Merge branch 'feature/configure-outbound_msg_retry' of git://github.com/countsudoku/unbound into countsudoku-feature/configure-outbound_msg_retry

doc/Changelog

@@ -1,3 +1,7 @@
+8 September 2021: Wouter
+	- Merged #41 from Moritz Schneider: made outbound-msg-retry
+	  configurable.
+
 3 September 2021: Wouter
 	- Fix #538: Fix subnetcache statistics.
 

doc/unbound.conf.5.in

@@ -1704,6 +1704,11 @@ This can make ordinary queries complete (if repeatedly queried for),
 and enter the cache, whilst also mitigating the traffic flow by the
 factor given.
 .TP 5
+.B outbound\-msg\-retry: \fI<number>
+The number of retries unbound will do in case of a non positive response is
+received. If a forward nameserver is used, this is the number of retries per
+forward nameserver in case of throwaway response.
+.TP 5
 .B fast\-server\-permil: \fI<number>
 Specify how many times out of 1000 to pick from the set of fastest servers.
 0 turns the feature off.  A value of 900 would pick from the fastest

iterator/iter_utils.c

@@ -4,22 +4,22 @@
  * Copyright (c) 2007, NLnet Labs. All rights reserved.
  *
  * This software is open source.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
- * 
+ *
  * Redistributions of source code must retain the above copyright notice,
  * this list of conditions and the following disclaimer.
- * 
+ *
  * Redistributions in binary form must reproduce the above copyright notice,
  * this list of conditions and the following disclaimer in the documentation
  * and/or other materials provided with the distribution.
- * 
+ *
  * Neither the name of the NLNET LABS nor the names of its contributors may
  * be used to endorse or promote products derived from this software without
  * specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
@@ -37,7 +37,7 @@
  * \file
  *
  * This file contains functions to assist the iterator module.
- * Configuration options. Forward zones. 
+ * Configuration options. Forward zones.
  */
 #include "config.h"
 #include "iterator/iter_utils.h"
@@ -141,7 +141,7 @@ caps_white_apply_cfg(rbtree_type* ntree, struct config_file* cfg)
 	return 1;
 }
 
-int 
+int
 iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
 {
 	int i;
@@ -151,7 +151,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
 	for(i=0; i<iter_env->max_dependency_depth+1; i++)
 		verbose(VERB_QUERY, "target fetch policy for level %d is %d",
 			i, iter_env->target_fetch_policy[i]);
-	
+
 	if(!iter_env->donotq)
 		iter_env->donotq = donotq_create();
 	if(!iter_env->donotq || !donotq_apply_cfg(iter_env->donotq, cfg)) {
@@ -176,6 +176,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
 	}
 	iter_env->supports_ipv6 = cfg->do_ip6;
 	iter_env->supports_ipv4 = cfg->do_ip4;
+	iter_env->outbound_msg_retry = cfg->outbound_msg_retry;
 	return 1;
 }
 
@@ -212,7 +213,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
  *		dnsseclame servers get penalty
  *	USEFUL_SERVER_TOP_TIMEOUT*3 ..
  *		recursion lame servers get penalty
- *	UNKNOWN_SERVER_NICENESS 
+ *	UNKNOWN_SERVER_NICENESS
  *		If no information is known about the server, this is
  *		returned. 376 msec or so.
  *	+BLACKLIST_PENALTY (of USEFUL_TOP_TIMEOUT*4) for dnssec failed IPs.
@@ -221,11 +222,11 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
  * is turned off (so we do not discard the reply).
  * When a final value is chosen that is recursionlame; RD bit is set on query.
  * Because of the numbers this means recursionlame also have dnssec lameness
- * checking turned off. 
+ * checking turned off.
  */
 static int
 iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env,
-	uint8_t* name, size_t namelen, uint16_t qtype, time_t now, 
+	uint8_t* name, size_t namelen, uint16_t qtype, time_t now,
 	struct delegpt_addr* a)
 {
 	int rtt, lame, reclame, dnsseclame;
@@ -243,8 +244,8 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env,
 		return -1; /* there is no ip4 available */
 	}
 	/* check lameness - need zone , class info */
-	if(infra_get_lame_rtt(env->infra_cache, &a->addr, a->addrlen, 
+	if(infra_get_lame_rtt(env->infra_cache, &a->addr, a->addrlen,
-		name, namelen, qtype, &lame, &dnsseclame, &reclame, 
+		name, namelen, qtype, &lame, &dnsseclame, &reclame,
 		&rtt, now)) {
 		log_addr(VERB_ALGO, "servselect", &a->addr, a->addrlen);
 		verbose(VERB_ALGO, "   rtt=%d%s%s%s%s", rtt,
@@ -282,7 +283,7 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env,
 /** lookup RTT information, and also store fastest rtt (if any) */
 static int
 iter_fill_rtt(struct iter_env* iter_env, struct module_env* env,
-	uint8_t* name, size_t namelen, uint16_t qtype, time_t now, 
+	uint8_t* name, size_t namelen, uint16_t qtype, time_t now,
 	struct delegpt* dp, int* best_rtt, struct sock_list* blacklist,
 	size_t* num_suitable_results)
 {
@@ -293,7 +294,7 @@ iter_fill_rtt(struct iter_env* iter_env, struct module_env* env,
 	if(dp->bogus)
 		return 0; /* NS bogus, all bogus, nothing found */
 	for(a=dp->result_list; a; a = a->next_result) {
-		a->sel_rtt = iter_filter_unsuitable(iter_env, env, 
+		a->sel_rtt = iter_filter_unsuitable(iter_env, env,
 			name, namelen, qtype, now, a);
 		if(a->sel_rtt != -1) {
 			if(sock_list_find(blacklist, &a->addr, a->addrlen))
@@ -329,7 +330,7 @@ nth_rtt(struct delegpt_addr* result_list, size_t num_results, size_t n)
 	int rtt_band;
 	size_t i;
 	int* rtt_list, *rtt_index;
-	
+
 	if(num_results < 1 || n >= num_results) {
 		return -1;
 	}
@@ -361,8 +362,8 @@ nth_rtt(struct delegpt_addr* result_list, size_t num_results, size_t n)
  * returns number of best targets (or 0, no suitable targets) */
 static int
 iter_filter_order(struct iter_env* iter_env, struct module_env* env,
-	uint8_t* name, size_t namelen, uint16_t qtype, time_t now, 
+	uint8_t* name, size_t namelen, uint16_t qtype, time_t now,
-	struct delegpt* dp, int* selected_rtt, int open_target, 
+	struct delegpt* dp, int* selected_rtt, int open_target,
 	struct sock_list* blacklist, time_t prefetch)
 {
 	int got_num = 0, low_rtt = 0, swap_to_front, rtt_band = RTT_BAND, nth;
@@ -370,9 +371,9 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
 	struct delegpt_addr* a, *n, *prev=NULL;
 
 	/* fillup sel_rtt and find best rtt in the bunch */
-	got_num = iter_fill_rtt(iter_env, env, name, namelen, qtype, now, dp, 
+	got_num = iter_fill_rtt(iter_env, env, name, namelen, qtype, now, dp,
 		&low_rtt, blacklist, &num_results);
-	if(got_num == 0) 
+	if(got_num == 0)
 		return 0;
 	if(low_rtt >= USEFUL_SERVER_TOP_TIMEOUT &&
 		(delegpt_count_missing_targets(dp) > 0 || open_target > 0)) {
@@ -548,9 +549,9 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
 	return got_num;
 }
 
-struct delegpt_addr* 
+struct delegpt_addr*
-iter_server_selection(struct iter_env* iter_env, 
+iter_server_selection(struct iter_env* iter_env,
-	struct module_env* env, struct delegpt* dp, 
+	struct module_env* env, struct delegpt* dp,
 	uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_lame,
 	int* chase_to_rd, int open_target, struct sock_list* blacklist,
 	time_t prefetch)
@@ -592,7 +593,7 @@ iter_server_selection(struct iter_env* iter_env,
 
 	if(num == 1) {
 		a = dp->result_list;
-		if(++a->attempts < OUTBOUND_MSG_RETRY)
+		if(++a->attempts < iter_env->outbound_msg_retry)
 			return a;
 		dp->result_list = a->next_result;
 		return a;
@@ -602,7 +603,7 @@ iter_server_selection(struct iter_env* iter_env,
 	log_assert(num > 1);
 	/* grab secure random number, to pick unexpected server.
 	 * also we need it to be threadsafe. */
-	sel = ub_random_max(env->rnd, num); 
+	sel = ub_random_max(env->rnd, num);
 	a = dp->result_list;
 	prev = NULL;
 	while(sel > 0 && a) {
@@ -612,7 +613,7 @@ iter_server_selection(struct iter_env* iter_env,
 	}
 	if(!a)  /* robustness */
 		return NULL;
-	if(++a->attempts < OUTBOUND_MSG_RETRY)
+	if(++a->attempts < iter_env->outbound_msg_retry)
 		return a;
 	/* remove it from the delegation point result list */
 	if(prev)
@@ -621,8 +622,8 @@ iter_server_selection(struct iter_env* iter_env,
 	return a;
 }
 
-struct dns_msg* 
+struct dns_msg*
-dns_alloc_msg(sldns_buffer* pkt, struct msg_parse* msg, 
+dns_alloc_msg(sldns_buffer* pkt, struct msg_parse* msg,
 	struct regional* region)
 {
 	struct dns_msg* m = (struct dns_msg*)regional_alloc(region,
@@ -637,7 +638,7 @@ dns_alloc_msg(sldns_buffer* pkt, struct msg_parse* msg,
 	return m;
 }
 
-struct dns_msg* 
+struct dns_msg*
 dns_copy_msg(struct dns_msg* from, struct regional* region)
 {
 	struct dns_msg* m = (struct dns_msg*)regional_alloc(region,
@@ -653,7 +654,7 @@ dns_copy_msg(struct dns_msg* from, struct regional* region)
 	return m;
 }
 
-void 
+void
 iter_dns_store(struct module_env* env, struct query_info* msgqinf,
 	struct reply_info* msgrep, int is_referral, time_t leeway, int pside,
 	struct regional* region, uint16_t flags)
@@ -663,7 +664,7 @@ iter_dns_store(struct module_env* env, struct query_info* msgqinf,
 		log_err("out of memory: cannot store data in cache");
 }
 
-int 
+int
 iter_ns_probability(struct ub_randstate* rnd, int n, int m)
 {
 	int sel;
@@ -671,7 +672,7 @@ iter_ns_probability(struct ub_randstate* rnd, int n, int m)
 		return 1;
 	/* we do not need secure random numbers here, but
 	 * we do need it to be threadsafe, so we use this */
-	sel = ub_random_max(rnd, m); 
+	sel = ub_random_max(rnd, m);
 	return (sel < n);
 }
 
@@ -688,12 +689,12 @@ causes_cycle(struct module_qstate* qstate, uint8_t* name, size_t namelen,
 	qinf.local_alias = NULL;
 	fptr_ok(fptr_whitelist_modenv_detect_cycle(
 		qstate->env->detect_cycle));
-	return (*qstate->env->detect_cycle)(qstate, &qinf, 
+	return (*qstate->env->detect_cycle)(qstate, &qinf,
 		(uint16_t)(BIT_RD|BIT_CD), qstate->is_priming,
 		qstate->is_valrec);
 }
 
-void 
+void
 iter_mark_cycle_targets(struct module_qstate* qstate, struct delegpt* dp)
 {
 	struct delegpt_ns* ns;
@@ -701,21 +702,21 @@ iter_mark_cycle_targets(struct module_qstate* qstate, struct delegpt* dp)
 		if(ns->resolved)
 			continue;
 		/* see if this ns as target causes dependency cycle */
-		if(causes_cycle(qstate, ns->name, ns->namelen, 
+		if(causes_cycle(qstate, ns->name, ns->namelen,
 			LDNS_RR_TYPE_AAAA, qstate->qinfo.qclass) ||
-		   causes_cycle(qstate, ns->name, ns->namelen, 
+		   causes_cycle(qstate, ns->name, ns->namelen,
 			LDNS_RR_TYPE_A, qstate->qinfo.qclass)) {
 			log_nametypeclass(VERB_QUERY, "skipping target due "
 			 	"to dependency cycle (harden-glue: no may "
-				"fix some of the cycles)", 
+				"fix some of the cycles)",
-				ns->name, LDNS_RR_TYPE_A, 
+				ns->name, LDNS_RR_TYPE_A,
 				qstate->qinfo.qclass);
 			ns->resolved = 1;
 		}
 	}
 }
 
-void 
+void
 iter_mark_pside_cycle_targets(struct module_qstate* qstate, struct delegpt* dp)
 {
 	struct delegpt_ns* ns;
@@ -723,14 +724,14 @@ iter_mark_pside_cycle_targets(struct module_qstate* qstate, struct delegpt* dp)
 		if(ns->done_pside4 && ns->done_pside6)
 			continue;
 		/* see if this ns as target causes dependency cycle */
-		if(causes_cycle(qstate, ns->name, ns->namelen, 
+		if(causes_cycle(qstate, ns->name, ns->namelen,
 			LDNS_RR_TYPE_A, qstate->qinfo.qclass)) {
 			log_nametypeclass(VERB_QUERY, "skipping target due "
 			 	"to dependency cycle", ns->name,
 				LDNS_RR_TYPE_A, qstate->qinfo.qclass);
 			ns->done_pside4 = 1;
 		}
-		if(causes_cycle(qstate, ns->name, ns->namelen, 
+		if(causes_cycle(qstate, ns->name, ns->namelen,
 			LDNS_RR_TYPE_AAAA, qstate->qinfo.qclass)) {
 			log_nametypeclass(VERB_QUERY, "skipping target due "
 			 	"to dependency cycle", ns->name,
@@ -740,8 +741,8 @@ iter_mark_pside_cycle_targets(struct module_qstate* qstate, struct delegpt* dp)
 	}
 }
 
