VERB_ALGO, "opening $INCLUDE %s",
+ incfile);
+ inc = fopen(incfile, "r");
+ if(!inc) {
+ log_err("%s:%d cannot open include "
+ "file %s: %s", z->zonefile,
+ lineno_orig, incfile,
+ strerror(errno));
+ return 0;
+ }
+ /* recurse read that file now */
+ if(!az_parse_file(z, inc, rr, rrbuflen,
+ state)) {
+ log_err("%s:%d cannot parse include "
+ "file %s", z->zonefile,
+ lineno_orig, incfile);
+ fclose(inc);
+ return 0;
+ }
+ fclose(inc);
+ verbose(VERB_ALGO, "done with $INCLUDE %s",
+ incfile);
+ state->lineno = lineno_orig;
+ }
+ continue;
+ }
+ if(status != 0) {
+ log_err("parse error %s %d:%d: %s", z->zonefile,
+ state->lineno, LDNS_WIREPARSE_OFFSET(status),
+ sldns_get_errorstr_parse(status));
+ return 0;
+ }
+ if(rr_len == 0) {
+ /* EMPTY line, TTL or ORIGIN */
+ continue;
+ }
+ /* insert wirerr in rrbuf */
+ if(!az_insert_rr(z, rr, rr_len, dname_len)) {
+ char buf[17];
+ sldns_wire2str_type_buf(sldns_wirerr_get_type(rr,
+ rr_len, dname_len), buf, sizeof(buf));
+ log_err("%s:%d cannot insert RR of type %s",
+ z->zonefile, state->lineno, buf);
+ return 0;
+ }
+ }
+ return 1;
+}
+
+int
+auth_zone_read_zonefile(struct auth_zone* z)
+{
+ uint8_t rr[LDNS_RR_BUF_SIZE];
+ struct sldns_file_parse_state state;
+ FILE* in;
+ if(!z || !z->zonefile || z->zonefile[0]==0)
+ return 1; /* no file, or "", nothing to read */
+ verbose(VERB_ALGO, "read zonefile %s", z->zonefile);
+ in = fopen(z->zonefile, "r");
+ if(!in) {
+ char* n = sldns_wire2str_dname(z->name, z->namelen);
+ log_err("cannot open zonefile %s for %s: %s",
+ z->zonefile, n?n:"error", strerror(errno));
+ free(n);
+ return 0;
+ }
+ memset(&state, 0, sizeof(state));
+ /* default TTL to 3600 */
+ state.default_ttl = 3600;
+ /* set $ORIGIN to the zone name */
+ if(z->namelen <= sizeof(state.origin)) {
+ memcpy(state.origin, z->name, z->namelen);
+ state.origin_len = z->namelen;
+ }
+ /* parse the (toplevel) file */
+ if(!az_parse_file(z, in, rr, sizeof(rr), &state)) {
+ char* n = sldns_wire2str_dname(z->name, z->namelen);
+ log_err("error parsing zonefile %s for %s",
+ z->zonefile, n?n:"error");
+ free(n);
+ fclose(in);
+ return 0;
+ }
+ fclose(in);
+ return 1;
+}
+
+/** write buffer to file and check return codes */
+static int
+write_out(FILE* out, const char* str)
+{
+ size_t r, len = strlen(str);
+ if(len == 0)
+ return 1;
+ r = fwrite(str, 1, len, out);
+ if(r == 0) {
+ log_err("write failed: %s", strerror(errno));
+ return 0;
+ } else if(r < len) {
+ log_err("write failed: too short (disk full?)");
+ return 0;
+ }
+ return 1;
+}
+
+/** write rrset to file */
+static int
+auth_zone_write_rrset(struct auth_zone* z, struct auth_data* node,
+ struct auth_rrset* r, FILE* out)
+{
+ size_t i, count = r->data->count + r->data->rrsig_count;
+ char buf[LDNS_RR_BUF_SIZE];
+ for(i=0; i<count; i++) {
+ struct ub_packed_rrset_key key;
+ memset(&key, 0, sizeof(key));
+ key.entry.key = &key;
+ key.entry.data = r->data;
+ key.rk.dname = node->name;
+ key.rk.dname_len = node->namelen;
+ key.rk.type = htons(r->type);
+ key.rk.rrset_class = htons(z->dclass);
+ if(!packed_rr_to_string(&key, i, 0, buf, sizeof(buf))) {
+ verbose(VERB_ALGO, "failed to rr2str rr %d", (int)i);
+ continue;
+ }
+ if(!write_out(out, buf))
+ return 0;
+ }
+ return 1;
+}
+
+/** write domain to file */
+static int
+auth_zone_write_domain(struct auth_zone* z, struct auth_data* n, FILE* out)
+{
+ struct auth_rrset* r;
+ /* if this is zone apex, write SOA first */
+ if(z->namelen == n->namelen) {
+ struct auth_rrset* soa = az_domain_rrset(n, LDNS_RR_TYPE_SOA);
+ if(soa) {
+ if(!auth_zone_write_rrset(z, n, soa, out))
+ return 0;
+ }
+ }
+ /* write all the RRsets for this domain */
+ for(r = n->rrsets; r; r = r->next) {
+ if(z->namelen == n->namelen &&
+ r->type == LDNS_RR_TYPE_SOA)
+ continue; /* skip SOA here */
+ if(!auth_zone_write_rrset(z, n, r, out))
+ return 0;
+ }
+ return 1;
+}
+
+int auth_zone_write_file(struct auth_zone* z, const char* fname)
+{
+ FILE* out;
+ struct auth_data* n;
+ out = fopen(fname, "w");
+ if(!out) {
+ log_err("could not open %s: %s", fname, strerror(errno));
+ return 0;
+ }
+ RBTREE_FOR(n, struct auth_data*, &z->data) {
+ if(!auth_zone_write_domain(z, n, out)) {
+ log_err("could not write domain to %s", fname);
+ fclose(out);
+ return 0;
+ }
+ }
+ fclose(out);
+ return 1;
+}
+
+/** read all auth zones from file (if they have) */
+static int
+auth_zones_read_zones(struct auth_zones* az)
+{
+ struct auth_zone* z;
+ lock_rw_wrlock(&az->lock);
+ RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
+ lock_rw_wrlock(&z->lock);
+ if(!auth_zone_read_zonefile(z)) {
+ lock_rw_unlock(&z->lock);
+ lock_rw_unlock(&az->lock);
+ return 0;
+ }
+ lock_rw_unlock(&z->lock);
+ }
+ lock_rw_unlock(&az->lock);
+ return 1;
+}
+
+/** set str2list with (zonename, zonefile) config items and create zones */
+static int
+auth_zones_cfg_zonefile(struct auth_zones* az, struct config_str2list* zlist)
+{
+ struct auth_zone* z;
+ while(zlist) {
+ lock_rw_wrlock(&az->lock);
+ if(!(z=auth_zones_find_or_add_zone(az, zlist->str))) {
+ lock_rw_unlock(&az->lock);
+ return 0;
+ }
+ lock_rw_unlock(&az->lock);
+ if(!auth_zone_set_zonefile(z, zlist->str2)) {
+ lock_rw_unlock(&z->lock);
+ return 0;
+ }
+ lock_rw_unlock(&z->lock);
+ zlist = zlist->next;
+ }
+ return 1;
+}
+
+/** set str2list with (zonename, fallback) config items and create zones */
+static int
+auth_zones_cfg_fallback(struct auth_zones* az, struct config_str2list* zlist)
+{
+ struct auth_zone* z;
+ while(zlist) {
+ lock_rw_wrlock(&az->lock);
+ if(!(z=auth_zones_find_or_add_zone(az, zlist->str))) {
+ lock_rw_unlock(&az->lock);
+ return 0;
+ }
+ lock_rw_unlock(&az->lock);
+ if(!auth_zone_set_fallback(z, zlist->str2)) {
+ lock_rw_unlock(&z->lock);
+ return 0;
+ }
+ lock_rw_unlock(&z->lock);
+ zlist = zlist->next;
+ }
+ return 1;
+}
+
+int auth_zones_apply_config(struct auth_zones* az, struct config_file* cfg)
+{
+ (void)cfg;
+ /* TODO cfg str2lists */
+ /* create config items for
+ * auth-zone: name: "example.com"
+ * zonefile: "zones/example.com"
+ * fallback: yes
+ */
+ if(!auth_zones_cfg_zonefile(az, NULL /*cfg->auth_zones*/))
+ return 0;
+ if(!auth_zones_cfg_fallback(az, NULL /*cfg->auth_zones*/))
+ return 0;
+ if(!auth_zones_read_zones(az))
+ return 0;
+ return 1;
+}
+
+/** helper traverse to delete zones */
+static void
+auth_zone_del(rbnode_type* n, void* ATTR_UNUSED(arg))
+{
+ struct auth_zone* z = (struct auth_zone*)n->key;
+ auth_zone_delete(z);
+}
+
+void auth_zones_delete(struct auth_zones* az)
+{
+ if(!az) return;
+ lock_rw_destroy(&az->lock);
+ traverse_postorder(&az->ztree, auth_zone_del, NULL);
+ free(az);
+}
+
+/** true if domain has only nsec3 */
+static int
+domain_has_only_nsec3(struct auth_data* n)
+{
+ struct auth_rrset* rrset = n->rrsets;
+ int nsec3_seen = 0;
+ while(rrset) {
+ if(rrset->type == LDNS_RR_TYPE_NSEC3) {
+ nsec3_seen = 1;
+ } else if(rrset->type != LDNS_RR_TYPE_RRSIG) {
+ return 0;
+ }
+ rrset = rrset->next;
+ }
+ return nsec3_seen;
+}
+
+/** see if the domain has a wildcard child '*.domain' */
+static struct auth_data*
+az_find_wildcard_domain(struct auth_zone* z, uint8_t* nm, size_t nmlen)
+{
+ uint8_t wc[LDNS_MAX_DOMAINLEN];
+ if(nmlen+2 > sizeof(wc))
+ return NULL; /* result would be too long */
+ wc[0] = 1; /* length of wildcard label */
+ wc[1] = (uint8_t)'*'; /* wildcard label */
+ memmove(wc+2, nm, nmlen);
+ return az_find_name(z, wc, nmlen+2);
+}
+
+/** find wildcard between qname and cename */
+static struct auth_data*
+az_find_wildcard(struct auth_zone* z, struct query_info* qinfo,
+ struct auth_data* ce)
+{
+ uint8_t* nm = qinfo->qname;
+ size_t nmlen = qinfo->qname_len;
+ struct auth_data* node;
+ if(!dname_subdomain_c(nm, z->name))
+ return NULL; /* out of zone */
+ while((node=az_find_wildcard_domain(z, nm, nmlen))==NULL) {
+ /* see if we can go up to find the wildcard */
+ if(nmlen == z->namelen)
+ return NULL; /* top of zone reached */
+ if(ce && nmlen == ce->namelen)
+ return NULL; /* ce reached */
+ if(dname_is_root(nm))
+ return NULL; /* cannot go up */
+ dname_remove_label(&nm, &nmlen);
+ }
+ return node;
+}
+
+/** domain is not exact, find first candidate ce (name that matches
+ * a part of qname) in tree */
+static struct auth_data*
+az_find_candidate_ce(struct auth_zone* z, struct query_info* qinfo,
+ struct auth_data* n)
+{
+ uint8_t* nm;
+ size_t nmlen;
+ if(n) {
+ nm = dname_get_shared_topdomain(qinfo->qname, n->name);
+ } else {
+ nm = qinfo->qname;
+ }
+ dname_count_size_labels(nm, &nmlen);
+ n = az_find_name(z, nm, nmlen);
+ /* delete labels and go up on name */
+ while(!n) {
+ if(dname_is_root(nm))
+ return NULL; /* cannot go up */
+ dname_remove_label(&nm, &nmlen);
+ n = az_find_name(z, nm, nmlen);
+ }
+ return n;
+}
+
+/** go up the auth tree to next existing name. */
+static struct auth_data*
+az_domain_go_up(struct auth_zone* z, struct auth_data* n)
+{
+ uint8_t* nm = n->name;
+ size_t nmlen = n->namelen;
+ while(!dname_is_root(nm)) {
+ dname_remove_label(&nm, &nmlen);
+ if((n=az_find_name(z, nm, nmlen)) != NULL)
+ return n;
+ }
+ return NULL;
+}
+
+/** Find the closest encloser, an name that exists and is above the
+ * qname.
+ * return true if the node (param node) is existing, nonobscured and
+ * can be used to generate answers from. It is then also node_exact.
+ * returns false if the node is not good enough (or it wasn't node_exact)
+ * in this case the ce can be filled.
+ * if ce is NULL, no ce exists, and likely the zone is completely empty,
+ * not even with a zone apex.
+ * if ce is nonNULL it is the closest enclosing upper name (that exists
+ * itself for answer purposes). That name may have DNAME, NS or wildcard
+ * rrset is the closest DNAME or NS rrset that was found.
+ */
+static int
+az_find_ce(struct auth_zone* z, struct query_info* qinfo,
+ struct auth_data* node, int node_exact, struct auth_data** ce,
+ struct auth_rrset** rrset)
+{
+ struct auth_data* n = node;
+ *ce = NULL;
+ *rrset = NULL;
+ if(!node_exact) {
+ /* if not exact, lookup closest exact match */
+ n = az_find_candidate_ce(z, qinfo, n);
+ } else {
+ /* if exact, the node itself is the first candidate ce */
+ *ce = n;
+ }
+
+ /* no direct answer from nsec3-only domains */
+ if(n && domain_has_only_nsec3(n)) {
+ node_exact = 0;
+ *ce = NULL;
+ }
+
+ /* with exact matches, walk up the labels until we find the
+ * delegation, or DNAME or zone end */
+ while(n) {
+ /* see if the current candidate has issues */
+ /* not zone apex and has type NS */
+ if(n->namelen != z->namelen &&
+ (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_NS)) &&
+ /* delegate here, but DS at exact the dp has notype */
+ (qinfo->qtype != LDNS_RR_TYPE_DS ||
+ n->namelen != qinfo->qname_len)) {
+ /* referral */
+ /* this is ce and the lowernode is nonexisting */
+ *ce = n;
+ return 0;
+ }
+ /* not equal to qname and has type DNAME */
+ if(n->namelen != qinfo->qname_len &&
+ (*rrset=az_domain_rrset(n, LDNS_RR_TYPE_DNAME))) {
+ /* this is ce and the lowernode is nonexisting */
+ *ce = n;
+ return 0;
+ }
+
+ if(*ce == NULL && !domain_has_only_nsec3(n)) {
+ /* if not found yet, this exact name must be
+ * our lowest match (but not nsec3onlydomain) */
+ *ce = n;
+ }
+
+ /* walk up the tree by removing labels from name and lookup */
+ n = az_domain_go_up(z, n);
+ }
+ /* found no problems, if it was an exact node, it is fine to use */
+ return node_exact;
+}
+
+/** add additional A/AAAA from domain names in rrset rdata (+offset)
+ * offset is number of bytes in rdata where the dname is located. */
+static int
+az_add_additionals_from(struct auth_zone* z, struct regional* region,
+ struct dns_msg* msg, struct auth_rrset* rrset, size_t offset)
+{
+ struct packed_rrset_data* d = rrset->data;
+ size_t i;
+ if(!d) return 0;
+ for(i=0; i<d->count; i++) {
+ size_t dlen;
+ struct auth_data* domain;
+ struct auth_rrset* ref;
+ if(d->rr_len[i] < 2+offset)
+ continue; /* too short */
+ if(!(dlen = dname_valid(d->rr_data[i]+2+offset,
+ d->rr_len[i]-2-offset)))
+ continue; /* malformed */
+ domain = az_find_name(z, d->rr_data[i]+2+offset, dlen);
+ if(!domain)
+ continue;
+ if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_A)) != NULL) {
+ if(!msg_add_rrset_ar(z, region, msg, domain, ref))
+ return 0;
+ }
+ if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_AAAA)) != NULL) {
+ if(!msg_add_rrset_ar(z, region, msg, domain, ref))
+ return 0;
+ }
+ }
+ return 1;
+}
+
+/** add negative SOA record (with negative TTL) */
+static int
+az_add_negative_soa(struct auth_zone* z, struct regional* region,
+ struct dns_msg* msg)
+{
+ uint32_t minimum;
+ struct packed_rrset_data* d;
+ struct auth_rrset* soa;
+ struct auth_data* apex = az_find_name(z, z->name, z->namelen);
+ if(!apex) return 0;
+ soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA);
+ if(!soa) return 0;
+ /* must be first to put in message; we want to fix the TTL with
+ * one RRset here, otherwise we'd need to loop over the RRs to get
+ * the resulting lower TTL */
+ log_assert(msg->rep->rrset_count == 0);
+ if(!msg_add_rrset_ns(z, region, msg, apex, soa)) return 0;
+ /* fixup TTL */
+ d = (struct packed_rrset_data*)msg->rep->rrsets[msg->rep->rrset_count-1]->entry.data;
+ /* last 4 bytes are minimum ttl in network format */
+ if(d->count == 0) return 0;
+ if(d->rr_len[0] < 2+4) return 0;
+ minimum = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-4));
+ d->ttl = (time_t)minimum;
+ d->rr_ttl[0] = (time_t)minimum;
+ msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]);
+ msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
+ return 1;
+}
+
+/** See if the query goes to empty nonterminal (that has no auth_data,
+ * but there are nodes underneath. We already checked that there are
+ * not NS, or DNAME above, so that we only need to check if some node
+ * exists below (with nonempty rr list), return true if emptynonterminal */
+static int
+az_empty_nonterminal(struct auth_zone* z, struct query_info* qinfo,
+ struct auth_data* node)
+{
+ struct auth_data* next;
+ if(!node) {
+ /* no smaller was found, use first (smallest) node as the
+ * next one */
+ next = (struct auth_data*)rbtree_first(&z->data);
+ } else {
+ next = (struct auth_data*)rbtree_next(&node->node);
+ }
+ while(next && (rbnode_type*)next != RBTREE_NULL && next->rrsets == NULL) {
+ /* the next name has empty rrsets, is an empty nonterminal
+ * itself, see if there exists something below it */
+ next = (struct auth_data*)rbtree_next(&node->node);
+ }
+ if((rbnode_type*)next == RBTREE_NULL || !next) {
+ /* there is no next node, so something below it cannot
+ * exist */
+ return 0;
+ }
+ /* a next node exists, if there was something below the query,
+ * this node has to be it. See if it is below the query name */
+ if(dname_strict_subdomain_c(next->name, qinfo->qname))
+ return 1;
+ return 0;
+}
+
+/** create synth cname target name in buffer, or fail if too long */
+static size_t
+synth_cname_buf(uint8_t* qname, size_t qname_len, size_t dname_len,
+ uint8_t* dtarg, size_t dtarglen, uint8_t* buf, size_t buflen)
+{
+ size_t newlen = qname_len + dtarglen - dname_len;
+ if(newlen > buflen) {
+ /* YXDOMAIN error */
+ return 0;
+ }
+ /* new name is concatenation of qname front (without DNAME owner)
+ * and DNAME target name */
+ memcpy(buf, qname, qname_len-dname_len);
+ memmove(buf+(qname_len-dname_len), dtarg, dtarglen);
+ return newlen;
+}
+
+/** create synthetic CNAME rrset for in a DNAME answer in region,
+ * false on alloc failure, cname==NULL when name too long. */
+static int
+create_synth_cname(uint8_t* qname, size_t qname_len, struct regional* region,
+ struct auth_data* node, struct auth_rrset* dname, uint16_t dclass,
+ struct ub_packed_rrset_key** cname)
+{
+ uint8_t buf[LDNS_MAX_DOMAINLEN];
+ uint8_t* dtarg;
+ size_t dtarglen, newlen;
+ struct packed_rrset_data* d;
+
+ /* get DNAME target name */
+ if(dname->data->count < 1) return 0;
+ if(dname->data->rr_len[0] < 3) return 0; /* at least rdatalen +1 */
+ dtarg = dname->data->rr_data[0]+2;
+ dtarglen = dname->data->rr_len[0]-2;
+ if(sldns_read_uint16(dname->data->rr_data[0]) != dtarglen)
+ return 0; /* rdatalen in DNAME rdata is malformed */
+ if(dname_valid(dtarg, dtarglen) != dtarglen)
+ return 0; /* DNAME RR has malformed rdata */
+
+ /* synthesize a CNAME */
+ newlen = synth_cname_buf(qname, qname_len, node->namelen,
+ dtarg, dtarglen, buf, sizeof(buf));
+ if(newlen == 0) {
+ /* YXDOMAIN error */
+ *cname = NULL;
+ return 1;
+ }
+ *cname = (struct ub_packed_rrset_key*)regional_alloc(region,
+ sizeof(struct ub_packed_rrset_key));
+ if(!*cname)
+ return 0; /* out of memory */
+ memset(&(*cname)->entry, 0, sizeof((*cname)->entry));
+ (*cname)->entry.key = (*cname);
+ (*cname)->rk.type = htons(LDNS_RR_TYPE_CNAME);
+ (*cname)->rk.rrset_class = htons(dclass);
+ (*cname)->rk.flags = 0;
+ (*cname)->rk.dname = regional_alloc_init(region, qname, qname_len);
+ if(!(*cname)->rk.dname)
+ return 0; /* out of memory */
+ (*cname)->rk.dname_len = qname_len;
+ (*cname)->entry.hash = rrset_key_hash(&(*cname)->rk);
+ d = (struct packed_rrset_data*)regional_alloc_zero(region,
+ sizeof(struct packed_rrset_data) + sizeof(size_t) +
+ sizeof(uint8_t*) + sizeof(time_t) + sizeof(uint16_t)
+ + newlen);
+ if(!d)
+ return 0; /* out of memory */
+ (*cname)->entry.data = d;
+ d->ttl = 0; /* 0 for synthesized CNAME TTL */
+ d->count = 1;
+ d->rrsig_count = 0;
+ d->trust = rrset_trust_ans_noAA;
+ d->rr_len = (size_t*)((uint8_t*)d +
+ sizeof(struct packed_rrset_data));
+ d->rr_len[0] = newlen + sizeof(uint16_t);
+ packed_rrset_ptr_fixup(d);
+ d->rr_ttl[0] = d->ttl;
+ sldns_write_uint16(d->rr_data[0], newlen);
+ memmove(d->rr_data[0] + sizeof(uint16_t), buf, newlen);
+ return 1;
+}
+
+/** add a synthesized CNAME to the answer section */
+static int
+add_synth_cname(struct auth_zone* z, uint8_t* qname, size_t qname_len,
+ struct regional* region, struct dns_msg* msg, struct auth_data* dname,
+ struct auth_rrset* rrset)
+{
+ struct ub_packed_rrset_key* cname;
+ /* synthesize a CNAME */
+ if(!create_synth_cname(qname, qname_len, region, dname, rrset,
+ z->dclass, &cname)) {
+ /* out of memory */
+ return 0;
+ }
+ if(!cname) {
+ /* cname cannot be create because of YXDOMAIN */
+ msg->rep->flags |= LDNS_RCODE_YXDOMAIN;
+ return 1;
+ }
+ /* add cname to message */
+ if(!msg_grow_array(region, msg))
+ return 0;
+ msg->rep->rrsets[msg->rep->rrset_count] = cname;
+ msg->rep->rrset_count++;
+ msg->rep->an_numrrsets++;
+ msg_ttl(msg);
+ return 1;
+}
+
+/** Change a dname to a different one, for wildcard namechange */
+static void
+az_change_dnames(struct dns_msg* msg, uint8_t* oldname, uint8_t* newname,
+ size_t newlen, int an_only)
+{
+ size_t i;
+ size_t start = 0, end = msg->rep->rrset_count;
+ if(!an_only) start = msg->rep->an_numrrsets;
+ if(an_only) end = msg->rep->an_numrrsets;
+ for(i=start; i<end; i++) {
+ /* allocated in region so we can change the ptrs */
+ if(query_dname_compare(msg->rep->rrsets[i]->rk.dname, oldname)
+ == 0) {
+ msg->rep->rrsets[i]->rk.dname = newname;
+ msg->rep->rrsets[i]->rk.dname_len = newlen;
+ }
+ }
+}
+
+/** find NSEC record covering the query */
+static struct auth_rrset*
+az_find_nsec_cover(struct auth_zone* z, struct auth_data** node)
+{
+ uint8_t* nm = (*node)->name;
+ size_t nmlen = (*node)->namelen;
+ struct auth_rrset* rrset;
+ /* find the NSEC for the smallest-or-equal node */
+ /* if node == NULL, we did not find a smaller name. But the zone
+ * name is the smallest name and should have an NSEC. So there is
+ * no NSEC to return (for a properly signed zone) */
+ /* for empty nonterminals, the auth-data node should not exist,
+ * and thus we don't need to go rbtree_previous here to find
+ * a domain with an NSEC record */
+ /* but there could be glue, and if this is node, then it has no NSEC.
+ * Go up to find nonglue (previous) NSEC-holding nodes */
+ while((rrset=az_domain_rrset(*node, LDNS_RR_TYPE_NSEC)) == NULL) {
+ if(dname_is_root(nm)) return NULL;
+ if(nmlen == z->namelen) return NULL;
+ dname_remove_label(&nm, &nmlen);
+ /* adjust *node for the nsec rrset to find in */
+ *node = az_find_name(z, nm, nmlen);
+ }
+ return rrset;
+}
+
+/** Find NSEC and add for wildcard denial */
+static int
+az_nsec_wildcard_denial(struct auth_zone* z, struct regional* region,
+ struct dns_msg* msg, uint8_t* cenm, size_t cenmlen)
+{
+ struct query_info qinfo;
+ int node_exact;
+ struct auth_data* node;
+ struct auth_rrset* nsec;
+ uint8_t wc[LDNS_MAX_DOMAINLEN];
+ if(cenmlen+2 > sizeof(wc))
+ return 0; /* result would be too long */
+ wc[0] = 1; /* length of wildcard label */
+ wc[1] = (uint8_t)'*'; /* wildcard label */
+ memmove(wc+2, cenm, cenmlen);
+
+ /* we have '*.ce' in wc wildcard name buffer */
+ /* get nsec cover for that */
+ qinfo.qname = wc;
+ qinfo.qname_len = cenmlen+2;
+ qinfo.qtype = 0;
+ qinfo.qclass = 0;
+ az_find_domain(z, &qinfo, &node_exact, &node);
+ if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
+ if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
+ }
+ return 1;
+}
+
+/** Find the NSEC3PARAM rrset (if any) and if true you have the parameters */
+static int
+az_nsec3_param(struct auth_zone* z, int* algo, size_t* iter, uint8_t** salt,
+ size_t* saltlen)
+{
+ struct auth_data* apex;
+ struct auth_rrset* param;
+ size_t i;
+ apex = az_find_name(z, z->name, z->namelen);
+ if(!apex) return 0;
+ param = az_domain_rrset(apex, LDNS_RR_TYPE_NSEC3PARAM);
+ if(!param || param->data->count==0)
+ return 0; /* no RRset or no RRs in rrset */
+ /* find out which NSEC3PARAM RR has supported parameters */
+ /* skip unknown flags (dynamic signer is recalculating nsec3 chain) */
+ for(i=0; i<param->data->count; i++) {
+ uint8_t* rdata = param->data->rr_data[i]+2;
+ size_t rdatalen = param->data->rr_len[i];
+ if(rdatalen < 2+5)
+ continue; /* too short */
+ if(!nsec3_hash_algo_size_supported((int)(rdata[0])))
+ continue; /* unsupported algo */
+ if(rdatalen < (size_t)(2+5+(size_t)rdata[4]))
+ continue; /* salt missing */
+ if((rdata[1]&NSEC3_UNKNOWN_FLAGS)!=0)
+ continue; /* unknown flags */
+ *algo = (int)(rdata[0]);
+ *iter = sldns_read_uint16(rdata+2);
+ *saltlen = rdata[4];
+ if(*saltlen == 0)
+ *salt = NULL;
+ else *salt = rdata+5;
+ return 1;
+ }
+ /* no supported params */
+ return 0;
+}
+
+/** Hash a name with nsec3param into buffer, it has zone name appended.
+ * return length of hash */
+static size_t
+az_nsec3_hash(uint8_t* buf, size_t buflen, uint8_t* nm, size_t nmlen,
+ int algo, size_t iter, uint8_t* salt, size_t saltlen)
+{
+ size_t hlen = nsec3_hash_algo_size_supported(algo);
+ /* buffer has domain name, nsec3hash, and 256 is for max saltlen
+ * (salt has 0-255 length) */
+ unsigned char p[LDNS_MAX_DOMAINLEN+1+N3HASHBUFLEN+256];
+ size_t i;
+ if(nmlen+saltlen > sizeof(p) || hlen+saltlen > sizeof(p))
+ return 0;
+ if(hlen > buflen)
+ return 0; /* somehow too large for destination buffer */
+ /* hashfunc(name, salt) */
+ memmove(p, nm, nmlen);
+ query_dname_tolower(p);
+ memmove(p+nmlen, salt, saltlen);
+ (void)secalgo_nsec3_hash(algo, p, nmlen+saltlen, (unsigned char*)buf);
+ for(i=0; i<iter; i++) {
+ /* hashfunc(hash, salt) */
+ memmove(p, buf, hlen);
+ memmove(p+hlen, salt, saltlen);
+ (void)secalgo_nsec3_hash(algo, p, hlen+saltlen,
+ (unsigned char*)buf);
+ }
+ return hlen;
+}
+
+/** Hash name and return b32encoded hashname for lookup, zone name appended */
+static int
+az_nsec3_hashname(struct auth_zone* z, uint8_t* hashname, size_t* hashnmlen,
+ uint8_t* nm, size_t nmlen, int algo, size_t iter, uint8_t* salt,
+ size_t saltlen)
+{
+ uint8_t hash[N3HASHBUFLEN];
+ size_t hlen;
+ int ret;
+ hlen = az_nsec3_hash(hash, sizeof(hash), nm, nmlen, algo, iter,
+ salt, saltlen);
+ if(!hlen) return 0;
+ /* b32 encode */
+ if(*hashnmlen < hlen*2+1+z->namelen) /* approx b32 as hexb16 */
+ return 0;
+ ret = sldns_b32_ntop_extended_hex(hash, hlen, (char*)(hashname+1),
+ (*hashnmlen)-1);
+ if(ret<1)
+ return 0;
+ hashname[0] = (uint8_t)ret;
+ ret++;
+ if((*hashnmlen) - ret < z->namelen)
+ return 0;
+ memmove(hashname+ret, z->name, z->namelen);
+ *hashnmlen = z->namelen+(size_t)ret;
+ return 1;
+}
+
+/** Find the datanode that covers the nsec3hash-name */
+struct auth_data*
+az_nsec3_findnode(struct auth_zone* z, uint8_t* hashnm, size_t hashnmlen)
+{
+ struct query_info qinfo;
+ struct auth_data* node;
+ int node_exact;
+ qinfo.qclass = 0;
+ qinfo.qtype = 0;
+ qinfo.qname = hashnm;
+ qinfo.qname_len = hashnmlen;
+ /* because canonical ordering and b32 nsec3 ordering are the same.
+ * this is a good lookup to find the nsec3 name. */
+ az_find_domain(z, &qinfo, &node_exact, &node);
+ /* but we may have to skip non-nsec3 nodes */
+ /* this may be a lot, the way to speed that up is to have a
+ * separate nsec3 tree with nsec3 nodes */
+ while(node && (rbnode_type*)node != RBTREE_NULL &&
+ !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) {
+ node = (struct auth_data*)rbtree_previous(&node->node);
+ }
+ if((rbnode_type*)node == RBTREE_NULL)
+ node = NULL;
+ return node;
+}
+
+/** Find cover for hashed(nm, nmlen) (or NULL) */
+static struct auth_data*
+az_nsec3_find_cover(struct auth_zone* z, uint8_t* nm, size_t nmlen,
+ int algo, size_t iter, uint8_t* salt, size_t saltlen)
+{
+ struct auth_data* node;
+ uint8_t hname[LDNS_MAX_DOMAINLEN];
+ size_t hlen = sizeof(hname);
+ if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter,
+ salt, saltlen))
+ return NULL;
+ node = az_nsec3_findnode(z, hname, hlen);
+ if(node)
+ return node;
+ /* we did not find any, perhaps because the NSEC3 hash is before
+ * the first hash, we have to find the 'last hash' in the zone */
+ node = (struct auth_data*)rbtree_last(&z->data);
+ while(node && (rbnode_type*)node != RBTREE_NULL &&
+ !az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) {
+ node = (struct auth_data*)rbtree_previous(&node->node);
+ }
+ if((rbnode_type*)node == RBTREE_NULL)
+ node = NULL;
+ return node;
+}
+
+/** Find exact match for hashed(nm, nmlen) NSEC3 record or NULL */
+static struct auth_data*
+az_nsec3_find_exact(struct auth_zone* z, uint8_t* nm, size_t nmlen,
+ int algo, size_t iter, uint8_t* salt, size_t saltlen)
+{
+ struct auth_data* node;
+ uint8_t hname[LDNS_MAX_DOMAINLEN];
+ size_t hlen = sizeof(hname);
+ if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter,
+ salt, saltlen))
+ return NULL;
+ node = az_find_name(z, hname, hlen);
+ if(az_domain_rrset(node, LDNS_RR_TYPE_NSEC3))
+ return node;
+ return NULL;
+}
+
+/** Return nextcloser name (as a ref into the qname). This is one label
+ * more than the cenm (cename must be a suffix of qname) */
+static void
+az_nsec3_get_nextcloser(uint8_t* cenm, uint8_t* qname, size_t qname_len,
+ uint8_t** nx, size_t* nxlen)
+{
+ int celabs = dname_count_labels(cenm);
+ int qlabs = dname_count_labels(qname);
+ int strip = qlabs - celabs -1;
+ log_assert(dname_strict_subdomain(qname, qlabs, cenm, celabs));
+ *nx = qname;
+ *nxlen = qname_len;
+ if(strip>0)
+ dname_remove_labels(nx, nxlen, strip);
+}
+
+/** Find the closest encloser that has exact NSEC3.
+ * updated cenm to the new name. If it went up no-exact-ce is true. */
+static struct auth_data*
+az_nsec3_find_ce(struct auth_zone* z, uint8_t** cenm, size_t* cenmlen,
+ int* no_exact_ce, int algo, size_t iter, uint8_t* salt, size_t saltlen)
+{
+ struct auth_data* node;
+ while((node = az_nsec3_find_exact(z, *cenm, *cenmlen,
+ algo, iter, salt, saltlen)) == NULL) {
+ if(*cenmlen == z->namelen) {
+ /* next step up would take us out of the zone. fail */
+ return NULL;
+ }
+ *no_exact_ce = 1;
+ dname_remove_label(cenm, cenmlen);
+ }
+ return node;
+}
+
+/* Insert NSEC3 record in authority section, if NULL does nothing */
+static int
+az_nsec3_insert(struct auth_zone* z, struct regional* region,
+ struct dns_msg* msg, struct auth_data* node)
+{
+ struct auth_rrset* nsec3;
+ if(!node) return 1; /* no node, skip this */
+ nsec3 = az_domain_rrset(node, LDNS_RR_TYPE_NSEC3);
+ if(!nsec3) return 1; /* if no nsec3 RR, skip it */
+ if(!msg_add_rrset_ns(z, region, msg, node, nsec3)) return 0;
+ return 1;
+}
+
+/** add NSEC3 records to the zone for the nsec3 proof.
+ * Specify with the flags with parts of the proof are required.
+ * the ce is the exact matching name (for notype) but also delegation points.
+ * qname is the one where the nextcloser name can be derived from.
+ * If NSEC3 is not properly there (in the zone) nothing is added.
+ * always enabled: include nsec3 proving about the Closest Encloser.
+ * that is an exact match that should exist for it.
+ * If that does not exist, a higher exact match + nxproof is enabled
+ * (for some sort of opt-out empty nonterminal cases).
+ * nxproof: include denial of the qname.
+ * wcproof: include denial of wildcard (wildcard.ce).
+ */
+static int
+az_add_nsec3_proof(struct auth_zone* z, struct regional* region,
+ struct dns_msg* msg, uint8_t* cenm, size_t cenmlen, uint8_t* qname,
+ size_t qname_len, int nxproof, int wcproof)
+{
+ int algo;
+ size_t iter, saltlen;
+ uint8_t* salt;
+ int no_exact_ce = 0;
+ struct auth_data* node;
+
+ /* find parameters of nsec3 proof */
+ if(!az_nsec3_param(z, &algo, &iter, &salt, &saltlen))
+ return 1; /* no nsec3 */
+ /* find ce that has an NSEC3 */
+ node = az_nsec3_find_ce(z, &cenm, &cenmlen, &no_exact_ce,
+ algo, iter, salt, saltlen);
+ if(no_exact_ce) nxproof = 1;
+ if(!az_nsec3_insert(z, region, msg, node))
+ return 0;
+
+ if(nxproof) {
+ uint8_t* nx;
+ size_t nxlen;
+ /* create nextcloser domain name */
+ az_nsec3_get_nextcloser(cenm, qname, qname_len, &nx, &nxlen);
+ /* find nsec3 that matches or covers it */
+ node = az_nsec3_find_cover(z, nx, nxlen, algo, iter, salt,
+ saltlen);
+ if(!az_nsec3_insert(z, region, msg, node))
+ return 0;
+ }
+ if(wcproof) {
+ /* create wildcard name *.ce */
+ uint8_t wc[LDNS_MAX_DOMAINLEN];
+ size_t wclen;
+ if(cenmlen+2 > sizeof(wc))
+ return 0; /* result would be too long */
+ wc[0] = 1; /* length of wildcard label */
+ wc[1] = (uint8_t)'*'; /* wildcard label */
+ memmove(wc+2, cenm, cenmlen);
+ wclen = cenmlen+2;
+ /* find nsec3 that matches or covers it */
+ node = az_nsec3_find_cover(z, wc, wclen, algo, iter, salt,
+ saltlen);
+ if(!az_nsec3_insert(z, region, msg, node))
+ return 0;
+ }
+ return 1;
+}
+
+/** generate answer for positive answer */
+static int
+az_generate_positive_answer(struct auth_zone* z, struct regional* region,
+ struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
+{
+ if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
+ /* see if we want additional rrs */
+ if(rrset->type == LDNS_RR_TYPE_MX) {
+ if(!az_add_additionals_from(z, region, msg, rrset, 2))
+ return 0;
+ } else if(rrset->type == LDNS_RR_TYPE_SRV) {
+ if(!az_add_additionals_from(z, region, msg, rrset, 6))
+ return 0;
+ } else if(rrset->type == LDNS_RR_TYPE_NS) {
+ if(!az_add_additionals_from(z, region, msg, rrset, 0))
+ return 0;
+ }
+ return 1;
+}
+
+/** generate answer for type ANY answer */
+static int
+az_generate_any_answer(struct auth_zone* z, struct regional* region,
+ struct dns_msg* msg, struct auth_data* node)
+{
+ struct auth_rrset* rrset;
+ int added = 0;
+ /* add a couple (at least one) RRs */
+ if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_SOA)) != NULL) {
+ if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
+ added++;
+ }
+ if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_MX)) != NULL) {
+ if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
+ added++;
+ }
+ if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_A)) != NULL) {
+ if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
+ added++;
+ }
+ if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_AAAA)) != NULL) {
+ if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
+ added++;
+ }
+ if(added == 0 && node->rrsets) {
+ if(!msg_add_rrset_an(z, region, msg, node,
+ node->rrsets)) return 0;
+ }
+ return 1;
+}
+
+/** follow cname chain and add more data to the answer section */
+static int
+follow_cname_chain(struct auth_zone* z, uint16_t qtype,
+ struct regional* region, struct dns_msg* msg,
+ struct packed_rrset_data* d)
+{
+ int maxchain = 0;
+ /* see if we can add the target of the CNAME into the answer */
+ while(maxchain++ < MAX_CNAME_CHAIN) {
+ struct auth_data* node;
+ struct auth_rrset* rrset;
+ size_t clen;
+ /* d has cname rdata */
+ if(d->count == 0) break; /* no CNAME */
+ if(d->rr_len[0] < 2+1) break; /* too small */
+ if((clen=dname_valid(d->rr_data[0]+2, d->rr_len[0]-2))==0)
+ break; /* malformed */
+ if(!dname_subdomain_c(d->rr_data[0]+2, z->name))
+ break; /* target out of zone */
+ if((node = az_find_name(z, d->rr_data[0]+2, clen))==NULL)
+ break; /* no such target name */
+ if((rrset=az_domain_rrset(node, qtype))!=NULL) {
+ /* done we found the target */
+ if(!msg_add_rrset_an(z, region, msg, node, rrset))
+ return 0;
+ break;
+ }
+ if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME))==NULL)
+ break; /* no further CNAME chain, notype */
+ if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
+ d = rrset->data;
+ }
+ return 1;
+}
+
+/** generate answer for cname answer */
+static int
+az_generate_cname_answer(struct auth_zone* z, struct query_info* qinfo,
+ struct regional* region, struct dns_msg* msg,
+ struct auth_data* node, struct auth_rrset* rrset)
+{
+ if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
+ if(!rrset) return 1;
+ if(!follow_cname_chain(z, qinfo->qtype, region, msg, rrset->data))
+ return 0;
+ return 1;
+}
+
+/** generate answer for notype answer */
+static int
+az_generate_notype_answer(struct auth_zone* z, struct regional* region,
+ struct dns_msg* msg, struct auth_data* node)
+{
+ struct auth_rrset* rrset;
+ if(!az_add_negative_soa(z, region, msg)) return 0;
+ /* DNSSEC denial NSEC */
+ if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_NSEC))!=NULL) {
+ if(!msg_add_rrset_ns(z, region, msg, node, rrset)) return 0;
+ } else if(node) {
+ /* DNSSEC denial NSEC3 */
+ if(!az_add_nsec3_proof(z, region, msg, node->name,
+ node->namelen, msg->qinfo.qname,
+ msg->qinfo.qname_len, 0, 0))
+ return 0;
+ }
+ return 1;
+}
+
+/** generate answer for referral answer */
+static int
+az_generate_referral_answer(struct auth_zone* z, struct regional* region,
+ struct dns_msg* msg, struct auth_data* ce, struct auth_rrset* rrset)
+{
+ struct auth_rrset* ds, *nsec;
+ /* turn off AA flag, referral is nonAA because it leaves the zone */
+ log_assert(ce);
+ msg->rep->flags &= ~BIT_AA;
+ if(!msg_add_rrset_ns(z, region, msg, ce, rrset)) return 0;
+ /* add DS or deny it */
+ if((ds=az_domain_rrset(ce, LDNS_RR_TYPE_DS))!=NULL) {
+ if(!msg_add_rrset_ns(z, region, msg, ce, ds)) return 0;
+ } else {
+ /* deny the DS */
+ if((nsec=az_domain_rrset(ce, LDNS_RR_TYPE_NSEC))!=NULL) {
+ if(!msg_add_rrset_ns(z, region, msg, ce, nsec))
+ return 0;
+ } else {
+ if(!az_add_nsec3_proof(z, region, msg, ce->name,
+ ce->namelen, msg->qinfo.qname,
+ msg->qinfo.qname_len, 0, 0))
+ return 0;
+ }
+ }
+ /* add additional rrs for type NS */
+ if(!az_add_additionals_from(z, region, msg, rrset, 0)) return 0;
+ return 1;
+}
+
+/** generate answer for DNAME answer */
+static int
+az_generate_dname_answer(struct auth_zone* z, struct query_info* qinfo,
+ struct regional* region, struct dns_msg* msg, struct auth_data* ce,
+ struct auth_rrset* rrset)
+{
+ log_assert(ce);
+ /* add the DNAME and then a CNAME */
+ if(!msg_add_rrset_an(z, region, msg, ce, rrset)) return 0;
+ if(!add_synth_cname(z, qinfo->qname, qinfo->qname_len, region,
+ msg, ce, rrset)) return 0;
+ if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_YXDOMAIN)
+ return 1;
+ if(msg->rep->rrset_count == 0 ||
+ !msg->rep->rrsets[msg->rep->rrset_count-1])
+ return 0;
+ if(!follow_cname_chain(z, qinfo->qtype, region, msg,
+ (struct packed_rrset_data*)msg->rep->rrsets[
+ msg->rep->rrset_count-1]->entry.data))
+ return 0;
+ return 1;
+}
+
+/** generate answer for wildcard answer */
+static int
+az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo,
+ struct regional* region, struct dns_msg* msg, struct auth_data* ce,
+ struct auth_data* wildcard, struct auth_data* node)
+{
+ struct auth_rrset* rrset, *nsec;
+ if(verbosity>=VERB_ALGO) {
+ char wcname[256];
+ sldns_wire2str_dname_buf(wildcard->name, wildcard->namelen,
+ wcname, sizeof(wcname));
+ log_info("wildcard %s", wcname);
+ }
+ if((rrset=az_domain_rrset(wildcard, qinfo->qtype)) != NULL) {
+ /* wildcard has type, add it */
+ if(!msg_add_rrset_an(z, region, msg, wildcard, rrset))
+ return 0;
+ az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
+ msg->qinfo.qname_len, 1);
+ } else if((rrset=az_domain_rrset(wildcard, LDNS_RR_TYPE_CNAME))!=NULL) {
+ /* wildcard has cname instead, do that */
+ if(!msg_add_rrset_an(z, region, msg, wildcard, rrset))
+ return 0;
+ az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
+ msg->qinfo.qname_len, 1);
+ if(!follow_cname_chain(z, qinfo->qtype, region, msg,
+ rrset->data))
+ return 0;
+ } else if(qinfo->qtype == LDNS_RR_TYPE_ANY && wildcard->rrsets) {
+ /* add ANY rrsets from wildcard node */
+ if(!az_generate_any_answer(z, region, msg, wildcard))
+ return 0;
+ az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
+ msg->qinfo.qname_len, 1);
+ } else {
+ /* wildcard has nodata, notype answer */
+ /* call other notype routine for dnssec notype denials */
+ if(!az_generate_notype_answer(z, region, msg, wildcard))
+ return 0;
+ }
+
+ /* ce and node for dnssec denial of wildcard original name */
+ if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
+ if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
+ } else if(ce) {
+ if(!az_add_nsec3_proof(z, region, msg, ce->name,
+ ce->namelen, msg->qinfo.qname,
+ msg->qinfo.qname_len, 1, 0))
+ return 0;
+ }
+
+ /* fixup name of wildcard from *.zone to qname, use already allocated
+ * pointer to msg qname */
+ az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
+ msg->qinfo.qname_len, 0);
+ return 1;
+}
+
+/** generate answer for nxdomain answer */
+static int
+az_generate_nxdomain_answer(struct auth_zone* z, struct regional* region,
+ struct dns_msg* msg, struct auth_data* ce, struct auth_data* node)
+{
+ struct auth_rrset* nsec;
+ msg->rep->flags |= LDNS_RCODE_NXDOMAIN;
+ if(!az_add_negative_soa(z, region, msg)) return 0;
+ if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
+ if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
+ if(ce && !az_nsec_wildcard_denial(z, region, msg, ce->name,
+ ce->namelen)) return 0;
+ } else if(ce) {
+ if(!az_add_nsec3_proof(z, region, msg, ce->name,
+ ce->namelen, msg->qinfo.qname,
+ msg->qinfo.qname_len, 1, 1))
+ return 0;
+ }
+ return 1;
+}
+
+/** Create answers when an exact match exists for the domain name */
+static int
+az_generate_answer_with_node(struct auth_zone* z, struct query_info* qinfo,
+ struct regional* region, struct dns_msg* msg, struct auth_data* node)
+{
+ struct auth_rrset* rrset;
+ /* positive answer, rrset we are looking for exists */
+ if((rrset=az_domain_rrset(node, qinfo->qtype)) != NULL) {
+ return az_generate_positive_answer(z, region, msg, node, rrset);
+ }
+ /* CNAME? */
+ if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME)) != NULL) {
+ return az_generate_cname_answer(z, qinfo, region, msg,
+ node, rrset);
+ }
+ /* type ANY ? */
+ if(qinfo->qtype == LDNS_RR_TYPE_ANY) {
+ return az_generate_any_answer(z, region, msg, node);
+ }
+ /* NOERROR/NODATA (no such type at domain name) */
+ return az_generate_notype_answer(z, region, msg, node);
+}
+
+/** Generate answer without an existing-node that we can use.
+ * So it'll be a referral, DNAME or nxdomain */
+static int
+az_generate_answer_nonexistnode(struct auth_zone* z, struct query_info* qinfo,
+ struct regional* region, struct dns_msg* msg, struct auth_data* ce,
+ struct auth_rrset* rrset, struct auth_data* node)
+{
+ struct auth_data* wildcard;
+
+ /* we do not have an exact matching name (that exists) */
+ /* see if we have a NS or DNAME in the ce */
+ if(ce && rrset && rrset->type == LDNS_RR_TYPE_NS) {
+ return az_generate_referral_answer(z, region, msg, ce, rrset);
+ }
+ if(ce && rrset && rrset->type == LDNS_RR_TYPE_DNAME) {
+ return az_generate_dname_answer(z, qinfo, region, msg, ce,
+ rrset);
+ }
+ /* if there is an empty nonterminal, wildcard and nxdomain don't
+ * happen, it is a notype answer */
+ if(az_empty_nonterminal(z, qinfo, node)) {
+ return az_generate_notype_answer(z, region, msg, node);
+ }
+ /* see if we have a wildcard under the ce */
+ if((wildcard=az_find_wildcard(z, qinfo, ce)) != NULL) {
+ return az_generate_wildcard_answer(z, qinfo, region, msg,
+ ce, wildcard, node);
+ }
+ /* generate nxdomain answer */
+ return az_generate_nxdomain_answer(z, region, msg, ce, node);
+}
+
+/** Lookup answer in a zone. */
+static int
+auth_zone_generate_answer(struct auth_zone* z, struct query_info* qinfo,
+ struct regional* region, struct dns_msg** msg, int* fallback)
+{
+ struct auth_data* node, *ce;
+ struct auth_rrset* rrset;
+ int node_exact, node_exists;
+ /* does the zone want fallback in case of failure? */
+ *fallback = z->fallback_enabled;
+ if(!(*msg=msg_create(region, qinfo))) return 0;
+
+ /* lookup if there is a matching domain name for the query */
+ az_find_domain(z, qinfo, &node_exact, &node);
+
+ /* see if node exists for generating answers from (i.e. not glue and
+ * obscured by NS or DNAME or NSEC3-only), and also return the
+ * closest-encloser from that, closest node that should be used
+ * to generate answers from that is above the query */
+ node_exists = az_find_ce(z, qinfo, node, node_exact, &ce, &rrset);
+
+ if(verbosity >= VERB_ALGO) {
+ char zname[256], qname[256], nname[256], cename[256],
+ tpstr[32], rrstr[32];
+ sldns_wire2str_dname_buf(qinfo->qname, qinfo->qname_len, qname,
+ sizeof(qname));
+ sldns_wire2str_type_buf(qinfo->qtype, tpstr, sizeof(tpstr));
+ sldns_wire2str_dname_buf(z->name, z->namelen, zname,
+ sizeof(zname));
+ if(node)
+ sldns_wire2str_dname_buf(node->name, node->namelen,
+ nname, sizeof(nname));
+ else snprintf(nname, sizeof(nname), "NULL");
+ if(ce)
+ sldns_wire2str_dname_buf(ce->name, ce->namelen,
+ cename, sizeof(cename));
+ else snprintf(cename, sizeof(cename), "NULL");
+ if(rrset) sldns_wire2str_type_buf(rrset->type, rrstr,
+ sizeof(rrstr));
+ else snprintf(rrstr, sizeof(rrstr), "NULL");
+ log_info("auth_zone %s query %s %s, domain %s %s %s, "
+ "ce %s, rrset %s", zname, qname, tpstr, nname,
+ (node_exact?"exact":"notexact"),
+ (node_exists?"exist":"notexist"), cename, rrstr);
+ }
+
+ if(node_exists) {
+ /* the node is fine, generate answer from node */
+ return az_generate_answer_with_node(z, qinfo, region, *msg,
+ node);
+ }
+ return az_generate_answer_nonexistnode(z, qinfo, region, *msg,
+ ce, rrset, node);
+}
+
+int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo,
+ struct regional* region, struct dns_msg** msg, int* fallback,
+ uint8_t* dp_nm, size_t dp_nmlen)
+{
+ int r;
+ struct auth_zone* z;
+
+ /* find the zone that should contain the answer. */
+ lock_rw_rdlock(&az->lock);
+ z = auth_zone_find(az, dp_nm, dp_nmlen, qinfo->qclass);
+ if(!z) {
+ lock_rw_unlock(&az->lock);
+ verbose(VERB_ALGO, "no auth zone for query, fallback");
+ /* no auth zone, fallback to internet */
+ *fallback = 1;
+ return 0;
+ }
+ lock_rw_rdlock(&z->lock);
+ lock_rw_unlock(&az->lock);
+
+ /* see what answer that zone would generate */
+ r = auth_zone_generate_answer(z, qinfo, region, msg, fallback);
+ lock_rw_unlock(&z->lock);
+ return r;
+}
diff --git a/services/authzone.h b/services/authzone.h
new file mode 100644
index 000000000000..5b4623b65200
--- /dev/null
+++ b/services/authzone.h
@@ -0,0 +1,209 @@
+/*
+ * services/authzone.h - authoritative zone that is locally hosted.
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains the functions for an authority zone. This zone
+ * is queried by the iterator, just like a stub or forward zone, but then
+ * the data is locally held.
+ */
+
+#ifndef SERVICES_AUTHZONE_H
+#define SERVICES_AUTHZONE_H
+#include "util/rbtree.h"
+#include "util/locks.h"
+struct ub_packed_rrset_key;
+struct regional;
+struct config_file;
+struct query_info;
+struct dns_msg;
+
+/**
+ * Authoritative zones, shared.
+ */
+struct auth_zones {
+ /** lock on the authzone tree */
+ lock_rw_type lock;
+ /** rbtree of struct auth_zone */
+ rbtree_type ztree;
+};
+
+/**
+ * Auth zone. Authoritative data, that is fetched from instead of sending
+ * packets to the internet.
+ */
+struct auth_zone {
+ /** rbtree node, key is name and class */
+ rbnode_type node;
+
+ /** zone name, in uncompressed wireformat */
+ uint8_t* name;
+ /** length of zone name */
+ size_t namelen;
+ /** number of labels in zone name */
+ int namelabs;
+ /** the class of this zone, in host byteorder.
+ * uses 'dclass' to not conflict with c++ keyword class. */
+ uint16_t dclass;
+
+ /** lock on the data in the structure
+ * For the node, parent, name, namelen, namelabs, dclass, you
+ * need to also hold the zones_tree lock to change them (or to
+ * delete this zone) */
+ lock_rw_type lock;
+
+ /** auth data for this zone
+ * rbtree of struct auth_data */
+ rbtree_type data;
+
+ /* zonefile name (or NULL for no zonefile) */
+ char* zonefile;
+ /* fallback to the internet on failure or ttl-expiry of auth zone */
+ int fallback_enabled;
+};
+
+/**
+ * Auth data. One domain name, and the RRs to go with it.
+ */
+struct auth_data {
+ /** rbtree node, key is name only */
+ rbnode_type node;
+ /** domain name */
+ uint8_t* name;
+ /** length of name */
+ size_t namelen;
+ /** number of labels in name */
+ int namelabs;
+ /** the data rrsets, with different types, linked list.
+ * if the list if NULL the node would be an empty non-terminal,
+ * but in this data structure such nodes that represent an empty
+ * non-terminal are not needed; they just don't exist.
+ */
+ struct auth_rrset* rrsets;
+};
+
+/**
+ * A auth data RRset
+ */
+struct auth_rrset {
+ /** next in list */
+ struct auth_rrset* next;
+ /** RR type in host byteorder */
+ uint16_t type;
+ /** RRset data item */
+ struct packed_rrset_data* data;
+};
+
+/**
+ * Create auth zones structure
+ */
+struct auth_zones* auth_zones_create(void);
+
+/**
+ * Apply configuration to auth zones. Reads zonefiles.
+ */
+int auth_zones_apply_config(struct auth_zones* az, struct config_file* cfg);
+
+/**
+ * Delete auth zones structure
+ */
+void auth_zones_delete(struct auth_zones* az);
+
+/**
+ * Write auth zone data to file, in zonefile format.
+ */
+int auth_zone_write_file(struct auth_zone* z, const char* fname);
+
+/**
+ * Use auth zones to lookup the answer to a query.
+ * The query is from the iterator. And the auth zones attempts to provide
+ * the answer instead of going to the internet.
+ *
+ * @param az: auth zones structure.
+ * @param qinfo: query info to lookup.
+ * @param region: region to use to allocate the reply in.
+ * @param msg: reply is stored here (if one).
+ * @param fallback: if true, fallback to making a query to the internet.
+ * @param dp_nm: name of delegation point to look for. This zone is used
+ * to answer the query.
+ * If the dp_nm is not found, fallback is set to true and false returned.
+ * @param dp_nmlen: length of dp_nm.
+ * @return 0: failure (an error of some sort, like servfail).
+ * if 0 and fallback is true, fallback to the internet.
+ * if 0 and fallback is false, like getting servfail.
+ * If true, an answer is available.
+ */
+int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo,
+ struct regional* region, struct dns_msg** msg, int* fallback,
+ uint8_t* dp_nm, size_t dp_nmlen);
+
+/**
+ * Find the auth zone that is above the given qname.
+ * Return NULL when there is no auth_zone above the give name, otherwise
+ * returns the closest auth_zone above the qname that pertains to it.
+ * @param az: auth zones structure.
+ * @param qinfo: query info to lookup.
+ * @return NULL or auth_zone that pertains to the query.
+ */
+struct auth_zone* auth_zones_find_zone(struct auth_zones* az,
+ struct query_info* qinfo);
+
+/** find an auth zone by name (exact match by name or NULL returned) */
+struct auth_zone* auth_zone_find(struct auth_zones* az, uint8_t* nm,
+ size_t nmlen, uint16_t dclass);
+
+/** create an auth zone. returns wrlocked zone. caller must have wrlock
+ * on az. returns NULL on malloc failure */
+struct auth_zone* auth_zone_create(struct auth_zones* az, uint8_t* nm,
+ size_t nmlen, uint16_t dclass);
+
+/** set auth zone zonefile string. caller must have lock on zone */
+int auth_zone_set_zonefile(struct auth_zone* z, char* zonefile);
+
+/** set auth zone fallback. caller must have lock on zone.
+ * fallbackstr is "yes" or "no". false on parse failure. */
+int auth_zone_set_fallback(struct auth_zone* z, char* fallbackstr);
+
+/** read auth zone from zonefile. caller must lock zone. false on failure */
+int auth_zone_read_zonefile(struct auth_zone* z);
+
+/** compare auth_zones for sorted rbtree */
+int auth_zone_cmp(const void* z1, const void* z2);
+
+/** compare auth_data for sorted rbtree */
+int auth_data_cmp(const void* z1, const void* z2);
+
+#endif /* SERVICES_AUTHZONE_H */
diff --git a/services/cache/dns.c b/services/cache/dns.c
index a8fde9f2890e..764205e53cbe 100644
--- a/services/cache/dns.c
+++ b/services/cache/dns.c
@@ -41,6 +41,7 @@
#include "config.h"
#include "iterator/iter_delegpt.h"
#include "validator/val_nsec.h"
+#include "validator/val_utils.h"
#include "services/cache/dns.h"
#include "services/cache/rrset.h"
#include "util/data/msgreply.h"
@@ -182,7 +183,7 @@ addr_to_additional(struct ub_packed_rrset_key* rrset, struct regional* region,
}
/** lookup message in message cache */
-static struct msgreply_entry*
+struct msgreply_entry*
msg_cache_lookup(struct module_env* env, uint8_t* qname, size_t qnamelen,
uint16_t qtype, uint16_t qclass, uint16_t flags, time_t now, int wr)
{
@@ -755,10 +756,16 @@ dns_cache_lookup(struct module_env* env,
if( qtype != LDNS_RR_TYPE_DS &&
(rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen,
LDNS_RR_TYPE_CNAME, qclass, 0, now, 0))) {
- struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
- if(msg) {
- lock_rw_unlock(&rrset->entry.lock);
- return msg;
+ uint8_t* wc = NULL;
+ /* if the rrset is not a wildcard expansion, with wcname */
+ /* because, if we return that CNAME rrset on its own, it is
+ * missing the NSEC or NSEC3 proof */
+ if(!(val_rrset_wildcard(rrset, &wc) && wc != NULL)) {
+ struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
+ if(msg) {
+ lock_rw_unlock(&rrset->entry.lock);
+ return msg;
+ }
}
lock_rw_unlock(&rrset->entry.lock);
}
diff --git a/services/cache/dns.h b/services/cache/dns.h
index 0dfb68874403..096ddf28db63 100644
--- a/services/cache/dns.h
+++ b/services/cache/dns.h
@@ -208,4 +208,10 @@ int dns_msg_authadd(struct dns_msg* msg, struct regional* region,
int dns_cache_prefetch_adjust(struct module_env* env, struct query_info* qinfo,
time_t adjust, uint16_t flags);
+/** lookup message in message cache
+ * the returned nonNULL entry is locked and has to be unlocked by the caller */
+struct msgreply_entry* msg_cache_lookup(struct module_env* env,
+ uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass,
+ uint16_t flags, time_t now, int wr);
+
#endif /* SERVICES_CACHE_DNS_H */
diff --git a/services/cache/infra.c b/services/cache/infra.c
index 314c85ef5112..ca1102ef5f7f 100644
--- a/services/cache/infra.c
+++ b/services/cache/infra.c
@@ -893,6 +893,8 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
/* find ratelimit */
lim = infra_find_ratelimit(infra, name, namelen);
+ if(!lim)
+ return 1; /* disabled for this domain */
/* find or insert ratedata */
entry = infra_find_ratedata(infra, name, namelen, 1);
@@ -941,6 +943,8 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
/* find ratelimit */
lim = infra_find_ratelimit(infra, name, namelen);
+ if(!lim)
+ return 0; /* disabled for this domain */
/* find current rate */
entry = infra_find_ratedata(infra, name, namelen, 0);
diff --git a/services/cache/infra.h b/services/cache/infra.h
index 6f9471a3941c..10db796bfcdd 100644
--- a/services/cache/infra.h
+++ b/services/cache/infra.h
@@ -401,7 +401,7 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
/** find the maximum rate stored, not too old. 0 if no information. */
int infra_rate_max(void* data, time_t now);
-/** find the ratelimit in qps for a domain */
+/** find the ratelimit in qps for a domain. 0 if no limit for domain. */
int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
size_t namelen);
diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
index 37ee9a6b9b46..0341f3067489 100644
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@@ -1223,15 +1223,15 @@ listen_create(struct comm_base* base, struct listen_port* ports,
ports->ftype == listen_type_tcp_dnscrypt ||
ports->ftype == listen_type_udpancil_dnscrypt) {
cp->dnscrypt = 1;
- cp->dnscrypt_buffer = sldns_buffer_new(bufsize);
- if(!cp->dnscrypt_buffer) {
- log_err("can't alloc dnscrypt_buffer");
- comm_point_delete(cp);
- listen_delete(front);
- return NULL;
- }
- front->dnscrypt_udp_buff = cp->dnscrypt_buffer;
- }
+ cp->dnscrypt_buffer = sldns_buffer_new(bufsize);
+ if(!cp->dnscrypt_buffer) {
+ log_err("can't alloc dnscrypt_buffer");
+ comm_point_delete(cp);
+ listen_delete(front);
+ return NULL;
+ }
+ front->dnscrypt_udp_buff = cp->dnscrypt_buffer;
+ }
#endif
if(!listen_cp_insert(cp, front)) {
log_err("malloc failed");
@@ -1269,10 +1269,10 @@ listen_delete(struct listen_dnsport* front)
return;
listen_list_delete(front->cps);
#ifdef USE_DNSCRYPT
- if(front->dnscrypt_udp_buff &&
- front->udp_buff != front->dnscrypt_udp_buff) {
- sldns_buffer_free(front->dnscrypt_udp_buff);
- }
+ if(front->dnscrypt_udp_buff &&
+ front->udp_buff != front->dnscrypt_udp_buff) {
+ sldns_buffer_free(front->dnscrypt_udp_buff);
+ }
#endif
sldns_buffer_free(front->udp_buff);
free(front);
diff --git a/services/localzone.c b/services/localzone.c
index dcce46e863e4..a19b5252643f 100644
--- a/services/localzone.c
+++ b/services/localzone.c
@@ -187,7 +187,9 @@ lz_enter_zone_dname(struct local_zones* zones, uint8_t* nm, size_t len,
lock_rw_wrlock(&z->lock);
if(!rbtree_insert(&zones->ztree, &z->node)) {
struct local_zone* oldz;
- log_warn("duplicate local-zone");
+ char str[256];
+ dname_str(nm, str);
+ log_warn("duplicate local-zone %s", str);
lock_rw_unlock(&z->lock);
/* save zone name locally before deallocation,
* otherwise, nm is gone if we zone_delete now. */
@@ -744,12 +746,15 @@ add_as112_default(struct local_zones* zones, struct config_file* cfg,
}
/** enter default zones */
-static int
-lz_enter_defaults(struct local_zones* zones, struct config_file* cfg)
+int local_zone_enter_defaults(struct local_zones* zones, struct config_file* cfg)
{
struct local_zone* z;
const char** zstr;
+ /* Do not add any default */
+ if(cfg->local_zones_disable_default)
+ return 1;
+
/* this list of zones is from RFC 6303 and RFC 7686 */
/* block localhost level zones first, then onion and later the LAN zones */
@@ -1019,7 +1024,7 @@ local_zones_apply_cfg(struct local_zones* zones, struct config_file* cfg)
return 0;
}
/* apply default zones+content (unless disabled, or overridden) */
- if(!lz_enter_defaults(zones, cfg)) {
+ if(!local_zone_enter_defaults(zones, cfg)) {
return 0;
}
/* enter local zone overrides */
@@ -1585,7 +1590,7 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
lock_rw_rdlock(&z->lock);
lzt = z->type;
}
- if(!z && !view->isfirst){
+ if(view->local_zones && !z && !view->isfirst){
lock_rw_unlock(&view->lock);
return 0;
}
@@ -1670,6 +1675,8 @@ int local_zone_str2type(const char* type, enum localzone_type* t)
*t = local_zone_always_refuse;
else if(strcmp(type, "always_nxdomain") == 0)
*t = local_zone_always_nxdomain;
+ else if(strcmp(type, "nodefault") == 0)
+ *t = local_zone_nodefault;
else return 0;
return 1;
}
diff --git a/services/localzone.h b/services/localzone.h
index 658f28024ef4..fcdad41666d2 100644
--- a/services/localzone.h
+++ b/services/localzone.h
@@ -428,6 +428,15 @@ enum localzone_type local_data_find_tag_action(const uint8_t* taglist,
enum localzone_type lzt, int* tag, char* const* tagname, int num_tags);
/**
+ * Enter defaults to local zone.
+ * @param zones: to add defaults to
+ * @param cfg: containing list of zones to exclude from default set.
+ * @return 1 on success; 0 otherwise.
+ */
+int local_zone_enter_defaults(struct local_zones* zones,
+ struct config_file* cfg);
+
+/**
* Parses resource record string into wire format, also returning its field values.
* @param str: input resource record
* @param nm: domain name field
diff --git a/services/mesh.c b/services/mesh.c
index 0cb134ade85f..f04ae16ddbcb 100644
--- a/services/mesh.c
+++ b/services/mesh.c
@@ -174,7 +174,7 @@ client_info_compare(const struct respip_client_info* ci_a,
* but we check that just in case. */
if(ci_a->respip_set != ci_b->respip_set)
return ci_a->respip_set < ci_b->respip_set ? -1 : 1;
- return 0;
+ return 0;
}
int
@@ -821,26 +821,26 @@ void mesh_detach_subs(struct module_qstate* qstate)
rbtree_init(&qstate->mesh_info->sub_set, &mesh_state_ref_compare);
}
-int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
- uint16_t qflags, int prime, int valrec, struct module_qstate** newq)
+int mesh_add_sub(struct module_qstate* qstate, struct query_info* qinfo,
+ uint16_t qflags, int prime, int valrec, struct module_qstate** newq,
+ struct mesh_state** sub)
{
/* find it, if not, create it */
struct mesh_area* mesh = qstate->env->mesh;
- struct mesh_state* sub = mesh_area_find(mesh, NULL, qinfo, qflags,
+ *sub = mesh_area_find(mesh, NULL, qinfo, qflags,
prime, valrec);
- int was_detached;
- if(mesh_detect_cycle_found(qstate, sub)) {
+ if(mesh_detect_cycle_found(qstate, *sub)) {
verbose(VERB_ALGO, "attach failed, cycle detected");
return 0;
}
- if(!sub) {
+ if(!*sub) {
#ifdef UNBOUND_DEBUG
struct rbnode_type* n;
#endif
/* create a new one */
- sub = mesh_state_create(qstate->env, qinfo, NULL, qflags, prime,
+ *sub = mesh_state_create(qstate->env, qinfo, NULL, qflags, prime,
valrec);
- if(!sub) {
+ if(!*sub) {
log_err("mesh_attach_sub: out of memory");
return 0;
}
@@ -849,7 +849,7 @@ int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
#else
(void)
#endif
- rbtree_insert(&mesh->all, &sub->node);
+ rbtree_insert(&mesh->all, &(*sub)->node);
log_assert(n != NULL);
/* set detached (it is now) */
mesh->num_detached_states++;
@@ -859,11 +859,22 @@ int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
#else
(void)
#endif
- rbtree_insert(&mesh->run, &sub->run_node);
+ rbtree_insert(&mesh->run, &(*sub)->run_node);
log_assert(n != NULL);
- *newq = &sub->s;
+ *newq = &(*sub)->s;
} else
*newq = NULL;
+ return 1;
+}
+
+int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
+ uint16_t qflags, int prime, int valrec, struct module_qstate** newq)
+{
+ struct mesh_area* mesh = qstate->env->mesh;
+ struct mesh_state* sub = NULL;
+ int was_detached;
+ if(!mesh_add_sub(qstate, qinfo, qflags, prime, valrec, newq, &sub))
+ return 0;
was_detached = (sub->super_set.count == 0);
if(!mesh_state_attachment(qstate->mesh_info, sub))
return 0;
diff --git a/services/mesh.h b/services/mesh.h
index 1c77945320e3..67749accb35a 100644
--- a/services/mesh.h
+++ b/services/mesh.h
@@ -371,6 +371,35 @@ int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
uint16_t qflags, int prime, int valrec, struct module_qstate** newq);
/**
+ * Add detached query.
+ * Creates it if it does not exist already.
+ * Does not make super/sub references.
+ * Performs a cycle detection - for double check - and fails if there is one.
+ * Updates stat items in mesh_area structure.
+ * Pass if it is priming query or not.
+ * return:
+ * o if error (malloc) happened.
+ * o need to initialise the new state (module init; it is a new state).
+ * so that the next run of the query with this module is successful.
+ * o no init needed, attachment successful.
+ * o added subquery, created if it did not exist already.
+ *
+ * @param qstate: the state to find mesh state, and that wants to receive
+ * the results from the new subquery.
+ * @param qinfo: what to query for (copied).
+ * @param qflags: what flags to use (RD / CD flag or not).
+ * @param prime: if it is a (stub) priming query.
+ * @param valrec: if it is a validation recursion query (lookup of key, DS).
+ * @param newq: If the new subquery needs initialisation, it is returned,
+ * otherwise NULL is returned.
+ * @param sub: The added mesh state, created if it did not exist already.
+ * @return: false on error, true if success (and init may be needed).
+ */
+int mesh_add_sub(struct module_qstate* qstate, struct query_info* qinfo,
+ uint16_t qflags, int prime, int valrec, struct module_qstate** newq,
+ struct mesh_state** sub);
+
+/**
* Query state is done, send messages to reply entries.
* Encode messages using reply entry values and the querystate (with original
* qinfo), using given reply_info.
diff --git a/services/modstack.c b/services/modstack.c
index 9bebd3a5634c..136245a96838 100644
--- a/services/modstack.c
+++ b/services/modstack.c
@@ -54,6 +54,9 @@
#ifdef USE_CACHEDB
#include "cachedb/cachedb.h"
#endif
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#endif
#ifdef CLIENT_SUBNET
#include "edns-subnet/subnetmod.h"
#endif
@@ -126,17 +129,20 @@ module_list_avail(void)
static const char* names[] = {
"dns64",
#ifdef WITH_PYTHONMODULE
- "python",
+ "python",
#endif
#ifdef USE_CACHEDB
"cachedb",
#endif
+#ifdef USE_IPSECMOD
+ "ipsecmod",
+#endif
#ifdef CLIENT_SUBNET
- "subnetcache",
+ "subnetcache",
#endif
"respip",
- "validator",
- "iterator",
+ "validator",
+ "iterator",
NULL};
return names;
}
@@ -151,22 +157,25 @@ module_funcs_avail(void)
static struct module_func_block* (*fb[])(void) = {
&dns64_get_funcblock,
#ifdef WITH_PYTHONMODULE
- &pythonmod_get_funcblock,
+ &pythonmod_get_funcblock,
#endif
#ifdef USE_CACHEDB
&cachedb_get_funcblock,
#endif
+#ifdef USE_IPSECMOD
+ &ipsecmod_get_funcblock,
+#endif
#ifdef CLIENT_SUBNET
- &subnetmod_get_funcblock,
+ &subnetmod_get_funcblock,
#endif
&respip_get_funcblock,
- &val_get_funcblock,
- &iter_get_funcblock,
+ &val_get_funcblock,
+ &iter_get_funcblock,
NULL};
return fb;
}
-struct
+struct
module_func_block* module_factory(const char** str)
{
int i = 0;
@@ -234,3 +243,15 @@ modstack_find(struct module_stack* stack, const char* name)
}
return -1;
}
+
+size_t
+mod_get_mem(struct module_env* env, const char* name)
+{
+ int m = modstack_find(&env->mesh->mods, name);
+ if(m != -1) {
+ fptr_ok(fptr_whitelist_mod_get_mem(env->mesh->
+ mods.mod[m]->get_mem));
+ return (*env->mesh->mods.mod[m]->get_mem)(env, m);
+ }
+ return 0;
+}
diff --git a/services/modstack.h b/services/modstack.h
index cb8613299abb..3ff01b54d938 100644
--- a/services/modstack.h
+++ b/services/modstack.h
@@ -110,4 +110,7 @@ void modstack_desetup(struct module_stack* stack, struct module_env* env);
*/
int modstack_find(struct module_stack* stack, const char* name);
+/** fetch memory for a module by name, returns 0 if module not there */
+size_t mod_get_mem(struct module_env* env, const char* name);
+
#endif /* SERVICES_MODSTACK_H */
diff --git a/services/outside_network.c b/services/outside_network.c
index 426e87b3e246..9b1490e643f8 100644
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -204,6 +204,9 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
{
struct pending_tcp* pend = w->outnet->tcp_free;
int s;
+#ifdef SO_REUSEADDR
+ int on = 1;
+#endif
log_assert(pend);
log_assert(pkt);
log_assert(w->addrlen > 0);
@@ -225,13 +228,20 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
return 0;
}
+#ifdef SO_REUSEADDR
+ if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void*)&on,
+ (socklen_t)sizeof(on)) < 0) {
+ verbose(VERB_ALGO, "outgoing tcp:"
+ " setsockopt(.. SO_REUSEADDR ..) failed");
+ }
+#endif
if (w->outnet->tcp_mss > 0) {
#if defined(IPPROTO_TCP) && defined(TCP_MAXSEG)
if(setsockopt(s, IPPROTO_TCP, TCP_MAXSEG,
(void*)&w->outnet->tcp_mss,
(socklen_t)sizeof(w->outnet->tcp_mss)) < 0) {
verbose(VERB_ALGO, "outgoing tcp:"
- " setsockopt(.. SO_REUSEADDR ..) failed");
+ " setsockopt(.. TCP_MAXSEG ..) failed");
}
#else
verbose(VERB_ALGO, "outgoing tcp:"
@@ -1538,18 +1548,22 @@ serviced_udp_send(struct serviced_query* sq, sldns_buffer* buff)
static int
serviced_check_qname(sldns_buffer* pkt, uint8_t* qbuf, size_t qbuflen)
{
- uint8_t* d1 = sldns_buffer_at(pkt, 12);
+ uint8_t* d1 = sldns_buffer_begin(pkt)+12;
uint8_t* d2 = qbuf+10;
uint8_t len1, len2;
int count = 0;
+ if(sldns_buffer_limit(pkt) < 12+1+4) /* packet too small for qname */
+ return 0;
log_assert(qbuflen >= 15 /* 10 header, root, type, class */);
len1 = *d1++;
len2 = *d2++;
- if(sldns_buffer_limit(pkt) < 12+1+4) /* packet too small for qname */
- return 0;
while(len1 != 0 || len2 != 0) {
if(LABEL_IS_PTR(len1)) {
+ /* check if we can read *d1 with compression ptr rest */
+ if(d1 >= sldns_buffer_at(pkt, sldns_buffer_limit(pkt)))
+ return 0;
d1 = sldns_buffer_begin(pkt)+PTR_OFFSET(len1, *d1);
+ /* check if we can read the destination *d1 */
if(d1 >= sldns_buffer_at(pkt, sldns_buffer_limit(pkt)))
return 0;
len1 = *d1++;
@@ -1563,6 +1577,9 @@ serviced_check_qname(sldns_buffer* pkt, uint8_t* qbuf, size_t qbuflen)
return 0;
if(len1 > LDNS_MAX_LABELLEN)
return 0;
+ /* check len1 + 1(next length) are okay to read */
+ if(d1+len1 >= sldns_buffer_at(pkt, sldns_buffer_limit(pkt)))
+ return 0;
log_assert(len1 <= LDNS_MAX_LABELLEN);
log_assert(len2 <= LDNS_MAX_LABELLEN);
log_assert(len1 == len2 && len1 != 0);
diff --git a/services/view.c b/services/view.c
index 33f4f4986ba7..c6709e58fd6a 100644
--- a/services/view.c
+++ b/services/view.c
@@ -167,6 +167,44 @@ views_apply_cfg(struct views* vs, struct config_file* cfg)
lz_cfg.local_data = cv->local_data;
lz_cfg.local_zones_nodefault =
cv->local_zones_nodefault;
+ if(v->isfirst) {
+ /* Do not add defaults to view-specific
+ * local-zone when global local zone will be
+ * used. */
+ struct config_strlist* nd;
+ lz_cfg.local_zones_disable_default = 1;
+ /* Add nodefault zones to list of zones to add,
+ * so they will be used as if they are
+ * configured as type transparent */
+ for(nd = cv->local_zones_nodefault; nd;
+ nd = nd->next) {
+ char* nd_str, *nd_type;
+ nd_str = strdup(nd->str);
+ if(!nd_str) {
+ log_err("out of memory");
+ lock_rw_unlock(&v->lock);
+ return 0;
+ }
+ nd_type = strdup("nodefault");
+ if(!nd_type) {
+ log_err("out of memory");
+ free(nd_str);
+ lock_rw_unlock(&v->lock);
+ return 0;
+ }
+ if(!cfg_str2list_insert(
+ &lz_cfg.local_zones, nd_str,
+ nd_type)) {
+ log_err("failed to insert "
+ "default zones into "
+ "local-zone list");
+ free(nd_str);
+ free(nd_type);
+ lock_rw_unlock(&v->lock);
+ return 0;
+ }
+ }
+ }
if(!local_zones_apply_cfg(v->local_zones, &lz_cfg)){
lock_rw_unlock(&v->lock);
return 0;
diff --git a/sldns/keyraw.c b/sldns/keyraw.c
index e8f2da089d6a..e2f14f2a4e97 100644
--- a/sldns/keyraw.c
+++ b/sldns/keyraw.c
@@ -388,6 +388,27 @@ sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
}
#endif /* USE_ECDSA */
+#ifdef USE_ED25519
+EVP_PKEY*
+sldns_ed255192pkey_raw(const unsigned char* key, size_t keylen)
+{
+ /* ASN1 for ED25519 is 302a300506032b6570032100 <32byteskey> */
+ uint8_t pre[] = {0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+ 0x70, 0x03, 0x21, 0x00};
+ int pre_len = 12;
+ uint8_t buf[256];
+ EVP_PKEY *evp_key;
+ /* pp gets modified by d2i() */
+ const unsigned char* pp = (unsigned char*)buf;
+ if(keylen != 32 || keylen + pre_len > sizeof(buf))
+ return NULL; /* wrong length */
+ memmove(buf, pre, pre_len);
+ memmove(buf+pre_len, key, keylen);
+ evp_key = d2i_PUBKEY(NULL, &pp, (int)(pre_len+keylen));
+ return evp_key;
+}
+#endif /* USE_ED25519 */
+
int
sldns_digest_evp(unsigned char* data, unsigned int len, unsigned char* dest,
const EVP_MD* md)
diff --git a/sldns/keyraw.h b/sldns/keyraw.h
index 8abe235097b2..19653b46c7ba 100644
--- a/sldns/keyraw.h
+++ b/sldns/keyraw.h
@@ -93,6 +93,15 @@ EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);
RSA *sldns_key_buf2rsa_raw(unsigned char* key, size_t len);
/**
+ * Converts a holding buffer with key material to EVP PKEY in openssl.
+ * Only available if ldns was compiled with ED25519.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* sldns_ed255192pkey_raw(const unsigned char* key, size_t len);
+
+/**
* Utility function to calculate hash using generic EVP_MD pointer.
* \param[in] data the data to hash.
* \param[in] len length of data.
diff --git a/sldns/parse.c b/sldns/parse.c
index 35dee719628c..e30a753a49bf 100644
--- a/sldns/parse.c
+++ b/sldns/parse.c
@@ -120,6 +120,10 @@ sldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
if (line_nr) {
*line_nr = *line_nr + 1;
}
+ if (limit > 0 && (i >= limit || (size_t)(t-token) >= limit)) {
+ *t = '\0';
+ return -1;
+ }
*t++ = ' ';
prev_c = c;
continue;
diff --git a/sldns/rrdef.c b/sldns/rrdef.c
index 80b47da16465..644762f59f4a 100644
--- a/sldns/rrdef.c
+++ b/sldns/rrdef.c
@@ -175,7 +175,7 @@ static const sldns_rdf_type type_tkey_wireformat[] = {
LDNS_RDF_TYPE_TIME,
LDNS_RDF_TYPE_TIME,
LDNS_RDF_TYPE_INT16,
- LDNS_RDF_TYPE_INT16,
+ LDNS_RDF_TYPE_TSIGERROR,
LDNS_RDF_TYPE_INT16_DATA,
LDNS_RDF_TYPE_INT16_DATA,
};
@@ -185,7 +185,7 @@ static const sldns_rdf_type type_tsig_wireformat[] = {
LDNS_RDF_TYPE_INT16,
LDNS_RDF_TYPE_INT16_DATA,
LDNS_RDF_TYPE_INT16,
- LDNS_RDF_TYPE_INT16,
+ LDNS_RDF_TYPE_TSIGERROR,
LDNS_RDF_TYPE_INT16_DATA
};
static const sldns_rdf_type type_tlsa_wireformat[] = {
@@ -341,8 +341,12 @@ static sldns_rr_descriptor rdata_field_descriptors[] = {
{LDNS_RR_TYPE_NSEC3PARAM, "NSEC3PARAM", 4, 4, type_nsec3param_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
/* 52 */
{LDNS_RR_TYPE_TLSA, "TLSA", 4, 4, type_tlsa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
-
+ /*53 */
+#ifdef DRAFT_RRTYPES
+ {LDNS_RR_TYPE_SMIMEA, "SMIMEA", 4, 4, type_tlsa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
+#else
{LDNS_RR_TYPE_NULL, "TYPE53", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
+#endif
{LDNS_RR_TYPE_NULL, "TYPE54", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
/* 55
* Hip ends with 0 or more Rendezvous Servers represented as dname's.
@@ -600,6 +604,12 @@ static sldns_rr_descriptor rdata_field_descriptors[] = {
{LDNS_RR_TYPE_URI, "URI", 3, 3, type_uri_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
/* 257 */
{LDNS_RR_TYPE_CAA, "CAA", 3, 3, type_caa_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
+#ifdef DRAFT_RRTYPES
+ /* 258 */
+ {LDNS_RR_TYPE_AVC, "AVC", 1, 0, NULL, LDNS_RDF_TYPE_STR, LDNS_RR_NO_COMPRESS, 0 },
+#else
+{LDNS_RR_TYPE_NULL, "TYPE258", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
+#endif
/* split in array, no longer contiguous */
diff --git a/sldns/rrdef.h b/sldns/rrdef.h
index af7bca1d2558..09d81d9b1920 100644
--- a/sldns/rrdef.h
+++ b/sldns/rrdef.h
@@ -38,7 +38,7 @@ extern "C" {
#define LDNS_KEY_REVOKE_KEY 0x0080 /* used to revoke KSK, rfc 5011 */
/* The first fields are contiguous and can be referenced instantly */
-#define LDNS_RDATA_FIELD_DESCRIPTORS_COMMON 258
+#define LDNS_RDATA_FIELD_DESCRIPTORS_COMMON 259
/** lookuptable for rr classes */
extern struct sldns_struct_lookup_table* sldns_rr_classes;
@@ -226,6 +226,7 @@ enum sldns_enum_rr_type
LDNS_RR_TYPE_ANY = 255,
LDNS_RR_TYPE_URI = 256, /* RFC 7553 */
LDNS_RR_TYPE_CAA = 257, /* RFC 6844 */
+ LDNS_RR_TYPE_AVC = 258,
/** DNSSEC Trust Authorities */
LDNS_RR_TYPE_TA = 32768,
@@ -350,6 +351,9 @@ enum sldns_enum_rdf_type
*/
LDNS_RDF_TYPE_LONG_STR,
+ /** TSIG extended 16bit error value */
+ LDNS_RDF_TYPE_TSIGERROR,
+
/* Aliases */
LDNS_RDF_TYPE_BITMAP = LDNS_RDF_TYPE_NSEC
};
@@ -430,6 +434,15 @@ typedef enum sldns_enum_edns_option sldns_edns_option;
#define LDNS_EDNS_MASK_DO_BIT 0x8000
+/** TSIG and TKEY extended rcodes (16bit), 0-15 are the normal rcodes. */
+#define LDNS_TSIG_ERROR_NOERROR 0
+#define LDNS_TSIG_ERROR_BADSIG 16
+#define LDNS_TSIG_ERROR_BADKEY 17
+#define LDNS_TSIG_ERROR_BADTIME 18
+#define LDNS_TSIG_ERROR_BADMODE 19
+#define LDNS_TSIG_ERROR_BADNAME 20
+#define LDNS_TSIG_ERROR_BADALG 21
+
/**
* Contains all information about resource record types.
*
diff --git a/sldns/sbuffer.c b/sldns/sbuffer.c
index a04b9b655633..4ac83977eecb 100644
--- a/sldns/sbuffer.c
+++ b/sldns/sbuffer.c
@@ -50,6 +50,8 @@ sldns_buffer_new_frm_data(sldns_buffer *buffer, void *data, size_t size)
buffer->_limit = buffer->_capacity = size;
buffer->_fixed = 0;
buffer->_vfixed = 0;
+ if (!buffer->_fixed && buffer->_data)
+ free(buffer->_data);
buffer->_data = malloc(size);
if(!buffer->_data) {
buffer->_status_err = 1;
diff --git a/sldns/str2wire.c b/sldns/str2wire.c
index 75c5d71b1ac6..b4f84faf9b3b 100644
--- a/sldns/str2wire.c
+++ b/sldns/str2wire.c
@@ -664,6 +664,14 @@ rrinternal_parse_rdata(sldns_buffer* strbuf, char* token, size_t token_len,
&pre_data_pos, delimiters,
rdftype, &token_strlen))
break;
+ } else if(rdftype == LDNS_RDF_TYPE_INT16_DATA &&
+ strcmp(token, "0")!=0) {
+ /* affix len and b64 fields */
+ if(!sldns_affix_token(strbuf, token,
+ &token_len, &quoted, &parens,
+ &pre_data_pos, delimiters,
+ rdftype, &token_strlen))
+ break;
}
/* normal RR */
@@ -861,6 +869,8 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
/* we can have the situation, where we've read ok, but still got
* no bytes to play with, in this case size is 0 */
if(size == 0) {
+ if(*len > 0)
+ rr[0] = 0;
*len = 0;
*dname_len = 0;
return LDNS_WIREPARSE_ERR_OK;
@@ -868,6 +878,7 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
if(strncmp(line, "$ORIGIN", 7) == 0 && isspace((unsigned char)line[7])) {
int s;
+ strlcpy((char*)rr, line, *len);
*len = 0;
*dname_len = 0;
if(!parse_state) return LDNS_WIREPARSE_ERR_OK;
@@ -878,12 +889,19 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
return s;
} else if(strncmp(line, "$TTL", 4) == 0 && isspace((unsigned char)line[4])) {
const char* end = NULL;
+ strlcpy((char*)rr, line, *len);
*len = 0;
*dname_len = 0;
if(!parse_state) return LDNS_WIREPARSE_ERR_OK;
parse_state->default_ttl = sldns_str2period(
sldns_strip_ws(line+5), &end);
} else if (strncmp(line, "$INCLUDE", 8) == 0) {
+ strlcpy((char*)rr, line, *len);
+ *len = 0;
+ *dname_len = 0;
+ return LDNS_WIREPARSE_ERR_INCLUDE;
+ } else if (strncmp(line, "$", 1) == 0) {
+ strlcpy((char*)rr, line, *len);
*len = 0;
*dname_len = 0;
return LDNS_WIREPARSE_ERR_INCLUDE;
@@ -940,6 +958,8 @@ int sldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len,
return sldns_str2wire_time_buf(str, rd, len);
case LDNS_RDF_TYPE_PERIOD:
return sldns_str2wire_period_buf(str, rd, len);
+ case LDNS_RDF_TYPE_TSIGTIME:
+ return sldns_str2wire_tsigtime_buf(str, rd, len);
case LDNS_RDF_TYPE_LOC:
return sldns_str2wire_loc_buf(str, rd, len);
case LDNS_RDF_TYPE_WKS:
@@ -964,6 +984,8 @@ int sldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len,
return sldns_str2wire_tag_buf(str, rd, len);
case LDNS_RDF_TYPE_LONG_STR:
return sldns_str2wire_long_str_buf(str, rd, len);
+ case LDNS_RDF_TYPE_TSIGERROR:
+ return sldns_str2wire_tsigerror_buf(str, rd, len);
case LDNS_RDF_TYPE_HIP:
return sldns_str2wire_hip_buf(str, rd, len);
case LDNS_RDF_TYPE_INT16_DATA:
@@ -1341,6 +1363,21 @@ int sldns_str2wire_alg_buf(const char* str, uint8_t* rd, size_t* len)
return LDNS_WIREPARSE_ERR_OK;
}
+int sldns_str2wire_tsigerror_buf(const char* str, uint8_t* rd, size_t* len)
+{
+ sldns_lookup_table *lt = sldns_lookup_by_name(sldns_tsig_errors, str);
+ if(*len < 2)
+ return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+ if(lt) {
+ sldns_write_uint16(rd, (uint16_t)lt->id);
+ *len = 2;
+ } else {
+ /* try as-is (a number) */
+ return sldns_str2wire_int16_buf(str, rd, len);
+ }
+ return LDNS_WIREPARSE_ERR_OK;
+}
+
int sldns_str2wire_time_buf(const char* str, uint8_t* rd, size_t* len)
{
/* convert a time YYYYDDMMHHMMSS to wireformat */
@@ -1383,6 +1420,24 @@ int sldns_str2wire_time_buf(const char* str, uint8_t* rd, size_t* len)
return LDNS_WIREPARSE_ERR_OK;
}
+int sldns_str2wire_tsigtime_buf(const char* str, uint8_t* rd, size_t* len)
+{
+ char* end;
+ uint64_t t = (uint64_t)strtol((char*)str, &end, 10);
+ uint16_t high;
+ uint32_t low;
+ if(*end != 0)
+ return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_TIME, end-str);
+ if(*len < 6)
+ return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+ high = (uint16_t)(t>>32);
+ low = (uint32_t)(t);
+ sldns_write_uint16(rd, high);
+ sldns_write_uint32(rd+2, low);
+ *len = 6;
+ return LDNS_WIREPARSE_ERR_OK;
+}
+
int sldns_str2wire_period_buf(const char* str, uint8_t* rd, size_t* len)
{
const char* end;
@@ -2008,16 +2063,29 @@ int sldns_str2wire_hip_buf(const char* str, uint8_t* rd, size_t* len)
int sldns_str2wire_int16_data_buf(const char* str, uint8_t* rd, size_t* len)
{
- size_t sz = sldns_b64_pton_calculate_size(strlen(str));
+ char* s;
int n;
- if(*len < sz+2)
+ n = strtol(str, &s, 10);
+ if(*len < ((size_t)n)+2)
return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
- if(sz > 65535)
+ if(n > 65535)
return LDNS_WIREPARSE_ERR_LABEL_OVERFLOW;
- n = sldns_b64_pton(str, rd+2, (*len)-2);
+
+ if(n == 0) {
+ sldns_write_uint16(rd, 0);
+ *len = 2;
+ return LDNS_WIREPARSE_ERR_OK;
+ }
+ if(*s != ' ')
+ return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_INT, s-(char*)str);
+ s++;
+ while(*s == ' ')
+ s++;
+
+ n = sldns_b64_pton(s, rd+2, (*len)-2);
if(n < 0)
return LDNS_WIREPARSE_ERR_SYNTAX_B64;
sldns_write_uint16(rd, (uint16_t)n);
- *len = (size_t)n;
+ *len = ((size_t)n)+2;
return LDNS_WIREPARSE_ERR_OK;
}
diff --git a/sldns/str2wire.h b/sldns/str2wire.h
index 527074a15b81..a0d6f55b03e8 100644
--- a/sldns/str2wire.h
+++ b/sldns/str2wire.h
@@ -237,6 +237,8 @@ struct sldns_file_parse_state {
* @param rr: this is malloced by the user and the result is stored here,
* if an RR is read. If no RR is read this is signalled with the
* return len set to 0 (for ORIGIN, TTL directives).
+ * The read line is available in the rr_buf (zero terminated), for
+ * $DIRECTIVE style elements.
* @param len: on input, the length of the rr buffer. on output the rr len.
* Buffer size of 64k should be enough.
* @param dname_len: returns the length of the dname initial part of the rr.
@@ -418,6 +420,24 @@ int sldns_str2wire_time_buf(const char* str, uint8_t* rd, size_t* len);
int sldns_str2wire_period_buf(const char* str, uint8_t* rd, size_t* len);
/**
+ * Convert rdf of type LDNS_RDF_TYPE_TSIGTIME from string to wireformat.
+ * @param str: the text to convert for this rdata element.
+ * @param rd: rdata buffer for the wireformat.
+ * @param len: length of rd buffer on input, used length on output.
+ * @return 0 on success, error on failure.
+ */
+int sldns_str2wire_tsigtime_buf(const char* str, uint8_t* rd, size_t* len);
+
+/**
+ * Convert rdf of type LDNS_RDF_TYPE_TSIGERROR from string to wireformat.
+ * @param str: the text to convert for this rdata element.
+ * @param rd: rdata buffer for the wireformat.
+ * @param len: length of rd buffer on input, used length on output.
