- Merge #461 from Christian Allred: Add max-query-restarts option.

2025-12-23 00:00:51 -05:00 · 2022-12-13 15:50:45 +01:00 · 2022-12-13 15:50:45 +01:00 · af2ef61c49
commit af2ef61c49
parent 67cf625608 df411b3f28
13 changed files with 4948 additions and 4879 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -3,6 +3,9 @@
 	  default value retains Unbound's behavior.
 	- Expose 'max-sent-count' as a configuration option; the
 	  default value retains Unbound's behavior.
 	- Merge #461 from Christian Allred: Add max-query-restarts option.
 	  Exposes an internal configuration but the default value retains
 	  Unbound's behavior.
 13 December 2022: Wouter
 	- Merge #808: Wrap Makefile script's directory variables in quotes.
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@ -183,6 +183,10 @@ server:
 	# It resets on query restarts (e.g., CNAME) and referrals.
 	# max-sent-count: 32
 	# Hard limit on the number of times Unbound is allowed to restart a
 	# query upon encountering a CNAME record.
 	# max-query-restarts: 11
 	# msec for waiting for an unknown server to reply.  Increase if you
 	# are behind a slow satellite link, to eg. 1128.
 	# unknown-server-time-limit: 376
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@ -1831,9 +1831,18 @@ Default is 5.
 .B max\-sent\-count: \fI<number>
 Hard limit on the number of outgoing queries Unbound will make while resolving
 a name, making sure large NS sets do not loop.
 Results in SERVFAIL when reached.
 It resets on query restarts (e.g., CNAME) and referrals.
 Default is 32.
 .TP 5
 .B max\-query\-restarts: \fI<number>
 Hard limit on the number of times Unbound is allowed to restart a query upon
 encountering a CNAME record.
 Results in SERVFAIL when reached.
 Changing this value needs caution as it can allow long CNAME chains to be
 accepted, where Unbound needs to verify (resolve) each link individually.
 Default is 11.
 .TP 5
 .B fast\-server\-permil: \fI<number>
 Specify how many times out of 1000 to pick from the set of fastest servers.
 0 turns the feature off.  A value of 900 would pick from the fastest
@ -1867,7 +1876,7 @@ errors. Default is "no".
 When the \fBval-log-level\fR option is also set to \fB2\fR, responses with
 Extended DNS Errors concerning DNSSEC failures that are not served from cache,
 will also contain a descriptive text message about the reason for the failure.
-.TP
+.TP 5
 .B ede\-serve\-expired: \fI<yes or no>
 If enabled, Unbound will attach an Extended DNS Error (RFC8914) Code 3 - Stale
 Answer as EDNS0 option to the expired response. Note that this will not attach
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@ -176,6 +176,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
 	iter_env->supports_ipv4 = cfg->do_ip4;
 	iter_env->outbound_msg_retry = cfg->outbound_msg_retry;
 	iter_env->max_sent_count = cfg->max_sent_count;
 	iter_env->max_query_restarts = cfg->max_query_restarts;
 	return 1;
 }
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@ -1314,7 +1314,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 	/* We enforce a maximum number of query restarts. This is primarily a
 	 * cheap way to prevent CNAME loops. */
-	if(iq->query_restart_count > MAX_RESTART_COUNT) {
+	if(iq->query_restart_count > ie->max_query_restarts) {
 		verbose(VERB_QUERY, "request has exceeded the maximum number"
 			" of query restarts with %d", iq->query_restart_count);
 		errinf(qstate, "request has exceeded the maximum number "
--- a/iterator/iterator.h
+++ b/iterator/iterator.h
@ -63,8 +63,6 @@ struct rbtree_type;
 /** max number of nxdomains allowed for target lookups for a query and
 * its subqueries when fallback has kicked in */
 #define MAX_TARGET_NX_FALLBACK	(MAX_TARGET_NX*2)
 /** max number of query restarts. Determines max number of CNAME chain. */
 #define MAX_RESTART_COUNT	11
 /** max number of referrals. Makes sure resolver does not run away */
 #define MAX_REFERRAL_COUNT	130
 /** max number of queries for which to perform dnsseclameness detection,
@ -146,6 +144,9 @@ struct iter_env {
 	/** number of queries_sent */
 	int max_sent_count;
 	/** max number of query restarts to limit length of CNAME chain */
 	int max_query_restarts;
 };
 /**
--- a/util/config_file.c
+++ b/util/config_file.c
@ -338,6 +338,7 @@ config_create(void)
 	cfg->ratelimit_backoff = 0;
 	cfg->outbound_msg_retry = 5;
 	cfg->max_sent_count = 32;
 	cfg->max_query_restarts = 11;
 	cfg->qname_minimisation = 1;
 	cfg->qname_minimisation_strict = 0;
 	cfg->shm_enable = 0;
@ -781,7 +782,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_YNO("ip-ratelimit-backoff:", ip_ratelimit_backoff)
 	else S_YNO("ratelimit-backoff:", ratelimit_backoff)
 	else S_NUMBER_NONZERO("outbound-msg-retry:", outbound_msg_retry)
-	else S_NUMBER_NONZERO("max-sent-count", max_sent_count)
+	else S_NUMBER_NONZERO("max-sent-count:", max_sent_count)
 	else S_NUMBER_NONZERO("max-query-restarts:", max_query_restarts)
 	else S_SIZET_NONZERO("fast-server-num:", fast_server_num)
 	else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil)
 	else S_YNO("qname-minimisation:", qname_minimisation)
@ -1244,6 +1246,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "ratelimit-backoff", ratelimit_backoff)
 	else O_UNS(opt, "outbound-msg-retry", outbound_msg_retry)
 	else O_UNS(opt, "max-sent-count", max_sent_count)
 	else O_UNS(opt, "max-query-restarts", max_query_restarts)
 	else O_DEC(opt, "fast-server-num", fast_server_num)
 	else O_DEC(opt, "fast-server-permil", fast_server_permil)
 	else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)
--- a/util/config_file.h
+++ b/util/config_file.h
@ -611,8 +611,10 @@ struct config_file {
 	/** number of retries on outgoing queries */
 	int outbound_msg_retry;
 	/** max sent queries per qstate; resets on query restarts (e.g.,
-	 *  CNAMES) and referrals. */
+	 *  CNAMES) and referrals */
 	int max_sent_count;
 	/** max number of query restarts; determines max length of CNAME chain */
 	int max_query_restarts;
 	/** minimise outgoing QNAME and hide original QTYPE if possible */
 	int qname_minimisation;
 	/** minimise QNAME in strict mode, minimise according to RFC.
