Merge branch 'master' into dlv-removal

contrib/aaaa-filter-iterator.patch

@@ -1,10 +1,10 @@
-Index: trunk/doc/unbound.conf.5.in
-===================================================================
---- trunk/doc/unbound.conf.5.in	(revision 4357)
-+++ trunk/doc/unbound.conf.5.in	(working copy)
-@@ -701,6 +701,13 @@
+diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
+index f426ac5f..147fbfa9 100644
+--- a/doc/unbound.conf.5.in
++++ b/doc/unbound.conf.5.in
+@@ -872,6 +872,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when
  this option in enabled. Only use if you know what you are doing.
- This option only has effect when qname-minimisation is enabled. Default is off.
+ This option only has effect when qname-minimisation is enabled. Default is no.
  .TP
 +.B aaaa\-filter: \fI<yes or no>
 +Activate behavior similar to BIND's AAAA-filter.
@@ -16,14 +16,15 @@ Index: trunk/doc/unbound.conf.5.in
  .B aggressive\-nsec: \fI<yes or no>
  Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
  and other denials, using information from previous NXDOMAINs answers.
-Index: trunk/iterator/iter_scrub.c
-===================================================================
---- trunk/iterator/iter_scrub.c	(revision 4357)
-+++ trunk/iterator/iter_scrub.c	(working copy)
-@@ -617,6 +617,32 @@
+diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
+index aae934dd..55c55de0 100644
+--- a/iterator/iter_scrub.c
++++ b/iterator/iter_scrub.c
+@@ -667,6 +667,32 @@ static int sanitize_nsec_is_overreach(struct rrset_parse* rrset,
+ 	return 0;
  }
  
- /**
++/**
 + * ASN: Lookup A records from rrset cache.
 + * @param qinfo: the question originally asked.
 + * @param env: module environment with config and cache.
@@ -49,11 +50,10 @@ Index: trunk/iterator/iter_scrub.c
 +	return 0;
 +}
 +
-+/**
+ /**
   * Given a response event, remove suspect RRsets from the response.
   * "Suspect" rrsets are potentially poison. Note that this routine expects
-  * the response to be in a "normalized" state -- that is, all "irrelevant"
-@@ -635,6 +661,7 @@
+@@ -686,6 +712,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
  	struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
  	struct iter_env* ie)
  {
@@ -61,7 +61,7 @@ Index: trunk/iterator/iter_scrub.c
  	int del_addi = 0; /* if additional-holding rrsets are deleted, we
  		do not trust the normalized additional-A-AAAA any more */
  	struct rrset_parse* rrset, *prev;
-@@ -670,6 +697,13 @@
+@@ -721,6 +748,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
  		rrset = rrset->rrset_all_next;
  	}
  
@@ -75,11 +75,10 @@ Index: trunk/iterator/iter_scrub.c
  	/* At this point, we brutally remove ALL rrsets that aren't 
  	 * children of the originating zone. The idea here is that, 
  	 * as far as we know, the server that we contacted is ONLY 
-@@ -680,6 +714,24 @@
- 	prev = NULL;
+@@ -732,6 +766,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
  	rrset = msg->rrset_first;
  	while(rrset) {
-+
+ 
 +		/* ASN: For AAAA records only... */
 +		if((ie->aaaa_filter) && (rrset->type == LDNS_RR_TYPE_AAAA)) {
 +			/* ASN: If this is not a AAAA query, then remove AAAA
@@ -97,14 +96,15 @@ Index: trunk/iterator/iter_scrub.c
 +				LDNS_RR_TYPE_AAAA, qinfo->qclass);
 +		}
 +		/* ASN: End of added code */
- 
++
  		/* remove private addresses */
  		if( (rrset->type == LDNS_RR_TYPE_A || 
-Index: trunk/iterator/iter_utils.c
-===================================================================
---- trunk/iterator/iter_utils.c	(revision 4357)
-+++ trunk/iterator/iter_utils.c	(working copy)
-@@ -175,6 +175,7 @@
+ 			rrset->type == LDNS_RR_TYPE_AAAA)) {
+diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
+index 7bc67da6..e10f547a 100644
+--- a/iterator/iter_utils.c
++++ b/iterator/iter_utils.c
+@@ -175,6 +175,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
  	}
  	iter_env->supports_ipv6 = cfg->do_ip6;
  	iter_env->supports_ipv4 = cfg->do_ip4;
@@ -112,11 +112,11 @@ Index: trunk/iterator/iter_utils.c
  	return 1;
  }
  
