Merge branch 'master' of github.com:NLnetLabs/unbound

daemon/worker.c

@@ -1789,8 +1789,8 @@ worker_init(struct worker* worker, struct config_file *cfg,
 			? cfg->tcp_keepalive_timeout
 			: cfg->tcp_idle_timeout,
 		cfg->harden_large_queries, cfg->http_max_streams,
-		cfg->http_endpoint, worker->daemon->tcl,
-		worker->daemon->listen_sslctx,
+		cfg->http_endpoint, cfg->http_notls_downstream,
+		worker->daemon->tcl, worker->daemon->listen_sslctx,
 		dtenv, worker_handle_request, worker);
 	if(!worker->front) {
 		log_err("could not create listening sockets");

doc/Changelog

@@ -1,3 +1,26 @@
+19 October 2020: Ralph
+	- local-zone regional allocations outside of chunk
+
+19 October 2020: Wouter
+	- Fix that http settings have colon in set_option, for
+	  http-endpoint, http-max-streams, http-query-buffer-size,
+	  http-response-buffer-size, and http-nodelay.
+	- Fix memory leak of https port string when reading config.
+	- Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
+	  This adds the option http-notls-downstream: yesno to change that,
+	  and the dohclient test code has the -n option.
+	- Fix python documentation warning on functions.rst inplace_cb_reply.
+	- Fix dnstap test to wait for log timer to see if queries are logged.
+	- Log ip address when http session recv fails, eg. due to tls fail.
+	- Fix to set the tcp handler event toggle flag back to default when
+	  the handler structure is reused.
+	- Clean the fix for out of order TCP processing limits on number
+	  of queries.  It was tested to work.
+
+16 October 2020: Wouter
+	- Fix that the out of order TCP processing does not limit the
+	  number of outstanding queries over a connection.
+
 15 October 2020: George
 	- Fix that if there are reply callbacks for the given rcode, those
 	  are called per reply and a new message created if that was modified

doc/example.conf.in

@@ -788,6 +788,9 @@ server:
 	# service.
 	# http-nodelay: yes
 
+	# Disable TLS for DNS-over-HTTP downstream service.
+	# http-notls-downstream: no
+
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
 	# dns64-prefix: 64:ff9b::0/96

doc/unbound.conf.5.in

@@ -587,6 +587,10 @@ megabytes or gigabytes (1024*1024 bytes in a megabyte).
 Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
 Ignored if the option is not available. Default is yes.
 .TP
+.B http\-notls\-downstream: \fI<yes or no>
+Disable use of TLS for the downstream DNS-over-HTTP connections.  Useful for
+local back end servers.  Default is no.
+.TP
 .B use\-systemd: \fI<yes or no>
 Enable or disable systemd socket activation.
 Default is no.

pythonmod/doc/modules/functions.rst

@@ -103,7 +103,7 @@ Inplace callbacks
     :param opt_list_out: :class:`edns_option`. EDNS option list to append options to.
     :param region: :class:`regional`
     :param \*\*kwargs: Dictionary that may contain parameters added in a future
-                     release. Current parameters:
+        release. Current parameters:
         ``repinfo``: :class:`comm_reply`. Reply information for a communication point.
 
 .. function:: inplace_cb_query(qinfo, flags, qstate, addr, zone, region)

services/listen_dnsport.c

@@ -81,9 +81,6 @@
 /** number of queued TCP connections for listen() */
 #define TCP_BACKLOG 256 
 
-/** number of simultaneous requests a client can have */
-#define TCP_MAX_REQ_SIMULTANEOUS 32
-
 #ifndef THREADS_DISABLED
 /** lock on the counter of stream buffer memory */
 static lock_basic_type stream_wait_count_lock;
@@ -1244,8 +1241,9 @@ struct listen_dnsport*
 listen_create(struct comm_base* base, struct listen_port* ports,
 	size_t bufsize, int tcp_accept_count, int tcp_idle_timeout,
 	int harden_large_queries, uint32_t http_max_streams,
-	char* http_endpoint, struct tcl_list* tcp_conn_limit, void* sslctx,
-	struct dt_env* dtenv, comm_point_callback_type* cb, void *cb_arg)
+	char* http_endpoint, int http_notls, struct tcl_list* tcp_conn_limit,
+	void* sslctx, struct dt_env* dtenv, comm_point_callback_type* cb,
+	void *cb_arg)
 {
 	struct listen_dnsport* front = (struct listen_dnsport*)
 		malloc(sizeof(struct listen_dnsport));
@@ -1295,15 +1293,19 @@ listen_create(struct comm_base* base, struct listen_port* ports,
 				http_max_streams, http_endpoint,
 				tcp_conn_limit, bufsize, front->udp_buff,
 				ports->ftype, cb, cb_arg);
-			cp->ssl = sslctx;
+			if(http_notls && ports->ftype == listen_type_http)
+				cp->ssl = NULL;
+			else
+				cp->ssl = sslctx;
 			if(ports->ftype == listen_type_http) {
-				if(!sslctx) {
-				log_warn("HTTPS port configured, but no TLS "
+				if(!sslctx && !http_notls) {
+				  log_warn("HTTPS port configured, but no TLS "
 					"tls-service-key or tls-service-pem "
 					"set");
 				}
 #ifndef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
-				log_warn("Unbound is not compiled with an "
+				if(!http_notls)
+				  log_warn("Unbound is not compiled with an "
 					"OpenSSL version supporting ALPN "
 					" (OpenSSL >= 1.0.2). This is required "
 					"to use DNS-over-HTTPS");
@@ -1804,8 +1806,7 @@ tcp_req_info_setup_listen(struct tcp_req_info* req)
 
 	if(!req->cp->tcp_is_reading)
 		wr = 1;
-	if(req->num_open_req + req->num_done_req < TCP_MAX_REQ_SIMULTANEOUS &&
-		!req->read_is_closed)
+	if(!req->read_is_closed)
 		rd = 1;
 	
 	if(wr) {

services/listen_dnsport.h

@@ -159,6 +159,7 @@ int resolve_interface_names(struct config_file* cfg, char*** resif,
  * @param harden_large_queries: whether query size should be limited.
  * @param http_max_streams: maximum number of HTTP/2 streams per connection.
  * @param http_endpoint: HTTP endpoint to service queries on
+ * @param http_notls: no TLS for http downstream
  * @param tcp_conn_limit: TCP connection limit info.
  * @param sslctx: nonNULL if ssl context.
  * @param dtenv: nonNULL if dnstap enabled.
@@ -171,8 +172,9 @@ struct listen_dnsport*
 listen_create(struct comm_base* base, struct listen_port* ports,
 	size_t bufsize, int tcp_accept_count, int tcp_idle_timeout,
 	int harden_large_queries, uint32_t http_max_streams,
-	char* http_endpoint, struct tcl_list* tcp_conn_limit, void* sslctx,
-	struct dt_env* dtenv, comm_point_callback_type* cb, void *cb_arg);
+	char* http_endpoint, int http_notls, struct tcl_list* tcp_conn_limit,
+	void* sslctx, struct dt_env* dtenv, comm_point_callback_type* cb,
+	void *cb_arg);
 
 /**
  * delete the listening structure

services/localzone.c

@@ -157,7 +157,7 @@ local_zone_create(uint8_t* nm, size_t len, int labs,
 	z->namelen = len;
 	z->namelabs = labs;
 	lock_rw_init(&z->lock);
-	z->region = regional_create_custom(sizeof(struct regional));
+	z->region = regional_create_nochunk(sizeof(struct regional));
 	if(!z->region) {
 		free(z);
 		return NULL;

testcode/dohclient.c

@@ -90,6 +90,7 @@ static void usage(char* argv[])
 	printf("-e		HTTP endpoint, default: /dns-query\n");
 	printf("-c		Content-type in request, default: "
 		"application/dns-message\n");
+	printf("-n		no-tls, TLS is disabled\n");
 	printf("-h 		This help text\n");
 	exit(1);
 }
@@ -185,7 +186,10 @@ submit_query(struct http2_session* h2_session, struct sldns_buffer* buf)
 	headers[1].name = (uint8_t*)":path";
 	headers[1].value = (uint8_t*)h2_stream->path;
 	headers[2].name = (uint8_t*)":scheme";
-	headers[2].value = (uint8_t*)"https";
+	if(h2_session->ssl)
+		headers[2].value = (uint8_t*)"https";
+	else
+		headers[2].value = (uint8_t*)"http";
 	headers[3].name = (uint8_t*)":authority";
 	headers[3].value = (uint8_t*)h2_session->authority;
 	headers[4].name = (uint8_t*)"content-type";
@@ -246,6 +250,7 @@ static ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session),
 {
 	struct http2_session* h2_session = (struct http2_session*)cb_arg;
 	int r;
+	ssize_t ret;
 	struct timeval tv, *waittv;
 	fd_set rfd;
 	ERR_clear_error();
@@ -267,35 +272,58 @@ static ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session),
 		return NGHTTP2_ERR_WOULDBLOCK;
 	}
 
-	r = SSL_read(h2_session->ssl, buf, len);
-	if(r <= 0) {
-		int want = SSL_get_error(h2_session->ssl, r);
-		if(want == SSL_ERROR_ZERO_RETURN) {
+	if(h2_session->ssl) {
+		r = SSL_read(h2_session->ssl, buf, len);
+		if(r <= 0) {
+			int want = SSL_get_error(h2_session->ssl, r);
+			if(want == SSL_ERROR_ZERO_RETURN) {
+				return NGHTTP2_ERR_EOF;
+			}
+			log_crypto_err("could not SSL_read");
 			return NGHTTP2_ERR_EOF;
 		}
-		log_crypto_err("could not SSL_read");
+		return r;
+	}
+
+	ret = read(h2_session->fd, buf, len);
+	if(ret == 0) {
+		return NGHTTP2_ERR_EOF;
+	} else if(ret < 0) {
+		log_err("could not http2 read: %s", strerror(errno));
 		return NGHTTP2_ERR_EOF;
 	}
-	return r;
+	return ret;
 }
 
 static ssize_t http2_send_cb(nghttp2_session* ATTR_UNUSED(session),
 	const uint8_t* buf, size_t len, int ATTR_UNUSED(flags), void* cb_arg)
 {
 	struct http2_session* h2_session = (struct http2_session*)cb_arg;
+	ssize_t ret;
 