--- a/util/configlexer.c
+++ b/util/configlexer.c
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@ -516,6 +516,7 @@ ip-ratelimit-backoff{COLON}		{ YDVAR(1, VAR_IP_RATELIMIT_BACKOFF) }
 ratelimit-backoff{COLON}		{ YDVAR(1, VAR_RATELIMIT_BACKOFF) }
 outbound-msg-retry{COLON}		{ YDVAR(1, VAR_OUTBOUND_MSG_RETRY) }
 max-sent-count{COLON}		{ YDVAR(1, VAR_MAX_SENT_COUNT) }
 max-query-restarts{COLON}	{ YDVAR(1, VAR_MAX_QUERY_RESTARTS) }
 low-rtt{COLON}			{ YDVAR(1, VAR_LOW_RTT) }
 fast-server-num{COLON}		{ YDVAR(1, VAR_FAST_SERVER_NUM) }
 low-rtt-pct{COLON}		{ YDVAR(1, VAR_FAST_SERVER_PERMIL) }
--- a/util/configparser.c
+++ b/util/configparser.c
--- a/util/configparser.h
+++ b/util/configparser.h
@ -255,138 +255,139 @@ extern int yydebug;
    VAR_RATELIMIT_SIZE = 456,      /* VAR_RATELIMIT_SIZE  */
    VAR_OUTBOUND_MSG_RETRY = 457,  /* VAR_OUTBOUND_MSG_RETRY  */
    VAR_MAX_SENT_COUNT = 458,      /* VAR_MAX_SENT_COUNT  */
-    VAR_RATELIMIT_FOR_DOMAIN = 459, /* VAR_RATELIMIT_FOR_DOMAIN  */
+    VAR_MAX_QUERY_RESTARTS = 459,  /* VAR_MAX_QUERY_RESTARTS  */
-    VAR_RATELIMIT_BELOW_DOMAIN = 460, /* VAR_RATELIMIT_BELOW_DOMAIN  */
+    VAR_RATELIMIT_FOR_DOMAIN = 460, /* VAR_RATELIMIT_FOR_DOMAIN  */
-    VAR_IP_RATELIMIT_FACTOR = 461, /* VAR_IP_RATELIMIT_FACTOR  */
+    VAR_RATELIMIT_BELOW_DOMAIN = 461, /* VAR_RATELIMIT_BELOW_DOMAIN  */
-    VAR_RATELIMIT_FACTOR = 462,    /* VAR_RATELIMIT_FACTOR  */
+    VAR_IP_RATELIMIT_FACTOR = 462, /* VAR_IP_RATELIMIT_FACTOR  */
-    VAR_IP_RATELIMIT_BACKOFF = 463, /* VAR_IP_RATELIMIT_BACKOFF  */
+    VAR_RATELIMIT_FACTOR = 463,    /* VAR_RATELIMIT_FACTOR  */
-    VAR_RATELIMIT_BACKOFF = 464,   /* VAR_RATELIMIT_BACKOFF  */
+    VAR_IP_RATELIMIT_BACKOFF = 464, /* VAR_IP_RATELIMIT_BACKOFF  */
-    VAR_SEND_CLIENT_SUBNET = 465,  /* VAR_SEND_CLIENT_SUBNET  */
+    VAR_RATELIMIT_BACKOFF = 465,   /* VAR_RATELIMIT_BACKOFF  */
-    VAR_CLIENT_SUBNET_ZONE = 466,  /* VAR_CLIENT_SUBNET_ZONE  */
+    VAR_SEND_CLIENT_SUBNET = 466,  /* VAR_SEND_CLIENT_SUBNET  */
-    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 467, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD  */
+    VAR_CLIENT_SUBNET_ZONE = 467,  /* VAR_CLIENT_SUBNET_ZONE  */
-    VAR_CLIENT_SUBNET_OPCODE = 468, /* VAR_CLIENT_SUBNET_OPCODE  */
+    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 468, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD  */
-    VAR_MAX_CLIENT_SUBNET_IPV4 = 469, /* VAR_MAX_CLIENT_SUBNET_IPV4  */
+    VAR_CLIENT_SUBNET_OPCODE = 469, /* VAR_CLIENT_SUBNET_OPCODE  */
-    VAR_MAX_CLIENT_SUBNET_IPV6 = 470, /* VAR_MAX_CLIENT_SUBNET_IPV6  */
+    VAR_MAX_CLIENT_SUBNET_IPV4 = 470, /* VAR_MAX_CLIENT_SUBNET_IPV4  */
-    VAR_MIN_CLIENT_SUBNET_IPV4 = 471, /* VAR_MIN_CLIENT_SUBNET_IPV4  */
+    VAR_MAX_CLIENT_SUBNET_IPV6 = 471, /* VAR_MAX_CLIENT_SUBNET_IPV6  */
-    VAR_MIN_CLIENT_SUBNET_IPV6 = 472, /* VAR_MIN_CLIENT_SUBNET_IPV6  */
+    VAR_MIN_CLIENT_SUBNET_IPV4 = 472, /* VAR_MIN_CLIENT_SUBNET_IPV4  */
-    VAR_MAX_ECS_TREE_SIZE_IPV4 = 473, /* VAR_MAX_ECS_TREE_SIZE_IPV4  */
+    VAR_MIN_CLIENT_SUBNET_IPV6 = 473, /* VAR_MIN_CLIENT_SUBNET_IPV6  */
-    VAR_MAX_ECS_TREE_SIZE_IPV6 = 474, /* VAR_MAX_ECS_TREE_SIZE_IPV6  */
+    VAR_MAX_ECS_TREE_SIZE_IPV4 = 474, /* VAR_MAX_ECS_TREE_SIZE_IPV4  */
-    VAR_CAPS_WHITELIST = 475,      /* VAR_CAPS_WHITELIST  */
+    VAR_MAX_ECS_TREE_SIZE_IPV6 = 475, /* VAR_MAX_ECS_TREE_SIZE_IPV6  */
-    VAR_CACHE_MAX_NEGATIVE_TTL = 476, /* VAR_CACHE_MAX_NEGATIVE_TTL  */
+    VAR_CAPS_WHITELIST = 476,      /* VAR_CAPS_WHITELIST  */
-    VAR_PERMIT_SMALL_HOLDDOWN = 477, /* VAR_PERMIT_SMALL_HOLDDOWN  */
+    VAR_CACHE_MAX_NEGATIVE_TTL = 477, /* VAR_CACHE_MAX_NEGATIVE_TTL  */
-    VAR_QNAME_MINIMISATION = 478,  /* VAR_QNAME_MINIMISATION  */
+    VAR_PERMIT_SMALL_HOLDDOWN = 478, /* VAR_PERMIT_SMALL_HOLDDOWN  */
-    VAR_QNAME_MINIMISATION_STRICT = 479, /* VAR_QNAME_MINIMISATION_STRICT  */
+    VAR_QNAME_MINIMISATION = 479,  /* VAR_QNAME_MINIMISATION  */
-    VAR_IP_FREEBIND = 480,         /* VAR_IP_FREEBIND  */
+    VAR_QNAME_MINIMISATION_STRICT = 480, /* VAR_QNAME_MINIMISATION_STRICT  */
-    VAR_DEFINE_TAG = 481,          /* VAR_DEFINE_TAG  */
+    VAR_IP_FREEBIND = 481,         /* VAR_IP_FREEBIND  */
-    VAR_LOCAL_ZONE_TAG = 482,      /* VAR_LOCAL_ZONE_TAG  */
+    VAR_DEFINE_TAG = 482,          /* VAR_DEFINE_TAG  */