-Index: trunk/iterator/iterator.c
-===================================================================
---- trunk/iterator/iterator.c	(revision 4357)
-+++ trunk/iterator/iterator.c	(working copy)
-@@ -1847,6 +1847,53 @@
+diff --git a/iterator/iterator.c b/iterator/iterator.c
+index 23b07ea9..ca29b48c 100644
+--- a/iterator/iterator.c
++++ b/iterator/iterator.c
+@@ -2127,6 +2127,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
  
  	return 0;
  }
@@ -170,7 +170,7 @@ Index: trunk/iterator/iterator.c
  	
  /** 
   * This is the request event state where the request will be sent to one of
-@@ -1894,6 +1941,13 @@
+@@ -2186,6 +2233,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
  		return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
  	}
  	
@@ -184,7 +184,7 @@ Index: trunk/iterator/iterator.c
  	/* Make sure we have a delegation point, otherwise priming failed
  	 * or another failure occurred */
  	if(!iq->dp) {
-@@ -3095,6 +3149,61 @@
+@@ -3574,6 +3628,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
  	return 0;
  }
  
@@ -246,7 +246,7 @@ Index: trunk/iterator/iterator.c
  /*
   * Return priming query results to interested super querystates.
   * 
-@@ -3114,6 +3223,9 @@
+@@ -3593,6 +3702,9 @@ iter_inform_super(struct module_qstate* qstate, int id,
  	else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*)
  		super->minfo[id])->state == DSNS_FIND_STATE)
  		processDSNSResponse(qstate, id, super);
@@ -256,7 +256,7 @@ Index: trunk/iterator/iterator.c
  	else if(qstate->return_rcode != LDNS_RCODE_NOERROR)
  		error_supers(qstate, id, super);
  	else if(qstate->is_priming)
-@@ -3151,6 +3263,9 @@
+@@ -3630,6 +3742,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq,
  			case INIT_REQUEST_3_STATE:
  				cont = processInitRequest3(qstate, iq, id);
  				break;
@@ -266,7 +266,7 @@ Index: trunk/iterator/iterator.c
  			case QUERYTARGETS_STATE:
  				cont = processQueryTargets(qstate, iq, ie, id);
  				break;
-@@ -3460,6 +3575,8 @@
+@@ -3961,6 +4076,8 @@ iter_state_to_string(enum iter_state state)
  		return "INIT REQUEST STATE (stage 2)";
  	case INIT_REQUEST_3_STATE:
  		return "INIT REQUEST STATE (stage 3)";
@@ -275,7 +275,7 @@ Index: trunk/iterator/iterator.c
  	case QUERYTARGETS_STATE :
  		return "QUERY TARGETS STATE";
  	case PRIME_RESP_STATE :
-@@ -3484,6 +3601,7 @@
+@@ -3985,6 +4102,7 @@ iter_state_is_responsestate(enum iter_state s)
  		case INIT_REQUEST_STATE :
  		case INIT_REQUEST_2_STATE :
  		case INIT_REQUEST_3_STATE :
@@ -283,11 +283,11 @@ Index: trunk/iterator/iterator.c
  		case QUERYTARGETS_STATE :
  		case COLLECT_CLASS_STATE :
  			return 0;
-Index: trunk/iterator/iterator.h
-===================================================================
---- trunk/iterator/iterator.h	(revision 4357)
-+++ trunk/iterator/iterator.h	(working copy)
-@@ -130,6 +130,9 @@
+diff --git a/iterator/iterator.h b/iterator/iterator.h
+index 342ac207..731948d1 100644
+--- a/iterator/iterator.h
++++ b/iterator/iterator.h
+@@ -135,6 +135,9 @@ struct iter_env {
  	 */
  	int* target_fetch_policy;
  
@@ -297,10 +297,11 @@ Index: trunk/iterator/iterator.h
  	/** lock on ratelimit counter */
  	lock_basic_type queries_ratelimit_lock;
  	/** number of queries that have been ratelimited */
-@@ -182,6 +185,14 @@
+@@ -186,6 +189,14 @@ enum iter_state {
+ 	 */
  	INIT_REQUEST_3_STATE,
  