-	int r;
-	ERR_clear_error();
-	r = SSL_write(h2_session->ssl, buf, len);
-	if(r <= 0) {
-		int want = SSL_get_error(h2_session->ssl, r);
-		if(want == SSL_ERROR_ZERO_RETURN) {
+	if(h2_session->ssl) {
+		int r;
+		ERR_clear_error();
+		r = SSL_write(h2_session->ssl, buf, len);
+		if(r <= 0) {
+			int want = SSL_get_error(h2_session->ssl, r);
+			if(want == SSL_ERROR_ZERO_RETURN) {
+				return NGHTTP2_ERR_CALLBACK_FAILURE;
+			}
+			log_crypto_err("could not SSL_write");
 			return NGHTTP2_ERR_CALLBACK_FAILURE;
 		}
-		log_crypto_err("could not SSL_write");
+		return r;
+	}
+
+	ret = write(h2_session->fd, buf, len);
+	if(ret == 0) {
+		return NGHTTP2_ERR_CALLBACK_FAILURE;
+	} else if(ret < 0) {
+		log_err("could not http2 write: %s", strerror(errno));
 		return NGHTTP2_ERR_CALLBACK_FAILURE;
 	}
-	return r;
+	return ret;
 }
 
 static int http2_stream_close_cb(nghttp2_session* ATTR_UNUSED(session),
@@ -459,7 +487,7 @@ http2_read(struct http2_session* h2_session)
 }
 
 static void
-run(struct http2_session* h2_session, int port, int count, char** q)
+run(struct http2_session* h2_session, int port, int no_tls, int count, char** q)
 {
 	int i;
 	SSL_CTX* ctx = NULL;
@@ -470,26 +498,28 @@ run(struct http2_session* h2_session, int port, int count, char** q)
 	fd = open_svr(h2_session->authority, port);
 	h2_session->fd = fd;
 
-	ctx = connect_sslctx_create(NULL, NULL, NULL, 0);
-	if(!ctx) fatal_exit("cannot create ssl ctx");
-	SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)"\x02h2", 3);
-	ssl = outgoing_ssl_fd(ctx, fd);
-	if(!ssl) {
-		printf("cannot create ssl\n");
-		exit(1);
-	}
-	h2_session->ssl = ssl;
-	while(1) {
-		int r;
-		ERR_clear_error();
-		if( (r=SSL_do_handshake(ssl)) == 1)
-			break;
-		r = SSL_get_error(ssl, r);
-		if(r != SSL_ERROR_WANT_READ &&
-			r != SSL_ERROR_WANT_WRITE) {
-			log_crypto_err("could not ssl_handshake");
+	if(!no_tls) {
+		ctx = connect_sslctx_create(NULL, NULL, NULL, 0);
+		if(!ctx) fatal_exit("cannot create ssl ctx");
+		SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)"\x02h2", 3);
+		ssl = outgoing_ssl_fd(ctx, fd);
+		if(!ssl) {
+			printf("cannot create ssl\n");
 			exit(1);
 		}
+		h2_session->ssl = ssl;
+		while(1) {
+			int r;
+			ERR_clear_error();
+			if( (r=SSL_do_handshake(ssl)) == 1)
+				break;
+			r = SSL_get_error(ssl, r);
+			if(r != SSL_ERROR_WANT_READ &&
+				r != SSL_ERROR_WANT_WRITE) {
+				log_crypto_err("could not ssl_handshake");
+				exit(1);
+			}
+		}
 	}
 
 	http2_submit_setting(h2_session);
@@ -511,9 +541,13 @@ run(struct http2_session* h2_session, int port, int count, char** q)
 
 	/* shutdown */
 	http2_session_delete(h2_session);
-	SSL_shutdown(ssl);
-	SSL_free(ssl);
-	SSL_CTX_free(ctx);
+	if(ssl) {
+		SSL_shutdown(ssl);
+		SSL_free(ssl);
+	}
+	if(ctx) {
+		SSL_CTX_free(ctx);
+	}
 	close(fd);
 }
 
@@ -524,10 +558,21 @@ extern char* optarg;
 int main(int argc, char** argv)
 {
 	int c;
-	int port = UNBOUND_DNS_OVER_HTTPS_PORT;
-	struct http2_session* h2_session = http2_session_create();
-	if(!h2_session) fatal_exit("out of memory");
+	int port = UNBOUND_DNS_OVER_HTTPS_PORT, no_tls = 0;
+	struct http2_session* h2_session;
 
+#ifdef USE_WINSOCK
+	WSADATA wsa_data;
+	if(WSAStartup(MAKEWORD(2,2), &wsa_data) != 0) {
+		printf("WSAStartup failed\n");
+		return 1;
+	}
+#endif
+	log_init(0, 0, 0);
+	checklock_start();
+
+	h2_session = http2_session_create();
+	if(!h2_session) fatal_exit("out of memory");
 	if(argc == 1) {
 		usage(argv);
 	}
@@ -537,7 +582,7 @@ int main(int argc, char** argv)
 	h2_session->endpoint = "/dns-query";
 	h2_session->content_type = "application/dns-message";
 
-	while((c=getopt(argc, argv, "c:e:hs:p:P")) != -1) {
+	while((c=getopt(argc, argv, "c:e:hns:p:P")) != -1) {
 		switch(c) {
 			case 'c':
 				h2_session->content_type = optarg;
@@ -545,6 +590,9 @@ int main(int argc, char** argv)
 			case 'e':
 				h2_session->endpoint = optarg;
 				break;
+			case 'n':
+				no_tls = 1;
+				break;
 			case 'p':
 				if(atoi(optarg)==0 && strcmp(optarg,"0")!=0) {
 					printf("error parsing port, "
@@ -573,8 +621,12 @@ int main(int argc, char** argv)
 	}
 
 
-	run(h2_session, port, argc, argv);
+	run(h2_session, port, no_tls, argc, argv);
 
+	checklock_stop();
+#ifdef USE_WINSOCK
+	WSACleanup();
+#endif
 	return 0;
 }
 #else

testcode/fake_event.c

@@ -872,6 +872,7 @@ listen_create(struct comm_base* base, struct listen_port* ATTR_UNUSED(ports),
 	int ATTR_UNUSED(harden_large_queries),
 	uint32_t ATTR_UNUSED(http_max_streams),
 	char* ATTR_UNUSED(http_endpoint),
+	int ATTR_UNUSED(http_notls),
 	struct tcl_list* ATTR_UNUSED(tcp_conn_limit),
 	void* ATTR_UNUSED(sslctx), struct dt_env* ATTR_UNUSED(dtenv),
 	comm_point_callback_type* cb, void *cb_arg)

testdata/dnstap.tdir/dnstap.test

@@ -59,6 +59,8 @@ dig @127.0.0.1 -p $UNBOUND_PORT q7.example.net.
 dig @127.0.0.1 -p $UNBOUND_PORT q8.example.net.
 dig @127.0.0.1 -p $UNBOUND_PORT q9.example.net.
 dig @127.0.0.1 -p $UNBOUND_PORT q10.example.net.
+echo "> wait for log to happen on timer"
+sleep 3
 for x in q1 q2 q3 q4 5 q6 q7 q8 q9 q10; do
 	if grep "$x.example.net" tap.log >/dev/null; then :; else sleep 1; fi
 	if grep "$x.example.net" tap.log >/dev/null; then :; else sleep 1; fi

testdata/doh_downstream_notls.tdir/doh_downstream_notls.conf

@@ -0,0 +1,28 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1@@PORT@
+	https-port: @PORT@
+	tls-service-key: "unbound_server.key"
+	tls-service-pem: "unbound_server.pem"
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	http-query-buffer-size: 1G
+	http-response-buffer-size: 1G
+	http-max-streams: 200
+	http-notls-downstream: yes
+
+	local-zone: "example.net" static
+	local-data: "www1.example.net. IN A 1.2.3.1"
+	local-data: "www2.example.net. IN A 1.2.3.2"
+	local-data: "www3.example.net. IN A 1.2.3.3"
+	local-zone: "drop.net" deny
+	tcp-upstream: yes
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"

testdata/doh_downstream_notls.tdir/doh_downstream_notls.dsc

@@ -0,0 +1,16 @@
+BaseName: doh_downstream_notls
+Version: 1.0
+Description: Test DNS-over-HTTP query processing with no-tls
+CreationDate: Mon Jun 12 12:00:00 CET 2020
+Maintainer:
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: doh_downstream_notls.pre
+Post: doh_downstream_notls.post
+Test: doh_downstream_notls.test
+AuxFiles: 
+Passed:
+Failure:

testdata/doh_downstream_notls.tdir/doh_downstream_notls.post

@@ -0,0 +1,13 @@
+# #-- doh_downstream_notls.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+PRE="../.."
+if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+cat unbound.log

testdata/doh_downstream_notls.tdir/doh_downstream_notls.pre

@@ -0,0 +1,33 @@
+# #-- doh_downstream_notls.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT doh_downstream_notls.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < doh_downstream_notls.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -vvvv -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+