+ * @return 0 on success, error on failure.
+ */
+int sldns_str2wire_tsigerror_buf(const char* str, uint8_t* rd, size_t* len);
+
+/**
* Convert rdf of type LDNS_RDF_TYPE_LOC from string to wireformat.
* @param str: the text to convert for this rdata element.
* @param rd: rdata buffer for the wireformat.
diff --git a/sldns/wire2str.c b/sldns/wire2str.c
index b2ca6192c649..ef505780f454 100644
--- a/sldns/wire2str.c
+++ b/sldns/wire2str.c
@@ -173,6 +173,28 @@ static sldns_lookup_table sldns_edns_options_data[] = {
};
sldns_lookup_table* sldns_edns_options = sldns_edns_options_data;
+static sldns_lookup_table sldns_tsig_errors_data[] = {
+ { LDNS_TSIG_ERROR_NOERROR, "NOERROR" },
+ { LDNS_RCODE_FORMERR, "FORMERR" },
+ { LDNS_RCODE_SERVFAIL, "SERVFAIL" },
+ { LDNS_RCODE_NXDOMAIN, "NXDOMAIN" },
+ { LDNS_RCODE_NOTIMPL, "NOTIMPL" },
+ { LDNS_RCODE_REFUSED, "REFUSED" },
+ { LDNS_RCODE_YXDOMAIN, "YXDOMAIN" },
+ { LDNS_RCODE_YXRRSET, "YXRRSET" },
+ { LDNS_RCODE_NXRRSET, "NXRRSET" },
+ { LDNS_RCODE_NOTAUTH, "NOTAUTH" },
+ { LDNS_RCODE_NOTZONE, "NOTZONE" },
+ { LDNS_TSIG_ERROR_BADSIG, "BADSIG" },
+ { LDNS_TSIG_ERROR_BADKEY, "BADKEY" },
+ { LDNS_TSIG_ERROR_BADTIME, "BADTIME" },
+ { LDNS_TSIG_ERROR_BADMODE, "BADMODE" },
+ { LDNS_TSIG_ERROR_BADNAME, "BADNAME" },
+ { LDNS_TSIG_ERROR_BADALG, "BADALG" },
+ { 0, NULL }
+};
+sldns_lookup_table* sldns_tsig_errors = sldns_tsig_errors_data;
+
char* sldns_wire2str_pkt(uint8_t* data, size_t len)
{
size_t slen = (size_t)sldns_wire2str_pkt_buf(data, len, NULL, 0);
@@ -976,6 +998,8 @@ int sldns_wire2str_rdf_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
return sldns_wire2str_tag_scan(d, dlen, s, slen);
case LDNS_RDF_TYPE_LONG_STR:
return sldns_wire2str_long_str_scan(d, dlen, s, slen);
+ case LDNS_RDF_TYPE_TSIGERROR:
+ return sldns_wire2str_tsigerror_scan(d, dlen, s, slen);
}
/* unknown rdf type */
return -1;
@@ -1574,6 +1598,7 @@ int sldns_wire2str_hip_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
int sldns_wire2str_int16_data_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
{
+ int w;
uint16_t n;
if(*dl < 2)
return -1;
@@ -1582,7 +1607,12 @@ int sldns_wire2str_int16_data_scan(uint8_t** d, size_t* dl, char** s, size_t* sl
return -1;
(*d)+=2;
(*dl)-=2;
- return sldns_wire2str_b64_scan_num(d, dl, s, sl, n);
+ if(n == 0) {
+ return sldns_str_print(s, sl, "0");
+ }
+ w = sldns_str_print(s, sl, "%u ", (unsigned)n);
+ w += sldns_wire2str_b64_scan_num(d, dl, s, sl, n);
+ return w;
}
int sldns_wire2str_nsec3_next_owner_scan(uint8_t** d, size_t* dl, char** s,
@@ -1639,10 +1669,10 @@ int sldns_wire2str_tag_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
if(*dl < 1+n)
return -1;
for(i=0; i<n; i++)
- if(!isalnum((unsigned char)(*d)[i]))
+ if(!isalnum((unsigned char)(*d)[i+1]))
return -1;
for(i=0; i<n; i++)
- w += sldns_str_print(s, sl, "%c", (char)(*d)[i]);
+ w += sldns_str_print(s, sl, "%c", (char)(*d)[i+1]);
(*d)+=n+1;
(*dl)-=(n+1);
return w;
@@ -1661,6 +1691,21 @@ int sldns_wire2str_long_str_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
return w;
}
+int sldns_wire2str_tsigerror_scan(uint8_t** d, size_t* dl, char** s, size_t* sl)
+{
+ sldns_lookup_table *lt;
+ int data, w;
+ if(*dl < 2) return -1;
+ data = (int)sldns_read_uint16(*d);
+ lt = sldns_lookup_by_id(sldns_tsig_errors, data);
+ if(lt && lt->name)
+ w = sldns_str_print(s, sl, "%s", lt->name);
+ else w = sldns_str_print(s, sl, "%d", data);
+ (*dl)-=2;
+ (*d)+=2;
+ return w;
+}
+
int sldns_wire2str_edns_llq_print(char** s, size_t* sl, uint8_t* data,
size_t len)
{
diff --git a/sldns/wire2str.h b/sldns/wire2str.h
index e0fda92339b9..aac13c548acd 100644
--- a/sldns/wire2str.h
+++ b/sldns/wire2str.h
@@ -38,6 +38,8 @@ extern struct sldns_struct_lookup_table* sldns_edns_flags;
extern struct sldns_struct_lookup_table* sldns_edns_options;
/** error string from wireparse */
extern struct sldns_struct_lookup_table* sldns_wireparse_errors;
+/** tsig errors are the rcodes with extra (higher) values */
+extern struct sldns_struct_lookup_table* sldns_tsig_errors;
/**
* Convert wireformat packet to a string representation
@@ -808,6 +810,19 @@ int sldns_wire2str_int16_data_scan(uint8_t** data, size_t* data_len, char** str,
size_t* str_len);
/**
+ * Scan wireformat tsigerror field to string, with user buffers.
+ * It shifts the arguments to move along (see sldns_wire2str_pkt_scan).
+ * @param data: wireformat data.
+ * @param data_len: length of data buffer.
+ * @param str: string buffer.
+ * @param str_len: length of string buffer.
+ * @return number of characters (except null) needed to print.
+ * Can return -1 on failure.
+ */
+int sldns_wire2str_tsigerror_scan(uint8_t** data, size_t* data_len, char** str,
+ size_t* str_len);
+
+/**
* Scan wireformat nsec3_next_owner field to string, with user buffers.
* It shifts the arguments to move along (see sldns_wire2str_pkt_scan).
* @param data: wireformat data.
diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
index 2828088d9fd6..19ee85b1aaaa 100644
--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
@@ -241,6 +241,8 @@ static const char*
get_builtin_ds(void)
{
return
+/* The anchors must start on a new line with ". IN DS and end with \n"[;]
+ * because the makedist script greps on the source here */
/* anchor 19036 is from 2010 */
/* anchor 20326 is from 2017 */
". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
diff --git a/smallapp/unbound-checkconf.c b/smallapp/unbound-checkconf.c
index ddf8b3a750b1..11df4415c5c5 100644
--- a/smallapp/unbound-checkconf.c
+++ b/smallapp/unbound-checkconf.c
@@ -4,22 +4,22 @@
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
* This software is open source.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
- *
+ *
* Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
- *
+ *
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
- *
+ *
* Neither the name of the NLNET LABS nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
@@ -88,10 +88,10 @@ usage(void)
exit(1);
}
-/**
- * Print given option to stdout
+/**
+ * Print given option to stdout
* @param cfg: config
- * @param opt: option name without trailing :.
+ * @param opt: option name without trailing :.
* This is different from config_set_option.
* @param final: if final pathname with chroot applied has to be printed.
*/
@@ -156,9 +156,9 @@ view_and_respipchecks(struct config_file* cfg)
fatal_exit("Could not create respip set: out of memory");
if(!views_apply_cfg(views, cfg))
fatal_exit("Could not set up views");
- if(!respip_global_apply_cfg(respip, cfg))
+ if(!respip_global_apply_cfg(respip, cfg))
fatal_exit("Could not setup respip set");
- if(!respip_views_apply_cfg(views, cfg, &ignored))
+ if(!respip_views_apply_cfg(views, cfg, &ignored))
fatal_exit("Could not setup per-view respip sets");
views_delete(views);
respip_set_delete(respip);
@@ -178,7 +178,7 @@ warn_hosts(const char* typ, struct config_stub* list)
fprintf(stderr, "unbound-checkconf: warning:"
" %s %s: \"%s\" is an IP%s address, "
"and when looked up as a host name "
- "during use may not resolve.\n",
+ "during use may not resolve.\n",
s->name, typ, h->str,
addr_is_ip6(&a, alen)?"6":"4");
}
@@ -230,7 +230,7 @@ aclchecks(struct config_file* cfg)
socklen_t alen;
struct config_str2list* acl;
for(acl=cfg->acls; acl; acl = acl->next) {
- if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen,
+ if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen,
&d)) {
fatal_exit("cannot parse access control address %s %s",
acl->str, acl->str2);
@@ -240,7 +240,7 @@ aclchecks(struct config_file* cfg)
/** true if fname is a file */
static int
-is_file(const char* fname)
+is_file(const char* fname)
{
struct stat buf;
if(stat(fname, &buf) < 0) {
@@ -260,7 +260,7 @@ is_file(const char* fname)
/** true if fname is a directory */
static int
-is_dir(const char* fname)
+is_dir(const char* fname)
{
struct stat buf;
if(stat(fname, &buf) < 0) {
@@ -305,7 +305,7 @@ check_chroot_string(const char* desc, char** ss,
fatal_exit("%s: \"%s\" does not exist in "
"chrootdir %s", desc, str, chrootdir);
else
- fatal_exit("%s: \"%s\" does not exist",
+ fatal_exit("%s: \"%s\" does not exist",
desc, str);
}
/* put in a new full path for continued checking */
@@ -332,8 +332,8 @@ check_chroot_filelist_wild(const char* desc, struct config_strlist* list,
struct config_strlist* p;
for(p=list; p; p=p->next) {
#ifdef HAVE_GLOB
- if(strchr(p->str, '*') || strchr(p->str, '[') ||
- strchr(p->str, '?') || strchr(p->str, '{') ||
+ if(strchr(p->str, '*') || strchr(p->str, '[') ||
+ strchr(p->str, '?') || strchr(p->str, '{') ||
strchr(p->str, '~')) {
char* s = p->str;
/* adjust whole pattern for chroot and check later */
@@ -370,11 +370,11 @@ morechecks(struct config_file* cfg, const char* fname)
#ifdef UB_ON_WINDOWS
w_config_adjust_directory(cfg);
#endif
- if(cfg->chrootdir && cfg->chrootdir[0] &&
+ if(cfg->chrootdir && cfg->chrootdir[0] &&
cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/')
fatal_exit("chootdir %s has trailing slash '/' please remove.",
cfg->chrootdir);
- if(cfg->chrootdir && cfg->chrootdir[0] &&
+ if(cfg->chrootdir && cfg->chrootdir[0] &&
!is_dir(cfg->chrootdir)) {
fatal_exit("bad chroot directory");
}
@@ -416,16 +416,20 @@ morechecks(struct config_file* cfg, const char* fname)
}
}
- check_chroot_filelist("file with root-hints",
+ check_chroot_filelist("file with root-hints",
cfg->root_hints, cfg->chrootdir, cfg);
- check_chroot_filelist("trust-anchor-file",
+ check_chroot_filelist("trust-anchor-file",
cfg->trust_anchor_file_list, cfg->chrootdir, cfg);
- check_chroot_filelist("auto-trust-anchor-file",
+ check_chroot_filelist("auto-trust-anchor-file",
cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg);
- check_chroot_filelist_wild("trusted-keys-file",
+ check_chroot_filelist_wild("trusted-keys-file",
cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
- check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
+ check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
cfg->chrootdir, cfg);
+#ifdef USE_IPSECMOD
+ check_chroot_string("ipsecmod-hook", &cfg->ipsecmod_hook, cfg->chrootdir,
+ cfg);
+#endif
/* remove chroot setting so that modules are not stripping pathnames*/
free(cfg->chrootdir);
cfg->chrootdir = NULL;
@@ -434,21 +438,21 @@ morechecks(struct config_file* cfg, const char* fname)
* dns64, but it's not explicitly confirmed, so the combination is
* excluded below. It's simply unknown yet for the combination of
* respip and other modules. */
- if(strcmp(cfg->module_conf, "iterator") != 0
+ if(strcmp(cfg->module_conf, "iterator") != 0
&& strcmp(cfg->module_conf, "validator iterator") != 0
&& strcmp(cfg->module_conf, "dns64 validator iterator") != 0
&& strcmp(cfg->module_conf, "dns64 iterator") != 0
&& strcmp(cfg->module_conf, "respip iterator") != 0
&& strcmp(cfg->module_conf, "respip validator iterator") != 0
#ifdef WITH_PYTHONMODULE
- && strcmp(cfg->module_conf, "python iterator") != 0
- && strcmp(cfg->module_conf, "python validator iterator") != 0
+ && strcmp(cfg->module_conf, "python iterator") != 0
+ && strcmp(cfg->module_conf, "python validator iterator") != 0
&& strcmp(cfg->module_conf, "validator python iterator") != 0
- && strcmp(cfg->module_conf, "dns64 python iterator") != 0
- && strcmp(cfg->module_conf, "dns64 python validator iterator") != 0
+ && strcmp(cfg->module_conf, "dns64 python iterator") != 0
+ && strcmp(cfg->module_conf, "dns64 python validator iterator") != 0
&& strcmp(cfg->module_conf, "dns64 validator python iterator") != 0
- && strcmp(cfg->module_conf, "python dns64 iterator") != 0
- && strcmp(cfg->module_conf, "python dns64 validator iterator") != 0
+ && strcmp(cfg->module_conf, "python dns64 iterator") != 0
+ && strcmp(cfg->module_conf, "python dns64 validator iterator") != 0
#endif
#ifdef USE_CACHEDB
&& strcmp(cfg->module_conf, "validator cachedb iterator") != 0
@@ -468,17 +472,29 @@ morechecks(struct config_file* cfg, const char* fname)
&& strcmp(cfg->module_conf, "validator python cachedb iterator") != 0
#endif
#ifdef CLIENT_SUBNET
- && strcmp(cfg->module_conf, "subnetcache iterator") != 0
+ && strcmp(cfg->module_conf, "subnetcache iterator") != 0
&& strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
#endif
#if defined(WITH_PYTHONMODULE) && defined(CLIENT_SUBNET)
&& strcmp(cfg->module_conf, "python subnetcache iterator") != 0
- && strcmp(cfg->module_conf, "subnetcache python iterator") != 0
+ && strcmp(cfg->module_conf, "subnetcache python iterator") != 0
&& strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
&& strcmp(cfg->module_conf, "python subnetcache validator iterator") != 0
&& strcmp(cfg->module_conf, "subnetcache python validator iterator") != 0
&& strcmp(cfg->module_conf, "subnetcache validator python iterator") != 0
#endif
+#ifdef USE_IPSECMOD
+ && strcmp(cfg->module_conf, "ipsecmod iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
+#endif
+#if defined(WITH_PYTHONMODULE) && defined(USE_IPSECMOD)
+ && strcmp(cfg->module_conf, "python ipsecmod iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod python iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
+ && strcmp(cfg->module_conf, "python ipsecmod validator iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod python validator iterator") != 0
+ && strcmp(cfg->module_conf, "ipsecmod validator python iterator") != 0
+#endif
) {
fatal_exit("module conf '%s' is not known to work",
cfg->module_conf);
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index 6cd4e70861f0..aa2db4a61dfb 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -161,7 +161,7 @@ usage(void)
static const int inhibit_zero = 1;
/** divide sum of timers to get average */
static void
-timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
+timeval_divide(struct timeval* avg, const struct timeval* sum, long long d)
{
#ifndef S_SPLINT_S
size_t leftover;
@@ -184,12 +184,14 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
#define PR_UL_SUB(str, nm, var) printf(str".%s"SQ"%lu\n", nm, (unsigned long)(var));
#define PR_TIMEVAL(str, var) printf(str SQ ARG_LL "d.%6.6d\n", \
(long long)var.tv_sec, (int)var.tv_usec);
+#define PR_STATSTIME(str, var) printf(str SQ ARG_LL "d.%6.6d\n", \
+ (long long)var ## _sec, (int)var ## _usec);
#define PR_LL(str, var) printf(str SQ ARG_LL"d\n", (long long)(var));
/** print stat block */
-static void pr_stats(const char* nm, struct stats_info* s)
+static void pr_stats(const char* nm, struct ub_stats_info* s)
{
- struct timeval avg;
+ struct timeval sumwait, avg;
PR_UL_NM("num.queries", s->svr.num_queries);
PR_UL_NM("num.queries_ip_ratelimited",
s->svr.num_queries_ip_ratelimited);
@@ -209,14 +211,18 @@ static void pr_stats(const char* nm, struct stats_info* s)
printf("%s.requestlist.avg"SQ"%g\n", nm,
(s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)?
(double)s->svr.sum_query_list_size/
- (s->svr.num_queries_missed_cache+
+ (double)(s->svr.num_queries_missed_cache+
s->svr.num_queries_prefetch) : 0.0);
PR_UL_NM("requestlist.max", s->svr.max_query_list_size);
PR_UL_NM("requestlist.overwritten", s->mesh_jostled);
PR_UL_NM("requestlist.exceeded", s->mesh_dropped);
PR_UL_NM("requestlist.current.all", s->mesh_num_states);
PR_UL_NM("requestlist.current.user", s->mesh_num_reply_states);
- timeval_divide(&avg, &s->mesh_replies_sum_wait, s->mesh_replies_sent);
+#ifndef S_SPLINT_S
+ sumwait.tv_sec = s->mesh_replies_sum_wait_sec;
+ sumwait.tv_usec = s->mesh_replies_sum_wait_usec;
+#endif
+ timeval_divide(&avg, &sumwait, s->mesh_replies_sent);
printf("%s.", nm);
PR_TIMEVAL("recursion.time.avg", avg);
printf("%s.recursion.time.median"SQ"%g\n", nm, s->mesh_time_median);
@@ -224,27 +230,31 @@ static void pr_stats(const char* nm, struct stats_info* s)
}
/** print uptime */
-static void print_uptime(struct shm_stat_info* shm_stat)
+static void print_uptime(struct ub_shm_stat_info* shm_stat)
{
- PR_TIMEVAL("time.now", shm_stat->time.now);
- PR_TIMEVAL("time.up", shm_stat->time.up);
- PR_TIMEVAL("time.elapsed", shm_stat->time.elapsed);
+ PR_STATSTIME("time.now", shm_stat->time.now);
+ PR_STATSTIME("time.up", shm_stat->time.up);
+ PR_STATSTIME("time.elapsed", shm_stat->time.elapsed);
}
/** print memory usage */
-static void print_mem(struct shm_stat_info* shm_stat)
+static void print_mem(struct ub_shm_stat_info* shm_stat)
{
PR_LL("mem.cache.rrset", shm_stat->mem.rrset);
PR_LL("mem.cache.message", shm_stat->mem.msg);
- PR_LL("mem.cache.iterator", shm_stat->mem.iter);
- PR_LL("mem.cache.validator", shm_stat->mem.val);
+ PR_LL("mem.mod.iterator", shm_stat->mem.iter);
+ PR_LL("mem.mod.validator", shm_stat->mem.val);
+ PR_LL("mem.mod.respip", shm_stat->mem.respip);
#ifdef CLIENT_SUBNET
- PR_LL("mem.cache.subnet", shm_stat->mem.subnet);
+ PR_LL("mem.mod.subnet", shm_stat->mem.subnet);
+#endif
+#ifdef USE_IPSECMOD
+ PR_LL("mem.mod.ipsecmod", shm_stat->mem.ipsecmod);
#endif
}
/** print histogram */
-static void print_hist(struct stats_info* s)
+static void print_hist(struct ub_stats_info* s)
{
struct timehist* hist;
size_t i;
@@ -264,13 +274,13 @@ static void print_hist(struct stats_info* s)
}
/** print extended */
-static void print_extended(struct stats_info* s)
+static void print_extended(struct ub_stats_info* s)
{
int i;
char nm[16];
/* TYPE */
- for(i=0; i<STATS_QTYPE_NUM; i++) {
+ for(i=0; i<UB_STATS_QTYPE_NUM; i++) {
if(inhibit_zero && s->svr.qtype[i] == 0)
continue;
sldns_wire2str_type_buf((uint16_t)i, nm, sizeof(nm));
@@ -281,7 +291,7 @@ static void print_extended(struct stats_info* s)
}
/* CLASS */
- for(i=0; i<STATS_QCLASS_NUM; i++) {
+ for(i=0; i<UB_STATS_QCLASS_NUM; i++) {
if(inhibit_zero && s->svr.qclass[i] == 0)
continue;
sldns_wire2str_class_buf((uint16_t)i, nm, sizeof(nm));
@@ -292,7 +302,7 @@ static void print_extended(struct stats_info* s)
}
/* OPCODE */
- for(i=0; i<STATS_OPCODE_NUM; i++) {
+ for(i=0; i<UB_STATS_OPCODE_NUM; i++) {
if(inhibit_zero && s->svr.qopcode[i] == 0)
continue;
sldns_wire2str_opcode_buf(i, nm, sizeof(nm));
@@ -317,7 +327,7 @@ static void print_extended(struct stats_info* s)
PR_UL("num.query.edns.DO", s->svr.qEDNS_DO);
/* RCODE */
- for(i=0; i<STATS_RCODE_NUM; i++) {
+ for(i=0; i<UB_STATS_RCODE_NUM; i++) {
/* Always include RCODEs 0-5 */
if(inhibit_zero && i > LDNS_RCODE_REFUSED && s->svr.ans_rcode[i] == 0)
continue;
@@ -342,8 +352,8 @@ static void print_extended(struct stats_info* s)
}
/** print statistics out of memory structures */
-static void do_stats_shm(struct config_file* cfg, struct stats_info* stats,
- struct shm_stat_info* shm_stat)
+static void do_stats_shm(struct config_file* cfg, struct ub_stats_info* stats,
+ struct ub_shm_stat_info* shm_stat)
{
int i;
char nm[16];
@@ -366,8 +376,8 @@ static void print_stats_shm(const char* cfgfile)
{
#ifdef HAVE_SHMGET
struct config_file* cfg;
- struct stats_info* stats;
- struct shm_stat_info* shm_stat;
+ struct ub_stats_info* stats;
+ struct ub_shm_stat_info* shm_stat;
int id_ctl, id_arr;
/* read config */
if(!(cfg = config_create()))
@@ -383,11 +393,11 @@ static void print_stats_shm(const char* cfgfile)
if(id_arr == -1) {
fatal_exit("shmget(%d): %s", cfg->shm_key+1, strerror(errno));
}
- shm_stat = (struct shm_stat_info*)shmat(id_ctl, NULL, 0);
+ shm_stat = (struct ub_shm_stat_info*)shmat(id_ctl, NULL, 0);
if(shm_stat == (void*)-1) {
fatal_exit("shmat(%d): %s", id_ctl, strerror(errno));
}
- stats = (struct stats_info*)shmat(id_arr, NULL, 0);
+ stats = (struct ub_stats_info*)shmat(id_arr, NULL, 0);
if(stats == (void*)-1) {
fatal_exit("shmat(%d): %s", id_arr, strerror(errno));
}
diff --git a/testcode/do-tests.sh b/testcode/do-tests.sh
index e356d4fc312c..dcf93907e388 100755
--- a/testcode/do-tests.sh
+++ b/testcode/do-tests.sh
@@ -9,7 +9,7 @@ NEED_CURL='06-ianaports.tpkg root_anchor.tpkg'
NEED_WHOAMI='07-confroot.tpkg'
NEED_IPV6='fwd_ancil.tpkg fwd_tcp_tc6.tpkg stub_udp6.tpkg edns_cache.tpkg'
NEED_NOMINGW='tcp_sigpipe.tpkg 07-confroot.tpkg 08-host-lib.tpkg fwd_ancil.tpkg'
-NEED_DNSCRYPT_PROXY='dnscrypt_queries.tpkg'
+NEED_DNSCRYPT_PROXY='dnscrypt_queries.tpkg dnscrypt_queries_chacha.tpkg'
# test if dig and ldns-testns are available.
test_tool_avail "dig"
diff --git a/testcode/replay.c b/testcode/replay.c
index b45bde806729..085c314759fd 100644
--- a/testcode/replay.c
+++ b/testcode/replay.c
@@ -488,6 +488,7 @@ replay_scenario_read(FILE* in, const char* name, int* lineno)
return scen;
}
}
+ log_err("scenario read failed at line %d (no SCENARIO_END?)", *lineno);
replay_scenario_delete(scen);
return NULL;
}
diff --git a/testcode/streamtcp.c b/testcode/streamtcp.c
index 34b5c0281369..f5eb8fc48b1d 100644
--- a/testcode/streamtcp.c
+++ b/testcode/streamtcp.c
@@ -143,7 +143,9 @@ write_q(int fd, int udp, SSL* ssl, sldns_buffer* buf, uint16_t id,
edns.edns_present = 1;
edns.bits = EDNS_DO;
edns.udp_size = 4096;
- attach_edns_record(buf, &edns);
+ if(sldns_buffer_capacity(buf) >=
+ sldns_buffer_limit(buf)+calc_edns_field_size(&edns))
+ attach_edns_record(buf, &edns);
}
/* send it */
diff --git a/testcode/testbound.c b/testcode/testbound.c
index 180b2c256a49..20c99608fdd7 100644
--- a/testcode/testbound.c
+++ b/testcode/testbound.c
@@ -78,6 +78,7 @@ testbound_usage(void)
printf("-g detect GOST support (exit code 0 or 1)\n");
printf("-e detect ECDSA support (exit code 0 or 1)\n");
printf("-c detect CLIENT_SUBNET support (exit code 0 or 1)\n");
+ printf("-i detect IPSECMOD support (exit code 0 or 1)\n");
printf("-s testbound self-test - unit test of testbound parts.\n");
printf("-o str unbound commandline options separated by spaces.\n");
printf("Version %s\n", PACKAGE_VERSION);
@@ -281,7 +282,7 @@ main(int argc, char* argv[])
pass_argc = 1;
pass_argv[0] = "unbound";
add_opts("-d", &pass_argc, pass_argv);
- while( (c=getopt(argc, argv, "12egho:p:s")) != -1) {
+ while( (c=getopt(argc, argv, "12egciho:p:s")) != -1) {
switch(c) {
case 's':
free(pass_argv[1]);
@@ -337,6 +338,15 @@ main(int argc, char* argv[])
exit(1);
#endif
break;
+ case 'i':
+#ifdef USE_IPSECMOD
+ printf("IPSECMOD supported\n");
+ exit(0);
+#else
+ printf("IPSECMOD not supported\n");
+ exit(1);
+#endif
+ break;
case 'p':
playback_file = optarg;
break;
diff --git a/testcode/unitauth.c b/testcode/unitauth.c
new file mode 100644
index 000000000000..f6c022aa03d7
--- /dev/null
+++ b/testcode/unitauth.c
@@ -0,0 +1,858 @@
+/*
+ * testcode/unitauth.c - unit test for authzone authoritative zone code.
+ *
+ * Copyright (c) 2017, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/**
+ * \file
+ * Unit test for auth zone code.
+ */
+#include "config.h"
+#include "services/authzone.h"
+#include "testcode/unitmain.h"
+#include "util/regional.h"
+#include "util/net_help.h"
+#include "util/data/msgreply.h"
+#include "services/cache/dns.h"
+#include "sldns/str2wire.h"
+#include "sldns/wire2str.h"
+#include "sldns/sbuffer.h"
+
+/** verbosity for this test */
+static int vbmp = 0;
+
+/** struct for query and answer checks */
+struct q_ans {
+ /** zone to query (delegpt) */
+ const char* zone;
+ /** query name, class, type */
+ const char* query;
+ /** additional flags or "" */
+ const char* flags;
+ /** expected answer to check against, multi-line string */
+ const char* answer;
+};
+
+/** auth zone for test */
+static const char* zone_example_com =
+"example.com. 3600 IN SOA ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+"example.com. 3600 IN A 10.0.0.1\n"
+"example.com. 3600 IN NS ns.example.com.\n"
+"example.com. 3600 IN MX 50 mail.example.com.\n"
+"deep.ent.example.com. 3600 IN A 10.0.0.9\n"
+"mail.example.com. 3600 IN A 10.0.0.4\n"
+"ns.example.com. 3600 IN A 10.0.0.5\n"
+"out.example.com. 3600 IN CNAME www.example.com.\n"
+"plan.example.com. 3600 IN CNAME nonexist.example.com.\n"
+"redir.example.com. 3600 IN DNAME redir.example.org.\n"
+"sub.example.com. 3600 IN NS ns1.sub.example.com.\n"
+"sub.example.com. 3600 IN NS ns2.sub.example.com.\n"
+"ns1.sub.example.com. 3600 IN A 10.0.0.6\n"
+"ns2.sub.example.com. 3600 IN AAAA 2001::7\n"
+"*.wild.example.com. 3600 IN A 10.0.0.8\n"
+"*.wild2.example.com. 3600 IN CNAME www.example.com.\n"
+"*.wild3.example.com. 3600 IN A 10.0.0.8\n"
+"*.wild3.example.com. 3600 IN MX 50 mail.example.com.\n"
+"www.example.com. 3600 IN A 10.0.0.2\n"
+"www.example.com. 3600 IN A 10.0.0.3\n"
+"yy.example.com. 3600 IN TXT \"a\"\n"
+"yy.example.com. 3600 IN TXT \"b\"\n"
+"yy.example.com. 3600 IN TXT \"c\"\n"
+"yy.example.com. 3600 IN TXT \"d\"\n"
+"yy.example.com. 3600 IN TXT \"e\"\n"
+"yy.example.com. 3600 IN TXT \"f\"\n"
+
+/* and some tests for RRSIGs (rrsig is www.nlnetlabs.nl copy) */
+/* normal: domain and 1 rrsig */
+"z1.example.com. 3600 IN A 10.0.0.10\n"
+"z1.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+/* normal: domain and 2 rrsigs */
+"z2.example.com. 3600 IN A 10.0.0.10\n"
+"z2.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+"z2.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 12345 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 12345}\n"
+/* normal: domain and 3 rrsigs */
+"z3.example.com. 3600 IN A 10.0.0.10\n"
+"z3.example.com. 3600 IN A 10.0.0.11\n"
+"z3.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+"z3.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 12345 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 12345}\n"
+"z3.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 12356 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 12356}\n"
+/* just an RRSIG rrset with nothing else */
+"z4.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+/* just an RRSIG rrset with nothing else, 2 rrsigs */
+"z5.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+"z5.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 12345 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 12345}\n"
+#if 0 /* comparison of file does not work on this part because duplicates */
+ /* are removed and the rrsets are reordered */
+/* first rrsig, then A record */
+"z6.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+"z6.example.com. 3600 IN A 10.0.0.10\n"
+/* first two rrsigs, then A record */
+"z7.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+"z7.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 12345 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 12345}\n"
+"z7.example.com. 3600 IN A 10.0.0.10\n"
+/* first two rrsigs, then two A records */
+"z8.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+"z8.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 12345 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 12345}\n"
+"z8.example.com. 3600 IN A 10.0.0.10\n"
+"z8.example.com. 3600 IN A 10.0.0.11\n"
+/* duplicate RR, duplicate RRsig */
+"z9.example.com. 3600 IN A 10.0.0.10\n"
+"z9.example.com. 3600 IN A 10.0.0.11\n"
+"z9.example.com. 3600 IN A 10.0.0.10\n"
+"z9.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+"z9.example.com. 3600 IN RRSIG A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk= ;{id = 42393}\n"
+#endif /* if0 for duplicates and reordering */
+;
+
+/** queries for example.com: zone, query, flags, answer. end with NULL */
+static struct q_ans example_com_queries[] = {
+ { "example.com", "www.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"www.example.com. 3600 IN A 10.0.0.2\n"
+"www.example.com. 3600 IN A 10.0.0.3\n"
+ },
+
+ { "example.com", "example.com. SOA", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"example.com. 3600 IN SOA ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+ },
+
+ { "example.com", "example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"example.com. 3600 IN A 10.0.0.1\n"
+ },
+
+ { "example.com", "example.com. AAAA", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com. 3600 IN SOA ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+ },
+
+ { "example.com", "example.com. NS", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"example.com. 3600 IN NS ns.example.com.\n"
+";additional section\n"
+"ns.example.com. 3600 IN A 10.0.0.5\n"
+ },
+
+ { "example.com", "example.com. MX", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"example.com. 3600 IN MX 50 mail.example.com.\n"
+";additional section\n"
+"mail.example.com. 3600 IN A 10.0.0.4\n"
+ },
+
+ { "example.com", "example.com. IN ANY", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"example.com. 3600 IN SOA ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+"example.com. 3600 IN MX 50 mail.example.com.\n"
+"example.com. 3600 IN A 10.0.0.1\n"
+ },
+
+ { "example.com", "nonexist.example.com. A", "",
+";flags QR AA rcode NXDOMAIN\n"
+";authority section\n"
+"example.com. 3600 IN SOA ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+ },
+
+ { "example.com", "deep.ent.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"deep.ent.example.com. 3600 IN A 10.0.0.9\n"
+ },
+
+ { "example.com", "ent.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com. 3600 IN SOA ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+ },
+
+ { "example.com", "below.deep.ent.example.com. A", "",
+";flags QR AA rcode NXDOMAIN\n"
+";authority section\n"
+"example.com. 3600 IN SOA ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+ },
+
+ { "example.com", "mail.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"mail.example.com. 3600 IN A 10.0.0.4\n"
+ },
+
+ { "example.com", "ns.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"ns.example.com. 3600 IN A 10.0.0.5\n"
+ },
+
+ { "example.com", "out.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"out.example.com. 3600 IN CNAME www.example.com.\n"
+"www.example.com. 3600 IN A 10.0.0.2\n"
+"www.example.com. 3600 IN A 10.0.0.3\n"
+ },
+
+ { "example.com", "out.example.com. CNAME", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"out.example.com. 3600 IN CNAME www.example.com.\n"
+ },
+
+ { "example.com", "plan.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"plan.example.com. 3600 IN CNAME nonexist.example.com.\n"
+ },
+
+ { "example.com", "plan.example.com. CNAME", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"plan.example.com. 3600 IN CNAME nonexist.example.com.\n"
+ },
+
+ { "example.com", "redir.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com. 3600 IN SOA ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+ },
+
+ { "example.com", "redir.example.com. DNAME", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"redir.example.com. 3600 IN DNAME redir.example.org.\n"
+ },
+
+ { "example.com", "abc.redir.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"redir.example.com. 3600 IN DNAME redir.example.org.\n"
+"abc.redir.example.com. 0 IN CNAME abc.redir.example.org.\n"
+ },
+
+ { "example.com", "foo.abc.redir.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"redir.example.com. 3600 IN DNAME redir.example.org.\n"
+"foo.abc.redir.example.com. 0 IN CNAME foo.abc.redir.example.org.\n"
+ },
+
+ { "example.com", "sub.example.com. NS", "",
+";flags QR rcode NOERROR\n"
+";authority section\n"
+"sub.example.com. 3600 IN NS ns1.sub.example.com.\n"
+"sub.example.com. 3600 IN NS ns2.sub.example.com.\n"
+";additional section\n"
+"ns1.sub.example.com. 3600 IN A 10.0.0.6\n"
+"ns2.sub.example.com. 3600 IN AAAA 2001::7\n"
+ },
+
+ { "example.com", "sub.example.com. DS", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com. 3600 IN SOA ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+ },
+
+ { "example.com", "www.sub.example.com. NS", "",
+";flags QR rcode NOERROR\n"
+";authority section\n"
+"sub.example.com. 3600 IN NS ns1.sub.example.com.\n"
+"sub.example.com. 3600 IN NS ns2.sub.example.com.\n"
+";additional section\n"
+"ns1.sub.example.com. 3600 IN A 10.0.0.6\n"
+"ns2.sub.example.com. 3600 IN AAAA 2001::7\n"
+ },
+
+ { "example.com", "foo.abc.sub.example.com. NS", "",
+";flags QR rcode NOERROR\n"
+";authority section\n"
+"sub.example.com. 3600 IN NS ns1.sub.example.com.\n"
+"sub.example.com. 3600 IN NS ns2.sub.example.com.\n"
+";additional section\n"
+"ns1.sub.example.com. 3600 IN A 10.0.0.6\n"
+"ns2.sub.example.com. 3600 IN AAAA 2001::7\n"
+ },
+
+ { "example.com", "ns1.sub.example.com. A", "",
+";flags QR rcode NOERROR\n"
+";authority section\n"
+"sub.example.com. 3600 IN NS ns1.sub.example.com.\n"
+"sub.example.com. 3600 IN NS ns2.sub.example.com.\n"
+";additional section\n"
+"ns1.sub.example.com. 3600 IN A 10.0.0.6\n"
+"ns2.sub.example.com. 3600 IN AAAA 2001::7\n"
+ },
+
+ { "example.com", "ns1.sub.example.com. AAAA", "",
+";flags QR rcode NOERROR\n"
+";authority section\n"
+"sub.example.com. 3600 IN NS ns1.sub.example.com.\n"
+"sub.example.com. 3600 IN NS ns2.sub.example.com.\n"
+";additional section\n"
+"ns1.sub.example.com. 3600 IN A 10.0.0.6\n"
+"ns2.sub.example.com. 3600 IN AAAA 2001::7\n"
+ },
+
+ { "example.com", "ns2.sub.example.com. A", "",
+";flags QR rcode NOERROR\n"
+";authority section\n"
+"sub.example.com. 3600 IN NS ns1.sub.example.com.\n"
+"sub.example.com. 3600 IN NS ns2.sub.example.com.\n"
+";additional section\n"
+"ns1.sub.example.com. 3600 IN A 10.0.0.6\n"
+"ns2.sub.example.com. 3600 IN AAAA 2001::7\n"
+ },
+
+ { "example.com", "ns2.sub.example.com. AAAA", "",
+";flags QR rcode NOERROR\n"
+";authority section\n"
+"sub.example.com. 3600 IN NS ns1.sub.example.com.\n"
+"sub.example.com. 3600 IN NS ns2.sub.example.com.\n"
+";additional section\n"
+"ns1.sub.example.com. 3600 IN A 10.0.0.6\n"
+"ns2.sub.example.com. 3600 IN AAAA 2001::7\n"
+ },
+
+ { "example.com", "wild.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com. 3600 IN SOA ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+ },
+
+ { "example.com", "*.wild.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"*.wild.example.com. 3600 IN A 10.0.0.8\n"
+ },
+
+ { "example.com", "*.wild.example.com. AAAA", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com. 3600 IN SOA ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+ },
+
+ { "example.com", "abc.wild.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"abc.wild.example.com. 3600 IN A 10.0.0.8\n"
+ },
+
+ { "example.com", "abc.wild.example.com. AAAA", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com. 3600 IN SOA ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+ },
+
+ { "example.com", "foo.abc.wild.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"foo.abc.wild.example.com. 3600 IN A 10.0.0.8\n"
+ },
+
+ { "example.com", "foo.abc.wild.example.com. AAAA", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com. 3600 IN SOA ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+ },
+
+ { "example.com", "wild2.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";authority section\n"
+"example.com. 3600 IN SOA ns.example.org. noc.example.org. 2017042710 7200 3600 1209600 3600\n"
+ },
+
+ { "example.com", "*.wild2.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"*.wild2.example.com. 3600 IN CNAME www.example.com.\n"
+"www.example.com. 3600 IN A 10.0.0.2\n"
+"www.example.com. 3600 IN A 10.0.0.3\n"
+ },
+
+ { "example.com", "abc.wild2.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"abc.wild2.example.com. 3600 IN CNAME www.example.com.\n"
+"www.example.com. 3600 IN A 10.0.0.2\n"
+"www.example.com. 3600 IN A 10.0.0.3\n"
+ },
+
+ { "example.com", "foo.abc.wild2.example.com. A", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"foo.abc.wild2.example.com. 3600 IN CNAME www.example.com.\n"
+"www.example.com. 3600 IN A 10.0.0.2\n"
+"www.example.com. 3600 IN A 10.0.0.3\n"
+ },
+
+ { "example.com", "abc.wild2.example.com. CNAME", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"abc.wild2.example.com. 3600 IN CNAME www.example.com.\n"
+ },
+
+ { "example.com", "abc.wild3.example.com. IN ANY", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"abc.wild3.example.com. 3600 IN MX 50 mail.example.com.\n"
+"abc.wild3.example.com. 3600 IN A 10.0.0.8\n"
+ },
+
+ { "example.com", "yy.example.com. TXT", "",
+";flags QR AA rcode NOERROR\n"
+";answer section\n"
+"yy.example.com. 3600 IN TXT \"a\"\n"
+"yy.example.com. 3600 IN TXT \"b\"\n"
+"yy.example.com. 3600 IN TXT \"c\"\n"
+"yy.example.com. 3600 IN TXT \"d\"\n"
+"yy.example.com. 3600 IN TXT \"e\"\n"
+"yy.example.com. 3600 IN TXT \"f\"\n"
+ },
+
+ {NULL, NULL, NULL, NULL}
+};
+
+/** number of tmpfiles */
+static int tempno = 0;
+/** number of deleted files */
+static int delno = 0;
+
+/** cleanup tmp files at exit */
+static void
+tmpfilecleanup(void)
+{
+ int i;
+ char buf[256];
+ for(i=0; i<tempno; i++) {
+ snprintf(buf, sizeof(buf), "/tmp/unbound.unittest.%u.%d",
+ (unsigned)getpid(), i);
+ if(vbmp) printf("cleanup: unlink %s\n", buf);
+ unlink(buf);
+ }
+}
+
+/** create temp file, return (malloced) name string, write contents to it */
+static char*
+create_tmp_file(const char* s)
+{
+ char buf[256];
+ char *fname;
+ FILE *out;
+ size_t r;
+ snprintf(buf, sizeof(buf), "/tmp/unbound.unittest.%u.%d",
+ (unsigned)getpid(), tempno++);
+ fname = strdup(buf);
+ if(!fname) fatal_exit("out of memory");
+ /* if no string, just make the name */
+ if(!s) return fname;
+ /* if string, write to file */
+ out = fopen(fname, "w");
+ if(!out) fatal_exit("cannot open %s: %s", fname, strerror(errno));
+ r = fwrite(s, 1, strlen(s), out);
+ if(r == 0) {
+ fatal_exit("write failed: %s", strerror(errno));
+ } else if(r < strlen(s)) {
+ fatal_exit("write failed: too short (disk full?)");
+ }
+ fclose(out);
+ return fname;
+}
+
+/** delete temp file and free name string */
+static void
+del_tmp_file(char* fname)
+{
+ unlink(fname);
+ free(fname);
+ delno++;
+ if(delno == tempno) {
+ /* deleted all outstanding files, back to start condition */
+ tempno = 0;
+ delno = 0;
+ }
+}
+
+/** Add zone from file for testing */
+static struct auth_zone*
+addzone(struct auth_zones* az, const char* name, char* fname)
+{
+ struct auth_zone* z;
+ size_t nmlen;
+ uint8_t* nm = sldns_str2wire_dname(name, &nmlen);
+ if(!nm) fatal_exit("out of memory");
+ lock_rw_wrlock(&az->lock);
+ z = auth_zone_create(az, nm, nmlen, LDNS_RR_CLASS_IN);
+ lock_rw_unlock(&az->lock);
+ if(!z) fatal_exit("cannot find zone");
+ auth_zone_set_zonefile(z, fname);
+
+ if(!auth_zone_read_zonefile(z)) {
+ fatal_exit("parse failure for auth zone %s", name);
+ }
+ lock_rw_unlock(&z->lock);
+ free(nm);
+ return z;
+}
+
+/** check that file is the same as other file */
+static void
+checkfile(char* f1, char *f2)
+{
+ char buf1[10240], buf2[10240];
+ int line = 0;
+ FILE* i1, *i2;
+ i1 = fopen(f1, "r");
+ if(!i1) fatal_exit("cannot open %s: %s", f1, strerror(errno));
+ i2 = fopen(f2, "r");
+ if(!i2) fatal_exit("cannot open %s: %s", f2, strerror(errno));
+
+ while(!feof(i1) && !feof(i2)) {
+ char* cp1, *cp2;
+ line++;
+ cp1 = fgets(buf1, (int)sizeof(buf1), i1);
+ cp2 = fgets(buf2, (int)sizeof(buf2), i2);
+ if((!cp1 && !feof(i1)) || (!cp2 && !feof(i2)))
+ fatal_exit("fgets failed: %s", strerror(errno));
+ if(strcmp(buf1, buf2) != 0) {
+ log_info("in files %s and %s:%d", f1, f2, line);
+ log_info("'%s'", buf1);
+ log_info("'%s'", buf2);
+ fatal_exit("files are not eqaul");
+ }
+ }
+ unit_assert(feof(i1) && feof(i2));
+
+ fclose(i1);
+ fclose(i2);
+}
+
+/** check that a zone (in string) can be read and reproduced */
+static void
+check_read_exact(const char* name, const char* zone)
+{
+ struct auth_zones* az;
+ struct auth_zone* z;
+ char* fname, *outf;
+ if(vbmp) printf("check read zone %s\n", name);
+ fname = create_tmp_file(zone);
+
+ az = auth_zones_create();
+ unit_assert(az);
+ z = addzone(az, name, fname);
+ unit_assert(z);
+ outf = create_tmp_file(NULL);
+ if(!auth_zone_write_file(z, outf)) {
+ fatal_exit("write file failed for %s", fname);
+ }
+ checkfile(fname, outf);
+
+ del_tmp_file(fname);
+ del_tmp_file(outf);
+ auth_zones_delete(az);
+}
+
+/** parse q_ans structure for making query */
+static void
+q_ans_parse(struct q_ans* q, struct regional* region,
+ struct query_info** qinfo, int* fallback, uint8_t** dp_nm,
+ size_t* dp_nmlen)
+{
+ int ret;
+ uint8_t buf[65535];
+ size_t len, dname_len;
+
+ /* parse flags */
+ *fallback = 0; /* default fallback value */
+ if(strstr(q->flags, "fallback"))
+ *fallback = 1;
+
+ /* parse zone */
+ *dp_nmlen = sizeof(buf);
+ if((ret=sldns_str2wire_dname_buf(q->zone, buf, dp_nmlen))!=0)
+ fatal_exit("cannot parse query dp zone %s : %s", q->zone,
+ sldns_get_errorstr_parse(ret));
+ *dp_nm = regional_alloc_init(region, buf, *dp_nmlen);
+ if(!dp_nm) fatal_exit("out of memory");
+
+ /* parse query */
+ len = sizeof(buf);
+ dname_len = 0;
+ if((ret=sldns_str2wire_rr_question_buf(q->query, buf, &len, &dname_len,
+ *dp_nm, *dp_nmlen, NULL, 0))!=0)
+ fatal_exit("cannot parse query %s : %s", q->query,
+ sldns_get_errorstr_parse(ret));
+ *qinfo = (struct query_info*)regional_alloc_zero(region,
+ sizeof(**qinfo));
+ if(!*qinfo) fatal_exit("out of memory");
+ (*qinfo)->qname = regional_alloc_init(region, buf, dname_len);
+ if(!(*qinfo)->qname) fatal_exit("out of memory");
+ (*qinfo)->qname_len = dname_len;
+ (*qinfo)->qtype = sldns_wirerr_get_type(buf, len, dname_len);
+ (*qinfo)->qclass = sldns_wirerr_get_class(buf, len, dname_len);
+}
+
+/** print flags to string */
+static void
+pr_flags(sldns_buffer* buf, uint16_t flags)
+{
+ char rcode[32];
+ sldns_buffer_printf(buf, ";flags");
+ if((flags&BIT_QR)!=0) sldns_buffer_printf(buf, " QR");
+ if((flags&BIT_AA)!=0) sldns_buffer_printf(buf, " AA");
+ if((flags&BIT_TC)!=0) sldns_buffer_printf(buf, " TC");
+ if((flags&BIT_RD)!=0) sldns_buffer_printf(buf, " RD");
+ if((flags&BIT_CD)!=0) sldns_buffer_printf(buf, " CD");
+ if((flags&BIT_RA)!=0) sldns_buffer_printf(buf, " RA");
+ if((flags&BIT_AD)!=0) sldns_buffer_printf(buf, " AD");
+ if((flags&BIT_Z)!=0) sldns_buffer_printf(buf, " Z");
+ sldns_wire2str_rcode_buf((int)(FLAGS_GET_RCODE(flags)),
+ rcode, sizeof(rcode));
+ sldns_buffer_printf(buf, " rcode %s", rcode);
+ sldns_buffer_printf(buf, "\n");
+}
+
+/** print RRs to string */
+static void
+pr_rrs(sldns_buffer* buf, struct reply_info* rep)
+{
+ char s[65536];
+ size_t i, j;
+ struct packed_rrset_data* d;
+ log_assert(rep->rrset_count == rep->an_numrrsets + rep->ns_numrrsets
+ + rep->ar_numrrsets);
+ for(i=0; i<rep->rrset_count; i++) {
+ /* section heading */
+ if(i == 0 && rep->an_numrrsets != 0)
+ sldns_buffer_printf(buf, ";answer section\n");
+ else if(i == rep->an_numrrsets && rep->ns_numrrsets != 0)
+ sldns_buffer_printf(buf, ";authority section\n");
+ else if(i == rep->an_numrrsets+rep->ns_numrrsets &&
+ rep->ar_numrrsets != 0)
+ sldns_buffer_printf(buf, ";additional section\n");
+ /* spool RRset */
+ d = (struct packed_rrset_data*)rep->rrsets[i]->entry.data;
+ for(j=0; j<d->count+d->rrsig_count; j++) {
+ if(!packed_rr_to_string(rep->rrsets[i], j, 0,
+ s, sizeof(s))) {
+ fatal_exit("could not rr_to_string %d",
+ (int)i);
+ }
+ sldns_buffer_printf(buf, "%s", s);
+ }
+ }
+}
+
+/** create string for message */
+static char*
+msgtostr(struct dns_msg* msg)
+{
+ char* str;
+ sldns_buffer* buf = sldns_buffer_new(65535);
+ if(!buf) fatal_exit("out of memory");
+ pr_flags(buf, msg->rep->flags);
+ pr_rrs(buf, msg->rep);
+
+ str = strdup((char*)sldns_buffer_begin(buf));
+ if(!str) fatal_exit("out of memory");
+ sldns_buffer_free(buf);
+ return str;
+}
+
+/** find line diff between strings */
+static void
+line_diff(const char* p, const char* q, const char* pdesc, const char* qdesc)
+{
+ char* pdup, *qdup, *pl, *ql;
+ int line = 1;
+ pdup = strdup(p);
+ qdup = strdup(q);
+ if(!pdup || !qdup) fatal_exit("out of memory");
+ pl=pdup;
+ ql=qdup;
+ printf("linediff (<%s, >%s)\n", pdesc, qdesc);
+ while(pl && ql && *pl && *ql) {
+ char* ep = strchr(pl, '\n');
+ char* eq = strchr(ql, '\n');
+ /* terminate lines */
+ if(ep) *ep = 0;
+ if(eq) *eq = 0;
+ /* printout */
+ if(strcmp(pl, ql) == 0) {
+ printf("%3d %s\n", line, pl);
+ } else {
+ printf("%3d < %s\n", line, pl);
+ printf("%3d > %s\n", line, ql);
+ }
+ if(ep) *ep = '\n';
+ if(eq) *eq = '\n';
+ if(ep) pl = ep+1;
+ else pl = NULL;
+ if(eq) ql = eq+1;
+ else ql = NULL;
+ line++;
+ }
+ if(pl && *pl) {
+ printf("%3d < %s\n", line, pl);
+ }
+ if(ql && *ql) {
+ printf("%3d > %s\n", line, ql);
+ }
+ free(pdup);
+ free(qdup);
+}
+
+/** make q_ans query */
+static void
+q_ans_query(struct q_ans* q, struct auth_zones* az, struct query_info* qinfo,
+ struct regional* region, int expected_fallback, uint8_t* dp_nm,
+ size_t dp_nmlen)
+{
+ int ret, fallback = 0;
+ struct dns_msg* msg = NULL;
+ char* ans_str;
+ int oldv = verbosity;
+ /* increase verbosity to printout logic in authzone */
+ if(vbmp) verbosity = 4;
+ ret = auth_zones_lookup(az, qinfo, region, &msg, &fallback, dp_nm,
+ dp_nmlen);
+ if(vbmp) verbosity = oldv;
+
+ /* check the answer */
+ ans_str = msgtostr(msg);
+ /* printout if vbmp */
+ if(vbmp) printf("got (ret=%s%s):\n%s",
+ (ret?"ok":"fail"), (fallback?" fallback":""), ans_str);
+ /* check expected value for ret */
+ if(expected_fallback && ret != 0) {
+ /* ret is zero on fallback */
+ if(vbmp) printf("fallback expected, but "
+ "return value is not false\n");
+ unit_assert(expected_fallback && ret == 0);
+ }
+ if(ret == 0) {
+ if(!expected_fallback) {
+ if(vbmp) printf("return value is false, "
+ "(unexpected)\n");
+ }
+ unit_assert(expected_fallback);
+ }
+ /* check expected value for fallback */
+ if(expected_fallback && !fallback) {
+ if(vbmp) printf("expected fallback, but fallback is no\n");
+ } else if(!expected_fallback && fallback) {
+ if(vbmp) printf("expected no fallback, but fallback is yes\n");
+ }
+ unit_assert( (expected_fallback&&fallback) ||
+ (!expected_fallback&&!fallback));
+ /* check answer string */
+ if(strcmp(q->answer, ans_str) != 0) {
+ if(vbmp) printf("wanted:\n%s", q->answer);
+ line_diff(q->answer, ans_str, "wanted", "got");
+ }
+ unit_assert(strcmp(q->answer, ans_str) == 0);
+ if(vbmp) printf("query ok\n\n");
+ free(ans_str);
+}
+
+/** check queries on a loaded zone */
+static void
+check_az_q_ans(struct auth_zones* az, struct q_ans* queries)
+{
+ struct q_ans* q;
+ struct regional* region = regional_create();
+ struct query_info* qinfo;
+ int fallback;
+ uint8_t* dp_nm;
+ size_t dp_nmlen;
+ for(q=queries; q->zone; q++) {
+ if(vbmp) printf("query %s: %s %s\n", q->zone, q->query,
+ q->flags);
+ q_ans_parse(q, region, &qinfo, &fallback, &dp_nm, &dp_nmlen);
+ q_ans_query(q, az, qinfo, region, fallback, dp_nm, dp_nmlen);
+ regional_free_all(region);
+ }
+ regional_destroy(region);
+}
+
+/** check queries for a zone are returned as specified */
+static void
+check_queries(const char* name, const char* zone, struct q_ans* queries)
+{
+ struct auth_zones* az;
+ struct auth_zone* z;
+ char* fname;
+ if(vbmp) printf("check queries %s\n", name);
+ fname = create_tmp_file(zone);
+ az = auth_zones_create();
+ if(!az) fatal_exit("out of memory");
+ z = addzone(az, name, fname);
+ if(!z) fatal_exit("could not read zone for queries test");
+ del_tmp_file(fname);
+
+ /* run queries and test them */
+ check_az_q_ans(az, queries);
+
+ auth_zones_delete(az);
+}
+
+/** Test authzone read from file */
+static void
+authzone_read_test(void)
+{
+ if(vbmp) printf("Testing read auth zone\n");
+ check_read_exact("example.com", zone_example_com);
+}
+
+/** Test authzone query from zone */
+static void
+authzone_query_test(void)
+{
+ if(vbmp) printf("Testing query auth zone\n");
+ check_queries("example.com", zone_example_com, example_com_queries);
+}
+
+/** test authzone code */
+void
+authzone_test(void)
+{
+ unit_show_feature("authzone");
+ atexit(tmpfilecleanup);
+ authzone_read_test();
+ authzone_query_test();
+}
diff --git a/testcode/unitmain.c b/testcode/unitmain.c
index fd56e64d3f5d..d662991bab5d 100644
--- a/testcode/unitmain.c
+++ b/testcode/unitmain.c
@@ -403,6 +403,8 @@ config_tag_test(void)
}
#include "util/rtt.h"
+#include "util/timehist.h"
+#include "libunbound/unbound.h"
/** test RTT code */
static void
rtt_test(void)
@@ -426,6 +428,8 @@ rtt_test(void)
unit_assert( rtt_timeout(&r) > RTT_MIN_TIMEOUT-1);
unit_assert( rtt_timeout(&r) < RTT_MAX_TIMEOUT+1);
}
+ /* must be the same, timehist bucket is used in stats */
+ unit_assert(UB_STATS_BUCKET_NUM == NUM_BUCKETS_HIST);
}
#include "services/cache/infra.h"
@@ -623,6 +627,9 @@ respip_conf_actions_test(void)
}
unit_assert(respip_global_apply_cfg(set, &cfg));
verify_respip_set_actions(set, config_response_ip, clen);
+
+ respip_set_delete(set);
+ config_deldblstrlist(cfg.respip_actions);
}
/** Per-view respip actions test; apply raw configuration with two views
@@ -690,6 +697,12 @@ respip_view_conf_actions_test(void)
unit_assert(v);
verify_respip_set_actions(v->respip_set, config_response_ip_view2, clen2);
lock_rw_unlock(&v->lock);
+
+ views_delete(views);
+ free(cv1->name);
+ free(cv1);
+ free(cv2->name);
+ free(cv2);
}
typedef struct addr_data {char* ip; char* data;} addr_data_t;
@@ -774,6 +787,8 @@ respip_conf_data_test(void)
verify_rrset(set, "192.0.1.0/24", "11.12.13.14", 1, LDNS_RR_TYPE_A);
verify_rrset(set, "192.0.2.0/24", "www.example.com", 0, LDNS_RR_TYPE_CNAME);
verify_rrset(set, "2001:db8:1::/48", "2001:db8:1::2:1", 0, LDNS_RR_TYPE_AAAA);
+
+ respip_set_delete(set);
}
/** Test per-view respip redirect w/ data directives */
@@ -810,6 +825,11 @@ respip_view_conf_data_test(void)
0, LDNS_RR_TYPE_CNAME);
verify_rrset(v->respip_set, "2001:db8:1::/48", "2001:db8:1::2:1",
0, LDNS_RR_TYPE_AAAA);
+ lock_rw_unlock(&v->lock);
+
+ views_delete(views);
+ free(cv->name);
+ free(cv);
}
/** respip unit tests */
@@ -865,6 +885,7 @@ main(int argc, char* argv[])
fatal_exit("could not init NSS");
#endif /* HAVE_SSL or HAVE_NSS*/
checklock_start();
+ authzone_test();
neg_test();
rnd_test();
respip_test();
diff --git a/testcode/unitmain.h b/testcode/unitmain.h
index d81b603b2f6b..e5c6109a2aae 100644
--- a/testcode/unitmain.h
+++ b/testcode/unitmain.h
@@ -78,5 +78,7 @@ void ecs_test(void);
#endif /* CLIENT_SUBNET */
/** unit test for ldns functions */
void ldns_test(void);
+/** unit test for auth zone functions */
+void authzone_test(void);
#endif /* TESTCODE_UNITMAIN_H */
diff --git a/testcode/unitverify.c b/testcode/unitverify.c
index 37994a377c28..e5e5b0f7bacb 100644
--- a/testcode/unitverify.c
+++ b/testcode/unitverify.c
@@ -537,6 +537,11 @@ verify_test(void)
}
dstest_file("testdata/test_ds.sha384");
#endif
+#ifdef USE_ED25519
+ if(dnskey_algo_id_is_supported(LDNS_ED25519)) {
+ verifytest_file("testdata/test_sigs.ed25519", "20170530140439");
+ }
+#endif
#ifdef USE_SHA1
dstest_file("testdata/test_ds.sha1");
#endif
diff --git a/testdata/03-testbound.tpkg b/testdata/03-testbound.tpkg
index 39e62169915b..5db2b7731336 100644
--- a/testdata/03-testbound.tpkg
+++ b/testdata/03-testbound.tpkg
Binary files differ
diff --git a/testdata/05-asynclook.tpkg b/testdata/05-asynclook.tpkg
index 8143b43f4425..e13476ab297c 100644
--- a/testdata/05-asynclook.tpkg
+++ b/testdata/05-asynclook.tpkg
Binary files differ
diff --git a/testdata/08-host-lib.tpkg b/testdata/08-host-lib.tpkg
index 3c7be0e6c17d..818ed5bca19a 100644
--- a/testdata/08-host-lib.tpkg
+++ b/testdata/08-host-lib.tpkg
Binary files differ
diff --git a/testdata/dnscrypt_cert.tpkg b/testdata/dnscrypt_cert.tpkg
index 18b41a27f16d..4263b9347e08 100644
--- a/testdata/dnscrypt_cert.tpkg
+++ b/testdata/dnscrypt_cert.tpkg
Binary files differ
diff --git a/testdata/dnscrypt_cert_chacha.tpkg b/testdata/dnscrypt_cert_chacha.tpkg
new file mode 100644
index 000000000000..4df461f03eac
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tpkg
Binary files differ
diff --git a/testdata/dnscrypt_queries.tpkg b/testdata/dnscrypt_queries.tpkg
index fa3cdca0056c..c856303cd284 100644
--- a/testdata/dnscrypt_queries.tpkg
+++ b/testdata/dnscrypt_queries.tpkg
Binary files differ
diff --git a/testdata/dnscrypt_queries_chacha.tpkg b/testdata/dnscrypt_queries_chacha.tpkg
new file mode 100644
index 000000000000..8cb39dc2c2f5
--- /dev/null
+++ b/testdata/dnscrypt_queries_chacha.tpkg
Binary files differ
diff --git a/testdata/ipsecmod_bogus_ipseckey.crpl b/testdata/ipsecmod_bogus_ipseckey.crpl
new file mode 100644
index 000000000000..1e76af3b963a
--- /dev/null
+++ b/testdata/ipsecmod_bogus_ipseckey.crpl
@@ -0,0 +1,236 @@
+; Test ipsecmod with bogus IPSECKEY
+
+; config options
+; The island of trust is at example.com
+server:
+ trust-anchor: "example.com. IN DS 48069 8 2 fce2bcb0d88b828064faad58e935ca2e32ff0bbd8bd8407a8f344d8f8e8c438a"
+ val-override-date: "-1"
+ target-fetch-policy: "0 0 0 0 0"
+ # test that default value of harden-dnssec-stripped is still yes.
+ fake-sha1: yes
+ access-control: 127.0.0.1 allow_snoop
+ module-config: "ipsecmod validator iterator"
+ ; ../../ is there because the test runs from testdata/03-testbound.dir
+ ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+ ipsecmod-strict: no
+ ipsecmod-max-ttl: 200
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod with bogus IPSECKEY
+; Scenario overview:
+; - query for example.com. IN A
+; - check that query for example.com. IN IPSECKEY is generated
+; - check that we get an answer for example.com. IN A with the correct TTL
+; - check that the get the same answer from cache
+; - check that we don't get the IPSECKEY answer from cache (bogus)
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ a.gtld-servers.net. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ K.ROOT-SERVERS.NET. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ ns.example.com. IN AAAA
+ SECTION AUTHORITY
+ example.com. 86400 IN SOA ns.example.com. example.com. 2002022401 10800 15 604800 10800
+ example.com. 86400 IN RRSIG SOA 8 2 86400 20170609142855 20170512142855 48069 example.com. fr6oVOsRMnm3D8N01LxzPvT9lWdNDhTlmwR1co42c3H2ra1EjbbKqkLcrXQAsq7E/ddzqgL3RnYS+3USojXycI1xhjXC8YT2xsW3uH8uTY1Qvk1K75lu1OXmDiU6wvHplFowl0OX7sx76lB1itbvsau4bMPMt03sf4u8po7V35s=
+ ENTRY_END
+
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 3600 IN A 5.6.7.8
+ example.com. 3600 IN RRSIG A 8 2 3600 20170609142855 20170512142855 48069 example.com. Qviw6w8ReMG2WZxenvzj/YwoeM3Ln59Fnw6s1MRWGsD2yA3+y0loFdUEHZdRhrEiV0kvtQGC+kBhMuSMq/cyjprbKLw5pkS9+MMDDnVPP1PQb17LY4NIxPtq710AN1sjhBK6PVa6XN+3ciUmCcLs1ESviQkVKpgAY/QlV0TaarQ=
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+
+ ; response to IPSECKEY query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION ANSWER
+ example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ ;(correct answer) example.com. 3600 IN RRSIG IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. UqRbG6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
+ ; (bogus answer)
+ example.com. 3600 IN RRSIG IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. Bogus6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+
+; response to DNSKEY priming query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ example.com. IN DNSKEY
+ SECTION ANSWER
+ example.com. 86400 IN DNSKEY 256 3 8 AwEAAddE7q1HL4Id+gpQ7imk+RyNEhCWgtew5tstsqIR/fXq0RBn0rF4SI1H6ysbb3nfqAV1xRDJ01ddpgfGyz9zXXHQ/H/9qEpeWapqfNTQ5GHHdxBL2iST7XusThfXEyX/pouKIpvtknvtLs8tmH64dajxoJkaejU2EKXKaBaRKcYx ;{id = 48069 (zsk), size = 1024b}
+ example.com. 86400 IN RRSIG DNSKEY 8 2 86400 20170609144114 20170512144114 48069 example.com. mJU3LnubfYW7vhksiC1STWbrSjCe6TG1kEpnk4jRrYovues6bzOTIFSXEMjPW1mikulapnx3nMtTWdrW2InjfP9wLV/u2Wx1Vu3s9uzli/27y//3DOkZSeBa5RZdKpC1h8UB5GAxq4MRiSidgEBB1qaDIaE29sWmn9kPHEgNcgI=
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 2 CHECK_OUT_QUERY
+ENTRY_BEGIN
+ MATCH qname qtype opcode
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ENTRY_END
+
+; Query without RD, check if not cached
+STEP 11 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/ipsecmod_enabled.crpl b/testdata/ipsecmod_enabled.crpl
new file mode 100644
index 000000000000..757abb9674f4
--- /dev/null
+++ b/testdata/ipsecmod_enabled.crpl
@@ -0,0 +1,219 @@
+; Test ipsecmod-enabled option.
+
+; config options
+server:
+ access-control: 127.0.0.1 allow_snoop
+ module-config: "ipsecmod validator iterator"
+ ; ../../ is there because the test runs from testdata/03-testbound.dir
+ ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+ ipsecmod-strict: no
+ ipsecmod-max-ttl: 200
+ ipsecmod-enabled: no
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod-enabled option
+; Scenario overview:
+; - query for example.com. IN A
+; - check that we get an answer for example.com. IN A with the correct TTL
+; - check that the get the same answer from cache
+; - check that we don't get the IPSECKEY answer from cache
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ a.gtld-servers.net. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ K.ROOT-SERVERS.NET. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ ns.example.com. IN AAAA
+ SECTION AUTHORITY
+ example.com. 10 IN SOA . . 15 28800 7200 604800 10
+ ENTRY_END
+
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to IPSECKEY query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION ANSWER
+ example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Query without RD, check if cached and with correct TTL
+STEP 11 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Query without RD, check if IPSECKEY cached
+STEP 21 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/ipsecmod_hook.sh b/testdata/ipsecmod_hook.sh
new file mode 100755
index 000000000000..a418cb591fc3
--- /dev/null
+++ b/testdata/ipsecmod_hook.sh
@@ -0,0 +1,2 @@
+echo " ---[ IPsec external hook FAIL; only care if ipsecmod-strict: yes ]---"
+exit 1
diff --git a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl
new file mode 100644
index 000000000000..b977790853e4
--- /dev/null
+++ b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl
@@ -0,0 +1,257 @@
+; Test ipsecmod-ignore-bogus option
+
+; config options
+; The island of trust is at example.com
+server:
+ trust-anchor: "example.com. IN DS 48069 8 2 fce2bcb0d88b828064faad58e935ca2e32ff0bbd8bd8407a8f344d8f8e8c438a"
+ val-override-date: "-1"
+ target-fetch-policy: "0 0 0 0 0"
+ # test that default value of harden-dnssec-stripped is still yes.
+ fake-sha1: yes
+ access-control: 127.0.0.1 allow_snoop
+ module-config: "ipsecmod validator iterator"
+ ; ../../ is there because the test runs from testdata/03-testbound.dir
+ ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+ ipsecmod-strict: no
+ ipsecmod-max-ttl: 200
+ ipsecmod-ignore-bogus: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod-ignore-bogus option
+; Scenario overview:
+; - query for example.com. IN A
+; - check that query for example.com. IN IPSECKEY is generated
+; - check that we get an answer for example.com. IN A with the correct TTL
+; - check that the get the same answer from cache
+; - check that we don't get the IPSECKEY answer from cache (bogus)
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ a.gtld-servers.net. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ K.ROOT-SERVERS.NET. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ ns.example.com. IN AAAA
+ SECTION AUTHORITY
+ example.com. 86400 IN SOA ns.example.com. example.com. 2002022401 10800 15 604800 10800
+ example.com. 86400 IN RRSIG SOA 8 2 86400 20170609142855 20170512142855 48069 example.com. fr6oVOsRMnm3D8N01LxzPvT9lWdNDhTlmwR1co42c3H2ra1EjbbKqkLcrXQAsq7E/ddzqgL3RnYS+3USojXycI1xhjXC8YT2xsW3uH8uTY1Qvk1K75lu1OXmDiU6wvHplFowl0OX7sx76lB1itbvsau4bMPMt03sf4u8po7V35s=
+ ENTRY_END
+
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 3600 IN A 5.6.7.8
+ example.com. 3600 IN RRSIG A 8 2 3600 20170609142855 20170512142855 48069 example.com. Qviw6w8ReMG2WZxenvzj/YwoeM3Ln59Fnw6s1MRWGsD2yA3+y0loFdUEHZdRhrEiV0kvtQGC+kBhMuSMq/cyjprbKLw5pkS9+MMDDnVPP1PQb17LY4NIxPtq710AN1sjhBK6PVa6XN+3ciUmCcLs1ESviQkVKpgAY/QlV0TaarQ=
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+
+ ; response to IPSECKEY query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION ANSWER
+ example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ ;(correct answer) example.com. 3600 IN RRSIG IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. UqRbG6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
+ ; (bogus answer)
+ example.com. 3600 IN RRSIG IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. Bogus6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+
+; response to DNSKEY priming query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ example.com. IN DNSKEY
+ SECTION ANSWER
+ example.com. 86400 IN DNSKEY 256 3 8 AwEAAddE7q1HL4Id+gpQ7imk+RyNEhCWgtew5tstsqIR/fXq0RBn0rF4SI1H6ysbb3nfqAV1xRDJ01ddpgfGyz9zXXHQ/H/9qEpeWapqfNTQ5GHHdxBL2iST7XusThfXEyX/pouKIpvtknvtLs8tmH64dajxoJkaejU2EKXKaBaRKcYx ;{id = 48069 (zsk), size = 1024b}
+ example.com. 86400 IN RRSIG DNSKEY 8 2 86400 20170609144114 20170512144114 48069 example.com. mJU3LnubfYW7vhksiC1STWbrSjCe6TG1kEpnk4jRrYovues6bzOTIFSXEMjPW1mikulapnx3nMtTWdrW2InjfP9wLV/u2Wx1Vu3s9uzli/27y//3DOkZSeBa5RZdKpC1h8UB5GAxq4MRiSidgEBB1qaDIaE29sWmn9kPHEgNcgI=
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 2 CHECK_OUT_QUERY
+ENTRY_BEGIN
+ MATCH qname qtype opcode
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 200 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Query without RD, check if cached and with correct TTL
+STEP 11 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 200 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Query without RD, check if IPSECKEY is not cached
+STEP 21 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/ipsecmod_max_ttl.crpl b/testdata/ipsecmod_max_ttl.crpl
new file mode 100644
index 000000000000..633dbe52832e
--- /dev/null
+++ b/testdata/ipsecmod_max_ttl.crpl
@@ -0,0 +1,228 @@
+; Test ipsecmod-max-ttl option.
+
+; config options
+server:
+ access-control: 127.0.0.1 allow_snoop
+ module-config: "ipsecmod validator iterator"
+ ; ../../ is there because the test runs from testdata/03-testbound.dir
+ ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+ ipsecmod-strict: no
+ ipsecmod-max-ttl: 200
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod-max-ttl option
+; Scenario overview:
+; - query for example.com. IN A
+; - check that query for example.com. IN IPSECKEY is generated
+; - check that we get an answer for example.com. IN A with the correct TTL
+; - check that the get the same answer from cache
+; - check that we get the IPSECKEY answer from cache
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ a.gtld-servers.net. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ K.ROOT-SERVERS.NET. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ ns.example.com. IN AAAA
+ SECTION AUTHORITY
+ example.com. 10 IN SOA . . 15 28800 7200 604800 10
+ ENTRY_END
+
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to IPSECKEY query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION ANSWER
+ example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 2 CHECK_OUT_QUERY
+ENTRY_BEGIN
+ MATCH qname qtype opcode
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 200 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Query without RD, check if cached and with correct TTL
+STEP 11 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 200 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Query without RD, check if IPSECKEY cached
+STEP 21 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION ANSWER
+ example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/ipsecmod_strict.crpl b/testdata/ipsecmod_strict.crpl
new file mode 100644
index 000000000000..1969b3b25081
--- /dev/null
+++ b/testdata/ipsecmod_strict.crpl
@@ -0,0 +1,217 @@
+; Test ipsecmod-strict option
+
+; config options
+server:
+ access-control: 127.0.0.1 allow_snoop
+ module-config: "ipsecmod validator iterator"
+ ; ../../ is there because the test runs from testdata/03-testbound.dir
+ ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+ ipsecmod-strict: yes
+ ipsecmod-max-ttl: 200
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod-strict option
+; Scenario overview:
+; - query for example.com. IN A
+; - check that query for example.com. IN IPSECKEY is generated
+; - check that we get SERVFAIL as answer (the hook failed)
+; - check that the example.com. IN A answer is not cached
+; - check that the example.com. IN IPSECKEY answer is cached
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ a.gtld-servers.net. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ K.ROOT-SERVERS.NET. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ ns.example.com. IN AAAA
+ SECTION AUTHORITY
+ example.com. 10 IN SOA . . 15 28800 7200 604800 10
+ ENTRY_END
+
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to IPSECKEY query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION ANSWER
+ example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 2 CHECK_OUT_QUERY
+ENTRY_BEGIN
+ MATCH qname qtype opcode
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 11 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 21 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN IPSECKEY
+ SECTION ANSWER
+ example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/ipsecmod_whitelist.crpl b/testdata/ipsecmod_whitelist.crpl
new file mode 100644
index 000000000000..a185295fd7bb
--- /dev/null
+++ b/testdata/ipsecmod_whitelist.crpl
@@ -0,0 +1,294 @@
+; Test ipsecmod-whitelist option.
+
+; config options
+server:
+ access-control: 127.0.0.1 allow_snoop
+ module-config: "ipsecmod validator iterator"
+ ; ../../ is there because the test runs from testdata/03-testbound.dir
+ ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
+ ipsecmod-strict: no
+ ipsecmod-max-ttl: 200
+ ipsecmod-whitelist: white.example.com
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ipsecmod-whitelist option
+; Scenario overview:
+; - query for black.example.com. IN A
+; - check that we get an answer for black.example.com. IN A with the correct TTL
+; - check that an answer for black.example.com. IN IPSECKEY is not cached (not given)
+; - query for white.example.com. IN A
+; - check that query for white.example.com. IN IPSECKEY is generated
+; - check that we get an answer for white.example.com. IN A with the correct TTL
+; - check that the get the same answer from cache
+; - check that we get the IPSECKEY answer from cache
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ a.gtld-servers.net. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ K.ROOT-SERVERS.NET. IN AAAA
+ SECTION AUTHORITY
+ . 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ ns.example.com. IN AAAA
+ SECTION AUTHORITY
+ example.com. 10 IN SOA . . 15 28800 7200 604800 10
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ white.example.com. IN A
+ SECTION ANSWER
+ white.example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ white.example.com. IN IPSECKEY
+ SECTION ANSWER
+ white.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ black.example.com. IN A
+ SECTION ANSWER
+ black.example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ black.example.com. IN IPSECKEY
+ SECTION ANSWER
+ black.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ black.example.com. IN A
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ black.example.com. IN A
+ SECTION ANSWER
+ black.example.com. 3600 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 11 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ black.example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ black.example.com. IN IPSECKEY
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ white.example.com. IN A
+ENTRY_END
+
+STEP 21 CHECK_OUT_QUERY
+ENTRY_BEGIN
+ MATCH qname qtype opcode
+ SECTION QUESTION
+ white.example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ white.example.com. IN A
+ SECTION ANSWER
+ white.example.com. 200 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 31 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ white.example.com. IN A
+ENTRY_END
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ white.example.com. IN A
+ SECTION ANSWER
+ white.example.com. 200 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 41 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ white.example.com. IN IPSECKEY
+ENTRY_END
+
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ white.example.com. IN IPSECKEY
+ SECTION ANSWER
+ white.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/iter_stub_leak.rpl b/testdata/iter_stub_leak.rpl
new file mode 100644
index 000000000000..e5c6200060a0
--- /dev/null
+++ b/testdata/iter_stub_leak.rpl
@@ -0,0 +1,220 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129
+stub-zone:
+ name: "example.com"
+ stub-addr: 10.0.1.1
+stub-zone:
+ name: "example.net"
+ stub-addr: 10.0.5.1
+CONFIG_END
+
+SCENARIO_BEGIN Test stub zone leaking to the internet on last resort fallback
+
+; root server
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+
+; root prime
+ENTRY_BEGIN
+MATCH qname qtype
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS k.root-servers.net.
+SECTION ADDITIONAL
+k.root-servers.net. IN A 193.0.14.129
+ENTRY_END
+
+RANGE_END
+
+; stub server for example.com
+RANGE_BEGIN 0 100
+ ADDRESS 10.0.1.1
+
+; subzone is delegated
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+subzone.example.com. IN A
+SECTION AUTHORITY
+subzone.example.com. IN NS sub-ns1.example.com.
+subzone.example.com. IN NS sub-ns2.example.com.
+subzone.example.com. IN NS example.net.
+SECTION ADDITIONAL
+sub-ns1.example.com. IN A 10.0.2.3
+sub-ns2.example.com. IN A 10.0.2.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub-ns1.example.com. IN A
+SECTION ANSWER
+sub-ns1.example.com. IN A 10.0.2.3
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub-ns2.example.com. IN A
+SECTION ANSWER
+sub-ns2.example.com. IN A 10.0.2.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub-ns1.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. 300 SOA master.example.com etc 1 2 3 4 300
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub-ns2.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. 300 SOA master.example.com etc 1 2 3 4 300
+ENTRY_END
+
+RANGE_END
+
+; stub server for example.net
+RANGE_BEGIN 0 100
+ ADDRESS 10.0.5.1
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+example.net. IN NS ns.example.net.
+SECTION ADDITIONAL
+ns.example.net. IN A 10.0.5.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.net. IN A
+SECTION ANSWER
+example.net. IN A 10.0.5.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.net. IN AAAA
+SECTION AUTHORITY
+example.net. 300 SOA master.example.net etc 1 2 3 4 300
+ENTRY_END
+
+RANGE_END
+
+; stub server for subzone.example.com
+RANGE_BEGIN 0 100
+ ADDRESS 10.0.2.3
+; match anything, servfail
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id copy_query
+REPLY QR SERVFAIL
+SECTION QUESTION
+subzone.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+RANGE_END
+
+; stub server for subzone.example.com
+RANGE_BEGIN 0 100
+ ADDRESS 10.0.2.4
+; match anything, servfail
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id copy_query
+REPLY QR SERVFAIL
+SECTION QUESTION
+subzone.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+RANGE_END
+
+; stub server for subzone.example.com
+RANGE_BEGIN 0 100
+ ADDRESS 10.0.5.4
+; match anything, servfail
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id copy_query
+REPLY QR SERVFAIL
+SECTION QUESTION
+subzone.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+RANGE_END
+
+
+; fetch the delegation point for example.net in cache.
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.net. IN NS
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+example.net. IN NS ns.example.net.
+SECTION ADDITIONAL
+ns.example.net. IN A 10.0.5.1
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+whatever.subzone.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+; the query should not leak subzone ns queries to the internet
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+whatever.subzone.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/subnet_max_source.crpl b/testdata/subnet_max_source.crpl
new file mode 100644
index 000000000000..dc4b54217d06
--- /dev/null
+++ b/testdata/subnet_max_source.crpl
@@ -0,0 +1,231 @@
+; When the triggering query includes ECS option, source prefix-length should
+; be set to the shorter of the incoming query or server maximum cacheable prefix
+; length
+
+server:
+ val-override-date: "20070916134226"
+ target-fetch-policy: "0 0 0 0 0"
+ send-client-subnet: 1.2.3.4
+ max-client-subnet-ipv4: 17
+ module-config: "subnetcache validator iterator"
+ verbosity: 3
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test shortest source prefix-length
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id copy_ednsdata_assume_clientsubnet
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id copy_ednsdata_assume_clientsubnet
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 06 ; option length
+ 00 01 ; Family
+ 10 00 ; source mask, scopemask
+ 7f 00 ; address
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; client send /18, we expect /17
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id copy_ednsdata_assume_clientsubnet
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. IN A 10.20.30.50
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ; client is 127.1.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 11 00 ; source mask, scopemask
+ 7f 01 00 ; address
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+ HEX_ANSWER_BEGIN;
+ 00 00 01 00 00 01 00 00 ;ID 0
+ 00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+ 07 65 78 61 6d 70 6c 65
+ 03 63 6f 6d 00 00 01 00
+ 01 00 00 29 10 00 00 00
+ 80 00 00 0a
+
+ 00 08 00 06 ; OPC, optlen
+ 00 01 10 00 ; ip4, scope 16, source 0
+ 7f 00 ;127.0.0.0/16
+ HEX_ANSWER_END
+ENTRY_END
+
+
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ednsdata
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 06 ; option length
+ 00 01 ; Family
+ 10 10 ; source mask, scopemask
+ 7f 00 ; address
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 11 QUERY
+ENTRY_BEGIN
+ HEX_ANSWER_BEGIN;
+ 00 00 01 00 00 01 00 00 ;ID 0
+ 00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+ 07 65 78 61 6d 70 6c 65
+ 03 63 6f 6d 00 00 01 00
+ 01 00 00 29 10 00 00 00
+ 80 00 00 0b
+
+ 00 08 00 07 ; OPC, optlen
+ 00 01 12 00 ; ip4, scope 18, source 0
+ 7f 01 00 ;127.1.0.0/18
+ HEX_ANSWER_END
+ENTRY_END
+
+
+
+; recursion happens here.
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ednsdata
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. IN A 10.20.30.50
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ; client is 127.1.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 12 11 ; source mask, scopemask
+ 7f 01 00 ; address
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+
+SCENARIO_END
diff --git a/testdata/test_ldnsrr.5 b/testdata/test_ldnsrr.5
index 1df86c3bed40..d5f4650a784f 100644
--- a/testdata/test_ldnsrr.5
+++ b/testdata/test_ldnsrr.5
@@ -145,3 +145,9 @@ txt6 IN TXT ("v=DKIM1; k=rsa; g=*; s=email; h=sha1; t=s; p=MIGfMA
example.com. 3600 IN CSYNC 66 3 A NS AAAA
9fe6cbb9e933ad0b8b4fa94066474e091ee8be696c224b1c1678fcec._openpgpkey 3600 IN OPENPGPKEY \# 2221 ( 99020d044d6cf351011000ae2731a071cae66040331dcfffbc1abaea01fba2b3 341ad29f4191e1e2e47514cc595e5d3b59ebd460db81cb04e98a753dae963543 74b8c3a420364960a6c6875e66cea7216327c16996557c4d13e25e236b3714e9 32795be889e8b33a295faf6d9015474cfe9c2643603f1e91e01334011a841909 8e2fc9807285b2195cdbb1a9ae1916a26b9e33b3f91cde2f728aa133464a1099 fc2beecaf8f67ee03a999aa97be89ce4a252f804ce27a9efb7a631ca956bfa99 c51d6beca52af39a93353aac43097671074a4bb5b039eb86e99209989d5b6a4a e22b32c1605e712072926095b4640db4b4d16b54a8139048e25ef0098781e524 4222df9b6a6bf2335942527356a29e1063c5bc1297c051ab969a3e0c01fb15e2 0ea63a06b416d6c96f9794c5d80e97afb249d2b907dc46605f1001019dd62774 4bc2ad73f239cd623f945bf9922ec6ceb607ce8818455173199de1ef555bf3e8 5e9702dcab7a30e5e6c0f6827ce6d550df2ba4fa6ef2ed47bceb916aded25a72 7039a09942a0684897cdf2efc13f5169693c19da94d861be40e8b07fe853d297 8389eba876332be7db146f1ec6a957bfe39ac90514b1f870a5d899bb4e1d97af 49294ad09dede6d5a04abdc29332bbe74cf70393b626c0f4fdfef6ee2b01d8a6 a40750c446e159b44d0a783611585385ba912b771364b6eda8a69680026a6bf2 105692fd6f9a6cf19e09550011010001b42357696c6c656d20546f6f726f7020 3c77696c6c656d406e6c6e65746c6162732e6e6c3e89023e0413010200280502 4d6cf351021b23050909660180060b090807030206150802090a0b0416020301 021e01021780000a0910e5f8f8212f77a4985d5b0ffe289b97f7d8e4e5abc537 8b7d6db7c395f98c3d787e3fb598638c41e889aea40cbe5b3001d947c7184c92 9efe6ad1e32ae9acb0802823870bb149c3a7bdfbb591601d8c099b3bdd3b3ddc cb03b4d611dc741d9c49c3b5b87654a21dfb618cfe6087f172b3dc663a9f4c0d ad81476ebe5b6fd966164383bc39303a66272a3fe6a0b9a813d4e249c6b9dacf 748a49a979b3fa24036e47099e1d24ed3310cc04341e0bf3afd4e365a04cd075 b7d1dff607a3b8738abf885a7dc959251785ca626b8c9b476f44439653615437 c715b1a586236132e1f89b0e4a9d2d84e403e6733c90a96ec041d14994b19ec0 d23153bb94d9059851901353ddb60b9c42edf715af6ee4ef111e5afd56092a1f 7662a72af80f8768425324a8a7335c805a49b1c4d3dc279b69114a5c592638ff 22a963bd34d2d4bcc319972b99c197fa31c21b89e627f36ce811297ff707f53e 6c258dab407b7d618ec296317a565c2c8b740a39244d8f82095842f6f84448dc e29bb292c7e15072b00c04f2a0f4cd700f2e7348b703f74bcb8d5f4235fbd282 4f515852ea9be06255f88d81a5046d1f730e9bf103b3335f5f03d74ac2ec6581 4dd920e985b57a3b4e0c699f3103ab033ccf36a5b037b3668365484b58a4462d 79414d27170c9db4285bec72d24a9654354b996d13c14b2994f6725e36fb766d 57a79ed721c3ca248221390d7d6fa65f867fa6fa1369b9020d044d6cf3510110 00a4ece215b3f782bae8fb6c1e3fdc06d1e6242271f41b073fc7a85237788814 7b7168134e0b753c608d07308f188b9489af34f1dab1bb52fc3968d0a705c30a 35ea0226e7d2608931138d56ccf124a9236276462863a8f1c83b3a640167211d eaaadfc557ff7701cbb1d413259cf3f5b18ec6e615000bb4ab73c75b980615cf a9a7778de3bab318cc448eca044e3fdc95ac63aa2b28846d77fe190fe8fbc3a0 3ece39d38675040ff1be064410faad9fc5a8c2efe02f34cc39f3087d6b2e9346 42995fd5a9f2d3a59302c0cbe1fea01002c7eb64c8c4e5f853b5b17aebc7c722 97380b8df9ec7f32f1766b3d76e186dc582eedd5da955b7cacdb4cca69e99e9b 25d22b157a68c9f828170917709d335a000590f2be22fd7a5ed0ff2432969642 e84978428c1a3c8380bb339d21ce9cb8ce8f4d6bc102b70a56042159f26c85f7 8599f931a73fe159cf4ae34c828e66fe84f648af745b5d2b1022d514901a8e48 c1cdae82205fe21a58cab77bbc8c1dd32a94aaf4954e7695f05b7c40a395e07f 34ee0add218904fcd380bb737be2ec5b148942840c58abfa212c10ad6debb265 23aa040dad2191397deb472f0dbeeceb6afb386b7166754a47216c3629f63633 a02c5fd1c116e46c8a682a163426e556ea5c0ecdb472429c0d51bea5e583f889 e70f831251e8b31c231d2f946de8c31a6550f884ea961dfdf75a2c3e366ad48c b5001101000189022404180102000f05024d6cf351021b0c050909660180000a 0910e5f8f8212f77a498ed740ff8e1cd5baa631d75dff18a2aa27def9c416118 d178092a1c327c3cc641fd74bc976f3a1b5da52b95cfea68618b31f2aaee6f82 f30ed934eb98de0105878a4814fc811139ed4b3aa356e3c962c422f0be4d3d59 f8e9e64913964287282a6519cd0b1f3f03615aea223b276efcbc5cd4921787c1 7f70b0967aefdcc5462344399b4180efd75c1185a83d6b691e660f8210e76624 f1a87d988baf9367d26b84dcb5df8c7303c2947c4c238734addccb7970f6c192 f3f5dd5f75127e289f26b2fda0562b44a032ed45ae1fc855dca67d54125ccd36 c16f207e4389b0f4e5ff45fe60328a53b322534868ff0d3d8aca0bb0781ee1fe 62f2c0e6fc468f57ccf795ced9f2b27e3cb6d16fc417bd4ca969a364dc649ea5 c57f0325205eaa77fd9df84431c3be5329773828d0e32c0011cbb885e7131b44 b1fc5267b0b3ff125e7255c233239fc6e8c8844d613dab76833e49a7d947fae6 b3ceb35b2ddce2a0f71f384f74fecda521ae07ce3332e5eb2c79d100ad8f9ace 2a0067c1b590f61dd18ab021d66605aa745b5944d830de4c9f61dcc889354b1a 6203d918a5c2317b6d5f188d8d0cf6dab11c9578f6f41d3089871bbb2963b114 59ab0b4c4220ddafb14c20ecbacab1cec60a522ecc883bd1d539ca61cdd4933c 412fafd631d03eff23b23a4164729e32236947f622fe79a17493154e9a30b257 e3fdf97f0b2e1b8c65fc85bd98)
+
+test.add.1. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1480584899 300 16 lkEJsjwBeAdfv9RGs6zZrg== 15355 NOERROR 0
+blabla. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1480585012 300 16 k9mSMs2t5vq5FV2DvQvR6g== 59231 NOERROR 0
+blabla. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1480523776 300 16 sBfx00GRs+tfRTm4uRCjyQ== 25791 0 0
+blabla. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1480585449 300 0 59692 BADSIG 0
+blabla. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1480585462 300 16 6wvlG82sEVHyqsTtBLvRQw== 26044 NOERROR 0
diff --git a/testdata/test_ldnsrr.c5 b/testdata/test_ldnsrr.c5
index 6706aa392206..1e292ba6465f 100644
--- a/testdata/test_ldnsrr.c5
+++ b/testdata/test_ldnsrr.c5
@@ -111,19 +111,19 @@ host1.blaat.nl. 3600 IN L64 10 2001:0db8:1140:1000
05686F73743105626C616174026E6C00006B000100000E100018000A0B6C36342D7375626E65743105626C616174026E6C00
host1.blaat.nl. 3600 IN LP 10 l64-subnet1.blaat.nl.
