From mboxrd@z Thu Jan  1 00:00:00 1970
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] dnsmasq: 2.76test10 with latest patches (001-004)
Date: Fri, 26 Feb 2016 18:29:28 +0100
Message-ID: <1456507768-1796-1-git-send-email-matthias.fischer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8339380555630392447=="
List-Id: <development.lists.ipfire.org>

--===============8339380555630392447==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

This is 'dnsmasq 2.76test10', based on current 'next', containing latest patc=
hes.

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
 lfs/dnsmasq                                        |   39 +-
 ...TL_parameter_to_--host-record_and_--cname.patch |  265 +++
 ...01-include_0_0_0_0_8_in_DNS_rebind_checks.patch |   41 -
 .../dnsmasq/002-Add_--dhcp-ttl_option.patch        |  117 ++
 ...subnet_to_allow_arbitary_subnet_addresses.patch |  271 ---
 src/patches/dnsmasq/003-Update_CHANGELOG.patch     |   17 +
 ...h_zones_locally_when_localise_queries_set.patch |   34 -
 .../dnsmasq/004-Add_--tftp-mtu_option.patch        |  136 ++
 .../004-fix_behaviour_of_empty_dhcp-option.patch   |   38 -
 ...ution_to_ENOMEM_error_with_IPv6_multicast.patch |   50 -
 ...page_on_RDNSS_set_in_router_advertisement.patch |   35 -
 ...gned_dangling_CNAME_replies_to_DS_queries.patch |   30 -
 ...6_option_56_does_not_hold_an_address_list.patch |   25 -
 ...pect_the_--no_resolv_flag_in_inotify_code.patch |   47 -
 ..._5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch |   26 -
 ...11-Catch_errors_from_sendmsg_in_DHCP_code.patch |   32 -
 ...12-Update_list_of_subnet_for_--bogus-priv.patch |   48 -
 ...y_address_from_DNS_overlays_A_record_from.patch |   43 -
 ...14-Handle_unknown_DS_hash_algos_correctly.patch |   39 -
 .../015-Fix_crash_at_start_up_with_conf-dir.patch  |   38 -
 ...ajor_rationalisation_of_DNSSEC_validation.patch | 2209 ------------------=
--
 ...hing_RRSIGs_and_returning_them_from_cache.patch |  612 ------
 ...caches_DS_records_to_a_more_logical_place.patch |  269 ---
 ...lise_RR-filtering_code_for_use_with_EDNS0.patch |  755 -------
 .../dnsmasq/020-DNSSEC_validation_tweak.patch      |  134 --
 ...1-Tweaks_to_EDNS0_handling_in_DNS_replies.patch |  133 --
 ..._code_Check_zone_status_is_NSEC_proof_bad.patch |  409 ----
 ...023-Fix_brace_botch_in_dnssec_validate_ds.patch |   98 -
 ...ning_which_DNSSEC_sig_algos_are_supported.patch |  145 --
 ...EDNS0_handling_and_computation_use_of_udp.patch |  643 ------
 ...aks_in_handling_unknown_DNSSEC_algorithms.patch |  262 ---
 ...obscure_off-by-one_in_DNSSEC_hostname_cmp.patch |   27 -
 .../028-Minor_tweak_to_previous_commit.patch       |   39 -
 .../dnsmasq/029-NSEC3_check_RFC5155_para_8_2.patch |   39 -
 34 files changed, 542 insertions(+), 6603 deletions(-)
 create mode 100644 src/patches/dnsmasq/001-Add_TTL_parameter_to_--host-recor=
d_and_--cname.patch
 delete mode 100644 src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_c=
hecks.patch
 create mode 100644 src/patches/dnsmasq/002-Add_--dhcp-ttl_option.patch
 delete mode 100644 src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbit=
ary_subnet_addresses.patch
 create mode 100644 src/patches/dnsmasq/003-Update_CHANGELOG.patch
 delete mode 100644 src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_=
auth_zones_locally_when_localise_queries_set.patch
 create mode 100644 src/patches/dnsmasq/004-Add_--tftp-mtu_option.patch
 delete mode 100644 src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-optio=
n.patch
 delete mode 100644 src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_=
with_IPv6_multicast.patch
 delete mode 100644 src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_=
router_advertisement.patch
 delete mode 100644 src/patches/dnsmasq/007-handle_signed_dangling_CNAME_repl=
ies_to_DS_queries.patch
 delete mode 100644 src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an=
_address_list.patch
 delete mode 100644 src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_i=
notify_code.patch
 delete mode 100644 src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794=
513abe510817e2cf3ca.patch
 delete mode 100644 src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP=
_code.patch
 delete mode 100644 src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus=
-priv.patch
 delete mode 100644 src/patches/dnsmasq/013-Fix_crash_when_empty_address_from=
_DNS_overlays_A_record_from.patch
 delete mode 100644 src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_corr=
ectly.patch
 delete mode 100644 src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-d=
ir.patch
 delete mode 100644 src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_v=
alidation.patch
 delete mode 100644 src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_return=
ing_them_from_cache.patch
 delete mode 100644 src/patches/dnsmasq/018-Move_code_which_caches_DS_records=
_to_a_more_logical_place.patch
 delete mode 100644 src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_=
use_with_EDNS0.patch
 delete mode 100644 src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch
 delete mode 100644 src/patches/dnsmasq/021-Tweaks_to_EDNS0_handling_in_DNS_r=
eplies.patch
 delete mode 100644 src/patches/dnsmasq/022-Tidy_up_DNSSEC_non-existence_code=
_Check_zone_status_is_NSEC_proof_bad.patch
 delete mode 100644 src/patches/dnsmasq/023-Fix_brace_botch_in_dnssec_validat=
e_ds.patch
 delete mode 100644 src/patches/dnsmasq/024-Do_a_better_job_of_determining_wh=
ich_DNSSEC_sig_algos_are_supported.patch
 delete mode 100644 src/patches/dnsmasq/025-Major_tidy_up_of_EDNS0_handling_a=
nd_computation_use_of_udp.patch
 delete mode 100644 src/patches/dnsmasq/026-More_tweaks_in_handling_unknown_D=
NSSEC_algorithms.patch
 delete mode 100644 src/patches/dnsmasq/027-Nasty_rare_and_obscure_off-by-one=
_in_DNSSEC_hostname_cmp.patch
 delete mode 100644 src/patches/dnsmasq/028-Minor_tweak_to_previous_commit.pa=
tch
 delete mode 100644 src/patches/dnsmasq/029-NSEC3_check_RFC5155_para_8_2.patch

diff --git a/lfs/dnsmasq b/lfs/dnsmasq
index 8058663..29d7895 100644
--- a/lfs/dnsmasq
+++ b/lfs/dnsmasq
@@ -1,7 +1,7 @@
 ############################################################################=
###
 #                                                                           =
  #
 # IPFire.org - A linux based firewall                                       =
  #
-# Copyright (C) 2015  Michael Tremer & Christian Schmidt                    =
  #
+# Copyright (C) 2016  Michael Tremer & Christian Schmidt                    =
  #
 #                                                                           =
  #
 # This program is free software: you can redistribute it and/or modify      =
  #
 # it under the terms of the GNU General Public License as published by      =
  #
@@ -24,7 +24,7 @@
=20
 include Config
=20
-VER        =3D 2.75
+VER        =3D 2.76test10
=20
 THISAPP    =3D dnsmasq-$(VER)
 DL_FILE    =3D $(THISAPP).tar.xz
@@ -43,7 +43,7 @@ objects =3D $(DL_FILE)
=20
 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
=20
-$(DL_FILE)_MD5 =3D 887236f1ddde6eb57cdb9d01916c9f72
+$(DL_FILE)_MD5 =3D 4b51474ed6081b18c61407077f254cf7
=20
 install : $(TARGET)
=20
@@ -73,35 +73,10 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-include_0=
_0_0_0_8_in_DNS_rebind_checks.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-enhance_a=
dd_subnet_to_allow_arbitary_subnet_addresses.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-dont_answ=
er_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/004-fix_behav=
iour_of_empty_dhcp-option.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/005-suggest_s=
olution_to_ENOMEM_error_with_IPv6_multicast.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/006-clarify_m=
an_page_on_RDNSS_set_in_router_advertisement.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-handle_si=
gned_dangling_CNAME_replies_to_DS_queries.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-DHCPv6_op=
tion_56_does_not_hold_an_address_list.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-Respect_t=
he_--no_resolv_flag_in_inotify_code.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/010-Rationali=
se_5e3e464ac4022ee0b3794513abe510817e2cf3ca.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/011-Catch_err=
ors_from_sendmsg_in_DHCP_code.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012-Update_li=
st_of_subnet_for_--bogus-priv.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/013-Fix_crash=
_when_empty_address_from_DNS_overlays_A_record_from.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/014-Handle_un=
known_DS_hash_algos_correctly.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/015-Fix_crash=
_at_start_up_with_conf-dir.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/016-Major_rat=
ionalisation_of_DNSSEC_validation.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/017-Abandon_c=
aching_RRSIGs_and_returning_them_from_cache.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/018-Move_code=
_which_caches_DS_records_to_a_more_logical_place.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/019-Generalis=
e_RR-filtering_code_for_use_with_EDNS0.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/020-DNSSEC_va=
lidation_tweak.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/021-Tweaks_to=
_EDNS0_handling_in_DNS_replies.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/022-Tidy_up_D=
NSSEC_non-existence_code_Check_zone_status_is_NSEC_proof_bad.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/023-Fix_brace=
_botch_in_dnssec_validate_ds.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/024-Do_a_bett=
er_job_of_determining_which_DNSSEC_sig_algos_are_supported.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/025-Major_tid=
y_up_of_EDNS0_handling_and_computation_use_of_udp.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/026-More_twea=
ks_in_handling_unknown_DNSSEC_algorithms.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/027-Nasty_rar=
e_and_obscure_off-by-one_in_DNSSEC_hostname_cmp.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/028-Minor_twe=
ak_to_previous_commit.patch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/029-NSEC3_che=
ck_RFC5155_para_8_2.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-Add_TTL_p=
arameter_to_--host-record_and_--cname.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-Add_--dhc=
p-ttl_option.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-Update_CH=
ANGELOG.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/004-Add_--tft=
p-mtu_option.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-t=
o-read-ISC-DHCP-lease-file.patch
=20
 	cd $(DIR_APP) && sed -i src/config.h \
diff --git a/src/patches/dnsmasq/001-Add_TTL_parameter_to_--host-record_and_-=
-cname.patch b/src/patches/dnsmasq/001-Add_TTL_parameter_to_--host-record_and=
_--cname.patch
new file mode 100644
index 0000000..86fbc9c
--- /dev/null
+++ b/src/patches/dnsmasq/001-Add_TTL_parameter_to_--host-record_and_--cname.=
patch
@@ -0,0 +1,265 @@
+From df3d54f776a3c9b60735b45c0b7fd88b66a2d5c4 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Wed, 24 Feb 2016 21:03:38 +0000
+Subject: [PATCH] Add TTL parameter to --host-record and --cname.
+
+---
+ man/dnsmasq.8 |   12 ++++++++++--
+ src/cache.c   |    7 +++++++
+ src/dnsmasq.h |    2 ++
+ src/option.c  |   46 ++++++++++++++++++++++++++++++++++++++--------
+ src/rfc1035.c |    6 +++++-
+ 5 files changed, 62 insertions(+), 11 deletions(-)
+
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index b782eaf..7bc1394 100644
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -529,7 +529,7 @@ zone files: the port, weight and priority numbers are in=
 a different
+ order. More than one SRV record for a given service/domain is allowed,
+ all that match are returned.
+ .TP
+-.B --host-record=3D<name>[,<name>....],[<IPv4-address>],[<IPv6-address>]
++.B --host-record=3D<name>[,<name>....],[<IPv4-address>],[<IPv6-address>][,<=
TTL>]
+ Add A, AAAA and PTR records to the DNS. This adds one or more names to
+ the DNS with associated IPv4 (A) and IPv6 (AAAA) records. A name may
+ appear in more than one=20
+@@ -546,6 +546,10 @@ is in effect. Short and long names may appear in the sa=
me
+ .B host-record,
+ eg.=20
+ .B --host-record=3Dlaptop,laptop.thekelleys.org,192.168.0.1,1234::100
++
++If the time-to-live is given, it overrides the default, which is zero
++or the value of --local-ttl. The value is a positive integer and gives=20
++the time-to-live in seconds.
+ .TP
+ .B \-Y, --txt-record=3D<name>[[,<text>],<text>]
+ Return a TXT DNS record. The value of TXT record is a set of strings,
+@@ -559,7 +563,7 @@ Return a PTR DNS record.
+ .B --naptr-record=3D<name>,<order>,<preference>,<flags>,<service>,<regexp>[=
,<replacement>]
+ Return an NAPTR DNS record, as specified in RFC3403.
+ .TP
+-.B --cname=3D<cname>,<target>
++.B --cname=3D<cname>,<target>[,<TTL>]
+ Return a CNAME record which indicates that <cname> is really
+ <target>. There are significant limitations on the target; it must be a
+ DNS name which is known to dnsmasq from /etc/hosts (or additional
+@@ -568,6 +572,10 @@ hosts files), from DHCP, from --interface-name or from =
another
+ If the target does not satisfy this
+ criteria, the whole cname is ignored. The cname must be unique, but it
+ is permissable to have more than one cname pointing to the same target.
++
++If the time-to-live is given, it overrides the default, which is zero
++or the value of -local-ttl. The value is a positive integer and gives=20
++the time-to-live in seconds.
+ .TP
+ .B --dns-rr=3D<name>,<RR-number>,[<hex data>]
+ Return an arbitrary DNS Resource Record. The number is the type of the
+diff --git a/src/cache.c b/src/cache.c
+index a9eaa65..4ecd535 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -778,6 +778,7 @@ static void add_hosts_cname(struct crec *target)
+ 	(crec =3D whine_malloc(sizeof(struct crec))))
+       {
+ 	crec->flags =3D F_FORWARD | F_IMMORTAL | F_NAMEP | F_CONFIG | F_CNAME;
++	crec->ttd =3D a->ttl;
+ 	crec->name.namep =3D a->alias;
+ 	crec->addr.cname.target.cache =3D target;
+ 	crec->addr.cname.uid =3D target->uid;
+@@ -981,6 +982,7 @@ int read_hostsfile(char *filename, unsigned int index, i=
nt cache_size, struct cr
+ 		  strcat(cache->name.sname, ".");
+ 		  strcat(cache->name.sname, domain_suffix);
+ 		  cache->flags =3D flags;
++		  cache->ttd =3D daemon->local_ttl;
+ 		  add_hosts_entry(cache, &addr, addrlen, index, rhash, hashsz);
+ 		  name_count++;
+ 		}
+@@ -988,6 +990,7 @@ int read_hostsfile(char *filename, unsigned int index, i=
nt cache_size, struct cr
+ 		{
+ 		  strcpy(cache->name.sname, canon);
+ 		  cache->flags =3D flags;
++		  cache->ttd =3D daemon->local_ttl;
+ 		  add_hosts_entry(cache, &addr, addrlen, index, rhash, hashsz);
+ 		  name_count++;
+ 		}
+@@ -1057,6 +1060,7 @@ void cache_reload(void)
+ 	  ((cache =3D whine_malloc(sizeof(struct crec)))))
+ 	{
+ 	  cache->flags =3D F_FORWARD | F_NAMEP | F_CNAME | F_IMMORTAL | F_CONFIG;
++	  cache->ttd =3D a->ttl;
+ 	  cache->name.namep =3D a->alias;
+ 	  cache->addr.cname.target.int_name =3D intr;
+ 	  cache->addr.cname.uid =3D SRC_INTERFACE;
+@@ -1071,6 +1075,7 @@ void cache_reload(void)
+ 	(cache->addr.ds.keydata =3D blockdata_alloc(ds->digest, ds->digestlen)))
+       {
+ 	cache->flags =3D F_FORWARD | F_IMMORTAL | F_DS | F_CONFIG | F_NAMEP;
++	cache->ttd =3D daemon->local_ttl;
+ 	cache->name.namep =3D ds->name;
+ 	cache->addr.ds.keylen =3D ds->digestlen;
+ 	cache->addr.ds.algo =3D ds->algo;
+@@ -1095,6 +1100,7 @@ void cache_reload(void)
+ 	    (cache =3D whine_malloc(sizeof(struct crec))))
+ 	  {
+ 	    cache->name.namep =3D nl->name;
++	    cache->ttd =3D hr->ttl;
+ 	    cache->flags =3D F_HOSTS | F_IMMORTAL | F_FORWARD | F_REVERSE | F_IPV4=
 | F_NAMEP | F_CONFIG;
+ 	    add_hosts_entry(cache, (struct all_addr *)&hr->addr, INADDRSZ, SRC_CON=
FIG, (struct crec **)daemon->packet, revhashsz);
+ 	  }
+@@ -1103,6 +1109,7 @@ void cache_reload(void)
+ 	    (cache =3D whine_malloc(sizeof(struct crec))))
+ 	  {
+ 	    cache->name.namep =3D nl->name;
++	    cache->ttd =3D hr->ttl;
+ 	    cache->flags =3D F_HOSTS | F_IMMORTAL | F_FORWARD | F_REVERSE | F_IPV6=
 | F_NAMEP | F_CONFIG;
+ 	    add_hosts_entry(cache, (struct all_addr *)&hr->addr6, IN6ADDRSZ, SRC_C=
ONFIG, (struct crec **)daemon->packet, revhashsz);
+ 	  }
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index 6d1c5ae..6344df5 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -308,6 +308,7 @@ struct ptr_record {
+ };
+=20
+ struct cname {
++  int ttl;
+   char *alias, *target;
+   struct cname *next;
+ };=20
+@@ -344,6 +345,7 @@ struct auth_zone {
+=20
+=20
+ struct host_record {
++  int ttl;
+   struct name_list {
+     char *name;
+     struct name_list *next;
+diff --git a/src/option.c b/src/option.c
+index c98bdc9..7c5e6bc 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -448,20 +448,20 @@ static struct {
+   { LOPT_GEN_NAMES, ARG_DUP, "[=3Dtag:<tag>]", gettext_noop("Generate hostn=
ames based on MAC address for nameless clients."), NULL},
+   { LOPT_PROXY, ARG_DUP, "[=3D<ipaddr>]...", gettext_noop("Use these DHCP r=
elays as full proxies."), NULL },
+   { LOPT_RELAY, ARG_DUP, "<local-addr>,<server>[,<interface>]", gettext_noo=
p("Relay DHCP requests to a remote server"), NULL},
+-  { LOPT_CNAME, ARG_DUP, "<alias>,<target>", gettext_noop("Specify alias na=
me for LOCAL DNS name."), NULL },
++  { LOPT_CNAME, ARG_DUP, "<alias>,<target>[,<ttl>]", gettext_noop("Specify =
alias name for LOCAL DNS name."), NULL },
+   { LOPT_PXE_PROMT, ARG_DUP, "<prompt>,[<timeout>]", gettext_noop("Prompt t=
o send to PXE clients."), NULL },
+   { LOPT_PXE_SERV, ARG_DUP, "<service>", gettext_noop("Boot service for PXE=
 menu."), NULL },
+   { LOPT_TEST, 0, NULL, gettext_noop("Check configuration syntax."), NULL },
+   { LOPT_ADD_MAC, ARG_DUP, "[=3Dbase64|text]", gettext_noop("Add requestor'=
s MAC address to forwarded DNS queries."), NULL },
+   { LOPT_ADD_SBNET, ARG_ONE, "<v4 pref>[,<v6 pref>]", gettext_noop("Add spe=
cified IP subnet to forwarded DNS queries."), NULL },
+-   { LOPT_CPE_ID, ARG_ONE, "<text>", gettext_noop("Add client identificatio=
n to forwarded DNS queries."), NULL },
++  { LOPT_CPE_ID, ARG_ONE, "<text>", gettext_noop("Add client identification=
 to forwarded DNS queries."), NULL },
+   { LOPT_DNSSEC, OPT_DNSSEC_PROXY, NULL, gettext_noop("Proxy DNSSEC validat=
ion results from upstream nameservers."), NULL },
+   { LOPT_INCR_ADDR, OPT_CONSEC_ADDR, NULL, gettext_noop("Attempt to allocat=
e sequential IP addresses to DHCP clients."), NULL },
+   { LOPT_CONNTRACK, OPT_CONNTRACK, NULL, gettext_noop("Copy connection-trac=
k mark from queries to upstream connections."), NULL },
+   { LOPT_FQDN, OPT_FQDN_UPDATE, NULL, gettext_noop("Allow DHCP clients to d=
o their own DDNS updates."), NULL },
+   { LOPT_RA, OPT_RA, NULL, gettext_noop("Send router-advertisements for int=
erfaces doing DHCPv6"), NULL },
+   { LOPT_DUID, ARG_ONE, "<enterprise>,<duid>", gettext_noop("Specify DUID_E=
N-type DHCPv6 server DUID"), NULL },
+-  { LOPT_HOST_REC, ARG_DUP, "<name>,<address>", gettext_noop("Specify host =
(A/AAAA and PTR) records"), NULL },
++  { LOPT_HOST_REC, ARG_DUP, "<name>,<address>[,<ttl>]", gettext_noop("Speci=
fy host (A/AAAA and PTR) records"), NULL },
+   { LOPT_RR, ARG_DUP, "<name>,<RR-number>,[<data>]", gettext_noop("Specify =
arbitrary DNS resource record"), NULL },
+   { LOPT_CLVERBIND, OPT_CLEVERBIND, NULL, gettext_noop("Bind to interfaces =
in use - check for new interfaces"), NULL },
+   { LOPT_AUTHSERV, ARG_ONE, "<NS>,<interface>", gettext_noop("Export local =
names to global DNS"), NULL },
+@@ -3692,12 +3692,15 @@ static int one_opt(int option, char *arg, char *errs=
tr, char *gen_err, int comma
+     case LOPT_CNAME: /* --cname */
+       {
+ 	struct cname *new;
+-	char *alias;
+-	char *target;
++	char *alias, *target, *ttls;
++	int ttl =3D -1;
+=20
+ 	if (!(comma =3D split(arg)))
+ 	  ret_err(gen_err);
+ =09
++	if ((ttls =3D split(comma)) && !atoi_check(ttls, &ttl))
++	  ret_err(_("bad TTL"));
++=09
+ 	alias =3D canonicalise_opt(arg);
+ 	target =3D canonicalise_opt(comma);
+ 	   =20
+@@ -3713,6 +3716,7 @@ static int one_opt(int option, char *arg, char *errstr=
, char *gen_err, int comma
+ 	    daemon->cnames =3D new;
+ 	    new->alias =3D alias;
+ 	    new->target =3D target;
++	    new->ttl =3D ttl;
+ 	  }
+      =20
+ 	break;
+@@ -3913,14 +3917,22 @@ static int one_opt(int option, char *arg, char *errs=
tr, char *gen_err, int comma
+       {
+ 	struct host_record *new =3D opt_malloc(sizeof(struct host_record));
+ 	memset(new, 0, sizeof(struct host_record));
+-=09
++	new->ttl =3D -1;
++
+ 	if (!arg || !(comma =3D split(arg)))
+ 	  ret_err(_("Bad host-record"));
+ =09
+ 	while (arg)
+ 	  {
+ 	    struct all_addr addr;
+-	    if (inet_pton(AF_INET, arg, &addr))
++	    char *dig;
++
++	    for (dig =3D arg; *dig !=3D 0; dig++)
++	      if (*dig < '0' || *dig > '9')
++		break;
++	    if (*dig =3D=3D 0)
++	      new->ttl =3D atoi(arg);
++	    else if (inet_pton(AF_INET, arg, &addr))
+ 	      new->addr =3D addr.addr.addr4;
+ #ifdef HAVE_IPV6
+ 	    else if (inet_pton(AF_INET6, arg, &addr))
+@@ -4601,7 +4613,25 @@ void read_opts(int argc, char **argv, char *compile_o=
pts)
+ 	    }
+ 	}=20
+     }
+- =20
++
++  if (daemon->host_records)
++    {
++      struct host_record *hr;
++     =20
++      for (hr =3D daemon->host_records; hr; hr =3D hr->next)
++	if (hr->ttl =3D=3D -1)
++	  hr->ttl =3D daemon->local_ttl;
++    }
++
++  if (daemon->cnames)
++    {
++      struct cname *cn;
++     =20
++      for (cn =3D daemon->cnames; cn; cn =3D cn->next)
++	if (cn->ttl =3D=3D -1)
++	  cn->ttl =3D daemon->local_ttl;
++    }
++
+   if (daemon->if_addrs)
+     { =20
+       struct iname *tmp;
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 9c0ddb5..3535a71 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1169,9 +1169,13 @@ static unsigned long crec_ttl(struct crec *crecp, tim=
e_t now)
+   /* Return 0 ttl for DHCP entries, which might change
+      before the lease expires. */
+=20
+-  if  (crecp->flags & (F_IMMORTAL | F_DHCP))
++  if (crecp->flags & F_DHCP)
+     return daemon->local_ttl;
+  =20
++  /* Immortal entries other than DHCP are local, and hold TTL in TTD field.=
 */
++  if (crecp->flags & F_IMMORTAL)
++    return crecp->ttd;
++
+   /* Return the Max TTL value if it is lower then the actual TTL */
+   if (daemon->max_ttl =3D=3D 0 || ((unsigned)(crecp->ttd - now) < daemon->m=
ax_ttl))
+     return crecp->ttd - now;
+--=20
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.p=
atch b/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch
deleted file mode 100644
index 8a2557a..0000000
--- a/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From d2aa7dfbb6d1088dcbea9fecc61b9293b320eb95 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Mon, 3 Aug 2015 21:52:12 +0100
-Subject: [PATCH] Include 0.0.0.0/8 in DNS rebind checks.
-
----
- CHANGELOG     |    7 +++++++
- src/rfc1035.c |    3 ++-
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index 901da47..3f4026d 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -1,3 +1,10 @@
-+version 2.76
-+            Include 0.0.0.0/8 in DNS rebind checks. This range=20
-+	    translates to hosts on  the local network, or, at=20
-+	    least, 0.0.0.0 accesses the local host, so could
-+	    be targets for DNS rebinding. See RFC 5735 section 3=20
-+	    for details. Thanks to Stephen R=C3=83=C2=B6ttger for the bug report.
-+	   =20
- version 2.75
-             Fix reversion on 2.74 which caused 100% CPU use when a=20
- 	    dhcp-script is configured. Thanks to Adrian Davey for
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index 56647b0..29e9e65 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -728,7 +728,8 @@ int private_net(struct in_addr addr, int ban_localhost)
-   in_addr_t ip_addr =3D ntohl(addr.s_addr);
-=20
-   return
--    (((ip_addr & 0xFF000000) =3D=3D 0x7F000000) && ban_localhost)  /* 127.0=
.0.0/8    (loopback) */ ||=20
-+    (((ip_addr & 0xFF000000) =3D=3D 0x7F000000) && ban_localhost)  /* 127.0=
.0.0/8    (loopback) */ ||
-+    ((ip_addr & 0xFF000000) =3D=3D 0x00000000)  /* RFC 5735 section 3. "her=
e" network */ ||
-     ((ip_addr & 0xFFFF0000) =3D=3D 0xC0A80000)  /* 192.168.0.0/16 (private)=
  */ ||
-     ((ip_addr & 0xFF000000) =3D=3D 0x0A000000)  /* 10.0.0.0/8     (private)=
  */ ||
-     ((ip_addr & 0xFFF00000) =3D=3D 0xAC100000)  /* 172.16.0.0/12  (private)=
  */ ||
---=20
-1.7.10.4
diff --git a/src/patches/dnsmasq/002-Add_--dhcp-ttl_option.patch b/src/patche=
s/dnsmasq/002-Add_--dhcp-ttl_option.patch
new file mode 100644
index 0000000..45e3b9b
--- /dev/null
+++ b/src/patches/dnsmasq/002-Add_--dhcp-ttl_option.patch
@@ -0,0 +1,117 @@
+From 832e47beab95c2918b5264f0504f2fe6fe523e4c Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Wed, 24 Feb 2016 21:24:45 +0000
+Subject: [PATCH] Add --dhcp-ttl option.
+
+---
+ man/dnsmasq.8 |    5 ++++-
+ src/dnsmasq.h |    2 +-
+ src/option.c  |   13 +++++++++++--
+ src/rfc1035.c |    2 +-
+ 4 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index 7bc1394..2bcce20 100644
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -60,7 +60,7 @@ in the same way as for DHCP-derived names. Note that this =
does not
+ apply to domain names in cnames, PTR records, TXT records etc.
+ .TP
+ .B \-T, --local-ttl=3D<time>
+-When replying with information from /etc/hosts or the DHCP leases
++When replying with information from /etc/hosts or configuration or the DHCP=
 leases
+ file dnsmasq by default sets the time-to-live field to zero, meaning
+ that the requester should not itself cache the information. This is
+ the correct thing to do in almost all situations. This option allows a
+@@ -68,6 +68,9 @@ time-to-live (in seconds) to be given for these replies. T=
his will
+ reduce the load on the server at the expense of clients using stale
+ data under some circumstances.
+ .TP
++.B --dhcp-ttl=3D<time>
++As for --local-ttl, but affects only replies with information from DHCP lea=
ses. If both are given, --dhcp-ttl applies for DHCP information, and --local-=
ttl for others. Setting this to zero eliminates the effect of --local-ttl for=
 DHCP.
++.TP
+ .B --neg-ttl=3D<time>
+ Negative replies from upstream servers normally contain time-to-live
+ information in SOA records which dnsmasq uses for caching. If the
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index 6344df5..9f73c3b 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -955,7 +955,7 @@ extern struct daemon {
+   int max_logs;  /* queue limit */
+   int cachesize, ftabsize;
+   int port, query_port, min_port, max_port;
+-  unsigned long local_ttl, neg_ttl, max_ttl, min_cache_ttl, max_cache_ttl, =
auth_ttl;
++  unsigned long local_ttl, neg_ttl, max_ttl, min_cache_ttl, max_cache_ttl, =
auth_ttl, dhcp_ttl, use_dhcp_ttl;
+   char *dns_client_id;
+   struct hostsfile *addn_hosts;
+   struct dhcp_context *dhcp, *dhcp6;
+diff --git a/src/option.c b/src/option.c
+index 7c5e6bc..3f6d162 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -157,6 +157,7 @@ struct myoption {
+ #define LOPT_MAXPORT       345
+ #define LOPT_CPE_ID        346
+ #define LOPT_SCRIPT_ARP    347
++#define LOPT_DHCPTTL       348
+=20
+ #ifdef HAVE_GETOPT_LONG
+ static const struct option opts[] =3D =20
+@@ -319,6 +320,7 @@ static const struct myoption opts[] =3D
+     { "quiet-ra", 0, 0, LOPT_QUIET_RA },
+     { "dns-loop-detect", 0, 0, LOPT_LOOP_DETECT },
+     { "script-arp", 0, 0, LOPT_SCRIPT_ARP },
++    { "dhcp-ttl", 1, 0 , LOPT_DHCPTTL },
+     { NULL, 0, 0, 0 }
+   };
+=20
+@@ -485,9 +487,10 @@ static struct {
+   { LOPT_QUIET_DHCP, OPT_QUIET_DHCP, NULL, gettext_noop("Do not log routine=
 DHCP."), NULL },
+   { LOPT_QUIET_DHCP6, OPT_QUIET_DHCP6, NULL, gettext_noop("Do not log routi=
ne DHCPv6."), NULL },
+   { LOPT_QUIET_RA, OPT_QUIET_RA, NULL, gettext_noop("Do not log RA."), NULL=
 },
+-  { LOPT_LOCAL_SERVICE, OPT_LOCAL_SERVICE, NULL, gettext_noop("Accept queri=
es only from directly-connected networks"), NULL },
+-  { LOPT_LOOP_DETECT, OPT_LOOP_DETECT, NULL, gettext_noop("Detect and remov=
e DNS forwarding loops"), NULL },
++  { LOPT_LOCAL_SERVICE, OPT_LOCAL_SERVICE, NULL, gettext_noop("Accept queri=
es only from directly-connected networks."), NULL },
++  { LOPT_LOOP_DETECT, OPT_LOOP_DETECT, NULL, gettext_noop("Detect and remov=
e DNS forwarding loops."), NULL },
+   { LOPT_IGNORE_ADDR, ARG_DUP, "<ipaddr>", gettext_noop("Ignore DNS respons=
es containing ipaddr."), NULL },=20
++  { LOPT_DHCPTTL, ARG_ONE, "<ttl>", gettext_noop("Set TTL in DNS responses =
with DHCP-derived addresses."), NULL },=20
+   { 0, 0, NULL, NULL, NULL }
+ };=20
+=20
+@@ -2580,6 +2583,7 @@ static int one_opt(int option, char *arg, char *errstr=
, char *gen_err, int comma
+     case LOPT_MINCTTL: /* --min-cache-ttl */
+     case LOPT_MAXCTTL: /* --max-cache-ttl */
+     case LOPT_AUTHTTL: /* --auth-ttl */
++    case LOPT_DHCPTTL: /* --dhcp-ttl */
+       {
+ 	int ttl;
+ 	if (!atoi_check(arg, &ttl))
+@@ -2598,6 +2602,11 @@ static int one_opt(int option, char *arg, char *errst=
r, char *gen_err, int comma
+ 	  daemon->max_cache_ttl =3D (unsigned long)ttl;
+ 	else if (option =3D=3D LOPT_AUTHTTL)
+ 	  daemon->auth_ttl =3D (unsigned long)ttl;
++	else if (option =3D=3D LOPT_DHCPTTL)
++	  {
++	    daemon->dhcp_ttl =3D (unsigned long)ttl;
++	    daemon->use_dhcp_ttl =3D 1;
++	  }
+ 	else
+ 	  daemon->local_ttl =3D (unsigned long)ttl;
+ 	break;
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 3535a71..8f1e3b4 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1170,7 +1170,7 @@ static unsigned long crec_ttl(struct crec *crecp, time=
_t now)
+      before the lease expires. */
+=20
+   if (crecp->flags & F_DHCP)
+-    return daemon->local_ttl;
++    return daemon->use_dhcp_ttl ? daemon->dhcp_ttl : daemon->local_ttl;
+  =20
+   /* Immortal entries other than DHCP are local, and hold TTL in TTD field.=
 */
+   if (crecp->flags & F_IMMORTAL)
+--=20
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_sub=
net_addresses.patch b/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arb=
itary_subnet_addresses.patch
deleted file mode 100644
index 2d3d6e4..0000000
--- a/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_add=
resses.patch
+++ /dev/null
@@ -1,271 +0,0 @@
-From a7369bef8abd241c3d85633fa9c870943f091e76 Mon Sep 17 00:00:00 2001
-From: Ed Bardsley <ebardsley(a)google.com>
-Date: Wed, 5 Aug 2015 21:17:18 +0100
-Subject: [PATCH] Enhance --add-subnet to allow arbitary subnet addresses.
-
----
- CHANGELOG     |    4 ++++
- man/dnsmasq.8 |   32 ++++++++++++++++++++-----------
- src/dnsmasq.h |   13 ++++++++++---
- src/option.c  |   59 ++++++++++++++++++++++++++++++++++++++++++++++++++++--=
---
- src/rfc1035.c |   39 +++++++++++++++++++++++++++++++-------
- 5 files changed, 121 insertions(+), 26 deletions(-)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index 3f4026d..bbc2834 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -4,6 +4,10 @@ version 2.76
- 	    least, 0.0.0.0 accesses the local host, so could
- 	    be targets for DNS rebinding. See RFC 5735 section 3=20
- 	    for details. Thanks to Stephen R=C3=83=C2=B6ttger for the bug report.
-+
-+	    Enhance --add-subnet to allow arbitrary subnet addresses.
-+            Thanks to Ed Barsley for the patch.
-+=09
- 	   =20
- version 2.75
-             Fix reversion on 2.74 which caused 100% CPU use when a=20
-diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
-index c8913b5..a23c898 100644
---- a/man/dnsmasq.8
-+++ b/man/dnsmasq.8
-@@ -604,17 +604,27 @@ experimental. Also note that exposing MAC addresses in=
 this way may
- have security and privacy implications. The warning about caching
- given for --add-subnet applies to --add-mac too.
- .TP=20
--.B --add-subnet[[=3D<IPv4 prefix length>],<IPv6 prefix length>]
--Add the subnet address of the requestor to the DNS queries which are
--forwarded upstream. The amount of the address forwarded depends on the
--prefix length parameter: 32 (128 for IPv6) forwards the whole address,
--zero forwards none of it but still marks the request so that no
--upstream nameserver will add client address information either. The
--default is zero for both IPv4 and IPv6. Note that upstream nameservers
--may be configured to return different results based on this
--information, but the dnsmasq cache does not take account. If a dnsmasq
--instance is configured such that different results may be encountered,
--caching should be disabled.
-+.B --add-subnet[[=3D[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 address>=
/]<IPv6 prefix length>]]
-+Add a subnet address to the DNS queries which are forwarded
-+upstream. If an address is specified in the flag, it will be used,
-+otherwise, the address of the requestor will be used. The amount of
-+the address forwarded depends on the prefix length parameter: 32 (128
-+for IPv6) forwards the whole address, zero forwards none of it but
-+still marks the request so that no upstream nameserver will add client
-+address information either. The default is zero for both IPv4 and
-+IPv6. Note that upstream nameservers may be configured to return
-+different results based on this information, but the dnsmasq cache
-+does not take account. If a dnsmasq instance is configured such that
-+different results may be encountered, caching should be disabled.
-+
-+For example,
-+.B --add-subnet=3D24,96
-+will add the /24 and /96 subnets of the requestor for IPv4 and IPv6 request=
ors, respectively.
-+.B --add-subnet=3D1.2.3.4/24
-+will add 1.2.3.0/24 for IPv4 requestors and ::/0 for IPv6 requestors.
-+.B --add-subnet=3D1.2.3.4/24,1.2.3.4/24
-+will add 1.2.3.0/24 for both IPv4 and IPv6 requestors.
-+
- .TP
- .B \-c, --cache-size=3D<cachesize>
- Set the size of dnsmasq's cache. The default is 150 names. Setting the cach=
e size to zero disables caching.