testdata/doh_downstream_notls.tdir/doh_downstream_notls.test

@@ -0,0 +1,339 @@
+# #-- doh_downstream_notls.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+get_make
+(cd $PRE; $MAKE dohclient)
+
+
+# this test query should just work (server is up)
+echo "> query www1.example.net."
+$PRE/dohclient -n -s 127.0.0.1 -p $UNBOUND_PORT www1.example.net. A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+echo "OK"
+
+# multiple requests (from localdata)
+echo "> query www1.example.net. www2.example.net. www3.example.net."
+$PRE/dohclient -n -s 127.0.0.1 -p $UNBOUND_PORT www1.example.net. A IN www2.example.net A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# out of order requests, the example.com elements take 2 seconds to wait.
+echo ""
+echo "> query www1.example.net. www.example.com. www2.example.net. www2.example.com. www3.example.net."
+$PRE/dohclient -n -s 127.0.0.1 -p $UNBOUND_PORT www1.example.net. A IN www.example.com. A IN www2.example.net A IN www2.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www.example.com" outfile | grep "10.20.30.40"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.com" outfile | grep "10.20.30.42"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# out of order requests, the example.com elements take 2 seconds to wait.
+# www.example.com present twice, answered twice.
+echo ""
+echo "> query www1.example.net. www.example.com. www2.example.net. www.example.com. www3.example.net."
+$PRE/dohclient -n -s 127.0.0.1 -p $UNBOUND_PORT www1.example.net. A IN www.example.com. A IN www2.example.net A IN www.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www.example.com" outfile | grep "10.20.30.40"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# out of order requests, the example.com elements take 2 seconds to wait.
+# www3.example.com present twice, answered twice.
+echo ""
+echo "> query www1.example.net. www3.example.com. www2.example.net. www3.example.com. www3.example.net."
+$PRE/dohclient -n -s 127.0.0.1 -p $UNBOUND_PORT www1.example.net. A IN www3.example.com. A IN www2.example.net A IN www3.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.com" outfile | grep "10.20.30.43"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+echo ""
+echo "> query www4.example.com. www3.example.net."
+$PRE/dohclient -n -s 127.0.0.1 -p $UNBOUND_PORT www4.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www4.example.com" outfile | grep "10.20.30.44"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+
+echo ""
+echo "> query a1.example.com. - a90.example.com."
+$PRE/dohclient -n -s 127.0.0.1 -p $UNBOUND_PORT www6.example.com. A IN a1.a.example.com. A IN a2.a.example.com. A IN a3.a.example.com. A IN a4.a.example.com. A IN a5.a.example.com. A IN a6.a.example.com. A IN a7.a.example.com. A IN a8.a.example.com. A IN a9.a.example.com. A IN a10.a.example.com. A IN a11.a.example.com. A IN a12.a.example.com. A IN a13.a.example.com. A IN a14.a.example.com. A IN a15.a.example.com. A IN a16.a.example.com. A IN a17.a.example.com. A IN a18.a.example.com. A IN a19.a.example.com. A IN a20.a.example.com. A IN a21.a.example.com. A IN a22.a.example.com. A IN a23.a.example.com. A IN a24.a.example.com. A IN a25.a.example.com. A IN a26.a.example.com. A IN a27.a.example.com. A IN a28.a.example.com. A IN a29.a.example.com. A IN a30.a.example.com. A IN a31.a.example.com. A IN a32.a.example.com. A IN a33.a.example.com. A IN a34.a.example.com. A IN a35.a.example.com. A IN a36.a.example.com. A IN a37.a.example.com. A IN a38.a.example.com. A IN a39.a.example.com. A IN a40.a.example.com. A IN a41.a.example.com. A IN a42.a.example.com. A IN a43.a.example.com. A IN a44.a.example.com. A IN a45.a.example.com. A IN a46.a.example.com. A IN a47.a.example.com. A IN a48.a.example.com. A IN a49.a.example.com. A IN a50.a.example.com. A IN a51.a.example.com. A IN a52.a.example.com. A IN a53.a.example.com. A IN a54.a.example.com. A IN a55.a.example.com. A IN a56.a.example.com. A IN a57.a.example.com. A IN a58.a.example.com. A IN a59.a.example.com. A IN a60.a.example.com. A IN a61.a.example.com. A IN a62.a.example.com. A IN a63.a.example.com. A IN a64.a.example.com. A IN a65.a.example.com. A IN a66.a.example.com. A IN a67.a.example.com. A IN a68.a.example.com. A IN a69.a.example.com. A IN a70.a.example.com. A IN a71.a.example.com. A IN a72.a.example.com. A IN a73.a.example.com. A IN a74.a.example.com. A IN a75.a.example.com. A IN a76.a.example.com. A IN a77.a.example.com. A IN a78.a.example.com. A IN a79.a.example.com. A IN a80.a.example.com. A IN a81.a.example.com. A IN a82.a.example.com. A IN a83.a.example.com. A IN a84.a.example.com. A IN a85.a.example.com. A IN a86.a.example.com. A IN a87.a.example.com. A IN a88.a.example.com. A IN a89.a.example.com. A IN a90.a.example.com. A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+num_ans=$(grep -B 3 "a.example.com.	IN	A" outfile | grep "rcode: NOERROR" | wc -l )
+if test "$num_ans" -ne 90; then
+	echo "number of answers not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+echo "OK"
+exit 0

testdata/doh_downstream_notls.tdir/doh_downstream_notls.testns

@@ -0,0 +1,74 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.42
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.43
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www4	IN	A
+SECTION ANSWER
+www4	IN	A	10.20.30.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www5	IN	A
+SECTION ANSWER
+www5	IN	A	10.20.30.45
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www6	IN	A
+SECTION ANSWER
+www6	IN	A	10.20.30.46
+ENTRY_END
+
+; lots of noerror/nodata answers for other queries (a.. queries)
+ENTRY_BEGIN
+MATCH opcode qtype subdomain
+REPLY QR AA NOERROR
+ADJUST copy_id copy_query
+SECTION QUESTION
+a.example.com.	IN	A
+SECTION AUTHORITY
+example.com.	IN SOA ns hostmaster 2019 28800 7200 604800 3600
+ENTRY_END

testdata/doh_downstream_notls.tdir/unbound_server.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+-----END RSA PRIVATE KEY-----

testdata/doh_downstream_notls.tdir/unbound_server.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+-----END CERTIFICATE-----

util/config_file.c

@@ -522,11 +522,12 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_STR("tls-ciphersuites:", tls_ciphersuites)
 	else S_YNO("tls-use-sni:", tls_use_sni)
 	else S_NUMBER_NONZERO("https-port:", https_port)
-	else S_STR("http-endpoint", http_endpoint)
-	else S_NUMBER_NONZERO("http-max-streams", http_max_streams)
-	else S_MEMSIZE("http-query-buffer-size", http_query_buffer_size)
-	else S_MEMSIZE("http-response-buffer-size", http_response_buffer_size)
-	else S_YNO("http-nodelay", http_nodelay)
+	else S_STR("http-endpoint:", http_endpoint)
+	else S_NUMBER_NONZERO("http-max-streams:", http_max_streams)
+	else S_MEMSIZE("http-query-buffer-size:", http_query_buffer_size)
+	else S_MEMSIZE("http-response-buffer-size:", http_response_buffer_size)
+	else S_YNO("http-nodelay:", http_nodelay)
+	else S_YNO("http-notls-downstream:", http_notls_downstream)
 	else S_YNO("interface-automatic:", if_automatic)
 	else S_YNO("use-systemd:", use_systemd)
 	else S_YNO("do-daemonize:", do_daemonize)
@@ -990,6 +991,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_MEM(opt, "http-query-buffer-size", http_query_buffer_size)
 	else O_MEM(opt, "http-response-buffer-size", http_response_buffer_size)
 	else O_YNO(opt, "http-nodelay", http_nodelay)
+	else O_YNO(opt, "http-notls-downstream", http_notls_downstream)
 	else O_YNO(opt, "use-systemd", use_systemd)
 	else O_YNO(opt, "do-daemonize", do_daemonize)
 	else O_STR(opt, "chroot", chrootdir)

util/config_file.h

@@ -143,6 +143,8 @@ struct config_file {
 	size_t http_response_buffer_size;
 	/** set TCP_NODELAY option for http sockets */
 	int http_nodelay;
+	/** Disable TLS for http sockets downstream */
+	int http_notls_downstream;
 
 	/** outgoing port range number of ports (per thread) */
 	int outgoing_num_ports;

util/configlexer.lex

@@ -262,6 +262,7 @@ http-max-streams{COLON}		{ YDVAR(1, VAR_HTTP_MAX_STREAMS) }
 http-query-buffer-size{COLON}	{ YDVAR(1, VAR_HTTP_QUERY_BUFFER_SIZE) }
 http-response-buffer-size{COLON} { YDVAR(1, VAR_HTTP_RESPONSE_BUFFER_SIZE) }
 http-nodelay{COLON}		{ YDVAR(1, VAR_HTTP_NODELAY) }
+http-notls-downstream{COLON}	{ YDVAR(1, VAR_HTTP_NOTLS_DOWNSTREAM) }
 use-systemd{COLON}		{ YDVAR(1, VAR_USE_SYSTEMD) }
 do-daemonize{COLON}		{ YDVAR(1, VAR_DO_DAEMONIZE) }
 interface{COLON}		{ YDVAR(1, VAR_INTERFACE) }

util/configparser.h

@@ -1,8 +1,8 @@
-/* A Bison parser, made by GNU Bison 3.5.1.  */
+/* A Bison parser, made by GNU Bison 3.4.1.  */
 
 /* Bison interface for Yacc-like parsers in C
 
-   Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2020 Free Software Foundation,
+   Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation,
    Inc.
 
