Merge pull request #200 from yarikk/ipdiffserv

add ip-dscp option to specify the DSCP tag for outgoing packets
2025-12-24 00:29:58 -05:00 · 2020-03-24 09:24:16 +01:00 · 2020-03-24 09:24:16 +01:00 · a96a7a6a20
commit a96a7a6a20
parent cca5cfc88f cfddbcb5be
19 changed files with 6913 additions and 6784 deletions
--- a/daemon/remote.c
+++ b/daemon/remote.c
@ -329,7 +329,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
 		/* open fd */
 		fd = create_tcp_accept_sock(res, 1, &noproto, 0,
-			cfg->ip_transparent, 0, cfg->ip_freebind, cfg->use_systemd);
+			cfg->ip_transparent, 0, cfg->ip_freebind, cfg->use_systemd, cfg->ip_dscp);
 		freeaddrinfo(res);
 	}
--- a/daemon/worker.c
+++ b/daemon/worker.c
@ -1808,7 +1808,7 @@ worker_init(struct worker* worker, struct config_file *cfg,
 	worker->back = outside_network_create(worker->base,
 		cfg->msg_buffer_size, (size_t)cfg->outgoing_num_ports, 
 		cfg->out_ifs, cfg->num_out_ifs, cfg->do_ip4, cfg->do_ip6, 
-		cfg->do_tcp?cfg->outgoing_num_tcp:0, 
+		cfg->do_tcp?cfg->outgoing_num_tcp:0, cfg->ip_dscp,
 		worker->daemon->env->infra_cache, worker->rndstate,
 		cfg->use_caps_bits_for_id, worker->ports, worker->numports,
 		cfg->unwanted_threshold, cfg->outgoing_tcp_mss,
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@ -323,6 +323,12 @@ IP addresses that are nonlocal or do not exist, like when the network
 interface or IP address is down.  Exists only on Linux, where the similar
 ip\-transparent option is also available.
 .TP
 .B ip-dscp: \fI<number>
 The value of the Differentiated Services Codepoint (DSCP) in the
 differentiated services field (DS) of the outgoing IP packet headers.
 The field replaces the outdated IPv4 Type-Of-Service field and the
 IPV6 traffic class field.
 .TP
 .B rrset\-cache\-size: \fI<number>
 Number of bytes size of the RRset cache. Default is 4 megabytes.
 A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
--- a/libunbound/libworker.c
+++ b/libunbound/libworker.c
@ -233,7 +233,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
 	w->back = outside_network_create(w->base, cfg->msg_buffer_size,
 		(size_t)cfg->outgoing_num_ports, cfg->out_ifs,
 		cfg->num_out_ifs, cfg->do_ip4, cfg->do_ip6, 
-		cfg->do_tcp?cfg->outgoing_num_tcp:0,
+		cfg->do_tcp?cfg->outgoing_num_tcp:0, cfg->ip_dscp,
 		w->env->infra_cache, w->env->rnd, cfg->use_caps_bits_for_id,
 		ports, numports, cfg->unwanted_threshold,
 		cfg->outgoing_tcp_mss, &libworker_alloc_cleanup, w,
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@ -179,9 +179,10 @@ int
 create_udp_sock(int family, int socktype, struct sockaddr* addr,
        socklen_t addrlen, int v6only, int* inuse, int* noproto,
 	int rcv, int snd, int listen, int* reuseport, int transparent,
-	int freebind, int use_systemd)
+	int freebind, int use_systemd, int dscp)
 {
 	int s;
 	char* err;
 #if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_USE_MIN_MTU)  || defined(IP_TRANSPARENT) || defined(IP_BINDANY) || defined(IP_FREEBIND) || defined (SO_BINDANY)
 	int on=1;
 #endif
@ -451,6 +452,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 #  endif
 #endif /* SO_SNDBUF */
 	}
 	err = set_ip_dscp(s, family, dscp);
 	if(err != NULL)
 		log_warn("error setting IP DiffServ codepoint %d on UDP socket: %s", dscp, err);
 	if(family == AF_INET6) {
 # if defined(IPV6_V6ONLY)
 		if(v6only) {
@ -638,9 +642,10 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 int
 create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
-	int* reuseport, int transparent, int mss, int freebind, int use_systemd)
+	int* reuseport, int transparent, int mss, int freebind, int use_systemd, int dscp)
 {
 	int s;
 	char* err;
 #if defined(SO_REUSEADDR) || defined(SO_REUSEPORT) || defined(IPV6_V6ONLY) || defined(IP_TRANSPARENT) || defined(IP_BINDANY) || defined(IP_FREEBIND) || defined(SO_BINDANY)
 	int on = 1;
 #endif
@ -793,6 +798,9 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
 		strerror(errno));
 	}
 #endif /* IP_TRANSPARENT || IP_BINDANY || SO_BINDANY */
 	err = set_ip_dscp(s, addr->ai_family, dscp);
 	if(err != NULL)
 		log_warn("error setting IP DiffServ codepoint %d on TCP socket: %s", dscp, err);
 	if(
 #ifdef HAVE_SYSTEMD
 		!got_fd_from_systemd &&
@ -866,6 +874,48 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
 	return s;
 }
 char*
 set_ip_dscp(int socket, int addrfamily, int dscp) {
 	int ds;
 	if(dscp == 0)
 		return NULL;
 	ds = dscp << 2;
 	switch(addrfamily) {
 	case AF_INET6:
 		if(setsockopt(socket, IPPROTO_IPV6, IPV6_TCLASS, &ds, sizeof(ds)) < 0)
 			return sock_strerror(errno);
 	default:
 		if(setsockopt(socket, IPPROTO_IP, IP_TOS, &ds, sizeof(ds)) < 0)
 			return sock_strerror(errno);
 	}
 	return NULL;
 }
 #  ifndef USE_WINSOCK
 char*
 sock_strerror(int errn){
 	return strerror(errno);
 }
 void
 sock_close(int socket) {
 	close(socket);
 }
 #  else
 char*
 sock_strerror(int errn){
 	return wsa_strerror(WSAGetLastError()))
 }
 void
 sock_close(int socket) {
 	closesocket(socket);
 }
 #  endif /* USE_WINSOCK */
 int
 create_local_accept_sock(const char *path, int* noproto, int use_systemd)
 {
@ -952,7 +1002,7 @@ err:
 static int
 make_sock(int stype, const char* ifname, const char* port, 
 	struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd,
-	int* reuseport, int transparent, int tcp_mss, int freebind, int use_systemd)
+	int* reuseport, int transparent, int tcp_mss, int freebind, int use_systemd, int dscp)
 {
 	struct addrinfo *res = NULL;
 	int r, s, inuse, noproto;
@ -980,7 +1030,7 @@ make_sock(int stype, const char* ifname, const char* port,
 		s = create_udp_sock(res->ai_family, res->ai_socktype,
 			(struct sockaddr*)res->ai_addr, res->ai_addrlen,
 			v6only, &inuse, &noproto, (int)rcv, (int)snd, 1,
-			reuseport, transparent, freebind, use_systemd);
+			reuseport, transparent, freebind, use_systemd, dscp);
 		if(s == -1 && inuse) {
 			log_err("bind: address already in use");
 		} else if(s == -1 && noproto && hints->ai_family == AF_INET6){
@ -988,7 +1038,7 @@ make_sock(int stype, const char* ifname, const char* port,
 		}
 	} else	{
 		s = create_tcp_accept_sock(res, v6only, &noproto, reuseport,
-			transparent, tcp_mss, freebind, use_systemd);
+			transparent, tcp_mss, freebind, use_systemd, dscp);
 		if(s == -1 && noproto && hints->ai_family == AF_INET6){
 			*noip6 = 1;
 		}
@ -1001,7 +1051,7 @@ make_sock(int stype, const char* ifname, const char* port,
 static int
 make_sock_port(int stype, const char* ifname, const char* port, 
 	struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd,
-	int* reuseport, int transparent, int tcp_mss, int freebind, int use_systemd)
+	int* reuseport, int transparent, int tcp_mss, int freebind, int use_systemd, int dscp)
 {
 	char* s = strchr(ifname, '@');
 	if(s) {
@ -1023,10 +1073,10 @@ make_sock_port(int stype, const char* ifname, const char* port,
 		(void)strlcpy(p, s+1, sizeof(p));
 		p[strlen(s+1)]=0;
 		return make_sock(stype, newif, p, hints, v6only, noip6,
-			rcv, snd, reuseport, transparent, tcp_mss, freebind, use_systemd);
+			rcv, snd, reuseport, transparent, tcp_mss, freebind, use_systemd, dscp);
 	}
 	return make_sock(stype, ifname, port, hints, v6only, noip6, rcv, snd,
-		reuseport, transparent, tcp_mss, freebind, use_systemd);
+		reuseport, transparent, tcp_mss, freebind, use_systemd, dscp);
 }
 /**
@ -1154,7 +1204,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 	size_t rcv, size_t snd, int ssl_port,
 	struct config_strlist* tls_additional_port, int* reuseport,
 	int transparent, int tcp_mss, int freebind, int use_systemd,
-	int dnscrypt_port)
+	int dnscrypt_port, int dscp)
 {
 	int s, noip6=0;
 #ifdef USE_DNSCRYPT
@ -1171,7 +1221,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 	if(do_auto) {
 		if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, 
 			&noip6, rcv, snd, reuseport, transparent,
-			tcp_mss, freebind, use_systemd)) == -1) {
+			tcp_mss, freebind, use_systemd, dscp)) == -1) {
 			if(noip6) {
 				log_warn("IPv6 protocol not available");
 				return 1;
@ -1200,7 +1250,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 		/* regular udp socket */
 		if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, 
 			&noip6, rcv, snd, reuseport, transparent,
-			tcp_mss, freebind, use_systemd)) == -1) {
+			tcp_mss, freebind, use_systemd, dscp)) == -1) {
 			if(noip6) {
 				log_warn("IPv6 protocol not available");
 				return 1;
@ -1222,7 +1272,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 			tls_additional_port);