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index cf1a782..f42acdb 100644
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -541,6 +541,13 @@ struct iname {
-   struct iname *next;
- };
-=20
-+/* subnet parameters from command line */
-+struct mysubnet {
-+  union mysockaddr addr;
-+  int addr_used;
-+  int mask;
-+};
-+
- /* resolv-file parms from command-line */
- struct resolvc {
-   struct resolvc *next;
-@@ -935,9 +942,9 @@ extern struct daemon {
-   struct auth_zone *auth_zones;
-   struct interface_name *int_names;
-   char *mxtarget;
--  int addr4_netmask;
--  int addr6_netmask;
--  char *lease_file;=20
-+  struct mysubnet *add_subnet4;
-+  struct mysubnet *add_subnet6;
-+  char *lease_file;
-   char *username, *groupname, *scriptuser;
-   char *luascript;
-   char *authserver, *hostmaster;
-diff --git a/src/option.c b/src/option.c
-index ecc2619..746cd11 100644
---- a/src/option.c
-+++ b/src/option.c
-@@ -445,7 +445,7 @@ static struct {
-   { LOPT_PXE_SERV, ARG_DUP, "<service>", gettext_noop("Boot service for PXE=
 menu."), NULL },
-   { LOPT_TEST, 0, NULL, gettext_noop("Check configuration syntax."), NULL },
-   { LOPT_ADD_MAC, OPT_ADD_MAC, NULL, gettext_noop("Add requestor's MAC addr=
ess to forwarded DNS queries."), NULL },
--  { LOPT_ADD_SBNET, ARG_ONE, "<v4 pref>[,<v6 pref>]", gettext_noop("Add req=
uestor's IP subnet to forwarded DNS queries."), NULL },
-+  { LOPT_ADD_SBNET, ARG_ONE, "<v4 pref>[,<v6 pref>]", gettext_noop("Add spe=
cified IP subnet to forwarded DNS queries."), NULL },
-   { LOPT_DNSSEC, OPT_DNSSEC_PROXY, NULL, gettext_noop("Proxy DNSSEC validat=
ion results from upstream nameservers."), NULL },
-   { LOPT_INCR_ADDR, OPT_CONSEC_ADDR, NULL, gettext_noop("Attempt to allocat=
e sequential IP addresses to DHCP clients."), NULL },
-   { LOPT_CONNTRACK, OPT_CONNTRACK, NULL, gettext_noop("Copy connection-trac=
k mark from queries to upstream connections."), NULL },
-@@ -722,6 +722,20 @@ static void do_usage(void)
-=20
- #define ret_err(x) do { strcpy(errstr, (x)); return 0; } while (0)
-=20
-+static char *parse_mysockaddr(char *arg, union mysockaddr *addr)=20
-+{
-+  if (inet_pton(AF_INET, arg, &addr->in.sin_addr) > 0)
-+    addr->sa.sa_family =3D AF_INET;
-+#ifdef HAVE_IPV6
-+  else if (inet_pton(AF_INET6, arg, &addr->in6.sin6_addr) > 0)
-+    addr->sa.sa_family =3D AF_INET6;
-+#endif
-+  else
-+    return _("bad address");
-+  =20
-+  return NULL;
-+}
-+
- char *parse_server(char *arg, union mysockaddr *addr, union mysockaddr *sou=
rce_addr, char *interface, int *flags)
- {
-   int source_port =3D 0, serv_port =3D NAMESERVER_PORT;
-@@ -1585,7 +1599,7 @@ static int one_opt(int option, char *arg, char *errstr=
, char *gen_err, int comma
- 	    li =3D match_suffix->next;
- 	    free(match_suffix->suffix);
- 	    free(match_suffix);
--	  }   =20
-+	  }
- 	break;
-       }
-=20
-@@ -1593,10 +1607,45 @@ static int one_opt(int option, char *arg, char *errs=
tr, char *gen_err, int comma
-       set_option_bool(OPT_CLIENT_SUBNET);
-       if (arg)
- 	{
-+          char *err, *end;
- 	  comma =3D split(arg);
--	  if (!atoi_check(arg, &daemon->addr4_netmask) ||=20
--	      (comma && !atoi_check(comma, &daemon->addr6_netmask)))
--	     ret_err(gen_err);
-+
-+          struct mysubnet* new =3D opt_malloc(sizeof(struct mysubnet));
-+          if ((end =3D split_chr(arg, '/')))
-+	    {
-+	      /* has subnet+len */
-+	      err =3D parse_mysockaddr(arg, &new->addr);
-+	      if (err)
-+		ret_err(err);
-+	      if (!atoi_check(end, &new->mask))
-+		ret_err(gen_err);
-+	      new->addr_used =3D 1;
-+	    }=20
-+	  else if (!atoi_check(arg, &new->mask))
-+	    ret_err(gen_err);
-+	   =20
-+          daemon->add_subnet4 =3D new;
-+
-+          new =3D opt_malloc(sizeof(struct mysubnet));
-+          if (comma)
-+            {
-+              if ((end =3D split_chr(comma, '/')))
-+                {
-+                  /* has subnet+len */
-+                  err =3D parse_mysockaddr(comma, &new->addr);
-+                  if (err)
-+                    ret_err(err);
-+                  if (!atoi_check(end, &new->mask))
-+                    ret_err(gen_err);
-+                  new->addr_used =3D 1;
-+                }
-+              else
-+                {
-+                  if (!atoi_check(comma, &new->mask))
-+                    ret_err(gen_err);
-+                }
-+            }
-+          daemon->add_subnet6 =3D new;
- 	}
-       break;
-=20
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index 29e9e65..6a51b30 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -629,26 +629,47 @@ struct subnet_opt {
- #endif
- };
-=20
-+static void *get_addrp(union mysockaddr *addr, const short family)=20
-+{
-+#ifdef HAVE_IPV6
-+  if (family =3D=3D AF_INET6)
-+    return &addr->in6.sin6_addr;
-+#endif
-+
-+  return &addr->in.sin_addr;
-+}
-+
- static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *sou=
rce)
- {
-   /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
-  =20
-   int len;
-   void *addrp;
-+  int sa_family =3D source->sa.sa_family;
-=20
- #ifdef HAVE_IPV6
-   if (source->sa.sa_family =3D=3D AF_INET6)
-     {
--      opt->family =3D htons(2);
--      opt->source_netmask =3D daemon->addr6_netmask;
--      addrp =3D &source->in6.sin6_addr;
-+      opt->source_netmask =3D daemon->add_subnet6->mask;
-+      if (daemon->add_subnet6->addr_used)=20
-+	{
-+	  sa_family =3D daemon->add_subnet6->addr.sa.sa_family;
-+	  addrp =3D get_addrp(&daemon->add_subnet6->addr, sa_family);
-+	}=20
-+      else=20
-+	addrp =3D &source->in6.sin6_addr;
-     }
-   else
- #endif
-     {
--      opt->family =3D htons(1);
--      opt->source_netmask =3D daemon->addr4_netmask;
--      addrp =3D &source->in.sin_addr;
-+      opt->source_netmask =3D daemon->add_subnet4->mask;
-+      if (daemon->add_subnet4->addr_used)
-+	{
-+	  sa_family =3D daemon->add_subnet4->addr.sa.sa_family;
-+	  addrp =3D get_addrp(&daemon->add_subnet4->addr, sa_family);
-+	}=20
-+      else=20
-+	addrp =3D &source->in.sin_addr;
-     }
-  =20
-   opt->scope_netmask =3D 0;
-@@ -656,6 +677,11 @@ static size_t calc_subnet_opt(struct subnet_opt *opt, u=
nion mysockaddr *source)
-  =20
-   if (opt->source_netmask !=3D 0)
-     {
-+#ifdef HAVE_IPV6
-+      opt->family =3D htons(sa_family =3D=3D AF_INET6 ? 2 : 1);
-+#else
-+      opt->family =3D htons(1);
-+#endif
-       len =3D ((opt->source_netmask - 1) >> 3) + 1;
-       memcpy(opt->addr, addrp, len);
-       if (opt->source_netmask & 7)
-@@ -2335,4 +2361,3 @@ size_t answer_request(struct dns_header *header, char =
*limit, size_t qlen,
-  =20
-   return len;
- }
--
---=20
-1.7.10.4
diff --git a/src/patches/dnsmasq/003-Update_CHANGELOG.patch b/src/patches/dns=
masq/003-Update_CHANGELOG.patch
new file mode 100644
index 0000000..f04f943
--- /dev/null
+++ b/src/patches/dnsmasq/003-Update_CHANGELOG.patch
@@ -0,0 +1,17 @@
+X-Git-Url: http://thekelleys.org.uk/gitweb/?p=3Ddnsmasq.git;a=3Dblobdiff_pla=
in;f=3DCHANGELOG;h=3D6d9ba490488f80ef565f459cef3c110bdf31212c;hp=3D14354f2506=
a7fbf8360cd32c96e1d7ce1bfeb3f9;hb=3De06e6e34bffd781b7cefa49b25fb8ae863654ca2;=
hpb=3D832e47beab95c2918b5264f0504f2fe6fe523e4c
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 14354f2..6d9ba49 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -48,6 +48,10 @@ version 2.76
+ 	    (ie xx::0 to xx::ffff:ffff:ffff:ffff)=20
+ 	    Thanks to Laurent Bendel for spotting this problem.
+=20
++	    Add support for a TTL parameter in --host-record and
++	    --cname.
++
++	    Add --dhcp-ttl option.
+=20
+ version 2.75
+             Fix reversion on 2.74 which caused 100% CPU use when a=20
diff --git a/src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zo=
nes_locally_when_localise_queries_set.patch b/src/patches/dnsmasq/003-dont_an=
swer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch
deleted file mode 100644
index cfbcdfb..0000000
--- a/src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_loc=
ally_when_localise_queries_set.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 3a3965ac21b1b759eab8799b6edb09195b671306 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Sun, 9 Aug 2015 17:45:06 +0100
-Subject: [PATCH] Don't answer non-auth queries for auth zones locally when
- --localise-queries set.
-
----
- src/forward.c |    4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/forward.c b/src/forward.c
-index 2731b90..b76a974 100644
---- a/src/forward.c
-+++ b/src/forward.c
-@@ -1365,7 +1365,7 @@ void receive_query(struct listener *listen, time_t now)
-=20
- #ifdef HAVE_AUTH
-       /* find queries for zones we're authoritative for, and answer them di=
rectly */
--      if (!auth_dns)
-+      if (!auth_dns && !option_bool(OPT_LOCALISE))
- 	for (zone =3D daemon->auth_zones; zone; zone =3D zone->next)
- 	  if (in_zone(zone, daemon->namebuff, NULL))
- 	    {
-@@ -1904,7 +1904,7 @@ unsigned char *tcp_request(int confd, time_t now,
- 	 =20
- #ifdef HAVE_AUTH
- 	  /* find queries for zones we're authoritative for, and answer them direc=
tly */
--	  if (!auth_dns)
-+	  if (!auth_dns && !option_bool(OPT_LOCALISE))
- 	    for (zone =3D daemon->auth_zones; zone; zone =3D zone->next)
- 	      if (in_zone(zone, daemon->namebuff, NULL))
- 		{
---=20
-1.7.10.4
diff --git a/src/patches/dnsmasq/004-Add_--tftp-mtu_option.patch b/src/patche=
s/dnsmasq/004-Add_--tftp-mtu_option.patch
new file mode 100644
index 0000000..c06705a
--- /dev/null
+++ b/src/patches/dnsmasq/004-Add_--tftp-mtu_option.patch
@@ -0,0 +1,136 @@
+From bec366b4041df72b559e713f1c924177676e6eb0 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Wed, 24 Feb 2016 22:03:26 +0000
+Subject: [PATCH] Add --tftp-mtu option.
+
+---
+ CHANGELOG     |    4 ++++
+ man/dnsmasq.8 |    4 ++++
+ src/dnsmasq.h |    2 +-
+ src/option.c  |   10 +++++++++-
+ src/tftp.c    |   14 ++++++++++++--
+ 5 files changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 6d9ba49..9218b8c 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -53,6 +53,10 @@ version 2.76
+=20
+ 	    Add --dhcp-ttl option.
+=20
++	    Add --tftp-mtu option. Thanks to Patrick McLean for the=20
++	    initial patch.
++
++
+ version 2.75
+             Fix reversion on 2.74 which caused 100% CPU use when a=20
+ 	    dhcp-script is configured. Thanks to Adrian Davey for
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index 2bcce20..3cf48cd 100644
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -1810,6 +1810,10 @@ require about (2*n) + 10 descriptors. If
+ .B --tftp-port-range
+ is given, that can affect the number of concurrent connections.
+ .TP
++.B --tftp-mtu=3D<mtu size>
++Use size as the ceiling of the MTU supported by the intervening network whe=
n=20
++negotiating TFTP blocksize, overriding the MTU setting of the local interfa=
ce  if it is larger.
++.TP
+ .B --tftp-no-blocksize
+ Stop the TFTP server from negotiating the "blocksize" option with a
+ client. Some buggy clients request this option but then behave badly
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index 9f73c3b..280ad9d 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -975,7 +975,7 @@ extern struct daemon {
+   struct dhcp_netid_list *dhcp_ignore, *dhcp_ignore_names, *dhcp_gen_names;=
=20
+   struct dhcp_netid_list *force_broadcast, *bootp_dynamic;
+   struct hostsfile *dhcp_hosts_file, *dhcp_opts_file, *dynamic_dirs;
+-  int dhcp_max, tftp_max;
++  int dhcp_max, tftp_max, tftp_mtu;
+   int dhcp_server_port, dhcp_client_port;
+   int start_tftp_port, end_tftp_port;=20
+   unsigned int min_leasetime;
+diff --git a/src/option.c b/src/option.c
+index 3f6d162..765965f 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -158,7 +158,8 @@ struct myoption {
+ #define LOPT_CPE_ID        346
+ #define LOPT_SCRIPT_ARP    347
+ #define LOPT_DHCPTTL       348
+-
++#define LOPT_TFTP_MTU      349
++=20
+ #ifdef HAVE_GETOPT_LONG
+ static const struct option opts[] =3D =20
+ #else
+@@ -244,6 +245,7 @@ static const struct myoption opts[] =3D
+     { "tftp-unique-root", 0, 0, LOPT_APREF },
+     { "tftp-root", 1, 0, LOPT_PREFIX },
+     { "tftp-max", 1, 0, LOPT_TFTP_MAX },
++    { "tftp-mtu", 1, 0, LOPT_TFTP_MTU },
+     { "tftp-lowercase", 0, 0, LOPT_TFTP_LC },
+     { "ptr-record", 1, 0, LOPT_PTR },
+     { "naptr-record", 1, 0, LOPT_NAPTR },
+@@ -432,6 +434,7 @@ static struct {
+   { LOPT_SECURE, OPT_TFTP_SECURE, NULL, gettext_noop("Allow access only to =
files owned by the user running dnsmasq."), NULL },
+   { LOPT_TFTP_NO_FAIL, OPT_TFTP_NO_FAIL, NULL, gettext_noop("Do not termina=
te the service if TFTP directories are inaccessible."), NULL },
+   { LOPT_TFTP_MAX, ARG_ONE, "<integer>", gettext_noop("Maximum number of co=
nncurrent TFTP transfers (defaults to %s)."), "#" },
++  { LOPT_TFTP_MTU, ARG_ONE, "<integer>", gettext_noop("Maximum MTU to use f=
or TFTP transfers."), NULL },
+   { LOPT_NOBLOCK, OPT_TFTP_NOBLOCK, NULL, gettext_noop("Disable the TFTP bl=
ocksize extension."), NULL },
+   { LOPT_TFTP_LC, OPT_TFTP_LC, NULL, gettext_noop("Convert TFTP filenames t=
o lowercase"), NULL },
+   { LOPT_TFTPPORTS, ARG_ONE, "<start>,<end>", gettext_noop("Ephemeral port =
range for use by TFTP transfers."), NULL },
+@@ -2625,6 +2628,11 @@ static int one_opt(int option, char *arg, char *errst=
r, char *gen_err, int comma
+ 	ret_err(gen_err);
+       break; =20
+=20
++    case LOPT_TFTP_MTU:  /*  --tftp-mtu */
++      if (!atoi_check(arg, &daemon->tftp_mtu))
++	ret_err(gen_err);
++      break;
++
+     case LOPT_PREFIX: /* --tftp-prefix */
+       comma =3D split(arg);
+       if (comma)
+diff --git a/src/tftp.c b/src/tftp.c
+index 00ed2fc..dc4aa85 100644
+--- a/src/tftp.c
++++ b/src/tftp.c
+@@ -103,8 +103,10 @@ void tftp_request(struct listener *listen, time_t now)
+       if (listen->iface)
+ 	{
+ 	  addr =3D listen->iface->addr;
+-	  mtu =3D listen->iface->mtu;
+ 	  name =3D listen->iface->name;
++	  mtu =3D listen->iface->mtu;
++	  if (daemon->tftp_mtu !=3D 0 && daemon->tftp_mtu < mtu)
++	    mtu =3D daemon->tftp_mtu;
+ 	}
+       else
+ 	{
+@@ -234,9 +236,17 @@ void tftp_request(struct listener *listen, time_t now)
+=20
+       strncpy(ifr.ifr_name, name, IF_NAMESIZE);
+       if (ioctl(listen->tftpfd, SIOCGIFMTU, &ifr) !=3D -1)
+-	mtu =3D ifr.ifr_mtu;     =20
++	{
++	  mtu =3D ifr.ifr_mtu; =20
++	  if (daemon->tftp_mtu !=3D 0 && daemon->tftp_mtu < mtu)
++	    mtu =3D daemon->tftp_mtu;   =20
++	}
+     }
+=20
++  /* Failed to get interface mtu - can use configured value. */
++  if (mtu =3D=3D 0)
++    mtu =3D daemon->tftp_mtu;
++
+   if (name)
+     {
+       /* check for per-interface prefix */=20
+--=20
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch=
 b/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch
deleted file mode 100644
index 492ada9..0000000
--- a/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 5e3e464ac4022ee0b3794513abe510817e2cf3ca Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Tue, 25 Aug 2015 23:08:39 +0100
-Subject: [PATCH] Fix behaviour of empty dhcp-option=3Doption6:dns-server, wh=
ich
- should inhibit sending option.
-
----
- src/rfc3315.c |    9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/src/rfc3315.c b/src/rfc3315.c
-index 2665d0d..3f1f9ee 100644
---- a/src/rfc3315.c
-+++ b/src/rfc3315.c
-@@ -1320,15 +1320,16 @@ static struct dhcp_netid *add_options(struct state *=
state, int do_refresh)
-      =20
-       if (opt_cfg->opt =3D=3D OPTION6_REFRESH_TIME)
- 	done_refresh =3D 1;
-+      =20
-+      if (opt_cfg->opt =3D=3D OPTION6_DNS_SERVER)
-+	done_dns =3D 1;
-      =20
--      if (opt_cfg->flags & DHOPT_ADDR6)
-+      /* Empty DNS_SERVER option will not set DHOPT_ADDR6 */
-+      if ((opt_cfg->flags & DHOPT_ADDR6) || opt_cfg->opt =3D=3D OPTION6_DNS=
_SERVER)
- 	{
- 	  int len, j;
- 	  struct in6_addr *a;
- 	 =20
--	  if (opt_cfg->opt =3D=3D OPTION6_DNS_SERVER)
--	    done_dns =3D 1;
--	 =20
- 	  for (a =3D (struct in6_addr *)opt_cfg->val, len =3D opt_cfg->len, j =3D =
0;=20
- 	       j < opt_cfg->len; j +=3D IN6ADDRSZ, a++)
- 	    if ((IN6_IS_ADDR_ULA_ZERO(a) && IN6_IS_ADDR_UNSPECIFIED(state->ula_add=
r)) ||
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IP=
v6_multicast.patch b/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error=
_with_IPv6_multicast.patch
deleted file mode 100644
index c7cee60..0000000
--- a/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_mult=
icast.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 9cdcfe9f19ffd45bac4e5b459879bf7c50a287ed Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Wed, 26 Aug 2015 22:38:08 +0100
-Subject: [PATCH] Suggest solution to ENOMEM error with IPv6 multicast.
-
----
- src/network.c |   13 ++++++++++---
- 1 file changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/src/network.c b/src/network.c
-index a1d90c8..819302f 100644
---- a/src/network.c
-+++ b/src/network.c
-@@ -1076,23 +1076,30 @@ void join_multicast(int dienow)
- 	   =20
- 	    if ((daemon->doing_dhcp6 || daemon->relay6) &&
- 		setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(=
mreq)) =3D=3D -1)
--	      err =3D 1;
-+	      err =3D errno;
- 	   =20
- 	    inet_pton(AF_INET6, ALL_SERVERS, &mreq.ipv6mr_multiaddr);
- 	   =20
- 	    if (daemon->doing_dhcp6 &&=20
- 		setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(=
mreq)) =3D=3D -1)
--	      err =3D 1;
-+	      err =3D errno;
- 	   =20
- 	    inet_pton(AF_INET6, ALL_ROUTERS, &mreq.ipv6mr_multiaddr);
- 	   =20
- 	    if (daemon->doing_ra &&
- 		setsockopt(daemon->icmp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(=
mreq)) =3D=3D -1)
--	      err =3D 1;
-+	      err =3D errno;
- 	   =20
- 	    if (err)
- 	      {
- 		char *s =3D _("interface %s failed to join DHCPv6 multicast group: %s");
-+		errno =3D err;
-+
-+#ifdef HAVE_LINUX_NETWORK
-+		if (errno =3D=3D ENOMEM)
-+		  my_syslog(LOG_ERR, _("try increasing /proc/sys/net/core/optmem_max"));
-+#endif
-+
- 		if (dienow)
- 		  die(s, iface->name, EC_BADNET);
- 		else
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_=
advertisement.patch b/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_i=
n_router_advertisement.patch
deleted file mode 100644
index 19c76e6..0000000
--- a/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_adverti=
sement.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 20fd11e11a9d09edcea94de135396ae1541fbbab Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Wed, 26 Aug 2015 22:48:13 +0100
-Subject: [PATCH] Clarify man page on RDNSS set in router advertisement.
-
----
- man/dnsmasq.8 |    6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
-index a23c898..d51b10f 100644
---- a/man/dnsmasq.8
-+++ b/man/dnsmasq.8
-@@ -1687,15 +1687,15 @@ creation are handled by a different protocol. When D=
HCP is in use,
- only a subset of this is needed, and dnsmasq can handle it, using
- existing DHCP configuration to provide most data. When RA is enabled,
- dnsmasq will advertise a prefix for each dhcp-range, with default
--router and recursive DNS server as the relevant link-local address on=20
--the machine running dnsmasq. By default, he "managed address" bits are set,=
 and
-+router  as the relevant link-local address on=20
-+the machine running dnsmasq. By default, the "managed address" bits are set=
, and
- the "use SLAAC" bit is reset. This can be changed for individual
- subnets with the mode keywords described in
- .B --dhcp-range.
- RFC6106 DNS parameters are included in the advertisements. By default,
- the relevant link-local address of the machine running dnsmasq is sent
- as recursive DNS server. If provided, the DHCPv6 options dns-server and
--domain-search are used for RDNSS and DNSSL.
-+domain-search are used for the DNS server (RDNSS) and the domain serach lis=
t (DNSSL).
- .TP
- .B --ra-param=3D<interface>,[high|low],[[<ra-interval>],<router lifetime>]
- Set non-default values for router advertisements sent via an
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_=
DS_queries.patch b/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_repli=
es_to_DS_queries.patch
deleted file mode 100644
index 832a22e..0000000
--- a/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_quer=
ies.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 6de81f1250fd323c9155de065d5a9dc200a6f20b Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Wed, 9 Sep 2015 22:51:13 +0100
-Subject: [PATCH] Handle signed dangling CNAME replies to DS queries.
-
----
- src/dnssec.c |    7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 4deda24..67ce486 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -1232,11 +1232,8 @@ int dnssec_validate_ds(time_t now, struct dns_header =
*header, size_t plen, char
-   =20
-   /* If we return STAT_NO_SIG, name contains the name of the DS query */
-   if (val =3D=3D STAT_NO_SIG)
--    {
--      *keyname =3D 0;
--      return val;
--    } =20
--
-+    return val;
-+ =20
-   /* If the key needed to validate the DS is on the same domain as the DS, =
we'll
-      loop getting nowhere. Stop that now. This can happen of the DS answer =
comes
-      from the DS's zone, and not the parent zone. */
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_addres=
s_list.patch b/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_addr=
ess_list.patch
deleted file mode 100644
index fdccd0e..0000000
--- a/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.=
patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 102208df695e886a3086754d32bf7f8c541fbe46 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Thu, 10 Sep 2015 21:50:00 +0100
-Subject: [PATCH] DHCPv6 option 56 does not hold an address list. (RFC 5908).
-
----
- src/dhcp-common.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/dhcp-common.c b/src/dhcp-common.c
-index bc48f41..8fc171a 100644
---- a/src/dhcp-common.c
-+++ b/src/dhcp-common.c
-@@ -599,7 +599,7 @@ static const struct opttab_t opttab6[] =3D {
-   { "sntp-server", 31,  OT_ADDR_LIST },
-   { "information-refresh-time", 32, OT_TIME },
-   { "FQDN", 39, OT_INTERNAL | OT_RFC1035_NAME },
--  { "ntp-server", 56,  OT_ADDR_LIST },
-+  { "ntp-server", 56,  0 },
-   { "bootfile-url", 59, OT_NAME },
-   { "bootfile-param", 60, OT_CSTRING },
-   { NULL, 0, 0 }
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_=
code.patch b/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_=
code.patch
deleted file mode 100644
index 2014fdb..0000000
--- a/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.pa=
tch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 77607cbea0ad0f876dfb79c8b2c121ee400d57d0 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Thu, 10 Sep 2015 23:08:43 +0100
-Subject: [PATCH] Respect the --no-resolv flag in inotify code.
-
----
- CHANGELOG        |    7 ++++++-
- debian/changelog |    6 ++++++
- src/inotify.c    |    3 +++
- 3 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index bbc2834..d6e309f 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -7,8 +7,13 @@ version 2.76
-=20
- 	    Enhance --add-subnet to allow arbitrary subnet addresses.
-             Thanks to Ed Barsley for the patch.
-+
-+	    Respect the --no-resolv flag in inotify code. Fixes bug
-+	    which caused dnsmasq to fail to start if a resolv-file=20
-+	    was a dangling symbolic link, even of --no-resolv set.
-+	    Thanks to Alexander Kurtz for spotting the problem.
-+
- =09
--	   =20
- version 2.75
-             Fix reversion on 2.74 which caused 100% CPU use when a=20
- 	    dhcp-script is configured. Thanks to Adrian Davey for
-diff --git a/src/inotify.c b/src/inotify.c
-index 52d412f..ef05c58 100644
---- a/src/inotify.c
-+++ b/src/inotify.c
-@@ -90,6 +90,9 @@ void inotify_dnsmasq_init()
-  =20
-   if (daemon->inotifyfd =3D=3D -1)
-     die(_("failed to create inotify: %s"), NULL, EC_MISC);
-+
-+  if (option_bool(OPT_NO_RESOLV))
-+    return;
-  =20
-   for (res =3D daemon->resolv_files; res; res =3D res->next)
-     {
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe5=
10817e2cf3ca.patch b/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b379=
4513abe510817e2cf3ca.patch
deleted file mode 100644
index 281697f..0000000
--- a/src/patches/dnsmasq/010-Rationalise_5e3e464ac4022ee0b3794513abe510817e2=
cf3ca.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 27b78d990b7cd901866ad6f1a17b9d633a95fdce Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Sat, 26 Sep 2015 21:40:45 +0100
-Subject: [PATCH] Rationalise 5e3e464ac4022ee0b3794513abe510817e2cf3ca
-
----
- src/rfc3315.c |    3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/src/rfc3315.c b/src/rfc3315.c
-index 3f1f9ee..3ed8623 100644
---- a/src/rfc3315.c
-+++ b/src/rfc3315.c
-@@ -1324,8 +1324,7 @@ static struct dhcp_netid *add_options(struct state *st=
ate, int do_refresh)
-       if (opt_cfg->opt =3D=3D OPTION6_DNS_SERVER)
- 	done_dns =3D 1;
-      =20
--      /* Empty DNS_SERVER option will not set DHOPT_ADDR6 */
--      if ((opt_cfg->flags & DHOPT_ADDR6) || opt_cfg->opt =3D=3D OPTION6_DNS=
_SERVER)
-+      if (opt_cfg->flags & DHOPT_ADDR6)
- 	{
- 	  int len, j;
- 	  struct in6_addr *a;
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.p=
atch b/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch
deleted file mode 100644
index 631495f..0000000
--- a/src/patches/dnsmasq/011-Catch_errors_from_sendmsg_in_DHCP_code.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 98079ea89851da1df4966dfdfa1852a98da02912 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Tue, 13 Oct 2015 20:30:32 +0100
-Subject: [PATCH] Catch errors from sendmsg in DHCP code.  Logs, eg,  iptables
- DROPS of dest 255.255.255.255
-
----
- src/dhcp.c |    7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/dhcp.c b/src/dhcp.c
-index e6fceb1..1c85e42 100644
---- a/src/dhcp.c
-+++ b/src/dhcp.c
-@@ -452,8 +452,13 @@ void dhcp_packet(time_t now, int pxe_fd)
- #endif
-  =20
-   while(retry_send(sendmsg(fd, &msg, 0)));
-+
-+  /* This can fail when, eg, iptables DROPS destination 255.255.255.255 */
-+  if (errno !=3D 0)
-+    my_syslog(MS_DHCP | LOG_WARNING, _("Error sending DHCP packet to %s: %s=
"),
-+	      inet_ntoa(dest.sin_addr), strerror(errno));
- }
--=20
-+
- /* check against secondary interface addresses */
- static int check_listen_addrs(struct in_addr local, int if_index, char *lab=
el,
- 			      struct in_addr netmask, struct in_addr broadcast, void *vparam)
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.p=
atch b/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch
deleted file mode 100644
index 3ba98fc..0000000
--- a/src/patches/dnsmasq/012-Update_list_of_subnet_for_--bogus-priv.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 90477fb79420a34124b66ebd808c578817a30e4c Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Tue, 20 Oct 2015 21:21:32 +0100
-Subject: [PATCH] Update list of subnet for --bogus-priv
-
-RFC6303 specifies & recommends following zones not be forwarded
-to globally facing servers.
-+------------------------------+-----------------------+
-| Zone                         | Description           |
-+------------------------------+-----------------------+
-| 0.IN-ADDR.ARPA               | IPv4 "THIS" NETWORK   |
-| 127.IN-ADDR.ARPA             | IPv4 Loopback NETWORK |
-| 254.169.IN-ADDR.ARPA         | IPv4 LINK LOCAL       |
-| 2.0.192.IN-ADDR.ARPA         | IPv4 TEST-NET-1       |
-| 100.51.198.IN-ADDR.ARPA      | IPv4 TEST-NET-2       |
-| 113.0.203.IN-ADDR.ARPA       | IPv4 TEST-NET-3       |
-| 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST        |
-+------------------------------+-----------------------+
-
-Signed-off-by: Kevin Darbyshire-Bryant <kevin(a)darbyshire-bryant.me.uk>
----
- src/rfc1035.c |    8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index 6a51b30..4eb1772 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -756,10 +756,14 @@ int private_net(struct in_addr addr, int ban_localhost)
-   return
-     (((ip_addr & 0xFF000000) =3D=3D 0x7F000000) && ban_localhost)  /* 127.0=
.0.0/8    (loopback) */ ||
-     ((ip_addr & 0xFF000000) =3D=3D 0x00000000)  /* RFC 5735 section 3. "her=
e" network */ ||
--    ((ip_addr & 0xFFFF0000) =3D=3D 0xC0A80000)  /* 192.168.0.0/16 (private)=
  */ ||
-     ((ip_addr & 0xFF000000) =3D=3D 0x0A000000)  /* 10.0.0.0/8     (private)=
  */ ||
-     ((ip_addr & 0xFFF00000) =3D=3D 0xAC100000)  /* 172.16.0.0/12  (private)=
  */ ||
--    ((ip_addr & 0xFFFF0000) =3D=3D 0xA9FE0000)  /* 169.254.0.0/16 (zeroconf=
) */ ;
-+    ((ip_addr & 0xFFFF0000) =3D=3D 0xC0A80000)  /* 192.168.0.0/16 (private)=
  */ ||
-+    ((ip_addr & 0xFFFF0000) =3D=3D 0xA9FE0000)  /* 169.254.0.0/16 (zeroconf=
) */ ||
-+    ((ip_addr & 0xFFFFFF00) =3D=3D 0xC0000200)  /* 192.0.2.0/24   (test-net=
) */ ||
-+    ((ip_addr & 0xFFFFFF00) =3D=3D 0xC6336400)  /* 198.51.100.0/24(test-net=
) */ ||
-+    ((ip_addr & 0xFFFFFF00) =3D=3D 0xCB007100)  /* 203.0.113.0/24 (test-net=
) */ ||
-+    ((ip_addr & 0xFFFFFFFF) =3D=3D 0xFFFFFFFF)  /* 255.255.255.255/32 (broa=
dcast)*/ ;
- }
-=20
- static unsigned char *do_doctor(unsigned char *p, int count, struct dns_hea=
der *header, size_t qlen, char *name, int *doctored)
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_ov=
erlays_A_record_from.patch b/src/patches/dnsmasq/013-Fix_crash_when_empty_add=
ress_from_DNS_overlays_A_record_from.patch
deleted file mode 100644
index 736cf38..0000000
--- a/src/patches/dnsmasq/013-Fix_crash_when_empty_address_from_DNS_overlays_=
A_record_from.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 41a8d9e99be9f2cc8b02051dd322cb45e0faac87 Mon Sep 17 00:00:00 2001
-From: =3D?utf8?q?Edwin=3D20T=3DC3=3DB6r=3DC3=3DB6k?=3D <edwin+ml-cerowrt(a)e=
torok.net>
-Date: Sat, 14 Nov 2015 17:45:48 +0000
-Subject: [PATCH] Fix crash when empty address from DNS overlays A record from
- hosts.
-
----
- CHANGELOG   |    5 +++++
- src/cache.c |    2 +-
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index d6e309f..93c73d0 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -13,6 +13,11 @@ version 2.76
- 	    was a dangling symbolic link, even of --no-resolv set.
- 	    Thanks to Alexander Kurtz for spotting the problem.
-=20
-+	    Fix crash when an A or AAAA record is defined locally,
-+	    in a hosts file, and an upstream server sends a reply
-+	    that the same name is empty. Thanks to Edwin T=C3=83=C2=B6r=C3=83=C2=
=B6k for
-+	    the patch.
-+
- =09
- version 2.75
-             Fix reversion on 2.74 which caused 100% CPU use when a=20
-diff --git a/src/cache.c b/src/cache.c
-index 178d654..1b76b67 100644
---- a/src/cache.c
-+++ b/src/cache.c
-@@ -481,7 +481,7 @@ struct crec *cache_insert(char *name, struct all_addr *a=
ddr,
- 	 existing record is for an A or AAAA and
- 	 the record we're trying to insert is the same,=20
- 	 just drop the insert, but don't error the whole process. */
--      if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD))
-+      if ((flags & (F_IPV4 | F_IPV6)) && (flags & F_FORWARD) && addr)
- 	{
- 	  if ((flags & F_IPV4) && (new->flags & F_IPV4) &&
- 	      new->addr.addr.addr.addr4.s_addr =3D=3D addr->addr.addr4.s_addr)
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.p=
atch b/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch
deleted file mode 100644
index 8b17431..0000000
--- a/src/patches/dnsmasq/014-Handle_unknown_DS_hash_algos_correctly.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 67ab3285b5d9a1b1e20e034cf272867fdab8a0f9 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Fri, 20 Nov 2015 23:20:47 +0000
-Subject: [PATCH] Handle unknown DS hash algos correctly.
-
-When we can validate a DS RRset, but don't speak the hash algo it
-contains, treat that the same as an NSEC/3 proving that the DS
-doesn't exist. 4025 5.2
----
- src/dnssec.c |   13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 67ce486..b4dc14e 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -1005,6 +1005,19 @@ int dnssec_validate_by_ds(time_t now, struct dns_head=
er *header, size_t plen, ch
-   if (crecp->flags & F_NEG)
-     return STAT_INSECURE_DS;
-  =20
-+  /* 4035 5.2=20
-+     If the validator does not support any of the algorithms listed in an
-+     authenticated DS RRset, then the resolver has no supported
-+     authentication path leading from the parent to the child.  The
-+     resolver should treat this case as it would the case of an
-+     authenticated NSEC RRset proving that no DS RRset exists,  */
-+  for (recp1 =3D crecp; recp1; recp1 =3D cache_find_by_name(recp1, name, no=
w, F_DS))
-+    if (hash_find(ds_digest_name(recp1->addr.ds.digest)))
-+      break;
-+ =20
-+  if (!recp1)
-+    return STAT_INSECURE_DS;
-+
-   /* NOTE, we need to find ONE DNSKEY which matches the DS */
-   for (valid =3D 0, j =3D ntohs(header->ancount); j !=3D 0 && !valid; j--) =

-     {
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patc=
h b/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch
deleted file mode 100644
index a9102c1..0000000
--- a/src/patches/dnsmasq/015-Fix_crash_at_start_up_with_conf-dir.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 0007ee90646a5a78a96ee729932e89d31c69513a Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Sat, 21 Nov 2015 21:47:41 +0000
-Subject: [PATCH] Fix crash at start up with conf-dir=3D/path,*
-
-Thanks to Brian Carpenter and American Fuzzy Lop for finding the bug.
----
- src/option.c |   14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/src/option.c b/src/option.c
-index 746cd11..71beb98 100644
---- a/src/option.c
-+++ b/src/option.c
-@@ -1515,10 +1515,16 @@ static int one_opt(int option, char *arg, char *errs=
tr, char *gen_err, int comma
- 		li =3D opt_malloc(sizeof(struct list));
- 		if (*arg =3D=3D '*')
- 		  {
--		    li->next =3D match_suffix;
--		    match_suffix =3D li;
--		    /* Have to copy: buffer is overwritten */
--		    li->suffix =3D opt_string_alloc(arg+1);
-+		    /* "*" with no suffix is a no-op */
-+		    if (arg[1] =3D=3D 0)
-+		      free(li);
-+		    else
-+		      {
-+			li->next =3D match_suffix;
-+			match_suffix =3D li;
-+			/* Have to copy: buffer is overwritten */
-+			li->suffix =3D opt_string_alloc(arg+1);
-+		      }
- 		  }
- 		else
- 		  {
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validati=
on.patch b/src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validation=
.patch
deleted file mode 100644
index 7f25066..0000000
--- a/src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validation.patch
+++ /dev/null
@@ -1,2209 +0,0 @@
-From 9a31b68b59adcac01016d4026d906b69c4216c01 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Tue, 15 Dec 2015 10:20:39 +0000
-Subject: [PATCH] Major rationalisation of DNSSEC validation.
-
-Much gnarly special-case code removed and replaced with correct
-general implementaion. Checking of zone-status moved to DNSSEC code,
-where it should be, vastly simplifying query-forwarding code.
----
- src/dnsmasq.h |   19 +-
- src/dnssec.c  |  926 ++++++++++++++++++++++++++++++------------------------=
---
- src/forward.c |  741 ++++++++++-----------------------------------
- 3 files changed, 653 insertions(+), 1033 deletions(-)
-
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index f42acdb..023a1cf 100644
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -586,12 +586,8 @@ struct hostsfile {
- #define STAT_NEED_KEY           5
- #define STAT_TRUNCATED          6
- #define STAT_SECURE_WILDCARD    7
--#define STAT_NO_SIG             8
--#define STAT_NO_DS              9
--#define STAT_NO_NS             10
--#define STAT_NEED_DS_NEG       11
--#define STAT_CHASE_CNAME       12
--#define STAT_INSECURE_DS       13
-+#define STAT_OK                 8
-+#define STAT_ABANDONED          9
-=20
- #define FREC_NOREBIND           1
- #define FREC_CHECKING_DISABLED  2
-@@ -601,8 +597,7 @@ struct hostsfile {
- #define FREC_AD_QUESTION       32
- #define FREC_DO_QUESTION       64
- #define FREC_ADDED_PHEADER    128
--#define FREC_CHECK_NOSIGN     256
--#define FREC_TEST_PKTSZ       512
-+#define FREC_TEST_PKTSZ       256
-=20
- #ifdef HAVE_DNSSEC
- #define HASH_SIZE 20 /* SHA-1 digest size */
-@@ -626,9 +621,7 @@ struct frec {
- #ifdef HAVE_DNSSEC=20
-   int class, work_counter;
-   struct blockdata *stash; /* Saved reply, whilst we validate */
--  struct blockdata *orig_domain; /* domain of original query, whilst
--				    we're seeing is if in unsigned domain */
--  size_t stash_len, name_start, name_len;
-+  size_t stash_len;
-   struct frec *dependent; /* Query awaiting internally-generated DNSKEY or =
DS query */
-   struct frec *blocking_query; /* Query which is blocking us. */
- #endif
-@@ -1162,8 +1155,8 @@ int in_zone(struct auth_zone *zone, char *name, char *=
*cut);
- size_t dnssec_generate_query(struct dns_header *header, char *end, char *na=
me, int class, int type, union mysockaddr *addr, int edns_pktsz);
- int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t n, =
char *name, char *keyname, int class);
- int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, =
char *name, char *keyname, int class);
--int dnssec_validate_reply(time_t now, struct dns_header *header, size_t ple=
n, char *name, char *keyname, int *class, int *neganswer, int *nons);
--int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, =
char *name, char *keyname);
-+int dnssec_validate_reply(time_t now, struct dns_header *header, size_t ple=
n, char *name, char *keyname, int *class,
-+			  int check_unsigned, int *neganswer, int *nons);
- int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen);
- size_t filter_rrsigs(struct dns_header *header, size_t plen);
- unsigned char* hash_questions(struct dns_header *header, size_t plen, char =
*name);
-diff --git a/src/dnssec.c b/src/dnssec.c
-index b4dc14e..de7b335 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -65,8 +65,10 @@ static char *algo_digest_name(int algo)
-     case 8: return "sha256";
-     case 10: return "sha512";
-     case 12: return "gosthash94";
-+#ifndef NO_NETTLE_ECC
-     case 13: return "sha256";
-     case 14: return "sha384";
-+#endif
-     default: return NULL;
-     }
- }
-@@ -592,30 +594,30 @@ static int get_rdata(struct dns_header *header, size_t=
 plen, unsigned char *end,
-     }
- }
-=20
--static int expand_workspace(unsigned char ***wkspc, int *sz, int new)
-+static int expand_workspace(unsigned char ***wkspc, int *szp, int new)
- {
-   unsigned char **p;
--  int new_sz =3D *sz;
-- =20
--  if (new_sz > new)
-+  int old =3D *szp;
-+
-+  if (old >=3D new+1)
-     return 1;
-=20
-   if (new >=3D 100)
-     return 0;
-=20
--  new_sz +=3D 5;
-+  new +=3D 5;
-  =20
--  if (!(p =3D whine_malloc((new_sz) * sizeof(unsigned char **))))
-+  if (!(p =3D whine_malloc(new * sizeof(unsigned char **))))
-     return 0; =20
-  =20
--  if (*wkspc)
-+  if (old !=3D 0 && *wkspc)
-     {
--      memcpy(p, *wkspc, *sz * sizeof(unsigned char **));
-+      memcpy(p, *wkspc, old * sizeof(unsigned char **));
-       free(*wkspc);
-     }
-  =20
-   *wkspc =3D p;
--  *sz =3D new_sz;
-+  *szp =3D new;
-=20
-   return 1;
- }
-@@ -706,47 +708,28 @@ static void sort_rrset(struct dns_header *header, size=
_t plen, u16 *rr_desc, int
-     } while (swap);
- }
-=20
--/* Validate a single RRset (class, type, name) in the supplied DNS reply=20
--   Return code:
--   STAT_SECURE   if it validates.