- 	/**
++	/**
 +	 * This state is responsible for intercepting AAAA queries,
 +	 * and launch a A subquery on the same target, to populate the
 +	 * cache with A records, so the AAAA filter scrubbing logic can
@@ -308,29 +309,28 @@ Index: trunk/iterator/iterator.h
 +	 */
 +	ASN_FETCH_A_FOR_AAAA_STATE,
 +
-+	/**
+ 	/**
  	 * Each time a delegation point changes for a given query or a 
  	 * query times out and/or wakes up, this state is (re)visited. 
- 	 * This state is responsible for iterating through a list of 
-@@ -364,6 +375,13 @@
- 	 * be used when creating the state. A higher one will be attempted.
+@@ -375,6 +386,13 @@ struct iter_qstate {
  	 */
  	int refetch_glue;
-+
+ 
 +	/**
 +	 * ASN: This is a flag that, if true, means that this query is
 +	 * for fetching A records to populate cache and determine if we must
 +	 * return AAAA records or not.
 +	 */
 +	int fetch_a_for_aaaa;
- 
++
  	/** list of pending queries to authoritative servers. */
  	struct outbound_list outlist;
-Index: trunk/pythonmod/interface.i
-===================================================================
---- trunk/pythonmod/interface.i	(revision 4357)
-+++ trunk/pythonmod/interface.i	(working copy)
-@@ -851,6 +851,7 @@
+ 
+diff --git a/pythonmod/interface.i b/pythonmod/interface.i
+index f08b575d..47f1bb2e 100644
+--- a/pythonmod/interface.i
++++ b/pythonmod/interface.i
+@@ -975,6 +975,7 @@ struct config_file {
     int harden_dnssec_stripped;
     int harden_referral_path;
     int use_caps_bits_for_id;
@@ -338,11 +338,11 @@ Index: trunk/pythonmod/interface.i
     struct config_strlist* private_address;
     struct config_strlist* private_domain;
     size_t unwanted_threshold;
-Index: trunk/util/config_file.c
-===================================================================
---- trunk/util/config_file.c	(revision 4357)
-+++ trunk/util/config_file.c	(working copy)
-@@ -195,6 +195,7 @@
+diff --git a/util/config_file.c b/util/config_file.c
+index 0ab8614a..729fb147 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -218,6 +218,7 @@ config_create(void)
  	cfg->harden_referral_path = 0;
  	cfg->harden_algo_downgrade = 0;
  	cfg->use_caps_bits_for_id = 0;
@@ -350,11 +350,11 @@ Index: trunk/util/config_file.c
  	cfg->caps_whitelist = NULL;
  	cfg->private_address = NULL;
  	cfg->private_domain = NULL;
-Index: trunk/util/config_file.h
-===================================================================
---- trunk/util/config_file.h	(revision 4357)
-+++ trunk/util/config_file.h	(working copy)
-@@ -209,6 +209,8 @@
+diff --git a/util/config_file.h b/util/config_file.h
+index e61257a3..dabaa7bb 100644
+--- a/util/config_file.h
++++ b/util/config_file.h
+@@ -260,6 +260,8 @@ struct config_file {
  	int harden_algo_downgrade;
  	/** use 0x20 bits in query as random ID bits */
  	int use_caps_bits_for_id;
@@ -363,11 +363,11 @@ Index: trunk/util/config_file.h
  	/** 0x20 whitelist, domains that do not use capsforid */
  	struct config_strlist* caps_whitelist;
  	/** strip away these private addrs from answers, no DNS Rebinding */
-Index: trunk/util/configlexer.lex
-===================================================================
---- trunk/util/configlexer.lex	(revision 4357)
-+++ trunk/util/configlexer.lex	(working copy)
-@@ -279,6 +279,7 @@
+diff --git a/util/configlexer.lex b/util/configlexer.lex
+index 79a0edca..4eaec678 100644
+--- a/util/configlexer.lex
++++ b/util/configlexer.lex
+@@ -304,6 +304,7 @@ harden-algo-downgrade{COLON}	{ YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) }
  use-caps-for-id{COLON}		{ YDVAR(1, VAR_USE_CAPS_FOR_ID) }
  caps-whitelist{COLON}		{ YDVAR(1, VAR_CAPS_WHITELIST) }
  unwanted-reply-threshold{COLON}	{ YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
@@ -375,11 +375,11 @@ Index: trunk/util/configlexer.lex
  private-address{COLON}		{ YDVAR(1, VAR_PRIVATE_ADDRESS) }
  private-domain{COLON}		{ YDVAR(1, VAR_PRIVATE_DOMAIN) }
  prefetch-key{COLON}		{ YDVAR(1, VAR_PREFETCH_KEY) }
-Index: trunk/util/configparser.y
-===================================================================
---- trunk/util/configparser.y	(revision 4357)
-+++ trunk/util/configparser.y	(working copy)
-@@ -95,6 +95,7 @@
+diff --git a/util/configparser.y b/util/configparser.y
+index 1d0e8658..f284dd43 100644
+--- a/util/configparser.y
++++ b/util/configparser.y
+@@ -97,6 +97,7 @@ extern struct config_parser_state* cfg_parser;
  %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT 
  %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
  %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
@@ -387,7 +387,7 @@ Index: trunk/util/configparser.y
  %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
  %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
  %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
-@@ -203,6 +204,7 @@
+@@ -233,6 +234,7 @@ content_server: server_num_threads | server_verbosity | server_port |
  	server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
  	server_harden_referral_path | server_private_address |
  	server_private_domain | server_extended_statistics | 
@@ -395,12 +395,10 @@ Index: trunk/util/configparser.y
  	server_local_data_ptr | server_jostle_timeout | 
  	server_unwanted_reply_threshold | server_log_time_ascii | 
  	server_domain_insecure | server_val_sig_skew_min | 
-@@ -1183,6 +1185,15 @@
- 		OUTYY(("P(server_caps_whitelist:%s)\n", $2));
- 		if(!cfg_strlist_insert(&cfg_parser->cfg->caps_whitelist, $2))
+@@ -1563,6 +1565,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG
  			yyerror("out of memory");
-+	}
-+	;
+ 	}
+ 	;
 +server_aaaa_filter: VAR_AAAA_FILTER STRING_ARG
 +	{
 +		OUTYY(("P(server_aaaa_filter:%s)\n", $2));
@@ -408,6 +406,8 @@ Index: trunk/util/configparser.y
 +			yyerror("expected yes or no.");
 +		else cfg_parser->cfg->aaaa_filter = (strcmp($2, "yes")==0);
 +		free($2);
- 	}
- 	;
++	}
++	;
  server_private_address: VAR_PRIVATE_ADDRESS STRING_ARG
+ 	{
+ 		OUTYY(("P(server_private_address:%s)\n", $2));