-    VAR_ACCESS_CONTROL_TAG = 483,  /* VAR_ACCESS_CONTROL_TAG  */
+    VAR_LOCAL_ZONE_TAG = 483,      /* VAR_LOCAL_ZONE_TAG  */
-    VAR_LOCAL_ZONE_OVERRIDE = 484, /* VAR_LOCAL_ZONE_OVERRIDE  */
+    VAR_ACCESS_CONTROL_TAG = 484,  /* VAR_ACCESS_CONTROL_TAG  */
-    VAR_ACCESS_CONTROL_TAG_ACTION = 485, /* VAR_ACCESS_CONTROL_TAG_ACTION  */
+    VAR_LOCAL_ZONE_OVERRIDE = 485, /* VAR_LOCAL_ZONE_OVERRIDE  */
-    VAR_ACCESS_CONTROL_TAG_DATA = 486, /* VAR_ACCESS_CONTROL_TAG_DATA  */
+    VAR_ACCESS_CONTROL_TAG_ACTION = 486, /* VAR_ACCESS_CONTROL_TAG_ACTION  */
-    VAR_VIEW = 487,                /* VAR_VIEW  */
+    VAR_ACCESS_CONTROL_TAG_DATA = 487, /* VAR_ACCESS_CONTROL_TAG_DATA  */
-    VAR_ACCESS_CONTROL_VIEW = 488, /* VAR_ACCESS_CONTROL_VIEW  */
+    VAR_VIEW = 488,                /* VAR_VIEW  */
-    VAR_VIEW_FIRST = 489,          /* VAR_VIEW_FIRST  */
+    VAR_ACCESS_CONTROL_VIEW = 489, /* VAR_ACCESS_CONTROL_VIEW  */
-    VAR_SERVE_EXPIRED = 490,       /* VAR_SERVE_EXPIRED  */
+    VAR_VIEW_FIRST = 490,          /* VAR_VIEW_FIRST  */
-    VAR_SERVE_EXPIRED_TTL = 491,   /* VAR_SERVE_EXPIRED_TTL  */
+    VAR_SERVE_EXPIRED = 491,       /* VAR_SERVE_EXPIRED  */
-    VAR_SERVE_EXPIRED_TTL_RESET = 492, /* VAR_SERVE_EXPIRED_TTL_RESET  */
+    VAR_SERVE_EXPIRED_TTL = 492,   /* VAR_SERVE_EXPIRED_TTL  */
-    VAR_SERVE_EXPIRED_REPLY_TTL = 493, /* VAR_SERVE_EXPIRED_REPLY_TTL  */
+    VAR_SERVE_EXPIRED_TTL_RESET = 493, /* VAR_SERVE_EXPIRED_TTL_RESET  */
-    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 494, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT  */
+    VAR_SERVE_EXPIRED_REPLY_TTL = 494, /* VAR_SERVE_EXPIRED_REPLY_TTL  */
-    VAR_EDE_SERVE_EXPIRED = 495,   /* VAR_EDE_SERVE_EXPIRED  */
+    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 495, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT  */
-    VAR_SERVE_ORIGINAL_TTL = 496,  /* VAR_SERVE_ORIGINAL_TTL  */
+    VAR_EDE_SERVE_EXPIRED = 496,   /* VAR_EDE_SERVE_EXPIRED  */
-    VAR_FAKE_DSA = 497,            /* VAR_FAKE_DSA  */
+    VAR_SERVE_ORIGINAL_TTL = 497,  /* VAR_SERVE_ORIGINAL_TTL  */
-    VAR_FAKE_SHA1 = 498,           /* VAR_FAKE_SHA1  */
+    VAR_FAKE_DSA = 498,            /* VAR_FAKE_DSA  */
-    VAR_LOG_IDENTITY = 499,        /* VAR_LOG_IDENTITY  */
+    VAR_FAKE_SHA1 = 499,           /* VAR_FAKE_SHA1  */
-    VAR_HIDE_TRUSTANCHOR = 500,    /* VAR_HIDE_TRUSTANCHOR  */
+    VAR_LOG_IDENTITY = 500,        /* VAR_LOG_IDENTITY  */
-    VAR_HIDE_HTTP_USER_AGENT = 501, /* VAR_HIDE_HTTP_USER_AGENT  */
+    VAR_HIDE_TRUSTANCHOR = 501,    /* VAR_HIDE_TRUSTANCHOR  */
-    VAR_HTTP_USER_AGENT = 502,     /* VAR_HTTP_USER_AGENT  */
+    VAR_HIDE_HTTP_USER_AGENT = 502, /* VAR_HIDE_HTTP_USER_AGENT  */
-    VAR_TRUST_ANCHOR_SIGNALING = 503, /* VAR_TRUST_ANCHOR_SIGNALING  */
+    VAR_HTTP_USER_AGENT = 503,     /* VAR_HTTP_USER_AGENT  */
-    VAR_AGGRESSIVE_NSEC = 504,     /* VAR_AGGRESSIVE_NSEC  */
+    VAR_TRUST_ANCHOR_SIGNALING = 504, /* VAR_TRUST_ANCHOR_SIGNALING  */
-    VAR_USE_SYSTEMD = 505,         /* VAR_USE_SYSTEMD  */
+    VAR_AGGRESSIVE_NSEC = 505,     /* VAR_AGGRESSIVE_NSEC  */
-    VAR_SHM_ENABLE = 506,          /* VAR_SHM_ENABLE  */
+    VAR_USE_SYSTEMD = 506,         /* VAR_USE_SYSTEMD  */
-    VAR_SHM_KEY = 507,             /* VAR_SHM_KEY  */
+    VAR_SHM_ENABLE = 507,          /* VAR_SHM_ENABLE  */
-    VAR_ROOT_KEY_SENTINEL = 508,   /* VAR_ROOT_KEY_SENTINEL  */
+    VAR_SHM_KEY = 508,             /* VAR_SHM_KEY  */
-    VAR_DNSCRYPT = 509,            /* VAR_DNSCRYPT  */
+    VAR_ROOT_KEY_SENTINEL = 509,   /* VAR_ROOT_KEY_SENTINEL  */
-    VAR_DNSCRYPT_ENABLE = 510,     /* VAR_DNSCRYPT_ENABLE  */
+    VAR_DNSCRYPT = 510,            /* VAR_DNSCRYPT  */
-    VAR_DNSCRYPT_PORT = 511,       /* VAR_DNSCRYPT_PORT  */
+    VAR_DNSCRYPT_ENABLE = 511,     /* VAR_DNSCRYPT_ENABLE  */
-    VAR_DNSCRYPT_PROVIDER = 512,   /* VAR_DNSCRYPT_PROVIDER  */
+    VAR_DNSCRYPT_PORT = 512,       /* VAR_DNSCRYPT_PORT  */
-    VAR_DNSCRYPT_SECRET_KEY = 513, /* VAR_DNSCRYPT_SECRET_KEY  */
+    VAR_DNSCRYPT_PROVIDER = 513,   /* VAR_DNSCRYPT_PROVIDER  */
-    VAR_DNSCRYPT_PROVIDER_CERT = 514, /* VAR_DNSCRYPT_PROVIDER_CERT  */
+    VAR_DNSCRYPT_SECRET_KEY = 514, /* VAR_DNSCRYPT_SECRET_KEY  */
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 515, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED  */