--   STAT_SECURE_WILDCARD if it validates and is the result of wildcard expan=
sion.
--   (In this case *wildcard_out points to the "body" of the wildcard within =
name.)=20
--   STAT_NO_SIG no RRsigs found.
--   STAT_INSECURE RRset empty.
--   STAT_BOGUS    signature is wrong, bad packet.
--   STAT_NEED_KEY need DNSKEY to complete validation (name is returned in ke=
yname)
--
--   if key is non-NULL, use that key, which has the algo and tag given in th=
e params of those names,
--   otherwise find the key in the cache.
-+static unsigned char **rrset =3D NULL, **sigs =3D NULL;
-=20
--   name is unchanged on exit. keyname is used as workspace and trashed.
--*/
--static int validate_rrset(time_t now, struct dns_header *header, size_t ple=
n, int class, int type,=20
--			  char *name, char *keyname, char **wildcard_out, struct blockdata *key,=
 int keylen, int algo_in, int keytag_in)
-+/* Get pointers to RRset menbers and signature(s) for same.
-+   Check signatures, and return keyname associated in keyname. */
-+static int explore_rrset(struct dns_header *header, size_t plen, int class,=
 int type,=20
-+			 char *name, char *keyname, int *sigcnt, int *rrcnt)
- {
--  static unsigned char **rrset =3D NULL, **sigs =3D NULL;
--  static int rrset_sz =3D 0, sig_sz =3D 0;
-- =20
-+  static int rrset_sz =3D 0, sig_sz =3D 0;=20
-   unsigned char *p;
--  int rrsetidx, sigidx, res, rdlen, j, name_labels;
--  struct crec *crecp =3D NULL;
--  int type_covered, algo, labels, orig_ttl, sig_expiration, sig_inception, =
key_tag;
--  u16 *rr_desc =3D get_desc(type);
--=20
--  if (wildcard_out)
--    *wildcard_out =3D NULL;
-- =20
-+  int rrsetidx, sigidx, j, rdlen, res;
-+  int name_labels =3D count_labels(name); /* For 4035 5.3.2 check */
-+  int gotkey =3D 0;
-+
-   if (!(p =3D skip_questions(header, plen)))
-     return STAT_BOGUS;
-- =20
--  name_labels =3D count_labels(name); /* For 4035 5.3.2 check */
-=20
--  /* look for RRSIGs for this RRset and get pointers to each RR in the set.=
 */
-+   /* look for RRSIGs for this RRset and get pointers to each RR in the set=
. */
-   for (rrsetidx =3D 0, sigidx =3D 0, j =3D ntohs(header->ancount) + ntohs(h=
eader->nscount);=20
-        j !=3D 0; j--)=20
-     {
-       unsigned char *pstart, *pdata;
--      int stype, sclass;
-+      int stype, sclass, algo, type_covered, labels, sig_expiration, sig_in=
ception;
-=20
-       pstart =3D p;
-      =20
-@@ -762,14 +745,14 @@ static int validate_rrset(time_t now, struct dns_heade=
r *header, size_t plen, in
-       GETSHORT(rdlen, p);
-      =20
-       if (!CHECK_LEN(header, p, plen, rdlen))
--	return STAT_BOGUS;=20
-+	return 0;=20
-      =20
-       if (res =3D=3D 1 && sclass =3D=3D class)
- 	{
- 	  if (stype =3D=3D type)
- 	    {
- 	      if (!expand_workspace(&rrset, &rrset_sz, rrsetidx))
--		return STAT_BOGUS;=20
-+		return 0;=20
- 	     =20
- 	      rrset[rrsetidx++] =3D pstart;
- 	    }
-@@ -777,14 +760,54 @@ static int validate_rrset(time_t now, struct dns_heade=
r *header, size_t plen, in
- 	  if (stype =3D=3D T_RRSIG)
- 	    {
- 	      if (rdlen < 18)
--		return STAT_BOGUS; /* bad packet */=20
-+		return 0; /* bad packet */=20
- 	     =20
- 	      GETSHORT(type_covered, p);
-+	      algo =3D *p++;
-+	      labels =3D *p++;
-+	      p +=3D 4; /* orig_ttl */
-+	      GETLONG(sig_expiration, p);
-+	      GETLONG(sig_inception, p);
-+	      p +=3D 2; /* key_tag */
- 	     =20
--	      if (type_covered =3D=3D type)
-+	      if (gotkey)
-+		{
-+		  /* If there's more than one SIG, ensure they all have same keyname */
-+		  if (extract_name(header, plen, &p, keyname, 0, 0) !=3D 1)
-+		    return 0;
-+		}
-+	      else
-+		{
-+		  gotkey =3D 1;
-+		 =20
-+		  if (!extract_name(header, plen, &p, keyname, 1, 0))
-+		    return 0;
-+		 =20
-+		  /* RFC 4035 5.3.1 says that the Signer's Name field MUST equal
-+		     the name of the zone containing the RRset. We can't tell that
-+		     for certain, but we can check that  the RRset name is equal to
-+		     or encloses the signers name, which should be enough to stop=20
-+		     an attacker using signatures made with the key of an unrelated=20
-+		     zone he controls. Note that the root key is always allowed. */
-+		  if (*keyname !=3D 0)
-+		    {
-+		      char *name_start;
-+		      for (name_start =3D name; !hostname_isequal(name_start, keyname); )
-+			if ((name_start =3D strchr(name_start, '.')))
-+			  name_start++; /* chop a label off and try again */
-+			else
-+			  return 0;
-+		    }
-+		}
-+		 =20
-+	      /* Don't count signatures for algos we don't support */
-+	      if (check_date_range(sig_inception, sig_expiration) &&
-+		  labels <=3D name_labels &&
-+		  type_covered =3D=3D type &&=20
-+		  algo_digest_name(algo))
- 		{
- 		  if (!expand_workspace(&sigs, &sig_sz, sigidx))
--		    return STAT_BOGUS;=20
-+		    return 0;=20
- 		 =20
- 		  sigs[sigidx++] =3D pdata;
- 		}=20
-@@ -794,17 +817,45 @@ static int validate_rrset(time_t now, struct dns_heade=
r *header, size_t plen, in
- 	}
-      =20
-       if (!ADD_RDLEN(header, p, plen, rdlen))
--	return STAT_BOGUS;
-+	return 0;
-     }
-  =20
--  /* RRset empty */
--  if (rrsetidx =3D=3D 0)
--    return STAT_INSECURE;=20
-+  *sigcnt =3D sigidx;
-+  *rrcnt =3D rrsetidx;
-+
-+  return 1;
-+}
-+
-+/* Validate a single RRset (class, type, name) in the supplied DNS reply=20
-+   Return code:
-+   STAT_SECURE   if it validates.
-+   STAT_SECURE_WILDCARD if it validates and is the result of wildcard expan=
sion.
-+   (In this case *wildcard_out points to the "body" of the wildcard within =
name.)=20
-+   STAT_BOGUS    signature is wrong, bad packet.
-+   STAT_NEED_KEY need DNSKEY to complete validation (name is returned in ke=
yname)
-+   STAT_NEED_DS  need DS to complete validation (name is returned in keynam=
e)
-+
-+   if key is non-NULL, use that key, which has the algo and tag given in th=
e params of those names,
-+   otherwise find the key in the cache.
-=20
--  /* no RRSIGs */
--  if (sigidx =3D=3D 0)
--    return STAT_NO_SIG;=20
-+   name is unchanged on exit. keyname is used as workspace and trashed.
-+
-+   Call explore_rrset first to find and count RRs and sigs.
-+*/
-+static int validate_rrset(time_t now, struct dns_header *header, size_t ple=
n, int class, int type, int sigidx, int rrsetidx,=20
-+			  char *name, char *keyname, char **wildcard_out, struct blockdata *key,=
 int keylen, int algo_in, int keytag_in)
-+{
-+  unsigned char *p;
-+  int rdlen, j, name_labels;
-+  struct crec *crecp =3D NULL;
-+  int algo, labels, orig_ttl, key_tag;
-+  u16 *rr_desc =3D get_desc(type);
-+=20
-+  if (wildcard_out)
-+    *wildcard_out =3D NULL;
-  =20
-+  name_labels =3D count_labels(name); /* For 4035 5.3.2 check */
-+
-   /* Sort RRset records into canonical order.=20
-      Note that at this point keyname and daemon->workspacename buffs are
-      unused, and used as workspace by the sort. */
-@@ -828,44 +879,16 @@ static int validate_rrset(time_t now, struct dns_heade=
r *header, size_t plen, in
-       algo =3D *p++;
-       labels =3D *p++;
-       GETLONG(orig_ttl, p);
--      GETLONG(sig_expiration, p);
--      GETLONG(sig_inception, p);
-+      p +=3D 8; /* sig_expiration, sig_inception already checked */
-       GETSHORT(key_tag, p);
-      =20
-       if (!extract_name(header, plen, &p, keyname, 1, 0))
- 	return STAT_BOGUS;
-=20
--      /* RFC 4035 5.3.1 says that the Signer's Name field MUST equal
--	 the name of the zone containing the RRset. We can't tell that
--	 for certain, but we can check that  the RRset name is equal to
--	 or encloses the signers name, which should be enough to stop=20
--	 an attacker using signatures made with the key of an unrelated=20
--	 zone he controls. Note that the root key is always allowed. */
--      if (*keyname !=3D 0)
--	{
--	  int failed =3D 0;
--	 =20
--	  for (name_start =3D name; !hostname_isequal(name_start, keyname); )
--	    if ((name_start =3D strchr(name_start, '.')))
--	      name_start++; /* chop a label off and try again */
--	    else
--	      {
--		failed =3D 1;
--		break;
--	      }
--
--	  /* Bad sig, try another */
--	  if (failed)
--	    continue;
--	}
--     =20
--      /* Other 5.3.1 checks */
--      if (!check_date_range(sig_inception, sig_expiration) ||
--	  labels > name_labels ||
--	  !(hash =3D hash_find(algo_digest_name(algo))) ||
-+      if (!(hash =3D hash_find(algo_digest_name(algo))) ||
- 	  !hash_init(hash, &ctx, &digest))
- 	continue;
--=09
-+     =20
-       /* OK, we have the signature record, see if the relevant DNSKEY is in=
 the cache. */
-       if (!key && !(crecp =3D cache_find_by_name(NULL, keyname, now, F_DNSK=
EY)))
- 	return STAT_NEED_KEY;
-@@ -971,10 +994,11 @@ static int validate_rrset(time_t now, struct dns_heade=
r *header, size_t plen, in
- /* The DNS packet is expected to contain the answer to a DNSKEY query.
-    Put all DNSKEYs in the answer which are valid into the cache.
-    return codes:
--         STAT_SECURE   At least one valid DNSKEY found and in cache.
--	 STAT_BOGUS    No DNSKEYs found, which  can be validated with DS,
--	               or self-sign for DNSKEY RRset is not valid, bad packet.
--	 STAT_NEED_DS  DS records to validate a key not found, name in keyname=20
-+         STAT_OK           Done, key(s) in cache.
-+	 STAT_BOGUS        No DNSKEYs found, which  can be validated with DS,
-+	                   or self-sign for DNSKEY RRset is not valid, bad packet.
-+	 STAT_NEED_DS      DS records to validate a key not found, name in keyname=
=20
-+	 STAT_NEED_DNSKEY  DNSKEY records to validate a key not found, name in key=
name=20
- */
- int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t ple=
n, char *name, char *keyname, int class)
- {
-@@ -1001,23 +1025,6 @@ int dnssec_validate_by_ds(time_t now, struct dns_head=
er *header, size_t plen, ch
-       return STAT_NEED_DS;
-     }
-  =20
--  /* If we've cached that DS provably doesn't exist, result must be INSECUR=
E */
--  if (crecp->flags & F_NEG)
--    return STAT_INSECURE_DS;
-- =20
--  /* 4035 5.2=20
--     If the validator does not support any of the algorithms listed in an
--     authenticated DS RRset, then the resolver has no supported
--     authentication path leading from the parent to the child.  The
--     resolver should treat this case as it would the case of an
--     authenticated NSEC RRset proving that no DS RRset exists,  */
--  for (recp1 =3D crecp; recp1; recp1 =3D cache_find_by_name(recp1, name, no=
w, F_DS))
--    if (hash_find(ds_digest_name(recp1->addr.ds.digest)))
--      break;
-- =20
--  if (!recp1)
--    return STAT_INSECURE_DS;
--
-   /* NOTE, we need to find ONE DNSKEY which matches the DS */
-   for (valid =3D 0, j =3D ntohs(header->ancount); j !=3D 0 && !valid; j--) =

-     {
-@@ -1070,7 +1077,8 @@ int dnssec_validate_by_ds(time_t now, struct dns_heade=
r *header, size_t plen, ch
- 	  void *ctx;
- 	  unsigned char *digest, *ds_digest;
- 	  const struct nettle_hash *hash;
--	 =20
-+	  int sigcnt, rrcnt;
-+
- 	  if (recp1->addr.ds.algo =3D=3D algo &&=20
- 	      recp1->addr.ds.keytag =3D=3D keytag &&
- 	      recp1->uid =3D=3D (unsigned int)class &&
-@@ -1088,10 +1096,14 @@ int dnssec_validate_by_ds(time_t now, struct dns_hea=
der *header, size_t plen, ch
- 	     =20
- 	      from_wire(name);
- 	     =20
--	      if (recp1->addr.ds.keylen =3D=3D (int)hash->digest_size &&
-+	      if (!(recp1->flags & F_NEG) &&
-+		  recp1->addr.ds.keylen =3D=3D (int)hash->digest_size &&
- 		  (ds_digest =3D blockdata_retrieve(recp1->addr.key.keydata, recp1->addr.=
ds.keylen, NULL)) &&
- 		  memcmp(ds_digest, digest, recp1->addr.ds.keylen) =3D=3D 0 &&
--		  validate_rrset(now, header, plen, class, T_DNSKEY, name, keyname, NULL,=
 key, rdlen - 4, algo, keytag) =3D=3D STAT_SECURE)
-+		  explore_rrset(header, plen, class, T_DNSKEY, name, keyname, &sigcnt, &r=
rcnt) &&
-+		  sigcnt !=3D 0 && rrcnt !=3D 0 &&
-+		  validate_rrset(now, header, plen, class, T_DNSKEY, sigcnt, rrcnt, name,=
 keyname,=20
-+				 NULL, key, rdlen - 4, algo, keytag) =3D=3D STAT_SECURE)
- 		{
- 		  valid =3D 1;
- 		  break;
-@@ -1112,7 +1124,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_heade=
r *header, size_t plen, ch
- 	{
- 	  /* Ensure we have type, class  TTL and length */
- 	  if (!(rc =3D extract_name(header, plen, &p, name, 0, 10)))
--	    return STAT_INSECURE; /* bad packet */
-+	    return STAT_BOGUS; /* bad packet */
- 	 =20
- 	  GETSHORT(qtype, p);=20
- 	  GETSHORT(qclass, p);
-@@ -1198,7 +1210,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_heade=
r *header, size_t plen, ch
-      =20
-       /* commit cache insert. */
-       cache_end_insert();
--      return STAT_SECURE;
-+      return STAT_OK;
-     }
-=20
-   log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DNSKEY");
-@@ -1207,12 +1219,14 @@ int dnssec_validate_by_ds(time_t now, struct dns_hea=
der *header, size_t plen, ch
-=20
- /* The DNS packet is expected to contain the answer to a DS query
-    Put all DSs in the answer which are valid into the cache.
-+   Also handles replies which prove that there's no DS at this location,=20
-+   either because the zone is unsigned or this isn't a zone cut. These are
-+   cached too.
-    return codes:
--   STAT_SECURE      At least one valid DS found and in cache.
--   STAT_NO_DS       It's proved there's no DS here.
--   STAT_NO_NS       It's proved there's no DS _or_ NS here.
-+   STAT_OK          At least one valid DS found and in cache.
-    STAT_BOGUS       no DS in reply or not signed, fails validation, bad pac=
ket.
-    STAT_NEED_KEY    DNSKEY records to validate a DS not found, name in keyn=
ame
-+   STAT_NEED_DS     DS record needed.
- */
-=20
- int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, =
char *name, char *keyname, int class)
-@@ -1230,7 +1244,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *=
header, size_t plen, char
-   if (qtype !=3D T_DS || qclass !=3D class)
-     val =3D STAT_BOGUS;
-   else
--    val =3D dnssec_validate_reply(now, header, plen, name, keyname, NULL, &=
neganswer, &nons);
-+    val =3D dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0=
, &neganswer, &nons);
-   /* Note dnssec_validate_reply() will have cached positive answers */
-  =20
-   if (val =3D=3D STAT_INSECURE)
-@@ -1242,22 +1256,21 @@ int dnssec_validate_ds(time_t now, struct dns_header=
 *header, size_t plen, char
-  =20
-   if (!(p =3D skip_section(p, ntohs(header->ancount), header, plen)))
-     val =3D STAT_BOGUS;
--  =20
--  /* If we return STAT_NO_SIG, name contains the name of the DS query */
--  if (val =3D=3D STAT_NO_SIG)
--    return val;
-  =20
-   /* If the key needed to validate the DS is on the same domain as the DS, =
we'll
-      loop getting nowhere. Stop that now. This can happen of the DS answer =
comes
-      from the DS's zone, and not the parent zone. */
--  if (val =3D=3D STAT_BOGUS ||  (val =3D=3D STAT_NEED_KEY && hostname_isequ=
al(name, keyname)))
-+  if (val =3D=3D STAT_BOGUS || (val =3D=3D STAT_NEED_KEY && hostname_isequa=
l(name, keyname)))
-     {
-       log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS");
-       return STAT_BOGUS;
-     }
-+ =20
-+  if (val !=3D STAT_SECURE)
-+    return val;
-=20
-   /* By here, the answer is proved secure, and a positive answer has been c=
ached. */
--  if (val =3D=3D STAT_SECURE && neganswer)
-+  if (neganswer)
-     {
-       int rdlen, flags =3D F_FORWARD | F_DS | F_NEG | F_DNSSECOK;
-       unsigned long ttl, minttl =3D ULONG_MAX;
-@@ -1317,15 +1330,14 @@ int dnssec_validate_ds(time_t now, struct dns_header=
 *header, size_t plen, char
- 	 =20
- 	  cache_end_insert(); =20
- 	 =20
--	  log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, nons ? "no delegation" : "=
no DS");
-+	  log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "no DS");
- 	}
--
--      return nons ? STAT_NO_NS : STAT_NO_DS;=20
-     }
-=20
--  return val;
-+  return STAT_OK;
- }
-=20
-+
- /* 4034 6.1 */
- static int hostname_cmp(const char *a, const char *b)
- {
-@@ -1452,7 +1464,7 @@ static int prove_non_existence_nsec(struct dns_header =
*header, size_t plen, unsi
-   int mask =3D 0x80 >> (type & 0x07);
-=20
-   if (nons)
--    *nons =3D 0;
-+    *nons =3D 1;
-  =20
-   /* Find NSEC record that proves name doesn't exist */
-   for (i =3D 0; i < nsec_count; i++)
-@@ -1480,9 +1492,22 @@ static int prove_non_existence_nsec(struct dns_header=
 *header, size_t plen, unsi
- 	  /* rdlen is now length of type map, and p points to it */
- 	 =20
- 	  /* If we can prove that there's no NS record, return that information. */
--	  if (nons && rdlen >=3D 2 && p[0] =3D=3D 0 && (p[2] & (0x80 >> T_NS)) =3D=
=3D 0)
--	    *nons =3D 1;
-+	  if (nons && rdlen >=3D 2 && p[0] =3D=3D 0 && (p[2] & (0x80 >> T_NS)) !=
=3D 0)
-+	    *nons =3D 0;
- 	 =20
-+	  if (rdlen >=3D 2 && p[0] =3D=3D 0)
-+	    {
-+	      /* A CNAME answer would also be valid, so if there's a CNAME is shou=
ld=20
-+		 have been returned. */
-+	      if ((p[2] & (0x80 >> T_CNAME)) !=3D 0)
-+		return STAT_BOGUS;
-+	     =20
-+	      /* If the SOA bit is set for a DS record, then we have the
-+		 DS from the wrong side of the delegation. */
-+	      if (type =3D=3D T_DS && (p[2] & (0x80 >> T_SOA)) !=3D 0)
-+		return STAT_BOGUS;
-+	    }
-+
- 	  while (rdlen >=3D 2)
- 	    {
- 	      if (!CHECK_LEN(header, p, plen, rdlen))
-@@ -1586,7 +1611,7 @@ static int base32_decode(char *in, unsigned char *out)
- static int check_nsec3_coverage(struct dns_header *header, size_t plen, int=
 digest_len, unsigned char *digest, int type,
- 				char *workspace1, char *workspace2, unsigned char **nsecs, int nsec_cou=
nt, int *nons)
- {
--  int i, hash_len, salt_len, base32_len, rdlen;
-+  int i, hash_len, salt_len, base32_len, rdlen, flags;
-   unsigned char *p, *psave;
-=20
-   for (i =3D 0; i < nsec_count; i++)
-@@ -1599,7 +1624,9 @@ static int check_nsec3_coverage(struct dns_header *hea=
der, size_t plen, int dige
- 	p +=3D 8; /* class, type, TTL */
- 	GETSHORT(rdlen, p);
- 	psave =3D p;
--	p +=3D 4; /* algo, flags, iterations */
-+	p++; /* algo */
-+	flags =3D *p++; /* flags */
-+	p +=3D 2; /* iterations */
- 	salt_len =3D *p++; /* salt_len */
- 	p +=3D salt_len; /* salt */
- 	hash_len =3D *p++; /* p now points to next hashed name */
-@@ -1626,16 +1653,29 @@ static int check_nsec3_coverage(struct dns_header *h=
eader, size_t plen, int dige
- 		  return 0;
- 	=09
- 		/* If we can prove that there's no NS record, return that information. */
--		if (nons && rdlen >=3D 2 && p[0] =3D=3D 0 && (p[2] & (0x80 >> T_NS)) =3D=
=3D 0)
--		  *nons =3D 1;
-+		if (nons && rdlen >=3D 2 && p[0] =3D=3D 0 && (p[2] & (0x80 >> T_NS)) !=3D=
 0)
-+		  *nons =3D 0;
- 	=09
-+		if (rdlen >=3D 2 && p[0] =3D=3D 0)
-+		  {
-+		    /* A CNAME answer would also be valid, so if there's a CNAME is shoul=
d=20
-+		       have been returned. */
-+		    if ((p[2] & (0x80 >> T_CNAME)) !=3D 0)
-+		      return 0;
-+		   =20
-+		    /* If the SOA bit is set for a DS record, then we have the
-+		       DS from the wrong side of the delegation. */
-+		    if (type =3D=3D T_DS && (p[2] & (0x80 >> T_SOA)) !=3D 0)
-+		      return 0;
-+		  }
-+
- 		while (rdlen >=3D 2)
- 		  {
- 		    if (p[0] =3D=3D type >> 8)
- 		      {
- 			/* Does the NSEC3 say our type exists? */
- 			if (offset < p[1] && (p[offset+2] & mask) !=3D 0)
--			  return STAT_BOGUS;
-+			  return 0;
- 		=09
- 			break; /* finshed checking */
- 		      }
-@@ -1643,7 +1683,7 @@ static int check_nsec3_coverage(struct dns_header *hea=
der, size_t plen, int dige
- 		    rdlen -=3D p[1];
- 		    p +=3D  p[1];
- 		  }
--
-+	=09
- 		return 1;
- 	      }
- 	    else if (rc < 0)
-@@ -1651,16 +1691,27 @@ static int check_nsec3_coverage(struct dns_header *h=
eader, size_t plen, int dige
- 		/* Normal case, hash falls between NSEC3 name-hash and next domain name-h=
ash,
- 		   wrap around case, name-hash falls between NSEC3 name-hash and end */
- 		if (memcmp(p, digest, digest_len) >=3D 0 || memcmp(workspace2, p, digest_=
len) >=3D 0)
--		  return 1;
-+		  {
-+		    if ((flags & 0x01) && nons) /* opt out */
-+		      *nons =3D 0;
-+
-+		    return 1;
-+		  }
- 	      }
- 	    else=20
- 	      {
- 		/* wrap around case, name falls between start and next domain name */
- 		if (memcmp(workspace2, p, digest_len) >=3D 0 && memcmp(p, digest, digest_=
len) >=3D 0)
--		  return 1;
-+		  {
-+		    if ((flags & 0x01) && nons) /* opt out */
-+		      *nons =3D 0;
-+
-+		    return 1;
-+		  }
- 	      }
- 	  }
-       }
-+
-   return 0;
- }
-=20
-@@ -1673,7 +1724,7 @@ static int prove_non_existence_nsec3(struct dns_header=
 *header, size_t plen, uns
-   char *closest_encloser, *next_closest, *wildcard;
-  =20
-   if (nons)
--    *nons =3D 0;
-+    *nons =3D 1;
-  =20
-   /* Look though the NSEC3 records to find the first one with=20
-      an algorithm we support (currently only algo =3D=3D 1).
-@@ -1813,16 +1864,81 @@ static int prove_non_existence_nsec3(struct dns_head=
er *header, size_t plen, uns
-  =20
-   return STAT_SECURE;
- }
--   =20
--/* Validate all the RRsets in the answer and authority sections of the repl=
y (4035:3.2.3) */
--/* Returns are the same as validate_rrset, plus the class if the missing ke=
y is in *class */
-+
-+/* Check signing status of name.
-+   returns:
-+   STAT_SECURE zone is signed.
-+   STAT_INSECURE zone proved unsigned.
-+   STAT_NEED_DS require DS record of name returned in keyname.
-+  =20
-+   name returned unaltered.
-+*/
-+static int zone_status(char *name, int class, char *keyname, time_t now)
-+{
-+  int name_start =3D strlen(name);
-+  struct crec *crecp;
-+  char *p;
-+ =20
-+  while (1)
-+    {
-+      strcpy(keyname, &name[name_start]);
-+     =20
-+      if (!(crecp =3D cache_find_by_name(NULL, keyname, now, F_DS)))
-+	return STAT_NEED_DS;
-+      else
-+	do=20
-+	  {
-+	    if (crecp->uid =3D=3D (unsigned int)class)
-+	      {
-+		/* F_DNSSECOK misused in DS cache records to non-existance of NS record.
-+		   F_NEG && !F_DNSSECOK implies that we've proved there's no DS record he=
re,
-+		   but that's because there's no NS record either, ie this isn't the start
-+		   of a zone. We only prove that the DNS tree below a node is unsigned wh=
en
-+		   we prove that we're at a zone cut AND there's no DS record.
-+		*/	 =20
-+		if (crecp->flags & F_NEG)
-+		  {
-+		    if (crecp->flags & F_DNSSECOK)
-+		      return STAT_INSECURE; /* proved no DS here */
-+		  }
-+		else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(crec=
p->addr.ds.algo))
-+		  return STAT_INSECURE; /* algo we can't use - insecure */
-+	      }
-+	  }
-+	while ((crecp =3D cache_find_by_name(crecp, keyname, now, F_DS)));
-+     =20
-+      if (name_start =3D=3D 0)
-+	break;
-+
-+      for (p =3D &name[name_start-2]; (*p !=3D '.') && (p !=3D name); p--);
-+     =20
-+      if (p !=3D name)
-+        p++;
-+     =20
-+      name_start =3D p - name;
-+    }=20
-+
-+  return STAT_SECURE;
-+}
-+      =20
-+/* Validate all the RRsets in the answer and authority sections of the repl=
y (4035:3.2.3)=20
-+   Return code:
-+   STAT_SECURE   if it validates.
-+   STAT_INSECURE at least one RRset not validated, because in unsigned zone.
-+   STAT_BOGUS    signature is wrong, bad packet, no validation where there =
should be.
-+   STAT_NEED_KEY need DNSKEY to complete validation (name is returned in ke=
yname, class in *class)
-+   STAT_NEED_DS  need DS to complete validation (name is returned in keynam=
e)=20
-+*/
- int dnssec_validate_reply(time_t now, struct dns_header *header, size_t ple=
n, char *name, char *keyname,=20
--			  int *class, int *neganswer, int *nons)
-+			  int *class, int check_unsigned, int *neganswer, int *nons)
- {
--  unsigned char *ans_start, *qname, *p1, *p2, **nsecs;
--  int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype;
--  int i, j, rc, nsec_count, cname_count =3D CNAME_CHAIN;
--  int nsec_type =3D 0, have_answer =3D 0;
-+  static unsigned char **targets =3D NULL;
-+  static int target_sz =3D 0;
-+
-+  unsigned char *ans_start, *p1, *p2, **nsecs;
-+  int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype, targetid=
x;
-+  int i, j, rc, nsec_count;
-+  int nsec_type;
-=20
-   if (neganswer)
-     *neganswer =3D 0;
-@@ -1833,70 +1949,51 @@ int dnssec_validate_reply(time_t now, struct dns_hea=
der *header, size_t plen, ch
-   if (RCODE(header) !=3D NXDOMAIN && RCODE(header) !=3D NOERROR)
-     return STAT_INSECURE;
-=20
--  qname =3D p1 =3D (unsigned char *)(header+1);
-+  p1 =3D (unsigned char *)(header+1);
-  =20
-+   /* Find all the targets we're looking for answers to.
-+     The zeroth array element is for the query, subsequent ones
-+     for CNAME targets, unless the query is for a CNAME. */
-+
-+  if (!expand_workspace(&targets, &target_sz, 0))
-+    return STAT_BOGUS;
-+ =20
-+  targets[0] =3D p1;
-+  targetidx =3D 1;
-+  =20
-   if (!extract_name(header, plen, &p1, name, 1, 4))
-     return STAT_BOGUS;
--
-+ =20
-   GETSHORT(qtype, p1);
-   GETSHORT(qclass, p1);
-   ans_start =3D p1;
--
--  if (qtype =3D=3D T_ANY)
--    have_answer =3D 1;
- =20
--  /* Can't validate an RRISG query */
-+  /* Can't validate an RRSIG query */
-   if (qtype =3D=3D T_RRSIG)
-     return STAT_INSECURE;
--=20
-- cname_loop:
--  for (j =3D ntohs(header->ancount); j !=3D 0; j--)=20
--    {
--      /* leave pointer to missing name in qname */
--          =20
--      if (!(rc =3D extract_name(header, plen, &p1, name, 0, 10)))
--	return STAT_BOGUS; /* bad packet */
--     =20
--      GETSHORT(type2, p1);=20
--      GETSHORT(class2, p1);
--      p1 +=3D 4; /* TTL */
--      GETSHORT(rdlen2, p1);
--
--      if (rc =3D=3D 1 && qclass =3D=3D class2)
--	{
--	  /* Do we have an answer for the question? */
--	  if (type2 =3D=3D qtype)
--	    {
--	      have_answer =3D 1;
--	      break;
--	    }
--	  else if (type2 =3D=3D T_CNAME)
--	    {
--	      qname =3D p1;
--	     =20
--	      /* looped CNAMES */
--	      if (!cname_count-- || !extract_name(header, plen, &p1, name, 1, 0))
--		return STAT_BOGUS;
--	      =20
--	      p1 =3D ans_start;
--	      goto cname_loop;
--	    }
--	}=20
--
--      if (!ADD_RDLEN(header, p1, plen, rdlen2))
--	return STAT_BOGUS;
--    }
--  =20
--  if (neganswer && !have_answer)
--    *neganswer =3D 1;
-  =20
--  /* No data, therefore no sigs */
--  if (ntohs(header->ancount) + ntohs(header->nscount) =3D=3D 0)
--    {
--      *keyname =3D 0;
--      return STAT_NO_SIG;
--    }
--
-+  if (qtype !=3D T_CNAME)
-+    for (j =3D ntohs(header->ancount); j !=3D 0; j--)=20
-+      {
-+	if (!(p1 =3D skip_name(p1, header, plen, 10)))
-+	  return STAT_BOGUS; /* bad packet */
-+=09
-+	GETSHORT(type2, p1);=20
-+	p1 +=3D 6; /* class, TTL */
-+	GETSHORT(rdlen2, p1); =20
-+=09
-+	if (type2 =3D=3D T_CNAME)
-+	  {
-+	    if (!expand_workspace(&targets, &target_sz, targetidx))
-+	      return STAT_BOGUS;
-+	   =20
-+	    targets[targetidx++] =3D p1; /* pointer to target name */
-+	  }
-+=09
-+	if (!ADD_RDLEN(header, p1, plen, rdlen2))
-+	  return STAT_BOGUS;
-+      }
-+ =20
-   for (p1 =3D ans_start, i =3D 0; i < ntohs(header->ancount) + ntohs(header=
->nscount); i++)
-     {
-       if (!extract_name(header, plen, &p1, name, 1, 10))
-@@ -1931,7 +2028,7 @@ int dnssec_validate_reply(time_t now, struct dns_heade=
r *header, size_t plen, ch
- 	  /* Not done, validate now */
- 	  if (j =3D=3D i)
- 	    {
--	      int ttl, keytag, algo, digest, type_covered;
-+	      int ttl, keytag, algo, digest, type_covered, sigcnt, rrcnt;
- 	      unsigned char *psave;
- 	      struct all_addr a;
- 	      struct blockdata *key;
-@@ -1939,143 +2036,186 @@ int dnssec_validate_reply(time_t now, struct dns_h=
eader *header, size_t plen, ch
- 	      char *wildname;
- 	      int have_wildcard =3D 0;
-=20
--	      rc =3D validate_rrset(now, header, plen, class1, type1, name, keynam=
e, &wildname, NULL, 0, 0, 0);
--	     =20
--	      if (rc =3D=3D STAT_SECURE_WILDCARD)
--		{
--		  have_wildcard =3D 1;
--
--		  /* An attacker replay a wildcard answer with a different
--		     answer and overlay a genuine RR. To prove this
--		     hasn't happened, the answer must prove that
--		     the gennuine record doesn't exist. Check that here. */
--		  if (!nsec_type && !(nsec_type =3D find_nsec_records(header, plen, &nsec=
s, &nsec_count, class1)))
--		    return STAT_BOGUS; /* No NSECs or bad packet */
--		 =20
--		  if (nsec_type =3D=3D T_NSEC)
--		    rc =3D prove_non_existence_nsec(header, plen, nsecs, nsec_count, daem=
on->workspacename, keyname, name, type1, NULL);
--		  else
--		    rc =3D prove_non_existence_nsec3(header, plen, nsecs, nsec_count, dae=
mon->workspacename,=20
--						   keyname, name, type1, wildname, NULL);
--		 =20
--		  if (rc !=3D STAT_SECURE)
--		    return rc;
--		}=20
--	      else if (rc !=3D STAT_SECURE)
--		{
--		  if (class)
--		    *class =3D class1; /* Class for DS or DNSKEY */
-+	      if (!explore_rrset(header, plen, class1, type1, name, keyname, &sigc=
nt, &rrcnt))
-+		return STAT_BOGUS;
-=20
--		  if (rc =3D=3D STAT_NO_SIG)
-+	      /* No signatures for RRset. We can be configured to assume this is O=
K and return a INSECURE result. */
-+	      if (sigcnt =3D=3D 0)
-+		{
-+		  if (check_unsigned)
- 		    {
--		      /* If we dropped off the end of a CNAME chain, return
--			 STAT_NO_SIG and the last name is keyname. This is used for proving non-=
existence
--			 if DS records in CNAME chains. */
--		      if (cname_count =3D=3D CNAME_CHAIN || i < ntohs(header->ancount))=20
--			/* No CNAME chain, or no sig in answer section, return empty name. */
--			*keyname =3D 0;
--		      else if (!extract_name(header, plen, &qname, keyname, 1, 0))
--			return STAT_BOGUS;
-+		      rc =3D zone_status(name, class1, keyname, now);
-+		      if (rc =3D=3D STAT_SECURE)
-+			rc =3D STAT_BOGUS;
-+		       if (class)
-+			 *class =3D class1; /* Class for NEED_DS or NEED_DNSKEY */
- 		    }
--=20
-+		  else=20
-+		    rc =3D STAT_INSECURE;=20
-+		 =20
- 		  return rc;
- 		}
- 	     =20
--	      /* Cache RRsigs in answer section, and if we just validated a DS RRs=
et, cache it */
--	      cache_start_insert();
-+	      /* explore_rrset() gives us key name from sigs in keyname.
