- Merge EDNS Client subnet implementation from feature branch into main branch,

using new EDNS processing framework.


git-svn-id: file:///svn/unbound/trunk@4074 be551aaa-1e26-0410-a405-d3ace91eadb9

Makefile.in

@@ -97,6 +97,9 @@ PYTHONMOD_HEADER=@PYTHONMOD_HEADER@
 PYUNBOUND_SRC=
 # libunbound_wrap.lo if python libunbound wrapper enabled.
 PYUNBOUND_OBJ=@PYUNBOUND_OBJ@
+SUBNET_SRC=edns-subnet/edns-subnet.c edns-subnet/subnetmod.c edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c
+SUBNET_OBJ=@SUBNET_OBJ@
+SUBNET_HEADER=@SUBNET_HEADER@
 COMMON_SRC=services/cache/dns.c services/cache/infra.c services/cache/rrset.c \
 util/as112.c util/data/dname.c util/data/msgencode.c util/data/msgparse.c \
 util/data/msgreply.c util/data/packed_rrset.c iterator/iterator.c \
@@ -116,6 +119,8 @@ validator/autotrust.c validator/val_anchor.c validator/validator.c \
 validator/val_kcache.c validator/val_kentry.c validator/val_neg.c \
 validator/val_nsec3.c validator/val_nsec.c validator/val_secalgo.c \
 validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \
+edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
+edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
 cachedb/cachedb.c respip/respip.c $(CHECKLOCK_SRC) \
 $(DNSTAP_SRC) $(DNSCRYPT_SRC)
 COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
@@ -128,7 +133,7 @@ random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
 slabhash.lo timehist.lo tube.lo winsock_event.lo autotrust.lo val_anchor.lo \
 validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
 val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo \
-$(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ)
+$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ)
 COMMON_OBJ_WITHOUT_NETCALL+=respip.lo
 COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
 outside_network.lo
@@ -153,10 +158,11 @@ str2wire.lo
 UNITTEST_SRC=testcode/unitanchor.c testcode/unitdname.c \
 testcode/unitlruhash.c testcode/unitmain.c testcode/unitmsgparse.c \
 testcode/unitneg.c testcode/unitregional.c testcode/unitslabhash.c \
-testcode/unitverify.c testcode/readhex.c testcode/testpkts.c testcode/unitldns.c
+testcode/unitverify.c testcode/readhex.c testcode/testpkts.c testcode/unitldns.c \
+testcode/unitecs.c
 UNITTEST_OBJ=unitanchor.lo unitdname.lo unitlruhash.lo unitmain.lo \
 unitmsgparse.lo unitneg.lo unitregional.lo unitslabhash.lo unitverify.lo \
-readhex.lo testpkts.lo unitldns.lo
+readhex.lo testpkts.lo unitldns.lo unitecs.lo
 UNITTEST_OBJ_LINK=$(UNITTEST_OBJ) worker_cb.lo $(COMMON_OBJ) $(SLDNS_OBJ) \
 $(COMPAT_OBJ)
 DAEMON_SRC=daemon/acl_list.c daemon/cachedump.c daemon/daemon.c \
@@ -598,6 +604,7 @@ depend:
 			-e 's?$$(srcdir)/dnstap/dnstap_config.h??g' \
 			-e 's?$$(srcdir)/dnscrypt/dnscrypt_config.h??g' \
 			-e 's?$$(srcdir)/pythonmod/pythonmod.h?$$(PYTHONMOD_HEADER)?g' \
+			-e 's?$$(srcdir)/edns-subnet/subnetmod.h $$(srcdir)/edns-subnet/subnet-whitelist.h $$(srcdir)/edns-subnet/edns-subnet.h $$(srcdir)/edns-subnet/addrtree.h?$$(SUBNET_HEADER)?g' \
 			-e 's!\(.*\)\.o[ :]*!\1.lo \1.o: !g' \
 			> $(DEPEND_TMP)
 	cp $(DEPEND_TARGET) $(DEPEND_TMP2)
@@ -622,7 +629,7 @@ dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_de
 infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lookup3.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \
  $(srcdir)/services/outbound_list.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
@@ -649,10 +656,11 @@ msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h $(srcdir)/util/d
 msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/module.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
+  $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/module.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h
 packed_rrset.lo packed_rrset.o: $(srcdir)/util/data/packed_rrset.c config.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \
@@ -665,11 +673,11 @@ iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterato
  $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_donotq.h \
  $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_scrub.h $(srcdir)/iterator/iter_priv.h \
  $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/random.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
- $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+  $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/config_file.h $(srcdir)/util/random.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h
 iter_delegpt.lo iter_delegpt.o: $(srcdir)/iterator/iter_delegpt.c config.h $(srcdir)/iterator/iter_delegpt.h \
  $(srcdir)/util/log.h $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \
@@ -711,7 +719,7 @@ iter_utils.lo iter_utils.o: $(srcdir)/iterator/iter_utils.c config.h $(srcdir)/i
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h \
  $(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_priv.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
+  $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
  $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \
  $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/validator/val_anchor.h \
@@ -719,7 +727,7 @@ iter_utils.lo iter_utils.o: $(srcdir)/iterator/iter_utils.c config.h $(srcdir)/i
  $(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h
 listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h \
  $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
+  $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
   $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
  $(srcdir)/sldns/sbuffer.h
 localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/services/localzone.h \
@@ -729,11 +737,11 @@ localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/serv
  $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/as112.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/as112.h
 mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/outbound_list.h \
  $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/timehist.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
@@ -744,11 +752,12 @@ modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/service
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
- $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/respip/respip.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
- $(PYTHONMOD_HEADER) $(srcdir)/cachedb/cachedb.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \
+ $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/respip/respip.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/view.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h
 view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \
@@ -756,34 +765,34 @@ view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(s
  $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h
 outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \
  $(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
  
 outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c config.h \
  $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h  \
+ $(srcdir)/dnscrypt/dnscrypt.h   \
  $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
  $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/dnstap/dnstap.h \
- 
+ $(srcdir)/dnstap/dnstap.h
 alloc.lo alloc.o: $(srcdir)/util/alloc.c config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+  $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
 config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/util/log.h \
  $(srcdir)/util/configyyrename.h $(srcdir)/util/config_file.h util/configparser.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h $(srcdir)/util/iana_ports.inc
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h \
+ $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/iana_ports.inc
 configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \
  $(srcdir)/util/config_file.h util/configparser.h
 configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \
@@ -793,14 +802,14 @@ shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h $(srcdir)/ut
    $(srcdir)/daemon/worker.h \
  $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/util/rtt.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h
 fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
@@ -814,35 +823,34 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
  $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \
  $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h \
- $(PYTHONMOD_HEADER) $(srcdir)/cachedb/cachedb.h
+ $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/net_help.h $(srcdir)/edns-subnet/addrtree.h \
+ $(srcdir)/edns-subnet/edns-subnet.h
 locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
 mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h
 module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
 netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
+  $(srcdir)/util/ub_event.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
  $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h $(srcdir)/dnstap/dnstap.h \
-  \
  
 net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/sldns/parseutil.h \
- $(srcdir)/sldns/wire2str.h \
- 
+ $(srcdir)/sldns/wire2str.h
 random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h
 rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
@@ -855,29 +863,29 @@ dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h $(srcdir)/util/s
 lookup3.lo lookup3.o: $(srcdir)/util/storage/lookup3.c config.h $(srcdir)/util/storage/lookup3.h
 lruhash.lo lruhash.o: $(srcdir)/util/storage/lruhash.c config.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
  $(srcdir)/services/modstack.h
 slabhash.lo slabhash.o: $(srcdir)/util/storage/slabhash.c config.h $(srcdir)/util/storage/slabhash.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 timehist.lo timehist.o: $(srcdir)/util/timehist.c config.h $(srcdir)/util/timehist.h $(srcdir)/util/log.h
 tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
- $(srcdir)/util/ub_event.h
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h $(srcdir)/util/ub_event.h
 ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h \
- $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
 ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \
  $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \
- $(srcdir)/util/rbtree.h
+  $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
 winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h
 autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
@@ -885,11 +893,10 @@ autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/val
  $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
- $(srcdir)/services/modstack.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
- $(srcdir)/sldns/keyraw.h \
- 
+ $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+  $(srcdir)/services/modstack.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h
 val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/autotrust.h \
@@ -904,8 +911,8 @@ validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/val
  $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_neg.h $(srcdir)/validator/val_sigcrypt.h \
  $(srcdir)/validator/autotrust.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/sldns/wire2str.h
 val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/validator/val_kcache.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/validator/val_kentry.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
@@ -914,15 +921,13 @@ val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/
 val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
- 
-val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \
- $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
- $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h
+val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h
 val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
@@ -938,16 +943,14 @@ val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/valida
 val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \
  $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h \
- 
+ $(srcdir)/sldns/sbuffer.h
 val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \
  $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \
  $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
- 
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
 val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
@@ -961,30 +964,39 @@ dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(src
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/regional.h
-cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h $(srcdir)/cachedb/cachedb.h $(srcdir)/util/module.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/data/msgencode.h $(srcdir)/services/cache/dns.h $(srcdir)/validator/val_neg.h \
- $(srcdir)/util/rbtree.h $(srcdir)/validator/val_secalgo.h $(srcdir)/iterator/iter_utils.h \
- $(srcdir)/iterator/iter_resptype.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \
- $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
+edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \
+ $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
+subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/edns-subnet/subnetmod.h \
+ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h \
+ $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/edns-subnet/subnet-whitelist.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/services/modstack.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
+addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/edns-subnet/addrtree.h
+subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h \
+ $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
+ $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/config_file.h
+cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h
 respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h \
  $(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/regional.h $(srcdir)/respip/respip.h
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+  $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