+    VAR_DNSCRYPT_PROVIDER_CERT = 515, /* VAR_DNSCRYPT_PROVIDER_CERT  */
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 516, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE  */
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 516, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED  */
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 517, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS  */
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 517, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE  */
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 518, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE  */
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 518, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS  */
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 519, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS  */
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 519, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE  */
-    VAR_PAD_RESPONSES = 520,       /* VAR_PAD_RESPONSES  */
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 520, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS  */
-    VAR_PAD_RESPONSES_BLOCK_SIZE = 521, /* VAR_PAD_RESPONSES_BLOCK_SIZE  */
+    VAR_PAD_RESPONSES = 521,       /* VAR_PAD_RESPONSES  */
-    VAR_PAD_QUERIES = 522,         /* VAR_PAD_QUERIES  */
+    VAR_PAD_RESPONSES_BLOCK_SIZE = 522, /* VAR_PAD_RESPONSES_BLOCK_SIZE  */
-    VAR_PAD_QUERIES_BLOCK_SIZE = 523, /* VAR_PAD_QUERIES_BLOCK_SIZE  */
+    VAR_PAD_QUERIES = 523,         /* VAR_PAD_QUERIES  */
-    VAR_IPSECMOD_ENABLED = 524,    /* VAR_IPSECMOD_ENABLED  */
+    VAR_PAD_QUERIES_BLOCK_SIZE = 524, /* VAR_PAD_QUERIES_BLOCK_SIZE  */
-    VAR_IPSECMOD_HOOK = 525,       /* VAR_IPSECMOD_HOOK  */
+    VAR_IPSECMOD_ENABLED = 525,    /* VAR_IPSECMOD_ENABLED  */
-    VAR_IPSECMOD_IGNORE_BOGUS = 526, /* VAR_IPSECMOD_IGNORE_BOGUS  */
+    VAR_IPSECMOD_HOOK = 526,       /* VAR_IPSECMOD_HOOK  */
-    VAR_IPSECMOD_MAX_TTL = 527,    /* VAR_IPSECMOD_MAX_TTL  */
+    VAR_IPSECMOD_IGNORE_BOGUS = 527, /* VAR_IPSECMOD_IGNORE_BOGUS  */
-    VAR_IPSECMOD_WHITELIST = 528,  /* VAR_IPSECMOD_WHITELIST  */
+    VAR_IPSECMOD_MAX_TTL = 528,    /* VAR_IPSECMOD_MAX_TTL  */
-    VAR_IPSECMOD_STRICT = 529,     /* VAR_IPSECMOD_STRICT  */
+    VAR_IPSECMOD_WHITELIST = 529,  /* VAR_IPSECMOD_WHITELIST  */
-    VAR_CACHEDB = 530,             /* VAR_CACHEDB  */
+    VAR_IPSECMOD_STRICT = 530,     /* VAR_IPSECMOD_STRICT  */
-    VAR_CACHEDB_BACKEND = 531,     /* VAR_CACHEDB_BACKEND  */
+    VAR_CACHEDB = 531,             /* VAR_CACHEDB  */
-    VAR_CACHEDB_SECRETSEED = 532,  /* VAR_CACHEDB_SECRETSEED  */
+    VAR_CACHEDB_BACKEND = 532,     /* VAR_CACHEDB_BACKEND  */
-    VAR_CACHEDB_REDISHOST = 533,   /* VAR_CACHEDB_REDISHOST  */
+    VAR_CACHEDB_SECRETSEED = 533,  /* VAR_CACHEDB_SECRETSEED  */
-    VAR_CACHEDB_REDISPORT = 534,   /* VAR_CACHEDB_REDISPORT  */
+    VAR_CACHEDB_REDISHOST = 534,   /* VAR_CACHEDB_REDISHOST  */
-    VAR_CACHEDB_REDISTIMEOUT = 535, /* VAR_CACHEDB_REDISTIMEOUT  */
+    VAR_CACHEDB_REDISPORT = 535,   /* VAR_CACHEDB_REDISPORT  */
-    VAR_CACHEDB_REDISEXPIRERECORDS = 536, /* VAR_CACHEDB_REDISEXPIRERECORDS  */
+    VAR_CACHEDB_REDISTIMEOUT = 536, /* VAR_CACHEDB_REDISTIMEOUT  */
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 537, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM  */
+    VAR_CACHEDB_REDISEXPIRERECORDS = 537, /* VAR_CACHEDB_REDISEXPIRERECORDS  */
-    VAR_FOR_UPSTREAM = 538,        /* VAR_FOR_UPSTREAM  */
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 538, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM  */
-    VAR_AUTH_ZONE = 539,           /* VAR_AUTH_ZONE  */
+    VAR_FOR_UPSTREAM = 539,        /* VAR_FOR_UPSTREAM  */
-    VAR_ZONEFILE = 540,            /* VAR_ZONEFILE  */
+    VAR_AUTH_ZONE = 540,           /* VAR_AUTH_ZONE  */
-    VAR_MASTER = 541,              /* VAR_MASTER  */
+    VAR_ZONEFILE = 541,            /* VAR_ZONEFILE  */
-    VAR_URL = 542,                 /* VAR_URL  */
+    VAR_MASTER = 542,              /* VAR_MASTER  */
-    VAR_FOR_DOWNSTREAM = 543,      /* VAR_FOR_DOWNSTREAM  */
+    VAR_URL = 543,                 /* VAR_URL  */
-    VAR_FALLBACK_ENABLED = 544,    /* VAR_FALLBACK_ENABLED  */