-+		 Can't overwrite name here. */
-+	      strcpy(daemon->workspacename, keyname);
-+	      rc =3D zone_status(daemon->workspacename, class1, keyname, now);
-+	      if (rc !=3D STAT_SECURE)
-+		{
-+		  /* Zone is insecure, don't need to validate RRset */
-+		  if (class)
-+		    *class =3D class1; /* Class for NEED_DS or NEED_DNSKEY */
-+		  return rc;
-+		}=20
-+	     =20
-+	      rc =3D validate_rrset(now, header, plen, class1, type1, sigcnt, rrcn=
t, name, keyname, &wildname, NULL, 0, 0, 0);
- 	     =20
--	      for (p2 =3D ans_start, j =3D 0; j < ntohs(header->ancount); j++)
-+	      if (rc =3D=3D STAT_BOGUS || rc =3D=3D STAT_NEED_KEY || rc =3D=3D STA=
T_NEED_DS)
- 		{
--		  if (!(rc =3D extract_name(header, plen, &p2, name, 0, 10)))
--		    return STAT_BOGUS; /* bad packet */
-+		  if (class)
-+		    *class =3D class1; /* Class for DS or DNSKEY */
-+		  return rc;
-+		}=20
-+	      else=20
-+		{
-+		  /* rc is now STAT_SECURE or STAT_SECURE_WILDCARD */
-+		=20
-+		  /* Note if we've validated either the answer to the question
-+		     or the target of a CNAME. Any not noted will need NSEC or
-+		     to be in unsigned space. */
-+
-+		  for (j =3D 0; j <targetidx; j++)
-+		    if ((p2 =3D targets[j]))
-+		      {
-+			if (!(rc =3D extract_name(header, plen, &p2, name, 0, 10)))
-+			  return STAT_BOGUS; /* bad packet */
-+		=09
-+			if (class1 =3D=3D qclass && rc =3D=3D 1 && (type1 =3D=3D T_CNAME || type=
1 =3D=3D qtype || qtype =3D=3D T_ANY ))
-+			  targets[j] =3D NULL;
-+		      }
-+			   =20
-+		  if (rc =3D=3D STAT_SECURE_WILDCARD)
-+		    {
-+		      have_wildcard =3D 1;
- 		     =20
--		  GETSHORT(type2, p2);
--		  GETSHORT(class2, p2);
--		  GETLONG(ttl, p2);
--		  GETSHORT(rdlen2, p2);
--		      =20
--		  if (!CHECK_LEN(header, p2, plen, rdlen2))
--		    return STAT_BOGUS; /* bad packet */
--		 =20
--		  if (class2 =3D=3D class1 && rc =3D=3D 1)
--		    {=20
--		      psave =3D p2;
-+		      /* An attacker replay a wildcard answer with a different
-+			 answer and overlay a genuine RR. To prove this
-+			 hasn't happened, the answer must prove that
-+			 the gennuine record doesn't exist. Check that here. */
-+		      if (!(nsec_type =3D find_nsec_records(header, plen, &nsecs, &nsec_c=
ount, class1)))
-+			return STAT_BOGUS; /* No NSECs or bad packet */
-+		     =20
-+		      /* Note that we may not yet have validated the NSEC/NSEC3 RRsets. S=
ince the check
-+			 below returns either SECURE or BOGUS, that's not a problem. If the RRse=
ts later fail
-+			 we'll return BOGUS then. */
-=20
--		      if (type1 =3D=3D T_DS && type2 =3D=3D T_DS)
--			{
--			  if (rdlen2 < 4)
--			    return STAT_BOGUS; /* bad packet */
--			 =20
--			  GETSHORT(keytag, p2);
--			  algo =3D *p2++;
--			  digest =3D *p2++;
--			 =20
--			  /* Cache needs to known class for DNSSEC stuff */
--			  a.addr.dnssec.class =3D class2;
--			 =20
--			  if ((key =3D blockdata_alloc((char*)p2, rdlen2 - 4)))
--			    {
--			      if (!(crecp =3D cache_insert(name, &a, now, ttl, F_FORWARD | F_DS =
| F_DNSSECOK)))
--				blockdata_free(key);
--			      else
--				{
--				  a.addr.keytag =3D keytag;
--				  log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %u"=
);
--				  crecp->addr.ds.digest =3D digest;
--				  crecp->addr.ds.keydata =3D key;
--				  crecp->addr.ds.algo =3D algo;
--				  crecp->addr.ds.keytag =3D keytag;
--				  crecp->addr.ds.keylen =3D rdlen2 - 4;=20
--				}=20
--			    }
--			}
--		      else if (type2 =3D=3D T_RRSIG)
--			{
--			  if (rdlen2 < 18)
--			    return STAT_BOGUS; /* bad packet */
-+		      if (nsec_type =3D=3D T_NSEC)
-+			rc =3D prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon-=
>workspacename, keyname, name, type1, NULL);
-+		      else
-+			rc =3D prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon=
->workspacename,=20
-+						       keyname, name, type1, wildname, NULL);
-+		     =20
-+		      if (rc =3D=3D STAT_BOGUS)
-+			return rc;
-+		    }=20
-+		 =20
-+		  /* Cache RRsigs in answer section, and if we just validated a DS RRset,=
 cache it */
-+		  /* Also note if the RRset is the answer to the question, or the target =
of a CNAME */
-+		  cache_start_insert();
-+		 =20
-+		  for (p2 =3D ans_start, j =3D 0; j < ntohs(header->ancount); j++)
-+		    {
-+		      if (!(rc =3D extract_name(header, plen, &p2, name, 0, 10)))
-+			return STAT_BOGUS; /* bad packet */
-+		     =20
-+		      GETSHORT(type2, p2);
-+		      GETSHORT(class2, p2);
-+		      GETLONG(ttl, p2);
-+		      GETSHORT(rdlen2, p2);
-+		     =20
-+		      if (!CHECK_LEN(header, p2, plen, rdlen2))
-+			return STAT_BOGUS; /* bad packet */
-+		     =20
-+		      if (class2 =3D=3D class1 && rc =3D=3D 1)
-+			{=20
-+			  psave =3D p2;
- 			 =20
--			  GETSHORT(type_covered, p2);
--
--			  if (type_covered =3D=3D type1 &&=20
--			      (type_covered =3D=3D T_A || type_covered =3D=3D T_AAAA ||
--			       type_covered =3D=3D T_CNAME || type_covered =3D=3D T_DS ||=20
--			       type_covered =3D=3D T_DNSKEY || type_covered =3D=3D T_PTR))=20
-+			  if (type1 =3D=3D T_DS && type2 =3D=3D T_DS)
- 			    {
--			      a.addr.dnssec.type =3D type_covered;
--			      a.addr.dnssec.class =3D class1;
-+			      if (rdlen2 < 4)
-+				return STAT_BOGUS; /* bad packet */
- 			     =20
--			      algo =3D *p2++;
--			      p2 +=3D 13; /* labels, orig_ttl, expiration, inception */
- 			      GETSHORT(keytag, p2);
-+			      algo =3D *p2++;
-+			      digest =3D *p2++;
-+			     =20
-+			      /* Cache needs to known class for DNSSEC stuff */
-+			      a.addr.dnssec.class =3D class2;
- 			     =20
--			      /* We don't cache sigs for wildcard answers, because to reproduce =
the
--				 answer from the cache will require one or more NSEC/NSEC3 records=20
--				 which we don't cache. The lack of the RRSIG ensures that a query for
--				 this RRset asking for a secure answer will always be forwarded. */
--			      if (!have_wildcard && (key =3D blockdata_alloc((char*)psave, rdlen=
2)))
-+			      if ((key =3D blockdata_alloc((char*)p2, rdlen2 - 4)))
- 				{
--				  if (!(crecp =3D cache_insert(name, &a, now, ttl,  F_FORWARD | F_DNSKE=
Y | F_DS)))
-+				  if (!(crecp =3D cache_insert(name, &a, now, ttl, F_FORWARD | F_DS | F=
_DNSSECOK)))
- 				    blockdata_free(key);
- 				  else
- 				    {
--				      crecp->addr.sig.keydata =3D key;
--				      crecp->addr.sig.keylen =3D rdlen2;
--				      crecp->addr.sig.keytag =3D keytag;
--				      crecp->addr.sig.type_covered =3D type_covered;
--				      crecp->addr.sig.algo =3D algo;
-+				      a.addr.keytag =3D keytag;
-+				      log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag=
 %u");
-+				      crecp->addr.ds.digest =3D digest;
-+				      crecp->addr.ds.keydata =3D key;
-+				      crecp->addr.ds.algo =3D algo;
-+				      crecp->addr.ds.keytag =3D keytag;
-+				      crecp->addr.ds.keylen =3D rdlen2 - 4;=20
-+				    }=20
-+				}
-+			    }
-+			  else if (type2 =3D=3D T_RRSIG)
-+			    {
-+			      if (rdlen2 < 18)
-+				return STAT_BOGUS; /* bad packet */
-+			     =20
-+			      GETSHORT(type_covered, p2);
-+			     =20
-+			      if (type_covered =3D=3D type1 &&=20
-+				  (type_covered =3D=3D T_A || type_covered =3D=3D T_AAAA ||
-+				   type_covered =3D=3D T_CNAME || type_covered =3D=3D T_DS ||=20
-+				   type_covered =3D=3D T_DNSKEY || type_covered =3D=3D T_PTR))=20
-+				{
-+				  a.addr.dnssec.type =3D type_covered;
-+				  a.addr.dnssec.class =3D class1;
-+				 =20
-+				  algo =3D *p2++;
-+				  p2 +=3D 13; /* labels, orig_ttl, expiration, inception */
-+				  GETSHORT(keytag, p2);
-+				 =20
-+				  /* We don't cache sigs for wildcard answers, because to reproduce the
-+				     answer from the cache will require one or more NSEC/NSEC3 records =

-+				     which we don't cache. The lack of the RRSIG ensures that a query f=
or
-+				     this RRset asking for a secure answer will always be forwarded. */
-+				  if (!have_wildcard && (key =3D blockdata_alloc((char*)psave, rdlen2)))
-+				    {
-+				      if (!(crecp =3D cache_insert(name, &a, now, ttl,  F_FORWARD | F_D=
NSKEY | F_DS)))
-+					blockdata_free(key);
-+				      else
-+					{
-+					  crecp->addr.sig.keydata =3D key;
-+					  crecp->addr.sig.keylen =3D rdlen2;
-+					  crecp->addr.sig.keytag =3D keytag;
-+					  crecp->addr.sig.type_covered =3D type_covered;
-+					  crecp->addr.sig.algo =3D algo;
-+					}
- 				    }
- 				}
- 			    }
-+			 =20
-+			  p2 =3D psave;
- 			}
- 		     =20
--		      p2 =3D psave;
-+		      if (!ADD_RDLEN(header, p2, plen, rdlen2))
-+			return STAT_BOGUS; /* bad packet */
- 		    }
- 		 =20
--		  if (!ADD_RDLEN(header, p2, plen, rdlen2))
--		    return STAT_BOGUS; /* bad packet */
-+		  cache_end_insert();
- 		}
--		 =20
--	      cache_end_insert();
- 	    }
- 	}
-=20
-@@ -2083,143 +2223,49 @@ int dnssec_validate_reply(time_t now, struct dns_he=
ader *header, size_t plen, ch
- 	return STAT_BOGUS;
-     }
-=20
--  /* OK, all the RRsets validate, now see if we have a NODATA or NXDOMAIN r=
eply */
--  if (have_answer)
--    return STAT_SECURE;
--    =20
--  /* NXDOMAIN or NODATA reply, prove that (name, class1, type1) can't exist=
 */
--  /* First marshall the NSEC records, if we've not done it previously */
--  if (!nsec_type && !(nsec_type =3D find_nsec_records(header, plen, &nsecs,=
 &nsec_count, qclass)))
--    {
--      /* No NSEC records. If we dropped off the end of a CNAME chain, return
--	 STAT_NO_SIG and the last name is keyname. This is used for proving non-ex=
istence
--	 if DS records in CNAME chains. */
--      if (cname_count =3D=3D CNAME_CHAIN) /* No CNAME chain, return empty n=
ame. */
--	*keyname =3D 0;
--      else if (!extract_name(header, plen, &qname, keyname, 1, 0))
--	return STAT_BOGUS;
--      return STAT_NO_SIG; /* No NSECs, this is probably a dangling CNAME po=
inting into
--			     an unsigned zone. Return STAT_NO_SIG to cause this to be proved. */
--    }
--  =20
--  /* Get name of missing answer */
--  if (!extract_name(header, plen, &qname, name, 1, 0))
--    return STAT_BOGUS;
-- =20
--  if (nsec_type =3D=3D T_NSEC)
--    return prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon=
->workspacename, keyname, name, qtype, nons);
--  else
--    return prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemo=
n->workspacename, keyname, name, qtype, NULL, nons);
--}
--
--/* Chase the CNAME chain in the packet until the first record which _doesn'=
t validate.
--   Needed for proving answer in unsigned space.
--   Return STAT_NEED_*=20
--          STAT_BOGUS - error
--          STAT_INSECURE - name of first non-secure record in name=20
--*/
--int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, =
char *name, char *keyname)
--{
--  unsigned char *p =3D (unsigned char *)(header+1);
--  int type, class, qclass, rdlen, j, rc;
--  int cname_count =3D CNAME_CHAIN;
--  char *wildname;
--
--  /* Get question */
--  if (!extract_name(header, plen, &p, name, 1, 4))
--    return STAT_BOGUS;
-- =20
--  p +=3D2; /* type */
--  GETSHORT(qclass, p);
--
--  while (1)
--    {
--      for (j =3D ntohs(header->ancount); j !=3D 0; j--)=20
--	{
--	  if (!(rc =3D extract_name(header, plen, &p, name, 0, 10)))
--	    return STAT_BOGUS; /* bad packet */
--	 =20
--	  GETSHORT(type, p);=20
--	  GETSHORT(class, p);
--	  p +=3D 4; /* TTL */
--	  GETSHORT(rdlen, p);
--
--	  /* Not target, loop */
--	  if (rc =3D=3D 2 || qclass !=3D class)
--	    {
--	      if (!ADD_RDLEN(header, p, plen, rdlen))
--		return STAT_BOGUS;
--	      continue;
--	    }
--	 =20
--	  /* Got to end of CNAME chain. */
--	  if (type !=3D T_CNAME)
--	    return STAT_INSECURE;
--	 =20
--	  /* validate CNAME chain, return if insecure or need more data */
--	  rc =3D validate_rrset(now, header, plen, class, type, name, keyname, &wi=
ldname, NULL, 0, 0, 0);
--	  =20
--	  if (rc =3D=3D STAT_SECURE_WILDCARD)
--	    {
--	      int nsec_type, nsec_count, i;
--	      unsigned char **nsecs;
--
--	      /* An attacker can replay a wildcard answer with a different
--		 answer and overlay a genuine RR. To prove this
--		 hasn't happened, the answer must prove that
--		 the genuine record doesn't exist. Check that here. */
--	      if (!(nsec_type =3D find_nsec_records(header, plen, &nsecs, &nsec_co=
unt, class)))
--		return STAT_BOGUS; /* No NSECs or bad packet */
--	     =20
--	      /* Note that we're called here because something didn't validate in =
validate_reply,
--		 so we can't assume that any NSEC records have been validated. We do them=
 by steam here */
--
--	      for (i =3D 0; i < nsec_count; i++)
--		{
--		  unsigned char *p1 =3D nsecs[i];
--		 =20
--		  if (!extract_name(header, plen, &p1, daemon->workspacename, 1, 0))
--		    return STAT_BOGUS;
--
--		  rc =3D validate_rrset(now, header, plen, class, nsec_type, daemon->work=
spacename, keyname, NULL, NULL, 0, 0, 0);
-+  /* OK, all the RRsets validate, now see if we have a missing answer or CN=
AME target. */
-+  for (j =3D 0; j <targetidx; j++)
-+    if ((p2 =3D targets[j]))
-+      {
-+	if (neganswer)
-+	  *neganswer =3D 1;
-=20
--		  /* NSECs can't be wildcards. */
--		  if (rc =3D=3D STAT_SECURE_WILDCARD)
--		    rc =3D STAT_BOGUS;
-+	if (!extract_name(header, plen, &p2, name, 1, 10))
-+	  return STAT_BOGUS; /* bad packet */
-+	   =20
-+	/* NXDOMAIN or NODATA reply, unanswered question is (name, qclass, qtype) =
*/
-=20
--		  if (rc !=3D STAT_SECURE)
-+	/* For anything other than a DS record, this situation is OK if either
-+	   the answer is in an unsigned zone, or there's a NSEC records. */
-+	if (!(nsec_type =3D find_nsec_records(header, plen, &nsecs, &nsec_count, q=
class)))
-+	  {
-+	    /* Empty DS without NSECS */
-+	    if (qtype =3D=3D T_DS)
-+	      return STAT_BOGUS;
-+	    else
-+	      {
-+		rc =3D zone_status(name, qclass, keyname, now);
-+		if (rc !=3D STAT_SECURE)
-+		  {
-+		    if (class)
-+		      *class =3D qclass; /* Class for NEED_DS or NEED_DNSKEY */
- 		    return rc;
--		}
--
--	      if (nsec_type =3D=3D T_NSEC)
--		rc =3D prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->=
workspacename, keyname, name, type, NULL);
--	      else
--		rc =3D prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon-=
>workspacename,=20
--					       keyname, name, type, wildname, NULL);
--	     =20
--	      if (rc !=3D STAT_SECURE)
--		return rc;
--	    }
--	 =20
--	  if (rc !=3D STAT_SECURE)
--	    {
--	      if (rc =3D=3D STAT_NO_SIG)
--		rc =3D STAT_INSECURE;
--	      return rc;
--	    }
-+		  }=20
-+	=09
-+		return STAT_BOGUS; /* signed zone, no NSECs */
-+	      }
-+	  }
-=20
--	  /* Loop down CNAME chain/ */
--	  if (!cname_count-- ||=20
--	      !extract_name(header, plen, &p, name, 1, 0) ||
--	      !(p =3D skip_questions(header, plen)))
--	    return STAT_BOGUS;
--	 =20
--	  break;
--	}
-+	  if (nsec_type =3D=3D T_NSEC)
-+	  rc =3D prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon-=
>workspacename, keyname, name, qtype, nons);
-+	else
-+	  rc =3D prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon=
->workspacename, keyname, name, qtype, NULL, nons);
-=20
--      /* End of CNAME chain */
--      return STAT_INSECURE;=09
--    }
-+	if (rc !=3D STAT_SECURE)
-+	  return rc;
-+      }
-+ =20
-+  return STAT_SECURE;
- }
-=20
-=20
-diff --git a/src/forward.c b/src/forward.c
-index b76a974..dd22a62 100644
---- a/src/forward.c
-+++ b/src/forward.c
-@@ -23,15 +23,6 @@ static struct frec *lookup_frec_by_sender(unsigned short =
id,
- static unsigned short get_id(void);
- static void free_frec(struct frec *f);
-=20
--#ifdef HAVE_DNSSEC
--static int tcp_key_recurse(time_t now, int status, struct dns_header *heade=
r, size_t n,=20
--			   int class, char *name, char *keyname, struct server *server, int *key=
count);
--static int do_check_sign(struct frec *forward, int status, time_t now, char=
 *name, char *keyname);
--static int send_check_sign(struct frec *forward, time_t now, struct dns_hea=
der *header, size_t plen,=20
--			   char *name, char *keyname);
--#endif
--
--
- /* Send a UDP packet with its source address set as "source"=20
-    unless nowild is true, when we just send it with the kernel default */
- int send_from(int fd, int nowild, char *packet, size_t len,=20
-@@ -825,236 +816,142 @@ void reply_query(int fd, int family, time_t now)
- #ifdef HAVE_DNSSEC
-       if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FRE=
C_CHECKING_DISABLED))
- 	{
--	  int status;
-+	  int status =3D 0;
-=20
- 	  /* We've had a reply already, which we're validating. Ignore this duplic=
ate */
- 	  if (forward->blocking_query)
- 	    return;
--
--	  if (header->hb3 & HB3_TC)
--	    {
--	      /* Truncated answer can't be validated.
-+	 =20
-+	   /* Truncated answer can't be validated.
- 		 If this is an answer to a DNSSEC-generated query, we still
- 		 need to get the client to retry over TCP, so return
- 		 an answer with the TC bit set, even if the actual answer fits.
- 	      */
--	      status =3D STAT_TRUNCATED;
--	    }
--	  else if (forward->flags & FREC_DNSKEY_QUERY)
--	    status =3D dnssec_validate_by_ds(now, header, n, daemon->namebuff, dae=
mon->keyname, forward->class);
--	  else if (forward->flags & FREC_DS_QUERY)
--	    {
--	      status =3D dnssec_validate_ds(now, header, n, daemon->namebuff, daem=
on->keyname, forward->class);
--	      /* Provably no DS, everything below is insecure, even if signatures =
are offered */
--	      if (status =3D=3D STAT_NO_DS)
--		/* We only cache sigs when we've validated a reply.
--		   Avoid caching a reply with sigs if there's a vaildated break in the=20
--		   DS chain, so we don't return replies from cache missing sigs. */
--              	status =3D STAT_INSECURE_DS;
--	      else if (status =3D=3D STAT_NO_SIG)
--                {
--                  if (option_bool(OPT_DNSSEC_NO_SIGN))
--                    {
--		      status =3D send_check_sign(forward, now, header, n, daemon->namebuf=
f, daemon->keyname);
--		      if (status =3D=3D STAT_INSECURE)
--			status =3D STAT_INSECURE_DS;
--		    }
--		  else
--		    status =3D STAT_INSECURE_DS;
--		}
--              else if (status =3D=3D STAT_NO_NS)
--		status =3D STAT_BOGUS;
--	    }
--	  else if (forward->flags & FREC_CHECK_NOSIGN)
--	    {
--	      status =3D dnssec_validate_ds(now, header, n, daemon->namebuff, daem=
on->keyname, forward->class);
--	      if (status !=3D STAT_NEED_KEY)
--		status =3D do_check_sign(forward, status, now, daemon->namebuff, daemon->=
keyname);
--	    }
--	  else
-+	  if (header->hb3 & HB3_TC)
-+	    status =3D STAT_TRUNCATED;
-+	 =20
-+	  while (1)
- 	    {
--	      status =3D dnssec_validate_reply(now, header, n, daemon->namebuff, d=
aemon->keyname, &forward->class, NULL, NULL);
--	      if (status =3D=3D STAT_NO_SIG)
-+	      /* As soon as anything returns BOGUS, we stop and unwind, to do othe=
rwise
-+		 would invite infinite loops, since the answers to DNSKEY and DS queries
-+		 will not be cached, so they'll be repeated. */
-+	      if (status !=3D STAT_BOGUS && status !=3D STAT_TRUNCATED && status !=
=3D STAT_ABANDONED)
- 		{
--		  if (option_bool(OPT_DNSSEC_NO_SIGN))
--		    status =3D send_check_sign(forward, now, header, n, daemon->namebuff,=
 daemon->keyname);
-+		  if (forward->flags & FREC_DNSKEY_QUERY)
-+		    status =3D dnssec_validate_by_ds(now, header, n, daemon->namebuff, da=
emon->keyname, forward->class);
-+		  else if (forward->flags & FREC_DS_QUERY)
-+		    status =3D dnssec_validate_ds(now, header, n, daemon->namebuff, daemo=
n->keyname, forward->class);
- 		  else
--		    status =3D STAT_INSECURE;
-+		    status =3D dnssec_validate_reply(now, header, n, daemon->namebuff, da=
emon->keyname, &forward->class,=20
-+						   option_bool(OPT_DNSSEC_NO_SIGN), NULL, NULL);
- 		}
--	    }
--	  /* Can't validate, as we're missing key data. Put this
--	     answer aside, whilst we get that. */    =20
--	  if (status =3D=3D STAT_NEED_DS || status =3D=3D STAT_NEED_DS_NEG || stat=
us =3D=3D STAT_NEED_KEY)
--	    {
--	      struct frec *new, *orig;
--	     =20
--	      /* Free any saved query */
--	      if (forward->stash)
--		blockdata_free(forward->stash);
--	     =20
--	      /* Now save reply pending receipt of key data */
--	      if (!(forward->stash =3D blockdata_alloc((char *)header, n)))
--		return;
--	      forward->stash_len =3D n;
- 	     =20
--	    anotherkey:	     =20
--	      /* Find the original query that started it all.... */
--	      for (orig =3D forward; orig->dependent; orig =3D orig->dependent);
--
--	      if (--orig->work_counter =3D=3D 0 || !(new =3D get_new_frec(now, NUL=
L, 1)))
--		status =3D STAT_INSECURE;
--	      else
-+	      /* Can't validate, as we're missing key data. Put this
-+		 answer aside, whilst we get that. */    =20
-+	      if (status =3D=3D STAT_NEED_DS || status =3D=3D STAT_NEED_KEY)
- 		{
--		  int fd;
--		  struct frec *next =3D new->next;
--		  *new =3D *forward; /* copy everything, then overwrite */
--		  new->next =3D next;
--		  new->blocking_query =3D NULL;
--		  new->sentto =3D server;
--		  new->rfd4 =3D NULL;
--		  new->orig_domain =3D NULL;
--#ifdef HAVE_IPV6
--		  new->rfd6 =3D NULL;
--#endif
--		  new->flags &=3D ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN=
);
-+		  struct frec *new, *orig;
- 		 =20
--		  new->dependent =3D forward; /* to find query awaiting new one. */
--		  forward->blocking_query =3D new; /* for garbage cleaning */
--		  /* validate routines leave name of required record in daemon->keyname */
--		  if (status =3D=3D STAT_NEED_KEY)
--		    {
--		      new->flags |=3D FREC_DNSKEY_QUERY;=20
--		      nn =3D dnssec_generate_query(header, ((char *) header) + daemon->pa=
cket_buff_sz,
--						 daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->ed=
ns_pktsz);
--		    }
--		  else=20
--		    {
--		      if (status =3D=3D STAT_NEED_DS_NEG)
--			new->flags |=3D FREC_CHECK_NOSIGN;
--		      else
--			new->flags |=3D FREC_DS_QUERY;
--		      nn =3D dnssec_generate_query(header,((char *) header) + daemon->pac=
ket_buff_sz,
--						 daemon->keyname, forward->class, T_DS, &server->addr, server->edns_p=
ktsz);
--		    }
--		  if ((hash =3D hash_questions(header, nn, daemon->namebuff)))
--		    memcpy(new->hash, hash, HASH_SIZE);
--		  new->new_id =3D get_id();
--		  header->id =3D htons(new->new_id);
--		  /* Save query for retransmission */
--		  if (!(new->stash =3D blockdata_alloc((char *)header, nn)))
-+		  /* Free any saved query */
-+		  if (forward->stash)
-+		    blockdata_free(forward->stash);
-+		 =20
-+		  /* Now save reply pending receipt of key data */
-+		  if (!(forward->stash =3D blockdata_alloc((char *)header, n)))
- 		    return;
--		     =20
--		  new->stash_len =3D nn;
-+		  forward->stash_len =3D n;
- 		 =20
--		  /* Don't resend this. */
--		  daemon->srv_save =3D NULL;
-+		  /* Find the original query that started it all.... */
-+		  for (orig =3D forward; orig->dependent; orig =3D orig->dependent);
- 		 =20
--		  if (server->sfd)
--		    fd =3D server->sfd->fd;
-+		  if (--orig->work_counter =3D=3D 0 || !(new =3D get_new_frec(now, NULL, =
1)))
-+		    status =3D STAT_ABANDONED;
- 		  else
- 		    {
--		      fd =3D -1;
-+		      int fd;
-+		      struct frec *next =3D new->next;
-+		      *new =3D *forward; /* copy everything, then overwrite */
-+		      new->next =3D next;
-+		      new->blocking_query =3D NULL;
-+		      new->sentto =3D server;
-+		      new->rfd4 =3D NULL;
- #ifdef HAVE_IPV6
--		      if (server->addr.sa.sa_family =3D=3D AF_INET6)
-+		      new->rfd6 =3D NULL;
-+#endif
-+		      new->flags &=3D ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY);
-+		     =20
-+		      new->dependent =3D forward; /* to find query awaiting new one. */
-+		      forward->blocking_query =3D new; /* for garbage cleaning */
-+		      /* validate routines leave name of required record in daemon->keyna=
me */
-+		      if (status =3D=3D STAT_NEED_KEY)
-+			{
-+			  new->flags |=3D FREC_DNSKEY_QUERY;=20
-+			  nn =3D dnssec_generate_query(header, ((char *) header) + daemon->packe=
t_buff_sz,
-+						     daemon->keyname, forward->class, T_DNSKEY, &server->addr, server=
->edns_pktsz);
-+			}
-+		      else=20
- 			{
--			  if (new->rfd6 || (new->rfd6 =3D allocate_rfd(AF_INET6)))
--			    fd =3D new->rfd6->fd;
-+			  new->flags |=3D FREC_DS_QUERY;
-+			  nn =3D dnssec_generate_query(header,((char *) header) + daemon->packet=
_buff_sz,
-+						     daemon->keyname, forward->class, T_DS, &server->addr, server->ed=
ns_pktsz);
- 			}
-+		      if ((hash =3D hash_questions(header, nn, daemon->namebuff)))
-+			memcpy(new->hash, hash, HASH_SIZE);
-+		      new->new_id =3D get_id();
-+		      header->id =3D htons(new->new_id);
-+		      /* Save query for retransmission */
-+		      new->stash =3D blockdata_alloc((char *)header, nn);
-+		      new->stash_len =3D nn;
-+		     =20
-+		      /* Don't resend this. */
-+		      daemon->srv_save =3D NULL;
-+		     =20
-+		      if (server->sfd)
-+			fd =3D server->sfd->fd;
- 		      else
-+			{
-+			  fd =3D -1;
-+#ifdef HAVE_IPV6
-+			  if (server->addr.sa.sa_family =3D=3D AF_INET6)
-+			    {
-+			      if (new->rfd6 || (new->rfd6 =3D allocate_rfd(AF_INET6)))
-+				fd =3D new->rfd6->fd;
-+			    }
-+			  else
- #endif
-+			    {
-+			      if (new->rfd4 || (new->rfd4 =3D allocate_rfd(AF_INET)))
-+				fd =3D new->rfd4->fd;
-+			    }
-+			}
-+		     =20
-+		      if (fd !=3D -1)
- 			{
--			  if (new->rfd4 || (new->rfd4 =3D allocate_rfd(AF_INET)))
--			    fd =3D new->rfd4->fd;
-+			  while (retry_send(sendto(fd, (char *)header, nn, 0,=20
-+						   &server->addr.sa,=20
-+						   sa_len(&server->addr))));=20
-+			  server->queries++;
- 			}
--		    }
--		 =20
--		  if (fd !=3D -1)
--		    {
--		      while (retry_send(sendto(fd, (char *)header, nn, 0,=20
--					       &server->addr.sa,=20
--					       sa_len(&server->addr))));=20
--		      server->queries++;
--		    }
--		 =20
-+		    }		 =20
- 		  return;
- 		}
--	    }
- 	 =20
--	  /* Ok, we reached far enough up the chain-of-trust that we can validate =
something.
--	     Now wind back down, pulling back answers which wouldn't previously va=
lidate
--	     and validate them with the new data. Note that if an answer needs mul=
tiple
--	     keys to validate, we may find another key is needed, in which case we=
 set off
--	     down another branch of the tree. Once we get to the original answer=20
--	     (FREC_DNSSEC_QUERY not set) and it validates, return it to the origin=
al requestor. */
--	  while (forward->dependent)
--	    {
-+	      /* Validated original answer, all done. */
-+	      if (!forward->dependent)
-+		break;
-+	     =20
-+	      /* validated subsdiary query, (and cached result)
-+		 pop that and return to the previous query we were working on. */
- 	      struct frec *prev =3D forward->dependent;
- 	      free_frec(forward);
- 	      forward =3D prev;
- 	      forward->blocking_query =3D NULL; /* already gone */
- 	      blockdata_retrieve(forward->stash, forward->stash_len, (void *)heade=
r);
- 	      n =3D forward->stash_len;
--	     =20
--	      if (status =3D=3D STAT_SECURE)
--		{
--		  if (forward->flags & FREC_DNSKEY_QUERY)
--		    status =3D dnssec_validate_by_ds(now, header, n, daemon->namebuff, da=
emon->keyname, forward->class);
--		  else if (forward->flags & FREC_DS_QUERY)
--		    {
--		      status =3D dnssec_validate_ds(now, header, n, daemon->namebuff, dae=
mon->keyname, forward->class);
--		       /* Provably no DS, everything below is insecure, even if signature=
s are offered */
--		      if (status =3D=3D STAT_NO_DS)
--			/* We only cache sigs when we've validated a reply.
--			   Avoid caching a reply with sigs if there's a vaildated break in the=20
--			   DS chain, so we don't return replies from cache missing sigs. */
--			status =3D STAT_INSECURE_DS;
--		       else if (status =3D=3D STAT_NO_SIG)
--			 {
--			   if (option_bool(OPT_DNSSEC_NO_SIGN))
--			     {
--			       status =3D send_check_sign(forward, now, header, n, daemon->nameb=
uff, daemon->keyname);=20
--			       if (status =3D=3D STAT_INSECURE)
--				 status =3D STAT_INSECURE_DS;
--			     }
--			   else
--			     status =3D STAT_INSECURE_DS;
--			 }
--		       else if (status =3D=3D STAT_NO_NS)
--			 status =3D STAT_BOGUS;
--		    }
--		  else if (forward->flags & FREC_CHECK_NOSIGN)
--		    {
--		      status =3D dnssec_validate_ds(now, header, n, daemon->namebuff, dae=
mon->keyname, forward->class);
--		      if (status !=3D STAT_NEED_KEY)
--			status =3D do_check_sign(forward, status, now, daemon->namebuff, daemon-=
>keyname);
--		    }
--		  else
--		    {
--		      status =3D dnssec_validate_reply(now, header, n, daemon->namebuff, =
daemon->keyname, &forward->class, NULL, NULL);=09
--		      if (status =3D=3D STAT_NO_SIG)
--			{
--			  if (option_bool(OPT_DNSSEC_NO_SIGN))
--			    status =3D send_check_sign(forward, now, header, n, daemon->namebuff=
, daemon->keyname);
--			  else
--			    status =3D STAT_INSECURE;
--			}
--		    }
--	      =20
--		  if (status =3D=3D STAT_NEED_DS || status =3D=3D STAT_NEED_DS_NEG || sta=
tus =3D=3D STAT_NEED_KEY)
--		    goto anotherkey;
--		}
- 	    }
-+=09
- 	 =20
- 	  no_cache_dnssec =3D 0;
--
--	  if (status =3D=3D STAT_INSECURE_DS)
--	    {
--	      /* We only cache sigs when we've validated a reply.
--		 Avoid caching a reply with sigs if there's a vaildated break in the=20
--		 DS chain, so we don't return replies from cache missing sigs. */
--	      status =3D STAT_INSECURE;
--	      no_cache_dnssec =3D 1;
--	    }
- 	 =20
- 	  if (status =3D=3D STAT_TRUNCATED)
- 	    header->hb3 |=3D HB3_TC;
-@@ -1062,7 +959,7 @@ void reply_query(int fd, int family, time_t now)
- 	    {
- 	      char *result, *domain =3D "result";
- 	     =20
--	      if (forward->work_counter =3D=3D 0)
-+	      if (status =3D=3D STAT_ABANDONED)
- 		{
- 		  result =3D "ABANDONED";
- 		  status =3D STAT_BOGUS;
-@@ -1072,7 +969,7 @@ void reply_query(int fd, int family, time_t now)
- 	     =20
- 	      if (status =3D=3D STAT_BOGUS && extract_request(header, n, daemon->n=
amebuff, NULL))
- 		domain =3D daemon->namebuff;
--
-+	     =20
- 	      log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
- 	    }
- 	 =20
-@@ -1415,315 +1312,49 @@ void receive_query(struct listener *listen, time_t =
now)
- }
-=20
- #ifdef HAVE_DNSSEC
--
--/* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove =
there's no DS
--   and therefore the answer shouldn't be signed, or STAT_BOGUS if it should=
 be, or=20
--   STAT_NEED_DS_NEG and keyname if we need to do the query. */
--static int send_check_sign(struct frec *forward, time_t now, struct dns_hea=
der *header, size_t plen,=20
--			   char *name, char *keyname)
--{
--  int status =3D dnssec_chase_cname(now, header, plen, name, keyname);
-- =20
--  if (status !=3D STAT_INSECURE)
--    return status;
--
--  /* Store the domain we're trying to check. */
--  forward->name_start =3D strlen(name);
--  forward->name_len =3D forward->name_start + 1;
--  if (!(forward->orig_domain =3D blockdata_alloc(name, forward->name_len)))
--    return STAT_BOGUS;
-- =20
--  return do_check_sign(forward, 0, now, name, keyname);
--}
--=20
--/* We either have a a reply (header non-NULL, or we need to start by lookin=
g in the cache */=20
--static int do_check_sign(struct frec *forward, int status, time_t now, char=
 *name, char *keyname)
--{
--  /* get domain we're checking back from blockdata store, it's stored on th=
e original query. */
--  while (forward->dependent && !forward->orig_domain)
--    forward =3D forward->dependent;
--
--  blockdata_retrieve(forward->orig_domain, forward->name_len, name);
-- =20
--  while (1)
--    {
--      char *p;=20
--
--      if (status =3D=3D 0)
--	{
--	  struct crec *crecp;
--
--	  /* Haven't received answer, see if in cache */
--	  if (!(crecp =3D cache_find_by_name(NULL, &name[forward->name_start], now=
, F_DS)))
--	    {
--	      /* put name of DS record we're missing into keyname */
--	      strcpy(keyname, &name[forward->name_start]);
--	      /* and wait for reply to arrive */
--	      return STAT_NEED_DS_NEG;
--	    }
--
--	  /* F_DNSSECOK misused in DS cache records to non-existance of NS record =
*/=20
--	  if (!(crecp->flags & F_NEG))
--	    status =3D STAT_SECURE;
--	  else if (crecp->flags & F_DNSSECOK)
--	    status =3D STAT_NO_DS;
--	  else
--	    status =3D STAT_NO_NS;
--	}
--     =20
--      /* Have entered non-signed part of DNS tree. */=20
--      if (status =3D=3D STAT_NO_DS)
--	return forward->dependent ? STAT_INSECURE_DS : STAT_INSECURE;
--
--      if (status =3D=3D STAT_BOGUS)
--	return STAT_BOGUS;
--
--      if (status =3D=3D STAT_NO_SIG && *keyname !=3D 0)
--	{
--	  /* There is a validated CNAME chain that doesn't end in a DS record. Sta=
rt=20
--	     the search again in that domain. */
--	  blockdata_free(forward->orig_domain);
--	  forward->name_start =3D strlen(keyname);
--	  forward->name_len =3D forward->name_start + 1;
--	  if (!(forward->orig_domain =3D blockdata_alloc(keyname, forward->name_le=
n)))
--	    return STAT_BOGUS;
--	 =20
--	  strcpy(name, keyname);
--	  status =3D 0; /* force to cache when we iterate. */
--	  continue;
--	}
--     =20
--      /* There's a proven DS record, or we're within a zone, where there do=
esn't need
--	 to be a DS record. Add a name and try again.=20
--	 If we've already tried the whole name, then fail */
--
--      if (forward->name_start =3D=3D 0)
--	return STAT_BOGUS;
--     =20
--      for (p =3D &name[forward->name_start-2]; (*p !=3D '.') && (p !=3D nam=
e); p--);
--     =20
--      if (p !=3D name)
--	p++;
--     =20
--      forward->name_start =3D p - name;
--      status =3D 0; /* force to cache when we iterate. */
--    }
--}
--
--/* Move down from the root, until we find a signed non-existance of a DS, i=
n which case
--   an unsigned answer is OK, or we find a signed DS, in which case there sh=
ould be=20
--   a signature, and the answer is BOGUS */
--static int  tcp_check_for_unsigned_zone(time_t now, struct dns_header *head=
er, size_t plen, int class, char *name,=20
--					char *keyname, struct server *server, int *keycount)
--{
--  size_t m;
--  unsigned char *packet, *payload;
--  u16 *length;
--  int status, name_len;
--  struct blockdata *block;
--
--  char *name_start;
--
--  /* Get first insecure entry in CNAME chain */
--  status =3D tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, na=
me, keyname, server, keycount);
--  if (status =3D=3D STAT_BOGUS)
--    return STAT_BOGUS;
-- =20
--  if (!(packet =3D whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16))=
))
--    return STAT_BOGUS;
-- =20
--  payload =3D &packet[2];
--  header =3D (struct dns_header *)payload;
--  length =3D (u16 *)packet;
--
--  /* Stash the name away, since the buffer will be trashed when we recurse =
*/
--  name_len =3D strlen(name) + 1;
--  name_start =3D name + name_len - 1;
-- =20
--  if (!(block =3D blockdata_alloc(name, name_len)))
--    {
--      free(packet);
--      return STAT_BOGUS;
--    }
--
--  while (1)
--    {
--      unsigned char c1, c2;
--      struct crec *crecp;
--
--      if (--(*keycount) =3D=3D 0)
--	{
--	  free(packet);
--	  blockdata_free(block);
--	  return STAT_BOGUS;   =20
--	}
--     =20
--      while ((crecp =3D cache_find_by_name(NULL, name_start, now, F_DS)))
--	{     =20
--	  if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))
--	    {
--	      /* Found a secure denial of DS - delegation is indeed insecure */
--	      free(packet);
--	      blockdata_free(block);
--	      return STAT_INSECURE;
--	    }
--     =20
--	  /* Here, either there's a secure DS, or no NS and no DS, and therefore n=
o delegation.
--	     Add another label and continue. */
--=20
--	  if (name_start =3D=3D name)
--	    {
--	      free(packet);
--	      blockdata_free(block);
--	      return STAT_BOGUS; /* run out of labels */
--	    }
--	 =20
--	  name_start -=3D 2;
--	  while (*name_start !=3D '.' && name_start !=3D name)=20
--	    name_start--;
--	  if (name_start !=3D name)
--	    name_start++;
--	}
--     =20
--      /* Can't find it in the cache, have to send a query */
--
--      m =3D dnssec_generate_query(header, ((char *) header) + 65536, name_s=
tart, class, T_DS, &server->addr, server->edns_pktsz);
--     =20
--      *length =3D htons(m);
--     =20
--      if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
--	  read_write(server->tcpfd, &c1, 1, 1) &&
--	  read_write(server->tcpfd, &c2, 1, 1) &&
--	  read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
--	{
--	  m =3D (c1 << 8) | c2;
--	 =20
--	  /* Note this trashes all three name workspaces */
--	  status =3D tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name=
, keyname, server, keycount);
--	 =20
--	  if (status =3D=3D STAT_NO_DS)
--	    {
--	      /* Found a secure denial of DS - delegation is indeed insecure */
--	      free(packet);
--	      blockdata_free(block);
--	      return STAT_INSECURE;
--	    }
--	 =20
--	  if (status =3D=3D STAT_NO_SIG && *keyname !=3D 0)
--	    {
--	      /* There is a validated CNAME chain that doesn't end in a DS record.=
 Start=20
--		 the search again in that domain. */
--	      blockdata_free(block);
--	      name_len =3D strlen(keyname) + 1;
--	      name_start =3D name + name_len - 1;
--	     =20
--	      if (!(block =3D blockdata_alloc(keyname, name_len)))
--		return STAT_BOGUS;
--	     =20
--	      strcpy(name, keyname);
--	      continue;
--	    }
--	 =20
--	  if (status =3D=3D STAT_BOGUS)
--	    {
--	      free(packet);
--	      blockdata_free(block);
--	      return STAT_BOGUS;
--	    }
--	 =20
--	  /* Here, either there's a secure DS, or no NS and no DS, and therefore n=
o delegation.