+ $(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/respip/respip.h
 checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
  $(srcdir)/testcode/checklocks.h
-dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h
 unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
@@ -993,15 +1005,14 @@ unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util
  $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
 unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \
  $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h
-unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/util/log.h \
- $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
+unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \
+ $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/random.h $(srcdir)/respip/respip.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/random.h \
+ $(srcdir)/respip/respip.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/services/localzone.h $(srcdir)/services/view.h
 unitmsgparse.lo unitmsgparse.o: $(srcdir)/testcode/unitmsgparse.c config.h $(srcdir)/util/log.h \
  $(srcdir)/testcode/unitmain.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
@@ -1032,123 +1043,125 @@ testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcod
  $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
 unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \
  $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
+unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h $(srcdir)/util/log.h $(srcdir)/util/module.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/edns-subnet/addrtree.h \
+ $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/edns-subnet.h
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
  $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
-cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \
- $(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \
- $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \
+cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
+ $(srcdir)/dnstap/dnstap.h  $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \
  $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \
  $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
  $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
-   $(srcdir)/daemon/worker.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
+  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
  $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h $(srcdir)/util/random.h \
  $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h $(srcdir)/respip/respip.h
-remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \
- $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h \
+remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \
+ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/alloc.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
  $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
   $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
-  $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h \
- $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/view.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/data/dname.h \
- $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kcache.h \
- $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_anchor.h $(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
- $(srcdir)/iterator/iter_delegpt.h $(srcdir)/services/outside_network.h $(srcdir)/sldns/str2wire.h \
- $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
+ $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/tube.h $(srcdir)/util/data/dname.h $(srcdir)/validator/validator.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \
+ $(srcdir)/validator/val_anchor.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_delegpt.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h \
+ $(srcdir)/sldns/wire2str.h
 stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h  $(srcdir)/services/mesh.h \
- $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h \
- $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
- $(srcdir)/validator/val_kcache.h
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  \
+ $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
 unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \
  $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
-  $(srcdir)/daemon/remote.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
+  $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
 worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
-  $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
-  $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
+ $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
+ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
  $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \
  $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \
  $(srcdir)/util/shm_side/shm_main.h
 testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \
- $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
- $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/daemon/remote.h \
- $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/util/log.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
-   \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \
- $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
+ $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+  $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c \
+ $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
+  $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h
 testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcode/testpkts.h \
  $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
 worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
-  $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \
-  $(srcdir)/daemon/remote.h \
- $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/rtt.h $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
+ $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
+ $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/services/localzone.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \
  $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/validator/val_anchor.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \
@@ -1160,14 +1173,13 @@ acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/ac
  $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h
-daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
- $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
-   $(srcdir)/daemon/worker.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
+daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
+  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
  $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \
@@ -1176,23 +1188,22 @@ daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \
 stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h \
- $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  $(srcdir)/daemon/daemon.h \