daemon/daemon.c

@@ -77,6 +77,7 @@
 #include "util/storage/lookup3.h"
 #include "util/storage/slabhash.h"
 #include "util/tcp_conn_limit.h"
+#include "util/edns.h"
 #include "services/listen_dnsport.h"
 #include "services/cache/rrset.h"
 #include "services/cache/infra.h"
@@ -290,6 +291,15 @@ daemon_init(void)
 		free(daemon);
 		return NULL;
 	}
+	if(!(daemon->env->edns_tags = edns_tags_create())) {
+		auth_zones_delete(daemon->env->auth_zones);
+		acl_list_delete(daemon->acl);
+		tcl_list_delete(daemon->tcl);
+		edns_known_options_delete(daemon->env);
+		free(daemon->env);
+		free(daemon);
+		return NULL;
+	}
 	return daemon;	
 }
 
@@ -619,6 +629,10 @@ daemon_fork(struct daemon* daemon)
 		&daemon->use_rpz))
 		fatal_exit("auth_zones could not be setup");
 
+	/* Set-up EDNS tags */
+	if(!edns_tags_apply_cfg(daemon->env->edns_tags, daemon->cfg))
+		fatal_exit("Could not set up EDNS tags");
+
 	/* setup modules */
 	daemon_setup_modules(daemon);
 
@@ -750,6 +764,7 @@ daemon_delete(struct daemon* daemon)
 		rrset_cache_delete(daemon->env->rrset_cache);
 		infra_delete(daemon->env->infra_cache);
 		edns_known_options_delete(daemon->env);
+		edns_tags_delete(daemon->env->edns_tags);
 		auth_zones_delete(daemon->env->auth_zones);
 	}
 	ub_randfree(daemon->rand);

daemon/unbound.c

@@ -92,7 +92,7 @@
 #include <TargetConditionals.h>
 #endif
 
-#if defined(TARGET_OS_TV) || defined(TARGET_OS_WATCH)
+#if (defined(TARGET_OS_TV) && TARGET_OS_TV) || (defined(TARGET_OS_WATCH) && TARGET_OS_WATCH)
 #undef HAVE_FORK
 #endif
 

doc/Changelog

@@ -1,3 +1,15 @@
+5 August 2020: Wouter
+	- contrib/aaaa-filter-iterator.patch file renewed diff content to
+	  apply cleanly to the current coderepo for the current code version.
+
+5 August 2020: Ralph
+	- Merge PR #272: Add EDNS client tag functionality.
+
+4 August 2020: George
+	- Improve error log message when inserting rpz RR.
+	- Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as
+	  definedness, by Felipe Gasper.
+
 4 August 2020: Wouter
 	- Fix mini_event.h on OpenBSD cannot find fd_set.
 

doc/unbound.conf.5.in

@@ -1501,6 +1501,12 @@ servers set. The default for fast\-server\-permil is 0.
 Set the number of servers that should be used for fast server selection. Only
 use the fastest specified number of servers with the fast\-server\-permil
 option, that turns this on or off. The default is to use the fastest 3 servers.
+.TP 5
+.B edns\-client\-tag: \fI<IP netblock> <tag data>
+Include an edns-client-tag option in queries with destination address matching
+the configured IP netblock. This configuration option can be used multiple
+times. The most specific match will be used. The tag data is configured in
+decimal format, from 0 to 65535.
 .SS "Remote Control Options"
 In the
 .B remote\-control:

libunbound/libworker.c

@@ -78,7 +78,7 @@
 #include <TargetConditionals.h>
 #endif
 
-#if defined(TARGET_OS_TV) || defined(TARGET_OS_WATCH)
+#if (defined(TARGET_OS_TV) && TARGET_OS_TV) || (defined(TARGET_OS_WATCH) && TARGET_OS_WATCH)
 #undef HAVE_FORK
 #endif
 

services/outside_network.c

@@ -58,6 +58,7 @@
 #include "util/net_help.h"
 #include "util/random.h"
 #include "util/fptr_wlist.h"
+#include "util/edns.h"
 #include "sldns/sbuffer.h"
 #include "dnstap/dnstap.h"
 #ifdef HAVE_OPENSSL_SSL_H
@@ -2111,9 +2112,20 @@ outnet_serviced_query(struct outside_network* outnet,
 {
 	struct serviced_query* sq;
 	struct service_callback* cb;
+	struct edns_tag_addr* client_tag_addr;
+
 	if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen, zone, zonelen,
 		qstate, qstate->region))
 			return NULL;
+
+	if((client_tag_addr = edns_tag_addr_lookup(&env->edns_tags->client_tags,
+		addr, addrlen))) {
+		uint16_t client_tag = htons(client_tag_addr->tag_data);
+		edns_opt_list_append(&qstate->edns_opts_back_out,
+			LDNS_EDNS_CLIENT_TAG, 2,
+			(uint8_t*)&client_tag, qstate->region);
+	}
+
 	serviced_gen_query(buff, qinfo->qname, qinfo->qname_len, qinfo->qtype,
 		qinfo->qclass, flags);
 	sq = lookup_serviced(outnet, buff, dnssec, addr, addrlen,

services/rpz.c

@@ -597,8 +597,18 @@ rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dname,
 	uint8_t* policydname;
 
 	if(!dname_subdomain_c(dname, azname)) {
-		log_err("RPZ: name of record to insert into RPZ is not a "
-			"subdomain of the configured name of the RPZ zone");
+		char* dname_str = sldns_wire2str_dname(dname, dnamelen);
+		char* azname_str = sldns_wire2str_dname(azname, aznamelen);
+		if(dname_str && azname_str) {
+			log_err("RPZ: name of record (%s) to insert into RPZ is not a "
+				"subdomain of the configured name of the RPZ zone (%s)",
+				dname_str, azname_str);
+		} else {
+			log_err("RPZ: name of record to insert into RPZ is not a "
+				"subdomain of the configured name of the RPZ zone");
+		}
+		free(dname_str);
+		free(azname_str);
 		return 0;
 	}
 

sldns/rrdef.h

@@ -426,7 +426,8 @@ enum sldns_enum_edns_option
 	LDNS_EDNS_N3U = 7, /* RFC6975 */
 	LDNS_EDNS_CLIENT_SUBNET = 8, /* RFC7871 */
 	LDNS_EDNS_KEEPALIVE = 11, /* draft-ietf-dnsop-edns-tcp-keepalive*/
-	LDNS_EDNS_PADDING = 12 /* RFC7830 */
+	LDNS_EDNS_PADDING = 12, /* RFC7830 */
+	LDNS_EDNS_CLIENT_TAG = 16 /* draft-bellis-dnsop-edns-tags-01 */
 };
 typedef enum sldns_enum_edns_option sldns_edns_option;
 

smallapp/unbound-control.c

@@ -886,7 +886,7 @@ int main(int argc, char* argv[])
 	if(argc == 0)
 		usage();
 	if(argc >= 1 && strcmp(argv[0], "start")==0) {
-#if defined(TARGET_OS_TV) || defined(TARGET_OS_WATCH)
+#if (defined(TARGET_OS_TV) && TARGET_OS_TV) || (defined(TARGET_OS_WATCH) && TARGET_OS_WATCH)
 		fatal_exit("could not exec unbound: %s",
 			strerror(ENOSYS));
 #else