--	     Add another label and continue. */
--	 =20
--	  /* Get name we're checking back. */
--	  blockdata_retrieve(block, name_len, name);
--	 =20
--	  if (name_start =3D=3D name)
--	    {
--	      free(packet);
--	      blockdata_free(block);
--	      return STAT_BOGUS; /* run out of labels */
--	    }
--	 =20
--	  name_start -=3D 2;
--	  while (*name_start !=3D '.' && name_start !=3D name)=20
--	    name_start--;
--	  if (name_start !=3D name)
--	    name_start++;
--	}
--      else
--	{
--	  /* IO failure */
--	  free(packet);
--	  blockdata_free(block);
--	  return STAT_BOGUS; /* run out of labels */
--	}
--    }
--}
--
- static int tcp_key_recurse(time_t now, int status, struct dns_header *heade=
r, size_t n,=20
- 			   int class, char *name, char *keyname, struct server *server, int *key=
count)
- {
-   /* Recurse up the key heirarchy */
-   int new_status;
-+  unsigned char *packet =3D NULL;
-+  size_t m;=20
-+  unsigned char *payload =3D NULL;
-+  struct dns_header *new_header =3D NULL;
-+  u16 *length =3D NULL;
-+  unsigned char c1, c2;
-=20
--  /* limit the amount of work we do, to avoid cycling forever on loops in t=
he DNS */
--  if (--(*keycount) =3D=3D 0)
--    return STAT_INSECURE;
-- =20
--  if (status =3D=3D STAT_NEED_KEY)
--    new_status =3D dnssec_validate_by_ds(now, header, n, name, keyname, cla=
ss);
--  else if (status =3D=3D STAT_NEED_DS || status =3D=3D STAT_NEED_DS_NEG)
-+  while (1)
-     {
--      new_status =3D dnssec_validate_ds(now, header, n, name, keyname, clas=
s);
--      if (status =3D=3D STAT_NEED_DS)
-+      /* limit the amount of work we do, to avoid cycling forever on loops =
in the DNS */
-+      if (--(*keycount) =3D=3D 0)
-+	new_status =3D STAT_ABANDONED;
-+      else if (status =3D=3D STAT_NEED_KEY)
-+	new_status =3D dnssec_validate_by_ds(now, header, n, name, keyname, class);
-+      else if (status =3D=3D STAT_NEED_DS)
-+	new_status =3D dnssec_validate_ds(now, header, n, name, keyname, class);
-+      else=20
-+	new_status =3D dnssec_validate_reply(now, header, n, name, keyname, &class=
, option_bool(OPT_DNSSEC_NO_SIGN), NULL, NULL);
-+     =20
-+      if (new_status !=3D STAT_NEED_DS && new_status !=3D STAT_NEED_KEY)
-+	break;
-+
-+      /* Can't validate because we need a key/DS whose name now in keyname.
-+	 Make query for same, and recurse to validate */
-+      if (!packet)
- 	{
--	  if (new_status =3D=3D STAT_NO_DS)
--	    new_status =3D STAT_INSECURE_DS;
--	  if (new_status =3D=3D STAT_NO_SIG)
--	   {
--	     if (option_bool(OPT_DNSSEC_NO_SIGN))
--	       {
--		 new_status =3D tcp_check_for_unsigned_zone(now, header, n, class, name, =
keyname, server, keycount);
--		 if (new_status =3D=3D STAT_INSECURE)
--		   new_status =3D STAT_INSECURE_DS;
--	       }
--	     else
--	       new_status =3D STAT_INSECURE_DS;
--	   }
--	  else if (new_status =3D=3D STAT_NO_NS)
--	    new_status =3D STAT_BOGUS;
-+	  packet =3D whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
-+	  payload =3D &packet[2];
-+	  new_header =3D (struct dns_header *)payload;
-+	  length =3D (u16 *)packet;
- 	}
--    }
--  else if (status =3D=3D STAT_CHASE_CNAME)
--    new_status =3D dnssec_chase_cname(now, header, n, name, keyname);
--  else=20
--    {
--      new_status =3D dnssec_validate_reply(now, header, n, name, keyname, &=
class, NULL, NULL);
-      =20
--      if (new_status =3D=3D STAT_NO_SIG)
-+      if (!packet)
- 	{
--	  if (option_bool(OPT_DNSSEC_NO_SIGN))
--	    new_status =3D tcp_check_for_unsigned_zone(now, header, n, class, name=
, keyname, server, keycount);
--	  else
--	    new_status =3D STAT_INSECURE;
-+	  new_status =3D STAT_ABANDONED;
-+	  break;
- 	}
--    }
--
--  /* Can't validate because we need a key/DS whose name now in keyname.
--     Make query for same, and recurse to validate */
--  if (new_status =3D=3D STAT_NEED_DS || new_status =3D=3D STAT_NEED_KEY)
--    {
--      size_t m;=20
--      unsigned char *packet =3D whine_malloc(65536 + MAXDNAME + RRFIXEDSZ +=
 sizeof(u16));
--      unsigned char *payload =3D &packet[2];
--      struct dns_header *new_header =3D (struct dns_header *)payload;
--      u16 *length =3D (u16 *)packet;
--      unsigned char c1, c2;
--      =20
--      if (!packet)
--	return STAT_INSECURE;
--
--    another_tcp_key:
-+	=20
-       m =3D dnssec_generate_query(new_header, ((char *) new_header) + 65536=
, keyname, class,=20
- 				new_status =3D=3D STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr, serve=
r->edns_pktsz);
-      =20
-@@ -1733,65 +1364,22 @@ static int tcp_key_recurse(time_t now, int status, s=
truct dns_header *header, si
- 	  !read_write(server->tcpfd, &c1, 1, 1) ||
- 	  !read_write(server->tcpfd, &c2, 1, 1) ||
- 	  !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
--	new_status =3D STAT_INSECURE;
--      else
- 	{
--	  m =3D (c1 << 8) | c2;
--	 =20
--	  new_status =3D tcp_key_recurse(now, new_status, new_header, m, class, na=
me, keyname, server, keycount);
--	 =20
--	  if (new_status =3D=3D STAT_SECURE)
--	    {
--	      /* Reached a validated record, now try again at this level.
--		 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
--		 If so, go round again. */
--	     =20
--	      if (status =3D=3D STAT_NEED_KEY)
--		new_status =3D dnssec_validate_by_ds(now, header, n, name, keyname, class=
);
--	      else if (status =3D=3D STAT_NEED_DS || status =3D=3D STAT_NEED_DS_NE=
G)
--		{
--		  new_status =3D dnssec_validate_ds(now, header, n, name, keyname, class);
--		  if (status =3D=3D STAT_NEED_DS)
--		    {
--		      if (new_status =3D=3D STAT_NO_DS)
--			new_status =3D STAT_INSECURE_DS;
--		      else if (new_status =3D=3D STAT_NO_SIG)
--			{
--			  if (option_bool(OPT_DNSSEC_NO_SIGN))
--			    {
--			      new_status =3D tcp_check_for_unsigned_zone(now, header, n, class, =
name, keyname, server, keycount);=20
--			      if (new_status =3D=3D STAT_INSECURE)
--				new_status =3D STAT_INSECURE_DS;
--			    }
--			  else
--			    new_status =3D STAT_INSECURE_DS;
--			}
--		      else if (new_status =3D=3D STAT_NO_NS)
--			new_status =3D STAT_BOGUS;
--		    }
--		}
--	      else if (status =3D=3D STAT_CHASE_CNAME)
--		new_status =3D dnssec_chase_cname(now, header, n, name, keyname);
--	      else=20
--		{
--		  new_status =3D dnssec_validate_reply(now, header, n, name, keyname, &cl=
ass, NULL, NULL);
--		 =20
--		  if (new_status =3D=3D STAT_NO_SIG)
--		    {
--		      if (option_bool(OPT_DNSSEC_NO_SIGN))
--			new_status =3D tcp_check_for_unsigned_zone(now, header, n, class, name, =
keyname, server, keycount);
--		      else
--			new_status =3D STAT_INSECURE;
--		    }
--		}
--	     =20
--	      if (new_status =3D=3D STAT_NEED_DS || new_status =3D=3D STAT_NEED_KE=
Y)
--		goto another_tcp_key;
--	    }
-+	  new_status =3D STAT_ABANDONED;
-+	  break;
- 	}
-+
-+      m =3D (c1 << 8) | c2;
-      =20
--      free(packet);
-+      new_status =3D tcp_key_recurse(now, new_status, new_header, m, class,=
 name, keyname, server, keycount);
-+     =20
-+      if (new_status !=3D STAT_OK)
-+	break;
-     }
-+
-+  if (packet)
-+    free(packet);
-+   =20
-   return new_status;
- }
- #endif
-@@ -2075,19 +1663,10 @@ unsigned char *tcp_request(int confd, time_t now,
- 		      if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
- 			{
- 			  int keycount =3D DNSSEC_WORK; /* Limit to number of DNSSEC questions, =
to catch loops and avoid filling cache. */
--			  int status =3D tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daem=
on->namebuff, daemon->keyname, last_server, &keycount);
-+			  int status =3D tcp_key_recurse(now, STAT_OK, header, m, 0, daemon->nam=
ebuff, daemon->keyname, last_server, &keycount);
- 			  char *result, *domain =3D "result";
--
--			  if (status =3D=3D STAT_INSECURE_DS)
--			    {
--			      /* We only cache sigs when we've validated a reply.
--				 Avoid caching a reply with sigs if there's a vaildated break in the=20
--				 DS chain, so we don't return replies from cache missing sigs. */
--			      status =3D STAT_INSECURE;
--			      no_cache_dnssec =3D 1;
--			    }
- 			 =20
--			  if (keycount =3D=3D 0)
-+			  if (status =3D=3D STAT_ABANDONED)
- 			    {
- 			      result =3D "ABANDONED";
- 			      status =3D STAT_BOGUS;
-@@ -2179,7 +1758,6 @@ static struct frec *allocate_frec(time_t now)
-       f->dependent =3D NULL;
-       f->blocking_query =3D NULL;
-       f->stash =3D NULL;
--      f->orig_domain =3D NULL;
- #endif
-       daemon->frec_list =3D f;
-     }
-@@ -2248,12 +1826,6 @@ static void free_frec(struct frec *f)
-       f->stash =3D NULL;
-     }
-=20
--  if (f->orig_domain)
--    {
--      blockdata_free(f->orig_domain);
--      f->orig_domain =3D NULL;
--    }
--
-   /* Anything we're waiting on is pointless now, too */
-   if (f->blocking_query)
-     free_frec(f->blocking_query);
-@@ -2281,14 +1853,23 @@ struct frec *get_new_frec(time_t now, int *wait, int=
 force)
-       target =3D f;
-     else=20
-       {
--	if (difftime(now, f->time) >=3D 4*TIMEOUT)
--	  {
--	    free_frec(f);
--	    target =3D f;
--	  }
--=09
--	if (!oldest || difftime(f->time, oldest->time) <=3D 0)
--	  oldest =3D f;
-+#ifdef HAVE_DNSSEC
-+	    /* Don't free DNSSEC sub-queries here, as we may end up with
-+	       dangling references to them. They'll go when their "real" query=20
-+	       is freed. */
-+	    if (!f->dependent)
-+#endif
-+	      {
-+		if (difftime(now, f->time) >=3D 4*TIMEOUT)
-+		  {
-+		    free_frec(f);
-+		    target =3D f;
-+		  }
-+	    =20
-+	   =20
-+		if (!oldest || difftime(f->time, oldest->time) <=3D 0)
-+		  oldest =3D f;
-+	      }
-       }
-=20
-   if (target)
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_returning_the=
m_from_cache.patch b/src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_retur=
ning_them_from_cache.patch
deleted file mode 100644
index 5ffaf97..0000000
--- a/src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_returning_them_from_=
cache.patch
+++ /dev/null
@@ -1,612 +0,0 @@
-From 93be5b1e023b0c661e1ec2cd6d811a8ec9055c49 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Tue, 15 Dec 2015 12:04:40 +0000
-Subject: [PATCH] Abandon caching RRSIGs and returning them from cache.
-
-The list of exceptions to being able to locally answer
-cached data for validated records when DNSSEC data is requested
-was getting too long, so don't ever do that. This means
-that the cache no longer has to hold RRSIGS and allows
-us to lose lots of code. Note that cached validated
-answers are still returned as long as do=3D0
----
- src/cache.c   |   38 ++---------
- src/dnsmasq.h |   10 +--
- src/dnssec.c  |   94 ++++-----------------------
- src/rfc1035.c |  197 ++++++------------------------------------------------=
---
- 4 files changed, 42 insertions(+), 297 deletions(-)
-
-diff --git a/src/cache.c b/src/cache.c
-index 1b76b67..51ba7cc 100644
---- a/src/cache.c
-+++ b/src/cache.c
-@@ -189,12 +189,7 @@ static void cache_hash(struct crec *crecp)
- static void cache_blockdata_free(struct crec *crecp)
- {
-   if (crecp->flags & F_DNSKEY)
--    {
--      if (crecp->flags & F_DS)
--	blockdata_free(crecp->addr.sig.keydata);
--      else
--	blockdata_free(crecp->addr.key.keydata);
--    }
-+    blockdata_free(crecp->addr.key.keydata);
-   else if ((crecp->flags & F_DS) && !(crecp->flags & F_NEG))
-     blockdata_free(crecp->addr.ds.keydata);
- }
-@@ -369,13 +364,8 @@ static struct crec *cache_scan_free(char *name, struct =
all_addr *addr, time_t no
- 		}
- 	     =20
- #ifdef HAVE_DNSSEC
--	      /* Deletion has to be class-sensitive for DS, DNSKEY, RRSIG, also=20
--		 type-covered sensitive for  RRSIG */
--	      if ((flags & (F_DNSKEY | F_DS)) &&
--		  (flags & (F_DNSKEY | F_DS)) =3D=3D (crecp->flags & (F_DNSKEY | F_DS)) &&
--		  crecp->uid =3D=3D addr->addr.dnssec.class &&
--		  (!((flags & (F_DS | F_DNSKEY)) =3D=3D (F_DS | F_DNSKEY)) ||=20
--		   crecp->addr.sig.type_covered =3D=3D addr->addr.dnssec.type))
-+	      /* Deletion has to be class-sensitive for DS and DNSKEY */
-+	      if ((flags & crecp->flags & (F_DNSKEY | F_DS)) && crecp->uid =3D=3D =
addr->addr.dnssec.class)
- 		{
- 		  if (crecp->flags & F_CONFIG)
- 		    return crecp;
-@@ -532,13 +522,9 @@ struct crec *cache_insert(char *name, struct all_addr *=
addr,
- 	    struct all_addr free_addr =3D new->addr.addr;;
-=20
- #ifdef HAVE_DNSSEC
--	    /* For DNSSEC records, addr holds class and type_covered for RRSIG */
-+	    /* For DNSSEC records, addr holds class. */
- 	    if (new->flags & (F_DS | F_DNSKEY))
--	      {
--		free_addr.addr.dnssec.class =3D new->uid;
--		if ((new->flags & (F_DS | F_DNSKEY)) =3D=3D (F_DS | F_DNSKEY))
--		  free_addr.addr.dnssec.type =3D new->addr.sig.type_covered;
--	      }
-+	      free_addr.addr.dnssec.class =3D new->uid;
- #endif
- 	   =20
- 	    free_avail =3D 1; /* Must be free space now. */
-@@ -653,9 +639,6 @@ struct crec *cache_find_by_name(struct crec *crecp, char=
 *name, time_t now, unsi
- 	  if (!is_expired(now, crecp) && !is_outdated_cname_pointer(crecp))
- 	    {
- 	      if ((crecp->flags & F_FORWARD) &&=20
--#ifdef HAVE_DNSSEC
--		  (((crecp->flags & (F_DNSKEY | F_DS)) =3D=3D (prot & (F_DNSKEY | F_DS)))=
 || (prot & F_NSIGMATCH)) &&
--#endif
- 		  (crecp->flags & prot) &&
- 		  hostname_isequal(cache_get_name(crecp), name))
- 		{
-@@ -713,9 +696,6 @@ struct crec *cache_find_by_name(struct crec *crecp, char=
 *name, time_t now, unsi
-=20
-   if (ans &&=20
-       (ans->flags & F_FORWARD) &&
--#ifdef HAVE_DNSSEC
--      (((ans->flags & (F_DNSKEY | F_DS)) =3D=3D (prot & (F_DNSKEY | F_DS)))=
 || (prot & F_NSIGMATCH)) &&
--#endif
-       (ans->flags & prot) &&    =20
-       hostname_isequal(cache_get_name(ans), name))
-     return ans;
-@@ -1472,11 +1452,7 @@ void dump_cache(time_t now)
- #ifdef HAVE_DNSSEC
- 	    else if (cache->flags & F_DS)
- 	      {
--		if (cache->flags & F_DNSKEY)
--		  /* RRSIG */
--		  sprintf(a, "%5u %3u %s", cache->addr.sig.keytag,
--			  cache->addr.sig.algo, querystr("", cache->addr.sig.type_covered));
--		else if (!(cache->flags & F_NEG))
-+		if (!(cache->flags & F_NEG))
- 		  sprintf(a, "%5u %3u %3u", cache->addr.ds.keytag,
- 			  cache->addr.ds.algo, cache->addr.ds.digest);
- 	      }
-@@ -1502,8 +1478,6 @@ void dump_cache(time_t now)
- 	    else if (cache->flags & F_CNAME)
- 	      t =3D "C";
- #ifdef HAVE_DNSSEC
--	    else if ((cache->flags & (F_DS | F_DNSKEY)) =3D=3D (F_DS | F_DNSKEY))
--	      t =3D "G"; /* DNSKEY and DS set -> RRISG */
- 	    else if (cache->flags & F_DS)
- 	      t =3D "S";
- 	    else if (cache->flags & F_DNSKEY)
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index 023a1cf..4344cae 100644
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -398,14 +398,9 @@ struct crec {
-       unsigned char algo;
-       unsigned char digest;=20
-     } ds;=20
--    struct {
--      struct blockdata *keydata;
--      unsigned short keylen, type_covered, keytag;
--      char algo;
--    } sig;
-   } addr;
-   time_t ttd; /* time to die */
--  /* used as class if DNSKEY/DS/RRSIG, index to source for F_HOSTS */
-+  /* used as class if DNSKEY/DS, index to source for F_HOSTS */
-   unsigned int uid;=20
-   unsigned short flags;
-   union {
-@@ -445,8 +440,7 @@ struct crec {
- #define F_SECSTAT   (1u<<24)
- #define F_NO_RR     (1u<<25)
- #define F_IPSET     (1u<<26)
--#define F_NSIGMATCH (1u<<27)
--#define F_NOEXTRA   (1u<<28)
-+#define F_NOEXTRA   (1u<<27)
-=20
- /* Values of uid in crecs with F_CONFIG bit set. */
- #define SRC_INTERFACE 0
-diff --git a/src/dnssec.c b/src/dnssec.c
-index de7b335..1ae03a6 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -1004,7 +1004,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_heade=
r *header, size_t plen, ch
- {
-   unsigned char *psave, *p =3D (unsigned char *)(header+1);
-   struct crec *crecp, *recp1;
--  int rc, j, qtype, qclass, ttl, rdlen, flags, algo, valid, keytag, type_co=
vered;
-+  int rc, j, qtype, qclass, ttl, rdlen, flags, algo, valid, keytag;
-   struct blockdata *key;
-   struct all_addr a;
-=20
-@@ -1115,7 +1115,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_heade=
r *header, size_t plen, ch
-=20
-   if (valid)
-     {
--      /* DNSKEY RRset determined to be OK, now cache it and the RRsigs that=
 sign it. */
-+      /* DNSKEY RRset determined to be OK, now cache it. */
-       cache_start_insert();
-      =20
-       p =3D skip_questions(header, plen);
-@@ -1155,7 +1155,10 @@ int dnssec_validate_by_ds(time_t now, struct dns_head=
er *header, size_t plen, ch
- 		  if ((key =3D blockdata_alloc((char*)p, rdlen - 4)))
- 		    {
- 		      if (!(recp1 =3D cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSK=
EY | F_DNSSECOK)))
--			blockdata_free(key);
-+			{
-+			  blockdata_free(key);
-+			  return STAT_BOGUS;
-+			}
- 		      else
- 			{
- 			  a.addr.keytag =3D keytag;
-@@ -1169,38 +1172,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_head=
er *header, size_t plen, ch
- 			}
- 		    }
- 		}
--	      else if (qtype =3D=3D T_RRSIG)
--		{
--		  /* RRSIG, cache if covers DNSKEY RRset */
--		  if (rdlen < 18)
--		    return STAT_BOGUS; /* bad packet */
--		 =20
--		  GETSHORT(type_covered, p);
--		 =20
--		  if (type_covered =3D=3D T_DNSKEY)
--		    {
--		      a.addr.dnssec.class =3D class;
--		      a.addr.dnssec.type =3D type_covered;
--		     =20
--		      algo =3D *p++;
--		      p +=3D 13; /* labels, orig_ttl, expiration, inception */
--		      GETSHORT(keytag, p);=09
--		      if ((key =3D blockdata_alloc((char*)psave, rdlen)))
--			{
--			  if (!(crecp =3D cache_insert(name, &a, now, ttl,  F_FORWARD | F_DNSKEY=
 | F_DS)))
--			    blockdata_free(key);
--			  else
--			    {
--			      crecp->addr.sig.keydata =3D key;
--			      crecp->addr.sig.keylen =3D rdlen;
--			      crecp->addr.sig.keytag =3D keytag;
--			      crecp->addr.sig.type_covered =3D type_covered;
--			      crecp->addr.sig.algo =3D algo;
--			    }
--			}
--		    }
--		}
--	     =20
-+	      	     =20
- 	      p =3D psave;
- 	    }
-=20
-@@ -1326,7 +1298,8 @@ int dnssec_validate_ds(time_t now, struct dns_header *=
header, size_t plen, char
- 	  cache_start_insert();
- 	 =20
- 	  a.addr.dnssec.class =3D class;
--	  cache_insert(name, &a, now, ttl, flags);
-+	  if (!cache_insert(name, &a, now, ttl, flags))
-+	    return STAT_BOGUS;
- 	 =20
- 	  cache_end_insert(); =20
- 	 =20
-@@ -2028,14 +2001,13 @@ int dnssec_validate_reply(time_t now, struct dns_hea=
der *header, size_t plen, ch
- 	  /* Not done, validate now */
- 	  if (j =3D=3D i)
- 	    {
--	      int ttl, keytag, algo, digest, type_covered, sigcnt, rrcnt;
-+	      int ttl, keytag, algo, digest, sigcnt, rrcnt;
- 	      unsigned char *psave;
- 	      struct all_addr a;
- 	      struct blockdata *key;
- 	      struct crec *crecp;
- 	      char *wildname;
--	      int have_wildcard =3D 0;
--
-+	     =20
- 	      if (!explore_rrset(header, plen, class1, type1, name, keyname, &sigc=
nt, &rrcnt))
- 		return STAT_BOGUS;
-=20
-@@ -2096,8 +2068,6 @@ int dnssec_validate_reply(time_t now, struct dns_heade=
r *header, size_t plen, ch
- 			   =20
- 		  if (rc =3D=3D STAT_SECURE_WILDCARD)
- 		    {
--		      have_wildcard =3D 1;
--		     =20
- 		      /* An attacker replay a wildcard answer with a different
- 			 answer and overlay a genuine RR. To prove this
- 			 hasn't happened, the answer must prove that
-@@ -2119,7 +2089,7 @@ int dnssec_validate_reply(time_t now, struct dns_heade=
r *header, size_t plen, ch
- 			return rc;
- 		    }=20
- 		 =20
--		  /* Cache RRsigs in answer section, and if we just validated a DS RRset,=
 cache it */
-+		  /* If we just validated a DS RRset, cache it */
- 		  /* Also note if the RRset is the answer to the question, or the target =
of a CNAME */
- 		  cache_start_insert();
- 		 =20
-@@ -2168,45 +2138,7 @@ int dnssec_validate_reply(time_t now, struct dns_head=
er *header, size_t plen, ch
- 				    }=20
- 				}
- 			    }
--			  else if (type2 =3D=3D T_RRSIG)
--			    {
--			      if (rdlen2 < 18)
--				return STAT_BOGUS; /* bad packet */
--			     =20
--			      GETSHORT(type_covered, p2);
--			     =20
--			      if (type_covered =3D=3D type1 &&=20
--				  (type_covered =3D=3D T_A || type_covered =3D=3D T_AAAA ||
--				   type_covered =3D=3D T_CNAME || type_covered =3D=3D T_DS ||=20
--				   type_covered =3D=3D T_DNSKEY || type_covered =3D=3D T_PTR))=20
--				{
--				  a.addr.dnssec.type =3D type_covered;
--				  a.addr.dnssec.class =3D class1;
--				 =20
--				  algo =3D *p2++;
--				  p2 +=3D 13; /* labels, orig_ttl, expiration, inception */
--				  GETSHORT(keytag, p2);
--				 =20
--				  /* We don't cache sigs for wildcard answers, because to reproduce the
--				     answer from the cache will require one or more NSEC/NSEC3 records =

--				     which we don't cache. The lack of the RRSIG ensures that a query f=
or
--				     this RRset asking for a secure answer will always be forwarded. */
--				  if (!have_wildcard && (key =3D blockdata_alloc((char*)psave, rdlen2)))
--				    {
--				      if (!(crecp =3D cache_insert(name, &a, now, ttl,  F_FORWARD | F_D=
NSKEY | F_DS)))
--					blockdata_free(key);
--				      else
--					{
--					  crecp->addr.sig.keydata =3D key;
--					  crecp->addr.sig.keylen =3D rdlen2;
--					  crecp->addr.sig.keytag =3D keytag;
--					  crecp->addr.sig.type_covered =3D type_covered;
--					  crecp->addr.sig.algo =3D algo;
--					}
--				    }
--				}
--			    }
--			 =20
-+
- 			  p2 =3D psave;
- 			}
- 		     =20
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index 4eb1772..def8fa0 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -1275,11 +1275,9 @@ int check_for_local_domain(char *name, time_t now)
-   struct naptr *naptr;
-=20
-   /* Note: the call to cache_find_by_name is intended to find any record wh=
ich matches
--     ie A, AAAA, CNAME, DS. Because RRSIG records are marked by setting bot=
h F_DS and F_DNSKEY,
--     cache_find_by name ordinarily only returns records with an exact match=
 on those bits (ie
--     for the call below, only DS records). The F_NSIGMATCH bit changes this=
 behaviour */
-+     ie A, AAAA, CNAME. */
-=20
--  if ((crecp =3D cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CN=
AME | F_DS | F_NO_RR | F_NSIGMATCH)) &&
-+  if ((crecp =3D cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CN=
AME |F_NO_RR)) &&
-       (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)))
-     return 1;
-  =20
-@@ -1566,9 +1564,11 @@ size_t answer_request(struct dns_header *header, char=
 *limit, size_t qlen,
-       GETSHORT(flags, pheader);
-      =20
-       if ((sec_reqd =3D flags & 0x8000))
--	*do_bit =3D 1;/* do bit */=20
-+	{
-+	  *do_bit =3D 1;/* do bit */=20
-+	  *ad_reqd =3D 1;
-+	}
-=20
--      *ad_reqd =3D 1;
-       dryrun =3D 1;
-     }
-=20
-@@ -1636,98 +1636,6 @@ size_t answer_request(struct dns_header *header, char=
 *limit, size_t qlen,
- 	    }
- 	}
-=20
--#ifdef HAVE_DNSSEC
--      if (option_bool(OPT_DNSSEC_VALID) && (qtype =3D=3D T_DNSKEY || qtype =
=3D=3D T_DS))
--	{
--	  int gotone =3D 0;
--	  struct blockdata *keydata;
--
--	  /* Do we have RRSIG? Can't do DS or DNSKEY otherwise. */
--	  if (sec_reqd)
--	    {
--	      crecp =3D NULL;
--	      while ((crecp =3D cache_find_by_name(crecp, name, now, F_DNSKEY | F_=
DS)))
--		if (crecp->uid =3D=3D qclass && crecp->addr.sig.type_covered =3D=3D qtype)
--		  break;
--	    }
--	 =20
--	  if (!sec_reqd || crecp)
--	    {
--	      if (qtype =3D=3D T_DS)
--		{
--		  crecp =3D NULL;
--		  while ((crecp =3D cache_find_by_name(crecp, name, now, F_DS)))
--		    if (crecp->uid =3D=3D qclass)
--		      {
--			gotone =3D 1;=20
--			if (!dryrun)
--			  {
--			    if (crecp->flags & F_NEG)
--			      {
--				if (crecp->flags & F_NXDOMAIN)
--				  nxdomain =3D 1;
--				log_query(F_UPSTREAM, name, NULL, "no DS");=09
--			      }
--			    else if ((keydata =3D blockdata_retrieve(crecp->addr.ds.keydata, cre=
cp->addr.ds.keylen, NULL)))
--			      {			     			     =20
--				struct all_addr a;
--				a.addr.keytag =3D  crecp->addr.ds.keytag;
--				log_query(F_KEYTAG | (crecp->flags & F_CONFIG), name, &a, "DS keytag %u=
");
--				if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,=20
--							crec_ttl(crecp, now), &nameoffset,
--							T_DS, qclass, "sbbt",=20
--							crecp->addr.ds.keytag, crecp->addr.ds.algo,=20
--							crecp->addr.ds.digest, crecp->addr.ds.keylen, keydata))
--				  anscount++;
--			=09
--			      }=20
--			  }
--		      }
--		}
--	      else /* DNSKEY */
--		{
--		  crecp =3D NULL;
--		  while ((crecp =3D cache_find_by_name(crecp, name, now, F_DNSKEY)))
--		    if (crecp->uid =3D=3D qclass)
--		      {
--			gotone =3D 1;
--			if (!dryrun && (keydata =3D blockdata_retrieve(crecp->addr.key.keydata, =
crecp->addr.key.keylen, NULL)))
--			  {			     			     =20
--			    struct all_addr a;
--			    a.addr.keytag =3D  crecp->addr.key.keytag;
--			    log_query(F_KEYTAG | (crecp->flags & F_CONFIG), name, &a, "DNSKEY ke=
ytag %u");
--			    if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,=20
--						    crec_ttl(crecp, now), &nameoffset,
--						    T_DNSKEY, qclass, "sbbt",=20
--						    crecp->addr.key.flags, 3, crecp->addr.key.algo, crecp->addr.key.k=
eylen, keydata))
--			      anscount++;
--			  }
--		      }
--		}
--	    }
--	 =20
--	  /* Now do RRSIGs */
--	  if (gotone)
--	    {
--	      ans =3D 1;
--	      auth =3D 0;
--	      if (!dryrun && sec_reqd)
--		{
--		  crecp =3D NULL;
--		  while ((crecp =3D cache_find_by_name(crecp, name, now, F_DNSKEY | F_DS)=
))
--		    if (crecp->uid =3D=3D qclass && crecp->addr.sig.type_covered =3D=3D q=
type &&
--			(keydata =3D blockdata_retrieve(crecp->addr.sig.keydata, crecp->addr.sig=
.keylen, NULL)))
--		      {
--			add_resource_record(header, limit, &trunc, nameoffset, &ansp,=20
--					    crec_ttl(crecp, now), &nameoffset,
--					    T_RRSIG, qclass, "t", crecp->addr.sig.keylen, keydata);
--			anscount++;
--		      }
--		}
--	    }
--	}
--#endif	    =20
--     =20
-       if (qclass =3D=3D C_IN)
- 	{
- 	  struct txt_record *t;
-@@ -1736,6 +1644,7 @@ size_t answer_request(struct dns_header *header, char =
*limit, size_t qlen,
- 	    if ((t->class =3D=3D qtype || qtype =3D=3D T_ANY) && hostname_isequal(=
name, t->name))
- 	      {
- 		ans =3D 1;
-+		sec_data =3D 0;
- 		if (!dryrun)
- 		  {
- 		    log_query(F_CONFIG | F_RRNAME, name, NULL, "<RR>");
-@@ -1792,6 +1701,7 @@ size_t answer_request(struct dns_header *header, char =
*limit, size_t qlen,
- 	     =20
- 	      if (intr)
- 		{
-+		  sec_data =3D 0;
- 		  ans =3D 1;
- 		  if (!dryrun)
- 		    {
-@@ -1805,6 +1715,7 @@ size_t answer_request(struct dns_header *header, char =
*limit, size_t qlen,
- 	      else if (ptr)
- 		{
- 		  ans =3D 1;
-+		  sec_data =3D 0;
- 		  if (!dryrun)
- 		    {
- 		      log_query(F_CONFIG | F_RRNAME, name, NULL, "<PTR>");
-@@ -1819,38 +1730,8 @@ size_t answer_request(struct dns_header *header, char=
 *limit, size_t qlen,
- 		}
- 	      else if ((crecp =3D cache_find_by_addr(NULL, &addr, now, is_arpa)))
- 		{
--		  if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && sec_reqd)
--		    {
--		      if (!option_bool(OPT_DNSSEC_VALID) || ((crecp->flags & F_NEG) && (c=
recp->flags & F_DNSSECOK)))
--			crecp =3D NULL;
--#ifdef HAVE_DNSSEC
--		      else if (crecp->flags & F_DNSSECOK)
--			{
--			  int gotsig =3D 0;
--			  struct crec *rr_crec =3D NULL;
--
--			  while ((rr_crec =3D cache_find_by_name(rr_crec, name, now, F_DS | F_DN=
SKEY)))
--			    {
--			      if (rr_crec->addr.sig.type_covered =3D=3D T_PTR && rr_crec->uid =
=3D=3D C_IN)
--				{
--				  char *sigdata =3D blockdata_retrieve(rr_crec->addr.sig.keydata, rr_cr=
ec->addr.sig.keylen, NULL);
--				  gotsig =3D 1;
--				 =20
--				  if (!dryrun &&=20
--				      add_resource_record(header, limit, &trunc, nameoffset, &ansp,=20
--							  rr_crec->ttd - now, &nameoffset,
--							  T_RRSIG, C_IN, "t", crecp->addr.sig.keylen, sigdata))
--				    anscount++;
--				}
--			    }=20
--			 =20
--			  if (!gotsig)
--			    crecp =3D NULL;
--			}
--#endif
--		    }
--
--		  if (crecp)
-+		  /* Don't use cache when DNSSEC data required. */
-+		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !sec_reqd || !(cr=
ecp->flags & F_DNSSECOK))
- 		    {
- 		      do=20
- 			{=20
-@@ -1860,19 +1741,19 @@ size_t answer_request(struct dns_header *header, cha=
r *limit, size_t qlen,
- 			 =20
- 			  if (!(crecp->flags & F_DNSSECOK))
- 			    sec_data =3D 0;
--			 =20
-+			  =20
-+			  ans =3D 1;
-+			  =20
- 			  if (crecp->flags & F_NEG)
- 			    {
--			      ans =3D 1;
- 			      auth =3D 0;
- 			      if (crecp->flags & F_NXDOMAIN)
- 				nxdomain =3D 1;
- 			      if (!dryrun)
- 				log_query(crecp->flags & ~F_FORWARD, name, &addr, NULL);
- 			    }
--			  else if ((crecp->flags & (F_HOSTS | F_DHCP)) || !sec_reqd || option_bo=
ol(OPT_DNSSEC_VALID))
-+			  else
- 			    {
--			      ans =3D 1;
- 			      if (!(crecp->flags & (F_HOSTS | F_DHCP)))
- 				auth =3D 0;
- 			      if (!dryrun)
-@@ -1892,6 +1773,7 @@ size_t answer_request(struct dns_header *header, char =
*limit, size_t qlen,
- 	      else if (is_rev_synth(is_arpa, &addr, name))
- 		{
- 		  ans =3D 1;
-+		  sec_data =3D 0;
- 		  if (!dryrun)
- 		    {
- 		      log_query(F_CONFIG | F_REVERSE | is_arpa, name, &addr, NULL);=20
-@@ -1908,6 +1790,7 @@ size_t answer_request(struct dns_header *header, char =
*limit, size_t qlen,
- 		{
- 		  /* if not in cache, enabled and private IPV4 address, return NXDOMAIN */
- 		  ans =3D 1;
-+		  sec_data =3D 0;
- 		  nxdomain =3D 1;
- 		  if (!dryrun)
- 		    log_query(F_CONFIG | F_REVERSE | F_IPV4 | F_NEG | F_NXDOMAIN,=20
-@@ -1955,6 +1838,7 @@ size_t answer_request(struct dns_header *header, char =
*limit, size_t qlen,
- 		  if (i =3D=3D 4)
- 		    {
- 		      ans =3D 1;
-+		      sec_data =3D 0;
- 		      if (!dryrun)
- 			{
- 			  addr.addr.addr4.s_addr =3D htonl(a);
-@@ -1993,6 +1877,7 @@ size_t answer_request(struct dns_header *header, char =
*limit, size_t qlen,
- 				continue;
- #endif=09
- 			      ans =3D 1;=09
-+			      sec_data =3D 0;
- 			      if (!dryrun)
- 				{
- 				  gotit =3D 1;
-@@ -2032,48 +1917,8 @@ size_t answer_request(struct dns_header *header, char=
 *limit, size_t qlen,
- 		      crecp =3D save;
- 		    }
-=20
--		  /* If the client asked for DNSSEC and we can't provide RRSIGs, either
--		     because we've not doing DNSSEC or the cached answer is signed by neg=
ative,
--		     don't answer from the cache, forward instead. */
--		  if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && sec_reqd)
--		    {
--		      if (!option_bool(OPT_DNSSEC_VALID) || ((crecp->flags & F_NEG) && (c=
recp->flags & F_DNSSECOK)))
--			crecp =3D NULL;
--#ifdef HAVE_DNSSEC
--		      else if (crecp->flags & F_DNSSECOK)
--			{
--			  /* We're returning validated data, need to return the RRSIG too. */
--			  struct crec *rr_crec =3D NULL;
--			  int sigtype =3D type;
--			  /* The signature may have expired even though the data is still in cac=
he,=20
--			     forward instead of answering from cache if so. */
--			  int gotsig =3D 0;
--			 =20
--			  if (crecp->flags & F_CNAME)
--			    sigtype =3D T_CNAME;
--			 =20
--			  while ((rr_crec =3D cache_find_by_name(rr_crec, name, now, F_DS | F_DN=
SKEY)))
--			    {
--			      if (rr_crec->addr.sig.type_covered =3D=3D sigtype && rr_crec->uid =
=3D=3D C_IN)
--				{
--				  char *sigdata =3D blockdata_retrieve(rr_crec->addr.sig.keydata, rr_cr=
ec->addr.sig.keylen, NULL);
--				  gotsig =3D 1;
--				 =20
--				  if (!dryrun &&=20
--				      add_resource_record(header, limit, &trunc, nameoffset, &ansp,=20
--							  rr_crec->ttd - now, &nameoffset,
--							  T_RRSIG, C_IN, "t", rr_crec->addr.sig.keylen, sigdata))
--				    anscount++;
--				}
--			    }
--			 =20
--			  if (!gotsig)
--			    crecp =3D NULL;
--			}
--#endif
--		    }		=20
--
--		  if (crecp)
-+		  /* If the client asked for DNSSEC  don't use cached data. */
-+		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !sec_reqd || !(cr=
ecp->flags & F_DNSSECOK))
- 		    do
- 		      {=20
- 			/* don't answer wildcard queries with data not from /etc/hosts
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/018-Move_code_which_caches_DS_records_to_a_m=
ore_logical_place.patch b/src/patches/dnsmasq/018-Move_code_which_caches_DS_r=
ecords_to_a_more_logical_place.patch
deleted file mode 100644
index ff055f7..0000000
--- a/src/patches/dnsmasq/018-Move_code_which_caches_DS_records_to_a_more_log=
ical_place.patch
+++ /dev/null
@@ -1,269 +0,0 @@
-From d64c81fff7faf4392b688223ef3a617c5c07e7dc Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Tue, 15 Dec 2015 16:11:06 +0000
-Subject: [PATCH] Move code which caches DS records to a more logical place.