 		if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, 
 			&noip6, 0, 0, reuseport, transparent, tcp_mss,
-			freebind, use_systemd)) == -1) {
+			freebind, use_systemd, dscp)) == -1) {
 			if(noip6) {
 				/*log_warn("IPv6 protocol not available");*/
 				return 1;
@ -1421,7 +1471,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 				cfg->ssl_port, cfg->tls_additional_port,
 				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
-				cfg->dnscrypt_port)) {
+				cfg->dnscrypt_port, cfg->ip_dscp)) {
 				listening_ports_free(list);
 				return NULL;
 			}
@ -1435,7 +1485,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 				cfg->ssl_port, cfg->tls_additional_port,
 				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
-				cfg->dnscrypt_port)) {
+				cfg->dnscrypt_port, cfg->ip_dscp)) {
 				listening_ports_free(list);
 				return NULL;
 			}
@ -1451,7 +1501,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 				cfg->ssl_port, cfg->tls_additional_port,
 				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
-				cfg->dnscrypt_port)) {
+				cfg->dnscrypt_port, cfg->ip_dscp)) {
 				listening_ports_free(list);
 				return NULL;
 			}
@ -1465,7 +1515,7 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 				cfg->ssl_port, cfg->tls_additional_port,
 				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
-				cfg->dnscrypt_port)) {
+				cfg->dnscrypt_port, cfg->ip_dscp)) {
 				listening_ports_free(list);
 				return NULL;
 			}
--- a/services/listen_dnsport.h
+++ b/services/listen_dnsport.h
@ -209,7 +209,7 @@ void listen_start_accept(struct listen_dnsport* listen);
 */
 int create_udp_sock(int family, int socktype, struct sockaddr* addr, 
 	socklen_t addrlen, int v6only, int* inuse, int* noproto, int rcv,
-	int snd, int listen, int* reuseport, int transparent, int freebind, int use_systemd);
+	int snd, int listen, int* reuseport, int transparent, int freebind, int use_systemd, int dscp);
 /**
 * Create and bind TCP listening socket
@ -225,7 +225,7 @@ int create_udp_sock(int family, int socktype, struct sockaddr* addr,
 * @return: the socket. -1 on error.
 */
 int create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
-	int* reuseport, int transparent, int mss, int freebind, int use_systemd);
+	int* reuseport, int transparent, int mss, int freebind, int use_systemd, int dscp);
 /**
 * Create and bind local listening socket
@ -367,4 +367,7 @@ int tcp_req_info_handle_read_close(struct tcp_req_info* req);
 /** get the size of currently used tcp stream wait buffers (in bytes) */
 size_t tcp_req_info_get_stream_buffer_size(void);
 char* set_ip_dscp(int socket, int addrfamily, int ds);
 char* sock_strerror(int errn);
 #endif /* LISTEN_DNSPORT_H */
--- a/services/outside_network.c
+++ b/services/outside_network.c
@ -205,18 +205,25 @@ pick_outgoing_tcp(struct waiting_tcp* w, int s)
 /** get TCP file descriptor for address, returns -1 on failure,
 * tcp_mss is 0 or maxseg size to set for TCP packets. */
 int
-outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss)
+outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss, int dscp)
 {
 	int s;
 	int af;
 	char* err;
 #ifdef SO_REUSEADDR
 	int on = 1;
 #endif
 #ifdef INET6
-	if(addr_is_ip6(addr, addrlen))
+	if(addr_is_ip6(addr, addrlen)){
 		s = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP);
-	else
+		af = AF_INET6;
 	} else {
 #else
 	{
 #endif
 		af = AF_INET;
 		s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
 	}
 	if(s == -1) {
 #ifndef USE_WINSOCK
 		log_err_addr("outgoing tcp: socket", strerror(errno),
@ -236,6 +243,12 @@ outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss)
 	}
 #endif
 	err = set_ip_dscp(s, af, dscp);
 	if(err != NULL) {
 		verbose(VERB_ALGO, "outgoing tcp:"
 			"error setting IP DiffServ codepoint on socket");
 	}
 	if(tcp_mss > 0) {
 #if defined(IPPROTO_TCP) && defined(TCP_MAXSEG)
 		if(setsockopt(s, IPPROTO_TCP, TCP_MAXSEG,
@ -291,7 +304,7 @@ outnet_tcp_take_into_use(struct waiting_tcp* w, uint8_t* pkt, size_t pkt_len)
 	log_assert(pkt);
 	log_assert(w->addrlen > 0);
 	/* open socket */
-	s = outnet_get_tcp_fd(&w->addr, w->addrlen, w->outnet->tcp_mss);
+	s = outnet_get_tcp_fd(&w->addr, w->addrlen, w->outnet->tcp_mss, w->outnet->ip_dscp);
 	if(s == -1)
 		return 0;
@ -719,7 +732,7 @@ static int setup_if(struct port_if* pif, const char* addrstr,
 struct outside_network* 
 outside_network_create(struct comm_base *base, size_t bufsize, 
 	size_t num_ports, char** ifs, int num_ifs, int do_ip4, 
-	int do_ip6, size_t num_tcp, struct infra_cache* infra,
+	int do_ip6, size_t num_tcp, int dscp, struct infra_cache* infra,
 	struct ub_randstate* rnd, int use_caps_for_id, int* availports, 
 	int numavailports, size_t unwanted_threshold, int tcp_mss,
 	void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
@ -752,6 +765,7 @@ outside_network_create(struct comm_base *base, size_t bufsize,
 	outnet->use_caps_for_id = use_caps_for_id;
 	outnet->do_udp = do_udp;
 	outnet->tcp_mss = tcp_mss;
 	outnet->ip_dscp = dscp;
 #ifndef S_SPLINT_S
 	if(delayclose) {
 		outnet->delayclose = 1;
@ -1041,7 +1055,7 @@ sai6_putrandom(struct sockaddr_in6 *sa, int pfxlen, struct ub_randstate *rnd)
 */
 static int
 udp_sockport(struct sockaddr_storage* addr, socklen_t addrlen, int pfxlen,
-	int port, int* inuse, struct ub_randstate* rnd)
+	int port, int* inuse, struct ub_randstate* rnd, int dscp)
 {
 	int fd, noproto;
 	if(addr_is_ip6(addr, addrlen)) {
@ -1056,13 +1070,13 @@ udp_sockport(struct sockaddr_storage* addr, socklen_t addrlen, int pfxlen,
 		}
 		fd = create_udp_sock(AF_INET6, SOCK_DGRAM, 
 			(struct sockaddr*)&sa, addrlen, 1, inuse, &noproto,
-			0, 0, 0, NULL, 0, freebind, 0);
+			0, 0, 0, NULL, 0, freebind, 0, dscp);
 	} else {
 		struct sockaddr_in* sa = (struct sockaddr_in*)addr;
 		sa->sin_port = (in_port_t)htons((uint16_t)port);
 		fd = create_udp_sock(AF_INET, SOCK_DGRAM, 
 			(struct sockaddr*)addr, addrlen, 1, inuse, &noproto,
-			0, 0, 0, NULL, 0, 0, 0);
+			0, 0, 0, NULL, 0, 0, 0, dscp);
 	}
 	return fd;
 }
@ -1127,7 +1141,7 @@ select_ifport(struct outside_network* outnet, struct pending* pend,
 		my_port = portno = 0;
 #endif
 		fd = udp_sockport(&pif->addr, pif->addrlen, pif->pfxlen,
-			portno, &inuse, outnet->rnd);
+			portno, &inuse, outnet->rnd, outnet->ip_dscp);
 		if(fd == -1 && !inuse) {
 			/* nonrecoverable error making socket */
 			return 0;
@ -2176,10 +2190,11 @@ fd_for_dest(struct outside_network* outnet, struct sockaddr_storage* to_addr,
 {
 	struct sockaddr_storage* addr;
 	socklen_t addrlen;
-	int i, try, pnum;
+	int i, try, pnum, dscp;
 	struct port_if* pif;
 	/* create fd */
 	dscp = outnet->ip_dscp;
 	for(try = 0; try<1000; try++) {
 		int port = 0;
 		int freebind = 0;
@ -2226,13 +2241,13 @@ fd_for_dest(struct outside_network* outnet, struct sockaddr_storage* to_addr,
 			sa.sin6_port = (in_port_t)htons((uint16_t)port);
 			fd = create_udp_sock(AF_INET6, SOCK_DGRAM,
 				(struct sockaddr*)&sa, addrlen, 1, &inuse, &noproto,
-				0, 0, 0, NULL, 0, freebind, 0);
+				0, 0, 0, NULL, 0, freebind, 0, dscp);
 		} else {
 			struct sockaddr_in* sa = (struct sockaddr_in*)addr;
 			sa->sin_port = (in_port_t)htons((uint16_t)port);
 			fd = create_udp_sock(AF_INET, SOCK_DGRAM, 
 				(struct sockaddr*)addr, addrlen, 1, &inuse, &noproto,
-				0, 0, 0, NULL, 0, freebind, 0);
+				0, 0, 0, NULL, 0, freebind, 0, dscp);
 		}
 		if(fd != -1) {
 			return fd;
@ -2324,7 +2339,7 @@ outnet_comm_point_for_tcp(struct outside_network* outnet,
 	sldns_buffer* query, int timeout, int ssl, char* host)
 {
 	struct comm_point* cp;
-	int fd = outnet_get_tcp_fd(to_addr, to_addrlen, outnet->tcp_mss);
+	int fd = outnet_get_tcp_fd(to_addr, to_addrlen, outnet->tcp_mss, outnet->ip_dscp);
 	if(fd == -1) {
 		return 0;
 	}
@ -2386,7 +2401,7 @@ outnet_comm_point_for_http(struct outside_network* outnet,
 {
 	/* cp calls cb with err=NETEVENT_DONE when transfer is done */
 	struct comm_point* cp;
-	int fd = outnet_get_tcp_fd(to_addr, to_addrlen, outnet->tcp_mss);
+	int fd = outnet_get_tcp_fd(to_addr, to_addrlen, outnet->tcp_mss, outnet->ip_dscp);
 	if(fd == -1) {
 		return 0;
 	}
--- a/services/outside_network.h
+++ b/services/outside_network.h
@ -138,6 +138,8 @@ struct outside_network {
 #endif
 	/** maximum segment size of tcp socket */
 	int tcp_mss;
 	/** IP_TOS socket option requested on the sockets */
 	int ip_dscp;
 	/**
 	 * Array of tcp pending used for outgoing TCP connections.