+    VAR_FOR_DOWNSTREAM = 544,      /* VAR_FOR_DOWNSTREAM  */
-    VAR_TLS_ADDITIONAL_PORT = 545, /* VAR_TLS_ADDITIONAL_PORT  */
+    VAR_FALLBACK_ENABLED = 545,    /* VAR_FALLBACK_ENABLED  */
-    VAR_LOW_RTT = 546,             /* VAR_LOW_RTT  */
+    VAR_TLS_ADDITIONAL_PORT = 546, /* VAR_TLS_ADDITIONAL_PORT  */
-    VAR_LOW_RTT_PERMIL = 547,      /* VAR_LOW_RTT_PERMIL  */
+    VAR_LOW_RTT = 547,             /* VAR_LOW_RTT  */
-    VAR_FAST_SERVER_PERMIL = 548,  /* VAR_FAST_SERVER_PERMIL  */
+    VAR_LOW_RTT_PERMIL = 548,      /* VAR_LOW_RTT_PERMIL  */
-    VAR_FAST_SERVER_NUM = 549,     /* VAR_FAST_SERVER_NUM  */
+    VAR_FAST_SERVER_PERMIL = 549,  /* VAR_FAST_SERVER_PERMIL  */
-    VAR_ALLOW_NOTIFY = 550,        /* VAR_ALLOW_NOTIFY  */
+    VAR_FAST_SERVER_NUM = 550,     /* VAR_FAST_SERVER_NUM  */
-    VAR_TLS_WIN_CERT = 551,        /* VAR_TLS_WIN_CERT  */
+    VAR_ALLOW_NOTIFY = 551,        /* VAR_ALLOW_NOTIFY  */
-    VAR_TCP_CONNECTION_LIMIT = 552, /* VAR_TCP_CONNECTION_LIMIT  */
+    VAR_TLS_WIN_CERT = 552,        /* VAR_TLS_WIN_CERT  */
-    VAR_FORWARD_NO_CACHE = 553,    /* VAR_FORWARD_NO_CACHE  */
+    VAR_TCP_CONNECTION_LIMIT = 553, /* VAR_TCP_CONNECTION_LIMIT  */
-    VAR_STUB_NO_CACHE = 554,       /* VAR_STUB_NO_CACHE  */
+    VAR_FORWARD_NO_CACHE = 554,    /* VAR_FORWARD_NO_CACHE  */
-    VAR_LOG_SERVFAIL = 555,        /* VAR_LOG_SERVFAIL  */
+    VAR_STUB_NO_CACHE = 555,       /* VAR_STUB_NO_CACHE  */
-    VAR_DENY_ANY = 556,            /* VAR_DENY_ANY  */
+    VAR_LOG_SERVFAIL = 556,        /* VAR_LOG_SERVFAIL  */
-    VAR_UNKNOWN_SERVER_TIME_LIMIT = 557, /* VAR_UNKNOWN_SERVER_TIME_LIMIT  */
+    VAR_DENY_ANY = 557,            /* VAR_DENY_ANY  */
-    VAR_LOG_TAG_QUERYREPLY = 558,  /* VAR_LOG_TAG_QUERYREPLY  */
+    VAR_UNKNOWN_SERVER_TIME_LIMIT = 558, /* VAR_UNKNOWN_SERVER_TIME_LIMIT  */
-    VAR_STREAM_WAIT_SIZE = 559,    /* VAR_STREAM_WAIT_SIZE  */
+    VAR_LOG_TAG_QUERYREPLY = 559,  /* VAR_LOG_TAG_QUERYREPLY  */
-    VAR_TLS_CIPHERS = 560,         /* VAR_TLS_CIPHERS  */
+    VAR_STREAM_WAIT_SIZE = 560,    /* VAR_STREAM_WAIT_SIZE  */
-    VAR_TLS_CIPHERSUITES = 561,    /* VAR_TLS_CIPHERSUITES  */
+    VAR_TLS_CIPHERS = 561,         /* VAR_TLS_CIPHERS  */
-    VAR_TLS_USE_SNI = 562,         /* VAR_TLS_USE_SNI  */
+    VAR_TLS_CIPHERSUITES = 562,    /* VAR_TLS_CIPHERSUITES  */
-    VAR_IPSET = 563,               /* VAR_IPSET  */
+    VAR_TLS_USE_SNI = 563,         /* VAR_TLS_USE_SNI  */
-    VAR_IPSET_NAME_V4 = 564,       /* VAR_IPSET_NAME_V4  */
+    VAR_IPSET = 564,               /* VAR_IPSET  */
-    VAR_IPSET_NAME_V6 = 565,       /* VAR_IPSET_NAME_V6  */
+    VAR_IPSET_NAME_V4 = 565,       /* VAR_IPSET_NAME_V4  */
-    VAR_TLS_SESSION_TICKET_KEYS = 566, /* VAR_TLS_SESSION_TICKET_KEYS  */
+    VAR_IPSET_NAME_V6 = 566,       /* VAR_IPSET_NAME_V6  */
-    VAR_RPZ = 567,                 /* VAR_RPZ  */
+    VAR_TLS_SESSION_TICKET_KEYS = 567, /* VAR_TLS_SESSION_TICKET_KEYS  */
-    VAR_TAGS = 568,                /* VAR_TAGS  */
+    VAR_RPZ = 568,                 /* VAR_RPZ  */
-    VAR_RPZ_ACTION_OVERRIDE = 569, /* VAR_RPZ_ACTION_OVERRIDE  */
+    VAR_TAGS = 569,                /* VAR_TAGS  */
-    VAR_RPZ_CNAME_OVERRIDE = 570,  /* VAR_RPZ_CNAME_OVERRIDE  */
+    VAR_RPZ_ACTION_OVERRIDE = 570, /* VAR_RPZ_ACTION_OVERRIDE  */
-    VAR_RPZ_LOG = 571,             /* VAR_RPZ_LOG  */
+    VAR_RPZ_CNAME_OVERRIDE = 571,  /* VAR_RPZ_CNAME_OVERRIDE  */
-    VAR_RPZ_LOG_NAME = 572,        /* VAR_RPZ_LOG_NAME  */
+    VAR_RPZ_LOG = 572,             /* VAR_RPZ_LOG  */
-    VAR_DYNLIB = 573,              /* VAR_DYNLIB  */
+    VAR_RPZ_LOG_NAME = 573,        /* VAR_RPZ_LOG_NAME  */
-    VAR_DYNLIB_FILE = 574,         /* VAR_DYNLIB_FILE  */
+    VAR_DYNLIB = 574,              /* VAR_DYNLIB  */
-    VAR_EDNS_CLIENT_STRING = 575,  /* VAR_EDNS_CLIENT_STRING  */
+    VAR_DYNLIB_FILE = 575,         /* VAR_DYNLIB_FILE  */
-    VAR_EDNS_CLIENT_STRING_OPCODE = 576, /* VAR_EDNS_CLIENT_STRING_OPCODE  */
+    VAR_EDNS_CLIENT_STRING = 576,  /* VAR_EDNS_CLIENT_STRING  */
-    VAR_NSID = 577,                /* VAR_NSID  */
+    VAR_EDNS_CLIENT_STRING_OPCODE = 577, /* VAR_EDNS_CLIENT_STRING_OPCODE  */
-    VAR_ZONEMD_PERMISSIVE_MODE = 578, /* VAR_ZONEMD_PERMISSIVE_MODE  */
+    VAR_NSID = 578,                /* VAR_NSID  */
-    VAR_ZONEMD_CHECK = 579,        /* VAR_ZONEMD_CHECK  */