- $(srcdir)/services/modstack.h  $(srcdir)/services/mesh.h \
- $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h \
- $(srcdir)/validator/val_utils.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \
- $(srcdir)/validator/val_kcache.h
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h  \
+ $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h
 replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
+  $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
 fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/testcode/fake_event.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \
  $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h \
  $(srcdir)/util/rbtree.h  $(srcdir)/services/cache/infra.h \
@@ -1201,7 +1212,7 @@ fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/t
  $(srcdir)/services/modstack.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 lock_verify.lo lock_verify.o: $(srcdir)/testcode/lock_verify.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
+  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
  $(srcdir)/services/modstack.h
@@ -1213,7 +1224,7 @@ readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/r
  $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h
 memstats.lo memstats.o: $(srcdir)/testcode/memstats.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
+  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \
  $(srcdir)/services/modstack.h
@@ -1224,14 +1235,14 @@ unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c
  $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
  $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \
  $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/view.h $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h $(PYTHONMOD_HEADER)
+ $(srcdir)/services/view.h $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h
 worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
  $(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h
+ $(srcdir)/dnscrypt/dnscrypt.h  $(srcdir)/util/module.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h
 context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbound/context.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
  $(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
@@ -1239,7 +1250,8 @@ context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbou
  $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/services/localzone.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h \
  $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
+ $(srcdir)/sldns/sbuffer.h
 libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h \
  $(srcdir)/libunbound/unbound-event.h config.h $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
@@ -1249,22 +1261,22 @@ libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbou
  $(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h \
  $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
  $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/sldns/sbuffer.h
-libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \
- $(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h \
- $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
-  $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
- $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h \
- $(srcdir)/iterator/iter_hints.h $(srcdir)/sldns/str2wire.h
+  $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/sldns/sbuffer.h
+libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h   \
+ $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/services/localzone.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
+ $(srcdir)/sldns/str2wire.h
 unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
 asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
@@ -1275,40 +1287,34 @@ streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util
  $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \
- 
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
 perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \
  $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h
 delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
  $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
-unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \
- $(srcdir)/util/log.h \
+unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \
  $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h $(srcdir)/util/shm_side/shm_main.h \
  $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h
 unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \
- 
-petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \
- 
+ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h
+petal.lo petal.o: $(srcdir)/testcode/petal.c config.h
 pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h $(srcdir)/util/module.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \
- $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h $(srcdir)/iterator/iter_delegpt.h \
- $(srcdir)/sldns/sbuffer.h \
- 
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+  $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \
+ $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h
 win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \
  $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
    $(srcdir)/daemon/worker.h \
  $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/dnscrypt/cert.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
- $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h \
- $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \
+ $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h
 w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h
 unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \
  $(srcdir)/winrc/w_inst.h
@@ -1316,14 +1322,11 @@ unbound-service-remove.lo unbound-service-remove.o: $(srcdir)/winrc/unbound-serv
  $(srcdir)/winrc/w_inst.h
 anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h
-keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \
- $(srcdir)/sldns/rrdef.h \
- 
+keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h
 sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h
 wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \
- $(srcdir)/sldns/keyraw.h \
- 
+ $(srcdir)/sldns/keyraw.h
 parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \
  $(srcdir)/sldns/sbuffer.h
 parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h
@@ -1343,11 +1346,9 @@ snprintf.lo snprintf.o: $(srcdir)/compat/snprintf.c config.h
 strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
 strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
 strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
-getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \
- 
+getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
 getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h
-getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h \
- 
+getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
 getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c
 explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h
 arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h