-int 
+int
-iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags, 
+iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
 	struct delegpt* dp)
 {
 	struct delegpt_ns* ns;
@@ -760,14 +761,14 @@ iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
 	/* either available or unused targets */
 	if(dp->usable_list || dp->result_list)
 		return 0;
-	
+
 	/* see if query is for one of the nameservers, which is glue */
 	if( (qinfo->qtype == LDNS_RR_TYPE_A ||
 		qinfo->qtype == LDNS_RR_TYPE_AAAA) &&
 		dname_subdomain_c(qinfo->qname, dp->name) &&
 		delegpt_find_ns(dp, qinfo->qname, qinfo->qname_len))
 		return 1;
-	
+
 	for(ns = dp->nslist; ns; ns = ns->next) {
 		if(ns->resolved) /* skip failed targets */
 			continue;
@@ -785,7 +786,7 @@ iter_qname_indicates_dnssec(struct module_env* env, struct query_info *qinfo)
 		return 0;
 	/* a trust anchor exists above the name? */
 	if((a=anchors_lookup(env->anchors, qinfo->qname, qinfo->qname_len,
-		qinfo->qclass))) { 
+		qinfo->qclass))) {
 		if(a->numDS == 0 && a->numDNSKEY == 0) {
 			/* insecure trust point */
 			lock_basic_unlock(&a->lock);
@@ -798,7 +799,7 @@ iter_qname_indicates_dnssec(struct module_env* env, struct query_info *qinfo)
 	return 0;
 }
 
-int 
+int
 iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
         struct dns_msg* msg, uint16_t dclass)
 {
@@ -842,7 +843,7 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
 	return 0;
 }
 
-int 
+int
 iter_msg_has_dnssec(struct dns_msg* msg)
 {
 	size_t i;
@@ -875,7 +876,7 @@ int iter_msg_from_zone(struct dns_msg* msg, struct delegpt* dp,
 		 * and referral to example.com. NS ... , then origin zone
 		 * is .com. For a referral to sub.example.com. NS ... then
 		 * we do not know, since example.com. may be in between. */
-		for(i=0; i<msg->rep->an_numrrsets+msg->rep->ns_numrrsets; 
+		for(i=0; i<msg->rep->an_numrrsets+msg->rep->ns_numrrsets;
 			i++) {
 			struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
 			if(ntohs(s->rk.type) == LDNS_RR_TYPE_NS &&
@@ -890,7 +891,7 @@ int iter_msg_from_zone(struct dns_msg* msg, struct delegpt* dp,
 		return 0;
 	}
 	log_assert(type==RESPONSE_TYPE_ANSWER || type==RESPONSE_TYPE_CNAME);
-	/* not a referral, and not lame delegation (upwards), so, 
+	/* not a referral, and not lame delegation (upwards), so,
 	 * any NS rrset must be from the zone itself */
 	if(reply_find_rrset_section_an(msg->rep, dp->name, dp->namelen,
 		LDNS_RR_TYPE_NS, dclass) ||
@@ -906,7 +907,7 @@ int iter_msg_from_zone(struct dns_msg* msg, struct delegpt* dp,
 }
 
 /**
- * check equality of two rrsets 
+ * check equality of two rrsets
  * @param k1: rrset
  * @param k2: rrset
  * @return true if equal
@@ -935,7 +936,7 @@ rrset_equal(struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2)
 	for(i=0; i<t; i++) {
 		if(d1->rr_len[i] != d2->rr_len[i] ||
 			/* no ttl check: d1->rr_ttl[i] != d2->rr_ttl[i] ||*/
-			memcmp(d1->rr_data[i], d2->rr_data[i], 
+			memcmp(d1->rr_data[i], d2->rr_data[i],
 				d1->rr_len[i]) != 0)
 			return 0;
 	}
@@ -966,7 +967,7 @@ rrset_canonical_sort_cmp(const void* x, const void* y)
 	return 0;
 }
 
-int 
+int
 reply_equal(struct reply_info* p, struct reply_info* q, struct regional* region)
 {
 	size_t i;
@@ -1024,7 +1025,7 @@ reply_equal(struct reply_info* p, struct reply_info* q, struct regional* region)
 	return 1;
 }
 
-void 
+void
 caps_strip_reply(struct reply_info* rep)
 {
 	size_t i;
@@ -1066,8 +1067,8 @@ int caps_failed_rcode(struct reply_info* rep)
 		FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN);
 }
 
-void 
+void
-iter_store_parentside_rrset(struct module_env* env, 
+iter_store_parentside_rrset(struct module_env* env,
 	struct ub_packed_rrset_key* rrset)
 {
 	struct rrset_ref ref;
@@ -1107,12 +1108,12 @@ iter_store_parentside_NS(struct module_env* env, struct reply_info* rep)
 	}
 }
 
-void iter_store_parentside_neg(struct module_env* env, 
+void iter_store_parentside_neg(struct module_env* env,
         struct query_info* qinfo, struct reply_info* rep)
 {
 	/* TTL: NS from referral in iq->deleg_msg,
 	 *      or first RR from iq->response,
-	 *      or servfail5secs if !iq->response */ 
+	 *      or servfail5secs if !iq->response */
 	time_t ttl = NORR_TTL;
 	struct ub_packed_rrset_key* neg;
 	struct packed_rrset_data* newd;
@@ -1133,7 +1134,7 @@ void iter_store_parentside_neg(struct module_env* env,
 	neg->rk.type = htons(qinfo->qtype);
 	neg->rk.rrset_class = htons(qinfo->qclass);
 	neg->rk.flags = 0;
-	neg->rk.dname = regional_alloc_init(env->scratch, qinfo->qname, 
+	neg->rk.dname = regional_alloc_init(env->scratch, qinfo->qname,
 		qinfo->qname_len);
 	if(!neg->rk.dname) {
 		log_err("out of memory in store_parentside_neg");
@@ -1141,7 +1142,7 @@ void iter_store_parentside_neg(struct module_env* env,
 	}
 	neg->rk.dname_len = qinfo->qname_len;
 	neg->entry.hash = rrset_key_hash(&neg->rk);
-	newd = (struct packed_rrset_data*)regional_alloc_zero(env->scratch, 
+	newd = (struct packed_rrset_data*)regional_alloc_zero(env->scratch,
 		sizeof(struct packed_rrset_data) + sizeof(size_t) +
 		sizeof(uint8_t*) + sizeof(time_t) + sizeof(uint16_t));
 	if(!newd) {
@@ -1166,13 +1167,13 @@ void iter_store_parentside_neg(struct module_env* env,
 	iter_store_parentside_rrset(env, neg);
 }
 
-int 
+int
 iter_lookup_parent_NS_from_cache(struct module_env* env, struct delegpt* dp,
 	struct regional* region, struct query_info* qinfo)
 {
 	struct ub_packed_rrset_key* akey;
-	akey = rrset_cache_lookup(env->rrset_cache, dp->name, 
+	akey = rrset_cache_lookup(env->rrset_cache, dp->name,
-		dp->namelen, LDNS_RR_TYPE_NS, qinfo->qclass, 
+		dp->namelen, LDNS_RR_TYPE_NS, qinfo->qclass,
 		PACKED_RRSET_PARENT_SIDE, *env->now, 0);
 	if(akey) {
 		log_rrset_key(VERB_ALGO, "found parent-side NS in cache", akey);
@@ -1195,8 +1196,8 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
 	size_t num = delegpt_count_targets(dp);
 	for(ns = dp->nslist; ns; ns = ns->next) {
 		/* get cached parentside A */
-		akey = rrset_cache_lookup(env->rrset_cache, ns->name, 
+		akey = rrset_cache_lookup(env->rrset_cache, ns->name,
-			ns->namelen, LDNS_RR_TYPE_A, qinfo->qclass, 
+			ns->namelen, LDNS_RR_TYPE_A, qinfo->qclass,
 			PACKED_RRSET_PARENT_SIDE, *env->now, 0);
 		if(akey) {
 			log_rrset_key(VERB_ALGO, "found parent-side", akey);
@@ -1207,8 +1208,8 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
 			lock_rw_unlock(&akey->entry.lock);
 		}
 		/* get cached parentside AAAA */
-		akey = rrset_cache_lookup(env->rrset_cache, ns->name, 
+		akey = rrset_cache_lookup(env->rrset_cache, ns->name,
-			ns->namelen, LDNS_RR_TYPE_AAAA, qinfo->qclass, 
+			ns->namelen, LDNS_RR_TYPE_AAAA, qinfo->qclass,
 			PACKED_RRSET_PARENT_SIDE, *env->now, 0);
 		if(akey) {
 			log_rrset_key(VERB_ALGO, "found parent-side", akey);
@@ -1223,8 +1224,8 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
 	return delegpt_count_targets(dp) != num;
 }
 
-int 
+int
-iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd, 
+iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd,
 	uint16_t* c)
 {
 	uint16_t c1 = *c, c2 = *c;
@@ -1246,7 +1247,7 @@ void
 iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z)
 {
 	/* Only the DS record for the delegation itself is expected.
-	 * We allow DS for everything between the bailiwick and the 
+	 * We allow DS for everything between the bailiwick and the
 	 * zonecut, thus DS records must be at or above the zonecut.
 	 * And the DS records must be below the server authority zone.
 	 * The answer section is already scrubbed. */
@@ -1260,7 +1261,7 @@ iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z)
 				s->rk.dname, ntohs(s->rk.type),
 				ntohs(s->rk.rrset_class));
 			memmove(msg->rep->rrsets+i, msg->rep->rrsets+i+1,
-				sizeof(struct ub_packed_rrset_key*) * 
+				sizeof(struct ub_packed_rrset_key*) *
 				(msg->rep->rrset_count-i-1));
 			msg->rep->ns_numrrsets--;
 			msg->rep->rrset_count--;
@@ -1284,11 +1285,11 @@ iter_scrub_nxdomain(struct dns_msg* msg)
 	msg->rep->an_numrrsets = 0;
 }
 
-void iter_dec_attempts(struct delegpt* dp, int d)
+void iter_dec_attempts(struct delegpt* dp, int d, size_t outbound_msg_retry)
 {
 	struct delegpt_addr* a;
 	for(a=dp->target_list; a; a = a->next_target) {
-		if(a->attempts >= OUTBOUND_MSG_RETRY) {
+		if(a->attempts >= outbound_msg_retry) {
 			/* add back to result list */
 			a->next_result = dp->result_list;
 			dp->result_list = a;
@@ -1299,7 +1300,7 @@ void iter_dec_attempts(struct delegpt* dp, int d)
 	}
 }
 
-void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old)
+void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old, size_t outbound_msg_retry)
 {
 	struct delegpt_addr* a, *o, *prev;
 	for(a=dp->target_list; a; a = a->next_target) {
@@ -1313,7 +1314,7 @@ void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old)
 	prev = NULL;
 	a = dp->usable_list;
 	while(a) {
-		if(a->attempts >= OUTBOUND_MSG_RETRY) {
+		if(a->attempts >= outbound_msg_retry) {
 			log_addr(VERB_ALGO, "remove from usable list dp",
 				&a->addr, a->addrlen);
 			/* remove from result list */

iterator/iter_utils.h

@@ -347,16 +347,19 @@ void iter_scrub_nxdomain(struct dns_msg* msg);
  * Remove query attempts from all available ips. For 0x20.
  * @param dp: delegpt.
  * @param d: decrease.
+ * @param outbound_msg_retry: number of retries of outgoing queries
  */
-void iter_dec_attempts(struct delegpt* dp, int d);
+void iter_dec_attempts(struct delegpt* dp, int d, size_t outbound_msg_retry);
 
 /**
  * Add retry counts from older delegpt to newer delegpt.
  * Does not waste time on timeout'd (or other failing) addresses.
  * @param dp: new delegationpoint.
  * @param old: old delegationpoint.
+ * @param outbound_msg_retry: number of retries of outgoing queries
  */
-void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old);
+void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old,
+	size_t outbound_msg_retry);
 
 /**
  * See if a DS response (type ANSWER) is too low: a nodata answer with 

iterator/iterator.c

@@ -2298,7 +2298,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 		iq->minimise_count++;
 		iq->timeout_count = 0;
 
-		iter_dec_attempts(iq->dp, 1);
+		iter_dec_attempts(iq->dp, 1, ie->outbound_msg_retry);
 
 		/* Limit number of iterations for QNAMEs with more
 		 * than MAX_MINIMISE_COUNT labels. Send first MINIMISE_ONE_LAB
@@ -2500,7 +2500,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 				(int)iq->caps_server+1, (int)naddr*3);
 			iq->response = iq->caps_response;
 			iq->caps_fallback = 0;
-			iter_dec_attempts(iq->dp, 3); /* space for fallback */
+			iter_dec_attempts(iq->dp, 3, ie->outbound_msg_retry); /* space for fallback */
 			iq->num_current_queries++; /* RespState decrements it*/
 			iq->referral_count++; /* make sure we don't loop */
 			iq->sent_count = 0;
@@ -2605,7 +2605,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 						(int)iq->caps_server+1);
 					iq->response = iq->caps_response;
 					iq->caps_fallback = 0;
-					iter_dec_attempts(iq->dp, 3); /* space for fallback */
+					iter_dec_attempts(iq->dp, 3, ie->outbound_msg_retry); /* space for fallback */
 					iq->num_current_queries++; /* RespState decrements it*/
 					iq->referral_count++; /* make sure we don't loop */
 					iq->sent_count = 0;
@@ -2732,7 +2732,7 @@ find_NS(struct reply_info* rep, size_t from, size_t to)
  */
 static int
 processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
-	int id)
+	int id, size_t outbound_msg_retry)
 {
 	int dnsseclame = 0;
 	enum response_type type;
@@ -3002,7 +3002,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		}
 		if(iq->store_parent_NS && query_dname_compare(iq->dp->name,
 			iq->store_parent_NS->name) == 0)
-			iter_merge_retry_counts(iq->dp, iq->store_parent_NS);
+			iter_merge_retry_counts(iq->dp, iq->store_parent_NS, outbound_msg_retry);
 		delegpt_log(VERB_ALGO, iq->dp);
 		/* Count this as a referral. */
 		iq->referral_count++;
@@ -3746,7 +3746,8 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
 				cont = processQueryTargets(qstate, iq, ie, id);
 				break;
 			case QUERY_RESP_STATE:
-				cont = processQueryResponse(qstate, iq, id);
+				cont = processQueryResponse(
+					qstate, iq, id, ie->outbound_msg_retry);
 				break;
 			case PRIME_RESP_STATE:
 				cont = processPrimeResponse(qstate, id);
@@ -3816,7 +3817,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 			iq->num_current_queries--;
 			/* need fresh attempts for the 0x20 fallback, if
 			 * that was the cause for the failure */
-			iter_dec_attempts(iq->dp, 3);
+			iter_dec_attempts(iq->dp, 3, ie->outbound_msg_retry);
 			verbose(VERB_DETAIL, "Capsforid: timeouts, starting fallback");
 			goto handle_it;
 		}

iterator/iterator.h

@@ -94,8 +94,6 @@ extern int UNKNOWN_SERVER_NICENESS;
  * Equals RTT_MAX_TIMEOUT
  */
 #define USEFUL_SERVER_TOP_TIMEOUT	120000
-/** number of retries on outgoing queries */
-#define OUTBOUND_MSG_RETRY 5
 /** RTT band, within this amount from the best, servers are chosen randomly.
  * Chosen so that the UNKNOWN_SERVER_NICENESS falls within the band of a 
  * fast server, this causes server exploration as a side benefit. msec. */
@@ -139,6 +137,9 @@ struct iter_env {
 	lock_basic_type queries_ratelimit_lock;
 	/** number of queries that have been ratelimited */
 	size_t num_queries_ratelimited;
+
+	/** number of retries on outgoing queries */
+	size_t outbound_msg_retry;
 };
 