testcode/fake_event.c

@@ -52,6 +52,7 @@
 #include "util/data/msgreply.h"
 #include "util/data/msgencode.h"
 #include "util/data/dname.h"
+#include "util/edns.h"
 #include "util/config_file.h"
 #include "services/listen_dnsport.h"
 #include "services/outside_network.h"
@@ -1180,7 +1181,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 	socklen_t addrlen, uint8_t* zone, size_t zonelen,
 	struct module_qstate* qstate, comm_point_callback_type* callback,
 	void* callback_arg, sldns_buffer* ATTR_UNUSED(buff),
-	struct module_env* ATTR_UNUSED(env))
+	struct module_env* env)
 {
 	struct replay_runtime* runtime = (struct replay_runtime*)outnet->base;
 	struct fake_pending* pend = (struct fake_pending*)calloc(1,
@@ -1209,6 +1210,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 	sldns_buffer_flip(pend->buffer);
 	if(1) {
 		struct edns_data edns;
+		struct edns_tag_addr* client_tag_addr;
 		if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen,
 			zone, zonelen, qstate, qstate->region)) {
 			free(pend);
@@ -1220,9 +1222,17 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 		edns.edns_version = EDNS_ADVERTISED_VERSION;
 		edns.udp_size = EDNS_ADVERTISED_SIZE;
 		edns.bits = 0;
-		edns.opt_list = qstate->edns_opts_back_out;
 		if(dnssec)
 			edns.bits = EDNS_DO;
+		if((client_tag_addr = edns_tag_addr_lookup(
+			&env->edns_tags->client_tags,
+			addr, addrlen))) {
+			uint16_t client_tag = htons(client_tag_addr->tag_data);
+			edns_opt_list_append(&qstate->edns_opts_back_out,
+				LDNS_EDNS_CLIENT_TAG, 2,
+				(uint8_t*)&client_tag, qstate->region);
+		}
+		edns.opt_list = qstate->edns_opts_back_out;
 		attach_edns_record(pend->buffer, &edns);
 	}
 	memcpy(&pend->addr, addr, addrlen);

testdata/edns_client_tag.rpl

@@ -0,0 +1,151 @@
+; config options
+server:
+	edns-client-tag: 10.0.0.0/24 1234
+	edns-client-tag: 10.0.0.10/32 5678
+
+stub-zone:
+	name: "tag1234."
+	stub-addr: 10.0.0.1
+
+stub-zone:
+	name: "tag5678."
+	stub-addr: 10.0.0.10
+
+stub-zone:
+	name: "notag."
+	stub-addr: 10.10.0.1
+
+CONFIG_END
+
+SCENARIO_BEGIN Test EDNS client tag option
+
+RANGE_BEGIN 0 1000
+	ADDRESS 10.0.0.1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+tag1234. IN A
+SECTION ANSWER
+tag1234. IN A 10.20.30.40
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 0 1000
+	ADDRESS 10.0.0.10
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+tag5678. IN A
+SECTION ANSWER
+tag5678. IN A 10.20.30.40
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 0 1000
+	ADDRESS 10.10.0.1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+notag. IN A
+SECTION ANSWER
+notag. IN A 10.20.30.40
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+tag1234. IN A
+ENTRY_END
+
+STEP 20 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode ednsdata
+SECTION QUESTION
+tag1234. IN A
+SECTION ADDITIONAL
+	HEX_EDNSDATA_BEGIN
+		00 10           ; Opcode 16
+		00 02           ; Length 2
+		04 d2           ; 1234
+	HEX_EDNSDATA_END
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+tag1234. IN A
+SECTION ANSWER
+tag1234. IN A 10.20.30.40
+ENTRY_END
+
+STEP 110 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+tag5678. IN A
+ENTRY_END
+
+STEP 120 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode ednsdata
+SECTION QUESTION
+tag5678. IN A
+SECTION ADDITIONAL
+	HEX_EDNSDATA_BEGIN
+		00 10           ; Opcode 16
+		00 02           ; Length 2
+		16 2e           ; 5678
+	HEX_EDNSDATA_END
+ENTRY_END
+
+STEP 130 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+tag5678. IN A
+SECTION ANSWER
+tag5678. IN A 10.20.30.40
+ENTRY_END
+
+STEP 210 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+notag. IN A
+ENTRY_END
+
+STEP 220 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode ednsdata
+SECTION QUESTION
+notag. IN A
+SECTION ADDITIONAL
+	HEX_EDNSDATA_BEGIN
+	HEX_EDNSDATA_END
+ENTRY_END
+
+STEP 230 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+notag. IN A
+SECTION ANSWER
+notag. IN A 10.20.30.40
+ENTRY_END
+
+SCENARIO_END

util/config_file.c

@@ -313,6 +313,7 @@ config_create(void)
 	cfg->qname_minimisation_strict = 0;
 	cfg->shm_enable = 0;
 	cfg->shm_key = 11777;
+	cfg->edns_client_tags = NULL;
 	cfg->dnscrypt = 0;
 	cfg->dnscrypt_port = 0;
 	cfg->dnscrypt_provider = NULL;
@@ -1124,6 +1125,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LS3(opt, "access-control-tag-action", acl_tag_actions)
 	else O_LS3(opt, "access-control-tag-data", acl_tag_datas)
 	else O_LS2(opt, "access-control-view", acl_view)
+	else O_LS2(opt, "edns_client_tags", edns_client_tags)
 #ifdef USE_IPSECMOD
 	else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled)
 	else O_YNO(opt, "ipsecmod-ignore-bogus", ipsecmod_ignore_bogus)
@@ -1491,6 +1493,7 @@ config_delete(struct config_file* cfg)
 	config_deldblstrlist(cfg->ratelimit_below_domain);
 	config_delstrlist(cfg->python_script);
 	config_delstrlist(cfg->dynlib_file);
+	config_deldblstrlist(cfg->edns_client_tags);
 #ifdef USE_IPSECMOD
 	free(cfg->ipsecmod_hook);
 	config_delstrlist(cfg->ipsecmod_whitelist);

util/config_file.h

@@ -549,6 +549,9 @@ struct config_file {
 	/** SHM data - key for the shm */
 	int shm_key;
 