@ -419,7 +421,7 @@ struct serviced_query {
 */
 struct outside_network* outside_network_create(struct comm_base* base,
 	size_t bufsize, size_t num_ports, char** ifs, int num_ifs,
-	int do_ip4, int do_ip6, size_t num_tcp, struct infra_cache* infra, 
+	int do_ip4, int do_ip6, size_t num_tcp, int dscp, struct infra_cache* infra, 
 	struct ub_randstate* rnd, int use_caps_for_id, int* availports, 
 	int numavailports, size_t unwanted_threshold, int tcp_mss,
 	void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
@ -542,7 +544,7 @@ size_t serviced_get_mem(struct serviced_query* sq);
 /** get TCP file descriptor for address, returns -1 on failure,
 * tcp_mss is 0 or maxseg size to set for TCP packets. */
-int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss);
+int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss, int dscp);
 /**
 * Create udp commpoint suitable for sending packets to the destination.
--- a/testcode/fake_event.c
+++ b/testcode/fake_event.c
@ -1031,6 +1031,7 @@ outside_network_create(struct comm_base* base, size_t bufsize,
 	size_t ATTR_UNUSED(num_ports), char** ATTR_UNUSED(ifs), 
 	int ATTR_UNUSED(num_ifs), int ATTR_UNUSED(do_ip4), 
 	int ATTR_UNUSED(do_ip6), size_t ATTR_UNUSED(num_tcp), 
 	int ATTR_UNUSED(dscp),
 	struct infra_cache* infra,
 	struct ub_randstate* ATTR_UNUSED(rnd), 
 	int ATTR_UNUSED(use_caps_for_id), int* ATTR_UNUSED(availports),
@ -1583,7 +1584,7 @@ int create_udp_sock(int ATTR_UNUSED(family), int ATTR_UNUSED(socktype),
 	int* ATTR_UNUSED(noproto), int ATTR_UNUSED(rcv), int ATTR_UNUSED(snd),
 	int ATTR_UNUSED(listen), int* ATTR_UNUSED(reuseport),
 	int ATTR_UNUSED(transparent), int ATTR_UNUSED(freebind),
-	int ATTR_UNUSED(use_systemd))
+	int ATTR_UNUSED(use_systemd), int ATTR_UNUSED(dscp))
 {
 	/* if you actually print to this, it'll be stdout during test */
 	return 1;
@ -1790,7 +1791,7 @@ int comm_point_send_udp_msg(struct comm_point *c, sldns_buffer* packet,
 }
 int outnet_get_tcp_fd(struct sockaddr_storage* ATTR_UNUSED(addr),
-	socklen_t ATTR_UNUSED(addrlen), int ATTR_UNUSED(tcp_mss))
+	socklen_t ATTR_UNUSED(addrlen), int ATTR_UNUSED(tcp_mss), int ATTR_UNUSED(dscp))
 {
 	log_assert(0);
 	return -1;
--- a/testdata/04-checkconf.tdir/bad.dscp
+++ b/testdata/04-checkconf.tdir/bad.dscp
@ -0,0 +1,5 @@
 include: "good.min"
 server:
 	# an abnormal value for the option
 	ip-dscp: 500
--- a/testdata/04-checkconf.tdir/good.all
+++ b/testdata/04-checkconf.tdir/good.all
@ -220,6 +220,10 @@ server:
 	# more slabs reduce lock contention, but fragment memory usage.
 	key-cache-slabs: 4
 	# the value of the Differentiated Services Codepoint (DSCP)
 	# in the differentiated services field (DS) of the outgoing
 	# IP packets
 	ip-dscp: 5
 # Stub zones.
 # Create entries like below, to make all queries for 'example.com' and 
--- a/testdata/04-checkconf.tdir/good.min
+++ b/testdata/04-checkconf.tdir/good.min
@ -0,0 +1,7 @@
 # the minimal passing config - include in your bad.x to verify that
 # it is your option which triggers failure
 server:
 	chroot: ""
 	username: ""
 	directory: "."
 	pidfile: ""
--- a/util/config_file.c
+++ b/util/config_file.c
@ -186,6 +186,7 @@ config_create(void)
 	cfg->so_reuseport = REUSEPORT_DEFAULT;
 	cfg->ip_transparent = 0;
 	cfg->ip_freebind = 0;
 	cfg->ip_dscp = 0;
 	cfg->num_ifs = 0;
 	cfg->ifs = NULL;
 	cfg->num_out_ifs = 0;
@ -923,6 +924,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "so-reuseport", so_reuseport)
 	else O_YNO(opt, "ip-transparent", ip_transparent)
 	else O_YNO(opt, "ip-freebind", ip_freebind)
 	else O_DEC(opt, "ip-dscp", ip_dscp)
 	else O_MEM(opt, "rrset-cache-size", rrset_cache_size)
 	else O_DEC(opt, "rrset-cache-slabs", rrset_cache_slabs)
 	else O_YNO(opt, "prefetch-key", prefetch_key)
--- a/util/config_file.h
+++ b/util/config_file.h
@ -188,6 +188,8 @@ struct config_file {
 	int ip_transparent;
 	/** IP_FREEBIND socket option request on port 53 sockets */
 	int ip_freebind;
 	/** IP_TOS socket option requested on port 53 sockets */
 	int ip_dscp;
 	/** number of interfaces to open. If 0 default all interfaces. */
 	int num_ifs;
--- a/util/configlexer.c
+++ b/util/configlexer.c
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@ -259,6 +259,7 @@ so-sndbuf{COLON}		{ YDVAR(1, VAR_SO_SNDBUF) }
 so-reuseport{COLON}		{ YDVAR(1, VAR_SO_REUSEPORT) }
 ip-transparent{COLON}		{ YDVAR(1, VAR_IP_TRANSPARENT) }
 ip-freebind{COLON}		{ YDVAR(1, VAR_IP_FREEBIND) }
 ip-dscp{COLON}		{ YDVAR(1, VAR_IP_DSCP) }
 chroot{COLON}			{ YDVAR(1, VAR_CHROOT) }
 username{COLON}			{ YDVAR(1, VAR_USERNAME) }
 directory{COLON}		{ YDVAR(1, VAR_DIRECTORY) }
--- a/util/configparser.c
+++ b/util/configparser.c
--- a/util/configparser.h
+++ b/util/configparser.h
@ -1,14 +1,14 @@
-/* A Bison parser, made by GNU Bison 3.4.1.  */
+/* A Bison parser, made by GNU Bison 2.3.  */
-/* Bison interface for Yacc-like parsers in C
+/* Skeleton interface for Bison's Yacc-like parsers in C
-   Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation,
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
-   Inc.
+   Free Software Foundation, Inc.
-   This program is free software: you can redistribute it and/or modify
+   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation, either version 3 of the License, or
+   the Free Software Foundation; either version 2, or (at your option)
-   (at your option) any later version.
+   any later version.
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
@ -16,7 +16,9 @@
   GNU General Public License for more details.