+    VAR_ZONEMD_PERMISSIVE_MODE = 579, /* VAR_ZONEMD_PERMISSIVE_MODE  */
-    VAR_ZONEMD_REJECT_ABSENCE = 580, /* VAR_ZONEMD_REJECT_ABSENCE  */
+    VAR_ZONEMD_CHECK = 580,        /* VAR_ZONEMD_CHECK  */
-    VAR_RPZ_SIGNAL_NXDOMAIN_RA = 581, /* VAR_RPZ_SIGNAL_NXDOMAIN_RA  */
+    VAR_ZONEMD_REJECT_ABSENCE = 581, /* VAR_ZONEMD_REJECT_ABSENCE  */
-    VAR_INTERFACE_AUTOMATIC_PORTS = 582, /* VAR_INTERFACE_AUTOMATIC_PORTS  */
+    VAR_RPZ_SIGNAL_NXDOMAIN_RA = 582, /* VAR_RPZ_SIGNAL_NXDOMAIN_RA  */
-    VAR_EDE = 583,                 /* VAR_EDE  */
+    VAR_INTERFACE_AUTOMATIC_PORTS = 583, /* VAR_INTERFACE_AUTOMATIC_PORTS  */
-    VAR_INTERFACE_ACTION = 584,    /* VAR_INTERFACE_ACTION  */
+    VAR_EDE = 584,                 /* VAR_EDE  */
-    VAR_INTERFACE_VIEW = 585,      /* VAR_INTERFACE_VIEW  */
+    VAR_INTERFACE_ACTION = 585,    /* VAR_INTERFACE_ACTION  */
-    VAR_INTERFACE_TAG = 586,       /* VAR_INTERFACE_TAG  */
+    VAR_INTERFACE_VIEW = 586,      /* VAR_INTERFACE_VIEW  */
-    VAR_INTERFACE_TAG_ACTION = 587, /* VAR_INTERFACE_TAG_ACTION  */
+    VAR_INTERFACE_TAG = 587,       /* VAR_INTERFACE_TAG  */
-    VAR_INTERFACE_TAG_DATA = 588,  /* VAR_INTERFACE_TAG_DATA  */
+    VAR_INTERFACE_TAG_ACTION = 588, /* VAR_INTERFACE_TAG_ACTION  */
-    VAR_PROXY_PROTOCOL_PORT = 589, /* VAR_PROXY_PROTOCOL_PORT  */
+    VAR_INTERFACE_TAG_DATA = 589,  /* VAR_INTERFACE_TAG_DATA  */
-    VAR_STATISTICS_INHIBIT_ZERO = 590 /* VAR_STATISTICS_INHIBIT_ZERO  */
+    VAR_PROXY_PROTOCOL_PORT = 590, /* VAR_PROXY_PROTOCOL_PORT  */
    VAR_STATISTICS_INHIBIT_ZERO = 591 /* VAR_STATISTICS_INHIBIT_ZERO  */
  };
  typedef enum yytokentype yytoken_kind_t;
 #endif
@ -596,138 +597,139 @@ extern int yydebug;
 #define VAR_RATELIMIT_SIZE 456
 #define VAR_OUTBOUND_MSG_RETRY 457
 #define VAR_MAX_SENT_COUNT 458
-#define VAR_RATELIMIT_FOR_DOMAIN 459
+#define VAR_MAX_QUERY_RESTARTS 459
-#define VAR_RATELIMIT_BELOW_DOMAIN 460
+#define VAR_RATELIMIT_FOR_DOMAIN 460
-#define VAR_IP_RATELIMIT_FACTOR 461
+#define VAR_RATELIMIT_BELOW_DOMAIN 461
-#define VAR_RATELIMIT_FACTOR 462
+#define VAR_IP_RATELIMIT_FACTOR 462
-#define VAR_IP_RATELIMIT_BACKOFF 463
+#define VAR_RATELIMIT_FACTOR 463
-#define VAR_RATELIMIT_BACKOFF 464
+#define VAR_IP_RATELIMIT_BACKOFF 464
-#define VAR_SEND_CLIENT_SUBNET 465
+#define VAR_RATELIMIT_BACKOFF 465
-#define VAR_CLIENT_SUBNET_ZONE 466
+#define VAR_SEND_CLIENT_SUBNET 466
-#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 467
+#define VAR_CLIENT_SUBNET_ZONE 467
-#define VAR_CLIENT_SUBNET_OPCODE 468
+#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 468
-#define VAR_MAX_CLIENT_SUBNET_IPV4 469
+#define VAR_CLIENT_SUBNET_OPCODE 469
-#define VAR_MAX_CLIENT_SUBNET_IPV6 470
+#define VAR_MAX_CLIENT_SUBNET_IPV4 470
-#define VAR_MIN_CLIENT_SUBNET_IPV4 471
+#define VAR_MAX_CLIENT_SUBNET_IPV6 471
-#define VAR_MIN_CLIENT_SUBNET_IPV6 472
+#define VAR_MIN_CLIENT_SUBNET_IPV4 472
-#define VAR_MAX_ECS_TREE_SIZE_IPV4 473
+#define VAR_MIN_CLIENT_SUBNET_IPV6 473
-#define VAR_MAX_ECS_TREE_SIZE_IPV6 474
+#define VAR_MAX_ECS_TREE_SIZE_IPV4 474
-#define VAR_CAPS_WHITELIST 475
+#define VAR_MAX_ECS_TREE_SIZE_IPV6 475
-#define VAR_CACHE_MAX_NEGATIVE_TTL 476
+#define VAR_CAPS_WHITELIST 476
-#define VAR_PERMIT_SMALL_HOLDDOWN 477
+#define VAR_CACHE_MAX_NEGATIVE_TTL 477
-#define VAR_QNAME_MINIMISATION 478
+#define VAR_PERMIT_SMALL_HOLDDOWN 478
-#define VAR_QNAME_MINIMISATION_STRICT 479
+#define VAR_QNAME_MINIMISATION 479
-#define VAR_IP_FREEBIND 480
+#define VAR_QNAME_MINIMISATION_STRICT 480
-#define VAR_DEFINE_TAG 481
+#define VAR_IP_FREEBIND 481
-#define VAR_LOCAL_ZONE_TAG 482
+#define VAR_DEFINE_TAG 482
-#define VAR_ACCESS_CONTROL_TAG 483
+#define VAR_LOCAL_ZONE_TAG 483
-#define VAR_LOCAL_ZONE_OVERRIDE 484
+#define VAR_ACCESS_CONTROL_TAG 484
-#define VAR_ACCESS_CONTROL_TAG_ACTION 485
+#define VAR_LOCAL_ZONE_OVERRIDE 485
-#define VAR_ACCESS_CONTROL_TAG_DATA 486
+#define VAR_ACCESS_CONTROL_TAG_ACTION 486
-#define VAR_VIEW 487
+#define VAR_ACCESS_CONTROL_TAG_DATA 487
-#define VAR_ACCESS_CONTROL_VIEW 488
+#define VAR_VIEW 488
-#define VAR_VIEW_FIRST 489
+#define VAR_ACCESS_CONTROL_VIEW 489
-#define VAR_SERVE_EXPIRED 490
+#define VAR_VIEW_FIRST 490
-#define VAR_SERVE_EXPIRED_TTL 491
+#define VAR_SERVE_EXPIRED 491
-#define VAR_SERVE_EXPIRED_TTL_RESET 492
+#define VAR_SERVE_EXPIRED_TTL 492