03636161000101000100000E1000150005697373756563612E6578616D706C652E6E6574
-caa. 3600 IN CAA \# 21 0005697373756563612E6578616D706C652E6E6574
+caa. 3600 IN CAA 0 issue "ca.example.net"
03636161000101000100000E1000220005696F6465666D61696C746F3A7365637572697479406578616D706C652E636F6D
-caa. 3600 IN CAA \# 34 0005696F6465666D61696C746F3A7365637572697479406578616D706C652E636F6D
+caa. 3600 IN CAA 0 iodef "mailto:security@example.com"
03636161000101000100000E1000200005696F646566687474703A2F2F696F6465662E6578616D706C652E636F6D2F
-caa. 3600 IN CAA \# 32 0005696F646566687474703A2F2F696F6465662E6578616D706C652E636F6D2F
+caa. 3600 IN CAA 0 iodef "http://iodef.example.com/"
03636161000101000100000E1000250005697373756563612E6578616D706C652E6E65743B206163636F756E743D323330313233
-caa. 3600 IN CAA \# 37 0005697373756563612E6578616D706C652E6E65743B206163636F756E743D323330313233
+caa. 3600 IN CAA 0 issue "ca.example.net; account=230123"
03636161000101000100000E1000200005697373756563612E6578616D706C652E6E65743B20706F6C6963793D6576
-caa. 3600 IN CAA \# 32 0005697373756563612E6578616D706C652E6E65743B20706F6C6963793D6576
+caa. 3600 IN CAA 0 issue "ca.example.net; policy=ev"
03636161000101000100000E10000C8003746273556E6B6E6F776E
-caa. 3600 IN CAA \# 12 8003746273556E6B6E6F776E
+caa. 3600 IN CAA 128 tbs "Unknown"
03636161000101000100000E100046020461757468303E3039060A2B06010401D67902030106096086480165030402010420614829C81B958911F81164D40DCDBFD49D66CEB3B3442FF6C9C3A912F9497566020100
-caa. 3600 IN CAA \# 70 020461757468303E3039060A2B06010401D67902030106096086480165030402010420614829C81B958911F81164D40DCDBFD49D66CEB3B3442FF6C9C3A912F9497566020100
+caa. 3600 IN CAA 2 auth "0>09\006\010+\006\001\004\001\214y\002\003\001\006 `\134H\001e\003\004\002\001\004 aH)\200\027\149\137\017\248\017d\212\013\205\191\212\157f\206\179\179D/\246\201\195\169\018\249Iuf\002\001\000"
05657569343800006C000100000E10000600005E90012A
eui48. 3600 IN EUI48 00-00-5e-90-01-2a
05657569363400006D000100000E10000800005EEF0000002A
@@ -178,3 +178,13 @@ txt6. 3600 IN TXT "v=DKIM1; k=rsa; g=*; s=email; h=sha1; t=s; p=MIGfMA0GCSqGSIb3
example.com. 3600 IN CSYNC 66 3 A NS AAAA
3839666536636262396539333361643062386234666139343036363437346530393165653862653639366332323462316331363738666365630B5F6F70656E7067706B657900003D000100000E1008AD99020D044D6CF351011000AE2731A071CAE66040331DCFFFBC1ABAEA01FBA2B3341AD29F4191E1E2E47514CC595E5D3B59EBD460DB81CB04E98A753DAE96354374B8C3A420364960A6C6875E66CEA7216327C16996557C4D13E25E236B3714E932795BE889E8B33A295FAF6D9015474CFE9C2643603F1E91E01334011A8419098E2FC9807285B2195CDBB1A9AE1916A26B9E33B3F91CDE2F728AA133464A1099FC2BEECAF8F67EE03A999AA97BE89CE4A252F804CE27A9EFB7A631CA956BFA99C51D6BECA52AF39A93353AAC43097671074A4BB5B039EB86E99209989D5B6A4AE22B32C1605E712072926095B4640DB4B4D16B54A8139048E25EF0098781E5244222DF9B6A6BF2335942527356A29E1063C5BC1297C051AB969A3E0C01FB15E20EA63A06B416D6C96F9794C5D80E97AFB249D2B907DC46605F1001019DD627744BC2AD73F239CD623F945BF9922EC6CEB607CE8818455173199DE1EF555BF3E85E9702DCAB7A30E5E6C0F6827CE6D550DF2BA4FA6EF2ED47BCEB916ADED25A727039A09942A0684897CDF2EFC13F5169693C19DA94D861BE40E8B07FE853D2978389EBA876332BE7DB146F1EC6A957BFE39AC90514B1F870A5D899BB4E1D97AF49294AD09DEDE6D5A04ABDC29332BBE74CF70393B626C0F4FDFEF6EE2B01D8A6A40750C446E159B44D0A783611585385BA912B771364B6EDA8A69680026A6BF2105692FD6F9A6CF19E09550011010001B42357696C6C656D20546F6F726F70203C77696C6C656D406E6C6E65746C6162732E6E6C3E89023E04130102002805024D6CF351021B23050909660180060B090807030206150802090A0B0416020301021E01021780000A0910E5F8F8212F77A4985D5B0FFE289B97F7D8E4E5ABC5378B7D6DB7C395F98C3D787E3FB598638C41E889AEA40CBE5B3001D947C7184C929EFE6AD1E32AE9ACB0802823870BB149C3A7BDFBB591601D8C099B3BDD3B3DDCCB03B4D611DC741D9C49C3B5B87654A21DFB618CFE6087F172B3DC663A9F4C0DAD81476EBE5B6FD966164383BC39303A66272A3FE6A0B9A813D4E249C6B9DACF748A49A979B3FA24036E47099E1D24ED3310CC04341E0BF3AFD4E365A04CD075B7D1DFF607A3B8738ABF885A7DC959251785CA626B8C9B476F44439653615437C715B1A586236132E1F89B0E4A9D2D84E403E6733C90A96EC041D14994B19EC0D23153BB94D9059851901353DDB60B9C42EDF715AF6EE4EF111E5AFD56092A1F7662A72AF80F8768425324A8A7335C805A49B1C4D3DC279B69114A5C592638FF22A963BD34D2D4BCC319972B99C197FA31C21B89E627F36CE811297FF707F53E6C258DAB407B7D618EC296317A565C2C8B740A39244D8F82095842F6F84448DCE29BB292C7E15072B00C04F2A0F4CD700F2E7348B703F74BCB8D5F4235FBD2824F515852EA9BE06255F88D81A5046D1F730E9BF103B3335F5F03D74AC2EC65814DD920E985B57A3B4E0C699F3103AB033CCF36A5B037B3668365484B58A4462D79414D27170C9DB4285BEC72D24A9654354B996D13C14B2994F6725E36FB766D57A79ED721C3CA248221390D7D6FA65F867FA6FA1369B9020D044D6CF351011000A4ECE215B3F782BAE8FB6C1E3FDC06D1E6242271F41B073FC7A852377888147B7168134E0B753C608D07308F188B9489AF34F1DAB1BB52FC3968D0A705C30A35EA0226E7D2608931138D56CCF124A9236276462863A8F1C83B3A640167211DEAAADFC557FF7701CBB1D413259CF3F5B18EC6E615000BB4AB73C75B980615CFA9A7778DE3BAB318CC448ECA044E3FDC95AC63AA2B28846D77FE190FE8FBC3A03ECE39D38675040FF1BE064410FAAD9FC5A8C2EFE02F34CC39F3087D6B2E934642995FD5A9F2D3A59302C0CBE1FEA01002C7EB64C8C4E5F853B5B17AEBC7C72297380B8DF9EC7F32F1766B3D76E186DC582EEDD5DA955B7CACDB4CCA69E99E9B25D22B157A68C9F828170917709D335A000590F2BE22FD7A5ED0FF2432969642E84978428C1A3C8380BB339D21CE9CB8CE8F4D6BC102B70A56042159F26C85F78599F931A73FE159CF4AE34C828E66FE84F648AF745B5D2B1022D514901A8E48C1CDAE82205FE21A58CAB77BBC8C1DD32A94AAF4954E7695F05B7C40A395E07F34EE0ADD218904FCD380BB737BE2EC5B148942840C58ABFA212C10AD6DEBB26523AA040DAD2191397DEB472F0DBEECEB6AFB386B7166754A47216C3629F63633A02C5FD1C116E46C8A682A163426E556EA5C0ECDB472429C0D51BEA5E583F889E70F831251E8B31C231D2F946DE8C31A6550F884EA961DFDF75A2C3E366AD48CB5001101000189022404180102000F05024D6CF351021B0C050909660180000A0910E5F8F8212F77A498ED740FF8E1CD5BAA631D75DFF18A2AA27DEF9C416118D178092A1C327C3CC641FD74BC976F3A1B5DA52B95CFEA68618B31F2AAEE6F82F30ED934EB98DE0105878A4814FC811139ED4B3AA356E3C962C422F0BE4D3D59F8E9E64913964287282A6519CD0B1F3F03615AEA223B276EFCBC5CD4921787C17F70B0967AEFDCC5462344399B4180EFD75C1185A83D6B691E660F8210E76624F1A87D988BAF9367D26B84DCB5DF8C7303C2947C4C238734ADDCCB7970F6C192F3F5DD5F75127E289F26B2FDA0562B44A032ED45AE1FC855DCA67D54125CCD36C16F207E4389B0F4E5FF45FE60328A53B322534868FF0D3D8ACA0BB0781EE1FE62F2C0E6FC468F57CCF795CED9F2B27E3CB6D16FC417BD4CA969A364DC649EA5C57F0325205EAA77FD9DF84431C3BE5329773828D0E32C0011CBB885E7131B44B1FC5267B0B3FF125E7255C233239FC6E8C8844D613DAB76833E49A7D947FAE6B3CEB35B2DDCE2A0F71F384F74FECDA521AE07CE3332E5EB2C79D100AD8F9ACE2A0067C1B590F61DD18AB021D66605AA745B5944D830DE4C9F61DCC889354B1A6203D918A5C2317B6D5F188D8D0CF6DAB11C9578F6F41D3089871BBB2963B11459AB0B4C4220DDAFB14C20ECBACAB1CEC60A522ECC883BD1D539CA61CDD4933C412FAFD631D03EFF23B23A4164729E32236947F622FE79A17493154E9A30B257E3FDF97F0B2E1B8C65FC85BD98
9fe6cbb9e933ad0b8b4fa94066474e091ee8be696c224b1c1678fcec._openpgpkey. 3600 IN OPENPGPKEY mQINBE1s81EBEACuJzGgccrmYEAzHc//vBq66gH7orM0GtKfQZHh4uR1FMxZXl07WevUYNuBywTpinU9rpY1Q3S4w6QgNklgpsaHXmbOpyFjJ8FpllV8TRPiXiNrNxTpMnlb6InoszopX69tkBVHTP6cJkNgPx6R4BM0ARqEGQmOL8mAcoWyGVzbsamuGRaia54zs/kc3i9yiqEzRkoQmfwr7sr49n7gOpmaqXvonOSiUvgEziep77emMcqVa/qZxR1r7KUq85qTNTqsQwl2cQdKS7WwOeuG6ZIJmJ1bakriKzLBYF5xIHKSYJW0ZA20tNFrVKgTkEjiXvAJh4HlJEIi35tqa/IzWUJSc1ainhBjxbwSl8BRq5aaPgwB+xXiDqY6BrQW1slvl5TF2A6Xr7JJ0rkH3EZgXxABAZ3WJ3RLwq1z8jnNYj+UW/mSLsbOtgfOiBhFUXMZneHvVVvz6F6XAtyrejDl5sD2gnzm1VDfK6T6bvLtR7zrkWre0lpycDmgmUKgaEiXzfLvwT9RaWk8GdqU2GG+QOiwf+hT0peDieuodjMr59sUbx7GqVe/45rJBRSx+HCl2Jm7Th2Xr0kpStCd7ebVoEq9wpMyu+dM9wOTtibA9P3+9u4rAdimpAdQxEbhWbRNCng2EVhThbqRK3cTZLbtqKaWgAJqa/IQVpL9b5ps8Z4JVQARAQABtCNXaWxsZW0gVG9vcm9wIDx3aWxsZW1AbmxuZXRsYWJzLm5sPokCPgQTAQIAKAUCTWzzUQIbIwUJCWYBgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ5fj4IS93pJhdWw/+KJuX99jk5avFN4t9bbfDlfmMPXh+P7WYY4xB6ImupAy+WzAB2UfHGEySnv5q0eMq6aywgCgjhwuxScOnvfu1kWAdjAmbO907PdzLA7TWEdx0HZxJw7W4dlSiHfthjP5gh/Fys9xmOp9MDa2BR26+W2/ZZhZDg7w5MDpmJyo/5qC5qBPU4knGudrPdIpJqXmz+iQDbkcJnh0k7TMQzAQ0Hgvzr9TjZaBM0HW30d/2B6O4c4q/iFp9yVklF4XKYmuMm0dvREOWU2FUN8cVsaWGI2Ey4fibDkqdLYTkA+ZzPJCpbsBB0UmUsZ7A0jFTu5TZBZhRkBNT3bYLnELt9xWvbuTvER5a/VYJKh92Yqcq+A+HaEJTJKinM1yAWkmxxNPcJ5tpEUpcWSY4/yKpY7000tS8wxmXK5nBl/oxwhuJ5ifzbOgRKX/3B/U+bCWNq0B7fWGOwpYxelZcLIt0CjkkTY+CCVhC9vhESNzim7KSx+FQcrAMBPKg9M1wDy5zSLcD90vLjV9CNfvSgk9RWFLqm+BiVfiNgaUEbR9zDpvxA7MzX18D10rC7GWBTdkg6YW1ejtODGmfMQOrAzzPNqWwN7Nmg2VIS1ikRi15QU0nFwydtChb7HLSSpZUNUuZbRPBSymU9nJeNvt2bVenntchw8okgiE5DX1vpl+Gf6b6E2m5Ag0ETWzzUQEQAKTs4hWz94K66PtsHj/cBtHmJCJx9BsHP8eoUjd4iBR7cWgTTgt1PGCNBzCPGIuUia808dqxu1L8OWjQpwXDCjXqAibn0mCJMRONVszxJKkjYnZGKGOo8cg7OmQBZyEd6qrfxVf/dwHLsdQTJZzz9bGOxuYVAAu0q3PHW5gGFc+pp3eN47qzGMxEjsoETj/claxjqisohG13/hkP6PvDoD7OOdOGdQQP8b4GRBD6rZ/FqMLv4C80zDnzCH1rLpNGQplf1any06WTAsDL4f6gEALH62TIxOX4U7WxeuvHxyKXOAuN+ex/MvF2az124YbcWC7t1dqVW3ys20zKaememyXSKxV6aMn4KBcJF3CdM1oABZDyviL9el7Q/yQylpZC6El4QowaPIOAuzOdIc6cuM6PTWvBArcKVgQhWfJshfeFmfkxpz/hWc9K40yCjmb+hPZIr3RbXSsQItUUkBqOSMHNroIgX+IaWMq3e7yMHdMqlKr0lU52lfBbfECjleB/NO4K3SGJBPzTgLtze+LsWxSJQoQMWKv6ISwQrW3rsmUjqgQNrSGROX3rRy8Nvuzravs4a3FmdUpHIWw2KfY2M6AsX9HBFuRsimgqFjQm5VbqXA7NtHJCnA1RvqXlg/iJ5w+DElHosxwjHS+UbejDGmVQ+ITqlh3991osPjZq1Iy1ABEBAAGJAiQEGAECAA8FAk1s81ECGwwFCQlmAYAACgkQ5fj4IS93pJjtdA/44c1bqmMddd/xiiqife+cQWEY0XgJKhwyfDzGQf10vJdvOhtdpSuVz+poYYsx8qrub4LzDtk065jeAQWHikgU/IEROe1LOqNW48lixCLwvk09Wfjp5kkTlkKHKCplGc0LHz8DYVrqIjsnbvy8XNSSF4fBf3Cwlnrv3MVGI0Q5m0GA79dcEYWoPWtpHmYPghDnZiTxqH2Yi6+TZ9JrhNy134xzA8KUfEwjhzSt3Mt5cPbBkvP13V91En4onyay/aBWK0SgMu1Frh/IVdymfVQSXM02wW8gfkOJsPTl/0X+YDKKU7MiU0ho/w09isoLsHge4f5i8sDm/EaPV8z3lc7Z8rJ+PLbRb8QXvUypaaNk3GSepcV/AyUgXqp3/Z34RDHDvlMpdzgo0OMsABHLuIXnExtEsfxSZ7Cz/xJeclXCMyOfxujIhE1hPat2gz5Jp9lH+uazzrNbLdzioPcfOE90/s2lIa4HzjMy5essedEArY+azioAZ8G1kPYd0YqwIdZmBap0W1lE2DDeTJ9h3MiJNUsaYgPZGKXCMXttXxiNjQz22rEclXj29B0wiYcbuyljsRRZqwtMQiDdr7FMIOy6yrHOxgpSLsyIO9HVOcphzdSTPEEvr9Yx0D7/I7I6QWRynjIjaUf2Iv55oXSTFU6aMLJX4/35fwsuG4xl/IW9mA==
+04746573740361646401310000FA00FF00000000003A08686D61632D6D6435077369672D616C670372656703696E74000000583FEEC3012C0010964109B23C0178075FBFD446B3ACD9AE3BFB00000000
+test.add.1. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1480584899 300 16 lkEJsjwBeAdfv9RGs6zZrg== 15355 NOERROR 0
+06626C61626C610000FA00FF00000000003A08686D61632D6D6435077369672D616C670372656703696E74000000583FEF34012C001093D99232CDADE6FAB9155D83BD0BD1EAE75F00000000
+blabla. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1480585012 300 16 k9mSMs2t5vq5FV2DvQvR6g== 59231 NOERROR 0
+06626C61626C610000FA00FF00000000003A08686D61632D6D6435077369672D616C670372656703696E74000000583F0000012C0010B017F1D34191B3EB5F4539B8B910A3C964BF00000000
+blabla. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1480523776 300 16 sBfx00GRs+tfRTm4uRCjyQ== 25791 NOERROR 0
+06626C61626C610000FA00FF00000000002A08686D61632D6D6435077369672D616C670372656703696E74000000583FF0E9012C0000E92C00100000
+blabla. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1480585449 300 0 59692 BADSIG 0
+06626C61626C610000FA00FF00000000003A08686D61632D6D6435077369672D616C670372656703696E74000000583FF0F6012C0010EB0BE51BCDAC1151F2AAC4ED04BBD14365BC00000000
+blabla. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1480585462 300 16 6wvlG82sEVHyqsTtBLvRQw== 26044 NOERROR 0
diff --git a/testdata/test_sigs.ed25519 b/testdata/test_sigs.ed25519
new file mode 100644
index 000000000000..b1592251e748
--- /dev/null
+++ b/testdata/test_sigs.ed25519
@@ -0,0 +1,21 @@
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification.
+; later entries are verified with it.
+
+ENTRY_BEGIN
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com. 3600 IN DNSKEY 256 3 15 +sZnc8HII6xxA9Ili5bboiKH0Ipv/Ap1aucIt/CVF2M= ;{id = 57147 (zsk), size = 256b}
+ENTRY_END
+
+; entry to test
+ENTRY_BEGIN
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 3600 IN A 10.0.0.1
+www.example.com. 3600 IN RRSIG A 15 3 3600 20170627103620 20170530103620 57147 example.com. daYG6zZJ3BJwGOS4PC0tDnxssVNYoenOHocoIfx0GeXNkKHSyXF+XHgD5LKbG3ZN0dZJ/4To5eni9QXOXiR4CA==
+ENTRY_END
+
diff --git a/util/config_file.c b/util/config_file.c
index af176929dc35..d0fdb2daaa25 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -178,6 +178,7 @@ config_create(void)
cfg->forwards = NULL;
#ifdef CLIENT_SUBNET
cfg->client_subnet = NULL;
+ cfg->client_subnet_zone = NULL;
cfg->client_subnet_opcode = LDNS_EDNS_CLIENT_SUBNET;
cfg->client_subnet_always_forward = 0;
cfg->max_client_subnet_ipv4 = 24;
@@ -206,6 +207,7 @@ config_create(void)
cfg->trust_anchor_file_list = NULL;
cfg->trust_anchor_list = NULL;
cfg->trusted_keys_file_list = NULL;
+ cfg->trust_anchor_signaling = 0;
cfg->dlv_anchor_file = NULL;
cfg->dlv_anchor_list = NULL;
cfg->domain_insecure = NULL;
@@ -227,6 +229,7 @@ config_create(void)
cfg->neg_cache_size = 1 * 1024 * 1024;
cfg->local_zones = NULL;
cfg->local_zones_nodefault = NULL;
+ cfg->local_zones_disable_default = 0;
cfg->local_data = NULL;
cfg->local_zone_overrides = NULL;
cfg->unblock_lan_zones = 0;
@@ -279,6 +282,14 @@ config_create(void)
cfg->dnscrypt_provider = NULL;
cfg->dnscrypt_provider_cert = NULL;
cfg->dnscrypt_secret_key = NULL;
+#ifdef USE_IPSECMOD
+ cfg->ipsecmod_enabled = 1;
+ cfg->ipsecmod_ignore_bogus = 0;
+ cfg->ipsecmod_hook = NULL;
+ cfg->ipsecmod_max_ttl = 3600;
+ cfg->ipsecmod_whitelist = NULL;
+ cfg->ipsecmod_strict = 0;
+#endif
return cfg;
error_exit:
config_delete(cfg);
@@ -480,6 +491,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_STRLIST("trust-anchor-file:", trust_anchor_file_list)
else S_STRLIST("trust-anchor:", trust_anchor_list)
else S_STRLIST("trusted-keys-file:", trusted_keys_file_list)
+ else S_YNO("trust-anchor-signaling:", trust_anchor_signaling)
else S_STR("dlv-anchor-file:", dlv_anchor_file)
else S_STRLIST("dlv-anchor:", dlv_anchor_list)
else S_STRLIST("domain-insecure:", domain_insecure)
@@ -523,6 +535,33 @@ int config_set_option(struct config_file* cfg, const char* opt,
/* No client-subnet-always-forward here, module registration depends on
* this option. */
#endif
+#ifdef USE_DNSTAP
+ else S_YNO("dnstap-enable:", dnstap)
+ else S_STR("dnstap-socket-path:", dnstap_socket_path)
+ else S_YNO("dnstap-send-identity:", dnstap_send_identity)
+ else S_YNO("dnstap-send-version:", dnstap_send_version)
+ else S_STR("dnstap-identity:", dnstap_identity)
+ else S_STR("dnstap-version:", dnstap_version)
+ else S_YNO("dnstap-log-resolver-query-messages:",
+ dnstap_log_resolver_query_messages)
+ else S_YNO("dnstap-log-resolver-response-messages:",
+ dnstap_log_resolver_response_messages)
+ else S_YNO("dnstap-log-client-query-messages:",
+ dnstap_log_client_query_messages)
+ else S_YNO("dnstap-log-client-response-messages:",
+ dnstap_log_client_response_messages)
+ else S_YNO("dnstap-log-forwarder-query-messages:",
+ dnstap_log_forwarder_query_messages)
+ else S_YNO("dnstap-log-forwarder-response-messages:",
+ dnstap_log_forwarder_response_messages)
+#endif
+#ifdef USE_DNSCRYPT
+ else S_YNO("dnscrypt-enable:", dnscrypt)
+ else S_NUMBER_NONZERO("dnscrypt-port:", dnscrypt_port)
+ else S_STR("dnscrypt-provider:", dnscrypt_provider)
+ else S_STRLIST("dnscrypt-provider-cert:", dnscrypt_provider_cert)
+ else S_STRLIST("dnscrypt-secret-key:", dnscrypt_secret_key)
+#endif
else if(strcmp(opt, "ip-ratelimit:") == 0) {
IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val);
infra_ip_ratelimit=cfg->ip_ratelimit;
@@ -539,6 +578,13 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
else S_YNO("qname-minimisation:", qname_minimisation)
else S_YNO("qname-minimisation-strict:", qname_minimisation_strict)
+#ifdef USE_IPSECMOD
+ else S_YNO("ipsecmod-enabled:", ipsecmod_enabled)
+ else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus)
+ else if(strcmp(opt, "ipsecmod-max-ttl:") == 0)
+ { IS_NUMBER_OR_ZERO; cfg->ipsecmod_max_ttl = atoi(val); }
+ else S_YNO("ipsecmod-strict:", ipsecmod_strict)
+#endif
else if(strcmp(opt, "define-tag:") ==0) {
return config_add_tag(cfg, val);
/* val_sig_skew_min and max are copied into val_env during init,
@@ -560,15 +606,16 @@ int config_set_option(struct config_file* cfg, const char* opt,
cfg->out_ifs = oi;
} else {
/* unknown or unsupported (from the set_option interface):
- * interface, outgoing-interface, access-control,
+ * interface, outgoing-interface, access-control,
* stub-zone, name, stub-addr, stub-host, stub-prime
* forward-first, stub-first, forward-ssl-upstream,
* stub-ssl-upstream, forward-zone,
* name, forward-addr, forward-host,
* ratelimit-for-domain, ratelimit-below-domain,
- * local-zone-tag, access-control-view
- * send-client-subnet client-subnet-always-forward
- * max-client-subnet-ipv4 max-client-subnet-ipv6 */
+ * local-zone-tag, access-control-view,
+ * send-client-subnet, client-subnet-always-forward,
+ * max-client-subnet-ipv4, max-client-subnet-ipv6, ipsecmod_hook,
+ * ipsecmod_whitelist. */
return 0;
}
return 1;
@@ -834,6 +881,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_LST(opt, "trust-anchor-file", trust_anchor_file_list)
else O_LST(opt, "trust-anchor", trust_anchor_list)
else O_LST(opt, "trusted-keys-file", trusted_keys_file_list)
+ else O_YNO(opt, "trust-anchor-signaling", trust_anchor_signaling)
else O_LST(opt, "dlv-anchor", dlv_anchor_list)
else O_LST(opt, "control-interface", control_ifs)
else O_LST(opt, "domain-insecure", domain_insecure)
@@ -842,11 +890,39 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin)
#ifdef CLIENT_SUBNET
else O_LST(opt, "send-client-subnet", client_subnet)
+ else O_LST(opt, "client-subnet-zone", client_subnet_zone)
else O_DEC(opt, "max-client-subnet-ipv4", max_client_subnet_ipv4)
else O_DEC(opt, "max-client-subnet-ipv6", max_client_subnet_ipv6)
else O_YNO(opt, "client-subnet-always-forward:",
client_subnet_always_forward)
#endif
+#ifdef USE_DNSTAP
+ else O_YNO(opt, "dnstap-enable", dnstap)
+ else O_STR(opt, "dnstap-socket-path", dnstap_socket_path)
+ else O_YNO(opt, "dnstap-send-identity", dnstap_send_identity)
+ else O_YNO(opt, "dnstap-send-version", dnstap_send_version)
+ else O_STR(opt, "dnstap-identity", dnstap_identity)
+ else O_STR(opt, "dnstap-version", dnstap_version)
+ else O_YNO(opt, "dnstap-log-resolver-query-messages",
+ dnstap_log_resolver_query_messages)
+ else O_YNO(opt, "dnstap-log-resolver-response-messages",
+ dnstap_log_resolver_response_messages)
+ else O_YNO(opt, "dnstap-log-client-query-messages",
+ dnstap_log_client_query_messages)
+ else O_YNO(opt, "dnstap-log-client-response-messages",
+ dnstap_log_client_response_messages)
+ else O_YNO(opt, "dnstap-log-forwarder-query-messages",
+ dnstap_log_forwarder_query_messages)
+ else O_YNO(opt, "dnstap-log-forwarder-response-messages",
+ dnstap_log_forwarder_response_messages)
+#endif
+#ifdef USE_DNSCRYPT
+ else O_YNO(opt, "dnscrypt-enable", dnscrypt)
+ else O_DEC(opt, "dnscrypt-port", dnscrypt_port)
+ else O_STR(opt, "dnscrypt-provider", dnscrypt_provider)
+ else O_LST(opt, "dnscrypt-provider-cert", dnscrypt_provider_cert)
+ else O_LST(opt, "dnscrypt-secret-key", dnscrypt_secret_key)
+#endif
else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
else O_DEC(opt, "max-udp-size", max_udp_size)
@@ -874,6 +950,14 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_LS3(opt, "access-control-tag-action", acl_tag_actions)
else O_LS3(opt, "access-control-tag-data", acl_tag_datas)
else O_LS2(opt, "access-control-view", acl_view)
+#ifdef USE_IPSECMOD
+ else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled)
+ else O_YNO(opt, "ipsecmod-ignore-bogus", ipsecmod_ignore_bogus)
+ else O_STR(opt, "ipsecmod-hook", ipsecmod_hook)
+ else O_DEC(opt, "ipsecmod-max-ttl", ipsecmod_max_ttl)
+ else O_LST(opt, "ipsecmod-whitelist", ipsecmod_whitelist)
+ else O_YNO(opt, "ipsecmod-strict", ipsecmod_strict)
+#endif
/* not here:
* outgoing-permit, outgoing-avoid - have list of ports
* local-zone - zones and nodefault variables
@@ -1131,11 +1215,13 @@ config_delete(struct config_file* cfg)
config_delstrlist(cfg->root_hints);
#ifdef CLIENT_SUBNET
config_delstrlist(cfg->client_subnet);
+ config_delstrlist(cfg->client_subnet_zone);
#endif
free(cfg->identity);
free(cfg->version);
free(cfg->module_conf);
free(cfg->outgoing_avail_ports);
+ free(cfg->python_script);
config_delstrlist(cfg->caps_whitelist);
config_delstrlist(cfg->private_address);
config_delstrlist(cfg->private_domain);
@@ -1169,6 +1255,10 @@ config_delete(struct config_file* cfg)
free(cfg->dnstap_version);
config_deldblstrlist(cfg->ratelimit_for_domain);
config_deldblstrlist(cfg->ratelimit_below_domain);
+#ifdef USE_IPSECMOD
+ free(cfg->ipsecmod_hook);
+ config_delstrlist(cfg->ipsecmod_whitelist);
+#endif
free(cfg);
}
diff --git a/util/config_file.h b/util/config_file.h
index 79b094894022..bb7a292050b4 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -176,6 +176,8 @@ struct config_file {
/** list of servers we send edns-client-subnet option to and
* accept option from, linked list */
struct config_strlist* client_subnet;
+ /** list of zones we send edns-client-subnet option for */
+ struct config_strlist* client_subnet_zone;
/** opcode assigned by IANA for edns0-client-subnet option */
uint16_t client_subnet_opcode;
/** Do not check whitelist if incoming query contains an ECS record */
@@ -274,6 +276,8 @@ struct config_file {
struct config_strlist* dlv_anchor_list;
/** insecure domain list */
struct config_strlist* domain_insecure;
+ /** send key tag query */
+ int trust_anchor_signaling;
/** if not 0, this value is the validation date for RRSIGs */
int32_t val_date_override;
@@ -317,6 +321,8 @@ struct config_file {
struct config_str2list* local_zones;
/** local zones nodefault list */
struct config_strlist* local_zones_nodefault;
+ /** do not add any default local zone */
+ int local_zones_disable_default;
/** local data RRs configured */
struct config_strlist* local_data;
/** local zone override types per netblock */
@@ -458,6 +464,22 @@ struct config_file {
struct config_strlist* dnscrypt_secret_key;
/** dnscrypt provider certs 1.cert */
struct config_strlist* dnscrypt_provider_cert;
+
+ /** IPsec module */
+#ifdef USE_IPSECMOD
+ /** false to bypass the IPsec module */
+ int ipsecmod_enabled;
+ /** whitelisted domains for ipsecmod */
+ struct config_strlist* ipsecmod_whitelist;
+ /** path to external hook */
+ char* ipsecmod_hook;
+ /** true to proceed even with a bogus IPSECKEY */
+ int ipsecmod_ignore_bogus;
+ /** max TTL for the A/AAAA records that call the hook */
+ int ipsecmod_max_ttl;
+ /** false to proceed even when ipsecmod_hook fails */
+ int ipsecmod_strict;
+#endif
};
/** from cfg username, after daemonise setup performed */
diff --git a/util/configlexer.c b/util/configlexer.c
index 0043165c2d2f..b180068c5392 100644
--- a/util/configlexer.c
+++ b/util/configlexer.c
@@ -378,8 +378,8 @@ static void yy_fatal_error (yyconst char msg[] );
*yy_cp = '\0'; \
(yy_c_buf_p) = yy_cp;
-#define YY_NUM_RULES 221
-#define YY_END_OF_BUFFER 222
+#define YY_NUM_RULES 229
+#define YY_END_OF_BUFFER 230
/* This struct is not used in this scanner,
but its presence is necessary. */
struct yy_trans_info
@@ -387,246 +387,254 @@ struct yy_trans_info
flex_int32_t yy_verify;
flex_int32_t yy_nxt;
};
-static yyconst flex_int16_t yy_accept[2165] =
+static yyconst flex_int16_t yy_accept[2238] =
{ 0,
- 1, 1, 203, 203, 207, 207, 211, 211, 215, 215,
- 1, 1, 222, 219, 1, 201, 201, 220, 2, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 220,
- 203, 204, 204, 205, 220, 207, 208, 208, 209, 220,
- 214, 211, 212, 212, 213, 220, 215, 216, 216, 217,
- 220, 218, 202, 2, 206, 218, 220, 219, 0, 1,
- 2, 2, 2, 2, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
-
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 203, 0, 207, 0, 214, 0, 211, 215, 0, 218,
- 0, 2, 2, 218, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
-
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 218, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
-
- 218, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 77, 219, 219, 219,
- 219, 219, 219, 8, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
-
- 219, 219, 219, 219, 88, 218, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
-
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 218,
- 219, 219, 219, 219, 219, 37, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 168, 219,
- 14, 15, 219, 18, 17, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 154, 219, 219, 219, 219, 219,
-
- 219, 219, 219, 219, 219, 3, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 218, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 210, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
-
- 219, 219, 219, 219, 40, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 41, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 143, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 20, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 102, 219, 210, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 195, 219, 219, 219, 219, 219, 219, 219, 219,
-
- 219, 219, 219, 118, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 101, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 75, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 25, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 38, 219, 219, 219, 219, 219, 219, 219,
-
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 39, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 119, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 28, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 183, 219, 219, 219,
-
- 219, 219, 219, 219, 219, 219, 219, 32, 219, 33,
- 219, 219, 219, 78, 219, 79, 219, 219, 76, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 7, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 161, 219, 219, 219, 219, 104, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 29, 219, 219, 219,
-
- 219, 219, 219, 219, 135, 219, 134, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 16, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 42, 219, 219,
- 219, 219, 219, 219, 142, 219, 219, 219, 219, 81,
- 80, 219, 219, 219, 219, 219, 219, 219, 219, 129,
- 219, 219, 219, 219, 219, 219, 219, 219, 89, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 60, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
-
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 64, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 36, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 132,
- 133, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 6, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 193, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 26, 219, 219, 219, 219, 219, 219, 219, 219, 125,
-
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 147, 219, 126, 219, 219, 159, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 27, 219, 219, 219, 219, 84, 219, 85, 219, 83,
- 219, 219, 219, 219, 219, 219, 219, 219, 99, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 182, 219, 219, 127, 219, 219, 219, 219, 219, 130,
- 219, 219, 158, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 74, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
-
- 219, 219, 219, 219, 219, 34, 219, 219, 22, 219,
- 219, 219, 219, 19, 219, 109, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 49, 51, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 197, 219, 219, 169, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 86, 219, 219, 219, 219, 219, 219, 219, 98, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 103, 219, 219, 219, 219, 219, 219, 219,
-
- 219, 219, 219, 219, 219, 219, 153, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 117, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 113, 219, 120, 219, 219, 219,
- 219, 219, 92, 219, 219, 70, 219, 219, 219, 145,
- 219, 219, 219, 219, 219, 160, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 174, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 116, 219, 219, 219, 219, 219, 52, 53, 219, 219,
- 219, 219, 219, 35, 59, 121, 219, 136, 219, 162,
-
- 131, 219, 219, 219, 45, 219, 123, 219, 219, 219,
- 219, 219, 9, 219, 219, 219, 73, 219, 219, 219,
- 219, 187, 219, 144, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 105, 196, 219, 219, 173, 219, 219, 219, 219, 219,
- 219, 219, 219, 155, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 122, 219, 219, 219, 44, 46,
-
- 219, 219, 219, 219, 219, 219, 219, 72, 219, 219,
- 219, 219, 185, 219, 192, 219, 219, 219, 219, 219,
- 149, 23, 24, 219, 219, 219, 219, 219, 219, 219,
- 219, 69, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 151, 148, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 43,
- 219, 219, 219, 219, 219, 219, 219, 219, 100, 13,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 12, 219, 219, 21, 219, 219,
- 219, 191, 219, 194, 47, 219, 157, 219, 150, 219,
-
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 112, 111, 219, 219, 219, 219, 219, 219, 152,
- 146, 219, 219, 198, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 54, 219, 219, 219, 186, 219,
- 219, 219, 156, 219, 219, 219, 219, 219, 219, 219,
- 219, 48, 219, 219, 219, 82, 219, 106, 108, 137,
- 219, 219, 219, 110, 219, 219, 163, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 170, 219, 219, 219, 219, 219, 219, 219, 219,
-
- 219, 219, 219, 219, 219, 138, 219, 219, 184, 219,
- 219, 219, 30, 219, 219, 219, 219, 4, 219, 219,
- 93, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 166, 219, 219, 219, 219, 219, 219, 199, 219, 219,
- 219, 219, 219, 172, 219, 219, 141, 219, 219, 219,
- 219, 219, 219, 219, 219, 57, 219, 31, 190, 167,
- 219, 219, 11, 219, 219, 219, 219, 219, 219, 139,
- 61, 219, 219, 219, 115, 219, 219, 219, 219, 219,
- 95, 219, 219, 219, 219, 219, 219, 219, 171, 90,
- 219, 87, 219, 219, 219, 63, 67, 62, 219, 55,
-
- 219, 219, 10, 219, 219, 219, 188, 219, 219, 114,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 68, 66, 219, 56, 219,
- 219, 219, 128, 219, 219, 140, 219, 219, 219, 219,
- 107, 50, 219, 219, 200, 219, 219, 219, 219, 219,
- 219, 91, 65, 96, 97, 58, 219, 189, 219, 219,
- 219, 165, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 71, 219, 164, 219, 181, 219, 219,
- 219, 219, 219, 219, 5, 219, 219, 219, 219, 219,
-
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 94, 219, 219, 219, 219, 219, 219, 124,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 177, 219,
- 219, 219, 219, 219, 219, 219, 219, 219, 219, 219,
- 219, 219, 175, 219, 178, 179, 219, 219, 219, 219,
- 219, 176, 180, 0
+ 1, 1, 211, 211, 215, 215, 219, 219, 223, 223,
+ 1, 1, 230, 227, 1, 209, 209, 228, 2, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 228,
+ 211, 212, 212, 213, 228, 215, 216, 216, 217, 228,
+ 222, 219, 220, 220, 221, 228, 223, 224, 224, 225,
+ 228, 226, 210, 2, 214, 226, 228, 227, 0, 1,
+ 2, 2, 2, 2, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 211, 0, 215, 0, 222, 0, 219, 223, 0, 226,
+ 0, 2, 2, 226, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 226, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+
+ 227, 227, 226, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 77,
+ 227, 227, 227, 227, 227, 227, 8, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+
+ 227, 227, 227, 227, 227, 227, 227, 88, 226, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 226, 227, 227, 227, 227, 227, 37,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 170, 227, 14, 15, 227, 18, 17, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 156,
+
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 3, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 226, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 218,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 40, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 41, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 145,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 20, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 103, 227, 218, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 197, 227, 227,
+
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 120,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 102, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 75, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 25, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 38,
+
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 39, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 121, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 28, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 185,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 32, 227, 33, 227, 227, 227, 78, 227, 79, 227,
+ 227, 76, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 7, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 163, 227, 227, 227, 227, 105,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 29,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 137, 227, 136, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 16, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 42, 227, 227, 227,
+ 227, 227, 227, 144, 227, 227, 227, 227, 81, 80,
+ 227, 227, 227, 227, 227, 227, 227, 227, 131, 227,
+ 227, 227, 227, 227, 227, 227, 227, 89, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+
+ 227, 227, 227, 60, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 64, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 36, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 134, 135, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 6, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 195, 227, 227, 227, 227,
+
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 26, 227, 227, 227, 227,
+ 227, 227, 227, 227, 127, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 149, 227, 128, 227, 227,
+ 161, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 27, 227, 227, 227, 227,
+ 84, 227, 85, 227, 83, 227, 227, 227, 227, 227,
+ 227, 227, 227, 100, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 184, 227, 227, 227, 227,
+ 227, 227, 227, 227, 129, 227, 227, 227, 227, 227,
+
+ 132, 227, 227, 160, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 74, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 34, 227, 227, 22,
+ 227, 227, 227, 227, 19, 227, 110, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 49, 51, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 199, 227, 227, 171, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 86, 227, 227, 227, 227, 227, 227, 227, 99,
+
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 205, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 104,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 155, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 119, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 115, 227, 122, 227, 227, 227, 227, 227,
+ 92, 227, 227, 70, 227, 227, 227, 227, 147, 227,
+ 227, 227, 227, 227, 162, 227, 227, 227, 227, 227,
+
+ 227, 227, 227, 227, 227, 176, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 118,
+ 227, 227, 227, 227, 227, 52, 53, 227, 227, 227,
+ 227, 227, 35, 227, 227, 227, 227, 227, 59, 123,
+ 227, 138, 227, 164, 133, 227, 227, 227, 45, 227,
+ 125, 227, 227, 227, 227, 227, 9, 227, 227, 227,
+ 73, 227, 227, 227, 227, 189, 227, 146, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+
+ 227, 227, 227, 227, 227, 227, 106, 198, 227, 227,
+ 175, 227, 227, 227, 227, 227, 227, 227, 227, 157,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 208, 227, 124, 227, 227, 227, 44,
+ 46, 227, 227, 227, 227, 227, 227, 227, 72, 227,
+ 227, 227, 227, 187, 227, 194, 227, 227, 227, 227,
+ 227, 151, 23, 24, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 69, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 153,
+
+ 150, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 43, 227, 227, 227, 227, 227, 227, 227,
+ 227, 101, 13, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 203, 227, 206, 227, 227, 227, 227, 227,
+ 227, 12, 227, 227, 21, 227, 227, 227, 193, 227,
+ 196, 47, 227, 159, 227, 152, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 114,
+ 113, 227, 227, 227, 227, 227, 227, 227, 154, 148,
+ 227, 227, 200, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+
+ 227, 227, 227, 54, 227, 227, 227, 188, 227, 227,
+ 227, 227, 227, 158, 227, 227, 227, 227, 227, 227,
+ 227, 227, 48, 227, 227, 227, 82, 227, 107, 227,
+ 109, 139, 227, 227, 227, 112, 227, 227, 165, 227,
+ 227, 227, 227, 227, 94, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 172, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 140, 227,
+ 227, 186, 227, 207, 227, 227, 227, 30, 227, 227,
+ 227, 227, 4, 227, 227, 93, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 168, 227, 227, 227,
+
+ 227, 227, 227, 201, 227, 227, 227, 227, 227, 174,
+ 227, 227, 143, 227, 227, 227, 227, 227, 227, 227,
+ 227, 57, 227, 31, 192, 227, 169, 227, 227, 11,
+ 227, 227, 227, 227, 227, 227, 141, 61, 227, 227,
+ 227, 227, 117, 227, 227, 227, 227, 227, 96, 227,
+ 227, 227, 227, 227, 227, 227, 173, 90, 227, 87,
+ 227, 227, 227, 63, 67, 62, 227, 55, 227, 227,
+ 227, 10, 227, 227, 227, 190, 227, 227, 227, 116,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 68, 66, 227, 56, 204,
+
+ 227, 227, 227, 130, 227, 227, 142, 227, 227, 227,
+ 227, 227, 108, 50, 227, 227, 202, 227, 227, 227,
+ 227, 227, 227, 91, 65, 97, 98, 58, 227, 191,
+ 111, 227, 227, 227, 167, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 227, 71, 227, 166, 227,
+ 183, 227, 227, 227, 227, 227, 227, 5, 227, 227,
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 95, 227, 227, 227, 227,
+ 227, 227, 126, 227, 227, 227, 227, 227, 227, 227,
+
+ 227, 227, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 179, 227, 227, 227, 227, 227, 227, 227, 227,
+ 227, 227, 227, 227, 227, 177, 227, 180, 181, 227,
+ 227, 227, 227, 227, 178, 182, 0
} ;
static yyconst YY_CHAR yy_ec[256] =
@@ -672,493 +680,511 @@ static yyconst YY_CHAR yy_meta[67] =
1, 1, 1, 1, 1, 1
} ;
-static yyconst flex_uint16_t yy_base[2179] =
+static yyconst flex_uint16_t yy_base[2252] =
{ 0,
0, 0, 64, 67, 70, 72, 78, 84, 89, 92,
- 131, 137, 473, 390, 96, 6214, 6214, 6214, 109, 111,
+ 131, 137, 420, 366, 96, 6399, 6399, 6399, 109, 111,
142, 180, 86, 133, 138, 172, 50, 151, 91, 181,
197, 124, 241, 187, 225, 289, 233, 228, 253, 307,
- 385, 6214, 6214, 6214, 95, 362, 6214, 6214, 6214, 102,
- 331, 364, 6214, 6214, 6214, 311, 317, 6214, 6214, 6214,
- 116, 245, 6214, 321, 6214, 265, 328, 221, 334, 160,
+ 362, 6399, 6399, 6399, 95, 359, 6399, 6399, 6399, 102,
+ 326, 355, 6399, 6399, 6399, 311, 245, 6399, 6399, 6399,
+ 116, 221, 6399, 321, 6399, 265, 328, 212, 334, 160,
0, 338, 0, 0, 141, 206, 184, 330, 322, 255,
323, 335, 324, 222, 268, 350, 325, 334, 344, 357,
- 358, 352, 367, 364, 389, 160, 361, 388, 394, 214,
-
- 373, 400, 391, 383, 399, 416, 410, 414, 407, 421,
- 437, 424, 448, 425, 434, 178, 431, 464, 441, 460,
- 458, 462, 461, 468, 263, 490, 488, 487, 476, 491,
- 212, 171, 170, 241, 164, 533, 146, 85, 284, 77,
- 539, 543, 0, 509, 511, 534, 526, 536, 523, 530,
- 546, 527, 539, 554, 553, 559, 557, 580, 624, 561,
- 571, 572, 586, 569, 589, 597, 581, 579, 619, 585,
- 609, 610, 646, 612, 627, 570, 622, 661, 630, 626,
- 642, 653, 670, 673, 681, 671, 669, 677, 665, 680,
- 662, 679, 688, 690, 703, 700, 699, 715, 717, 702,
-
- 704, 714, 708, 729, 723, 727, 728, 738, 741, 735,
- 763, 742, 764, 744, 758, 755, 765, 745, 772, 769,
- 760, 784, 761, 789, 778, 782, 792, 810, 813, 578,
- 797, 816, 819, 802, 806, 823, 824, 822, 832, 838,
- 837, 834, 849, 841, 836, 839, 846, 847, 868, 872,
- 853, 866, 859, 881, 873, 876, 883, 886, 878, 902,
- 897, 904, 899, 909, 938, 359, 924, 915, 928, 936,
- 944, 901, 951, 949, 942, 955, 946, 917, 959, 966,
- 961, 971, 970, 984, 987, 977, 994, 996, 999, 998,
- 1007, 980, 997, 1017, 1026, 1019, 1071, 1021, 1032, 1043,
-
- 1030, 1035, 1034, 1044, 1040, 1042, 1055, 1057, 1078, 1084,
- 1079, 1100, 1076, 1095, 1101, 1102, 1099, 1092, 1104, 1134,
- 1098, 1114, 1121, 1125, 1136, 1140, 1143, 1128, 1142, 1159,
- 1149, 1145, 1171, 1151, 1164, 1161, 1174, 1186, 1187, 1173,
- 1183, 1189, 1039, 1195, 1202, 1199, 1191, 1200, 1206, 1213,
- 1216, 1220, 1230, 1229, 1214, 1236, 6214, 1243, 1227, 1238,
- 1240, 1233, 1247, 6214, 1261, 1257, 1255, 1209, 1263, 1273,
- 1271, 1260, 1288, 1286, 1296, 1280, 1292, 1295, 1282, 1298,
- 1305, 1306, 1310, 1308, 1354, 1316, 1312, 1318, 1345, 1339,
- 1329, 1265, 1332, 1347, 1337, 1356, 1363, 1366, 1364, 1383,
-
- 1387, 1375, 1377, 1393, 6214, 1397, 1376, 1404, 1283, 1395,
- 1390, 979, 1411, 1406, 1414, 1415, 1426, 1417, 1425, 1431,
- 1420, 1421, 1451, 1442, 1440, 1449, 1465, 1450, 1462, 1470,
- 1447, 1466, 1453, 1467, 1469, 1484, 1477, 1483, 1480, 1486,
- 1488, 1482, 1476, 1513, 1500, 1504, 1502, 1514, 1517, 1509,
- 1529, 1526, 1527, 1533, 1534, 1546, 1542, 1550, 1560, 1561,
- 1552, 1555, 1547, 1566, 1573, 1577, 1578, 1557, 1582, 1586,
- 1584, 1603, 1588, 1601, 1617, 1595, 1607, 1619, 1602, 1615,
- 1622, 1614, 1627, 1636, 1637, 1618, 1648, 1639, 1653, 1642,
- 1644, 1649, 1652, 1657, 1647, 1663, 1673, 1667, 1666, 1697,
-
- 1677, 1679, 1700, 1699, 1704, 1702, 1693, 1692, 1708, 1705,
- 1717, 1726, 1732, 1735, 1723, 1736, 1738, 1731, 1742, 1749,
- 1752, 1753, 1725, 1774, 1762, 6214, 1758, 1761, 1766, 1787,
- 1778, 1776, 1792, 1788, 1779, 1782, 1800, 1843, 6214, 1784,
- 6214, 6214, 1795, 6214, 6214, 1822, 1802, 1826, 1815, 1832,
- 1805, 1892, 1836, 1819, 1827, 1839, 1847, 1844, 1849, 1860,
- 1858, 1879, 1876, 1875, 1885, 1895, 1874, 1906, 1889, 1908,
- 1907, 1913, 1903, 1929, 1921, 1920, 1923, 1944, 1941, 1842,
- 1934, 1948, 1947, 1949, 1950, 1942, 1959, 1955, 1969, 1963,
- 1956, 1971, 1954, 1974, 6214, 1985, 1986, 1996, 1992, 1989,
-
- 2001, 1990, 1991, 1980, 2022, 6214, 2007, 2008, 2016, 2034,
- 2017, 2020, 2019, 2028, 2036, 2046, 2024, 2035, 2044, 2047,
- 2043, 2052, 2056, 2062, 2064, 2081, 2092, 2084, 2071, 2083,
- 2089, 2072, 2096, 2101, 2099, 2086, 2087, 2106, 2098, 2107,
- 2114, 2112, 2120, 2133, 2117, 2116, 2124, 2122, 2125, 2171,
- 2156, 2144, 2139, 2143, 2173, 2163, 2167, 2175, 2158, 2179,
- 2184, 2181, 2207, 2186, 2183, 2200, 2203, 2219, 2231, 2228,
- 75, 2258, 2223, 2224, 2226, 2230, 2244, 2233, 2246, 2247,
- 2249, 2251, 2236, 2271, 6214, 2252, 2279, 2273, 2267, 2288,
- 2285, 2286, 2287, 2294, 2283, 2307, 2301, 2313, 2302, 2310,
-
- 2311, 2326, 2327, 2306, 6214, 2325, 2323, 2328, 2329, 2343,
- 2352, 2354, 2351, 2340, 2366, 2361, 6214, 2349, 2377, 2379,
- 2382, 2375, 2370, 2376, 2369, 2378, 2392, 2373, 2403, 2397,
- 2406, 2409, 2415, 6214, 2393, 2407, 2422, 2429, 2430, 2419,
- 2440, 2426, 2432, 2425, 2434, 2436, 2453, 2455, 6214, 2450,
- 2459, 2454, 2457, 2478, 2480, 2461, 2474, 2483, 2471, 2477,
- 2481, 291, 2482, 2485, 2492, 2472, 6214, 2495, 68, 2488,
- 2498, 2496, 2531, 2533, 2525, 2532, 2537, 2521, 2522, 2539,
- 2538, 2527, 2540, 2541, 2551, 2545, 2561, 2558, 2571, 2559,
- 2589, 6214, 2554, 2582, 2583, 2585, 2588, 2566, 2586, 2596,
-
- 2573, 2602, 2606, 6214, 2620, 2623, 2615, 2616, 2611, 2621,
- 2632, 2628, 2618, 2635, 2626, 2643, 2645, 2641, 2653, 2665,
- 6214, 2651, 2655, 2667, 2657, 2676, 2678, 2691, 2666, 2683,
- 2682, 2688, 2686, 2698, 2684, 2705, 2709, 2710, 2715, 2716,
- 2722, 2708, 2718, 2724, 2717, 2712, 2743, 2745, 2747, 2749,
- 2772, 2766, 153, 2751, 6214, 2756, 2758, 2750, 2755, 2771,
- 2770, 2787, 2782, 2794, 2789, 2791, 2795, 2806, 2785, 2815,
- 2807, 2811, 2825, 6214, 2832, 2822, 2817, 2839, 2821, 2840,
- 2838, 2829, 2845, 2837, 2853, 2847, 2856, 2859, 2851, 2865,
- 2866, 2862, 6214, 2881, 2884, 2885, 2886, 2882, 2876, 2883,
-
- 2897, 2879, 2887, 2878, 2909, 2905, 2896, 2903, 2906, 2911,
- 2926, 2917, 2914, 2913, 2930, 2945, 2928, 2943, 6214, 2940,
- 2965, 2941, 2953, 2949, 2956, 2964, 2977, 2967, 2978, 2980,
- 2976, 2966, 2973, 2991, 2990, 2992, 2993, 6214, 2998, 2997,
- 2970, 3011, 3007, 3012, 3016, 3014, 3025, 3028, 3039, 3029,
- 3036, 3048, 3038, 3040, 3043, 3054, 3056, 3066, 3067, 3076,
- 6214, 3069, 3074, 3070, 3071, 3080, 3073, 3063, 3113, 3115,
- 3072, 3098, 3099, 3101, 3107, 3095, 3104, 3105, 3129, 3108,
- 3114, 3124, 3130, 3125, 3132, 3131, 3135, 3134, 3155, 3165,
- 3163, 3170, 3156, 3162, 3159, 3185, 6214, 3158, 3184, 3175,
-
- 3176, 3189, 3186, 3192, 3195, 3182, 3207, 6214, 3199, 6214,
- 3216, 3222, 3229, 6214, 3225, 6214, 3228, 3214, 6214, 3232,
- 3237, 3224, 3220, 3226, 3231, 3246, 3254, 3256, 3248, 3269,
- 3249, 3263, 3273, 3259, 3275, 6214, 3279, 3264, 3285, 3283,
- 3287, 3288, 3293, 3294, 3311, 3297, 3320, 3318, 3298, 3307,
- 3333, 6214, 3315, 3331, 3332, 3330, 6214, 3328, 3338, 3340,
- 3319, 3346, 3345, 3350, 3349, 3368, 3358, 3365, 3372, 3375,
- 3357, 3384, 3388, 3389, 3373, 3385, 3383, 3398, 3400, 3399,
- 3396, 3401, 3420, 3416, 3411, 3414, 3415, 3410, 3422, 3427,
- 3431, 3445, 3430, 3432, 3441, 3443, 6214, 3453, 3440, 3468,
-
- 3454, 3458, 3466, 3467, 6214, 3484, 6214, 3449, 3486, 3488,
- 3487, 3470, 3493, 3491, 3494, 3500, 3497, 3513, 3517, 3508,
- 3512, 3510, 3511, 3514, 3526, 3531, 6214, 3520, 3530, 3550,
- 3536, 3553, 3549, 3559, 3555, 3565, 3566, 6214, 3570, 3572,
- 3573, 3579, 3576, 3582, 6214, 3575, 3578, 3585, 3604, 6214,
- 6214, 3577, 3600, 3601, 3602, 3597, 3623, 3603, 3615, 6214,
- 3621, 3612, 3622, 3631, 3639, 3640, 3628, 3629, 6214, 3642,
- 3638, 3647, 3655, 3656, 3658, 3654, 3660, 3659, 3663, 3674,
- 3671, 3651, 3688, 3676, 6214, 3689, 3684, 3696, 3687, 3703,
- 3686, 3690, 3704, 3719, 3700, 3698, 3713, 3729, 3726, 3718,
-
- 3727, 3741, 3749, 3731, 3740, 3723, 3747, 3737, 3760, 3745,
- 3763, 3767, 3778, 3774, 6214, 3783, 3762, 3786, 3770, 3779,
- 3785, 3787, 3796, 3805, 3800, 3801, 3804, 3806, 6214, 3808,
- 3802, 3809, 3811, 3813, 3833, 3822, 3828, 3836, 3825, 6214,
- 6214, 3832, 3835, 3854, 3843, 3860, 3862, 3846, 3864, 3848,
- 3863, 6214, 3873, 3881, 3866, 3875, 3885, 3889, 3888, 3890,
- 3887, 3877, 3884, 3898, 3904, 3900, 3893, 3920, 3911, 3924,
- 6214, 3913, 3914, 3916, 3938, 3927, 3930, 3936, 3956, 3949,
- 3931, 3947, 3948, 3955, 3964, 3978, 3975, 3954, 3965, 3989,
- 6214, 3973, 3982, 3981, 3962, 3995, 3974, 4002, 3991, 6214,
-
- 4007, 3997, 4006, 4011, 3999, 4020, 4015, 4012, 4022, 4018,
- 6214, 4026, 6214, 4029, 4023, 6214, 4024, 4040, 4041, 4034,
- 4055, 4057, 4044, 4056, 4048, 4050, 4068, 4071, 4078, 4067,
- 6214, 4073, 4062, 4077, 4079, 6214, 4090, 6214, 4093, 6214,
- 4087, 4083, 4116, 4101, 4120, 4117, 4122, 4115, 6214, 4124,
- 4105, 4126, 4128, 4112, 4129, 4145, 4147, 4108, 4148, 4160,
- 6214, 4142, 4150, 6214, 4168, 4138, 4153, 4176, 4175, 6214,
- 4169, 4183, 6214, 4174, 4191, 4187, 4189, 4190, 4199, 4202,
- 4193, 4203, 4227, 4219, 4212, 4220, 6214, 4214, 4218, 4235,
- 4236, 4229, 4222, 4241, 4238, 4246, 4245, 4252, 4260, 4265,
-
- 4256, 4255, 4266, 4269, 4279, 6214, 4262, 4281, 6214, 4282,
- 4270, 4280, 4283, 6214, 4294, 6214, 4296, 4297, 4289, 4306,
- 4311, 4310, 4320, 4309, 4326, 4327, 4318, 4340, 4335, 4324,
- 6214, 6214, 4334, 4348, 4341, 4352, 4355, 4353, 4342, 4369,
- 4361, 4372, 4368, 6214, 4370, 4358, 6214, 4359, 4376, 4371,
- 4387, 4386, 4388, 4393, 4389, 4400, 4392, 4405, 4396, 4398,
- 6214, 4411, 4401, 4415, 4416, 4419, 4414, 4427, 6214, 4432,
- 4445, 4449, 4437, 4441, 4443, 4457, 4460, 4461, 4454, 4465,
- 4462, 4482, 4471, 4473, 4480, 4474, 4486, 4477, 4497, 4499,
- 4488, 4484, 6214, 4501, 4508, 4498, 4510, 4496, 4513, 4509,
-
- 4515, 4527, 4526, 4523, 4528, 4532, 6214, 4529, 4525, 4536,
- 4530, 4560, 4543, 4564, 4546, 4561, 4553, 4570, 4558, 4575,
- 6214, 4557, 4576, 4565, 4573, 4578, 4596, 4602, 4594, 4603,
- 4605, 4597, 4588, 4606, 6214, 4598, 6214, 4613, 4615, 4624,
- 4626, 4628, 6214, 4629, 4637, 6214, 4640, 4604, 4645, 6214,
- 4655, 4654, 4641, 4651, 4660, 6214, 4665, 4664, 4671, 4670,
- 4662, 4673, 4668, 4679, 4675, 4682, 6214, 4695, 4701, 4705,
- 4703, 4691, 4692, 4700, 4709, 4696, 4710, 4722, 4718, 4707,
- 6214, 4717, 4741, 4734, 4739, 4748, 6214, 6214, 4740, 4752,
- 4755, 4730, 4761, 6214, 6214, 6214, 4759, 6214, 4745, 6214,
-
- 6214, 4760, 4764, 4770, 6214, 4771, 6214, 4781, 4777, 4768,
- 4772, 4788, 6214, 4782, 4790, 4800, 6214, 4797, 4808, 4789,
- 4795, 6214, 4812, 6214, 4813, 4818, 4820, 4817, 4809, 4816,
- 4821, 4831, 4832, 4838, 4837, 4824, 4853, 4843, 4844, 4848,
- 4857, 4841, 4863, 4858, 4846, 4859, 4864, 4868, 4882, 4873,
- 4884, 4880, 4875, 4885, 4900, 4905, 4909, 4878, 4913, 4915,
- 6214, 6214, 4899, 4907, 6214, 4901, 4904, 4911, 4919, 4920,
- 4930, 4934, 4953, 6214, 4951, 4946, 4940, 4956, 4944, 4947,
- 4957, 4960, 4943, 4964, 4968, 4974, 4970, 4978, 4977, 4967,
- 4980, 4986, 5003, 5007, 6214, 4989, 4990, 4992, 6214, 6214,
-
- 4994, 5015, 5012, 5013, 5004, 5024, 5025, 6214, 5017, 5039,
- 5026, 5033, 6214, 5047, 6214, 5048, 5031, 5054, 5052, 5061,
- 6214, 6214, 6214, 5062, 5042, 5055, 5056, 5066, 5067, 5059,
- 5077, 6214, 5081, 5075, 5082, 5086, 5076, 5097, 5093, 5105,
- 5111, 5112, 5114, 5103, 5116, 5119, 6214, 6214, 5108, 5131,
- 5120, 5127, 5129, 5135, 5141, 5134, 5128, 5146, 5145, 6214,
- 5156, 5148, 5147, 5158, 5155, 5160, 5178, 5161, 6214, 6214,
- 5162, 5173, 5175, 5190, 5176, 5192, 5184, 5204, 5188, 5205,
- 5139, 5210, 5206, 5208, 6214, 5203, 5211, 6214, 5219, 5202,
- 5227, 6214, 5217, 6214, 6214, 5225, 6214, 5228, 6214, 5229,
-
- 5246, 5253, 5254, 5258, 5259, 5260, 5243, 5250, 5267, 5263,
- 5262, 6214, 6214, 5272, 5255, 5265, 5270, 5275, 5279, 6214,
- 6214, 5290, 5293, 6214, 5276, 5291, 5299, 5289, 5292, 5297,
- 5313, 5302, 5306, 5318, 5324, 5329, 5331, 5326, 5338, 5327,
- 5323, 5335, 5340, 5341, 6214, 5346, 5352, 5345, 6214, 5366,
- 5370, 5368, 6214, 5362, 5378, 5379, 5372, 5369, 5391, 5385,
- 5392, 6214, 5394, 5400, 5402, 6214, 5388, 6214, 6214, 6214,
- 5411, 5419, 5408, 6214, 5418, 5429, 6214, 5422, 5415, 5412,
- 5407, 5443, 5436, 5447, 5437, 5434, 5449, 5440, 5467, 5441,
- 5465, 6214, 5450, 5456, 5472, 5460, 5474, 5475, 5464, 5470,
-
- 5482, 5481, 5477, 5488, 5487, 6214, 5495, 5510, 6214, 5512,
- 5502, 5514, 6214, 5520, 5501, 5500, 5505, 6214, 5525, 5517,
- 6214, 5513, 5534, 5536, 5530, 5542, 5539, 5538, 5540, 5555,
- 6214, 5548, 5544, 5547, 5568, 5569, 5561, 6214, 5573, 5558,
- 5585, 5575, 5584, 6214, 5589, 5571, 6214, 5594, 5596, 5583,
- 5598, 5607, 5608, 5609, 5610, 6214, 5613, 6214, 6214, 6214,
- 5600, 5617, 6214, 5614, 5612, 5611, 5620, 5632, 5628, 6214,
- 6214, 5635, 5646, 5645, 6214, 5634, 5637, 5647, 5636, 5659,
- 6214, 5658, 5649, 5653, 5651, 5670, 5662, 5663, 6214, 6214,
- 5679, 6214, 5682, 5691, 5696, 6214, 6214, 6214, 5701, 6214,
-
- 5704, 5703, 6214, 5705, 5690, 5697, 6214, 5712, 5698, 6214,
- 5702, 5710, 5715, 5721, 5722, 5718, 5731, 5741, 5725, 5729,
- 5730, 5748, 5749, 5740, 5755, 6214, 6214, 5761, 6214, 5762,
- 5764, 5765, 6214, 5757, 5769, 6214, 5758, 5771, 5768, 5773,
- 6214, 6214, 5776, 5784, 6214, 5779, 5788, 5785, 5782, 5786,
- 5789, 6214, 6214, 6214, 6214, 6214, 5815, 6214, 5803, 5799,
- 5806, 6214, 5800, 5797, 5809, 5821, 5825, 5828, 5812, 5826,
- 5831, 5838, 5845, 5856, 5858, 5857, 5855, 5861, 5848, 5847,
- 5868, 5863, 5869, 6214, 5864, 6214, 5874, 6214, 5875, 5881,
- 5885, 5883, 5886, 5884, 6214, 5891, 5910, 5888, 5896, 5904,
-
- 5901, 5911, 5922, 5906, 5929, 5934, 5937, 5940, 5941, 5931,
- 5944, 5948, 6214, 5952, 5936, 5938, 5956, 5947, 5963, 6214,
- 5965, 5961, 5962, 5972, 5977, 5982, 5975, 5990, 5995, 5993,
- 5999, 5992, 6000, 6003, 6008, 5997, 6023, 6012, 6214, 6024,
- 6027, 6017, 6021, 6033, 6022, 6026, 6046, 6052, 6050, 6062,
- 6064, 6058, 6214, 6061, 6214, 6214, 6070, 6059, 6063, 6069,
- 6071, 6214, 6214, 6214, 6122, 6129, 6136, 6143, 6150, 100,
- 6157, 6164, 6171, 6178, 6185, 6192, 6199, 6206
+ 358, 352, 367, 364, 389, 385, 369, 393, 394, 214,
+
+ 373, 402, 128, 400, 403, 419, 414, 399, 435, 420,
+ 443, 422, 449, 431, 441, 178, 436, 453, 459, 416,
+ 461, 463, 456, 469, 263, 487, 488, 480, 477, 497,
+ 170, 284, 164, 241, 160, 514, 174, 85, 367, 77,
+ 534, 541, 0, 514, 504, 518, 512, 513, 515, 523,
+ 542, 526, 540, 556, 550, 551, 548, 560, 604, 561,
+ 539, 559, 565, 571, 568, 588, 582, 585, 590, 583,
+ 606, 609, 636, 617, 599, 623, 576, 633, 652, 621,
+ 644, 638, 635, 650, 648, 662, 660, 657, 666, 668,
+ 684, 651, 683, 679, 669, 687, 682, 685, 699, 703,
+
+ 686, 721, 709, 725, 713, 720, 716, 726, 718, 712,
+ 740, 743, 747, 744, 735, 745, 750, 748, 749, 754,
+ 770, 751, 765, 762, 768, 783, 773, 784, 792, 800,
+ 804, 781, 802, 811, 789, 807, 810, 816, 806, 809,
+ 821, 828, 823, 836, 849, 825, 838, 832, 833, 857,
+ 851, 843, 860, 848, 868, 859, 871, 855, 862, 876,
+ 878, 891, 883, 894, 886, 895, 926, 676, 913, 903,
+ 910, 905, 922, 912, 939, 932, 930, 941, 936, 934,
+ 947, 956, 949, 970, 959, 973, 974, 953, 966, 981,
+ 975, 983, 986, 996, 1003, 1005, 1017, 1008, 1062, 1006,
+
+ 1015, 1055, 1004, 1010, 1012, 1033, 1043, 1034, 1039, 1048,
+ 1052, 1066, 1058, 1045, 1063, 1075, 1082, 1093, 1072, 1090,
+ 1102, 1113, 1095, 1100, 1103, 1104, 1123, 1117, 1122, 1110,
+ 1124, 1147, 1127, 1130, 1154, 1150, 1137, 1139, 1155, 1166,
+ 1168, 1151, 1174, 1163, 1179, 1178, 1188, 1152, 1195, 1183,
+ 1187, 1198, 1196, 1197, 1213, 1211, 1215, 1200, 1227, 6399,
+ 1229, 1216, 1224, 1236, 1226, 1238, 6399, 1240, 1241, 1235,
+ 1257, 1262, 1264, 1252, 1267, 1279, 1277, 1283, 1256, 1276,
+ 1268, 1265, 1278, 1284, 1295, 1296, 1297, 1343, 1294, 1306,
+ 1302, 1341, 1327, 1311, 1333, 1315, 1336, 1305, 1338, 1357,
+
+ 1329, 1352, 1361, 1371, 1363, 1368, 1375, 6399, 1387, 1358,
+ 1385, 1376, 1379, 1396, 1400, 1360, 1393, 1416, 1401, 1412,
+ 1402, 1420, 1419, 1414, 1410, 1450, 1421, 1435, 1436, 1443,
+ 1451, 1454, 1460, 1437, 1461, 1440, 1448, 1464, 1470, 1465,
+ 1453, 1467, 1462, 1478, 1474, 1476, 1499, 1486, 1509, 1494,
+ 1495, 1503, 1501, 1505, 1489, 1514, 1516, 1529, 1513, 1539,
+ 1532, 1536, 1546, 1543, 1537, 1542, 1530, 1556, 1558, 1564,
+ 1560, 1550, 1570, 1563, 1569, 1577, 1583, 1588, 1603, 1587,
+ 1589, 1604, 1590, 1596, 1615, 1595, 1614, 1626, 1611, 1610,
+ 1622, 1621, 1623, 1629, 1636, 1638, 1639, 1651, 1634, 1649,
+
+ 1650, 1652, 1658, 1663, 1653, 1656, 1686, 1665, 1677, 1684,
+ 1678, 1674, 1690, 1699, 1692, 1700, 1704, 1705, 1711, 1701,
+ 1713, 1698, 1714, 1737, 1740, 1741, 1725, 1750, 1735, 6399,
+ 1728, 1753, 1734, 1756, 1763, 1739, 1758, 1768, 1761, 1764,
+ 1772, 1815, 6399, 1767, 6399, 6399, 1781, 6399, 6399, 1787,
+ 1795, 1808, 1803, 1816, 1770, 1864, 1806, 1805, 1818, 1788,
+ 1843, 1821, 1822, 1851, 1835, 1857, 1854, 1869, 1862, 1873,
+ 1878, 1861, 1870, 1884, 1887, 1900, 1911, 1898, 1901, 1842,
+ 1907, 1916, 1918, 1917, 1925, 1928, 1923, 1924, 1929, 1933,
+ 1936, 1942, 1951, 1940, 1961, 1953, 1957, 1971, 1956, 6399,
+
+ 1963, 1964, 1967, 1974, 1968, 1976, 1978, 1987, 1983, 2005,
+ 6399, 2009, 2012, 1992, 2010, 1997, 2001, 1995, 2006, 2020,
+ 2023, 2028, 2022, 2042, 2040, 2043, 2053, 2031, 2044, 2047,
+ 2035, 2065, 2062, 2056, 2070, 2067, 2060, 2076, 2068, 2093,
+ 2080, 2087, 2106, 2085, 2110, 2095, 2111, 2101, 2114, 2102,
+ 2107, 2112, 2115, 2103, 2160, 2145, 2143, 2137, 2130, 2157,
+ 2141, 2162, 2164, 2159, 2166, 2173, 2170, 2194, 2190, 2187,
+ 2189, 2188, 2200, 2216, 2213, 75, 2243, 2207, 2215, 2204,
+ 2211, 2229, 2227, 2231, 2234, 2233, 2236, 2241, 2260, 6399,
+ 2240, 2250, 2246, 2259, 2279, 2276, 2266, 2274, 2275, 2278,
+
+ 2293, 2286, 2271, 2292, 2280, 2301, 2289, 2305, 2316, 2323,
+ 6399, 2312, 2310, 2313, 2318, 2330, 2339, 2341, 2338, 2348,
+ 2328, 2321, 6399, 2343, 2369, 2350, 2360, 2353, 2352, 2368,
+ 2387, 2364, 2382, 2371, 2388, 2373, 2396, 2397, 2391, 6399,
+ 2398, 2390, 2399, 2407, 2412, 2395, 2424, 2417, 2418, 2416,
+ 2425, 2446, 2442, 2444, 6399, 2432, 2452, 2445, 2441, 2451,
+ 2462, 2443, 2461, 2460, 2448, 2470, 2469, 291, 2468, 2482,
+ 2471, 2474, 6399, 2473, 68, 2488, 2489, 2483, 2510, 2511,
+ 2507, 2518, 2509, 2508, 2513, 2516, 2517, 2506, 2535, 2531,
+ 2534, 2523, 2537, 2538, 2549, 2540, 2552, 6399, 2562, 2561,
+
+ 2565, 2567, 2574, 2573, 2576, 2570, 2586, 2601, 2588, 6399,
+ 2596, 2610, 2600, 2602, 2592, 2615, 2613, 2604, 2626, 2625,
+ 2621, 2629, 2634, 2631, 2640, 2641, 6399, 2627, 2655, 2656,
+ 2643, 2654, 2653, 2679, 2666, 2657, 2662, 2687, 2711, 2681,
+ 2686, 2702, 2698, 2696, 2691, 2704, 2705, 2732, 2715, 2731,
+ 2712, 2727, 2737, 2750, 2753, 2744, 2748, 2774, 2768, 153,
+ 2759, 6399, 2762, 2757, 2760, 2764, 2803, 2793, 2795, 2787,
+ 2800, 2797, 2798, 2809, 2805, 2801, 2824, 2813, 2822, 2816,
+ 6399, 2838, 2839, 2827, 2842, 2828, 2847, 2852, 2840, 2858,
+ 2843, 2854, 2864, 2855, 2875, 2862, 2871, 2885, 2870, 6399,
+
+ 2758, 2867, 2873, 2898, 2886, 2882, 2897, 2896, 2891, 2894,
+ 2893, 2920, 2912, 2907, 2917, 2919, 2913, 2935, 2910, 2923,
+ 2924, 2940, 2949, 2938, 2947, 6399, 2951, 2971, 2946, 2956,
+ 2954, 2962, 2979, 2983, 2972, 2992, 2989, 2990, 2975, 2982,
+ 2978, 2995, 2997, 2998, 6399, 2999, 3011, 3012, 3020, 3019,
+ 3021, 3022, 3024, 3035, 3007, 3039, 3034, 3041, 3053, 3042,
+ 3049, 3051, 3060, 3058, 3078, 3073, 3082, 6399, 3075, 3084,
+ 3077, 3071, 3076, 3079, 3100, 3092, 3098, 3087, 3103, 3109,
+ 3105, 3131, 3133, 3117, 3119, 3120, 3121, 3102, 3115, 3130,
+ 3146, 3148, 3134, 3135, 3136, 3150, 3145, 3157, 3156, 3173,
+
+ 3167, 3175, 3185, 3183, 3186, 3176, 3182, 3179, 3202, 6399,
+ 3200, 3195, 3199, 3218, 3203, 3205, 3206, 3216, 3233, 3237,
+ 6399, 3222, 6399, 3234, 3241, 3246, 6399, 3244, 6399, 3253,
+ 3238, 6399, 3252, 3256, 3243, 3247, 3248, 3271, 3263, 3259,
+ 3273, 3267, 3290, 3266, 3281, 3293, 3282, 3302, 6399, 3295,
+ 3294, 3296, 3305, 3308, 3311, 3316, 3317, 3320, 3321, 3328,
+ 3322, 3347, 3339, 3350, 6399, 3337, 3346, 3342, 3354, 6399,
+ 3338, 3355, 3366, 3352, 3357, 3368, 3363, 3365, 3397, 3381,
+ 3386, 3387, 3399, 3380, 3398, 3411, 3408, 3392, 3402, 3413,
+ 3416, 3412, 3425, 3418, 3429, 3422, 3442, 3428, 3430, 3431,
+
+ 3439, 3440, 3452, 3449, 3468, 3445, 3455, 3456, 3463, 6399,
+ 3459, 3467, 3466, 3495, 3473, 3485, 3477, 3489, 3494, 3490,
+ 3502, 3515, 3492, 6399, 3498, 6399, 3506, 3510, 3520, 3535,
+ 3522, 3534, 3528, 3537, 3529, 3551, 3543, 3555, 3553, 3547,
+ 3556, 3554, 3562, 3561, 3573, 6399, 3532, 3568, 3590, 3581,
+ 3583, 3588, 3601, 3613, 3587, 3606, 6399, 3603, 3608, 3612,
+ 3604, 3628, 3615, 6399, 3607, 3642, 3631, 3638, 6399, 6399,
+ 3632, 3637, 3633, 3639, 3643, 3655, 3640, 3658, 6399, 3611,
+ 3659, 3671, 3672, 3682, 3683, 3654, 3668, 6399, 3665, 3693,
+ 3686, 3689, 3685, 3699, 3698, 3674, 3710, 3707, 3704, 3702,
+
+ 3728, 3727, 3732, 6399, 3731, 3724, 3739, 3729, 3738, 3723,
+ 3720, 3734, 3748, 3755, 3750, 3756, 3767, 3765, 3758, 3761,
+ 3773, 3786, 3763, 3777, 3775, 3793, 3788, 3797, 3785, 3807,
+ 3805, 3791, 3813, 6399, 3815, 3799, 3824, 3800, 3818, 3828,
+ 3829, 3834, 3846, 3819, 3827, 3836, 3842, 6399, 3872, 3823,
+ 3851, 3857, 3855, 3854, 3866, 3856, 3850, 3879, 3864, 3887,
+ 3874, 3878, 3895, 3904, 6399, 6399, 3898, 3889, 3908, 3897,
+ 3902, 3911, 3892, 3925, 3906, 3914, 6399, 3923, 3916, 3922,
+ 3933, 3949, 3951, 3948, 3953, 3945, 3936, 3943, 3952, 3963,
+ 3947, 3960, 3967, 3946, 3978, 6399, 3977, 3984, 3981, 3993,
+
+ 3995, 3994, 4002, 4020, 4006, 3989, 4005, 3987, 4017, 4015,
+ 4040, 4022, 4012, 4029, 4023, 6399, 4033, 4039, 4042, 4026,
+ 4053, 4030, 4060, 4047, 6399, 4058, 4063, 4062, 4071, 4055,
+ 4078, 4070, 4072, 4086, 4074, 6399, 4079, 6399, 4090, 4082,
+ 6399, 4088, 4095, 4096, 4099, 4109, 4112, 4098, 4115, 4110,
+ 4111, 4125, 4126, 4121, 4119, 6399, 4142, 4122, 4123, 4135,
+ 6399, 4147, 6399, 4145, 6399, 4148, 4150, 4170, 4149, 4167,
+ 4171, 4178, 4172, 6399, 4175, 4159, 4183, 4176, 4187, 4177,
+ 4201, 4203, 4191, 4204, 4214, 6399, 4202, 4209, 4196, 4207,
+ 4212, 4223, 4238, 4231, 6399, 4240, 4235, 4236, 4250, 4249,
+
+ 6399, 4248, 4259, 6399, 4252, 4268, 4247, 4264, 4278, 4282,
+ 4284, 4267, 4270, 4197, 4293, 4279, 4291, 6399, 4283, 4294,
+ 4301, 4303, 4300, 4312, 4276, 4317, 4311, 4321, 4323, 4335,
+ 4325, 4339, 4326, 4343, 4345, 4344, 6399, 4350, 4352, 6399,
+ 4360, 4338, 4349, 4353, 6399, 4372, 6399, 4380, 4374, 4363,
+ 4366, 4392, 4394, 4395, 4379, 4393, 4399, 4396, 4417, 4400,
+ 4412, 6399, 6399, 4410, 4427, 4402, 4414, 4433, 4431, 4422,
+ 4438, 4441, 4445, 4447, 6399, 4444, 4430, 6399, 4437, 4451,
+ 4458, 4461, 4477, 4466, 4470, 4463, 4483, 4479, 4490, 4465,
+ 4480, 6399, 4493, 4473, 4474, 4497, 4506, 4503, 4507, 6399,
+
+ 4504, 4502, 4529, 4522, 4523, 4525, 4539, 4536, 4541, 4530,
+ 4531, 4546, 4566, 4553, 4555, 6399, 4556, 4549, 4550, 4567,
+ 4581, 4584, 4571, 4585, 4568, 4589, 4591, 4587, 4573, 6399,
+ 4594, 4603, 4588, 4604, 4602, 4616, 4606, 4623, 4610, 4608,
+ 4617, 4619, 4625, 6399, 4621, 4630, 4640, 4652, 4642, 4643,
+ 4645, 4644, 4651, 4634, 4672, 4654, 4674, 6399, 4665, 4670,
+ 4659, 4680, 4667, 4690, 4691, 4683, 4697, 4699, 4700, 4702,
+ 4710, 4715, 6399, 4694, 6399, 4703, 4727, 4718, 4731, 4729,
+ 6399, 4723, 4725, 6399, 4735, 4737, 4733, 4745, 6399, 4741,
+ 4758, 4746, 4765, 4769, 6399, 4770, 4774, 4786, 4782, 4773,
+
+ 4788, 4771, 4780, 4772, 4801, 6399, 4799, 4792, 4805, 4806,
+ 4797, 4800, 4798, 4804, 4814, 4818, 4841, 4831, 4822, 6399,
+ 4826, 4838, 4851, 4844, 4846, 6399, 6399, 4845, 4853, 4857,
+ 4829, 4861, 6399, 4870, 4856, 4864, 4863, 4868, 6399, 6399,
+ 4866, 6399, 4867, 6399, 6399, 4887, 4891, 4898, 6399, 4899,
+ 6399, 4905, 4901, 4890, 4886, 4904, 6399, 4888, 4910, 4911,
+ 6399, 4912, 4915, 4923, 4925, 6399, 4916, 6399, 4919, 4924,
+ 4939, 4928, 4931, 4942, 4948, 4927, 4959, 4960, 4949, 4946,
+ 4962, 4958, 4965, 4967, 4966, 4976, 4975, 4979, 4973, 4972,
+ 4987, 4983, 4988, 4997, 5015, 5004, 4999, 5005, 5006, 5018,
+
+ 5014, 5025, 5031, 5019, 5020, 5034, 6399, 6399, 5032, 5026,
+ 6399, 5040, 5047, 5044, 5048, 5042, 5052, 5055, 5069, 6399,
+ 5049, 5071, 5063, 5076, 5074, 5067, 5084, 5088, 5086, 5091,
+ 5106, 5093, 5096, 5094, 5098, 5119, 5107, 5108, 5121, 5120,
+ 5130, 5135, 5138, 6399, 5123, 6399, 5131, 5125, 5141, 6399,
+ 6399, 5136, 5158, 5139, 5144, 5152, 5173, 5171, 6399, 5162,
+ 5172, 5174, 5165, 6399, 5180, 6399, 5181, 5163, 5184, 5186,
+ 5193, 6399, 6399, 6399, 5194, 5188, 5199, 5187, 5201, 5202,
+ 5214, 5198, 5222, 6399, 5209, 5226, 5227, 5220, 5234, 5238,
+ 5233, 5237, 5250, 5243, 5251, 5241, 5258, 5255, 5266, 6399,
+
+ 6399, 5259, 5276, 5268, 5279, 5277, 5275, 5278, 5269, 5283,
+ 5289, 5285, 6399, 5295, 5296, 5299, 5300, 5306, 5310, 5308,
+ 5311, 6399, 6399, 5312, 5314, 5324, 5329, 5326, 5321, 5335,
+ 5332, 5333, 6399, 5339, 6399, 5344, 5351, 5368, 5349, 5357,
+ 5362, 6399, 5360, 5361, 6399, 5371, 5359, 5370, 6399, 5379,
+ 6399, 6399, 5383, 6399, 5384, 6399, 5388, 5389, 5393, 5396,
+ 5403, 5412, 5405, 5409, 5400, 5407, 5419, 5422, 5420, 6399,
+ 6399, 5433, 5402, 5431, 5443, 5416, 5438, 5444, 6399, 6399,
+ 5445, 5451, 6399, 5428, 5439, 5458, 5449, 5455, 5447, 5459,
+ 5460, 5465, 5470, 5490, 5492, 5494, 5480, 5498, 5481, 5478,
+
+ 5500, 5506, 5512, 6399, 5510, 5508, 5497, 6399, 5513, 5507,
+ 5529, 5538, 5535, 6399, 5527, 5546, 5547, 5539, 5534, 5552,
+ 5537, 5554, 6399, 5555, 5558, 5556, 6399, 5559, 6399, 5575,
+ 6399, 6399, 5564, 5579, 5583, 6399, 5588, 5596, 6399, 5589,
+ 5590, 5578, 5582, 5603, 6399, 5609, 5607, 5613, 5610, 5616,
+ 5611, 5623, 5617, 5622, 6399, 5614, 5630, 5632, 5634, 5648,
+ 5637, 5635, 5636, 5657, 5649, 5640, 5653, 5658, 6399, 5668,
+ 5670, 6399, 5662, 6399, 5671, 5672, 5681, 6399, 5687, 5674,
+ 5673, 5684, 6399, 5689, 5691, 6399, 5680, 5706, 5709, 5710,
+ 5693, 5713, 5704, 5722, 5723, 5727, 6399, 5729, 5715, 5732,
+
+ 5734, 5740, 5720, 6399, 5739, 5745, 5750, 5756, 5748, 6399,
+ 5757, 5759, 6399, 5758, 5755, 5749, 5775, 5769, 5779, 5781,
+ 5783, 6399, 5789, 6399, 6399, 5776, 6399, 5770, 5793, 6399,
+ 5798, 5785, 5784, 5800, 5813, 5812, 6399, 6399, 5810, 5806,
+ 5818, 5823, 6399, 5815, 5826, 5825, 5820, 5837, 6399, 5821,
+ 5834, 5831, 5844, 5848, 5842, 5862, 6399, 6399, 5852, 6399,
+ 5868, 5874, 5873, 6399, 6399, 6399, 5878, 6399, 5880, 5884,
+ 5881, 6399, 5886, 5870, 5882, 6399, 5891, 5895, 5883, 6399,
+ 5899, 5894, 5905, 5914, 5916, 5904, 5915, 5924, 5909, 5912,
+ 5928, 5930, 5932, 5921, 5938, 6399, 6399, 5945, 6399, 6399,
+
+ 5950, 5952, 5953, 6399, 5947, 5958, 6399, 5960, 5951, 5965,
+ 5954, 5968, 6399, 6399, 5955, 5967, 6399, 5976, 5961, 5979,
+ 5972, 5971, 5985, 6399, 6399, 6399, 6399, 6399, 5983, 6399,
+ 6399, 6000, 5987, 5994, 6399, 5982, 6006, 6002, 6003, 6018,
+ 6010, 5998, 6024, 6020, 6019, 6029, 6041, 6042, 6048, 6047,
+ 6049, 6030, 6044, 6063, 6046, 6061, 6399, 6057, 6399, 6062,
+ 6399, 6058, 6067, 6069, 6064, 6070, 6073, 6399, 6079, 6091,
+ 6082, 6085, 6089, 6084, 6108, 6109, 6096, 6117, 6120, 6119,
+ 6122, 6126, 6118, 6138, 6132, 6399, 6136, 6133, 6142, 6139,
+ 6148, 6144, 6399, 6145, 6149, 6154, 6165, 6155, 6169, 6166,
+
+ 6179, 6186, 6184, 6183, 6172, 6197, 6195, 6196, 6200, 6193,
+ 6207, 6399, 6204, 6210, 6213, 6214, 6220, 6216, 6225, 6227,
+ 6238, 6242, 6239, 6245, 6243, 6399, 6246, 6399, 6399, 6252,
+ 6237, 6248, 6258, 6261, 6399, 6399, 6399, 6307, 6314, 6321,
+ 6328, 6335, 100, 6342, 6349, 6356, 6363, 6370, 6377, 6384,
+ 6391
} ;
-static yyconst flex_int16_t yy_def[2179] =
+static yyconst flex_int16_t yy_def[2252] =
{ 0,
- 2164, 1, 2165, 2165, 2166, 2166, 2167, 2167, 2168, 2168,
- 2169, 2169, 2164, 2170, 2164, 2164, 2164, 2164, 2171, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2172, 2164, 2164, 2164, 2172, 2173, 2164, 2164, 2164, 2173,
- 2174, 2164, 2164, 2164, 2164, 2174, 2175, 2164, 2164, 2164,
- 2175, 2176, 2164, 2177, 2164, 2176, 2176, 2170, 2170, 2164,
- 2178, 2171, 2178, 2171, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
-
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2172, 2172, 2173, 2173, 2174, 2174, 2164, 2175, 2175, 2176,
- 2176, 2177, 2177, 2176, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
-
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2176, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
-
- 2176, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170,
- 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
-
- 2170, 2170, 2170, 2170, 2164, 2176, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
-
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2176,
- 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170,
- 2164, 2164, 2170, 2164, 2164, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170,
-
- 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2176, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