config.h.in

@@ -3,6 +3,9 @@
 /* Directory to chroot to */
 #undef CHROOT_DIR
 
+/* Define this to enable client subnet option. */
+#undef CLIENT_SUBNET
+
 /* Do sha512 definitions in config.h */
 #undef COMPAT_SHA512
 

configure

@@ -674,6 +674,8 @@ staticexe
 PC_LIBEVENT_DEPENDENCY
 UNBOUND_EVENT_UNINSTALL
 UNBOUND_EVENT_INSTALL
+SUBNET_HEADER
+SUBNET_OBJ
 SSLLIB
 HAVE_SSL
 CONFIG_DATE
@@ -788,6 +790,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -845,6 +848,7 @@ with_nettle
 with_ssl
 enable_sha1
 enable_sha2
+enable_subnet
 enable_gost
 enable_ecdsa
 enable_dsa
@@ -924,6 +928,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1176,6 +1181,15 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1313,7 +1327,7 @@ fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir
+		libdir localedir mandir runstatedir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1466,6 +1480,7 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@@ -1524,6 +1539,7 @@ Optional Features:
   --disable-sha1          Disable SHA1 RRSIG support, does not disable nsec3
                           support
   --disable-sha2          Disable SHA256 and SHA512 RRSIG support
+  --enable-subnet         Enable client subnet
   --disable-gost          Disable GOST support
   --disable-ecdsa         Disable ECDSA support
   --disable-dsa           Disable DSA support
@@ -7895,7 +7911,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-netbsd*)
+netbsd* | netbsdelf*-gnu)
   if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
     lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
   else
@@ -11360,6 +11376,9 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
   openbsd* | bitrig*)
     with_gnu_ld=no
     ;;
+  linux* | k*bsd*-gnu | gnu*)
+    link_all_deplibs=no
+    ;;
   esac
 
   ld_shlibs=yes
@@ -11614,7 +11633,7 @@ _LT_EOF
       fi
       ;;
 
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
 	wlarc=
@@ -12284,6 +12303,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; }
 	if test yes = "$lt_cv_irix_exported_symbol"; then
           archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib'
 	fi
+	link_all_deplibs=no
       else
 	archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
 	archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
@@ -12305,7 +12325,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; }
       esac
       ;;
 
-    netbsd*)
+    netbsd* | netbsdelf*-gnu)
       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
 	archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  # a.out
       else
@@ -13400,9 +13420,6 @@ fi
   # before this can be enabled.
   hardcode_into_libs=yes
 
-  # Add ABI-specific directories to the system library path.
-  sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
-
   # Ideally, we could use ldconfig to report *all* directores which are
   # searched for libraries, however this is still not possible.  Aside from not
   # being certain /sbin/ldconfig is available, command
@@ -13411,7 +13428,7 @@ fi
   # appending ld.so.conf contents (and includes) to the search path.
   if test -f /etc/ld.so.conf; then
     lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
-    sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
+    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
   # We used to test for /lib/ld.so.1 and disable shared libraries on
@@ -13423,6 +13440,18 @@ fi
   dynamic_linker='GNU/Linux ld.so'
   ;;
 
+netbsdelf*-gnu)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  dynamic_linker='NetBSD ld.elf_so'
+  ;;
+
 netbsd*)
   version_type=sunos
   need_lib_prefix=no
@@ -15335,7 +15364,7 @@ else
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -15381,7 +15410,7 @@ else
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -15405,7 +15434,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -15450,7 +15479,7 @@ else
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -15474,7 +15503,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
     We can't simply define LARGE_OFF_T to be 9223372036854775807,
     since some C++ compilers masquerading as C compilers
     incorrectly reject 9223372036854775807.  */
-#define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62))
+#define LARGE_OFF_T ((((off_t) 1 << 31) << 31) - 1 + (((off_t) 1 << 31) << 31))
   int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721
 		       && LARGE_OFF_T % 2147483647 == 1)
 		      ? 1 : -1];
@@ -17750,6 +17779,25 @@ $as_echo "#define USE_SHA2 1" >>confdefs.h
 	;;
 esac
 