   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
+   along with this program; if not, write to the Free Software
   Foundation, Inc., 51 Franklin Street, Fifth Floor,
   Boston, MA 02110-1301, USA.  */
 /* As a special exception, you may create a larger work that contains
   part or all of the Bison parser skeleton and distribute that work
@ -31,307 +33,296 @@
   This special exception was added by the Free Software Foundation in
   version 2.2 of Bison.  */
-/* Undocumented macros, especially those whose name start with YY_,
+/* Tokens.  */
   are private implementation details.  Do not rely on them.  */
 #ifndef YY_YY_UTIL_CONFIGPARSER_H_INCLUDED
 # define YY_YY_UTIL_CONFIGPARSER_H_INCLUDED
 /* Debug traces.  */
 #ifndef YYDEBUG
 # define YYDEBUG 0
 #endif
 #if YYDEBUG
 extern int yydebug;
 #endif
 /* Token type.  */
 #ifndef YYTOKENTYPE
 # define YYTOKENTYPE
-  enum yytokentype
+   /* Put the tokens into the symbol table, so that GDB and other debuggers
-  {
+      know about them.  */
-    SPACE = 258,
+   enum yytokentype {
-    LETTER = 259,
+     SPACE = 258,
-    NEWLINE = 260,
+     LETTER = 259,
-    COMMENT = 261,
+     NEWLINE = 260,
-    COLON = 262,
+     COMMENT = 261,
-    ANY = 263,
+     COLON = 262,
-    ZONESTR = 264,
+     ANY = 263,
-    STRING_ARG = 265,
+     ZONESTR = 264,
-    VAR_SERVER = 266,
+     STRING_ARG = 265,
-    VAR_VERBOSITY = 267,
+     VAR_SERVER = 266,
-    VAR_NUM_THREADS = 268,
+     VAR_VERBOSITY = 267,
-    VAR_PORT = 269,
+     VAR_NUM_THREADS = 268,
-    VAR_OUTGOING_RANGE = 270,
+     VAR_PORT = 269,
-    VAR_INTERFACE = 271,
+     VAR_OUTGOING_RANGE = 270,
-    VAR_PREFER_IP4 = 272,
+     VAR_INTERFACE = 271,
-    VAR_DO_IP4 = 273,
+     VAR_PREFER_IP4 = 272,
-    VAR_DO_IP6 = 274,
+     VAR_DO_IP4 = 273,
-    VAR_PREFER_IP6 = 275,
+     VAR_DO_IP6 = 274,
-    VAR_DO_UDP = 276,
+     VAR_PREFER_IP6 = 275,
-    VAR_DO_TCP = 277,
+     VAR_DO_UDP = 276,
-    VAR_TCP_MSS = 278,
+     VAR_DO_TCP = 277,
-    VAR_OUTGOING_TCP_MSS = 279,
+     VAR_TCP_MSS = 278,
-    VAR_TCP_IDLE_TIMEOUT = 280,
+     VAR_OUTGOING_TCP_MSS = 279,
-    VAR_EDNS_TCP_KEEPALIVE = 281,
+     VAR_TCP_IDLE_TIMEOUT = 280,
-    VAR_EDNS_TCP_KEEPALIVE_TIMEOUT = 282,
+     VAR_EDNS_TCP_KEEPALIVE = 281,
-    VAR_CHROOT = 283,
+     VAR_EDNS_TCP_KEEPALIVE_TIMEOUT = 282,
-    VAR_USERNAME = 284,
+     VAR_CHROOT = 283,
-    VAR_DIRECTORY = 285,
+     VAR_USERNAME = 284,
-    VAR_LOGFILE = 286,
+     VAR_DIRECTORY = 285,
-    VAR_PIDFILE = 287,
+     VAR_LOGFILE = 286,
-    VAR_MSG_CACHE_SIZE = 288,
+     VAR_PIDFILE = 287,
-    VAR_MSG_CACHE_SLABS = 289,
+     VAR_MSG_CACHE_SIZE = 288,
-    VAR_NUM_QUERIES_PER_THREAD = 290,
+     VAR_MSG_CACHE_SLABS = 289,
-    VAR_RRSET_CACHE_SIZE = 291,
+     VAR_NUM_QUERIES_PER_THREAD = 290,
-    VAR_RRSET_CACHE_SLABS = 292,
+     VAR_RRSET_CACHE_SIZE = 291,
-    VAR_OUTGOING_NUM_TCP = 293,
+     VAR_RRSET_CACHE_SLABS = 292,
-    VAR_INFRA_HOST_TTL = 294,
+     VAR_OUTGOING_NUM_TCP = 293,
-    VAR_INFRA_LAME_TTL = 295,
+     VAR_INFRA_HOST_TTL = 294,
-    VAR_INFRA_CACHE_SLABS = 296,
+     VAR_INFRA_LAME_TTL = 295,
-    VAR_INFRA_CACHE_NUMHOSTS = 297,
+     VAR_INFRA_CACHE_SLABS = 296,
-    VAR_INFRA_CACHE_LAME_SIZE = 298,
+     VAR_INFRA_CACHE_NUMHOSTS = 297,
-    VAR_NAME = 299,
+     VAR_INFRA_CACHE_LAME_SIZE = 298,
-    VAR_STUB_ZONE = 300,
+     VAR_NAME = 299,
-    VAR_STUB_HOST = 301,
+     VAR_STUB_ZONE = 300,
-    VAR_STUB_ADDR = 302,
+     VAR_STUB_HOST = 301,
-    VAR_TARGET_FETCH_POLICY = 303,
+     VAR_STUB_ADDR = 302,
-    VAR_HARDEN_SHORT_BUFSIZE = 304,
+     VAR_TARGET_FETCH_POLICY = 303,
-    VAR_HARDEN_LARGE_QUERIES = 305,
+     VAR_HARDEN_SHORT_BUFSIZE = 304,
-    VAR_FORWARD_ZONE = 306,
+     VAR_HARDEN_LARGE_QUERIES = 305,
-    VAR_FORWARD_HOST = 307,
+     VAR_FORWARD_ZONE = 306,
-    VAR_FORWARD_ADDR = 308,
+     VAR_FORWARD_HOST = 307,
-    VAR_DO_NOT_QUERY_ADDRESS = 309,
+     VAR_FORWARD_ADDR = 308,
-    VAR_HIDE_IDENTITY = 310,
+     VAR_DO_NOT_QUERY_ADDRESS = 309,
-    VAR_HIDE_VERSION = 311,
+     VAR_HIDE_IDENTITY = 310,
-    VAR_IDENTITY = 312,
+     VAR_HIDE_VERSION = 311,
-    VAR_VERSION = 313,
+     VAR_IDENTITY = 312,
-    VAR_HARDEN_GLUE = 314,
+     VAR_VERSION = 313,
-    VAR_MODULE_CONF = 315,
+     VAR_HARDEN_GLUE = 314,
-    VAR_TRUST_ANCHOR_FILE = 316,
+     VAR_MODULE_CONF = 315,
-    VAR_TRUST_ANCHOR = 317,
+     VAR_TRUST_ANCHOR_FILE = 316,
-    VAR_VAL_OVERRIDE_DATE = 318,
+     VAR_TRUST_ANCHOR = 317,
-    VAR_BOGUS_TTL = 319,
+     VAR_VAL_OVERRIDE_DATE = 318,
-    VAR_VAL_CLEAN_ADDITIONAL = 320,
+     VAR_BOGUS_TTL = 319,
-    VAR_VAL_PERMISSIVE_MODE = 321,
+     VAR_VAL_CLEAN_ADDITIONAL = 320,
-    VAR_INCOMING_NUM_TCP = 322,
+     VAR_VAL_PERMISSIVE_MODE = 321,
-    VAR_MSG_BUFFER_SIZE = 323,
+     VAR_INCOMING_NUM_TCP = 322,
-    VAR_KEY_CACHE_SIZE = 324,
+     VAR_MSG_BUFFER_SIZE = 323,
-    VAR_KEY_CACHE_SLABS = 325,
+     VAR_KEY_CACHE_SIZE = 324,
-    VAR_TRUSTED_KEYS_FILE = 326,
+     VAR_KEY_CACHE_SLABS = 325,
-    VAR_VAL_NSEC3_KEYSIZE_ITERATIONS = 327,
+     VAR_TRUSTED_KEYS_FILE = 326,
-    VAR_USE_SYSLOG = 328,
+     VAR_VAL_NSEC3_KEYSIZE_ITERATIONS = 327,
-    VAR_OUTGOING_INTERFACE = 329,
+     VAR_USE_SYSLOG = 328,
-    VAR_ROOT_HINTS = 330,
+     VAR_OUTGOING_INTERFACE = 329,
-    VAR_DO_NOT_QUERY_LOCALHOST = 331,
+     VAR_ROOT_HINTS = 330,
-    VAR_CACHE_MAX_TTL = 332,
+     VAR_DO_NOT_QUERY_LOCALHOST = 331,
-    VAR_HARDEN_DNSSEC_STRIPPED = 333,
+     VAR_CACHE_MAX_TTL = 332,
-    VAR_ACCESS_CONTROL = 334,
+     VAR_HARDEN_DNSSEC_STRIPPED = 333,
-    VAR_LOCAL_ZONE = 335,
+     VAR_ACCESS_CONTROL = 334,
-    VAR_LOCAL_DATA = 336,
+     VAR_LOCAL_ZONE = 335,
-    VAR_INTERFACE_AUTOMATIC = 337,
+     VAR_LOCAL_DATA = 336,
-    VAR_STATISTICS_INTERVAL = 338,
+     VAR_INTERFACE_AUTOMATIC = 337,
-    VAR_DO_DAEMONIZE = 339,
+     VAR_STATISTICS_INTERVAL = 338,
-    VAR_USE_CAPS_FOR_ID = 340,
+     VAR_DO_DAEMONIZE = 339,