 /**

testdata/fwd_error.rpl

@@ -9,7 +9,7 @@ SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
 ; But the pending query fails due to error (say TCP failure or malloc or ...)
-; This is iterator/iterator.h OUTBOUND_MSG_RETRY number of errors.
+; This is util/config_file.c outbound-msg-retry number of errors.
 STEP 2 ERROR
 STEP 3 ERROR
 STEP 4 ERROR

testdata/fwd_error_retries.rpl

@@ -0,0 +1,27 @@
+; config options
+server:
+	outbound-msg-retry: 1
+
+forward-zone:
+	name: "."
+	forward-addr: 216.0.0.1
+CONFIG_END
+SCENARIO_BEGIN Test basic forwarding with servfail and retry of 1
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+; query fails with servfail, now we make only outgoing-msg-retry=1 retries
+STEP 2 ERROR
+; returns servfail
+STEP 14 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH opcode qname qtype
+SECTION QUESTION
+REPLY SERVFAIL QR RD RA
+MATCH all
+www.example.com. IN A
+ENTRY_END
+SCENARIO_END

testdata/fwd_timeout.rpl

@@ -9,7 +9,7 @@ SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
 ; But the pending query times out!
-; OUTBOUND_MSG_RETRY times timeout.
+; outbound-msg-retry times timeout.
 STEP 2 TIMEOUT
 STEP 3 TIMEOUT
 STEP 4 TIMEOUT

util/config_file.c

@@ -328,6 +328,7 @@ config_create(void)
 	cfg->ratelimit_size = 4*1024*1024;
 	cfg->ratelimit_for_domain = NULL;
 	cfg->ratelimit_below_domain = NULL;
+	cfg->outbound_msg_retry = 5;
 	cfg->ip_ratelimit_factor = 10;
 	cfg->ratelimit_factor = 10;
 	cfg->qname_minimisation = 1;
@@ -752,6 +753,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_POW2("ratelimit-slabs:", ratelimit_slabs)
 	else S_NUMBER_OR_ZERO("ip-ratelimit-factor:", ip_ratelimit_factor)
 	else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
+	else S_SIZET_NONZERO("outbound-msg-retry", outbound_msg_retry)
 	else S_SIZET_NONZERO("fast-server-num:", fast_server_num)
 	else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil)
 	else S_YNO("qname-minimisation:", qname_minimisation)
@@ -1195,6 +1197,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LS2(opt, "ratelimit-below-domain", ratelimit_below_domain)
 	else O_DEC(opt, "ip-ratelimit-factor", ip_ratelimit_factor)
 	else O_DEC(opt, "ratelimit-factor", ratelimit_factor)
+	else O_UNS(opt, "outbound-msg-retry", outbound_msg_retry)
 	else O_DEC(opt, "fast-server-num", fast_server_num)
 	else O_DEC(opt, "fast-server-permil", fast_server_permil)
 	else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)

util/config_file.h

@@ -578,6 +578,8 @@ struct config_file {
 	struct config_str2list* ratelimit_below_domain;
 	/** ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */
 	int ratelimit_factor;
+	/** number of retries on outgoing queries */
+	size_t outbound_msg_retry;
 	/** minimise outgoing QNAME and hide original QTYPE if possible */
 	int qname_minimisation;
 	/** minimise QNAME in strict mode, minimise according to RFC.

util/configlexer.lex

@@ -501,6 +501,7 @@ ratelimit-for-domain{COLON}	{ YDVAR(2, VAR_RATELIMIT_FOR_DOMAIN) }
 ratelimit-below-domain{COLON}	{ YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) }
 ip-ratelimit-factor{COLON}		{ YDVAR(1, VAR_IP_RATELIMIT_FACTOR) }
 ratelimit-factor{COLON}		{ YDVAR(1, VAR_RATELIMIT_FACTOR) }
+outbound-msg-retry{COLON}		{ YDVAR(1, VAR_OUTBOUND_MSG_RETRY) }
 low-rtt{COLON}			{ YDVAR(1, VAR_LOW_RTT) }
 fast-server-num{COLON}		{ YDVAR(1, VAR_FAST_SERVER_NUM) }
 low-rtt-pct{COLON}		{ YDVAR(1, VAR_FAST_SERVER_PERMIL) }