-
- 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2176, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
-
- 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
-
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170,
-
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2164,
- 2170, 2170, 2170, 2164, 2170, 2164, 2170, 2170, 2164, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2164, 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170,
-
- 2170, 2170, 2170, 2170, 2164, 2170, 2164, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170,
- 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2164,
- 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
-
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164,
- 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164,
-
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2164, 2170, 2164, 2170, 2170, 2164, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2164, 2170, 2170, 2170, 2170, 2164, 2170, 2164, 2170, 2164,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2164, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2164,
- 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
-
- 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2164, 2170,
- 2170, 2170, 2170, 2164, 2170, 2164, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2164, 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2164, 2170, 2170, 2164, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
-
- 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2164, 2170, 2164, 2170, 2170, 2170,
- 2170, 2170, 2164, 2170, 2170, 2164, 2170, 2170, 2170, 2164,
- 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2164, 2170, 2170, 2170, 2170, 2170, 2164, 2164, 2170, 2170,
- 2170, 2170, 2170, 2164, 2164, 2164, 2170, 2164, 2170, 2164,
-
- 2164, 2170, 2170, 2170, 2164, 2170, 2164, 2170, 2170, 2170,
- 2170, 2170, 2164, 2170, 2170, 2170, 2164, 2170, 2170, 2170,
- 2170, 2164, 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2164, 2164, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2164, 2164,
-
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170,
- 2170, 2170, 2164, 2170, 2164, 2170, 2170, 2170, 2170, 2170,
- 2164, 2164, 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2164, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2164,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2164, 2170, 2170,
- 2170, 2164, 2170, 2164, 2164, 2170, 2164, 2170, 2164, 2170,
-
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2164, 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2164,
- 2164, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2164, 2170,
- 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2164, 2170, 2170, 2170, 2164, 2170, 2164, 2164, 2164,
- 2170, 2170, 2170, 2164, 2170, 2170, 2164, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
-
- 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2164, 2170,
- 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2164, 2170, 2170,
- 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2170,
- 2170, 2170, 2170, 2164, 2170, 2170, 2164, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2164, 2170, 2164, 2164, 2164,
- 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2164,
- 2164, 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170,
- 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2164,
- 2170, 2164, 2170, 2170, 2170, 2164, 2164, 2164, 2170, 2164,
-
- 2170, 2170, 2164, 2170, 2170, 2170, 2164, 2170, 2170, 2164,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2164, 2164, 2170, 2164, 2170,
- 2170, 2170, 2164, 2170, 2170, 2164, 2170, 2170, 2170, 2170,
- 2164, 2164, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170,
- 2170, 2164, 2164, 2164, 2164, 2164, 2170, 2164, 2170, 2170,
- 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2164, 2170, 2164, 2170, 2164, 2170, 2170,
- 2170, 2170, 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170,
-
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2164, 2170, 2170, 2170, 2170, 2170, 2170, 2164,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2164, 2170,
- 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170, 2170,
- 2170, 2170, 2164, 2170, 2164, 2164, 2170, 2170, 2170, 2170,
- 2170, 2164, 2164, 0, 2164, 2164, 2164, 2164, 2164, 2164,
- 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164
+ 2237, 1, 2238, 2238, 2239, 2239, 2240, 2240, 2241, 2241,
+ 2242, 2242, 2237, 2243, 2237, 2237, 2237, 2237, 2244, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2245, 2237, 2237, 2237, 2245, 2246, 2237, 2237, 2237, 2246,
+ 2247, 2237, 2237, 2237, 2237, 2247, 2248, 2237, 2237, 2237,
+ 2248, 2249, 2237, 2250, 2237, 2249, 2249, 2243, 2243, 2237,
+ 2251, 2244, 2251, 2244, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2245, 2245, 2246, 2246, 2247, 2247, 2237, 2248, 2248, 2249,
+ 2249, 2250, 2250, 2249, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2249, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+
+ 2243, 2243, 2249, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2249, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2249, 2243, 2243, 2243, 2243, 2243, 2237,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2237, 2243, 2237, 2237, 2243, 2237, 2237, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237,
+
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2249, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2237, 2243, 2249, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243,
+
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237,
+
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2237, 2243, 2237, 2243, 2243, 2243, 2237, 2243, 2237, 2243,
+ 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2237,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2237, 2243, 2237, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2237, 2237,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+
+ 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2237, 2237, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243,
+
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2237, 2243, 2243,
+ 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243,
+ 2237, 2243, 2237, 2243, 2237, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243,
+
+ 2237, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2237,
+ 2243, 2243, 2243, 2243, 2237, 2243, 2237, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2237, 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2237, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237,
+
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2237, 2243, 2237, 2243, 2243, 2243, 2243, 2243,
+ 2237, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2237, 2243,
+ 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243,
+
+ 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237,
+ 2243, 2243, 2243, 2243, 2243, 2237, 2237, 2243, 2243, 2243,
+ 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2237, 2237,
+ 2243, 2237, 2243, 2237, 2237, 2243, 2243, 2243, 2237, 2243,
+ 2237, 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243,
+ 2237, 2243, 2243, 2243, 2243, 2237, 2243, 2237, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+
+ 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2237, 2243, 2243,
+ 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2237, 2243, 2237, 2243, 2243, 2243, 2237,
+ 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243,
+ 2243, 2243, 2243, 2237, 2243, 2237, 2243, 2243, 2243, 2243,
+ 2243, 2237, 2237, 2237, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237,
+
+ 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2237, 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2237, 2243, 2237, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2237, 2243, 2243, 2237, 2243, 2243, 2243, 2237, 2243,
+ 2237, 2237, 2243, 2237, 2243, 2237, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237,
+ 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2237,
+ 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+
+ 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2237, 2243, 2243,
+ 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2237, 2243, 2243, 2243, 2237, 2243, 2237, 2243,
+ 2237, 2237, 2243, 2243, 2243, 2237, 2243, 2243, 2237, 2243,
+ 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243,
+ 2243, 2237, 2243, 2237, 2243, 2243, 2243, 2237, 2243, 2243,
+ 2243, 2243, 2237, 2243, 2243, 2237, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243,
+
+ 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2237,
+ 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2237, 2243, 2237, 2237, 2243, 2237, 2243, 2243, 2237,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2237, 2243, 2243,
+ 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2237, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2237, 2243, 2237,
+ 2243, 2243, 2243, 2237, 2237, 2237, 2243, 2237, 2243, 2243,
+ 2243, 2237, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2237,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2237, 2237, 2243, 2237, 2237,
+
+ 2243, 2243, 2243, 2237, 2243, 2243, 2237, 2243, 2243, 2243,
+ 2243, 2243, 2237, 2237, 2243, 2243, 2237, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2237, 2237, 2237, 2237, 2237, 2243, 2237,
+ 2237, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2237, 2243,
+ 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+
+ 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2237, 2243, 2243, 2243, 2243, 2243, 2243, 2243, 2243,
+ 2243, 2243, 2243, 2243, 2243, 2237, 2243, 2237, 2237, 2243,
+ 2243, 2243, 2243, 2243, 2237, 2237, 0, 2237, 2237, 2237,
+ 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237,
+ 2237
} ;
-static yyconst flex_uint16_t yy_nxt[6281] =
+static yyconst flex_uint16_t yy_nxt[6466] =
{ 0,
14, 15, 16, 17, 18, 19, 18, 14, 14, 14,
14, 14, 18, 20, 14, 21, 22, 23, 24, 14,
@@ -1168,691 +1194,712 @@ static yyconst flex_uint16_t yy_nxt[6281] =
28, 29, 30, 31, 32, 33, 34, 35, 36, 37,
38, 39, 14, 14, 14, 14, 42, 43, 44, 42,
43, 44, 47, 48, 47, 48, 49, 97, 49, 52,
- 53, 54, 55, 805, 18, 52, 53, 54, 55, 69,
+ 53, 54, 55, 811, 18, 52, 53, 54, 55, 69,
18, 58, 59, 60, 58, 59, 60, 70, 131, 131,
68, 71, 87, 45, 97, 133, 45, 141, 133, 50,
73, 50, 73, 73, 69, 73, 141, 56, 99, 138,
138, 73, 88, 56, 139, 69, 75, 76, 61, 87,
69, 61, 15, 16, 17, 63, 64, 65, 15, 16,
- 17, 63, 64, 65, 77, 99, 89, 137, 74, 88,
+ 17, 63, 64, 65, 77, 99, 89, 183, 74, 88,
69, 91, 66, 75, 76, 78, 145, 107, 66, 92,
- 90, 70, 79, 69, 990, 71, 80, 173, 98, 81,
- 67, 77, 69, 89, 131, 131, 67, 69, 91, 66,
+ 90, 70, 79, 69, 1003, 71, 80, 69, 98, 81,
+ 67, 77, 69, 89, 183, 137, 67, 69, 91, 66,
69, 69, 78, 145, 107, 66, 92, 90, 93, 79,
- 69, 94, 69, 80, 100, 98, 81, 82, 95, 69,
+ 69, 94, 69, 80, 100, 98, 81, 82, 95, 136,
- 96, 83, 101, 136, 84, 197, 85, 86, 102, 134,
+ 96, 83, 101, 134, 84, 198, 85, 86, 102, 132,
104, 69, 103, 113, 105, 93, 147, 69, 94, 69,
69, 100, 146, 69, 82, 95, 69, 96, 83, 101,
- 106, 84, 197, 85, 86, 102, 69, 104, 114, 103,
+ 106, 84, 198, 85, 86, 102, 69, 104, 114, 103,
113, 105, 115, 147, 133, 69, 123, 133, 124, 146,
- 179, 132, 116, 69, 126, 117, 157, 106, 108, 127,
- 69, 69, 109, 125, 69, 114, 128, 69, 110, 115,
- 129, 111, 69, 123, 130, 124, 151, 179, 112, 116,
- 69, 126, 117, 157, 141, 108, 127, 138, 138, 109,
- 125, 144, 69, 128, 69, 110, 208, 129, 111, 158,
+ 180, 69, 116, 69, 126, 117, 157, 106, 108, 127,
+ 141, 69, 109, 125, 69, 114, 128, 69, 110, 115,
+ 129, 111, 69, 123, 130, 124, 151, 180, 112, 116,
+ 69, 126, 117, 157, 139, 108, 127, 131, 131, 109,
+ 125, 144, 69, 128, 69, 110, 209, 129, 111, 158,
- 897, 130, 69, 151, 141, 112, 118, 69, 68, 119,
+ 904, 130, 69, 151, 141, 112, 118, 69, 68, 119,
68, 68, 135, 68, 135, 135, 120, 135, 144, 68,
- 121, 122, 73, 208, 73, 73, 158, 73, 69, 140,
+ 121, 122, 73, 209, 73, 73, 158, 73, 69, 140,
69, 140, 140, 118, 140, 68, 119, 68, 68, 73,
68, 73, 73, 120, 73, 148, 68, 121, 122, 152,
- 73, 161, 150, 153, 155, 156, 139, 159, 149, 154,
- 143, 69, 69, 69, 69, 137, 162, 163, 166, 69,
- 136, 357, 148, 69, 69, 160, 152, 74, 161, 150,
+ 73, 161, 150, 153, 155, 156, 137, 159, 149, 154,
+ 143, 69, 69, 69, 69, 136, 162, 163, 166, 69,
+ 138, 138, 148, 69, 69, 160, 152, 74, 161, 150,
153, 155, 156, 69, 167, 149, 154, 164, 165, 69,
- 168, 69, 174, 162, 163, 166, 69, 69, 69, 180,
-
- 69, 134, 160, 69, 169, 175, 69, 170, 183, 177,
- 182, 167, 69, 178, 164, 165, 181, 168, 184, 174,
- 171, 172, 69, 188, 132, 176, 180, 69, 69, 69,
- 69, 169, 175, 69, 170, 183, 177, 182, 69, 69,
- 178, 185, 186, 181, 187, 184, 69, 171, 172, 69,
- 188, 189, 176, 69, 190, 69, 192, 194, 191, 195,
- 69, 193, 198, 69, 69, 196, 201, 202, 185, 186,
- 69, 187, 2164, 69, 2164, 204, 69, 2164, 189, 2164,
- 69, 190, 203, 192, 194, 191, 195, 69, 193, 198,
- 199, 206, 196, 201, 200, 205, 207, 69, 2164, 69,
-
- 69, 69, 204, 69, 209, 211, 213, 69, 214, 203,
- 2164, 212, 2164, 2164, 2164, 69, 2164, 199, 206, 2164,
- 2164, 200, 205, 207, 215, 210, 69, 69, 216, 69,
- 69, 209, 211, 213, 135, 214, 135, 135, 212, 135,
- 140, 217, 140, 140, 73, 140, 73, 73, 141, 73,
- 69, 215, 210, 218, 220, 216, 219, 221, 2164, 223,
- 224, 225, 69, 222, 229, 69, 69, 226, 2164, 69,
- 227, 2164, 228, 69, 238, 69, 2164, 258, 69, 2164,
- 218, 220, 143, 219, 221, 69, 223, 224, 316, 240,
- 222, 230, 69, 69, 226, 231, 69, 227, 69, 228,
-
- 69, 238, 239, 241, 242, 243, 246, 245, 69, 69,
- 69, 69, 232, 2164, 244, 249, 240, 69, 69, 69,
- 69, 2164, 231, 2164, 69, 69, 250, 251, 69, 239,
- 241, 242, 243, 246, 245, 259, 69, 262, 2164, 232,
- 233, 244, 249, 247, 256, 234, 248, 263, 69, 69,
- 235, 69, 2164, 250, 251, 257, 236, 237, 69, 252,
- 265, 69, 259, 69, 253, 69, 69, 233, 260, 69,
- 247, 256, 234, 248, 263, 264, 254, 235, 255, 261,
- 267, 69, 257, 236, 237, 69, 252, 266, 268, 2164,
- 269, 253, 69, 2164, 270, 271, 274, 272, 273, 275,
-
- 69, 69, 264, 254, 69, 255, 261, 277, 69, 69,
- 69, 284, 69, 276, 266, 287, 69, 269, 69, 69,
- 69, 270, 271, 274, 272, 273, 275, 69, 279, 69,
- 278, 280, 281, 282, 277, 291, 283, 289, 69, 69,
- 276, 69, 69, 69, 285, 286, 290, 69, 294, 297,
- 2164, 2164, 304, 69, 69, 279, 69, 278, 280, 281,
- 282, 288, 69, 283, 289, 293, 69, 69, 69, 292,
- 295, 285, 286, 290, 69, 294, 306, 69, 298, 300,
- 69, 69, 301, 69, 69, 303, 302, 307, 288, 305,
- 2164, 309, 293, 296, 69, 299, 292, 141, 311, 69,
-
- 69, 2164, 69, 69, 69, 298, 300, 313, 69, 301,
- 308, 69, 303, 302, 307, 310, 305, 69, 309, 312,
- 296, 69, 299, 69, 314, 311, 315, 317, 69, 318,
- 320, 69, 319, 321, 313, 2164, 69, 308, 322, 325,
- 323, 69, 310, 324, 327, 69, 312, 328, 330, 69,
- 2164, 314, 69, 315, 317, 69, 318, 320, 69, 319,
- 321, 69, 69, 69, 326, 322, 329, 323, 331, 332,
- 324, 69, 334, 69, 328, 69, 69, 69, 69, 333,
- 69, 335, 338, 337, 2164, 69, 69, 336, 69, 339,
- 343, 326, 69, 329, 340, 331, 332, 2164, 69, 334,
-
- 342, 344, 345, 341, 2164, 69, 333, 69, 335, 338,
- 337, 69, 69, 364, 336, 69, 339, 69, 350, 351,
- 69, 340, 69, 346, 353, 69, 2164, 342, 344, 345,
- 341, 347, 348, 354, 349, 2164, 69, 352, 69, 358,
- 69, 69, 2164, 69, 359, 350, 351, 360, 69, 370,
- 346, 353, 355, 356, 69, 361, 69, 362, 347, 348,
- 354, 349, 366, 69, 352, 363, 358, 69, 365, 367,
- 369, 359, 368, 372, 360, 69, 370, 69, 374, 355,
- 356, 69, 361, 69, 362, 69, 371, 375, 69, 366,
- 69, 526, 363, 373, 69, 365, 367, 369, 69, 368,
-
- 69, 376, 378, 380, 379, 69, 385, 377, 2164, 69,
- 69, 2164, 389, 371, 375, 386, 69, 384, 69, 69,
- 373, 2164, 381, 69, 390, 382, 69, 383, 376, 378,
- 380, 379, 387, 69, 377, 69, 69, 69, 69, 389,
- 388, 392, 386, 391, 384, 394, 69, 410, 402, 381,
- 404, 390, 382, 403, 383, 405, 69, 393, 69, 387,
- 69, 408, 2164, 406, 452, 69, 407, 388, 392, 141,
- 391, 69, 394, 69, 69, 402, 409, 411, 69, 69,
- 403, 69, 69, 69, 393, 395, 396, 412, 408, 413,
- 406, 452, 2164, 407, 69, 397, 69, 398, 399, 400,
-
- 2164, 415, 401, 409, 411, 414, 416, 417, 418, 421,
- 69, 2164, 395, 396, 412, 69, 413, 69, 69, 419,
- 423, 424, 397, 69, 398, 399, 400, 420, 415, 401,
- 427, 69, 414, 416, 69, 418, 422, 69, 69, 69,
- 69, 69, 428, 69, 425, 426, 419, 423, 424, 429,
- 431, 430, 2164, 69, 420, 2164, 432, 427, 435, 433,
- 69, 2164, 441, 422, 69, 2164, 2164, 69, 436, 428,
- 440, 444, 443, 69, 434, 69, 429, 431, 430, 69,
- 437, 69, 69, 432, 69, 435, 433, 442, 69, 441,
- 69, 438, 446, 439, 445, 436, 450, 440, 69, 443,
-
- 69, 434, 447, 69, 448, 449, 451, 437, 453, 454,
- 69, 2164, 69, 69, 442, 455, 476, 457, 438, 446,
- 439, 445, 69, 450, 456, 69, 69, 458, 69, 447,
- 69, 448, 449, 451, 69, 453, 461, 459, 69, 69,
- 460, 69, 455, 462, 457, 69, 463, 464, 69, 465,
- 2164, 456, 69, 69, 458, 69, 466, 2164, 468, 69,
- 467, 469, 2164, 461, 459, 470, 69, 460, 69, 69,
- 462, 471, 69, 463, 464, 69, 465, 69, 507, 69,
- 480, 475, 69, 466, 477, 468, 69, 467, 469, 474,
- 478, 472, 470, 473, 69, 481, 69, 479, 471, 69,
-
- 69, 482, 69, 483, 69, 507, 485, 480, 475, 486,
- 69, 477, 69, 523, 489, 488, 474, 478, 472, 69,
- 473, 69, 69, 491, 479, 69, 484, 69, 482, 487,
- 2164, 69, 490, 485, 69, 69, 486, 69, 492, 493,
- 523, 489, 488, 501, 69, 69, 502, 69, 500, 69,
- 491, 69, 503, 484, 505, 69, 487, 69, 2164, 490,
- 509, 506, 504, 2164, 510, 492, 493, 494, 69, 508,
- 501, 69, 495, 502, 496, 500, 69, 2164, 69, 2164,
- 511, 505, 497, 521, 69, 498, 69, 509, 506, 504,
- 512, 510, 499, 69, 494, 69, 508, 513, 514, 495,
-
- 515, 496, 69, 69, 518, 69, 517, 511, 516, 497,
- 525, 519, 498, 520, 69, 69, 69, 512, 527, 499,
- 524, 529, 69, 2164, 513, 514, 69, 515, 522, 69,
- 528, 518, 69, 517, 69, 516, 141, 525, 519, 530,
- 520, 531, 533, 69, 532, 69, 534, 524, 535, 537,
- 69, 536, 541, 69, 69, 522, 69, 528, 538, 69,
- 69, 542, 544, 539, 69, 69, 530, 540, 531, 533,
- 69, 532, 543, 534, 545, 535, 537, 546, 536, 69,
- 547, 69, 2164, 548, 549, 551, 69, 550, 69, 69,
- 69, 552, 69, 553, 540, 557, 2164, 555, 2164, 558,
-
- 2164, 69, 559, 2164, 69, 69, 69, 547, 69, 69,
- 548, 549, 551, 554, 550, 69, 69, 564, 556, 69,
- 553, 69, 69, 69, 555, 69, 558, 69, 560, 559,
- 563, 566, 565, 561, 567, 568, 569, 562, 2164, 69,
- 554, 69, 571, 69, 564, 556, 2164, 570, 69, 572,
- 2164, 574, 69, 69, 582, 560, 69, 563, 566, 565,
- 561, 567, 568, 575, 562, 69, 69, 2164, 69, 571,
- 576, 573, 69, 69, 570, 577, 572, 578, 574, 581,
- 580, 69, 579, 2164, 583, 69, 69, 587, 584, 69,
- 575, 69, 585, 589, 69, 586, 69, 576, 573, 69,
-
- 69, 590, 577, 592, 578, 69, 581, 580, 588, 579,
- 591, 583, 69, 2164, 587, 584, 69, 69, 593, 585,
- 596, 69, 586, 69, 594, 69, 598, 69, 590, 595,
- 592, 2164, 597, 599, 69, 588, 600, 601, 603, 2164,
- 69, 69, 69, 605, 604, 593, 69, 596, 606, 2164,
- 607, 2164, 602, 69, 69, 608, 69, 69, 69, 597,
- 599, 69, 609, 600, 601, 603, 69, 611, 617, 2164,
- 610, 604, 612, 616, 613, 69, 69, 607, 69, 602,
- 614, 69, 608, 69, 615, 2164, 69, 69, 69, 609,
- 618, 69, 69, 621, 611, 617, 69, 610, 620, 612,
-
- 616, 613, 69, 619, 622, 69, 69, 614, 623, 2164,
- 624, 615, 69, 625, 2164, 626, 69, 618, 69, 628,
- 621, 629, 2164, 630, 632, 620, 2164, 627, 2164, 2164,
- 619, 69, 69, 631, 633, 623, 69, 624, 69, 69,
- 625, 69, 626, 69, 69, 634, 628, 69, 629, 635,
- 630, 632, 636, 637, 627, 638, 69, 640, 645, 639,
- 631, 633, 69, 641, 69, 69, 642, 643, 650, 644,
- 69, 69, 634, 2164, 69, 69, 635, 69, 2164, 636,
- 637, 69, 638, 648, 640, 645, 639, 646, 141, 649,
- 641, 69, 69, 642, 643, 647, 644, 69, 651, 655,
-
- 69, 69, 653, 652, 2164, 69, 654, 2164, 656, 657,
- 648, 665, 672, 69, 646, 69, 649, 69, 69, 658,
- 668, 69, 647, 69, 666, 651, 69, 69, 670, 653,
- 652, 69, 659, 654, 69, 656, 657, 2164, 665, 69,
- 2164, 69, 669, 667, 69, 671, 658, 668, 2164, 707,
- 2164, 666, 681, 680, 69, 670, 685, 682, 69, 659,
- 660, 69, 684, 2164, 661, 69, 69, 662, 686, 669,
- 667, 69, 671, 687, 663, 69, 683, 664, 69, 681,
- 680, 69, 69, 69, 682, 688, 69, 660, 69, 684,
- 691, 661, 689, 690, 662, 686, 2164, 69, 694, 69,
-
- 687, 663, 692, 683, 664, 673, 674, 2164, 675, 693,
- 2164, 676, 688, 69, 69, 69, 677, 691, 69, 689,
- 690, 696, 678, 679, 69, 694, 699, 698, 69, 692,
- 700, 69, 673, 674, 69, 675, 693, 695, 676, 697,
- 704, 708, 69, 677, 703, 69, 69, 69, 696, 678,
- 679, 702, 69, 699, 698, 701, 705, 700, 706, 69,
- 69, 720, 69, 709, 695, 710, 697, 704, 69, 711,
- 712, 703, 713, 69, 715, 717, 714, 718, 702, 2164,
- 69, 69, 701, 69, 2164, 706, 69, 69, 69, 69,
- 709, 719, 710, 69, 69, 69, 711, 712, 69, 713,
-
- 716, 715, 69, 714, 718, 721, 722, 723, 69, 725,
- 69, 724, 729, 69, 727, 726, 730, 728, 719, 69,
- 734, 733, 2164, 2164, 69, 69, 2164, 716, 69, 69,
- 69, 69, 721, 722, 723, 69, 725, 731, 724, 729,
- 69, 727, 726, 730, 728, 732, 69, 69, 733, 735,
- 737, 736, 738, 739, 743, 69, 69, 741, 69, 69,
- 740, 69, 742, 69, 731, 745, 744, 69, 749, 747,
- 748, 746, 732, 69, 69, 69, 735, 737, 736, 738,
- 739, 743, 69, 69, 741, 69, 69, 740, 752, 742,
- 751, 69, 745, 744, 750, 69, 747, 748, 746, 753,
-
- 754, 69, 755, 69, 2164, 759, 758, 756, 761, 760,
- 69, 69, 764, 765, 762, 757, 763, 751, 2164, 767,
- 69, 750, 69, 69, 769, 69, 69, 754, 69, 755,
- 766, 69, 759, 758, 756, 69, 760, 69, 69, 764,
- 69, 762, 757, 763, 768, 69, 69, 770, 772, 771,
- 774, 141, 773, 69, 775, 69, 69, 766, 776, 69,
- 784, 69, 2164, 69, 69, 791, 785, 2164, 2164, 783,
- 792, 768, 69, 2164, 770, 772, 771, 774, 69, 773,
- 786, 775, 69, 69, 789, 776, 777, 784, 778, 787,
- 788, 2164, 779, 785, 780, 69, 783, 69, 2164, 781,
-
- 794, 790, 69, 798, 782, 793, 69, 786, 795, 799,
- 69, 789, 69, 777, 69, 778, 787, 788, 69, 779,
- 69, 780, 69, 69, 796, 69, 781, 794, 790, 801,
- 798, 782, 793, 800, 797, 795, 799, 802, 803, 69,
- 804, 812, 69, 2164, 2164, 2164, 69, 811, 821, 2164,
- 816, 796, 813, 2164, 814, 2164, 801, 815, 69, 823,
- 800, 797, 69, 69, 802, 69, 817, 69, 812, 69,
- 69, 806, 69, 818, 811, 69, 807, 816, 808, 813,
- 819, 814, 820, 69, 815, 69, 69, 822, 69, 809,
- 69, 69, 826, 817, 824, 827, 810, 69, 806, 2164,
-
- 818, 2164, 828, 807, 825, 808, 69, 819, 830, 820,
- 69, 832, 69, 841, 822, 831, 809, 829, 69, 826,
- 2164, 824, 69, 810, 69, 69, 69, 69, 833, 828,
- 835, 825, 834, 69, 836, 830, 837, 2164, 832, 2164,
- 69, 69, 831, 838, 829, 69, 69, 839, 840, 69,
- 69, 842, 69, 850, 843, 833, 845, 835, 844, 834,
- 846, 836, 69, 837, 69, 69, 69, 69, 69, 847,
- 838, 848, 849, 851, 839, 840, 862, 853, 842, 69,
- 850, 843, 69, 845, 854, 844, 852, 846, 69, 855,
- 69, 69, 856, 69, 2164, 857, 847, 858, 848, 849,
-
- 69, 859, 860, 861, 853, 69, 865, 864, 69, 69,
- 863, 871, 69, 852, 69, 69, 69, 69, 69, 856,
- 866, 69, 857, 868, 858, 867, 869, 2164, 859, 860,
- 861, 69, 69, 865, 864, 872, 69, 863, 871, 870,
- 873, 874, 69, 882, 2164, 69, 69, 866, 69, 876,
- 868, 875, 867, 869, 69, 877, 878, 880, 69, 881,
- 2164, 69, 872, 879, 69, 69, 870, 873, 69, 69,
- 883, 69, 884, 69, 886, 69, 876, 887, 875, 69,
- 885, 888, 877, 878, 880, 889, 881, 890, 891, 69,
- 879, 892, 69, 69, 69, 893, 69, 883, 69, 884,
-
- 69, 886, 894, 895, 887, 896, 899, 885, 888, 901,
- 69, 69, 898, 69, 903, 891, 69, 69, 892, 69,
- 69, 69, 69, 900, 69, 904, 902, 69, 905, 894,
- 895, 69, 896, 899, 69, 69, 901, 69, 906, 898,
- 907, 903, 908, 2164, 2164, 2164, 909, 911, 912, 2164,
- 900, 2164, 904, 902, 910, 905, 913, 919, 915, 916,
- 69, 69, 2164, 2164, 69, 914, 69, 927, 917, 908,
- 69, 69, 69, 909, 911, 912, 69, 69, 69, 69,
- 69, 910, 918, 913, 69, 915, 916, 920, 921, 922,
- 69, 923, 914, 69, 927, 917, 932, 69, 69, 928,
-
- 69, 2164, 929, 931, 935, 69, 924, 933, 2164, 918,
- 69, 930, 69, 934, 920, 921, 922, 925, 923, 936,
- 926, 69, 69, 932, 69, 69, 928, 69, 69, 929,
- 931, 935, 938, 924, 933, 69, 940, 937, 930, 939,
- 934, 69, 942, 941, 925, 69, 936, 926, 943, 946,
- 69, 944, 945, 2164, 69, 69, 948, 69, 954, 69,
- 69, 949, 69, 940, 937, 69, 939, 69, 947, 942,
- 941, 69, 950, 951, 69, 943, 946, 2164, 944, 945,
- 69, 955, 69, 948, 69, 952, 953, 956, 949, 957,
- 69, 968, 69, 958, 69, 947, 69, 962, 960, 950,
-
- 951, 965, 959, 961, 69, 69, 69, 964, 955, 963,
- 2164, 966, 952, 953, 956, 69, 957, 69, 969, 967,
- 958, 69, 69, 69, 962, 69, 970, 69, 965, 959,
- 69, 971, 972, 973, 964, 974, 963, 69, 966, 976,
- 975, 977, 979, 978, 69, 969, 967, 69, 69, 69,
- 980, 69, 981, 970, 69, 69, 69, 69, 971, 972,
- 973, 69, 974, 69, 982, 983, 976, 975, 977, 979,
- 978, 2164, 992, 2164, 991, 2164, 995, 2164, 996, 989,
- 994, 2164, 69, 997, 69, 993, 69, 2164, 69, 69,
- 69, 982, 983, 984, 69, 69, 998, 69, 985, 992,
-
- 986, 991, 987, 995, 988, 69, 989, 994, 999, 69,
- 69, 69, 993, 1000, 1001, 1002, 1004, 1003, 2164, 1008,
- 984, 69, 1006, 998, 69, 985, 69, 986, 69, 987,
- 69, 988, 1007, 69, 69, 999, 1005, 1010, 1009, 1012,
- 1000, 1001, 1002, 1004, 1003, 69, 69, 1011, 1013, 1006,
- 69, 1014, 1016, 1015, 69, 1017, 69, 1019, 2164, 1007,
- 69, 69, 1018, 1005, 69, 1009, 1012, 1022, 69, 1020,
- 1021, 69, 1024, 1023, 1011, 1013, 69, 69, 69, 69,
- 1015, 1025, 1017, 1026, 69, 1027, 69, 1028, 1029, 1018,
- 69, 1030, 69, 1032, 1022, 69, 1020, 1021, 69, 1024,
-
- 1023, 69, 1031, 1033, 69, 69, 1035, 1034, 1025, 1036,
- 1026, 1037, 1027, 1039, 1028, 69, 1040, 69, 69, 1038,
- 69, 69, 69, 69, 69, 69, 69, 1044, 1043, 1031,
- 1033, 1041, 1045, 1035, 1034, 69, 69, 1042, 1037, 1047,
- 1039, 1046, 69, 1050, 69, 69, 1038, 1051, 69, 1048,
- 69, 1049, 69, 69, 1044, 1043, 69, 1052, 1041, 1045,
- 1054, 2164, 1058, 1053, 1042, 69, 1047, 69, 1046, 69,
- 1050, 1055, 1056, 1059, 1051, 1060, 1048, 1057, 1049, 69,
- 69, 1063, 69, 1061, 69, 1066, 1062, 1054, 69, 1058,
- 1053, 1064, 69, 1065, 2164, 69, 1067, 1069, 1055, 1068,
-
- 1059, 1077, 1060, 69, 69, 69, 69, 1072, 1063, 69,
- 1061, 1070, 69, 1062, 1075, 69, 69, 69, 1064, 69,
- 1065, 1071, 1073, 1067, 1069, 1074, 1068, 1076, 1077, 69,
- 69, 69, 69, 1079, 1072, 1078, 69, 69, 1070, 1080,
- 2164, 1075, 1083, 1081, 2164, 1082, 69, 1084, 1071, 1073,
- 69, 69, 1074, 69, 1076, 69, 1085, 1087, 1090, 1086,
- 1079, 1088, 1078, 1093, 69, 1089, 1080, 69, 69, 1083,
- 1081, 1092, 1082, 1094, 1084, 69, 1091, 69, 69, 69,
- 1095, 1097, 69, 1085, 1087, 1090, 1086, 69, 1088, 1096,
- 1098, 1099, 1089, 69, 1103, 69, 2164, 1101, 1092, 1102,
-
- 2164, 1100, 69, 1091, 1108, 69, 69, 1095, 69, 69,
- 69, 69, 69, 69, 1112, 69, 1096, 1098, 1099, 69,
- 1104, 1103, 1106, 1115, 1101, 1105, 1102, 1107, 1100, 1109,
- 1110, 1108, 1111, 1113, 69, 1114, 1116, 69, 69, 1117,
- 69, 2164, 2164, 69, 69, 1118, 69, 69, 1124, 1125,
- 1115, 1121, 69, 69, 69, 1119, 1109, 1110, 1123, 1111,
- 1113, 1120, 1114, 69, 69, 1122, 1117, 2164, 69, 69,
- 69, 69, 1118, 69, 69, 1124, 1125, 1127, 1121, 1126,
- 1128, 1130, 1119, 1131, 1132, 1123, 1129, 1138, 1120, 1144,
- 1136, 2164, 1122, 1139, 69, 69, 2164, 69, 69, 1133,
-
- 2164, 69, 69, 1134, 69, 1140, 1126, 1128, 1130, 69,
- 1131, 1132, 1137, 1129, 69, 69, 1135, 1136, 1141, 1145,
- 1139, 69, 1142, 69, 69, 69, 1133, 1143, 69, 1146,
- 1134, 69, 1140, 1147, 69, 1148, 1149, 1150, 69, 1137,
- 1151, 2164, 1152, 1135, 2164, 1141, 69, 1153, 1158, 1142,
- 1154, 1155, 1157, 69, 1143, 69, 1146, 1156, 2164, 69,
- 1147, 69, 1148, 69, 69, 69, 1160, 69, 69, 1152,
- 69, 69, 1161, 1159, 1153, 1158, 69, 1154, 1155, 1157,
- 1162, 2164, 1163, 1164, 1156, 69, 1165, 69, 69, 1166,
- 1167, 1169, 1168, 69, 1170, 69, 1172, 2164, 69, 1161,
-
- 1159, 2164, 69, 69, 1173, 1181, 2164, 1162, 69, 1163,
- 1164, 1171, 69, 1165, 69, 1176, 1166, 1167, 69, 1168,
- 1174, 1170, 69, 1172, 69, 1175, 69, 69, 1177, 1178,
- 2164, 1173, 69, 69, 1179, 1180, 69, 69, 1171, 1182,
- 1183, 1184, 1176, 1185, 2164, 2164, 69, 1174, 1187, 1191,
- 69, 1189, 1175, 1190, 69, 1177, 1178, 69, 69, 69,
- 1193, 1179, 1180, 1186, 1188, 1199, 1182, 69, 1184, 69,
- 69, 69, 69, 1192, 1194, 1187, 1191, 69, 1189, 69,
- 1190, 1195, 1200, 1196, 69, 69, 1197, 1193, 69, 69,
- 1186, 1188, 1202, 1201, 1203, 1205, 69, 69, 1198, 1204,
-
- 1192, 1194, 1206, 1207, 69, 1210, 1212, 69, 1195, 1200,
- 1196, 69, 69, 1197, 69, 1209, 1208, 1211, 1214, 1202,
- 1201, 1203, 69, 69, 69, 1198, 1204, 69, 69, 1206,
- 1207, 1213, 1215, 1216, 2164, 69, 1220, 69, 69, 69,
- 69, 1217, 1209, 1208, 1211, 1214, 1218, 1219, 1221, 69,
- 69, 1222, 1224, 69, 69, 69, 1223, 2164, 1213, 69,
- 1216, 69, 1225, 1220, 1226, 1229, 69, 1227, 1217, 69,
- 69, 69, 1230, 1218, 1219, 1221, 1228, 1233, 1222, 69,
- 69, 1232, 69, 1223, 69, 1231, 1239, 1234, 69, 1225,
- 1235, 1226, 69, 69, 1227, 1236, 2164, 69, 1240, 1230,
-
- 1241, 1243, 1242, 1228, 1233, 69, 69, 69, 1232, 69,
- 1244, 1237, 1231, 1239, 1234, 1246, 1238, 1235, 1248, 1245,
- 1252, 1249, 1236, 69, 1251, 69, 69, 69, 1243, 1242,
- 69, 1247, 69, 69, 1250, 1254, 69, 1244, 1237, 69,
- 1256, 1255, 1246, 1238, 1253, 1248, 1245, 69, 1249, 69,
- 69, 69, 69, 69, 1257, 1258, 69, 1259, 1247, 69,
- 1260, 1250, 1254, 1261, 1262, 69, 1264, 1256, 1255, 69,
- 69, 1253, 1265, 1270, 1263, 69, 1267, 1272, 1271, 1268,
- 1274, 1257, 1258, 1276, 1259, 1279, 1266, 1260, 69, 69,
- 1261, 1262, 69, 1264, 69, 1269, 1275, 2164, 69, 1265,
-
- 1277, 1263, 1273, 1267, 69, 69, 1268, 1278, 1283, 69,
- 1280, 69, 69, 1266, 69, 69, 69, 69, 69, 1281,
- 1284, 69, 1269, 1275, 69, 1282, 1285, 1277, 1287, 1273,
- 1288, 1289, 1286, 1291, 1278, 1283, 69, 1280, 1293, 69,
- 69, 69, 69, 69, 1292, 1290, 1281, 1284, 1294, 1297,
- 1300, 69, 1282, 1285, 69, 1287, 1295, 1296, 1289, 1286,
- 69, 69, 69, 1311, 1298, 1293, 1307, 69, 69, 1299,
- 69, 1292, 1290, 1301, 1302, 1294, 1297, 69, 69, 69,
- 1303, 69, 1304, 1295, 1296, 1305, 69, 1308, 1313, 1310,
- 69, 1298, 1306, 69, 69, 69, 1299, 69, 69, 69,
-
- 1301, 1302, 69, 1312, 1309, 1315, 1314, 1303, 1316, 1304,
- 69, 1317, 1305, 69, 1308, 69, 1310, 1318, 1319, 1306,
- 2164, 1323, 1324, 69, 1320, 69, 69, 69, 69, 69,
- 1312, 1309, 1315, 1314, 1321, 69, 1322, 69, 1317, 69,
- 1325, 2164, 69, 69, 1318, 1319, 1326, 1327, 1323, 1324,
- 1329, 1320, 69, 1331, 1330, 1335, 1332, 69, 69, 1336,
- 1328, 1321, 69, 1322, 1333, 69, 69, 1325, 69, 1337,
- 69, 1334, 1338, 1326, 1327, 1340, 69, 1329, 1339, 69,
- 69, 1330, 1335, 1341, 69, 1342, 69, 1328, 69, 1343,
- 1344, 1333, 1345, 1346, 1348, 2164, 1337, 1349, 1334, 69,
-
- 1350, 69, 69, 1351, 2164, 1339, 69, 1347, 2164, 69,
- 1341, 1358, 2164, 69, 2164, 1360, 1343, 69, 69, 1345,
- 1361, 1348, 69, 1364, 69, 69, 69, 1350, 1362, 1352,
- 1353, 1354, 1356, 1357, 1347, 69, 1355, 1370, 1359, 69,
- 69, 69, 1363, 69, 69, 69, 1366, 69, 69, 1369,
- 69, 1365, 69, 1371, 1367, 1362, 1352, 1353, 1354, 1356,
- 1357, 69, 1368, 1355, 69, 1359, 1373, 69, 1372, 1363,
- 1374, 69, 69, 1366, 69, 69, 1369, 1378, 1365, 1375,
- 1371, 1367, 69, 1376, 1377, 69, 1379, 69, 1382, 1368,
- 1381, 1380, 1385, 69, 1384, 1372, 1386, 1374, 1383, 69,
-
- 1387, 69, 69, 69, 1378, 69, 1375, 1388, 1389, 1390,
- 1376, 1377, 69, 1379, 69, 1391, 69, 1381, 1380, 1393,
- 69, 1384, 1392, 69, 69, 1383, 69, 69, 69, 69,
- 1394, 1395, 69, 1396, 1388, 1389, 1390, 69, 1397, 69,
- 1398, 1401, 1391, 69, 1400, 1404, 1393, 1402, 1406, 1392,
- 69, 1405, 69, 69, 1403, 69, 1399, 1394, 1395, 69,
- 1396, 1409, 1413, 69, 1410, 1397, 69, 1398, 1401, 69,
- 69, 1400, 1404, 1411, 1402, 69, 1414, 69, 1405, 1407,
- 1412, 1403, 1417, 1399, 1408, 1415, 69, 69, 69, 1419,
- 1416, 1410, 1418, 69, 69, 69, 1420, 1421, 1422, 1424,
-
- 1411, 69, 1425, 69, 69, 1423, 1407, 1412, 1426, 1427,
- 1430, 1408, 69, 69, 69, 1428, 1419, 69, 1431, 1418,
- 69, 69, 1429, 1432, 1421, 1422, 1424, 1434, 69, 1436,
- 69, 1433, 1423, 1435, 69, 1426, 69, 1430, 69, 1438,
- 1437, 69, 1428, 1439, 1440, 69, 69, 1441, 1442, 1429,
- 69, 69, 2164, 1444, 69, 1445, 1436, 69, 1433, 69,
- 1435, 69, 69, 69, 1443, 69, 1438, 1437, 69, 1447,
- 1439, 1440, 1446, 69, 1441, 1442, 1448, 1449, 1450, 69,
- 69, 1451, 1445, 69, 1452, 1454, 1456, 69, 1453, 69,
- 2164, 1443, 1458, 1455, 69, 69, 69, 1457, 1459, 1446,
-
- 1460, 69, 1461, 1448, 1449, 1450, 69, 69, 1451, 1464,
- 69, 1452, 69, 1456, 1463, 1453, 69, 69, 69, 1458,
- 1455, 1462, 69, 1465, 1457, 1459, 69, 1460, 2164, 69,
- 1466, 1468, 69, 1467, 1469, 1470, 1464, 1472, 2164, 1473,
- 69, 1463, 2164, 1471, 69, 1475, 1479, 69, 1462, 1474,
- 2164, 69, 1486, 1476, 69, 69, 69, 1466, 1468, 69,
- 1467, 69, 1470, 69, 1472, 69, 1473, 69, 69, 1477,
- 1471, 1478, 1475, 1479, 1483, 1480, 1474, 69, 1481, 1486,
- 1476, 69, 1484, 1487, 69, 1485, 69, 69, 2164, 69,
- 1490, 1482, 69, 1488, 1489, 2164, 1477, 1491, 1478, 69,
-
- 1492, 1483, 1480, 1493, 1496, 1481, 1495, 69, 69, 1484,
- 1487, 2164, 1485, 69, 69, 69, 1497, 1490, 1482, 1498,
- 1488, 1489, 69, 1499, 1491, 1494, 69, 1492, 69, 69,
- 69, 1496, 69, 1495, 1501, 1500, 1502, 1503, 69, 2164,
- 1504, 69, 69, 1497, 1506, 1505, 1498, 1507, 1511, 1508,
- 1499, 69, 1494, 69, 1510, 1512, 1509, 69, 69, 69,
- 1513, 69, 1500, 1502, 1503, 1515, 69, 1504, 69, 1514,
- 1519, 1506, 1505, 1516, 69, 69, 1508, 69, 1521, 1524,
- 69, 1510, 1512, 1509, 69, 69, 1517, 1513, 1520, 1518,
- 1522, 69, 1515, 2164, 69, 69, 1514, 1519, 1525, 69,
-
- 1516, 69, 1527, 1523, 69, 69, 1524, 1526, 69, 69,
- 1528, 1529, 1530, 1517, 1531, 1520, 1518, 1522, 69, 69,
- 69, 69, 69, 1535, 1532, 1525, 1533, 1534, 69, 1527,
- 1523, 1536, 1537, 69, 1526, 69, 69, 1528, 1529, 1530,
- 1538, 1531, 1539, 1541, 1540, 69, 1546, 1542, 69, 69,
- 69, 1532, 1543, 1533, 1534, 1544, 1545, 69, 1536, 69,
- 2164, 1547, 1549, 69, 1550, 69, 69, 1538, 1551, 1539,
- 1541, 1540, 1553, 69, 69, 1548, 1554, 1552, 1555, 69,
- 69, 69, 1544, 1545, 1556, 1557, 1558, 69, 1547, 1549,
- 1559, 69, 69, 1561, 69, 1551, 1560, 69, 69, 1553,
-
- 69, 1567, 1548, 1564, 1552, 1555, 1562, 69, 69, 69,
- 69, 69, 1557, 1558, 1563, 69, 1568, 1559, 1565, 1569,
- 1561, 1566, 1570, 1560, 2164, 69, 69, 69, 69, 1572,
- 1564, 69, 69, 1562, 1571, 69, 1574, 69, 1578, 69,
- 69, 1563, 1573, 1568, 69, 1565, 1569, 1576, 1566, 1570,
- 69, 1575, 1577, 69, 69, 69, 1572, 1581, 69, 1580,
- 1579, 1571, 1583, 1574, 1582, 1578, 69, 1584, 1585, 1573,
- 1586, 69, 1587, 1588, 1576, 1591, 69, 2164, 1575, 1577,
- 69, 1589, 69, 1594, 69, 1595, 1580, 1579, 69, 1583,
- 1590, 1582, 1596, 69, 1584, 1585, 69, 1586, 1598, 69,
-
- 69, 69, 1591, 1592, 69, 1597, 1593, 1599, 1589, 1600,
- 69, 1601, 69, 69, 1602, 1603, 69, 1590, 1604, 69,
- 1605, 69, 1607, 69, 1610, 69, 1608, 69, 1611, 1606,
- 1592, 1609, 1597, 1593, 1599, 69, 69, 69, 69, 1613,
- 69, 1602, 1603, 1612, 1617, 1604, 1621, 69, 69, 69,
- 1615, 1610, 69, 1608, 69, 1611, 1606, 1614, 1609, 1616,
- 1619, 1618, 69, 1620, 69, 69, 69, 69, 69, 69,
- 1612, 69, 1622, 1621, 1623, 69, 1624, 1615, 1625, 1629,
- 1626, 1631, 69, 1628, 1614, 69, 1616, 1619, 1618, 1630,
- 1620, 1627, 69, 1632, 2164, 1642, 69, 69, 1634, 69,
-
- 69, 1623, 1633, 69, 69, 1625, 1629, 1626, 1631, 69,
- 1628, 1635, 69, 1636, 69, 69, 1630, 69, 1627, 1637,
- 1632, 1638, 1643, 1641, 1639, 1634, 1640, 69, 1646, 1633,
- 1644, 1647, 1655, 69, 1645, 69, 69, 69, 1635, 1648,
- 1636, 69, 69, 69, 69, 69, 1637, 1649, 1638, 1643,
- 1641, 1639, 69, 1640, 69, 1646, 1652, 1644, 1653, 1655,
- 1650, 1645, 1651, 69, 1654, 69, 1648, 69, 69, 1656,
- 1657, 1658, 1661, 1659, 1649, 1660, 69, 1662, 1664, 69,
- 69, 1663, 1665, 1652, 69, 1653, 1667, 1650, 1666, 1651,
- 69, 1654, 1668, 69, 69, 1671, 1656, 1657, 1658, 69,
-
- 1659, 69, 1660, 69, 69, 1669, 1670, 69, 1663, 69,
- 69, 1672, 69, 1667, 69, 1666, 1673, 1674, 69, 1668,
- 1675, 69, 1671, 1676, 1677, 1679, 1678, 1681, 1680, 1682,
- 69, 69, 1669, 1670, 69, 69, 1683, 1684, 1672, 69,
- 69, 1687, 69, 1673, 69, 1685, 69, 1675, 69, 69,
- 1676, 1677, 1679, 1678, 1681, 1680, 69, 69, 1686, 1688,
- 2164, 69, 1689, 1683, 1684, 1691, 1690, 2164, 1693, 69,
- 1692, 1695, 1685, 69, 1694, 1696, 2164, 1697, 69, 69,
- 69, 1698, 1699, 1700, 69, 1686, 1688, 69, 1701, 1689,
- 1702, 69, 1691, 1690, 69, 1693, 1703, 1692, 69, 69,
-
- 69, 1694, 1696, 69, 1697, 1705, 1704, 69, 1698, 69,
- 69, 69, 1708, 1706, 1707, 1710, 69, 1702, 1709, 1711,
- 69, 69, 1712, 1703, 1713, 2164, 1714, 69, 69, 69,
- 1715, 1717, 1705, 1704, 69, 1718, 69, 1716, 1720, 69,
- 1706, 1707, 1719, 1721, 1722, 1709, 1711, 69, 69, 1712,
- 1723, 69, 69, 1714, 1725, 69, 69, 69, 1717, 69,
- 69, 1724, 1718, 69, 1716, 1720, 1726, 1727, 1728, 1719,
- 69, 69, 1729, 1731, 1730, 1732, 69, 69, 2164, 1733,
- 69, 1725, 69, 69, 1734, 69, 1739, 69, 1724, 1736,
- 1747, 1735, 69, 1726, 1727, 1728, 69, 69, 69, 1729,
-
- 1731, 1730, 69, 69, 1737, 1740, 1733, 69, 1738, 1742,
- 1741, 1734, 69, 1739, 69, 1744, 1736, 69, 1735, 69,
- 1743, 69, 1745, 69, 69, 1748, 1746, 2164, 1749, 1750,
- 1751, 1737, 1740, 1752, 1753, 1738, 1742, 1741, 69, 69,
- 69, 1756, 1744, 69, 69, 1754, 69, 1743, 69, 1745,
- 69, 1755, 69, 1746, 69, 1749, 1750, 1751, 69, 69,
- 1752, 1753, 1757, 1760, 1758, 2164, 1759, 1761, 1756, 69,
- 1762, 1764, 1754, 69, 1768, 1763, 1769, 1765, 1755, 69,
- 1770, 1771, 69, 69, 1775, 69, 69, 1766, 1767, 1757,
- 69, 1758, 69, 1759, 1761, 69, 69, 1762, 1764, 69,
-
- 1772, 1768, 1763, 69, 1765, 1773, 69, 69, 1774, 69,
- 1780, 1775, 1776, 69, 1766, 1767, 69, 69, 1777, 69,
- 1778, 1779, 1781, 1782, 1785, 69, 1783, 1772, 69, 69,
- 1784, 69, 1773, 69, 1787, 1774, 1788, 1780, 1792, 1776,
- 1786, 1789, 69, 69, 1790, 1777, 69, 1778, 1779, 1781,
- 1782, 69, 69, 1783, 69, 1791, 69, 1784, 1793, 1794,
- 1795, 1787, 1796, 69, 69, 69, 1797, 1786, 1789, 1798,
- 69, 1790, 69, 1799, 2164, 1800, 1801, 1803, 69, 2164,
- 1802, 69, 1791, 1804, 1805, 1793, 69, 69, 1812, 1796,
- 1806, 69, 1809, 69, 69, 69, 1798, 1807, 69, 1810,
-
- 69, 69, 1800, 1801, 1803, 69, 69, 1802, 1808, 1813,
- 1804, 1805, 1814, 1811, 69, 69, 69, 1806, 1816, 1809,
- 69, 69, 1815, 2164, 1807, 69, 1810, 1818, 1820, 1817,
- 1819, 1821, 69, 1822, 1826, 1808, 69, 1825, 1823, 1814,
- 1811, 2164, 69, 1824, 69, 1827, 1852, 69, 1831, 1815,
- 69, 69, 1828, 69, 1818, 69, 1817, 1819, 69, 69,
- 1822, 1830, 1829, 1832, 1825, 1835, 69, 69, 69, 1833,
- 69, 1834, 1827, 69, 69, 1831, 1838, 1836, 69, 1828,
- 69, 1839, 1841, 1837, 69, 69, 69, 69, 1830, 1829,
- 1832, 1840, 1835, 1842, 69, 69, 1833, 69, 1834, 69,
-
- 69, 69, 1845, 1838, 1836, 1843, 1844, 1846, 1839, 1841,
- 1837, 1848, 69, 1847, 69, 69, 1849, 69, 1840, 1850,
- 1842, 1851, 1853, 69, 1856, 1855, 1854, 69, 1859, 69,
- 1861, 69, 1843, 1844, 1846, 1858, 1857, 1862, 1848, 2164,
- 1847, 69, 69, 69, 69, 69, 1850, 69, 1851, 69,
- 69, 1856, 1855, 1854, 1860, 1859, 69, 1861, 69, 1865,
- 1863, 1864, 1858, 1857, 69, 1866, 69, 69, 69, 1867,
- 1868, 1869, 1870, 1871, 1873, 1874, 1872, 1880, 1875, 1876,
- 2164, 1860, 69, 1879, 1877, 69, 1865, 1863, 1864, 69,
- 1878, 2164, 69, 69, 69, 1882, 1867, 69, 69, 69,
-
- 1871, 69, 69, 1872, 69, 1875, 69, 1883, 1884, 69,
- 1879, 69, 1881, 1885, 69, 69, 1888, 1878, 69, 1889,
- 1886, 1887, 1882, 1891, 1890, 1892, 1894, 2164, 69, 69,
- 69, 69, 69, 1893, 1883, 1884, 69, 1896, 69, 1881,
- 1885, 69, 1897, 1888, 1898, 69, 1889, 1886, 1887, 1895,
- 1891, 1890, 69, 1894, 1899, 1900, 1903, 69, 1906, 1901,
- 1893, 1902, 69, 69, 1896, 69, 69, 1907, 69, 1897,
- 69, 1898, 1904, 1905, 69, 1908, 1895, 69, 1909, 69,
- 69, 1899, 1900, 1903, 69, 69, 1901, 1910, 1902, 1911,
- 1913, 69, 1912, 1915, 1907, 1914, 1916, 2164, 1917, 1904,
-
- 1905, 69, 1908, 1918, 2164, 69, 1921, 69, 69, 69,
- 1919, 69, 2164, 1920, 1910, 2164, 1911, 69, 69, 1912,
- 1915, 1922, 1914, 1916, 69, 1924, 1923, 69, 1925, 1927,
- 69, 69, 1926, 69, 1931, 1928, 1932, 1919, 1934, 69,
- 1920, 69, 1929, 1936, 1933, 1930, 69, 69, 1922, 1938,
- 69, 69, 1924, 1923, 69, 1925, 1927, 69, 69, 1926,
- 1935, 69, 1928, 1932, 1937, 1934, 1940, 1939, 69, 1929,
- 1941, 1933, 1930, 69, 1942, 69, 69, 1944, 1943, 69,
- 69, 1945, 69, 1946, 1947, 1948, 69, 1935, 69, 69,
- 1949, 1937, 1951, 1940, 1939, 69, 1950, 1941, 1954, 69,
-
- 1956, 1952, 1953, 69, 69, 1943, 69, 1958, 1945, 69,
- 1946, 69, 1948, 69, 69, 1955, 69, 1949, 1957, 1951,
- 69, 69, 1959, 1950, 1960, 1954, 69, 69, 1952, 1953,
- 1961, 1962, 1963, 1964, 69, 1965, 1966, 2164, 1967, 69,
- 69, 69, 1955, 1968, 69, 1957, 1970, 1969, 1971, 69,
- 1975, 69, 69, 69, 1980, 1976, 69, 1961, 1962, 69,
- 1964, 1972, 1965, 1966, 69, 1967, 1973, 2164, 1977, 69,
- 1968, 1974, 1978, 69, 1969, 69, 1979, 69, 69, 69,
- 1981, 69, 1976, 69, 1982, 2164, 69, 69, 1972, 1985,
- 1984, 1983, 1986, 1973, 69, 1977, 1989, 69, 1974, 1978,
-
- 69, 1990, 1991, 1979, 1987, 1988, 1992, 69, 69, 1994,
- 69, 1982, 69, 1993, 69, 1995, 1985, 1984, 1983, 1996,
- 1997, 1998, 69, 69, 69, 2000, 2003, 1999, 69, 1991,
- 2002, 1987, 1988, 69, 2001, 69, 1994, 69, 2004, 69,
- 1993, 2006, 1995, 2005, 2007, 2008, 69, 69, 69, 69,
- 69, 69, 69, 69, 1999, 2009, 69, 2002, 2010, 69,
- 2015, 2001, 2011, 2164, 2014, 2004, 2012, 69, 2006, 2013,
- 2005, 69, 2008, 69, 69, 69, 69, 2016, 2017, 2020,
- 2024, 2018, 2009, 2019, 69, 69, 69, 2015, 69, 2011,
- 69, 2014, 69, 2012, 2026, 2023, 2013, 69, 69, 2021,
-
- 2022, 69, 69, 2027, 2016, 2017, 2020, 2024, 2018, 69,
- 2019, 2025, 2028, 2029, 2030, 2031, 2164, 2033, 69, 2032,
- 2034, 69, 2023, 2035, 2036, 2037, 2021, 2022, 2040, 69,
- 69, 2039, 2038, 2041, 2042, 69, 69, 69, 2025, 2028,
- 69, 69, 69, 69, 69, 2043, 2032, 2034, 2044, 69,
- 2035, 69, 2037, 2045, 69, 2040, 2047, 69, 2039, 2038,
- 69, 69, 2046, 2048, 69, 2049, 2050, 2052, 69, 69,
- 69, 2051, 2043, 2053, 2054, 2044, 2055, 2056, 2057, 69,
- 69, 2058, 2059, 2047, 2060, 2062, 2065, 69, 69, 2046,
- 2048, 2164, 2049, 2050, 69, 2061, 69, 69, 2051, 2064,
-
- 69, 69, 2067, 69, 69, 2057, 2063, 69, 69, 2059,
- 69, 2060, 69, 2068, 2066, 69, 2069, 2070, 69, 2072,
- 2076, 69, 2061, 69, 69, 69, 2064, 69, 69, 2067,
- 2071, 2073, 2074, 2063, 2077, 2075, 69, 2164, 69, 69,
- 2068, 2066, 69, 2069, 2070, 69, 2072, 2076, 69, 2081,
- 2084, 69, 2078, 2082, 69, 2079, 2080, 2071, 2073, 2074,
- 69, 2077, 2075, 2083, 69, 69, 2085, 69, 2086, 2088,
- 69, 2087, 2089, 2164, 2092, 2093, 2081, 69, 2090, 2078,
- 2082, 2095, 2079, 2080, 69, 2091, 69, 69, 2099, 2094,
- 2083, 2096, 2100, 2085, 69, 69, 69, 69, 2087, 2089,
-
- 69, 2092, 69, 69, 2097, 2090, 2098, 69, 69, 2101,
- 2164, 2102, 2091, 69, 69, 2103, 2094, 2104, 2096, 2106,
- 69, 2107, 69, 69, 69, 69, 2105, 69, 2110, 2108,
- 69, 2097, 2109, 2098, 2164, 69, 2101, 2112, 2102, 2111,
- 69, 2113, 2103, 69, 2104, 69, 2106, 2114, 2107, 69,
- 69, 2119, 2164, 2105, 2115, 2110, 2108, 2116, 2117, 2109,
- 2120, 69, 2118, 2124, 2112, 2164, 2111, 2122, 69, 2123,
- 69, 2121, 2164, 69, 2114, 69, 69, 69, 2125, 69,
- 69, 2115, 2127, 69, 2116, 2117, 69, 69, 2126, 2118,
- 2131, 69, 2128, 2129, 2122, 69, 2123, 2130, 2121, 2132,
-
- 69, 69, 69, 2134, 69, 2125, 2133, 2164, 2135, 2127,
- 2136, 69, 2139, 2164, 69, 2126, 69, 2131, 2137, 2128,
- 2129, 69, 2140, 2138, 2130, 2164, 2132, 2141, 2142, 69,
- 2134, 69, 69, 2133, 69, 2135, 69, 2136, 69, 69,
- 2143, 2145, 69, 2144, 2146, 2137, 2149, 69, 2147, 2140,
- 2138, 69, 2148, 2150, 2141, 2142, 69, 2151, 2164, 2152,
- 69, 69, 69, 69, 2153, 69, 69, 2143, 2145, 2154,
- 2144, 2146, 69, 2149, 2155, 2147, 2156, 2157, 2158, 2148,
- 2150, 2162, 2164, 2163, 2151, 69, 2152, 2159, 2164, 69,
- 2160, 69, 2164, 2164, 2161, 2164, 2154, 69, 69, 2164,
-
- 69, 69, 69, 69, 2157, 2158, 2164, 2164, 69, 69,
- 69, 2164, 2164, 2164, 2159, 2164, 2164, 2160, 2164, 2164,
- 2164, 2161, 41, 41, 41, 41, 41, 41, 41, 46,
- 46, 46, 46, 46, 46, 46, 51, 51, 51, 51,
- 51, 51, 51, 57, 57, 57, 57, 57, 57, 57,
- 62, 62, 62, 62, 62, 62, 62, 72, 72, 2164,
- 72, 72, 72, 72, 131, 131, 2164, 2164, 2164, 131,
- 131, 133, 133, 2164, 2164, 133, 2164, 133, 135, 2164,
- 2164, 2164, 2164, 2164, 135, 138, 138, 2164, 2164, 2164,
- 138, 138, 140, 2164, 2164, 2164, 2164, 2164, 140, 142,
-
- 142, 2164, 142, 142, 142, 142, 73, 73, 2164, 73,
- 73, 73, 73, 13, 2164, 2164, 2164, 2164, 2164, 2164,
- 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164,
- 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164,
- 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164,
- 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164,
- 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164,
- 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164
+ 168, 69, 173, 162, 163, 166, 69, 69, 134, 181,
+
+ 175, 132, 160, 69, 169, 69, 69, 170, 69, 178,
+ 176, 167, 69, 179, 164, 165, 174, 168, 182, 2237,
+ 171, 172, 185, 203, 69, 184, 181, 175, 69, 188,
+ 177, 169, 69, 69, 170, 2237, 178, 176, 69, 69,
+ 179, 69, 69, 174, 186, 182, 187, 171, 172, 185,
+ 190, 189, 184, 69, 193, 69, 188, 177, 69, 69,
+ 191, 69, 194, 195, 192, 2237, 196, 199, 2237, 2237,
+ 69, 186, 197, 187, 69, 69, 205, 190, 189, 200,
+ 69, 193, 69, 201, 202, 204, 207, 191, 69, 194,
+ 195, 192, 69, 196, 199, 69, 206, 208, 69, 197,
+
+ 69, 210, 69, 205, 213, 212, 200, 214, 69, 2237,
+ 201, 202, 204, 207, 215, 135, 69, 135, 135, 69,
+ 135, 217, 211, 206, 208, 218, 69, 69, 210, 216,
+ 2237, 213, 212, 220, 214, 140, 69, 140, 140, 219,
+ 140, 215, 73, 69, 73, 73, 221, 73, 217, 211,
+ 222, 69, 69, 141, 69, 230, 216, 69, 224, 223,
+ 220, 225, 69, 226, 229, 69, 219, 228, 2237, 227,
+ 240, 231, 2237, 221, 239, 232, 241, 222, 69, 69,
+ 143, 69, 242, 260, 244, 224, 223, 69, 225, 69,
+ 69, 229, 233, 2237, 228, 69, 227, 240, 69, 69,
+
+ 69, 239, 232, 241, 69, 245, 243, 69, 246, 242,
+ 69, 244, 247, 250, 248, 69, 2237, 249, 2237, 233,
+ 234, 69, 69, 251, 69, 235, 252, 69, 264, 69,
+ 236, 258, 245, 243, 257, 246, 237, 238, 69, 247,
+ 250, 248, 267, 69, 249, 69, 261, 234, 69, 253,
+ 251, 259, 235, 252, 254, 269, 69, 236, 258, 262,
+ 69, 257, 69, 237, 238, 265, 255, 268, 256, 270,
+ 263, 266, 69, 261, 69, 69, 253, 69, 259, 271,
+ 2237, 254, 272, 69, 273, 276, 279, 69, 360, 69,
+ 69, 69, 265, 255, 268, 256, 69, 263, 266, 69,
+
+ 274, 69, 275, 277, 278, 69, 271, 69, 69, 272,
+ 281, 273, 276, 279, 280, 69, 283, 282, 69, 284,
+ 285, 69, 69, 69, 69, 69, 69, 274, 286, 275,
+ 277, 278, 289, 293, 291, 292, 295, 281, 69, 287,
+ 288, 280, 69, 283, 282, 290, 284, 285, 69, 294,
+ 297, 69, 69, 296, 299, 69, 306, 69, 300, 69,
+ 69, 291, 292, 295, 69, 69, 287, 288, 305, 303,
+ 302, 307, 290, 298, 69, 301, 294, 308, 309, 69,
+ 296, 304, 69, 69, 141, 300, 69, 69, 69, 69,
+ 69, 310, 311, 69, 312, 305, 303, 302, 307, 315,
+
+ 298, 69, 301, 313, 69, 309, 316, 69, 304, 69,
+ 314, 319, 69, 317, 318, 320, 327, 322, 310, 311,
+ 69, 312, 69, 69, 321, 324, 315, 326, 69, 2237,
+ 313, 69, 325, 316, 323, 329, 330, 314, 319, 69,
+ 317, 69, 320, 69, 322, 69, 69, 328, 69, 69,
+ 69, 321, 324, 331, 326, 69, 332, 333, 336, 325,
+ 69, 323, 69, 330, 69, 335, 338, 69, 334, 346,
+ 337, 69, 69, 339, 328, 69, 340, 69, 341, 345,
+ 331, 342, 69, 2237, 333, 336, 344, 69, 69, 343,
+ 69, 347, 335, 338, 69, 334, 69, 337, 69, 69,
+
+ 339, 69, 348, 340, 353, 341, 345, 69, 342, 354,
+ 69, 356, 349, 344, 2237, 69, 343, 69, 347, 357,
+ 350, 351, 69, 352, 367, 69, 365, 355, 361, 348,
+ 69, 353, 362, 69, 69, 363, 354, 364, 356, 349,
+ 358, 359, 69, 366, 69, 369, 357, 350, 351, 69,
+ 352, 69, 69, 365, 355, 361, 368, 370, 371, 362,
+ 372, 69, 363, 375, 364, 69, 373, 358, 359, 69,
+ 366, 69, 369, 69, 374, 69, 378, 377, 69, 383,
+ 69, 376, 388, 368, 370, 371, 69, 372, 69, 381,
+ 379, 382, 69, 373, 384, 69, 380, 385, 69, 386,
+
+ 389, 374, 387, 378, 2237, 69, 383, 2237, 376, 69,
+ 2237, 390, 69, 69, 69, 2237, 381, 379, 382, 391,
+ 69, 384, 69, 380, 385, 69, 386, 389, 392, 387,
+ 393, 394, 395, 405, 397, 69, 406, 409, 390, 411,
+ 2237, 410, 69, 141, 69, 69, 391, 69, 396, 69,
+ 413, 69, 420, 2237, 69, 392, 69, 393, 394, 395,
+ 405, 397, 407, 406, 409, 412, 411, 408, 410, 414,
+ 2237, 415, 69, 69, 2237, 396, 398, 399, 69, 417,
+ 416, 2237, 69, 418, 69, 419, 400, 69, 401, 402,
+ 403, 69, 412, 404, 69, 421, 414, 69, 415, 422,
+
+ 424, 69, 69, 398, 399, 69, 417, 416, 423, 425,
+ 418, 69, 419, 400, 69, 401, 402, 403, 426, 427,
+ 404, 69, 421, 428, 429, 2237, 422, 430, 431, 69,
+ 433, 432, 69, 435, 69, 423, 425, 434, 436, 69,
+ 438, 69, 69, 69, 447, 426, 427, 444, 443, 69,
+ 439, 2237, 69, 437, 430, 431, 69, 433, 432, 458,
+ 435, 69, 69, 69, 434, 436, 69, 438, 440, 69,
+ 445, 446, 448, 449, 444, 443, 69, 439, 69, 441,
+ 437, 442, 450, 452, 2237, 451, 69, 453, 454, 69,
+ 69, 69, 2237, 69, 69, 440, 455, 445, 446, 448,
+
+ 449, 457, 69, 456, 461, 69, 441, 69, 442, 450,
+ 452, 459, 451, 69, 453, 454, 460, 69, 69, 462,
+ 463, 464, 69, 455, 466, 2237, 69, 69, 457, 465,
+ 456, 461, 467, 468, 69, 69, 69, 69, 459, 69,
+ 469, 2237, 470, 460, 472, 2237, 462, 463, 464, 471,
+ 69, 466, 69, 2237, 69, 69, 465, 473, 474, 467,
+ 468, 479, 475, 69, 480, 69, 69, 469, 69, 470,
+ 476, 472, 477, 478, 69, 69, 471, 69, 483, 69,
+ 69, 482, 489, 481, 473, 474, 485, 484, 479, 475,
+ 487, 69, 486, 490, 493, 69, 69, 476, 492, 477,
+
+ 478, 69, 491, 69, 69, 483, 69, 69, 482, 489,
+ 481, 494, 495, 488, 484, 69, 69, 69, 69, 486,
+ 490, 493, 69, 69, 496, 492, 504, 2237, 497, 491,
+ 506, 2237, 514, 69, 69, 69, 69, 505, 494, 495,
+ 488, 69, 509, 510, 69, 69, 511, 2237, 507, 513,
+ 69, 496, 512, 504, 69, 497, 498, 506, 508, 514,
+ 517, 499, 515, 500, 505, 525, 69, 531, 69, 509,
+ 510, 501, 69, 511, 502, 69, 513, 69, 519, 512,
+ 69, 503, 69, 498, 516, 508, 518, 517, 499, 515,
+ 500, 69, 520, 523, 521, 522, 69, 69, 501, 69,
+
+ 69, 502, 69, 524, 528, 519, 527, 69, 503, 526,
+ 69, 516, 530, 518, 69, 69, 529, 532, 69, 520,
+ 523, 521, 522, 533, 69, 534, 141, 535, 2237, 536,
+ 524, 528, 69, 527, 538, 69, 526, 537, 541, 69,
+ 69, 69, 539, 529, 532, 540, 544, 545, 546, 69,
+ 547, 69, 534, 69, 535, 69, 536, 542, 69, 69,
+ 69, 538, 543, 548, 537, 541, 549, 550, 554, 539,
+ 551, 553, 540, 544, 69, 69, 69, 556, 552, 69,
+ 555, 557, 69, 558, 559, 561, 2237, 69, 2237, 69,
+ 69, 562, 69, 69, 560, 554, 574, 551, 553, 69,
+
+ 69, 69, 563, 69, 69, 552, 69, 555, 557, 69,
+ 558, 559, 570, 69, 564, 69, 567, 69, 562, 565,
+ 571, 560, 568, 566, 569, 69, 2237, 572, 69, 563,
+ 579, 576, 573, 69, 69, 575, 2237, 587, 69, 570,
+ 69, 564, 69, 567, 69, 577, 565, 571, 69, 568,
+ 566, 569, 69, 69, 572, 69, 580, 579, 576, 573,
+ 581, 582, 575, 583, 584, 585, 586, 578, 69, 69,
+ 594, 69, 577, 589, 588, 69, 69, 591, 69, 590,
+ 592, 69, 69, 580, 596, 69, 595, 581, 582, 69,
+ 583, 584, 585, 586, 578, 69, 593, 69, 597, 69,
+
+ 589, 588, 69, 69, 591, 598, 590, 592, 69, 69,
+ 599, 603, 601, 595, 602, 600, 69, 605, 2237, 608,
+ 2237, 604, 69, 593, 612, 597, 69, 69, 69, 69,
+ 606, 609, 598, 610, 69, 69, 614, 616, 611, 601,
+ 2237, 602, 69, 69, 605, 607, 608, 613, 604, 69,
+ 69, 612, 615, 69, 69, 622, 2237, 606, 609, 617,
+ 69, 69, 69, 614, 616, 69, 618, 621, 69, 619,
+ 627, 620, 607, 69, 613, 69, 623, 69, 69, 615,
+ 624, 631, 622, 625, 628, 626, 617, 629, 69, 69,
+ 69, 69, 69, 618, 621, 69, 619, 69, 620, 630,
+
+ 632, 633, 69, 623, 69, 635, 634, 624, 631, 638,
+ 625, 628, 626, 69, 629, 636, 69, 69, 637, 639,
+ 643, 640, 641, 69, 645, 69, 630, 632, 633, 69,
+ 2237, 69, 635, 634, 644, 646, 638, 69, 69, 69,
+ 69, 642, 636, 69, 69, 637, 639, 643, 640, 641,
+ 69, 645, 69, 69, 647, 648, 653, 649, 650, 654,
+ 655, 644, 646, 651, 69, 660, 656, 69, 642, 659,
+ 2237, 652, 657, 69, 69, 2237, 141, 677, 69, 69,
+ 69, 647, 648, 653, 649, 650, 654, 658, 661, 69,
+ 651, 662, 69, 656, 670, 69, 659, 69, 652, 657,
+
+ 69, 663, 69, 69, 664, 2237, 69, 69, 672, 69,
+ 671, 69, 2237, 673, 658, 661, 675, 2237, 662, 2237,
+ 69, 670, 2237, 685, 674, 688, 69, 69, 663, 676,
+ 2237, 664, 665, 690, 69, 672, 666, 671, 686, 667,
+ 673, 691, 69, 675, 69, 69, 668, 69, 687, 669,
+ 685, 674, 688, 2237, 69, 69, 676, 69, 689, 665,
+ 69, 69, 693, 666, 692, 686, 667, 2237, 691, 2237,
+ 694, 695, 708, 668, 69, 687, 669, 678, 679, 697,
+ 680, 69, 69, 681, 696, 689, 701, 698, 682, 693,
+ 69, 692, 700, 69, 683, 684, 69, 694, 695, 708,
+
+ 69, 69, 699, 69, 678, 679, 697, 680, 69, 69,
+ 681, 696, 69, 701, 698, 682, 702, 69, 703, 700,
+ 704, 683, 684, 69, 705, 706, 69, 707, 2237, 699,
+ 711, 709, 713, 710, 712, 714, 2237, 69, 715, 69,
+ 69, 2237, 716, 702, 2237, 703, 69, 704, 2237, 717,
+ 69, 705, 706, 718, 707, 69, 69, 69, 709, 720,
+ 710, 712, 69, 69, 69, 715, 719, 69, 69, 716,
+ 721, 722, 69, 723, 724, 69, 717, 725, 726, 69,
+ 718, 69, 730, 2237, 728, 729, 720, 727, 2237, 733,
+ 69, 731, 69, 719, 732, 69, 69, 721, 722, 2237,
+
+ 69, 724, 69, 69, 725, 734, 69, 69, 735, 730,
+ 69, 728, 729, 69, 727, 69, 733, 69, 731, 736,
+ 737, 732, 69, 739, 740, 741, 69, 742, 738, 745,
+ 743, 69, 734, 744, 69, 735, 69, 2237, 746, 748,
+ 69, 747, 758, 755, 69, 69, 736, 737, 69, 69,
+ 739, 69, 741, 750, 742, 738, 745, 743, 749, 69,
+ 744, 69, 69, 751, 752, 746, 748, 69, 747, 753,
+ 69, 754, 759, 757, 69, 767, 756, 2237, 760, 69,
+ 750, 69, 69, 69, 764, 749, 69, 761, 2237, 766,
+ 751, 752, 69, 765, 762, 69, 753, 2237, 754, 69,
+
+ 757, 69, 763, 756, 69, 760, 69, 69, 768, 69,
+ 769, 764, 770, 771, 761, 69, 766, 772, 2237, 69,
+ 765, 762, 773, 775, 69, 774, 69, 2237, 776, 763,
+ 777, 2237, 69, 778, 69, 768, 782, 769, 780, 770,
+ 69, 69, 69, 779, 772, 69, 69, 781, 2237, 69,
+ 141, 69, 774, 69, 69, 776, 2237, 777, 789, 790,
+ 778, 2237, 2237, 782, 791, 780, 797, 792, 794, 69,
+ 779, 798, 2237, 793, 781, 783, 69, 784, 2237, 795,
+ 69, 785, 69, 786, 69, 789, 790, 2237, 787, 800,
+ 796, 791, 799, 788, 792, 794, 69, 801, 69, 69,
+
+ 793, 69, 783, 69, 784, 69, 795, 804, 785, 69,
+ 786, 802, 69, 805, 807, 787, 800, 796, 808, 799,
+ 788, 803, 806, 809, 801, 810, 69, 69, 69, 69,
+ 819, 817, 818, 69, 804, 820, 2237, 2237, 802, 69,
+ 805, 807, 821, 69, 822, 808, 69, 829, 803, 806,
+ 69, 823, 69, 827, 69, 69, 812, 819, 817, 818,
+ 824, 813, 820, 814, 825, 830, 69, 826, 69, 821,
+ 69, 822, 69, 69, 815, 69, 828, 831, 823, 69,
+ 69, 816, 69, 812, 832, 69, 833, 824, 813, 69,
+ 814, 825, 830, 834, 826, 836, 837, 835, 69, 69,
+
+ 839, 815, 841, 828, 831, 69, 838, 840, 816, 842,
+ 69, 832, 843, 69, 69, 69, 2237, 69, 69, 69,
+ 834, 845, 836, 837, 835, 69, 846, 844, 69, 841,
+ 848, 69, 69, 838, 840, 858, 842, 847, 849, 843,
+ 69, 850, 2237, 851, 69, 852, 859, 853, 845, 69,
+ 2237, 69, 69, 846, 844, 69, 854, 69, 855, 856,
+ 69, 857, 69, 863, 847, 849, 864, 69, 850, 69,
+ 851, 860, 852, 859, 853, 865, 861, 69, 69, 866,
+ 69, 862, 69, 854, 867, 855, 856, 69, 857, 69,
+ 863, 69, 69, 864, 869, 868, 870, 871, 860, 69,
+
+ 2237, 874, 865, 69, 872, 873, 866, 69, 69, 2237,
+ 69, 867, 69, 875, 876, 877, 878, 880, 879, 881,
+ 2237, 69, 868, 870, 871, 883, 69, 69, 874, 69,
+ 69, 872, 873, 882, 69, 69, 69, 69, 69, 884,
+ 875, 876, 877, 878, 880, 879, 69, 885, 887, 886,
+ 888, 69, 883, 889, 2237, 69, 69, 69, 896, 890,
+ 882, 891, 892, 69, 69, 895, 884, 893, 894, 897,
+ 898, 69, 900, 2237, 885, 887, 886, 888, 899, 901,
+ 69, 69, 69, 69, 69, 69, 890, 69, 891, 892,
+ 69, 69, 895, 903, 893, 894, 902, 898, 905, 69,
+
+ 69, 69, 907, 906, 909, 899, 901, 69, 69, 69,
+ 69, 908, 69, 69, 910, 912, 911, 913, 914, 2237,
+ 903, 69, 69, 902, 915, 905, 917, 69, 69, 907,
+ 906, 909, 916, 920, 918, 926, 2237, 922, 908, 919,
+ 2237, 910, 912, 911, 921, 69, 69, 69, 69, 69,
+ 69, 915, 69, 917, 923, 69, 69, 69, 924, 916,
+ 920, 918, 69, 927, 922, 925, 919, 929, 928, 931,
+ 69, 921, 930, 69, 69, 934, 69, 69, 935, 69,
+ 932, 923, 2237, 933, 936, 924, 2237, 941, 69, 938,
+ 927, 69, 925, 937, 929, 928, 931, 940, 2237, 930,
+
+ 69, 69, 934, 939, 69, 935, 69, 932, 945, 69,
+ 933, 936, 69, 69, 941, 69, 938, 942, 943, 944,
+ 937, 947, 2237, 949, 940, 69, 946, 69, 952, 948,
+ 939, 69, 951, 2237, 961, 69, 2237, 2237, 2237, 69,
+ 69, 69, 950, 69, 942, 943, 944, 956, 947, 69,
+ 949, 955, 69, 946, 69, 952, 948, 953, 954, 951,
+ 69, 957, 960, 958, 69, 69, 69, 2237, 69, 950,
+ 69, 965, 959, 69, 956, 964, 963, 966, 955, 69,
+ 69, 962, 69, 970, 953, 954, 967, 971, 957, 960,
+ 958, 968, 69, 69, 69, 69, 69, 969, 965, 959,
+
+ 972, 69, 964, 963, 966, 69, 979, 980, 962, 981,
+ 970, 982, 984, 983, 971, 2237, 2237, 2237, 69, 2237,
+ 69, 985, 986, 2237, 969, 69, 69, 972, 973, 990,
+ 69, 974, 975, 979, 980, 69, 976, 69, 982, 984,
+ 983, 69, 977, 69, 69, 987, 978, 988, 985, 986,
+ 69, 69, 989, 991, 69, 973, 990, 993, 974, 975,
+ 994, 995, 2237, 976, 996, 1042, 69, 992, 2237, 977,
+ 69, 69, 987, 978, 988, 2237, 69, 2237, 1005, 989,
+ 991, 1002, 1004, 69, 1006, 1008, 2237, 69, 995, 69,
+ 1007, 996, 69, 2237, 992, 997, 69, 69, 69, 69,
+
+ 998, 69, 999, 69, 1000, 1005, 1001, 69, 1002, 1004,
+ 1009, 1006, 1008, 69, 2237, 1010, 1012, 1007, 1013, 1011,
+ 1014, 2237, 997, 1015, 1016, 1021, 69, 998, 1023, 999,
+ 1017, 1000, 69, 1001, 69, 1018, 69, 69, 1019, 69,
+ 69, 1020, 69, 1012, 69, 1013, 1011, 1014, 69, 1022,
+ 1015, 1016, 69, 1024, 1027, 69, 1025, 1017, 1026, 1029,
+ 1028, 69, 1018, 69, 2237, 1019, 69, 69, 1020, 1030,
+ 1032, 1034, 1036, 1031, 1043, 1033, 1022, 69, 69, 69,
+ 1024, 69, 69, 1025, 1035, 1026, 69, 1028, 1037, 1039,
+ 1044, 69, 1038, 69, 69, 1041, 1030, 69, 1034, 1036,
+
+ 1031, 69, 1033, 69, 1040, 1045, 69, 1046, 1049, 69,
+ 69, 1035, 69, 1047, 69, 1037, 1039, 1044, 2237, 1038,
+ 1048, 69, 1041, 1050, 69, 69, 1051, 1053, 1052, 2237,
+ 69, 1040, 69, 69, 1046, 69, 69, 69, 1054, 1056,
+ 1047, 1057, 1061, 1059, 1055, 1058, 69, 1048, 1060, 69,
+ 1050, 69, 69, 1051, 1063, 1052, 69, 1064, 69, 69,
+ 1062, 1065, 69, 69, 1067, 1054, 1056, 1071, 1057, 1061,
+ 1059, 1055, 1058, 1066, 69, 1060, 1072, 69, 1069, 69,
+ 1073, 1063, 1068, 1070, 1064, 69, 69, 1062, 69, 1074,
+ 69, 1067, 1075, 69, 1071, 69, 1076, 1077, 1078, 1079,
+
+ 1066, 69, 2237, 1072, 2237, 1080, 1082, 1073, 1084, 1068,
+ 69, 69, 1085, 1081, 69, 1088, 1074, 69, 69, 1075,
+ 1083, 69, 69, 1076, 1077, 1078, 1097, 1086, 69, 69,
+ 1087, 69, 1080, 1082, 69, 1084, 69, 69, 69, 1085,
+ 1081, 1089, 1088, 1090, 1091, 1092, 69, 1083, 1093, 1094,
+ 69, 69, 1096, 1097, 1086, 1095, 1098, 1087, 69, 69,
+ 69, 69, 1100, 69, 1099, 1106, 1101, 1103, 1089, 1102,
+ 1090, 1091, 1092, 69, 69, 1093, 1094, 1105, 69, 1096,
+ 69, 69, 1095, 1098, 1104, 1107, 1108, 1110, 69, 1100,
+ 69, 1099, 69, 1101, 1103, 1109, 1102, 69, 1112, 69,
+
+ 1111, 1113, 1114, 2237, 1105, 1117, 1115, 1119, 2237, 1131,
+ 69, 1104, 69, 1108, 69, 69, 69, 69, 69, 1116,
+ 1120, 69, 1109, 69, 2237, 1112, 69, 1111, 1113, 1114,
+ 1118, 69, 1117, 1115, 1119, 1121, 1122, 69, 1123, 69,
+ 1125, 69, 69, 1124, 69, 1126, 1116, 1120, 69, 1127,
+ 1128, 1129, 1130, 1132, 69, 1135, 69, 1118, 69, 69,
+ 69, 1133, 1121, 1122, 1134, 1136, 1137, 1138, 2237, 69,
+ 69, 1140, 69, 69, 69, 69, 1127, 1128, 1129, 1130,
+ 1132, 1139, 1144, 1142, 69, 69, 1143, 69, 1133, 69,
+ 1141, 1134, 1136, 1137, 1138, 69, 69, 1146, 1140, 1145,
+
+ 1147, 1149, 1148, 1150, 1151, 2237, 69, 2237, 1139, 1144,
+ 1142, 1157, 69, 1143, 69, 69, 1152, 1141, 69, 1159,
+ 1153, 69, 69, 1156, 69, 69, 1145, 1147, 1149, 1148,
+ 1150, 1151, 1155, 1154, 69, 1158, 1161, 1160, 69, 69,
+ 1163, 69, 69, 1152, 69, 69, 1159, 1153, 1162, 1164,
+ 1156, 1166, 1165, 1168, 1167, 69, 1169, 69, 2237, 1155,
+ 1154, 69, 1158, 1161, 1160, 1170, 1171, 1172, 2237, 1173,
+ 1174, 1179, 69, 69, 1176, 1162, 69, 69, 1166, 1165,
+ 69, 1167, 69, 69, 1175, 69, 69, 69, 1177, 1180,
+ 1178, 69, 69, 1171, 1172, 69, 1173, 1174, 69, 1181,
+
+ 1183, 1176, 69, 1182, 1184, 69, 69, 1188, 2237, 1185,
+ 69, 1175, 69, 1186, 2237, 1177, 1180, 1178, 1191, 1187,
+ 69, 69, 1190, 2237, 1189, 1192, 1181, 1183, 2237, 69,
+ 1182, 1184, 69, 69, 69, 69, 1185, 1196, 1195, 1199,
+ 1186, 69, 1198, 1193, 69, 1191, 1187, 69, 1194, 1190,
+ 69, 1189, 1192, 1197, 1200, 69, 69, 1202, 1204, 69,
+ 69, 69, 2237, 1203, 1196, 1195, 1199, 69, 1208, 1198,
+ 1193, 1201, 1206, 1205, 1207, 1194, 69, 69, 69, 1209,
+ 1197, 69, 1210, 1212, 1211, 69, 69, 1213, 1218, 69,
+ 1203, 69, 2237, 69, 69, 1208, 69, 1214, 1201, 1206,
+
+ 1205, 1207, 69, 1219, 69, 69, 1209, 69, 1220, 1210,
+ 1212, 1211, 1215, 1223, 1213, 1216, 1221, 1222, 1224, 69,
+ 69, 1225, 1226, 1229, 1214, 69, 69, 1217, 2237, 1230,
+ 1219, 69, 1231, 1227, 1234, 1220, 69, 69, 69, 1215,
+ 1223, 69, 1216, 1221, 1222, 1228, 1233, 69, 1225, 1226,
+ 69, 69, 69, 1232, 1217, 69, 1230, 69, 1236, 1235,
+ 1227, 69, 1237, 1238, 69, 1239, 1240, 69, 69, 69,
+ 69, 1248, 1228, 1233, 1242, 1243, 1241, 1244, 69, 69,
+ 1232, 69, 1246, 1250, 69, 1236, 1235, 1245, 69, 1237,
+ 1238, 69, 1239, 1240, 69, 69, 1247, 2237, 69, 1249,
+
+ 1252, 1242, 69, 1241, 1244, 69, 69, 69, 1251, 1246,
+ 1250, 1253, 69, 1254, 1245, 1256, 69, 1257, 2237, 1255,
+ 1261, 1258, 1265, 1247, 69, 1262, 1249, 1252, 69, 69,
+ 1263, 69, 1266, 69, 69, 1251, 1259, 69, 1253, 1260,
+ 1254, 69, 1256, 1264, 1257, 69, 1255, 1261, 1258, 69,
+ 1267, 1269, 1262, 1268, 69, 2237, 1270, 1263, 1271, 69,
+ 1272, 69, 1276, 1259, 1275, 1277, 1260, 69, 69, 1284,
+ 1264, 69, 1273, 69, 69, 1274, 69, 1267, 1269, 1278,
+ 1268, 1279, 69, 1270, 1280, 1271, 69, 1272, 1281, 1282,
+ 69, 1275, 69, 69, 69, 69, 1284, 1283, 1285, 1273,
+
+ 69, 69, 1274, 1286, 1288, 1289, 1278, 69, 1279, 1287,
+ 1297, 1280, 69, 1295, 1290, 1281, 1282, 1294, 1296, 1299,
+ 69, 1300, 69, 1316, 1283, 1285, 69, 69, 1291, 69,
+ 1286, 1288, 1289, 1302, 1292, 1301, 1287, 1293, 1298, 1303,
+ 69, 1290, 69, 69, 1294, 69, 69, 69, 1300, 1304,
+ 69, 69, 69, 1306, 69, 1291, 1305, 1309, 1310, 1307,
+ 1302, 1292, 1313, 1308, 1293, 1298, 1303, 69, 1314, 1311,
+ 69, 69, 69, 2237, 1312, 1322, 69, 69, 69, 69,
+ 1306, 69, 69, 1305, 1309, 1310, 1307, 1318, 1315, 1319,
+ 1308, 1317, 1324, 69, 69, 1314, 1311, 69, 69, 1320,
+
+ 1321, 1312, 1322, 1323, 69, 1325, 1331, 69, 1327, 1328,
+ 69, 69, 1326, 69, 1318, 1315, 1319, 1332, 1317, 1324,
+ 1335, 69, 69, 1329, 69, 69, 1320, 1321, 69, 1330,
+ 1323, 1333, 69, 1331, 1334, 1327, 1328, 69, 69, 1326,
+ 1336, 69, 1337, 69, 1338, 1340, 69, 1335, 1339, 69,
+ 1329, 1341, 1343, 1342, 1345, 1344, 1330, 2237, 1333, 69,
+ 2237, 1334, 69, 69, 1346, 1347, 69, 69, 69, 1337,
+ 69, 69, 1340, 69, 1349, 1339, 1348, 69, 69, 1343,
+ 1342, 1345, 1344, 1350, 1351, 1356, 1352, 69, 1355, 69,
+ 1354, 1346, 1347, 1357, 69, 69, 1358, 69, 1367, 1353,
+
+ 69, 1349, 69, 1348, 69, 1361, 69, 1360, 1359, 1363,
+ 1350, 1351, 69, 1352, 69, 1355, 69, 1354, 1364, 1365,
+ 1362, 1366, 1369, 1358, 69, 69, 1353, 69, 1368, 1370,
+ 69, 1371, 69, 1373, 1360, 1359, 69, 1372, 69, 69,
+ 1374, 1376, 1375, 1383, 69, 1364, 69, 1362, 1366, 1387,
+ 2237, 1381, 69, 2237, 69, 1368, 1370, 69, 69, 1382,
+ 1373, 1391, 69, 69, 1372, 1388, 69, 69, 69, 1375,
+ 1377, 1378, 1379, 69, 1384, 69, 1387, 1380, 1381, 1385,
+ 1389, 69, 1390, 1394, 1386, 69, 1382, 1392, 1393, 69,
+ 69, 1395, 1388, 69, 69, 69, 69, 1377, 1378, 1379,
+
+ 1397, 1384, 1396, 69, 1380, 69, 1398, 1389, 1400, 1390,
+ 1394, 69, 1399, 69, 1392, 1393, 1401, 69, 69, 1402,
+ 1404, 1406, 1403, 1413, 1405, 2237, 69, 1397, 69, 1396,
+ 1408, 69, 1407, 1398, 69, 1400, 69, 69, 1409, 1399,
+ 1412, 69, 1411, 69, 1410, 69, 1402, 69, 1406, 1403,
+ 69, 1405, 1415, 69, 1414, 69, 1416, 1408, 1417, 1407,
+ 1418, 69, 69, 2237, 69, 1409, 1420, 1412, 1421, 1411,
+ 1419, 1410, 69, 1428, 1422, 69, 1423, 1425, 1424, 1415,
+ 1427, 1414, 69, 2237, 69, 69, 69, 69, 69, 2237,
+ 69, 69, 69, 1420, 1429, 1421, 2237, 1419, 1426, 69,
+
+ 1428, 1422, 69, 1423, 1425, 1424, 69, 1427, 1431, 1434,
+ 1430, 1432, 1433, 1435, 1437, 1436, 69, 69, 1440, 1443,
+ 69, 1429, 1441, 69, 1444, 1426, 69, 1445, 69, 1448,
+ 1451, 1442, 69, 69, 69, 1431, 1434, 1430, 1432, 1433,
+ 1435, 69, 1436, 1438, 69, 69, 1443, 1446, 1439, 1441,
+ 1449, 69, 1447, 1450, 69, 1453, 69, 1452, 1442, 69,
+ 1456, 69, 69, 1455, 1457, 69, 1454, 1458, 69, 69,
+ 1438, 1459, 69, 1460, 1462, 1439, 1461, 1449, 69, 69,
+ 1450, 69, 1453, 1463, 1452, 1465, 69, 1464, 1466, 1467,
+ 1455, 1457, 69, 1454, 69, 1469, 1470, 69, 1459, 69,
+
+ 1460, 69, 69, 1461, 1468, 1471, 1472, 2237, 1475, 69,
+ 69, 69, 1473, 69, 1464, 1466, 1467, 69, 69, 1474,
+ 1476, 69, 1469, 1470, 1478, 69, 1477, 69, 1485, 69,
+ 1479, 1468, 1471, 1472, 69, 69, 1480, 69, 69, 1473,
+ 1481, 1483, 1482, 1484, 1490, 1486, 1474, 1476, 69, 69,
+ 69, 69, 1489, 1477, 69, 1487, 1491, 1479, 69, 1492,
+ 69, 69, 69, 1480, 69, 69, 1488, 1481, 1483, 1482,
+ 1484, 1490, 1486, 1493, 69, 1494, 1495, 1496, 1497, 1489,
+ 1498, 69, 1487, 1491, 69, 1499, 69, 69, 69, 69,
+ 1500, 1503, 1501, 1488, 1502, 2237, 1504, 1505, 69, 2237,
+
+ 1493, 1507, 1494, 1495, 1538, 1497, 69, 1498, 1516, 69,
+ 69, 69, 1499, 2237, 69, 69, 69, 69, 1503, 1501,
+ 1506, 1502, 69, 1504, 1505, 1508, 69, 1509, 1507, 1510,
+ 69, 1511, 1512, 1515, 1514, 69, 69, 1517, 1519, 2237,
+ 69, 69, 69, 69, 1518, 1513, 69, 1506, 69, 1523,
+ 2237, 69, 1508, 69, 1509, 1520, 1510, 1522, 1511, 1512,
+ 1515, 1514, 69, 1521, 1517, 1519, 1524, 1525, 1526, 1527,
+ 69, 1518, 1513, 1528, 69, 69, 1523, 69, 1529, 69,
+ 1530, 1532, 1520, 1548, 1522, 1531, 69, 69, 69, 69,
+ 1521, 69, 1533, 1524, 1525, 1526, 1527, 1536, 69, 1534,
+
+ 1528, 1535, 1537, 69, 1540, 1529, 69, 69, 1532, 69,
+ 1539, 1541, 1531, 1544, 1542, 69, 1545, 69, 69, 1533,
+ 1543, 69, 69, 69, 1536, 1550, 1534, 1546, 1535, 1537,
+ 69, 1540, 69, 69, 1549, 2237, 1552, 1539, 1541, 69,
+ 69, 1542, 69, 1545, 1547, 1551, 1554, 1543, 1553, 1555,
+ 69, 69, 1550, 1556, 1546, 1558, 69, 2237, 2237, 1557,
+ 69, 1549, 69, 1552, 69, 69, 1559, 1561, 1560, 1562,
+ 1564, 1547, 1551, 1554, 69, 1553, 1555, 69, 69, 1565,
+ 1556, 1566, 69, 69, 69, 1563, 1557, 1572, 69, 69,
+ 1567, 69, 69, 1559, 1561, 1560, 1562, 1564, 1569, 69,
+
+ 1571, 1570, 69, 1568, 1573, 69, 1565, 1575, 1566, 1577,
+ 1576, 69, 1563, 69, 1572, 1574, 1578, 1567, 69, 69,
+ 1582, 1579, 1584, 1588, 1580, 1569, 1589, 1571, 1570, 1581,
+ 1568, 69, 69, 69, 69, 69, 1577, 1576, 69, 69,
+ 1585, 69, 1574, 1578, 1583, 1593, 1590, 1582, 1579, 69,
+ 1588, 69, 1592, 69, 1586, 1591, 69, 1595, 1594, 2237,
+ 1597, 69, 1598, 2237, 1596, 1587, 69, 1585, 1600, 69,
+ 69, 1583, 69, 1590, 1599, 1606, 69, 69, 2237, 1592,
+ 69, 1586, 1591, 69, 69, 1594, 69, 1597, 1602, 1598,
+ 69, 1596, 1587, 1601, 1603, 1600, 1604, 69, 1605, 1607,
+
+ 69, 1599, 69, 1610, 69, 69, 1608, 1609, 1613, 69,
+ 1614, 1611, 69, 69, 1620, 1602, 69, 2237, 69, 69,
+ 1601, 1603, 69, 1604, 1612, 1605, 1607, 1617, 1615, 69,
+ 1610, 1619, 69, 1608, 1609, 1613, 69, 1614, 1611, 1616,
+ 1618, 69, 69, 69, 1621, 69, 69, 1622, 1626, 1623,
+ 1624, 1612, 1625, 1627, 1617, 1615, 1629, 1628, 1619, 1630,
+ 2237, 69, 69, 2237, 69, 1633, 1616, 1618, 69, 69,
+ 69, 1621, 1634, 1635, 1622, 69, 1623, 1624, 69, 1625,
+ 69, 1636, 1637, 1629, 1628, 69, 1630, 1631, 69, 69,
+ 1632, 1638, 69, 1639, 69, 69, 1640, 1642, 1643, 1634,
+
+ 1635, 1644, 1641, 1645, 1647, 69, 69, 69, 1636, 1637,
+ 69, 1648, 69, 1646, 1631, 1649, 1651, 1632, 1638, 1650,
+ 69, 1654, 1657, 69, 69, 1643, 69, 69, 69, 1641,
+ 69, 1647, 1652, 69, 1653, 2237, 1655, 1661, 1648, 1658,
+ 1646, 69, 69, 69, 1659, 69, 1650, 69, 1654, 69,