+# Check whether --enable-subnet was given.
+if test "${enable_subnet+set}" = set; then :
+  enableval=$enable_subnet;
+fi
+
+case "$enable_subnet" in
+	yes)
+
+$as_echo "#define CLIENT_SUBNET 1" >>confdefs.h
+
+	SUBNET_OBJ="edns-subnet.lo subnetmod.lo addrtree.lo subnet-whitelist.lo"
+
+	SUBNET_HEADER='$(srcdir)/edns-subnet/subnetmod.h $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/edns-subnet/addrtree.h'
+
+	;;
+	no|*)
+	;;
+esac
+
 # check wether gost also works
 
 # Check whether --enable-gost was given.
@@ -22042,7 +22090,6 @@ $as_echo "$as_me: executing $ac_file commands" >&6;}
     cat <<_LT_EOF >> "$cfgfile"
 #! $SHELL
 # Generated automatically by $as_me ($PACKAGE) $VERSION
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 
 # Provide generalized library-building support services.

configure.ac

@@ -730,6 +730,19 @@ case "$enable_sha2" in
 	;;
 esac
 
+AC_ARG_ENABLE(subnet, AC_HELP_STRING([--enable-subnet], [Enable client subnet]))
+case "$enable_subnet" in
+	yes)
+	AC_DEFINE([CLIENT_SUBNET], [1], [Define this to enable client subnet option.])
+	SUBNET_OBJ="edns-subnet.lo subnetmod.lo addrtree.lo subnet-whitelist.lo"
+	AC_SUBST(SUBNET_OBJ)
+	SUBNET_HEADER='$(srcdir)/edns-subnet/subnetmod.h $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/edns-subnet/addrtree.h'
+	AC_SUBST(SUBNET_HEADER)
+	;;
+	no|*)
+	;;
+esac
+
 # check wether gost also works
 AC_DEFUN([AC_CHECK_GOST_WORKS],
 [AC_REQUIRE([AC_PROG_CC])

doc/Changelog

@@ -1,3 +1,7 @@
+21 March 2017: Ralph
+	- Merge EDNS Client subnet implementation from feature branch into main
+	  branch, using new EDNS processing framework. 
+
 21 March 2017: Wouter
 	- Fix doxygen for dnscrypt files.
 

doc/unbound.conf.5.in

@@ -1476,6 +1476,43 @@ times.
 .B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
 Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs. This option
 may be specified multiple times.
+.SS "EDNS Client Subnet Module Options"
+.LP
+The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
+validator iterator" directive and be compiled into the daemon to be
+enabled.  These settings go in the \fBserver:\fR section.
+.LP
+If the destination address is whitelisted with Unbound will add the EDNS0 option
+to the query containing the relevant part of the client's address. When an
+answer contains the ECS option the response and the option are placed in a
+specialized cache. If the authority indicated no support, the response is stored
+in the regular cache.
+.LP
+Additionally, when a client includes the option in its queries, Unbound will
+forward the option to the authority regardless of the authorities presence in
+the whitelist. In this case the lookup in the regular cache is skipped.
+.LP
+The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
+configuration file. On top of that, for each query only 100 different subnets
+are allowed to be stored for each address family. Exceeding that number, older
+entries will be purged from cache.
+.TP
+.B send\-client\-subnet: \fI<IP address>\fR
+Send client source address to this authority. Append /num to indicate a
+classless delegation netblock, for example like 10.2.3.4/24 or 2001::11/64. Can
+be given multiple times. Authorities not listed will not receive edns-subnet
+information.
+.TP
+.B client\-subnet\-opcode: \fI<number>\fR
+Specify positive integer smaller than 65536. Defaults to 8.
+.TP
+.B max\-client\-subnet\-ipv6: \fI<number>\fR
+Specifies the maximum prefix length of the client source address we are willing
+to expose to third parties for IPv6.  Defaults to 64.
+.TP
+.B max\-clienti-subnet\-ipv4: \fI<number>\fR
+Specifies the maximum prefix length of the client source address we are willing
+to expose to third parties for IPv4. Defaults to 24.
 .SH "MEMORY CONTROL EXAMPLE"
 In the example config settings below memory usage is reduced. Some service
 levels are lower, notable very large data and a high TCP load are no longer