    This program is free software: you can redistribute it and/or modify
@@ -194,158 +194,159 @@ extern int yydebug;
     VAR_HTTP_QUERY_BUFFER_SIZE = 400,
     VAR_HTTP_RESPONSE_BUFFER_SIZE = 401,
     VAR_HTTP_NODELAY = 402,
-    VAR_STUB_FIRST = 403,
-    VAR_MINIMAL_RESPONSES = 404,
-    VAR_RRSET_ROUNDROBIN = 405,
-    VAR_MAX_UDP_SIZE = 406,
-    VAR_DELAY_CLOSE = 407,
-    VAR_UNBLOCK_LAN_ZONES = 408,
-    VAR_INSECURE_LAN_ZONES = 409,
-    VAR_INFRA_CACHE_MIN_RTT = 410,
-    VAR_DNS64_PREFIX = 411,
-    VAR_DNS64_SYNTHALL = 412,
-    VAR_DNS64_IGNORE_AAAA = 413,
-    VAR_DNSTAP = 414,
-    VAR_DNSTAP_ENABLE = 415,
-    VAR_DNSTAP_SOCKET_PATH = 416,
-    VAR_DNSTAP_IP = 417,
-    VAR_DNSTAP_TLS = 418,
-    VAR_DNSTAP_TLS_SERVER_NAME = 419,
-    VAR_DNSTAP_TLS_CERT_BUNDLE = 420,
-    VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 421,
-    VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 422,
-    VAR_DNSTAP_SEND_IDENTITY = 423,
-    VAR_DNSTAP_SEND_VERSION = 424,
-    VAR_DNSTAP_BIDIRECTIONAL = 425,
-    VAR_DNSTAP_IDENTITY = 426,
-    VAR_DNSTAP_VERSION = 427,
-    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 428,
-    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 429,
-    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 430,
-    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 431,
-    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 432,
-    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 433,
-    VAR_RESPONSE_IP_TAG = 434,
-    VAR_RESPONSE_IP = 435,
-    VAR_RESPONSE_IP_DATA = 436,
-    VAR_HARDEN_ALGO_DOWNGRADE = 437,
-    VAR_IP_TRANSPARENT = 438,
-    VAR_IP_DSCP = 439,
-    VAR_DISABLE_DNSSEC_LAME_CHECK = 440,
-    VAR_IP_RATELIMIT = 441,
-    VAR_IP_RATELIMIT_SLABS = 442,
-    VAR_IP_RATELIMIT_SIZE = 443,
-    VAR_RATELIMIT = 444,
-    VAR_RATELIMIT_SLABS = 445,
-    VAR_RATELIMIT_SIZE = 446,
-    VAR_RATELIMIT_FOR_DOMAIN = 447,
-    VAR_RATELIMIT_BELOW_DOMAIN = 448,
-    VAR_IP_RATELIMIT_FACTOR = 449,
-    VAR_RATELIMIT_FACTOR = 450,
-    VAR_SEND_CLIENT_SUBNET = 451,
-    VAR_CLIENT_SUBNET_ZONE = 452,
-    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 453,
-    VAR_CLIENT_SUBNET_OPCODE = 454,
-    VAR_MAX_CLIENT_SUBNET_IPV4 = 455,
-    VAR_MAX_CLIENT_SUBNET_IPV6 = 456,
-    VAR_MIN_CLIENT_SUBNET_IPV4 = 457,
-    VAR_MIN_CLIENT_SUBNET_IPV6 = 458,
-    VAR_MAX_ECS_TREE_SIZE_IPV4 = 459,
-    VAR_MAX_ECS_TREE_SIZE_IPV6 = 460,
-    VAR_CAPS_WHITELIST = 461,
-    VAR_CACHE_MAX_NEGATIVE_TTL = 462,
-    VAR_PERMIT_SMALL_HOLDDOWN = 463,
-    VAR_QNAME_MINIMISATION = 464,
-    VAR_QNAME_MINIMISATION_STRICT = 465,
-    VAR_IP_FREEBIND = 466,
-    VAR_DEFINE_TAG = 467,
-    VAR_LOCAL_ZONE_TAG = 468,
-    VAR_ACCESS_CONTROL_TAG = 469,
-    VAR_LOCAL_ZONE_OVERRIDE = 470,
-    VAR_ACCESS_CONTROL_TAG_ACTION = 471,
-    VAR_ACCESS_CONTROL_TAG_DATA = 472,
-    VAR_VIEW = 473,
-    VAR_ACCESS_CONTROL_VIEW = 474,
-    VAR_VIEW_FIRST = 475,
-    VAR_SERVE_EXPIRED = 476,
-    VAR_SERVE_EXPIRED_TTL = 477,
-    VAR_SERVE_EXPIRED_TTL_RESET = 478,
-    VAR_SERVE_EXPIRED_REPLY_TTL = 479,
-    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 480,
-    VAR_FAKE_DSA = 481,
-    VAR_FAKE_SHA1 = 482,
-    VAR_LOG_IDENTITY = 483,
-    VAR_HIDE_TRUSTANCHOR = 484,
-    VAR_TRUST_ANCHOR_SIGNALING = 485,
-    VAR_AGGRESSIVE_NSEC = 486,
-    VAR_USE_SYSTEMD = 487,
-    VAR_SHM_ENABLE = 488,
-    VAR_SHM_KEY = 489,
-    VAR_ROOT_KEY_SENTINEL = 490,
-    VAR_DNSCRYPT = 491,
-    VAR_DNSCRYPT_ENABLE = 492,
-    VAR_DNSCRYPT_PORT = 493,
-    VAR_DNSCRYPT_PROVIDER = 494,
-    VAR_DNSCRYPT_SECRET_KEY = 495,
-    VAR_DNSCRYPT_PROVIDER_CERT = 496,
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 497,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 498,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 499,
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 500,
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 501,
-    VAR_IPSECMOD_ENABLED = 502,
-    VAR_IPSECMOD_HOOK = 503,
-    VAR_IPSECMOD_IGNORE_BOGUS = 504,
-    VAR_IPSECMOD_MAX_TTL = 505,
-    VAR_IPSECMOD_WHITELIST = 506,
-    VAR_IPSECMOD_STRICT = 507,
-    VAR_CACHEDB = 508,
-    VAR_CACHEDB_BACKEND = 509,
-    VAR_CACHEDB_SECRETSEED = 510,
-    VAR_CACHEDB_REDISHOST = 511,
-    VAR_CACHEDB_REDISPORT = 512,
-    VAR_CACHEDB_REDISTIMEOUT = 513,
-    VAR_CACHEDB_REDISEXPIRERECORDS = 514,
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 515,
-    VAR_FOR_UPSTREAM = 516,
-    VAR_AUTH_ZONE = 517,
-    VAR_ZONEFILE = 518,
-    VAR_MASTER = 519,
-    VAR_URL = 520,
-    VAR_FOR_DOWNSTREAM = 521,
-    VAR_FALLBACK_ENABLED = 522,
-    VAR_TLS_ADDITIONAL_PORT = 523,
-    VAR_LOW_RTT = 524,
-    VAR_LOW_RTT_PERMIL = 525,
-    VAR_FAST_SERVER_PERMIL = 526,
-    VAR_FAST_SERVER_NUM = 527,
-    VAR_ALLOW_NOTIFY = 528,
-    VAR_TLS_WIN_CERT = 529,
-    VAR_TCP_CONNECTION_LIMIT = 530,
-    VAR_FORWARD_NO_CACHE = 531,
-    VAR_STUB_NO_CACHE = 532,
-    VAR_LOG_SERVFAIL = 533,
-    VAR_DENY_ANY = 534,
-    VAR_UNKNOWN_SERVER_TIME_LIMIT = 535,
-    VAR_LOG_TAG_QUERYREPLY = 536,
-    VAR_STREAM_WAIT_SIZE = 537,
-    VAR_TLS_CIPHERS = 538,
-    VAR_TLS_CIPHERSUITES = 539,
-    VAR_TLS_USE_SNI = 540,
-    VAR_IPSET = 541,
-    VAR_IPSET_NAME_V4 = 542,
-    VAR_IPSET_NAME_V6 = 543,
-    VAR_TLS_SESSION_TICKET_KEYS = 544,
-    VAR_RPZ = 545,
-    VAR_TAGS = 546,
-    VAR_RPZ_ACTION_OVERRIDE = 547,
-    VAR_RPZ_CNAME_OVERRIDE = 548,
-    VAR_RPZ_LOG = 549,
-    VAR_RPZ_LOG_NAME = 550,
-    VAR_DYNLIB = 551,
-    VAR_DYNLIB_FILE = 552,
-    VAR_EDNS_CLIENT_TAG = 553,
-    VAR_EDNS_CLIENT_TAG_OPCODE = 554
+    VAR_HTTP_NOTLS_DOWNSTREAM = 403,
+    VAR_STUB_FIRST = 404,
+    VAR_MINIMAL_RESPONSES = 405,
+    VAR_RRSET_ROUNDROBIN = 406,
+    VAR_MAX_UDP_SIZE = 407,
+    VAR_DELAY_CLOSE = 408,
+    VAR_UNBLOCK_LAN_ZONES = 409,
+    VAR_INSECURE_LAN_ZONES = 410,
+    VAR_INFRA_CACHE_MIN_RTT = 411,
+    VAR_DNS64_PREFIX = 412,
+    VAR_DNS64_SYNTHALL = 413,
+    VAR_DNS64_IGNORE_AAAA = 414,
+    VAR_DNSTAP = 415,
+    VAR_DNSTAP_ENABLE = 416,
+    VAR_DNSTAP_SOCKET_PATH = 417,
+    VAR_DNSTAP_IP = 418,
+    VAR_DNSTAP_TLS = 419,
+    VAR_DNSTAP_TLS_SERVER_NAME = 420,
+    VAR_DNSTAP_TLS_CERT_BUNDLE = 421,
+    VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 422,
+    VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 423,
+    VAR_DNSTAP_SEND_IDENTITY = 424,
+    VAR_DNSTAP_SEND_VERSION = 425,
+    VAR_DNSTAP_BIDIRECTIONAL = 426,
+    VAR_DNSTAP_IDENTITY = 427,
+    VAR_DNSTAP_VERSION = 428,
+    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 429,
+    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 430,
+    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 431,
+    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 432,
+    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 433,
+    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 434,
+    VAR_RESPONSE_IP_TAG = 435,
+    VAR_RESPONSE_IP = 436,
+    VAR_RESPONSE_IP_DATA = 437,
+    VAR_HARDEN_ALGO_DOWNGRADE = 438,
+    VAR_IP_TRANSPARENT = 439,
+    VAR_IP_DSCP = 440,
+    VAR_DISABLE_DNSSEC_LAME_CHECK = 441,
+    VAR_IP_RATELIMIT = 442,
+    VAR_IP_RATELIMIT_SLABS = 443,
+    VAR_IP_RATELIMIT_SIZE = 444,
+    VAR_RATELIMIT = 445,
+    VAR_RATELIMIT_SLABS = 446,
+    VAR_RATELIMIT_SIZE = 447,
+    VAR_RATELIMIT_FOR_DOMAIN = 448,
+    VAR_RATELIMIT_BELOW_DOMAIN = 449,
+    VAR_IP_RATELIMIT_FACTOR = 450,
+    VAR_RATELIMIT_FACTOR = 451,
+    VAR_SEND_CLIENT_SUBNET = 452,
+    VAR_CLIENT_SUBNET_ZONE = 453,
+    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 454,
+    VAR_CLIENT_SUBNET_OPCODE = 455,
+    VAR_MAX_CLIENT_SUBNET_IPV4 = 456,
+    VAR_MAX_CLIENT_SUBNET_IPV6 = 457,
+    VAR_MIN_CLIENT_SUBNET_IPV4 = 458,
+    VAR_MIN_CLIENT_SUBNET_IPV6 = 459,
+    VAR_MAX_ECS_TREE_SIZE_IPV4 = 460,
+    VAR_MAX_ECS_TREE_SIZE_IPV6 = 461,
+    VAR_CAPS_WHITELIST = 462,
+    VAR_CACHE_MAX_NEGATIVE_TTL = 463,
+    VAR_PERMIT_SMALL_HOLDDOWN = 464,
+    VAR_QNAME_MINIMISATION = 465,
+    VAR_QNAME_MINIMISATION_STRICT = 466,
+    VAR_IP_FREEBIND = 467,
+    VAR_DEFINE_TAG = 468,
+    VAR_LOCAL_ZONE_TAG = 469,
+    VAR_ACCESS_CONTROL_TAG = 470,
+    VAR_LOCAL_ZONE_OVERRIDE = 471,
+    VAR_ACCESS_CONTROL_TAG_ACTION = 472,
+    VAR_ACCESS_CONTROL_TAG_DATA = 473,
+    VAR_VIEW = 474,
+    VAR_ACCESS_CONTROL_VIEW = 475,
+    VAR_VIEW_FIRST = 476,
+    VAR_SERVE_EXPIRED = 477,
+    VAR_SERVE_EXPIRED_TTL = 478,
+    VAR_SERVE_EXPIRED_TTL_RESET = 479,
+    VAR_SERVE_EXPIRED_REPLY_TTL = 480,
+    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 481,
+    VAR_FAKE_DSA = 482,
+    VAR_FAKE_SHA1 = 483,
+    VAR_LOG_IDENTITY = 484,
+    VAR_HIDE_TRUSTANCHOR = 485,
+    VAR_TRUST_ANCHOR_SIGNALING = 486,
+    VAR_AGGRESSIVE_NSEC = 487,
+    VAR_USE_SYSTEMD = 488,
+    VAR_SHM_ENABLE = 489,
+    VAR_SHM_KEY = 490,
+    VAR_ROOT_KEY_SENTINEL = 491,
+    VAR_DNSCRYPT = 492,
+    VAR_DNSCRYPT_ENABLE = 493,
+    VAR_DNSCRYPT_PORT = 494,
+    VAR_DNSCRYPT_PROVIDER = 495,
+    VAR_DNSCRYPT_SECRET_KEY = 496,
+    VAR_DNSCRYPT_PROVIDER_CERT = 497,
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 498,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 499,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 500,
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 501,
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 502,
+    VAR_IPSECMOD_ENABLED = 503,
+    VAR_IPSECMOD_HOOK = 504,
+    VAR_IPSECMOD_IGNORE_BOGUS = 505,
+    VAR_IPSECMOD_MAX_TTL = 506,
+    VAR_IPSECMOD_WHITELIST = 507,
+    VAR_IPSECMOD_STRICT = 508,
+    VAR_CACHEDB = 509,
+    VAR_CACHEDB_BACKEND = 510,
+    VAR_CACHEDB_SECRETSEED = 511,
+    VAR_CACHEDB_REDISHOST = 512,
+    VAR_CACHEDB_REDISPORT = 513,
+    VAR_CACHEDB_REDISTIMEOUT = 514,
+    VAR_CACHEDB_REDISEXPIRERECORDS = 515,
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 516,
+    VAR_FOR_UPSTREAM = 517,
+    VAR_AUTH_ZONE = 518,
+    VAR_ZONEFILE = 519,
+    VAR_MASTER = 520,
+    VAR_URL = 521,
+    VAR_FOR_DOWNSTREAM = 522,
+    VAR_FALLBACK_ENABLED = 523,
+    VAR_TLS_ADDITIONAL_PORT = 524,
+    VAR_LOW_RTT = 525,
+    VAR_LOW_RTT_PERMIL = 526,
+    VAR_FAST_SERVER_PERMIL = 527,
+    VAR_FAST_SERVER_NUM = 528,
+    VAR_ALLOW_NOTIFY = 529,
+    VAR_TLS_WIN_CERT = 530,
+    VAR_TCP_CONNECTION_LIMIT = 531,
+    VAR_FORWARD_NO_CACHE = 532,
+    VAR_STUB_NO_CACHE = 533,
+    VAR_LOG_SERVFAIL = 534,
+    VAR_DENY_ANY = 535,
+    VAR_UNKNOWN_SERVER_TIME_LIMIT = 536,
+    VAR_LOG_TAG_QUERYREPLY = 537,
+    VAR_STREAM_WAIT_SIZE = 538,
+    VAR_TLS_CIPHERS = 539,
+    VAR_TLS_CIPHERSUITES = 540,
+    VAR_TLS_USE_SNI = 541,
+    VAR_IPSET = 542,
+    VAR_IPSET_NAME_V4 = 543,
+    VAR_IPSET_NAME_V6 = 544,
+    VAR_TLS_SESSION_TICKET_KEYS = 545,
+    VAR_RPZ = 546,
+    VAR_TAGS = 547,
+    VAR_RPZ_ACTION_OVERRIDE = 548,
+    VAR_RPZ_CNAME_OVERRIDE = 549,
+    VAR_RPZ_LOG = 550,
+    VAR_RPZ_LOG_NAME = 551,
+    VAR_DYNLIB = 552,
+    VAR_DYNLIB_FILE = 553,
+    VAR_EDNS_CLIENT_TAG = 554,
+    VAR_EDNS_CLIENT_TAG_OPCODE = 555
   };
 #endif
 /* Tokens.  */
@@ -494,158 +495,159 @@ extern int yydebug;
 #define VAR_HTTP_QUERY_BUFFER_SIZE 400
 #define VAR_HTTP_RESPONSE_BUFFER_SIZE 401