-    VAR_STATISTICS_CUMULATIVE = 341,
+     VAR_USE_CAPS_FOR_ID = 340,
-    VAR_OUTGOING_PORT_PERMIT = 342,
+     VAR_STATISTICS_CUMULATIVE = 341,
-    VAR_OUTGOING_PORT_AVOID = 343,
+     VAR_OUTGOING_PORT_PERMIT = 342,
-    VAR_DLV_ANCHOR_FILE = 344,
+     VAR_OUTGOING_PORT_AVOID = 343,
-    VAR_DLV_ANCHOR = 345,
+     VAR_DLV_ANCHOR_FILE = 344,
-    VAR_NEG_CACHE_SIZE = 346,
+     VAR_DLV_ANCHOR = 345,
-    VAR_HARDEN_REFERRAL_PATH = 347,
+     VAR_NEG_CACHE_SIZE = 346,
-    VAR_PRIVATE_ADDRESS = 348,
+     VAR_HARDEN_REFERRAL_PATH = 347,
-    VAR_PRIVATE_DOMAIN = 349,
+     VAR_PRIVATE_ADDRESS = 348,
-    VAR_REMOTE_CONTROL = 350,
+     VAR_PRIVATE_DOMAIN = 349,
-    VAR_CONTROL_ENABLE = 351,
+     VAR_REMOTE_CONTROL = 350,
-    VAR_CONTROL_INTERFACE = 352,
+     VAR_CONTROL_ENABLE = 351,
-    VAR_CONTROL_PORT = 353,
+     VAR_CONTROL_INTERFACE = 352,
-    VAR_SERVER_KEY_FILE = 354,
+     VAR_CONTROL_PORT = 353,
-    VAR_SERVER_CERT_FILE = 355,
+     VAR_SERVER_KEY_FILE = 354,
-    VAR_CONTROL_KEY_FILE = 356,
+     VAR_SERVER_CERT_FILE = 355,
-    VAR_CONTROL_CERT_FILE = 357,
+     VAR_CONTROL_KEY_FILE = 356,
-    VAR_CONTROL_USE_CERT = 358,
+     VAR_CONTROL_CERT_FILE = 357,
-    VAR_EXTENDED_STATISTICS = 359,
+     VAR_CONTROL_USE_CERT = 358,
-    VAR_LOCAL_DATA_PTR = 360,
+     VAR_EXTENDED_STATISTICS = 359,
-    VAR_JOSTLE_TIMEOUT = 361,
+     VAR_LOCAL_DATA_PTR = 360,
-    VAR_STUB_PRIME = 362,
+     VAR_JOSTLE_TIMEOUT = 361,
-    VAR_UNWANTED_REPLY_THRESHOLD = 363,
+     VAR_STUB_PRIME = 362,
-    VAR_LOG_TIME_ASCII = 364,
+     VAR_UNWANTED_REPLY_THRESHOLD = 363,
-    VAR_DOMAIN_INSECURE = 365,
+     VAR_LOG_TIME_ASCII = 364,
-    VAR_PYTHON = 366,
+     VAR_DOMAIN_INSECURE = 365,
-    VAR_PYTHON_SCRIPT = 367,
+     VAR_PYTHON = 366,
-    VAR_VAL_SIG_SKEW_MIN = 368,
+     VAR_PYTHON_SCRIPT = 367,
-    VAR_VAL_SIG_SKEW_MAX = 369,
+     VAR_VAL_SIG_SKEW_MIN = 368,
-    VAR_CACHE_MIN_TTL = 370,
+     VAR_VAL_SIG_SKEW_MAX = 369,
-    VAR_VAL_LOG_LEVEL = 371,
+     VAR_CACHE_MIN_TTL = 370,
-    VAR_AUTO_TRUST_ANCHOR_FILE = 372,
+     VAR_VAL_LOG_LEVEL = 371,
-    VAR_KEEP_MISSING = 373,
+     VAR_AUTO_TRUST_ANCHOR_FILE = 372,
-    VAR_ADD_HOLDDOWN = 374,
+     VAR_KEEP_MISSING = 373,
-    VAR_DEL_HOLDDOWN = 375,
+     VAR_ADD_HOLDDOWN = 374,
-    VAR_SO_RCVBUF = 376,
+     VAR_DEL_HOLDDOWN = 375,
-    VAR_EDNS_BUFFER_SIZE = 377,
+     VAR_SO_RCVBUF = 376,
-    VAR_PREFETCH = 378,
+     VAR_EDNS_BUFFER_SIZE = 377,
-    VAR_PREFETCH_KEY = 379,
+     VAR_PREFETCH = 378,
-    VAR_SO_SNDBUF = 380,
+     VAR_PREFETCH_KEY = 379,
-    VAR_SO_REUSEPORT = 381,
+     VAR_SO_SNDBUF = 380,
-    VAR_HARDEN_BELOW_NXDOMAIN = 382,
+     VAR_SO_REUSEPORT = 381,
-    VAR_IGNORE_CD_FLAG = 383,
+     VAR_HARDEN_BELOW_NXDOMAIN = 382,
-    VAR_LOG_QUERIES = 384,
+     VAR_IGNORE_CD_FLAG = 383,
-    VAR_LOG_REPLIES = 385,
+     VAR_LOG_QUERIES = 384,
-    VAR_LOG_LOCAL_ACTIONS = 386,
+     VAR_LOG_REPLIES = 385,
-    VAR_TCP_UPSTREAM = 387,
+     VAR_LOG_LOCAL_ACTIONS = 386,
-    VAR_SSL_UPSTREAM = 388,
+     VAR_TCP_UPSTREAM = 387,
-    VAR_SSL_SERVICE_KEY = 389,
+     VAR_SSL_UPSTREAM = 388,
-    VAR_SSL_SERVICE_PEM = 390,
+     VAR_SSL_SERVICE_KEY = 389,
-    VAR_SSL_PORT = 391,
+     VAR_SSL_SERVICE_PEM = 390,
-    VAR_FORWARD_FIRST = 392,
+     VAR_SSL_PORT = 391,
-    VAR_STUB_SSL_UPSTREAM = 393,
+     VAR_FORWARD_FIRST = 392,
-    VAR_FORWARD_SSL_UPSTREAM = 394,
+     VAR_STUB_SSL_UPSTREAM = 393,
-    VAR_TLS_CERT_BUNDLE = 395,
+     VAR_FORWARD_SSL_UPSTREAM = 394,
-    VAR_STUB_FIRST = 396,
+     VAR_TLS_CERT_BUNDLE = 395,
-    VAR_MINIMAL_RESPONSES = 397,
+     VAR_STUB_FIRST = 396,
-    VAR_RRSET_ROUNDROBIN = 398,
+     VAR_MINIMAL_RESPONSES = 397,
-    VAR_MAX_UDP_SIZE = 399,
+     VAR_RRSET_ROUNDROBIN = 398,
-    VAR_DELAY_CLOSE = 400,
+     VAR_MAX_UDP_SIZE = 399,
-    VAR_UNBLOCK_LAN_ZONES = 401,
+     VAR_DELAY_CLOSE = 400,
-    VAR_INSECURE_LAN_ZONES = 402,
+     VAR_UNBLOCK_LAN_ZONES = 401,
-    VAR_INFRA_CACHE_MIN_RTT = 403,
+     VAR_INSECURE_LAN_ZONES = 402,
-    VAR_DNS64_PREFIX = 404,
+     VAR_INFRA_CACHE_MIN_RTT = 403,
-    VAR_DNS64_SYNTHALL = 405,
+     VAR_DNS64_PREFIX = 404,
-    VAR_DNS64_IGNORE_AAAA = 406,
+     VAR_DNS64_SYNTHALL = 405,
-    VAR_DNSTAP = 407,
+     VAR_DNS64_IGNORE_AAAA = 406,
-    VAR_DNSTAP_ENABLE = 408,
+     VAR_DNSTAP = 407,
-    VAR_DNSTAP_SOCKET_PATH = 409,
+     VAR_DNSTAP_ENABLE = 408,
-    VAR_DNSTAP_IP = 410,
+     VAR_DNSTAP_SOCKET_PATH = 409,
-    VAR_DNSTAP_TLS = 411,
+     VAR_DNSTAP_IP = 410,
-    VAR_DNSTAP_TLS_SERVER_NAME = 412,
+     VAR_DNSTAP_TLS = 411,
-    VAR_DNSTAP_TLS_CERT_BUNDLE = 413,
+     VAR_DNSTAP_TLS_SERVER_NAME = 412,
-    VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 414,
+     VAR_DNSTAP_TLS_CERT_BUNDLE = 413,
-    VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 415,
+     VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 414,
-    VAR_DNSTAP_SEND_IDENTITY = 416,
+     VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 415,
-    VAR_DNSTAP_SEND_VERSION = 417,
+     VAR_DNSTAP_SEND_IDENTITY = 416,
-    VAR_DNSTAP_IDENTITY = 418,
+     VAR_DNSTAP_SEND_VERSION = 417,
-    VAR_DNSTAP_VERSION = 419,
+     VAR_DNSTAP_IDENTITY = 418,
-    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 420,
+     VAR_DNSTAP_VERSION = 419,
-    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 421,
+     VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 420,
-    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 422,
+     VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 421,
-    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 423,
+     VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 422,
-    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 424,
+     VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 423,
-    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 425,
+     VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 424,