util/configparser.h

@@ -252,125 +252,126 @@ extern int yydebug;
     VAR_RATELIMIT = 453,           /* VAR_RATELIMIT  */
     VAR_RATELIMIT_SLABS = 454,     /* VAR_RATELIMIT_SLABS  */
     VAR_RATELIMIT_SIZE = 455,      /* VAR_RATELIMIT_SIZE  */
-    VAR_RATELIMIT_FOR_DOMAIN = 456, /* VAR_RATELIMIT_FOR_DOMAIN  */
+    VAR_OUTBOUND_MSG_RETRY = 456,  /* VAR_OUTBOUND_MSG_RETRY  */
-    VAR_RATELIMIT_BELOW_DOMAIN = 457, /* VAR_RATELIMIT_BELOW_DOMAIN  */
+    VAR_RATELIMIT_FOR_DOMAIN = 457, /* VAR_RATELIMIT_FOR_DOMAIN  */
-    VAR_IP_RATELIMIT_FACTOR = 458, /* VAR_IP_RATELIMIT_FACTOR  */
+    VAR_RATELIMIT_BELOW_DOMAIN = 458, /* VAR_RATELIMIT_BELOW_DOMAIN  */
-    VAR_RATELIMIT_FACTOR = 459,    /* VAR_RATELIMIT_FACTOR  */
+    VAR_IP_RATELIMIT_FACTOR = 459, /* VAR_IP_RATELIMIT_FACTOR  */
-    VAR_SEND_CLIENT_SUBNET = 460,  /* VAR_SEND_CLIENT_SUBNET  */
+    VAR_RATELIMIT_FACTOR = 460,    /* VAR_RATELIMIT_FACTOR  */
-    VAR_CLIENT_SUBNET_ZONE = 461,  /* VAR_CLIENT_SUBNET_ZONE  */
+    VAR_SEND_CLIENT_SUBNET = 461,  /* VAR_SEND_CLIENT_SUBNET  */
-    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 462, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD  */
+    VAR_CLIENT_SUBNET_ZONE = 462,  /* VAR_CLIENT_SUBNET_ZONE  */
-    VAR_CLIENT_SUBNET_OPCODE = 463, /* VAR_CLIENT_SUBNET_OPCODE  */
+    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 463, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD  */
-    VAR_MAX_CLIENT_SUBNET_IPV4 = 464, /* VAR_MAX_CLIENT_SUBNET_IPV4  */
+    VAR_CLIENT_SUBNET_OPCODE = 464, /* VAR_CLIENT_SUBNET_OPCODE  */
-    VAR_MAX_CLIENT_SUBNET_IPV6 = 465, /* VAR_MAX_CLIENT_SUBNET_IPV6  */
+    VAR_MAX_CLIENT_SUBNET_IPV4 = 465, /* VAR_MAX_CLIENT_SUBNET_IPV4  */
-    VAR_MIN_CLIENT_SUBNET_IPV4 = 466, /* VAR_MIN_CLIENT_SUBNET_IPV4  */
+    VAR_MAX_CLIENT_SUBNET_IPV6 = 466, /* VAR_MAX_CLIENT_SUBNET_IPV6  */
-    VAR_MIN_CLIENT_SUBNET_IPV6 = 467, /* VAR_MIN_CLIENT_SUBNET_IPV6  */
+    VAR_MIN_CLIENT_SUBNET_IPV4 = 467, /* VAR_MIN_CLIENT_SUBNET_IPV4  */
-    VAR_MAX_ECS_TREE_SIZE_IPV4 = 468, /* VAR_MAX_ECS_TREE_SIZE_IPV4  */
+    VAR_MIN_CLIENT_SUBNET_IPV6 = 468, /* VAR_MIN_CLIENT_SUBNET_IPV6  */
-    VAR_MAX_ECS_TREE_SIZE_IPV6 = 469, /* VAR_MAX_ECS_TREE_SIZE_IPV6  */
+    VAR_MAX_ECS_TREE_SIZE_IPV4 = 469, /* VAR_MAX_ECS_TREE_SIZE_IPV4  */
-    VAR_CAPS_WHITELIST = 470,      /* VAR_CAPS_WHITELIST  */
+    VAR_MAX_ECS_TREE_SIZE_IPV6 = 470, /* VAR_MAX_ECS_TREE_SIZE_IPV6  */
-    VAR_CACHE_MAX_NEGATIVE_TTL = 471, /* VAR_CACHE_MAX_NEGATIVE_TTL  */
+    VAR_CAPS_WHITELIST = 471,      /* VAR_CAPS_WHITELIST  */
-    VAR_PERMIT_SMALL_HOLDDOWN = 472, /* VAR_PERMIT_SMALL_HOLDDOWN  */
+    VAR_CACHE_MAX_NEGATIVE_TTL = 472, /* VAR_CACHE_MAX_NEGATIVE_TTL  */
-    VAR_QNAME_MINIMISATION = 473,  /* VAR_QNAME_MINIMISATION  */
+    VAR_PERMIT_SMALL_HOLDDOWN = 473, /* VAR_PERMIT_SMALL_HOLDDOWN  */
-    VAR_QNAME_MINIMISATION_STRICT = 474, /* VAR_QNAME_MINIMISATION_STRICT  */
+    VAR_QNAME_MINIMISATION = 474,  /* VAR_QNAME_MINIMISATION  */
-    VAR_IP_FREEBIND = 475,         /* VAR_IP_FREEBIND  */
+    VAR_QNAME_MINIMISATION_STRICT = 475, /* VAR_QNAME_MINIMISATION_STRICT  */
-    VAR_DEFINE_TAG = 476,          /* VAR_DEFINE_TAG  */
+    VAR_IP_FREEBIND = 476,         /* VAR_IP_FREEBIND  */
-    VAR_LOCAL_ZONE_TAG = 477,      /* VAR_LOCAL_ZONE_TAG  */
+    VAR_DEFINE_TAG = 477,          /* VAR_DEFINE_TAG  */
-    VAR_ACCESS_CONTROL_TAG = 478,  /* VAR_ACCESS_CONTROL_TAG  */
+    VAR_LOCAL_ZONE_TAG = 478,      /* VAR_LOCAL_ZONE_TAG  */
-    VAR_LOCAL_ZONE_OVERRIDE = 479, /* VAR_LOCAL_ZONE_OVERRIDE  */
+    VAR_ACCESS_CONTROL_TAG = 479,  /* VAR_ACCESS_CONTROL_TAG  */
-    VAR_ACCESS_CONTROL_TAG_ACTION = 480, /* VAR_ACCESS_CONTROL_TAG_ACTION  */
+    VAR_LOCAL_ZONE_OVERRIDE = 480, /* VAR_LOCAL_ZONE_OVERRIDE  */
-    VAR_ACCESS_CONTROL_TAG_DATA = 481, /* VAR_ACCESS_CONTROL_TAG_DATA  */
+    VAR_ACCESS_CONTROL_TAG_ACTION = 481, /* VAR_ACCESS_CONTROL_TAG_ACTION  */
-    VAR_VIEW = 482,                /* VAR_VIEW  */
+    VAR_ACCESS_CONTROL_TAG_DATA = 482, /* VAR_ACCESS_CONTROL_TAG_DATA  */
-    VAR_ACCESS_CONTROL_VIEW = 483, /* VAR_ACCESS_CONTROL_VIEW  */
+    VAR_VIEW = 483,                /* VAR_VIEW  */
-    VAR_VIEW_FIRST = 484,          /* VAR_VIEW_FIRST  */
+    VAR_ACCESS_CONTROL_VIEW = 484, /* VAR_ACCESS_CONTROL_VIEW  */
-    VAR_SERVE_EXPIRED = 485,       /* VAR_SERVE_EXPIRED  */
+    VAR_VIEW_FIRST = 485,          /* VAR_VIEW_FIRST  */
-    VAR_SERVE_EXPIRED_TTL = 486,   /* VAR_SERVE_EXPIRED_TTL  */
+    VAR_SERVE_EXPIRED = 486,       /* VAR_SERVE_EXPIRED  */
-    VAR_SERVE_EXPIRED_TTL_RESET = 487, /* VAR_SERVE_EXPIRED_TTL_RESET  */
+    VAR_SERVE_EXPIRED_TTL = 487,   /* VAR_SERVE_EXPIRED_TTL  */
-    VAR_SERVE_EXPIRED_REPLY_TTL = 488, /* VAR_SERVE_EXPIRED_REPLY_TTL  */
+    VAR_SERVE_EXPIRED_TTL_RESET = 488, /* VAR_SERVE_EXPIRED_TTL_RESET  */
-    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 489, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT  */
+    VAR_SERVE_EXPIRED_REPLY_TTL = 489, /* VAR_SERVE_EXPIRED_REPLY_TTL  */
-    VAR_SERVE_ORIGINAL_TTL = 490,  /* VAR_SERVE_ORIGINAL_TTL  */
+    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 490, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT  */
-    VAR_FAKE_DSA = 491,            /* VAR_FAKE_DSA  */
+    VAR_SERVE_ORIGINAL_TTL = 491,  /* VAR_SERVE_ORIGINAL_TTL  */
-    VAR_FAKE_SHA1 = 492,           /* VAR_FAKE_SHA1  */
+    VAR_FAKE_DSA = 492,            /* VAR_FAKE_DSA  */
-    VAR_LOG_IDENTITY = 493,        /* VAR_LOG_IDENTITY  */
+    VAR_FAKE_SHA1 = 493,           /* VAR_FAKE_SHA1  */
-    VAR_HIDE_TRUSTANCHOR = 494,    /* VAR_HIDE_TRUSTANCHOR  */
+    VAR_LOG_IDENTITY = 494,        /* VAR_LOG_IDENTITY  */
-    VAR_HIDE_HTTP_USER_AGENT = 495, /* VAR_HIDE_HTTP_USER_AGENT  */
+    VAR_HIDE_TRUSTANCHOR = 495,    /* VAR_HIDE_TRUSTANCHOR  */
-    VAR_HTTP_USER_AGENT = 496,     /* VAR_HTTP_USER_AGENT  */
+    VAR_HIDE_HTTP_USER_AGENT = 496, /* VAR_HIDE_HTTP_USER_AGENT  */
-    VAR_TRUST_ANCHOR_SIGNALING = 497, /* VAR_TRUST_ANCHOR_SIGNALING  */
+    VAR_HTTP_USER_AGENT = 497,     /* VAR_HTTP_USER_AGENT  */
-    VAR_AGGRESSIVE_NSEC = 498,     /* VAR_AGGRESSIVE_NSEC  */
+    VAR_TRUST_ANCHOR_SIGNALING = 498, /* VAR_TRUST_ANCHOR_SIGNALING  */
-    VAR_USE_SYSTEMD = 499,         /* VAR_USE_SYSTEMD  */
+    VAR_AGGRESSIVE_NSEC = 499,     /* VAR_AGGRESSIVE_NSEC  */
-    VAR_SHM_ENABLE = 500,          /* VAR_SHM_ENABLE  */
+    VAR_USE_SYSTEMD = 500,         /* VAR_USE_SYSTEMD  */
-    VAR_SHM_KEY = 501,             /* VAR_SHM_KEY  */
+    VAR_SHM_ENABLE = 501,          /* VAR_SHM_ENABLE  */
-    VAR_ROOT_KEY_SENTINEL = 502,   /* VAR_ROOT_KEY_SENTINEL  */
+    VAR_SHM_KEY = 502,             /* VAR_SHM_KEY  */
-    VAR_DNSCRYPT = 503,            /* VAR_DNSCRYPT  */
+    VAR_ROOT_KEY_SENTINEL = 503,   /* VAR_ROOT_KEY_SENTINEL  */
-    VAR_DNSCRYPT_ENABLE = 504,     /* VAR_DNSCRYPT_ENABLE  */
+    VAR_DNSCRYPT = 504,            /* VAR_DNSCRYPT  */
-    VAR_DNSCRYPT_PORT = 505,       /* VAR_DNSCRYPT_PORT  */
+    VAR_DNSCRYPT_ENABLE = 505,     /* VAR_DNSCRYPT_ENABLE  */
-    VAR_DNSCRYPT_PROVIDER = 506,   /* VAR_DNSCRYPT_PROVIDER  */
+    VAR_DNSCRYPT_PORT = 506,       /* VAR_DNSCRYPT_PORT  */
-    VAR_DNSCRYPT_SECRET_KEY = 507, /* VAR_DNSCRYPT_SECRET_KEY  */
+    VAR_DNSCRYPT_PROVIDER = 507,   /* VAR_DNSCRYPT_PROVIDER  */
-    VAR_DNSCRYPT_PROVIDER_CERT = 508, /* VAR_DNSCRYPT_PROVIDER_CERT  */
+    VAR_DNSCRYPT_SECRET_KEY = 508, /* VAR_DNSCRYPT_SECRET_KEY  */
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 509, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED  */
+    VAR_DNSCRYPT_PROVIDER_CERT = 509, /* VAR_DNSCRYPT_PROVIDER_CERT  */
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 510, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE  */
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 510, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED  */
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 511, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS  */
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 511, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE  */
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 512, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE  */
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 512, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS  */
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 513, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS  */
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 513, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE  */
-    VAR_PAD_RESPONSES = 514,       /* VAR_PAD_RESPONSES  */
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 514, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS  */
-    VAR_PAD_RESPONSES_BLOCK_SIZE = 515, /* VAR_PAD_RESPONSES_BLOCK_SIZE  */
+    VAR_PAD_RESPONSES = 515,       /* VAR_PAD_RESPONSES  */
-    VAR_PAD_QUERIES = 516,         /* VAR_PAD_QUERIES  */
+    VAR_PAD_RESPONSES_BLOCK_SIZE = 516, /* VAR_PAD_RESPONSES_BLOCK_SIZE  */
-    VAR_PAD_QUERIES_BLOCK_SIZE = 517, /* VAR_PAD_QUERIES_BLOCK_SIZE  */
+    VAR_PAD_QUERIES = 517,         /* VAR_PAD_QUERIES  */
-    VAR_IPSECMOD_ENABLED = 518,    /* VAR_IPSECMOD_ENABLED  */
+    VAR_PAD_QUERIES_BLOCK_SIZE = 518, /* VAR_PAD_QUERIES_BLOCK_SIZE  */
-    VAR_IPSECMOD_HOOK = 519,       /* VAR_IPSECMOD_HOOK  */
+    VAR_IPSECMOD_ENABLED = 519,    /* VAR_IPSECMOD_ENABLED  */
-    VAR_IPSECMOD_IGNORE_BOGUS = 520, /* VAR_IPSECMOD_IGNORE_BOGUS  */
+    VAR_IPSECMOD_HOOK = 520,       /* VAR_IPSECMOD_HOOK  */
-    VAR_IPSECMOD_MAX_TTL = 521,    /* VAR_IPSECMOD_MAX_TTL  */
+    VAR_IPSECMOD_IGNORE_BOGUS = 521, /* VAR_IPSECMOD_IGNORE_BOGUS  */
-    VAR_IPSECMOD_WHITELIST = 522,  /* VAR_IPSECMOD_WHITELIST  */
+    VAR_IPSECMOD_MAX_TTL = 522,    /* VAR_IPSECMOD_MAX_TTL  */
-    VAR_IPSECMOD_STRICT = 523,     /* VAR_IPSECMOD_STRICT  */
+    VAR_IPSECMOD_WHITELIST = 523,  /* VAR_IPSECMOD_WHITELIST  */
-    VAR_CACHEDB = 524,             /* VAR_CACHEDB  */
+    VAR_IPSECMOD_STRICT = 524,     /* VAR_IPSECMOD_STRICT  */
-    VAR_CACHEDB_BACKEND = 525,     /* VAR_CACHEDB_BACKEND  */
+    VAR_CACHEDB = 525,             /* VAR_CACHEDB  */
-    VAR_CACHEDB_SECRETSEED = 526,  /* VAR_CACHEDB_SECRETSEED  */
+    VAR_CACHEDB_BACKEND = 526,     /* VAR_CACHEDB_BACKEND  */
-    VAR_CACHEDB_REDISHOST = 527,   /* VAR_CACHEDB_REDISHOST  */
+    VAR_CACHEDB_SECRETSEED = 527,  /* VAR_CACHEDB_SECRETSEED  */
-    VAR_CACHEDB_REDISPORT = 528,   /* VAR_CACHEDB_REDISPORT  */
+    VAR_CACHEDB_REDISHOST = 528,   /* VAR_CACHEDB_REDISHOST  */
-    VAR_CACHEDB_REDISTIMEOUT = 529, /* VAR_CACHEDB_REDISTIMEOUT  */
+    VAR_CACHEDB_REDISPORT = 529,   /* VAR_CACHEDB_REDISPORT  */
-    VAR_CACHEDB_REDISEXPIRERECORDS = 530, /* VAR_CACHEDB_REDISEXPIRERECORDS  */
+    VAR_CACHEDB_REDISTIMEOUT = 530, /* VAR_CACHEDB_REDISTIMEOUT  */
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 531, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM  */
+    VAR_CACHEDB_REDISEXPIRERECORDS = 531, /* VAR_CACHEDB_REDISEXPIRERECORDS  */
-    VAR_FOR_UPSTREAM = 532,        /* VAR_FOR_UPSTREAM  */
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 532, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM  */
-    VAR_AUTH_ZONE = 533,           /* VAR_AUTH_ZONE  */
+    VAR_FOR_UPSTREAM = 533,        /* VAR_FOR_UPSTREAM  */
-    VAR_ZONEFILE = 534,            /* VAR_ZONEFILE  */
+    VAR_AUTH_ZONE = 534,           /* VAR_AUTH_ZONE  */
-    VAR_MASTER = 535,              /* VAR_MASTER  */
+    VAR_ZONEFILE = 535,            /* VAR_ZONEFILE  */
-    VAR_URL = 536,                 /* VAR_URL  */
+    VAR_MASTER = 536,              /* VAR_MASTER  */
-    VAR_FOR_DOWNSTREAM = 537,      /* VAR_FOR_DOWNSTREAM  */
+    VAR_URL = 537,                 /* VAR_URL  */
-    VAR_FALLBACK_ENABLED = 538,    /* VAR_FALLBACK_ENABLED  */
+    VAR_FOR_DOWNSTREAM = 538,      /* VAR_FOR_DOWNSTREAM  */
-    VAR_TLS_ADDITIONAL_PORT = 539, /* VAR_TLS_ADDITIONAL_PORT  */
+    VAR_FALLBACK_ENABLED = 539,    /* VAR_FALLBACK_ENABLED  */
-    VAR_LOW_RTT = 540,             /* VAR_LOW_RTT  */
+    VAR_TLS_ADDITIONAL_PORT = 540, /* VAR_TLS_ADDITIONAL_PORT  */
-    VAR_LOW_RTT_PERMIL = 541,      /* VAR_LOW_RTT_PERMIL  */
+    VAR_LOW_RTT = 541,             /* VAR_LOW_RTT  */
-    VAR_FAST_SERVER_PERMIL = 542,  /* VAR_FAST_SERVER_PERMIL  */
+    VAR_LOW_RTT_PERMIL = 542,      /* VAR_LOW_RTT_PERMIL  */
-    VAR_FAST_SERVER_NUM = 543,     /* VAR_FAST_SERVER_NUM  */
+    VAR_FAST_SERVER_PERMIL = 543,  /* VAR_FAST_SERVER_PERMIL  */
-    VAR_ALLOW_NOTIFY = 544,        /* VAR_ALLOW_NOTIFY  */