+ 1660, 1656, 2237, 1662, 1666, 69, 69, 1668, 69, 1652,
+ 69, 1653, 69, 1655, 69, 1663, 1658, 1664, 1665, 69,
+ 1670, 1659, 1671, 69, 1667, 1673, 1669, 1660, 1656, 69,
+ 1662, 69, 69, 69, 69, 1672, 2237, 1676, 1674, 1675,
+ 69, 69, 1663, 69, 1664, 1665, 1677, 1670, 69, 1671,
+
+ 1679, 1667, 1673, 1669, 69, 1678, 69, 1680, 1681, 69,
+ 1682, 69, 1672, 69, 1676, 1674, 1675, 1687, 1683, 69,
+ 1684, 1685, 69, 1677, 1690, 1692, 1689, 1679, 1686, 69,
+ 69, 1688, 1678, 69, 1680, 1681, 69, 1682, 69, 69,
+ 1691, 69, 69, 2237, 1693, 1683, 1698, 1684, 1685, 69,
+ 1697, 1690, 1694, 1689, 69, 1686, 1703, 69, 1688, 1699,
+ 1701, 1695, 69, 1696, 69, 1700, 69, 1691, 69, 1702,
+ 69, 1693, 69, 1698, 69, 1704, 69, 1697, 1705, 1694,
+ 69, 1707, 1708, 1703, 69, 69, 1699, 1701, 1695, 1706,
+ 1696, 1709, 1700, 1710, 1711, 1714, 1702, 69, 2237, 1712,
+
+ 2237, 1713, 1704, 1716, 69, 1705, 1715, 1719, 69, 69,
+ 69, 69, 69, 69, 1717, 1718, 1706, 1720, 1709, 69,
+ 1725, 69, 1714, 1721, 1724, 69, 1712, 69, 1713, 1722,
+ 1716, 69, 1723, 1715, 1719, 1727, 69, 69, 69, 69,
+ 69, 1717, 1718, 69, 69, 69, 1726, 1725, 1728, 1729,
+ 1721, 1724, 1730, 69, 1731, 1732, 1722, 69, 1733, 1723,
+ 1735, 69, 1727, 1742, 1734, 69, 1737, 1739, 69, 2237,
+ 69, 1736, 1738, 1726, 1740, 1744, 1729, 69, 1746, 1730,
+ 69, 1731, 1732, 69, 69, 69, 1741, 1735, 1743, 1745,
+ 69, 1734, 69, 1737, 1739, 69, 69, 1747, 1736, 1738,
+
+ 69, 1740, 69, 69, 1748, 69, 69, 69, 1749, 69,
+ 1750, 1751, 1752, 1741, 1753, 1743, 1745, 2237, 1754, 1757,
+ 1755, 1756, 1761, 1759, 1747, 69, 69, 69, 1764, 69,
+ 69, 1748, 1765, 1760, 1758, 1749, 1766, 69, 69, 1772,
+ 69, 1753, 1768, 69, 69, 1754, 1757, 1755, 1756, 69,
+ 69, 69, 1763, 1762, 69, 69, 1767, 1769, 69, 1765,
+ 1760, 1758, 69, 69, 69, 1771, 69, 69, 1770, 1768,
+ 69, 1773, 1774, 1775, 2237, 1777, 1776, 2237, 69, 1763,
+ 1762, 69, 1778, 1767, 1769, 69, 1780, 69, 69, 1779,
+ 1781, 1784, 1771, 1782, 1785, 1770, 2237, 69, 69, 69,
+
+ 1775, 69, 1777, 1776, 69, 69, 69, 1783, 1788, 1778,
+ 1786, 69, 69, 1780, 69, 69, 1779, 1781, 69, 1787,
+ 1782, 1785, 69, 1790, 1789, 1792, 69, 69, 1791, 1793,
+ 2237, 1800, 1801, 1796, 1783, 1788, 69, 1786, 69, 1794,
+ 1797, 1795, 1798, 69, 69, 69, 1787, 1802, 1799, 1804,
+ 1790, 1789, 1792, 69, 69, 1791, 1793, 69, 69, 69,
+ 1796, 1813, 1803, 1809, 69, 69, 1794, 1797, 1795, 1798,
+ 69, 69, 1805, 69, 1802, 1799, 1804, 1806, 1807, 69,
+ 1808, 69, 1812, 69, 1810, 1811, 69, 69, 69, 1803,
+ 1809, 69, 1814, 1815, 69, 1816, 2237, 1818, 2237, 1805,
+
+ 1824, 1817, 69, 1822, 1806, 1807, 69, 1808, 69, 1812,
+ 69, 1810, 1811, 69, 1819, 69, 1820, 1821, 1823, 1814,
+ 1815, 1826, 1816, 69, 1818, 69, 1825, 69, 1817, 1827,
+ 69, 2237, 69, 69, 1832, 69, 1828, 69, 1831, 1829,
+ 1830, 1819, 1833, 1820, 1821, 69, 69, 69, 1826, 1834,
+ 1835, 1842, 1837, 1825, 1836, 2237, 1827, 1838, 69, 69,
+ 69, 1832, 69, 1828, 69, 1831, 1829, 1830, 1840, 69,
+ 69, 1843, 1839, 1841, 69, 69, 1834, 69, 69, 1837,
+ 69, 1836, 1844, 69, 1838, 1845, 1849, 1846, 1848, 1847,
+ 1850, 69, 1851, 1852, 1853, 1840, 1854, 69, 1843, 1839,
+
+ 1841, 69, 69, 1855, 69, 1856, 2237, 1857, 1860, 1844,
+ 69, 69, 69, 69, 1846, 1848, 1847, 1850, 1861, 69,
+ 69, 1853, 1858, 69, 1859, 69, 69, 69, 1862, 1864,
+ 1855, 1863, 69, 69, 1857, 1860, 1866, 69, 69, 2237,
+ 69, 69, 1865, 1867, 1868, 1861, 1870, 1869, 69, 1858,
+ 1871, 1859, 1872, 69, 1873, 1862, 1864, 1874, 1863, 69,
+ 1875, 69, 2237, 1866, 1876, 69, 69, 1879, 1877, 1865,
+ 1867, 1868, 69, 69, 1869, 1878, 69, 69, 1880, 1872,
+ 69, 1873, 69, 1882, 1881, 1884, 1885, 1875, 1883, 69,
+ 69, 1876, 1887, 1886, 69, 1877, 1889, 69, 69, 1888,
+
+ 2237, 2237, 1878, 1890, 2237, 69, 1891, 69, 69, 1892,
+ 1893, 1881, 1884, 1894, 69, 69, 69, 69, 69, 1887,
+ 1886, 1899, 69, 1889, 69, 1896, 1888, 1897, 69, 1895,
+ 1890, 1898, 1900, 1891, 69, 69, 1892, 1893, 69, 69,
+ 1894, 1904, 1906, 1901, 1908, 69, 1902, 69, 1899, 69,
+ 69, 69, 1896, 69, 1897, 1903, 1895, 1905, 1898, 1900,
+ 69, 1914, 1907, 69, 1909, 69, 1910, 1912, 69, 1906,
+ 1901, 69, 69, 1902, 69, 1913, 1911, 1915, 69, 1916,
+ 2237, 1917, 1903, 69, 1905, 1920, 1918, 1919, 69, 1907,
+ 69, 1909, 1922, 1910, 1912, 1923, 69, 1921, 69, 69,
+
+ 69, 69, 1926, 1911, 1915, 1927, 1916, 69, 1917, 69,
+ 69, 1928, 1920, 1918, 1919, 1929, 1924, 1931, 69, 1922,
+ 1925, 1932, 69, 69, 1921, 1930, 1935, 69, 69, 1926,
+ 1933, 2237, 69, 1934, 1936, 69, 1937, 1940, 1928, 69,
+ 1938, 69, 69, 1924, 69, 1939, 69, 1925, 69, 1941,
+ 1942, 69, 1930, 1943, 1944, 69, 1945, 1933, 69, 69,
+ 1934, 69, 1946, 1937, 1940, 1948, 1947, 69, 1949, 1950,
+ 69, 1955, 69, 1954, 2237, 1951, 1941, 69, 69, 1952,
+ 1943, 1944, 69, 69, 69, 1957, 69, 1953, 69, 1946,
+ 69, 1956, 1948, 1947, 69, 1949, 1950, 69, 69, 69,
+
+ 1954, 1958, 1951, 1959, 69, 1960, 1952, 1961, 1962, 69,
+ 2237, 2237, 1957, 1964, 1953, 1963, 1965, 69, 1956, 69,
+ 69, 1966, 1969, 1970, 2237, 1972, 1973, 1971, 1958, 69,
+ 1959, 69, 1960, 69, 1961, 1962, 69, 69, 1967, 69,
+ 1964, 1974, 1963, 1965, 1968, 69, 69, 69, 1966, 69,
+ 1970, 69, 69, 1973, 1971, 1975, 1976, 1977, 1978, 1982,
+ 1980, 1981, 1984, 1979, 1983, 1967, 69, 1986, 69, 2237,
+ 2237, 1968, 2237, 69, 69, 1985, 69, 69, 69, 1987,
+ 1988, 1991, 1975, 1976, 1977, 69, 69, 1980, 1981, 1984,
+ 1979, 69, 1992, 69, 69, 69, 1989, 69, 69, 1990,
+
+ 2237, 1997, 1985, 69, 1993, 1994, 1987, 1988, 1991, 1995,
+ 1999, 1998, 1996, 2000, 69, 2237, 2002, 69, 69, 1992,
+ 2001, 69, 69, 1989, 2003, 2004, 1990, 69, 69, 69,
+ 2008, 1993, 1994, 2006, 2010, 69, 1995, 1999, 1998, 1996,
+ 2000, 2007, 69, 2005, 2013, 2011, 69, 2001, 69, 69,
+ 69, 2003, 69, 69, 2009, 69, 69, 2012, 2016, 2014,
+ 2006, 69, 69, 2017, 2015, 2022, 2020, 2018, 2007, 69,
+ 2005, 69, 2011, 69, 69, 69, 69, 2019, 2021, 69,
+ 2024, 2009, 2025, 2027, 2012, 2016, 2014, 69, 69, 2023,
+ 2017, 2015, 69, 2020, 2018, 2026, 69, 69, 2029, 2030,
+
+ 2028, 69, 2034, 2237, 2019, 2021, 2031, 69, 2032, 69,
+ 69, 69, 69, 69, 2036, 2033, 2023, 2035, 2037, 69,
+ 69, 2038, 2026, 69, 2040, 2029, 69, 2028, 69, 2034,
+ 69, 2039, 69, 2031, 2043, 2032, 2042, 2041, 2044, 2048,
+ 2045, 2036, 2033, 69, 2035, 69, 2049, 2047, 69, 69,
+ 2051, 2040, 69, 2046, 69, 2050, 2052, 2054, 2039, 69,
+ 2057, 69, 69, 2042, 2041, 2044, 69, 2045, 69, 2058,
+ 2060, 69, 2061, 69, 2047, 2062, 2053, 2051, 69, 69,
+ 2046, 2064, 2050, 2052, 69, 2055, 2056, 69, 69, 69,
+ 2059, 2065, 2063, 2066, 69, 69, 69, 69, 69, 2061,
+
+ 2067, 2068, 2062, 2053, 2070, 2237, 2071, 2069, 69, 69,
+ 2072, 2073, 2055, 2056, 69, 69, 2074, 2059, 69, 2063,
+ 69, 2075, 69, 69, 69, 2076, 2079, 2067, 69, 2077,
+ 2080, 2070, 69, 2071, 2069, 2237, 2078, 69, 2073, 69,
+ 2081, 2087, 2084, 2074, 2085, 69, 2237, 2082, 2075, 69,
+ 2237, 69, 69, 2079, 69, 2086, 2077, 69, 2083, 69,
+ 69, 2089, 69, 2078, 69, 69, 2088, 2081, 2087, 2084,
+ 69, 2085, 2090, 69, 2082, 2093, 69, 2091, 2092, 2094,
+ 2096, 69, 2086, 69, 2095, 2083, 2097, 69, 2089, 2098,
+ 2099, 69, 2100, 2088, 2101, 2102, 2237, 2103, 2104, 2090,
+
+ 2105, 69, 2093, 2107, 2091, 2092, 2094, 69, 2106, 69,
+ 2109, 2095, 69, 69, 2108, 2111, 2098, 69, 2112, 69,
+ 69, 69, 69, 69, 2103, 69, 2113, 2105, 2114, 2110,
+ 69, 2115, 2116, 69, 69, 2106, 2117, 2109, 69, 2119,
+ 2237, 2108, 2111, 69, 69, 2112, 2118, 2121, 69, 2122,
+ 2124, 69, 2123, 69, 69, 69, 2110, 2125, 2115, 2116,
+ 69, 2120, 2126, 69, 2127, 2128, 2119, 69, 2129, 69,
+ 2130, 69, 2131, 2118, 2121, 2132, 2122, 69, 2133, 2123,
+ 2135, 2134, 2137, 2138, 69, 2136, 69, 2139, 2120, 69,
+ 69, 69, 69, 69, 69, 2129, 2140, 69, 2144, 69,
+
+ 69, 2142, 2132, 2141, 69, 2133, 69, 69, 2134, 2137,
+ 69, 69, 2136, 2143, 2139, 69, 2145, 2148, 69, 2146,
+ 2147, 69, 69, 2140, 69, 2144, 69, 2150, 2142, 2149,
+ 2141, 2157, 2237, 69, 2151, 2154, 2237, 69, 2153, 69,
+ 2143, 69, 69, 2145, 2148, 69, 2146, 2147, 2152, 69,
+ 2158, 2155, 2156, 2159, 2150, 2160, 2149, 69, 69, 69,
+ 2161, 2151, 2154, 69, 2162, 2153, 2163, 2164, 69, 69,
+ 2166, 2165, 2167, 2168, 2172, 2152, 2173, 2158, 2155, 2156,
+ 69, 69, 2160, 69, 2169, 69, 69, 69, 69, 2171,
+ 2174, 2162, 2170, 2163, 2164, 2175, 69, 69, 2165, 2167,
+
+ 69, 69, 69, 69, 2176, 2177, 69, 2178, 69, 69,
+ 2180, 2169, 69, 2179, 2181, 2182, 2171, 2174, 69, 2170,
+ 2237, 69, 2175, 69, 69, 2183, 2184, 2185, 69, 2186,
+ 69, 2176, 2177, 2187, 2178, 69, 2188, 2180, 2237, 2189,
+ 2179, 2181, 2182, 2190, 2193, 2192, 2197, 69, 69, 2191,
+ 2237, 2237, 2183, 2184, 2185, 2194, 69, 69, 69, 69,
+ 2187, 69, 2200, 2188, 2195, 69, 2189, 2237, 2204, 2199,
+ 2190, 69, 69, 2196, 2237, 69, 2191, 69, 69, 2198,
+ 2201, 69, 2194, 69, 69, 2202, 2205, 69, 69, 2200,
+ 2203, 2195, 2207, 69, 69, 2204, 2199, 2206, 2237, 2208,
+
+ 2196, 2209, 2210, 2211, 69, 69, 2198, 2201, 69, 2212,
+ 2216, 69, 2202, 2205, 2213, 2214, 2237, 2203, 69, 2207,
+ 2237, 2218, 69, 69, 2206, 69, 2208, 2219, 2209, 2210,
+ 2211, 2215, 69, 2222, 69, 69, 69, 2216, 2217, 69,
+ 2225, 2213, 2214, 69, 2220, 2221, 69, 2223, 2218, 69,
+ 2226, 2228, 69, 69, 2219, 69, 2224, 2229, 2215, 69,
+ 2222, 2227, 2230, 2231, 69, 2217, 69, 2225, 2233, 2232,
+ 2235, 2220, 2221, 2236, 2223, 2237, 69, 69, 69, 2234,
+ 2237, 69, 69, 2224, 69, 69, 2237, 69, 2227, 2230,
+ 2231, 69, 2237, 2237, 2237, 2233, 2232, 69, 2237, 2237,
+
+ 69, 2237, 2237, 2237, 2237, 2237, 2234, 41, 41, 41,
+ 41, 41, 41, 41, 46, 46, 46, 46, 46, 46,
+ 46, 51, 51, 51, 51, 51, 51, 51, 57, 57,
+ 57, 57, 57, 57, 57, 62, 62, 62, 62, 62,
+ 62, 62, 72, 72, 2237, 72, 72, 72, 72, 131,
+ 131, 2237, 2237, 2237, 131, 131, 133, 133, 2237, 2237,
+ 133, 2237, 133, 135, 2237, 2237, 2237, 2237, 2237, 135,
+ 138, 138, 2237, 2237, 2237, 138, 138, 140, 2237, 2237,
+ 2237, 2237, 2237, 140, 142, 142, 2237, 142, 142, 142,
+ 142, 73, 73, 2237, 73, 73, 73, 73, 13, 2237,
+
+ 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237,
+ 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237,
+ 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237,
+ 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237,
+ 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237,
+ 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237,
+ 2237, 2237, 2237, 2237, 2237
} ;
-static yyconst flex_int16_t yy_chk[6281] =
+static yyconst flex_int16_t yy_chk[6466] =
{ 0,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
@@ -1862,688 +1909,709 @@ static yyconst flex_int16_t yy_chk[6281] =
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 3, 3, 3, 4,
4, 4, 5, 5, 6, 6, 5, 27, 6, 7,
- 7, 7, 7, 671, 7, 8, 8, 8, 8, 27,
+ 7, 7, 7, 676, 7, 8, 8, 8, 8, 27,
8, 9, 9, 9, 10, 10, 10, 15, 45, 45,
- 2170, 15, 23, 3, 27, 50, 4, 769, 50, 5,
- 19, 6, 19, 19, 671, 19, 140, 7, 29, 61,
+ 2243, 15, 23, 3, 27, 50, 4, 775, 50, 5,
+ 19, 6, 19, 19, 676, 19, 140, 7, 29, 61,
61, 19, 23, 8, 138, 23, 20, 20, 9, 23,
29, 10, 11, 11, 11, 11, 11, 11, 12, 12,
- 12, 12, 12, 12, 20, 29, 24, 137, 19, 23,
+ 12, 12, 12, 12, 20, 29, 24, 103, 19, 23,
20, 25, 11, 20, 20, 21, 75, 32, 12, 25,
- 24, 70, 21, 32, 853, 70, 21, 96, 28, 21,
- 11, 20, 24, 24, 132, 132, 12, 25, 25, 11,
+ 24, 70, 21, 32, 860, 70, 21, 103, 28, 21,
+ 11, 20, 24, 24, 103, 137, 12, 25, 25, 11,
75, 21, 21, 75, 32, 12, 25, 24, 26, 21,
- 28, 26, 853, 21, 30, 28, 21, 22, 26, 96,
+ 28, 26, 860, 21, 30, 28, 21, 22, 26, 135,
- 26, 22, 30, 135, 22, 116, 22, 22, 30, 133,
+ 26, 22, 30, 133, 22, 116, 22, 22, 30, 131,
31, 26, 30, 34, 31, 26, 77, 116, 26, 22,
30, 30, 76, 77, 22, 26, 34, 26, 22, 30,
31, 22, 116, 22, 22, 30, 31, 31, 35, 30,
34, 31, 35, 77, 134, 76, 37, 134, 37, 76,
- 100, 131, 35, 100, 38, 35, 84, 31, 33, 38,
- 68, 84, 33, 37, 35, 35, 39, 38, 33, 35,
+ 100, 68, 35, 100, 38, 35, 84, 31, 33, 38,
+ 62, 84, 33, 37, 35, 35, 39, 38, 33, 35,
39, 33, 37, 37, 39, 37, 80, 100, 33, 35,
- 33, 38, 35, 84, 62, 33, 38, 139, 139, 33,
+ 33, 38, 35, 84, 57, 33, 38, 132, 132, 33,
37, 66, 39, 39, 80, 33, 125, 39, 33, 85,
- 762, 39, 125, 80, 66, 33, 36, 85, 40, 36,
+ 768, 39, 125, 80, 66, 33, 36, 85, 40, 36,
40, 40, 56, 40, 56, 56, 36, 56, 66, 40,
36, 36, 64, 125, 64, 64, 85, 64, 36, 67,
- 762, 67, 67, 36, 67, 69, 36, 69, 69, 72,
+ 768, 67, 67, 36, 67, 69, 36, 69, 69, 72,
69, 72, 72, 36, 72, 78, 69, 36, 36, 81,
- 72, 87, 79, 82, 83, 83, 57, 86, 78, 82,
- 64, 79, 81, 83, 87, 52, 88, 89, 92, 78,
- 51, 266, 78, 88, 82, 86, 81, 72, 87, 79,
+ 72, 87, 79, 82, 83, 83, 52, 86, 78, 82,
+ 64, 79, 81, 83, 87, 51, 88, 89, 92, 78,
+ 139, 139, 78, 88, 82, 86, 81, 72, 87, 79,
82, 83, 83, 89, 93, 78, 82, 90, 91, 86,
- 94, 92, 97, 88, 89, 92, 90, 91, 266, 101,
-
- 97, 46, 86, 94, 95, 98, 93, 95, 104, 99,
- 103, 93, 101, 99, 90, 91, 102, 94, 105, 97,
- 95, 95, 104, 109, 41, 98, 101, 98, 95, 14,
- 103, 95, 98, 99, 95, 104, 99, 103, 105, 102,
- 99, 106, 107, 102, 108, 105, 109, 95, 95, 107,
- 109, 110, 98, 108, 111, 106, 112, 114, 111, 115,
- 110, 113, 117, 112, 114, 115, 119, 120, 106, 107,
- 117, 108, 13, 115, 0, 122, 111, 0, 110, 0,
- 119, 111, 121, 112, 114, 111, 115, 113, 113, 117,
- 118, 123, 115, 119, 118, 122, 124, 121, 0, 120,
-
- 123, 122, 122, 118, 126, 127, 129, 124, 130, 121,
- 0, 128, 0, 0, 0, 129, 0, 118, 123, 0,
- 0, 118, 122, 124, 144, 126, 128, 127, 145, 126,
- 130, 126, 127, 129, 136, 130, 136, 136, 128, 136,
- 141, 146, 141, 141, 142, 141, 142, 142, 144, 142,
- 145, 144, 126, 147, 149, 145, 148, 150, 0, 152,
- 153, 154, 149, 151, 157, 147, 152, 154, 0, 150,
- 155, 0, 156, 146, 160, 148, 0, 176, 153, 0,
- 147, 149, 142, 148, 150, 151, 152, 153, 230, 162,
- 151, 158, 155, 154, 154, 158, 157, 155, 156, 156,
-
- 160, 160, 161, 163, 164, 165, 168, 167, 164, 176,
- 161, 162, 158, 0, 166, 170, 162, 230, 168, 158,
- 167, 0, 158, 0, 170, 163, 171, 172, 165, 161,
- 163, 164, 165, 168, 167, 177, 166, 179, 0, 158,
- 159, 166, 170, 169, 174, 159, 169, 180, 171, 172,
- 159, 174, 0, 171, 172, 175, 159, 159, 169, 173,
- 182, 177, 177, 159, 173, 180, 175, 159, 178, 179,
- 169, 174, 159, 169, 180, 181, 173, 159, 173, 178,
- 184, 181, 175, 159, 159, 173, 173, 183, 185, 0,
- 186, 173, 182, 0, 187, 188, 191, 189, 190, 192,
-
- 178, 191, 181, 173, 189, 173, 178, 194, 187, 183,
- 186, 201, 184, 193, 183, 203, 188, 186, 192, 190,
- 185, 187, 188, 191, 189, 190, 192, 193, 196, 194,
- 195, 197, 198, 199, 194, 207, 200, 205, 197, 196,
- 193, 200, 195, 201, 202, 202, 206, 203, 210, 212,
- 0, 0, 218, 202, 198, 196, 199, 195, 197, 198,
- 199, 204, 205, 200, 205, 209, 206, 207, 204, 208,
- 211, 202, 202, 206, 210, 210, 220, 208, 213, 214,
- 209, 212, 215, 214, 218, 217, 216, 221, 204, 219,
- 0, 223, 209, 211, 216, 213, 208, 215, 225, 221,
-
- 223, 0, 211, 213, 217, 213, 214, 227, 220, 215,
- 222, 219, 217, 216, 221, 224, 219, 225, 223, 226,
- 211, 226, 213, 222, 228, 225, 229, 231, 224, 232,
- 234, 227, 233, 235, 227, 0, 231, 222, 236, 239,
- 237, 234, 224, 238, 241, 235, 226, 242, 244, 228,
- 0, 228, 229, 229, 231, 232, 232, 234, 233, 233,
- 235, 238, 236, 237, 240, 236, 243, 237, 245, 246,
- 238, 239, 248, 242, 242, 245, 241, 240, 246, 247,
- 244, 249, 252, 251, 0, 247, 248, 250, 243, 253,
- 257, 240, 251, 243, 254, 245, 246, 0, 253, 248,
-
- 256, 258, 259, 255, 0, 252, 247, 249, 249, 252,
- 251, 250, 255, 272, 250, 256, 253, 259, 261, 262,
- 254, 254, 257, 260, 263, 258, 0, 256, 258, 259,
- 255, 260, 260, 264, 260, 0, 261, 262, 263, 267,
- 272, 260, 0, 262, 268, 261, 262, 268, 264, 278,
- 260, 263, 265, 265, 268, 269, 278, 270, 260, 260,
- 264, 260, 274, 267, 262, 271, 267, 269, 273, 275,
- 277, 268, 276, 280, 268, 270, 278, 265, 282, 265,
- 265, 275, 269, 271, 270, 277, 279, 283, 274, 274,
- 273, 412, 271, 281, 276, 273, 275, 277, 279, 276,
-
- 281, 284, 285, 286, 285, 280, 289, 284, 0, 283,
- 282, 0, 292, 279, 283, 290, 286, 288, 412, 292,
- 281, 0, 287, 284, 293, 287, 285, 287, 284, 285,
- 286, 285, 291, 287, 284, 288, 293, 290, 289, 292,
- 291, 295, 290, 294, 288, 296, 291, 305, 298, 287,
- 300, 293, 287, 299, 287, 300, 294, 295, 296, 291,
- 298, 303, 0, 301, 343, 295, 302, 291, 295, 301,
- 294, 299, 296, 303, 302, 298, 304, 306, 343, 305,
- 299, 306, 300, 304, 295, 297, 297, 307, 303, 308,
- 301, 343, 0, 302, 307, 297, 308, 297, 297, 297,
-
- 0, 310, 297, 304, 306, 309, 311, 312, 313, 316,
- 297, 0, 297, 297, 307, 313, 308, 309, 311, 314,
- 318, 319, 297, 310, 297, 297, 297, 315, 310, 297,
- 321, 318, 309, 311, 314, 313, 317, 321, 317, 312,
- 315, 316, 322, 319, 320, 320, 314, 318, 319, 323,
- 325, 324, 0, 322, 315, 0, 326, 321, 328, 327,
- 323, 0, 332, 317, 324, 0, 0, 328, 329, 322,
- 331, 335, 334, 320, 327, 325, 323, 325, 324, 326,
- 330, 329, 327, 326, 332, 328, 327, 333, 331, 332,
- 334, 330, 337, 330, 336, 329, 341, 331, 330, 334,
-
- 336, 327, 338, 335, 339, 340, 342, 330, 344, 345,
- 333, 0, 340, 337, 333, 346, 368, 348, 330, 337,
- 330, 336, 341, 341, 347, 338, 339, 349, 342, 338,
- 347, 339, 340, 342, 344, 344, 352, 350, 346, 348,
- 351, 345, 346, 353, 348, 349, 354, 355, 368, 356,
- 0, 347, 350, 355, 349, 351, 358, 0, 360, 352,
- 359, 361, 0, 352, 350, 362, 359, 351, 354, 353,
- 353, 363, 362, 354, 355, 356, 356, 360, 392, 361,
- 372, 367, 358, 358, 369, 360, 363, 359, 361, 366,
- 370, 365, 362, 365, 367, 373, 366, 371, 363, 372,
-
- 365, 374, 369, 375, 392, 392, 376, 372, 367, 377,
- 371, 369, 370, 409, 380, 379, 366, 370, 365, 376,
- 365, 379, 409, 382, 371, 374, 375, 373, 374, 378,
- 0, 377, 381, 376, 378, 375, 377, 380, 383, 384,
- 409, 380, 379, 387, 381, 382, 388, 384, 386, 383,
- 382, 387, 389, 375, 390, 386, 378, 388, 0, 381,
- 394, 391, 389, 0, 395, 383, 384, 385, 391, 393,
- 387, 393, 385, 388, 385, 386, 395, 0, 390, 0,
- 396, 390, 385, 407, 389, 385, 394, 394, 391, 389,
- 397, 395, 385, 385, 385, 396, 393, 398, 399, 385,
-
- 400, 385, 397, 399, 403, 398, 402, 396, 401, 385,
- 411, 404, 385, 406, 402, 407, 403, 397, 413, 385,
- 410, 415, 400, 0, 398, 399, 401, 400, 408, 411,
- 414, 403, 404, 402, 410, 401, 406, 411, 404, 416,
- 406, 417, 419, 408, 418, 414, 420, 410, 421, 422,
- 413, 421, 425, 415, 416, 408, 418, 414, 423, 421,
- 422, 426, 428, 423, 419, 417, 416, 424, 417, 419,
- 420, 418, 427, 420, 429, 421, 422, 430, 421, 425,
- 431, 424, 0, 432, 433, 435, 431, 434, 426, 428,
- 423, 436, 433, 437, 424, 441, 0, 439, 0, 442,
-
- 0, 429, 443, 0, 427, 432, 434, 431, 435, 430,
- 432, 433, 435, 438, 434, 443, 437, 446, 440, 439,
- 437, 442, 438, 436, 439, 440, 442, 441, 444, 443,
- 445, 448, 447, 444, 449, 450, 451, 444, 0, 445,
- 438, 447, 453, 446, 446, 440, 0, 452, 450, 454,
- 0, 455, 444, 448, 463, 444, 449, 445, 448, 447,
- 444, 449, 450, 456, 444, 452, 453, 0, 451, 453,
- 457, 454, 454, 455, 452, 458, 454, 459, 455, 462,
- 461, 457, 460, 0, 464, 456, 463, 468, 465, 458,
- 456, 461, 466, 470, 462, 467, 468, 457, 454, 459,
-
- 460, 471, 458, 473, 459, 464, 462, 461, 469, 460,
- 472, 464, 465, 0, 468, 465, 466, 467, 474, 466,
- 476, 469, 467, 471, 475, 470, 478, 473, 471, 475,
- 473, 0, 477, 479, 476, 469, 480, 481, 482, 0,
- 474, 479, 472, 484, 483, 474, 477, 476, 484, 0,
- 485, 0, 481, 482, 480, 486, 475, 486, 478, 477,
- 479, 481, 487, 480, 481, 482, 483, 489, 495, 0,
- 488, 483, 490, 494, 491, 484, 485, 485, 488, 481,
- 492, 490, 486, 491, 493, 0, 495, 487, 492, 487,
- 496, 493, 489, 499, 489, 495, 494, 488, 498, 490,
-
- 494, 491, 496, 497, 500, 499, 498, 492, 501, 0,
- 502, 493, 497, 503, 0, 504, 501, 496, 502, 506,
- 499, 507, 0, 508, 510, 498, 0, 505, 0, 0,
- 497, 508, 507, 509, 511, 501, 500, 502, 504, 503,
- 503, 506, 504, 505, 510, 512, 506, 509, 507, 513,
- 508, 510, 514, 515, 505, 516, 511, 518, 523, 517,
- 509, 511, 515, 519, 523, 512, 520, 521, 528, 522,
- 518, 513, 512, 0, 514, 516, 513, 517, 0, 514,
- 515, 519, 516, 525, 518, 523, 517, 524, 520, 527,
- 519, 521, 522, 520, 521, 524, 522, 527, 529, 533,
-
- 528, 525, 531, 530, 0, 529, 532, 0, 534, 535,
- 525, 540, 551, 524, 524, 532, 527, 531, 535, 536,
- 547, 536, 524, 540, 543, 529, 530, 534, 549, 531,
- 530, 533, 537, 532, 543, 534, 535, 0, 540, 537,
- 0, 547, 548, 546, 551, 550, 536, 547, 0, 580,
- 0, 543, 554, 553, 549, 549, 558, 555, 554, 537,
- 538, 546, 557, 0, 538, 548, 555, 538, 559, 548,
- 546, 550, 550, 560, 538, 553, 556, 538, 556, 554,
- 553, 580, 538, 558, 555, 561, 557, 538, 559, 557,
- 564, 538, 562, 563, 538, 559, 0, 561, 567, 560,
-
- 560, 538, 565, 556, 538, 552, 552, 0, 552, 566,
- 0, 552, 561, 567, 564, 563, 552, 564, 562, 562,
- 563, 569, 552, 552, 565, 567, 572, 571, 569, 565,
- 573, 552, 552, 552, 566, 552, 566, 568, 552, 570,
- 577, 581, 573, 552, 576, 568, 571, 570, 569, 552,
- 552, 575, 572, 572, 571, 574, 578, 573, 579, 576,
- 575, 593, 577, 582, 568, 583, 570, 577, 574, 584,
- 585, 576, 586, 581, 588, 590, 587, 591, 575, 0,
- 579, 586, 574, 578, 0, 579, 583, 582, 584, 585,
- 582, 592, 583, 593, 588, 591, 584, 585, 587, 586,
-
- 589, 588, 590, 587, 591, 594, 596, 597, 589, 599,
- 592, 598, 603, 594, 601, 600, 604, 602, 592, 604,
- 608, 607, 0, 0, 596, 597, 0, 589, 600, 602,
- 603, 599, 594, 596, 597, 598, 599, 605, 598, 603,
- 601, 601, 600, 604, 602, 605, 607, 608, 607, 609,
- 611, 610, 612, 613, 617, 609, 611, 615, 613, 612,
- 614, 605, 616, 617, 605, 619, 618, 614, 623, 621,
- 622, 620, 605, 610, 618, 615, 609, 611, 610, 612,
- 613, 617, 621, 619, 615, 616, 620, 614, 626, 616,
- 625, 622, 619, 618, 624, 623, 621, 622, 620, 627,
-
- 628, 624, 629, 625, 0, 632, 631, 630, 634, 633,
- 629, 632, 637, 638, 635, 630, 636, 625, 0, 640,
- 626, 624, 630, 628, 642, 636, 637, 628, 631, 629,
- 639, 627, 632, 631, 630, 633, 633, 639, 635, 637,
- 634, 635, 630, 636, 641, 638, 640, 643, 645, 644,
- 647, 642, 646, 641, 648, 646, 645, 639, 649, 643,
- 652, 648, 0, 647, 649, 659, 653, 0, 0, 651,
- 659, 641, 644, 0, 643, 645, 644, 647, 653, 646,
- 654, 648, 654, 652, 657, 649, 650, 652, 650, 655,
- 656, 0, 650, 653, 650, 651, 651, 659, 0, 650,
-
- 661, 658, 656, 664, 650, 660, 657, 654, 662, 665,
- 650, 657, 655, 650, 658, 650, 655, 656, 660, 650,
- 662, 650, 665, 661, 663, 664, 650, 661, 658, 667,
- 664, 650, 660, 666, 663, 662, 665, 668, 669, 666,
- 670, 674, 667, 0, 0, 0, 663, 673, 683, 0,
- 678, 663, 675, 0, 676, 0, 667, 677, 668, 686,
- 666, 663, 673, 674, 668, 675, 679, 670, 674, 676,
- 669, 672, 678, 680, 673, 683, 672, 678, 672, 675,
- 681, 676, 682, 677, 677, 679, 680, 684, 681, 672,
- 682, 686, 689, 679, 687, 690, 672, 672, 672, 0,
-
- 680, 0, 691, 672, 688, 672, 689, 681, 693, 682,
- 684, 695, 688, 704, 684, 694, 672, 692, 687, 689,
- 0, 687, 695, 672, 691, 692, 693, 690, 696, 691,
- 698, 688, 697, 694, 699, 693, 700, 0, 695, 0,
- 697, 699, 694, 701, 692, 704, 696, 702, 703, 700,
- 701, 706, 698, 714, 707, 696, 709, 698, 708, 697,
- 710, 699, 707, 700, 706, 702, 703, 708, 709, 711,
- 701, 712, 713, 715, 702, 703, 725, 718, 706, 714,
- 714, 707, 710, 709, 719, 708, 716, 710, 718, 719,
- 713, 711, 720, 712, 0, 720, 711, 721, 712, 713,
-
- 716, 722, 723, 724, 718, 715, 728, 727, 725, 723,
- 726, 735, 728, 716, 722, 724, 719, 726, 720, 720,
- 729, 721, 720, 731, 721, 730, 732, 0, 722, 723,
- 724, 727, 735, 728, 727, 736, 730, 726, 735, 733,
- 737, 738, 729, 746, 0, 731, 736, 729, 732, 740,
- 731, 739, 730, 732, 733, 741, 742, 744, 740, 745,
- 0, 737, 736, 743, 744, 742, 733, 737, 738, 739,
- 747, 743, 748, 745, 751, 746, 740, 752, 739, 741,
- 750, 753, 741, 742, 744, 754, 745, 755, 756, 750,
- 743, 757, 747, 752, 748, 758, 753, 747, 751, 748,
-
- 756, 751, 759, 760, 752, 761, 764, 750, 753, 766,
- 759, 766, 763, 757, 770, 756, 760, 754, 757, 755,
- 761, 763, 758, 765, 764, 771, 768, 770, 772, 759,
- 760, 765, 761, 764, 768, 772, 766, 771, 773, 763,
- 774, 770, 775, 0, 0, 0, 776, 778, 779, 0,
- 765, 0, 771, 768, 777, 772, 780, 786, 782, 783,
- 778, 779, 0, 0, 775, 781, 782, 793, 784, 775,
- 773, 776, 774, 776, 778, 779, 777, 781, 780, 783,
- 784, 777, 785, 780, 786, 782, 783, 787, 788, 789,
- 785, 790, 781, 793, 793, 784, 798, 788, 790, 794,
-
- 787, 0, 795, 797, 801, 798, 791, 799, 0, 785,
- 789, 796, 801, 800, 787, 788, 789, 791, 790, 802,
- 791, 794, 795, 798, 796, 799, 794, 797, 791, 795,
- 797, 801, 805, 791, 799, 800, 807, 803, 796, 806,
- 800, 802, 809, 808, 791, 803, 802, 791, 810, 813,
- 809, 811, 812, 0, 807, 808, 815, 813, 822, 805,
- 810, 816, 806, 807, 803, 815, 806, 812, 814, 809,
- 808, 811, 817, 818, 814, 810, 813, 0, 811, 812,
- 818, 823, 816, 815, 817, 819, 820, 824, 816, 825,
- 822, 835, 819, 826, 823, 814, 825, 829, 828, 817,
-
- 818, 832, 827, 828, 820, 829, 824, 831, 823, 830,
- 0, 833, 819, 820, 824, 826, 825, 827, 836, 834,
- 826, 831, 830, 835, 829, 833, 837, 832, 832, 827,
- 828, 838, 839, 840, 831, 841, 830, 834, 833, 843,
- 842, 844, 846, 845, 836, 836, 834, 842, 837, 838,
- 847, 846, 848, 837, 839, 840, 845, 843, 838, 839,
- 840, 841, 841, 844, 849, 850, 843, 842, 844, 846,
- 845, 0, 856, 0, 854, 0, 859, 0, 860, 852,
- 858, 0, 847, 860, 848, 857, 849, 0, 850, 858,
- 854, 849, 850, 851, 859, 856, 861, 857, 851, 856,
-
- 851, 854, 851, 859, 851, 852, 852, 858, 862, 861,
- 860, 851, 857, 863, 864, 865, 867, 866, 0, 871,
- 851, 863, 869, 861, 869, 851, 862, 851, 865, 851,
- 866, 851, 870, 864, 867, 862, 868, 873, 872, 876,
- 863, 864, 865, 867, 866, 868, 871, 875, 877, 869,
- 872, 878, 880, 879, 870, 881, 877, 883, 0, 870,
- 879, 876, 882, 868, 873, 872, 876, 886, 882, 884,
- 885, 875, 888, 887, 875, 877, 884, 881, 878, 880,
- 879, 889, 881, 890, 883, 891, 886, 892, 894, 882,
- 889, 895, 885, 897, 886, 887, 884, 885, 888, 888,
-
- 887, 892, 896, 898, 890, 891, 900, 899, 889, 901,
- 890, 902, 891, 904, 892, 899, 905, 904, 902, 903,
- 894, 898, 900, 895, 896, 897, 903, 908, 907, 896,
- 898, 906, 909, 900, 899, 907, 901, 906, 902, 911,
- 904, 910, 908, 914, 906, 909, 903, 915, 905, 912,
- 910, 913, 914, 913, 908, 907, 912, 916, 906, 909,
- 918, 0, 922, 917, 906, 911, 911, 917, 910, 915,
- 914, 920, 921, 923, 915, 924, 912, 921, 913, 920,
- 922, 926, 918, 925, 916, 929, 925, 918, 924, 922,
- 917, 927, 923, 928, 0, 925, 930, 932, 920, 931,
-
- 923, 941, 924, 926, 921, 932, 928, 935, 926, 941,
- 925, 933, 933, 925, 939, 931, 927, 929, 927, 930,
- 928, 934, 936, 930, 932, 937, 931, 940, 941, 935,
- 934, 936, 937, 943, 935, 942, 940, 939, 933, 944,
- 0, 939, 947, 945, 0, 946, 943, 948, 934, 936,
- 942, 944, 937, 946, 940, 945, 949, 951, 954, 950,
- 943, 952, 942, 957, 947, 953, 944, 948, 950, 947,
- 945, 956, 946, 958, 948, 951, 955, 953, 949, 954,
- 959, 962, 955, 949, 951, 954, 950, 952, 952, 960,
- 963, 964, 953, 956, 968, 957, 0, 966, 956, 967,
-
- 0, 965, 968, 955, 971, 958, 959, 959, 962, 964,
- 965, 971, 967, 963, 975, 960, 960, 963, 964, 966,
- 969, 968, 970, 978, 966, 969, 967, 970, 965, 972,
- 973, 971, 974, 976, 976, 977, 979, 972, 973, 980,
- 974, 0, 0, 977, 978, 981, 975, 980, 987, 988,
- 978, 984, 969, 981, 970, 982, 972, 973, 986, 974,
- 976, 983, 977, 982, 984, 985, 980, 0, 979, 983,
- 986, 985, 981, 988, 987, 987, 988, 990, 984, 989,
- 991, 993, 982, 994, 995, 986, 992, 1000, 983, 1006,
- 998, 0, 985, 1001, 989, 993, 0, 998, 995, 996,
-
- 0, 994, 991, 996, 990, 1002, 989, 991, 993, 992,
- 994, 995, 999, 992, 1000, 1001, 996, 998, 1003, 1007,
- 1001, 1006, 1004, 999, 996, 1003, 996, 1005, 1002, 1009,
- 996, 1004, 1002, 1011, 1005, 1012, 1013, 1015, 1009, 999,
- 1017, 0, 1018, 996, 0, 1003, 1007, 1020, 1025, 1004,
- 1021, 1022, 1024, 1018, 1005, 1011, 1009, 1023, 0, 1023,
- 1011, 1012, 1012, 1022, 1015, 1024, 1027, 1017, 1013, 1018,
- 1025, 1020, 1028, 1026, 1020, 1025, 1021, 1021, 1022, 1024,
- 1029, 0, 1030, 1031, 1023, 1026, 1032, 1029, 1031, 1033,
- 1034, 1037, 1035, 1027, 1038, 1028, 1040, 0, 1034, 1028,
-
- 1026, 0, 1032, 1038, 1041, 1049, 0, 1029, 1030, 1030,
- 1031, 1039, 1033, 1032, 1035, 1044, 1033, 1034, 1037, 1035,
- 1042, 1038, 1040, 1040, 1039, 1043, 1041, 1042, 1045, 1046,
- 0, 1041, 1043, 1044, 1047, 1048, 1046, 1049, 1039, 1050,
- 1051, 1053, 1044, 1054, 0, 0, 1050, 1042, 1056, 1061,
- 1045, 1059, 1043, 1060, 1053, 1045, 1046, 1048, 1061, 1047,
- 1063, 1047, 1048, 1055, 1058, 1067, 1050, 1058, 1053, 1056,
- 1054, 1055, 1051, 1062, 1064, 1056, 1061, 1059, 1059, 1060,
- 1060, 1065, 1068, 1066, 1063, 1062, 1066, 1063, 1065, 1064,
- 1055, 1058, 1070, 1069, 1071, 1073, 1071, 1067, 1066, 1072,
-
- 1062, 1064, 1074, 1075, 1068, 1078, 1080, 1066, 1065, 1068,
- 1066, 1069, 1075, 1066, 1070, 1077, 1076, 1079, 1082, 1070,
- 1069, 1071, 1077, 1072, 1076, 1066, 1072, 1073, 1074, 1074,
- 1075, 1081, 1083, 1084, 0, 1081, 1088, 1078, 1080, 1079,
- 1082, 1085, 1077, 1076, 1079, 1082, 1086, 1087, 1089, 1088,
- 1085, 1090, 1092, 1086, 1087, 1084, 1091, 0, 1081, 1083,
- 1084, 1089, 1093, 1088, 1094, 1098, 1090, 1095, 1085, 1093,
- 1091, 1094, 1099, 1086, 1087, 1089, 1096, 1102, 1090, 1099,
- 1095, 1101, 1096, 1091, 1092, 1100, 1108, 1103, 1108, 1093,
- 1103, 1094, 1098, 1101, 1095, 1104, 0, 1102, 1109, 1099,
-
- 1110, 1112, 1111, 1096, 1102, 1103, 1104, 1100, 1101, 1112,
- 1113, 1106, 1100, 1108, 1103, 1115, 1106, 1103, 1117, 1114,
- 1120, 1117, 1104, 1106, 1119, 1109, 1111, 1110, 1112, 1111,
- 1114, 1116, 1113, 1115, 1118, 1122, 1117, 1113, 1106, 1116,
- 1124, 1123, 1115, 1106, 1121, 1117, 1114, 1120, 1117, 1122,
- 1123, 1121, 1118, 1124, 1125, 1126, 1119, 1128, 1116, 1128,
- 1129, 1118, 1122, 1130, 1131, 1125, 1133, 1124, 1123, 1129,
- 1126, 1121, 1134, 1137, 1132, 1131, 1135, 1139, 1137, 1135,
- 1141, 1125, 1126, 1143, 1128, 1147, 1134, 1129, 1133, 1130,
- 1130, 1131, 1132, 1133, 1135, 1136, 1142, 0, 1134, 1134,
-
- 1144, 1132, 1140, 1135, 1136, 1137, 1135, 1146, 1152, 1139,
- 1148, 1140, 1141, 1134, 1146, 1143, 1152, 1147, 1142, 1149,
- 1153, 1144, 1136, 1142, 1148, 1149, 1154, 1144, 1156, 1140,
- 1157, 1158, 1155, 1161, 1146, 1152, 1156, 1148, 1163, 1153,
- 1154, 1155, 1158, 1149, 1162, 1159, 1149, 1153, 1164, 1167,
- 1171, 1162, 1149, 1154, 1159, 1156, 1165, 1166, 1158, 1155,
- 1161, 1163, 1157, 1182, 1168, 1163, 1178, 1167, 1168, 1170,
- 1164, 1162, 1159, 1172, 1173, 1164, 1167, 1171, 1165, 1166,
- 1174, 1170, 1175, 1165, 1166, 1176, 1172, 1179, 1184, 1181,
- 1182, 1168, 1177, 1176, 1173, 1174, 1170, 1175, 1178, 1177,
-
- 1172, 1173, 1179, 1183, 1180, 1187, 1186, 1174, 1188, 1175,
- 1181, 1189, 1176, 1180, 1179, 1184, 1181, 1190, 1191, 1177,
- 0, 1195, 1196, 1187, 1192, 1191, 1189, 1183, 1186, 1192,
- 1183, 1180, 1187, 1186, 1193, 1188, 1194, 1196, 1189, 1195,
- 1197, 0, 1190, 1193, 1190, 1191, 1198, 1199, 1195, 1196,
- 1200, 1192, 1197, 1202, 1201, 1206, 1203, 1200, 1194, 1207,
- 1199, 1193, 1206, 1194, 1204, 1199, 1201, 1197, 1198, 1208,
- 1204, 1205, 1209, 1198, 1199, 1211, 1208, 1200, 1210, 1205,
- 1202, 1201, 1206, 1212, 1210, 1213, 1207, 1199, 1203, 1214,
- 1216, 1204, 1217, 1218, 1220, 0, 1208, 1221, 1205, 1209,
-
- 1222, 1217, 1211, 1223, 0, 1210, 1212, 1219, 0, 1219,
- 1212, 1227, 0, 1214, 0, 1230, 1214, 1213, 1220, 1217,
- 1230, 1220, 1216, 1233, 1221, 1218, 1222, 1222, 1231, 1224,
- 1224, 1224, 1225, 1226, 1219, 1223, 1224, 1239, 1228, 1225,
- 1226, 1231, 1232, 1227, 1224, 1228, 1235, 1230, 1232, 1238,
- 1233, 1234, 1234, 1242, 1236, 1231, 1224, 1224, 1224, 1225,
- 1226, 1236, 1237, 1224, 1239, 1228, 1244, 1237, 1243, 1232,
- 1245, 1242, 1235, 1235, 1243, 1238, 1238, 1249, 1234, 1246,
- 1242, 1236, 1245, 1247, 1248, 1248, 1250, 1250, 1254, 1237,
- 1253, 1251, 1257, 1244, 1256, 1243, 1258, 1245, 1255, 1246,
-
- 1259, 1247, 1251, 1249, 1249, 1255, 1246, 1260, 1261, 1262,
- 1247, 1248, 1253, 1250, 1256, 1263, 1262, 1253, 1251, 1265,
- 1254, 1256, 1264, 1263, 1257, 1255, 1261, 1259, 1258, 1260,
- 1266, 1267, 1267, 1268, 1260, 1261, 1262, 1264, 1269, 1266,
- 1270, 1273, 1263, 1265, 1272, 1276, 1265, 1274, 1278, 1264,
- 1269, 1277, 1272, 1273, 1275, 1274, 1270, 1266, 1267, 1268,
- 1268, 1280, 1284, 1270, 1281, 1269, 1276, 1270, 1273, 1277,
- 1281, 1272, 1276, 1282, 1274, 1278, 1285, 1275, 1277, 1279,
- 1283, 1275, 1287, 1270, 1279, 1286, 1282, 1283, 1280, 1289,
- 1286, 1281, 1288, 1288, 1284, 1279, 1290, 1292, 1293, 1295,
-
- 1282, 1295, 1296, 1285, 1289, 1294, 1279, 1283, 1297, 1298,
- 1302, 1279, 1292, 1297, 1287, 1299, 1289, 1286, 1303, 1288,
- 1294, 1293, 1301, 1304, 1292, 1293, 1295, 1306, 1290, 1308,
- 1299, 1305, 1294, 1307, 1296, 1297, 1302, 1302, 1305, 1310,
- 1309, 1298, 1299, 1312, 1314, 1303, 1301, 1315, 1317, 1301,
- 1304, 1308, 0, 1319, 1307, 1320, 1308, 1310, 1305, 1306,
- 1307, 1309, 1315, 1317, 1318, 1312, 1310, 1309, 1314, 1322,
- 1312, 1314, 1321, 1320, 1315, 1317, 1323, 1324, 1325, 1318,
- 1319, 1326, 1320, 1323, 1327, 1329, 1332, 1325, 1328, 1326,
- 0, 1318, 1333, 1330, 1321, 1324, 1322, 1332, 1334, 1321,
-
- 1335, 1333, 1337, 1323, 1324, 1325, 1330, 1327, 1326, 1342,
- 1328, 1327, 1332, 1332, 1341, 1328, 1334, 1329, 1335, 1333,
- 1330, 1339, 1342, 1343, 1332, 1334, 1341, 1335, 0, 1337,
- 1344, 1346, 1339, 1345, 1347, 1348, 1342, 1351, 0, 1352,
- 1344, 1341, 0, 1350, 1351, 1354, 1358, 1358, 1339, 1353,
- 0, 1354, 1366, 1355, 1348, 1343, 1346, 1344, 1346, 1345,
- 1345, 1347, 1348, 1350, 1351, 1352, 1352, 1353, 1355, 1356,
- 1350, 1357, 1354, 1358, 1362, 1359, 1353, 1366, 1360, 1366,
- 1355, 1362, 1363, 1367, 1356, 1365, 1357, 1359, 0, 1363,
- 1371, 1360, 1367, 1368, 1369, 0, 1356, 1372, 1357, 1360,
-
- 1374, 1362, 1359, 1375, 1378, 1360, 1377, 1365, 1371, 1363,
- 1367, 0, 1365, 1374, 1369, 1368, 1379, 1371, 1360, 1380,
- 1368, 1369, 1372, 1381, 1372, 1376, 1376, 1374, 1377, 1378,
- 1375, 1378, 1381, 1377, 1383, 1382, 1384, 1385, 1379, 0,
- 1386, 1380, 1382, 1379, 1389, 1388, 1380, 1390, 1394, 1391,
- 1381, 1385, 1376, 1388, 1393, 1395, 1392, 1389, 1384, 1386,
- 1396, 1393, 1382, 1384, 1385, 1398, 1383, 1386, 1392, 1397,
- 1401, 1389, 1388, 1399, 1390, 1391, 1391, 1395, 1403, 1407,
- 1394, 1393, 1395, 1392, 1397, 1396, 1400, 1396, 1402, 1400,
- 1404, 1398, 1398, 0, 1402, 1401, 1397, 1401, 1408, 1399,
-
- 1399, 1407, 1411, 1405, 1400, 1403, 1407, 1410, 1404, 1411,
- 1412, 1413, 1415, 1400, 1417, 1402, 1400, 1404, 1405, 1412,
- 1408, 1410, 1413, 1421, 1418, 1408, 1419, 1420, 1419, 1411,
- 1405, 1422, 1423, 1415, 1410, 1417, 1418, 1412, 1413, 1415,
- 1424, 1417, 1425, 1427, 1426, 1420, 1433, 1428, 1424, 1422,
- 1421, 1418, 1428, 1419, 1420, 1429, 1430, 1427, 1422, 1423,
- 0, 1434, 1435, 1430, 1436, 1425, 1426, 1424, 1437, 1425,
- 1427, 1426, 1439, 1433, 1429, 1434, 1440, 1438, 1441, 1428,
- 1435, 1439, 1429, 1430, 1442, 1443, 1445, 1434, 1434, 1435,
- 1446, 1436, 1438, 1449, 1437, 1437, 1448, 1446, 1448, 1439,
-
- 1441, 1455, 1434, 1452, 1438, 1441, 1450, 1443, 1440, 1445,
- 1450, 1442, 1443, 1445, 1451, 1449, 1456, 1446, 1453, 1457,
- 1449, 1454, 1458, 1448, 0, 1452, 1451, 1453, 1455, 1460,
- 1452, 1457, 1454, 1450, 1459, 1459, 1463, 1460, 1467, 1456,
- 1463, 1451, 1462, 1456, 1458, 1453, 1457, 1465, 1454, 1458,
- 1462, 1464, 1466, 1467, 1464, 1465, 1460, 1471, 1466, 1470,
- 1468, 1459, 1473, 1463, 1472, 1467, 1468, 1474, 1475, 1462,
- 1476, 1470, 1477, 1478, 1465, 1481, 1473, 0, 1464, 1466,
- 1474, 1479, 1475, 1483, 1471, 1484, 1470, 1468, 1472, 1473,
- 1480, 1472, 1485, 1479, 1474, 1475, 1476, 1476, 1487, 1477,
-
- 1478, 1481, 1481, 1482, 1480, 1486, 1482, 1488, 1479, 1489,
- 1483, 1490, 1484, 1486, 1491, 1492, 1488, 1480, 1494, 1485,
- 1495, 1482, 1497, 1492, 1500, 1487, 1498, 1491, 1501, 1496,
- 1482, 1499, 1486, 1482, 1488, 1498, 1489, 1496, 1490, 1502,
- 1494, 1491, 1492, 1501, 1506, 1494, 1511, 1495, 1500, 1497,
- 1504, 1500, 1499, 1498, 1501, 1501, 1496, 1503, 1499, 1505,
- 1509, 1508, 1504, 1510, 1509, 1503, 1502, 1505, 1508, 1511,
- 1501, 1506, 1512, 1511, 1513, 1510, 1514, 1504, 1515, 1519,
- 1516, 1522, 1513, 1518, 1503, 1515, 1505, 1509, 1508, 1520,
- 1510, 1517, 1517, 1523, 0, 1533, 1522, 1519, 1525, 1512,
-
- 1516, 1513, 1524, 1514, 1524, 1515, 1519, 1516, 1522, 1518,
- 1518, 1526, 1525, 1527, 1520, 1523, 1520, 1526, 1517, 1528,
- 1523, 1529, 1534, 1532, 1530, 1525, 1531, 1533, 1539, 1524,
- 1536, 1540, 1548, 1529, 1538, 1527, 1532, 1536, 1526, 1541,
- 1527, 1528, 1530, 1548, 1531, 1534, 1528, 1541, 1529, 1534,
- 1532, 1530, 1538, 1531, 1539, 1539, 1544, 1536, 1545, 1548,
- 1542, 1538, 1542, 1540, 1547, 1541, 1541, 1542, 1544, 1549,
- 1551, 1552, 1555, 1553, 1541, 1554, 1545, 1557, 1559, 1547,
- 1553, 1558, 1560, 1544, 1549, 1545, 1562, 1542, 1561, 1542,
- 1554, 1547, 1563, 1552, 1551, 1566, 1549, 1551, 1552, 1555,
-
- 1553, 1561, 1554, 1558, 1557, 1564, 1565, 1563, 1558, 1560,
- 1559, 1568, 1562, 1562, 1565, 1561, 1569, 1570, 1564, 1563,
- 1571, 1566, 1566, 1572, 1573, 1575, 1574, 1577, 1576, 1578,
- 1572, 1573, 1564, 1565, 1568, 1576, 1579, 1580, 1568, 1574,
- 1569, 1584, 1571, 1569, 1570, 1582, 1580, 1571, 1575, 1577,
- 1572, 1573, 1575, 1574, 1577, 1576, 1582, 1579, 1583, 1585,
- 0, 1578, 1586, 1579, 1580, 1590, 1589, 0, 1592, 1592,
- 1591, 1597, 1582, 1584, 1593, 1599, 0, 1602, 1585, 1589,
- 1583, 1603, 1604, 1606, 1599, 1583, 1585, 1586, 1608, 1586,
- 1609, 1590, 1590, 1589, 1591, 1592, 1610, 1591, 1597, 1602,
-
- 1593, 1593, 1599, 1603, 1602, 1612, 1611, 1610, 1603, 1604,
- 1606, 1611, 1616, 1614, 1615, 1619, 1609, 1609, 1618, 1620,
- 1608, 1614, 1621, 1610, 1623, 0, 1625, 1612, 1620, 1615,
- 1626, 1628, 1612, 1611, 1621, 1629, 1618, 1627, 1631, 1616,
- 1614, 1615, 1630, 1632, 1633, 1618, 1620, 1619, 1629, 1621,
- 1634, 1623, 1625, 1625, 1636, 1630, 1628, 1626, 1628, 1627,
- 1631, 1635, 1629, 1636, 1627, 1631, 1637, 1638, 1639, 1630,
- 1632, 1633, 1640, 1642, 1641, 1643, 1635, 1634, 0, 1644,
- 1642, 1636, 1638, 1639, 1645, 1645, 1650, 1640, 1635, 1647,
- 1658, 1646, 1637, 1637, 1638, 1639, 1641, 1644, 1646, 1640,
-
- 1642, 1641, 1643, 1647, 1648, 1651, 1644, 1648, 1649, 1653,
- 1652, 1645, 1650, 1650, 1653, 1655, 1647, 1658, 1646, 1652,
- 1654, 1649, 1656, 1651, 1654, 1659, 1657, 0, 1660, 1663,
- 1664, 1648, 1651, 1666, 1667, 1649, 1653, 1652, 1663, 1655,
- 1666, 1670, 1655, 1667, 1656, 1668, 1664, 1654, 1657, 1656,
- 1668, 1669, 1659, 1657, 1660, 1660, 1663, 1664, 1669, 1670,
- 1666, 1667, 1671, 1675, 1672, 0, 1673, 1676, 1670, 1671,
- 1677, 1679, 1668, 1672, 1683, 1678, 1684, 1680, 1669, 1677,
- 1685, 1686, 1683, 1679, 1690, 1676, 1680, 1681, 1682, 1671,
- 1675, 1672, 1673, 1673, 1676, 1678, 1681, 1677, 1679, 1682,
-
- 1687, 1683, 1678, 1684, 1680, 1688, 1690, 1685, 1689, 1687,
- 1696, 1690, 1691, 1686, 1681, 1682, 1689, 1688, 1692, 1691,
- 1693, 1694, 1697, 1698, 1703, 1692, 1701, 1687, 1696, 1697,
- 1702, 1698, 1688, 1701, 1705, 1689, 1706, 1696, 1711, 1691,
- 1704, 1707, 1693, 1705, 1709, 1692, 1694, 1693, 1694, 1697,
- 1698, 1703, 1704, 1701, 1702, 1710, 1709, 1702, 1712, 1714,
- 1716, 1705, 1717, 1706, 1707, 1711, 1718, 1704, 1707, 1719,
- 1717, 1709, 1712, 1720, 0, 1724, 1725, 1727, 1710, 0,
- 1726, 1725, 1710, 1728, 1729, 1712, 1714, 1716, 1737, 1717,
- 1730, 1719, 1734, 1718, 1726, 1727, 1719, 1731, 1730, 1735,
-
- 1720, 1724, 1724, 1725, 1727, 1728, 1729, 1726, 1733, 1738,
- 1728, 1729, 1739, 1736, 1734, 1737, 1731, 1730, 1741, 1734,
- 1733, 1735, 1740, 0, 1731, 1736, 1735, 1743, 1745, 1742,
- 1744, 1746, 1739, 1749, 1752, 1733, 1738, 1751, 1750, 1739,
- 1736, 0, 1744, 1750, 1740, 1753, 1781, 1749, 1757, 1740,
- 1741, 1742, 1754, 1743, 1743, 1745, 1742, 1744, 1746, 1751,
- 1749, 1756, 1755, 1758, 1751, 1762, 1752, 1757, 1753, 1759,
- 1750, 1761, 1753, 1756, 1754, 1757, 1765, 1763, 1781, 1754,
- 1755, 1766, 1768, 1764, 1759, 1758, 1763, 1762, 1756, 1755,
- 1758, 1767, 1762, 1771, 1765, 1761, 1759, 1764, 1761, 1766,
-
- 1768, 1771, 1774, 1765, 1763, 1772, 1773, 1775, 1766, 1768,
- 1764, 1777, 1772, 1776, 1773, 1775, 1778, 1767, 1767, 1779,
- 1771, 1780, 1782, 1777, 1786, 1784, 1783, 1779, 1790, 1774,
- 1793, 1776, 1772, 1773, 1775, 1789, 1787, 1796, 1777, 0,
- 1776, 1790, 1786, 1778, 1780, 1783, 1779, 1784, 1780, 1782,
- 1787, 1786, 1784, 1783, 1791, 1790, 1793, 1793, 1789, 1801,
- 1798, 1800, 1789, 1787, 1796, 1802, 1791, 1798, 1800, 1803,
- 1804, 1805, 1806, 1807, 1809, 1810, 1808, 1817, 1811, 1814,
- 0, 1791, 1807, 1816, 1814, 1801, 1801, 1798, 1800, 1808,
- 1815, 0, 1802, 1803, 1815, 1819, 1803, 1804, 1805, 1806,
-
- 1807, 1811, 1810, 1808, 1816, 1811, 1809, 1822, 1823, 1817,
- 1816, 1814, 1818, 1825, 1818, 1825, 1827, 1815, 1819, 1828,
- 1826, 1826, 1819, 1830, 1829, 1831, 1833, 0, 1828, 1822,
- 1826, 1829, 1823, 1832, 1822, 1823, 1830, 1835, 1827, 1818,
- 1825, 1832, 1836, 1827, 1837, 1833, 1828, 1826, 1826, 1834,
- 1830, 1829, 1831, 1833, 1838, 1839, 1842, 1834, 1846, 1840,
- 1832, 1841, 1841, 1835, 1835, 1838, 1840, 1847, 1836, 1836,
- 1837, 1837, 1843, 1844, 1842, 1848, 1834, 1839, 1850, 1843,
- 1844, 1838, 1839, 1842, 1848, 1846, 1840, 1851, 1841, 1852,
- 1855, 1847, 1854, 1857, 1847, 1856, 1858, 0, 1859, 1843,
-
- 1844, 1854, 1848, 1859, 0, 1850, 1863, 1852, 1858, 1851,
- 1860, 1857, 0, 1861, 1851, 0, 1852, 1855, 1856, 1854,
- 1857, 1864, 1856, 1858, 1860, 1867, 1865, 1867, 1871, 1873,
- 1859, 1861, 1872, 1863, 1878, 1875, 1879, 1860, 1881, 1864,
- 1861, 1865, 1876, 1883, 1880, 1876, 1881, 1873, 1864, 1885,
- 1871, 1880, 1867, 1865, 1879, 1871, 1873, 1875, 1872, 1872,
- 1882, 1878, 1875, 1879, 1884, 1881, 1887, 1886, 1876, 1876,
- 1888, 1880, 1876, 1886, 1889, 1883, 1885, 1891, 1890, 1888,
- 1890, 1893, 1882, 1894, 1895, 1896, 1884, 1882, 1887, 1893,
- 1897, 1884, 1899, 1887, 1886, 1894, 1898, 1888, 1902, 1896,
-
- 1904, 1900, 1901, 1899, 1891, 1890, 1889, 1907, 1893, 1900,
- 1894, 1895, 1896, 1897, 1898, 1903, 1903, 1897, 1905, 1899,
- 1902, 1901, 1908, 1898, 1910, 1902, 1905, 1904, 1900, 1901,
- 1911, 1912, 1914, 1915, 1907, 1916, 1917, 0, 1919, 1916,
- 1915, 1911, 1903, 1920, 1917, 1905, 1923, 1922, 1924, 1908,
- 1928, 1910, 1922, 1912, 1934, 1929, 1920, 1911, 1912, 1914,
- 1915, 1925, 1916, 1917, 1919, 1919, 1926, 0, 1930, 1925,
- 1920, 1927, 1932, 1923, 1922, 1924, 1933, 1928, 1927, 1929,
- 1935, 1926, 1929, 1933, 1936, 0, 1934, 1932, 1925, 1940,
- 1939, 1937, 1941, 1926, 1930, 1930, 1943, 1940, 1927, 1932,
-
- 1937, 1945, 1946, 1933, 1942, 1942, 1948, 1935, 1936, 1950,
- 1946, 1936, 1939, 1949, 1942, 1951, 1940, 1939, 1937, 1952,
- 1953, 1954, 1950, 1943, 1941, 1957, 1964, 1955, 1945, 1946,
- 1962, 1942, 1942, 1948, 1961, 1949, 1950, 1951, 1965, 1961,
- 1949, 1967, 1951, 1966, 1968, 1969, 1952, 1953, 1954, 1955,
- 1966, 1965, 1957, 1964, 1955, 1972, 1962, 1962, 1973, 1967,
- 1979, 1961, 1974, 0, 1978, 1965, 1976, 1969, 1967, 1977,
- 1966, 1968, 1969, 1976, 1972, 1979, 1977, 1980, 1982, 1985,
- 1988, 1983, 1972, 1984, 1974, 1973, 1978, 1979, 1983, 1974,
- 1985, 1978, 1984, 1976, 1993, 1987, 1977, 1982, 1980, 1986,
-
- 1986, 1987, 1988, 1994, 1980, 1982, 1985, 1988, 1983, 1986,
- 1984, 1991, 1995, 1999, 2001, 2001, 0, 2004, 1991, 2002,
- 2005, 1993, 1987, 2006, 2008, 2009, 1986, 1986, 2013, 2005,
- 1994, 2012, 2011, 2014, 2015, 1995, 2006, 2009, 1991, 1995,
- 1999, 2011, 2002, 2001, 2004, 2016, 2002, 2005, 2017, 2012,
- 2006, 2008, 2009, 2018, 2013, 2013, 2020, 2016, 2012, 2011,
- 2014, 2015, 2019, 2021, 2019, 2022, 2023, 2025, 2020, 2021,
- 2017, 2024, 2016, 2028, 2030, 2017, 2031, 2032, 2034, 2024,
- 2018, 2035, 2037, 2020, 2038, 2040, 2046, 2022, 2023, 2019,
- 2021, 0, 2022, 2023, 2025, 2039, 2034, 2037, 2024, 2044,
-
- 2028, 2030, 2048, 2031, 2032, 2034, 2043, 2039, 2035, 2037,
- 2038, 2038, 2040, 2049, 2047, 2043, 2050, 2051, 2046, 2059,
- 2064, 2049, 2039, 2044, 2048, 2050, 2044, 2047, 2051, 2048,
- 2057, 2060, 2061, 2043, 2065, 2063, 2064, 0, 2060, 2063,
- 2049, 2047, 2059, 2050, 2051, 2061, 2059, 2064, 2065, 2069,
- 2072, 2069, 2066, 2070, 2057, 2067, 2068, 2057, 2060, 2061,
- 2066, 2065, 2063, 2071, 2067, 2070, 2073, 2068, 2074, 2076,
- 2071, 2075, 2077, 0, 2080, 2081, 2069, 2072, 2078, 2066,
- 2070, 2083, 2067, 2068, 2073, 2079, 2080, 2079, 2090, 2082,
- 2071, 2085, 2091, 2073, 2077, 2074, 2076, 2075, 2075, 2077,
-
- 2078, 2080, 2082, 2085, 2087, 2078, 2089, 2081, 2083, 2092,
- 0, 2093, 2079, 2087, 2089, 2094, 2082, 2096, 2085, 2098,
- 2090, 2099, 2092, 2094, 2091, 2093, 2097, 2098, 2102, 2100,
- 2096, 2087, 2101, 2089, 0, 2099, 2092, 2104, 2093, 2103,
- 2101, 2105, 2094, 2100, 2096, 2104, 2098, 2106, 2099, 2097,
- 2102, 2111, 0, 2097, 2107, 2102, 2100, 2108, 2109, 2101,
- 2112, 2103, 2110, 2117, 2104, 0, 2103, 2115, 2105, 2116,
- 2110, 2114, 0, 2106, 2106, 2115, 2107, 2116, 2118, 2108,
- 2109, 2107, 2121, 2111, 2108, 2109, 2118, 2112, 2119, 2110,
- 2125, 2114, 2122, 2123, 2115, 2117, 2116, 2124, 2114, 2126,
-
- 2122, 2123, 2119, 2128, 2121, 2118, 2127, 0, 2129, 2121,
- 2130, 2124, 2133, 0, 2127, 2119, 2125, 2125, 2131, 2122,
- 2123, 2126, 2134, 2132, 2124, 0, 2126, 2135, 2136, 2128,
- 2128, 2132, 2130, 2127, 2129, 2129, 2136, 2130, 2131, 2133,
- 2137, 2140, 2134, 2138, 2141, 2131, 2144, 2135, 2142, 2134,
- 2132, 2138, 2143, 2145, 2135, 2136, 2142, 2146, 0, 2147,
- 2143, 2145, 2137, 2140, 2148, 2146, 2141, 2137, 2140, 2149,
- 2138, 2141, 2144, 2144, 2150, 2142, 2151, 2152, 2154, 2143,
- 2145, 2160, 0, 2161, 2146, 2147, 2147, 2157, 0, 2149,
- 2158, 2148, 0, 0, 2159, 0, 2149, 2152, 2158, 0,
-
- 2154, 2150, 2159, 2151, 2152, 2154, 0, 0, 2160, 2157,
- 2161, 0, 0, 0, 2157, 0, 0, 2158, 0, 0,
- 0, 2159, 2165, 2165, 2165, 2165, 2165, 2165, 2165, 2166,
- 2166, 2166, 2166, 2166, 2166, 2166, 2167, 2167, 2167, 2167,
- 2167, 2167, 2167, 2168, 2168, 2168, 2168, 2168, 2168, 2168,
- 2169, 2169, 2169, 2169, 2169, 2169, 2169, 2171, 2171, 0,
- 2171, 2171, 2171, 2171, 2172, 2172, 0, 0, 0, 2172,
- 2172, 2173, 2173, 0, 0, 2173, 0, 2173, 2174, 0,
- 0, 0, 0, 0, 2174, 2175, 2175, 0, 0, 0,
- 2175, 2175, 2176, 0, 0, 0, 0, 0, 2176, 2177,
-
- 2177, 0, 2177, 2177, 2177, 2177, 2178, 2178, 0, 2178,
- 2178, 2178, 2178, 2164, 2164, 2164, 2164, 2164, 2164, 2164,
- 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164,
- 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164,
- 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164,
- 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164,
- 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164,
- 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164, 2164
+ 94, 92, 96, 88, 89, 92, 90, 91, 46, 101,
+
+ 97, 41, 86, 94, 95, 14, 93, 95, 97, 99,
+ 98, 93, 101, 99, 90, 91, 96, 94, 102, 13,
+ 95, 95, 105, 120, 96, 104, 101, 97, 95, 108,
+ 98, 95, 98, 99, 95, 0, 99, 98, 108, 104,
+ 99, 102, 105, 96, 106, 102, 107, 95, 95, 105,
+ 110, 109, 104, 107, 112, 120, 108, 98, 106, 110,
+ 111, 112, 113, 114, 111, 0, 115, 117, 0, 0,
+ 114, 106, 115, 107, 109, 117, 122, 110, 109, 118,
+ 115, 112, 111, 118, 119, 121, 123, 111, 113, 113,
+ 114, 111, 118, 115, 117, 123, 122, 124, 119, 115,
+
+ 121, 126, 122, 122, 128, 127, 118, 129, 124, 0,
+ 118, 119, 121, 123, 130, 136, 129, 136, 136, 128,
+ 136, 145, 126, 122, 124, 146, 126, 127, 126, 144,
+ 0, 128, 127, 148, 129, 141, 130, 141, 141, 147,
+ 141, 130, 142, 145, 142, 142, 149, 142, 145, 126,
+ 150, 147, 148, 144, 149, 157, 144, 146, 152, 151,
+ 148, 153, 150, 154, 156, 152, 147, 155, 0, 154,
+ 161, 158, 0, 149, 160, 158, 162, 150, 161, 153,
+ 142, 151, 163, 177, 165, 152, 151, 157, 153, 155,
+ 156, 156, 158, 0, 155, 154, 154, 161, 162, 158,
+
+ 160, 160, 158, 162, 163, 166, 164, 165, 167, 163,
+ 164, 165, 168, 170, 169, 177, 0, 169, 0, 158,
+ 159, 167, 170, 171, 168, 159, 172, 166, 180, 169,
+ 159, 175, 166, 164, 174, 167, 159, 159, 175, 168,
+ 170, 169, 183, 159, 169, 171, 178, 159, 172, 173,
+ 171, 176, 159, 172, 173, 185, 174, 159, 175, 179,
+ 180, 174, 176, 159, 159, 181, 173, 184, 173, 186,
+ 179, 182, 178, 178, 183, 173, 173, 182, 176, 187,
+ 0, 173, 188, 181, 189, 192, 195, 185, 268, 184,
+ 192, 179, 181, 173, 184, 173, 188, 179, 182, 187,
+
+ 190, 186, 191, 193, 194, 189, 187, 190, 195, 188,
+ 197, 189, 192, 195, 196, 268, 199, 198, 194, 200,
+ 201, 197, 193, 191, 198, 201, 196, 190, 202, 191,
+ 193, 194, 204, 208, 206, 207, 210, 197, 199, 203,
+ 203, 196, 200, 199, 198, 205, 200, 201, 203, 209,
+ 212, 210, 205, 211, 213, 207, 219, 209, 214, 206,
+ 202, 206, 207, 210, 204, 208, 203, 203, 218, 216,
+ 215, 220, 205, 212, 215, 214, 209, 221, 222, 211,
+ 211, 217, 212, 214, 216, 214, 213, 218, 219, 217,
+ 222, 223, 224, 220, 225, 218, 216, 215, 220, 228,
+
+ 212, 224, 214, 226, 223, 222, 229, 225, 217, 221,
+ 227, 232, 227, 230, 231, 233, 240, 235, 223, 224,
+ 232, 225, 226, 228, 234, 237, 228, 239, 235, 0,
+ 226, 229, 238, 229, 236, 242, 243, 227, 232, 230,
+ 230, 233, 233, 231, 235, 239, 236, 241, 240, 237,
+ 234, 234, 237, 244, 239, 238, 245, 246, 249, 238,
+ 241, 236, 243, 243, 246, 248, 251, 242, 247, 259,
+ 250, 248, 249, 252, 241, 244, 253, 247, 254, 258,
+ 244, 255, 252, 0, 246, 249, 257, 254, 245, 256,
+ 251, 260, 248, 251, 258, 247, 250, 250, 256, 253,
+
+ 252, 259, 261, 253, 263, 254, 258, 255, 255, 264,
+ 257, 265, 262, 257, 0, 260, 256, 261, 260, 266,
+ 262, 262, 263, 262, 274, 265, 272, 264, 269, 261,
+ 262, 263, 270, 264, 266, 270, 264, 271, 265, 262,
+ 267, 267, 270, 273, 272, 276, 266, 262, 262, 271,
+ 262, 274, 269, 272, 264, 269, 275, 277, 278, 270,
+ 279, 273, 270, 282, 271, 267, 280, 267, 267, 277,
+ 273, 276, 276, 280, 281, 279, 285, 284, 275, 288,
+ 278, 283, 291, 275, 277, 278, 281, 279, 283, 287,
+ 286, 287, 288, 280, 289, 282, 286, 289, 285, 289,
+
+ 292, 281, 290, 285, 0, 289, 288, 0, 283, 284,
+ 0, 293, 286, 287, 291, 0, 287, 286, 287, 293,
+ 290, 289, 292, 286, 289, 293, 289, 292, 294, 290,
+ 295, 296, 297, 300, 298, 294, 301, 303, 293, 305,
+ 0, 304, 295, 303, 296, 300, 293, 298, 297, 304,
+ 307, 305, 314, 0, 301, 294, 297, 295, 296, 297,
+ 300, 298, 302, 301, 303, 306, 305, 302, 304, 308,
+ 0, 309, 306, 308, 0, 297, 299, 299, 309, 311,
+ 310, 0, 307, 312, 314, 313, 299, 310, 299, 299,
+ 299, 311, 306, 299, 302, 315, 308, 313, 309, 316,
+
+ 318, 299, 315, 299, 299, 312, 311, 310, 317, 319,
+ 312, 319, 313, 299, 316, 299, 299, 299, 320, 321,
+ 299, 317, 315, 322, 322, 0, 316, 323, 324, 320,
+ 326, 325, 318, 328, 323, 317, 319, 327, 329, 324,
+ 330, 321, 325, 326, 337, 320, 321, 334, 333, 330,
+ 331, 0, 322, 329, 323, 324, 328, 326, 325, 348,
+ 328, 329, 327, 331, 327, 329, 333, 330, 332, 334,
+ 335, 336, 338, 339, 334, 333, 337, 331, 338, 332,
+ 329, 332, 340, 342, 0, 341, 332, 343, 344, 336,
+ 342, 348, 0, 335, 339, 332, 345, 335, 336, 338,
+
+ 339, 347, 344, 346, 351, 340, 332, 341, 332, 340,
+ 342, 349, 341, 343, 343, 344, 350, 346, 345, 352,
+ 353, 354, 350, 345, 356, 0, 351, 347, 347, 355,
+ 346, 351, 357, 358, 349, 353, 354, 352, 349, 358,
+ 359, 0, 361, 350, 363, 0, 352, 353, 354, 362,
+ 356, 356, 355, 0, 357, 362, 355, 364, 365, 357,
+ 358, 370, 366, 363, 371, 365, 359, 359, 361, 361,
+ 368, 363, 368, 369, 370, 364, 362, 366, 374, 368,
+ 369, 373, 379, 372, 364, 365, 376, 375, 370, 366,
+ 378, 374, 377, 380, 383, 379, 371, 368, 382, 368,
+
+ 369, 372, 381, 373, 382, 374, 375, 381, 373, 379,
+ 372, 384, 385, 378, 375, 380, 377, 383, 376, 377,
+ 380, 383, 378, 384, 386, 382, 389, 0, 387, 381,
+ 391, 0, 398, 389, 385, 386, 387, 390, 384, 385,
+ 378, 391, 393, 394, 398, 390, 395, 0, 392, 397,
+ 394, 386, 396, 389, 396, 387, 388, 391, 392, 398,
+ 401, 388, 399, 388, 390, 410, 393, 416, 401, 393,
+ 394, 388, 395, 395, 388, 397, 397, 399, 403, 396,
+ 392, 388, 388, 388, 400, 392, 402, 401, 388, 399,
+ 388, 402, 404, 407, 405, 406, 400, 410, 388, 416,
+
+ 403, 388, 405, 409, 413, 403, 412, 406, 388, 411,
+ 404, 400, 415, 402, 407, 412, 414, 417, 413, 404,
+ 407, 405, 406, 418, 411, 419, 409, 420, 0, 421,
+ 409, 413, 417, 412, 423, 414, 411, 422, 425, 415,
+ 419, 421, 424, 414, 417, 424, 427, 428, 429, 425,
+ 430, 420, 419, 424, 420, 418, 421, 426, 423, 422,
+ 427, 423, 426, 431, 422, 425, 432, 433, 437, 424,
+ 434, 436, 424, 427, 428, 429, 434, 439, 435, 436,
+ 438, 440, 430, 441, 442, 444, 0, 437, 0, 426,
+ 431, 445, 441, 432, 443, 437, 455, 434, 436, 433,
+
+ 435, 443, 446, 438, 440, 435, 442, 438, 440, 439,
+ 441, 442, 451, 445, 447, 446, 448, 444, 445, 447,
+ 452, 443, 449, 447, 450, 448, 0, 453, 455, 446,
+ 459, 457, 454, 450, 451, 456, 0, 467, 447, 451,
+ 453, 447, 452, 448, 454, 458, 447, 452, 449, 449,
+ 447, 450, 459, 456, 453, 457, 460, 459, 457, 454,
+ 461, 462, 456, 463, 464, 465, 466, 458, 458, 467,
+ 474, 461, 458, 469, 468, 462, 465, 471, 460, 470,
+ 472, 466, 464, 460, 476, 463, 475, 461, 462, 472,
+ 463, 464, 465, 466, 458, 468, 473, 469, 477, 471,
+
+ 469, 468, 474, 470, 471, 478, 470, 472, 475, 473,
+ 479, 482, 480, 475, 481, 479, 476, 484, 0, 486,
+ 0, 483, 477, 473, 489, 477, 480, 478, 481, 483,
+ 485, 487, 478, 488, 486, 484, 491, 493, 488, 480,
+ 0, 481, 479, 482, 484, 485, 486, 490, 483, 490,
+ 489, 489, 492, 487, 485, 499, 0, 485, 487, 494,
+ 492, 491, 493, 491, 493, 488, 495, 498, 494, 496,
+ 504, 497, 485, 499, 490, 495, 500, 496, 497, 492,
+ 501, 508, 499, 502, 505, 503, 494, 506, 500, 501,
+ 498, 502, 505, 495, 498, 506, 496, 503, 497, 507,
+
+ 509, 510, 504, 500, 508, 512, 511, 501, 508, 515,
+ 502, 505, 503, 512, 506, 513, 509, 511, 514, 516,
+ 520, 517, 518, 510, 522, 507, 507, 509, 510, 513,
+ 0, 515, 512, 511, 521, 523, 515, 522, 514, 516,
+ 520, 519, 513, 517, 518, 514, 516, 520, 517, 518,
+ 519, 522, 521, 523, 524, 525, 529, 526, 527, 531,
+ 532, 521, 523, 528, 527, 537, 533, 531, 519, 536,
+ 0, 528, 534, 533, 529, 0, 524, 555, 536, 525,
+ 526, 524, 525, 529, 526, 527, 531, 535, 538, 528,
+ 528, 539, 532, 533, 544, 534, 536, 537, 528, 534,
+
+ 539, 540, 535, 540, 541, 0, 544, 538, 550, 555,
+ 547, 541, 0, 551, 535, 538, 553, 0, 539, 0,
+ 547, 544, 0, 557, 552, 560, 550, 560, 540, 554,
+ 0, 541, 542, 562, 551, 550, 542, 547, 558, 542,
+ 551, 563, 553, 553, 558, 557, 542, 552, 559, 542,
+ 557, 552, 560, 0, 542, 554, 554, 559, 561, 542,
+ 562, 563, 565, 542, 564, 558, 542, 0, 563, 0,
+ 566, 567, 580, 542, 565, 559, 542, 556, 556, 569,
+ 556, 580, 561, 556, 568, 561, 573, 570, 556, 565,
+ 564, 564, 572, 567, 556, 556, 566, 566, 567, 580,
+
+ 572, 569, 571, 556, 556, 556, 569, 556, 568, 573,
+ 556, 568, 570, 573, 570, 556, 574, 571, 575, 572,
+ 576, 556, 556, 574, 577, 578, 575, 579, 0, 571,
+ 583, 581, 585, 582, 584, 586, 0, 578, 587, 576,
+ 579, 0, 588, 574, 0, 575, 581, 576, 0, 589,
+ 577, 577, 578, 590, 579, 582, 584, 583, 581, 592,
+ 582, 584, 587, 588, 585, 587, 591, 586, 589, 588,
+ 593, 594, 590, 595, 596, 591, 589, 597, 598, 594,
+ 590, 592, 603, 0, 601, 602, 592, 599, 0, 606,
+ 593, 604, 596, 591, 605, 599, 597, 593, 594, 0,
+
+ 595, 596, 601, 602, 597, 607, 603, 605, 608, 603,
+ 598, 601, 602, 604, 599, 606, 606, 607, 604, 609,
+ 610, 605, 609, 612, 613, 614, 608, 615, 610, 618,
+ 616, 614, 607, 617, 618, 608, 616, 0, 619, 621,
+ 617, 620, 631, 628, 610, 619, 609, 610, 612, 615,
+ 612, 613, 614, 623, 615, 610, 618, 616, 622, 620,
+ 617, 623, 621, 624, 625, 619, 621, 622, 620, 626,
+ 628, 627, 632, 630, 631, 639, 629, 0, 633, 625,
+ 623, 624, 626, 629, 636, 622, 630, 634, 0, 638,
+ 624, 625, 627, 637, 635, 634, 626, 0, 627, 637,
+
+ 630, 633, 635, 629, 632, 633, 636, 639, 640, 635,
+ 641, 636, 642, 643, 634, 638, 638, 644, 0, 641,
+ 637, 635, 645, 647, 644, 646, 642, 0, 648, 635,
+ 649, 0, 640, 650, 646, 640, 654, 641, 652, 642,
+ 648, 650, 654, 651, 644, 643, 651, 653, 0, 645,
+ 647, 652, 646, 649, 653, 648, 0, 649, 656, 657,
+ 650, 0, 0, 654, 658, 652, 664, 659, 661, 659,
+ 651, 664, 0, 660, 653, 655, 658, 655, 0, 662,
+ 661, 655, 657, 655, 656, 656, 657, 0, 655, 666,
+ 663, 658, 665, 655, 659, 661, 660, 667, 664, 655,
+
+ 660, 662, 655, 663, 655, 665, 662, 669, 655, 667,
+ 655, 668, 666, 670, 672, 655, 666, 663, 673, 665,
+ 655, 668, 671, 674, 667, 675, 670, 672, 671, 669,
+ 680, 678, 679, 668, 669, 681, 0, 0, 668, 673,
+ 670, 672, 682, 680, 683, 673, 678, 691, 668, 671,
+ 681, 684, 675, 688, 679, 674, 677, 680, 678, 679,
+ 685, 677, 681, 677, 686, 692, 683, 687, 682, 682,
+ 684, 683, 686, 685, 677, 687, 689, 693, 684, 691,
+ 688, 677, 677, 677, 694, 693, 695, 685, 677, 692,
+ 677, 686, 692, 696, 687, 698, 699, 697, 694, 689,
+
+ 701, 677, 703, 689, 693, 697, 700, 702, 677, 704,
+ 703, 694, 705, 698, 699, 696, 0, 700, 695, 705,
+ 696, 707, 698, 699, 697, 702, 708, 706, 707, 703,
+ 710, 704, 701, 700, 702, 721, 704, 709, 712, 705,
+ 706, 713, 0, 714, 708, 715, 722, 716, 707, 713,
+ 0, 712, 714, 708, 706, 709, 717, 715, 718, 719,
+ 722, 720, 710, 726, 709, 712, 726, 721, 713, 716,
+ 714, 724, 715, 722, 716, 727, 725, 719, 717, 728,
+ 718, 725, 724, 717, 729, 718, 719, 720, 720, 726,
+ 726, 729, 728, 726, 731, 730, 732, 733, 724, 727,
+
+ 0, 736, 727, 732, 734, 735, 728, 730, 725, 0,
+ 734, 729, 736, 737, 738, 739, 741, 743, 742, 744,
+ 0, 733, 730, 732, 733, 746, 731, 735, 736, 742,
+ 739, 734, 735, 745, 746, 737, 738, 741, 743, 747,
+ 737, 738, 739, 741, 743, 742, 744, 748, 750, 749,
+ 751, 745, 746, 752, 0, 750, 748, 749, 760, 753,
+ 745, 754, 756, 747, 751, 759, 747, 757, 758, 761,
+ 762, 756, 764, 0, 748, 750, 749, 751, 763, 765,
+ 759, 753, 762, 754, 758, 752, 753, 765, 754, 756,
+ 760, 757, 759, 767, 757, 758, 766, 762, 769, 764,
+
+ 763, 761, 771, 770, 774, 763, 765, 769, 767, 766,
+ 771, 772, 774, 772, 776, 778, 777, 779, 780, 0,
+ 767, 770, 778, 766, 781, 769, 783, 776, 777, 771,
+ 770, 774, 782, 786, 784, 792, 0, 788, 772, 785,
+ 0, 776, 778, 777, 787, 788, 781, 784, 783, 779,
+ 780, 781, 785, 783, 789, 786, 787, 782, 790, 782,
+ 786, 784, 792, 793, 788, 791, 785, 795, 794, 797,
+ 790, 787, 796, 791, 789, 799, 793, 794, 800, 796,
+ 797, 789, 0, 797, 801, 790, 0, 806, 795, 803,
+ 793, 797, 791, 802, 795, 794, 797, 805, 0, 796,
+
+ 800, 799, 799, 804, 801, 800, 802, 797, 811, 806,
+ 797, 801, 804, 803, 806, 805, 803, 807, 808, 809,
+ 802, 813, 0, 815, 805, 807, 812, 809, 818, 814,
+ 804, 815, 817, 0, 828, 811, 0, 0, 0, 813,
+ 808, 814, 816, 818, 807, 808, 809, 822, 813, 812,
+ 815, 821, 817, 812, 816, 818, 814, 819, 820, 817,
+ 821, 823, 826, 824, 820, 819, 828, 0, 822, 816,
+ 824, 832, 825, 823, 822, 831, 830, 833, 821, 825,
+ 826, 829, 831, 836, 819, 820, 834, 837, 823, 826,
+ 824, 834, 833, 832, 829, 830, 836, 835, 832, 825,
+
+ 838, 837, 831, 830, 833, 835, 840, 841, 829, 842,
+ 836, 843, 845, 844, 837, 0, 0, 0, 834, 0,
+ 840, 846, 847, 0, 835, 841, 838, 838, 839, 851,
+ 845, 839, 839, 840, 841, 844, 839, 843, 843, 845,
+ 844, 842, 839, 846, 847, 848, 839, 849, 846, 847,
+ 839, 851, 850, 852, 849, 839, 851, 854, 839, 839,
+ 855, 856, 0, 839, 857, 901, 852, 853, 0, 839,
+ 850, 848, 848, 839, 849, 0, 853, 0, 863, 850,
+ 852, 859, 861, 856, 864, 866, 0, 857, 856, 854,
+ 865, 857, 855, 0, 853, 858, 864, 901, 861, 865,
+
+ 858, 863, 858, 866, 858, 863, 858, 859, 859, 861,
+ 867, 864, 866, 858, 0, 867, 869, 865, 870, 868,
+ 871, 0, 858, 872, 873, 878, 870, 858, 880, 858,
+ 874, 858, 868, 858, 869, 875, 872, 873, 876, 871,
+ 876, 877, 867, 869, 875, 870, 868, 871, 874, 879,
+ 872, 873, 878, 882, 885, 880, 883, 874, 884, 887,
+ 886, 879, 875, 877, 0, 876, 884, 886, 877, 888,
+ 890, 892, 894, 889, 902, 891, 879, 882, 883, 889,
+ 882, 885, 891, 883, 893, 884, 887, 886, 895, 897,
+ 903, 888, 896, 892, 894, 899, 888, 890, 892, 894,
+
+ 889, 896, 891, 893, 898, 904, 902, 905, 908, 899,
+ 897, 893, 903, 906, 895, 895, 897, 903, 0, 896,
+ 907, 906, 899, 909, 898, 905, 910, 912, 911, 0,
+ 909, 898, 911, 910, 905, 908, 907, 904, 913, 914,
+ 906, 915, 919, 917, 913, 916, 914, 907, 918, 919,
+ 909, 913, 917, 910, 921, 911, 915, 922, 916, 912,
+ 920, 923, 920, 921, 925, 913, 914, 929, 915, 919,
+ 917, 913, 916, 924, 918, 918, 930, 924, 928, 922,
+ 931, 921, 927, 928, 922, 929, 925, 920, 923, 932,
+ 927, 925, 932, 931, 929, 930, 933, 934, 935, 936,
+
+ 924, 932, 0, 930, 0, 937, 939, 931, 941, 927,
+ 928, 935, 942, 938, 939, 946, 932, 941, 933, 932,
+ 940, 940, 934, 933, 934, 935, 955, 943, 937, 938,
+ 944, 936, 937, 939, 942, 941, 943, 944, 946, 942,
+ 938, 947, 946, 948, 949, 950, 955, 940, 951, 952,
+ 947, 948, 954, 955, 943, 953, 956, 944, 950, 949,
+ 951, 952, 958, 953, 957, 964, 959, 961, 947, 960,
+ 948, 949, 950, 957, 954, 951, 952, 963, 956, 954,
+ 958, 960, 953, 956, 962, 965, 966, 969, 961, 958,
+ 962, 957, 959, 959, 961, 967, 960, 964, 971, 963,
+
+ 970, 972, 973, 0, 963, 976, 974, 978, 0, 988,
+ 972, 962, 966, 966, 969, 973, 971, 965, 974, 975,
+ 979, 967, 967, 970, 0, 971, 978, 970, 972, 973,
+ 977, 976, 976, 974, 978, 980, 981, 977, 982, 975,
+ 983, 988, 979, 982, 981, 983, 975, 979, 980, 984,
+ 985, 986, 987, 989, 989, 992, 984, 977, 985, 986,
+ 987, 990, 980, 981, 991, 993, 994, 995, 0, 990,
+ 982, 997, 983, 993, 994, 995, 984, 985, 986, 987,
+ 989, 996, 1001, 999, 997, 991, 1000, 992, 990, 996,
+ 998, 991, 993, 994, 995, 999, 998, 1003, 997, 1002,
+
+ 1004, 1006, 1005, 1007, 1008, 0, 1001, 0, 996, 1001,
+ 999, 1013, 1000, 1000, 1002, 1006, 1009, 998, 1008, 1015,
+ 1009, 1007, 1004, 1012, 1003, 1005, 1002, 1004, 1006, 1005,
+ 1007, 1008, 1011, 1009, 1012, 1014, 1017, 1016, 1013, 1011,
+ 1019, 1009, 1015, 1009, 1016, 1017, 1015, 1009, 1018, 1020,
+ 1012, 1024, 1022, 1026, 1025, 1018, 1028, 1014, 0, 1011,
+ 1009, 1022, 1014, 1017, 1016, 1030, 1031, 1033, 0, 1034,
+ 1035, 1040, 1019, 1024, 1037, 1018, 1020, 1031, 1024, 1022,
+ 1025, 1025, 1035, 1028, 1036, 1026, 1036, 1037, 1038, 1041,
+ 1039, 1033, 1030, 1031, 1033, 1034, 1034, 1035, 1040, 1042,
+
+ 1044, 1037, 1039, 1043, 1045, 1044, 1042, 1050, 0, 1046,
+ 1038, 1036, 1041, 1047, 0, 1038, 1041, 1039, 1053, 1048,
+ 1045, 1047, 1052, 0, 1051, 1054, 1042, 1044, 0, 1043,
+ 1043, 1045, 1046, 1051, 1050, 1052, 1046, 1058, 1057, 1061,
+ 1047, 1048, 1060, 1055, 1053, 1053, 1048, 1054, 1056, 1052,
+ 1055, 1051, 1054, 1059, 1062, 1056, 1057, 1064, 1067, 1058,
+ 1059, 1061, 0, 1066, 1058, 1057, 1061, 1060, 1072, 1060,
+ 1055, 1063, 1069, 1068, 1071, 1056, 1066, 1071, 1063, 1073,
+ 1059, 1068, 1074, 1076, 1075, 1067, 1062, 1077, 1080, 1064,
+ 1066, 1074, 0, 1069, 1072, 1072, 1075, 1078, 1063, 1069,
+
+ 1068, 1071, 1077, 1081, 1078, 1073, 1073, 1076, 1082, 1074,
+ 1076, 1075, 1079, 1085, 1077, 1079, 1083, 1084, 1086, 1084,
+ 1080, 1087, 1088, 1091, 1078, 1081, 1082, 1079, 0, 1092,
+ 1081, 1088, 1093, 1089, 1096, 1082, 1079, 1085, 1083, 1079,
+ 1085, 1089, 1079, 1083, 1084, 1090, 1095, 1087, 1087, 1088,
+ 1086, 1092, 1090, 1094, 1079, 1091, 1092, 1094, 1098, 1097,
+ 1089, 1096, 1099, 1100, 1093, 1101, 1102, 1098, 1095, 1099,
+ 1100, 1111, 1090, 1095, 1104, 1105, 1103, 1106, 1101, 1102,
+ 1094, 1097, 1108, 1113, 1106, 1098, 1097, 1107, 1104, 1099,
+ 1100, 1103, 1101, 1102, 1107, 1108, 1109, 0, 1111, 1112,
+
+ 1115, 1104, 1109, 1103, 1106, 1113, 1112, 1105, 1114, 1108,
+ 1113, 1116, 1115, 1117, 1107, 1119, 1117, 1120, 0, 1118,
+ 1123, 1121, 1128, 1109, 1116, 1125, 1112, 1115, 1118, 1120,
+ 1125, 1123, 1129, 1119, 1114, 1114, 1122, 1125, 1116, 1122,
+ 1117, 1121, 1119, 1127, 1120, 1127, 1118, 1123, 1121, 1128,
+ 1130, 1132, 1125, 1131, 1122, 0, 1133, 1125, 1134, 1129,
+ 1135, 1131, 1138, 1122, 1137, 1139, 1122, 1133, 1135, 1147,
+ 1127, 1147, 1136, 1132, 1130, 1136, 1134, 1130, 1132, 1140,
+ 1131, 1141, 1137, 1133, 1142, 1134, 1140, 1135, 1143, 1144,
+ 1136, 1137, 1139, 1142, 1138, 1141, 1147, 1145, 1148, 1136,
+
+ 1144, 1143, 1136, 1149, 1151, 1152, 1140, 1148, 1141, 1150,
+ 1158, 1142, 1145, 1156, 1153, 1143, 1144, 1155, 1156, 1160,
+ 1150, 1161, 1151, 1180, 1145, 1148, 1155, 1152, 1153, 1149,
+ 1149, 1151, 1152, 1163, 1154, 1162, 1150, 1154, 1159, 1165,
+ 1153, 1153, 1158, 1161, 1155, 1156, 1165, 1159, 1161, 1166,
+ 1180, 1160, 1154, 1168, 1163, 1153, 1167, 1172, 1173, 1168,
+ 1163, 1154, 1176, 1171, 1154, 1159, 1165, 1162, 1177, 1174,
+ 1167, 1171, 1173, 0, 1175, 1186, 1172, 1168, 1174, 1177,
+ 1168, 1166, 1175, 1167, 1172, 1173, 1168, 1182, 1178, 1183,
+ 1171, 1181, 1189, 1186, 1176, 1177, 1174, 1178, 1181, 1184,
+
+ 1185, 1175, 1186, 1187, 1189, 1190, 1196, 1187, 1192, 1193,
+ 1182, 1183, 1191, 1196, 1182, 1178, 1183, 1197, 1181, 1189,
+ 1200, 1184, 1185, 1194, 1193, 1191, 1184, 1185, 1192, 1195,
+ 1187, 1198, 1190, 1196, 1199, 1192, 1193, 1195, 1194, 1191,
+ 1201, 1200, 1202, 1199, 1203, 1206, 1198, 1200, 1205, 1197,
+ 1194, 1207, 1209, 1208, 1211, 1210, 1195, 0, 1198, 1211,
+ 0, 1199, 1210, 1206, 1212, 1213, 1202, 1201, 1208, 1202,
+ 1205, 1203, 1206, 1212, 1215, 1205, 1214, 1209, 1207, 1209,
+ 1208, 1211, 1210, 1216, 1217, 1221, 1218, 1213, 1220, 1215,
+ 1219, 1212, 1213, 1222, 1214, 1216, 1223, 1219, 1232, 1218,
+
+ 1220, 1215, 1223, 1214, 1218, 1226, 1217, 1225, 1224, 1228,
+ 1216, 1217, 1221, 1218, 1225, 1220, 1224, 1219, 1229, 1230,
+ 1227, 1231, 1235, 1223, 1229, 1222, 1218, 1227, 1233, 1236,
+ 1232, 1237, 1226, 1239, 1225, 1224, 1228, 1238, 1236, 1238,
+ 1240, 1242, 1241, 1246, 1231, 1229, 1230, 1227, 1231, 1250,
+ 0, 1244, 1233, 0, 1235, 1233, 1236, 1239, 1244, 1245,
+ 1239, 1254, 1250, 1237, 1238, 1251, 1245, 1240, 1241, 1241,
+ 1243, 1243, 1243, 1242, 1247, 1246, 1250, 1243, 1244, 1249,
+ 1252, 1247, 1253, 1257, 1249, 1243, 1245, 1255, 1256, 1257,
+ 1251, 1258, 1251, 1254, 1253, 1256, 1252, 1243, 1243, 1243,
+
+ 1260, 1247, 1259, 1259, 1243, 1255, 1261, 1252, 1263, 1253,
+ 1257, 1249, 1262, 1261, 1255, 1256, 1264, 1262, 1258, 1267,
+ 1269, 1271, 1268, 1279, 1270, 0, 1260, 1260, 1268, 1259,
+ 1273, 1273, 1272, 1261, 1263, 1263, 1270, 1267, 1274, 1262,
+ 1278, 1271, 1276, 1264, 1275, 1275, 1267, 1269, 1271, 1268,
+ 1272, 1270, 1281, 1276, 1280, 1279, 1282, 1273, 1283, 1272,
+ 1284, 1280, 1278, 0, 1274, 1274, 1286, 1278, 1287, 1276,
+ 1285, 1275, 1281, 1294, 1288, 1287, 1289, 1291, 1290, 1281,
+ 1293, 1280, 1288, 0, 1286, 1294, 1291, 1284, 1282, 0,
+ 1283, 1289, 1285, 1286, 1295, 1287, 0, 1285, 1292, 1292,
+
+ 1294, 1288, 1290, 1289, 1291, 1290, 1293, 1293, 1297, 1300,
+ 1295, 1298, 1299, 1301, 1303, 1302, 1297, 1295, 1305, 1308,
+ 1299, 1295, 1306, 1298, 1309, 1292, 1308, 1310, 1306, 1312,
+ 1315, 1307, 1300, 1302, 1301, 1297, 1300, 1295, 1298, 1299,
+ 1301, 1303, 1302, 1304, 1307, 1305, 1308, 1311, 1304, 1306,
+ 1313, 1313, 1311, 1314, 1310, 1318, 1309, 1317, 1307, 1304,
+ 1321, 1312, 1315, 1320, 1322, 1320, 1319, 1323, 1314, 1322,
+ 1304, 1324, 1317, 1326, 1328, 1304, 1327, 1313, 1318, 1311,
+ 1314, 1319, 1318, 1329, 1317, 1331, 1324, 1330, 1332, 1333,
+ 1320, 1322, 1321, 1319, 1330, 1335, 1337, 1326, 1324, 1323,
+
+ 1326, 1328, 1327, 1327, 1334, 1339, 1340, 0, 1344, 1332,
+ 1329, 1333, 1342, 1335, 1330, 1332, 1333, 1331, 1337, 1343,
+ 1345, 1340, 1335, 1337, 1347, 1334, 1346, 1342, 1354, 1339,
+ 1348, 1334, 1339, 1340, 1343, 1344, 1349, 1348, 1345, 1342,
+ 1350, 1352, 1351, 1353, 1359, 1355, 1343, 1345, 1346, 1350,
+ 1351, 1347, 1358, 1346, 1349, 1357, 1360, 1348, 1355, 1362,
+ 1354, 1358, 1359, 1349, 1352, 1353, 1357, 1350, 1352, 1351,