-    VAR_RESPONSE_IP_TAG = 426,
+     VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 425,
-    VAR_RESPONSE_IP = 427,
+     VAR_RESPONSE_IP_TAG = 426,
-    VAR_RESPONSE_IP_DATA = 428,
+     VAR_RESPONSE_IP = 427,
-    VAR_HARDEN_ALGO_DOWNGRADE = 429,
+     VAR_RESPONSE_IP_DATA = 428,
-    VAR_IP_TRANSPARENT = 430,
+     VAR_HARDEN_ALGO_DOWNGRADE = 429,
-    VAR_DISABLE_DNSSEC_LAME_CHECK = 431,
+     VAR_IP_TRANSPARENT = 430,
-    VAR_IP_RATELIMIT = 432,
+     VAR_IP_DSCP = 431,
-    VAR_IP_RATELIMIT_SLABS = 433,
+     VAR_DISABLE_DNSSEC_LAME_CHECK = 432,
-    VAR_IP_RATELIMIT_SIZE = 434,
+     VAR_IP_RATELIMIT = 433,
-    VAR_RATELIMIT = 435,
+     VAR_IP_RATELIMIT_SLABS = 434,
-    VAR_RATELIMIT_SLABS = 436,
+     VAR_IP_RATELIMIT_SIZE = 435,
-    VAR_RATELIMIT_SIZE = 437,
+     VAR_RATELIMIT = 436,
-    VAR_RATELIMIT_FOR_DOMAIN = 438,
+     VAR_RATELIMIT_SLABS = 437,
-    VAR_RATELIMIT_BELOW_DOMAIN = 439,
+     VAR_RATELIMIT_SIZE = 438,
-    VAR_IP_RATELIMIT_FACTOR = 440,
+     VAR_RATELIMIT_FOR_DOMAIN = 439,
-    VAR_RATELIMIT_FACTOR = 441,
+     VAR_RATELIMIT_BELOW_DOMAIN = 440,
-    VAR_SEND_CLIENT_SUBNET = 442,
+     VAR_IP_RATELIMIT_FACTOR = 441,
-    VAR_CLIENT_SUBNET_ZONE = 443,
+     VAR_RATELIMIT_FACTOR = 442,
-    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 444,
+     VAR_SEND_CLIENT_SUBNET = 443,
-    VAR_CLIENT_SUBNET_OPCODE = 445,
+     VAR_CLIENT_SUBNET_ZONE = 444,
-    VAR_MAX_CLIENT_SUBNET_IPV4 = 446,
+     VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 445,
-    VAR_MAX_CLIENT_SUBNET_IPV6 = 447,
+     VAR_CLIENT_SUBNET_OPCODE = 446,
-    VAR_MIN_CLIENT_SUBNET_IPV4 = 448,
+     VAR_MAX_CLIENT_SUBNET_IPV4 = 447,
-    VAR_MIN_CLIENT_SUBNET_IPV6 = 449,
+     VAR_MAX_CLIENT_SUBNET_IPV6 = 448,
-    VAR_MAX_ECS_TREE_SIZE_IPV4 = 450,
+     VAR_MIN_CLIENT_SUBNET_IPV4 = 449,
-    VAR_MAX_ECS_TREE_SIZE_IPV6 = 451,
+     VAR_MIN_CLIENT_SUBNET_IPV6 = 450,
-    VAR_CAPS_WHITELIST = 452,
+     VAR_MAX_ECS_TREE_SIZE_IPV4 = 451,
-    VAR_CACHE_MAX_NEGATIVE_TTL = 453,
+     VAR_MAX_ECS_TREE_SIZE_IPV6 = 452,
-    VAR_PERMIT_SMALL_HOLDDOWN = 454,
+     VAR_CAPS_WHITELIST = 453,
-    VAR_QNAME_MINIMISATION = 455,
+     VAR_CACHE_MAX_NEGATIVE_TTL = 454,
-    VAR_QNAME_MINIMISATION_STRICT = 456,
+     VAR_PERMIT_SMALL_HOLDDOWN = 455,
-    VAR_IP_FREEBIND = 457,
+     VAR_QNAME_MINIMISATION = 456,
-    VAR_DEFINE_TAG = 458,
+     VAR_QNAME_MINIMISATION_STRICT = 457,
-    VAR_LOCAL_ZONE_TAG = 459,
+     VAR_IP_FREEBIND = 458,
-    VAR_ACCESS_CONTROL_TAG = 460,
+     VAR_DEFINE_TAG = 459,
-    VAR_LOCAL_ZONE_OVERRIDE = 461,
+     VAR_LOCAL_ZONE_TAG = 460,
-    VAR_ACCESS_CONTROL_TAG_ACTION = 462,
+     VAR_ACCESS_CONTROL_TAG = 461,
-    VAR_ACCESS_CONTROL_TAG_DATA = 463,
+     VAR_LOCAL_ZONE_OVERRIDE = 462,
-    VAR_VIEW = 464,
+     VAR_ACCESS_CONTROL_TAG_ACTION = 463,
-    VAR_ACCESS_CONTROL_VIEW = 465,
+     VAR_ACCESS_CONTROL_TAG_DATA = 464,
-    VAR_VIEW_FIRST = 466,
+     VAR_VIEW = 465,
-    VAR_SERVE_EXPIRED = 467,
+     VAR_ACCESS_CONTROL_VIEW = 466,
-    VAR_SERVE_EXPIRED_TTL = 468,
+     VAR_VIEW_FIRST = 467,
-    VAR_SERVE_EXPIRED_TTL_RESET = 469,
+     VAR_SERVE_EXPIRED = 468,
-    VAR_SERVE_EXPIRED_REPLY_TTL = 470,
+     VAR_SERVE_EXPIRED_TTL = 469,
-    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 471,
+     VAR_SERVE_EXPIRED_TTL_RESET = 470,
-    VAR_FAKE_DSA = 472,
+     VAR_SERVE_EXPIRED_REPLY_TTL = 471,
-    VAR_FAKE_SHA1 = 473,
+     VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 472,
-    VAR_LOG_IDENTITY = 474,
+     VAR_FAKE_DSA = 473,
-    VAR_HIDE_TRUSTANCHOR = 475,
+     VAR_FAKE_SHA1 = 474,
-    VAR_TRUST_ANCHOR_SIGNALING = 476,
+     VAR_LOG_IDENTITY = 475,
-    VAR_AGGRESSIVE_NSEC = 477,
+     VAR_HIDE_TRUSTANCHOR = 476,
-    VAR_USE_SYSTEMD = 478,
+     VAR_TRUST_ANCHOR_SIGNALING = 477,
-    VAR_SHM_ENABLE = 479,
+     VAR_AGGRESSIVE_NSEC = 478,
-    VAR_SHM_KEY = 480,
+     VAR_USE_SYSTEMD = 479,
-    VAR_ROOT_KEY_SENTINEL = 481,
+     VAR_SHM_ENABLE = 480,
-    VAR_DNSCRYPT = 482,
+     VAR_SHM_KEY = 481,
-    VAR_DNSCRYPT_ENABLE = 483,
+     VAR_ROOT_KEY_SENTINEL = 482,
-    VAR_DNSCRYPT_PORT = 484,
+     VAR_DNSCRYPT = 483,
-    VAR_DNSCRYPT_PROVIDER = 485,
+     VAR_DNSCRYPT_ENABLE = 484,
-    VAR_DNSCRYPT_SECRET_KEY = 486,
+     VAR_DNSCRYPT_PORT = 485,
-    VAR_DNSCRYPT_PROVIDER_CERT = 487,
+     VAR_DNSCRYPT_PROVIDER = 486,
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 488,
+     VAR_DNSCRYPT_SECRET_KEY = 487,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 489,
+     VAR_DNSCRYPT_PROVIDER_CERT = 488,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 490,
+     VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 489,
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 491,
+     VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 490,
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 492,
+     VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 491,
-    VAR_IPSECMOD_ENABLED = 493,
+     VAR_DNSCRYPT_NONCE_CACHE_SIZE = 492,
-    VAR_IPSECMOD_HOOK = 494,
+     VAR_DNSCRYPT_NONCE_CACHE_SLABS = 493,
-    VAR_IPSECMOD_IGNORE_BOGUS = 495,
+     VAR_IPSECMOD_ENABLED = 494,
-    VAR_IPSECMOD_MAX_TTL = 496,
+     VAR_IPSECMOD_HOOK = 495,
-    VAR_IPSECMOD_WHITELIST = 497,
+     VAR_IPSECMOD_IGNORE_BOGUS = 496,
-    VAR_IPSECMOD_STRICT = 498,
+     VAR_IPSECMOD_MAX_TTL = 497,
-    VAR_CACHEDB = 499,
+     VAR_IPSECMOD_WHITELIST = 498,
-    VAR_CACHEDB_BACKEND = 500,
+     VAR_IPSECMOD_STRICT = 499,
-    VAR_CACHEDB_SECRETSEED = 501,
+     VAR_CACHEDB = 500,
-    VAR_CACHEDB_REDISHOST = 502,
+     VAR_CACHEDB_BACKEND = 501,
-    VAR_CACHEDB_REDISPORT = 503,
+     VAR_CACHEDB_SECRETSEED = 502,
-    VAR_CACHEDB_REDISTIMEOUT = 504,
+     VAR_CACHEDB_REDISHOST = 503,
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 505,
+     VAR_CACHEDB_REDISPORT = 504,
-    VAR_FOR_UPSTREAM = 506,
+     VAR_CACHEDB_REDISTIMEOUT = 505,
-    VAR_AUTH_ZONE = 507,
