From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthias Fischer To: development@lists.ipfire.org Subject: [PATCH] dnsmasq 2.75: latest patches from upstream (051-055) Date: Sat, 23 Jan 2016 12:13:55 +0100 Message-ID: <1453547636-1048-1-git-send-email-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1618413666369889875==" List-Id: --===============1618413666369889875== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable For the records: I'm testing this one since a few days. No problems yet. For details see: http://thekelleys.org.uk/gitweb/?p=3Ddnsmasq.git;a=3Dsummary Signed-off-by: Matthias Fischer --- lfs/dnsmasq | 5 + .../051-Fix_botch_in_forward_c_flags_code.patch | 29 +++ .../052-Fix_sporadic_crash_in_find_mac.patch | 27 +++ ..._code_and_set_conntrack_on_DNSSEC_queries.patch | 270 +++++++++++++++++++= ++ ...ms_in_last_commit_when_DNSSEC_not_enabled.patch | 58 +++++ ...main-needed_set_and_no_servers_configured.patch | 91 +++++++ 6 files changed, 480 insertions(+) create mode 100644 src/patches/dnsmasq/051-Fix_botch_in_forward_c_flags_code= .patch create mode 100644 src/patches/dnsmasq/052-Fix_sporadic_crash_in_find_mac.pa= tch create mode 100644 src/patches/dnsmasq/053-Complete_DNSSEC_server-selection_= code_and_set_conntrack_on_DNSSEC_queries.patch create mode 100644 src/patches/dnsmasq/054-Fix_problems_in_last_commit_when_= DNSSEC_not_enabled.patch create mode 100644 src/patches/dnsmasq/055-Fix_wrong_reply_to_simple_name_wh= en_--domain-needed_set_and_no_servers_configured.patch diff --git a/lfs/dnsmasq b/lfs/dnsmasq index 4e5951f..5134c13 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq 
@@ -123,6 +123,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/048-Disable_D= NSSEC_for_server_domain_servers_unless_trust-anchor_provided.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/049-arp_c_tid= y_up.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/050-Complete_= work_to_allow_DNSSEC_validation_with_private_DNS_servers.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/051-Fix_botch= _in_forward_c_flags_code.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/052-Fix_spora= dic_crash_in_find_mac.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/053-Complete_= DNSSEC_server-selection_code_and_set_conntrack_on_DNSSEC_queries.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/054-Fix_probl= ems_in_last_commit_when_DNSSEC_not_enabled.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/055-Fix_wrong= _reply_to_simple_name_when_--domain-needed_set_and_no_servers_configured.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-t= o-read-ISC-DHCP-lease-file.patch =20 cd $(DIR_APP) && sed -i src/config.h \ diff --git a/src/patches/dnsmasq/051-Fix_botch_in_forward_c_flags_code.patch = b/src/patches/dnsmasq/051-Fix_botch_in_forward_c_flags_code.patch new file mode 100644 index 0000000..aff7f37 --- /dev/null +++ b/src/patches/dnsmasq/051-Fix_botch_in_forward_c_flags_code.patch 
@@ -0,0 +1,29 @@ +From 1801a29226c53e8af3f7a0f149d3ec9f06c04f3c Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Sun, 17 Jan 2016 21:53:57 +0000 +Subject: [PATCH] Fix botch in forward.c flags code. + +Thanks to Matthias Anfree for spotting this. +--- + src/forward.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/forward.c b/src/forward.c +index c48fd75..95c5ef9 100644 +--- a/src/forward.c ++++ b/src/forward.c +@@ -810,9 +810,9 @@ void reply_query(int fd, int family, time_t now) + { + header->hb3 &=3D ~(HB3_QR | HB3_AA | HB3_TC); + header->hb4 &=3D ~(HB4_RA | HB4_RCODE | HB4_CD | HB4_AD); +- if (forward->flags |=3D FREC_CHECKING_DISABLED) ++ if (forward->flags & FREC_CHECKING_DISABLED) + header->hb4 |=3D HB4_CD; +- if (forward->flags |=3D FREC_AD_QUESTION) ++ if (forward->flags & FREC_AD_QUESTION) + header->hb4 |=3D HB4_AD; + if (forward->flags & FREC_DO_QUESTION) + add_do_bit(header, nn, (unsigned char *)pheader + plen); +--=20 +1.7.10.4 + diff --git a/src/patches/dnsmasq/052-Fix_sporadic_crash_in_find_mac.patch b/s= rc/patches/dnsmasq/052-Fix_sporadic_crash_in_find_mac.patch new file mode 100644 index 0000000..54efae9 --- /dev/null +++ b/src/patches/dnsmasq/052-Fix_sporadic_crash_in_find_mac.patch 
@@ -0,0 +1,27 @@ +From f4d0c660ca403e933d51093167c0d01526c7f9d1 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Mon, 18 Jan 2016 12:51:08 +0000 +Subject: [PATCH] Fix sporadic crash in find_mac() - hwlen must be zero for + empty entries. + +--- + src/arp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/arp.c b/src/arp.c +index 968455c..d70d2af 100644 +--- a/src/arp.c ++++ b/src/arp.c +@@ -188,7 +188,8 @@ int find_mac(union mysockaddr *addr, unsigned char *mac,= int lazy, time_t now) + arps =3D arp; + arp->status =3D ARP_EMPTY; + arp->family =3D addr->sa.sa_family; +- =20 ++ arp->hwlen =3D 0; ++ + if (addr->sa.sa_family =3D=3D AF_INET) + arp->addr.addr.addr4.s_addr =3D addr->in.sin_addr.s_addr; + #ifdef HAVE_IPV6 +--=20 +1.7.10.4 + diff --git a/src/patches/dnsmasq/053-Complete_DNSSEC_server-selection_code_an= d_set_conntrack_on_DNSSEC_queries.patch b/src/patches/dnsmasq/053-Complete_DN= SSEC_server-selection_code_and_set_conntrack_on_DNSSEC_queries.patch new file mode 100644 index 0000000..3f8b053 --- /dev/null +++ b/src/patches/dnsmasq/053-Complete_DNSSEC_server-selection_code_and_set_c= onntrack_on_DNSSEC_queries.patch 
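Review bot: The added `arp->hwlen = 0;` in find_mac() has no comment, although the commit subject says it enforces an invariant (hwlen must be zero for empty entries) whose violation caused a sporadic crash. I would state the invariant next to the assignment, e.g. `/* ARP_EMPTY records must have hwlen == 0 */`, so a later edit of this initialisation does not drop it again. The record is set up field by field here (status, family, hwlen, then the address). If it can be a recycled record, which the hunk does not show, any other length or pointer field deserves the same look. find_mac() starts and ends outside the hunk.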
@@ -0,0 +1,270 @@ +From f344dbc62216570b6471c81e4e39fc99bf47af5f Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Mon, 18 Jan 2016 18:04:17 +0000 +Subject: [PATCH] Complete DNSSEC server-selection code and set conntrack on + DNSSEC queries. + +--- + src/forward.c | 148 ++++++++++++++++++++++++++++++++++++++++++++++--------= --- + 1 file changed, 121 insertions(+), 27 deletions(-) + +diff --git a/src/forward.c b/src/forward.c +index 95c5ef9..506d194 100644 +--- a/src/forward.c ++++ b/src/forward.c +@@ -923,7 +923,7 @@ void reply_query(int fd, int family, time_t now) + status =3D STAT_ABANDONED; + else + { +- int fd, type; ++ int fd, type =3D SERV_DO_DNSSEC; + struct frec *next =3D new->next; + char *domain; + =20 +@@ -936,7 +936,7 @@ void reply_query(int fd, int family, time_t now) + servers for domains are involved. */ =20 + if (search_servers(now, NULL, F_QUERY, daemon->keyname, &type, &dom= ain, NULL) =3D=3D 0) + { +- struct server *start =3D server; ++ struct server *start =3D server, *new_server =3D NULL; + type &=3D ~SERV_DO_DNSSEC; + =20 + while (1) +@@ -945,8 +945,12 @@ void reply_query(int fd, int family, time_t now) + (type !=3D SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain= )) && + !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP))) + { +- server =3D start; +- break; ++ new_server =3D start; ++ if (server =3D=3D start) ++ { ++ new_server =3D NULL; ++ break; ++ } + } + =20 + if (!(start =3D start->next)) +@@ -954,7 +958,11 @@ void reply_query(int fd, int family, time_t now) + if (start =3D=3D server) + break; + } ++ =09 ++ if (new_server) ++ server =3D new_server; + } ++ + new->sentto =3D server; +=20 + new->rfd4 =3D NULL; +@@ -1010,6 +1018,15 @@ void reply_query(int fd, int family, time_t now) + =20 + if (fd !=3D -1) + { ++#ifdef HAVE_CONNTRACK ++ /* Copy connection mark of incoming query to outgoing connection. 
*/ ++ if (option_bool(OPT_CONNTRACK)) ++ { ++ unsigned int mark; ++ if (get_incoming_mark(&orig->source, &orig->dest, 0, &mark)) ++ setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); ++ } ++#endif + while (retry_send(sendto(fd, (char *)header, nn, 0,=20 + &server->addr.sa,=20 + sa_len(&server->addr))));=20 +@@ -1072,7 +1089,7 @@ void reply_query(int fd, int family, time_t now) + else + header->hb4 &=3D ~HB4_CD; + =20 +- if ((nn =3D process_reply(header, now, server, (size_t)n, check_rebin= d, no_cache_dnssec, cache_secure, bogusanswer,=20 ++ if ((nn =3D process_reply(header, now, forward->sentto, (size_t)n, ch= eck_rebind, no_cache_dnssec, cache_secure, bogusanswer,=20 + forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTI= ON,=20 + forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUB= NET, &forward->source))) + { +@@ -1433,20 +1450,27 @@ void receive_query(struct listener *listen, time_t n= ow) + } +=20 + #ifdef HAVE_DNSSEC ++/* Recurse up the key heirarchy */ + static int tcp_key_recurse(time_t now, int status, struct dns_header *heade= r, size_t n,=20 +- int class, char *name, char *keyname, struct server *server, int *key= count) ++ int class, char *name, char *keyname, struct server *server,=20 ++ int have_mark, unsigned int mark, int *keycount) + { +- /* Recurse up the key heirarchy */ + int new_status; + unsigned char *packet =3D NULL; +- size_t m;=20 + unsigned char *payload =3D NULL; + struct dns_header *new_header =3D NULL; + u16 *length =3D NULL; +- unsigned char c1, c2; ++ ++ (void)have_mark; ++ (void)mark; +=20 + while (1) + { ++ int type =3D SERV_DO_DNSSEC; ++ char *domain; ++ size_t m;=20 ++ unsigned char c1, c2; ++ =20 + /* limit the amount of work we do, to avoid cycling forever on loops = in the DNS */ + if (--(*keycount) =3D=3D 0) + new_status =3D STAT_ABANDONED; +@@ -1480,6 +1504,67 @@ static int tcp_key_recurse(time_t now, int status, st= ruct dns_header *header, si + new_status =3D=3D STAT_NEED_KEY ? 
T_DNSKEY : T_DS, &server->addr, serve= r->edns_pktsz); + =20 + *length =3D htons(m); ++ ++ /* Find server to forward to. This will normally be the=20 ++ same as for the original query, but may be another if ++ servers for domains are involved. */ =20 ++ if (search_servers(now, NULL, F_QUERY, keyname, &type, &domain, NULL)= =3D=3D 0) ++ { ++ struct server *start =3D server, *new_server =3D NULL; ++ type &=3D ~SERV_DO_DNSSEC; ++ =20 ++ while (1) ++ { ++ if (type =3D=3D (start->flags & SERV_TYPE) && ++ (type !=3D SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) = && ++ !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP))) ++ { ++ new_server =3D start; ++ if (server =3D=3D start) ++ { ++ new_server =3D NULL; ++ break; ++ } ++ } ++ =20 ++ if (!(start =3D start->next)) ++ start =3D daemon->servers; ++ if (start =3D=3D server) ++ break; ++ } ++ =20 ++ ++ if (new_server) ++ { ++ server =3D new_server; ++ /* may need to make new connection. */ ++ if (server->tcpfd =3D=3D -1) ++ { ++ if ((server->tcpfd =3D socket(server->addr.sa.sa_family, SOCK_STREAM, 0= )) =3D=3D -1) ++ { ++ new_status =3D STAT_ABANDONED; ++ break; ++ } ++ ++#ifdef HAVE_CONNTRACK ++ /* Copy connection mark of incoming query to outgoing connection. 
*/ ++ if (have_mark) ++ setsockopt(server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned= int)); ++#endif=09 ++ =20 ++ if (!local_bind(server->tcpfd, &server->source_addr, server->interface= , 1) || ++ connect(server->tcpfd, &server->addr.sa, sa_len(&server->addr)) =3D= =3D -1) ++ { ++ close(server->tcpfd); ++ server->tcpfd =3D -1; ++ new_status =3D STAT_ABANDONED; ++ break; ++ } ++ ++ } ++ } ++ } ++ + =20 + if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) || + !read_write(server->tcpfd, &c1, 1, 1) || +@@ -1492,7 +1577,7 @@ static int tcp_key_recurse(time_t now, int status, str= uct dns_header *header, si +=20 + m =3D (c1 << 8) | c2; + =20 +- new_status =3D tcp_key_recurse(now, new_status, new_header, m, class,= name, keyname, server, keycount); ++ new_status =3D tcp_key_recurse(now, new_status, new_header, m, class,= name, keyname, server, have_mark, mark, keycount); + =20 + if (new_status !=3D STAT_OK) + break; +@@ -1536,10 +1621,30 @@ unsigned char *tcp_request(int confd, time_t now, + socklen_t peer_len =3D sizeof(union mysockaddr); + int query_count =3D 0; + unsigned char *pheader; ++#ifdef HAVE_CONNTRACK ++ unsigned int mark =3D 0; ++ int have_mark =3D 0; ++#endif +=20 + if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) =3D=3D -= 1) + return packet; +- =20 ++ ++#ifdef HAVE_CONNTRACK ++ /* Get connection mark of incoming query to set on outgoing connections. = */ ++ if (option_bool(OPT_CONNTRACK)) ++ { ++ struct all_addr local; ++#ifdef HAVE_IPV6 =20 ++ if (local_addr->sa.sa_family =3D=3D AF_INET6) ++ local.addr.addr6 =3D local_addr->in6.sin6_addr; ++ else ++#endif ++ local.addr.addr4 =3D local_addr->in.sin_addr; ++ =20 ++ have_mark =3D get_incoming_mark(&peer_addr, &local, 1, &mark); ++ } ++#endif=09 ++ + /* We can be configured to only accept queries from at-most-one-hop-away = addresses. 
*/ + if (option_bool(OPT_LOCAL_SERVICE)) + { +@@ -1665,7 +1770,7 @@ unsigned char *tcp_request(int confd, time_t now, + { + unsigned int flags =3D 0; + struct all_addr *addrp =3D NULL; +- int type =3D 0; ++ int type =3D SERV_DO_DNSSEC; + char *domain =3D NULL; + size_t new_size =3D add_edns0_config(header, size, ((unsigned char *= ) header) + 65536, &peer_addr, now, &check_subnet); +=20 +@@ -1728,20 +1833,8 @@ unsigned char *tcp_request(int confd, time_t now, + =20 + #ifdef HAVE_CONNTRACK + /* Copy connection mark of incoming query to outgoing connection. */ +- if (option_bool(OPT_CONNTRACK)) +- { +- unsigned int mark; +- struct all_addr local; +-#ifdef HAVE_IPV6 =20 +- if (local_addr->sa.sa_family =3D=3D AF_INET6) +- local.addr.addr6 =3D local_addr->in6.sin6_addr; +- else +-#endif +- local.addr.addr4 =3D local_addr->in.sin_addr; +- =20 +- if (get_incoming_mark(&peer_addr, &local, 1, &mark)) +- setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsig= ned int)); +- } ++ if (have_mark) ++ setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(un= signed int)); + #endif=09 + =20 + if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_= server->interface, 1) || +@@ -1802,7 +1895,8 @@ unsigned char *tcp_request(int confd, time_t now, + if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled && (last_se= rver->flags & SERV_DO_DNSSEC)) + { + int keycount =3D DNSSEC_WORK; /* Limit to number of DNSSEC questions, = to catch loops and avoid filling cache. */ +- int status =3D tcp_key_recurse(now, STAT_OK, header, m, 0, daemon->nam= ebuff, daemon->keyname, last_server, &keycount); ++ int status =3D tcp_key_recurse(now, STAT_OK, header, m, 0, daemon->nam= ebuff, daemon->keyname,=20 ++ last_server, have_mark, mark, &keycount); + char *result, *domain =3D "result"; + =20 + if (status =3D=3D STAT_ABANDONED) +--=20 +1.7.10.4 + 
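Review bot: The three new `setsockopt(..., SOL_SOCKET, SO_MARK, ...)` calls ignore the return value: the UDP DNSSEC query in reply_query(), the new connection in tcp_key_recurse(), and the `if (have_mark)` call in tcp_request(). If one fails, the upstream query goes out without the client's connection mark and nothing records it. Where the mark drives firewall or routing policy, that is a silent policy miss on exactly the DNSKEY/DS queries this patch starts marking. In tcp_key_recurse() a failure could reuse the close-and-abandon path already written for local_bind()/connect(), e.g. `if (have_mark && setsockopt(server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)) == -1)` ahead of that block. The other two sites should at least log it. All three functions extend beyond the hunks shown.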
diff --git a/src/patches/dnsmasq/054-Fix_problems_in_last_commit_when_DNSSEC_= not_enabled.patch b/src/patches/dnsmasq/054-Fix_problems_in_last_commit_when_= DNSSEC_not_enabled.patch
new file mode 100644
index 0000000..f409038
--- /dev/null
+++ b/src/patches/dnsmasq/054-Fix_problems_in_last_commit_when_DNSSEC_not_ena= bled.patch
@@ -0,0 +1,58 @@ +From f7443d76f7b4ff1c2eb05a0313619b0a4bb8787e Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Tue, 19 Jan 2016 20:29:57 +0000 +Subject: [PATCH] Fix problems in last commit when DNSSEC not enabled. + +--- + src/forward.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/src/forward.c b/src/forward.c +index 506d194..ff0ab7e 100644 +--- a/src/forward.c ++++ b/src/forward.c +@@ -331,8 +331,8 @@ static int forward_query(int udpfd, union mysockaddr *ud= paddr, + =20 + #ifdef HAVE_DNSSEC + do_dnssec =3D type & SERV_DO_DNSSEC; +- type &=3D ~SERV_DO_DNSSEC; +-#endif =20 ++#endif ++ type &=3D ~SERV_DO_DNSSEC; =20 +=20 + if (!flags && !(forward =3D get_new_frec(now, NULL, 0))) + /* table full - server failure. */ +@@ -1461,9 +1461,6 @@ static int tcp_key_recurse(time_t now, int status, str= uct dns_header *header, si + struct dns_header *new_header =3D NULL; + u16 *length =3D NULL; +=20 +- (void)have_mark; +- (void)mark; +- + while (1) + { + int type =3D SERV_DO_DNSSEC; +@@ -1621,10 +1618,8 @@ unsigned char *tcp_request(int confd, time_t now, + socklen_t peer_len =3D sizeof(union mysockaddr); + int query_count =3D 0; + unsigned char *pheader; +-#ifdef HAVE_CONNTRACK + unsigned int mark =3D 0; + int have_mark =3D 0; +-#endif +=20 + if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) =3D=3D -= 1) + return packet; +@@ -1783,9 +1778,7 @@ unsigned char *tcp_request(int confd, time_t now, + if (gotname) + flags =3D search_servers(now, &addrp, gotname, daemon->namebuff, &type, &= domain, &norebind); + =20 +-#ifdef HAVE_DNSSEC + type &=3D ~SERV_DO_DNSSEC; +-#endif + =20 + if (type !=3D 0 || option_bool(OPT_ORDER) || !daemon->last_server) + last_server =3D daemon->servers; +--=20 +1.7.10.4 + 
diff --git a/src/patches/dnsmasq/055-Fix_wrong_reply_to_simple_name_when_--do= main-needed_set_and_no_servers_configured.patch b/src/patches/dnsmasq/055-Fix= _wrong_reply_to_simple_name_when_--domain-needed_set_and_no_servers_configure= d.patch
new file mode 100644
index 0000000..9eea14a
--- /dev/null
+++ b/src/patches/dnsmasq/055-Fix_wrong_reply_to_simple_name_when_--domain-ne= eded_set_and_no_servers_configured.patch
@@ -0,0 +1,91 @@ +From d05dd58de1113bb99060af2772247a45ceb3a1ad Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Tue, 19 Jan 2016 21:23:30 +0000 +Subject: [PATCH] Fix wrong reply to simple name when --domain-needed set and + no servers configured. + +Also return REFUSED and not SERVFAIL when out of memory. + +Thanks to Allain Legacy for problem report. +--- + CHANGELOG | 9 +++++++++ + src/forward.c | 13 +++++++------ + src/rfc1035.c | 4 +--- + 3 files changed, 17 insertions(+), 9 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index dcaa699..d3cf909 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -22,6 +22,15 @@ version 2.76 + reading a hosts-file fails. Thanks to Andr=C3=83=C2=A9 Gl=C3=83=C2=BCp= ker=20 + for the patch. +=20 ++ Fix wrong answer to simple name query when --domain-needed ++ set, but no upstream servers configured. Dnsmasq returned ++ REFUSED, in this case, when it should be the same as when ++ upstream servers are configured - NOERROR. Thanks to=20 ++ Allain Legacy for spotting the problem. ++ ++ Return REFUSED when running out of forwarding table slots, ++ not SERVFAIL. ++ + =09 + version 2.75 + Fix reversion on 2.74 which caused 100% CPU use when a=20 +diff --git a/src/forward.c b/src/forward.c +index ff0ab7e..414f988 100644 +--- a/src/forward.c ++++ b/src/forward.c +@@ -249,9 +249,7 @@ static int forward_query(int udpfd, union mysockaddr *ud= paddr, + (void)do_bit; +=20 + /* may be no servers available. */ +- if (!daemon->servers) +- forward =3D NULL; +- else if (forward || (hash && (forward =3D lookup_frec_by_sender(ntohs(hea= der->id), udpaddr, hash)))) ++ if (forward || (hash && (forward =3D lookup_frec_by_sender(ntohs(header->= id), udpaddr, hash)))) + { + /* If we didn't get an answer advertising a maximal packet in EDNS, + fall back to 1280, which should work everywhere on IPv6. 
+@@ -334,9 +332,9 @@ static int forward_query(int udpfd, union mysockaddr *ud= paddr, + #endif + type &=3D ~SERV_DO_DNSSEC; =20 +=20 +- if (!flags && !(forward =3D get_new_frec(now, NULL, 0))) +- /* table full - server failure. */ +- flags =3D F_NEG; ++ if (daemon->servers && !flags) ++ forward =3D get_new_frec(now, NULL, 0); ++ /* table full - flags =3D=3D 0, return REFUSED */ + =20 + if (forward) + { +@@ -1621,6 +1619,9 @@ unsigned char *tcp_request(int confd, time_t now, + unsigned int mark =3D 0; + int have_mark =3D 0; +=20 ++ (void)mark; ++ (void)have_mark; ++ + if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) =3D=3D -= 1) + return packet; +=20 +diff --git a/src/rfc1035.c b/src/rfc1035.c +index 55dec48..9c0ddb5 100644 +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -896,9 +896,7 @@ size_t setup_reply(struct dns_header *header, size_t qle= n, + header->nscount =3D htons(0); + header->arcount =3D htons(0); + header->ancount =3D htons(0); /* no answers unless changed below */ +- if (flags =3D=3D F_NEG) +- SET_RCODE(header, SERVFAIL); /* couldn't get memory */ +- else if (flags =3D=3D F_NOERR) ++ if (flags =3D=3D F_NOERR) + SET_RCODE(header, NOERROR); /* empty domain */ + else if (flags =3D=3D F_NXDOMAIN) + SET_RCODE(header, NXDOMAIN); +--=20 +1.7.10.4 + --=20 2.7.0 --===============1618413666369889875==--
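Review bot: In forward_query() the retry branch `if (forward || (hash && (forward = lookup_frec_by_sender(...))))` is no longer guarded by `daemon->servers`. The context comment `/* may be no servers available. */` above it is now stale, because the check moved down to `if (daemon->servers && !flags)`. If a forwarding record can outlive removal of the last upstream server (not visible in these hunks), a client retransmission would enter the retry path with an empty server list. Please confirm records are dropped with their servers, and move the comment to the new check, e.g. `/* may be no servers available: forward stays NULL and the reply is built from flags */`. Separately, setup_reply() in rfc1035.c no longer handles `flags == F_NEG`, so any remaining caller passing it gets whatever the later branches choose. Both functions extend beyond the hunks.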