+ 1353, 1359, 1355, 1364, 1360, 1366, 1367, 1368, 1369, 1358,
+ 1370, 1357, 1357, 1360, 1364, 1371, 1362, 1366, 1369, 1367,
+ 1372, 1376, 1373, 1357, 1375, 0, 1377, 1378, 1376, 0,
+
+ 1364, 1380, 1366, 1367, 1414, 1369, 1370, 1370, 1389, 1368,
+ 1371, 1373, 1371, 0, 1375, 1378, 1380, 1372, 1376, 1373,
+ 1379, 1375, 1377, 1377, 1378, 1381, 1379, 1382, 1380, 1383,
+ 1383, 1384, 1385, 1388, 1387, 1389, 1414, 1390, 1392, 0,
+ 1381, 1387, 1382, 1384, 1391, 1385, 1390, 1379, 1388, 1397,
+ 0, 1391, 1381, 1385, 1382, 1393, 1383, 1396, 1384, 1385,
+ 1388, 1387, 1392, 1394, 1390, 1392, 1398, 1399, 1400, 1402,
+ 1394, 1391, 1385, 1403, 1397, 1398, 1397, 1393, 1405, 1396,
+ 1406, 1408, 1393, 1425, 1396, 1407, 1407, 1402, 1400, 1399,
+ 1394, 1405, 1409, 1398, 1399, 1400, 1402, 1412, 1403, 1410,
+
+ 1403, 1411, 1413, 1408, 1416, 1405, 1412, 1406, 1408, 1413,
+ 1415, 1417, 1407, 1421, 1419, 1425, 1422, 1409, 1416, 1409,
+ 1420, 1410, 1419, 1411, 1412, 1427, 1410, 1423, 1411, 1413,
+ 1417, 1416, 1415, 1420, 1426, 0, 1429, 1415, 1417, 1423,
+ 1421, 1419, 1422, 1422, 1424, 1428, 1431, 1420, 1430, 1431,
+ 1427, 1424, 1427, 1432, 1423, 1434, 1426, 0, 0, 1433,
+ 1428, 1426, 1429, 1429, 1431, 1433, 1435, 1438, 1436, 1439,
+ 1442, 1424, 1428, 1431, 1430, 1430, 1431, 1442, 1432, 1443,
+ 1432, 1444, 1434, 1436, 1435, 1441, 1433, 1451, 1443, 1438,
+ 1446, 1439, 1444, 1435, 1438, 1436, 1439, 1442, 1448, 1441,
+
+ 1450, 1449, 1450, 1446, 1452, 1451, 1443, 1454, 1444, 1456,
+ 1455, 1446, 1441, 1449, 1451, 1453, 1457, 1446, 1455, 1448,
+ 1460, 1458, 1464, 1466, 1459, 1448, 1467, 1450, 1449, 1459,
+ 1446, 1452, 1456, 1453, 1454, 1458, 1456, 1455, 1457, 1460,
+ 1465, 1466, 1453, 1457, 1461, 1471, 1468, 1460, 1458, 1464,
+ 1466, 1461, 1470, 1467, 1465, 1469, 1459, 1473, 1472, 0,
+ 1476, 1470, 1477, 0, 1474, 1465, 1465, 1465, 1480, 1477,
+ 1469, 1461, 1468, 1468, 1479, 1486, 1479, 1471, 0, 1470,
+ 1472, 1465, 1469, 1476, 1473, 1472, 1474, 1476, 1482, 1477,
+ 1480, 1474, 1465, 1481, 1483, 1480, 1484, 1481, 1485, 1487,
+
+ 1482, 1479, 1486, 1490, 1490, 1484, 1488, 1489, 1494, 1485,
+ 1495, 1491, 1494, 1495, 1502, 1482, 1483, 0, 1488, 1491,
+ 1481, 1483, 1487, 1484, 1493, 1485, 1487, 1498, 1496, 1489,
+ 1490, 1501, 1493, 1488, 1489, 1494, 1496, 1495, 1491, 1497,
+ 1499, 1502, 1498, 1501, 1503, 1497, 1499, 1504, 1508, 1505,
+ 1506, 1493, 1507, 1509, 1498, 1496, 1511, 1510, 1501, 1512,
+ 0, 1504, 1505, 0, 1506, 1514, 1497, 1499, 1503, 1510,
+ 1511, 1503, 1515, 1517, 1504, 1508, 1505, 1506, 1507, 1507,
+ 1509, 1518, 1519, 1511, 1510, 1512, 1512, 1513, 1518, 1519,
+ 1513, 1520, 1514, 1521, 1515, 1517, 1522, 1524, 1525, 1515,
+
+ 1517, 1526, 1523, 1527, 1529, 1513, 1520, 1525, 1518, 1519,
+ 1523, 1531, 1529, 1528, 1513, 1532, 1534, 1513, 1520, 1533,
+ 1521, 1537, 1539, 1522, 1524, 1525, 1528, 1533, 1526, 1523,
+ 1527, 1529, 1535, 1531, 1536, 0, 1538, 1543, 1531, 1540,
+ 1528, 1535, 1532, 1534, 1541, 1537, 1533, 1540, 1537, 1539,
+ 1542, 1538, 0, 1545, 1549, 1536, 1541, 1551, 1542, 1535,
+ 1545, 1536, 1538, 1538, 1543, 1546, 1540, 1547, 1548, 1546,
+ 1553, 1541, 1554, 1554, 1550, 1556, 1552, 1542, 1538, 1547,
+ 1545, 1549, 1550, 1552, 1551, 1555, 0, 1560, 1557, 1559,
+ 1553, 1548, 1546, 1556, 1547, 1548, 1561, 1553, 1561, 1554,
+
+ 1563, 1550, 1556, 1552, 1559, 1562, 1563, 1564, 1565, 1560,
+ 1566, 1555, 1555, 1557, 1560, 1557, 1559, 1571, 1567, 1562,
+ 1568, 1569, 1566, 1561, 1576, 1578, 1574, 1563, 1570, 1564,
+ 1565, 1572, 1562, 1574, 1564, 1565, 1567, 1566, 1568, 1569,
+ 1577, 1570, 1576, 0, 1579, 1567, 1583, 1568, 1569, 1571,
+ 1582, 1576, 1579, 1574, 1572, 1570, 1590, 1578, 1572, 1585,
+ 1587, 1580, 1582, 1580, 1583, 1586, 1577, 1577, 1580, 1588,
+ 1579, 1579, 1587, 1583, 1585, 1591, 1586, 1582, 1592, 1579,
+ 1590, 1594, 1596, 1590, 1588, 1592, 1585, 1587, 1580, 1593,
+ 1580, 1597, 1586, 1598, 1599, 1602, 1588, 1591, 0, 1600,
+
+ 0, 1601, 1591, 1604, 1593, 1592, 1603, 1608, 1594, 1596,
+ 1602, 1604, 1600, 1597, 1605, 1607, 1593, 1609, 1597, 1603,
+ 1614, 1599, 1602, 1610, 1613, 1598, 1600, 1601, 1601, 1611,
+ 1604, 1608, 1612, 1603, 1608, 1616, 1611, 1613, 1607, 1612,
+ 1605, 1605, 1607, 1614, 1609, 1610, 1615, 1614, 1617, 1618,
+ 1610, 1613, 1619, 1615, 1621, 1622, 1611, 1616, 1623, 1612,
+ 1625, 1619, 1616, 1635, 1624, 1621, 1629, 1631, 1631, 0,
+ 1618, 1628, 1630, 1615, 1632, 1637, 1618, 1622, 1641, 1619,
+ 1617, 1621, 1622, 1624, 1628, 1625, 1634, 1625, 1636, 1638,
+ 1623, 1624, 1629, 1629, 1631, 1635, 1630, 1643, 1628, 1630,
+
+ 1632, 1632, 1637, 1636, 1646, 1641, 1643, 1638, 1647, 1634,
+ 1648, 1650, 1652, 1634, 1653, 1636, 1638, 0, 1654, 1658,
+ 1655, 1656, 1663, 1660, 1643, 1655, 1646, 1658, 1667, 1654,
+ 1647, 1646, 1669, 1662, 1659, 1647, 1670, 1648, 1650, 1676,
+ 1653, 1653, 1672, 1656, 1652, 1654, 1658, 1655, 1656, 1659,
+ 1660, 1662, 1665, 1664, 1663, 1667, 1671, 1673, 1669, 1669,
+ 1662, 1659, 1664, 1670, 1665, 1675, 1676, 1672, 1674, 1672,
+ 1673, 1677, 1678, 1679, 0, 1681, 1680, 0, 1671, 1665,
+ 1664, 1674, 1682, 1671, 1673, 1680, 1684, 1675, 1679, 1683,
+ 1685, 1688, 1675, 1686, 1689, 1674, 0, 1682, 1677, 1678,
+
+ 1679, 1681, 1681, 1680, 1683, 1685, 1684, 1687, 1692, 1682,
+ 1690, 1690, 1689, 1684, 1687, 1686, 1683, 1685, 1688, 1691,
+ 1686, 1689, 1692, 1694, 1693, 1696, 1691, 1693, 1695, 1697,
+ 0, 1704, 1705, 1700, 1687, 1692, 1694, 1690, 1697, 1698,
+ 1701, 1699, 1702, 1696, 1698, 1699, 1691, 1706, 1703, 1710,
+ 1694, 1693, 1696, 1701, 1695, 1695, 1697, 1700, 1704, 1705,
+ 1700, 1721, 1709, 1716, 1702, 1710, 1698, 1701, 1699, 1702,
+ 1703, 1709, 1712, 1706, 1706, 1703, 1710, 1713, 1714, 1712,
+ 1715, 1716, 1719, 1714, 1717, 1718, 1713, 1715, 1721, 1709,
+ 1716, 1717, 1722, 1723, 1718, 1724, 0, 1726, 0, 1712,
+
+ 1732, 1725, 1723, 1730, 1713, 1714, 1726, 1715, 1719, 1719,
+ 1722, 1717, 1718, 1725, 1727, 1724, 1728, 1729, 1731, 1722,
+ 1723, 1734, 1724, 1727, 1726, 1729, 1733, 1728, 1725, 1735,
+ 1730, 0, 1732, 1734, 1740, 1733, 1736, 1735, 1739, 1737,
+ 1738, 1727, 1741, 1728, 1729, 1731, 1737, 1738, 1734, 1742,
+ 1743, 1754, 1747, 1733, 1745, 0, 1735, 1748, 1736, 1740,
+ 1739, 1740, 1745, 1736, 1748, 1739, 1737, 1738, 1752, 1741,
+ 1747, 1755, 1749, 1753, 1742, 1752, 1742, 1743, 1754, 1747,
+ 1749, 1745, 1756, 1755, 1748, 1757, 1762, 1758, 1761, 1760,
+ 1763, 1756, 1765, 1767, 1768, 1752, 1769, 1753, 1755, 1749,
+
+ 1753, 1760, 1768, 1770, 1763, 1771, 0, 1775, 1778, 1756,
+ 1758, 1761, 1757, 1762, 1758, 1761, 1760, 1763, 1779, 1765,
+ 1767, 1768, 1776, 1769, 1777, 1770, 1778, 1776, 1780, 1782,
+ 1770, 1781, 1771, 1775, 1775, 1778, 1785, 1782, 1777, 0,
+ 1779, 1780, 1783, 1786, 1787, 1779, 1789, 1788, 1785, 1776,
+ 1790, 1777, 1791, 1781, 1792, 1780, 1782, 1793, 1781, 1788,
+ 1794, 1783, 0, 1785, 1795, 1786, 1787, 1798, 1796, 1783,
+ 1786, 1787, 1791, 1789, 1788, 1797, 1792, 1790, 1799, 1791,
+ 1796, 1792, 1794, 1803, 1802, 1804, 1805, 1794, 1803, 1793,
+ 1795, 1795, 1807, 1806, 1798, 1796, 1809, 1797, 1802, 1808,
+
+ 0, 0, 1797, 1810, 0, 1799, 1811, 1804, 1809, 1812,
+ 1814, 1802, 1804, 1815, 1807, 1803, 1806, 1808, 1805, 1807,
+ 1806, 1820, 1810, 1809, 1812, 1817, 1808, 1818, 1811, 1816,
+ 1810, 1819, 1821, 1811, 1814, 1815, 1812, 1814, 1816, 1817,
+ 1815, 1827, 1829, 1824, 1831, 1818, 1825, 1820, 1820, 1819,
+ 1821, 1824, 1817, 1825, 1818, 1826, 1816, 1828, 1819, 1821,
+ 1829, 1839, 1830, 1826, 1832, 1828, 1834, 1837, 1827, 1829,
+ 1824, 1831, 1832, 1825, 1830, 1838, 1836, 1840, 1834, 1841,
+ 0, 1843, 1826, 1836, 1828, 1847, 1844, 1846, 1839, 1830,
+ 1837, 1832, 1850, 1834, 1837, 1853, 1840, 1848, 1847, 1843,
+
+ 1844, 1841, 1858, 1836, 1840, 1859, 1841, 1838, 1843, 1848,
+ 1846, 1860, 1847, 1844, 1846, 1861, 1855, 1863, 1850, 1850,
+ 1857, 1864, 1853, 1855, 1848, 1862, 1867, 1857, 1858, 1858,
+ 1865, 0, 1859, 1866, 1868, 1860, 1869, 1873, 1860, 1865,
+ 1872, 1873, 1861, 1855, 1863, 1872, 1866, 1857, 1864, 1874,
+ 1875, 1862, 1862, 1876, 1877, 1876, 1878, 1865, 1867, 1869,
+ 1866, 1868, 1881, 1869, 1873, 1884, 1882, 1884, 1885, 1885,
+ 1874, 1890, 1872, 1889, 0, 1886, 1874, 1877, 1885, 1887,
+ 1876, 1877, 1875, 1878, 1881, 1892, 1889, 1888, 1887, 1881,
+ 1882, 1891, 1884, 1882, 1888, 1885, 1885, 1886, 1890, 1891,
+
+ 1889, 1893, 1886, 1894, 1892, 1895, 1887, 1896, 1897, 1893,
+ 0, 0, 1892, 1899, 1888, 1898, 1900, 1900, 1891, 1897,
+ 1899, 1901, 1905, 1906, 0, 1909, 1910, 1907, 1893, 1894,
+ 1894, 1895, 1895, 1896, 1896, 1897, 1907, 1898, 1902, 1901,
+ 1899, 1911, 1898, 1900, 1903, 1902, 1910, 1906, 1901, 1905,
+ 1906, 1903, 1909, 1910, 1907, 1912, 1913, 1915, 1916, 1920,
+ 1918, 1919, 1921, 1917, 1920, 1902, 1915, 1924, 1911, 0,
+ 0, 1903, 0, 1919, 1913, 1922, 1921, 1912, 1918, 1925,
+ 1926, 1933, 1912, 1913, 1915, 1916, 1917, 1918, 1919, 1921,
+ 1917, 1920, 1934, 1922, 1924, 1926, 1928, 1925, 1928, 1930,
+
+ 0, 1940, 1922, 1933, 1935, 1937, 1925, 1926, 1933, 1938,
+ 1942, 1941, 1938, 1943, 1930, 0, 1946, 1942, 1934, 1934,
+ 1944, 1943, 1935, 1928, 1947, 1948, 1930, 1937, 1940, 1941,
+ 1952, 1935, 1937, 1950, 1954, 1938, 1938, 1942, 1941, 1938,
+ 1943, 1951, 1944, 1949, 1958, 1956, 1947, 1944, 1946, 1949,
+ 1951, 1947, 1948, 1956, 1953, 1950, 1953, 1957, 1961, 1959,
+ 1950, 1954, 1952, 1962, 1960, 1967, 1965, 1963, 1951, 1957,
+ 1949, 1958, 1956, 1959, 1962, 1963, 1961, 1964, 1966, 1966,
+ 1970, 1953, 1971, 1975, 1957, 1961, 1959, 1960, 1965, 1968,
+ 1962, 1960, 1967, 1965, 1963, 1973, 1964, 1968, 1977, 1979,
+
+ 1976, 1973, 1984, 0, 1964, 1966, 1980, 1970, 1981, 1971,
+ 1975, 1976, 1981, 1980, 1987, 1982, 1968, 1985, 1988, 1987,
+ 1977, 1989, 1973, 1982, 1991, 1977, 1979, 1976, 1984, 1984,
+ 1985, 1990, 1991, 1980, 1994, 1981, 1993, 1992, 1995, 2000,
+ 1996, 1987, 1982, 1993, 1985, 1988, 2001, 1999, 1989, 1990,
+ 2003, 1991, 1992, 1998, 1999, 2002, 2005, 2007, 1990, 2003,
+ 2009, 1994, 1995, 1993, 1992, 1995, 1996, 1996, 1998, 2011,
+ 2014, 2000, 2015, 2001, 1999, 2016, 2006, 2003, 2005, 2002,
+ 1998, 2018, 2002, 2005, 2006, 2008, 2008, 2009, 2016, 2007,
+ 2012, 2019, 2017, 2020, 2015, 2008, 2011, 2014, 2012, 2015,
+
+ 2021, 2023, 2016, 2006, 2028, 0, 2029, 2026, 2018, 2028,
+ 2031, 2032, 2008, 2008, 2017, 2026, 2033, 2012, 2019, 2017,
+ 2020, 2034, 2021, 2033, 2032, 2035, 2040, 2021, 2023, 2036,
+ 2041, 2028, 2029, 2029, 2026, 0, 2039, 2031, 2032, 2034,
+ 2042, 2050, 2046, 2033, 2047, 2040, 0, 2044, 2034, 2039,
+ 0, 2036, 2035, 2040, 2044, 2048, 2036, 2041, 2045, 2047,
+ 2050, 2052, 2042, 2039, 2046, 2045, 2051, 2042, 2050, 2046,
+ 2052, 2047, 2053, 2051, 2044, 2055, 2048, 2054, 2054, 2056,
+ 2061, 2055, 2048, 2053, 2059, 2045, 2062, 2054, 2052, 2063,
+ 2067, 2059, 2069, 2051, 2070, 2070, 0, 2071, 2073, 2053,
+
+ 2074, 2056, 2055, 2077, 2054, 2054, 2056, 2061, 2075, 2074,
+ 2079, 2059, 2063, 2062, 2078, 2082, 2063, 2067, 2083, 2069,
+ 2071, 2075, 2079, 2070, 2071, 2073, 2084, 2074, 2085, 2081,
+ 2077, 2086, 2087, 2082, 2078, 2075, 2088, 2079, 2081, 2090,
+ 0, 2078, 2082, 2086, 2083, 2083, 2089, 2092, 2089, 2093,
+ 2095, 2090, 2094, 2084, 2087, 2085, 2081, 2098, 2086, 2087,
+ 2094, 2091, 2101, 2088, 2102, 2103, 2090, 2091, 2105, 2092,
+ 2106, 2093, 2108, 2089, 2092, 2109, 2093, 2095, 2110, 2094,
+ 2112, 2111, 2116, 2118, 2098, 2115, 2105, 2119, 2091, 2101,
+ 2109, 2102, 2103, 2111, 2115, 2105, 2120, 2106, 2129, 2108,
+
+ 2119, 2122, 2109, 2121, 2110, 2110, 2116, 2112, 2111, 2116,
+ 2122, 2121, 2115, 2123, 2119, 2118, 2132, 2136, 2120, 2133,
+ 2134, 2136, 2129, 2120, 2123, 2129, 2133, 2138, 2122, 2137,
+ 2121, 2145, 0, 2134, 2139, 2142, 0, 2142, 2141, 2132,
+ 2123, 2138, 2139, 2132, 2136, 2137, 2133, 2134, 2140, 2141,
+ 2146, 2143, 2144, 2147, 2138, 2148, 2137, 2140, 2145, 2144,
+ 2149, 2139, 2142, 2143, 2150, 2141, 2151, 2152, 2146, 2152,
+ 2154, 2153, 2155, 2156, 2163, 2140, 2164, 2146, 2143, 2144,
+ 2147, 2148, 2148, 2153, 2158, 2155, 2150, 2149, 2151, 2162,
+ 2165, 2150, 2160, 2151, 2152, 2166, 2158, 2162, 2153, 2155,
+
+ 2156, 2160, 2154, 2165, 2167, 2169, 2163, 2170, 2164, 2166,
+ 2172, 2158, 2167, 2171, 2173, 2174, 2162, 2165, 2169, 2160,
+ 0, 2171, 2166, 2174, 2172, 2175, 2176, 2177, 2173, 2178,
+ 2170, 2167, 2169, 2179, 2170, 2177, 2180, 2172, 0, 2181,
+ 2171, 2173, 2174, 2182, 2185, 2184, 2190, 2175, 2176, 2183,
+ 0, 0, 2175, 2176, 2177, 2187, 2178, 2183, 2180, 2179,
+ 2179, 2181, 2194, 2180, 2188, 2182, 2181, 0, 2198, 2192,
+ 2182, 2185, 2188, 2189, 0, 2187, 2183, 2184, 2190, 2191,
+ 2195, 2189, 2187, 2192, 2194, 2196, 2199, 2191, 2195, 2194,
+ 2197, 2188, 2201, 2196, 2198, 2198, 2192, 2200, 0, 2202,
+
+ 2189, 2203, 2204, 2205, 2197, 2200, 2191, 2195, 2199, 2206,
+ 2210, 2205, 2196, 2199, 2207, 2208, 0, 2197, 2201, 2201,
+ 0, 2213, 2204, 2203, 2200, 2202, 2202, 2214, 2203, 2204,
+ 2205, 2209, 2210, 2217, 2207, 2208, 2206, 2210, 2211, 2209,
+ 2220, 2207, 2208, 2213, 2215, 2216, 2211, 2218, 2213, 2214,
+ 2221, 2223, 2215, 2216, 2214, 2218, 2219, 2224, 2209, 2217,
+ 2217, 2222, 2225, 2227, 2219, 2211, 2220, 2220, 2231, 2230,
+ 2233, 2215, 2216, 2234, 2218, 0, 2231, 2221, 2223, 2232,
+ 0, 2222, 2225, 2219, 2224, 2227, 0, 2232, 2222, 2225,
+ 2227, 2230, 0, 0, 0, 2231, 2230, 2233, 0, 0,
+
+ 2234, 0, 0, 0, 0, 0, 2232, 2238, 2238, 2238,
+ 2238, 2238, 2238, 2238, 2239, 2239, 2239, 2239, 2239, 2239,
+ 2239, 2240, 2240, 2240, 2240, 2240, 2240, 2240, 2241, 2241,
+ 2241, 2241, 2241, 2241, 2241, 2242, 2242, 2242, 2242, 2242,
+ 2242, 2242, 2244, 2244, 0, 2244, 2244, 2244, 2244, 2245,
+ 2245, 0, 0, 0, 2245, 2245, 2246, 2246, 0, 0,
+ 2246, 0, 2246, 2247, 0, 0, 0, 0, 0, 2247,
+ 2248, 2248, 0, 0, 0, 2248, 2248, 2249, 0, 0,
+ 0, 0, 0, 2249, 2250, 2250, 0, 2250, 2250, 2250,
+ 2250, 2251, 2251, 0, 2251, 2251, 2251, 2251, 2237, 2237,
+
+ 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237,
+ 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237,
+ 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237,
+ 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237,
+ 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237,
+ 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237, 2237,
+ 2237, 2237, 2237, 2237, 2237
} ;
static yy_state_type yy_last_accepting_state;
@@ -2754,7 +2822,7 @@ static void config_end_include(void)
#define YY_NO_INPUT 1
#endif
-#line 2756 "<stdout>"
+#line 2824 "<stdout>"
#define INITIAL 0
#define quotedstring 1
@@ -2977,7 +3045,7 @@ YY_DECL
{
#line 207 "util/configlexer.lex"
-#line 2979 "<stdout>"
+#line 3047 "<stdout>"
while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */
{
@@ -3010,13 +3078,13 @@ yy_match:
while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
{
yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 2165 )
+ if ( yy_current_state >= 2238 )
yy_c = yy_meta[(unsigned int) yy_c];
}
yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
++yy_cp;
}
- while ( yy_base[yy_current_state] != 6214 );
+ while ( yy_base[yy_current_state] != 6399 );
yy_find_action:
yy_act = yy_accept[yy_current_state];
@@ -3511,580 +3579,620 @@ YY_RULE_SETUP
case 94:
YY_RULE_SETUP
#line 304 "util/configlexer.lex"
-{ YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD) }
+{ YDVAR(1, VAR_CLIENT_SUBNET_ZONE) }
YY_BREAK
case 95:
YY_RULE_SETUP
#line 305 "util/configlexer.lex"
-{ YDVAR(1, VAR_CLIENT_SUBNET_OPCODE) }
+{ YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD) }
YY_BREAK
case 96:
YY_RULE_SETUP
#line 306 "util/configlexer.lex"
-{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV4) }
+{ YDVAR(1, VAR_CLIENT_SUBNET_OPCODE) }
YY_BREAK
case 97:
YY_RULE_SETUP
#line 307 "util/configlexer.lex"
-{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV6) }
+{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV4) }
YY_BREAK
case 98:
YY_RULE_SETUP
#line 308 "util/configlexer.lex"
-{ YDVAR(1, VAR_HIDE_IDENTITY) }
+{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV6) }
YY_BREAK
case 99:
YY_RULE_SETUP
#line 309 "util/configlexer.lex"
-{ YDVAR(1, VAR_HIDE_VERSION) }
+{ YDVAR(1, VAR_HIDE_IDENTITY) }
YY_BREAK
case 100:
YY_RULE_SETUP
#line 310 "util/configlexer.lex"
-{ YDVAR(1, VAR_HIDE_TRUSTANCHOR) }
+{ YDVAR(1, VAR_HIDE_VERSION) }
YY_BREAK
case 101:
YY_RULE_SETUP
#line 311 "util/configlexer.lex"
-{ YDVAR(1, VAR_IDENTITY) }
+{ YDVAR(1, VAR_HIDE_TRUSTANCHOR) }
YY_BREAK
case 102:
YY_RULE_SETUP
#line 312 "util/configlexer.lex"
-{ YDVAR(1, VAR_VERSION) }
+{ YDVAR(1, VAR_IDENTITY) }
YY_BREAK
case 103:
YY_RULE_SETUP
#line 313 "util/configlexer.lex"
-{ YDVAR(1, VAR_MODULE_CONF) }
+{ YDVAR(1, VAR_VERSION) }
YY_BREAK
case 104:
YY_RULE_SETUP
#line 314 "util/configlexer.lex"
-{ YDVAR(1, VAR_DLV_ANCHOR) }
+{ YDVAR(1, VAR_MODULE_CONF) }
YY_BREAK
case 105:
YY_RULE_SETUP
#line 315 "util/configlexer.lex"
-{ YDVAR(1, VAR_DLV_ANCHOR_FILE) }
+{ YDVAR(1, VAR_DLV_ANCHOR) }
YY_BREAK
case 106:
YY_RULE_SETUP
#line 316 "util/configlexer.lex"
-{ YDVAR(1, VAR_TRUST_ANCHOR_FILE) }
+{ YDVAR(1, VAR_DLV_ANCHOR_FILE) }
YY_BREAK
case 107:
YY_RULE_SETUP
#line 317 "util/configlexer.lex"
-{ YDVAR(1, VAR_AUTO_TRUST_ANCHOR_FILE) }
+{ YDVAR(1, VAR_TRUST_ANCHOR_FILE) }
YY_BREAK
case 108:
YY_RULE_SETUP
#line 318 "util/configlexer.lex"
-{ YDVAR(1, VAR_TRUSTED_KEYS_FILE) }
+{ YDVAR(1, VAR_AUTO_TRUST_ANCHOR_FILE) }
YY_BREAK
case 109:
YY_RULE_SETUP
#line 319 "util/configlexer.lex"
-{ YDVAR(1, VAR_TRUST_ANCHOR) }
+{ YDVAR(1, VAR_TRUSTED_KEYS_FILE) }
YY_BREAK
case 110:
YY_RULE_SETUP
#line 320 "util/configlexer.lex"
-{ YDVAR(1, VAR_VAL_OVERRIDE_DATE) }
+{ YDVAR(1, VAR_TRUST_ANCHOR) }
YY_BREAK
case 111:
YY_RULE_SETUP
#line 321 "util/configlexer.lex"
-{ YDVAR(1, VAR_VAL_SIG_SKEW_MIN) }
+{ YDVAR(1, VAR_TRUST_ANCHOR_SIGNALING) }
YY_BREAK
case 112:
YY_RULE_SETUP
#line 322 "util/configlexer.lex"
-{ YDVAR(1, VAR_VAL_SIG_SKEW_MAX) }
+{ YDVAR(1, VAR_VAL_OVERRIDE_DATE) }
YY_BREAK
case 113:
YY_RULE_SETUP
#line 323 "util/configlexer.lex"
-{ YDVAR(1, VAR_BOGUS_TTL) }
+{ YDVAR(1, VAR_VAL_SIG_SKEW_MIN) }
YY_BREAK
case 114:
YY_RULE_SETUP
#line 324 "util/configlexer.lex"
-{ YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
+{ YDVAR(1, VAR_VAL_SIG_SKEW_MAX) }
YY_BREAK
case 115:
YY_RULE_SETUP
#line 325 "util/configlexer.lex"
-{ YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
+{ YDVAR(1, VAR_BOGUS_TTL) }
YY_BREAK
case 116:
YY_RULE_SETUP
#line 326 "util/configlexer.lex"
-{ YDVAR(1, VAR_IGNORE_CD_FLAG) }
+{ YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
YY_BREAK
case 117:
YY_RULE_SETUP
#line 327 "util/configlexer.lex"
-{ YDVAR(1, VAR_SERVE_EXPIRED) }
+{ YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
YY_BREAK
case 118:
YY_RULE_SETUP
#line 328 "util/configlexer.lex"
-{ YDVAR(1, VAR_FAKE_DSA) }
+{ YDVAR(1, VAR_IGNORE_CD_FLAG) }
YY_BREAK
case 119:
YY_RULE_SETUP
#line 329 "util/configlexer.lex"
-{ YDVAR(1, VAR_FAKE_SHA1) }
+{ YDVAR(1, VAR_SERVE_EXPIRED) }
YY_BREAK
case 120:
YY_RULE_SETUP
#line 330 "util/configlexer.lex"
-{ YDVAR(1, VAR_VAL_LOG_LEVEL) }
+{ YDVAR(1, VAR_FAKE_DSA) }
YY_BREAK
case 121:
YY_RULE_SETUP
#line 331 "util/configlexer.lex"
-{ YDVAR(1, VAR_KEY_CACHE_SIZE) }
+{ YDVAR(1, VAR_FAKE_SHA1) }
YY_BREAK
case 122:
YY_RULE_SETUP
#line 332 "util/configlexer.lex"
-{ YDVAR(1, VAR_KEY_CACHE_SLABS) }
+{ YDVAR(1, VAR_VAL_LOG_LEVEL) }
YY_BREAK
case 123:
YY_RULE_SETUP
#line 333 "util/configlexer.lex"
-{ YDVAR(1, VAR_NEG_CACHE_SIZE) }
+{ YDVAR(1, VAR_KEY_CACHE_SIZE) }
YY_BREAK
case 124:
YY_RULE_SETUP
#line 334 "util/configlexer.lex"
-{
- YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) }
+{ YDVAR(1, VAR_KEY_CACHE_SLABS) }
YY_BREAK
case 125:
YY_RULE_SETUP
-#line 336 "util/configlexer.lex"
-{ YDVAR(1, VAR_ADD_HOLDDOWN) }
+#line 335 "util/configlexer.lex"
+{ YDVAR(1, VAR_NEG_CACHE_SIZE) }
YY_BREAK
case 126:
YY_RULE_SETUP
-#line 337 "util/configlexer.lex"
-{ YDVAR(1, VAR_DEL_HOLDDOWN) }
+#line 336 "util/configlexer.lex"
+{
+ YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) }
YY_BREAK
case 127:
YY_RULE_SETUP
#line 338 "util/configlexer.lex"
-{ YDVAR(1, VAR_KEEP_MISSING) }
+{ YDVAR(1, VAR_ADD_HOLDDOWN) }
YY_BREAK
case 128:
YY_RULE_SETUP
#line 339 "util/configlexer.lex"
-{ YDVAR(1, VAR_PERMIT_SMALL_HOLDDOWN) }
+{ YDVAR(1, VAR_DEL_HOLDDOWN) }
YY_BREAK
case 129:
YY_RULE_SETUP
#line 340 "util/configlexer.lex"
-{ YDVAR(1, VAR_USE_SYSLOG) }
+{ YDVAR(1, VAR_KEEP_MISSING) }
YY_BREAK
case 130:
YY_RULE_SETUP
#line 341 "util/configlexer.lex"
-{ YDVAR(1, VAR_LOG_IDENTITY) }
+{ YDVAR(1, VAR_PERMIT_SMALL_HOLDDOWN) }
YY_BREAK
case 131:
YY_RULE_SETUP
#line 342 "util/configlexer.lex"
-{ YDVAR(1, VAR_LOG_TIME_ASCII) }
+{ YDVAR(1, VAR_USE_SYSLOG) }
YY_BREAK
case 132:
YY_RULE_SETUP
#line 343 "util/configlexer.lex"
-{ YDVAR(1, VAR_LOG_QUERIES) }
+{ YDVAR(1, VAR_LOG_IDENTITY) }
YY_BREAK
case 133:
YY_RULE_SETUP
#line 344 "util/configlexer.lex"
-{ YDVAR(1, VAR_LOG_REPLIES) }
+{ YDVAR(1, VAR_LOG_TIME_ASCII) }
YY_BREAK
case 134:
YY_RULE_SETUP
#line 345 "util/configlexer.lex"
-{ YDVAR(2, VAR_LOCAL_ZONE) }
+{ YDVAR(1, VAR_LOG_QUERIES) }
YY_BREAK
case 135:
YY_RULE_SETUP
#line 346 "util/configlexer.lex"
-{ YDVAR(1, VAR_LOCAL_DATA) }
+{ YDVAR(1, VAR_LOG_REPLIES) }
YY_BREAK
case 136:
YY_RULE_SETUP
#line 347 "util/configlexer.lex"
-{ YDVAR(1, VAR_LOCAL_DATA_PTR) }
+{ YDVAR(2, VAR_LOCAL_ZONE) }
YY_BREAK
case 137:
YY_RULE_SETUP
#line 348 "util/configlexer.lex"
-{ YDVAR(1, VAR_UNBLOCK_LAN_ZONES) }
+{ YDVAR(1, VAR_LOCAL_DATA) }
YY_BREAK
case 138:
YY_RULE_SETUP
#line 349 "util/configlexer.lex"
-{ YDVAR(1, VAR_INSECURE_LAN_ZONES) }
+{ YDVAR(1, VAR_LOCAL_DATA_PTR) }
YY_BREAK
case 139:
YY_RULE_SETUP
#line 350 "util/configlexer.lex"
-{ YDVAR(1, VAR_STATISTICS_INTERVAL) }
+{ YDVAR(1, VAR_UNBLOCK_LAN_ZONES) }
YY_BREAK
case 140:
YY_RULE_SETUP
#line 351 "util/configlexer.lex"
-{ YDVAR(1, VAR_STATISTICS_CUMULATIVE) }
+{ YDVAR(1, VAR_INSECURE_LAN_ZONES) }
YY_BREAK
case 141:
YY_RULE_SETUP
#line 352 "util/configlexer.lex"
-{ YDVAR(1, VAR_EXTENDED_STATISTICS) }
+{ YDVAR(1, VAR_STATISTICS_INTERVAL) }
YY_BREAK
case 142:
YY_RULE_SETUP
#line 353 "util/configlexer.lex"
-{ YDVAR(1, VAR_SHM_ENABLE) }
+{ YDVAR(1, VAR_STATISTICS_CUMULATIVE) }
YY_BREAK
case 143:
YY_RULE_SETUP
#line 354 "util/configlexer.lex"
-{ YDVAR(1, VAR_SHM_KEY) }
+{ YDVAR(1, VAR_EXTENDED_STATISTICS) }
YY_BREAK
case 144:
YY_RULE_SETUP
#line 355 "util/configlexer.lex"
-{ YDVAR(0, VAR_REMOTE_CONTROL) }
+{ YDVAR(1, VAR_SHM_ENABLE) }
YY_BREAK
case 145:
YY_RULE_SETUP
#line 356 "util/configlexer.lex"
-{ YDVAR(1, VAR_CONTROL_ENABLE) }
+{ YDVAR(1, VAR_SHM_KEY) }
YY_BREAK
case 146:
YY_RULE_SETUP
#line 357 "util/configlexer.lex"
-{ YDVAR(1, VAR_CONTROL_INTERFACE) }
+{ YDVAR(0, VAR_REMOTE_CONTROL) }
YY_BREAK
case 147:
YY_RULE_SETUP
#line 358 "util/configlexer.lex"
-{ YDVAR(1, VAR_CONTROL_PORT) }
+{ YDVAR(1, VAR_CONTROL_ENABLE) }
YY_BREAK
case 148:
YY_RULE_SETUP
#line 359 "util/configlexer.lex"
-{ YDVAR(1, VAR_CONTROL_USE_CERT) }
+{ YDVAR(1, VAR_CONTROL_INTERFACE) }
YY_BREAK
case 149:
YY_RULE_SETUP
#line 360 "util/configlexer.lex"
-{ YDVAR(1, VAR_SERVER_KEY_FILE) }
+{ YDVAR(1, VAR_CONTROL_PORT) }
YY_BREAK
case 150:
YY_RULE_SETUP
#line 361 "util/configlexer.lex"
-{ YDVAR(1, VAR_SERVER_CERT_FILE) }
+{ YDVAR(1, VAR_CONTROL_USE_CERT) }
YY_BREAK
case 151:
YY_RULE_SETUP
#line 362 "util/configlexer.lex"
-{ YDVAR(1, VAR_CONTROL_KEY_FILE) }
+{ YDVAR(1, VAR_SERVER_KEY_FILE) }
YY_BREAK
case 152:
YY_RULE_SETUP
#line 363 "util/configlexer.lex"
-{ YDVAR(1, VAR_CONTROL_CERT_FILE) }
+{ YDVAR(1, VAR_SERVER_CERT_FILE) }
YY_BREAK
case 153:
YY_RULE_SETUP
#line 364 "util/configlexer.lex"
-{ YDVAR(1, VAR_PYTHON_SCRIPT) }
+{ YDVAR(1, VAR_CONTROL_KEY_FILE) }
YY_BREAK
case 154:
YY_RULE_SETUP
#line 365 "util/configlexer.lex"
-{ YDVAR(0, VAR_PYTHON) }
+{ YDVAR(1, VAR_CONTROL_CERT_FILE) }
YY_BREAK
case 155:
YY_RULE_SETUP
#line 366 "util/configlexer.lex"
-{ YDVAR(1, VAR_DOMAIN_INSECURE) }
+{ YDVAR(1, VAR_PYTHON_SCRIPT) }
YY_BREAK
case 156:
YY_RULE_SETUP
#line 367 "util/configlexer.lex"
-{ YDVAR(1, VAR_MINIMAL_RESPONSES) }
+{ YDVAR(0, VAR_PYTHON) }
YY_BREAK
case 157:
YY_RULE_SETUP
#line 368 "util/configlexer.lex"
-{ YDVAR(1, VAR_RRSET_ROUNDROBIN) }
+{ YDVAR(1, VAR_DOMAIN_INSECURE) }
YY_BREAK
case 158:
YY_RULE_SETUP
#line 369 "util/configlexer.lex"
-{ YDVAR(1, VAR_MAX_UDP_SIZE) }
+{ YDVAR(1, VAR_MINIMAL_RESPONSES) }
YY_BREAK
case 159:
YY_RULE_SETUP
#line 370 "util/configlexer.lex"
-{ YDVAR(1, VAR_DNS64_PREFIX) }
+{ YDVAR(1, VAR_RRSET_ROUNDROBIN) }
YY_BREAK
case 160:
YY_RULE_SETUP
#line 371 "util/configlexer.lex"
-{ YDVAR(1, VAR_DNS64_SYNTHALL) }
+{ YDVAR(1, VAR_MAX_UDP_SIZE) }
YY_BREAK
case 161:
YY_RULE_SETUP
#line 372 "util/configlexer.lex"
-{ YDVAR(1, VAR_DEFINE_TAG) }
+{ YDVAR(1, VAR_DNS64_PREFIX) }
YY_BREAK
case 162:
YY_RULE_SETUP
#line 373 "util/configlexer.lex"
-{ YDVAR(2, VAR_LOCAL_ZONE_TAG) }
+{ YDVAR(1, VAR_DNS64_SYNTHALL) }
YY_BREAK
case 163:
YY_RULE_SETUP
#line 374 "util/configlexer.lex"
-{ YDVAR(2, VAR_ACCESS_CONTROL_TAG) }
+{ YDVAR(1, VAR_DEFINE_TAG) }
YY_BREAK
case 164:
YY_RULE_SETUP
#line 375 "util/configlexer.lex"
-{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_ACTION) }
+{ YDVAR(2, VAR_LOCAL_ZONE_TAG) }
YY_BREAK
case 165:
YY_RULE_SETUP
#line 376 "util/configlexer.lex"
-{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_DATA) }
+{ YDVAR(2, VAR_ACCESS_CONTROL_TAG) }
YY_BREAK
case 166:
YY_RULE_SETUP
#line 377 "util/configlexer.lex"
-{ YDVAR(2, VAR_ACCESS_CONTROL_VIEW) }
+{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_ACTION) }
YY_BREAK
case 167:
YY_RULE_SETUP
#line 378 "util/configlexer.lex"
-{ YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) }
+{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_DATA) }
YY_BREAK
case 168:
YY_RULE_SETUP
#line 379 "util/configlexer.lex"
-{ YDVAR(0, VAR_DNSTAP) }
+{ YDVAR(2, VAR_ACCESS_CONTROL_VIEW) }
YY_BREAK
case 169:
YY_RULE_SETUP
#line 380 "util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_ENABLE) }
+{ YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) }
YY_BREAK
case 170:
YY_RULE_SETUP
#line 381 "util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_SOCKET_PATH) }
+{ YDVAR(0, VAR_DNSTAP) }
YY_BREAK
case 171:
YY_RULE_SETUP
#line 382 "util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_SEND_IDENTITY) }
+{ YDVAR(1, VAR_DNSTAP_ENABLE) }
YY_BREAK
case 172:
YY_RULE_SETUP
#line 383 "util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_SEND_VERSION) }
+{ YDVAR(1, VAR_DNSTAP_SOCKET_PATH) }
YY_BREAK
case 173:
YY_RULE_SETUP
#line 384 "util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_IDENTITY) }
+{ YDVAR(1, VAR_DNSTAP_SEND_IDENTITY) }
YY_BREAK
case 174:
YY_RULE_SETUP
#line 385 "util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_VERSION) }
+{ YDVAR(1, VAR_DNSTAP_SEND_VERSION) }
YY_BREAK
case 175:
YY_RULE_SETUP
#line 386 "util/configlexer.lex"
-{
- YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES) }
+{ YDVAR(1, VAR_DNSTAP_IDENTITY) }
YY_BREAK
case 176:
YY_RULE_SETUP
-#line 388 "util/configlexer.lex"
-{
- YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES) }
+#line 387 "util/configlexer.lex"
+{ YDVAR(1, VAR_DNSTAP_VERSION) }
YY_BREAK
case 177:
YY_RULE_SETUP
-#line 390 "util/configlexer.lex"
+#line 388 "util/configlexer.lex"
{
- YDVAR(1, VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES) }
+ YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES) }
YY_BREAK
case 178:
YY_RULE_SETUP
-#line 392 "util/configlexer.lex"
+#line 390 "util/configlexer.lex"
{
- YDVAR(1, VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES) }
+ YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES) }
YY_BREAK
case 179:
YY_RULE_SETUP
-#line 394 "util/configlexer.lex"
+#line 392 "util/configlexer.lex"
{
- YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) }
+ YDVAR(1, VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES) }
YY_BREAK
case 180:
YY_RULE_SETUP
-#line 396 "util/configlexer.lex"
+#line 394 "util/configlexer.lex"
{
- YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
+ YDVAR(1, VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES) }
YY_BREAK
case 181:
YY_RULE_SETUP
-#line 398 "util/configlexer.lex"
-{ YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) }
+#line 396 "util/configlexer.lex"
+{
+ YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) }
YY_BREAK
case 182:
YY_RULE_SETUP
-#line 399 "util/configlexer.lex"
-{ YDVAR(1, VAR_IP_RATELIMIT) }
+#line 398 "util/configlexer.lex"
+{
+ YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
YY_BREAK
case 183:
YY_RULE_SETUP
#line 400 "util/configlexer.lex"
-{ YDVAR(1, VAR_RATELIMIT) }
+{ YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) }
YY_BREAK
case 184:
YY_RULE_SETUP
#line 401 "util/configlexer.lex"
-{ YDVAR(1, VAR_IP_RATELIMIT_SLABS) }
+{ YDVAR(1, VAR_IP_RATELIMIT) }
YY_BREAK
case 185:
YY_RULE_SETUP
#line 402 "util/configlexer.lex"
-{ YDVAR(1, VAR_RATELIMIT_SLABS) }
+{ YDVAR(1, VAR_RATELIMIT) }
YY_BREAK
case 186:
YY_RULE_SETUP
#line 403 "util/configlexer.lex"
-{ YDVAR(1, VAR_IP_RATELIMIT_SIZE) }
+{ YDVAR(1, VAR_IP_RATELIMIT_SLABS) }
YY_BREAK
case 187:
YY_RULE_SETUP
#line 404 "util/configlexer.lex"
-{ YDVAR(1, VAR_RATELIMIT_SIZE) }
+{ YDVAR(1, VAR_RATELIMIT_SLABS) }
YY_BREAK
case 188:
YY_RULE_SETUP
#line 405 "util/configlexer.lex"
-{ YDVAR(2, VAR_RATELIMIT_FOR_DOMAIN) }
+{ YDVAR(1, VAR_IP_RATELIMIT_SIZE) }
YY_BREAK
case 189:
YY_RULE_SETUP
#line 406 "util/configlexer.lex"
-{ YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) }
+{ YDVAR(1, VAR_RATELIMIT_SIZE) }
YY_BREAK
case 190:
YY_RULE_SETUP
#line 407 "util/configlexer.lex"
-{ YDVAR(1, VAR_IP_RATELIMIT_FACTOR) }
+{ YDVAR(2, VAR_RATELIMIT_FOR_DOMAIN) }
YY_BREAK
case 191:
YY_RULE_SETUP
#line 408 "util/configlexer.lex"
-{ YDVAR(1, VAR_RATELIMIT_FACTOR) }
+{ YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) }
YY_BREAK
case 192:
YY_RULE_SETUP
#line 409 "util/configlexer.lex"
-{ YDVAR(2, VAR_RESPONSE_IP_TAG) }
+{ YDVAR(1, VAR_IP_RATELIMIT_FACTOR) }
YY_BREAK
case 193:
YY_RULE_SETUP
#line 410 "util/configlexer.lex"
-{ YDVAR(2, VAR_RESPONSE_IP) }
+{ YDVAR(1, VAR_RATELIMIT_FACTOR) }
YY_BREAK
case 194:
YY_RULE_SETUP
#line 411 "util/configlexer.lex"
-{ YDVAR(2, VAR_RESPONSE_IP_DATA) }
+{ YDVAR(2, VAR_RESPONSE_IP_TAG) }
YY_BREAK
case 195:
YY_RULE_SETUP
#line 412 "util/configlexer.lex"
-{ YDVAR(0, VAR_DNSCRYPT) }
+{ YDVAR(2, VAR_RESPONSE_IP) }
YY_BREAK
case 196:
YY_RULE_SETUP
#line 413 "util/configlexer.lex"
-{ YDVAR(1, VAR_DNSCRYPT_ENABLE) }
+{ YDVAR(2, VAR_RESPONSE_IP_DATA) }
YY_BREAK
case 197:
YY_RULE_SETUP
#line 414 "util/configlexer.lex"
-{ YDVAR(1, VAR_DNSCRYPT_PORT) }
+{ YDVAR(0, VAR_DNSCRYPT) }
YY_BREAK
case 198:
YY_RULE_SETUP
#line 415 "util/configlexer.lex"
-{ YDVAR(1, VAR_DNSCRYPT_PROVIDER) }
+{ YDVAR(1, VAR_DNSCRYPT_ENABLE) }
YY_BREAK
case 199:
YY_RULE_SETUP
#line 416 "util/configlexer.lex"
-{ YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) }
+{ YDVAR(1, VAR_DNSCRYPT_PORT) }
YY_BREAK
case 200:
YY_RULE_SETUP
#line 417 "util/configlexer.lex"
-{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) }
+{ YDVAR(1, VAR_DNSCRYPT_PROVIDER) }
YY_BREAK
case 201:
-/* rule 201 can match eol */
YY_RULE_SETUP
#line 418 "util/configlexer.lex"
-{ LEXOUT(("NL\n")); cfg_parser->line++; }
+{ YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) }
YY_BREAK
-/* Quoted strings. Strip leading and ending quotes */
case 202:
YY_RULE_SETUP
+#line 419 "util/configlexer.lex"
+{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) }
+ YY_BREAK
+case 203:
+YY_RULE_SETUP
+#line 420 "util/configlexer.lex"
+{ YDVAR(1, VAR_IPSECMOD_ENABLED) }
+ YY_BREAK
+case 204:
+YY_RULE_SETUP
#line 421 "util/configlexer.lex"
+{ YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
+ YY_BREAK
+case 205:
+YY_RULE_SETUP
+#line 422 "util/configlexer.lex"
+{ YDVAR(1, VAR_IPSECMOD_HOOK) }
+ YY_BREAK
+case 206:
+YY_RULE_SETUP
+#line 423 "util/configlexer.lex"
+{ YDVAR(1, VAR_IPSECMOD_MAX_TTL) }
+ YY_BREAK
+case 207:
+YY_RULE_SETUP
+#line 424 "util/configlexer.lex"
+{ YDVAR(1, VAR_IPSECMOD_WHITELIST) }
+ YY_BREAK
+case 208:
+YY_RULE_SETUP
+#line 425 "util/configlexer.lex"
+{ YDVAR(1, VAR_IPSECMOD_STRICT) }
+ YY_BREAK
+case 209:
+/* rule 209 can match eol */
+YY_RULE_SETUP
+#line 426 "util/configlexer.lex"
+{ LEXOUT(("NL\n")); cfg_parser->line++; }
+ YY_BREAK
+/* Quoted strings. Strip leading and ending quotes */
+case 210:
+YY_RULE_SETUP
+#line 429 "util/configlexer.lex"
{ BEGIN(quotedstring); LEXOUT(("QS ")); }
YY_BREAK
case YY_STATE_EOF(quotedstring):
-#line 422 "util/configlexer.lex"
+#line 430 "util/configlexer.lex"
{
yyerror("EOF inside quoted string");
if(--num_args == 0) { BEGIN(INITIAL); }
else { BEGIN(val); }
}
YY_BREAK
-case 203:
+case 211:
YY_RULE_SETUP
-#line 427 "util/configlexer.lex"
+#line 435 "util/configlexer.lex"
{ LEXOUT(("STR(%s) ", yytext)); yymore(); }
YY_BREAK
-case 204:
-/* rule 204 can match eol */
+case 212:
+/* rule 212 can match eol */
YY_RULE_SETUP
-#line 428 "util/configlexer.lex"
+#line 436 "util/configlexer.lex"
{ yyerror("newline inside quoted string, no end \"");
cfg_parser->line++; BEGIN(INITIAL); }
YY_BREAK
-case 205:
+case 213:
YY_RULE_SETUP
-#line 430 "util/configlexer.lex"
+#line 438 "util/configlexer.lex"
{
LEXOUT(("QE "));
if(--num_args == 0) { BEGIN(INITIAL); }
@@ -4097,34 +4205,34 @@ YY_RULE_SETUP
}
YY_BREAK
/* Single Quoted strings. Strip leading and ending quotes */
-case 206:
+case 214:
YY_RULE_SETUP
-#line 442 "util/configlexer.lex"
+#line 450 "util/configlexer.lex"
{ BEGIN(singlequotedstr); LEXOUT(("SQS ")); }
YY_BREAK
case YY_STATE_EOF(singlequotedstr):
-#line 443 "util/configlexer.lex"
+#line 451 "util/configlexer.lex"
{
yyerror("EOF inside quoted string");
if(--num_args == 0) { BEGIN(INITIAL); }
else { BEGIN(val); }
}
YY_BREAK
-case 207:
+case 215:
YY_RULE_SETUP
-#line 448 "util/configlexer.lex"
+#line 456 "util/configlexer.lex"
{ LEXOUT(("STR(%s) ", yytext)); yymore(); }
YY_BREAK
-case 208:
-/* rule 208 can match eol */
+case 216:
+/* rule 216 can match eol */
YY_RULE_SETUP
-#line 449 "util/configlexer.lex"
+#line 457 "util/configlexer.lex"
{ yyerror("newline inside quoted string, no end '");
cfg_parser->line++; BEGIN(INITIAL); }
YY_BREAK
-case 209:
+case 217:
YY_RULE_SETUP
-#line 451 "util/configlexer.lex"
+#line 459 "util/configlexer.lex"
{
LEXOUT(("SQE "));
if(--num_args == 0) { BEGIN(INITIAL); }
@@ -4137,38 +4245,38 @@ YY_RULE_SETUP
}
YY_BREAK
/* include: directive */
-case 210:
+case 218:
YY_RULE_SETUP
-#line 463 "util/configlexer.lex"
+#line 471 "util/configlexer.lex"
{
LEXOUT(("v(%s) ", yytext)); inc_prev = YYSTATE; BEGIN(include); }
YY_BREAK
case YY_STATE_EOF(include):
-#line 465 "util/configlexer.lex"
+#line 473 "util/configlexer.lex"
{
yyerror("EOF inside include directive");
BEGIN(inc_prev);
}
YY_BREAK
-case 211:
+case 219:
YY_RULE_SETUP
-#line 469 "util/configlexer.lex"
+#line 477 "util/configlexer.lex"
{ LEXOUT(("ISP ")); /* ignore */ }
YY_BREAK
-case 212:
-/* rule 212 can match eol */
+case 220:
+/* rule 220 can match eol */
YY_RULE_SETUP
-#line 470 "util/configlexer.lex"
+#line 478 "util/configlexer.lex"
{ LEXOUT(("NL\n")); cfg_parser->line++;}
YY_BREAK
-case 213:
+case 221:
YY_RULE_SETUP
-#line 471 "util/configlexer.lex"
+#line 479 "util/configlexer.lex"
{ LEXOUT(("IQS ")); BEGIN(include_quoted); }
YY_BREAK
-case 214:
+case 222:
YY_RULE_SETUP
-#line 472 "util/configlexer.lex"
+#line 480 "util/configlexer.lex"
{
LEXOUT(("Iunquotedstr(%s) ", yytext));
config_start_include_glob(yytext);
@@ -4176,27 +4284,27 @@ YY_RULE_SETUP
}
YY_BREAK
case YY_STATE_EOF(include_quoted):
-#line 477 "util/configlexer.lex"
+#line 485 "util/configlexer.lex"
{
yyerror("EOF inside quoted string");
BEGIN(inc_prev);
}
YY_BREAK
-case 215:
+case 223:
YY_RULE_SETUP
-#line 481 "util/configlexer.lex"
+#line 489 "util/configlexer.lex"
{ LEXOUT(("ISTR(%s) ", yytext)); yymore(); }
YY_BREAK
-case 216:
-/* rule 216 can match eol */
+case 224:
+/* rule 224 can match eol */
YY_RULE_SETUP
-#line 482 "util/configlexer.lex"
+#line 490 "util/configlexer.lex"
{ yyerror("newline before \" in include name");
cfg_parser->line++; BEGIN(inc_prev); }
YY_BREAK
-case 217:
+case 225:
YY_RULE_SETUP
-#line 484 "util/configlexer.lex"
+#line 492 "util/configlexer.lex"
{
LEXOUT(("IQE "));
yytext[yyleng - 1] = '\0';
@@ -4206,7 +4314,7 @@ YY_RULE_SETUP
YY_BREAK
case YY_STATE_EOF(INITIAL):
case YY_STATE_EOF(val):
-#line 490 "util/configlexer.lex"
+#line 498 "util/configlexer.lex"
{
LEXOUT(("LEXEOF "));
yy_set_bol(1); /* Set beginning of line, so "^" rules match. */
@@ -4218,33 +4326,33 @@ case YY_STATE_EOF(val):
}
}
YY_BREAK
-case 218:
+case 226:
YY_RULE_SETUP
-#line 501 "util/configlexer.lex"
+#line 509 "util/configlexer.lex"
{ LEXOUT(("unquotedstr(%s) ", yytext));
if(--num_args == 0) { BEGIN(INITIAL); }
yylval.str = strdup(yytext); return STRING_ARG; }
YY_BREAK
-case 219:
+case 227:
YY_RULE_SETUP
-#line 505 "util/configlexer.lex"
+#line 513 "util/configlexer.lex"
{
ub_c_error_msg("unknown keyword '%s'", yytext);
}
YY_BREAK
-case 220:
+case 228:
YY_RULE_SETUP
-#line 509 "util/configlexer.lex"
+#line 517 "util/configlexer.lex"
{
ub_c_error_msg("stray '%s'", yytext);
}
YY_BREAK
-case 221:
+case 229:
YY_RULE_SETUP
-#line 513 "util/configlexer.lex"
+#line 521 "util/configlexer.lex"
ECHO;
YY_BREAK
-#line 4246 "<stdout>"
+#line 4354 "<stdout>"
case YY_END_OF_BUFFER:
{
@@ -4535,7 +4643,7 @@ static int yy_get_next_buffer (void)
while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
{
yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 2165 )
+ if ( yy_current_state >= 2238 )
yy_c = yy_meta[(unsigned int) yy_c];
}
yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
@@ -4563,11 +4671,11 @@ static int yy_get_next_buffer (void)
while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
{
yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 2165 )
+ if ( yy_current_state >= 2238 )
yy_c = yy_meta[(unsigned int) yy_c];
}
yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
- yy_is_jam = (yy_current_state == 2164);
+ yy_is_jam = (yy_current_state == 2237);
return yy_is_jam ? 0 : yy_current_state;
}
@@ -5206,7 +5314,7 @@ void yyfree (void * ptr )
#define YYTABLES_NAME "yytables"
-#line 513 "util/configlexer.lex"
+#line 521 "util/configlexer.lex"
diff --git a/util/configlexer.lex b/util/configlexer.lex
index a6323f2c1436..d9b8e281c568 100644
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@ -301,6 +301,7 @@ do-not-query-address{COLON} { YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) }
do-not-query-localhost{COLON} { YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) }
access-control{COLON} { YDVAR(2, VAR_ACCESS_CONTROL) }
send-client-subnet{COLON} { YDVAR(1, VAR_SEND_CLIENT_SUBNET) }
+client-subnet-zone{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_ZONE) }
client-subnet-always-forward{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD) }
client-subnet-opcode{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_OPCODE) }
max-client-subnet-ipv4{COLON} { YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV4) }
@@ -317,6 +318,7 @@ trust-anchor-file{COLON} { YDVAR(1, VAR_TRUST_ANCHOR_FILE) }
auto-trust-anchor-file{COLON} { YDVAR(1, VAR_AUTO_TRUST_ANCHOR_FILE) }
trusted-keys-file{COLON} { YDVAR(1, VAR_TRUSTED_KEYS_FILE) }
trust-anchor{COLON} { YDVAR(1, VAR_TRUST_ANCHOR) }
+trust-anchor-signaling{COLON} { YDVAR(1, VAR_TRUST_ANCHOR_SIGNALING) }
val-override-date{COLON} { YDVAR(1, VAR_VAL_OVERRIDE_DATE) }
val-sig-skew-min{COLON} { YDVAR(1, VAR_VAL_SIG_SKEW_MIN) }
val-sig-skew-max{COLON} { YDVAR(1, VAR_VAL_SIG_SKEW_MAX) }
@@ -415,6 +417,12 @@ dnscrypt-port{COLON} { YDVAR(1, VAR_DNSCRYPT_PORT) }
dnscrypt-provider{COLON} { YDVAR(1, VAR_DNSCRYPT_PROVIDER) }
dnscrypt-secret-key{COLON} { YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) }
dnscrypt-provider-cert{COLON} { YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) }
+ipsecmod-enabled{COLON} { YDVAR(1, VAR_IPSECMOD_ENABLED) }
+ipsecmod-ignore-bogus{COLON} { YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
+ipsecmod-hook{COLON} { YDVAR(1, VAR_IPSECMOD_HOOK) }
+ipsecmod-max-ttl{COLON} { YDVAR(1, VAR_IPSECMOD_MAX_TTL) }
+ipsecmod-whitelist{COLON} { YDVAR(1, VAR_IPSECMOD_WHITELIST) }
+ipsecmod-strict{COLON} { YDVAR(1, VAR_IPSECMOD_STRICT) }
<INITIAL,val>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; }
/* Quoted strings. Strip leading and ending quotes */
diff --git a/util/configparser.c b/util/configparser.c
index f70b948b75d2..9fa436b02886 100644
--- a/util/configparser.c
+++ b/util/configparser.c
@@ -298,39 +298,47 @@ extern int yydebug;
VAR_IP_RATELIMIT_FACTOR = 427,
VAR_RATELIMIT_FACTOR = 428,
VAR_SEND_CLIENT_SUBNET = 429,
- VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 430,
- VAR_CLIENT_SUBNET_OPCODE = 431,
- VAR_MAX_CLIENT_SUBNET_IPV4 = 432,
- VAR_MAX_CLIENT_SUBNET_IPV6 = 433,
- VAR_CAPS_WHITELIST = 434,
- VAR_CACHE_MAX_NEGATIVE_TTL = 435,
- VAR_PERMIT_SMALL_HOLDDOWN = 436,
- VAR_QNAME_MINIMISATION = 437,
- VAR_QNAME_MINIMISATION_STRICT = 438,
- VAR_IP_FREEBIND = 439,
- VAR_DEFINE_TAG = 440,
- VAR_LOCAL_ZONE_TAG = 441,
- VAR_ACCESS_CONTROL_TAG = 442,
- VAR_LOCAL_ZONE_OVERRIDE = 443,
- VAR_ACCESS_CONTROL_TAG_ACTION = 444,
- VAR_ACCESS_CONTROL_TAG_DATA = 445,
- VAR_VIEW = 446,
- VAR_ACCESS_CONTROL_VIEW = 447,
- VAR_VIEW_FIRST = 448,
- VAR_SERVE_EXPIRED = 449,
- VAR_FAKE_DSA = 450,
- VAR_FAKE_SHA1 = 451,
- VAR_LOG_IDENTITY = 452,
- VAR_HIDE_TRUSTANCHOR = 453,
- VAR_USE_SYSTEMD = 454,
- VAR_SHM_ENABLE = 455,
- VAR_SHM_KEY = 456,
- VAR_DNSCRYPT = 457,
- VAR_DNSCRYPT_ENABLE = 458,
- VAR_DNSCRYPT_PORT = 459,
- VAR_DNSCRYPT_PROVIDER = 460,
- VAR_DNSCRYPT_SECRET_KEY = 461,
- VAR_DNSCRYPT_PROVIDER_CERT = 462
+ VAR_CLIENT_SUBNET_ZONE = 430,
+ VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 431,
+ VAR_CLIENT_SUBNET_OPCODE = 432,
+ VAR_MAX_CLIENT_SUBNET_IPV4 = 433,
+ VAR_MAX_CLIENT_SUBNET_IPV6 = 434,
+ VAR_CAPS_WHITELIST = 435,
+ VAR_CACHE_MAX_NEGATIVE_TTL = 436,
+ VAR_PERMIT_SMALL_HOLDDOWN = 437,
+ VAR_QNAME_MINIMISATION = 438,
+ VAR_QNAME_MINIMISATION_STRICT = 439,
+ VAR_IP_FREEBIND = 440,
+ VAR_DEFINE_TAG = 441,
+ VAR_LOCAL_ZONE_TAG = 442,
+ VAR_ACCESS_CONTROL_TAG = 443,
+ VAR_LOCAL_ZONE_OVERRIDE = 444,
+ VAR_ACCESS_CONTROL_TAG_ACTION = 445,
+ VAR_ACCESS_CONTROL_TAG_DATA = 446,
+ VAR_VIEW = 447,
+ VAR_ACCESS_CONTROL_VIEW = 448,
+ VAR_VIEW_FIRST = 449,
+ VAR_SERVE_EXPIRED = 450,
+ VAR_FAKE_DSA = 451,
+ VAR_FAKE_SHA1 = 452,
+ VAR_LOG_IDENTITY = 453,
+ VAR_HIDE_TRUSTANCHOR = 454,
+ VAR_TRUST_ANCHOR_SIGNALING = 455,
+ VAR_USE_SYSTEMD = 456,
+ VAR_SHM_ENABLE = 457,
+ VAR_SHM_KEY = 458,
+ VAR_DNSCRYPT = 459,
+ VAR_DNSCRYPT_ENABLE = 460,
+ VAR_DNSCRYPT_PORT = 461,
+ VAR_DNSCRYPT_PROVIDER = 462,
+ VAR_DNSCRYPT_SECRET_KEY = 463,
+ VAR_DNSCRYPT_PROVIDER_CERT = 464,
+ VAR_IPSECMOD_ENABLED = 465,
+ VAR_IPSECMOD_HOOK = 466,
+ VAR_IPSECMOD_IGNORE_BOGUS = 467,
+ VAR_IPSECMOD_MAX_TTL = 468,
+ VAR_IPSECMOD_WHITELIST = 469,
+ VAR_IPSECMOD_STRICT = 470
};
#endif
/* Tokens. */
@@ -506,39 +514,47 @@ extern int yydebug;
#define VAR_IP_RATELIMIT_FACTOR 427
#define VAR_RATELIMIT_FACTOR 428
#define VAR_SEND_CLIENT_SUBNET 429
-#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 430
-#define VAR_CLIENT_SUBNET_OPCODE 431
-#define VAR_MAX_CLIENT_SUBNET_IPV4 432
-#define VAR_MAX_CLIENT_SUBNET_IPV6 433
-#define VAR_CAPS_WHITELIST 434
-#define VAR_CACHE_MAX_NEGATIVE_TTL 435
-#define VAR_PERMIT_SMALL_HOLDDOWN 436
-#define VAR_QNAME_MINIMISATION 437
-#define VAR_QNAME_MINIMISATION_STRICT 438
-#define VAR_IP_FREEBIND 439
-#define VAR_DEFINE_TAG 440
-#define VAR_LOCAL_ZONE_TAG 441
-#define VAR_ACCESS_CONTROL_TAG 442
-#define VAR_LOCAL_ZONE_OVERRIDE 443
-#define VAR_ACCESS_CONTROL_TAG_ACTION 444
-#define VAR_ACCESS_CONTROL_TAG_DATA 445
-#define VAR_VIEW 446
-#define VAR_ACCESS_CONTROL_VIEW 447
-#define VAR_VIEW_FIRST 448
-#define VAR_SERVE_EXPIRED 449
-#define VAR_FAKE_DSA 450
-#define VAR_FAKE_SHA1 451
-#define VAR_LOG_IDENTITY 452
-#define VAR_HIDE_TRUSTANCHOR 453
-#define VAR_USE_SYSTEMD 454
-#define VAR_SHM_ENABLE 455
-#define VAR_SHM_KEY 456
-#define VAR_DNSCRYPT 457
-#define VAR_DNSCRYPT_ENABLE 458
-#define VAR_DNSCRYPT_PORT 459
-#define VAR_DNSCRYPT_PROVIDER 460
-#define VAR_DNSCRYPT_SECRET_KEY 461
-#define VAR_DNSCRYPT_PROVIDER_CERT 462
+#define VAR_CLIENT_SUBNET_ZONE 430
+#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 431
+#define VAR_CLIENT_SUBNET_OPCODE 432
+#define VAR_MAX_CLIENT_SUBNET_IPV4 433
+#define VAR_MAX_CLIENT_SUBNET_IPV6 434
+#define VAR_CAPS_WHITELIST 435
+#define VAR_CACHE_MAX_NEGATIVE_TTL 436
+#define VAR_PERMIT_SMALL_HOLDDOWN 437
+#define VAR_QNAME_MINIMISATION 438
+#define VAR_QNAME_MINIMISATION_STRICT 439
+#define VAR_IP_FREEBIND 440
+#define VAR_DEFINE_TAG 441
+#define VAR_LOCAL_ZONE_TAG 442
+#define VAR_ACCESS_CONTROL_TAG 443
+#define VAR_LOCAL_ZONE_OVERRIDE 444
+#define VAR_ACCESS_CONTROL_TAG_ACTION 445
+#define VAR_ACCESS_CONTROL_TAG_DATA 446
+#define VAR_VIEW 447
+#define VAR_ACCESS_CONTROL_VIEW 448
+#define VAR_VIEW_FIRST 449
+#define VAR_SERVE_EXPIRED 450
+#define VAR_FAKE_DSA 451
+#define VAR_FAKE_SHA1 452
+#define VAR_LOG_IDENTITY 453
+#define VAR_HIDE_TRUSTANCHOR 454
+#define VAR_TRUST_ANCHOR_SIGNALING 455
+#define VAR_USE_SYSTEMD 456
+#define VAR_SHM_ENABLE 457
+#define VAR_SHM_KEY 458
+#define VAR_DNSCRYPT 459
+#define VAR_DNSCRYPT_ENABLE 460
+#define VAR_DNSCRYPT_PORT 461
+#define VAR_DNSCRYPT_PROVIDER 462
+#define VAR_DNSCRYPT_SECRET_KEY 463
+#define VAR_DNSCRYPT_PROVIDER_CERT 464
+#define VAR_IPSECMOD_ENABLED 465
+#define VAR_IPSECMOD_HOOK 466
+#define VAR_IPSECMOD_IGNORE_BOGUS 467
+#define VAR_IPSECMOD_MAX_TTL 468
+#define VAR_IPSECMOD_WHITELIST 469
+#define VAR_IPSECMOD_STRICT 470
/* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -549,7 +565,7 @@ union YYSTYPE
char* str;
-#line 553 "util/configparser.c" /* yacc.c:355 */
+#line 569 "util/configparser.c" /* yacc.c:355 */
};
typedef union YYSTYPE YYSTYPE;
@@ -566,7 +582,7 @@ int yyparse (void);
/* Copy the second part of user declarations. */
-#line 570 "util/configparser.c" /* yacc.c:358 */
+#line 586 "util/configparser.c" /* yacc.c:358 */
#ifdef short
# undef short
@@ -808,21 +824,21 @@ union yyalloc
/* YYFINAL -- State number of the termination state. */
#define YYFINAL 2
/* YYLAST -- Last index in YYTABLE. */
-#define YYLAST 421
+#define YYLAST 442
/* YYNTOKENS -- Number of terminals. */
-#define YYNTOKENS 208
+#define YYNTOKENS 216
/* YYNNTS -- Number of nonterminals. */
-#define YYNNTS 223
+#define YYNNTS 231
/* YYNRULES -- Number of rules. */
-#define YYNRULES 427
+#define YYNRULES 443
/* YYNSTATES -- Number of states. */
-#define YYNSTATES 643
+#define YYNSTATES 667
/* YYTRANSLATE[YYX] -- Symbol number corresponding to YYX as returned
by yylex, with out-of-bounds checking. */
#define YYUNDEFTOK 2
-#define YYMAXUTOK 462
+#define YYMAXUTOK 470
#define YYTRANSLATE(YYX) \
((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK)
@@ -877,56 +893,59 @@ static const yytype_uint8 yytranslate[] =
175, 176, 177, 178, 179, 180, 181, 182, 183, 184,
185, 186, 187, 188, 189, 190, 191, 192, 193, 194,
195, 196, 197, 198, 199, 200, 201, 202, 203, 204,
- 205, 206, 207
+ 205, 206, 207, 208, 209, 210, 211, 212, 213, 214,
+ 215
};
#if YYDEBUG
/* YYRLINE[YYN] -- Source line where rule number YYN was defined. */
static const yytype_uint16 yyrline[] =
{
- 0, 149, 149, 149, 150, 150, 151, 151, 152, 152,
- 152, 154, 158, 163, 164, 165, 165, 165, 166, 166,
- 167, 167, 168, 168, 169, 169, 170, 170, 170, 171,
- 171, 171, 172, 172, 173, 173, 174, 174, 175, 175,
- 176, 176, 177, 177, 178, 178, 179, 179, 180, 180,
- 180, 181, 181, 181, 182, 182, 182, 183, 183, 184,
- 184, 185, 185, 186, 186, 187, 187, 187, 188, 188,
- 189, 189, 190, 190, 190, 191, 191, 192, 192, 193,
- 193, 194, 194, 194, 195, 195, 196, 196, 197, 197,
- 198, 198, 199, 199, 200, 200, 200, 201, 201, 202,
- 202, 202, 203, 203, 203, 204, 204, 204, 205, 205,
- 205, 205, 206, 206, 206, 207, 207, 207, 208, 208,
- 209, 209, 210, 210, 211, 211, 212, 212, 212, 213,
- 213, 214, 214, 215, 216, 216, 217, 217, 218, 219,
- 220, 220, 221, 221, 222, 222, 223, 223, 223, 224,
- 224, 225, 225, 226, 226, 227, 227, 228, 228, 228,
- 229, 229, 229, 230, 230, 230, 231, 233, 245, 246,
- 247, 247, 247, 247, 247, 248, 250, 262, 263, 264,
- 264, 264, 264, 265, 267, 281, 282, 283, 283, 283,
- 283, 284, 284, 284, 286, 295, 304, 315, 324, 333,
- 342, 353, 362, 374, 389, 400, 417, 434, 447, 462,
- 471, 480, 489, 498, 507, 516, 525, 534, 543, 552,
- 561, 570, 579, 588, 597, 604, 611, 620, 629, 638,
- 652, 661, 670, 679, 686, 693, 719, 727, 734, 741,
- 748, 755, 763, 771, 779, 786, 793, 802, 811, 820,
- 827, 834, 842, 850, 860, 870, 880, 893, 904, 912,
- 925, 934, 943, 952, 962, 972, 980, 993, 1002, 1010,
- 1019, 1027, 1040, 1049, 1056, 1066, 1076, 1086, 1096, 1106,
- 1116, 1126, 1136, 1143, 1150, 1157, 1166, 1175, 1184, 1191,
- 1201, 1218, 1225, 1243, 1256, 1269, 1278, 1287, 1296, 1305,
- 1315, 1325, 1334, 1343, 1356, 1369, 1378, 1385, 1394, 1403,
- 1412, 1421, 1429, 1442, 1450, 1478, 1485, 1500, 1510, 1520,
- 1527, 1534, 1543, 1557, 1576, 1595, 1607, 1619, 1631, 1642,
- 1661, 1671, 1680, 1688, 1696, 1709, 1722, 1735, 1748, 1757,
- 1766, 1776, 1786, 1796, 1803, 1810, 1819, 1829, 1839, 1849,
- 1856, 1863, 1872, 1882, 1892, 1921, 1931, 1939, 1948, 1963,
- 1972, 1977, 1978, 1979, 1979, 1979, 1980, 1980, 1980, 1981,
- 1981, 1983, 1993, 2002, 2009, 2019, 2026, 2033, 2040, 2047,
- 2052, 2053, 2054, 2054, 2055, 2055, 2056, 2056, 2057, 2058,
- 2059, 2060, 2061, 2062, 2064, 2072, 2079, 2087, 2095, 2102,
- 2109, 2118, 2127, 2136, 2145, 2154, 2163, 2168, 2169, 2170,
- 2172, 2178, 2188, 2195, 2204, 2212, 2218, 2219, 2221, 2221,
- 2221, 2222, 2222, 2224, 2233, 2243, 2250, 2257
+ 0, 151, 151, 151, 152, 152, 153, 153, 154, 154,
+ 154, 156, 160, 165, 166, 167, 167, 167, 168, 168,
+ 169, 169, 170, 170, 171, 171, 172, 172, 172, 173,
+ 173, 173, 174, 174, 175, 175, 176, 176, 177, 177,
+ 178, 178, 179, 179, 180, 180, 181, 181, 182, 182,
+ 182, 183, 183, 183, 184, 184, 184, 185, 185, 186,
+ 186, 187, 187, 188, 188, 189, 189, 189, 190, 190,
+ 191, 191, 192, 192, 192, 193, 193, 194, 194, 195,
+ 195, 196, 196, 196, 197, 197, 198, 198, 199, 199,
+ 200, 200, 201, 201, 202, 202, 202, 203, 203, 204,
+ 204, 204, 205, 205, 205, 206, 206, 206, 207, 207,
+ 207, 207, 208, 208, 208, 209, 209, 209, 210, 210,
+ 211, 211, 212, 212, 213, 213, 214, 214, 214, 215,
+ 215, 216, 216, 217, 218, 218, 219, 219, 220, 220,
+ 221, 222, 222, 223, 223, 224, 224, 225, 225, 225,
+ 226, 226, 227, 227, 228, 228, 229, 229, 230, 230,
+ 230, 231, 231, 231, 232, 232, 232, 233, 233, 234,
+ 234, 235, 235, 236, 236, 238, 250, 251, 252, 252,
+ 252, 252, 252, 253, 255, 267, 268, 269, 269, 269,
+ 269, 270, 272, 286, 287, 288, 288, 288, 288, 289,
+ 289, 289, 291, 300, 309, 320, 329, 338, 347, 358,
+ 367, 378, 391, 406, 417, 434, 451, 464, 479, 488,
+ 497, 506, 515, 524, 533, 542, 551, 560, 569, 578,
+ 587, 596, 605, 614, 621, 628, 637, 646, 655, 669,
+ 678, 687, 696, 703, 710, 736, 744, 751, 758, 765,
+ 772, 780, 788, 796, 803, 814, 821, 830, 839, 848,
+ 855, 862, 870, 878, 888, 898, 908, 921, 932, 940,
+ 953, 962, 971, 980, 990, 1000, 1008, 1021, 1030, 1038,
+ 1047, 1055, 1068, 1077, 1084, 1094, 1104, 1114, 1124, 1134,
+ 1144, 1154, 1164, 1171, 1178, 1185, 1194, 1203, 1212, 1219,
+ 1229, 1246, 1253, 1271, 1284, 1297, 1306, 1315, 1324, 1333,
+ 1343, 1353, 1362, 1371, 1384, 1397, 1406, 1413, 1422, 1431,
+ 1440, 1449, 1457, 1470, 1478, 1506, 1513, 1528, 1538, 1548,
+ 1555, 1562, 1571, 1585, 1604, 1623, 1635, 1647, 1659, 1670,
+ 1689, 1699, 1708, 1716, 1724, 1737, 1750, 1763, 1776, 1785,
+ 1794, 1804, 1814, 1827, 1840, 1851, 1864, 1875, 1888, 1898,
+ 1905, 1912, 1921, 1931, 1941, 1951, 1958, 1965, 1974, 1984,
+ 1994, 2023, 2033, 2041, 2050, 2065, 2074, 2079, 2080, 2081,
+ 2081, 2081, 2082, 2082, 2082, 2083, 2083, 2085, 2095, 2104,
+ 2111, 2121, 2128, 2135, 2142, 2149, 2154, 2155, 2156, 2156,
+ 2157, 2157, 2158, 2158, 2159, 2160, 2161, 2162, 2163, 2164,
+ 2166, 2174, 2181, 2189, 2197, 2204, 2211, 2220, 2229, 2238,
+ 2247, 2256, 2265, 2270, 2271, 2272, 2274, 2280, 2290, 2297,
+ 2306, 2314, 2320, 2321, 2323, 2323, 2323, 2324, 2324, 2326,
+ 2336, 2346, 2353, 2360
};
#endif
@@ -995,30 +1014,33 @@ static const char *const yytname[] =
"VAR_RATELIMIT", "VAR_RATELIMIT_SLABS", "VAR_RATELIMIT_SIZE",
"VAR_RATELIMIT_FOR_DOMAIN", "VAR_RATELIMIT_BELOW_DOMAIN",
"VAR_IP_RATELIMIT_FACTOR", "VAR_RATELIMIT_FACTOR",
- "VAR_SEND_CLIENT_SUBNET", "VAR_CLIENT_SUBNET_ALWAYS_FORWARD",
- "VAR_CLIENT_SUBNET_OPCODE", "VAR_MAX_CLIENT_SUBNET_IPV4",
- "VAR_MAX_CLIENT_SUBNET_IPV6", "VAR_CAPS_WHITELIST",
- "VAR_CACHE_MAX_NEGATIVE_TTL", "VAR_PERMIT_SMALL_HOLDDOWN",
- "VAR_QNAME_MINIMISATION", "VAR_QNAME_MINIMISATION_STRICT",
- "VAR_IP_FREEBIND", "VAR_DEFINE_TAG", "VAR_LOCAL_ZONE_TAG",
- "VAR_ACCESS_CONTROL_TAG", "VAR_LOCAL_ZONE_OVERRIDE",
- "VAR_ACCESS_CONTROL_TAG_ACTION", "VAR_ACCESS_CONTROL_TAG_DATA",
- "VAR_VIEW", "VAR_ACCESS_CONTROL_VIEW", "VAR_VIEW_FIRST",
- "VAR_SERVE_EXPIRED", "VAR_FAKE_DSA", "VAR_FAKE_SHA1", "VAR_LOG_IDENTITY",
- "VAR_HIDE_TRUSTANCHOR", "VAR_USE_SYSTEMD", "VAR_SHM_ENABLE",
- "VAR_SHM_KEY", "VAR_DNSCRYPT", "VAR_DNSCRYPT_ENABLE",
- "VAR_DNSCRYPT_PORT", "VAR_DNSCRYPT_PROVIDER", "VAR_DNSCRYPT_SECRET_KEY",
- "VAR_DNSCRYPT_PROVIDER_CERT", "$accept", "toplevelvars", "toplevelvar",
- "serverstart", "contents_server", "content_server", "stubstart",
- "contents_stub", "content_stub", "forwardstart", "contents_forward",
- "content_forward", "viewstart", "contents_view", "content_view",
- "server_num_threads", "server_verbosity", "server_statistics_interval",
+ "VAR_SEND_CLIENT_SUBNET", "VAR_CLIENT_SUBNET_ZONE",
+ "VAR_CLIENT_SUBNET_ALWAYS_FORWARD", "VAR_CLIENT_SUBNET_OPCODE",
+ "VAR_MAX_CLIENT_SUBNET_IPV4", "VAR_MAX_CLIENT_SUBNET_IPV6",
+ "VAR_CAPS_WHITELIST", "VAR_CACHE_MAX_NEGATIVE_TTL",
+ "VAR_PERMIT_SMALL_HOLDDOWN", "VAR_QNAME_MINIMISATION",
+ "VAR_QNAME_MINIMISATION_STRICT", "VAR_IP_FREEBIND", "VAR_DEFINE_TAG",
+ "VAR_LOCAL_ZONE_TAG", "VAR_ACCESS_CONTROL_TAG",
+ "VAR_LOCAL_ZONE_OVERRIDE", "VAR_ACCESS_CONTROL_TAG_ACTION",
+ "VAR_ACCESS_CONTROL_TAG_DATA", "VAR_VIEW", "VAR_ACCESS_CONTROL_VIEW",
+ "VAR_VIEW_FIRST", "VAR_SERVE_EXPIRED", "VAR_FAKE_DSA", "VAR_FAKE_SHA1",
+ "VAR_LOG_IDENTITY", "VAR_HIDE_TRUSTANCHOR", "VAR_TRUST_ANCHOR_SIGNALING",
+ "VAR_USE_SYSTEMD", "VAR_SHM_ENABLE", "VAR_SHM_KEY", "VAR_DNSCRYPT",
+ "VAR_DNSCRYPT_ENABLE", "VAR_DNSCRYPT_PORT", "VAR_DNSCRYPT_PROVIDER",
+ "VAR_DNSCRYPT_SECRET_KEY", "VAR_DNSCRYPT_PROVIDER_CERT",
+ "VAR_IPSECMOD_ENABLED", "VAR_IPSECMOD_HOOK", "VAR_IPSECMOD_IGNORE_BOGUS",
+ "VAR_IPSECMOD_MAX_TTL", "VAR_IPSECMOD_WHITELIST", "VAR_IPSECMOD_STRICT",
+ "$accept", "toplevelvars", "toplevelvar", "serverstart",
+ "contents_server", "content_server", "stubstart", "contents_stub",
+ "content_stub", "forwardstart", "contents_forward", "content_forward",
+ "viewstart", "contents_view", "content_view", "server_num_threads",
+ "server_verbosity", "server_statistics_interval",
"server_statistics_cumulative", "server_extended_statistics",
"server_shm_enable", "server_shm_key", "server_port",
- "server_send_client_subnet", "server_client_subnet_always_forward",
- "server_client_subnet_opcode", "server_max_client_subnet_ipv4",
- "server_max_client_subnet_ipv6", "server_interface",
- "server_outgoing_interface", "server_outgoing_range",
+ "server_send_client_subnet", "server_client_subnet_zone",
+ "server_client_subnet_always_forward", "server_client_subnet_opcode",
+ "server_max_client_subnet_ipv4", "server_max_client_subnet_ipv6",
+ "server_interface", "server_outgoing_interface", "server_outgoing_range",
"server_outgoing_port_permit", "server_outgoing_port_avoid",
"server_outgoing_num_tcp", "server_incoming_num_tcp",
"server_interface_automatic", "server_do_ip4", "server_do_ip6",
@@ -1031,36 +1053,36 @@ static const char *const yytname[] =
"server_pidfile", "server_root_hints", "server_dlv_anchor_file",
"server_dlv_anchor", "server_auto_trust_anchor_file",
"server_trust_anchor_file", "server_trusted_keys_file",
- "server_trust_anchor", "server_domain_insecure", "server_hide_identity",
- "server_hide_version", "server_hide_trustanchor", "server_identity",
- "server_version", "server_so_rcvbuf", "server_so_sndbuf",
- "server_so_reuseport", "server_ip_transparent", "server_ip_freebind",
- "server_edns_buffer_size", "server_msg_buffer_size",
- "server_msg_cache_size", "server_msg_cache_slabs",
- "server_num_queries_per_thread", "server_jostle_timeout",
- "server_delay_close", "server_unblock_lan_zones",
- "server_insecure_lan_zones", "server_rrset_cache_size",
- "server_rrset_cache_slabs", "server_infra_host_ttl",
- "server_infra_lame_ttl", "server_infra_cache_numhosts",
- "server_infra_cache_lame_size", "server_infra_cache_slabs",
- "server_infra_cache_min_rtt", "server_target_fetch_policy",
- "server_harden_short_bufsize", "server_harden_large_queries",
- "server_harden_glue", "server_harden_dnssec_stripped",
- "server_harden_below_nxdomain", "server_harden_referral_path",
- "server_harden_algo_downgrade", "server_use_caps_for_id",
- "server_caps_whitelist", "server_private_address",
- "server_private_domain", "server_prefetch", "server_prefetch_key",
- "server_unwanted_reply_threshold", "server_do_not_query_address",
- "server_do_not_query_localhost", "server_access_control",
- "server_module_conf", "server_val_override_date",
- "server_val_sig_skew_min", "server_val_sig_skew_max",
- "server_cache_max_ttl", "server_cache_max_negative_ttl",
- "server_cache_min_ttl", "server_bogus_ttl",
- "server_val_clean_additional", "server_val_permissive_mode",
- "server_ignore_cd_flag", "server_serve_expired", "server_fake_dsa",
- "server_fake_sha1", "server_val_log_level",
- "server_val_nsec3_keysize_iterations", "server_add_holddown",
- "server_del_holddown", "server_keep_missing",
+ "server_trust_anchor", "server_trust_anchor_signaling",
+ "server_domain_insecure", "server_hide_identity", "server_hide_version",
+ "server_hide_trustanchor", "server_identity", "server_version",
+ "server_so_rcvbuf", "server_so_sndbuf", "server_so_reuseport",
+ "server_ip_transparent", "server_ip_freebind", "server_edns_buffer_size",
+ "server_msg_buffer_size", "server_msg_cache_size",
+ "server_msg_cache_slabs", "server_num_queries_per_thread",
+ "server_jostle_timeout", "server_delay_close",
+ "server_unblock_lan_zones", "server_insecure_lan_zones",
+ "server_rrset_cache_size", "server_rrset_cache_slabs",
+ "server_infra_host_ttl", "server_infra_lame_ttl",
+ "server_infra_cache_numhosts", "server_infra_cache_lame_size",
+ "server_infra_cache_slabs", "server_infra_cache_min_rtt",
+ "server_target_fetch_policy", "server_harden_short_bufsize",
+ "server_harden_large_queries", "server_harden_glue",
+ "server_harden_dnssec_stripped", "server_harden_below_nxdomain",
+ "server_harden_referral_path", "server_harden_algo_downgrade",
+ "server_use_caps_for_id", "server_caps_whitelist",
+ "server_private_address", "server_private_domain", "server_prefetch",
+ "server_prefetch_key", "server_unwanted_reply_threshold",
+ "server_do_not_query_address", "server_do_not_query_localhost",
+ "server_access_control", "server_module_conf",
+ "server_val_override_date", "server_val_sig_skew_min",
+ "server_val_sig_skew_max", "server_cache_max_ttl",
+ "server_cache_max_negative_ttl", "server_cache_min_ttl",
+ "server_bogus_ttl", "server_val_clean_additional",
+ "server_val_permissive_mode", "server_ignore_cd_flag",
+ "server_serve_expired", "server_fake_dsa", "server_fake_sha1",
+ "server_val_log_level", "server_val_nsec3_keysize_iterations",
+ "server_add_holddown", "server_del_holddown", "server_keep_missing",
"server_permit_small_holddown", "server_key_cache_size",
"server_key_cache_slabs", "server_neg_cache_size", "server_local_zone",
"server_local_data", "server_local_data_ptr", "server_minimal_responses",
@@ -1074,18 +1096,21 @@ static const char *const yytname[] =
"server_ratelimit_slabs", "server_ratelimit_for_domain",
"server_ratelimit_below_domain", "server_ip_ratelimit_factor",
"server_ratelimit_factor", "server_qname_minimisation",
- "server_qname_minimisation_strict", "stub_name", "stub_host",
- "stub_addr", "stub_first", "stub_ssl_upstream", "stub_prime",
- "forward_name", "forward_host", "forward_addr", "forward_first",
- "forward_ssl_upstream", "view_name", "view_local_zone",
- "view_response_ip", "view_response_ip_data", "view_local_data",
- "view_local_data_ptr", "view_first", "rcstart", "contents_rc",
- "content_rc", "rc_control_enable", "rc_control_port",
- "rc_control_interface", "rc_control_use_cert", "rc_server_key_file",
- "rc_server_cert_file", "rc_control_key_file", "rc_control_cert_file",
- "dtstart", "contents_dt", "content_dt", "dt_dnstap_enable",
- "dt_dnstap_socket_path", "dt_dnstap_send_identity",
- "dt_dnstap_send_version", "dt_dnstap_identity", "dt_dnstap_version",
+ "server_qname_minimisation_strict", "server_ipsecmod_enabled",
+ "server_ipsecmod_ignore_bogus", "server_ipsecmod_hook",
+ "server_ipsecmod_max_ttl", "server_ipsecmod_whitelist",
+ "server_ipsecmod_strict", "stub_name", "stub_host", "stub_addr",
+ "stub_first", "stub_ssl_upstream", "stub_prime", "forward_name",
+ "forward_host", "forward_addr", "forward_first", "forward_ssl_upstream",
+ "view_name", "view_local_zone", "view_response_ip",
+ "view_response_ip_data", "view_local_data", "view_local_data_ptr",
+ "view_first", "rcstart", "contents_rc", "content_rc",
+ "rc_control_enable", "rc_control_port", "rc_control_interface",
+ "rc_control_use_cert", "rc_server_key_file", "rc_server_cert_file",
+ "rc_control_key_file", "rc_control_cert_file", "dtstart", "contents_dt",
+ "content_dt", "dt_dnstap_enable", "dt_dnstap_socket_path",
+ "dt_dnstap_send_identity", "dt_dnstap_send_version",
+ "dt_dnstap_identity", "dt_dnstap_version",
"dt_dnstap_log_resolver_query_messages",
"dt_dnstap_log_resolver_response_messages",
"dt_dnstap_log_client_query_messages",
@@ -1126,14 +1151,15 @@ static const yytype_uint16 yytoknum[] =
425, 426, 427, 428, 429, 430, 431, 432, 433, 434,
435, 436, 437, 438, 439, 440, 441, 442, 443, 444,
445, 446, 447, 448, 449, 450, 451, 452, 453, 454,
- 455, 456, 457, 458, 459, 460, 461, 462
+ 455, 456, 457, 458, 459, 460, 461, 462, 463, 464,
+ 465, 466, 467, 468, 469, 470
};
# endif
-#define YYPACT_NINF -162
+#define YYPACT_NINF -200
#define yypact_value_is_default(Yystate) \
- (!!((Yystate) == (-162)))
+ (!!((Yystate) == (-200)))
#define YYTABLE_NINF -1
@@ -1144,71 +1170,73 @@ static const yytype_uint16 yytoknum[] =
STATE-NUM. */
static const yytype_int16 yypact[] =
{
- -162, 0, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- 191, -38, -34, -39, -64, -130, -105, -161, -3, -2,
- -1, 2, 3, 26, 29, 30, 38, 39, 40, 41,
- 42, 43, 44, 45, 46, 47, 48, 49, 50, 51,
- 53, 54, 56, 57, 58, 59, 60, 61, 62, 63,
- 64, 65, 66, 67, 68, 69, 70, 71, 72, 73,
- 74, 75, 76, 77, 78, 79, 80, 82, 83, 84,
- 86, 89, 91, 92, 93, 94, 95, 96, 98, 99,
- 100, 101, 102, 103, 104, 105, 106, 107, 108, 109,
- 112, 113, 114, 115, 116, 117, 118, 119, 120, 121,
- 122, 123, 124, 125, 126, 127, 128, 129, 130, 131,
- 132, 133, 134, 136, 137, 138, 139, 140, 141, 142,
- 143, 145, 146, 147, 148, 149, 150, 151, 152, 153,
- 154, 155, 156, 157, 158, 159, 160, 161, 162, 163,
- 164, 165, 166, 167, 168, 169, 170, 171, 172, 173,
- 174, 175, 176, 177, 178, 179, 180, 182, 183, 184,
- 185, 186, 187, 188, 189, 190, 221, 222, 223, 224,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, 228, 229, 230, 272, 273, 274, -162,
- -162, -162, -162, -162, -162, -162, 275, 276, 277, 278,
- 279, -162, -162, -162, -162, -162, -162, 280, 284, 288,
- 289, 313, 314, 315, -162, -162, -162, -162, -162, -162,
- -162, -162, 316, 326, 327, 328, 329, 330, 331, 332,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, 333,
- 334, 335, 336, 337, 338, 372, 374, 383, 384, 385,
- 386, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, 387, -162, -162, 388, 389, 390,
- 391, 392, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, 393, 394, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, 395, 396,
- 397, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- 398, 399, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, 400, 401, 402, 403,
- 404, 405, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, 406, -162, -162, 407, 408, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, 409, 410, 411, -162, -162, -162, -162,
- -162, -162, -162
+ -200, 0, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ 96, -39, -35, 248, -65, -131, -106, -199, 2, 25,
+ 26, 27, 28, 29, 30, 32, 33, 34, 35, 36,
+ 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
+ 48, 49, 50, 51, 52, 53, 55, 56, 57, 58,
+ 59, 60, 61, 62, 63, 64, 65, 66, 67, 68,
+ 69, 70, 71, 72, 73, 74, 75, 76, 77, 78,
+ 79, 80, 82, 83, 85, 88, 90, 91, 92, 93,
+ 94, 95, 126, 127, 128, 129, 133, 134, 177, 178,
+ 179, 180, 181, 183, 184, 185, 189, 193, 218, 219,
+ 220, 221, 231, 232, 233, 234, 235, 236, 237, 238,
+ 239, 240, 241, 242, 243, 280, 290, 291, 292, 293,
+ 294, 295, 302, 303, 304, 305, 306, 307, 308, 309,
+ 310, 311, 312, 313, 316, 317, 318, 319, 320, 321,
+ 322, 323, 324, 325, 326, 327, 328, 329, 330, 331,
+ 332, 333, 334, 335, 336, 337, 338, 340, 341, 342,
+ 343, 344, 345, 346, 347, 348, 349, 350, 351, 352,
+ 353, 354, 355, 356, 357, 358, 359, 360, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, 361,
+ 362, 363, 364, 365, 366, -200, -200, -200, -200, -200,
+ -200, -200, 367, 368, 369, 370, 371, -200, -200, -200,
+ -200, -200, -200, 372, 373, 374, 375, 376, 377, 378,
+ -200, -200, -200, -200, -200, -200, -200, -200, 379, 380,
+ 381, 382, 383, 384, 385, 386, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, 387, 388, 389, 390, 391,
+ 392, 393, 394, 395, 396, 399, 400, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ 401, -200, -200, 402, 403, 404, 405, 406, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ 407, 408, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, 409, 410, 411, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, 412, 413, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, 414, 415, 416, 417, 418, 419, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, 420, -200, -200, 421,
+ 422, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, 423, 424, 425,
+ -200, -200, -200, -200, -200, -200, -200
};
/* YYDEFACT[STATE-NUM] -- Default reduction number in state STATE-NUM.