+     VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 506,
-    VAR_ZONEFILE = 508,
+     VAR_FOR_UPSTREAM = 507,
-    VAR_MASTER = 509,
+     VAR_AUTH_ZONE = 508,
-    VAR_URL = 510,
+     VAR_ZONEFILE = 509,
-    VAR_FOR_DOWNSTREAM = 511,
+     VAR_MASTER = 510,
-    VAR_FALLBACK_ENABLED = 512,
+     VAR_URL = 511,
-    VAR_TLS_ADDITIONAL_PORT = 513,
+     VAR_FOR_DOWNSTREAM = 512,
-    VAR_LOW_RTT = 514,
+     VAR_FALLBACK_ENABLED = 513,
-    VAR_LOW_RTT_PERMIL = 515,
+     VAR_TLS_ADDITIONAL_PORT = 514,
-    VAR_FAST_SERVER_PERMIL = 516,
+     VAR_LOW_RTT = 515,
-    VAR_FAST_SERVER_NUM = 517,
+     VAR_LOW_RTT_PERMIL = 516,
-    VAR_ALLOW_NOTIFY = 518,
+     VAR_FAST_SERVER_PERMIL = 517,
-    VAR_TLS_WIN_CERT = 519,
+     VAR_FAST_SERVER_NUM = 518,
-    VAR_TCP_CONNECTION_LIMIT = 520,
+     VAR_ALLOW_NOTIFY = 519,
-    VAR_FORWARD_NO_CACHE = 521,
+     VAR_TLS_WIN_CERT = 520,
-    VAR_STUB_NO_CACHE = 522,
+     VAR_TCP_CONNECTION_LIMIT = 521,
-    VAR_LOG_SERVFAIL = 523,
+     VAR_FORWARD_NO_CACHE = 522,
-    VAR_DENY_ANY = 524,
+     VAR_STUB_NO_CACHE = 523,
-    VAR_UNKNOWN_SERVER_TIME_LIMIT = 525,
+     VAR_LOG_SERVFAIL = 524,
-    VAR_LOG_TAG_QUERYREPLY = 526,
+     VAR_DENY_ANY = 525,
-    VAR_STREAM_WAIT_SIZE = 527,
+     VAR_UNKNOWN_SERVER_TIME_LIMIT = 526,
-    VAR_TLS_CIPHERS = 528,
+     VAR_LOG_TAG_QUERYREPLY = 527,
-    VAR_TLS_CIPHERSUITES = 529,
+     VAR_STREAM_WAIT_SIZE = 528,
-    VAR_IPSET = 530,
+     VAR_TLS_CIPHERS = 529,
-    VAR_IPSET_NAME_V4 = 531,
+     VAR_TLS_CIPHERSUITES = 530,
-    VAR_IPSET_NAME_V6 = 532,
+     VAR_IPSET = 531,
-    VAR_TLS_SESSION_TICKET_KEYS = 533,
+     VAR_IPSET_NAME_V4 = 532,
-    VAR_RPZ = 534,
+     VAR_IPSET_NAME_V6 = 533,
-    VAR_TAGS = 535,
+     VAR_TLS_SESSION_TICKET_KEYS = 534,
-    VAR_RPZ_ACTION_OVERRIDE = 536,
+     VAR_RPZ = 535,
-    VAR_RPZ_CNAME_OVERRIDE = 537,
+     VAR_TAGS = 536,
-    VAR_RPZ_LOG = 538,
+     VAR_RPZ_ACTION_OVERRIDE = 537,
-    VAR_RPZ_LOG_NAME = 539
+     VAR_RPZ_CNAME_OVERRIDE = 538,
-  };
+     VAR_RPZ_LOG = 539,
     VAR_RPZ_LOG_NAME = 540
   };
 #endif
 /* Tokens.  */
 #define SPACE 258
@ -507,135 +498,133 @@ extern int yydebug;
 #define VAR_RESPONSE_IP_DATA 428
 #define VAR_HARDEN_ALGO_DOWNGRADE 429
 #define VAR_IP_TRANSPARENT 430
-#define VAR_DISABLE_DNSSEC_LAME_CHECK 431
+#define VAR_IP_DSCP 431
-#define VAR_IP_RATELIMIT 432
+#define VAR_DISABLE_DNSSEC_LAME_CHECK 432
-#define VAR_IP_RATELIMIT_SLABS 433
+#define VAR_IP_RATELIMIT 433
-#define VAR_IP_RATELIMIT_SIZE 434
+#define VAR_IP_RATELIMIT_SLABS 434
-#define VAR_RATELIMIT 435
+#define VAR_IP_RATELIMIT_SIZE 435
-#define VAR_RATELIMIT_SLABS 436
+#define VAR_RATELIMIT 436
-#define VAR_RATELIMIT_SIZE 437
+#define VAR_RATELIMIT_SLABS 437
-#define VAR_RATELIMIT_FOR_DOMAIN 438
+#define VAR_RATELIMIT_SIZE 438
-#define VAR_RATELIMIT_BELOW_DOMAIN 439
+#define VAR_RATELIMIT_FOR_DOMAIN 439
-#define VAR_IP_RATELIMIT_FACTOR 440
+#define VAR_RATELIMIT_BELOW_DOMAIN 440
-#define VAR_RATELIMIT_FACTOR 441
+#define VAR_IP_RATELIMIT_FACTOR 441
-#define VAR_SEND_CLIENT_SUBNET 442
+#define VAR_RATELIMIT_FACTOR 442
-#define VAR_CLIENT_SUBNET_ZONE 443
+#define VAR_SEND_CLIENT_SUBNET 443
-#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 444
+#define VAR_CLIENT_SUBNET_ZONE 444
-#define VAR_CLIENT_SUBNET_OPCODE 445
+#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 445
-#define VAR_MAX_CLIENT_SUBNET_IPV4 446
+#define VAR_CLIENT_SUBNET_OPCODE 446
-#define VAR_MAX_CLIENT_SUBNET_IPV6 447
+#define VAR_MAX_CLIENT_SUBNET_IPV4 447
-#define VAR_MIN_CLIENT_SUBNET_IPV4 448
+#define VAR_MAX_CLIENT_SUBNET_IPV6 448
-#define VAR_MIN_CLIENT_SUBNET_IPV6 449
+#define VAR_MIN_CLIENT_SUBNET_IPV4 449
-#define VAR_MAX_ECS_TREE_SIZE_IPV4 450
+#define VAR_MIN_CLIENT_SUBNET_IPV6 450
-#define VAR_MAX_ECS_TREE_SIZE_IPV6 451
+#define VAR_MAX_ECS_TREE_SIZE_IPV4 451
-#define VAR_CAPS_WHITELIST 452
+#define VAR_MAX_ECS_TREE_SIZE_IPV6 452
-#define VAR_CACHE_MAX_NEGATIVE_TTL 453
+#define VAR_CAPS_WHITELIST 453
-#define VAR_PERMIT_SMALL_HOLDDOWN 454
+#define VAR_CACHE_MAX_NEGATIVE_TTL 454
-#define VAR_QNAME_MINIMISATION 455
+#define VAR_PERMIT_SMALL_HOLDDOWN 455
-#define VAR_QNAME_MINIMISATION_STRICT 456
+#define VAR_QNAME_MINIMISATION 456
-#define VAR_IP_FREEBIND 457
+#define VAR_QNAME_MINIMISATION_STRICT 457
-#define VAR_DEFINE_TAG 458
+#define VAR_IP_FREEBIND 458
-#define VAR_LOCAL_ZONE_TAG 459
+#define VAR_DEFINE_TAG 459
-#define VAR_ACCESS_CONTROL_TAG 460
+#define VAR_LOCAL_ZONE_TAG 460
-#define VAR_LOCAL_ZONE_OVERRIDE 461
+#define VAR_ACCESS_CONTROL_TAG 461
-#define VAR_ACCESS_CONTROL_TAG_ACTION 462
+#define VAR_LOCAL_ZONE_OVERRIDE 462
-#define VAR_ACCESS_CONTROL_TAG_DATA 463
+#define VAR_ACCESS_CONTROL_TAG_ACTION 463
-#define VAR_VIEW 464
+#define VAR_ACCESS_CONTROL_TAG_DATA 464
-#define VAR_ACCESS_CONTROL_VIEW 465
+#define VAR_VIEW 465
-#define VAR_VIEW_FIRST 466
+#define VAR_ACCESS_CONTROL_VIEW 466
-#define VAR_SERVE_EXPIRED 467
+#define VAR_VIEW_FIRST 467
-#define VAR_SERVE_EXPIRED_TTL 468
+#define VAR_SERVE_EXPIRED 468
-#define VAR_SERVE_EXPIRED_TTL_RESET 469
+#define VAR_SERVE_EXPIRED_TTL 469
-#define VAR_SERVE_EXPIRED_REPLY_TTL 470
+#define VAR_SERVE_EXPIRED_TTL_RESET 470
-#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 471
+#define VAR_SERVE_EXPIRED_REPLY_TTL 471
-#define VAR_FAKE_DSA 472
+#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 472
-#define VAR_FAKE_SHA1 473
+#define VAR_FAKE_DSA 473
-#define VAR_LOG_IDENTITY 474
+#define VAR_FAKE_SHA1 474
-#define VAR_HIDE_TRUSTANCHOR 475
+#define VAR_LOG_IDENTITY 475
-#define VAR_TRUST_ANCHOR_SIGNALING 476
+#define VAR_HIDE_TRUSTANCHOR 476
-#define VAR_AGGRESSIVE_NSEC 477
+#define VAR_TRUST_ANCHOR_SIGNALING 477
-#define VAR_USE_SYSTEMD 478
+#define VAR_AGGRESSIVE_NSEC 478
-#define VAR_SHM_ENABLE 479
+#define VAR_USE_SYSTEMD 479
-#define VAR_SHM_KEY 480
+#define VAR_SHM_ENABLE 480
-#define VAR_ROOT_KEY_SENTINEL 481
+#define VAR_SHM_KEY 481
-#define VAR_DNSCRYPT 482
+#define VAR_ROOT_KEY_SENTINEL 482