edns-subnet/addrtree.c

@@ -0,0 +1,531 @@
+/*
+ * edns-subnet/addrtree.c -- radix tree for edns subnet cache.
+ *
+ * Copyright (c) 2013, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/** \file 
+ * addrtree -- radix tree for edns subnet cache.
+ */
+
+#include "config.h"
+#include "util/log.h"
+#include "util/data/msgreply.h"
+#include "util/module.h"
+#include "addrtree.h"
+
+/** 
+ * Create a new edge
+ * @param node: Child node this edge will connect to.
+ * @param addr: full key to this edge.
+ * @param addrlen: length of relevant part of key for this node
+ * @param parent_node: Parent node for node
+ * @param parent_index: Index of child node at parent node
+ * @return new addredge or NULL on failure
+ */
+static struct addredge * 
+edge_create(struct addrnode *node, const addrkey_t *addr, 
+	addrlen_t addrlen, struct addrnode *parent_node, int parent_index)
+{
+	size_t n;
+	struct addredge *edge = (struct addredge *)malloc( sizeof (*edge) );
+	if (!edge)
+		return NULL;
+	edge->node = node;
+	edge->len = addrlen;
+	edge->parent_index = parent_index;
+	edge->parent_node = parent_node;
+	/* ceil() */
+	n = (size_t)((addrlen / KEYWIDTH) + ((addrlen % KEYWIDTH != 0)?1:0));
+	edge->str = (addrkey_t *)calloc(n, sizeof (addrkey_t));
+	if (!edge->str) {
+		free(edge);
+		return NULL;
+	}
+	memcpy(edge->str, addr, n * sizeof (addrkey_t));
+	/* Only manipulate other objects after successful alloc */
+	node->parent_edge = edge;
+	log_assert(parent_node->edge[parent_index] == NULL);
+	parent_node->edge[parent_index] = edge;
+	return edge;
+}
+
+/** 
+ * Create a new node
+ * @param tree: Tree the node lives in.
+ * @param elem: Element to store at this node
+ * @param scope: Scopemask from server reply
+ * @param ttl: Element is valid up to this time. Absolute, seconds
+ * @return new addrnode or NULL on failure
+ */
+static struct addrnode * 
+node_create(struct addrtree *tree, void *elem, addrlen_t scope, 
+	time_t ttl)
+{
+	struct addrnode* node = (struct addrnode *)malloc( sizeof (*node) );
+	if (!node)
+		return NULL;
+	node->elem = elem;
+	tree->node_count++;
+	node->scope = scope;
+	node->ttl = ttl;
+	node->edge[0] = NULL;
+	node->edge[1] = NULL;
+	node->parent_edge = NULL;
+	node->next = NULL;
+	node->prev = NULL;
+	return node;
+}
+
+/** Size in bytes of node and parent edge
+ * @param tree: tree the node lives in
+ * @param n: node which size must be calculated 
+ * @return size in bytes.
+ **/
+static inline size_t 
+node_size(const struct addrtree *tree, const struct addrnode *n)
+{
+	return sizeof *n + sizeof *n->parent_edge + n->parent_edge->len + 
+		(n->elem?tree->sizefunc(n->elem):0);
+}
+
+struct addrtree * 
+addrtree_create(addrlen_t max_depth, void (*delfunc)(void *, void *), 
+	size_t (*sizefunc)(void *), void *env, unsigned int max_node_count)
+{
+	struct addrtree *tree;
+	log_assert(delfunc != NULL);
+	log_assert(sizefunc != NULL);
+	tree = (struct addrtree *)malloc( sizeof (*tree) );
+	if (!tree)
+		return NULL;
+	tree->root = node_create(tree, NULL, 0, 0);
+	if (!tree->root) {
+		free(tree);
+		return NULL;
+	}
+	tree->size_bytes = sizeof *tree + sizeof *tree->root;
+	tree->first = NULL;
+	tree->last = NULL;
+	tree->max_depth = max_depth;
+	tree->delfunc = delfunc;
+	tree->sizefunc = sizefunc;