@@ -1216,8 +1244,8 @@ static const yytype_int16 yypact[] =
means the default is an error. */
static const yytype_uint16 yydefact[] =
{
- 2, 0, 1, 12, 167, 176, 360, 406, 379, 184,
- 415, 3, 14, 169, 178, 186, 362, 381, 408, 417,
+ 2, 0, 1, 12, 175, 184, 376, 422, 395, 192,
+ 431, 3, 14, 177, 186, 194, 378, 397, 424, 433,
4, 5, 6, 10, 8, 9, 7, 11, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
@@ -1234,109 +1262,113 @@ static const yytype_uint16 yydefact[] =
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 13, 15, 16, 75, 78, 87, 163, 164, 17, 137,
- 138, 139, 140, 141, 26, 66, 18, 79, 80, 37,
- 59, 74, 19, 20, 22, 23, 21, 24, 25, 110,
- 111, 112, 113, 114, 159, 76, 65, 91, 108, 109,
- 27, 28, 29, 30, 31, 67, 81, 82, 97, 53,
- 63, 54, 92, 47, 48, 166, 49, 50, 101, 105,
- 118, 126, 146, 102, 60, 32, 33, 34, 89, 119,
+ 0, 0, 0, 0, 0, 0, 0, 0, 13, 15,
+ 16, 75, 78, 87, 164, 165, 17, 137, 138, 139,
+ 140, 141, 142, 26, 66, 18, 79, 80, 37, 59,
+ 74, 19, 20, 22, 23, 21, 24, 25, 110, 111,
+ 112, 113, 114, 160, 76, 65, 91, 108, 109, 27,
+ 28, 29, 30, 31, 67, 81, 82, 97, 53, 63,
+ 54, 168, 92, 47, 48, 167, 49, 50, 101, 105,
+ 118, 126, 147, 102, 60, 32, 33, 34, 89, 119,
120, 121, 35, 36, 38, 39, 41, 42, 40, 124,
- 43, 44, 45, 51, 70, 106, 84, 125, 77, 142,
+ 43, 44, 45, 51, 70, 106, 84, 125, 77, 143,
85, 86, 103, 104, 90, 46, 68, 71, 52, 55,
- 93, 94, 69, 143, 95, 56, 57, 58, 107, 156,
- 157, 165, 96, 64, 98, 99, 100, 144, 61, 62,
- 83, 72, 73, 88, 115, 116, 117, 122, 123, 147,
- 148, 150, 152, 153, 151, 154, 160, 127, 128, 131,
- 132, 129, 130, 133, 134, 136, 135, 145, 155, 149,
- 158, 161, 162, 0, 0, 0, 0, 0, 0, 168,
- 170, 171, 172, 174, 175, 173, 0, 0, 0, 0,
- 0, 177, 179, 180, 181, 182, 183, 0, 0, 0,
- 0, 0, 0, 0, 185, 187, 188, 191, 192, 189,
- 193, 190, 0, 0, 0, 0, 0, 0, 0, 0,
- 361, 363, 365, 364, 370, 366, 367, 368, 369, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 380, 382, 383, 384, 385, 386, 387, 388, 389,
- 390, 391, 392, 393, 0, 407, 409, 0, 0, 0,
- 0, 0, 416, 418, 419, 420, 422, 421, 195, 194,
- 201, 209, 207, 215, 216, 219, 217, 218, 220, 221,
- 233, 234, 235, 236, 237, 258, 259, 260, 265, 266,
- 212, 267, 268, 271, 269, 270, 273, 274, 275, 288,
- 246, 247, 249, 250, 276, 291, 242, 244, 292, 298,
- 299, 300, 213, 257, 311, 312, 243, 306, 229, 208,
- 238, 289, 295, 277, 0, 0, 315, 214, 196, 228,
- 281, 197, 210, 211, 239, 240, 313, 279, 283, 284,
- 198, 316, 261, 287, 230, 245, 293, 294, 297, 305,
- 241, 309, 307, 308, 251, 256, 285, 286, 252, 253,
- 278, 301, 231, 232, 222, 223, 224, 225, 226, 317,
- 318, 319, 262, 263, 264, 272, 320, 321, 0, 0,
- 0, 280, 254, 411, 330, 334, 332, 331, 335, 333,
- 0, 0, 338, 339, 202, 203, 204, 205, 206, 282,
- 296, 310, 340, 341, 255, 322, 0, 0, 0, 0,
- 0, 0, 302, 303, 304, 412, 248, 227, 199, 200,
- 342, 343, 344, 347, 346, 345, 348, 349, 350, 351,
- 352, 353, 0, 357, 358, 0, 0, 359, 371, 373,
- 372, 375, 376, 377, 378, 374, 394, 395, 396, 397,
- 398, 399, 400, 401, 402, 403, 404, 405, 410, 423,
- 424, 425, 427, 426, 290, 314, 329, 413, 414, 336,
- 337, 323, 324, 0, 0, 0, 328, 354, 355, 356,
- 327, 325, 326
+ 93, 94, 69, 144, 95, 56, 57, 58, 107, 157,
+ 158, 166, 96, 64, 98, 99, 100, 145, 61, 62,
+ 83, 72, 73, 88, 115, 116, 117, 122, 123, 148,
+ 149, 151, 153, 154, 152, 155, 161, 127, 128, 131,
+ 132, 129, 130, 133, 134, 136, 135, 146, 156, 169,
+ 171, 170, 172, 173, 174, 150, 159, 162, 163, 0,
+ 0, 0, 0, 0, 0, 176, 178, 179, 180, 182,
+ 183, 181, 0, 0, 0, 0, 0, 185, 187, 188,
+ 189, 190, 191, 0, 0, 0, 0, 0, 0, 0,
+ 193, 195, 196, 199, 200, 197, 201, 198, 0, 0,
+ 0, 0, 0, 0, 0, 0, 377, 379, 381, 380,
+ 386, 382, 383, 384, 385, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 396, 398, 399,
+ 400, 401, 402, 403, 404, 405, 406, 407, 408, 409,
+ 0, 423, 425, 0, 0, 0, 0, 0, 432, 434,
+ 435, 436, 438, 437, 203, 202, 209, 218, 216, 224,
+ 225, 228, 226, 227, 229, 230, 242, 243, 244, 245,
+ 246, 268, 269, 270, 275, 276, 221, 277, 278, 281,
+ 279, 280, 283, 284, 285, 298, 256, 257, 259, 260,
+ 286, 301, 251, 253, 302, 308, 309, 310, 222, 267,
+ 321, 322, 252, 316, 238, 217, 247, 299, 305, 287,
+ 0, 0, 325, 223, 204, 237, 291, 205, 219, 220,
+ 248, 249, 323, 289, 293, 294, 206, 326, 271, 297,
+ 239, 255, 303, 304, 307, 315, 250, 319, 317, 318,
+ 261, 266, 295, 296, 262, 263, 288, 311, 240, 241,
+ 231, 232, 233, 234, 235, 327, 328, 329, 272, 273,
+ 274, 282, 330, 331, 0, 0, 0, 290, 264, 427,
+ 340, 344, 342, 341, 345, 343, 0, 0, 348, 349,
+ 210, 211, 212, 213, 214, 215, 292, 306, 320, 350,
+ 351, 265, 332, 0, 0, 0, 0, 0, 0, 312,
+ 313, 314, 428, 258, 254, 236, 207, 208, 352, 354,
+ 353, 355, 356, 357, 358, 359, 360, 363, 362, 361,
+ 364, 365, 366, 367, 368, 369, 0, 373, 374, 0,
+ 0, 375, 387, 389, 388, 391, 392, 393, 394, 390,
+ 410, 411, 412, 413, 414, 415, 416, 417, 418, 419,
+ 420, 421, 426, 439, 440, 441, 443, 442, 300, 324,
+ 339, 429, 430, 346, 347, 333, 334, 0, 0, 0,
+ 338, 370, 371, 372, 337, 335, 336
};
/* YYPGOTO[NTERM-NUM]. */
static const yytype_int16 yypgoto[] =
{
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162, -162, -162, -162, -162, -162, -162, -162,
- -162, -162, -162
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200, -200, -200, -200, -200, -200, -200, -200, -200, -200,
+ -200
};
/* YYDEFGOTO[NTERM-NUM]. */
static const yytype_int16 yydefgoto[] =
{
- -1, 1, 11, 12, 20, 180, 13, 21, 339, 14,
- 22, 351, 15, 23, 364, 181, 182, 183, 184, 185,
- 186, 187, 188, 189, 190, 191, 192, 193, 194, 195,
- 196, 197, 198, 199, 200, 201, 202, 203, 204, 205,
- 206, 207, 208, 209, 210, 211, 212, 213, 214, 215,
- 216, 217, 218, 219, 220, 221, 222, 223, 224, 225,
- 226, 227, 228, 229, 230, 231, 232, 233, 234, 235,
- 236, 237, 238, 239, 240, 241, 242, 243, 244, 245,
- 246, 247, 248, 249, 250, 251, 252, 253, 254, 255,
- 256, 257, 258, 259, 260, 261, 262, 263, 264, 265,
- 266, 267, 268, 269, 270, 271, 272, 273, 274, 275,
- 276, 277, 278, 279, 280, 281, 282, 283, 284, 285,
- 286, 287, 288, 289, 290, 291, 292, 293, 294, 295,
- 296, 297, 298, 299, 300, 301, 302, 303, 304, 305,
- 306, 307, 308, 309, 310, 311, 312, 313, 314, 315,
- 316, 317, 318, 319, 320, 321, 322, 323, 324, 325,
- 326, 327, 328, 340, 341, 342, 343, 344, 345, 352,
- 353, 354, 355, 356, 365, 366, 367, 368, 369, 370,
- 371, 16, 24, 380, 381, 382, 383, 384, 385, 386,
- 387, 388, 17, 25, 401, 402, 403, 404, 405, 406,
- 407, 408, 409, 410, 411, 412, 413, 18, 26, 415,
- 416, 329, 330, 331, 332, 19, 27, 422, 423, 424,
- 425, 426, 427
+ -1, 1, 11, 12, 20, 188, 13, 21, 355, 14,
+ 22, 367, 15, 23, 380, 189, 190, 191, 192, 193,
+ 194, 195, 196, 197, 198, 199, 200, 201, 202, 203,
+ 204, 205, 206, 207, 208, 209, 210, 211, 212, 213,
+ 214, 215, 216, 217, 218, 219, 220, 221, 222, 223,
+ 224, 225, 226, 227, 228, 229, 230, 231, 232, 233,
+ 234, 235, 236, 237, 238, 239, 240, 241, 242, 243,
+ 244, 245, 246, 247, 248, 249, 250, 251, 252, 253,
+ 254, 255, 256, 257, 258, 259, 260, 261, 262, 263,
+ 264, 265, 266, 267, 268, 269, 270, 271, 272, 273,
+ 274, 275, 276, 277, 278, 279, 280, 281, 282, 283,
+ 284, 285, 286, 287, 288, 289, 290, 291, 292, 293,
+ 294, 295, 296, 297, 298, 299, 300, 301, 302, 303,
+ 304, 305, 306, 307, 308, 309, 310, 311, 312, 313,
+ 314, 315, 316, 317, 318, 319, 320, 321, 322, 323,
+ 324, 325, 326, 327, 328, 329, 330, 331, 332, 333,
+ 334, 335, 336, 337, 338, 339, 340, 341, 342, 343,
+ 344, 356, 357, 358, 359, 360, 361, 368, 369, 370,
+ 371, 372, 381, 382, 383, 384, 385, 386, 387, 16,
+ 24, 396, 397, 398, 399, 400, 401, 402, 403, 404,
+ 17, 25, 417, 418, 419, 420, 421, 422, 423, 424,
+ 425, 426, 427, 428, 429, 18, 26, 431, 432, 345,
+ 346, 347, 348, 19, 27, 438, 439, 440, 441, 442,
+ 443
};
/* YYTABLE[YYPACT[STATE-NUM]] -- What to do in state STATE-NUM. If
@@ -1344,105 +1376,109 @@ static const yytype_int16 yydefgoto[] =
number is the opposite. If YYTABLE_NINF, syntax error. */
static const yytype_uint16 yytable[] =
{
- 2, 357, 333, 414, 334, 335, 346, 428, 429, 430,
- 0, 3, 431, 432, 347, 348, 389, 390, 391, 392,
- 393, 394, 395, 396, 397, 398, 399, 400, 372, 373,
- 374, 375, 376, 377, 378, 379, 433, 358, 359, 434,
- 435, 4, 417, 418, 419, 420, 421, 5, 436, 437,
- 438, 439, 440, 441, 442, 443, 444, 445, 446, 447,
- 448, 449, 360, 450, 451, 336, 452, 453, 454, 455,
- 456, 457, 458, 459, 460, 461, 462, 463, 464, 465,
- 466, 467, 468, 469, 470, 471, 472, 473, 474, 475,
- 476, 6, 477, 478, 479, 337, 480, 338, 349, 481,
- 350, 482, 483, 484, 485, 486, 487, 7, 488, 489,
- 490, 491, 492, 493, 494, 495, 496, 497, 498, 499,
- 361, 362, 500, 501, 502, 503, 504, 505, 506, 507,
- 508, 509, 510, 511, 512, 513, 514, 515, 516, 517,
- 518, 519, 520, 521, 522, 8, 523, 524, 525, 526,
- 527, 528, 529, 530, 363, 531, 532, 533, 534, 535,
- 536, 537, 538, 539, 540, 541, 542, 543, 544, 545,
- 546, 547, 548, 549, 550, 551, 552, 553, 554, 555,
- 556, 557, 558, 559, 560, 561, 562, 563, 564, 565,
- 566, 9, 567, 568, 569, 570, 571, 572, 573, 574,
- 575, 0, 10, 28, 29, 30, 31, 32, 33, 34,
- 35, 36, 37, 38, 39, 40, 41, 42, 43, 44,
- 45, 46, 47, 48, 49, 50, 51, 52, 53, 54,
- 55, 576, 577, 578, 579, 56, 57, 58, 580, 581,
- 582, 59, 60, 61, 62, 63, 64, 65, 66, 67,
- 68, 69, 70, 71, 72, 73, 74, 75, 76, 77,
- 78, 79, 80, 81, 82, 83, 84, 85, 86, 87,
- 88, 89, 90, 91, 92, 93, 94, 95, 96, 97,
- 98, 99, 583, 584, 585, 586, 587, 588, 589, 590,
- 591, 100, 101, 102, 592, 103, 104, 105, 593, 594,
- 106, 107, 108, 109, 110, 111, 112, 113, 114, 115,
- 116, 117, 118, 119, 120, 121, 122, 123, 124, 125,
- 126, 127, 128, 595, 596, 597, 598, 129, 130, 131,
- 132, 133, 134, 135, 136, 137, 599, 600, 601, 602,
- 603, 604, 605, 606, 607, 608, 609, 610, 611, 138,
- 139, 140, 141, 142, 143, 144, 145, 146, 147, 148,
- 149, 150, 151, 152, 153, 154, 155, 156, 157, 158,
- 159, 160, 161, 162, 163, 164, 165, 166, 167, 168,
- 169, 170, 612, 171, 613, 172, 173, 174, 175, 176,
- 177, 178, 179, 614, 615, 616, 617, 618, 619, 620,
- 621, 622, 623, 624, 625, 626, 627, 628, 629, 630,
- 631, 632, 633, 634, 635, 636, 637, 638, 639, 640,
- 641, 642
+ 2, 349, 430, 350, 351, 362, 433, 434, 435, 436,
+ 437, 3, 444, 363, 364, 405, 406, 407, 408, 409,
+ 410, 411, 412, 413, 414, 415, 416, 388, 389, 390,
+ 391, 392, 393, 394, 395, 445, 446, 447, 448, 449,
+ 450, 4, 451, 452, 453, 454, 455, 5, 456, 457,
+ 458, 459, 460, 461, 462, 463, 464, 465, 466, 467,
+ 468, 469, 470, 471, 352, 472, 473, 474, 475, 476,
+ 477, 478, 479, 480, 481, 482, 483, 484, 485, 486,
+ 487, 488, 489, 490, 491, 492, 493, 494, 495, 496,
+ 497, 6, 498, 499, 353, 500, 354, 365, 501, 366,
+ 502, 503, 504, 505, 506, 507, 0, 7, 28, 29,
+ 30, 31, 32, 33, 34, 35, 36, 37, 38, 39,
+ 40, 41, 42, 43, 44, 45, 46, 47, 48, 49,
+ 50, 51, 52, 53, 54, 55, 508, 509, 510, 511,
+ 56, 57, 58, 512, 513, 8, 59, 60, 61, 62,
+ 63, 64, 65, 66, 67, 68, 69, 70, 71, 72,
+ 73, 74, 75, 76, 77, 78, 79, 80, 81, 82,
+ 83, 84, 85, 86, 87, 88, 89, 90, 91, 92,
+ 93, 94, 95, 96, 97, 98, 99, 514, 515, 516,
+ 517, 518, 9, 519, 520, 521, 100, 101, 102, 522,
+ 103, 104, 105, 523, 10, 106, 107, 108, 109, 110,
+ 111, 112, 113, 114, 115, 116, 117, 118, 119, 120,
+ 121, 122, 123, 124, 125, 126, 127, 128, 524, 525,
+ 526, 527, 129, 130, 131, 132, 133, 134, 135, 136,
+ 137, 528, 529, 530, 531, 532, 533, 534, 535, 536,
+ 537, 538, 539, 540, 138, 139, 140, 141, 142, 143,
+ 144, 145, 146, 147, 148, 149, 150, 151, 152, 153,
+ 154, 155, 156, 157, 158, 159, 160, 161, 162, 163,
+ 164, 165, 166, 167, 168, 169, 170, 171, 373, 172,
+ 541, 173, 174, 175, 176, 177, 178, 179, 180, 181,
+ 542, 543, 544, 545, 546, 547, 182, 183, 184, 185,
+ 186, 187, 548, 549, 550, 551, 552, 553, 554, 555,
+ 556, 557, 558, 559, 374, 375, 560, 561, 562, 563,
+ 564, 565, 566, 567, 568, 569, 570, 571, 572, 573,
+ 574, 575, 576, 577, 578, 579, 580, 581, 582, 376,
+ 583, 584, 585, 586, 587, 588, 589, 590, 591, 592,
+ 593, 594, 595, 596, 597, 598, 599, 600, 601, 602,
+ 603, 604, 605, 606, 607, 608, 609, 610, 611, 612,
+ 613, 614, 615, 616, 617, 618, 619, 620, 621, 622,
+ 623, 624, 625, 626, 627, 628, 629, 630, 631, 632,
+ 633, 634, 635, 636, 637, 638, 639, 377, 378, 640,
+ 641, 642, 643, 644, 645, 646, 647, 648, 649, 650,
+ 651, 652, 653, 654, 655, 656, 657, 658, 659, 660,
+ 661, 662, 663, 664, 665, 666, 0, 0, 0, 0,
+ 0, 0, 379
};
static const yytype_int16 yycheck[] =
{
- 0, 40, 40, 108, 42, 43, 40, 10, 10, 10,
- -1, 11, 10, 10, 48, 49, 146, 147, 148, 149,
- 150, 151, 152, 153, 154, 155, 156, 157, 92, 93,
- 94, 95, 96, 97, 98, 99, 10, 76, 77, 10,
- 10, 41, 203, 204, 205, 206, 207, 47, 10, 10,
+ 0, 40, 108, 42, 43, 40, 205, 206, 207, 208,
+ 209, 11, 10, 48, 49, 146, 147, 148, 149, 150,
+ 151, 152, 153, 154, 155, 156, 157, 92, 93, 94,
+ 95, 96, 97, 98, 99, 10, 10, 10, 10, 10,
+ 10, 41, 10, 10, 10, 10, 10, 47, 10, 10,
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
- 10, 10, 101, 10, 10, 103, 10, 10, 10, 10,
+ 10, 10, 10, 10, 103, 10, 10, 10, 10, 10,
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
- 10, 91, 10, 10, 10, 133, 10, 135, 132, 10,
- 134, 10, 10, 10, 10, 10, 10, 107, 10, 10,
+ 10, 91, 10, 10, 133, 10, 135, 132, 10, 134,
+ 10, 10, 10, 10, 10, 10, -1, 107, 12, 13,
+ 14, 15, 16, 17, 18, 19, 20, 21, 22, 23,
+ 24, 25, 26, 27, 28, 29, 30, 31, 32, 33,
+ 34, 35, 36, 37, 38, 39, 10, 10, 10, 10,
+ 44, 45, 46, 10, 10, 145, 50, 51, 52, 53,
+ 54, 55, 56, 57, 58, 59, 60, 61, 62, 63,
+ 64, 65, 66, 67, 68, 69, 70, 71, 72, 73,
+ 74, 75, 76, 77, 78, 79, 80, 81, 82, 83,
+ 84, 85, 86, 87, 88, 89, 90, 10, 10, 10,
+ 10, 10, 192, 10, 10, 10, 100, 101, 102, 10,
+ 104, 105, 106, 10, 204, 109, 110, 111, 112, 113,
+ 114, 115, 116, 117, 118, 119, 120, 121, 122, 123,
+ 124, 125, 126, 127, 128, 129, 130, 131, 10, 10,
+ 10, 10, 136, 137, 138, 139, 140, 141, 142, 143,
+ 144, 10, 10, 10, 10, 10, 10, 10, 10, 10,
+ 10, 10, 10, 10, 158, 159, 160, 161, 162, 163,
+ 164, 165, 166, 167, 168, 169, 170, 171, 172, 173,
+ 174, 175, 176, 177, 178, 179, 180, 181, 182, 183,
+ 184, 185, 186, 187, 188, 189, 190, 191, 40, 193,
+ 10, 195, 196, 197, 198, 199, 200, 201, 202, 203,
+ 10, 10, 10, 10, 10, 10, 210, 211, 212, 213,
+ 214, 215, 10, 10, 10, 10, 10, 10, 10, 10,
+ 10, 10, 10, 10, 76, 77, 10, 10, 10, 10,
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
- 159, 160, 10, 10, 10, 10, 10, 10, 10, 10,
+ 10, 10, 10, 10, 10, 10, 10, 10, 10, 101,
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
- 10, 10, 10, 10, 10, 145, 10, 10, 10, 10,
- 10, 10, 10, 10, 193, 10, 10, 10, 10, 10,
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
- 10, 191, 10, 10, 10, 10, 10, 10, 10, 10,
- 10, -1, 202, 12, 13, 14, 15, 16, 17, 18,
- 19, 20, 21, 22, 23, 24, 25, 26, 27, 28,
- 29, 30, 31, 32, 33, 34, 35, 36, 37, 38,
- 39, 10, 10, 10, 10, 44, 45, 46, 10, 10,
- 10, 50, 51, 52, 53, 54, 55, 56, 57, 58,
- 59, 60, 61, 62, 63, 64, 65, 66, 67, 68,
- 69, 70, 71, 72, 73, 74, 75, 76, 77, 78,
- 79, 80, 81, 82, 83, 84, 85, 86, 87, 88,
- 89, 90, 10, 10, 10, 10, 10, 10, 10, 10,
- 10, 100, 101, 102, 10, 104, 105, 106, 10, 10,
- 109, 110, 111, 112, 113, 114, 115, 116, 117, 118,
- 119, 120, 121, 122, 123, 124, 125, 126, 127, 128,
- 129, 130, 131, 10, 10, 10, 10, 136, 137, 138,
- 139, 140, 141, 142, 143, 144, 10, 10, 10, 10,
- 10, 10, 10, 10, 10, 10, 10, 10, 10, 158,
- 159, 160, 161, 162, 163, 164, 165, 166, 167, 168,
- 169, 170, 171, 172, 173, 174, 175, 176, 177, 178,
- 179, 180, 181, 182, 183, 184, 185, 186, 187, 188,
- 189, 190, 10, 192, 10, 194, 195, 196, 197, 198,
- 199, 200, 201, 10, 10, 10, 10, 10, 10, 10,
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
+ 10, 10, 10, 10, 10, 10, 10, 159, 160, 10,
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
- 10, 10
+ 10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
+ 10, 10, 10, 10, 10, 10, -1, -1, -1, -1,
+ -1, -1, 194
};
/* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
symbol of state STATE-NUM. */
static const yytype_uint16 yystos[] =
{
- 0, 209, 0, 11, 41, 47, 91, 107, 145, 191,
- 202, 210, 211, 214, 217, 220, 389, 400, 415, 423,
- 212, 215, 218, 221, 390, 401, 416, 424, 12, 13,
+ 0, 217, 0, 11, 41, 47, 91, 107, 145, 192,
+ 204, 218, 219, 222, 225, 228, 405, 416, 431, 439,
+ 220, 223, 226, 229, 406, 417, 432, 440, 12, 13,
14, 15, 16, 17, 18, 19, 20, 21, 22, 23,
24, 25, 26, 27, 28, 29, 30, 31, 32, 33,
34, 35, 36, 37, 38, 39, 44, 45, 46, 50,
@@ -1457,8 +1493,8 @@ static const yytype_uint16 yystos[] =
160, 161, 162, 163, 164, 165, 166, 167, 168, 169,
170, 171, 172, 173, 174, 175, 176, 177, 178, 179,
180, 181, 182, 183, 184, 185, 186, 187, 188, 189,
- 190, 192, 194, 195, 196, 197, 198, 199, 200, 201,
- 213, 223, 224, 225, 226, 227, 228, 229, 230, 231,
+ 190, 191, 193, 195, 196, 197, 198, 199, 200, 201,
+ 202, 203, 210, 211, 212, 213, 214, 215, 221, 231,
232, 233, 234, 235, 236, 237, 238, 239, 240, 241,
242, 243, 244, 245, 246, 247, 248, 249, 250, 251,
252, 253, 254, 255, 256, 257, 258, 259, 260, 261,
@@ -1472,17 +1508,19 @@ static const yytype_uint16 yystos[] =
332, 333, 334, 335, 336, 337, 338, 339, 340, 341,
342, 343, 344, 345, 346, 347, 348, 349, 350, 351,
352, 353, 354, 355, 356, 357, 358, 359, 360, 361,
- 362, 363, 364, 365, 366, 367, 368, 369, 370, 419,
- 420, 421, 422, 40, 42, 43, 103, 133, 135, 216,
- 371, 372, 373, 374, 375, 376, 40, 48, 49, 132,
- 134, 219, 377, 378, 379, 380, 381, 40, 76, 77,
- 101, 159, 160, 193, 222, 382, 383, 384, 385, 386,
- 387, 388, 92, 93, 94, 95, 96, 97, 98, 99,
- 391, 392, 393, 394, 395, 396, 397, 398, 399, 146,
- 147, 148, 149, 150, 151, 152, 153, 154, 155, 156,
- 157, 402, 403, 404, 405, 406, 407, 408, 409, 410,
- 411, 412, 413, 414, 108, 417, 418, 203, 204, 205,
- 206, 207, 425, 426, 427, 428, 429, 430, 10, 10,
+ 362, 363, 364, 365, 366, 367, 368, 369, 370, 371,
+ 372, 373, 374, 375, 376, 377, 378, 379, 380, 381,
+ 382, 383, 384, 385, 386, 435, 436, 437, 438, 40,
+ 42, 43, 103, 133, 135, 224, 387, 388, 389, 390,
+ 391, 392, 40, 48, 49, 132, 134, 227, 393, 394,
+ 395, 396, 397, 40, 76, 77, 101, 159, 160, 194,
+ 230, 398, 399, 400, 401, 402, 403, 404, 92, 93,
+ 94, 95, 96, 97, 98, 99, 407, 408, 409, 410,
+ 411, 412, 413, 414, 415, 146, 147, 148, 149, 150,
+ 151, 152, 153, 154, 155, 156, 157, 418, 419, 420,
+ 421, 422, 423, 424, 425, 426, 427, 428, 429, 430,
+ 108, 433, 434, 205, 206, 207, 208, 209, 441, 442,
+ 443, 444, 445, 446, 10, 10, 10, 10, 10, 10,
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
@@ -1504,33 +1542,33 @@ static const yytype_uint16 yystos[] =
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
10, 10, 10, 10, 10, 10, 10, 10, 10, 10,
- 10, 10, 10
+ 10, 10, 10, 10, 10, 10, 10
};
/* YYR1[YYN] -- Symbol number of symbol that rule YYN derives. */
static const yytype_uint16 yyr1[] =
{
- 0, 208, 209, 209, 210, 210, 210, 210, 210, 210,
- 210, 210, 211, 212, 212, 213, 213, 213, 213, 213,
- 213, 213, 213, 213, 213, 213, 213, 213, 213, 213,
- 213, 213, 213, 213, 213, 213, 213, 213, 213, 213,
- 213, 213, 213, 213, 213, 213, 213, 213, 213, 213,
- 213, 213, 213, 213, 213, 213, 213, 213, 213, 213,
- 213, 213, 213, 213, 213, 213, 213, 213, 213, 213,
- 213, 213, 213, 213, 213, 213, 213, 213, 213, 213,
- 213, 213, 213, 213, 213, 213, 213, 213, 213, 213,
- 213, 213, 213, 213, 213, 213, 213, 213, 213, 213,
- 213, 213, 213, 213, 213, 213, 213, 213, 213, 213,
- 213, 213, 213, 213, 213, 213, 213, 213, 213, 213,
- 213, 213, 213, 213, 213, 213, 213, 213, 213, 213,
- 213, 213, 213, 213, 213, 213, 213, 213, 213, 213,
- 213, 213, 213, 213, 213, 213, 213, 213, 213, 213,
- 213, 213, 213, 213, 213, 213, 213, 213, 213, 213,
- 213, 213, 213, 213, 213, 213, 213, 214, 215, 215,
- 216, 216, 216, 216, 216, 216, 217, 218, 218, 219,
- 219, 219, 219, 219, 220, 221, 221, 222, 222, 222,
- 222, 222, 222, 222, 223, 224, 225, 226, 227, 228,
- 229, 230, 231, 232, 233, 234, 235, 236, 237, 238,
+ 0, 216, 217, 217, 218, 218, 218, 218, 218, 218,
+ 218, 218, 219, 220, 220, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 221, 221, 222, 223, 223, 224, 224,
+ 224, 224, 224, 224, 225, 226, 226, 227, 227, 227,
+ 227, 227, 228, 229, 229, 230, 230, 230, 230, 230,
+ 230, 230, 231, 232, 233, 234, 235, 236, 237, 238,
239, 240, 241, 242, 243, 244, 245, 246, 247, 248,
249, 250, 251, 252, 253, 254, 255, 256, 257, 258,
259, 260, 261, 262, 263, 264, 265, 266, 267, 268,
@@ -1546,13 +1584,15 @@ static const yytype_uint16 yyr1[] =
359, 360, 361, 362, 363, 364, 365, 366, 367, 368,
369, 370, 371, 372, 373, 374, 375, 376, 377, 378,
379, 380, 381, 382, 383, 384, 385, 386, 387, 388,
- 389, 390, 390, 391, 391, 391, 391, 391, 391, 391,
- 391, 392, 393, 394, 395, 396, 397, 398, 399, 400,
- 401, 401, 402, 402, 402, 402, 402, 402, 402, 402,
- 402, 402, 402, 402, 403, 404, 405, 406, 407, 408,
- 409, 410, 411, 412, 413, 414, 415, 416, 416, 417,
- 418, 419, 420, 421, 422, 423, 424, 424, 425, 425,
- 425, 425, 425, 426, 427, 428, 429, 430
+ 389, 390, 391, 392, 393, 394, 395, 396, 397, 398,
+ 399, 400, 401, 402, 403, 404, 405, 406, 406, 407,
+ 407, 407, 407, 407, 407, 407, 407, 408, 409, 410,
+ 411, 412, 413, 414, 415, 416, 417, 417, 418, 418,
+ 418, 418, 418, 418, 418, 418, 418, 418, 418, 418,
+ 419, 420, 421, 422, 423, 424, 425, 426, 427, 428,
+ 429, 430, 431, 432, 432, 433, 434, 435, 436, 437,
+ 438, 439, 440, 440, 441, 441, 441, 441, 441, 442,
+ 443, 444, 445, 446
};
/* YYR2[YYN] -- Number of symbols on the right hand side of rule YYN. */
@@ -1574,10 +1614,11 @@ static const yytype_uint8 yyr2[] =
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 2, 0,
- 1, 1, 1, 1, 1, 1, 1, 2, 0, 1,
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1, 1, 2, 0, 1, 1,
1, 1, 1, 1, 1, 2, 0, 1, 1, 1,
- 1, 1, 1, 1, 2, 2, 2, 2, 2, 2,
+ 1, 1, 1, 2, 0, 1, 1, 1, 1, 1,
+ 1, 1, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
@@ -1593,14 +1634,15 @@ static const yytype_uint8 yyr2[] =
2, 2, 2, 3, 3, 4, 4, 4, 3, 3,
2, 2, 2, 2, 2, 2, 3, 3, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 3, 3, 3, 2, 2, 2,
- 1, 2, 0, 1, 1, 1, 1, 1, 1, 1,
- 1, 2, 2, 2, 2, 2, 2, 2, 2, 1,
- 2, 0, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 2, 2, 2, 1, 2, 0, 1,
- 2, 2, 2, 3, 3, 1, 2, 0, 1, 1,
- 1, 1, 1, 2, 2, 2, 2, 2
+ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
+ 3, 3, 3, 2, 2, 2, 1, 2, 0, 1,
+ 1, 1, 1, 1, 1, 1, 1, 2, 2, 2,
+ 2, 2, 2, 2, 2, 1, 2, 0, 1, 1,
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
+ 2, 2, 1, 2, 0, 1, 2, 2, 2, 3,
+ 3, 1, 2, 0, 1, 1, 1, 1, 1, 2,
+ 2, 2, 2, 2
};
@@ -2277,15 +2319,15 @@ yyreduce:
switch (yyn)
{
case 12:
-#line 159 "util/configparser.y" /* yacc.c:1646 */
+#line 161 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("\nP(server:)\n"));
}
-#line 2285 "util/configparser.c" /* yacc.c:1646 */
+#line 2327 "util/configparser.c" /* yacc.c:1646 */
break;
- case 167:
-#line 234 "util/configparser.y" /* yacc.c:1646 */
+ case 175:
+#line 239 "util/configparser.y" /* yacc.c:1646 */
{
struct config_stub* s;
OUTYY(("\nP(stub_zone:)\n"));
@@ -2296,11 +2338,11 @@ yyreduce:
} else
yyerror("out of memory");
}
-#line 2300 "util/configparser.c" /* yacc.c:1646 */
+#line 2342 "util/configparser.c" /* yacc.c:1646 */
break;
- case 176:
-#line 251 "util/configparser.y" /* yacc.c:1646 */
+ case 184:
+#line 256 "util/configparser.y" /* yacc.c:1646 */
{
struct config_stub* s;
OUTYY(("\nP(forward_zone:)\n"));
@@ -2311,11 +2353,11 @@ yyreduce:
} else
yyerror("out of memory");
}
-#line 2315 "util/configparser.c" /* yacc.c:1646 */
+#line 2357 "util/configparser.c" /* yacc.c:1646 */
break;
- case 184:
-#line 268 "util/configparser.y" /* yacc.c:1646 */
+ case 192:
+#line 273 "util/configparser.y" /* yacc.c:1646 */
{
struct config_view* s;
OUTYY(("\nP(view:)\n"));
@@ -2328,11 +2370,11 @@ yyreduce:
} else
yyerror("out of memory");
}
-#line 2332 "util/configparser.c" /* yacc.c:1646 */
+#line 2374 "util/configparser.c" /* yacc.c:1646 */
break;
- case 194:
-#line 287 "util/configparser.y" /* yacc.c:1646 */
+ case 202:
+#line 292 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_num_threads:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -2340,11 +2382,11 @@ yyreduce:
else cfg_parser->cfg->num_threads = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 2344 "util/configparser.c" /* yacc.c:1646 */
+#line 2386 "util/configparser.c" /* yacc.c:1646 */
break;
- case 195:
-#line 296 "util/configparser.y" /* yacc.c:1646 */
+ case 203:
+#line 301 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_verbosity:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -2352,11 +2394,11 @@ yyreduce:
else cfg_parser->cfg->verbosity = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 2356 "util/configparser.c" /* yacc.c:1646 */
+#line 2398 "util/configparser.c" /* yacc.c:1646 */
break;
- case 196:
-#line 305 "util/configparser.y" /* yacc.c:1646 */
+ case 204:
+#line 310 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_statistics_interval:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "") == 0 || strcmp((yyvsp[0].str), "0") == 0)
@@ -2366,11 +2408,11 @@ yyreduce:
else cfg_parser->cfg->stat_interval = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 2370 "util/configparser.c" /* yacc.c:1646 */
+#line 2412 "util/configparser.c" /* yacc.c:1646 */
break;
- case 197:
-#line 316 "util/configparser.y" /* yacc.c:1646 */
+ case 205:
+#line 321 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_statistics_cumulative:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2378,11 +2420,11 @@ yyreduce:
else cfg_parser->cfg->stat_cumulative = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2382 "util/configparser.c" /* yacc.c:1646 */
+#line 2424 "util/configparser.c" /* yacc.c:1646 */
break;
- case 198:
-#line 325 "util/configparser.y" /* yacc.c:1646 */
+ case 206:
+#line 330 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_extended_statistics:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2390,11 +2432,11 @@ yyreduce:
else cfg_parser->cfg->stat_extended = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2394 "util/configparser.c" /* yacc.c:1646 */
+#line 2436 "util/configparser.c" /* yacc.c:1646 */
break;
- case 199:
-#line 334 "util/configparser.y" /* yacc.c:1646 */
+ case 207:
+#line 339 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_shm_enable:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2402,11 +2444,11 @@ yyreduce:
else cfg_parser->cfg->shm_enable = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2406 "util/configparser.c" /* yacc.c:1646 */
+#line 2448 "util/configparser.c" /* yacc.c:1646 */
break;
- case 200:
-#line 343 "util/configparser.y" /* yacc.c:1646 */
+ case 208:
+#line 348 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_shm_key:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "") == 0 || strcmp((yyvsp[0].str), "0") == 0)
@@ -2416,11 +2458,11 @@ yyreduce:
else cfg_parser->cfg->shm_key = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 2420 "util/configparser.c" /* yacc.c:1646 */
+#line 2462 "util/configparser.c" /* yacc.c:1646 */
break;
- case 201:
-#line 354 "util/configparser.y" /* yacc.c:1646 */
+ case 209:
+#line 359 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_port:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0)
@@ -2428,11 +2470,11 @@ yyreduce:
else cfg_parser->cfg->port = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 2432 "util/configparser.c" /* yacc.c:1646 */
+#line 2474 "util/configparser.c" /* yacc.c:1646 */
break;
- case 202:
-#line 363 "util/configparser.y" /* yacc.c:1646 */
+ case 210:
+#line 368 "util/configparser.y" /* yacc.c:1646 */
{
#ifdef CLIENT_SUBNET
OUTYY(("P(server_send_client_subnet:%s)\n", (yyvsp[0].str)));
@@ -2442,11 +2484,26 @@ yyreduce:
OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
#endif
}
-#line 2446 "util/configparser.c" /* yacc.c:1646 */
+#line 2488 "util/configparser.c" /* yacc.c:1646 */
break;
- case 203:
-#line 375 "util/configparser.y" /* yacc.c:1646 */
+ case 211:
+#line 379 "util/configparser.y" /* yacc.c:1646 */
+ {
+ #ifdef CLIENT_SUBNET
+ OUTYY(("P(server_client_subnet_zone:%s)\n", (yyvsp[0].str)));
+ if(!cfg_strlist_insert(&cfg_parser->cfg->client_subnet_zone,
+ (yyvsp[0].str)))
+ fatal_exit("out of memory adding client-subnet-zone");
+ #else
+ OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
+ #endif
+ }
+#line 2503 "util/configparser.c" /* yacc.c:1646 */
+ break;
+
+ case 212:
+#line 392 "util/configparser.y" /* yacc.c:1646 */
{
#ifdef CLIENT_SUBNET
OUTYY(("P(server_client_subnet_always_forward:%s)\n", (yyvsp[0].str)));
@@ -2460,11 +2517,11 @@ yyreduce:
#endif
free((yyvsp[0].str));
}
-#line 2464 "util/configparser.c" /* yacc.c:1646 */
+#line 2521 "util/configparser.c" /* yacc.c:1646 */
break;
- case 204:
-#line 390 "util/configparser.y" /* yacc.c:1646 */
+ case 213:
+#line 407 "util/configparser.y" /* yacc.c:1646 */
{
#ifdef CLIENT_SUBNET
OUTYY(("P(client_subnet_opcode:%s)\n", (yyvsp[0].str)));
@@ -2474,11 +2531,11 @@ yyreduce:
#endif
free((yyvsp[0].str));
}
-#line 2478 "util/configparser.c" /* yacc.c:1646 */
+#line 2535 "util/configparser.c" /* yacc.c:1646 */
break;
- case 205:
-#line 401 "util/configparser.y" /* yacc.c:1646 */
+ case 214:
+#line 418 "util/configparser.y" /* yacc.c:1646 */
{
#ifdef CLIENT_SUBNET
OUTYY(("P(max_client_subnet_ipv4:%s)\n", (yyvsp[0].str)));
@@ -2494,11 +2551,11 @@ yyreduce:
#endif
free((yyvsp[0].str));
}
-#line 2498 "util/configparser.c" /* yacc.c:1646 */
+#line 2555 "util/configparser.c" /* yacc.c:1646 */
break;
- case 206:
-#line 418 "util/configparser.y" /* yacc.c:1646 */
+ case 215:
+#line 435 "util/configparser.y" /* yacc.c:1646 */
{
#ifdef CLIENT_SUBNET
OUTYY(("P(max_client_subnet_ipv6:%s)\n", (yyvsp[0].str)));
@@ -2514,11 +2571,11 @@ yyreduce:
#endif
free((yyvsp[0].str));
}
-#line 2518 "util/configparser.c" /* yacc.c:1646 */
+#line 2575 "util/configparser.c" /* yacc.c:1646 */
break;
- case 207:
-#line 435 "util/configparser.y" /* yacc.c:1646 */
+ case 216:
+#line 452 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_interface:%s)\n", (yyvsp[0].str)));
if(cfg_parser->cfg->num_ifs == 0)
@@ -2530,11 +2587,11 @@ yyreduce:
else
cfg_parser->cfg->ifs[cfg_parser->cfg->num_ifs++] = (yyvsp[0].str);
}
-#line 2534 "util/configparser.c" /* yacc.c:1646 */
+#line 2591 "util/configparser.c" /* yacc.c:1646 */
break;
- case 208:
-#line 448 "util/configparser.y" /* yacc.c:1646 */
+ case 217:
+#line 465 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_outgoing_interface:%s)\n", (yyvsp[0].str)));
if(cfg_parser->cfg->num_out_ifs == 0)
@@ -2548,11 +2605,11 @@ yyreduce:
cfg_parser->cfg->out_ifs[
cfg_parser->cfg->num_out_ifs++] = (yyvsp[0].str);
}
-#line 2552 "util/configparser.c" /* yacc.c:1646 */
+#line 2609 "util/configparser.c" /* yacc.c:1646 */
break;
- case 209:
-#line 463 "util/configparser.y" /* yacc.c:1646 */
+ case 218:
+#line 480 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_outgoing_range:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0)
@@ -2560,11 +2617,11 @@ yyreduce:
else cfg_parser->cfg->outgoing_num_ports = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 2564 "util/configparser.c" /* yacc.c:1646 */
+#line 2621 "util/configparser.c" /* yacc.c:1646 */
break;
- case 210:
-#line 472 "util/configparser.y" /* yacc.c:1646 */
+ case 219:
+#line 489 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_outgoing_port_permit:%s)\n", (yyvsp[0].str)));
if(!cfg_mark_ports((yyvsp[0].str), 1,
@@ -2572,11 +2629,11 @@ yyreduce:
yyerror("port number or range (\"low-high\") expected");
free((yyvsp[0].str));
}
-#line 2576 "util/configparser.c" /* yacc.c:1646 */
+#line 2633 "util/configparser.c" /* yacc.c:1646 */
break;
- case 211:
-#line 481 "util/configparser.y" /* yacc.c:1646 */
+ case 220:
+#line 498 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_outgoing_port_avoid:%s)\n", (yyvsp[0].str)));
if(!cfg_mark_ports((yyvsp[0].str), 0,
@@ -2584,11 +2641,11 @@ yyreduce:
yyerror("port number or range (\"low-high\") expected");
free((yyvsp[0].str));
}
-#line 2588 "util/configparser.c" /* yacc.c:1646 */
+#line 2645 "util/configparser.c" /* yacc.c:1646 */
break;
- case 212:
-#line 490 "util/configparser.y" /* yacc.c:1646 */
+ case 221:
+#line 507 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_outgoing_num_tcp:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -2596,11 +2653,11 @@ yyreduce:
else cfg_parser->cfg->outgoing_num_tcp = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 2600 "util/configparser.c" /* yacc.c:1646 */
+#line 2657 "util/configparser.c" /* yacc.c:1646 */
break;
- case 213:
-#line 499 "util/configparser.y" /* yacc.c:1646 */
+ case 222:
+#line 516 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_incoming_num_tcp:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -2608,11 +2665,11 @@ yyreduce:
else cfg_parser->cfg->incoming_num_tcp = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 2612 "util/configparser.c" /* yacc.c:1646 */
+#line 2669 "util/configparser.c" /* yacc.c:1646 */
break;
- case 214:
-#line 508 "util/configparser.y" /* yacc.c:1646 */
+ case 223:
+#line 525 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_interface_automatic:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2620,11 +2677,11 @@ yyreduce:
else cfg_parser->cfg->if_automatic = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2624 "util/configparser.c" /* yacc.c:1646 */
+#line 2681 "util/configparser.c" /* yacc.c:1646 */
break;
- case 215:
-#line 517 "util/configparser.y" /* yacc.c:1646 */
+ case 224:
+#line 534 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_do_ip4:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2632,11 +2689,11 @@ yyreduce:
else cfg_parser->cfg->do_ip4 = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2636 "util/configparser.c" /* yacc.c:1646 */
+#line 2693 "util/configparser.c" /* yacc.c:1646 */
break;
- case 216:
-#line 526 "util/configparser.y" /* yacc.c:1646 */
+ case 225:
+#line 543 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_do_ip6:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2644,11 +2701,11 @@ yyreduce:
else cfg_parser->cfg->do_ip6 = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2648 "util/configparser.c" /* yacc.c:1646 */
+#line 2705 "util/configparser.c" /* yacc.c:1646 */
break;
- case 217:
-#line 535 "util/configparser.y" /* yacc.c:1646 */
+ case 226:
+#line 552 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_do_udp:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2656,11 +2713,11 @@ yyreduce:
else cfg_parser->cfg->do_udp = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2660 "util/configparser.c" /* yacc.c:1646 */
+#line 2717 "util/configparser.c" /* yacc.c:1646 */
break;
- case 218:
-#line 544 "util/configparser.y" /* yacc.c:1646 */
+ case 227:
+#line 561 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_do_tcp:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2668,11 +2725,11 @@ yyreduce:
else cfg_parser->cfg->do_tcp = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2672 "util/configparser.c" /* yacc.c:1646 */
+#line 2729 "util/configparser.c" /* yacc.c:1646 */
break;
- case 219:
-#line 553 "util/configparser.y" /* yacc.c:1646 */
+ case 228:
+#line 570 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_prefer_ip6:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2680,11 +2737,11 @@ yyreduce:
else cfg_parser->cfg->prefer_ip6 = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2684 "util/configparser.c" /* yacc.c:1646 */
+#line 2741 "util/configparser.c" /* yacc.c:1646 */
break;
- case 220:
-#line 562 "util/configparser.y" /* yacc.c:1646 */
+ case 229:
+#line 579 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_tcp_mss:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -2692,11 +2749,11 @@ yyreduce:
else cfg_parser->cfg->tcp_mss = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 2696 "util/configparser.c" /* yacc.c:1646 */
+#line 2753 "util/configparser.c" /* yacc.c:1646 */
break;
- case 221:
-#line 571 "util/configparser.y" /* yacc.c:1646 */
+ case 230:
+#line 588 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_outgoing_tcp_mss:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -2704,11 +2761,11 @@ yyreduce:
else cfg_parser->cfg->outgoing_tcp_mss = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 2708 "util/configparser.c" /* yacc.c:1646 */
+#line 2765 "util/configparser.c" /* yacc.c:1646 */
break;
- case 222:
-#line 580 "util/configparser.y" /* yacc.c:1646 */
+ case 231:
+#line 597 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_tcp_upstream:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2716,11 +2773,11 @@ yyreduce:
else cfg_parser->cfg->tcp_upstream = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2720 "util/configparser.c" /* yacc.c:1646 */
+#line 2777 "util/configparser.c" /* yacc.c:1646 */
break;
- case 223:
-#line 589 "util/configparser.y" /* yacc.c:1646 */
+ case 232:
+#line 606 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ssl_upstream:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2728,31 +2785,31 @@ yyreduce:
else cfg_parser->cfg->ssl_upstream = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2732 "util/configparser.c" /* yacc.c:1646 */
+#line 2789 "util/configparser.c" /* yacc.c:1646 */
break;
- case 224:
-#line 598 "util/configparser.y" /* yacc.c:1646 */
+ case 233:
+#line 615 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ssl_service_key:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->ssl_service_key);
cfg_parser->cfg->ssl_service_key = (yyvsp[0].str);
}
-#line 2742 "util/configparser.c" /* yacc.c:1646 */
+#line 2799 "util/configparser.c" /* yacc.c:1646 */
break;
- case 225:
-#line 605 "util/configparser.y" /* yacc.c:1646 */
+ case 234:
+#line 622 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ssl_service_pem:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->ssl_service_pem);
cfg_parser->cfg->ssl_service_pem = (yyvsp[0].str);
}
-#line 2752 "util/configparser.c" /* yacc.c:1646 */
+#line 2809 "util/configparser.c" /* yacc.c:1646 */
break;
- case 226:
-#line 612 "util/configparser.y" /* yacc.c:1646 */
+ case 235:
+#line 629 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ssl_port:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0)
@@ -2760,11 +2817,11 @@ yyreduce:
else cfg_parser->cfg->ssl_port = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 2764 "util/configparser.c" /* yacc.c:1646 */
+#line 2821 "util/configparser.c" /* yacc.c:1646 */
break;
- case 227:
-#line 621 "util/configparser.y" /* yacc.c:1646 */
+ case 236:
+#line 638 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_use_systemd:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2772,11 +2829,11 @@ yyreduce:
else cfg_parser->cfg->use_systemd = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2776 "util/configparser.c" /* yacc.c:1646 */
+#line 2833 "util/configparser.c" /* yacc.c:1646 */
break;
- case 228:
-#line 630 "util/configparser.y" /* yacc.c:1646 */
+ case 237:
+#line 647 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_do_daemonize:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2784,11 +2841,11 @@ yyreduce:
else cfg_parser->cfg->do_daemonize = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2788 "util/configparser.c" /* yacc.c:1646 */
+#line 2845 "util/configparser.c" /* yacc.c:1646 */
break;
- case 229:
-#line 639 "util/configparser.y" /* yacc.c:1646 */
+ case 238:
+#line 656 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_use_syslog:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2801,11 +2858,11 @@ yyreduce:
#endif
free((yyvsp[0].str));
}
-#line 2805 "util/configparser.c" /* yacc.c:1646 */
+#line 2862 "util/configparser.c" /* yacc.c:1646 */
break;
- case 230:
-#line 653 "util/configparser.y" /* yacc.c:1646 */
+ case 239:
+#line 670 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_log_time_ascii:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2813,11 +2870,11 @@ yyreduce:
else cfg_parser->cfg->log_time_ascii = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2817 "util/configparser.c" /* yacc.c:1646 */
+#line 2874 "util/configparser.c" /* yacc.c:1646 */
break;
- case 231:
-#line 662 "util/configparser.y" /* yacc.c:1646 */
+ case 240:
+#line 679 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_log_queries:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2825,11 +2882,11 @@ yyreduce:
else cfg_parser->cfg->log_queries = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2829 "util/configparser.c" /* yacc.c:1646 */
+#line 2886 "util/configparser.c" /* yacc.c:1646 */
break;
- case 232:
-#line 671 "util/configparser.y" /* yacc.c:1646 */
+ case 241:
+#line 688 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_log_replies:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -2837,31 +2894,31 @@ yyreduce:
else cfg_parser->cfg->log_replies = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 2841 "util/configparser.c" /* yacc.c:1646 */
+#line 2898 "util/configparser.c" /* yacc.c:1646 */
break;
- case 233:
-#line 680 "util/configparser.y" /* yacc.c:1646 */
+ case 242:
+#line 697 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_chroot:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->chrootdir);
cfg_parser->cfg->chrootdir = (yyvsp[0].str);
}
-#line 2851 "util/configparser.c" /* yacc.c:1646 */
+#line 2908 "util/configparser.c" /* yacc.c:1646 */
break;
- case 234:
-#line 687 "util/configparser.y" /* yacc.c:1646 */
+ case 243:
+#line 704 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_username:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->username);
cfg_parser->cfg->username = (yyvsp[0].str);
}
-#line 2861 "util/configparser.c" /* yacc.c:1646 */
+#line 2918 "util/configparser.c" /* yacc.c:1646 */
break;
- case 235:
-#line 694 "util/configparser.y" /* yacc.c:1646 */
+ case 244:
+#line 711 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_directory:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->directory);
@@ -2886,115 +2943,129 @@ yyreduce:
}
}
}
-#line 2890 "util/configparser.c" /* yacc.c:1646 */
+#line 2947 "util/configparser.c" /* yacc.c:1646 */
break;
- case 236:
-#line 720 "util/configparser.y" /* yacc.c:1646 */
+ case 245:
+#line 737 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_logfile:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->logfile);
cfg_parser->cfg->logfile = (yyvsp[0].str);
cfg_parser->cfg->use_syslog = 0;
}
-#line 2901 "util/configparser.c" /* yacc.c:1646 */
+#line 2958 "util/configparser.c" /* yacc.c:1646 */
break;
- case 237:
-#line 728 "util/configparser.y" /* yacc.c:1646 */
+ case 246:
+#line 745 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_pidfile:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->pidfile);
cfg_parser->cfg->pidfile = (yyvsp[0].str);
}
-#line 2911 "util/configparser.c" /* yacc.c:1646 */
+#line 2968 "util/configparser.c" /* yacc.c:1646 */
break;
- case 238:
-#line 735 "util/configparser.y" /* yacc.c:1646 */
+ case 247:
+#line 752 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_root_hints:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->root_hints, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 2921 "util/configparser.c" /* yacc.c:1646 */
+#line 2978 "util/configparser.c" /* yacc.c:1646 */
break;
- case 239:
-#line 742 "util/configparser.y" /* yacc.c:1646 */
+ case 248:
+#line 759 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_dlv_anchor_file:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->dlv_anchor_file);
cfg_parser->cfg->dlv_anchor_file = (yyvsp[0].str);
}
-#line 2931 "util/configparser.c" /* yacc.c:1646 */
+#line 2988 "util/configparser.c" /* yacc.c:1646 */
break;
- case 240:
-#line 749 "util/configparser.y" /* yacc.c:1646 */
+ case 249:
+#line 766 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_dlv_anchor:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->dlv_anchor_list, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 2941 "util/configparser.c" /* yacc.c:1646 */
+#line 2998 "util/configparser.c" /* yacc.c:1646 */
break;
- case 241:
-#line 756 "util/configparser.y" /* yacc.c:1646 */
+ case 250:
+#line 773 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_auto_trust_anchor_file:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->
auto_trust_anchor_file_list, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 2952 "util/configparser.c" /* yacc.c:1646 */
+#line 3009 "util/configparser.c" /* yacc.c:1646 */
break;
- case 242:
-#line 764 "util/configparser.y" /* yacc.c:1646 */
+ case 251:
+#line 781 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_trust_anchor_file:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->
trust_anchor_file_list, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 2963 "util/configparser.c" /* yacc.c:1646 */
+#line 3020 "util/configparser.c" /* yacc.c:1646 */
break;
- case 243:
-#line 772 "util/configparser.y" /* yacc.c:1646 */
+ case 252:
+#line 789 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_trusted_keys_file:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->
trusted_keys_file_list, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 2974 "util/configparser.c" /* yacc.c:1646 */
+#line 3031 "util/configparser.c" /* yacc.c:1646 */
break;
- case 244:
-#line 780 "util/configparser.y" /* yacc.c:1646 */
+ case 253:
+#line 797 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_trust_anchor:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->trust_anchor_list, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 2984 "util/configparser.c" /* yacc.c:1646 */
+#line 3041 "util/configparser.c" /* yacc.c:1646 */
break;
- case 245:
-#line 787 "util/configparser.y" /* yacc.c:1646 */
+ case 254:
+#line 804 "util/configparser.y" /* yacc.c:1646 */
+ {
+ OUTYY(("P(server_trust_anchor_signaling:%s)\n", (yyvsp[0].str)));
+ if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
+ yyerror("expected yes or no.");
+ else
+ cfg_parser->cfg->trust_anchor_signaling =
+ (strcmp((yyvsp[0].str), "yes")==0);
+ free((yyvsp[0].str));
+ }
+#line 3055 "util/configparser.c" /* yacc.c:1646 */
+ break;
+
+ case 255:
+#line 815 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_domain_insecure:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->domain_insecure, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 2994 "util/configparser.c" /* yacc.c:1646 */
+#line 3065 "util/configparser.c" /* yacc.c:1646 */
break;
- case 246:
-#line 794 "util/configparser.y" /* yacc.c:1646 */
+ case 256:
+#line 822 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_hide_identity:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3002,11 +3073,11 @@ yyreduce:
else cfg_parser->cfg->hide_identity = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3006 "util/configparser.c" /* yacc.c:1646 */
+#line 3077 "util/configparser.c" /* yacc.c:1646 */
break;
- case 247:
-#line 803 "util/configparser.y" /* yacc.c:1646 */
+ case 257:
+#line 831 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_hide_version:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3014,11 +3085,11 @@ yyreduce:
else cfg_parser->cfg->hide_version = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3018 "util/configparser.c" /* yacc.c:1646 */
+#line 3089 "util/configparser.c" /* yacc.c:1646 */
break;
- case 248:
-#line 812 "util/configparser.y" /* yacc.c:1646 */
+ case 258:
+#line 840 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_hide_trustanchor:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3026,53 +3097,53 @@ yyreduce:
else cfg_parser->cfg->hide_trustanchor = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3030 "util/configparser.c" /* yacc.c:1646 */
+#line 3101 "util/configparser.c" /* yacc.c:1646 */
break;
- case 249:
-#line 821 "util/configparser.y" /* yacc.c:1646 */
+ case 259:
+#line 849 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_identity:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->identity);
cfg_parser->cfg->identity = (yyvsp[0].str);
}
-#line 3040 "util/configparser.c" /* yacc.c:1646 */
+#line 3111 "util/configparser.c" /* yacc.c:1646 */
break;
- case 250:
-#line 828 "util/configparser.y" /* yacc.c:1646 */
+ case 260:
+#line 856 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_version:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->version);
cfg_parser->cfg->version = (yyvsp[0].str);
}
-#line 3050 "util/configparser.c" /* yacc.c:1646 */
+#line 3121 "util/configparser.c" /* yacc.c:1646 */
break;
- case 251:
-#line 835 "util/configparser.y" /* yacc.c:1646 */
+ case 261:
+#line 863 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_so_rcvbuf:%s)\n", (yyvsp[0].str)));
if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->so_rcvbuf))
yyerror("buffer size expected");
free((yyvsp[0].str));
}
-#line 3061 "util/configparser.c" /* yacc.c:1646 */
+#line 3132 "util/configparser.c" /* yacc.c:1646 */
break;
- case 252:
-#line 843 "util/configparser.y" /* yacc.c:1646 */
+ case 262:
+#line 871 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_so_sndbuf:%s)\n", (yyvsp[0].str)));
if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->so_sndbuf))
yyerror("buffer size expected");
free((yyvsp[0].str));
}
-#line 3072 "util/configparser.c" /* yacc.c:1646 */
+#line 3143 "util/configparser.c" /* yacc.c:1646 */
break;
- case 253:
-#line 851 "util/configparser.y" /* yacc.c:1646 */
+ case 263:
+#line 879 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_so_reuseport:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3081,11 +3152,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3085 "util/configparser.c" /* yacc.c:1646 */
+#line 3156 "util/configparser.c" /* yacc.c:1646 */
break;
- case 254:
-#line 861 "util/configparser.y" /* yacc.c:1646 */
+ case 264:
+#line 889 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ip_transparent:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3094,11 +3165,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3098 "util/configparser.c" /* yacc.c:1646 */
+#line 3169 "util/configparser.c" /* yacc.c:1646 */
break;
- case 255:
-#line 871 "util/configparser.y" /* yacc.c:1646 */
+ case 265:
+#line 899 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ip_freebind:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3107,11 +3178,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3111 "util/configparser.c" /* yacc.c:1646 */
+#line 3182 "util/configparser.c" /* yacc.c:1646 */
break;
- case 256:
-#line 881 "util/configparser.y" /* yacc.c:1646 */
+ case 266:
+#line 909 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_edns_buffer_size:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0)
@@ -3123,11 +3194,11 @@ yyreduce:
else cfg_parser->cfg->edns_buffer_size = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3127 "util/configparser.c" /* yacc.c:1646 */
+#line 3198 "util/configparser.c" /* yacc.c:1646 */
break;
- case 257:
-#line 894 "util/configparser.y" /* yacc.c:1646 */
+ case 267:
+#line 922 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_msg_buffer_size:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0)
@@ -3137,22 +3208,22 @@ yyreduce:
else cfg_parser->cfg->msg_buffer_size = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3141 "util/configparser.c" /* yacc.c:1646 */
+#line 3212 "util/configparser.c" /* yacc.c:1646 */
break;
- case 258:
-#line 905 "util/configparser.y" /* yacc.c:1646 */
+ case 268:
+#line 933 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_msg_cache_size:%s)\n", (yyvsp[0].str)));
if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->msg_cache_size))
yyerror("memory size expected");
free((yyvsp[0].str));
}
-#line 3152 "util/configparser.c" /* yacc.c:1646 */
+#line 3223 "util/configparser.c" /* yacc.c:1646 */
break;
- case 259:
-#line 913 "util/configparser.y" /* yacc.c:1646 */
+ case 269:
+#line 941 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_msg_cache_slabs:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0)
@@ -3164,11 +3235,11 @@ yyreduce:
}
free((yyvsp[0].str));
}
-#line 3168 "util/configparser.c" /* yacc.c:1646 */
+#line 3239 "util/configparser.c" /* yacc.c:1646 */
break;
- case 260:
-#line 926 "util/configparser.y" /* yacc.c:1646 */
+ case 270:
+#line 954 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_num_queries_per_thread:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0)
@@ -3176,11 +3247,11 @@ yyreduce:
else cfg_parser->cfg->num_queries_per_thread = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3180 "util/configparser.c" /* yacc.c:1646 */
+#line 3251 "util/configparser.c" /* yacc.c:1646 */
break;
- case 261:
-#line 935 "util/configparser.y" /* yacc.c:1646 */
+ case 271:
+#line 963 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_jostle_timeout:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -3188,11 +3259,11 @@ yyreduce:
else cfg_parser->cfg->jostle_time = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3192 "util/configparser.c" /* yacc.c:1646 */
+#line 3263 "util/configparser.c" /* yacc.c:1646 */
break;
- case 262:
-#line 944 "util/configparser.y" /* yacc.c:1646 */
+ case 272:
+#line 972 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_delay_close:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -3200,11 +3271,11 @@ yyreduce:
else cfg_parser->cfg->delay_close = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3204 "util/configparser.c" /* yacc.c:1646 */
+#line 3275 "util/configparser.c" /* yacc.c:1646 */
break;
- case 263:
-#line 953 "util/configparser.y" /* yacc.c:1646 */
+ case 273:
+#line 981 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_unblock_lan_zones:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3213,11 +3284,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3217 "util/configparser.c" /* yacc.c:1646 */
+#line 3288 "util/configparser.c" /* yacc.c:1646 */
break;
- case 264:
-#line 963 "util/configparser.y" /* yacc.c:1646 */
+ case 274:
+#line 991 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_insecure_lan_zones:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3226,22 +3297,22 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3230 "util/configparser.c" /* yacc.c:1646 */
+#line 3301 "util/configparser.c" /* yacc.c:1646 */
break;
- case 265:
-#line 973 "util/configparser.y" /* yacc.c:1646 */
+ case 275:
+#line 1001 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_rrset_cache_size:%s)\n", (yyvsp[0].str)));
if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->rrset_cache_size))
yyerror("memory size expected");
free((yyvsp[0].str));
}
-#line 3241 "util/configparser.c" /* yacc.c:1646 */
+#line 3312 "util/configparser.c" /* yacc.c:1646 */
break;
- case 266:
-#line 981 "util/configparser.y" /* yacc.c:1646 */
+ case 276:
+#line 1009 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_rrset_cache_slabs:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0)
@@ -3253,11 +3324,11 @@ yyreduce:
}
free((yyvsp[0].str));
}
-#line 3257 "util/configparser.c" /* yacc.c:1646 */
+#line 3328 "util/configparser.c" /* yacc.c:1646 */
break;
- case 267:
-#line 994 "util/configparser.y" /* yacc.c:1646 */
+ case 277:
+#line 1022 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_infra_host_ttl:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -3265,22 +3336,22 @@ yyreduce:
else cfg_parser->cfg->host_ttl = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3269 "util/configparser.c" /* yacc.c:1646 */
+#line 3340 "util/configparser.c" /* yacc.c:1646 */
break;
- case 268:
-#line 1003 "util/configparser.y" /* yacc.c:1646 */
+ case 278:
+#line 1031 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_infra_lame_ttl:%s)\n", (yyvsp[0].str)));
verbose(VERB_DETAIL, "ignored infra-lame-ttl: %s (option "
"removed, use infra-host-ttl)", (yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3280 "util/configparser.c" /* yacc.c:1646 */
+#line 3351 "util/configparser.c" /* yacc.c:1646 */
break;
- case 269:
-#line 1011 "util/configparser.y" /* yacc.c:1646 */
+ case 279:
+#line 1039 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_infra_cache_numhosts:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0)
@@ -3288,22 +3359,22 @@ yyreduce:
else cfg_parser->cfg->infra_cache_numhosts = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3292 "util/configparser.c" /* yacc.c:1646 */
+#line 3363 "util/configparser.c" /* yacc.c:1646 */
break;
- case 270:
-#line 1020 "util/configparser.y" /* yacc.c:1646 */
+ case 280:
+#line 1048 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_infra_cache_lame_size:%s)\n", (yyvsp[0].str)));
verbose(VERB_DETAIL, "ignored infra-cache-lame-size: %s "
"(option removed, use infra-cache-numhosts)", (yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3303 "util/configparser.c" /* yacc.c:1646 */
+#line 3374 "util/configparser.c" /* yacc.c:1646 */
break;
- case 271:
-#line 1028 "util/configparser.y" /* yacc.c:1646 */
+ case 281:
+#line 1056 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_infra_cache_slabs:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0)
@@ -3315,11 +3386,11 @@ yyreduce:
}
free((yyvsp[0].str));
}
-#line 3319 "util/configparser.c" /* yacc.c:1646 */
+#line 3390 "util/configparser.c" /* yacc.c:1646 */
break;
- case 272:
-#line 1041 "util/configparser.y" /* yacc.c:1646 */
+ case 282:
+#line 1069 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_infra_cache_min_rtt:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -3327,21 +3398,21 @@ yyreduce:
else cfg_parser->cfg->infra_cache_min_rtt = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3331 "util/configparser.c" /* yacc.c:1646 */
+#line 3402 "util/configparser.c" /* yacc.c:1646 */
break;
- case 273:
-#line 1050 "util/configparser.y" /* yacc.c:1646 */
+ case 283:
+#line 1078 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_target_fetch_policy:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->target_fetch_policy);
cfg_parser->cfg->target_fetch_policy = (yyvsp[0].str);
}
-#line 3341 "util/configparser.c" /* yacc.c:1646 */
+#line 3412 "util/configparser.c" /* yacc.c:1646 */
break;
- case 274:
-#line 1057 "util/configparser.y" /* yacc.c:1646 */
+ case 284:
+#line 1085 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_harden_short_bufsize:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3350,11 +3421,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3354 "util/configparser.c" /* yacc.c:1646 */
+#line 3425 "util/configparser.c" /* yacc.c:1646 */
break;
- case 275:
-#line 1067 "util/configparser.y" /* yacc.c:1646 */
+ case 285:
+#line 1095 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_harden_large_queries:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3363,11 +3434,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3367 "util/configparser.c" /* yacc.c:1646 */
+#line 3438 "util/configparser.c" /* yacc.c:1646 */
break;
- case 276:
-#line 1077 "util/configparser.y" /* yacc.c:1646 */
+ case 286:
+#line 1105 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_harden_glue:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3376,11 +3447,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3380 "util/configparser.c" /* yacc.c:1646 */
+#line 3451 "util/configparser.c" /* yacc.c:1646 */
break;
- case 277:
-#line 1087 "util/configparser.y" /* yacc.c:1646 */
+ case 287:
+#line 1115 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_harden_dnssec_stripped:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3389,11 +3460,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3393 "util/configparser.c" /* yacc.c:1646 */
+#line 3464 "util/configparser.c" /* yacc.c:1646 */
break;
- case 278:
-#line 1097 "util/configparser.y" /* yacc.c:1646 */
+ case 288:
+#line 1125 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_harden_below_nxdomain:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3402,11 +3473,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3406 "util/configparser.c" /* yacc.c:1646 */
+#line 3477 "util/configparser.c" /* yacc.c:1646 */
break;
- case 279:
-#line 1107 "util/configparser.y" /* yacc.c:1646 */
+ case 289:
+#line 1135 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_harden_referral_path:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3415,11 +3486,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3419 "util/configparser.c" /* yacc.c:1646 */
+#line 3490 "util/configparser.c" /* yacc.c:1646 */
break;
- case 280:
-#line 1117 "util/configparser.y" /* yacc.c:1646 */
+ case 290:
+#line 1145 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_harden_algo_downgrade:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3428,11 +3499,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3432 "util/configparser.c" /* yacc.c:1646 */
+#line 3503 "util/configparser.c" /* yacc.c:1646 */
break;
- case 281:
-#line 1127 "util/configparser.y" /* yacc.c:1646 */
+ case 291:
+#line 1155 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_use_caps_for_id:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3441,41 +3512,41 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3445 "util/configparser.c" /* yacc.c:1646 */
+#line 3516 "util/configparser.c" /* yacc.c:1646 */
break;
- case 282:
-#line 1137 "util/configparser.y" /* yacc.c:1646 */
+ case 292:
+#line 1165 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_caps_whitelist:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->caps_whitelist, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 3455 "util/configparser.c" /* yacc.c:1646 */
+#line 3526 "util/configparser.c" /* yacc.c:1646 */
break;
- case 283:
-#line 1144 "util/configparser.y" /* yacc.c:1646 */
+ case 293:
+#line 1172 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_private_address:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->private_address, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 3465 "util/configparser.c" /* yacc.c:1646 */
+#line 3536 "util/configparser.c" /* yacc.c:1646 */
break;
- case 284:
-#line 1151 "util/configparser.y" /* yacc.c:1646 */
+ case 294:
+#line 1179 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_private_domain:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->private_domain, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 3475 "util/configparser.c" /* yacc.c:1646 */
+#line 3546 "util/configparser.c" /* yacc.c:1646 */
break;
- case 285:
-#line 1158 "util/configparser.y" /* yacc.c:1646 */
+ case 295:
+#line 1186 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_prefetch:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3483,11 +3554,11 @@ yyreduce:
else cfg_parser->cfg->prefetch = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3487 "util/configparser.c" /* yacc.c:1646 */
+#line 3558 "util/configparser.c" /* yacc.c:1646 */
break;
- case 286:
-#line 1167 "util/configparser.y" /* yacc.c:1646 */
+ case 296:
+#line 1195 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_prefetch_key:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3495,11 +3566,11 @@ yyreduce:
else cfg_parser->cfg->prefetch_key = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3499 "util/configparser.c" /* yacc.c:1646 */
+#line 3570 "util/configparser.c" /* yacc.c:1646 */
break;
- case 287:
-#line 1176 "util/configparser.y" /* yacc.c:1646 */
+ case 297:
+#line 1204 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_unwanted_reply_threshold:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -3507,21 +3578,21 @@ yyreduce:
else cfg_parser->cfg->unwanted_threshold = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3511 "util/configparser.c" /* yacc.c:1646 */
+#line 3582 "util/configparser.c" /* yacc.c:1646 */
break;
- case 288:
-#line 1185 "util/configparser.y" /* yacc.c:1646 */
+ case 298:
+#line 1213 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_do_not_query_address:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->donotqueryaddrs, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 3521 "util/configparser.c" /* yacc.c:1646 */
+#line 3592 "util/configparser.c" /* yacc.c:1646 */
break;
- case 289:
-#line 1192 "util/configparser.y" /* yacc.c:1646 */
+ case 299:
+#line 1220 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_do_not_query_localhost:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3530,11 +3601,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3534 "util/configparser.c" /* yacc.c:1646 */
+#line 3605 "util/configparser.c" /* yacc.c:1646 */
break;
- case 290:
-#line 1202 "util/configparser.y" /* yacc.c:1646 */
+ case 300:
+#line 1230 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_access_control:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "deny")!=0 && strcmp((yyvsp[0].str), "refuse")!=0 &&
@@ -3550,21 +3621,21 @@ yyreduce:
fatal_exit("out of memory adding acl");
}
}
-#line 3554 "util/configparser.c" /* yacc.c:1646 */
+#line 3625 "util/configparser.c" /* yacc.c:1646 */
break;
- case 291:
-#line 1219 "util/configparser.y" /* yacc.c:1646 */
+ case 301:
+#line 1247 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_module_conf:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->module_conf);
cfg_parser->cfg->module_conf = (yyvsp[0].str);
}
-#line 3564 "util/configparser.c" /* yacc.c:1646 */
+#line 3635 "util/configparser.c" /* yacc.c:1646 */
break;
- case 292:
-#line 1226 "util/configparser.y" /* yacc.c:1646 */
+ case 302:
+#line 1254 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_val_override_date:%s)\n", (yyvsp[0].str)));
if(*(yyvsp[0].str) == '\0' || strcmp((yyvsp[0].str), "0") == 0) {
@@ -3581,11 +3652,11 @@ yyreduce:
}
free((yyvsp[0].str));
}
-#line 3585 "util/configparser.c" /* yacc.c:1646 */
+#line 3656 "util/configparser.c" /* yacc.c:1646 */
break;
- case 293:
-#line 1244 "util/configparser.y" /* yacc.c:1646 */
+ case 303:
+#line 1272 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_val_sig_skew_min:%s)\n", (yyvsp[0].str)));
if(*(yyvsp[0].str) == '\0' || strcmp((yyvsp[0].str), "0") == 0) {
@@ -3597,11 +3668,11 @@ yyreduce:
}
free((yyvsp[0].str));
}
-#line 3601 "util/configparser.c" /* yacc.c:1646 */
+#line 3672 "util/configparser.c" /* yacc.c:1646 */
break;
- case 294:
-#line 1257 "util/configparser.y" /* yacc.c:1646 */
+ case 304:
+#line 1285 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_val_sig_skew_max:%s)\n", (yyvsp[0].str)));
if(*(yyvsp[0].str) == '\0' || strcmp((yyvsp[0].str), "0") == 0) {
@@ -3613,11 +3684,11 @@ yyreduce:
}
free((yyvsp[0].str));
}
-#line 3617 "util/configparser.c" /* yacc.c:1646 */
+#line 3688 "util/configparser.c" /* yacc.c:1646 */
break;
- case 295:
-#line 1270 "util/configparser.y" /* yacc.c:1646 */
+ case 305:
+#line 1298 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_cache_max_ttl:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -3625,11 +3696,11 @@ yyreduce:
else cfg_parser->cfg->max_ttl = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3629 "util/configparser.c" /* yacc.c:1646 */
+#line 3700 "util/configparser.c" /* yacc.c:1646 */
break;
- case 296:
-#line 1279 "util/configparser.y" /* yacc.c:1646 */
+ case 306:
+#line 1307 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_cache_max_negative_ttl:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -3637,11 +3708,11 @@ yyreduce:
else cfg_parser->cfg->max_negative_ttl = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3641 "util/configparser.c" /* yacc.c:1646 */
+#line 3712 "util/configparser.c" /* yacc.c:1646 */
break;
- case 297:
-#line 1288 "util/configparser.y" /* yacc.c:1646 */
+ case 307:
+#line 1316 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_cache_min_ttl:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -3649,11 +3720,11 @@ yyreduce:
else cfg_parser->cfg->min_ttl = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3653 "util/configparser.c" /* yacc.c:1646 */
+#line 3724 "util/configparser.c" /* yacc.c:1646 */
break;
- case 298:
-#line 1297 "util/configparser.y" /* yacc.c:1646 */
+ case 308:
+#line 1325 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_bogus_ttl:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -3661,11 +3732,11 @@ yyreduce:
else cfg_parser->cfg->bogus_ttl = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3665 "util/configparser.c" /* yacc.c:1646 */
+#line 3736 "util/configparser.c" /* yacc.c:1646 */
break;
- case 299:
-#line 1306 "util/configparser.y" /* yacc.c:1646 */
+ case 309:
+#line 1334 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_val_clean_additional:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3674,11 +3745,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3678 "util/configparser.c" /* yacc.c:1646 */
+#line 3749 "util/configparser.c" /* yacc.c:1646 */
break;
- case 300:
-#line 1316 "util/configparser.y" /* yacc.c:1646 */
+ case 310:
+#line 1344 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_val_permissive_mode:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3687,11 +3758,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3691 "util/configparser.c" /* yacc.c:1646 */
+#line 3762 "util/configparser.c" /* yacc.c:1646 */
break;
- case 301:
-#line 1326 "util/configparser.y" /* yacc.c:1646 */
+ case 311:
+#line 1354 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ignore_cd_flag:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3699,11 +3770,11 @@ yyreduce:
else cfg_parser->cfg->ignore_cd = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3703 "util/configparser.c" /* yacc.c:1646 */
+#line 3774 "util/configparser.c" /* yacc.c:1646 */
break;
- case 302:
-#line 1335 "util/configparser.y" /* yacc.c:1646 */
+ case 312:
+#line 1363 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_serve_expired:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3711,11 +3782,11 @@ yyreduce:
else cfg_parser->cfg->serve_expired = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3715 "util/configparser.c" /* yacc.c:1646 */
+#line 3786 "util/configparser.c" /* yacc.c:1646 */
break;
- case 303:
-#line 1344 "util/configparser.y" /* yacc.c:1646 */
+ case 313:
+#line 1372 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_fake_dsa:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3727,11 +3798,11 @@ yyreduce:
#endif
free((yyvsp[0].str));
}
-#line 3731 "util/configparser.c" /* yacc.c:1646 */
+#line 3802 "util/configparser.c" /* yacc.c:1646 */
break;
- case 304:
-#line 1357 "util/configparser.y" /* yacc.c:1646 */
+ case 314:
+#line 1385 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_fake_sha1:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3743,11 +3814,11 @@ yyreduce:
#endif
free((yyvsp[0].str));
}
-#line 3747 "util/configparser.c" /* yacc.c:1646 */
+#line 3818 "util/configparser.c" /* yacc.c:1646 */
break;
- case 305:
-#line 1370 "util/configparser.y" /* yacc.c:1646 */
+ case 315:
+#line 1398 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_val_log_level:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -3755,21 +3826,21 @@ yyreduce:
else cfg_parser->cfg->val_log_level = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3759 "util/configparser.c" /* yacc.c:1646 */
+#line 3830 "util/configparser.c" /* yacc.c:1646 */
break;
- case 306:
-#line 1379 "util/configparser.y" /* yacc.c:1646 */
+ case 316:
+#line 1407 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_val_nsec3_keysize_iterations:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->val_nsec3_key_iterations);
cfg_parser->cfg->val_nsec3_key_iterations = (yyvsp[0].str);
}
-#line 3769 "util/configparser.c" /* yacc.c:1646 */
+#line 3840 "util/configparser.c" /* yacc.c:1646 */
break;
- case 307:
-#line 1386 "util/configparser.y" /* yacc.c:1646 */
+ case 317:
+#line 1414 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_add_holddown:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -3777,11 +3848,11 @@ yyreduce:
else cfg_parser->cfg->add_holddown = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3781 "util/configparser.c" /* yacc.c:1646 */
+#line 3852 "util/configparser.c" /* yacc.c:1646 */
break;
- case 308:
-#line 1395 "util/configparser.y" /* yacc.c:1646 */
+ case 318:
+#line 1423 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_del_holddown:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -3789,11 +3860,11 @@ yyreduce:
else cfg_parser->cfg->del_holddown = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3793 "util/configparser.c" /* yacc.c:1646 */
+#line 3864 "util/configparser.c" /* yacc.c:1646 */
break;
- case 309:
-#line 1404 "util/configparser.y" /* yacc.c:1646 */
+ case 319:
+#line 1432 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_keep_missing:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -3801,11 +3872,11 @@ yyreduce:
else cfg_parser->cfg->keep_missing = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3805 "util/configparser.c" /* yacc.c:1646 */
+#line 3876 "util/configparser.c" /* yacc.c:1646 */
break;
- case 310:
-#line 1413 "util/configparser.y" /* yacc.c:1646 */
+ case 320:
+#line 1441 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_permit_small_holddown:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3814,22 +3885,22 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3818 "util/configparser.c" /* yacc.c:1646 */
+#line 3889 "util/configparser.c" /* yacc.c:1646 */
break;
- case 311:
-#line 1422 "util/configparser.y" /* yacc.c:1646 */
+ case 321:
+#line 1450 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_key_cache_size:%s)\n", (yyvsp[0].str)));
if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->key_cache_size))
yyerror("memory size expected");
free((yyvsp[0].str));
}
-#line 3829 "util/configparser.c" /* yacc.c:1646 */
+#line 3900 "util/configparser.c" /* yacc.c:1646 */
break;
- case 312:
-#line 1430 "util/configparser.y" /* yacc.c:1646 */
+ case 322:
+#line 1458 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_key_cache_slabs:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0)
@@ -3841,22 +3912,22 @@ yyreduce:
}
free((yyvsp[0].str));
}
-#line 3845 "util/configparser.c" /* yacc.c:1646 */
+#line 3916 "util/configparser.c" /* yacc.c:1646 */
break;
- case 313:
-#line 1443 "util/configparser.y" /* yacc.c:1646 */
+ case 323:
+#line 1471 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_neg_cache_size:%s)\n", (yyvsp[0].str)));
if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->neg_cache_size))
yyerror("memory size expected");
free((yyvsp[0].str));
}
-#line 3856 "util/configparser.c" /* yacc.c:1646 */
+#line 3927 "util/configparser.c" /* yacc.c:1646 */
break;
- case 314:
-#line 1451 "util/configparser.y" /* yacc.c:1646 */
+ case 324:
+#line 1479 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_local_zone:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "static")!=0 && strcmp((yyvsp[0].str), "deny")!=0 &&
@@ -3883,21 +3954,21 @@ yyreduce:
fatal_exit("out of memory adding local-zone");
}
}
-#line 3887 "util/configparser.c" /* yacc.c:1646 */
+#line 3958 "util/configparser.c" /* yacc.c:1646 */
break;
- case 315:
-#line 1479 "util/configparser.y" /* yacc.c:1646 */
+ case 325:
+#line 1507 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_local_data:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->local_data, (yyvsp[0].str)))
fatal_exit("out of memory adding local-data");
}
-#line 3897 "util/configparser.c" /* yacc.c:1646 */
+#line 3968 "util/configparser.c" /* yacc.c:1646 */
break;
- case 316:
-#line 1486 "util/configparser.y" /* yacc.c:1646 */
+ case 326:
+#line 1514 "util/configparser.y" /* yacc.c:1646 */
{
char* ptr;
OUTYY(("P(server_local_data_ptr:%s)\n", (yyvsp[0].str)));
@@ -3911,11 +3982,11 @@ yyreduce:
yyerror("local-data-ptr could not be reversed");
}
}
-#line 3915 "util/configparser.c" /* yacc.c:1646 */
+#line 3986 "util/configparser.c" /* yacc.c:1646 */
break;
- case 317:
-#line 1501 "util/configparser.y" /* yacc.c:1646 */
+ case 327:
+#line 1529 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_minimal_responses:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3924,11 +3995,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3928 "util/configparser.c" /* yacc.c:1646 */
+#line 3999 "util/configparser.c" /* yacc.c:1646 */
break;
- case 318:
-#line 1511 "util/configparser.y" /* yacc.c:1646 */
+ case 328:
+#line 1539 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_rrset_roundrobin:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3937,31 +4008,31 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3941 "util/configparser.c" /* yacc.c:1646 */
+#line 4012 "util/configparser.c" /* yacc.c:1646 */
break;
- case 319:
-#line 1521 "util/configparser.y" /* yacc.c:1646 */
+ case 329:
+#line 1549 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_max_udp_size:%s)\n", (yyvsp[0].str)));
cfg_parser->cfg->max_udp_size = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 3951 "util/configparser.c" /* yacc.c:1646 */
+#line 4022 "util/configparser.c" /* yacc.c:1646 */
break;
- case 320:
-#line 1528 "util/configparser.y" /* yacc.c:1646 */
+ case 330:
+#line 1556 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dns64_prefix:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->dns64_prefix);
cfg_parser->cfg->dns64_prefix = (yyvsp[0].str);
}
-#line 3961 "util/configparser.c" /* yacc.c:1646 */
+#line 4032 "util/configparser.c" /* yacc.c:1646 */
break;
- case 321:
-#line 1535 "util/configparser.y" /* yacc.c:1646 */
+ case 331:
+#line 1563 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_dns64_synthall:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -3969,11 +4040,11 @@ yyreduce:
else cfg_parser->cfg->dns64_synthall = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 3973 "util/configparser.c" /* yacc.c:1646 */
+#line 4044 "util/configparser.c" /* yacc.c:1646 */
break;
- case 322:
-#line 1544 "util/configparser.y" /* yacc.c:1646 */
+ case 332:
+#line 1572 "util/configparser.y" /* yacc.c:1646 */
{
char* p, *s = (yyvsp[0].str);
OUTYY(("P(server_define_tag:%s)\n", (yyvsp[0].str)));
@@ -3986,11 +4057,11 @@ yyreduce:
}
free((yyvsp[0].str));
}
-#line 3990 "util/configparser.c" /* yacc.c:1646 */
+#line 4061 "util/configparser.c" /* yacc.c:1646 */
break;
- case 323:
-#line 1558 "util/configparser.y" /* yacc.c:1646 */
+ case 333:
+#line 1586 "util/configparser.y" /* yacc.c:1646 */
{
size_t len = 0;
uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, (yyvsp[0].str),
@@ -4008,11 +4079,11 @@ yyreduce:
}
}
}
-#line 4012 "util/configparser.c" /* yacc.c:1646 */
+#line 4083 "util/configparser.c" /* yacc.c:1646 */
break;
- case 324:
-#line 1577 "util/configparser.y" /* yacc.c:1646 */
+ case 334:
+#line 1605 "util/configparser.y" /* yacc.c:1646 */
{
size_t len = 0;
uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, (yyvsp[0].str),
@@ -4030,11 +4101,11 @@ yyreduce:
}
}
}
-#line 4034 "util/configparser.c" /* yacc.c:1646 */
+#line 4105 "util/configparser.c" /* yacc.c:1646 */
break;
- case 325:
-#line 1596 "util/configparser.y" /* yacc.c:1646 */
+ case 335:
+#line 1624 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_access_control_tag_action:%s %s %s)\n", (yyvsp[-2].str), (yyvsp[-1].str), (yyvsp[0].str)));
if(!cfg_str3list_insert(&cfg_parser->cfg->acl_tag_actions,
@@ -4045,11 +4116,11 @@ yyreduce:
free((yyvsp[0].str));
}
}
-#line 4049 "util/configparser.c" /* yacc.c:1646 */
+#line 4120 "util/configparser.c" /* yacc.c:1646 */
break;
- case 326:
-#line 1608 "util/configparser.y" /* yacc.c:1646 */
+ case 336:
+#line 1636 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_access_control_tag_data:%s %s %s)\n", (yyvsp[-2].str), (yyvsp[-1].str), (yyvsp[0].str)));
if(!cfg_str3list_insert(&cfg_parser->cfg->acl_tag_datas,
@@ -4060,11 +4131,11 @@ yyreduce:
free((yyvsp[0].str));
}
}
-#line 4064 "util/configparser.c" /* yacc.c:1646 */
+#line 4135 "util/configparser.c" /* yacc.c:1646 */
break;
- case 327:
-#line 1620 "util/configparser.y" /* yacc.c:1646 */
+ case 337:
+#line 1648 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_local_zone_override:%s %s %s)\n", (yyvsp[-2].str), (yyvsp[-1].str), (yyvsp[0].str)));
if(!cfg_str3list_insert(&cfg_parser->cfg->local_zone_overrides,
@@ -4075,11 +4146,11 @@ yyreduce:
free((yyvsp[0].str));
}
}
-#line 4079 "util/configparser.c" /* yacc.c:1646 */
+#line 4150 "util/configparser.c" /* yacc.c:1646 */
break;
- case 328:
-#line 1632 "util/configparser.y" /* yacc.c:1646 */
+ case 338:
+#line 1660 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_access_control_view:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str)));
if(!cfg_str2list_insert(&cfg_parser->cfg->acl_view,
@@ -4089,11 +4160,11 @@ yyreduce:
free((yyvsp[0].str));
}
}
-#line 4093 "util/configparser.c" /* yacc.c:1646 */
+#line 4164 "util/configparser.c" /* yacc.c:1646 */
break;
- case 329:
-#line 1643 "util/configparser.y" /* yacc.c:1646 */
+ case 339:
+#line 1671 "util/configparser.y" /* yacc.c:1646 */
{
size_t len = 0;
uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, (yyvsp[0].str),
@@ -4111,11 +4182,11 @@ yyreduce:
}
}
}
-#line 4115 "util/configparser.c" /* yacc.c:1646 */
+#line 4186 "util/configparser.c" /* yacc.c:1646 */
break;
- case 330:
-#line 1662 "util/configparser.y" /* yacc.c:1646 */
+ case 340:
+#line 1690 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ip_ratelimit:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -4123,11 +4194,11 @@ yyreduce:
else cfg_parser->cfg->ip_ratelimit = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 4127 "util/configparser.c" /* yacc.c:1646 */
+#line 4198 "util/configparser.c" /* yacc.c:1646 */
break;
- case 331:
-#line 1672 "util/configparser.y" /* yacc.c:1646 */
+ case 341:
+#line 1700 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ratelimit:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -4135,33 +4206,33 @@ yyreduce:
else cfg_parser->cfg->ratelimit = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 4139 "util/configparser.c" /* yacc.c:1646 */
+#line 4210 "util/configparser.c" /* yacc.c:1646 */
break;
- case 332:
-#line 1681 "util/configparser.y" /* yacc.c:1646 */
+ case 342:
+#line 1709 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ip_ratelimit_size:%s)\n", (yyvsp[0].str)));
if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->ip_ratelimit_size))
yyerror("memory size expected");
free((yyvsp[0].str));
}
-#line 4150 "util/configparser.c" /* yacc.c:1646 */
+#line 4221 "util/configparser.c" /* yacc.c:1646 */
break;
- case 333:
-#line 1689 "util/configparser.y" /* yacc.c:1646 */
+ case 343:
+#line 1717 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ratelimit_size:%s)\n", (yyvsp[0].str)));
if(!cfg_parse_memsize((yyvsp[0].str), &cfg_parser->cfg->ratelimit_size))
yyerror("memory size expected");
free((yyvsp[0].str));
}
-#line 4161 "util/configparser.c" /* yacc.c:1646 */
+#line 4232 "util/configparser.c" /* yacc.c:1646 */
break;
- case 334:
-#line 1697 "util/configparser.y" /* yacc.c:1646 */
+ case 344:
+#line 1725 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ip_ratelimit_slabs:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0)
@@ -4173,11 +4244,11 @@ yyreduce:
}
free((yyvsp[0].str));
}
-#line 4177 "util/configparser.c" /* yacc.c:1646 */
+#line 4248 "util/configparser.c" /* yacc.c:1646 */
break;
- case 335:
-#line 1710 "util/configparser.y" /* yacc.c:1646 */
+ case 345:
+#line 1738 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ratelimit_slabs:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0)
@@ -4189,11 +4260,11 @@ yyreduce:
}
free((yyvsp[0].str));
}
-#line 4193 "util/configparser.c" /* yacc.c:1646 */
+#line 4264 "util/configparser.c" /* yacc.c:1646 */
break;
- case 336:
-#line 1723 "util/configparser.y" /* yacc.c:1646 */
+ case 346:
+#line 1751 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ratelimit_for_domain:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) {
@@ -4205,11 +4276,11 @@ yyreduce:
"ratelimit-for-domain");
}
}
-#line 4209 "util/configparser.c" /* yacc.c:1646 */
+#line 4280 "util/configparser.c" /* yacc.c:1646 */
break;
- case 337:
-#line 1736 "util/configparser.y" /* yacc.c:1646 */
+ case 347:
+#line 1764 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ratelimit_below_domain:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0) {
@@ -4221,11 +4292,11 @@ yyreduce:
"ratelimit-below-domain");
}
}
-#line 4225 "util/configparser.c" /* yacc.c:1646 */
+#line 4296 "util/configparser.c" /* yacc.c:1646 */
break;
- case 338:
-#line 1749 "util/configparser.y" /* yacc.c:1646 */
+ case 348:
+#line 1777 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ip_ratelimit_factor:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -4233,11 +4304,11 @@ yyreduce:
else cfg_parser->cfg->ip_ratelimit_factor = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 4237 "util/configparser.c" /* yacc.c:1646 */
+#line 4308 "util/configparser.c" /* yacc.c:1646 */
break;
- case 339:
-#line 1758 "util/configparser.y" /* yacc.c:1646 */
+ case 349:
+#line 1786 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_ratelimit_factor:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
@@ -4245,11 +4316,11 @@ yyreduce:
else cfg_parser->cfg->ratelimit_factor = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 4249 "util/configparser.c" /* yacc.c:1646 */
+#line 4320 "util/configparser.c" /* yacc.c:1646 */
break;
- case 340:
-#line 1767 "util/configparser.y" /* yacc.c:1646 */
+ case 350:
+#line 1795 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_qname_minimisation:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4258,11 +4329,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 4262 "util/configparser.c" /* yacc.c:1646 */
+#line 4333 "util/configparser.c" /* yacc.c:1646 */
break;
- case 341:
-#line 1777 "util/configparser.y" /* yacc.c:1646 */
+ case 351:
+#line 1805 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_qname_minimisation_strict:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4271,11 +4342,103 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 4275 "util/configparser.c" /* yacc.c:1646 */
+#line 4346 "util/configparser.c" /* yacc.c:1646 */
break;
- case 342:
-#line 1787 "util/configparser.y" /* yacc.c:1646 */
+ case 352:
+#line 1815 "util/configparser.y" /* yacc.c:1646 */
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_enabled:%s)\n", (yyvsp[0].str)));
+ if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->ipsecmod_enabled = (strcmp((yyvsp[0].str), "yes")==0);
+ free((yyvsp[0].str));
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+#line 4362 "util/configparser.c" /* yacc.c:1646 */
+ break;
+
+ case 353:
+#line 1828 "util/configparser.y" /* yacc.c:1646 */
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_ignore_bogus:%s)\n", (yyvsp[0].str)));
+ if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->ipsecmod_ignore_bogus = (strcmp((yyvsp[0].str), "yes")==0);
+ free((yyvsp[0].str));
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+#line 4378 "util/configparser.c" /* yacc.c:1646 */
+ break;
+
+ case 354:
+#line 1841 "util/configparser.y" /* yacc.c:1646 */
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_hook:%s)\n", (yyvsp[0].str)));
+ free(cfg_parser->cfg->ipsecmod_hook);
+ cfg_parser->cfg->ipsecmod_hook = (yyvsp[0].str);
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+#line 4392 "util/configparser.c" /* yacc.c:1646 */
+ break;
+
+ case 355:
+#line 1852 "util/configparser.y" /* yacc.c:1646 */
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_max_ttl:%s)\n", (yyvsp[0].str)));
+ if(atoi((yyvsp[0].str)) == 0 && strcmp((yyvsp[0].str), "0") != 0)
+ yyerror("number expected");
+ else cfg_parser->cfg->ipsecmod_max_ttl = atoi((yyvsp[0].str));
+ free((yyvsp[0].str));
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+#line 4408 "util/configparser.c" /* yacc.c:1646 */
+ break;
+
+ case 356:
+#line 1865 "util/configparser.y" /* yacc.c:1646 */
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_whitelist:%s)\n", (yyvsp[0].str)));
+ if(!cfg_strlist_insert(&cfg_parser->cfg->ipsecmod_whitelist, (yyvsp[0].str)))
+ yyerror("out of memory");
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+#line 4422 "util/configparser.c" /* yacc.c:1646 */
+ break;
+
+ case 357:
+#line 1876 "util/configparser.y" /* yacc.c:1646 */
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_strict:%s)\n", (yyvsp[0].str)));
+ if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->ipsecmod_strict = (strcmp((yyvsp[0].str), "yes")==0);
+ free((yyvsp[0].str));
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+#line 4438 "util/configparser.c" /* yacc.c:1646 */
+ break;
+
+ case 358:
+#line 1889 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(name:%s)\n", (yyvsp[0].str)));
if(cfg_parser->cfg->stubs->name)
@@ -4284,31 +4447,31 @@ yyreduce:
free(cfg_parser->cfg->stubs->name);
cfg_parser->cfg->stubs->name = (yyvsp[0].str);
}
-#line 4288 "util/configparser.c" /* yacc.c:1646 */
+#line 4451 "util/configparser.c" /* yacc.c:1646 */
break;
- case 343:
-#line 1797 "util/configparser.y" /* yacc.c:1646 */
+ case 359:
+#line 1899 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(stub-host:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->hosts, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 4298 "util/configparser.c" /* yacc.c:1646 */
+#line 4461 "util/configparser.c" /* yacc.c:1646 */
break;
- case 344:
-#line 1804 "util/configparser.y" /* yacc.c:1646 */
+ case 360:
+#line 1906 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(stub-addr:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->addrs, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 4308 "util/configparser.c" /* yacc.c:1646 */
+#line 4471 "util/configparser.c" /* yacc.c:1646 */
break;
- case 345:
-#line 1811 "util/configparser.y" /* yacc.c:1646 */
+ case 361:
+#line 1913 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(stub-first:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4316,11 +4479,11 @@ yyreduce:
else cfg_parser->cfg->stubs->isfirst=(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 4320 "util/configparser.c" /* yacc.c:1646 */
+#line 4483 "util/configparser.c" /* yacc.c:1646 */
break;
- case 346:
-#line 1820 "util/configparser.y" /* yacc.c:1646 */
+ case 362:
+#line 1922 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(stub-ssl-upstream:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4329,11 +4492,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 4333 "util/configparser.c" /* yacc.c:1646 */
+#line 4496 "util/configparser.c" /* yacc.c:1646 */
break;
- case 347:
-#line 1830 "util/configparser.y" /* yacc.c:1646 */
+ case 363:
+#line 1932 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(stub-prime:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4342,11 +4505,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 4346 "util/configparser.c" /* yacc.c:1646 */
+#line 4509 "util/configparser.c" /* yacc.c:1646 */
break;
- case 348:
-#line 1840 "util/configparser.y" /* yacc.c:1646 */
+ case 364:
+#line 1942 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(name:%s)\n", (yyvsp[0].str)));
if(cfg_parser->cfg->forwards->name)
@@ -4355,31 +4518,31 @@ yyreduce:
free(cfg_parser->cfg->forwards->name);
cfg_parser->cfg->forwards->name = (yyvsp[0].str);
}
-#line 4359 "util/configparser.c" /* yacc.c:1646 */
+#line 4522 "util/configparser.c" /* yacc.c:1646 */
break;
- case 349:
-#line 1850 "util/configparser.y" /* yacc.c:1646 */
+ case 365:
+#line 1952 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(forward-host:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->hosts, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 4369 "util/configparser.c" /* yacc.c:1646 */
+#line 4532 "util/configparser.c" /* yacc.c:1646 */
break;
- case 350:
-#line 1857 "util/configparser.y" /* yacc.c:1646 */
+ case 366:
+#line 1959 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(forward-addr:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->addrs, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 4379 "util/configparser.c" /* yacc.c:1646 */
+#line 4542 "util/configparser.c" /* yacc.c:1646 */
break;
- case 351:
-#line 1864 "util/configparser.y" /* yacc.c:1646 */
+ case 367:
+#line 1966 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(forward-first:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4387,11 +4550,11 @@ yyreduce:
else cfg_parser->cfg->forwards->isfirst=(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 4391 "util/configparser.c" /* yacc.c:1646 */
+#line 4554 "util/configparser.c" /* yacc.c:1646 */
break;
- case 352:
-#line 1873 "util/configparser.y" /* yacc.c:1646 */
+ case 368:
+#line 1975 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(forward-ssl-upstream:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4400,11 +4563,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 4404 "util/configparser.c" /* yacc.c:1646 */
+#line 4567 "util/configparser.c" /* yacc.c:1646 */
break;
- case 353:
-#line 1883 "util/configparser.y" /* yacc.c:1646 */
+ case 369:
+#line 1985 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(name:%s)\n", (yyvsp[0].str)));
if(cfg_parser->cfg->views->name)
@@ -4413,11 +4576,11 @@ yyreduce:
free(cfg_parser->cfg->views->name);
cfg_parser->cfg->views->name = (yyvsp[0].str);
}
-#line 4417 "util/configparser.c" /* yacc.c:1646 */
+#line 4580 "util/configparser.c" /* yacc.c:1646 */
break;
- case 354:
-#line 1893 "util/configparser.y" /* yacc.c:1646 */
+ case 370:
+#line 1995 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(view_local_zone:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "static")!=0 && strcmp((yyvsp[0].str), "deny")!=0 &&
@@ -4445,11 +4608,11 @@ yyreduce:
fatal_exit("out of memory adding local-zone");
}
}
-#line 4449 "util/configparser.c" /* yacc.c:1646 */
+#line 4612 "util/configparser.c" /* yacc.c:1646 */
break;
- case 355:
-#line 1922 "util/configparser.y" /* yacc.c:1646 */
+ case 371:
+#line 2024 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(view_response_ip:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str)));
validate_respip_action((yyvsp[0].str));
@@ -4458,22 +4621,22 @@ yyreduce:
fatal_exit("out of memory adding per-view "
"response-ip action");
}
-#line 4462 "util/configparser.c" /* yacc.c:1646 */
+#line 4625 "util/configparser.c" /* yacc.c:1646 */
break;
- case 356:
-#line 1932 "util/configparser.y" /* yacc.c:1646 */
+ case 372:
+#line 2034 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(view_response_ip_data:%s)\n", (yyvsp[-1].str)));
if(!cfg_str2list_insert(
&cfg_parser->cfg->views->respip_data, (yyvsp[-1].str), (yyvsp[0].str)))
fatal_exit("out of memory adding response-ip-data");
}
-#line 4473 "util/configparser.c" /* yacc.c:1646 */
+#line 4636 "util/configparser.c" /* yacc.c:1646 */
break;
- case 357:
-#line 1940 "util/configparser.y" /* yacc.c:1646 */
+ case 373:
+#line 2042 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(view_local_data:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->views->local_data, (yyvsp[0].str))) {
@@ -4481,11 +4644,11 @@ yyreduce:
free((yyvsp[0].str));
}
}
-#line 4485 "util/configparser.c" /* yacc.c:1646 */
+#line 4648 "util/configparser.c" /* yacc.c:1646 */
break;
- case 358:
-#line 1949 "util/configparser.y" /* yacc.c:1646 */
+ case 374:
+#line 2051 "util/configparser.y" /* yacc.c:1646 */
{
char* ptr;
OUTYY(("P(view_local_data_ptr:%s)\n", (yyvsp[0].str)));
@@ -4499,11 +4662,11 @@ yyreduce:
yyerror("local-data-ptr could not be reversed");
}
}
-#line 4503 "util/configparser.c" /* yacc.c:1646 */
+#line 4666 "util/configparser.c" /* yacc.c:1646 */
break;
- case 359:
-#line 1964 "util/configparser.y" /* yacc.c:1646 */
+ case 375:
+#line 2066 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(view-first:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4511,19 +4674,19 @@ yyreduce:
else cfg_parser->cfg->views->isfirst=(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 4515 "util/configparser.c" /* yacc.c:1646 */
+#line 4678 "util/configparser.c" /* yacc.c:1646 */
break;
- case 360:
-#line 1973 "util/configparser.y" /* yacc.c:1646 */
+ case 376:
+#line 2075 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("\nP(remote-control:)\n"));
}
-#line 4523 "util/configparser.c" /* yacc.c:1646 */
+#line 4686 "util/configparser.c" /* yacc.c:1646 */
break;
- case 371:
-#line 1984 "util/configparser.y" /* yacc.c:1646 */
+ case 387:
+#line 2086 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(control_enable:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4532,11 +4695,11 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 4536 "util/configparser.c" /* yacc.c:1646 */
+#line 4699 "util/configparser.c" /* yacc.c:1646 */
break;
- case 372:
-#line 1994 "util/configparser.y" /* yacc.c:1646 */
+ case 388:
+#line 2096 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(control_port:%s)\n", (yyvsp[0].str)));
if(atoi((yyvsp[0].str)) == 0)
@@ -4544,21 +4707,21 @@ yyreduce:
else cfg_parser->cfg->control_port = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 4548 "util/configparser.c" /* yacc.c:1646 */
+#line 4711 "util/configparser.c" /* yacc.c:1646 */
break;
- case 373:
-#line 2003 "util/configparser.y" /* yacc.c:1646 */
+ case 389:
+#line 2105 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(control_interface:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->control_ifs, (yyvsp[0].str)))
yyerror("out of memory");
}
-#line 4558 "util/configparser.c" /* yacc.c:1646 */
+#line 4721 "util/configparser.c" /* yacc.c:1646 */
break;
- case 374:
-#line 2010 "util/configparser.y" /* yacc.c:1646 */
+ case 390:
+#line 2112 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(control_use_cert:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4567,122 +4730,122 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 4571 "util/configparser.c" /* yacc.c:1646 */
+#line 4734 "util/configparser.c" /* yacc.c:1646 */
break;
- case 375:
-#line 2020 "util/configparser.y" /* yacc.c:1646 */
+ case 391:
+#line 2122 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(rc_server_key_file:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->server_key_file);
cfg_parser->cfg->server_key_file = (yyvsp[0].str);
}
-#line 4581 "util/configparser.c" /* yacc.c:1646 */
+#line 4744 "util/configparser.c" /* yacc.c:1646 */
break;
- case 376:
-#line 2027 "util/configparser.y" /* yacc.c:1646 */
+ case 392:
+#line 2129 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(rc_server_cert_file:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->server_cert_file);
cfg_parser->cfg->server_cert_file = (yyvsp[0].str);
}
-#line 4591 "util/configparser.c" /* yacc.c:1646 */
+#line 4754 "util/configparser.c" /* yacc.c:1646 */
break;
- case 377:
-#line 2034 "util/configparser.y" /* yacc.c:1646 */
+ case 393:
+#line 2136 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(rc_control_key_file:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->control_key_file);
cfg_parser->cfg->control_key_file = (yyvsp[0].str);
}
-#line 4601 "util/configparser.c" /* yacc.c:1646 */
+#line 4764 "util/configparser.c" /* yacc.c:1646 */
break;
- case 378:
-#line 2041 "util/configparser.y" /* yacc.c:1646 */
+ case 394:
+#line 2143 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(rc_control_cert_file:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->control_cert_file);
cfg_parser->cfg->control_cert_file = (yyvsp[0].str);
}
-#line 4611 "util/configparser.c" /* yacc.c:1646 */
+#line 4774 "util/configparser.c" /* yacc.c:1646 */
break;
- case 379:
-#line 2048 "util/configparser.y" /* yacc.c:1646 */
+ case 395:
+#line 2150 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("\nP(dnstap:)\n"));
}
-#line 4619 "util/configparser.c" /* yacc.c:1646 */
+#line 4782 "util/configparser.c" /* yacc.c:1646 */
break;
- case 394:
-#line 2065 "util/configparser.y" /* yacc.c:1646 */
+ case 410:
+#line 2167 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dt_dnstap_enable:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->dnstap = (strcmp((yyvsp[0].str), "yes")==0);
}
-#line 4630 "util/configparser.c" /* yacc.c:1646 */
+#line 4793 "util/configparser.c" /* yacc.c:1646 */
break;
- case 395:
-#line 2073 "util/configparser.y" /* yacc.c:1646 */
+ case 411:
+#line 2175 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dt_dnstap_socket_path:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->dnstap_socket_path);
cfg_parser->cfg->dnstap_socket_path = (yyvsp[0].str);
}
-#line 4640 "util/configparser.c" /* yacc.c:1646 */
+#line 4803 "util/configparser.c" /* yacc.c:1646 */
break;
- case 396:
-#line 2080 "util/configparser.y" /* yacc.c:1646 */
+ case 412:
+#line 2182 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dt_dnstap_send_identity:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->dnstap_send_identity = (strcmp((yyvsp[0].str), "yes")==0);
}
-#line 4651 "util/configparser.c" /* yacc.c:1646 */
+#line 4814 "util/configparser.c" /* yacc.c:1646 */
break;
- case 397:
-#line 2088 "util/configparser.y" /* yacc.c:1646 */
+ case 413:
+#line 2190 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dt_dnstap_send_version:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->dnstap_send_version = (strcmp((yyvsp[0].str), "yes")==0);
}
-#line 4662 "util/configparser.c" /* yacc.c:1646 */
+#line 4825 "util/configparser.c" /* yacc.c:1646 */
break;
- case 398:
-#line 2096 "util/configparser.y" /* yacc.c:1646 */
+ case 414:
+#line 2198 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dt_dnstap_identity:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->dnstap_identity);
cfg_parser->cfg->dnstap_identity = (yyvsp[0].str);
}
-#line 4672 "util/configparser.c" /* yacc.c:1646 */
+#line 4835 "util/configparser.c" /* yacc.c:1646 */
break;
- case 399:
-#line 2103 "util/configparser.y" /* yacc.c:1646 */
+ case 415:
+#line 2205 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dt_dnstap_version:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->dnstap_version);
cfg_parser->cfg->dnstap_version = (yyvsp[0].str);
}
-#line 4682 "util/configparser.c" /* yacc.c:1646 */
+#line 4845 "util/configparser.c" /* yacc.c:1646 */
break;
- case 400:
-#line 2110 "util/configparser.y" /* yacc.c:1646 */
+ case 416:
+#line 2212 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dt_dnstap_log_resolver_query_messages:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4690,11 +4853,11 @@ yyreduce:
else cfg_parser->cfg->dnstap_log_resolver_query_messages =
(strcmp((yyvsp[0].str), "yes")==0);
}
-#line 4694 "util/configparser.c" /* yacc.c:1646 */
+#line 4857 "util/configparser.c" /* yacc.c:1646 */
break;
- case 401:
-#line 2119 "util/configparser.y" /* yacc.c:1646 */
+ case 417:
+#line 2221 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dt_dnstap_log_resolver_response_messages:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4702,11 +4865,11 @@ yyreduce:
else cfg_parser->cfg->dnstap_log_resolver_response_messages =
(strcmp((yyvsp[0].str), "yes")==0);
}
-#line 4706 "util/configparser.c" /* yacc.c:1646 */
+#line 4869 "util/configparser.c" /* yacc.c:1646 */
break;
- case 402:
-#line 2128 "util/configparser.y" /* yacc.c:1646 */
+ case 418:
+#line 2230 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dt_dnstap_log_client_query_messages:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4714,11 +4877,11 @@ yyreduce:
else cfg_parser->cfg->dnstap_log_client_query_messages =
(strcmp((yyvsp[0].str), "yes")==0);
}
-#line 4718 "util/configparser.c" /* yacc.c:1646 */
+#line 4881 "util/configparser.c" /* yacc.c:1646 */
break;
- case 403:
-#line 2137 "util/configparser.y" /* yacc.c:1646 */
+ case 419:
+#line 2239 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dt_dnstap_log_client_response_messages:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4726,11 +4889,11 @@ yyreduce:
else cfg_parser->cfg->dnstap_log_client_response_messages =
(strcmp((yyvsp[0].str), "yes")==0);
}
-#line 4730 "util/configparser.c" /* yacc.c:1646 */
+#line 4893 "util/configparser.c" /* yacc.c:1646 */
break;
- case 404:
-#line 2146 "util/configparser.y" /* yacc.c:1646 */
+ case 420:
+#line 2248 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dt_dnstap_log_forwarder_query_messages:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4738,11 +4901,11 @@ yyreduce:
else cfg_parser->cfg->dnstap_log_forwarder_query_messages =
(strcmp((yyvsp[0].str), "yes")==0);
}
-#line 4742 "util/configparser.c" /* yacc.c:1646 */
+#line 4905 "util/configparser.c" /* yacc.c:1646 */
break;
- case 405:
-#line 2155 "util/configparser.y" /* yacc.c:1646 */
+ case 421:
+#line 2257 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dt_dnstap_log_forwarder_response_messages:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4750,29 +4913,29 @@ yyreduce:
else cfg_parser->cfg->dnstap_log_forwarder_response_messages =
(strcmp((yyvsp[0].str), "yes")==0);
}
-#line 4754 "util/configparser.c" /* yacc.c:1646 */
+#line 4917 "util/configparser.c" /* yacc.c:1646 */
break;
- case 406:
-#line 2164 "util/configparser.y" /* yacc.c:1646 */
+ case 422:
+#line 2266 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("\nP(python:)\n"));
}
-#line 4762 "util/configparser.c" /* yacc.c:1646 */
+#line 4925 "util/configparser.c" /* yacc.c:1646 */
break;
- case 410:
-#line 2173 "util/configparser.y" /* yacc.c:1646 */
+ case 426:
+#line 2275 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(python-script:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->python_script);
cfg_parser->cfg->python_script = (yyvsp[0].str);
}
-#line 4772 "util/configparser.c" /* yacc.c:1646 */
+#line 4935 "util/configparser.c" /* yacc.c:1646 */
break;
- case 411:
-#line 2179 "util/configparser.y" /* yacc.c:1646 */
+ case 427:
+#line 2281 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(disable_dnssec_lame_check:%s)\n", (yyvsp[0].str)));
if (strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
@@ -4781,21 +4944,21 @@ yyreduce:
(strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
-#line 4785 "util/configparser.c" /* yacc.c:1646 */
+#line 4948 "util/configparser.c" /* yacc.c:1646 */
break;
- case 412:
-#line 2189 "util/configparser.y" /* yacc.c:1646 */
+ case 428:
+#line 2291 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_log_identity:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->log_identity);
cfg_parser->cfg->log_identity = (yyvsp[0].str);
}
-#line 4795 "util/configparser.c" /* yacc.c:1646 */
+#line 4958 "util/configparser.c" /* yacc.c:1646 */
break;
- case 413:
-#line 2196 "util/configparser.y" /* yacc.c:1646 */
+ case 429:
+#line 2298 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_response_ip:%s %s)\n", (yyvsp[-1].str), (yyvsp[0].str)));
validate_respip_action((yyvsp[0].str));
@@ -4803,42 +4966,43 @@ yyreduce:
(yyvsp[-1].str), (yyvsp[0].str)))
fatal_exit("out of memory adding response-ip");
}
-#line 4807 "util/configparser.c" /* yacc.c:1646 */
+#line 4970 "util/configparser.c" /* yacc.c:1646 */
break;
- case 414:
-#line 2205 "util/configparser.y" /* yacc.c:1646 */
+ case 430:
+#line 2307 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(server_response_ip_data:%s)\n", (yyvsp[-1].str)));
if(!cfg_str2list_insert(&cfg_parser->cfg->respip_data,
(yyvsp[-1].str), (yyvsp[0].str)))
fatal_exit("out of memory adding response-ip-data");
}
-#line 4818 "util/configparser.c" /* yacc.c:1646 */
+#line 4981 "util/configparser.c" /* yacc.c:1646 */
break;
- case 415:
-#line 2213 "util/configparser.y" /* yacc.c:1646 */
+ case 431:
+#line 2315 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("\nP(dnscrypt:)\n"));
OUTYY(("\nP(dnscrypt:)\n"));
}
-#line 4827 "util/configparser.c" /* yacc.c:1646 */
+#line 4990 "util/configparser.c" /* yacc.c:1646 */
break;
- case 423:
-#line 2225 "util/configparser.y" /* yacc.c:1646 */
+ case 439:
+#line 2327 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dnsc_dnscrypt_enable:%s)\n", (yyvsp[0].str)));
if(strcmp((yyvsp[0].str), "yes") != 0 && strcmp((yyvsp[0].str), "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->dnscrypt = (strcmp((yyvsp[0].str), "yes")==0);
+ free((yyvsp[0].str));
}
-#line 4838 "util/configparser.c" /* yacc.c:1646 */
+#line 5002 "util/configparser.c" /* yacc.c:1646 */
break;
- case 424:
-#line 2234 "util/configparser.y" /* yacc.c:1646 */
+ case 440:
+#line 2337 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dnsc_dnscrypt_port:%s)\n", (yyvsp[0].str)));
@@ -4847,41 +5011,41 @@ yyreduce:
else cfg_parser->cfg->dnscrypt_port = atoi((yyvsp[0].str));
free((yyvsp[0].str));
}
-#line 4851 "util/configparser.c" /* yacc.c:1646 */
+#line 5015 "util/configparser.c" /* yacc.c:1646 */
break;
- case 425:
-#line 2244 "util/configparser.y" /* yacc.c:1646 */
+ case 441:
+#line 2347 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dnsc_dnscrypt_provider:%s)\n", (yyvsp[0].str)));
free(cfg_parser->cfg->dnscrypt_provider);
cfg_parser->cfg->dnscrypt_provider = (yyvsp[0].str);
}
-#line 4861 "util/configparser.c" /* yacc.c:1646 */
+#line 5025 "util/configparser.c" /* yacc.c:1646 */
break;
- case 426:
-#line 2251 "util/configparser.y" /* yacc.c:1646 */
+ case 442:
+#line 2354 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dnsc_dnscrypt_provider_cert:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->dnscrypt_provider_cert, (yyvsp[0].str)))
fatal_exit("out of memory adding dnscrypt-provider-cert");
}
-#line 4871 "util/configparser.c" /* yacc.c:1646 */
+#line 5035 "util/configparser.c" /* yacc.c:1646 */
break;
- case 427:
-#line 2258 "util/configparser.y" /* yacc.c:1646 */
+ case 443:
+#line 2361 "util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(dnsc_dnscrypt_secret_key:%s)\n", (yyvsp[0].str)));
if(!cfg_strlist_insert(&cfg_parser->cfg->dnscrypt_secret_key, (yyvsp[0].str)))
fatal_exit("out of memory adding dnscrypt-secret-key");
}
-#line 4881 "util/configparser.c" /* yacc.c:1646 */
+#line 5045 "util/configparser.c" /* yacc.c:1646 */
break;
-#line 4885 "util/configparser.c" /* yacc.c:1646 */
+#line 5049 "util/configparser.c" /* yacc.c:1646 */
default: break;
}
/* User semantic actions sometimes alter yychar, and that requires
@@ -5109,7 +5273,7 @@ yyreturn:
#endif
return yyresult;
}
-#line 2264 "util/configparser.y" /* yacc.c:1906 */
+#line 2367 "util/configparser.y" /* yacc.c:1906 */
/* parse helper routines could be here */
diff --git a/util/configparser.h b/util/configparser.h
index 937754cfef8f..30373da46cdf 100644
--- a/util/configparser.h
+++ b/util/configparser.h
@@ -217,39 +217,47 @@ extern int yydebug;
VAR_IP_RATELIMIT_FACTOR = 427,
VAR_RATELIMIT_FACTOR = 428,
VAR_SEND_CLIENT_SUBNET = 429,
- VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 430,
- VAR_CLIENT_SUBNET_OPCODE = 431,
- VAR_MAX_CLIENT_SUBNET_IPV4 = 432,
- VAR_MAX_CLIENT_SUBNET_IPV6 = 433,
- VAR_CAPS_WHITELIST = 434,
- VAR_CACHE_MAX_NEGATIVE_TTL = 435,
- VAR_PERMIT_SMALL_HOLDDOWN = 436,
- VAR_QNAME_MINIMISATION = 437,
- VAR_QNAME_MINIMISATION_STRICT = 438,
- VAR_IP_FREEBIND = 439,
- VAR_DEFINE_TAG = 440,
- VAR_LOCAL_ZONE_TAG = 441,
- VAR_ACCESS_CONTROL_TAG = 442,
- VAR_LOCAL_ZONE_OVERRIDE = 443,
- VAR_ACCESS_CONTROL_TAG_ACTION = 444,
- VAR_ACCESS_CONTROL_TAG_DATA = 445,
- VAR_VIEW = 446,
- VAR_ACCESS_CONTROL_VIEW = 447,
- VAR_VIEW_FIRST = 448,
- VAR_SERVE_EXPIRED = 449,
- VAR_FAKE_DSA = 450,
- VAR_FAKE_SHA1 = 451,
- VAR_LOG_IDENTITY = 452,
- VAR_HIDE_TRUSTANCHOR = 453,
- VAR_USE_SYSTEMD = 454,
- VAR_SHM_ENABLE = 455,
- VAR_SHM_KEY = 456,
- VAR_DNSCRYPT = 457,
- VAR_DNSCRYPT_ENABLE = 458,
- VAR_DNSCRYPT_PORT = 459,
- VAR_DNSCRYPT_PROVIDER = 460,
- VAR_DNSCRYPT_SECRET_KEY = 461,
- VAR_DNSCRYPT_PROVIDER_CERT = 462
+ VAR_CLIENT_SUBNET_ZONE = 430,
+ VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 431,
+ VAR_CLIENT_SUBNET_OPCODE = 432,
+ VAR_MAX_CLIENT_SUBNET_IPV4 = 433,
+ VAR_MAX_CLIENT_SUBNET_IPV6 = 434,
+ VAR_CAPS_WHITELIST = 435,
+ VAR_CACHE_MAX_NEGATIVE_TTL = 436,
+ VAR_PERMIT_SMALL_HOLDDOWN = 437,
+ VAR_QNAME_MINIMISATION = 438,
+ VAR_QNAME_MINIMISATION_STRICT = 439,
+ VAR_IP_FREEBIND = 440,
+ VAR_DEFINE_TAG = 441,
+ VAR_LOCAL_ZONE_TAG = 442,
+ VAR_ACCESS_CONTROL_TAG = 443,
+ VAR_LOCAL_ZONE_OVERRIDE = 444,
+ VAR_ACCESS_CONTROL_TAG_ACTION = 445,
+ VAR_ACCESS_CONTROL_TAG_DATA = 446,
+ VAR_VIEW = 447,
+ VAR_ACCESS_CONTROL_VIEW = 448,
+ VAR_VIEW_FIRST = 449,
+ VAR_SERVE_EXPIRED = 450,
+ VAR_FAKE_DSA = 451,
+ VAR_FAKE_SHA1 = 452,
+ VAR_LOG_IDENTITY = 453,
+ VAR_HIDE_TRUSTANCHOR = 454,
+ VAR_TRUST_ANCHOR_SIGNALING = 455,
+ VAR_USE_SYSTEMD = 456,
+ VAR_SHM_ENABLE = 457,
+ VAR_SHM_KEY = 458,
+ VAR_DNSCRYPT = 459,
+ VAR_DNSCRYPT_ENABLE = 460,
+ VAR_DNSCRYPT_PORT = 461,
+ VAR_DNSCRYPT_PROVIDER = 462,
+ VAR_DNSCRYPT_SECRET_KEY = 463,
+ VAR_DNSCRYPT_PROVIDER_CERT = 464,
+ VAR_IPSECMOD_ENABLED = 465,
+ VAR_IPSECMOD_HOOK = 466,
+ VAR_IPSECMOD_IGNORE_BOGUS = 467,
+ VAR_IPSECMOD_MAX_TTL = 468,
+ VAR_IPSECMOD_WHITELIST = 469,
+ VAR_IPSECMOD_STRICT = 470
};
#endif
/* Tokens. */
@@ -425,39 +433,47 @@ extern int yydebug;
#define VAR_IP_RATELIMIT_FACTOR 427
#define VAR_RATELIMIT_FACTOR 428
#define VAR_SEND_CLIENT_SUBNET 429
-#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 430
-#define VAR_CLIENT_SUBNET_OPCODE 431
-#define VAR_MAX_CLIENT_SUBNET_IPV4 432
-#define VAR_MAX_CLIENT_SUBNET_IPV6 433
-#define VAR_CAPS_WHITELIST 434
-#define VAR_CACHE_MAX_NEGATIVE_TTL 435
-#define VAR_PERMIT_SMALL_HOLDDOWN 436
-#define VAR_QNAME_MINIMISATION 437
-#define VAR_QNAME_MINIMISATION_STRICT 438
-#define VAR_IP_FREEBIND 439
-#define VAR_DEFINE_TAG 440
-#define VAR_LOCAL_ZONE_TAG 441
-#define VAR_ACCESS_CONTROL_TAG 442
-#define VAR_LOCAL_ZONE_OVERRIDE 443
-#define VAR_ACCESS_CONTROL_TAG_ACTION 444
-#define VAR_ACCESS_CONTROL_TAG_DATA 445
-#define VAR_VIEW 446
-#define VAR_ACCESS_CONTROL_VIEW 447
-#define VAR_VIEW_FIRST 448
-#define VAR_SERVE_EXPIRED 449
-#define VAR_FAKE_DSA 450
-#define VAR_FAKE_SHA1 451
-#define VAR_LOG_IDENTITY 452
-#define VAR_HIDE_TRUSTANCHOR 453
-#define VAR_USE_SYSTEMD 454
-#define VAR_SHM_ENABLE 455
-#define VAR_SHM_KEY 456
-#define VAR_DNSCRYPT 457
-#define VAR_DNSCRYPT_ENABLE 458
-#define VAR_DNSCRYPT_PORT 459
-#define VAR_DNSCRYPT_PROVIDER 460
-#define VAR_DNSCRYPT_SECRET_KEY 461
-#define VAR_DNSCRYPT_PROVIDER_CERT 462
+#define VAR_CLIENT_SUBNET_ZONE 430
+#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 431
+#define VAR_CLIENT_SUBNET_OPCODE 432
+#define VAR_MAX_CLIENT_SUBNET_IPV4 433
+#define VAR_MAX_CLIENT_SUBNET_IPV6 434
+#define VAR_CAPS_WHITELIST 435
+#define VAR_CACHE_MAX_NEGATIVE_TTL 436
+#define VAR_PERMIT_SMALL_HOLDDOWN 437
+#define VAR_QNAME_MINIMISATION 438
+#define VAR_QNAME_MINIMISATION_STRICT 439
+#define VAR_IP_FREEBIND 440
+#define VAR_DEFINE_TAG 441
+#define VAR_LOCAL_ZONE_TAG 442
+#define VAR_ACCESS_CONTROL_TAG 443
+#define VAR_LOCAL_ZONE_OVERRIDE 444
+#define VAR_ACCESS_CONTROL_TAG_ACTION 445
+#define VAR_ACCESS_CONTROL_TAG_DATA 446
+#define VAR_VIEW 447
+#define VAR_ACCESS_CONTROL_VIEW 448
+#define VAR_VIEW_FIRST 449
+#define VAR_SERVE_EXPIRED 450
+#define VAR_FAKE_DSA 451
+#define VAR_FAKE_SHA1 452
+#define VAR_LOG_IDENTITY 453
+#define VAR_HIDE_TRUSTANCHOR 454
+#define VAR_TRUST_ANCHOR_SIGNALING 455
+#define VAR_USE_SYSTEMD 456
+#define VAR_SHM_ENABLE 457
+#define VAR_SHM_KEY 458
+#define VAR_DNSCRYPT 459
+#define VAR_DNSCRYPT_ENABLE 460
+#define VAR_DNSCRYPT_PORT 461
+#define VAR_DNSCRYPT_PROVIDER 462
+#define VAR_DNSCRYPT_SECRET_KEY 463
+#define VAR_DNSCRYPT_PROVIDER_CERT 464
+#define VAR_IPSECMOD_ENABLED 465
+#define VAR_IPSECMOD_HOOK 466
+#define VAR_IPSECMOD_IGNORE_BOGUS 467
+#define VAR_IPSECMOD_MAX_TTL 468
+#define VAR_IPSECMOD_WHITELIST 469
+#define VAR_IPSECMOD_STRICT 470
/* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -468,7 +484,7 @@ union YYSTYPE
char* str;
-#line 472 "util/configparser.h" /* yacc.c:1909 */
+#line 488 "util/configparser.h" /* yacc.c:1909 */
};
typedef union YYSTYPE YYSTYPE;
diff --git a/util/configparser.y b/util/configparser.y
index 4a04367f4d41..7c8161442ccd 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -131,8 +131,8 @@ extern struct config_parser_state* cfg_parser;
%token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN
%token VAR_IP_RATELIMIT_FACTOR VAR_RATELIMIT_FACTOR
-%token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_ALWAYS_FORWARD
-%token VAR_CLIENT_SUBNET_OPCODE
+%token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_ZONE
+%token VAR_CLIENT_SUBNET_ALWAYS_FORWARD VAR_CLIENT_SUBNET_OPCODE
%token VAR_MAX_CLIENT_SUBNET_IPV4 VAR_MAX_CLIENT_SUBNET_IPV6
%token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
%token VAR_QNAME_MINIMISATION VAR_QNAME_MINIMISATION_STRICT VAR_IP_FREEBIND
@@ -140,10 +140,12 @@ extern struct config_parser_state* cfg_parser;
%token VAR_LOCAL_ZONE_OVERRIDE VAR_ACCESS_CONTROL_TAG_ACTION
%token VAR_ACCESS_CONTROL_TAG_DATA VAR_VIEW VAR_ACCESS_CONTROL_VIEW
%token VAR_VIEW_FIRST VAR_SERVE_EXPIRED VAR_FAKE_DSA VAR_FAKE_SHA1
-%token VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR
+%token VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR VAR_TRUST_ANCHOR_SIGNALING
%token VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
%token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER
%token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
+%token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS
+%token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -215,7 +217,7 @@ content_server: server_num_threads | server_verbosity | server_port |
server_ratelimit_for_domain |
server_ratelimit_below_domain | server_ratelimit_factor |
server_ip_ratelimit_factor | server_send_client_subnet |
- server_client_subnet_always_forward |
+ server_client_subnet_zone | server_client_subnet_always_forward |
server_client_subnet_opcode |
server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 |
server_caps_whitelist | server_cache_max_negative_ttl |
@@ -228,7 +230,10 @@ content_server: server_num_threads | server_verbosity | server_port |
server_fake_dsa | server_log_identity | server_use_systemd |
server_response_ip_tag | server_response_ip | server_response_ip_data |
server_shm_enable | server_shm_key | server_fake_sha1 |
- server_hide_trustanchor
+ server_hide_trustanchor | server_trust_anchor_signaling |
+ server_ipsecmod_enabled | server_ipsecmod_hook |
+ server_ipsecmod_ignore_bogus | server_ipsecmod_max_ttl |
+ server_ipsecmod_whitelist | server_ipsecmod_strict
;
stubstart: VAR_STUB_ZONE
{
@@ -370,6 +375,18 @@ server_send_client_subnet: VAR_SEND_CLIENT_SUBNET STRING_ARG
#endif
}
;
+server_client_subnet_zone: VAR_CLIENT_SUBNET_ZONE STRING_ARG
+ {
+ #ifdef CLIENT_SUBNET
+ OUTYY(("P(server_client_subnet_zone:%s)\n", $2));
+ if(!cfg_strlist_insert(&cfg_parser->cfg->client_subnet_zone,
+ $2))
+ fatal_exit("out of memory adding client-subnet-zone");
+ #else
+ OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
+ #endif
+ }
+ ;
server_client_subnet_always_forward:
VAR_CLIENT_SUBNET_ALWAYS_FORWARD STRING_ARG
{
@@ -783,6 +800,17 @@ server_trust_anchor: VAR_TRUST_ANCHOR STRING_ARG
yyerror("out of memory");
}
;
+server_trust_anchor_signaling: VAR_TRUST_ANCHOR_SIGNALING STRING_ARG
+ {
+ OUTYY(("P(server_trust_anchor_signaling:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else
+ cfg_parser->cfg->trust_anchor_signaling =
+ (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
server_domain_insecure: VAR_DOMAIN_INSECURE STRING_ARG
{
OUTYY(("P(server_domain_insecure:%s)\n", $2));
@@ -1783,6 +1811,80 @@ server_qname_minimisation_strict: VAR_QNAME_MINIMISATION_STRICT STRING_ARG
free($2);
}
;
+server_ipsecmod_enabled: VAR_IPSECMOD_ENABLED STRING_ARG
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_enabled:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->ipsecmod_enabled = (strcmp($2, "yes")==0);
+ free($2);
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+ ;
+server_ipsecmod_ignore_bogus: VAR_IPSECMOD_IGNORE_BOGUS STRING_ARG
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_ignore_bogus:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->ipsecmod_ignore_bogus = (strcmp($2, "yes")==0);
+ free($2);
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+ ;
+server_ipsecmod_hook: VAR_IPSECMOD_HOOK STRING_ARG
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_hook:%s)\n", $2));
+ free(cfg_parser->cfg->ipsecmod_hook);
+ cfg_parser->cfg->ipsecmod_hook = $2;
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+ ;
+server_ipsecmod_max_ttl: VAR_IPSECMOD_MAX_TTL STRING_ARG
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_max_ttl:%s)\n", $2));
+ if(atoi($2) == 0 && strcmp($2, "0") != 0)
+ yyerror("number expected");
+ else cfg_parser->cfg->ipsecmod_max_ttl = atoi($2);
+ free($2);
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+ ;
+server_ipsecmod_whitelist: VAR_IPSECMOD_WHITELIST STRING_ARG
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_whitelist:%s)\n", $2));
+ if(!cfg_strlist_insert(&cfg_parser->cfg->ipsecmod_whitelist, $2))
+ yyerror("out of memory");
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+ ;
+server_ipsecmod_strict: VAR_IPSECMOD_STRICT STRING_ARG
+ {
+ #ifdef USE_IPSECMOD
+ OUTYY(("P(server_ipsecmod_strict:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->ipsecmod_strict = (strcmp($2, "yes")==0);
+ free($2);
+ #else
+ OUTYY(("P(Compiled without IPsec module, ignoring)\n"));
+ #endif
+ }
+ ;
stub_name: VAR_NAME STRING_ARG
{
OUTYY(("P(name:%s)\n", $2));
@@ -2227,6 +2329,7 @@ dnsc_dnscrypt_enable: VAR_DNSCRYPT_ENABLE STRING_ARG
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->dnscrypt = (strcmp($2, "yes")==0);
+ free($2);
}
;
diff --git a/util/data/msgencode.c b/util/data/msgencode.c
index 1f72a03b8c64..aab7f5dfecba 100644
--- a/util/data/msgencode.c
+++ b/util/data/msgencode.c
@@ -647,6 +647,8 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
sldns_buffer_clear(buffer);
if(udpsize < sldns_buffer_limit(buffer))
sldns_buffer_set_limit(buffer, udpsize);
+ else if(sldns_buffer_limit(buffer) < udpsize)
+ udpsize = sldns_buffer_limit(buffer);
if(sldns_buffer_remaining(buffer) < LDNS_HEADER_SIZE)
return 0;
@@ -810,7 +812,7 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
struct edns_data* edns, int dnssec, int secure)
{
uint16_t flags;
- int attach_edns = 1;
+ unsigned int attach_edns = 0;
if(!cached || rep->authoritative) {
/* original flags, copy RD and CD bits from query. */
@@ -833,12 +835,15 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
log_assert(flags & BIT_QR); /* QR bit must be on in our replies */
if(udpsize < LDNS_HEADER_SIZE)
return 0;
+ if(sldns_buffer_capacity(pkt) < udpsize)
+ udpsize = sldns_buffer_capacity(pkt);
if(udpsize < LDNS_HEADER_SIZE + calc_edns_field_size(edns)) {
/* packet too small to contain edns, omit it. */
attach_edns = 0;
} else {
/* reserve space for edns record */
- udpsize -= calc_edns_field_size(edns);
+ attach_edns = (unsigned int)calc_edns_field_size(edns);
+ udpsize -= attach_edns;
}
if(!reply_info_encode(qinf, rep, id, flags, pkt, timenow, region,
@@ -846,7 +851,8 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
log_err("reply encode: out of memory");
return 0;
}
- if(attach_edns)
+ if(attach_edns && sldns_buffer_capacity(pkt) >=
+ sldns_buffer_limit(pkt)+attach_edns)
attach_edns_record(pkt, edns);
return 1;
}
diff --git a/util/data/msgparse.c b/util/data/msgparse.c
index 5381500e1523..288720068b10 100644
--- a/util/data/msgparse.c
+++ b/util/data/msgparse.c
@@ -1018,7 +1018,7 @@ parse_extract_edns(struct msg_parse* msg, struct edns_data* edns,
edns->opt_list = NULL;
/* take the options */
- rdata_len = found->rr_first->size;
+ rdata_len = found->rr_first->size-2;
rdata_ptr = found->rr_first->ttl_data+6;
if(!parse_edns_options(rdata_ptr, rdata_len, edns, region))
return 0;
diff --git a/util/fptr_wlist.c b/util/fptr_wlist.c
index 03244a123d69..2797d1fe8449 100644
--- a/util/fptr_wlist.c
+++ b/util/fptr_wlist.c
@@ -49,6 +49,7 @@
#include "services/outside_network.h"
#include "services/mesh.h"
#include "services/localzone.h"
+#include "services/authzone.h"
#include "services/cache/infra.h"
#include "services/cache/rrset.h"
#include "services/view.h"
@@ -83,6 +84,9 @@
#ifdef USE_CACHEDB
#include "cachedb/cachedb.h"
#endif
+#ifdef USE_IPSECMOD
+#include "ipsecmod/ipsecmod.h"
+#endif
#ifdef CLIENT_SUBNET
#include "edns-subnet/subnetmod.h"
#endif
@@ -209,6 +213,8 @@ fptr_whitelist_rbtree_cmp(int (*fptr) (const void *, const void *))
else if(fptr == &probetree_cmp) return 1;
else if(fptr == &replay_var_compare) return 1;
else if(fptr == &view_cmp) return 1;
+ else if(fptr == &auth_zone_cmp) return 1;
+ else if(fptr == &auth_data_cmp) return 1;
return 0;
}
@@ -307,6 +313,16 @@ fptr_whitelist_modenv_attach_sub(int (*fptr)(
}
int
+fptr_whitelist_modenv_add_sub(int (*fptr)(
+ struct module_qstate* qstate, struct query_info* qinfo,
+ uint16_t qflags, int prime, int valrec, struct module_qstate** newq,
+ struct mesh_state** sub))
+{
+ if(fptr == &mesh_add_sub) return 1;
+ return 0;
+}
+
+int
fptr_whitelist_modenv_kill_sub(void (*fptr)(struct module_qstate* newq))
{
if(fptr == &mesh_state_delete) return 1;
@@ -335,6 +351,9 @@ fptr_whitelist_mod_init(int (*fptr)(struct module_env* env, int id))
#ifdef USE_CACHEDB
else if(fptr == &cachedb_init) return 1;
#endif
+#ifdef USE_IPSECMOD
+ else if(fptr == &ipsecmod_init) return 1;
+#endif
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_init) return 1;
#endif
@@ -354,6 +373,9 @@ fptr_whitelist_mod_deinit(void (*fptr)(struct module_env* env, int id))
#ifdef USE_CACHEDB
else if(fptr == &cachedb_deinit) return 1;
#endif
+#ifdef USE_IPSECMOD
+ else if(fptr == &ipsecmod_deinit) return 1;
+#endif
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_deinit) return 1;
#endif
@@ -374,6 +396,9 @@ fptr_whitelist_mod_operate(void (*fptr)(struct module_qstate* qstate,
#ifdef USE_CACHEDB
else if(fptr == &cachedb_operate) return 1;
#endif
+#ifdef USE_IPSECMOD
+ else if(fptr == &ipsecmod_operate) return 1;
+#endif
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_operate) return 1;
#endif
@@ -394,6 +419,9 @@ fptr_whitelist_mod_inform_super(void (*fptr)(
#ifdef USE_CACHEDB
else if(fptr == &cachedb_inform_super) return 1;
#endif
+#ifdef USE_IPSECMOD
+ else if(fptr == &ipsecmod_inform_super) return 1;
+#endif
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_inform_super) return 1;
#endif
@@ -414,6 +442,9 @@ fptr_whitelist_mod_clear(void (*fptr)(struct module_qstate* qstate,
#ifdef USE_CACHEDB
else if(fptr == &cachedb_clear) return 1;
#endif
+#ifdef USE_IPSECMOD
+ else if(fptr == &ipsecmod_clear) return 1;
+#endif
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_clear) return 1;
#endif
@@ -433,6 +464,9 @@ fptr_whitelist_mod_get_mem(size_t (*fptr)(struct module_env* env, int id))
#ifdef USE_CACHEDB
else if(fptr == &cachedb_get_mem) return 1;
#endif
+#ifdef USE_IPSECMOD
+ else if(fptr == &ipsecmod_get_mem) return 1;
+#endif
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_get_mem) return 1;
#endif
diff --git a/util/fptr_wlist.h b/util/fptr_wlist.h
index 653f8f0e75d4..39e3f2d7f21b 100644
--- a/util/fptr_wlist.h
+++ b/util/fptr_wlist.h
@@ -234,6 +234,15 @@ int fptr_whitelist_modenv_attach_sub(int (*fptr)(
uint16_t qflags, int prime, int valrec, struct module_qstate** newq));
/**
+ * Check function pointer whitelist for module_env add_sub callback values.
+ *
+ * @param fptr: function pointer to check.
+ * @return false if not in whitelist.
+ */
+int fptr_whitelist_modenv_add_sub(int (*fptr)(struct module_qstate* qstate,
+ struct query_info* qinfo, uint16_t qflags, int prime, int valrec,
+ struct module_qstate** newq, struct mesh_state** sub));
+/**
* Check function pointer whitelist for module_env kill_sub callback values.
*
* @param fptr: function pointer to check.
diff --git a/util/iana_ports.inc b/util/iana_ports.inc
index 2555b2591525..dba3e62270c6 100644
--- a/util/iana_ports.inc
+++ b/util/iana_ports.inc
@@ -29,7 +29,6 @@
44,
45,
46,
-47,
48,
49,
50,
@@ -41,7 +40,6 @@
57,
58,
59,
-61,
62,
63,
64,
@@ -4575,6 +4573,7 @@
7014,
7015,
7016,
+7017,
7019,
7020,
7021,
@@ -4855,6 +4854,7 @@
8793,
8800,
8804,
+8805,
8808,
8873,
8880,
@@ -5463,3 +5463,4 @@
48556,
48619,
48653,
+49001,
diff --git a/util/log.c b/util/log.c
index 439541a7ce4a..c14b45834add 100644
--- a/util/log.c
+++ b/util/log.c
@@ -103,8 +103,12 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
use_syslog?"syslog":(filename&&filename[0]?filename:"stderr"));
lock_quick_lock(&log_lock);
}
- if(logfile && logfile != stderr)
- fclose(logfile);
+ if(logfile && logfile != stderr) {
+ FILE* cl = logfile;
+ logfile = NULL; /* set to NULL before it is closed, so that
+ other threads have a valid logfile or NULL */
+ fclose(cl);
+ }
#ifdef HAVE_SYSLOG_H
if(logging_to_syslog) {
closelog();
diff --git a/util/module.h b/util/module.h
index 82b50ccd7d06..6e75539d9169 100644
--- a/util/module.h
+++ b/util/module.h
@@ -383,6 +383,37 @@ struct module_env {
int valrec, struct module_qstate** newq);
/**
+ * Add detached query.
+ * Creates it if it does not exist already.
+ * Does not make super/sub references.
+ * Performs a cycle detection - for double check - and fails if there is
+ * one.
+ * Updates stat items in mesh_area structure.
+ * Pass if it is priming query or not.
+ * return:
+ * o if error (malloc) happened.
+ * o need to initialise the new state (module init; it is a new state).
+ * so that the next run of the query with this module is successful.
+ * o no init needed, attachment successful.
+ * o added subquery, created if it did not exist already.
+ *
+ * @param qstate: the state to find mesh state, and that wants to receive
+ * the results from the new subquery.
+ * @param qinfo: what to query for (copied).
+ * @param qflags: what flags to use (RD / CD flag or not).
+ * @param prime: if it is a (stub) priming query.
+ * @param valrec: if it is a validation recursion query (lookup of key, DS).
+ * @param newq: If the new subquery needs initialisation, it is returned,
+ * otherwise NULL is returned.
+ * @param sub: The added mesh state, created if it did not exist already.
+ * @return: false on error, true if success (and init may be needed).
+ */
+ int (*add_sub)(struct module_qstate* qstate,
+ struct query_info* qinfo, uint16_t qflags, int prime,
+ int valrec, struct module_qstate** newq,
+ struct mesh_state** sub);
+
+ /**
* Kill newly attached sub. If attach_sub returns newq for
* initialisation, but that fails, then this routine will cleanup and
* delete the fresly created sub.
diff --git a/util/netevent.c b/util/netevent.c
index 2084cea3ec01..6990cdb36f36 100644
--- a/util/netevent.c
+++ b/util/netevent.c
@@ -666,7 +666,7 @@ comm_point_udp_callback(int fd, short event, void* arg)
struct comm_reply rep;
ssize_t rcv;
int i;
- struct sldns_buffer *buffer;
+ struct sldns_buffer *buffer;
rep.c = (struct comm_point*)arg;
log_assert(rep.c->type == comm_udp);
@@ -704,9 +704,9 @@ comm_point_udp_callback(int fd, short event, void* arg)
if((*rep.c->callback)(rep.c, rep.c->cb_arg, NETEVENT_NOERROR, &rep)) {
/* send back immediate reply */
#ifdef USE_DNSCRYPT
- buffer = rep.c->dnscrypt_buffer;
+ buffer = rep.c->dnscrypt_buffer;
#else
- buffer = rep.c->buffer;
+ buffer = rep.c->buffer;
#endif
(void)comm_point_send_udp_msg(rep.c, buffer,
(struct sockaddr*)&rep.addr, rep.addrlen);
@@ -725,8 +725,8 @@ setup_tcp_handler(struct comm_point* c, int fd, int cur, int max)
log_assert(c->fd == -1);
sldns_buffer_clear(c->buffer);
#ifdef USE_DNSCRYPT
- if (c->dnscrypt)
- sldns_buffer_clear(c->dnscrypt_buffer);
+ if (c->dnscrypt)
+ sldns_buffer_clear(c->dnscrypt_buffer);
#endif
c->tcp_is_reading = 1;
c->tcp_byte_count = 0;
@@ -1407,12 +1407,34 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c)
if(errno == EINTR || errno == EAGAIN)
return 1;
/* Not handling EISCONN here as shouldn't ever hit that case.*/
- if(errno != 0 && verbosity < 2)
+ if(errno != EPIPE && errno != 0 && verbosity < 2)
return 0; /* silence lots of chatter in the logs */
- else if(errno != 0)
+ if(errno != EPIPE && errno != 0) {
log_err_addr("tcp sendmsg", strerror(errno),
&c->repinfo.addr, c->repinfo.addrlen);
- return 0;
+ return 0;
+ }
+ /* fallthrough to nonFASTOPEN
+ * (MSG_FASTOPEN on Linux 3 produces EPIPE)
+ * we need to perform connect() */
+ if(connect(fd, (struct sockaddr *)&c->repinfo.addr, c->repinfo.addrlen) == -1) {
+#ifdef EINPROGRESS
+ if(errno == EINPROGRESS)
+ return 1; /* wait until connect done*/
+#endif
+#ifdef USE_WINSOCK
+ if(WSAGetLastError() == WSAEINPROGRESS ||
+ WSAGetLastError() == WSAEWOULDBLOCK)
+ return 1; /* wait until connect done*/
+#endif
+ if(tcp_connect_errno_needs_log(
+ (struct sockaddr *)&c->repinfo.addr, c->repinfo.addrlen)) {
+ log_err_addr("outgoing tcp: connect after EPIPE for fastopen",
+ strerror(errno), &c->repinfo.addr, c->repinfo.addrlen);
+ }
+ return 0;
+ }
+
} else {
c->tcp_byte_count += r;
if(c->tcp_byte_count < sizeof(uint16_t))
@@ -1525,13 +1547,13 @@ comm_point_tcp_handle_callback(int fd, short event, void* arg)
if(c->tcp_parent) {
c->dnscrypt = c->tcp_parent->dnscrypt;
}
- if(c->dnscrypt && c->dnscrypt_buffer == c->buffer) {
- c->dnscrypt_buffer = sldns_buffer_new(sldns_buffer_capacity(c->buffer));
- if(!c->dnscrypt_buffer) {
- log_err("Could not allocate dnscrypt buffer");
- return;
- }
- }
+ if(c->dnscrypt && c->dnscrypt_buffer == c->buffer) {
+ c->dnscrypt_buffer = sldns_buffer_new(sldns_buffer_capacity(c->buffer));
+ if(!c->dnscrypt_buffer) {
+ log_err("Could not allocate dnscrypt buffer");
+ return;
+ }
+ }
#endif
if(event&UB_EV_READ) {
@@ -1691,8 +1713,8 @@ comm_point_create_udp_ancil(struct comm_base *base, int fd,
c->tcp_do_close = 0;
c->do_not_close = 0;
#ifdef USE_DNSCRYPT
- c->dnscrypt = 0;
- c->dnscrypt_buffer = buffer;
+ c->dnscrypt = 0;
+ c->dnscrypt_buffer = buffer;
#endif
c->inuse = 0;
c->tcp_do_toggle_rw = 0;
@@ -1766,10 +1788,10 @@ comm_point_create_tcp_handler(struct comm_base *base,
c->tcp_do_fastopen = 0;
#endif
#ifdef USE_DNSCRYPT
- c->dnscrypt = 0;
- // We don't know just yet if this is a dnscrypt channel. Allocation
- // will be done when handling the callback.
- c->dnscrypt_buffer = c->buffer;
+ c->dnscrypt = 0;
+ /* We don't know just yet if this is a dnscrypt channel. Allocation
+ * will be done when handling the callback. */
+ c->dnscrypt_buffer = c->buffer;
#endif
c->repinfo.c = c;
c->callback = callback;
@@ -2098,11 +2120,11 @@ comm_point_delete(struct comm_point* c)
if(c->type == comm_tcp || c->type == comm_local) {
sldns_buffer_free(c->buffer);
#ifdef USE_DNSCRYPT
- if(c->dnscrypt && c->dnscrypt_buffer != c->buffer) {
- sldns_buffer_free(c->dnscrypt_buffer);
- }
+ if(c->dnscrypt && c->dnscrypt_buffer != c->buffer) {
+ sldns_buffer_free(c->dnscrypt_buffer);
+ }
#endif
- }
+ }
ub_event_free(c->ev->ev);
free(c->ev);
free(c);
@@ -2115,7 +2137,7 @@ comm_point_send_reply(struct comm_reply *repinfo)
log_assert(repinfo && repinfo->c);
#ifdef USE_DNSCRYPT
buffer = repinfo->c->dnscrypt_buffer;
- if(!dnsc_handle_uncurved_request(repinfo)) {
+ if(!dnsc_handle_uncurved_request(repinfo)) {
return;
}
#else
@@ -2239,12 +2261,12 @@ size_t comm_point_get_mem(struct comm_point* c)
if(c->type == comm_tcp || c->type == comm_local) {
s += sizeof(*c->buffer) + sldns_buffer_capacity(c->buffer);
#ifdef USE_DNSCRYPT
- s += sizeof(*c->dnscrypt_buffer);
- if(c->buffer != c->dnscrypt_buffer) {
- s += sldns_buffer_capacity(c->dnscrypt_buffer);
- }
+ s += sizeof(*c->dnscrypt_buffer);
+ if(c->buffer != c->dnscrypt_buffer) {
+ s += sldns_buffer_capacity(c->dnscrypt_buffer);
+ }
#endif
- }
+ }
if(c->type == comm_tcp_accept) {
int i;
for(i=0; i<c->max_tcp_count; i++)
diff --git a/util/netevent.h b/util/netevent.h
index cb8eb86b9f74..54740266d0a4 100644
--- a/util/netevent.h
+++ b/util/netevent.h
@@ -120,7 +120,7 @@ struct comm_reply {
#ifdef USE_DNSCRYPT
uint8_t client_nonce[crypto_box_HALF_NONCEBYTES];
uint8_t nmkey[crypto_box_BEFORENMBYTES];
- const KeyPair *keypair;
+ const dnsccert *dnsc_cert;
int is_dnscrypted;
#endif
/** the return source interface data */
@@ -133,11 +133,11 @@ struct comm_reply {
#elif defined(IP_RECVDSTADDR)
struct in_addr v4addr;
#endif
- }
+ }
/** variable with return source data */
pktinfo;
- /** max udp size for udp packets */
- size_t max_udp_size;
+ /** max udp size for udp packets */
+ size_t max_udp_size;
};
/**
@@ -248,7 +248,7 @@ struct comm_point {
#endif
#ifdef USE_DNSCRYPT
- /** Is this a dnscrypt channel */
+ /** Is this a dnscrypt channel */
int dnscrypt;
/** encrypted buffer pointer. Either to perthread, or own buffer or NULL */
struct sldns_buffer* dnscrypt_buffer;
diff --git a/util/shm_side/shm_main.c b/util/shm_side/shm_main.c
index cab9aed560bd..bba2a8396333 100644
--- a/util/shm_side/shm_main.c
+++ b/util/shm_side/shm_main.c
@@ -65,17 +65,17 @@
#ifdef HAVE_SHMGET
/** subtract timers and the values do not overflow or become negative */
static void
-timeval_subtract(struct timeval* d, const struct timeval* end,
+stat_timeval_subtract(long long *d_sec, long long *d_usec, const struct timeval* end,
const struct timeval* start)
{
#ifndef S_SPLINT_S
time_t end_usec = end->tv_usec;
- d->tv_sec = end->tv_sec - start->tv_sec;
+ *d_sec = end->tv_sec - start->tv_sec;
if(end_usec < start->tv_usec) {
end_usec += 1000000;
- d->tv_sec--;
+ (*d_sec)--;
}
- d->tv_usec = end_usec - start->tv_usec;
+ *d_usec = end_usec - start->tv_usec;
#endif
}
#endif /* HAVE_SHMGET */
@@ -83,7 +83,7 @@ timeval_subtract(struct timeval* d, const struct timeval* end,
int shm_main_init(struct daemon* daemon)
{
#ifdef HAVE_SHMGET
- struct shm_stat_info *shm_stat;
+ struct ub_shm_stat_info *shm_stat;
size_t shm_size;
/* sanitize */
@@ -95,7 +95,7 @@ int shm_main_init(struct daemon* daemon)
log_warn("shm-enable is yes but statistics-interval is 0");
/* Statistics to maintain the number of thread + total */
- shm_size = (sizeof(struct stats_info) * (daemon->num + 1));
+ shm_size = (sizeof(struct ub_stats_info) * (daemon->num + 1));
/* Allocation of needed memory */
daemon->shm_info = (struct shm_main_info*)calloc(1, shm_size);
@@ -121,7 +121,7 @@ int shm_main_init(struct daemon* daemon)
shmctl(daemon->shm_info->id_arr, IPC_RMID, NULL);
/* SHM: Create the segment */
- daemon->shm_info->id_ctl = shmget(daemon->shm_info->key, sizeof(struct shm_stat_info), IPC_CREAT | 0666);
+ daemon->shm_info->id_ctl = shmget(daemon->shm_info->key, sizeof(struct ub_shm_stat_info), IPC_CREAT | 0666);
if (daemon->shm_info->id_ctl < 0)
{
@@ -148,7 +148,7 @@ int shm_main_init(struct daemon* daemon)
}
/* SHM: attach the segment */
- daemon->shm_info->ptr_ctl = (struct shm_stat_info*)
+ daemon->shm_info->ptr_ctl = (struct ub_shm_stat_info*)
shmat(daemon->shm_info->id_ctl, NULL, 0);
if(daemon->shm_info->ptr_ctl == (void *) -1) {
log_err("SHM failed(ctl) cannot shmat(%d) %s",
@@ -160,7 +160,7 @@ int shm_main_init(struct daemon* daemon)
return 0;
}
- daemon->shm_info->ptr_arr = (struct stats_info*)
+ daemon->shm_info->ptr_arr = (struct ub_stats_info*)
shmat(daemon->shm_info->id_arr, NULL, 0);
if (daemon->shm_info->ptr_arr == (void *) -1)
@@ -175,7 +175,7 @@ int shm_main_init(struct daemon* daemon)
}
/* Zero fill SHM to stand clean while is not filled by other events */
- memset(daemon->shm_info->ptr_ctl, 0, sizeof(struct shm_stat_info));
+ memset(daemon->shm_info->ptr_ctl, 0, sizeof(struct ub_shm_stat_info));
memset(daemon->shm_info->ptr_arr, 0, shm_size);
shm_stat = daemon->shm_info->ptr_ctl;
@@ -218,10 +218,9 @@ void shm_main_shutdown(struct daemon* daemon)
void shm_main_run(struct worker *worker)
{
#ifdef HAVE_SHMGET
- struct shm_stat_info *shm_stat;
- struct stats_info *stat_total;
- struct stats_info *stat_info;
- int modstack;
+ struct ub_shm_stat_info *shm_stat;
+ struct ub_stats_info *stat_total;
+ struct ub_stats_info *stat_info;
int offset;
verbose(VERB_DETAIL, "SHM run - worker [%d] - daemon [%p] - timenow(%u) - timeboot(%u)",
@@ -238,40 +237,40 @@ void shm_main_run(struct worker *worker)
if (worker->thread_num == 0) {
/* Copy data to the current position */
- memset(stat_total, 0, sizeof(struct stats_info));
+ memset(stat_total, 0, sizeof(struct ub_stats_info));
/* Point to data into SHM */
shm_stat = worker->daemon->shm_info->ptr_ctl;
- shm_stat->time.now = *worker->env.now_tv;
-
- timeval_subtract(&shm_stat->time.up, &shm_stat->time.now, &worker->daemon->time_boot);
- timeval_subtract(&shm_stat->time.elapsed, &shm_stat->time.now, &worker->daemon->time_last_stat);
-
- shm_stat->mem.msg = slabhash_get_mem(worker->env.msg_cache);
- shm_stat->mem.rrset = slabhash_get_mem(&worker->env.rrset_cache->table);
- shm_stat->mem.val = 0;
- shm_stat->mem.iter = 0;
-
- modstack = modstack_find(&worker->env.mesh->mods, "validator");
- if(modstack != -1) {
- fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->mods.mod[modstack]->get_mem));
- shm_stat->mem.val = (*worker->env.mesh->mods.mod[modstack]->get_mem)(&worker->env, modstack);
- }
- modstack = modstack_find(&worker->env.mesh->mods, "iterator");
- if(modstack != -1) {
- fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->mods.mod[modstack]->get_mem));
- shm_stat->mem.iter = (*worker->env.mesh->mods.mod[modstack]->get_mem)(&worker->env, modstack);
- }
+ shm_stat->time.now_sec = (long long)worker->env.now_tv->tv_sec;
+ shm_stat->time.now_usec = (long long)worker->env.now_tv->tv_usec;
+
+ stat_timeval_subtract(&shm_stat->time.up_sec, &shm_stat->time.up_usec, worker->env.now_tv, &worker->daemon->time_boot);
+ stat_timeval_subtract(&shm_stat->time.elapsed_sec, &shm_stat->time.elapsed_usec, worker->env.now_tv, &worker->daemon->time_last_stat);
+
+ shm_stat->mem.msg = (long long)slabhash_get_mem(worker->env.msg_cache);
+ shm_stat->mem.rrset = (long long)slabhash_get_mem(&worker->env.rrset_cache->table);
+ shm_stat->mem.val = (long long)mod_get_mem(&worker->env,
+ "validator");
+ shm_stat->mem.iter = (long long)mod_get_mem(&worker->env,
+ "iterator");
+ shm_stat->mem.respip = (long long)mod_get_mem(&worker->env,
+ "respip");
+
/* subnet mem value is available in shm, also when not enabled,
* to make the struct easier to memmap by other applications,
* independent of the configuration of unbound */
shm_stat->mem.subnet = 0;
#ifdef CLIENT_SUBNET
- modstack = modstack_find(&worker->env.mesh->mods, "subnet");
- if(modstack != -1) {
- fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->mods.mod[modstack]->get_mem));
- shm_stat->mem.subnet = (*worker->env.mesh->mods.mod[modstack]->get_mem)(&worker->env, modstack);
- }
+ shm_stat->mem.subnet = (long long)mod_get_mem(&worker->env,
+ "subnet");
+#endif
+ /* ipsecmod mem value is available in shm, also when not enabled,
+ * to make the struct easier to memmap by other applications,
+ * independent of the configuration of unbound */
+ shm_stat->mem.ipsecmod = 0;
+#ifdef USE_IPSECMOD
+ shm_stat->mem.ipsecmod = (long long)mod_get_mem(&worker->env,
+ "ipsecmod");
#endif
}
diff --git a/util/shm_side/shm_main.h b/util/shm_side/shm_main.h
index 8e4f4d051026..76c60e484860 100644
--- a/util/shm_side/shm_main.h
+++ b/util/shm_side/shm_main.h
@@ -44,26 +44,8 @@
struct daemon;
struct worker;
-/** Some global statistics that are not in struct stats_info,
- * this struct is shared on a shm segment */
-struct shm_stat_info {
-
- int num_threads;
-
- struct {
- struct timeval now;
- struct timeval up;
- struct timeval elapsed;
- } time;
-
- struct {
- size_t msg;
- size_t rrset;
- size_t val;
- size_t iter;
- size_t subnet;
- } mem;
-};
+/* get struct ub_shm_stat_info */
+#include "libunbound/unbound.h"
/**
* The SHM info.
@@ -71,9 +53,9 @@ struct shm_stat_info {
struct shm_main_info {
/** stats_info array, shared memory segment.
* [0] is totals, [1..thread_num] are per-thread stats */
- struct stats_info* ptr_arr;
+ struct ub_stats_info* ptr_arr;
/** the global stats block, shared memory segment */
- struct shm_stat_info* ptr_ctl;
+ struct ub_shm_stat_info* ptr_ctl;
int key;
int id_ctl;
int id_arr;
diff --git a/util/timehist.c b/util/timehist.c
index dbf5b98417c2..61cc995fd8ef 100644
--- a/util/timehist.c
+++ b/util/timehist.c
@@ -225,23 +225,23 @@ timehist_quartile(struct timehist* hist, double q)
}
void
-timehist_export(struct timehist* hist, size_t* array, size_t sz)
+timehist_export(struct timehist* hist, long long* array, size_t sz)
{
size_t i;
if(!hist) return;
if(sz > hist->num)
sz = hist->num;
for(i=0; i<sz; i++)
- array[i] = hist->buckets[i].count;
+ array[i] = (long long)hist->buckets[i].count;
}
void
-timehist_import(struct timehist* hist, size_t* array, size_t sz)
+timehist_import(struct timehist* hist, long long* array, size_t sz)
{
size_t i;
if(!hist) return;
if(sz > hist->num)
sz = hist->num;
for(i=0; i<sz; i++)
- hist->buckets[i].count = array[i];
+ hist->buckets[i].count = (size_t)array[i];
}
diff --git a/util/timehist.h b/util/timehist.h
index 5c65048b9bb3..5f88a38a9fdf 100644
--- a/util/timehist.h
+++ b/util/timehist.h
@@ -121,7 +121,7 @@ void timehist_log(struct timehist* hist, const char* name);
* @param array: the array to export to.
* @param sz: number of items in array.
*/
-void timehist_export(struct timehist* hist, size_t* array, size_t sz);
+void timehist_export(struct timehist* hist, long long* array, size_t sz);
/**
* Import histogram from an array.
@@ -129,6 +129,6 @@ void timehist_export(struct timehist* hist, size_t* array, size_t sz);
* @param array: the array to import from.
* @param sz: number of items in array.
*/
-void timehist_import(struct timehist* hist, size_t* array, size_t sz);
+void timehist_import(struct timehist* hist, long long* array, size_t sz);
#endif /* UTIL_TIMEHIST_H */
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index be88ff438660..88d23472118f 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -228,6 +228,9 @@ dnskey_algo_id_is_supported(int id)
case LDNS_ECDSAP256SHA256:
case LDNS_ECDSAP384SHA384:
#endif
+#ifdef USE_ED25519
+ case LDNS_ED25519:
+#endif
#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA)
return 1;
#endif
@@ -555,6 +558,17 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
#endif
break;
#endif /* USE_ECDSA */
+#ifdef USE_ED25519
+ case LDNS_ED25519:
+ *evp_key = sldns_ed255192pkey_raw(key, keylen);
+ if(!*evp_key) {
+ verbose(VERB_QUERY, "verify: "
+ "sldns_ed255192pkey_raw failed");
+ return 0;
+ }
+ *digest_type = NULL;
+ break;
+#endif /* USE_ED25519 */
default:
verbose(VERB_QUERY, "verify: unknown algorithm %d",
algo);
@@ -644,18 +658,29 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
else if(docrypto_free) OPENSSL_free(sigblock);
return sec_status_unchecked;
}
- if(EVP_VerifyInit(ctx, digest_type) == 0) {
- verbose(VERB_QUERY, "verify: EVP_VerifyInit failed");
+#ifndef HAVE_EVP_DIGESTVERIFY
+ if(EVP_DigestInit(ctx, digest_type) == 0) {
+ verbose(VERB_QUERY, "verify: EVP_DigestInit failed");
+#ifdef HAVE_EVP_MD_CTX_NEW
EVP_MD_CTX_destroy(ctx);
+#else
+ EVP_MD_CTX_cleanup(ctx);
+ free(ctx);
+#endif
EVP_PKEY_free(evp_key);
if(dofree) free(sigblock);
else if(docrypto_free) OPENSSL_free(sigblock);
return sec_status_unchecked;
}
- if(EVP_VerifyUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
+ if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
(unsigned int)sldns_buffer_limit(buf)) == 0) {
- verbose(VERB_QUERY, "verify: EVP_VerifyUpdate failed");
+ verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed");
+#ifdef HAVE_EVP_MD_CTX_NEW
EVP_MD_CTX_destroy(ctx);
+#else
+ EVP_MD_CTX_cleanup(ctx);
+ free(ctx);
+#endif
EVP_PKEY_free(evp_key);
if(dofree) free(sigblock);
else if(docrypto_free) OPENSSL_free(sigblock);
@@ -663,6 +688,24 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
}
res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key);
+#else /* HAVE_EVP_DIGESTVERIFY */
+ if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) {
+ verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed");
+#ifdef HAVE_EVP_MD_CTX_NEW
+ EVP_MD_CTX_destroy(ctx);
+#else
+ EVP_MD_CTX_cleanup(ctx);
+ free(ctx);
+#endif
+ EVP_PKEY_free(evp_key);
+ if(dofree) free(sigblock);
+ else if(docrypto_free) OPENSSL_free(sigblock);
+ return sec_status_unchecked;
+ }
+ res = EVP_DigestVerify(ctx, sigblock, sigblock_len,
+ (unsigned char*)sldns_buffer_begin(buf),
+ sldns_buffer_limit(buf));
+#endif
#ifdef HAVE_EVP_MD_CTX_NEW
EVP_MD_CTX_destroy(ctx);
#else
diff --git a/validator/val_utils.c b/validator/val_utils.c
index e3677e1d9ceb..e4eff1b2523b 100644
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -54,6 +54,7 @@
#include "util/net_help.h"
#include "util/module.h"
#include "util/regional.h"
+#include "util/config_file.h"
#include "sldns/wire2str.h"
#include "sldns/parseutil.h"
@@ -914,7 +915,7 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index)
}
void
-val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
+val_check_nonsecure(struct module_env* env, struct reply_info* rep)
{
size_t i;
/* authority */
@@ -955,7 +956,7 @@ val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
}
}
/* additional */
- if(!ve->clean_additional)
+ if(!env->cfg->val_clean_additional)
return;
for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
if(((struct packed_rrset_data*)rep->rrsets[i]->entry.data)
diff --git a/validator/val_utils.h b/validator/val_utils.h
index 051824abaf84..649adc2d6559 100644
--- a/validator/val_utils.h
+++ b/validator/val_utils.h
@@ -306,10 +306,10 @@ void val_reply_remove_auth(struct reply_info* rep, size_t index);
* So that unsigned data does not get let through to clients, when we have
* found the data to be secure.
*
- * @param ve: validator environment with cleaning options.
+ * @param env: environment with cleaning options.
* @param rep: reply to dump all nonsecure stuff out of.
*/
-void val_check_nonsecure(struct val_env* ve, struct reply_info* rep);
+void val_check_nonsecure(struct module_env* env, struct reply_info* rep);
/**
* Mark all unchecked rrset entries not below a trust anchor as indeterminate.
diff --git a/validator/validator.c b/validator/validator.c
index 81ba5fa17ba2..5f4a1eb4ebed 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -60,6 +60,7 @@
#include "util/fptr_wlist.h"
#include "sldns/rrdef.h"
#include "sldns/wire2str.h"
+#include "sldns/str2wire.h"
/* forward decl for cache response and normal super inform calls of a DS */
static void process_ds_response(struct module_qstate* qstate,
@@ -112,8 +113,6 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,
{
int c;
val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl;
- val_env->clean_additional = cfg->val_clean_additional;
- val_env->permissive_mode = cfg->val_permissive_mode;
if(!env->anchors)
env->anchors = anchors_create();
if(!env->anchors) {
@@ -170,7 +169,6 @@ val_init(struct module_env* env, int id)
}
env->modinfo[id] = (void*)val_env;
env->need_to_validate = 1;
- val_env->permissive_mode = 0;
lock_basic_init(&val_env->bogus_lock);
lock_protect(&val_env->bogus_lock, &val_env->num_rrset_bogus,
sizeof(val_env->num_rrset_bogus));
@@ -364,14 +362,17 @@ already_validated(struct dns_msg* ret_msg)
* @param qtype: query type.
* @param qclass: query class.
* @param flags: additional flags, such as the CD bit (BIT_CD), or 0.
+ * @param newq: If the subquery is newly created, it is returned,
+ * otherwise NULL is returned
+ * @param detached: true if this qstate should not attach to the subquery
* @return false on alloc failure.
*/
static int
generate_request(struct module_qstate* qstate, int id, uint8_t* name,
- size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags)
+ size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags,
+ struct module_qstate** newq, int detached)
{
struct val_qstate* vq = (struct val_qstate*)qstate->minfo[id];
- struct module_qstate* newq;
struct query_info ask;
int valrec;
ask.qname = name;
@@ -380,22 +381,35 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name,
ask.qclass = qclass;
ask.local_alias = NULL;
log_query_info(VERB_ALGO, "generate request", &ask);
- fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
/* enable valrec flag to avoid recursion to the same validation
* routine, this lookup is simply a lookup. DLVs need validation */
if(qtype == LDNS_RR_TYPE_DLV)
valrec = 0;
else valrec = 1;
- if(!(*qstate->env->attach_sub)(qstate, &ask,
- (uint16_t)(BIT_RD|flags), 0, valrec, &newq)){
- log_err("Could not generate request: out of memory");
- return 0;
+ if(detached) {
+ struct mesh_state* sub = NULL;
+ fptr_ok(fptr_whitelist_modenv_add_sub(
+ qstate->env->add_sub));
+ if(!(*qstate->env->add_sub)(qstate, &ask,
+ (uint16_t)(BIT_RD|flags), 0, valrec, newq, &sub)){
+ log_err("Could not generate request: out of memory");
+ return 0;
+ }
+ }
+ else {
+ fptr_ok(fptr_whitelist_modenv_attach_sub(
+ qstate->env->attach_sub));
+ if(!(*qstate->env->attach_sub)(qstate, &ask,
+ (uint16_t)(BIT_RD|flags), 0, valrec, newq)){
+ log_err("Could not generate request: out of memory");
+ return 0;
+ }
}
/* newq; validator does not need state created for that
* query, and its a 'normal' for iterator as well */
- if(newq) {
+ if(*newq) {
/* add our blacklist to the query blacklist */
- sock_list_merge(&newq->blacklist, newq->region,
+ sock_list_merge(&(*newq)->blacklist, (*newq)->region,
vq->chain_blacklist);
}
qstate->ext_state[id] = module_wait_subquery;
@@ -403,6 +417,66 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name,
}
/**
+ * Generate, send and detach key tag signaling query.
+ *
+ * @param qstate: query state.
+ * @param id: module id.
+ * @param ta: trust anchor, locked.
+ * @return false on a processing error.
+ */
+static int
+generate_keytag_query(struct module_qstate* qstate, int id,
+ struct trust_anchor* ta)
+{
+ /* 3 bytes for "_ta", 5 bytes per tag (4 bytes + "-") */
+#define MAX_LABEL_TAGS (LDNS_MAX_LABELLEN-3)/5
+ size_t i, numtag;
+ uint16_t tags[MAX_LABEL_TAGS];
+ char tagstr[LDNS_MAX_LABELLEN+1] = "_ta"; /* +1 for NULL byte */
+ size_t tagstr_left = sizeof(tagstr) - strlen(tagstr);
+ char* tagstr_pos = tagstr + strlen(tagstr);
+ uint8_t dnamebuf[LDNS_MAX_DOMAINLEN+1]; /* +1 for label length byte */
+ size_t dnamebuf_len = sizeof(dnamebuf);
+ uint8_t* keytagdname;
+ struct module_qstate* newq = NULL;
+ enum module_ext_state ext_state = qstate->ext_state[id];
+
+ numtag = anchor_list_keytags(ta, tags, MAX_LABEL_TAGS);
+ if(numtag == 0)
+ return 0;
+
+ for(i=0; i<numtag; i++) {
+ /* Buffer can't overflow; numtag is limited to tags that fit in
+ * the buffer. */
+ snprintf(tagstr_pos, tagstr_left, "-%04x", (unsigned)tags[i]);
+ tagstr_left -= strlen(tagstr_pos);
+ tagstr_pos += strlen(tagstr_pos);
+ }
+
+ sldns_str2wire_dname_buf_origin(tagstr, dnamebuf, &dnamebuf_len,
+ ta->name, ta->namelen);
+ if(!(keytagdname = (uint8_t*)regional_alloc_init(qstate->region,
+ dnamebuf, dnamebuf_len))) {
+ log_err("could not generate key tag query: out of memory");
+ return 0;
+ }
+
+ log_nametypeclass(VERB_ALGO, "keytag query", keytagdname,
+ LDNS_RR_TYPE_NULL, ta->dclass);
+ if(!generate_request(qstate, id, keytagdname, dnamebuf_len,
+ LDNS_RR_TYPE_NULL, ta->dclass, 0, &newq, 1)) {
+ log_err("failed to generate key tag signaling request");
+ return 0;
+ }
+
+ /* Not interrested in subquery response. Restore the ext_state,
+ * that might be changed by generate_request() */
+ qstate->ext_state[id] = ext_state;
+
+ return 1;
+}
+
+/**
* Prime trust anchor for use.
* Generate and dispatch a priming query for the given trust anchor.
* The trust anchor can be DNSKEY or DS and does not have to be signed.
@@ -417,8 +491,16 @@ static int
prime_trust_anchor(struct module_qstate* qstate, struct val_qstate* vq,
int id, struct trust_anchor* toprime)
{
+ struct module_qstate* newq = NULL;
int ret = generate_request(qstate, id, toprime->name, toprime->namelen,
- LDNS_RR_TYPE_DNSKEY, toprime->dclass, BIT_CD);
+ LDNS_RR_TYPE_DNSKEY, toprime->dclass, BIT_CD, &newq, 0);
+
+ if(newq && qstate->env->cfg->trust_anchor_signaling &&
+ !generate_keytag_query(qstate, id, toprime)) {
+ log_err("keytag signaling query failed");
+ return 0;
+ }
+
if(!ret) {
log_err("Could not prime trust anchor: out of memory");
return 0;
@@ -534,9 +616,11 @@ validate_msg_signatures(struct module_qstate* qstate, struct module_env* env,
}
}
- /* attempt to validate the ADDITIONAL section rrsets */
- if(!ve->clean_additional)
+ /* If set, the validator should clean the additional section of
+ * secure messages. */
+ if(!env->cfg->val_clean_additional)
return 1;
+ /* attempt to validate the ADDITIONAL section rrsets */
for(i=chase_reply->an_numrrsets+chase_reply->ns_numrrsets;
i<chase_reply->rrset_count; i++) {
s = chase_reply->rrsets[i];
@@ -1510,6 +1594,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
uint8_t* target_key_name, *current_key_name;
size_t target_key_len;
int strip_lab;
+ struct module_qstate* newq = NULL;
log_query_info(VERB_ALGO, "validator: FindKey", &vq->qchase);
/* We know that state.key_entry is not 0 or bad key -- if it were,
@@ -1522,7 +1607,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
if(key_entry_isnull(vq->key_entry)) {
if(!generate_request(qstate, id, vq->ds_rrset->rk.dname,
vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY,
- vq->qchase.qclass, BIT_CD)) {
+ vq->qchase.qclass, BIT_CD, &newq, 0)) {
log_err("mem error generating DNSKEY request");
return val_error(qstate, id);
}
@@ -1594,7 +1679,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
vq->key_entry->name) != 0) {
if(!generate_request(qstate, id, vq->ds_rrset->rk.dname,
vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY,
- vq->qchase.qclass, BIT_CD)) {
+ vq->qchase.qclass, BIT_CD, &newq, 0)) {
log_err("mem error generating DNSKEY request");
return val_error(qstate, id);
}
@@ -1623,7 +1708,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
}
if(!generate_request(qstate, id, target_key_name,
target_key_len, LDNS_RR_TYPE_DS, vq->qchase.qclass,
- BIT_CD)) {
+ BIT_CD, &newq, 0)) {
log_err("mem error generating DS request");
return val_error(qstate, id);
}
@@ -1633,7 +1718,7 @@ processFindKey(struct module_qstate* qstate, struct val_qstate* vq, int id)
/* Otherwise, it is time to query for the DNSKEY */
if(!generate_request(qstate, id, vq->ds_rrset->rk.dname,
vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY,
- vq->qchase.qclass, BIT_CD)) {
+ vq->qchase.qclass, BIT_CD, &newq, 0)) {
log_err("mem error generating DNSKEY request");
return val_error(qstate, id);
}
@@ -1847,6 +1932,7 @@ val_dlv_init(struct module_qstate* qstate, struct val_qstate* vq,
{
uint8_t* nm;
size_t nm_len;
+ struct module_qstate* newq = NULL;
/* there must be a DLV configured */
log_assert(qstate->env->anchors->dlv_anchor);
/* this bool is true to avoid looping in the DLV checks */
@@ -1948,7 +2034,7 @@ val_dlv_init(struct module_qstate* qstate, struct val_qstate* vq,
vq->state = VAL_DLVLOOKUP_STATE;
if(!generate_request(qstate, id, vq->dlv_lookup_name,
vq->dlv_lookup_name_len, LDNS_RR_TYPE_DLV,
- vq->qchase.qclass, 0)) {
+ vq->qchase.qclass, 0, &newq, 0)) {
return val_error(qstate, id);
}
@@ -2042,7 +2128,7 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
* a different signer name). And drop additional rrsets
* that are not secure (if clean-additional option is set) */
/* this may cause the msg to be marked bogus */
- val_check_nonsecure(ve, vq->orig_msg->rep);
+ val_check_nonsecure(qstate->env, vq->orig_msg->rep);
if(vq->orig_msg->rep->security == sec_status_secure) {
log_query_info(VERB_DETAIL, "validation success",
&qstate->qinfo);
@@ -2083,8 +2169,14 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
free(err);
}
}
+ /*
+ * If set, the validator will not make messages bogus, instead
+ * indeterminate is issued, so that no clients receive SERVFAIL.
+ * This allows an operator to run validation 'shadow' without
+ * hurting responses to clients.
+ */
/* If we are in permissive mode, bogus gets indeterminate */
- if(ve->permissive_mode)
+ if(qstate->env->cfg->val_permissive_mode)
vq->orig_msg->rep->security = sec_status_indeterminate;
}
@@ -2128,6 +2220,7 @@ static int
processDLVLookup(struct module_qstate* qstate, struct val_qstate* vq,
struct val_env* ve, int id)
{
+ struct module_qstate* newq = NULL;
/* see if this we are ready to continue normal resolution */
/* we may need more DLV lookups */
if(vq->dlv_status==dlv_error)
@@ -2176,7 +2269,7 @@ processDLVLookup(struct module_qstate* qstate, struct val_qstate* vq,
if(!generate_request(qstate, id, vq->ds_rrset->rk.dname,
vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY,
- vq->qchase.qclass, BIT_CD)) {
+ vq->qchase.qclass, BIT_CD, &newq, 0)) {
log_err("mem error generating DNSKEY request");
return val_error(qstate, id);
}
@@ -2218,7 +2311,7 @@ processDLVLookup(struct module_qstate* qstate, struct val_qstate* vq,
if(!generate_request(qstate, id, vq->dlv_lookup_name,
vq->dlv_lookup_name_len, LDNS_RR_TYPE_DLV,
- vq->qchase.qclass, 0)) {
+ vq->qchase.qclass, 0, &newq, 0)) {
return val_error(qstate, id);
}
@@ -2857,6 +2950,7 @@ process_prime_response(struct module_qstate* qstate, struct val_qstate* vq,
ta->name, ta->namelen, LDNS_RR_TYPE_DNSKEY,
ta->dclass);
}
+
if(ta->autr) {
if(!autr_process_prime(qstate->env, ve, ta, dnskey_rrset)) {
/* trust anchor revoked, restart with less anchors */
diff --git a/validator/validator.h b/validator/validator.h
index 23d3072427a2..9a591078f71c 100644
--- a/validator/validator.h
+++ b/validator/validator.h
@@ -93,19 +93,6 @@ struct val_env {
* seconds. */
uint32_t bogus_ttl;
- /** If set, the validator should clean the additional section of
- * secure messages.
- */
- int clean_additional;
-
- /**
- * If set, the validator will not make messages bogus, instead
- * indeterminate is issued, so that no clients receive SERVFAIL.
- * This allows an operator to run validation 'shadow' without
- * hurting responses to clients.
- */
- int permissive_mode;
-
/**
* Number of entries in the NSEC3 maximum iteration count table.
* Keep this table short, and sorted by size
diff --git a/winrc/setup.nsi b/winrc/setup.nsi
index c5d6b2ceb933..8f085228004c 100644
--- a/winrc/setup.nsi
+++ b/winrc/setup.nsi
@@ -90,6 +90,7 @@ section "-hidden.postinstall"
File "..\unbound-service-install.exe"
File "..\unbound-service-remove.exe"
File "..\anchor-update.exe"
+ File "..\root.key"
File "unbound-control-setup.cmd"
File "unbound-website.url"
File "..\doc\example.conf"