+    VAR_FAST_SERVER_NUM = 544,     /* VAR_FAST_SERVER_NUM  */
-    VAR_TLS_WIN_CERT = 545,        /* VAR_TLS_WIN_CERT  */
+    VAR_ALLOW_NOTIFY = 545,        /* VAR_ALLOW_NOTIFY  */
-    VAR_TCP_CONNECTION_LIMIT = 546, /* VAR_TCP_CONNECTION_LIMIT  */
+    VAR_TLS_WIN_CERT = 546,        /* VAR_TLS_WIN_CERT  */
-    VAR_FORWARD_NO_CACHE = 547,    /* VAR_FORWARD_NO_CACHE  */
+    VAR_TCP_CONNECTION_LIMIT = 547, /* VAR_TCP_CONNECTION_LIMIT  */
-    VAR_STUB_NO_CACHE = 548,       /* VAR_STUB_NO_CACHE  */
+    VAR_FORWARD_NO_CACHE = 548,    /* VAR_FORWARD_NO_CACHE  */
-    VAR_LOG_SERVFAIL = 549,        /* VAR_LOG_SERVFAIL  */
+    VAR_STUB_NO_CACHE = 549,       /* VAR_STUB_NO_CACHE  */
-    VAR_DENY_ANY = 550,            /* VAR_DENY_ANY  */
+    VAR_LOG_SERVFAIL = 550,        /* VAR_LOG_SERVFAIL  */
-    VAR_UNKNOWN_SERVER_TIME_LIMIT = 551, /* VAR_UNKNOWN_SERVER_TIME_LIMIT  */
+    VAR_DENY_ANY = 551,            /* VAR_DENY_ANY  */
-    VAR_LOG_TAG_QUERYREPLY = 552,  /* VAR_LOG_TAG_QUERYREPLY  */
+    VAR_UNKNOWN_SERVER_TIME_LIMIT = 552, /* VAR_UNKNOWN_SERVER_TIME_LIMIT  */
-    VAR_STREAM_WAIT_SIZE = 553,    /* VAR_STREAM_WAIT_SIZE  */
+    VAR_LOG_TAG_QUERYREPLY = 553,  /* VAR_LOG_TAG_QUERYREPLY  */
-    VAR_TLS_CIPHERS = 554,         /* VAR_TLS_CIPHERS  */
+    VAR_STREAM_WAIT_SIZE = 554,    /* VAR_STREAM_WAIT_SIZE  */
-    VAR_TLS_CIPHERSUITES = 555,    /* VAR_TLS_CIPHERSUITES  */
+    VAR_TLS_CIPHERS = 555,         /* VAR_TLS_CIPHERS  */
-    VAR_TLS_USE_SNI = 556,         /* VAR_TLS_USE_SNI  */
+    VAR_TLS_CIPHERSUITES = 556,    /* VAR_TLS_CIPHERSUITES  */
-    VAR_IPSET = 557,               /* VAR_IPSET  */
+    VAR_TLS_USE_SNI = 557,         /* VAR_TLS_USE_SNI  */
-    VAR_IPSET_NAME_V4 = 558,       /* VAR_IPSET_NAME_V4  */
+    VAR_IPSET = 558,               /* VAR_IPSET  */
-    VAR_IPSET_NAME_V6 = 559,       /* VAR_IPSET_NAME_V6  */
+    VAR_IPSET_NAME_V4 = 559,       /* VAR_IPSET_NAME_V4  */
-    VAR_TLS_SESSION_TICKET_KEYS = 560, /* VAR_TLS_SESSION_TICKET_KEYS  */
+    VAR_IPSET_NAME_V6 = 560,       /* VAR_IPSET_NAME_V6  */
-    VAR_RPZ = 561,                 /* VAR_RPZ  */
+    VAR_TLS_SESSION_TICKET_KEYS = 561, /* VAR_TLS_SESSION_TICKET_KEYS  */
-    VAR_TAGS = 562,                /* VAR_TAGS  */
+    VAR_RPZ = 562,                 /* VAR_RPZ  */
-    VAR_RPZ_ACTION_OVERRIDE = 563, /* VAR_RPZ_ACTION_OVERRIDE  */
+    VAR_TAGS = 563,                /* VAR_TAGS  */
-    VAR_RPZ_CNAME_OVERRIDE = 564,  /* VAR_RPZ_CNAME_OVERRIDE  */
+    VAR_RPZ_ACTION_OVERRIDE = 564, /* VAR_RPZ_ACTION_OVERRIDE  */
-    VAR_RPZ_LOG = 565,             /* VAR_RPZ_LOG  */
+    VAR_RPZ_CNAME_OVERRIDE = 565,  /* VAR_RPZ_CNAME_OVERRIDE  */
-    VAR_RPZ_LOG_NAME = 566,        /* VAR_RPZ_LOG_NAME  */
+    VAR_RPZ_LOG = 566,             /* VAR_RPZ_LOG  */
-    VAR_DYNLIB = 567,              /* VAR_DYNLIB  */
+    VAR_RPZ_LOG_NAME = 567,        /* VAR_RPZ_LOG_NAME  */
-    VAR_DYNLIB_FILE = 568,         /* VAR_DYNLIB_FILE  */
+    VAR_DYNLIB = 568,              /* VAR_DYNLIB  */
-    VAR_EDNS_CLIENT_STRING = 569,  /* VAR_EDNS_CLIENT_STRING  */
+    VAR_DYNLIB_FILE = 569,         /* VAR_DYNLIB_FILE  */
-    VAR_EDNS_CLIENT_STRING_OPCODE = 570, /* VAR_EDNS_CLIENT_STRING_OPCODE  */
+    VAR_EDNS_CLIENT_STRING = 570,  /* VAR_EDNS_CLIENT_STRING  */
-    VAR_NSID = 571,                /* VAR_NSID  */
+    VAR_EDNS_CLIENT_STRING_OPCODE = 571, /* VAR_EDNS_CLIENT_STRING_OPCODE  */
-    VAR_ZONEMD_PERMISSIVE_MODE = 572, /* VAR_ZONEMD_PERMISSIVE_MODE  */
+    VAR_NSID = 572,                /* VAR_NSID  */
-    VAR_ZONEMD_CHECK = 573,        /* VAR_ZONEMD_CHECK  */
+    VAR_ZONEMD_PERMISSIVE_MODE = 573, /* VAR_ZONEMD_PERMISSIVE_MODE  */
-    VAR_ZONEMD_REJECT_ABSENCE = 574 /* VAR_ZONEMD_REJECT_ABSENCE  */
+    VAR_ZONEMD_CHECK = 574,        /* VAR_ZONEMD_CHECK  */
+    VAR_ZONEMD_REJECT_ABSENCE = 575 /* VAR_ZONEMD_REJECT_ABSENCE  */
   };
   typedef enum yytokentype yytoken_kind_t;
 #endif
@@ -576,125 +577,126 @@ extern int yydebug;
 #define VAR_RATELIMIT 453
 #define VAR_RATELIMIT_SLABS 454
 #define VAR_RATELIMIT_SIZE 455
-#define VAR_RATELIMIT_FOR_DOMAIN 456
+#define VAR_OUTBOUND_MSG_RETRY 456
-#define VAR_RATELIMIT_BELOW_DOMAIN 457
+#define VAR_RATELIMIT_FOR_DOMAIN 457
-#define VAR_IP_RATELIMIT_FACTOR 458
+#define VAR_RATELIMIT_BELOW_DOMAIN 458
-#define VAR_RATELIMIT_FACTOR 459
+#define VAR_IP_RATELIMIT_FACTOR 459
-#define VAR_SEND_CLIENT_SUBNET 460
+#define VAR_RATELIMIT_FACTOR 460
-#define VAR_CLIENT_SUBNET_ZONE 461
+#define VAR_SEND_CLIENT_SUBNET 461
-#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 462
+#define VAR_CLIENT_SUBNET_ZONE 462
-#define VAR_CLIENT_SUBNET_OPCODE 463
+#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 463
-#define VAR_MAX_CLIENT_SUBNET_IPV4 464
+#define VAR_CLIENT_SUBNET_OPCODE 464
-#define VAR_MAX_CLIENT_SUBNET_IPV6 465
+#define VAR_MAX_CLIENT_SUBNET_IPV4 465
-#define VAR_MIN_CLIENT_SUBNET_IPV4 466
+#define VAR_MAX_CLIENT_SUBNET_IPV6 466
-#define VAR_MIN_CLIENT_SUBNET_IPV6 467
+#define VAR_MIN_CLIENT_SUBNET_IPV4 467
-#define VAR_MAX_ECS_TREE_SIZE_IPV4 468
+#define VAR_MIN_CLIENT_SUBNET_IPV6 468
-#define VAR_MAX_ECS_TREE_SIZE_IPV6 469
+#define VAR_MAX_ECS_TREE_SIZE_IPV4 469
-#define VAR_CAPS_WHITELIST 470
+#define VAR_MAX_ECS_TREE_SIZE_IPV6 470
-#define VAR_CACHE_MAX_NEGATIVE_TTL 471
+#define VAR_CAPS_WHITELIST 471
-#define VAR_PERMIT_SMALL_HOLDDOWN 472
+#define VAR_CACHE_MAX_NEGATIVE_TTL 472
-#define VAR_QNAME_MINIMISATION 473
+#define VAR_PERMIT_SMALL_HOLDDOWN 473
-#define VAR_QNAME_MINIMISATION_STRICT 474
+#define VAR_QNAME_MINIMISATION 474
-#define VAR_IP_FREEBIND 475
+#define VAR_QNAME_MINIMISATION_STRICT 475
-#define VAR_DEFINE_TAG 476
+#define VAR_IP_FREEBIND 476
-#define VAR_LOCAL_ZONE_TAG 477
+#define VAR_DEFINE_TAG 477
-#define VAR_ACCESS_CONTROL_TAG 478
+#define VAR_LOCAL_ZONE_TAG 478
-#define VAR_LOCAL_ZONE_OVERRIDE 479
+#define VAR_ACCESS_CONTROL_TAG 479
-#define VAR_ACCESS_CONTROL_TAG_ACTION 480
+#define VAR_LOCAL_ZONE_OVERRIDE 480
-#define VAR_ACCESS_CONTROL_TAG_DATA 481
+#define VAR_ACCESS_CONTROL_TAG_ACTION 481
-#define VAR_VIEW 482
+#define VAR_ACCESS_CONTROL_TAG_DATA 482
-#define VAR_ACCESS_CONTROL_VIEW 483
+#define VAR_VIEW 483
-#define VAR_VIEW_FIRST 484
+#define VAR_ACCESS_CONTROL_VIEW 484
-#define VAR_SERVE_EXPIRED 485
+#define VAR_VIEW_FIRST 485
-#define VAR_SERVE_EXPIRED_TTL 486
+#define VAR_SERVE_EXPIRED 486
-#define VAR_SERVE_EXPIRED_TTL_RESET 487
+#define VAR_SERVE_EXPIRED_TTL 487
-#define VAR_SERVE_EXPIRED_REPLY_TTL 488
+#define VAR_SERVE_EXPIRED_TTL_RESET 488
-#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 489
+#define VAR_SERVE_EXPIRED_REPLY_TTL 489
-#define VAR_SERVE_ORIGINAL_TTL 490
+#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 490
-#define VAR_FAKE_DSA 491
+#define VAR_SERVE_ORIGINAL_TTL 491
-#define VAR_FAKE_SHA1 492
+#define VAR_FAKE_DSA 492
-#define VAR_LOG_IDENTITY 493
+#define VAR_FAKE_SHA1 493
-#define VAR_HIDE_TRUSTANCHOR 494
+#define VAR_LOG_IDENTITY 494
-#define VAR_HIDE_HTTP_USER_AGENT 495
+#define VAR_HIDE_TRUSTANCHOR 495
-#define VAR_HTTP_USER_AGENT 496
+#define VAR_HIDE_HTTP_USER_AGENT 496
-#define VAR_TRUST_ANCHOR_SIGNALING 497
+#define VAR_HTTP_USER_AGENT 497
-#define VAR_AGGRESSIVE_NSEC 498
+#define VAR_TRUST_ANCHOR_SIGNALING 498
-#define VAR_USE_SYSTEMD 499
+#define VAR_AGGRESSIVE_NSEC 499
-#define VAR_SHM_ENABLE 500
+#define VAR_USE_SYSTEMD 500
-#define VAR_SHM_KEY 501
+#define VAR_SHM_ENABLE 501
-#define VAR_ROOT_KEY_SENTINEL 502
+#define VAR_SHM_KEY 502
-#define VAR_DNSCRYPT 503
+#define VAR_ROOT_KEY_SENTINEL 503
-#define VAR_DNSCRYPT_ENABLE 504
+#define VAR_DNSCRYPT 504
-#define VAR_DNSCRYPT_PORT 505
+#define VAR_DNSCRYPT_ENABLE 505
-#define VAR_DNSCRYPT_PROVIDER 506
+#define VAR_DNSCRYPT_PORT 506
-#define VAR_DNSCRYPT_SECRET_KEY 507
+#define VAR_DNSCRYPT_PROVIDER 507
-#define VAR_DNSCRYPT_PROVIDER_CERT 508
+#define VAR_DNSCRYPT_SECRET_KEY 508
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 509
+#define VAR_DNSCRYPT_PROVIDER_CERT 509
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 510
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 510
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 511
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 511
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 512
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 512
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 513
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 513
-#define VAR_PAD_RESPONSES 514
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 514
-#define VAR_PAD_RESPONSES_BLOCK_SIZE 515
+#define VAR_PAD_RESPONSES 515
-#define VAR_PAD_QUERIES 516
+#define VAR_PAD_RESPONSES_BLOCK_SIZE 516
-#define VAR_PAD_QUERIES_BLOCK_SIZE 517
+#define VAR_PAD_QUERIES 517
-#define VAR_IPSECMOD_ENABLED 518
+#define VAR_PAD_QUERIES_BLOCK_SIZE 518
-#define VAR_IPSECMOD_HOOK 519
+#define VAR_IPSECMOD_ENABLED 519
-#define VAR_IPSECMOD_IGNORE_BOGUS 520
+#define VAR_IPSECMOD_HOOK 520
-#define VAR_IPSECMOD_MAX_TTL 521
+#define VAR_IPSECMOD_IGNORE_BOGUS 521
-#define VAR_IPSECMOD_WHITELIST 522
+#define VAR_IPSECMOD_MAX_TTL 522
-#define VAR_IPSECMOD_STRICT 523
+#define VAR_IPSECMOD_WHITELIST 523
-#define VAR_CACHEDB 524
+#define VAR_IPSECMOD_STRICT 524
-#define VAR_CACHEDB_BACKEND 525
+#define VAR_CACHEDB 525
-#define VAR_CACHEDB_SECRETSEED 526
+#define VAR_CACHEDB_BACKEND 526
-#define VAR_CACHEDB_REDISHOST 527
+#define VAR_CACHEDB_SECRETSEED 527
-#define VAR_CACHEDB_REDISPORT 528
+#define VAR_CACHEDB_REDISHOST 528
-#define VAR_CACHEDB_REDISTIMEOUT 529
+#define VAR_CACHEDB_REDISPORT 529
-#define VAR_CACHEDB_REDISEXPIRERECORDS 530
+#define VAR_CACHEDB_REDISTIMEOUT 530
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 531
+#define VAR_CACHEDB_REDISEXPIRERECORDS 531
-#define VAR_FOR_UPSTREAM 532
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 532
-#define VAR_AUTH_ZONE 533
+#define VAR_FOR_UPSTREAM 533
-#define VAR_ZONEFILE 534
+#define VAR_AUTH_ZONE 534
-#define VAR_MASTER 535
+#define VAR_ZONEFILE 535
-#define VAR_URL 536
+#define VAR_MASTER 536
-#define VAR_FOR_DOWNSTREAM 537
+#define VAR_URL 537
-#define VAR_FALLBACK_ENABLED 538
+#define VAR_FOR_DOWNSTREAM 538
-#define VAR_TLS_ADDITIONAL_PORT 539
+#define VAR_FALLBACK_ENABLED 539
-#define VAR_LOW_RTT 540
+#define VAR_TLS_ADDITIONAL_PORT 540
-#define VAR_LOW_RTT_PERMIL 541
+#define VAR_LOW_RTT 541
-#define VAR_FAST_SERVER_PERMIL 542
+#define VAR_LOW_RTT_PERMIL 542
-#define VAR_FAST_SERVER_NUM 543
+#define VAR_FAST_SERVER_PERMIL 543
-#define VAR_ALLOW_NOTIFY 544
+#define VAR_FAST_SERVER_NUM 544
-#define VAR_TLS_WIN_CERT 545
+#define VAR_ALLOW_NOTIFY 545
-#define VAR_TCP_CONNECTION_LIMIT 546
+#define VAR_TLS_WIN_CERT 546
-#define VAR_FORWARD_NO_CACHE 547
+#define VAR_TCP_CONNECTION_LIMIT 547
-#define VAR_STUB_NO_CACHE 548
+#define VAR_FORWARD_NO_CACHE 548
-#define VAR_LOG_SERVFAIL 549
+#define VAR_STUB_NO_CACHE 549
-#define VAR_DENY_ANY 550
+#define VAR_LOG_SERVFAIL 550
-#define VAR_UNKNOWN_SERVER_TIME_LIMIT 551
+#define VAR_DENY_ANY 551
-#define VAR_LOG_TAG_QUERYREPLY 552
+#define VAR_UNKNOWN_SERVER_TIME_LIMIT 552
-#define VAR_STREAM_WAIT_SIZE 553
+#define VAR_LOG_TAG_QUERYREPLY 553
-#define VAR_TLS_CIPHERS 554
+#define VAR_STREAM_WAIT_SIZE 554
-#define VAR_TLS_CIPHERSUITES 555
+#define VAR_TLS_CIPHERS 555
-#define VAR_TLS_USE_SNI 556
+#define VAR_TLS_CIPHERSUITES 556
-#define VAR_IPSET 557
+#define VAR_TLS_USE_SNI 557
-#define VAR_IPSET_NAME_V4 558
+#define VAR_IPSET 558
-#define VAR_IPSET_NAME_V6 559
+#define VAR_IPSET_NAME_V4 559
-#define VAR_TLS_SESSION_TICKET_KEYS 560
+#define VAR_IPSET_NAME_V6 560
-#define VAR_RPZ 561
+#define VAR_TLS_SESSION_TICKET_KEYS 561
-#define VAR_TAGS 562
+#define VAR_RPZ 562
-#define VAR_RPZ_ACTION_OVERRIDE 563
+#define VAR_TAGS 563
-#define VAR_RPZ_CNAME_OVERRIDE 564
+#define VAR_RPZ_ACTION_OVERRIDE 564
-#define VAR_RPZ_LOG 565
+#define VAR_RPZ_CNAME_OVERRIDE 565
-#define VAR_RPZ_LOG_NAME 566
+#define VAR_RPZ_LOG 566
-#define VAR_DYNLIB 567
+#define VAR_RPZ_LOG_NAME 567
-#define VAR_DYNLIB_FILE 568
+#define VAR_DYNLIB 568
-#define VAR_EDNS_CLIENT_STRING 569
+#define VAR_DYNLIB_FILE 569
-#define VAR_EDNS_CLIENT_STRING_OPCODE 570
+#define VAR_EDNS_CLIENT_STRING 570
-#define VAR_NSID 571
+#define VAR_EDNS_CLIENT_STRING_OPCODE 571
-#define VAR_ZONEMD_PERMISSIVE_MODE 572
+#define VAR_NSID 572
-#define VAR_ZONEMD_CHECK 573
+#define VAR_ZONEMD_PERMISSIVE_MODE 573
-#define VAR_ZONEMD_REJECT_ABSENCE 574
+#define VAR_ZONEMD_CHECK 574
+#define VAR_ZONEMD_REJECT_ABSENCE 575
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -704,7 +706,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 708 "util/configparser.h"
+#line 710 "util/configparser.h"
 
