Down- and upstream padding a la RFC7830 & RFC8467

Willem Toorop 2020-04-02 18:34:03 +02:00
parent 94e92b197a
commit 4f78b37c61
20 changed files with 7866 additions and 9388 deletions


@ -1286,6 +1286,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
edns.udp_size = EDNS_ADVERTISED_SIZE; edns.udp_size = EDNS_ADVERTISED_SIZE;
edns.bits &= EDNS_DO; edns.bits &= EDNS_DO;
edns.opt_list = NULL; edns.opt_list = NULL;
edns.padding_block_size = 0;
verbose(VERB_ALGO, "query with bad edns version."); verbose(VERB_ALGO, "query with bad edns version.");
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
error_encode(c->buffer, EDNS_RCODE_BADVERS&0xf, &qinfo, error_encode(c->buffer, EDNS_RCODE_BADVERS&0xf, &qinfo,


@ -746,6 +746,12 @@ server:
# cipher setting for TLSv1.3 # cipher setting for TLSv1.3
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
# Pad responses to padded queries received over TLS
# pad-responses: yes
# Padded responses will be padded to the closest multiple of this size.
# pad-responses-block-size: 468
# Add the secret file for TLS Session Ticket. # Add the secret file for TLS Session Ticket.
# Secret file must be 80 bytes of random data. # Secret file must be 80 bytes of random data.
# First key use to encrypt and decrypt TLS session tickets. # First key use to encrypt and decrypt TLS session tickets.
@ -764,6 +770,12 @@ server:
# Add system certs to the cert bundle, from the Windows Cert Store # Add system certs to the cert bundle, from the Windows Cert Store
# tls-win-cert: no # tls-win-cert: no
# Pad queries over TLS upstreams
# pad-queries: no
# Padded queries will be padded to the closest multiple of this size.
# pad-queries-block-size: 128
# Also serve tls on these port numbers (eg. 443, ...), by listing # Also serve tls on these port numbers (eg. 443, ...), by listing
# tls-additional-port: portno for each of the port numbers. # tls-additional-port: portno for each of the port numbers.


@ -546,6 +546,26 @@ and that is the default.
Set the list of ciphersuites to allow when serving TLS. This is for newer Set the list of ciphersuites to allow when serving TLS. This is for newer
TLS 1.3 connections. Use "" for defaults, and that is the default. TLS 1.3 connections. Use "" for defaults, and that is the default.
.TP .TP
.B pad\-responses: \fI<yes or no>
If enabled, TLS serviced queries that contained an EDNS Padding option will
cause responses padded to the closest multiple of the size specified in
\fBpad\-responses\-block\-size\fR.
Default is yes.
.TP
.B pad\-responses\-block\-size: \fI<number>
The block size with which to pad responses serviced over TLS. Only responses
to padded queries will be padded.
Default is 468.
.TP
.B pad\-queries: \fI<yes or no>
If enabled, all queries sent over TLS upstreams will be padded to the closest
multiple of the size specified in \fBpad\-queries\-block\-size\fR.
Default is no.
.TP
.B pad\-queries\-block\-size: \fI<number>
The block size with which to pad queries sent over TLS upstreams.
Default is 128.
.TP
.B use\-systemd: \fI<yes or no> .B use\-systemd: \fI<yes or no>
Enable or disable systemd socket activation. Enable or disable systemd socket activation.
Default is no. Default is no.


@ -574,6 +574,7 @@ setup_qinfo_edns(struct libworker* w, struct ctx_query* q,
edns->edns_version = 0; edns->edns_version = 0;
edns->bits = EDNS_DO; edns->bits = EDNS_DO;
edns->opt_list = NULL; edns->opt_list = NULL;
edns->padding_block_size = 0;
if(sldns_buffer_capacity(w->back->udp_buff) < 65535) if(sldns_buffer_capacity(w->back->udp_buff) < 65535)
edns->udp_size = (uint16_t)sldns_buffer_capacity( edns->udp_size = (uint16_t)sldns_buffer_capacity(
w->back->udp_buff); w->back->udp_buff);


@ -5091,6 +5091,7 @@ xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env)
edns.edns_version = 0; edns.edns_version = 0;
edns.bits = EDNS_DO; edns.bits = EDNS_DO;
edns.opt_list = NULL; edns.opt_list = NULL;
edns.padding_block_size = 0;
if(sldns_buffer_capacity(buf) < 65535) if(sldns_buffer_capacity(buf) < 65535)
edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
else edns.udp_size = 65535; else edns.udp_size = 65535;
@ -6278,6 +6279,7 @@ xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env)
edns.edns_version = 0; edns.edns_version = 0;
edns.bits = EDNS_DO; edns.bits = EDNS_DO;
edns.opt_list = NULL; edns.opt_list = NULL;
edns.padding_block_size = 0;
if(sldns_buffer_capacity(buf) < 65535) if(sldns_buffer_capacity(buf) < 65535)
edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
else edns.udp_size = 65535; else edns.udp_size = 65535;


@ -1415,7 +1415,8 @@ static struct serviced_query*
serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec, serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec,
int want_dnssec, int nocaps, int tcp_upstream, int ssl_upstream, int want_dnssec, int nocaps, int tcp_upstream, int ssl_upstream,
char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen, char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen,
uint8_t* zone, size_t zonelen, int qtype, struct edns_option* opt_list) uint8_t* zone, size_t zonelen, int qtype, struct edns_option* opt_list,
size_t pad_queries_block_size)
{ {
struct serviced_query* sq = (struct serviced_query*)malloc(sizeof(*sq)); struct serviced_query* sq = (struct serviced_query*)malloc(sizeof(*sq));
#ifdef UNBOUND_DEBUG #ifdef UNBOUND_DEBUG
@ -1473,6 +1474,7 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec,
sq->status = serviced_initial; sq->status = serviced_initial;
sq->retry = 0; sq->retry = 0;
sq->to_be_deleted = 0; sq->to_be_deleted = 0;
sq->padding_block_size = pad_queries_block_size;
#ifdef UNBOUND_DEBUG #ifdef UNBOUND_DEBUG
ins = ins =
#else #else
@ -1591,6 +1593,7 @@ serviced_encode(struct serviced_query* sq, sldns_buffer* buff, int with_edns)
if(with_edns) { if(with_edns) {
/* add edns section */ /* add edns section */
struct edns_data edns; struct edns_data edns;
struct edns_option padding_option;
edns.edns_present = 1; edns.edns_present = 1;
edns.ext_rcode = 0; edns.ext_rcode = 0;
edns.edns_version = EDNS_ADVERTISED_VERSION; edns.edns_version = EDNS_ADVERTISED_VERSION;
@ -1613,6 +1616,14 @@ serviced_encode(struct serviced_query* sq, sldns_buffer* buff, int with_edns)
edns.bits = EDNS_DO; edns.bits = EDNS_DO;
if(sq->dnssec & BIT_CD) if(sq->dnssec & BIT_CD)
LDNS_CD_SET(sldns_buffer_begin(buff)); LDNS_CD_SET(sldns_buffer_begin(buff));
if (sq->ssl_upstream && sq->padding_block_size) {
padding_option.opt_code = LDNS_EDNS_PADDING;
padding_option.opt_len = 0;
padding_option.opt_data = NULL;
padding_option.next = edns.opt_list;
edns.opt_list = &padding_option;
edns.padding_block_size = sq->padding_block_size;
}
attach_edns_record(buff, &edns); attach_edns_record(buff, &edns);
} }
} }
@ -2125,7 +2136,9 @@ outnet_serviced_query(struct outside_network* outnet,
sq = serviced_create(outnet, buff, dnssec, want_dnssec, nocaps, sq = serviced_create(outnet, buff, dnssec, want_dnssec, nocaps,
tcp_upstream, ssl_upstream, tls_auth_name, addr, tcp_upstream, ssl_upstream, tls_auth_name, addr,
addrlen, zone, zonelen, (int)qinfo->qtype, addrlen, zone, zonelen, (int)qinfo->qtype,
qstate->edns_opts_back_out); qstate->edns_opts_back_out,
( ssl_upstream && env->cfg->pad_queries
? env->cfg->pad_queries_block_size : 0));
if(!sq) { if(!sq) {
free(cb); free(cb);
return NULL; return NULL;
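Review bot: In serviced_encode, `edns.padding_block_size` is assigned only inside the new `if (sq->ssl_upstream && sq->padding_block_size)` branch, so on the non-TLS or padding-disabled path `attach_edns_record` is handed a stack `struct edns_data` whose padding field may be indeterminate, unless it is set in the lines between the two hunks that are not shown. Every other call site touched by this commit sets the field to 0 explicitly; doing the same here, e.g. `edns.padding_block_size = 0;` just before the `if`, keeps the encoder from reading an uninitialized size when building cleartext queries. The body of serviced_encode starts and ends outside the hunks.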


@ -390,6 +390,8 @@ struct serviced_query {
struct service_callback* cblist; struct service_callback* cblist;
/** the UDP or TCP query that is pending, see status which */ /** the UDP or TCP query that is pending, see status which */
void* pending; void* pending;
/** block size with which to pad encrypted queries (default: 128) */
size_t padding_block_size;
}; };
/** /**
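Review bot: The comment on the new `padding_block_size` member says "(default: 128)", but outnet_serviced_query in this commit passes 0 to serviced_create whenever the upstream is not TLS or pad-queries is off, and serviced_encode only pads when the value is nonzero. The member comment should describe that contract, for example `/** block size with which to pad encrypted queries, 0 means do not pad */`. The struct definition starts outside the hunk.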


@ -1222,6 +1222,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
edns.opt_list = qstate->edns_opts_back_out; edns.opt_list = qstate->edns_opts_back_out;
if(dnssec) if(dnssec)
edns.bits = EDNS_DO; edns.bits = EDNS_DO;
edns.padding_block_size = 0;
attach_edns_record(pend->buffer, &edns); attach_edns_record(pend->buffer, &edns);
} }
memcpy(&pend->addr, addr, addrlen); memcpy(&pend->addr, addr, addrlen);


@ -322,6 +322,10 @@ config_create(void)
cfg->dnscrypt_shared_secret_cache_slabs = 4; cfg->dnscrypt_shared_secret_cache_slabs = 4;
cfg->dnscrypt_nonce_cache_size = 4*1024*1024; cfg->dnscrypt_nonce_cache_size = 4*1024*1024;
cfg->dnscrypt_nonce_cache_slabs = 4; cfg->dnscrypt_nonce_cache_slabs = 4;
cfg->pad_responses = 1;
cfg->pad_responses_block_size = 468; /* from RFC8467 */
cfg->pad_queries = 0;
cfg->pad_queries_block_size = 128; /* from RFC8467 */
#ifdef USE_IPSECMOD #ifdef USE_IPSECMOD
cfg->ipsecmod_enabled = 1; cfg->ipsecmod_enabled = 1;
cfg->ipsecmod_ignore_bogus = 0; cfg->ipsecmod_ignore_bogus = 0;
@ -693,6 +697,10 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil) else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil)
else S_YNO("qname-minimisation:", qname_minimisation) else S_YNO("qname-minimisation:", qname_minimisation)
else S_YNO("qname-minimisation-strict:", qname_minimisation_strict) else S_YNO("qname-minimisation-strict:", qname_minimisation_strict)
else S_YNO("pad-responses:", pad_responses)
else S_SIZET_NONZERO("pad-responses-block-size:", pad_responses_block_size)
else S_YNO("pad-queries:", pad_queries)
else S_SIZET_NONZERO("pad-queries-block-size:", pad_queries_block_size)
#ifdef USE_IPSECMOD #ifdef USE_IPSECMOD
else S_YNO("ipsecmod-enabled:", ipsecmod_enabled) else S_YNO("ipsecmod-enabled:", ipsecmod_enabled)
else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus) else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus)
@ -1120,6 +1128,10 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_LS3(opt, "access-control-tag-action", acl_tag_actions) else O_LS3(opt, "access-control-tag-action", acl_tag_actions)
else O_LS3(opt, "access-control-tag-data", acl_tag_datas) else O_LS3(opt, "access-control-tag-data", acl_tag_datas)
else O_LS2(opt, "access-control-view", acl_view) else O_LS2(opt, "access-control-view", acl_view)
else O_YNO(opt, "pad-responses", pad_responses)
else O_DEC(opt, "pad-responses-block-size", pad_responses_block_size)
else O_YNO(opt, "pad-queries", pad_queries)
else O_DEC(opt, "pad-queries-block-size", pad_queries_block_size)
#ifdef USE_IPSECMOD #ifdef USE_IPSECMOD
else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled) else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled)
else O_YNO(opt, "ipsecmod-ignore-bogus", ipsecmod_ignore_bogus) else O_YNO(opt, "ipsecmod-ignore-bogus", ipsecmod_ignore_bogus)
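Review bot: `pad-responses-block-size:` and `pad-queries-block-size:` are parsed with `S_SIZET_NONZERO`, which (judging by its name; the macro is not shown) rejects only zero, so no upper bound is applied to a value that later determines how many bytes are appended to a DNS message. Whether the encoder clamps the padded size to the buffer capacity and to the 16-bit EDNS option length is not visible in this section; if it does not, a configuration-time range check along the lines of `cfg->pad_queries_block_size > 65535` (and the same for `pad_responses_block_size`) would reject an unusable value early instead of at encode time. config_set_option and config_get_option both continue outside the hunks.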


@ -569,6 +569,17 @@ struct config_file {
size_t dnscrypt_nonce_cache_size; size_t dnscrypt_nonce_cache_size;
/** number of slabs for dnscrypt nonces cache */ /** number of slabs for dnscrypt nonces cache */
size_t dnscrypt_nonce_cache_slabs; size_t dnscrypt_nonce_cache_slabs;
/** EDNS padding according to FC7830 and RFC8467 */
/** true to enable padding of responses (default: on) */
int pad_responses;
/** block size with which to pad encrypted responses (default: 468) */
size_t pad_responses_block_size;
/** true to enable padding of queries (default: off) */
int pad_queries;
/** block size with which to pad encrypted queries (default: 128) */
size_t pad_queries_block_size;
/** IPsec module */ /** IPsec module */
#ifdef USE_IPSECMOD #ifdef USE_IPSECMOD
/** false to bypass the IPsec module */ /** false to bypass the IPsec module */
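Review bot: The new section comment reads `/** EDNS padding according to FC7830 and RFC8467 */`; "FC7830" is a typo for RFC7830, the RFC named in the commit title. Suggested replacement: `/** EDNS padding according to RFC7830 and RFC8467 */`. struct config_file starts and ends outside the hunk.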



@ -488,6 +488,10 @@ dnscrypt-shared-secret-cache-slabs{COLON} {
YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) } YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) }
dnscrypt-nonce-cache-size{COLON} { YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SIZE) } dnscrypt-nonce-cache-size{COLON} { YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SIZE) }
dnscrypt-nonce-cache-slabs{COLON} { YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SLABS) } dnscrypt-nonce-cache-slabs{COLON} { YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SLABS) }
pad-responses{COLON} { YDVAR(1, VAR_PAD_RESPONSES) }
pad-responses-block-size{COLON} { YDVAR(1, VAR_PAD_RESPONSES_BLOCK_SIZE) }
pad-queries{COLON} { YDVAR(1, VAR_PAD_QUERIES) }
pad-queries-block-size{COLON} { YDVAR(1, VAR_PAD_QUERIES_BLOCK_SIZE) }
ipsecmod-enabled{COLON} { YDVAR(1, VAR_IPSECMOD_ENABLED) } ipsecmod-enabled{COLON} { YDVAR(1, VAR_IPSECMOD_ENABLED) }
ipsecmod-ignore-bogus{COLON} { YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) } ipsecmod-ignore-bogus{COLON} { YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
ipsecmod-hook{COLON} { YDVAR(1, VAR_IPSECMOD_HOOK) } ipsecmod-hook{COLON} { YDVAR(1, VAR_IPSECMOD_HOOK) }



@ -1,643 +1,298 @@
/* A Bison parser, made by GNU Bison 3.4.1. */ #define SPACE 257
#define LETTER 258
/* Bison interface for Yacc-like parsers in C #define NEWLINE 259
#define COMMENT 260
Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation, #define COLON 261
Inc. #define ANY 262
#define ZONESTR 263
This program is free software: you can redistribute it and/or modify #define STRING_ARG 264
it under the terms of the GNU General Public License as published by #define VAR_SERVER 265
the Free Software Foundation, either version 3 of the License, or #define VAR_VERBOSITY 266
(at your option) any later version. #define VAR_NUM_THREADS 267
#define VAR_PORT 268
This program is distributed in the hope that it will be useful, #define VAR_OUTGOING_RANGE 269
but WITHOUT ANY WARRANTY; without even the implied warranty of #define VAR_INTERFACE 270
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #define VAR_PREFER_IP4 271
GNU General Public License for more details. #define VAR_DO_IP4 272
#define VAR_DO_IP6 273
You should have received a copy of the GNU General Public License #define VAR_PREFER_IP6 274
along with this program. If not, see <http://www.gnu.org/licenses/>. */ #define VAR_DO_UDP 275
#define VAR_DO_TCP 276
/* As a special exception, you may create a larger work that contains #define VAR_TCP_MSS 277
part or all of the Bison parser skeleton and distribute that work #define VAR_OUTGOING_TCP_MSS 278
under terms of your choice, so long as that work isn't itself a #define VAR_TCP_IDLE_TIMEOUT 279
parser generator using the skeleton or a modified version thereof #define VAR_EDNS_TCP_KEEPALIVE 280
as a parser skeleton. Alternatively, if you modify or redistribute #define VAR_EDNS_TCP_KEEPALIVE_TIMEOUT 281
the parser skeleton itself, you may (at your option) remove this #define VAR_CHROOT 282
special exception, which will cause the skeleton and the resulting #define VAR_USERNAME 283
Bison output files to be licensed under the GNU General Public #define VAR_DIRECTORY 284
License without this special exception. #define VAR_LOGFILE 285
#define VAR_PIDFILE 286
This special exception was added by the Free Software Foundation in #define VAR_MSG_CACHE_SIZE 287
version 2.2 of Bison. */ #define VAR_MSG_CACHE_SLABS 288
#define VAR_NUM_QUERIES_PER_THREAD 289
/* Undocumented macros, especially those whose name start with YY_, #define VAR_RRSET_CACHE_SIZE 290
are private implementation details. Do not rely on them. */ #define VAR_RRSET_CACHE_SLABS 291
#define VAR_OUTGOING_NUM_TCP 292
#ifndef YY_YY_UTIL_CONFIGPARSER_H_INCLUDED #define VAR_INFRA_HOST_TTL 293
# define YY_YY_UTIL_CONFIGPARSER_H_INCLUDED #define VAR_INFRA_LAME_TTL 294
/* Debug traces. */ #define VAR_INFRA_CACHE_SLABS 295
#ifndef YYDEBUG #define VAR_INFRA_CACHE_NUMHOSTS 296
# define YYDEBUG 0 #define VAR_INFRA_CACHE_LAME_SIZE 297
#define VAR_NAME 298
#define VAR_STUB_ZONE 299
#define VAR_STUB_HOST 300
#define VAR_STUB_ADDR 301
#define VAR_TARGET_FETCH_POLICY 302
#define VAR_HARDEN_SHORT_BUFSIZE 303
#define VAR_HARDEN_LARGE_QUERIES 304
#define VAR_FORWARD_ZONE 305
#define VAR_FORWARD_HOST 306
#define VAR_FORWARD_ADDR 307
#define VAR_DO_NOT_QUERY_ADDRESS 308
#define VAR_HIDE_IDENTITY 309
#define VAR_HIDE_VERSION 310
#define VAR_IDENTITY 311
#define VAR_VERSION 312
#define VAR_HARDEN_GLUE 313
#define VAR_MODULE_CONF 314
#define VAR_TRUST_ANCHOR_FILE 315
#define VAR_TRUST_ANCHOR 316
#define VAR_VAL_OVERRIDE_DATE 317
#define VAR_BOGUS_TTL 318
#define VAR_VAL_CLEAN_ADDITIONAL 319
#define VAR_VAL_PERMISSIVE_MODE 320
#define VAR_INCOMING_NUM_TCP 321
#define VAR_MSG_BUFFER_SIZE 322
#define VAR_KEY_CACHE_SIZE 323
#define VAR_KEY_CACHE_SLABS 324
#define VAR_TRUSTED_KEYS_FILE 325
#define VAR_VAL_NSEC3_KEYSIZE_ITERATIONS 326
#define VAR_USE_SYSLOG 327
#define VAR_OUTGOING_INTERFACE 328
#define VAR_ROOT_HINTS 329
#define VAR_DO_NOT_QUERY_LOCALHOST 330
#define VAR_CACHE_MAX_TTL 331
#define VAR_HARDEN_DNSSEC_STRIPPED 332
#define VAR_ACCESS_CONTROL 333
#define VAR_LOCAL_ZONE 334
#define VAR_LOCAL_DATA 335
#define VAR_INTERFACE_AUTOMATIC 336
#define VAR_STATISTICS_INTERVAL 337
#define VAR_DO_DAEMONIZE 338
#define VAR_USE_CAPS_FOR_ID 339
#define VAR_STATISTICS_CUMULATIVE 340
#define VAR_OUTGOING_PORT_PERMIT 341
#define VAR_OUTGOING_PORT_AVOID 342
#define VAR_DLV_ANCHOR_FILE 343
#define VAR_DLV_ANCHOR 344
#define VAR_NEG_CACHE_SIZE 345
#define VAR_HARDEN_REFERRAL_PATH 346
#define VAR_PRIVATE_ADDRESS 347
#define VAR_PRIVATE_DOMAIN 348
#define VAR_REMOTE_CONTROL 349
#define VAR_CONTROL_ENABLE 350
#define VAR_CONTROL_INTERFACE 351
#define VAR_CONTROL_PORT 352
#define VAR_SERVER_KEY_FILE 353
#define VAR_SERVER_CERT_FILE 354
#define VAR_CONTROL_KEY_FILE 355
#define VAR_CONTROL_CERT_FILE 356
#define VAR_CONTROL_USE_CERT 357
#define VAR_EXTENDED_STATISTICS 358
#define VAR_LOCAL_DATA_PTR 359
#define VAR_JOSTLE_TIMEOUT 360
#define VAR_STUB_PRIME 361
#define VAR_UNWANTED_REPLY_THRESHOLD 362
#define VAR_LOG_TIME_ASCII 363
#define VAR_DOMAIN_INSECURE 364
#define VAR_PYTHON 365
#define VAR_PYTHON_SCRIPT 366
#define VAR_VAL_SIG_SKEW_MIN 367
#define VAR_VAL_SIG_SKEW_MAX 368
#define VAR_CACHE_MIN_TTL 369
#define VAR_VAL_LOG_LEVEL 370
#define VAR_AUTO_TRUST_ANCHOR_FILE 371
#define VAR_KEEP_MISSING 372
#define VAR_ADD_HOLDDOWN 373
#define VAR_DEL_HOLDDOWN 374
#define VAR_SO_RCVBUF 375
#define VAR_EDNS_BUFFER_SIZE 376
#define VAR_PREFETCH 377
#define VAR_PREFETCH_KEY 378
#define VAR_SO_SNDBUF 379
#define VAR_SO_REUSEPORT 380
#define VAR_HARDEN_BELOW_NXDOMAIN 381
#define VAR_IGNORE_CD_FLAG 382
#define VAR_LOG_QUERIES 383
#define VAR_LOG_REPLIES 384
#define VAR_LOG_LOCAL_ACTIONS 385
#define VAR_TCP_UPSTREAM 386
#define VAR_SSL_UPSTREAM 387
#define VAR_SSL_SERVICE_KEY 388
#define VAR_SSL_SERVICE_PEM 389
#define VAR_SSL_PORT 390
#define VAR_FORWARD_FIRST 391
#define VAR_STUB_SSL_UPSTREAM 392
#define VAR_FORWARD_SSL_UPSTREAM 393
#define VAR_TLS_CERT_BUNDLE 394
#define VAR_STUB_FIRST 395
#define VAR_MINIMAL_RESPONSES 396
#define VAR_RRSET_ROUNDROBIN 397
#define VAR_MAX_UDP_SIZE 398
#define VAR_DELAY_CLOSE 399
#define VAR_UNBLOCK_LAN_ZONES 400
#define VAR_INSECURE_LAN_ZONES 401
#define VAR_INFRA_CACHE_MIN_RTT 402
#define VAR_DNS64_PREFIX 403
#define VAR_DNS64_SYNTHALL 404
#define VAR_DNS64_IGNORE_AAAA 405
#define VAR_DNSTAP 406
#define VAR_DNSTAP_ENABLE 407
#define VAR_DNSTAP_SOCKET_PATH 408
#define VAR_DNSTAP_IP 409
#define VAR_DNSTAP_TLS 410
#define VAR_DNSTAP_TLS_SERVER_NAME 411
#define VAR_DNSTAP_TLS_CERT_BUNDLE 412
#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 413
#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 414
#define VAR_DNSTAP_SEND_IDENTITY 415
#define VAR_DNSTAP_SEND_VERSION 416
#define VAR_DNSTAP_IDENTITY 417
#define VAR_DNSTAP_VERSION 418
#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 419
#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 420
#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 421
#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 422
#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 423
#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 424
#define VAR_RESPONSE_IP_TAG 425
#define VAR_RESPONSE_IP 426
#define VAR_RESPONSE_IP_DATA 427
#define VAR_HARDEN_ALGO_DOWNGRADE 428
#define VAR_IP_TRANSPARENT 429
#define VAR_IP_DSCP 430
#define VAR_DISABLE_DNSSEC_LAME_CHECK 431
#define VAR_IP_RATELIMIT 432
#define VAR_IP_RATELIMIT_SLABS 433
#define VAR_IP_RATELIMIT_SIZE 434
#define VAR_RATELIMIT 435
#define VAR_RATELIMIT_SLABS 436
#define VAR_RATELIMIT_SIZE 437
#define VAR_RATELIMIT_FOR_DOMAIN 438
#define VAR_RATELIMIT_BELOW_DOMAIN 439
#define VAR_IP_RATELIMIT_FACTOR 440
#define VAR_RATELIMIT_FACTOR 441
#define VAR_SEND_CLIENT_SUBNET 442
#define VAR_CLIENT_SUBNET_ZONE 443
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 444
#define VAR_CLIENT_SUBNET_OPCODE 445
#define VAR_MAX_CLIENT_SUBNET_IPV4 446
#define VAR_MAX_CLIENT_SUBNET_IPV6 447
#define VAR_MIN_CLIENT_SUBNET_IPV4 448
#define VAR_MIN_CLIENT_SUBNET_IPV6 449
#define VAR_MAX_ECS_TREE_SIZE_IPV4 450
#define VAR_MAX_ECS_TREE_SIZE_IPV6 451
#define VAR_CAPS_WHITELIST 452
#define VAR_CACHE_MAX_NEGATIVE_TTL 453
#define VAR_PERMIT_SMALL_HOLDDOWN 454
#define VAR_QNAME_MINIMISATION 455
#define VAR_QNAME_MINIMISATION_STRICT 456
#define VAR_IP_FREEBIND 457
#define VAR_DEFINE_TAG 458
#define VAR_LOCAL_ZONE_TAG 459
#define VAR_ACCESS_CONTROL_TAG 460
#define VAR_LOCAL_ZONE_OVERRIDE 461
#define VAR_ACCESS_CONTROL_TAG_ACTION 462
#define VAR_ACCESS_CONTROL_TAG_DATA 463
#define VAR_VIEW 464
#define VAR_ACCESS_CONTROL_VIEW 465
#define VAR_VIEW_FIRST 466
#define VAR_SERVE_EXPIRED 467
#define VAR_SERVE_EXPIRED_TTL 468
#define VAR_SERVE_EXPIRED_TTL_RESET 469
#define VAR_SERVE_EXPIRED_REPLY_TTL 470
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 471
#define VAR_FAKE_DSA 472
#define VAR_FAKE_SHA1 473
#define VAR_LOG_IDENTITY 474
#define VAR_HIDE_TRUSTANCHOR 475
#define VAR_TRUST_ANCHOR_SIGNALING 476
#define VAR_AGGRESSIVE_NSEC 477
#define VAR_USE_SYSTEMD 478
#define VAR_SHM_ENABLE 479
#define VAR_SHM_KEY 480
#define VAR_ROOT_KEY_SENTINEL 481
#define VAR_DNSCRYPT 482
#define VAR_DNSCRYPT_ENABLE 483
#define VAR_DNSCRYPT_PORT 484
#define VAR_DNSCRYPT_PROVIDER 485
#define VAR_DNSCRYPT_SECRET_KEY 486
#define VAR_DNSCRYPT_PROVIDER_CERT 487
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 488
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 489
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 490
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 491
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 492
#define VAR_PAD_RESPONSES 493
#define VAR_PAD_RESPONSES_BLOCK_SIZE 494
#define VAR_PAD_QUERIES 495
#define VAR_PAD_QUERIES_BLOCK_SIZE 496
#define VAR_IPSECMOD_ENABLED 497
#define VAR_IPSECMOD_HOOK 498
#define VAR_IPSECMOD_IGNORE_BOGUS 499
#define VAR_IPSECMOD_MAX_TTL 500
#define VAR_IPSECMOD_WHITELIST 501
#define VAR_IPSECMOD_STRICT 502
#define VAR_CACHEDB 503
#define VAR_CACHEDB_BACKEND 504
#define VAR_CACHEDB_SECRETSEED 505
#define VAR_CACHEDB_REDISHOST 506
#define VAR_CACHEDB_REDISPORT 507
#define VAR_CACHEDB_REDISTIMEOUT 508
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 509
#define VAR_FOR_UPSTREAM 510
#define VAR_AUTH_ZONE 511
#define VAR_ZONEFILE 512
#define VAR_MASTER 513
#define VAR_URL 514
#define VAR_FOR_DOWNSTREAM 515
#define VAR_FALLBACK_ENABLED 516
#define VAR_TLS_ADDITIONAL_PORT 517
#define VAR_LOW_RTT 518
#define VAR_LOW_RTT_PERMIL 519
#define VAR_FAST_SERVER_PERMIL 520
#define VAR_FAST_SERVER_NUM 521
#define VAR_ALLOW_NOTIFY 522
#define VAR_TLS_WIN_CERT 523
#define VAR_TCP_CONNECTION_LIMIT 524
#define VAR_FORWARD_NO_CACHE 525
#define VAR_STUB_NO_CACHE 526
#define VAR_LOG_SERVFAIL 527
#define VAR_DENY_ANY 528
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 529
#define VAR_LOG_TAG_QUERYREPLY 530
#define VAR_STREAM_WAIT_SIZE 531
#define VAR_TLS_CIPHERS 532
#define VAR_TLS_CIPHERSUITES 533
#define VAR_IPSET 534
#define VAR_IPSET_NAME_V4 535
#define VAR_IPSET_NAME_V6 536
#define VAR_TLS_SESSION_TICKET_KEYS 537
#define VAR_RPZ 538
#define VAR_TAGS 539
#define VAR_RPZ_ACTION_OVERRIDE 540
#define VAR_RPZ_CNAME_OVERRIDE 541
#define VAR_RPZ_LOG 542
#define VAR_RPZ_LOG_NAME 543
#ifdef YYSTYPE
#undef YYSTYPE_IS_DECLARED
#define YYSTYPE_IS_DECLARED 1
#endif #endif
#if YYDEBUG #ifndef YYSTYPE_IS_DECLARED
extern int yydebug; #define YYSTYPE_IS_DECLARED 1
#endif typedef union {
/* Token type. */
#ifndef YYTOKENTYPE
# define YYTOKENTYPE
enum yytokentype
{
SPACE = 258,
LETTER = 259,
NEWLINE = 260,
COMMENT = 261,
COLON = 262,
ANY = 263,
ZONESTR = 264,
STRING_ARG = 265,
VAR_SERVER = 266,
VAR_VERBOSITY = 267,
VAR_NUM_THREADS = 268,
VAR_PORT = 269,
VAR_OUTGOING_RANGE = 270,
VAR_INTERFACE = 271,
VAR_PREFER_IP4 = 272,
VAR_DO_IP4 = 273,
VAR_DO_IP6 = 274,
VAR_PREFER_IP6 = 275,
VAR_DO_UDP = 276,
VAR_DO_TCP = 277,
VAR_TCP_MSS = 278,
VAR_OUTGOING_TCP_MSS = 279,
VAR_TCP_IDLE_TIMEOUT = 280,
VAR_EDNS_TCP_KEEPALIVE = 281,
VAR_EDNS_TCP_KEEPALIVE_TIMEOUT = 282,
VAR_CHROOT = 283,
VAR_USERNAME = 284,
VAR_DIRECTORY = 285,
VAR_LOGFILE = 286,
VAR_PIDFILE = 287,
VAR_MSG_CACHE_SIZE = 288,
VAR_MSG_CACHE_SLABS = 289,
VAR_NUM_QUERIES_PER_THREAD = 290,
VAR_RRSET_CACHE_SIZE = 291,
VAR_RRSET_CACHE_SLABS = 292,
VAR_OUTGOING_NUM_TCP = 293,
VAR_INFRA_HOST_TTL = 294,
VAR_INFRA_LAME_TTL = 295,
VAR_INFRA_CACHE_SLABS = 296,
VAR_INFRA_CACHE_NUMHOSTS = 297,
VAR_INFRA_CACHE_LAME_SIZE = 298,
VAR_NAME = 299,
VAR_STUB_ZONE = 300,
VAR_STUB_HOST = 301,
VAR_STUB_ADDR = 302,
VAR_TARGET_FETCH_POLICY = 303,
VAR_HARDEN_SHORT_BUFSIZE = 304,
VAR_HARDEN_LARGE_QUERIES = 305,
VAR_FORWARD_ZONE = 306,
VAR_FORWARD_HOST = 307,
VAR_FORWARD_ADDR = 308,
VAR_DO_NOT_QUERY_ADDRESS = 309,
VAR_HIDE_IDENTITY = 310,
VAR_HIDE_VERSION = 311,
VAR_IDENTITY = 312,
VAR_VERSION = 313,
VAR_HARDEN_GLUE = 314,
VAR_MODULE_CONF = 315,
VAR_TRUST_ANCHOR_FILE = 316,
VAR_TRUST_ANCHOR = 317,
VAR_VAL_OVERRIDE_DATE = 318,
VAR_BOGUS_TTL = 319,
VAR_VAL_CLEAN_ADDITIONAL = 320,
VAR_VAL_PERMISSIVE_MODE = 321,
VAR_INCOMING_NUM_TCP = 322,
VAR_MSG_BUFFER_SIZE = 323,
VAR_KEY_CACHE_SIZE = 324,
VAR_KEY_CACHE_SLABS = 325,
VAR_TRUSTED_KEYS_FILE = 326,
VAR_VAL_NSEC3_KEYSIZE_ITERATIONS = 327,
VAR_USE_SYSLOG = 328,
VAR_OUTGOING_INTERFACE = 329,
VAR_ROOT_HINTS = 330,
VAR_DO_NOT_QUERY_LOCALHOST = 331,
VAR_CACHE_MAX_TTL = 332,
VAR_HARDEN_DNSSEC_STRIPPED = 333,
VAR_ACCESS_CONTROL = 334,
VAR_LOCAL_ZONE = 335,
VAR_LOCAL_DATA = 336,
VAR_INTERFACE_AUTOMATIC = 337,
VAR_STATISTICS_INTERVAL = 338,
VAR_DO_DAEMONIZE = 339,
VAR_USE_CAPS_FOR_ID = 340,
VAR_STATISTICS_CUMULATIVE = 341,
VAR_OUTGOING_PORT_PERMIT = 342,
VAR_OUTGOING_PORT_AVOID = 343,
VAR_DLV_ANCHOR_FILE = 344,
VAR_DLV_ANCHOR = 345,
VAR_NEG_CACHE_SIZE = 346,
VAR_HARDEN_REFERRAL_PATH = 347,
VAR_PRIVATE_ADDRESS = 348,
VAR_PRIVATE_DOMAIN = 349,
VAR_REMOTE_CONTROL = 350,
VAR_CONTROL_ENABLE = 351,
VAR_CONTROL_INTERFACE = 352,
VAR_CONTROL_PORT = 353,
VAR_SERVER_KEY_FILE = 354,
VAR_SERVER_CERT_FILE = 355,
VAR_CONTROL_KEY_FILE = 356,
VAR_CONTROL_CERT_FILE = 357,
VAR_CONTROL_USE_CERT = 358,
VAR_EXTENDED_STATISTICS = 359,
VAR_LOCAL_DATA_PTR = 360,
VAR_JOSTLE_TIMEOUT = 361,
VAR_STUB_PRIME = 362,
VAR_UNWANTED_REPLY_THRESHOLD = 363,
VAR_LOG_TIME_ASCII = 364,
VAR_DOMAIN_INSECURE = 365,
VAR_PYTHON = 366,
VAR_PYTHON_SCRIPT = 367,
VAR_VAL_SIG_SKEW_MIN = 368,
VAR_VAL_SIG_SKEW_MAX = 369,
VAR_CACHE_MIN_TTL = 370,
VAR_VAL_LOG_LEVEL = 371,
VAR_AUTO_TRUST_ANCHOR_FILE = 372,
VAR_KEEP_MISSING = 373,
VAR_ADD_HOLDDOWN = 374,
VAR_DEL_HOLDDOWN = 375,
VAR_SO_RCVBUF = 376,
VAR_EDNS_BUFFER_SIZE = 377,
VAR_PREFETCH = 378,
VAR_PREFETCH_KEY = 379,
VAR_SO_SNDBUF = 380,
VAR_SO_REUSEPORT = 381,
VAR_HARDEN_BELOW_NXDOMAIN = 382,
VAR_IGNORE_CD_FLAG = 383,
VAR_LOG_QUERIES = 384,
VAR_LOG_REPLIES = 385,
VAR_LOG_LOCAL_ACTIONS = 386,
VAR_TCP_UPSTREAM = 387,
VAR_SSL_UPSTREAM = 388,
VAR_SSL_SERVICE_KEY = 389,
VAR_SSL_SERVICE_PEM = 390,
VAR_SSL_PORT = 391,
VAR_FORWARD_FIRST = 392,
VAR_STUB_SSL_UPSTREAM = 393,
VAR_FORWARD_SSL_UPSTREAM = 394,
VAR_TLS_CERT_BUNDLE = 395,
VAR_STUB_FIRST = 396,
VAR_MINIMAL_RESPONSES = 397,
VAR_RRSET_ROUNDROBIN = 398,
VAR_MAX_UDP_SIZE = 399,
VAR_DELAY_CLOSE = 400,
VAR_UNBLOCK_LAN_ZONES = 401,
VAR_INSECURE_LAN_ZONES = 402,
VAR_INFRA_CACHE_MIN_RTT = 403,
VAR_DNS64_PREFIX = 404,
VAR_DNS64_SYNTHALL = 405,
VAR_DNS64_IGNORE_AAAA = 406,
VAR_DNSTAP = 407,
VAR_DNSTAP_ENABLE = 408,
VAR_DNSTAP_SOCKET_PATH = 409,
VAR_DNSTAP_IP = 410,
VAR_DNSTAP_TLS = 411,
VAR_DNSTAP_TLS_SERVER_NAME = 412,
VAR_DNSTAP_TLS_CERT_BUNDLE = 413,
VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 414,
VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 415,
VAR_DNSTAP_SEND_IDENTITY = 416,
VAR_DNSTAP_SEND_VERSION = 417,
VAR_DNSTAP_IDENTITY = 418,
VAR_DNSTAP_VERSION = 419,
VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 420,
VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 421,
VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 422,
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 423,
VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 424,
VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 425,
VAR_RESPONSE_IP_TAG = 426,
VAR_RESPONSE_IP = 427,
VAR_RESPONSE_IP_DATA = 428,
VAR_HARDEN_ALGO_DOWNGRADE = 429,
VAR_IP_TRANSPARENT = 430,
VAR_IP_DSCP = 431,
VAR_DISABLE_DNSSEC_LAME_CHECK = 432,
VAR_IP_RATELIMIT = 433,
VAR_IP_RATELIMIT_SLABS = 434,
VAR_IP_RATELIMIT_SIZE = 435,
VAR_RATELIMIT = 436,
VAR_RATELIMIT_SLABS = 437,
VAR_RATELIMIT_SIZE = 438,
VAR_RATELIMIT_FOR_DOMAIN = 439,
VAR_RATELIMIT_BELOW_DOMAIN = 440,
VAR_IP_RATELIMIT_FACTOR = 441,
VAR_RATELIMIT_FACTOR = 442,
VAR_SEND_CLIENT_SUBNET = 443,
VAR_CLIENT_SUBNET_ZONE = 444,
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 445,
VAR_CLIENT_SUBNET_OPCODE = 446,
VAR_MAX_CLIENT_SUBNET_IPV4 = 447,
VAR_MAX_CLIENT_SUBNET_IPV6 = 448,
VAR_MIN_CLIENT_SUBNET_IPV4 = 449,
VAR_MIN_CLIENT_SUBNET_IPV6 = 450,
VAR_MAX_ECS_TREE_SIZE_IPV4 = 451,
VAR_MAX_ECS_TREE_SIZE_IPV6 = 452,
VAR_CAPS_WHITELIST = 453,
VAR_CACHE_MAX_NEGATIVE_TTL = 454,
VAR_PERMIT_SMALL_HOLDDOWN = 455,
VAR_QNAME_MINIMISATION = 456,
VAR_QNAME_MINIMISATION_STRICT = 457,
VAR_IP_FREEBIND = 458,
VAR_DEFINE_TAG = 459,
VAR_LOCAL_ZONE_TAG = 460,
VAR_ACCESS_CONTROL_TAG = 461,
VAR_LOCAL_ZONE_OVERRIDE = 462,
VAR_ACCESS_CONTROL_TAG_ACTION = 463,
VAR_ACCESS_CONTROL_TAG_DATA = 464,
VAR_VIEW = 465,
VAR_ACCESS_CONTROL_VIEW = 466,
VAR_VIEW_FIRST = 467,
VAR_SERVE_EXPIRED = 468,
VAR_SERVE_EXPIRED_TTL = 469,
VAR_SERVE_EXPIRED_TTL_RESET = 470,
VAR_SERVE_EXPIRED_REPLY_TTL = 471,
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 472,
VAR_FAKE_DSA = 473,
VAR_FAKE_SHA1 = 474,
VAR_LOG_IDENTITY = 475,
VAR_HIDE_TRUSTANCHOR = 476,
VAR_TRUST_ANCHOR_SIGNALING = 477,
VAR_AGGRESSIVE_NSEC = 478,
VAR_USE_SYSTEMD = 479,
VAR_SHM_ENABLE = 480,
VAR_SHM_KEY = 481,
VAR_ROOT_KEY_SENTINEL = 482,
VAR_DNSCRYPT = 483,
VAR_DNSCRYPT_ENABLE = 484,
VAR_DNSCRYPT_PORT = 485,
VAR_DNSCRYPT_PROVIDER = 486,
VAR_DNSCRYPT_SECRET_KEY = 487,
VAR_DNSCRYPT_PROVIDER_CERT = 488,
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 489,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 490,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 491,
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 492,
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 493,
VAR_IPSECMOD_ENABLED = 494,
VAR_IPSECMOD_HOOK = 495,
VAR_IPSECMOD_IGNORE_BOGUS = 496,
VAR_IPSECMOD_MAX_TTL = 497,
VAR_IPSECMOD_WHITELIST = 498,
VAR_IPSECMOD_STRICT = 499,
VAR_CACHEDB = 500,
VAR_CACHEDB_BACKEND = 501,
VAR_CACHEDB_SECRETSEED = 502,
VAR_CACHEDB_REDISHOST = 503,
VAR_CACHEDB_REDISPORT = 504,
VAR_CACHEDB_REDISTIMEOUT = 505,
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 506,
VAR_FOR_UPSTREAM = 507,
VAR_AUTH_ZONE = 508,
VAR_ZONEFILE = 509,
VAR_MASTER = 510,
VAR_URL = 511,
VAR_FOR_DOWNSTREAM = 512,
VAR_FALLBACK_ENABLED = 513,
VAR_TLS_ADDITIONAL_PORT = 514,
VAR_LOW_RTT = 515,
VAR_LOW_RTT_PERMIL = 516,
VAR_FAST_SERVER_PERMIL = 517,
VAR_FAST_SERVER_NUM = 518,
VAR_ALLOW_NOTIFY = 519,
VAR_TLS_WIN_CERT = 520,
VAR_TCP_CONNECTION_LIMIT = 521,
VAR_FORWARD_NO_CACHE = 522,
VAR_STUB_NO_CACHE = 523,
VAR_LOG_SERVFAIL = 524,
VAR_DENY_ANY = 525,
VAR_UNKNOWN_SERVER_TIME_LIMIT = 526,
VAR_LOG_TAG_QUERYREPLY = 527,
VAR_STREAM_WAIT_SIZE = 528,
VAR_TLS_CIPHERS = 529,
VAR_TLS_CIPHERSUITES = 530,
VAR_IPSET = 531,
VAR_IPSET_NAME_V4 = 532,
VAR_IPSET_NAME_V6 = 533,
VAR_TLS_SESSION_TICKET_KEYS = 534,
VAR_RPZ = 535,
VAR_TAGS = 536,
VAR_RPZ_ACTION_OVERRIDE = 537,
VAR_RPZ_CNAME_OVERRIDE = 538,
VAR_RPZ_LOG = 539,
VAR_RPZ_LOG_NAME = 540
};
#endif
/* Tokens. */
#define SPACE 258
#define LETTER 259
#define NEWLINE 260
#define COMMENT 261
#define COLON 262
#define ANY 263
#define ZONESTR 264
#define STRING_ARG 265
#define VAR_SERVER 266
#define VAR_VERBOSITY 267
#define VAR_NUM_THREADS 268
#define VAR_PORT 269
#define VAR_OUTGOING_RANGE 270
#define VAR_INTERFACE 271
#define VAR_PREFER_IP4 272
#define VAR_DO_IP4 273
#define VAR_DO_IP6 274
#define VAR_PREFER_IP6 275
#define VAR_DO_UDP 276
#define VAR_DO_TCP 277
#define VAR_TCP_MSS 278
#define VAR_OUTGOING_TCP_MSS 279
#define VAR_TCP_IDLE_TIMEOUT 280
#define VAR_EDNS_TCP_KEEPALIVE 281
#define VAR_EDNS_TCP_KEEPALIVE_TIMEOUT 282
#define VAR_CHROOT 283
#define VAR_USERNAME 284
#define VAR_DIRECTORY 285
#define VAR_LOGFILE 286
#define VAR_PIDFILE 287
#define VAR_MSG_CACHE_SIZE 288
#define VAR_MSG_CACHE_SLABS 289
#define VAR_NUM_QUERIES_PER_THREAD 290
#define VAR_RRSET_CACHE_SIZE 291
#define VAR_RRSET_CACHE_SLABS 292
#define VAR_OUTGOING_NUM_TCP 293
#define VAR_INFRA_HOST_TTL 294
#define VAR_INFRA_LAME_TTL 295
#define VAR_INFRA_CACHE_SLABS 296
#define VAR_INFRA_CACHE_NUMHOSTS 297
#define VAR_INFRA_CACHE_LAME_SIZE 298
#define VAR_NAME 299
#define VAR_STUB_ZONE 300
#define VAR_STUB_HOST 301
#define VAR_STUB_ADDR 302
#define VAR_TARGET_FETCH_POLICY 303
#define VAR_HARDEN_SHORT_BUFSIZE 304
#define VAR_HARDEN_LARGE_QUERIES 305
#define VAR_FORWARD_ZONE 306
#define VAR_FORWARD_HOST 307
#define VAR_FORWARD_ADDR 308
#define VAR_DO_NOT_QUERY_ADDRESS 309
#define VAR_HIDE_IDENTITY 310
#define VAR_HIDE_VERSION 311
#define VAR_IDENTITY 312
#define VAR_VERSION 313
#define VAR_HARDEN_GLUE 314
#define VAR_MODULE_CONF 315
#define VAR_TRUST_ANCHOR_FILE 316
#define VAR_TRUST_ANCHOR 317
#define VAR_VAL_OVERRIDE_DATE 318
#define VAR_BOGUS_TTL 319
#define VAR_VAL_CLEAN_ADDITIONAL 320
#define VAR_VAL_PERMISSIVE_MODE 321
#define VAR_INCOMING_NUM_TCP 322
#define VAR_MSG_BUFFER_SIZE 323
#define VAR_KEY_CACHE_SIZE 324
#define VAR_KEY_CACHE_SLABS 325
#define VAR_TRUSTED_KEYS_FILE 326
#define VAR_VAL_NSEC3_KEYSIZE_ITERATIONS 327
#define VAR_USE_SYSLOG 328
#define VAR_OUTGOING_INTERFACE 329
#define VAR_ROOT_HINTS 330
#define VAR_DO_NOT_QUERY_LOCALHOST 331
#define VAR_CACHE_MAX_TTL 332
#define VAR_HARDEN_DNSSEC_STRIPPED 333
#define VAR_ACCESS_CONTROL 334
#define VAR_LOCAL_ZONE 335
#define VAR_LOCAL_DATA 336
#define VAR_INTERFACE_AUTOMATIC 337
#define VAR_STATISTICS_INTERVAL 338
#define VAR_DO_DAEMONIZE 339
#define VAR_USE_CAPS_FOR_ID 340
#define VAR_STATISTICS_CUMULATIVE 341
#define VAR_OUTGOING_PORT_PERMIT 342
#define VAR_OUTGOING_PORT_AVOID 343
#define VAR_DLV_ANCHOR_FILE 344
#define VAR_DLV_ANCHOR 345
#define VAR_NEG_CACHE_SIZE 346
#define VAR_HARDEN_REFERRAL_PATH 347
#define VAR_PRIVATE_ADDRESS 348
#define VAR_PRIVATE_DOMAIN 349
#define VAR_REMOTE_CONTROL 350
#define VAR_CONTROL_ENABLE 351
#define VAR_CONTROL_INTERFACE 352
#define VAR_CONTROL_PORT 353
#define VAR_SERVER_KEY_FILE 354
#define VAR_SERVER_CERT_FILE 355
#define VAR_CONTROL_KEY_FILE 356
#define VAR_CONTROL_CERT_FILE 357
#define VAR_CONTROL_USE_CERT 358
#define VAR_EXTENDED_STATISTICS 359
#define VAR_LOCAL_DATA_PTR 360
#define VAR_JOSTLE_TIMEOUT 361
#define VAR_STUB_PRIME 362
#define VAR_UNWANTED_REPLY_THRESHOLD 363
#define VAR_LOG_TIME_ASCII 364
#define VAR_DOMAIN_INSECURE 365
#define VAR_PYTHON 366
#define VAR_PYTHON_SCRIPT 367
#define VAR_VAL_SIG_SKEW_MIN 368
#define VAR_VAL_SIG_SKEW_MAX 369
#define VAR_CACHE_MIN_TTL 370
#define VAR_VAL_LOG_LEVEL 371
#define VAR_AUTO_TRUST_ANCHOR_FILE 372
#define VAR_KEEP_MISSING 373
#define VAR_ADD_HOLDDOWN 374
#define VAR_DEL_HOLDDOWN 375
#define VAR_SO_RCVBUF 376
#define VAR_EDNS_BUFFER_SIZE 377
#define VAR_PREFETCH 378
#define VAR_PREFETCH_KEY 379
#define VAR_SO_SNDBUF 380
#define VAR_SO_REUSEPORT 381
#define VAR_HARDEN_BELOW_NXDOMAIN 382
#define VAR_IGNORE_CD_FLAG 383
#define VAR_LOG_QUERIES 384
#define VAR_LOG_REPLIES 385
#define VAR_LOG_LOCAL_ACTIONS 386
#define VAR_TCP_UPSTREAM 387
#define VAR_SSL_UPSTREAM 388
#define VAR_SSL_SERVICE_KEY 389
#define VAR_SSL_SERVICE_PEM 390
#define VAR_SSL_PORT 391
#define VAR_FORWARD_FIRST 392
#define VAR_STUB_SSL_UPSTREAM 393
#define VAR_FORWARD_SSL_UPSTREAM 394
#define VAR_TLS_CERT_BUNDLE 395
#define VAR_STUB_FIRST 396
#define VAR_MINIMAL_RESPONSES 397
#define VAR_RRSET_ROUNDROBIN 398
#define VAR_MAX_UDP_SIZE 399
#define VAR_DELAY_CLOSE 400
#define VAR_UNBLOCK_LAN_ZONES 401
#define VAR_INSECURE_LAN_ZONES 402
#define VAR_INFRA_CACHE_MIN_RTT 403
#define VAR_DNS64_PREFIX 404
#define VAR_DNS64_SYNTHALL 405
#define VAR_DNS64_IGNORE_AAAA 406
#define VAR_DNSTAP 407
#define VAR_DNSTAP_ENABLE 408
#define VAR_DNSTAP_SOCKET_PATH 409
#define VAR_DNSTAP_IP 410
#define VAR_DNSTAP_TLS 411
#define VAR_DNSTAP_TLS_SERVER_NAME 412
#define VAR_DNSTAP_TLS_CERT_BUNDLE 413
#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 414
#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 415
#define VAR_DNSTAP_SEND_IDENTITY 416
#define VAR_DNSTAP_SEND_VERSION 417
#define VAR_DNSTAP_IDENTITY 418
#define VAR_DNSTAP_VERSION 419
#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 420
#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 421
#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 422
#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 423
#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 424
#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 425
#define VAR_RESPONSE_IP_TAG 426
#define VAR_RESPONSE_IP 427
#define VAR_RESPONSE_IP_DATA 428
#define VAR_HARDEN_ALGO_DOWNGRADE 429
#define VAR_IP_TRANSPARENT 430
#define VAR_IP_DSCP 431
#define VAR_DISABLE_DNSSEC_LAME_CHECK 432
#define VAR_IP_RATELIMIT 433
#define VAR_IP_RATELIMIT_SLABS 434
#define VAR_IP_RATELIMIT_SIZE 435
#define VAR_RATELIMIT 436
#define VAR_RATELIMIT_SLABS 437
#define VAR_RATELIMIT_SIZE 438
#define VAR_RATELIMIT_FOR_DOMAIN 439
#define VAR_RATELIMIT_BELOW_DOMAIN 440
#define VAR_IP_RATELIMIT_FACTOR 441
#define VAR_RATELIMIT_FACTOR 442
#define VAR_SEND_CLIENT_SUBNET 443
#define VAR_CLIENT_SUBNET_ZONE 444
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 445
#define VAR_CLIENT_SUBNET_OPCODE 446
#define VAR_MAX_CLIENT_SUBNET_IPV4 447
#define VAR_MAX_CLIENT_SUBNET_IPV6 448
#define VAR_MIN_CLIENT_SUBNET_IPV4 449
#define VAR_MIN_CLIENT_SUBNET_IPV6 450
#define VAR_MAX_ECS_TREE_SIZE_IPV4 451
#define VAR_MAX_ECS_TREE_SIZE_IPV6 452
#define VAR_CAPS_WHITELIST 453
#define VAR_CACHE_MAX_NEGATIVE_TTL 454
#define VAR_PERMIT_SMALL_HOLDDOWN 455
#define VAR_QNAME_MINIMISATION 456
#define VAR_QNAME_MINIMISATION_STRICT 457
#define VAR_IP_FREEBIND 458
#define VAR_DEFINE_TAG 459
#define VAR_LOCAL_ZONE_TAG 460
#define VAR_ACCESS_CONTROL_TAG 461
#define VAR_LOCAL_ZONE_OVERRIDE 462
#define VAR_ACCESS_CONTROL_TAG_ACTION 463
#define VAR_ACCESS_CONTROL_TAG_DATA 464
#define VAR_VIEW 465
#define VAR_ACCESS_CONTROL_VIEW 466
#define VAR_VIEW_FIRST 467
#define VAR_SERVE_EXPIRED 468
#define VAR_SERVE_EXPIRED_TTL 469
#define VAR_SERVE_EXPIRED_TTL_RESET 470
#define VAR_SERVE_EXPIRED_REPLY_TTL 471
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 472
#define VAR_FAKE_DSA 473
#define VAR_FAKE_SHA1 474
#define VAR_LOG_IDENTITY 475
#define VAR_HIDE_TRUSTANCHOR 476
#define VAR_TRUST_ANCHOR_SIGNALING 477
#define VAR_AGGRESSIVE_NSEC 478
#define VAR_USE_SYSTEMD 479
#define VAR_SHM_ENABLE 480
#define VAR_SHM_KEY 481
#define VAR_ROOT_KEY_SENTINEL 482
#define VAR_DNSCRYPT 483
#define VAR_DNSCRYPT_ENABLE 484
#define VAR_DNSCRYPT_PORT 485
#define VAR_DNSCRYPT_PROVIDER 486
#define VAR_DNSCRYPT_SECRET_KEY 487
#define VAR_DNSCRYPT_PROVIDER_CERT 488
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 489
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 490
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 491
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 492
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 493
#define VAR_IPSECMOD_ENABLED 494
#define VAR_IPSECMOD_HOOK 495
#define VAR_IPSECMOD_IGNORE_BOGUS 496
#define VAR_IPSECMOD_MAX_TTL 497
#define VAR_IPSECMOD_WHITELIST 498
#define VAR_IPSECMOD_STRICT 499
#define VAR_CACHEDB 500
#define VAR_CACHEDB_BACKEND 501
#define VAR_CACHEDB_SECRETSEED 502
#define VAR_CACHEDB_REDISHOST 503
#define VAR_CACHEDB_REDISPORT 504
#define VAR_CACHEDB_REDISTIMEOUT 505
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 506
#define VAR_FOR_UPSTREAM 507
#define VAR_AUTH_ZONE 508
#define VAR_ZONEFILE 509
#define VAR_MASTER 510
#define VAR_URL 511
#define VAR_FOR_DOWNSTREAM 512
#define VAR_FALLBACK_ENABLED 513
#define VAR_TLS_ADDITIONAL_PORT 514
#define VAR_LOW_RTT 515
#define VAR_LOW_RTT_PERMIL 516
#define VAR_FAST_SERVER_PERMIL 517
#define VAR_FAST_SERVER_NUM 518
#define VAR_ALLOW_NOTIFY 519
#define VAR_TLS_WIN_CERT 520
#define VAR_TCP_CONNECTION_LIMIT 521
#define VAR_FORWARD_NO_CACHE 522
#define VAR_STUB_NO_CACHE 523
#define VAR_LOG_SERVFAIL 524
#define VAR_DENY_ANY 525
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 526
#define VAR_LOG_TAG_QUERYREPLY 527
#define VAR_STREAM_WAIT_SIZE 528
#define VAR_TLS_CIPHERS 529
#define VAR_TLS_CIPHERSUITES 530
#define VAR_IPSET 531
#define VAR_IPSET_NAME_V4 532
#define VAR_IPSET_NAME_V6 533
#define VAR_TLS_SESSION_TICKET_KEYS 534
#define VAR_RPZ 535
#define VAR_TAGS 536
#define VAR_RPZ_ACTION_OVERRIDE 537
#define VAR_RPZ_CNAME_OVERRIDE 538
#define VAR_RPZ_LOG 539
#define VAR_RPZ_LOG_NAME 540
/* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
union YYSTYPE
{
#line 66 "./util/configparser.y"
char* str; char* str;
} YYSTYPE;
#line 631 "util/configparser.h" #endif /* !YYSTYPE_IS_DECLARED */
};
typedef union YYSTYPE YYSTYPE;
# define YYSTYPE_IS_TRIVIAL 1
# define YYSTYPE_IS_DECLARED 1
#endif
extern YYSTYPE yylval; extern YYSTYPE yylval;
int yyparse (void);
#endif /* !YY_YY_UTIL_CONFIGPARSER_H_INCLUDED */


@ -158,6 +158,8 @@ extern struct config_parser_state* cfg_parser;
%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS %token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS
%token VAR_DNSCRYPT_NONCE_CACHE_SIZE %token VAR_DNSCRYPT_NONCE_CACHE_SIZE
%token VAR_DNSCRYPT_NONCE_CACHE_SLABS %token VAR_DNSCRYPT_NONCE_CACHE_SLABS
%token VAR_PAD_RESPONSES VAR_PAD_RESPONSES_BLOCK_SIZE
%token VAR_PAD_QUERIES VAR_PAD_QUERIES_BLOCK_SIZE
%token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS %token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS
%token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT %token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
%token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED %token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED
@ -2307,6 +2309,44 @@ server_qname_minimisation_strict: VAR_QNAME_MINIMISATION_STRICT STRING_ARG
free($2); free($2);
} }
; ;
server_pad_responses: VAR_PAD_RESPONSES STRING_ARG
{
OUTYY(("P(server_pad_responses:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->pad_responses =
(strcmp($2, "yes")==0);
free($2);
}
;
server_pad_responses_block_size: VAR_PAD_RESPONSES_BLOCK_SIZE STRING_ARG
{
OUTYY(("P(server_pad_responses_block_size:%s)\n", $2));
if(atoi($2) == 0)
yyerror("number expected");
else cfg_parser->cfg->pad_responses_block_size = atoi($2);
free($2);
}
;
server_pad_queries: VAR_PAD_QUERIES STRING_ARG
{
OUTYY(("P(server_pad_queries:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->pad_queries =
(strcmp($2, "yes")==0);
free($2);
}
;
server_pad_queries_block_size: VAR_PAD_QUERIES_BLOCK_SIZE STRING_ARG
{
OUTYY(("P(server_pad_queries_block_size:%s)\n", $2));
if(atoi($2) == 0)
yyerror("number expected");
else cfg_parser->cfg->pad_queries_block_size = atoi($2);
free($2);
}
;
server_ipsecmod_enabled: VAR_IPSECMOD_ENABLED STRING_ARG server_ipsecmod_enabled: VAR_IPSECMOD_ENABLED STRING_ARG
{ {
#ifdef USE_IPSECMOD #ifdef USE_IPSECMOD
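Review bot: The two block-size rules, `server_pad_responses_block_size` and `server_pad_queries_block_size`, only reject `atoi($2) == 0`, so a negative number, a value with trailing text, or a value above 65535 is accepted. The value later lands in the `uint16_t padding_block_size` field of `struct edns_data` (see the assignment in `apply_edns_options`). If the config field is wider than 16 bits, which is not visible here, it would be truncated there; 65536 would become 0 and padding would be switched off without any warning. A range check at parse time keeps that failure visible: `if(atoi($2) <= 0 || atoi($2) > 65535) yyerror("block size between 1 and 65535 expected");`.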


@ -798,14 +798,14 @@ calc_edns_field_size(struct edns_data* edns)
return 1 + 2 + 2 + 4 + 2 + rdatalen; return 1 + 2 + 2 + 4 + 2 + rdatalen;
} }
void static void
attach_edns_record(sldns_buffer* pkt, struct edns_data* edns) attach_edns_record_max_msg_sz(sldns_buffer* pkt, struct edns_data* edns,
uint16_t max_msg_sz)
{ {
size_t len; size_t len;
size_t rdatapos; size_t rdatapos;
struct edns_option* opt; struct edns_option* opt;
if(!edns || !edns->edns_present) struct edns_option* padding_option = NULL;
return;
/* inc additional count */ /* inc additional count */
sldns_buffer_write_u16_at(pkt, 10, sldns_buffer_write_u16_at(pkt, 10,
sldns_buffer_read_u16_at(pkt, 10) + 1); sldns_buffer_read_u16_at(pkt, 10) + 1);
@ -823,17 +823,53 @@ attach_edns_record(sldns_buffer* pkt, struct edns_data* edns)
sldns_buffer_write_u16(pkt, 0); /* rdatalen */ sldns_buffer_write_u16(pkt, 0); /* rdatalen */
/* write rdata */ /* write rdata */
for(opt=edns->opt_list; opt; opt=opt->next) { for(opt=edns->opt_list; opt; opt=opt->next) {
if (opt->opt_code == LDNS_EDNS_PADDING) {
padding_option = opt;
continue;
}
sldns_buffer_write_u16(pkt, opt->opt_code); sldns_buffer_write_u16(pkt, opt->opt_code);
sldns_buffer_write_u16(pkt, opt->opt_len); sldns_buffer_write_u16(pkt, opt->opt_len);
if(opt->opt_len != 0) if(opt->opt_len != 0)
sldns_buffer_write(pkt, opt->opt_data, opt->opt_len); sldns_buffer_write(pkt, opt->opt_data, opt->opt_len);
} }
if (padding_option && edns->padding_block_size ) {
size_t pad_pos = sldns_buffer_position(pkt);
size_t msg_sz = ((pad_pos + 3) / edns->padding_block_size + 1)
* edns->padding_block_size;
size_t pad_sz;
if (msg_sz > max_msg_sz)
msg_sz = max_msg_sz;
/* By use of calc_edns_field_size, calling functions should
* have made sure that there is enough space for at least a
* zero sized padding option, but it cannot harm to leave it
* out if there isn't.
*/
log_assert(pad_pos + 4 <= msg_sz);
pad_sz = msg_sz - pad_pos - 4;
sldns_buffer_write_u16(pkt, LDNS_EDNS_PADDING);
sldns_buffer_write_u16(pkt, pad_sz);
if (pad_sz) {
memset(sldns_buffer_current(pkt), 0, pad_sz);
sldns_buffer_skip(pkt, pad_sz);
}
}
if(edns->opt_list) if(edns->opt_list)
sldns_buffer_write_u16_at(pkt, rdatapos, sldns_buffer_write_u16_at(pkt, rdatapos,
sldns_buffer_position(pkt)-rdatapos-2); sldns_buffer_position(pkt)-rdatapos-2);
sldns_buffer_flip(pkt); sldns_buffer_flip(pkt);
} }
void
attach_edns_record(sldns_buffer* pkt, struct edns_data* edns)
{
if(!edns || !edns->edns_present)
return;
attach_edns_record_max_msg_sz(pkt, edns, edns->udp_size);
}
int int
reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep, reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
uint16_t id, uint16_t qflags, sldns_buffer* pkt, time_t timenow, uint16_t id, uint16_t qflags, sldns_buffer* pkt, time_t timenow,
@ -882,7 +918,7 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
} }
if(attach_edns && sldns_buffer_capacity(pkt) >= if(attach_edns && sldns_buffer_capacity(pkt) >=
sldns_buffer_limit(pkt)+attach_edns) sldns_buffer_limit(pkt)+attach_edns)
attach_edns_record(pkt, edns); attach_edns_record_max_msg_sz(pkt, edns, udpsize+attach_edns);
return 1; return 1;
} }
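Review bot: In `attach_edns_record_max_msg_sz` the only protection against `pad_sz = msg_sz - pad_pos - 4` underflowing is `log_assert(pad_pos + 4 <= msg_sz)`, and the comment above it says the option can be left out when there is no room, which the code does not do. If `log_assert` is compiled out in non-debug builds (worth confirming), a `max_msg_sz` smaller than `pad_pos + 4` makes `pad_sz` wrap to a huge `size_t`, and the following `memset(sldns_buffer_current(pkt), 0, pad_sz)` then writes past the packet buffer. The clamp is also against `max_msg_sz` only, not against the space left in `pkt`. I would turn the assertion into the condition that guards the four writes, e.g. `if (pad_pos + 4 <= msg_sz && sldns_buffer_available(pkt, msg_sz - pad_pos)) {`, and skip the padding option otherwise. The function body spans the first two hunks of this file, with the lines between them not shown.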


@ -1016,6 +1016,7 @@ parse_extract_edns(struct msg_parse* msg, struct edns_data* edns,
edns->bits = sldns_read_uint16(&found->rr_last->ttl_data[2]); edns->bits = sldns_read_uint16(&found->rr_last->ttl_data[2]);
edns->udp_size = ntohs(found->rrset_class); edns->udp_size = ntohs(found->rrset_class);
edns->opt_list = NULL; edns->opt_list = NULL;
edns->padding_block_size = 0;
/* take the options */ /* take the options */
rdata_len = found->rr_first->size-2; rdata_len = found->rr_first->size-2;
@ -1089,6 +1090,7 @@ parse_edns_from_pkt(sldns_buffer* pkt, struct edns_data* edns,
edns->edns_version = sldns_buffer_read_u8(pkt); edns->edns_version = sldns_buffer_read_u8(pkt);
edns->bits = sldns_buffer_read_u16(pkt); edns->bits = sldns_buffer_read_u16(pkt);
edns->opt_list = NULL; edns->opt_list = NULL;
edns->padding_block_size = 0;
/* take the options */ /* take the options */
rdata_len = sldns_buffer_read_u16(pkt); rdata_len = sldns_buffer_read_u16(pkt);


@ -225,6 +225,8 @@ struct edns_data {
uint16_t udp_size; uint16_t udp_size;
/** rdata element list, or NULL if none */ /** rdata element list, or NULL if none */
struct edns_option* opt_list; struct edns_option* opt_list;
/** block size to pad */
uint16_t padding_block_size;
}; };
/** /**
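Review bot: The comment `/** block size to pad */` on the new `padding_block_size` field leaves out the two things a reader of `struct edns_data` needs: that 0 means no padding is added, and that the encoder only uses it when an `LDNS_EDNS_PADDING` option is present in `opt_list`. Every initializer touched by this commit sets it to 0 by hand, so a site that fills the struct without doing so would hand the encoder an indeterminate block size. Suggested wording: `/** pad the message to a multiple of this many bytes when opt_list holds a padding option; 0 means no padding */`. The struct definition starts outside the hunk.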


@ -79,5 +79,15 @@ int apply_edns_options(struct edns_data* edns_out, struct edns_data* edns_in,
!edns_keepalive(edns_out, edns_in, c, region)) !edns_keepalive(edns_out, edns_in, c, region))
return 0; return 0;
if(!cfg->pad_responses || c->type != comm_tcp || !c->ssl
|| !edns_opt_list_find(edns_in->opt_list, LDNS_EDNS_PADDING))
; /* pass */
else if(!edns_opt_list_append(&edns_out->opt_list, LDNS_EDNS_PADDING
, 0, NULL, region))
return 0;
else
edns_out->padding_block_size = cfg->pad_responses_block_size;
return 1; return 1;
} }
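Review bot: The new branch in `apply_edns_options` hides the TLS-only condition behind a negated test with an empty statement (`; /* pass */`), which makes it easy to misread which transports get padded responses. Stating the condition positively reads more directly: `if(cfg->pad_responses && c->type == comm_tcp && c->ssl && edns_opt_list_find(edns_in->opt_list, LDNS_EDNS_PADDING)) {`, with the append-or-`return 0` and the `padding_block_size` assignment inside the braces. The function starts outside the hunk.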


@ -2365,6 +2365,7 @@ probe_anchor(struct module_env* env, struct trust_anchor* tp)
edns.edns_version = 0; edns.edns_version = 0;
edns.bits = EDNS_DO; edns.bits = EDNS_DO;
edns.opt_list = NULL; edns.opt_list = NULL;
edns.padding_block_size = 0;
if(sldns_buffer_capacity(buf) < 65535) if(sldns_buffer_capacity(buf) < 65535)
edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
else edns.udp_size = 65535; else edns.udp_size = 65535;