 #define VAR_HTTP_NODELAY 402
-#define VAR_STUB_FIRST 403
-#define VAR_MINIMAL_RESPONSES 404
-#define VAR_RRSET_ROUNDROBIN 405
-#define VAR_MAX_UDP_SIZE 406
-#define VAR_DELAY_CLOSE 407
-#define VAR_UNBLOCK_LAN_ZONES 408
-#define VAR_INSECURE_LAN_ZONES 409
-#define VAR_INFRA_CACHE_MIN_RTT 410
-#define VAR_DNS64_PREFIX 411
-#define VAR_DNS64_SYNTHALL 412
-#define VAR_DNS64_IGNORE_AAAA 413
-#define VAR_DNSTAP 414
-#define VAR_DNSTAP_ENABLE 415
-#define VAR_DNSTAP_SOCKET_PATH 416
-#define VAR_DNSTAP_IP 417
-#define VAR_DNSTAP_TLS 418
-#define VAR_DNSTAP_TLS_SERVER_NAME 419
-#define VAR_DNSTAP_TLS_CERT_BUNDLE 420
-#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 421
-#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 422
-#define VAR_DNSTAP_SEND_IDENTITY 423
-#define VAR_DNSTAP_SEND_VERSION 424
-#define VAR_DNSTAP_BIDIRECTIONAL 425
-#define VAR_DNSTAP_IDENTITY 426
-#define VAR_DNSTAP_VERSION 427
-#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 428
-#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 429
-#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 430
-#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 431
-#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 432
-#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 433
-#define VAR_RESPONSE_IP_TAG 434
-#define VAR_RESPONSE_IP 435
-#define VAR_RESPONSE_IP_DATA 436
-#define VAR_HARDEN_ALGO_DOWNGRADE 437
-#define VAR_IP_TRANSPARENT 438
-#define VAR_IP_DSCP 439
-#define VAR_DISABLE_DNSSEC_LAME_CHECK 440
-#define VAR_IP_RATELIMIT 441
-#define VAR_IP_RATELIMIT_SLABS 442
-#define VAR_IP_RATELIMIT_SIZE 443
-#define VAR_RATELIMIT 444
-#define VAR_RATELIMIT_SLABS 445
-#define VAR_RATELIMIT_SIZE 446
-#define VAR_RATELIMIT_FOR_DOMAIN 447
-#define VAR_RATELIMIT_BELOW_DOMAIN 448
-#define VAR_IP_RATELIMIT_FACTOR 449
-#define VAR_RATELIMIT_FACTOR 450
-#define VAR_SEND_CLIENT_SUBNET 451
-#define VAR_CLIENT_SUBNET_ZONE 452
-#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 453
-#define VAR_CLIENT_SUBNET_OPCODE 454
-#define VAR_MAX_CLIENT_SUBNET_IPV4 455
-#define VAR_MAX_CLIENT_SUBNET_IPV6 456
-#define VAR_MIN_CLIENT_SUBNET_IPV4 457
-#define VAR_MIN_CLIENT_SUBNET_IPV6 458
-#define VAR_MAX_ECS_TREE_SIZE_IPV4 459
-#define VAR_MAX_ECS_TREE_SIZE_IPV6 460
-#define VAR_CAPS_WHITELIST 461
-#define VAR_CACHE_MAX_NEGATIVE_TTL 462
-#define VAR_PERMIT_SMALL_HOLDDOWN 463
-#define VAR_QNAME_MINIMISATION 464
-#define VAR_QNAME_MINIMISATION_STRICT 465
-#define VAR_IP_FREEBIND 466
-#define VAR_DEFINE_TAG 467
-#define VAR_LOCAL_ZONE_TAG 468
-#define VAR_ACCESS_CONTROL_TAG 469
-#define VAR_LOCAL_ZONE_OVERRIDE 470
-#define VAR_ACCESS_CONTROL_TAG_ACTION 471
-#define VAR_ACCESS_CONTROL_TAG_DATA 472
-#define VAR_VIEW 473
-#define VAR_ACCESS_CONTROL_VIEW 474
-#define VAR_VIEW_FIRST 475
-#define VAR_SERVE_EXPIRED 476
-#define VAR_SERVE_EXPIRED_TTL 477
-#define VAR_SERVE_EXPIRED_TTL_RESET 478
-#define VAR_SERVE_EXPIRED_REPLY_TTL 479
-#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 480
-#define VAR_FAKE_DSA 481
-#define VAR_FAKE_SHA1 482
-#define VAR_LOG_IDENTITY 483
-#define VAR_HIDE_TRUSTANCHOR 484
-#define VAR_TRUST_ANCHOR_SIGNALING 485
-#define VAR_AGGRESSIVE_NSEC 486
-#define VAR_USE_SYSTEMD 487
-#define VAR_SHM_ENABLE 488
-#define VAR_SHM_KEY 489
-#define VAR_ROOT_KEY_SENTINEL 490
-#define VAR_DNSCRYPT 491
-#define VAR_DNSCRYPT_ENABLE 492
-#define VAR_DNSCRYPT_PORT 493
-#define VAR_DNSCRYPT_PROVIDER 494
-#define VAR_DNSCRYPT_SECRET_KEY 495
-#define VAR_DNSCRYPT_PROVIDER_CERT 496
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 497
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 498
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 499
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 500
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 501
-#define VAR_IPSECMOD_ENABLED 502
-#define VAR_IPSECMOD_HOOK 503
-#define VAR_IPSECMOD_IGNORE_BOGUS 504
-#define VAR_IPSECMOD_MAX_TTL 505
-#define VAR_IPSECMOD_WHITELIST 506
-#define VAR_IPSECMOD_STRICT 507
-#define VAR_CACHEDB 508
-#define VAR_CACHEDB_BACKEND 509
-#define VAR_CACHEDB_SECRETSEED 510
-#define VAR_CACHEDB_REDISHOST 511
-#define VAR_CACHEDB_REDISPORT 512
-#define VAR_CACHEDB_REDISTIMEOUT 513
-#define VAR_CACHEDB_REDISEXPIRERECORDS 514
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 515
-#define VAR_FOR_UPSTREAM 516
-#define VAR_AUTH_ZONE 517
-#define VAR_ZONEFILE 518
-#define VAR_MASTER 519
-#define VAR_URL 520
-#define VAR_FOR_DOWNSTREAM 521
-#define VAR_FALLBACK_ENABLED 522
-#define VAR_TLS_ADDITIONAL_PORT 523
-#define VAR_LOW_RTT 524
-#define VAR_LOW_RTT_PERMIL 525
-#define VAR_FAST_SERVER_PERMIL 526
-#define VAR_FAST_SERVER_NUM 527
-#define VAR_ALLOW_NOTIFY 528
-#define VAR_TLS_WIN_CERT 529
-#define VAR_TCP_CONNECTION_LIMIT 530
-#define VAR_FORWARD_NO_CACHE 531
-#define VAR_STUB_NO_CACHE 532
-#define VAR_LOG_SERVFAIL 533
-#define VAR_DENY_ANY 534
-#define VAR_UNKNOWN_SERVER_TIME_LIMIT 535
-#define VAR_LOG_TAG_QUERYREPLY 536
-#define VAR_STREAM_WAIT_SIZE 537
-#define VAR_TLS_CIPHERS 538
-#define VAR_TLS_CIPHERSUITES 539
-#define VAR_TLS_USE_SNI 540
-#define VAR_IPSET 541
-#define VAR_IPSET_NAME_V4 542
-#define VAR_IPSET_NAME_V6 543
-#define VAR_TLS_SESSION_TICKET_KEYS 544
-#define VAR_RPZ 545
-#define VAR_TAGS 546
-#define VAR_RPZ_ACTION_OVERRIDE 547
-#define VAR_RPZ_CNAME_OVERRIDE 548
-#define VAR_RPZ_LOG 549
-#define VAR_RPZ_LOG_NAME 550
-#define VAR_DYNLIB 551
-#define VAR_DYNLIB_FILE 552
-#define VAR_EDNS_CLIENT_TAG 553
-#define VAR_EDNS_CLIENT_TAG_OPCODE 554
+#define VAR_HTTP_NOTLS_DOWNSTREAM 403
+#define VAR_STUB_FIRST 404
+#define VAR_MINIMAL_RESPONSES 405
+#define VAR_RRSET_ROUNDROBIN 406
+#define VAR_MAX_UDP_SIZE 407
+#define VAR_DELAY_CLOSE 408
+#define VAR_UNBLOCK_LAN_ZONES 409
+#define VAR_INSECURE_LAN_ZONES 410
+#define VAR_INFRA_CACHE_MIN_RTT 411
+#define VAR_DNS64_PREFIX 412
+#define VAR_DNS64_SYNTHALL 413
+#define VAR_DNS64_IGNORE_AAAA 414
+#define VAR_DNSTAP 415
+#define VAR_DNSTAP_ENABLE 416
+#define VAR_DNSTAP_SOCKET_PATH 417
+#define VAR_DNSTAP_IP 418
+#define VAR_DNSTAP_TLS 419
+#define VAR_DNSTAP_TLS_SERVER_NAME 420
+#define VAR_DNSTAP_TLS_CERT_BUNDLE 421
+#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 422
+#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 423
+#define VAR_DNSTAP_SEND_IDENTITY 424
+#define VAR_DNSTAP_SEND_VERSION 425
+#define VAR_DNSTAP_BIDIRECTIONAL 426
+#define VAR_DNSTAP_IDENTITY 427
+#define VAR_DNSTAP_VERSION 428
+#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 429
+#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 430
+#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 431
+#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 432
+#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 433
+#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 434
+#define VAR_RESPONSE_IP_TAG 435
+#define VAR_RESPONSE_IP 436
+#define VAR_RESPONSE_IP_DATA 437
+#define VAR_HARDEN_ALGO_DOWNGRADE 438
+#define VAR_IP_TRANSPARENT 439
+#define VAR_IP_DSCP 440
+#define VAR_DISABLE_DNSSEC_LAME_CHECK 441
+#define VAR_IP_RATELIMIT 442
+#define VAR_IP_RATELIMIT_SLABS 443
+#define VAR_IP_RATELIMIT_SIZE 444
+#define VAR_RATELIMIT 445
+#define VAR_RATELIMIT_SLABS 446
+#define VAR_RATELIMIT_SIZE 447
+#define VAR_RATELIMIT_FOR_DOMAIN 448
+#define VAR_RATELIMIT_BELOW_DOMAIN 449
+#define VAR_IP_RATELIMIT_FACTOR 450
+#define VAR_RATELIMIT_FACTOR 451
+#define VAR_SEND_CLIENT_SUBNET 452
+#define VAR_CLIENT_SUBNET_ZONE 453
+#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 454
+#define VAR_CLIENT_SUBNET_OPCODE 455
+#define VAR_MAX_CLIENT_SUBNET_IPV4 456
+#define VAR_MAX_CLIENT_SUBNET_IPV6 457
+#define VAR_MIN_CLIENT_SUBNET_IPV4 458
+#define VAR_MIN_CLIENT_SUBNET_IPV6 459
+#define VAR_MAX_ECS_TREE_SIZE_IPV4 460
+#define VAR_MAX_ECS_TREE_SIZE_IPV6 461
+#define VAR_CAPS_WHITELIST 462
+#define VAR_CACHE_MAX_NEGATIVE_TTL 463
+#define VAR_PERMIT_SMALL_HOLDDOWN 464
+#define VAR_QNAME_MINIMISATION 465
+#define VAR_QNAME_MINIMISATION_STRICT 466
+#define VAR_IP_FREEBIND 467
+#define VAR_DEFINE_TAG 468
+#define VAR_LOCAL_ZONE_TAG 469
+#define VAR_ACCESS_CONTROL_TAG 470
+#define VAR_LOCAL_ZONE_OVERRIDE 471
+#define VAR_ACCESS_CONTROL_TAG_ACTION 472
+#define VAR_ACCESS_CONTROL_TAG_DATA 473
+#define VAR_VIEW 474
+#define VAR_ACCESS_CONTROL_VIEW 475
+#define VAR_VIEW_FIRST 476
+#define VAR_SERVE_EXPIRED 477
+#define VAR_SERVE_EXPIRED_TTL 478
+#define VAR_SERVE_EXPIRED_TTL_RESET 479
+#define VAR_SERVE_EXPIRED_REPLY_TTL 480
+#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 481
+#define VAR_FAKE_DSA 482
+#define VAR_FAKE_SHA1 483
+#define VAR_LOG_IDENTITY 484
+#define VAR_HIDE_TRUSTANCHOR 485
+#define VAR_TRUST_ANCHOR_SIGNALING 486
+#define VAR_AGGRESSIVE_NSEC 487
+#define VAR_USE_SYSTEMD 488
+#define VAR_SHM_ENABLE 489
+#define VAR_SHM_KEY 490
+#define VAR_ROOT_KEY_SENTINEL 491
+#define VAR_DNSCRYPT 492
+#define VAR_DNSCRYPT_ENABLE 493
+#define VAR_DNSCRYPT_PORT 494
+#define VAR_DNSCRYPT_PROVIDER 495
+#define VAR_DNSCRYPT_SECRET_KEY 496
+#define VAR_DNSCRYPT_PROVIDER_CERT 497
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 498
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 499
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 500
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 501
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 502
+#define VAR_IPSECMOD_ENABLED 503
+#define VAR_IPSECMOD_HOOK 504
+#define VAR_IPSECMOD_IGNORE_BOGUS 505
+#define VAR_IPSECMOD_MAX_TTL 506
+#define VAR_IPSECMOD_WHITELIST 507
+#define VAR_IPSECMOD_STRICT 508
+#define VAR_CACHEDB 509
+#define VAR_CACHEDB_BACKEND 510
+#define VAR_CACHEDB_SECRETSEED 511
+#define VAR_CACHEDB_REDISHOST 512
+#define VAR_CACHEDB_REDISPORT 513
+#define VAR_CACHEDB_REDISTIMEOUT 514
+#define VAR_CACHEDB_REDISEXPIRERECORDS 515
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 516
+#define VAR_FOR_UPSTREAM 517
+#define VAR_AUTH_ZONE 518
+#define VAR_ZONEFILE 519
+#define VAR_MASTER 520
+#define VAR_URL 521
+#define VAR_FOR_DOWNSTREAM 522
+#define VAR_FALLBACK_ENABLED 523
+#define VAR_TLS_ADDITIONAL_PORT 524
+#define VAR_LOW_RTT 525
+#define VAR_LOW_RTT_PERMIL 526
+#define VAR_FAST_SERVER_PERMIL 527
+#define VAR_FAST_SERVER_NUM 528
+#define VAR_ALLOW_NOTIFY 529
+#define VAR_TLS_WIN_CERT 530
+#define VAR_TCP_CONNECTION_LIMIT 531
+#define VAR_FORWARD_NO_CACHE 532
+#define VAR_STUB_NO_CACHE 533
+#define VAR_LOG_SERVFAIL 534
+#define VAR_DENY_ANY 535
+#define VAR_UNKNOWN_SERVER_TIME_LIMIT 536
+#define VAR_LOG_TAG_QUERYREPLY 537
+#define VAR_STREAM_WAIT_SIZE 538
+#define VAR_TLS_CIPHERS 539
+#define VAR_TLS_CIPHERSUITES 540
+#define VAR_TLS_USE_SNI 541
+#define VAR_IPSET 542
+#define VAR_IPSET_NAME_V4 543
+#define VAR_IPSET_NAME_V6 544
+#define VAR_TLS_SESSION_TICKET_KEYS 545
+#define VAR_RPZ 546
+#define VAR_TAGS 547
+#define VAR_RPZ_ACTION_OVERRIDE 548
+#define VAR_RPZ_CNAME_OVERRIDE 549
+#define VAR_RPZ_LOG 550
+#define VAR_RPZ_LOG_NAME 551
+#define VAR_DYNLIB 552
+#define VAR_DYNLIB_FILE 553
+#define VAR_EDNS_CLIENT_TAG 554
+#define VAR_EDNS_CLIENT_TAG_OPCODE 555
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -655,7 +657,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 659 "util/configparser.h"
+#line 661 "util/configparser.h"
 