 };
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -4,24 +4,24 @@
  * Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
  *
  * Copyright (c) 2007, NLnet Labs. All rights reserved.
- * 
+ *
  * This software is open source.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
- * 
+ *
  * Redistributions of source code must retain the above copyright notice,
  * this list of conditions and the following disclaimer.
- * 
+ *
  * Redistributions in binary form must reproduce the above copyright notice,
  * this list of conditions and the following disclaimer in the documentation
  * and/or other materials provided with the distribution.
- * 
+ *
  * Neither the name of the NLNET LABS nor the names of its contributors may
  * be used to endorse or promote products derived from this software without
  * specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
@@ -88,13 +88,13 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_TRUST_ANCHOR_FILE VAR_TRUST_ANCHOR VAR_VAL_OVERRIDE_DATE
 %token VAR_BOGUS_TTL VAR_VAL_CLEAN_ADDITIONAL VAR_VAL_PERMISSIVE_MODE
 %token VAR_INCOMING_NUM_TCP VAR_MSG_BUFFER_SIZE VAR_KEY_CACHE_SIZE
-%token VAR_KEY_CACHE_SLABS VAR_TRUSTED_KEYS_FILE 
+%token VAR_KEY_CACHE_SLABS VAR_TRUSTED_KEYS_FILE
-%token VAR_VAL_NSEC3_KEYSIZE_ITERATIONS VAR_USE_SYSLOG 
+%token VAR_VAL_NSEC3_KEYSIZE_ITERATIONS VAR_USE_SYSLOG
 %token VAR_OUTGOING_INTERFACE VAR_ROOT_HINTS VAR_DO_NOT_QUERY_LOCALHOST
 %token VAR_CACHE_MAX_TTL VAR_HARDEN_DNSSEC_STRIPPED VAR_ACCESS_CONTROL
 %token VAR_LOCAL_ZONE VAR_LOCAL_DATA VAR_INTERFACE_AUTOMATIC
 %token VAR_STATISTICS_INTERVAL VAR_DO_DAEMONIZE VAR_USE_CAPS_FOR_ID
-%token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT 
+%token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT
 %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
 %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
 %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
@@ -139,6 +139,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_DISABLE_DNSSEC_LAME_CHECK
 %token VAR_IP_RATELIMIT VAR_IP_RATELIMIT_SLABS VAR_IP_RATELIMIT_SIZE
 %token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
+%token VAR_OUTBOUND_MSG_RETRY
 %token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN
 %token VAR_IP_RATELIMIT_FACTOR VAR_RATELIMIT_FACTOR
 %token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_ZONE
@@ -190,7 +191,7 @@ extern struct config_parser_state* cfg_parser;
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
 toplevelvar: serverstart contents_server | stubstart contents_stub |
-	forwardstart contents_forward | pythonstart contents_py | 
+	forwardstart contents_forward | pythonstart contents_py |
 	rcstart contents_rc | dtstart contents_dt | viewstart contents_view |
 	dnscstart contents_dnsc | cachedbstart contents_cachedb |
 	ipsetstart contents_ipset | authstart contents_auth |
@@ -204,7 +205,7 @@ force_toplevel: VAR_FORCE_TOPLEVEL
 	;
 /* server: declaration */
 serverstart: VAR_SERVER
-	{ 
+	{
 		OUTYY(("\nP(server:)\n"));
 	}
 	;
@@ -216,14 +217,14 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_do_udp | server_do_tcp |
 	server_tcp_mss | server_outgoing_tcp_mss | server_tcp_idle_timeout |
 	server_tcp_keepalive | server_tcp_keepalive_timeout |
-	server_interface | server_chroot | server_username | 
+	server_interface | server_chroot | server_username |
 	server_directory | server_logfile | server_pidfile |
 	server_msg_cache_size | server_msg_cache_slabs |
-	server_num_queries_per_thread | server_rrset_cache_size | 
+	server_num_queries_per_thread | server_rrset_cache_size |
-	server_rrset_cache_slabs | server_outgoing_num_tcp | 
+	server_rrset_cache_slabs | server_outgoing_num_tcp |
-	server_infra_host_ttl | server_infra_lame_ttl | 
+	server_infra_host_ttl | server_infra_lame_ttl |
 	server_infra_cache_slabs | server_infra_cache_numhosts |
-	server_infra_cache_lame_size | server_target_fetch_policy | 
+	server_infra_cache_lame_size | server_target_fetch_policy |
 	server_harden_short_bufsize | server_harden_large_queries |
 	server_do_not_query_address | server_hide_identity |
 	server_hide_version | server_identity | server_version |
@@ -231,22 +232,22 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_harden_glue | server_module_conf | server_trust_anchor_file |
 	server_trust_anchor | server_val_override_date | server_bogus_ttl |
 	server_val_clean_additional | server_val_permissive_mode |
-	server_incoming_num_tcp | server_msg_buffer_size | 
+	server_incoming_num_tcp | server_msg_buffer_size |
-	server_key_cache_size | server_key_cache_slabs | 
+	server_key_cache_size | server_key_cache_slabs |
 	server_trusted_keys_file | server_val_nsec3_keysize_iterations |
 	server_use_syslog | server_outgoing_interface | server_root_hints |
 	server_do_not_query_localhost | server_cache_max_ttl |
 	server_harden_dnssec_stripped | server_access_control |
 	server_local_zone | server_local_data | server_interface_automatic |
-	server_statistics_interval | server_do_daemonize | 
+	server_statistics_interval | server_do_daemonize |
 	server_use_caps_for_id | server_statistics_cumulative |
 	server_outgoing_port_permit | server_outgoing_port_avoid |
 	server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
 	server_harden_referral_path | server_private_address |
-	server_private_domain | server_extended_statistics | 
+	server_private_domain | server_extended_statistics |
-	server_local_data_ptr | server_jostle_timeout | 
+	server_local_data_ptr | server_jostle_timeout |
-	server_unwanted_reply_threshold | server_log_time_ascii | 
+	server_unwanted_reply_threshold | server_log_time_ascii |
-	server_domain_insecure | server_val_sig_skew_min | 
+	server_domain_insecure | server_val_sig_skew_min |
 	server_val_sig_skew_max | server_val_max_restart |
 	server_cache_min_ttl | server_val_log_level |
 	server_auto_trust_anchor_file |	server_add_holddown |
@@ -270,9 +271,9 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_ip_ratelimit_size | server_ratelimit_size |
 	server_ratelimit_for_domain |
 	server_ratelimit_below_domain | server_ratelimit_factor |
-	server_ip_ratelimit_factor | server_send_client_subnet |
+	server_ip_ratelimit_factor | server_outbound_msg_retry |
-	server_client_subnet_zone | server_client_subnet_always_forward |
+	server_send_client_subnet | server_client_subnet_zone |
-	server_client_subnet_opcode |
+	server_client_subnet_always_forward | server_client_subnet_opcode |
 	server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 |
 	server_min_client_subnet_ipv4 | server_min_client_subnet_ipv6 |
 	server_max_ecs_tree_size_ipv4 | server_max_ecs_tree_size_ipv6 |
@@ -313,16 +314,16 @@ content_server: server_num_threads | server_verbosity | server_port |
 stubstart: VAR_STUB_ZONE
 	{
 		struct config_stub* s;
-		OUTYY(("\nP(stub_zone:)\n")); 
+		OUTYY(("\nP(stub_zone:)\n"));
 		s = (struct config_stub*)calloc(1, sizeof(struct config_stub));
 		if(s) {
 			s->next = cfg_parser->cfg->stubs;
 			cfg_parser->cfg->stubs = s;
-		} else 
+		} else
 			yyerror("out of memory");
 	}
 	;
-contents_stub: contents_stub content_stub 
+contents_stub: contents_stub content_stub
 	| ;
 content_stub: stub_name | stub_host | stub_addr | stub_prime | stub_first |
 	stub_no_cache | stub_ssl_upstream | stub_tcp_upstream
@@ -330,16 +331,16 @@ content_stub: stub_name | stub_host | stub_addr | stub_prime | stub_first |
 forwardstart: VAR_FORWARD_ZONE
 	{
 		struct config_stub* s;
-		OUTYY(("\nP(forward_zone:)\n")); 
+		OUTYY(("\nP(forward_zone:)\n"));
 		s = (struct config_stub*)calloc(1, sizeof(struct config_stub));
 		if(s) {
 			s->next = cfg_parser->cfg->forwards;
 			cfg_parser->cfg->forwards = s;
-		} else 
+		} else
 			yyerror("out of memory");
 	}
 	;
-contents_forward: contents_forward content_forward 
+contents_forward: contents_forward content_forward
 	| ;
 content_forward: forward_name | forward_host | forward_addr | forward_first |
 	forward_no_cache | forward_ssl_upstream | forward_tcp_upstream
@@ -347,18 +348,18 @@ content_forward: forward_name | forward_host | forward_addr | forward_first |
 viewstart: VAR_VIEW
 	{
 		struct config_view* s;
-		OUTYY(("\nP(view:)\n")); 
+		OUTYY(("\nP(view:)\n"));
 		s = (struct config_view*)calloc(1, sizeof(struct config_view));
 		if(s) {
 			s->next = cfg_parser->cfg->views;
 			if(s->next && !s->next->name)
 				yyerror("view without name");
 			cfg_parser->cfg->views = s;
-		} else 
+		} else
 			yyerror("out of memory");
 	}
 	;
-contents_view: contents_view content_view 
+contents_view: contents_view content_view
 	| ;
 content_view: view_name | view_local_zone | view_local_data | view_first |
 		view_response_ip | view_response_ip_data | view_local_data_ptr
@@ -366,7 +367,7 @@ content_view: view_name | view_local_zone | view_local_data | view_first |
 authstart: VAR_AUTH_ZONE
 	{
 		struct config_auth* s;
-		OUTYY(("\nP(auth_zone:)\n")); 
+		OUTYY(("\nP(auth_zone:)\n"));
 		s = (struct config_auth*)calloc(1, sizeof(struct config_auth));
 		if(s) {
 			s->next = cfg_parser->cfg->auths;
@@ -378,11 +379,11 @@ authstart: VAR_AUTH_ZONE
 			s->zonemd_check = 0;
 			s->zonemd_reject_absence = 0;
 			s->isrpz = 0;
-		} else 
+		} else
 			yyerror("out of memory");
 	}
 	;
-contents_auth: contents_auth content_auth 
+contents_auth: contents_auth content_auth
 	| ;
 content_auth: auth_name | auth_zonefile | auth_master | auth_url |
 	auth_for_downstream | auth_for_upstream | auth_fallback_enabled |
@@ -474,27 +475,27 @@ content_rpz: auth_name | auth_zonefile | rpz_tag | auth_master | auth_url |
 	   auth_allow_notify | rpz_action_override | rpz_cname_override |
 	   rpz_log | rpz_log_name
 	;
-server_num_threads: VAR_NUM_THREADS STRING_ARG 
+server_num_threads: VAR_NUM_THREADS STRING_ARG
-	{ 
+	{
-		OUTYY(("P(server_num_threads:%s)\n", $2)); 
+		OUTYY(("P(server_num_threads:%s)\n", $2));
 		if(atoi($2) == 0 && strcmp($2, "0") != 0)
 			yyerror("number expected");
 		else cfg_parser->cfg->num_threads = atoi($2);
 		free($2);
 	}
 	;
-server_verbosity: VAR_VERBOSITY STRING_ARG 
+server_verbosity: VAR_VERBOSITY STRING_ARG
-	{ 
+	{
-		OUTYY(("P(server_verbosity:%s)\n", $2)); 
+		OUTYY(("P(server_verbosity:%s)\n", $2));
 		if(atoi($2) == 0 && strcmp($2, "0") != 0)
 			yyerror("number expected");
 		else cfg_parser->cfg->verbosity = atoi($2);
 		free($2);
 	}
 	;
-server_statistics_interval: VAR_STATISTICS_INTERVAL STRING_ARG 
+server_statistics_interval: VAR_STATISTICS_INTERVAL STRING_ARG
-	{ 
+	{
-		OUTYY(("P(server_statistics_interval:%s)\n", $2)); 
+		OUTYY(("P(server_statistics_interval:%s)\n", $2));
 		if(strcmp($2, "") == 0 || strcmp($2, "0") == 0)
 			cfg_parser->cfg->stat_interval = 0;
 		else if(atoi($2) == 0)
@@ -530,9 +531,9 @@ server_shm_enable: VAR_SHM_ENABLE STRING_ARG
 		free($2);
 	}
 	;
-server_shm_key: VAR_SHM_KEY STRING_ARG 
+server_shm_key: VAR_SHM_KEY STRING_ARG
-	{ 
+	{
-		OUTYY(("P(server_shm_key:%s)\n", $2)); 
+		OUTYY(("P(server_shm_key:%s)\n", $2));
 		if(strcmp($2, "") == 0 || strcmp($2, "0") == 0)
 			cfg_parser->cfg->shm_key = 0;
 		else if(atoi($2) == 0)
@@ -705,7 +706,7 @@ server_interface: VAR_INTERFACE STRING_ARG
 		OUTYY(("P(server_interface:%s)\n", $2));
 		if(cfg_parser->cfg->num_ifs == 0)
 			cfg_parser->cfg->ifs = calloc(1, sizeof(char*));
-		else 	cfg_parser->cfg->ifs = realloc(cfg_parser->cfg->ifs,