-
----
- src/dnssec.c |  179 +++++++++++++++++++++++++++++--------------------------=
---
- 1 file changed, 90 insertions(+), 89 deletions(-)
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 1ae03a6..359231f 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -1204,7 +1204,10 @@ int dnssec_validate_by_ds(time_t now, struct dns_head=
er *header, size_t plen, ch
- int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, =
char *name, char *keyname, int class)
- {
-   unsigned char *p =3D (unsigned char *)(header+1);
--  int qtype, qclass, val, i, neganswer, nons;
-+  int qtype, qclass, rc, i, neganswer, nons;
-+  int aclass, atype, rdlen;
-+  unsigned long ttl;
-+  struct all_addr a;
-=20
-   if (ntohs(header->qdcount) !=3D 1 ||
-       !(p =3D skip_name(p, header, plen, 4)))
-@@ -1214,40 +1217,100 @@ int dnssec_validate_ds(time_t now, struct dns_heade=
r *header, size_t plen, char
-   GETSHORT(qclass, p);
-=20
-   if (qtype !=3D T_DS || qclass !=3D class)
--    val =3D STAT_BOGUS;
-+    rc =3D STAT_BOGUS;
-   else
--    val =3D dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0=
, &neganswer, &nons);
-+    rc =3D dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0,=
 &neganswer, &nons);
-   /* Note dnssec_validate_reply() will have cached positive answers */
-  =20
--  if (val =3D=3D STAT_INSECURE)
--    val =3D STAT_BOGUS;
--
-+  if (rc =3D=3D STAT_INSECURE)
-+    rc =3D STAT_BOGUS;
-+=20
-   p =3D (unsigned char *)(header+1);
-   extract_name(header, plen, &p, name, 1, 4);
-   p +=3D 4; /* qtype, qclass */
-  =20
--  if (!(p =3D skip_section(p, ntohs(header->ancount), header, plen)))
--    val =3D STAT_BOGUS;
-- =20
-   /* If the key needed to validate the DS is on the same domain as the DS, =
we'll
-      loop getting nowhere. Stop that now. This can happen of the DS answer =
comes
-      from the DS's zone, and not the parent zone. */
--  if (val =3D=3D STAT_BOGUS || (val =3D=3D STAT_NEED_KEY && hostname_isequa=
l(name, keyname)))
-+  if (rc =3D=3D STAT_BOGUS || (rc =3D=3D STAT_NEED_KEY && hostname_isequal(=
name, keyname)))
-     {
-       log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS");
-       return STAT_BOGUS;
-     }
-  =20
--  if (val !=3D STAT_SECURE)
--    return val;
--
--  /* By here, the answer is proved secure, and a positive answer has been c=
ached. */
--  if (neganswer)
-+  if (rc !=3D STAT_SECURE)
-+    return rc;
-+  =20
-+  if (!neganswer)
-     {
--      int rdlen, flags =3D F_FORWARD | F_DS | F_NEG | F_DNSSECOK;
--      unsigned long ttl, minttl =3D ULONG_MAX;
--      struct all_addr a;
-+      cache_start_insert();
-+     =20
-+      for (i =3D 0; i < ntohs(header->ancount); i++)
-+	{
-+	  if (!(rc =3D extract_name(header, plen, &p, name, 0, 10)))
-+	    return STAT_BOGUS; /* bad packet */
-+	 =20
-+	  GETSHORT(atype, p);
-+	  GETSHORT(aclass, p);
-+	  GETLONG(ttl, p);
-+	  GETSHORT(rdlen, p);
-+	 =20
-+	  if (!CHECK_LEN(header, p, plen, rdlen))
-+	    return STAT_BOGUS; /* bad packet */
-+	 =20
-+	  if (aclass =3D=3D class && atype =3D=3D T_DS && rc =3D=3D 1)
-+	    {=20
-+	      int algo, digest, keytag;
-+	      unsigned char *psave =3D p;
-+	      struct blockdata *key;
-+	      struct crec *crecp;
-=20
-+	      if (rdlen < 4)
-+		return STAT_BOGUS; /* bad packet */
-+	     =20
-+	      GETSHORT(keytag, p);
-+	      algo =3D *p++;
-+	      digest =3D *p++;
-+	     =20
-+	      /* Cache needs to known class for DNSSEC stuff */
-+	      a.addr.dnssec.class =3D class;
-+	     =20
-+	      if ((key =3D blockdata_alloc((char*)p, rdlen - 4)))
-+		{
-+		  if (!(crecp =3D cache_insert(name, &a, now, ttl, F_FORWARD | F_DS | F_D=
NSSECOK)))
-+		    {
-+		      blockdata_free(key);
-+		      return STAT_BOGUS;
-+		    }
-+		  else
-+		    {
-+		      a.addr.keytag =3D keytag;
-+		      log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %=
u");
-+		      crecp->addr.ds.digest =3D digest;
-+		      crecp->addr.ds.keydata =3D key;
-+		      crecp->addr.ds.algo =3D algo;
-+		      crecp->addr.ds.keytag =3D keytag;
-+		      crecp->addr.ds.keylen =3D rdlen - 4;=20
-+		    }=20
-+		}
-+	     =20
-+	      p =3D psave;
-+	     =20
-+	      if (!ADD_RDLEN(header, p, plen, rdlen))
-+		return STAT_BOGUS; /* bad packet */
-+	    }
-+	 =20
-+	  cache_end_insert();
-+	}
-+    }
-+  else
-+    {
-+      int flags =3D F_FORWARD | F_DS | F_NEG | F_DNSSECOK;
-+      unsigned long minttl =3D ULONG_MAX;
-+     =20
-+      if (!(p =3D skip_section(p, ntohs(header->ancount), header, plen)))
-+	return STAT_BOGUS;
-+     =20
-       if (RCODE(header) =3D=3D NXDOMAIN)
- 	flags |=3D F_NXDOMAIN;
-      =20
-@@ -1261,20 +1324,20 @@ int dnssec_validate_ds(time_t now, struct dns_header=
 *header, size_t plen, char
- 	  if (!(p =3D skip_name(p, header, plen, 0)))
- 	    return STAT_BOGUS;
- 	 =20
--	  GETSHORT(qtype, p);=20
--	  GETSHORT(qclass, p);
-+	  GETSHORT(atype, p);=20
-+	  GETSHORT(aclass, p);
- 	  GETLONG(ttl, p);
- 	  GETSHORT(rdlen, p);
--
-+	 =20
- 	  if (!CHECK_LEN(header, p, plen, rdlen))
- 	    return STAT_BOGUS; /* bad packet */
--	   =20
--	  if (qclass !=3D class || qtype !=3D T_SOA)
-+	 =20
-+	  if (aclass !=3D class || atype !=3D T_SOA)
- 	    {
- 	      p +=3D rdlen;
- 	      continue;
- 	    }
--          =20
-+	 =20
- 	  if (ttl < minttl)
- 	    minttl =3D ttl;
- 	 =20
-@@ -1306,7 +1369,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *=
header, size_t plen, char
- 	  log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "no DS");
- 	}
-     }
--
-+     =20
-   return STAT_OK;
- }
-=20
-@@ -2001,11 +2064,7 @@ int dnssec_validate_reply(time_t now, struct dns_head=
er *header, size_t plen, ch
- 	  /* Not done, validate now */
- 	  if (j =3D=3D i)
- 	    {
--	      int ttl, keytag, algo, digest, sigcnt, rrcnt;
--	      unsigned char *psave;
--	      struct all_addr a;
--	      struct blockdata *key;
--	      struct crec *crecp;
-+	      int sigcnt, rrcnt;
- 	      char *wildname;
- 	     =20
- 	      if (!explore_rrset(header, plen, class1, type1, name, keyname, &sigc=
nt, &rrcnt))
-@@ -2032,6 +2091,7 @@ int dnssec_validate_reply(time_t now, struct dns_heade=
r *header, size_t plen, ch
- 		 Can't overwrite name here. */
- 	      strcpy(daemon->workspacename, keyname);
- 	      rc =3D zone_status(daemon->workspacename, class1, keyname, now);
-+
- 	      if (rc !=3D STAT_SECURE)
- 		{
- 		  /* Zone is insecure, don't need to validate RRset */
-@@ -2088,65 +2148,6 @@ int dnssec_validate_reply(time_t now, struct dns_head=
er *header, size_t plen, ch
- 		      if (rc =3D=3D STAT_BOGUS)
- 			return rc;
- 		    }=20
--		 =20
--		  /* If we just validated a DS RRset, cache it */
--		  /* Also note if the RRset is the answer to the question, or the target =
of a CNAME */
--		  cache_start_insert();
--		 =20
--		  for (p2 =3D ans_start, j =3D 0; j < ntohs(header->ancount); j++)
--		    {
--		      if (!(rc =3D extract_name(header, plen, &p2, name, 0, 10)))
--			return STAT_BOGUS; /* bad packet */
--		     =20
--		      GETSHORT(type2, p2);
--		      GETSHORT(class2, p2);
--		      GETLONG(ttl, p2);
--		      GETSHORT(rdlen2, p2);
--		     =20
--		      if (!CHECK_LEN(header, p2, plen, rdlen2))
--			return STAT_BOGUS; /* bad packet */
--		     =20
--		      if (class2 =3D=3D class1 && rc =3D=3D 1)
--			{=20
--			  psave =3D p2;
--			 =20
--			  if (type1 =3D=3D T_DS && type2 =3D=3D T_DS)
--			    {
--			      if (rdlen2 < 4)
--				return STAT_BOGUS; /* bad packet */
--			     =20
--			      GETSHORT(keytag, p2);
--			      algo =3D *p2++;
--			      digest =3D *p2++;
--			     =20
--			      /* Cache needs to known class for DNSSEC stuff */
--			      a.addr.dnssec.class =3D class2;
--			     =20
--			      if ((key =3D blockdata_alloc((char*)p2, rdlen2 - 4)))
--				{
--				  if (!(crecp =3D cache_insert(name, &a, now, ttl, F_FORWARD | F_DS | F=
_DNSSECOK)))
--				    blockdata_free(key);
--				  else
--				    {
--				      a.addr.keytag =3D keytag;
--				      log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag=
 %u");
--				      crecp->addr.ds.digest =3D digest;
--				      crecp->addr.ds.keydata =3D key;
--				      crecp->addr.ds.algo =3D algo;
--				      crecp->addr.ds.keytag =3D keytag;
--				      crecp->addr.ds.keylen =3D rdlen2 - 4;=20
--				    }=20
--				}
--			    }
--
--			  p2 =3D psave;
--			}
--		     =20
--		      if (!ADD_RDLEN(header, p2, plen, rdlen2))
--			return STAT_BOGUS; /* bad packet */
--		    }
--		 =20
--		  cache_end_insert();
- 		}
- 	    }
- 	}
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_wit=
h_EDNS0.patch b/src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_=
with_EDNS0.patch
deleted file mode 100644
index 0a4942a..0000000
--- a/src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_with_EDNS0=
.patch
+++ /dev/null
@@ -1,755 +0,0 @@
-From c2bcd1e183bcc5fdd63811c045355fc57e36ecfd Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Tue, 15 Dec 2015 17:25:21 +0000
-Subject: [PATCH] Generalise RR-filtering code, for use with EDNS0.
-
----
- Makefile       |    3 +-
- bld/Android.mk |    2 +-
- src/dnsmasq.h  |    5 +
- src/dnssec.c   |  307 +-------------------------------------------------
- src/forward.c  |    2 +-
- src/rrfilter.c |  339 +++++++++++++++++++++++++++++++++++++++++++++++++++++=
+++
- 6 files changed, 349 insertions(+), 309 deletions(-)
- create mode 100644 src/rrfilter.c
-
-diff --git a/Makefile b/Makefile
-index 4c87ea9..b664160 100644
---- a/Makefile
-+++ b/Makefile
-@@ -73,7 +73,8 @@ objs =3D cache.o rfc1035.o util.o option.o forward.o netwo=
rk.o \
-        dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
-        helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
-        dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
--       domain.o dnssec.o blockdata.o tables.o loop.o inotify.o poll.o
-+       domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
-+       poll.o rrfilter.o
-=20
- hdrs =3D dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
-        dns-protocol.h radv-protocol.h ip6addr.h
-diff --git a/bld/Android.mk b/bld/Android.mk
-index 5364ee7..67b9c4b 100644
---- a/bld/Android.mk
-+++ b/bld/Android.mk
-@@ -10,7 +10,7 @@ LOCAL_SRC_FILES :=3D  bpf.c cache.c dbus.c dhcp.c dnsmasq.=
c \
- 		    dhcp6.c rfc3315.c dhcp-common.c outpacket.c \
- 		    radv.c slaac.c auth.c ipset.c domain.c \
- 	            dnssec.c dnssec-openssl.c blockdata.c tables.c \
--		    loop.c inotify.c poll.c
-+		    loop.c inotify.c poll.c rrfilter.c
-=20
- LOCAL_MODULE :=3D dnsmasq
-=20
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index 4344cae..39a930c 100644
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -1513,3 +1513,8 @@ int poll_check(int fd, short event);
- void poll_listen(int fd, short event);
- int do_poll(int timeout);
-=20
-+/* rrfilter.c */
-+size_t rrfilter(struct dns_header *header, size_t plen, int mode);
-+u16 *rrfilter_desc(int type);
-+int expand_workspace(unsigned char ***wkspc, int *szp, int new);
-+
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 359231f..fa3eb81 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -507,50 +507,6 @@ static int check_date_range(unsigned long date_start, u=
nsigned long date_end)
-     && serial_compare_32(curtime, date_end) =3D=3D SERIAL_LT;
- }
-=20
--static u16 *get_desc(int type)
--{
--  /* List of RRtypes which include domains in the data.
--     0 -> domain
--     integer -> no of plain bytes
--     -1 -> end
--
--     zero is not a valid RRtype, so the final entry is returned for
--     anything which needs no mangling.
--  */
-- =20
--  static u16 rr_desc[] =3D=20
--    {=20
--      T_NS, 0, -1,=20
--      T_MD, 0, -1,
--      T_MF, 0, -1,
--      T_CNAME, 0, -1,
--      T_SOA, 0, 0, -1,
--      T_MB, 0, -1,
--      T_MG, 0, -1,
--      T_MR, 0, -1,
--      T_PTR, 0, -1,
--      T_MINFO, 0, 0, -1,
--      T_MX, 2, 0, -1,
--      T_RP, 0, 0, -1,
--      T_AFSDB, 2, 0, -1,
--      T_RT, 2, 0, -1,
--      T_SIG, 18, 0, -1,
--      T_PX, 2, 0, 0, -1,
--      T_NXT, 0, -1,
--      T_KX, 2, 0, -1,
--      T_SRV, 6, 0, -1,
--      T_DNAME, 0, -1,
--      0, -1 /* wildcard/catchall */
--    };=20
-- =20
--  u16 *p =3D rr_desc;
-- =20
--  while (*p !=3D type && *p !=3D 0)
--    while (*p++ !=3D (u16)-1);
--
--  return p+1;
--}
--
- /* Return bytes of canonicalised rdata, when the return value is zero, the =
remaining=20
-    data, pointed to by *p, should be used raw. */
- static int get_rdata(struct dns_header *header, size_t plen, unsigned char =
*end, char *buff, int bufflen,
-@@ -594,34 +550,6 @@ static int get_rdata(struct dns_header *header, size_t =
plen, unsigned char *end,
-     }
- }
-=20
--static int expand_workspace(unsigned char ***wkspc, int *szp, int new)
--{
--  unsigned char **p;
--  int old =3D *szp;
--
--  if (old >=3D new+1)
--    return 1;
--
--  if (new >=3D 100)
--    return 0;
--
--  new +=3D 5;
-- =20
--  if (!(p =3D whine_malloc(new * sizeof(unsigned char **))))
--    return 0; =20
-- =20
--  if (old !=3D 0 && *wkspc)
--    {
--      memcpy(p, *wkspc, old * sizeof(unsigned char **));
--      free(*wkspc);
--    }
-- =20
--  *wkspc =3D p;
--  *szp =3D new;
--
--  return 1;
--}
--
- /* Bubble sort the RRset into the canonical order.=20
-    Note that the byte-streams from two RRs may get unsynced: consider=20
-    RRs which have two domain-names at the start and then other data.
-@@ -849,7 +777,7 @@ static int validate_rrset(time_t now, struct dns_header =
*header, size_t plen, in
-   int rdlen, j, name_labels;
-   struct crec *crecp =3D NULL;
-   int algo, labels, orig_ttl, key_tag;
--  u16 *rr_desc =3D get_desc(type);
-+  u16 *rr_desc =3D rrfilter_desc(type);
- =20
-   if (wildcard_out)
-     *wildcard_out =3D NULL;
-@@ -2266,239 +2194,6 @@ size_t dnssec_generate_query(struct dns_header *head=
er, char *end, char *name, i
-   return ret;
- }
-=20
--/* Go through a domain name, find "pointers" and fix them up based on how m=
any bytes
--   we've chopped out of the packet, or check they don't point into an elide=
d part.  */
--static int check_name(unsigned char **namep, struct dns_header *header, siz=
e_t plen, int fixup, unsigned char **rrs, int rr_count)
--{
--  unsigned char *ansp =3D *namep;
--
--  while(1)
--    {
--      unsigned int label_type;
--     =20
--      if (!CHECK_LEN(header, ansp, plen, 1))
--	return 0;
--     =20
--      label_type =3D (*ansp) & 0xc0;
--
--      if (label_type =3D=3D 0xc0)
--	{
--	  /* pointer for compression. */
--	  unsigned int offset;
--	  int i;
--	  unsigned char *p;
--	 =20
--	  if (!CHECK_LEN(header, ansp, plen, 2))
--	    return 0;
--
--	  offset =3D ((*ansp++) & 0x3f) << 8;
--	  offset |=3D *ansp++;
--
--	  p =3D offset + (unsigned char *)header;
--	 =20
--	  for (i =3D 0; i < rr_count; i++)
--	    if (p < rrs[i])
--	      break;
--	    else
--	      if (i & 1)
--		offset -=3D rrs[i] - rrs[i-1];
--
--	  /* does the pointer end up in an elided RR? */
--	  if (i & 1)
--	    return 0;
--
--	  /* No, scale the pointer */
--	  if (fixup)
--	    {
--	      ansp -=3D 2;
--	      *ansp++ =3D (offset >> 8) | 0xc0;
--	      *ansp++ =3D offset & 0xff;
--	    }
--	  break;
--	}
--      else if (label_type =3D=3D 0x80)
--	return 0; /* reserved */
--      else if (label_type =3D=3D 0x40)
--	{
--	  /* Extended label type */
--	  unsigned int count;
--	 =20
--	  if (!CHECK_LEN(header, ansp, plen, 2))
--	    return 0;
--	 =20
--	  if (((*ansp++) & 0x3f) !=3D 1)
--	    return 0; /* we only understand bitstrings */
--	 =20
--	  count =3D *(ansp++); /* Bits in bitstring */
--	 =20
--	  if (count =3D=3D 0) /* count =3D=3D 0 means 256 bits */
--	    ansp +=3D 32;
--	  else
--	    ansp +=3D ((count-1)>>3)+1;
--	}
--      else
--	{ /* label type =3D=3D 0 Bottom six bits is length */
--	  unsigned int len =3D (*ansp++) & 0x3f;
--	 =20
--	  if (!ADD_RDLEN(header, ansp, plen, len))
--	    return 0;
--
--	  if (len =3D=3D 0)
--	    break; /* zero length label marks the end. */
--	}
--    }
--
--  *namep =3D ansp;
--
--  return 1;
--}
--
--/* Go through RRs and check or fixup the domain names contained within */
--static int check_rrs(unsigned char *p, struct dns_header *header, size_t pl=
en, int fixup, unsigned char **rrs, int rr_count)
--{
--  int i, type, class, rdlen;
--  unsigned char *pp;
-- =20
--  for (i =3D 0; i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs=
(header->arcount); i++)
--    {
--      pp =3D p;
--
--      if (!(p =3D skip_name(p, header, plen, 10)))
--	return 0;
--     =20
--      GETSHORT(type, p);=20
--      GETSHORT(class, p);
--      p +=3D 4; /* TTL */
--      GETSHORT(rdlen, p);
--
--      if (type !=3D T_NSEC && type !=3D T_NSEC3 && type !=3D T_RRSIG)
--	{
--	  /* fixup name of RR */
--	  if (!check_name(&pp, header, plen, fixup, rrs, rr_count))
--	    return 0;
--	 =20
--	  if (class =3D=3D C_IN)
--	    {
--	      u16 *d;
--=20
--	      for (pp =3D p, d =3D get_desc(type); *d !=3D (u16)-1; d++)
--		{
--		  if (*d !=3D 0)
--		    pp +=3D *d;
--		  else if (!check_name(&pp, header, plen, fixup, rrs, rr_count))
--		    return 0;
--		}
--	    }
--	}
--     =20
--      if (!ADD_RDLEN(header, p, plen, rdlen))
--	return 0;
--    }
-- =20
--  return 1;
--}
--=09
--
--size_t filter_rrsigs(struct dns_header *header, size_t plen)
--{
--  static unsigned char **rrs;
--  static int rr_sz =3D 0;
-- =20
--  unsigned char *p =3D (unsigned char *)(header+1);
--  int i, rdlen, qtype, qclass, rr_found, chop_an, chop_ns, chop_ar;
--
--  if (ntohs(header->qdcount) !=3D 1 ||
--      !(p =3D skip_name(p, header, plen, 4)))
--    return plen;
-- =20
--  GETSHORT(qtype, p);
--  GETSHORT(qclass, p);
--
--  /* First pass, find pointers to start and end of all the records we wish =
to elide:
--     records added for DNSSEC, unless explicity queried for */
--  for (rr_found =3D 0, chop_ns =3D 0, chop_an =3D 0, chop_ar =3D 0, i =3D 0=
;=20
--       i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->=
arcount);
--       i++)
--    {
--      unsigned char *pstart =3D p;
--      int type, class;
--
--      if (!(p =3D skip_name(p, header, plen, 10)))
--	return plen;
--     =20
--      GETSHORT(type, p);=20
--      GETSHORT(class, p);
--      p +=3D 4; /* TTL */
--      GETSHORT(rdlen, p);
--     =20
--      if ((type =3D=3D T_NSEC || type =3D=3D T_NSEC3 || type =3D=3D T_RRSIG=
) &&=20
--	  (type !=3D qtype || class !=3D qclass))
--	{
--	  if (!expand_workspace(&rrs, &rr_sz, rr_found + 1))
--	    return plen;=20
--	 =20
--	  rrs[rr_found++] =3D pstart;
--
--	  if (!ADD_RDLEN(header, p, plen, rdlen))
--	    return plen;
--	 =20
--	  rrs[rr_found++] =3D p;
--	 =20
--	  if (i < ntohs(header->ancount))
--	    chop_an++;
--	  else if (i < (ntohs(header->nscount) + ntohs(header->ancount)))
--	    chop_ns++;
--	  else
--	    chop_ar++;
--	}
--      else if (!ADD_RDLEN(header, p, plen, rdlen))
--	return plen;
--    }
-- =20
--  /* Nothing to do. */
--  if (rr_found =3D=3D 0)
--    return plen;
--
--  /* Second pass, look for pointers in names in the records we're keeping a=
nd make sure they don't
--     point to records we're going to elide. This is theoretically possible,=
 but unlikely. If
--     it happens, we give up and leave the answer unchanged. */
--  p =3D (unsigned char *)(header+1);
-- =20
--  /* question first */
--  if (!check_name(&p, header, plen, 0, rrs, rr_found))
--    return plen;
--  p +=3D 4; /* qclass, qtype */
-- =20
--  /* Now answers and NS */
--  if (!check_rrs(p, header, plen, 0, rrs, rr_found))
--    return plen;
-- =20
--  /* Third pass, elide records */
--  for (p =3D rrs[0], i =3D 1; i < rr_found; i +=3D 2)
--    {
--      unsigned char *start =3D rrs[i];
--      unsigned char *end =3D (i !=3D rr_found - 1) ? rrs[i+1] : ((unsigned =
char *)(header+1)) + plen;
--     =20
--      memmove(p, start, end-start);
--      p +=3D end-start;
--    }
--    =20
--  plen =3D p - (unsigned char *)header;
--  header->ancount =3D htons(ntohs(header->ancount) - chop_an);
--  header->nscount =3D htons(ntohs(header->nscount) - chop_ns);
--  header->arcount =3D htons(ntohs(header->arcount) - chop_ar);
--
--  /* Fourth pass, fix up pointers in the remaining records */
--  p =3D (unsigned char *)(header+1);
-- =20
--  check_name(&p, header, plen, 1, rrs, rr_found);
--  p +=3D 4; /* qclass, qtype */
-- =20
--  check_rrs(p, header, plen, 1, rrs, rr_found);
-- =20
--  return plen;
--}
--
- unsigned char* hash_questions(struct dns_header *header, size_t plen, char =
*name)
- {
-   int q;
-diff --git a/src/forward.c b/src/forward.c
-index dd22a62..3e801c8 100644
---- a/src/forward.c
-+++ b/src/forward.c
-@@ -662,7 +662,7 @@ static size_t process_reply(struct dns_header *header, t=
ime_t now, struct server
-=20
-   /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
-   if (!do_bit)
--    n =3D filter_rrsigs(header, n);
-+    n =3D rrfilter(header, n, 1);
- #endif
-=20
-   /* do this after extract_addresses. Ensure NODATA reply and remove
-diff --git a/src/rrfilter.c b/src/rrfilter.c
-new file mode 100644
-index 0000000..ae12261
---- /dev/null
-+++ b/src/rrfilter.c
-@@ -0,0 +1,339 @@
-+/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
-+
-+   This program is free software; you can redistribute it and/or modify
-+   it under the terms of the GNU General Public License as published by
-+   the Free Software Foundation; version 2 dated June, 1991, or
-+   (at your option) version 3 dated 29 June, 2007.
-+=20
-+   This program is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+   GNU General Public License for more details.
-+    =20
-+   You should have received a copy of the GNU General Public License
-+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+/* Code to safely remove RRs from an DNS answer */=20
-+
-+#include "dnsmasq.h"
-+
-+/* Go through a domain name, find "pointers" and fix them up based on how m=
any bytes
-+   we've chopped out of the packet, or check they don't point into an elide=
d part.  */
-+static int check_name(unsigned char **namep, struct dns_header *header, siz=
e_t plen, int fixup, unsigned char **rrs, int rr_count)
-+{
-+  unsigned char *ansp =3D *namep;
-+
-+  while(1)
-+    {
-+      unsigned int label_type;
-+     =20
-+      if (!CHECK_LEN(header, ansp, plen, 1))
-+	return 0;
-+     =20
-+      label_type =3D (*ansp) & 0xc0;
-+
-+      if (label_type =3D=3D 0xc0)
-+	{
-+	  /* pointer for compression. */
-+	  unsigned int offset;
-+	  int i;
-+	  unsigned char *p;
-+	 =20
-+	  if (!CHECK_LEN(header, ansp, plen, 2))
-+	    return 0;
-+
-+	  offset =3D ((*ansp++) & 0x3f) << 8;
-+	  offset |=3D *ansp++;
-+
-+	  p =3D offset + (unsigned char *)header;
-+	 =20
-+	  for (i =3D 0; i < rr_count; i++)
-+	    if (p < rrs[i])
-+	      break;
-+	    else
-+	      if (i & 1)
-+		offset -=3D rrs[i] - rrs[i-1];
-+
-+	  /* does the pointer end up in an elided RR? */
-+	  if (i & 1)
-+	    return 0;
-+
-+	  /* No, scale the pointer */
-+	  if (fixup)
-+	    {
-+	      ansp -=3D 2;
-+	      *ansp++ =3D (offset >> 8) | 0xc0;
-+	      *ansp++ =3D offset & 0xff;
-+	    }
-+	  break;
-+	}
-+      else if (label_type =3D=3D 0x80)
-+	return 0; /* reserved */
-+      else if (label_type =3D=3D 0x40)
-+	{
-+	  /* Extended label type */
-+	  unsigned int count;
-+	 =20
-+	  if (!CHECK_LEN(header, ansp, plen, 2))
-+	    return 0;
-+	 =20
-+	  if (((*ansp++) & 0x3f) !=3D 1)
-+	    return 0; /* we only understand bitstrings */
-+	 =20
-+	  count =3D *(ansp++); /* Bits in bitstring */
-+	 =20
-+	  if (count =3D=3D 0) /* count =3D=3D 0 means 256 bits */
-+	    ansp +=3D 32;
-+	  else
-+	    ansp +=3D ((count-1)>>3)+1;
-+	}
-+      else
-+	{ /* label type =3D=3D 0 Bottom six bits is length */
-+	  unsigned int len =3D (*ansp++) & 0x3f;
-+	 =20
-+	  if (!ADD_RDLEN(header, ansp, plen, len))
-+	    return 0;
-+
-+	  if (len =3D=3D 0)
-+	    break; /* zero length label marks the end. */
-+	}
-+    }
-+
-+  *namep =3D ansp;
-+
-+  return 1;
-+}
-+
-+/* Go through RRs and check or fixup the domain names contained within */
-+static int check_rrs(unsigned char *p, struct dns_header *header, size_t pl=
en, int fixup, unsigned char **rrs, int rr_count)
-+{
-+  int i, j, type, class, rdlen;
-+  unsigned char *pp;
-+ =20
-+  for (i =3D 0; i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs=
(header->arcount); i++)
-+    {
-+      pp =3D p;
-+
-+      if (!(p =3D skip_name(p, header, plen, 10)))
-+	return 0;
-+     =20
-+      GETSHORT(type, p);=20
-+      GETSHORT(class, p);
-+      p +=3D 4; /* TTL */
-+      GETSHORT(rdlen, p);
-+
-+      /* If this RR is to be elided, don't fix up its contents */
-+      for (j =3D 0; j < rr_count; j +=3D 2)
-+	if (rrs[j] =3D=3D pp)
-+	  break;
-+
-+      if (j >=3D rr_count)
-+	{
-+	  /* fixup name of RR */
-+	  if (!check_name(&pp, header, plen, fixup, rrs, rr_count))
-+	    return 0;
-+	 =20
-+	  if (class =3D=3D C_IN)
-+	    {
-+	      u16 *d;
-+=20
-+	      for (pp =3D p, d =3D rrfilter_desc(type); *d !=3D (u16)-1; d++)
-+		{
-+		  if (*d !=3D 0)
-+		    pp +=3D *d;
-+		  else if (!check_name(&pp, header, plen, fixup, rrs, rr_count))
-+		    return 0;
-+		}
-+	    }
-+	}
-+     =20
-+      if (!ADD_RDLEN(header, p, plen, rdlen))
-+	return 0;
-+    }
-+ =20
-+  return 1;
-+}
-+=09
-+
-+/* mode is 0 to remove EDNS0, 1 to filter DNSSEC RRs */
-+size_t rrfilter(struct dns_header *header, size_t plen, int mode)
-+{
-+  static unsigned char **rrs;
-+  static int rr_sz =3D 0;
-+
-+  unsigned char *p =3D (unsigned char *)(header+1);
-+  int i, rdlen, qtype, qclass, rr_found, chop_an, chop_ns, chop_ar;
-+
-+  if (ntohs(header->qdcount) !=3D 1 ||
-+      !(p =3D skip_name(p, header, plen, 4)))
-+    return plen;
-+ =20
-+  GETSHORT(qtype, p);
-+  GETSHORT(qclass, p);
-+
-+  /* First pass, find pointers to start and end of all the records we wish =
to elide:
-+     records added for DNSSEC, unless explicity queried for */
-+  for (rr_found =3D 0, chop_ns =3D 0, chop_an =3D 0, chop_ar =3D 0, i =3D 0=
;=20
-+       i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->=
arcount);
-+       i++)
-+    {
-+      unsigned char *pstart =3D p;
-+      int type, class;
-+
-+      if (!(p =3D skip_name(p, header, plen, 10)))
-+	return plen;
-+     =20
-+      GETSHORT(type, p);=20
-+      GETSHORT(class, p);
-+      p +=3D 4; /* TTL */
-+      GETSHORT(rdlen, p);
-+       =20
-+      if (!ADD_RDLEN(header, p, plen, rdlen))
-+	return plen;
-+
-+      /* Don't remove the answer. */
-+      if (i < ntohs(header->ancount) && type =3D=3D qtype && class =3D=3D q=
class)
-+	continue;
-+     =20
-+      if (mode =3D=3D 0) /* EDNS */
-+	{
-+	  /* EDNS mode, remove T_OPT from additional section only */
-+	  if (i < (ntohs(header->nscount) + ntohs(header->ancount)) || type !=3D T=
_OPT)
-+	    continue;
-+	}
-+      else if (type !=3D T_NSEC && type !=3D T_NSEC3 && type !=3D T_RRSIG)
-+	/* DNSSEC mode, remove SIGs and NSECs from all three sections. */
-+	continue;
-+     =20
-+     =20
-+      if (!expand_workspace(&rrs, &rr_sz, rr_found + 1))
-+	return plen;=20
-+     =20
-+      rrs[rr_found++] =3D pstart;
-+      rrs[rr_found++] =3D p;
-+     =20
-+      if (i < ntohs(header->ancount))
-+	chop_an++;
-+      else if (i < (ntohs(header->nscount) + ntohs(header->ancount)))
-+	chop_ns++;
-+      else
-+	chop_ar++;
-+    }
-+ =20
-+  /* Nothing to do. */
-+  if (rr_found =3D=3D 0)
-+    return plen;
-+
-+  /* Second pass, look for pointers in names in the records we're keeping a=
nd make sure they don't
-+     point to records we're going to elide. This is theoretically possible,=
 but unlikely. If
-+     it happens, we give up and leave the answer unchanged. */
-+  p =3D (unsigned char *)(header+1);
-+ =20
-+  /* question first */
-+  if (!check_name(&p, header, plen, 0, rrs, rr_found))
-+    return plen;
-+  p +=3D 4; /* qclass, qtype */
-+ =20
-+  /* Now answers and NS */
-+  if (!check_rrs(p, header, plen, 0, rrs, rr_found))
-+    return plen;
-+ =20
-+  /* Third pass, elide records */
-+  for (p =3D rrs[0], i =3D 1; i < rr_found; i +=3D 2)
-+    {
-+      unsigned char *start =3D rrs[i];
-+      unsigned char *end =3D (i !=3D rr_found - 1) ? rrs[i+1] : ((unsigned =
char *)(header+1)) + plen;
-+     =20
-+      memmove(p, start, end-start);
-+      p +=3D end-start;
-+    }
-+    =20
-+  plen =3D p - (unsigned char *)header;
-+  header->ancount =3D htons(ntohs(header->ancount) - chop_an);
-+  header->nscount =3D htons(ntohs(header->nscount) - chop_ns);
-+  header->arcount =3D htons(ntohs(header->arcount) - chop_ar);
-+
-+  /* Fourth pass, fix up pointers in the remaining records */
-+  p =3D (unsigned char *)(header+1);
-+ =20
-+  check_name(&p, header, plen, 1, rrs, rr_found);
-+  p +=3D 4; /* qclass, qtype */
-+ =20
-+  check_rrs(p, header, plen, 1, rrs, rr_found);
-+ =20
-+  return plen;
-+}
-+
-+/* This is used in the DNSSEC code too, hence it's exported */
-+u16 *rrfilter_desc(int type)
-+{
-+  /* List of RRtypes which include domains in the data.
-+     0 -> domain
-+     integer -> no of plain bytes
-+     -1 -> end
-+
-+     zero is not a valid RRtype, so the final entry is returned for
-+     anything which needs no mangling.
-+  */
-+ =20
-+  static u16 rr_desc[] =3D=20
-+    {=20
-+      T_NS, 0, -1,=20
-+      T_MD, 0, -1,
-+      T_MF, 0, -1,
-+      T_CNAME, 0, -1,
-+      T_SOA, 0, 0, -1,
-+      T_MB, 0, -1,
-+      T_MG, 0, -1,
-+      T_MR, 0, -1,
-+      T_PTR, 0, -1,
-+      T_MINFO, 0, 0, -1,
-+      T_MX, 2, 0, -1,
-+      T_RP, 0, 0, -1,
-+      T_AFSDB, 2, 0, -1,
-+      T_RT, 2, 0, -1,
-+      T_SIG, 18, 0, -1,
-+      T_PX, 2, 0, 0, -1,
-+      T_NXT, 0, -1,
-+      T_KX, 2, 0, -1,
-+      T_SRV, 6, 0, -1,
-+      T_DNAME, 0, -1,
-+      0, -1 /* wildcard/catchall */
-+    };=20
-+ =20
-+  u16 *p =3D rr_desc;
-+ =20
-+  while (*p !=3D type && *p !=3D 0)
-+    while (*p++ !=3D (u16)-1);
-+
-+  return p+1;
-+}
-+
-+int expand_workspace(unsigned char ***wkspc, int *szp, int new)
-+{
-+  unsigned char **p;
-+  int old =3D *szp;
-+
-+  if (old >=3D new+1)
-+    return 1;
-+
-+  if (new >=3D 100)
-+    return 0;
-+
-+  new +=3D 5;
-+ =20
-+  if (!(p =3D whine_malloc(new * sizeof(unsigned char **))))
-+    return 0; =20
-+ =20
-+  if (old !=3D 0 && *wkspc)
-+    {
-+      memcpy(p, *wkspc, old * sizeof(unsigned char **));
-+      free(*wkspc);
-+    }
-+ =20
-+  *wkspc =3D p;
-+  *szp =3D new;
-+
-+  return 1;
-+}
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch b/src/patc=
hes/dnsmasq/020-DNSSEC_validation_tweak.patch
deleted file mode 100644
index ffb412b..0000000
--- a/src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 2dbba34b2c1289a108f876c78b84889f2a93115d Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Wed, 16 Dec 2015 13:41:58 +0000
-Subject: [PATCH] DNSSEC validation tweak.
-
-A zone which has at least one key with an algorithm we don't
-support should be considered as insecure.
----
- src/dnssec.c |   82 ++++++++++++++++++++++++++++++++++++++-----------------=
---
- 1 file changed, 54 insertions(+), 28 deletions(-)
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index fa3eb81..dc563e0 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -763,10 +763,10 @@ static int explore_rrset(struct dns_header *header, si=
ze_t plen, int class, int
-    STAT_NEED_KEY need DNSKEY to complete validation (name is returned in ke=
yname)
-    STAT_NEED_DS  need DS to complete validation (name is returned in keynam=
e)
-=20
--   if key is non-NULL, use that key, which has the algo and tag given in th=
e params of those names,
-+   If key is non-NULL, use that key, which has the algo and tag given in th=
e params of those names,
-    otherwise find the key in the cache.
-=20
--   name is unchanged on exit. keyname is used as workspace and trashed.
-+   Name is unchanged on exit. keyname is used as workspace and trashed.
-=20
-    Call explore_rrset first to find and count RRs and sigs.
- */
-@@ -919,6 +919,7 @@ static int validate_rrset(time_t now, struct dns_header =
*header, size_t plen, in
-   return STAT_BOGUS;
- }
- =20
-+
- /* The DNS packet is expected to contain the answer to a DNSKEY query.
-    Put all DNSKEYs in the answer which are valid into the cache.
-    return codes:
-@@ -1831,15 +1832,15 @@ static int prove_non_existence_nsec3(struct dns_head=
er *header, size_t plen, uns
-=20
- /* Check signing status of name.
-    returns:
--   STAT_SECURE zone is signed.
--   STAT_INSECURE zone proved unsigned.
--   STAT_NEED_DS require DS record of name returned in keyname.
--  =20
-+   STAT_SECURE      zone is signed.
-+   STAT_INSECURE    zone proved unsigned.
-+   STAT_NEED_DS     require DS record of name returned in keyname.
-+   STAT_NEED_DNSKEY require DNSKEY record of name returned in keyname.
-    name returned unaltered.
- */
- static int zone_status(char *name, int class, char *keyname, time_t now)
- {
--  int name_start =3D strlen(name);
-+  int secure_ds, name_start =3D strlen(name);
-   struct crec *crecp;
-   char *p;
-  =20
-@@ -1850,27 +1851,52 @@ static int zone_status(char *name, int class, char *=
keyname, time_t now)
-       if (!(crecp =3D cache_find_by_name(NULL, keyname, now, F_DS)))
- 	return STAT_NEED_DS;
-       else
--	do=20
--	  {
--	    if (crecp->uid =3D=3D (unsigned int)class)
--	      {
--		/* F_DNSSECOK misused in DS cache records to non-existance of NS record.
--		   F_NEG && !F_DNSSECOK implies that we've proved there's no DS record he=
re,
--		   but that's because there's no NS record either, ie this isn't the start
--		   of a zone. We only prove that the DNS tree below a node is unsigned wh=
en
--		   we prove that we're at a zone cut AND there's no DS record.
--		*/	 =20
--		if (crecp->flags & F_NEG)
--		  {
--		    if (crecp->flags & F_DNSSECOK)
--		      return STAT_INSECURE; /* proved no DS here */
--		  }
--		else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(crec=
p->addr.ds.algo))
--		  return STAT_INSECURE; /* algo we can't use - insecure */
--	      }
--	  }
--	while ((crecp =3D cache_find_by_name(crecp, keyname, now, F_DS)));
--     =20
-+	{
-+	  secure_ds =3D 0;
-+	 =20
-+	  do=20
-+	    {
-+	      if (crecp->uid =3D=3D (unsigned int)class)
-+		{
-+		  /* F_DNSSECOK misused in DS cache records to non-existance of NS record.
-+		     F_NEG && !F_DNSSECOK implies that we've proved there's no DS record =
here,
-+		     but that's because there's no NS record either, ie this isn't the st=
art
-+		     of a zone. We only prove that the DNS tree below a node is unsigned =
when
-+		     we prove that we're at a zone cut AND there's no DS record.