 };
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -114,7 +114,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE
 %token VAR_HTTPS_PORT VAR_HTTP_ENDPOINT VAR_HTTP_MAX_STREAMS
 %token VAR_HTTP_QUERY_BUFFER_SIZE VAR_HTTP_RESPONSE_BUFFER_SIZE
-%token VAR_HTTP_NODELAY
+%token VAR_HTTP_NODELAY VAR_HTTP_NOTLS_DOWNSTREAM
 %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
 %token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
 %token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
@@ -249,7 +249,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
 	server_https_port | server_http_endpoint | server_http_max_streams |
 	server_http_query_buffer_size | server_http_response_buffer_size |
-	server_http_nodelay |
+	server_http_nodelay | server_http_notls_downstream |
 	server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
 	server_so_reuseport | server_delay_close |
 	server_unblock_lan_zones | server_insecure_lan_zones |
@@ -982,6 +982,7 @@ server_https_port: VAR_HTTPS_PORT STRING_ARG
 		if(atoi($2) == 0)
 			yyerror("port number expected");
 		else cfg_parser->cfg->https_port = atoi($2);
+		free($2);
 	};
 server_http_endpoint: VAR_HTTP_ENDPOINT STRING_ARG
 	{
@@ -1030,6 +1031,14 @@ server_http_nodelay: VAR_HTTP_NODELAY STRING_ARG
 			yyerror("expected yes or no.");
 		else cfg_parser->cfg->http_nodelay = (strcmp($2, "yes")==0);
 		free($2);
+	}
+server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG
+	{
+		OUTYY(("P(server_http_notls_downstream:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->http_notls_downstream = (strcmp($2, "yes")==0);
+		free($2);
 	};
 server_use_systemd: VAR_USE_SYSTEMD STRING_ARG
 	{