+	/** list of EDNS client tag entries, linked list */
+	struct config_str2list* edns_client_tags;
+
 	/** DNSCrypt */
 	/** true to enable dnscrypt */
 	int dnscrypt;

util/configlexer.lex

@@ -517,6 +517,7 @@ name-v4{COLON}			{ YDVAR(1, VAR_IPSET_NAME_V4) }
 name-v6{COLON}			{ YDVAR(1, VAR_IPSET_NAME_V6) }
 udp-upstream-without-downstream{COLON} { YDVAR(1, VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM) }
 tcp-connection-limit{COLON}	{ YDVAR(2, VAR_TCP_CONNECTION_LIMIT) }
+edns-client-tag{COLON}		{ YDVAR(2, VAR_EDNS_CLIENT_TAG) }
 <INITIAL,val>{NEWLINE}		{ LEXOUT(("NL\n")); cfg_parser->line++; }
 
 	/* Quoted strings. Strip leading and ending quotes */

util/configparser.h

@@ -337,7 +337,8 @@ extern int yydebug;
     VAR_RPZ_LOG = 543,
     VAR_RPZ_LOG_NAME = 544,
     VAR_DYNLIB = 545,
-    VAR_DYNLIB_FILE = 546
+    VAR_DYNLIB_FILE = 546,
+    VAR_EDNS_CLIENT_TAG = 547
   };
 #endif
 /* Tokens.  */
@@ -630,6 +631,7 @@ extern int yydebug;
 #define VAR_RPZ_LOG_NAME 544
 #define VAR_DYNLIB 545
 #define VAR_DYNLIB_FILE 546
+#define VAR_EDNS_CLIENT_TAG 547
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -639,7 +641,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 643 "util/configparser.h"
+#line 645 "util/configparser.h"
 
 };
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -175,7 +175,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_IPSET VAR_IPSET_NAME_V4 VAR_IPSET_NAME_V6
 %token VAR_TLS_SESSION_TICKET_KEYS VAR_RPZ VAR_TAGS VAR_RPZ_ACTION_OVERRIDE
 %token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME
-%token VAR_DYNLIB VAR_DYNLIB_FILE
+%token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_TAG
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -285,7 +285,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_unknown_server_time_limit | server_log_tag_queryreply |
 	server_stream_wait_size | server_tls_ciphers |
 	server_tls_ciphersuites | server_tls_session_ticket_keys |
-	server_tls_use_sni
+	server_tls_use_sni | server_edns_client_tag
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -2403,6 +2403,21 @@ server_ipsecmod_strict: VAR_IPSECMOD_STRICT STRING_ARG
 	#endif
 	}
 	;
+server_edns_client_tag: VAR_EDNS_CLIENT_TAG STRING_ARG STRING_ARG
+	{
+		int tag_data;
+		OUTYY(("P(server_edns_client_tag:%s %s)\n", $2, $3));
+		tag_data = atoi($3);
+		if(tag_data > 65535 || tag_data < 0 ||
+			(tag_data == 0 && (strlen($3) != 1 || $3[0] != '0')))
+			yyerror("edns-client-tag data invalid, needs to be a "
+				"number from 0 to 65535");
+		if(!cfg_str2list_insert(
+			&cfg_parser->cfg->edns_client_tags, $2, $3))
+			fatal_exit("out of memory adding "
+				"edns-client-tag");
+	}
+	;
 stub_name: VAR_NAME STRING_ARG
 	{
 		OUTYY(("P(name:%s)\n", $2));

util/edns.c

@@ -43,10 +43,87 @@
 #include "util/edns.h"
 #include "util/config_file.h"
 #include "util/netevent.h"
+#include "util/net_help.h"
 #include "util/regional.h"
 #include "util/data/msgparse.h"
 #include "util/data/msgreply.h"
 