+		else cfg_parser->cfg->ifs = realloc(cfg_parser->cfg->ifs,
 				(cfg_parser->cfg->num_ifs+1)*sizeof(char*));
 		if(!cfg_parser->cfg->ifs)
 			yyerror("out of memory");
@@ -718,8 +719,8 @@ server_outgoing_interface: VAR_OUTGOING_INTERFACE STRING_ARG
 		OUTYY(("P(server_outgoing_interface:%s)\n", $2));
 		if(cfg_parser->cfg->num_out_ifs == 0)
 			cfg_parser->cfg->out_ifs = calloc(1, sizeof(char*));
-		else 	cfg_parser->cfg->out_ifs = realloc(
+		else cfg_parser->cfg->out_ifs = realloc(
-			cfg_parser->cfg->out_ifs, 
+			cfg_parser->cfg->out_ifs,
 			(cfg_parser->cfg->num_out_ifs+1)*sizeof(char*));
 		if(!cfg_parser->cfg->out_ifs)
 			yyerror("out of memory");
@@ -740,7 +741,7 @@ server_outgoing_range: VAR_OUTGOING_RANGE STRING_ARG
 server_outgoing_port_permit: VAR_OUTGOING_PORT_PERMIT STRING_ARG
 	{
 		OUTYY(("P(server_outgoing_port_permit:%s)\n", $2));
-		if(!cfg_mark_ports($2, 1, 
+		if(!cfg_mark_ports($2, 1,
 			cfg_parser->cfg->outgoing_avail_ports, 65536))
 			yyerror("port number or range (\"low-high\") expected");
 		free($2);
@@ -749,7 +750,7 @@ server_outgoing_port_permit: VAR_OUTGOING_PORT_PERMIT STRING_ARG
 server_outgoing_port_avoid: VAR_OUTGOING_PORT_AVOID STRING_ARG
 	{
 		OUTYY(("P(server_outgoing_port_avoid:%s)\n", $2));
-		if(!cfg_mark_ports($2, 0, 
+		if(!cfg_mark_ports($2, 0,
 			cfg_parser->cfg->outgoing_avail_ports, 65536))
 			yyerror("port number or range (\"low-high\") expected");
 		free($2);
@@ -839,10 +840,10 @@ server_prefer_ip6: VAR_PREFER_IP6 STRING_ARG
 server_tcp_mss: VAR_TCP_MSS STRING_ARG
 	{
 		OUTYY(("P(server_tcp_mss:%s)\n", $2));
-                if(atoi($2) == 0 && strcmp($2, "0") != 0)
+		if(atoi($2) == 0 && strcmp($2, "0") != 0)
-                        yyerror("number expected");
+				yyerror("number expected");
-                else cfg_parser->cfg->tcp_mss = atoi($2);
+		else cfg_parser->cfg->tcp_mss = atoi($2);
-                free($2);
+		free($2);
 	}
 	;
 server_outgoing_tcp_mss: VAR_OUTGOING_TCP_MSS STRING_ARG
@@ -1142,23 +1143,23 @@ server_log_queries: VAR_LOG_QUERIES STRING_ARG
 	}
 	;
 server_log_replies: VAR_LOG_REPLIES STRING_ARG
-  {
+	{
-  	OUTYY(("P(server_log_replies:%s)\n", $2));
+		OUTYY(("P(server_log_replies:%s)\n", $2));
-  	if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
-  		yyerror("expected yes or no.");
+			yyerror("expected yes or no.");
-  	else cfg_parser->cfg->log_replies = (strcmp($2, "yes")==0);
+		else cfg_parser->cfg->log_replies = (strcmp($2, "yes")==0);
-  	free($2);
+		free($2);
-  }
+	}
-  ;
+	;
 server_log_tag_queryreply: VAR_LOG_TAG_QUERYREPLY STRING_ARG
-  {
+	{
-  	OUTYY(("P(server_log_tag_queryreply:%s)\n", $2));
+		OUTYY(("P(server_log_tag_queryreply:%s)\n", $2));
-  	if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
-  		yyerror("expected yes or no.");
+			yyerror("expected yes or no.");
-  	else cfg_parser->cfg->log_tag_queryreply = (strcmp($2, "yes")==0);
+		else cfg_parser->cfg->log_tag_queryreply = (strcmp($2, "yes")==0);
-  	free($2);
+		free($2);
-  }
+	}
-  ;
+	;
 server_log_servfail: VAR_LOG_SERVFAIL STRING_ARG
 	{
 		OUTYY(("P(server_log_servfail:%s)\n", $2));
@@ -1169,14 +1170,14 @@ server_log_servfail: VAR_LOG_SERVFAIL STRING_ARG
 	}
 	;
 server_log_local_actions: VAR_LOG_LOCAL_ACTIONS STRING_ARG
-  {
+	{
-  	OUTYY(("P(server_log_local_actions:%s)\n", $2));
+		OUTYY(("P(server_log_local_actions:%s)\n", $2));
-  	if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
-  		yyerror("expected yes or no.");
+			yyerror("expected yes or no.");
-  	else cfg_parser->cfg->log_local_actions = (strcmp($2, "yes")==0);
+		else cfg_parser->cfg->log_local_actions = (strcmp($2, "yes")==0);
-  	free($2);
+		free($2);
-  }
+	}
-  ;
+	;
 server_chroot: VAR_CHROOT STRING_ARG
 	{
 		OUTYY(("P(server_chroot:%s)\n", $2));
@@ -1210,7 +1211,7 @@ server_directory: VAR_DIRECTORY STRING_ARG
 				cfg_parser->chroot)) == 0)
 				d += strlen(cfg_parser->chroot);
 			if(d[0]) {
-			    if(chdir(d))
+				if(chdir(d))
 				log_err("cannot chdir to directory: %s (%s)",
 					d, strerror(errno));
 			}
@@ -1403,35 +1404,35 @@ server_so_sndbuf: VAR_SO_SNDBUF STRING_ARG
 	}
 	;
 server_so_reuseport: VAR_SO_REUSEPORT STRING_ARG
-    {
+	{
-        OUTYY(("P(server_so_reuseport:%s)\n", $2));
+		OUTYY(("P(server_so_reuseport:%s)\n", $2));
-        if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
-            yyerror("expected yes or no.");
+			yyerror("expected yes or no.");
-        else cfg_parser->cfg->so_reuseport =
+		else cfg_parser->cfg->so_reuseport =
-            (strcmp($2, "yes")==0);
+			(strcmp($2, "yes")==0);
-        free($2);
+		free($2);
-    }
+	}
-    ;
+	;
 server_ip_transparent: VAR_IP_TRANSPARENT STRING_ARG
-    {
+	{
-        OUTYY(("P(server_ip_transparent:%s)\n", $2));
+		OUTYY(("P(server_ip_transparent:%s)\n", $2));
-        if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
-            yyerror("expected yes or no.");
+			yyerror("expected yes or no.");
-        else cfg_parser->cfg->ip_transparent =
+		else cfg_parser->cfg->ip_transparent =
-            (strcmp($2, "yes")==0);
+			(strcmp($2, "yes")==0);
-        free($2);
+		free($2);
-    }
+	}
-    ;
+	;
 server_ip_freebind: VAR_IP_FREEBIND STRING_ARG
-    {
+	{
-        OUTYY(("P(server_ip_freebind:%s)\n", $2));
+		OUTYY(("P(server_ip_freebind:%s)\n", $2));
-        if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
-            yyerror("expected yes or no.");
+			yyerror("expected yes or no.");
-        else cfg_parser->cfg->ip_freebind =
+		else cfg_parser->cfg->ip_freebind =
-            (strcmp($2, "yes")==0);
+			(strcmp($2, "yes")==0);
-        free($2);
+		free($2);
-    }
+	}
-    ;
+	;
 server_ip_dscp: VAR_IP_DSCP STRING_ARG
 	{
 		OUTYY(("P(server_ip_dscp:%s)\n", $2));
@@ -1540,7 +1541,7 @@ server_unblock_lan_zones: VAR_UNBLOCK_LAN_ZONES STRING_ARG
 		OUTYY(("P(server_unblock_lan_zones:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->unblock_lan_zones = 
+		else cfg_parser->cfg->unblock_lan_zones =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -1550,7 +1551,7 @@ server_insecure_lan_zones: VAR_INSECURE_LAN_ZONES STRING_ARG
 		OUTYY(("P(server_insecure_lan_zones:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->insecure_lan_zones = 
+		else cfg_parser->cfg->insecure_lan_zones =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -1654,7 +1655,7 @@ server_harden_short_bufsize: VAR_HARDEN_SHORT_BUFSIZE STRING_ARG
 		OUTYY(("P(server_harden_short_bufsize:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->harden_short_bufsize = 
+		else cfg_parser->cfg->harden_short_bufsize =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -1664,7 +1665,7 @@ server_harden_large_queries: VAR_HARDEN_LARGE_QUERIES STRING_ARG
 		OUTYY(("P(server_harden_large_queries:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->harden_large_queries = 
+		else cfg_parser->cfg->harden_large_queries =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -1674,7 +1675,7 @@ server_harden_glue: VAR_HARDEN_GLUE STRING_ARG
 		OUTYY(("P(server_harden_glue:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->harden_glue = 
+		else cfg_parser->cfg->harden_glue =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -1684,7 +1685,7 @@ server_harden_dnssec_stripped: VAR_HARDEN_DNSSEC_STRIPPED STRING_ARG
 		OUTYY(("P(server_harden_dnssec_stripped:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->harden_dnssec_stripped = 
+		else cfg_parser->cfg->harden_dnssec_stripped =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -1694,7 +1695,7 @@ server_harden_below_nxdomain: VAR_HARDEN_BELOW_NXDOMAIN STRING_ARG
 		OUTYY(("P(server_harden_below_nxdomain:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->harden_below_nxdomain = 
+		else cfg_parser->cfg->harden_below_nxdomain =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -1704,7 +1705,7 @@ server_harden_referral_path: VAR_HARDEN_REFERRAL_PATH STRING_ARG
 		OUTYY(("P(server_harden_referral_path:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->harden_referral_path = 
+		else cfg_parser->cfg->harden_referral_path =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -1714,7 +1715,7 @@ server_harden_algo_downgrade: VAR_HARDEN_ALGO_DOWNGRADE STRING_ARG
 		OUTYY(("P(server_harden_algo_downgrade:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->harden_algo_downgrade = 
+		else cfg_parser->cfg->harden_algo_downgrade =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -1724,7 +1725,7 @@ server_use_caps_for_id: VAR_USE_CAPS_FOR_ID STRING_ARG
 		OUTYY(("P(server_use_caps_for_id:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->use_caps_bits_for_id = 
+		else cfg_parser->cfg->use_caps_bits_for_id =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -1798,7 +1799,7 @@ server_do_not_query_localhost: VAR_DO_NOT_QUERY_LOCALHOST STRING_ARG
 		OUTYY(("P(server_do_not_query_localhost:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->donotquery_localhost = 
+		else cfg_parser->cfg->donotquery_localhost =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -1809,8 +1810,8 @@ server_access_control: VAR_ACCESS_CONTROL STRING_ARG STRING_ARG
 		if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 &&
 			strcmp($3, "deny_non_local")!=0 &&
 			strcmp($3, "refuse_non_local")!=0 &&
-			strcmp($3, "allow_setrd")!=0 && 
+			strcmp($3, "allow_setrd")!=0 &&
-			strcmp($3, "allow")!=0 && 
+			strcmp($3, "allow")!=0 &&
 			strcmp($3, "allow_snoop")!=0) {
 			yyerror("expected deny, refuse, deny_non_local, "
 				"refuse_non_local, allow, allow_setrd or "
@@ -1836,7 +1837,7 @@ server_val_override_date: VAR_VAL_OVERRIDE_DATE STRING_ARG
 		if(*$2 == '\0' || strcmp($2, "0") == 0) {
 			cfg_parser->cfg->val_date_override = 0;
 		} else if(strlen($2) == 14) {
-			cfg_parser->cfg->val_date_override = 
+			cfg_parser->cfg->val_date_override =
 				cfg_convert_timeval($2);
 			if(!cfg_parser->cfg->val_date_override)
 				yyerror("bad date/time specification");
@@ -1928,7 +1929,7 @@ server_val_clean_additional: VAR_VAL_CLEAN_ADDITIONAL STRING_ARG
 		OUTYY(("P(server_val_clean_additional:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->val_clean_additional = 
+		else cfg_parser->cfg->val_clean_additional =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -1938,7 +1939,7 @@ server_val_permissive_mode: VAR_VAL_PERMISSIVE_MODE STRING_ARG
 		OUTYY(("P(server_val_permissive_mode:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->val_permissive_mode = 
+		else cfg_parser->cfg->val_permissive_mode =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -2172,7 +2173,7 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
 			free($3);
 #endif
 		} else {
-			if(!cfg_str2list_insert(&cfg_parser->cfg->local_zones, 
+			if(!cfg_str2list_insert(&cfg_parser->cfg->local_zones,
 				$2, $3))
 				fatal_exit("out of memory adding local-zone");
 		}
@@ -2380,9 +2381,9 @@ server_response_ip_tag: VAR_RESPONSE_IP_TAG STRING_ARG STRING_ARG
 		}
 	}
 	;
-server_ip_ratelimit: VAR_IP_RATELIMIT STRING_ARG 
+server_ip_ratelimit: VAR_IP_RATELIMIT STRING_ARG
-	{ 
+	{
-		OUTYY(("P(server_ip_ratelimit:%s)\n", $2)); 
+		OUTYY(("P(server_ip_ratelimit:%s)\n", $2));
 		if(atoi($2) == 0 && strcmp($2, "0") != 0)
 			yyerror("number expected");
 		else cfg_parser->cfg->ip_ratelimit = atoi($2);
@@ -2390,9 +2391,9 @@ server_ip_ratelimit: VAR_IP_RATELIMIT STRING_ARG
 	}
 	;
 