util/netevent.c

@@ -965,6 +965,10 @@ comm_point_tcp_accept_callback(int fd, short event, void* arg)
 	/* clear leftover flags from previous use, and then set the
 	 * correct event base for the event structure for libevent */
 	ub_event_free(c_hdl->ev->ev);
+	if((c_hdl->type == comm_tcp && c_hdl->tcp_req_info) ||
+		c_hdl->type == comm_local || c_hdl->type == comm_raw)
+		c_hdl->tcp_do_toggle_rw = 0;
+	else	c_hdl->tcp_do_toggle_rw = 1;
 
 	if(c_hdl->type == comm_http) {
 #ifdef HAVE_NGHTTP2
@@ -978,6 +982,10 @@ comm_point_tcp_accept_callback(int fd, short event, void* arg)
 			log_warn("failed to submit http2 settings");
 			return;
 		}
+		if(!c->ssl) {
+			c_hdl->tcp_do_toggle_rw = 0;
+			c_hdl->use_h2 = 1;
+		}
 #endif
 		c_hdl->ev->ev = ub_event_new(c_hdl->ev->base->eb->base, -1,
 			UB_EV_PERSIST | UB_EV_READ | UB_EV_TIMEOUT,
@@ -2359,48 +2367,76 @@ int http2_stream_close_cb(nghttp2_session* ATTR_UNUSED(session),
 ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session), uint8_t* buf,
 	size_t len, int ATTR_UNUSED(flags), void* cb_arg)
 {
-#ifdef HAVE_SSL
 	struct http2_session* h2_session = (struct http2_session*)cb_arg;
-	int r;
+	ssize_t ret;
 
 	log_assert(h2_session->c->type == comm_http);
 	log_assert(h2_session->c->h2_session);
 
-	if(!h2_session->c->ssl)
-		return 0;
-
-	ERR_clear_error();
-	r = SSL_read(h2_session->c->ssl, buf, len);
-	if(r <= 0) {
-		int want = SSL_get_error(h2_session->c->ssl, r);
-		if(want == SSL_ERROR_ZERO_RETURN) {
-			return NGHTTP2_ERR_EOF;
-		} else if(want == SSL_ERROR_WANT_READ) {
-			return NGHTTP2_ERR_WOULDBLOCK;
-		} else if(want == SSL_ERROR_WANT_WRITE) {
-			h2_session->c->ssl_shake_state = comm_ssl_shake_hs_write;
-			comm_point_listen_for_rw(h2_session->c, 0, 1);
-			return NGHTTP2_ERR_WOULDBLOCK;
-		} else if(want == SSL_ERROR_SYSCALL) {
+#ifdef HAVE_SSL
+	if(h2_session->c->ssl) {
+		int r;
+		ERR_clear_error();
+		r = SSL_read(h2_session->c->ssl, buf, len);
+		if(r <= 0) {
+			int want = SSL_get_error(h2_session->c->ssl, r);
+			if(want == SSL_ERROR_ZERO_RETURN) {
+				return NGHTTP2_ERR_EOF;
+			} else if(want == SSL_ERROR_WANT_READ) {
+				return NGHTTP2_ERR_WOULDBLOCK;
+			} else if(want == SSL_ERROR_WANT_WRITE) {
+				h2_session->c->ssl_shake_state = comm_ssl_shake_hs_write;
+				comm_point_listen_for_rw(h2_session->c, 0, 1);
+				return NGHTTP2_ERR_WOULDBLOCK;
+			} else if(want == SSL_ERROR_SYSCALL) {
 #ifdef ECONNRESET
-			if(errno == ECONNRESET && verbosity < 2)
-				return NGHTTP2_ERR_CALLBACK_FAILURE;
+				if(errno == ECONNRESET && verbosity < 2)
+					return NGHTTP2_ERR_CALLBACK_FAILURE;
 #endif
-			if(errno != 0)
-				log_err("SSL_read syscall: %s",
-					strerror(errno));
+				if(errno != 0)
+					log_err("SSL_read syscall: %s",
+						strerror(errno));
+				return NGHTTP2_ERR_CALLBACK_FAILURE;
+			}
+			log_crypto_err("could not SSL_read");
 			return NGHTTP2_ERR_CALLBACK_FAILURE;
 		}
-		log_crypto_err("could not SSL_read");
+		return r;
+	}
+#endif /* HAVE_SSL */
+
+	ret = recv(h2_session->c->fd, buf, len, 0);
+	if(ret == 0) {
+		return NGHTTP2_ERR_EOF;
+	} else if(ret < 0) {
+#ifndef USE_WINSOCK
+		if(errno == EINTR || errno == EAGAIN)
+			return NGHTTP2_ERR_WOULDBLOCK;
+#ifdef ECONNRESET
+		if(errno == ECONNRESET && verbosity < 2)
+			return NGHTTP2_ERR_CALLBACK_FAILURE;
+#endif
+		log_err_addr("could not http2 recv: %s", strerror(errno),
+			&h2_session->c->repinfo.addr,
+			h2_session->c->repinfo.addrlen);
+#else /* USE_WINSOCK */
+		if(WSAGetLastError() == WSAECONNRESET)
+			return NGHTTP2_ERR_CALLBACK_FAILURE;
+		if(WSAGetLastError() == WSAEINPROGRESS)
+			return NGHTTP2_ERR_WOULDBLOCK;
+		if(WSAGetLastError() == WSAEWOULDBLOCK) {
+			ub_winsock_tcp_wouldblock(h2_session->c->ev->ev,
+				UB_EV_READ);
+			return NGHTTP2_ERR_WOULDBLOCK;
+		}
+		log_err_addr("could not http2 recv: %s",
+			wsa_strerror(WSAGetLastError()),
+			&h2_session->c->repinfo.addr,
+			h2_session->c->repinfo.addrlen);
+#endif
 		return NGHTTP2_ERR_CALLBACK_FAILURE;
 	}
-	return r;
-#else
-	(void)buf;
-	(void)len;
-	(void)cb_arg;
-	return -1;
-#endif
+	return ret;
 }
 #endif /* HAVE_NGHTTP2 */
 