-#define VAR_SERVE_EXPIRED_REPLY_TTL 493
+#define VAR_SERVE_EXPIRED_TTL_RESET 493
-#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 494
+#define VAR_SERVE_EXPIRED_REPLY_TTL 494
-#define VAR_EDE_SERVE_EXPIRED 495
+#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 495
-#define VAR_SERVE_ORIGINAL_TTL 496
+#define VAR_EDE_SERVE_EXPIRED 496
-#define VAR_FAKE_DSA 497
+#define VAR_SERVE_ORIGINAL_TTL 497
-#define VAR_FAKE_SHA1 498
+#define VAR_FAKE_DSA 498
-#define VAR_LOG_IDENTITY 499
+#define VAR_FAKE_SHA1 499
-#define VAR_HIDE_TRUSTANCHOR 500
+#define VAR_LOG_IDENTITY 500
-#define VAR_HIDE_HTTP_USER_AGENT 501
+#define VAR_HIDE_TRUSTANCHOR 501
-#define VAR_HTTP_USER_AGENT 502
+#define VAR_HIDE_HTTP_USER_AGENT 502
-#define VAR_TRUST_ANCHOR_SIGNALING 503
+#define VAR_HTTP_USER_AGENT 503
-#define VAR_AGGRESSIVE_NSEC 504
+#define VAR_TRUST_ANCHOR_SIGNALING 504
-#define VAR_USE_SYSTEMD 505
+#define VAR_AGGRESSIVE_NSEC 505
-#define VAR_SHM_ENABLE 506
+#define VAR_USE_SYSTEMD 506
-#define VAR_SHM_KEY 507
+#define VAR_SHM_ENABLE 507
-#define VAR_ROOT_KEY_SENTINEL 508
+#define VAR_SHM_KEY 508
-#define VAR_DNSCRYPT 509
+#define VAR_ROOT_KEY_SENTINEL 509
-#define VAR_DNSCRYPT_ENABLE 510
+#define VAR_DNSCRYPT 510
-#define VAR_DNSCRYPT_PORT 511
+#define VAR_DNSCRYPT_ENABLE 511
-#define VAR_DNSCRYPT_PROVIDER 512
+#define VAR_DNSCRYPT_PORT 512
-#define VAR_DNSCRYPT_SECRET_KEY 513
+#define VAR_DNSCRYPT_PROVIDER 513
-#define VAR_DNSCRYPT_PROVIDER_CERT 514
+#define VAR_DNSCRYPT_SECRET_KEY 514
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 515
+#define VAR_DNSCRYPT_PROVIDER_CERT 515
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 516
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 516
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 517
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 517
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 518
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 518
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 519
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 519
-#define VAR_PAD_RESPONSES 520
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 520
-#define VAR_PAD_RESPONSES_BLOCK_SIZE 521
+#define VAR_PAD_RESPONSES 521
-#define VAR_PAD_QUERIES 522
+#define VAR_PAD_RESPONSES_BLOCK_SIZE 522
-#define VAR_PAD_QUERIES_BLOCK_SIZE 523
+#define VAR_PAD_QUERIES 523
-#define VAR_IPSECMOD_ENABLED 524
+#define VAR_PAD_QUERIES_BLOCK_SIZE 524
-#define VAR_IPSECMOD_HOOK 525
+#define VAR_IPSECMOD_ENABLED 525
-#define VAR_IPSECMOD_IGNORE_BOGUS 526
+#define VAR_IPSECMOD_HOOK 526
-#define VAR_IPSECMOD_MAX_TTL 527
+#define VAR_IPSECMOD_IGNORE_BOGUS 527
-#define VAR_IPSECMOD_WHITELIST 528
+#define VAR_IPSECMOD_MAX_TTL 528
-#define VAR_IPSECMOD_STRICT 529
+#define VAR_IPSECMOD_WHITELIST 529
-#define VAR_CACHEDB 530
+#define VAR_IPSECMOD_STRICT 530
-#define VAR_CACHEDB_BACKEND 531
+#define VAR_CACHEDB 531
-#define VAR_CACHEDB_SECRETSEED 532
+#define VAR_CACHEDB_BACKEND 532
-#define VAR_CACHEDB_REDISHOST 533
+#define VAR_CACHEDB_SECRETSEED 533
-#define VAR_CACHEDB_REDISPORT 534
+#define VAR_CACHEDB_REDISHOST 534
-#define VAR_CACHEDB_REDISTIMEOUT 535
+#define VAR_CACHEDB_REDISPORT 535
-#define VAR_CACHEDB_REDISEXPIRERECORDS 536
+#define VAR_CACHEDB_REDISTIMEOUT 536
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 537
+#define VAR_CACHEDB_REDISEXPIRERECORDS 537
-#define VAR_FOR_UPSTREAM 538
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 538
-#define VAR_AUTH_ZONE 539
+#define VAR_FOR_UPSTREAM 539
-#define VAR_ZONEFILE 540
+#define VAR_AUTH_ZONE 540
-#define VAR_MASTER 541
+#define VAR_ZONEFILE 541
-#define VAR_URL 542
+#define VAR_MASTER 542
-#define VAR_FOR_DOWNSTREAM 543
+#define VAR_URL 543
-#define VAR_FALLBACK_ENABLED 544
+#define VAR_FOR_DOWNSTREAM 544
-#define VAR_TLS_ADDITIONAL_PORT 545
+#define VAR_FALLBACK_ENABLED 545
-#define VAR_LOW_RTT 546
+#define VAR_TLS_ADDITIONAL_PORT 546
-#define VAR_LOW_RTT_PERMIL 547
+#define VAR_LOW_RTT 547
-#define VAR_FAST_SERVER_PERMIL 548
+#define VAR_LOW_RTT_PERMIL 548
-#define VAR_FAST_SERVER_NUM 549
+#define VAR_FAST_SERVER_PERMIL 549
-#define VAR_ALLOW_NOTIFY 550
+#define VAR_FAST_SERVER_NUM 550
-#define VAR_TLS_WIN_CERT 551
+#define VAR_ALLOW_NOTIFY 551
-#define VAR_TCP_CONNECTION_LIMIT 552
+#define VAR_TLS_WIN_CERT 552
-#define VAR_FORWARD_NO_CACHE 553