-server_ratelimit: VAR_RATELIMIT STRING_ARG 
+server_ratelimit: VAR_RATELIMIT STRING_ARG
-	{ 
+	{
-		OUTYY(("P(server_ratelimit:%s)\n", $2)); 
+		OUTYY(("P(server_ratelimit:%s)\n", $2));
 		if(atoi($2) == 0 && strcmp($2, "0") != 0)
 			yyerror("number expected");
 		else cfg_parser->cfg->ratelimit = atoi($2);
@@ -2400,13 +2401,13 @@ server_ratelimit: VAR_RATELIMIT STRING_ARG
 	}
 	;
 server_ip_ratelimit_size: VAR_IP_RATELIMIT_SIZE STRING_ARG
-  {
+{
-  	OUTYY(("P(server_ip_ratelimit_size:%s)\n", $2));
+	OUTYY(("P(server_ip_ratelimit_size:%s)\n", $2));
-  	if(!cfg_parse_memsize($2, &cfg_parser->cfg->ip_ratelimit_size))
+	if(!cfg_parse_memsize($2, &cfg_parser->cfg->ip_ratelimit_size))
-  		yyerror("memory size expected");
+		yyerror("memory size expected");
-  	free($2);
+	free($2);
-  }
+}
-  ;
+;
 server_ratelimit_size: VAR_RATELIMIT_SIZE STRING_ARG
 	{
 		OUTYY(("P(server_ratelimit_size:%s)\n", $2));
@@ -2416,18 +2417,18 @@ server_ratelimit_size: VAR_RATELIMIT_SIZE STRING_ARG
 	}
 	;
 server_ip_ratelimit_slabs: VAR_IP_RATELIMIT_SLABS STRING_ARG
-  {
+{
-  	OUTYY(("P(server_ip_ratelimit_slabs:%s)\n", $2));
+	OUTYY(("P(server_ip_ratelimit_slabs:%s)\n", $2));
-  	if(atoi($2) == 0)
+	if(atoi($2) == 0)
-  		yyerror("number expected");
+		yyerror("number expected");
-  	else {
+	else {
-  		cfg_parser->cfg->ip_ratelimit_slabs = atoi($2);
+		cfg_parser->cfg->ip_ratelimit_slabs = atoi($2);
-  		if(!is_pow2(cfg_parser->cfg->ip_ratelimit_slabs))
+		if(!is_pow2(cfg_parser->cfg->ip_ratelimit_slabs))
-  			yyerror("must be a power of 2");
+			yyerror("must be a power of 2");
-  	}
+	}
-  	free($2);
+	free($2);
-  }
+}
-  ;
+;
 server_ratelimit_slabs: VAR_RATELIMIT_SLABS STRING_ARG
 	{
 		OUTYY(("P(server_ratelimit_slabs:%s)\n", $2));
@@ -2471,42 +2472,51 @@ server_ratelimit_below_domain: VAR_RATELIMIT_BELOW_DOMAIN STRING_ARG STRING_ARG
 		}
 	}
 	;
-server_ip_ratelimit_factor: VAR_IP_RATELIMIT_FACTOR STRING_ARG 
+server_ip_ratelimit_factor: VAR_IP_RATELIMIT_FACTOR STRING_ARG
-  { 
+	{
-  	OUTYY(("P(server_ip_ratelimit_factor:%s)\n", $2)); 
+	OUTYY(("P(server_ip_ratelimit_factor:%s)\n", $2));
-  	if(atoi($2) == 0 && strcmp($2, "0") != 0)
+	if(atoi($2) == 0 && strcmp($2, "0") != 0)
-  		yyerror("number expected");
+		yyerror("number expected");
-  	else cfg_parser->cfg->ip_ratelimit_factor = atoi($2);
+	else cfg_parser->cfg->ip_ratelimit_factor = atoi($2);
-  	free($2);
+	free($2);
 	}
 	;
-server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG 
+server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG
-	{ 
+	{
-		OUTYY(("P(server_ratelimit_factor:%s)\n", $2)); 
+		OUTYY(("P(server_ratelimit_factor:%s)\n", $2));
 		if(atoi($2) == 0 && strcmp($2, "0") != 0)
 			yyerror("number expected");
 		else cfg_parser->cfg->ratelimit_factor = atoi($2);
 		free($2);
 	}
 	;
-server_low_rtt: VAR_LOW_RTT STRING_ARG 
+server_outbound_msg_retry: VAR_OUTBOUND_MSG_RETRY STRING_ARG
-	{ 
+{
+	OUTYY(("P(server_outbound_msg_retry:%s)\n", $2));
+	if(atoi($2) == 0 && strcmp($2, "0") != 0)
+		yyerror("number expected");
+	else cfg_parser->cfg->outbound_msg_retry = atoi($2);
+	free($2);
+}
+;
+server_low_rtt: VAR_LOW_RTT STRING_ARG
+	{
 		OUTYY(("P(low-rtt option is deprecated, use fast-server-num instead)\n"));
 		free($2);
 	}
 	;
-server_fast_server_num: VAR_FAST_SERVER_NUM STRING_ARG 
+server_fast_server_num: VAR_FAST_SERVER_NUM STRING_ARG
-	{ 
+	{
-		OUTYY(("P(server_fast_server_num:%s)\n", $2)); 
+		OUTYY(("P(server_fast_server_num:%s)\n", $2));
 		if(atoi($2) <= 0)
 			yyerror("number expected");
 		else cfg_parser->cfg->fast_server_num = atoi($2);
 		free($2);
 	}
 	;
-server_fast_server_permil: VAR_FAST_SERVER_PERMIL STRING_ARG 
+server_fast_server_permil: VAR_FAST_SERVER_PERMIL STRING_ARG
-	{ 
+	{
-		OUTYY(("P(server_fast_server_permil:%s)\n", $2)); 
+		OUTYY(("P(server_fast_server_permil:%s)\n", $2));
 		if(atoi($2) == 0 && strcmp($2, "0") != 0)
 			yyerror("number expected");
 		else cfg_parser->cfg->fast_server_permil = atoi($2);
@@ -2518,7 +2528,7 @@ server_qname_minimisation: VAR_QNAME_MINIMISATION STRING_ARG
 		OUTYY(("P(server_qname_minimisation:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->qname_minimisation = 
+		else cfg_parser->cfg->qname_minimisation =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -2528,7 +2538,7 @@ server_qname_minimisation_strict: VAR_QNAME_MINIMISATION_STRICT STRING_ARG
 		OUTYY(("P(server_qname_minimisation_strict:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->qname_minimisation_strict = 
+		else cfg_parser->cfg->qname_minimisation_strict =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -2717,7 +2727,7 @@ stub_ssl_upstream: VAR_STUB_SSL_UPSTREAM STRING_ARG
 		OUTYY(("P(stub-ssl-upstream:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->stubs->ssl_upstream = 
+		else cfg_parser->cfg->stubs->ssl_upstream =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -2737,7 +2747,7 @@ stub_prime: VAR_STUB_PRIME STRING_ARG
 		OUTYY(("P(stub-prime:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->stubs->isprime = 
+		else cfg_parser->cfg->stubs->isprime =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -2789,7 +2799,7 @@ forward_ssl_upstream: VAR_FORWARD_SSL_UPSTREAM STRING_ARG
 		OUTYY(("P(forward-ssl-upstream:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->forwards->ssl_upstream = 
+		else cfg_parser->cfg->forwards->ssl_upstream =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -2943,7 +2953,7 @@ view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
 #endif
 		} else {
 			if(!cfg_str2list_insert(
-				&cfg_parser->cfg->views->local_zones, 
+				&cfg_parser->cfg->views->local_zones,
 				$2, $3))
 				fatal_exit("out of memory adding local-zone");
 		}
@@ -3000,11 +3010,11 @@ view_first: VAR_VIEW_FIRST STRING_ARG
 	}
 	;
 rcstart: VAR_REMOTE_CONTROL
-	{ 
+	{
-		OUTYY(("\nP(remote-control:)\n")); 
+		OUTYY(("\nP(remote-control:)\n"));
 	}
 	;
-contents_rc: contents_rc content_rc 
+contents_rc: contents_rc content_rc
 	| ;
 content_rc: rc_control_enable | rc_control_interface | rc_control_port |
 	rc_server_key_file | rc_server_cert_file | rc_control_key_file |
@@ -3015,7 +3025,7 @@ rc_control_enable: VAR_CONTROL_ENABLE STRING_ARG
 		OUTYY(("P(control_enable:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
-		else cfg_parser->cfg->remote_control_enable = 
+		else cfg_parser->cfg->remote_control_enable =
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
@@ -3254,8 +3264,8 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES
 	}
 	;
 pythonstart: VAR_PYTHON
-	{ 
+	{
-		OUTYY(("\nP(python:)\n")); 
+		OUTYY(("\nP(python:)\n"));
 	}
 	;
 contents_py: contents_py content_py
@@ -3386,44 +3396,44 @@ dnsc_dnscrypt_secret_key: VAR_DNSCRYPT_SECRET_KEY STRING_ARG
 	;
 dnsc_dnscrypt_shared_secret_cache_size: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE STRING_ARG
   {
-  	OUTYY(("P(dnscrypt_shared_secret_cache_size:%s)\n", $2));
+	OUTYY(("P(dnscrypt_shared_secret_cache_size:%s)\n", $2));
-  	if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_shared_secret_cache_size))
+	if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_shared_secret_cache_size))
-  		yyerror("memory size expected");
+		yyerror("memory size expected");
-  	free($2);
+	free($2);
   }
   ;
 dnsc_dnscrypt_shared_secret_cache_slabs: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS STRING_ARG
   {
-  	OUTYY(("P(dnscrypt_shared_secret_cache_slabs:%s)\n", $2));
+	OUTYY(("P(dnscrypt_shared_secret_cache_slabs:%s)\n", $2));
-  	if(atoi($2) == 0)
+	if(atoi($2) == 0)
-  		yyerror("number expected");
+		yyerror("number expected");
-  	else {
+	else {
-  		cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = atoi($2);
+		cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = atoi($2);
-  		if(!is_pow2(cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs))
+		if(!is_pow2(cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs))
-  			yyerror("must be a power of 2");
+			yyerror("must be a power of 2");
-  	}
+	}
-  	free($2);
+	free($2);
   }
   ;
 dnsc_dnscrypt_nonce_cache_size: VAR_DNSCRYPT_NONCE_CACHE_SIZE STRING_ARG
   {
-  	OUTYY(("P(dnscrypt_nonce_cache_size:%s)\n", $2));
+	OUTYY(("P(dnscrypt_nonce_cache_size:%s)\n", $2));
-  	if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_nonce_cache_size))
+	if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_nonce_cache_size))
-  		yyerror("memory size expected");
+		yyerror("memory size expected");
-  	free($2);
+	free($2);
   }
   ;
 dnsc_dnscrypt_nonce_cache_slabs: VAR_DNSCRYPT_NONCE_CACHE_SLABS STRING_ARG
   {
-  	OUTYY(("P(dnscrypt_nonce_cache_slabs:%s)\n", $2));
+	OUTYY(("P(dnscrypt_nonce_cache_slabs:%s)\n", $2));
-  	if(atoi($2) == 0)
+	if(atoi($2) == 0)
-  		yyerror("number expected");
+		yyerror("number expected");
-  	else {
+	else {
-  		cfg_parser->cfg->dnscrypt_nonce_cache_slabs = atoi($2);
+		cfg_parser->cfg->dnscrypt_nonce_cache_slabs = atoi($2);
-  		if(!is_pow2(cfg_parser->cfg->dnscrypt_nonce_cache_slabs))
+		if(!is_pow2(cfg_parser->cfg->dnscrypt_nonce_cache_slabs))
-  			yyerror("must be a power of 2");
+			yyerror("must be a power of 2");
-  	}
+	}
-  	free($2);
+	free($2);
   }
   ;
 cachedbstart: VAR_CACHEDB