-+		  */	 =20
-+		  if (crecp->flags & F_NEG)
-+		    {
-+		      if (crecp->flags & F_DNSSECOK)
-+			return STAT_INSECURE; /* proved no DS here */
-+		    }
-+		  else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(cr=
ecp->addr.ds.algo))
-+		    return STAT_INSECURE; /* algo we can't use - insecure */
-+		  else
-+		    secure_ds =3D 1;
-+		}
-+	    }
-+	  while ((crecp =3D cache_find_by_name(crecp, keyname, now, F_DS)));
-+	}
-+
-+      if (secure_ds)
-+	{
-+	  /* We've found only DS records that attest to the DNSKEY RRset in the zo=
ne, so we believe
-+	     that RRset is good. Furthermore the DNSKEY whose hash is proved by th=
e DS record is
-+	     one we can use. However the DNSKEY RRset may contain more than one ke=
y and
-+	     one of the other keys may use an algorithm we don't support. If that'=
s=20
-+	     the case the zone is insecure for us. */
-+	 =20
-+	  if (!(crecp =3D cache_find_by_name(NULL, keyname, now, F_DNSKEY)))
-+	    return STAT_NEED_KEY;
-+
-+	  do=20
-+	    {
-+	      if (crecp->uid =3D=3D (unsigned int)class && !algo_digest_name(crecp=
->addr.key.algo))
-+		return STAT_INSECURE;
-+	    }
-+	  while ((crecp =3D cache_find_by_name(crecp, keyname, now, F_DNSKEY)));
-+	}
-+
-       if (name_start =3D=3D 0)
- 	break;
-=20
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/021-Tweaks_to_EDNS0_handling_in_DNS_replies.=
patch b/src/patches/dnsmasq/021-Tweaks_to_EDNS0_handling_in_DNS_replies.patch
deleted file mode 100644
index c3c74cc..0000000
--- a/src/patches/dnsmasq/021-Tweaks_to_EDNS0_handling_in_DNS_replies.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From dd4ad9ac7ea6d51dcc34a1f2cd2da14efbb87714 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Thu, 17 Dec 2015 10:44:58 +0000
-Subject: [PATCH] Tweaks to EDNS0 handling in DNS replies.
-
----
- src/dnssec.c  |   20 +++++++++-----------
- src/rfc1035.c |   57 +++++++++++++++++++++++++++++++++---------------------=
---
- 2 files changed, 42 insertions(+), 35 deletions(-)
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index dc563e0..012b2a6 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -2129,18 +2129,16 @@ int dnssec_validate_reply(time_t now, struct dns_hea=
der *header, size_t plen, ch
- 	    /* Empty DS without NSECS */
- 	    if (qtype =3D=3D T_DS)
- 	      return STAT_BOGUS;
--	    else
-+	   =20
-+	    rc =3D zone_status(name, qclass, keyname, now);
-+	    if (rc !=3D STAT_SECURE)
- 	      {
--		rc =3D zone_status(name, qclass, keyname, now);
--		if (rc !=3D STAT_SECURE)
--		  {
--		    if (class)
--		      *class =3D qclass; /* Class for NEED_DS or NEED_DNSKEY */
--		    return rc;
--		  }=20
--	=09
--		return STAT_BOGUS; /* signed zone, no NSECs */
--	      }
-+		if (class)
-+		  *class =3D qclass; /* Class for NEED_DS or NEED_DNSKEY */
-+		return rc;
-+	      }=20
-+	   =20
-+	    return STAT_BOGUS; /* signed zone, no NSECs */
- 	  }
-=20
- 	  if (nsec_type =3D=3D T_NSEC)
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index def8fa0..188d05f 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -1539,7 +1539,13 @@ size_t answer_request(struct dns_header *header, char=
 *limit, size_t qlen,
-   int nxdomain =3D 0, auth =3D 1, trunc =3D 0, sec_data =3D 1;
-   struct mx_srv_record *rec;
-   size_t len;
--=20
-+ =20
-+  if (ntohs(header->ancount) !=3D 0 ||
-+      ntohs(header->nscount) !=3D 0 ||
-+      ntohs(header->qdcount) =3D=3D 0 ||=20
-+      OPCODE(header) !=3D QUERY )
-+    return 0;
-+ =20
-   /* Don't return AD set if checking disabled. */
-   if (header->hb4 & HB4_CD)
-     sec_data =3D 0;
-@@ -1548,33 +1554,32 @@ size_t answer_request(struct dns_header *header, cha=
r *limit, size_t qlen,
-   *ad_reqd =3D header->hb4 & HB4_AD;
-   *do_bit =3D 0;
-=20
--  /* If there is an RFC2671 pseudoheader then it will be overwritten by
-+  /* If there is an  additional data section then it will be overwritten by
-      partial replies, so we have to do a dry run to see if we can answer
--     the query. We check to see if the do bit is set, if so we always
--     forward rather than answering from the cache, which doesn't include
--     security information, unless we're in DNSSEC validation mode. */
-+     the query. */
-=20
--  if (find_pseudoheader(header, qlen, NULL, &pheader, NULL))
--    {=20
--      unsigned short flags;
--     =20
--      have_pseudoheader =3D 1;
-+  if (ntohs(header->arcount) !=3D 0)
-+    {
-+      dryrun =3D 1;
-=20
--      pheader +=3D 4; /* udp size, ext_rcode */
--      GETSHORT(flags, pheader);
--     =20
--      if ((sec_reqd =3D flags & 0x8000))
--	{
--	  *do_bit =3D 1;/* do bit */=20
--	  *ad_reqd =3D 1;
-+      /* If there's an additional section, there might be an EDNS(0) pseudo=
header */
-+      if (find_pseudoheader(header, qlen, NULL, &pheader, NULL))
-+	{=20
-+	  unsigned short flags;
-+	 =20
-+	  have_pseudoheader =3D 1;
-+	 =20
-+	  pheader +=3D 4; /* udp size, ext_rcode */
-+	  GETSHORT(flags, pheader);
-+	 =20
-+	  if ((sec_reqd =3D flags & 0x8000))
-+	    {
-+	      *do_bit =3D 1;/* do bit */=20
-+	      *ad_reqd =3D 1;
-+	    }
- 	}
--
--      dryrun =3D 1;
-     }
-=20
--  if (ntohs(header->qdcount) =3D=3D 0 || OPCODE(header) !=3D QUERY )
--    return 0;
-- =20
-   for (rec =3D daemon->mxnames; rec; rec =3D rec->next)
-     rec->offset =3D 0;
-  =20
-@@ -1730,8 +1735,12 @@ size_t answer_request(struct dns_header *header, char=
 *limit, size_t qlen,
- 		}
- 	      else if ((crecp =3D cache_find_by_addr(NULL, &addr, now, is_arpa)))
- 		{
--		  /* Don't use cache when DNSSEC data required. */
--		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !sec_reqd || !(cr=
ecp->flags & F_DNSSECOK))
-+		  /* Don't use cache when DNSSEC data required, unless we know that
-+		     the zone is unsigned, which implies that we're doing
-+		     validation. */
-+		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||=20
-+		      !sec_reqd ||=20
-+		      (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
- 		    {
- 		      do=20
- 			{=20
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/022-Tidy_up_DNSSEC_non-existence_code_Check_=
zone_status_is_NSEC_proof_bad.patch b/src/patches/dnsmasq/022-Tidy_up_DNSSEC_=
non-existence_code_Check_zone_status_is_NSEC_proof_bad.patch
deleted file mode 100644
index 60503e9..0000000
--- a/src/patches/dnsmasq/022-Tidy_up_DNSSEC_non-existence_code_Check_zone_st=
atus_is_NSEC_proof_bad.patch
+++ /dev/null
@@ -1,409 +0,0 @@
-From b40f26c0199235073abc37e1e1d6ed93bed372f5 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Thu, 17 Dec 2015 11:57:26 +0000
-Subject: [PATCH] Tidy up DNSSEC non-existence code. Check zone status is NSEC
- proof bad.
-
----
- src/dnssec.c |  207 +++++++++++++++++++++++++------------------------------=
---
- 1 file changed, 90 insertions(+), 117 deletions(-)
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 012b2a6..ddae497 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -1367,59 +1367,6 @@ static int hostname_cmp(const char *a, const char *b)
-     }
- }
-=20
--/* Find all the NSEC or NSEC3 records in a reply.
--   return an array of pointers to them. */
--static int find_nsec_records(struct dns_header *header, size_t plen, unsign=
ed char ***nsecsetp, int *nsecsetl, int class_reqd)
--{
--  static unsigned char **nsecset =3D NULL;
--  static int nsecset_sz =3D 0;
-- =20
--  int type_found =3D 0;
--  unsigned char *p =3D skip_questions(header, plen);
--  int type, class, rdlen, i, nsecs_found;
--
--  /* Move to NS section */
--  if (!p || !(p =3D skip_section(p, ntohs(header->ancount), header, plen)))
--    return 0;
-- =20
--  for (nsecs_found =3D 0, i =3D ntohs(header->nscount); i !=3D 0; i--)
--    {
--      unsigned char *pstart =3D p;
--     =20
--      if (!(p =3D skip_name(p, header, plen, 10)))
--	return 0;
--     =20
--      GETSHORT(type, p);=20
--      GETSHORT(class, p);
--      p +=3D 4; /* TTL */
--      GETSHORT(rdlen, p);
--
--      if (class =3D=3D class_reqd && (type =3D=3D T_NSEC || type =3D=3D T_N=
SEC3))
--	{
--	  /* No mixed NSECing 'round here, thankyouverymuch */
--	  if (type_found =3D=3D T_NSEC && type =3D=3D T_NSEC3)
--	    return 0;
--	  if (type_found =3D=3D T_NSEC3 && type =3D=3D T_NSEC)
--	    return 0;
--
--	  type_found =3D type;
--
--	  if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found))
--	    return 0;=20
--	 =20
--	  nsecset[nsecs_found++] =3D pstart;
--	}
--     =20
--      if (!ADD_RDLEN(header, p, plen, rdlen))
--	return 0;
--    }
-- =20
--  *nsecsetp =3D nsecset;
--  *nsecsetl =3D nsecs_found;
-- =20
--  return type_found;
--}
--
- static int prove_non_existence_nsec(struct dns_header *header, size_t plen,=
 unsigned char **nsecs, int nsec_count,
- 				    char *workspace1, char *workspace2, char *name, int type, int *nons)
- {
-@@ -1436,12 +1383,12 @@ static int prove_non_existence_nsec(struct dns_heade=
r *header, size_t plen, unsi
-     {
-       p =3D nsecs[i];
-       if (!extract_name(header, plen, &p, workspace1, 1, 10))
--	return STAT_BOGUS;
-+	return 0;
-       p +=3D 8; /* class, type, TTL */
-       GETSHORT(rdlen, p);
-       psave =3D p;
-       if (!extract_name(header, plen, &p, workspace2, 1, 10))
--	return STAT_BOGUS;
-+	return 0;
-      =20
-       rc =3D hostname_cmp(workspace1, name);
-      =20
-@@ -1449,7 +1396,7 @@ static int prove_non_existence_nsec(struct dns_header =
*header, size_t plen, unsi
- 	{
- 	  /* 4035 para 5.4. Last sentence */
- 	  if (type =3D=3D T_NSEC || type =3D=3D T_RRSIG)
--	    return STAT_SECURE;
-+	    return 1;
-=20
- 	  /* NSEC with the same name as the RR we're testing, check
- 	     that the type in question doesn't appear in the type map */
-@@ -1465,24 +1412,24 @@ static int prove_non_existence_nsec(struct dns_heade=
r *header, size_t plen, unsi
- 	      /* A CNAME answer would also be valid, so if there's a CNAME is shou=
ld=20
- 		 have been returned. */
- 	      if ((p[2] & (0x80 >> T_CNAME)) !=3D 0)
--		return STAT_BOGUS;
-+		return 0;
- 	     =20
- 	      /* If the SOA bit is set for a DS record, then we have the
- 		 DS from the wrong side of the delegation. */
- 	      if (type =3D=3D T_DS && (p[2] & (0x80 >> T_SOA)) !=3D 0)
--		return STAT_BOGUS;
-+		return 0;
- 	    }
-=20
- 	  while (rdlen >=3D 2)
- 	    {
- 	      if (!CHECK_LEN(header, p, plen, rdlen))
--		return STAT_BOGUS;
-+		return 0;
- 	     =20
- 	      if (p[0] =3D=3D type >> 8)
- 		{
- 		  /* Does the NSEC say our type exists? */
- 		  if (offset < p[1] && (p[offset+2] & mask) !=3D 0)
--		    return STAT_BOGUS;
-+		    return 0;
- 		 =20
- 		  break; /* finshed checking */
- 		}
-@@ -1491,24 +1438,24 @@ static int prove_non_existence_nsec(struct dns_heade=
r *header, size_t plen, unsi
- 	      p +=3D  p[1];
- 	    }
- 	 =20
--	  return STAT_SECURE;
-+	  return 1;
- 	}
-       else if (rc =3D=3D -1)
- 	{
- 	  /* Normal case, name falls between NSEC name and next domain name,
- 	     wrap around case, name falls between NSEC name (rc =3D=3D -1) and end=
 */
- 	  if (hostname_cmp(workspace2, name) >=3D 0 || hostname_cmp(workspace1, wo=
rkspace2) >=3D 0)
--	    return STAT_SECURE;
-+	    return 1;
- 	}
-       else=20
- 	{
- 	  /* wrap around case, name falls between start and next domain name */
- 	  if (hostname_cmp(workspace1, workspace2) >=3D 0 && hostname_cmp(workspac=
e2, name) >=3D0 )
--	    return STAT_SECURE;
-+	    return 1;
- 	}
-     }
-  =20
--  return STAT_BOGUS;
-+  return 0;
- }
-=20
- /* return digest length, or zero on error */
-@@ -1701,7 +1648,7 @@ static int prove_non_existence_nsec3(struct dns_header=
 *header, size_t plen, uns
-   for (i =3D 0; i < nsec_count; i++)
-     {
-       if (!(p =3D skip_name(nsecs[i], header, plen, 15)))
--	return STAT_BOGUS; /* bad packet */
-+	return 0; /* bad packet */
-      =20
-       p +=3D 10; /* type, class, TTL, rdlen */
-       algo =3D *p++;
-@@ -1712,14 +1659,14 @@ static int prove_non_existence_nsec3(struct dns_head=
er *header, size_t plen, uns
-=20
-   /* No usable NSEC3s */
-   if (i =3D=3D nsec_count)
--    return STAT_BOGUS;
-+    return 0;
-=20
-   p++; /* flags */
-   GETSHORT (iterations, p);
-   salt_len =3D *p++;
-   salt =3D p;
-   if (!CHECK_LEN(header, salt, plen, salt_len))
--    return STAT_BOGUS; /* bad packet */
-+    return 0; /* bad packet */
-    =20
-   /* Now prune so we only have NSEC3 records with same iterations, salt and=
 algo */
-   for (i =3D 0; i < nsec_count; i++)
-@@ -1730,7 +1677,7 @@ static int prove_non_existence_nsec3(struct dns_header=
 *header, size_t plen, uns
-       nsecs[i] =3D NULL; /* Speculative, will be restored if OK. */
-      =20
-       if (!(p =3D skip_name(nsec3p, header, plen, 15)))
--	return STAT_BOGUS; /* bad packet */
-+	return 0; /* bad packet */
-      =20
-       p +=3D 10; /* type, class, TTL, rdlen */
-      =20
-@@ -1747,7 +1694,7 @@ static int prove_non_existence_nsec3(struct dns_header=
 *header, size_t plen, uns
- 	continue;
-      =20
-       if (!CHECK_LEN(header, p, plen, salt_len))
--	return STAT_BOGUS; /* bad packet */
-+	return 0; /* bad packet */
-=20
-       if (memcmp(p, salt, salt_len) !=3D 0)
- 	continue;
-@@ -1758,13 +1705,13 @@ static int prove_non_existence_nsec3(struct dns_head=
er *header, size_t plen, uns
-=20
-   /* Algo is checked as 1 above */
-   if (!(hash =3D hash_find("sha1")))
--    return STAT_BOGUS;
-+    return 0;
-=20
-   if ((digest_len =3D hash_name(name, &digest, hash, salt, salt_len, iterat=
ions)) =3D=3D 0)
--    return STAT_BOGUS;
-+    return 0;
-  =20
-   if (check_nsec3_coverage(header, plen, digest_len, digest, type, workspac=
e1, workspace2, nsecs, nsec_count, nons))
--    return STAT_SECURE;
-+    return 1;
-=20
-   /* Can't find an NSEC3 which covers the name directly, we need the "close=
st encloser NSEC3"=20
-      or an answer inferred from a wildcard record. */
-@@ -1780,14 +1727,14 @@ static int prove_non_existence_nsec3(struct dns_head=
er *header, size_t plen, uns
- 	break;
-=20
-       if ((digest_len =3D hash_name(closest_encloser, &digest, hash, salt, =
salt_len, iterations)) =3D=3D 0)
--	return STAT_BOGUS;
-+	return 0;
-      =20
-       for (i =3D 0; i < nsec_count; i++)
- 	if ((p =3D nsecs[i]))
- 	  {
- 	    if (!extract_name(header, plen, &p, workspace1, 1, 0) ||
- 		!(base32_len =3D base32_decode(workspace1, (unsigned char *)workspace2)))
--	      return STAT_BOGUS;
-+	      return 0;
- 	 =20
- 	    if (digest_len =3D=3D base32_len &&
- 		memcmp(digest, workspace2, digest_len) =3D=3D 0)
-@@ -1802,32 +1749,81 @@ static int prove_non_existence_nsec3(struct dns_head=
er *header, size_t plen, uns
-   while ((closest_encloser =3D strchr(closest_encloser, '.')));
-  =20
-   if (!closest_encloser)
--    return STAT_BOGUS;
-+    return 0;
-  =20
-   /* Look for NSEC3 that proves the non-existence of the next-closest enclo=
ser */
-   if ((digest_len =3D hash_name(next_closest, &digest, hash, salt, salt_len=
, iterations)) =3D=3D 0)
--    return STAT_BOGUS;
-+    return 0;
-=20
-   if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspa=
ce1, workspace2, nsecs, nsec_count, NULL))
--    return STAT_BOGUS;
-+    return 0;
-  =20
-   /* Finally, check that there's no seat of wildcard synthesis */
-   if (!wildname)
-     {
-       if (!(wildcard =3D strchr(next_closest, '.')) || wildcard =3D=3D next=
_closest)
--	return STAT_BOGUS;
-+	return 0;
-      =20
-       wildcard--;
-       *wildcard =3D '*';
-      =20
-       if ((digest_len =3D hash_name(wildcard, &digest, hash, salt, salt_len=
, iterations)) =3D=3D 0)
--	return STAT_BOGUS;
-+	return 0;
-      =20
-       if (!check_nsec3_coverage(header, plen, digest_len, digest, type, wor=
kspace1, workspace2, nsecs, nsec_count, NULL))
--	return STAT_BOGUS;
-+	return 0;
-     }
-  =20
--  return STAT_SECURE;
-+  return 1;
-+}
-+
-+static int prove_non_existence(struct dns_header *header, size_t plen, char=
 *keyname, char *name, int qtype, int qclass, char *wildname, int *nons)
-+{
-+  static unsigned char **nsecset =3D NULL;
-+  static int nsecset_sz =3D 0;
-+ =20
-+  int type_found =3D 0;
-+  unsigned char *p =3D skip_questions(header, plen);
-+  int type, class, rdlen, i, nsecs_found;
-+ =20
-+  /* Move to NS section */
-+  if (!p || !(p =3D skip_section(p, ntohs(header->ancount), header, plen)))
-+    return 0;
-+ =20
-+  for (nsecs_found =3D 0, i =3D ntohs(header->nscount); i !=3D 0; i--)
-+    {
-+      unsigned char *pstart =3D p;
-+     =20
-+      if (!(p =3D skip_name(p, header, plen, 10)))
-+	return 0;
-+     =20
-+      GETSHORT(type, p);=20
-+      GETSHORT(class, p);
-+      p +=3D 4; /* TTL */
-+      GETSHORT(rdlen, p);
-+
-+      if (class =3D=3D qclass && (type =3D=3D T_NSEC || type =3D=3D T_NSEC3=
))
-+	{
-+	  /* No mixed NSECing 'round here, thankyouverymuch */
-+	  if (type_found !=3D 0 && type_found !=3D type)
-+	    return 0;
-+
-+	  type_found =3D type;
-+
-+	  if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found))
-+	    return 0;=20
-+	 =20
-+	  nsecset[nsecs_found++] =3D pstart;
-+	}
-+     =20
-+      if (!ADD_RDLEN(header, p, plen, rdlen))
-+	return 0;
-+    }
-+ =20
-+  if (type_found =3D=3D T_NSEC)
-+    return prove_non_existence_nsec(header, plen, nsecset, nsecs_found, dae=
mon->workspacename, keyname, name, qtype, nons);
-+  else
-+    return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, da=
emon->workspacename, keyname, name, qtype, wildname, nons);
- }
-=20
- /* Check signing status of name.
-@@ -1925,10 +1921,9 @@ int dnssec_validate_reply(time_t now, struct dns_head=
er *header, size_t plen, ch
-   static unsigned char **targets =3D NULL;
-   static int target_sz =3D 0;
-=20
--  unsigned char *ans_start, *p1, *p2, **nsecs;
-+  unsigned char *ans_start, *p1, *p2;
-   int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype, targetid=
x;
--  int i, j, rc, nsec_count;
--  int nsec_type;
-+  int i, j, rc;
-=20
-   if (neganswer)
-     *neganswer =3D 0;
-@@ -2080,28 +2075,15 @@ int dnssec_validate_reply(time_t now, struct dns_hea=
der *header, size_t plen, ch
- 			  targets[j] =3D NULL;
- 		      }
- 			   =20
--		  if (rc =3D=3D STAT_SECURE_WILDCARD)
--		    {
--		      /* An attacker replay a wildcard answer with a different
--			 answer and overlay a genuine RR. To prove this
--			 hasn't happened, the answer must prove that
--			 the gennuine record doesn't exist. Check that here. */
--		      if (!(nsec_type =3D find_nsec_records(header, plen, &nsecs, &nsec_c=
ount, class1)))
--			return STAT_BOGUS; /* No NSECs or bad packet */
--		     =20
--		      /* Note that we may not yet have validated the NSEC/NSEC3 RRsets. S=
ince the check
--			 below returns either SECURE or BOGUS, that's not a problem. If the RRse=
ts later fail
--			 we'll return BOGUS then. */
--
--		      if (nsec_type =3D=3D T_NSEC)
--			rc =3D prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon-=
>workspacename, keyname, name, type1, NULL);
--		      else
--			rc =3D prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon=
->workspacename,=20
--						       keyname, name, type1, wildname, NULL);
--		     =20
--		      if (rc =3D=3D STAT_BOGUS)
--			return rc;
--		    }=20
-+		   /* An attacker replay a wildcard answer with a different
-+		      answer and overlay a genuine RR. To prove this
-+		      hasn't happened, the answer must prove that
-+		      the gennuine record doesn't exist. Check that here.=20
-+		      Note that we may not yet have validated the NSEC/NSEC3 RRsets.=20
-+		      That's not a problem since if the RRsets later fail
-+		      we'll return BOGUS then. */
-+		  if (rc =3D=3D STAT_SECURE_WILDCARD && !prove_non_existence(header, plen=
, keyname, name, type1, class1, wildname, NULL))
-+		    return STAT_BOGUS;
- 		}
- 	    }
- 	}
-@@ -2124,14 +2106,13 @@ int dnssec_validate_reply(time_t now, struct dns_hea=
der *header, size_t plen, ch
-=20
- 	/* For anything other than a DS record, this situation is OK if either
- 	   the answer is in an unsigned zone, or there's a NSEC records. */
--	if (!(nsec_type =3D find_nsec_records(header, plen, &nsecs, &nsec_count, q=
class)))
-+	if (!prove_non_existence(header, plen, keyname, name, qtype, qclass, NULL,=
 nons))
- 	  {
- 	    /* Empty DS without NSECS */
- 	    if (qtype =3D=3D T_DS)
- 	      return STAT_BOGUS;
- 	   =20
--	    rc =3D zone_status(name, qclass, keyname, now);
--	    if (rc !=3D STAT_SECURE)
-+	    if ((rc =3D zone_status(name, qclass, keyname, now)) !=3D STAT_SECURE)
- 	      {
- 		if (class)
- 		  *class =3D qclass; /* Class for NEED_DS or NEED_DNSKEY */
-@@ -2140,14 +2121,6 @@ int dnssec_validate_reply(time_t now, struct dns_head=
er *header, size_t plen, ch
- 	   =20
- 	    return STAT_BOGUS; /* signed zone, no NSECs */
- 	  }
--
--	  if (nsec_type =3D=3D T_NSEC)
--	  rc =3D prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon-=
>workspacename, keyname, name, qtype, nons);
--	else
--	  rc =3D prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon=
->workspacename, keyname, name, qtype, NULL, nons);
--
--	if (rc !=3D STAT_SECURE)
--	  return rc;
-       }
-  =20
-   return STAT_SECURE;
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/023-Fix_brace_botch_in_dnssec_validate_ds.pa=
tch b/src/patches/dnsmasq/023-Fix_brace_botch_in_dnssec_validate_ds.patch
deleted file mode 100644
index eda6fbd..0000000
--- a/src/patches/dnsmasq/023-Fix_brace_botch_in_dnssec_validate_ds.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 3b799c826db05fc2da1c6d15cbe372e394209d27 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Thu, 17 Dec 2015 16:58:04 +0000
-Subject: [PATCH] Fix brace botch in dnssec_validate_ds()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=3Dutf8
-Content-Transfer-Encoding: 8bit
-
-Thanks to Micha=C3=85=C2=82 K=C3=84=C2=99pie=C3=85=C2=84 for spotting this.
----
- src/dnssec.c |   34 +++++++++++++++++-----------------
- 1 file changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index ddae497..1f8c954 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -923,11 +923,11 @@ static int validate_rrset(time_t now, struct dns_heade=
r *header, size_t plen, in
- /* The DNS packet is expected to contain the answer to a DNSKEY query.
-    Put all DNSKEYs in the answer which are valid into the cache.
-    return codes:
--         STAT_OK           Done, key(s) in cache.
--	 STAT_BOGUS        No DNSKEYs found, which  can be validated with DS,
--	                   or self-sign for DNSKEY RRset is not valid, bad packet.
--	 STAT_NEED_DS      DS records to validate a key not found, name in keyname=
=20
--	 STAT_NEED_DNSKEY  DNSKEY records to validate a key not found, name in key=
name=20
-+         STAT_OK        Done, key(s) in cache.
-+	 STAT_BOGUS     No DNSKEYs found, which  can be validated with DS,
-+	                or self-sign for DNSKEY RRset is not valid, bad packet.
-+	 STAT_NEED_DS   DS records to validate a key not found, name in keyname=20
-+	 STAT_NEED_KEY  DNSKEY records to validate a key not found, name in keynam=
e=20
- */
- int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t ple=
n, char *name, char *keyname, int class)
- {
-@@ -1224,13 +1224,13 @@ int dnssec_validate_ds(time_t now, struct dns_header=
 *header, size_t plen, char
- 		}
- 	     =20
- 	      p =3D psave;
--	     =20
--	      if (!ADD_RDLEN(header, p, plen, rdlen))
--		return STAT_BOGUS; /* bad packet */
- 	    }
--	 =20
--	  cache_end_insert();
-+	  if (!ADD_RDLEN(header, p, plen, rdlen))
-+	    return STAT_BOGUS; /* bad packet */
- 	}
-+
-+      cache_end_insert();
-+
-     }
-   else
-     {
-@@ -1828,10 +1828,10 @@ static int prove_non_existence(struct dns_header *he=
ader, size_t plen, char *key
-=20
- /* Check signing status of name.
-    returns:
--   STAT_SECURE      zone is signed.
--   STAT_INSECURE    zone proved unsigned.
--   STAT_NEED_DS     require DS record of name returned in keyname.
--   STAT_NEED_DNSKEY require DNSKEY record of name returned in keyname.
-+   STAT_SECURE   zone is signed.
-+   STAT_INSECURE zone proved unsigned.
-+   STAT_NEED_DS  require DS record of name returned in keyname.
-+   STAT_NEED_KEY require DNSKEY record of name returned in keyname.
-    name returned unaltered.
- */
- static int zone_status(char *name, int class, char *keyname, time_t now)
-@@ -2028,7 +2028,7 @@ int dnssec_validate_reply(time_t now, struct dns_heade=
r *header, size_t plen, ch
- 		      if (rc =3D=3D STAT_SECURE)
- 			rc =3D STAT_BOGUS;
- 		       if (class)
--			 *class =3D class1; /* Class for NEED_DS or NEED_DNSKEY */
-+			 *class =3D class1; /* Class for NEED_DS or NEED_KEY */
- 		    }
- 		  else=20
- 		    rc =3D STAT_INSECURE;=20
-@@ -2045,7 +2045,7 @@ int dnssec_validate_reply(time_t now, struct dns_heade=
r *header, size_t plen, ch
- 		{
- 		  /* Zone is insecure, don't need to validate RRset */
- 		  if (class)
--		    *class =3D class1; /* Class for NEED_DS or NEED_DNSKEY */
-+		    *class =3D class1; /* Class for NEED_DS or NEED_KEY */
- 		  return rc;
- 		}=20
- 	     =20
-@@ -2115,7 +2115,7 @@ int dnssec_validate_reply(time_t now, struct dns_heade=
r *header, size_t plen, ch
- 	    if ((rc =3D zone_status(name, qclass, keyname, now)) !=3D STAT_SECURE)
- 	      {
- 		if (class)
--		  *class =3D qclass; /* Class for NEED_DS or NEED_DNSKEY */
-+		  *class =3D qclass; /* Class for NEED_DS or NEED_KEY */
- 		return rc;
- 	      }=20
- 	   =20
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/024-Do_a_better_job_of_determining_which_DNS=
SEC_sig_algos_are_supported.patch b/src/patches/dnsmasq/024-Do_a_better_job_o=
f_determining_which_DNSSEC_sig_algos_are_supported.patch
deleted file mode 100644
index abcae5c..0000000
--- a/src/patches/dnsmasq/024-Do_a_better_job_of_determining_which_DNSSEC_sig=
_algos_are_supported.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 14a4ae883d51130d33da7133287e8867c64bab65 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Thu, 17 Dec 2015 17:23:03 +0000
-Subject: [PATCH] Do a better job of determining which DNSSEC sig algos are
- supported.
-
----
- src/dnssec.c |   52 +++++++++++++++++++++++++++++++++++++---------------
- 1 file changed, 37 insertions(+), 15 deletions(-)
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 1f8c954..82394ee 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -65,10 +65,9 @@ static char *algo_digest_name(int algo)
-     case 8: return "sha256";
-     case 10: return "sha512";
-     case 12: return "gosthash94";
--#ifndef NO_NETTLE_ECC
-     case 13: return "sha256";
-     case 14: return "sha384";
--#endif
-+
-     default: return NULL;
-     }
- }
-@@ -129,13 +128,15 @@ static int hash_init(const struct nettle_hash *hash, v=
oid **ctxp, unsigned char
- }
-  =20
- static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_=
len, unsigned char *sig, size_t sig_len,
--			      unsigned char *digest, int algo)
-+			      unsigned char *digest, size_t digest_len, int algo)
- {
-   unsigned char *p;
-   size_t exp_len;
-  =20
-   static struct rsa_public_key *key =3D NULL;
-   static mpz_t sig_mpz;
-+
-+  (void)digest_len;
-  =20
-   if (key =3D=3D NULL)
-     {
-@@ -181,7 +182,7 @@ static int dnsmasq_rsa_verify(struct blockdata *key_data=
, unsigned int key_len,
- } =20
-=20
- static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_=
len, unsigned char *sig, size_t sig_len,
--			      unsigned char *digest, int algo)
-+			      unsigned char *digest, size_t digest_len, int algo)
- {
-   unsigned char *p;
-   unsigned int t;
-@@ -189,6 +190,8 @@ static int dnsmasq_dsa_verify(struct blockdata *key_data=
, unsigned int key_len,
-   static struct dsa_public_key *key =3D NULL;
-   static struct dsa_signature *sig_struct;
-  =20
-+  (void)digest_len;
-+
-   if (key =3D=3D NULL)
-     {
-       if (!(sig_struct =3D whine_malloc(sizeof(struct dsa_signature))) ||=20
-@@ -292,26 +295,45 @@ static int dnsmasq_ecdsa_verify(struct blockdata *key_=
data, unsigned int key_len
- }=20
- #endif=20
-=20
--static int verify(struct blockdata *key_data, unsigned int key_len, unsigne=
d char *sig, size_t sig_len,
--		  unsigned char *digest, size_t digest_len, int algo)
-+static int (*verify_func(int algo))(struct blockdata *key_data, unsigned in=
t key_len, unsigned char *sig, size_t sig_len,
-+				    unsigned char *digest, size_t digest_len, int algo)
- {
--  (void)digest_len;
--
-+   =20
-+  /* Enure at runtime that we have support for this digest */
-+  if (!hash_find(algo_digest_name(algo)))
-+    return NULL;
-+ =20
-+  /* This switch defines which sig algorithms we support, can't introspect =
Nettle for that. */
-   switch (algo)
-     {
-     case 1: case 5: case 7: case 8: case 10:
--      return dnsmasq_rsa_verify(key_data, key_len, sig, sig_len, digest, al=
go);
-+      return dnsmasq_rsa_verify;
-      =20
-     case 3: case 6:=20
--      return dnsmasq_dsa_verify(key_data, key_len, sig, sig_len, digest, al=
go);
-+      return dnsmasq_dsa_verify;
- =20
- #ifndef NO_NETTLE_ECC  =20
-     case 13: case 14:
--      return dnsmasq_ecdsa_verify(key_data, key_len, sig, sig_len, digest, =
digest_len, algo);
-+      return dnsmasq_ecdsa_verify;
- #endif
-     }
-  =20
--  return 0;
-+  return NULL;
-+}
-+
-+static int verify(struct blockdata *key_data, unsigned int key_len, unsigne=
d char *sig, size_t sig_len,
-+		  unsigned char *digest, size_t digest_len, int algo)
-+{
-+
-+  int (*func)(struct blockdata *key_data, unsigned int key_len, unsigned ch=
ar *sig, size_t sig_len,
-+	      unsigned char *digest, size_t digest_len, int algo);
-+ =20
-+  func =3D verify_func(algo);
-+ =20
-+  if (!func)
-+    return 0;
-+
-+  return (*func)(key_data, key_len, sig, sig_len, digest, digest_len, algo);
- }
-=20
- /* Convert from presentation format to wire format, in place.
-@@ -732,7 +754,7 @@ static int explore_rrset(struct dns_header *header, size=
_t plen, int class, int
- 	      if (check_date_range(sig_inception, sig_expiration) &&
- 		  labels <=3D name_labels &&
- 		  type_covered =3D=3D type &&=20
--		  algo_digest_name(algo))
-+		  verify_func(algo))
- 		{
- 		  if (!expand_workspace(&sigs, &sig_sz, sigidx))
- 		    return 0;=20
-@@ -1865,7 +1887,7 @@ static int zone_status(char *name, int class, char *ke=
yname, time_t now)
- 		      if (crecp->flags & F_DNSSECOK)
- 			return STAT_INSECURE; /* proved no DS here */
- 		    }
--		  else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(cr=
ecp->addr.ds.algo))
-+		  else if (!hash_find(ds_digest_name(crecp->addr.ds.digest)) || !verify_f=
unc(crecp->addr.ds.algo))
- 		    return STAT_INSECURE; /* algo we can't use - insecure */
- 		  else
- 		    secure_ds =3D 1;
-@@ -1887,7 +1909,7 @@ static int zone_status(char *name, int class, char *ke=
yname, time_t now)
-=20
- 	  do=20
- 	    {
--	      if (crecp->uid =3D=3D (unsigned int)class && !algo_digest_name(crecp=
->addr.key.algo))
-+	      if (crecp->uid =3D=3D (unsigned int)class && !verify_func(crecp->add=
r.key.algo))
- 		return STAT_INSECURE;
- 	    }
- 	  while ((crecp =3D cache_find_by_name(crecp, keyname, now, F_DNSKEY)));
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/025-Major_tidy_up_of_EDNS0_handling_and_comp=
utation_use_of_udp.patch b/src/patches/dnsmasq/025-Major_tidy_up_of_EDNS0_han=
dling_and_computation_use_of_udp.patch
deleted file mode 100644
index c016e73..0000000
--- a/src/patches/dnsmasq/025-Major_tidy_up_of_EDNS0_handling_and_computation=
_use_of_udp.patch
+++ /dev/null
@@ -1,643 +0,0 @@
-From fa14bec83b2db010fd076910fddab56957b9375d Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Sun, 20 Dec 2015 17:12:16 +0000
-Subject: [PATCH] Major tidy up of EDNS0 handling and computation/use of udp
- packet size.