+#define VAR_TCP_CONNECTION_LIMIT 553
-#define VAR_STUB_NO_CACHE 554
+#define VAR_FORWARD_NO_CACHE 554
-#define VAR_LOG_SERVFAIL 555
+#define VAR_STUB_NO_CACHE 555
-#define VAR_DENY_ANY 556
+#define VAR_LOG_SERVFAIL 556
-#define VAR_UNKNOWN_SERVER_TIME_LIMIT 557
+#define VAR_DENY_ANY 557
-#define VAR_LOG_TAG_QUERYREPLY 558
+#define VAR_UNKNOWN_SERVER_TIME_LIMIT 558
-#define VAR_STREAM_WAIT_SIZE 559
+#define VAR_LOG_TAG_QUERYREPLY 559
-#define VAR_TLS_CIPHERS 560
+#define VAR_STREAM_WAIT_SIZE 560
-#define VAR_TLS_CIPHERSUITES 561
+#define VAR_TLS_CIPHERS 561
-#define VAR_TLS_USE_SNI 562
+#define VAR_TLS_CIPHERSUITES 562
-#define VAR_IPSET 563
+#define VAR_TLS_USE_SNI 563
-#define VAR_IPSET_NAME_V4 564
+#define VAR_IPSET 564
-#define VAR_IPSET_NAME_V6 565
+#define VAR_IPSET_NAME_V4 565
-#define VAR_TLS_SESSION_TICKET_KEYS 566
+#define VAR_IPSET_NAME_V6 566
-#define VAR_RPZ 567
+#define VAR_TLS_SESSION_TICKET_KEYS 567
-#define VAR_TAGS 568
+#define VAR_RPZ 568
-#define VAR_RPZ_ACTION_OVERRIDE 569
+#define VAR_TAGS 569
-#define VAR_RPZ_CNAME_OVERRIDE 570
+#define VAR_RPZ_ACTION_OVERRIDE 570
-#define VAR_RPZ_LOG 571
+#define VAR_RPZ_CNAME_OVERRIDE 571
-#define VAR_RPZ_LOG_NAME 572
+#define VAR_RPZ_LOG 572
-#define VAR_DYNLIB 573
+#define VAR_RPZ_LOG_NAME 573
-#define VAR_DYNLIB_FILE 574
+#define VAR_DYNLIB 574
-#define VAR_EDNS_CLIENT_STRING 575
+#define VAR_DYNLIB_FILE 575
-#define VAR_EDNS_CLIENT_STRING_OPCODE 576
+#define VAR_EDNS_CLIENT_STRING 576
-#define VAR_NSID 577
+#define VAR_EDNS_CLIENT_STRING_OPCODE 577
-#define VAR_ZONEMD_PERMISSIVE_MODE 578
+#define VAR_NSID 578
-#define VAR_ZONEMD_CHECK 579
+#define VAR_ZONEMD_PERMISSIVE_MODE 579
-#define VAR_ZONEMD_REJECT_ABSENCE 580
+#define VAR_ZONEMD_CHECK 580
-#define VAR_RPZ_SIGNAL_NXDOMAIN_RA 581
+#define VAR_ZONEMD_REJECT_ABSENCE 581
-#define VAR_INTERFACE_AUTOMATIC_PORTS 582
+#define VAR_RPZ_SIGNAL_NXDOMAIN_RA 582
-#define VAR_EDE 583
+#define VAR_INTERFACE_AUTOMATIC_PORTS 583
-#define VAR_INTERFACE_ACTION 584
+#define VAR_EDE 584
-#define VAR_INTERFACE_VIEW 585
+#define VAR_INTERFACE_ACTION 585
-#define VAR_INTERFACE_TAG 586
+#define VAR_INTERFACE_VIEW 586
-#define VAR_INTERFACE_TAG_ACTION 587
+#define VAR_INTERFACE_TAG 587
-#define VAR_INTERFACE_TAG_DATA 588
+#define VAR_INTERFACE_TAG_ACTION 588
-#define VAR_PROXY_PROTOCOL_PORT 589
+#define VAR_INTERFACE_TAG_DATA 589
-#define VAR_STATISTICS_INHIBIT_ZERO 590
+#define VAR_PROXY_PROTOCOL_PORT 590
 #define VAR_STATISTICS_INHIBIT_ZERO 591
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@ -737,7 +739,7 @@ union YYSTYPE
 	char*	str;
-#line 741 "util/configparser.h"
+#line 743 "util/configparser.h"
 };
 typedef union YYSTYPE YYSTYPE;
--- a/util/configparser.y
+++ b/util/configparser.y
@ -140,7 +140,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_DISABLE_DNSSEC_LAME_CHECK
 %token VAR_IP_RATELIMIT VAR_IP_RATELIMIT_SLABS VAR_IP_RATELIMIT_SIZE
 %token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
-%token VAR_OUTBOUND_MSG_RETRY VAR_MAX_SENT_COUNT
+%token VAR_OUTBOUND_MSG_RETRY VAR_MAX_SENT_COUNT VAR_MAX_QUERY_RESTARTS
 %token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN
 %token VAR_IP_RATELIMIT_FACTOR VAR_RATELIMIT_FACTOR
 %token VAR_IP_RATELIMIT_BACKOFF VAR_RATELIMIT_BACKOFF
@ -281,7 +281,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_ratelimit_for_domain |
 	server_ratelimit_below_domain | server_ratelimit_factor |
 	server_ip_ratelimit_factor | server_ratelimit_backoff |
-	server_ip_ratelimit_backoff | server_outbound_msg_retry | server_max_sent_count |
+	server_ip_ratelimit_backoff | server_outbound_msg_retry |
 	server_max_sent_count | server_max_query_restarts |
 	server_send_client_subnet | server_client_subnet_zone |
 	server_client_subnet_always_forward | server_client_subnet_opcode |
 	server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 |
@ -2654,6 +2655,15 @@ server_max_sent_count: VAR_MAX_SENT_COUNT STRING_ARG
 		free($2);
 	}
 	;
 server_max_query_restarts: VAR_MAX_QUERY_RESTARTS STRING_ARG
 	{
 		OUTYY(("P(server_max_query_restarts:%s)\n", $2));
 		if(atoi($2) == 0 && strcmp($2, "0") != 0)
 			yyerror("number expected");
 		else cfg_parser->cfg->max_query_restarts = atoi($2);
 		free($2);
 	}
 	;
 server_low_rtt: VAR_LOW_RTT STRING_ARG
 	{
 		OUTYY(("P(low-rtt option is deprecated, use fast-server-num instead)\n"));