@@ -2411,15 +2447,17 @@ comm_point_http2_handle_read(int ATTR_UNUSED(fd), struct comm_point* c)
 #ifdef HAVE_NGHTTP2
 	int ret;
 	log_assert(c->h2_session);
-	log_assert(c->ssl);
 
 	/* reading until recv cb returns NGHTTP2_ERR_WOULDBLOCK */
 	ret = nghttp2_session_recv(c->h2_session->session);
 	if(ret) {
 		if(ret != NGHTTP2_ERR_EOF &&
 			ret != NGHTTP2_ERR_CALLBACK_FAILURE) {
-			verbose(VERB_QUERY, "http2: session_recv failed, "
-				"error: %s", nghttp2_strerror(ret));
+			char a[256];
+			addr_to_str(&c->repinfo.addr, c->repinfo.addrlen,
+				a, sizeof(a));
+			verbose(VERB_QUERY, "http2: session_recv from %s failed, "
+				"error: %s", a, nghttp2_strerror(ret));
 		}
 		return 0;
 	}
@@ -2648,47 +2686,81 @@ http_write_more(int fd, struct comm_point* c)
 ssize_t http2_send_cb(nghttp2_session* ATTR_UNUSED(session), const uint8_t* buf,
 	size_t len, int ATTR_UNUSED(flags), void* cb_arg)
 {
-#ifdef HAVE_SSL
-	int r;
+	ssize_t ret;
 	struct http2_session* h2_session = (struct http2_session*)cb_arg;
 	log_assert(h2_session->c->type == comm_http);
 	log_assert(h2_session->c->h2_session);
 
-	if(!h2_session->c->ssl)
-		return 0;
-
-	ERR_clear_error();
-	r = SSL_write(h2_session->c->ssl, buf, len);
-	if(r <= 0) {
-		int want = SSL_get_error(h2_session->c->ssl, r);
-		if(want == SSL_ERROR_ZERO_RETURN) {
-			return NGHTTP2_ERR_CALLBACK_FAILURE;
-		} else if(want == SSL_ERROR_WANT_READ) {
-			h2_session->c->ssl_shake_state = comm_ssl_shake_hs_read;
-			comm_point_listen_for_rw(h2_session->c, 1, 0);
-			return NGHTTP2_ERR_WOULDBLOCK;
-		} else if(want == SSL_ERROR_WANT_WRITE) {
-			return NGHTTP2_ERR_WOULDBLOCK;
-		} else if(want == SSL_ERROR_SYSCALL) {
-#ifdef EPIPE
-			if(errno == EPIPE && verbosity < 2)
+#ifdef HAVE_SSL
+	if(h2_session->c->ssl) {
+		int r;
+		ERR_clear_error();
+		r = SSL_write(h2_session->c->ssl, buf, len);
+		if(r <= 0) {
+			int want = SSL_get_error(h2_session->c->ssl, r);
+			if(want == SSL_ERROR_ZERO_RETURN) {
 				return NGHTTP2_ERR_CALLBACK_FAILURE;
+			} else if(want == SSL_ERROR_WANT_READ) {
+				h2_session->c->ssl_shake_state = comm_ssl_shake_hs_read;
+				comm_point_listen_for_rw(h2_session->c, 1, 0);
+				return NGHTTP2_ERR_WOULDBLOCK;
+			} else if(want == SSL_ERROR_WANT_WRITE) {
+				return NGHTTP2_ERR_WOULDBLOCK;
+			} else if(want == SSL_ERROR_SYSCALL) {
+#ifdef EPIPE
+				if(errno == EPIPE && verbosity < 2)
+					return NGHTTP2_ERR_CALLBACK_FAILURE;
 #endif
-			if(errno != 0)
-				log_err("SSL_write syscall: %s",
-					strerror(errno));
+				if(errno != 0)
+					log_err("SSL_write syscall: %s",
+						strerror(errno));
+				return NGHTTP2_ERR_CALLBACK_FAILURE;
+			}
+			log_crypto_err("could not SSL_write");
 			return NGHTTP2_ERR_CALLBACK_FAILURE;
 		}
-		log_crypto_err("could not SSL_write");
+		return r;
+	}
+#endif /* HAVE_SSL */
+
+	ret = send(h2_session->c->fd, buf, len, 0);
+	if(ret == 0) {
+		return NGHTTP2_ERR_CALLBACK_FAILURE;
+	} else if(ret < 0) {
+#ifndef USE_WINSOCK
+		if(errno == EINTR || errno == EAGAIN)
+			return NGHTTP2_ERR_WOULDBLOCK;
+#ifdef EPIPE
+		if(errno == EPIPE && verbosity < 2)
+			return NGHTTP2_ERR_CALLBACK_FAILURE;
+#endif
+#ifdef ECONNRESET
+		if(errno == ECONNRESET && verbosity < 2)
+			return NGHTTP2_ERR_CALLBACK_FAILURE;
+#endif
+		log_err_addr("could not http2 write: %s", strerror(errno),
+			&h2_session->c->repinfo.addr,
+			h2_session->c->repinfo.addrlen);
+#else /* USE_WINSOCK */
+		if(WSAGetLastError() == WSAENOTCONN)
+			return NGHTTP2_ERR_WOULDBLOCK;
+		if(WSAGetLastError() == WSAEINPROGRESS)
+			return NGHTTP2_ERR_WOULDBLOCK;
+		if(WSAGetLastError() == WSAEWOULDBLOCK) {
+			ub_winsock_tcp_wouldblock(h2_session->c->ev->ev,
+				UB_EV_WRITE);
+			return NGHTTP2_ERR_WOULDBLOCK;
+		}
+		if(WSAGetLastError() == WSAECONNRESET && verbosity < 2)
+			return NGHTTP2_ERR_CALLBACK_FAILURE;
+		log_err_addr("could not http2 write: %s",
+			wsa_strerror(WSAGetLastError()),
+			&h2_session->c->repinfo.addr,
+			h2_session->c->repinfo.addrlen);
+#endif
 		return NGHTTP2_ERR_CALLBACK_FAILURE;
 	}
-	return r;
-#else
-	(void)buf;
-	(void)len;
-	(void)cb_arg;
-	return -1;
-#endif
+	return ret;
 }
 #endif /* HAVE_NGHTTP2 */
 
@@ -2699,7 +2771,6 @@ comm_point_http2_handle_write(int ATTR_UNUSED(fd), struct comm_point* c)
 #ifdef HAVE_NGHTTP2
 	int ret;
 	log_assert(c->h2_session);
-	log_assert(c->ssl);
 
 	ret = nghttp2_session_send(c->h2_session->session);
 	if(ret) {

util/regional.c

@@ -80,18 +80,38 @@ regional_init(struct regional* r)
 	r->total_large = 0;
 }
 
-struct regional* 
-regional_create_custom(size_t size)
+/**
+ * Create a new region, with custom first block and large-object sizes.
+ * @param size: length of first block.
+ * @param large_object_size: outside of chunk allocation threshold.
+ * @return: newly allocated regional.
+ */
+static struct regional*
+regional_create_custom_large_object(size_t size, size_t large_object_size)
 {
 	struct regional* r = (struct regional*)malloc(size);
 	size = ALIGN_UP(size, ALIGNMENT);
 	log_assert(sizeof(struct regional) <= size);
 	if(!r) return NULL;
 	r->first_size = size;
+	r->large_object_size = large_object_size;
 	regional_init(r);
 	return r;
 }
 
+struct regional*
+regional_create_custom(size_t size)
+{
+	return regional_create_custom_large_object(size,
+		REGIONAL_LARGE_OBJECT_SIZE);
+}
+
+struct regional*
+regional_create_nochunk(size_t size)
+{
+	return regional_create_custom_large_object(size, 0);
+}
+
 void 
 regional_free_all(struct regional *r)
 {
@@ -134,7 +154,7 @@ regional_alloc(struct regional *r, size_t size)
 			malloc and ALIGN_UP */
 	a = ALIGN_UP(size, ALIGNMENT);
 	/* large objects */
-	if(a > REGIONAL_LARGE_OBJECT_SIZE) {
+	if(a > r->large_object_size) {
 		s = malloc(ALIGNMENT + size);
 		if(!s) return NULL;
 		r->total_large += ALIGNMENT+size;
@@ -219,7 +239,7 @@ regional_log_stats(struct regional *r)
 	/* some basic assertions put here (non time critical code) */
 	log_assert(ALIGNMENT >= sizeof(char*));
 	log_assert(REGIONAL_CHUNK_SIZE > ALIGNMENT);
-	log_assert(REGIONAL_CHUNK_SIZE-ALIGNMENT > REGIONAL_LARGE_OBJECT_SIZE);
+	log_assert(REGIONAL_CHUNK_SIZE-ALIGNMENT > r->large_object_size);
 	log_assert(REGIONAL_CHUNK_SIZE >= sizeof(struct regional));
 	/* debug print */
 	log_info("regional %u chunks, %u large",

util/regional.h

@@ -74,6 +74,8 @@ struct regional
 	size_t available;
 	/** current chunk data position. */
 	char* data;
+	/** threshold for outside of chunk allocations */
+	size_t large_object_size;
 };
 
 /**
@@ -88,6 +90,14 @@ struct regional* regional_create(void);
  * @return: newly allocated regional.
  */
 struct regional* regional_create_custom(size_t size);
+
+/**
+ * Create a new region, with custom settings, that will allocate everything
+ * outside the region chunk.
+ * @param size: length of first block.
+ * @return: newly allocated regional.
+ */
+struct regional* regional_create_nochunk(size_t size);
 	
 /**
  * Free all memory associated with regional. Only keeps the first block with