-#define VAR_DNSCRYPT_ENABLE 483
+#define VAR_DNSCRYPT 483
-#define VAR_DNSCRYPT_PORT 484
+#define VAR_DNSCRYPT_ENABLE 484
-#define VAR_DNSCRYPT_PROVIDER 485
+#define VAR_DNSCRYPT_PORT 485
-#define VAR_DNSCRYPT_SECRET_KEY 486
+#define VAR_DNSCRYPT_PROVIDER 486
-#define VAR_DNSCRYPT_PROVIDER_CERT 487
+#define VAR_DNSCRYPT_SECRET_KEY 487
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 488
+#define VAR_DNSCRYPT_PROVIDER_CERT 488
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 489
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 489
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 490
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 490
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 491
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 491
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 492
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 492
-#define VAR_IPSECMOD_ENABLED 493
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 493
-#define VAR_IPSECMOD_HOOK 494
+#define VAR_IPSECMOD_ENABLED 494
-#define VAR_IPSECMOD_IGNORE_BOGUS 495
+#define VAR_IPSECMOD_HOOK 495
-#define VAR_IPSECMOD_MAX_TTL 496
+#define VAR_IPSECMOD_IGNORE_BOGUS 496
-#define VAR_IPSECMOD_WHITELIST 497
+#define VAR_IPSECMOD_MAX_TTL 497
-#define VAR_IPSECMOD_STRICT 498
+#define VAR_IPSECMOD_WHITELIST 498
-#define VAR_CACHEDB 499
+#define VAR_IPSECMOD_STRICT 499
-#define VAR_CACHEDB_BACKEND 500
+#define VAR_CACHEDB 500
-#define VAR_CACHEDB_SECRETSEED 501
+#define VAR_CACHEDB_BACKEND 501
-#define VAR_CACHEDB_REDISHOST 502
+#define VAR_CACHEDB_SECRETSEED 502
-#define VAR_CACHEDB_REDISPORT 503
+#define VAR_CACHEDB_REDISHOST 503
-#define VAR_CACHEDB_REDISTIMEOUT 504
+#define VAR_CACHEDB_REDISPORT 504
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 505
+#define VAR_CACHEDB_REDISTIMEOUT 505
-#define VAR_FOR_UPSTREAM 506
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 506
-#define VAR_AUTH_ZONE 507
+#define VAR_FOR_UPSTREAM 507
-#define VAR_ZONEFILE 508
+#define VAR_AUTH_ZONE 508
-#define VAR_MASTER 509
+#define VAR_ZONEFILE 509
-#define VAR_URL 510
+#define VAR_MASTER 510
-#define VAR_FOR_DOWNSTREAM 511
+#define VAR_URL 511
-#define VAR_FALLBACK_ENABLED 512
+#define VAR_FOR_DOWNSTREAM 512
-#define VAR_TLS_ADDITIONAL_PORT 513
+#define VAR_FALLBACK_ENABLED 513
-#define VAR_LOW_RTT 514
+#define VAR_TLS_ADDITIONAL_PORT 514
-#define VAR_LOW_RTT_PERMIL 515
+#define VAR_LOW_RTT 515
-#define VAR_FAST_SERVER_PERMIL 516
+#define VAR_LOW_RTT_PERMIL 516
-#define VAR_FAST_SERVER_NUM 517
+#define VAR_FAST_SERVER_PERMIL 517
-#define VAR_ALLOW_NOTIFY 518
+#define VAR_FAST_SERVER_NUM 518
-#define VAR_TLS_WIN_CERT 519
+#define VAR_ALLOW_NOTIFY 519
-#define VAR_TCP_CONNECTION_LIMIT 520
+#define VAR_TLS_WIN_CERT 520
-#define VAR_FORWARD_NO_CACHE 521
+#define VAR_TCP_CONNECTION_LIMIT 521
-#define VAR_STUB_NO_CACHE 522
+#define VAR_FORWARD_NO_CACHE 522
-#define VAR_LOG_SERVFAIL 523
+#define VAR_STUB_NO_CACHE 523
-#define VAR_DENY_ANY 524
+#define VAR_LOG_SERVFAIL 524
-#define VAR_UNKNOWN_SERVER_TIME_LIMIT 525
+#define VAR_DENY_ANY 525
-#define VAR_LOG_TAG_QUERYREPLY 526
+#define VAR_UNKNOWN_SERVER_TIME_LIMIT 526
-#define VAR_STREAM_WAIT_SIZE 527
+#define VAR_LOG_TAG_QUERYREPLY 527
-#define VAR_TLS_CIPHERS 528
+#define VAR_STREAM_WAIT_SIZE 528
-#define VAR_TLS_CIPHERSUITES 529
+#define VAR_TLS_CIPHERS 529
-#define VAR_IPSET 530
+#define VAR_TLS_CIPHERSUITES 530
-#define VAR_IPSET_NAME_V4 531
+#define VAR_IPSET 531
-#define VAR_IPSET_NAME_V6 532
+#define VAR_IPSET_NAME_V4 532
-#define VAR_TLS_SESSION_TICKET_KEYS 533
+#define VAR_IPSET_NAME_V6 533
-#define VAR_RPZ 534
+#define VAR_TLS_SESSION_TICKET_KEYS 534
-#define VAR_TAGS 535
+#define VAR_RPZ 535
-#define VAR_RPZ_ACTION_OVERRIDE 536
+#define VAR_TAGS 536
-#define VAR_RPZ_CNAME_OVERRIDE 537
+#define VAR_RPZ_ACTION_OVERRIDE 537
-#define VAR_RPZ_LOG 538
+#define VAR_RPZ_CNAME_OVERRIDE 538
-#define VAR_RPZ_LOG_NAME 539
+#define VAR_RPZ_LOG 539
 #define VAR_RPZ_LOG_NAME 540
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
-union YYSTYPE
+typedef union YYSTYPE
 {
 #line 66 "./util/configparser.y"
-
+{
 	char*	str;
-
+}
-#line 629 "util/configparser.h"
+/* Line 1529 of yacc.c.  */
-
+#line 623 "util/configparser.h"
-};
+	YYSTYPE;
-typedef union YYSTYPE YYSTYPE;
+# define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_TRIVIAL 1
 # define YYSTYPE_IS_DECLARED 1
 # define YYSTYPE_IS_TRIVIAL 1
 #endif
 extern YYSTYPE yylval;
 int yyparse (void);
 #endif /* !YY_YY_UTIL_CONFIGPARSER_H_INCLUDED  */
--- a/util/configparser.y
+++ b/util/configparser.y
@ -129,6 +129,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES
 %token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA
 %token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
 %token VAR_IP_DSCP
 %token VAR_DISABLE_DNSSEC_LAME_CHECK
 %token VAR_IP_RATELIMIT VAR_IP_RATELIMIT_SLABS VAR_IP_RATELIMIT_SIZE
 %token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
@ -241,6 +242,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_dns64_prefix | server_dns64_synthall | server_dns64_ignore_aaaa |
 	server_infra_cache_min_rtt | server_harden_algo_downgrade |
 	server_ip_transparent | server_ip_ratelimit | server_ratelimit |
 	server_ip_dscp |
 	server_ip_ratelimit_slabs | server_ratelimit_slabs |
 	server_ip_ratelimit_size | server_ratelimit_size |
 	server_ratelimit_for_domain |
@ -1258,6 +1260,20 @@ server_ip_freebind: VAR_IP_FREEBIND STRING_ARG
        free($2);
    }
    ;
 server_ip_dscp: VAR_IP_DSCP STRING_ARG
 	{
 		OUTYY(("P(server_ip_dscp:%s)\n", $2));
 		if(atoi($2) == 0 && strcmp($2, "0") != 0)
 			yyerror("number expected");
 		else if (atoi($2) > 63)
 			yyerror("value too large (max 63)");
 		else if (atoi($2) < 0)
 			yyerror("value too small (min 0)");
 		else
 			cfg_parser->cfg->ip_dscp = atoi($2);
 		free($2);
 	}
 	;
 server_stream_wait_size: VAR_STREAM_WAIT_SIZE STRING_ARG
 	{
 		OUTYY(("P(server_stream_wait_size:%s)\n", $2));