+struct edns_tags* edns_tags_create(void)
+{
+	struct edns_tags* edns_tags = calloc(1, sizeof(struct edns_tags));
+	if(!edns_tags)
+		return NULL;
+	if(!(edns_tags->region = regional_create())) {
+		edns_tags_delete(edns_tags);
+		return NULL;
+	}
+	return edns_tags;
+}
+
+void edns_tags_delete(struct edns_tags* edns_tags)
+{
+	if(!edns_tags)
+		return;
+	regional_destroy(edns_tags->region);
+	free(edns_tags);
+}
+
+static int
+edns_tags_client_insert(struct edns_tags* edns_tags,
+	struct sockaddr_storage* addr, socklen_t addrlen, int net,
+	uint16_t tag_data)
+{
+	struct edns_tag_addr* eta = regional_alloc_zero(edns_tags->region,
+		sizeof(struct edns_tag_addr));
+	if(!eta)
+		return 0;
+	eta->tag_data = tag_data;
+	if(!addr_tree_insert(&edns_tags->client_tags, &eta->node, addr, addrlen,
+		net)) {
+		verbose(VERB_QUERY, "duplicate EDNS client tag ignored.");
+	}
+	return 1;
+}
+
+int edns_tags_apply_cfg(struct edns_tags* edns_tags,
+	struct config_file* config)
+{
+	struct config_str2list* c;
+	regional_free_all(edns_tags->region);
+	addr_tree_init(&edns_tags->client_tags);
+
+	for(c=config->edns_client_tags; c; c=c->next) {
+		struct sockaddr_storage addr;
+		socklen_t addrlen;
+		int net;
+		uint16_t tag_data;
+		log_assert(c->str && c->str2);
+
+		if(!netblockstrtoaddr(c->str, UNBOUND_DNS_PORT, &addr, &addrlen,
+			&net)) {
+			log_err("cannot parse EDNS client tag IP netblock: %s",
+				c->str);
+			return 0;
+		}
+		tag_data = atoi(c->str2); /* validated in config parser */
+		if(!edns_tags_client_insert(edns_tags, &addr, addrlen, net,
+			tag_data)) {
+			log_err("out of memory while adding EDNS tags");
+			return 0;
+		}
+	}
+
+	addr_tree_init_parents(&edns_tags->client_tags);
+	return 1;
+}
+
+struct edns_tag_addr*
+edns_tag_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr,
+	socklen_t addrlen)
+{
+	return (struct edns_tag_addr*)addr_tree_lookup(tree, addr, addrlen);
+}
+
 static int edns_keepalive(struct edns_data* edns_out, struct edns_data* edns_in,
 		struct comm_point* c, struct regional* region)
 {

util/edns.h

@@ -42,11 +42,66 @@
 #ifndef UTIL_EDNS_H
 #define UTIL_EDNS_H
 
+#include "util/storage/dnstree.h"
+
 struct edns_data;
 struct config_file;
 struct comm_point;
 struct regional;
 
+/**
+ * Structure containing all EDNS tags.
+ */
+struct edns_tags {
+	/** Tree of EDNS client tags to use in upstream queries, per address
+	 * prefix. Contains nodes of type edns_tag_addr. */
+	rbtree_type client_tags;
+	/** region to allocate tree nodes in */
+	struct regional* region;
+};
+
+/**
+ * EDNS tag. Node of rbtree, containing tag and prefix.
+ */
+struct edns_tag_addr {
+	/** node in address tree, used for tree lookups. Need to be the first
+	 * member of this struct. */
+	struct addr_tree_node node;
+	/** tag data, in host byte ordering */
+	uint16_t tag_data;
+};
+
+/**
+ * Create structure to hold EDNS tags
+ * @return: newly created edns_tags, NULL on alloc failure.
+ */
+struct edns_tags* edns_tags_create(void);
+
+/** Delete EDNS tags structure
+ * @param edns_tags: struct to delete
+ */
+void edns_tags_delete(struct edns_tags* edns_tags);
+
+/**
+ * Add configured EDNS tags
+ * @param edns_tags: edns tags to apply config to
+ * @param config: struct containing EDNS tags configuration
+ * @return 0 on error
+ */
+int edns_tags_apply_cfg(struct edns_tags* edns_tags,
+	struct config_file* config);
+
+/**
+ * Find tag for address.
+ * @param tree: tree containing EDNS tags per address prefix.
+ * @param addr: address to use for tree lookup
+ * @param addrlen: length of address
+ * @return: matching tree node, NULL otherwise
+ */
+struct edns_tag_addr*
+edns_tag_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr,
+	socklen_t addrlen);
+
 /**
  * Apply common EDNS options.
  *

util/module.h

@@ -520,6 +520,8 @@ struct module_env {
 	struct edns_known_option* edns_known_options;
 	/* Number of known edns options */
 	size_t edns_known_options_num;
+	/** EDNS client tag information */
+	struct edns_tags* edns_tags;
 
 	/* Make every mesh state unique, do not aggregate mesh states. */
 	int unique_mesh;