-
----
- src/auth.c     |    8 ++-
- src/dnsmasq.h  |    7 ++-
- src/dnssec.c   |    1 -
- src/forward.c  |  184 ++++++++++++++++++++++++++++++++++++++++-------------=
---
- src/netlink.c  |    3 +-
- src/rfc1035.c  |   81 +++++++------------------
- src/rrfilter.c |    2 +-
- 7 files changed, 168 insertions(+), 118 deletions(-)
-
-diff --git a/src/auth.c b/src/auth.c
-index 2b0b7d6..85bd5e7 100644
---- a/src/auth.c
-+++ b/src/auth.c
-@@ -81,7 +81,8 @@ int in_zone(struct auth_zone *zone, char *name, char **cut)
- }
-=20
-=20
--size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, tim=
e_t now, union mysockaddr *peer_addr, int local_query)=20
-+size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, tim=
e_t now, union mysockaddr *peer_addr,=20
-+		   int local_query, int do_bit, int have_pseudoheader)=20
- {
-   char *name =3D daemon->namebuff;
-   unsigned char *p, *ansp;
-@@ -820,6 +821,11 @@ size_t answer_auth(struct dns_header *header, char *lim=
it, size_t qlen, time_t n
-   header->ancount =3D htons(anscount);
-   header->nscount =3D htons(authcount);
-   header->arcount =3D htons(0);
-+
-+  /* Advertise our packet size limit in our reply */
-+  if (have_pseudoheader)
-+    return add_pseudoheader(header,  ansp - (unsigned char *)header, (unsig=
ned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit);
-+
-   return ansp - (unsigned char *)header;
- }
-  =20
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index 39a930c..abb34c5 100644
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -1113,7 +1113,7 @@ int extract_addresses(struct dns_header *header, size_=
t qlen, char *namebuff,
- 		      int no_cache, int secure, int *doctored);
- size_t answer_request(struct dns_header *header, char *limit, size_t qlen, =
=20
- 		      struct in_addr local_addr, struct in_addr local_netmask,=20
--		      time_t now, int *ad_reqd, int *do_bit);
-+		      time_t now, int ad_reqd, int do_bit, int have_pseudoheader);
- int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *=
name,=20
- 			     struct bogus_addr *addr, time_t now);
- int check_for_ignored_address(struct dns_header *header, size_t qlen, struc=
t bogus_addr *baddr);
-@@ -1123,6 +1123,8 @@ int check_for_local_domain(char *name, time_t now);
- unsigned int questions_crc(struct dns_header *header, size_t plen, char *bu=
ff);
- size_t resize_packet(struct dns_header *header, size_t plen,=20
- 		  unsigned char *pheader, size_t hlen);
-+size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned ch=
ar *limit,=20
-+			unsigned short udp_sz, int optno, unsigned char *opt, size_t optlen, int=
 set_do);
- size_t add_mac(struct dns_header *header, size_t plen, char *limit, union m=
ysockaddr *l3);
- size_t add_source_addr(struct dns_header *header, size_t plen, char *limit,=
 union mysockaddr *source);
- #ifdef HAVE_DNSSEC
-@@ -1141,7 +1143,8 @@ int private_net(struct in_addr addr, int ban_localhost=
);
- /* auth.c */
- #ifdef HAVE_AUTH
- size_t answer_auth(struct dns_header *header, char *limit, size_t qlen,=20
--		   time_t now, union mysockaddr *peer_addr, int local_query);
-+		   time_t now, union mysockaddr *peer_addr, int local_query,
-+		   int do_bit, int have_pseudoheader);
- int in_zone(struct auth_zone *zone, char *name, char **cut);
- #endif
-=20
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 82394ee..299ca64 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -67,7 +67,6 @@ static char *algo_digest_name(int algo)
-     case 12: return "gosthash94";
-     case 13: return "sha256";
-     case 14: return "sha384";
--
-     default: return NULL;
-     }
- }
-diff --git a/src/forward.c b/src/forward.c
-index 3e801c8..041353c 100644
---- a/src/forward.c
-+++ b/src/forward.c
-@@ -244,7 +244,6 @@ static int forward_query(int udpfd, union mysockaddr *ud=
paddr,
-   void *hash =3D &crc;
- #endif
-  unsigned int gotname =3D extract_request(header, plen, daemon->namebuff, N=
ULL);
-- unsigned char *pheader;
-=20
-  (void)do_bit;
-=20
-@@ -264,7 +263,8 @@ static int forward_query(int udpfd, union mysockaddr *ud=
paddr,
- 	 there's no point retrying the query, retry the key query instead...... */
-       if (forward->blocking_query)
- 	{
--	  int fd;
-+	  int fd, is_sign;
-+	  unsigned char *pheader;
- 	 =20
- 	  forward->flags &=3D ~FREC_TEST_PKTSZ;
- 	 =20
-@@ -276,8 +276,8 @@ static int forward_query(int udpfd, union mysockaddr *ud=
paddr,
- 	  blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
- 	  plen =3D forward->stash_len;
- 	 =20
--	  if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
--	    PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : forward->se=
ntto->edns_pktsz, pheader);
-+	  if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign) && !is_sig=
n)
-+	    PUTSHORT(SAFE_PKTSZ, pheader);
-=20
- 	  if (forward->sentto->addr.sa.sa_family =3D=3D AF_INET)=20
- 	    log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&=
forward->sentto->addr.in.sin_addr, "dnssec");
-@@ -394,32 +394,40 @@ static int forward_query(int udpfd, union mysockaddr *=
udpaddr,
-       forward->log_id =3D daemon->log_id;
-      =20
-       if (option_bool(OPT_ADD_MAC))
--	plen =3D add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz,=
 &forward->source);
--     =20
-+	{
-+	  size_t new =3D add_mac(header, plen, ((char *) header) + daemon->packet_=
buff_sz, &forward->source);
-+	  if (new !=3D plen)
-+	    {
-+	      plen =3D new;
-+	      forward->flags |=3D FREC_ADDED_PHEADER;
-+	    }
-+	}
-+
-       if (option_bool(OPT_CLIENT_SUBNET))
- 	{
- 	  size_t new =3D add_source_addr(header, plen, ((char *) header) + daemon-=
>packet_buff_sz, &forward->source);=20
- 	  if (new !=3D plen)
- 	    {
- 	      plen =3D new;
--	      forward->flags |=3D FREC_HAS_SUBNET;
-+	      forward->flags |=3D FREC_HAS_SUBNET | FREC_ADDED_PHEADER;
- 	    }
- 	}
-=20
- #ifdef HAVE_DNSSEC
-       if (option_bool(OPT_DNSSEC_VALID))
- 	{
--	  size_t new_plen =3D add_do_bit(header, plen, ((char *) header) + daemon-=
>packet_buff_sz);
-+	  size_t new =3D add_do_bit(header, plen, ((char *) header) + daemon->pack=
et_buff_sz);
- 	=20
-+	  if (new !=3D plen)
-+	    forward->flags |=3D FREC_ADDED_PHEADER;
-+
-+	  plen =3D new;
-+	     =20
- 	  /* For debugging, set Checking Disabled, otherwise, have the upstream ch=
eck too,
- 	     this allows it to select auth servers when one is returning bad data.=
 */
- 	  if (option_bool(OPT_DNSSEC_DEBUG))
- 	    header->hb4 |=3D HB4_CD;
-=20
--	  if (new_plen !=3D plen)
--	    forward->flags |=3D FREC_ADDED_PHEADER;
--
--	  plen =3D new_plen;
- 	}
- #endif
-      =20
-@@ -469,10 +477,23 @@ static int forward_query(int udpfd, union mysockaddr *=
udpaddr,
- 		    }
- #endif
- 		}
--
--	      if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
--		PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : start->edns_pk=
tsz, pheader);
- 	     =20
-+#ifdef HAVE_DNSSEC
-+	      if (option_bool(OPT_DNSSEC_VALID) && !do_bit)
-+		{
-+		  /* Difficult one here. If our client didn't send EDNS0, we will have se=
t the UDP
-+		     packet size to 512. But that won't provide space for the RRSIGS in m=
any cases.
-+		     The RRSIGS will be stripped out before the answer goes back, so the =
packet should
-+		     shrink again. So, if we added a do-bit, bump the udp packet size to =
the value
-+		     known to be OK for this server. Maybe check returned size after stri=
pping and set
-+		     the truncated bit? */		 =20
-+		  unsigned char *pheader;
-+		  int is_sign;
-+		  if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign))
-+		    PUTSHORT(start->edns_pktsz, pheader);
-+		}
-+#endif
-+
- 	      if (retry_send(sendto(fd, (char *)header, plen, 0,
- 				    &start->addr.sa,
- 				    sa_len(&start->addr))))
-@@ -563,30 +584,34 @@ static size_t process_reply(struct dns_header *header,=
 time_t now, struct server
-     }
- #endif
-  =20
--  /* If upstream is advertising a larger UDP packet size
--     than we allow, trim it so that we don't get overlarge
--     requests for the client. We can't do this for signed packets. */
--
-   if ((pheader =3D find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
-     {
--      unsigned short udpsz;
--      unsigned char *psave =3D sizep;
--     =20
--      GETSHORT(udpsz, sizep);
--
--      if (!is_sign && udpsz > daemon->edns_pktsz)
--	PUTSHORT(daemon->edns_pktsz, psave);
--     =20
-       if (check_subnet && !check_source(header, plen, pheader, query_source=
))
- 	{
- 	  my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch")=
);
- 	  return 0;
- 	}
-      =20
--      if (added_pheader)
-+      if (!is_sign)
- 	{
--	  pheader =3D 0;=20
--	  header->arcount =3D htons(0);
-+	  if (added_pheader)
-+	    {
-+	      /* client didn't send EDNS0, we added one, strip it off before retur=
ning answer. */
-+	      n =3D rrfilter(header, n, 0);
-+	      pheader =3D NULL;
-+	    }
-+	  else
-+	    {
-+	      /* If upstream is advertising a larger UDP packet size
-+		 than we allow, trim it so that we don't get overlarge
-+		 requests for the client. We can't do this for signed packets. */
-+	      unsigned short udpsz;
-+	      unsigned char *psave =3D sizep;
-+	     =20
-+	      GETSHORT(udpsz, sizep);
-+	      if (udpsz > daemon->edns_pktsz)
-+		PUTSHORT(daemon->edns_pktsz, psave);
-+	    }
- 	}
-     }
-  =20
-@@ -655,14 +680,16 @@ static size_t process_reply(struct dns_header *header,=
 time_t now, struct server
-     }
-=20
-   if (option_bool(OPT_DNSSEC_VALID))
--    header->hb4 &=3D ~HB4_AD;
-- =20
--  if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
--    header->hb4 |=3D HB4_AD;
--
--  /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
--  if (!do_bit)
--    n =3D rrfilter(header, n, 1);
-+    {
-+      header->hb4 &=3D ~HB4_AD;
-+     =20
-+      if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
-+	header->hb4 |=3D HB4_AD;
-+     =20
-+      /* If the requestor didn't set the DO bit, don't return DNSSEC info. =
*/
-+      if (!do_bit)
-+	n =3D rrfilter(header, n, 1);
-+    }
- #endif
-=20
-   /* do this after extract_addresses. Ensure NODATA reply and remove
-@@ -761,8 +788,14 @@ void reply_query(int fd, int family, time_t now)
- 	  if ((nn =3D resize_packet(header, (size_t)n, pheader, plen)))
- 	    {
- 	      header->hb3 &=3D ~(HB3_QR | HB3_AA | HB3_TC);
--	      header->hb4 &=3D ~(HB4_RA | HB4_RCODE);
--	      forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0, 0);
-+	      header->hb4 &=3D ~(HB4_RA | HB4_RCODE | HB4_CD | HB4_AD);
-+	      if (forward->flags |=3D FREC_CHECKING_DISABLED)
-+		header->hb4 |=3D HB4_CD;
-+	      if (forward->flags |=3D FREC_AD_QUESTION)
-+		header->hb4 |=3D HB4_AD;
-+	      if (forward->flags & FREC_DO_QUESTION)
-+		add_do_bit(header, nn,  (char *)pheader + plen);
-+	      forward_query(-1, NULL, NULL, 0, header, nn, now, forward, forward->=
flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION);
- 	      return;
- 	    }
- 	}
-@@ -1007,12 +1040,13 @@ void receive_query(struct listener *listen, time_t n=
ow)
- {
-   struct dns_header *header =3D (struct dns_header *)daemon->packet;
-   union mysockaddr source_addr;
--  unsigned short type;
-+  unsigned char *pheader;
-+  unsigned short type, udp_size =3D PACKETSZ; /* default if no EDNS0 */
-   struct all_addr dst_addr;
-   struct in_addr netmask, dst_addr_4;
-   size_t m;
-   ssize_t n;
--  int if_index =3D 0, auth_dns =3D 0;
-+  int if_index =3D 0, auth_dns =3D 0, do_bit =3D 0, have_pseudoheader =3D 0;
- #ifdef HAVE_AUTH
-   int local_auth =3D 0;
- #endif
-@@ -1279,10 +1313,30 @@ void receive_query(struct listener *listen, time_t n=
ow)
- #endif
-     }
-  =20
-+  if (find_pseudoheader(header, (size_t)n, NULL, &pheader, NULL))
-+    {=20
-+      unsigned short flags;
-+     =20
-+      have_pseudoheader =3D 1;
-+      GETSHORT(udp_size, pheader);
-+      pheader +=3D 2; /* ext_rcode */
-+      GETSHORT(flags, pheader);
-+     =20
-+      if (flags & 0x8000)
-+	do_bit =3D 1;/* do bit */=20
-+=09
-+      /* If the client provides an EDNS0 UDP size, use that to limit our re=
ply.
-+	 (bounded by the maximum configured). If no EDNS0, then it
-+	 defaults to 512 */
-+      if (udp_size > daemon->edns_pktsz)
-+	udp_size =3D daemon->edns_pktsz;
-+    }
-+
- #ifdef HAVE_AUTH
-   if (auth_dns)
-     {
--      m =3D answer_auth(header, ((char *) header) + daemon->packet_buff_sz,=
 (size_t)n, now, &source_addr, local_auth);
-+      m =3D answer_auth(header, ((char *) header) + udp_size, (size_t)n, no=
w, &source_addr,=20
-+		      local_auth, do_bit, have_pseudoheader);
-       if (m >=3D 1)
- 	{
- 	  send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERB=
IND),
-@@ -1293,9 +1347,13 @@ void receive_query(struct listener *listen, time_t no=
w)
-   else
- #endif
-     {
--      int ad_reqd, do_bit;
--      m =3D answer_request(header, ((char *) header) + daemon->packet_buff_=
sz, (size_t)n,=20
--			 dst_addr_4, netmask, now, &ad_reqd, &do_bit);
-+      int ad_reqd =3D do_bit;
-+       /* RFC 6840 5.7 */
-+      if (header->hb4 & HB4_AD)
-+	ad_reqd =3D 1;
-+
-+      m =3D answer_request(header, ((char *) header) + udp_size, (size_t)n,=
=20
-+			 dst_addr_4, netmask, now, ad_reqd, do_bit, have_pseudoheader);
-      =20
-       if (m >=3D 1)
- 	{
-@@ -1397,7 +1455,7 @@ unsigned char *tcp_request(int confd, time_t now,
- #ifdef HAVE_AUTH
-   int local_auth =3D 0;
- #endif
--  int checking_disabled, ad_question, do_bit, added_pheader =3D 0;
-+  int checking_disabled, do_bit, added_pheader =3D 0, have_pseudoheader =3D=
 0;
-   int check_subnet, no_cache_dnssec =3D 0, cache_secure =3D 0, bogusanswer =
=3D 0;
-   size_t m;
-   unsigned short qtype;
-@@ -1414,6 +1472,7 @@ unsigned char *tcp_request(int confd, time_t now,
-   union mysockaddr peer_addr;
-   socklen_t peer_len =3D sizeof(union mysockaddr);
-   int query_count =3D 0;
-+  unsigned char *pheader;
-=20
-   if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) =3D=3D -=
1)
-     return packet;
-@@ -1508,15 +1567,35 @@ unsigned char *tcp_request(int confd, time_t now,
-       else
- 	dst_addr_4.s_addr =3D 0;
-      =20
-+      do_bit =3D 0;
-+
-+      if (find_pseudoheader(header, (size_t)size, NULL, &pheader, NULL))
-+	{=20
-+	  unsigned short flags;
-+	 =20
-+	  have_pseudoheader =3D 1;
-+	  pheader +=3D 4; /* udp_size, ext_rcode */
-+	  GETSHORT(flags, pheader);
-+     =20
-+	  if (flags & 0x8000)
-+	    do_bit =3D 1;/* do bit */=20
-+	}
-+
- #ifdef HAVE_AUTH
-       if (auth_dns)
--	m =3D answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &p=
eer_addr, local_auth);
-+	m =3D answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &p=
eer_addr,=20
-+			local_auth, do_bit, have_pseudoheader);
-       else
- #endif
- 	{
--	  /* m > 0 if answered from cache */
--	  m =3D answer_request(header, ((char *) header) + 65536, (size_t)size,=20
--			     dst_addr_4, netmask, now, &ad_question, &do_bit);
-+	   int ad_reqd =3D do_bit;
-+	   /* RFC 6840 5.7 */
-+	   if (header->hb4 & HB4_AD)
-+	     ad_reqd =3D 1;
-+	  =20
-+	   /* m > 0 if answered from cache */
-+	   m =3D answer_request(header, ((char *) header) + 65536, (size_t)size,=20
-+			      dst_addr_4, netmask, now, ad_reqd, do_bit, have_pseudoheader);
- 	 =20
- 	  /* Do this by steam now we're not in the select() loop */
- 	  check_log_writer(1);=20
-@@ -1615,6 +1694,7 @@ unsigned char *tcp_request(int confd, time_t now,
- 			    }
- 			 =20
- #ifdef HAVE_DNSSEC
-+			  added_pheader =3D 0;			 =20
- 			  if (option_bool(OPT_DNSSEC_VALID))
- 			    {
- 			      size_t new_size =3D add_do_bit(header, size, ((char *) header) + 6=
5536);
-@@ -1719,7 +1799,7 @@ unsigned char *tcp_request(int confd, time_t now,
-=20
- 		      m =3D process_reply(header, now, last_server, (unsigned int)m,=20
- 					option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure=
, bogusanswer,
--					ad_question, do_bit, added_pheader, check_subnet, &peer_addr);=20
-+					ad_reqd, do_bit, added_pheader, check_subnet, &peer_addr);=20
- 		     =20
- 		      break;
- 		    }
-diff --git a/src/netlink.c b/src/netlink.c
-index 753784d..3376d68 100644
---- a/src/netlink.c
-+++ b/src/netlink.c
-@@ -288,7 +288,8 @@ int iface_enumerate(int family, void *parm, int (*callba=
ck)())
- 		rta =3D RTA_NEXT(rta, len1);
- 	      }
-=20
--	    if (inaddr && mac && callback_ok)
-+	    if (!(neigh->ndm_state & (NUD_NOARP | NUD_INCOMPLETE | NUD_FAILED)) &&
-+		inaddr && mac && callback_ok)
- 	      if (!((*callback)(neigh->ndm_family, inaddr, mac, maclen, parm)))
- 		callback_ok =3D 0;
- 	  }
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index 188d05f..18858a8 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -489,8 +489,8 @@ struct macparm {
-   union mysockaddr *l3;
- };
- =20
--static size_t add_pseudoheader(struct dns_header *header, size_t plen, unsi=
gned char *limit,=20
--			       int optno, unsigned char *opt, size_t optlen, int set_do)
-+size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned ch=
ar *limit,=20
-+			unsigned short udp_sz, int optno, unsigned char *opt, size_t optlen, int=
 set_do)
- {=20
-   unsigned char *lenp, *datap, *p;
-   int rdlen, is_sign;
-@@ -508,7 +508,7 @@ static size_t add_pseudoheader(struct dns_header *header=
, size_t plen, unsigned
- 	return plen;
-       *p++ =3D 0; /* empty name */
-       PUTSHORT(T_OPT, p);
--      PUTSHORT(SAFE_PKTSZ, p); /* max packet length, this will be overwritt=
en */
-+      PUTSHORT(udp_sz, p); /* max packet length, 512 if not given in EDNS0 =
header */
-       PUTSHORT(0, p);    /* extended RCODE and version */
-       PUTSHORT(set_do ? 0x8000 : 0, p); /* DO flag */
-       lenp =3D p;
-@@ -594,7 +594,7 @@ static int filter_mac(int family, char *addrp, char *mac=
, size_t maclen, void *p
-   if (!match)
-     return 1; /* continue */
-=20
--  parm->plen =3D add_pseudoheader(parm->header, parm->plen, parm->limit,  E=
DNS0_OPTION_MAC, (unsigned char *)mac, maclen, 0);
-+  parm->plen =3D add_pseudoheader(parm->header, parm->plen, parm->limit, PA=
CKETSZ, EDNS0_OPTION_MAC, (unsigned char *)mac, maclen, 0);
-  =20
-   return 0; /* done */
- }	     =20
-@@ -603,12 +603,6 @@ size_t add_mac(struct dns_header *header, size_t plen, =
char *limit, union mysock
- {
-   struct macparm parm;
-     =20
--/* Must have an existing pseudoheader as the only ar-record,=20
--   or have no ar-records. Must also not be signed */
--  =20
--  if (ntohs(header->arcount) > 1)
--    return plen;
--
-   parm.header =3D header;
-   parm.limit =3D (unsigned char *)limit;
-   parm.plen =3D plen;
-@@ -699,13 +693,13 @@ size_t add_source_addr(struct dns_header *header, size=
_t plen, char *limit, unio
-   struct subnet_opt opt;
-  =20
-   len =3D calc_subnet_opt(&opt, source);
--  return add_pseudoheader(header, plen, (unsigned char *)limit, EDNS0_OPTIO=
N_CLIENT_SUBNET, (unsigned char *)&opt, len, 0);
-+  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, E=
DNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0);
- }
-=20
- #ifdef HAVE_DNSSEC
- size_t add_do_bit(struct dns_header *header, size_t plen, char *limit)
- {
--  return add_pseudoheader(header, plen, (unsigned char *)limit, 0, NULL, 0,=
 1);
-+  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, 0=
, NULL, 0, 1);
- }
- #endif
-=20
-@@ -1525,16 +1519,16 @@ static unsigned long crec_ttl(struct crec *crecp, ti=
me_t now)
- /* return zero if we can't answer from cache, or packet size if we can */
- size_t answer_request(struct dns_header *header, char *limit, size_t qlen, =
=20
- 		      struct in_addr local_addr, struct in_addr local_netmask,=20
--		      time_t now, int *ad_reqd, int *do_bit)=20
-+		      time_t now, int ad_reqd, int do_bit, int have_pseudoheader)=20
- {
-   char *name =3D daemon->namebuff;
--  unsigned char *p, *ansp, *pheader;
-+  unsigned char *p, *ansp;
-   unsigned int qtype, qclass;
-   struct all_addr addr;
-   int nameoffset;
-   unsigned short flag;
-   int q, ans, anscount =3D 0, addncount =3D 0;
--  int dryrun =3D 0, sec_reqd =3D 0, have_pseudoheader =3D 0;
-+  int dryrun =3D 0;
-   struct crec *crecp;
-   int nxdomain =3D 0, auth =3D 1, trunc =3D 0, sec_data =3D 1;
-   struct mx_srv_record *rec;
-@@ -1550,35 +1544,11 @@ size_t answer_request(struct dns_header *header, cha=
r *limit, size_t qlen,
-   if (header->hb4 & HB4_CD)
-     sec_data =3D 0;
-  =20
--  /* RFC 6840 5.7 */
--  *ad_reqd =3D header->hb4 & HB4_AD;
--  *do_bit =3D 0;
--
-   /* If there is an  additional data section then it will be overwritten by
-      partial replies, so we have to do a dry run to see if we can answer
-      the query. */
--
-   if (ntohs(header->arcount) !=3D 0)
--    {
--      dryrun =3D 1;
--
--      /* If there's an additional section, there might be an EDNS(0) pseudo=
header */
--      if (find_pseudoheader(header, qlen, NULL, &pheader, NULL))
--	{=20
--	  unsigned short flags;
--	 =20
--	  have_pseudoheader =3D 1;
--	 =20
--	  pheader +=3D 4; /* udp size, ext_rcode */
--	  GETSHORT(flags, pheader);
--	 =20
--	  if ((sec_reqd =3D flags & 0x8000))
--	    {
--	      *do_bit =3D 1;/* do bit */=20
--	      *ad_reqd =3D 1;
--	    }
--	}
--    }
-+    dryrun =3D 1;
-=20
-   for (rec =3D daemon->mxnames; rec; rec =3D rec->next)
-     rec->offset =3D 0;
-@@ -1603,11 +1573,6 @@ size_t answer_request(struct dns_header *header, char=
 *limit, size_t qlen,
-       GETSHORT(qtype, p);=20
-       GETSHORT(qclass, p);
-=20
--      /* Don't filter RRSIGS from answers to ANY queries, even if do-bit
--	 not set. */
--      if (qtype =3D=3D T_ANY)
--	*do_bit =3D 1;
--
-       ans =3D 0; /* have we answered this question */
-      =20
-       if (qtype =3D=3D T_TXT || qtype =3D=3D T_ANY)
-@@ -1739,7 +1704,7 @@ size_t answer_request(struct dns_header *header, char =
*limit, size_t qlen,
- 		     the zone is unsigned, which implies that we're doing
- 		     validation. */
- 		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||=20
--		      !sec_reqd ||=20
-+		      !do_bit ||=20
- 		      (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
- 		    {
- 		      do=20
-@@ -1927,7 +1892,7 @@ size_t answer_request(struct dns_header *header, char =
*limit, size_t qlen,
- 		    }
-=20
- 		  /* If the client asked for DNSSEC  don't use cached data. */
--		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !sec_reqd || !(cr=
ecp->flags & F_DNSSECOK))
-+		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crec=
p->flags & F_DNSSECOK))
- 		    do
- 		      {=20
- 			/* don't answer wildcard queries with data not from /etc/hosts
-@@ -1961,17 +1926,12 @@ size_t answer_request(struct dns_header *header, cha=
r *limit, size_t qlen,
- 		=09
- 			if (crecp->flags & F_NEG)
- 			  {
--			    /* We don't cache NSEC records, so if a DNSSEC-validated negative an=
swer
--			       is cached and the client wants DNSSEC, forward rather than answer=
ing from the cache */
--			    if (!sec_reqd || !(crecp->flags & F_DNSSECOK))
--			      {
--				ans =3D 1;
--				auth =3D 0;
--				if (crecp->flags & F_NXDOMAIN)
--				  nxdomain =3D 1;
--				if (!dryrun)
--				  log_query(crecp->flags, name, NULL, NULL);
--			      }
-+			    ans =3D 1;
-+			    auth =3D 0;
-+			    if (crecp->flags & F_NXDOMAIN)
-+			      nxdomain =3D 1;
-+			    if (!dryrun)
-+			      log_query(crecp->flags, name, NULL, NULL);
- 			  }
- 			else=20
- 			  {
-@@ -2209,10 +2169,11 @@ size_t answer_request(struct dns_header *header, cha=
r *limit, size_t qlen,
-=20
-   len =3D ansp - (unsigned char *)header;
-  =20
-+  /* Advertise our packet size limit in our reply */
-   if (have_pseudoheader)
--    len =3D add_pseudoheader(header, len, (unsigned char *)limit, 0, NULL, =
0, sec_reqd);
-+    len =3D add_pseudoheader(header, len, (unsigned char *)limit, daemon->e=
dns_pktsz, 0, NULL, 0, do_bit);
-  =20
--  if (*ad_reqd && sec_data)
-+  if (ad_reqd && sec_data)
-     header->hb4 |=3D HB4_AD;
-   else
-     header->hb4 &=3D ~HB4_AD;
-diff --git a/src/rrfilter.c b/src/rrfilter.c
-index ae12261..b26b39f 100644
---- a/src/rrfilter.c
-+++ b/src/rrfilter.c
-@@ -243,7 +243,7 @@ size_t rrfilter(struct dns_header *header, size_t plen, =
int mode)
-   for (p =3D rrs[0], i =3D 1; i < rr_found; i +=3D 2)
-     {
-       unsigned char *start =3D rrs[i];
--      unsigned char *end =3D (i !=3D rr_found - 1) ? rrs[i+1] : ((unsigned =
char *)(header+1)) + plen;
-+      unsigned char *end =3D (i !=3D rr_found - 1) ? rrs[i+1] : ((unsigned =
char *)header) + plen;
-      =20
-       memmove(p, start, end-start);
-       p +=3D end-start;
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/026-More_tweaks_in_handling_unknown_DNSSEC_a=
lgorithms.patch b/src/patches/dnsmasq/026-More_tweaks_in_handling_unknown_DNS=
SEC_algorithms.patch
deleted file mode 100644
index 910921b..0000000
--- a/src/patches/dnsmasq/026-More_tweaks_in_handling_unknown_DNSSEC_algorith=
ms.patch
+++ /dev/null
@@ -1,262 +0,0 @@
-From d67ecac59d58f249707d26e38d49c29b552af4d8 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Sun, 20 Dec 2015 20:44:23 +0000
-Subject: [PATCH] More tweaks in handling unknown DNSSEC algorithms.
-
----
- src/dnssec.c |  128 +++++++++++++++++++++++++++++--------------------------=
---
- 1 file changed, 63 insertions(+), 65 deletions(-)
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 299ca64..e09f304 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -70,7 +70,17 @@ static char *algo_digest_name(int algo)
-     default: return NULL;
-     }
- }
--     =20
-+ =20
-+/* http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-par=
ameters.xhtml */
-+static char *nsec3_digest_name(int digest)
-+{
-+  switch (digest)
-+    {
-+    case 1: return "sha1";
-+    default: return NULL;
-+    }
-+}
-+=20
- /* Find pointer to correct hash function in nettle library */
- static const struct nettle_hash *hash_find(char *name)
- {
-@@ -667,7 +677,6 @@ static int explore_rrset(struct dns_header *header, size=
_t plen, int class, int
-   static int rrset_sz =3D 0, sig_sz =3D 0;=20
-   unsigned char *p;
-   int rrsetidx, sigidx, j, rdlen, res;
--  int name_labels =3D count_labels(name); /* For 4035 5.3.2 check */
-   int gotkey =3D 0;
-=20
-   if (!(p =3D skip_questions(header, plen)))
-@@ -678,7 +687,7 @@ static int explore_rrset(struct dns_header *header, size=
_t plen, int class, int
-        j !=3D 0; j--)=20
-     {
-       unsigned char *pstart, *pdata;
--      int stype, sclass, algo, type_covered, labels, sig_expiration, sig_in=
ception;
-+      int stype, sclass, type_covered;
-=20
-       pstart =3D p;
-      =20
-@@ -712,12 +721,7 @@ static int explore_rrset(struct dns_header *header, siz=
e_t plen, int class, int
- 		return 0; /* bad packet */=20
- 	     =20
- 	      GETSHORT(type_covered, p);
--	      algo =3D *p++;
--	      labels =3D *p++;
--	      p +=3D 4; /* orig_ttl */
--	      GETLONG(sig_expiration, p);
--	      GETLONG(sig_inception, p);
--	      p +=3D 2; /* key_tag */
-+	      p +=3D 16; /* algo, labels, orig_ttl, sig_expiration, sig_inception,=
 key_tag */
- 	     =20
- 	      if (gotkey)
- 		{
-@@ -749,11 +753,8 @@ static int explore_rrset(struct dns_header *header, siz=
e_t plen, int class, int
- 		    }
- 		}
- 		 =20
--	      /* Don't count signatures for algos we don't support */
--	      if (check_date_range(sig_inception, sig_expiration) &&
--		  labels <=3D name_labels &&
--		  type_covered =3D=3D type &&=20
--		  verify_func(algo))
-+	     =20
-+	      if (type_covered =3D=3D type)
- 		{
- 		  if (!expand_workspace(&sigs, &sig_sz, sigidx))
- 		    return 0;=20
-@@ -795,7 +796,7 @@ static int validate_rrset(time_t now, struct dns_header =
*header, size_t plen, in
- 			  char *name, char *keyname, char **wildcard_out, struct blockdata *key,=
 int keylen, int algo_in, int keytag_in)
- {
-   unsigned char *p;
--  int rdlen, j, name_labels;
-+  int rdlen, j, name_labels, sig_expiration, sig_inception;
-   struct crec *crecp =3D NULL;
-   int algo, labels, orig_ttl, key_tag;
-   u16 *rr_desc =3D rrfilter_desc(type);
-@@ -828,13 +829,16 @@ static int validate_rrset(time_t now, struct dns_heade=
r *header, size_t plen, in
-       algo =3D *p++;
-       labels =3D *p++;
-       GETLONG(orig_ttl, p);
--      p +=3D 8; /* sig_expiration, sig_inception already checked */
-+      GETLONG(sig_expiration, p);
-+      GETLONG(sig_inception, p);
-       GETSHORT(key_tag, p);
-      =20
-       if (!extract_name(header, plen, &p, keyname, 1, 0))
- 	return STAT_BOGUS;
-=20
--      if (!(hash =3D hash_find(algo_digest_name(algo))) ||
-+      if (!check_date_range(sig_inception, sig_expiration) ||
-+	  labels > name_labels ||
-+	  !(hash =3D hash_find(algo_digest_name(algo))) ||
- 	  !hash_init(hash, &ctx, &digest))
- 	continue;
-      =20
-@@ -1112,7 +1116,10 @@ int dnssec_validate_by_ds(time_t now, struct dns_head=
er *header, size_t plen, ch
- 		      else
- 			{
- 			  a.addr.keytag =3D keytag;
--			  log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag =
%u");
-+			  if (verify_func(algo))
-+			    log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keyta=
g %u");
-+			  else
-+			    log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keyta=
g %u (not supported)");
- 			 =20
- 			  recp1->addr.key.keylen =3D rdlen - 4;
- 			  recp1->addr.key.keydata =3D key;
-@@ -1235,7 +1242,11 @@ int dnssec_validate_ds(time_t now, struct dns_header =
*header, size_t plen, char
- 		  else
- 		    {
- 		      a.addr.keytag =3D keytag;
--		      log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %=
u");
-+		      if (hash_find(ds_digest_name(digest)) && verify_func(algo))
-+			log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %u");
-+		      else
-+			log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %u (no=
t supported)");
-+		     =20
- 		      crecp->addr.ds.digest =3D digest;
- 		      crecp->addr.ds.keydata =3D key;
- 		      crecp->addr.ds.algo =3D algo;
-@@ -1660,7 +1671,7 @@ static int prove_non_existence_nsec3(struct dns_header=
 *header, size_t plen, uns
-     *nons =3D 1;
-  =20
-   /* Look though the NSEC3 records to find the first one with=20
--     an algorithm we support (currently only algo =3D=3D 1).
-+     an algorithm we support.
-=20
-      Take the algo, iterations, and salt of that record
-      as the ones we're going to use, and prune any=20
-@@ -1674,7 +1685,7 @@ static int prove_non_existence_nsec3(struct dns_header=
 *header, size_t plen, uns
-       p +=3D 10; /* type, class, TTL, rdlen */
-       algo =3D *p++;
-      =20
--      if (algo =3D=3D 1)
-+      if ((hash =3D hash_find(nsec3_digest_name(algo))))
- 	break; /* known algo */
-     }
-=20
-@@ -1724,10 +1735,6 @@ static int prove_non_existence_nsec3(struct dns_heade=
r *header, size_t plen, uns
-       nsecs[i] =3D nsec3p;
-     }
-=20
--  /* Algo is checked as 1 above */
--  if (!(hash =3D hash_find("sha1")))
--    return 0;
--
-   if ((digest_len =3D hash_name(name, &digest, hash, salt, salt_len, iterat=
ions)) =3D=3D 0)
-     return 0;
-  =20
-@@ -1843,8 +1850,10 @@ static int prove_non_existence(struct dns_header *hea=
der, size_t plen, char *key
-  =20
-   if (type_found =3D=3D T_NSEC)
-     return prove_non_existence_nsec(header, plen, nsecset, nsecs_found, dae=
mon->workspacename, keyname, name, qtype, nons);
--  else
-+  else if (type_found =3D=3D T_NSEC3)
-     return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, da=
emon->workspacename, keyname, name, qtype, wildname, nons);
-+  else
-+    return 0;
- }
-=20
- /* Check signing status of name.
-@@ -1857,7 +1866,7 @@ static int prove_non_existence(struct dns_header *head=
er, size_t plen, char *key
- */
- static int zone_status(char *name, int class, char *keyname, time_t now)
- {
--  int secure_ds, name_start =3D strlen(name);
-+  int name_start =3D strlen(name);
-   struct crec *crecp;
-   char *p;
-  =20
-@@ -1867,51 +1876,40 @@ static int zone_status(char *name, int class, char *=
keyname, time_t now)
-      =20
-       if (!(crecp =3D cache_find_by_name(NULL, keyname, now, F_DS)))
- 	return STAT_NEED_DS;
-+     =20
-+       /* F_DNSSECOK misused in DS cache records to non-existance of NS rec=
ord.
-+	  F_NEG && !F_DNSSECOK implies that we've proved there's no DS record here,
-+	  but that's because there's no NS record either, ie this isn't the start
-+	  of a zone. We only prove that the DNS tree below a node is unsigned when
-+	  we prove that we're at a zone cut AND there's no DS record. */
-+      if (crecp->flags & F_NEG)
-+	{
-+	  if (crecp->flags & F_DNSSECOK)
-+	    return STAT_INSECURE; /* proved no DS here */
-+	}
-       else
- 	{
--	  secure_ds =3D 0;
--	 =20
-+	  int gotone =3D 0;
-+
-+	  /* If all the DS records have digest and/or sig algos we don't support,
-+	     then the zone is insecure. Note that if an algo
-+	     appears in the DS, then RRSIGs for that algo MUST
-+	     exist for each RRset: 4035 para 2.2  So if we find
-+	     a DS here with digest and sig we can do, we're entitled
-+	     to assume we can validate the zone and if we can't later,
-+	     because an RRSIG is missing we return BOGUS.
-+	  */
- 	  do=20
- 	    {
--	      if (crecp->uid =3D=3D (unsigned int)class)
--		{
--		  /* F_DNSSECOK misused in DS cache records to non-existance of NS record.
--		     F_NEG && !F_DNSSECOK implies that we've proved there's no DS record =
here,
--		     but that's because there's no NS record either, ie this isn't the st=
art
--		     of a zone. We only prove that the DNS tree below a node is unsigned =
when
--		     we prove that we're at a zone cut AND there's no DS record.
--		  */	 =20
--		  if (crecp->flags & F_NEG)
--		    {
--		      if (crecp->flags & F_DNSSECOK)
--			return STAT_INSECURE; /* proved no DS here */
--		    }
--		  else if (!hash_find(ds_digest_name(crecp->addr.ds.digest)) || !verify_f=
unc(crecp->addr.ds.algo))
--		    return STAT_INSECURE; /* algo we can't use - insecure */
--		  else
--		    secure_ds =3D 1;
--		}
-+	      if (crecp->uid =3D=3D (unsigned int)class &&
-+		  hash_find(ds_digest_name(crecp->addr.ds.digest)) &&
-+		  verify_func(crecp->addr.ds.algo))
-+		gotone =3D 1;
- 	    }
- 	  while ((crecp =3D cache_find_by_name(crecp, keyname, now, F_DS)));
--	}
--
--      if (secure_ds)
--	{
--	  /* We've found only DS records that attest to the DNSKEY RRset in the zo=
ne, so we believe
--	     that RRset is good. Furthermore the DNSKEY whose hash is proved by th=
e DS record is
--	     one we can use. However the DNSKEY RRset may contain more than one ke=
y and
--	     one of the other keys may use an algorithm we don't support. If that'=
s=20
--	     the case the zone is insecure for us. */
--	 =20
--	  if (!(crecp =3D cache_find_by_name(NULL, keyname, now, F_DNSKEY)))
--	    return STAT_NEED_KEY;
-=20
--	  do=20
--	    {
--	      if (crecp->uid =3D=3D (unsigned int)class && !verify_func(crecp->add=
r.key.algo))
--		return STAT_INSECURE;
--	    }
--	  while ((crecp =3D cache_find_by_name(crecp, keyname, now, F_DNSKEY)));
-+	  if (!gotone)
-+	    return STAT_INSECURE;
- 	}
-=20
-       if (name_start =3D=3D 0)
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/027-Nasty_rare_and_obscure_off-by-one_in_DNS=
SEC_hostname_cmp.patch b/src/patches/dnsmasq/027-Nasty_rare_and_obscure_off-b=
y-one_in_DNSSEC_hostname_cmp.patch
deleted file mode 100644
index 031339e..0000000
--- a/src/patches/dnsmasq/027-Nasty_rare_and_obscure_off-by-one_in_DNSSEC_hos=
tname_cmp.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 3e86d316c4bb406ed813aa5256615c8a95cac6d8 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Sun, 20 Dec 2015 20:50:05 +0000
-Subject: [PATCH] Nasty, rare and obscure off-by-one in DNSSEC hostname_cmp().
-
----
- src/dnssec.c |    4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index e09f304..29848e1 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -1394,8 +1394,8 @@ static int hostname_cmp(const char *a, const char *b)
-       if (sb =3D=3D b)
- 	return 1;
-      =20
--      ea =3D sa--;
--      eb =3D sb--;
-+      ea =3D --sa;
-+      eb =3D --sb;
-     }
- }
-=20
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/028-Minor_tweak_to_previous_commit.patch b/s=
rc/patches/dnsmasq/028-Minor_tweak_to_previous_commit.patch
deleted file mode 100644
index f3758fc..0000000
--- a/src/patches/dnsmasq/028-Minor_tweak_to_previous_commit.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From a86fdf437ecc29398f9715ceb5240442a17ac014 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Sun, 20 Dec 2015 21:19:20 +0000
-Subject: [PATCH] Minor tweak to previous commit.
-
----
- src/dnssec.c |    6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 29848e1..9fa64b6 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -1889,8 +1889,6 @@ static int zone_status(char *name, int class, char *ke=
yname, time_t now)
- 	}
-       else
- 	{
--	  int gotone =3D 0;
--
- 	  /* If all the DS records have digest and/or sig algos we don't support,
- 	     then the zone is insecure. Note that if an algo
- 	     appears in the DS, then RRSIGs for that algo MUST
-@@ -1904,11 +1902,11 @@ static int zone_status(char *name, int class, char *=
keyname, time_t now)
- 	      if (crecp->uid =3D=3D (unsigned int)class &&
- 		  hash_find(ds_digest_name(crecp->addr.ds.digest)) &&
- 		  verify_func(crecp->addr.ds.algo))
--		gotone =3D 1;
-+		break;
- 	    }
- 	  while ((crecp =3D cache_find_by_name(crecp, keyname, now, F_DS)));
-=20
--	  if (!gotone)
-+	  if (!crecp)
- 	    return STAT_INSECURE;
- 	}
-=20
---=20
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/029-NSEC3_check_RFC5155_para_8_2.patch b/src=
/patches/dnsmasq/029-NSEC3_check_RFC5155_para_8_2.patch
deleted file mode 100644
index 33219d2..0000000
--- a/src/patches/dnsmasq/029-NSEC3_check_RFC5155_para_8_2.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From ce5732e84fc46d7f99c152f736cfb4ef5ec98a01 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon(a)thekelleys.org.uk>
-Date: Sun, 20 Dec 2015 21:39:19 +0000
-Subject: [PATCH] NSEC3 check: RFC5155 para 8.2
-
----
- src/dnssec.c |    8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 9fa64b6..486e422 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -1704,7 +1704,7 @@ static int prove_non_existence_nsec3(struct dns_header=
 *header, size_t plen, uns
-   for (i =3D 0; i < nsec_count; i++)
-     {
-       unsigned char *nsec3p =3D nsecs[i];
--      int this_iter;
-+      int this_iter, flags;
-=20
-       nsecs[i] =3D NULL; /* Speculative, will be restored if OK. */
-      =20
-@@ -1716,8 +1716,12 @@ static int prove_non_existence_nsec3(struct dns_heade=
r *header, size_t plen, uns
-       if (*p++ !=3D algo)
- 	continue;
- =20
--      p++; /* flags */
-+      flags =3D *p++; /* flags */
-      =20
-+      /* 5155 8.2 */
-+      if (flags !=3D 0 && flags !=3D 1)
-+	continue;
-+
-       GETSHORT(this_iter, p);
-       if (this_iter !=3D iterations)
- 	continue;
---=20
-1.7.10.4
-
--=20
2.7.2


--===============8339380555630392447==--