+	tree->env = env;
+	tree->node_count = 0;
+	tree->max_node_count = max_node_count;
+	return tree;
+}
+
+/** 
+ * Scrub a node clean of elem
+ * @param tree: tree the node lives in.
+ * @param node: node to be cleaned.
+ */
+static void
+clean_node(struct addrtree *tree, struct addrnode *node)
+{
+	if (!node->elem) return;
+	tree->size_bytes -= tree->sizefunc(node->elem);
+	tree->delfunc(tree->env, node->elem);
+	node->elem = NULL;
+}
+
+/** Remove specified node from LRU list */
+static void
+lru_pop(struct addrtree *tree, struct addrnode *node)
+{
+	if (node == tree->first) {
+		if (!node->next) { /* it is the last as well */
+			tree->first = NULL;
+			tree->last = NULL;
+		} else {
+			tree->first = node->next;
+			tree->first->prev = NULL;
+		}
+	} else if (node == tree->last) { /* but not the first */
+		tree->last = node->prev;
+		tree->last->next = NULL;
+	} else {
+		node->prev->next = node->next;
+		node->next->prev = node->prev;
+	}
+}
+
+/** Add node to LRU list as most recently used. */
+static void
+lru_push(struct addrtree *tree, struct addrnode *node)
+{
+	if (!tree->first) {
+		tree->first = node;
+		node->prev = NULL;
+	} else {
+		tree->last->next = node;
+		node->prev = tree->last;
+	}
+	tree->last = node;
+	node->next = NULL;
+}
+
+/** Move node to the end of LRU list */
+static void
+lru_update(struct addrtree *tree, struct addrnode *node)
+{
+	if (tree->root == node) return;
+	lru_pop(tree, node);
+	lru_push(tree, node);
+}
+
+/** 
+ * Purge a node from the tree. Node and parentedge are cleaned and 
+ * free'd.
+ * @param tree: Tree the node lives in.
+ * @param node: Node to be freed
+ */
+static void
+purge_node(struct addrtree *tree, struct addrnode *node)
+{
+	struct addredge *parent_edge, *child_edge = NULL;
+	int index;
+	int keep = node->edge[0] && node->edge[1];
+	
+	clean_node(tree, node);
+	parent_edge = node->parent_edge;
+	if (keep || !parent_edge) return;
+	tree->node_count--;
+	index = parent_edge->parent_index;
+	child_edge = node->edge[!node->edge[0]];
+	if (child_edge) {
+		child_edge->parent_node  = parent_edge->parent_node;
+		child_edge->parent_index = index;
+	}
+	parent_edge->parent_node->edge[index] = child_edge;
+	tree->size_bytes -= node_size(tree, node);
+	free(parent_edge->str);
+	free(parent_edge);
+	lru_pop(tree, node);
+	free(node);
+}
+
+/**
+ * If a limit is set remove old nodes while above that limit.
+ * @param tree: Tree to be cleaned up.
+ */
+static void
+lru_cleanup(struct addrtree *tree)
+{
+	struct addrnode *n, *p;
+	int children;
+	if (tree->max_node_count == 0) return;
+	while (tree->node_count > tree->max_node_count) {
+		n = tree->first;
+		if (!n) break;
+		children = (n->edge[0] != NULL) + (n->edge[1] != NULL);
+		/** Don't remove this node, it is either the root or we can't
+		 * do without it because it has 2 children */
+		if (children == 2 || !n->parent_edge) {
+			lru_update(tree, n);
+			continue;
+		}
+		p = n->parent_edge->parent_node;
+		purge_node(tree, n);
+		/** Since we removed n, n's parent p is eligible for deletion
+		 * if it is not the root node, caries no data and has only 1
+		 * child */
+		children = (p->edge[0] != NULL) + (p->edge[1] != NULL);
+		if (!p->elem && children == 1 && p->parent_edge) {
+			purge_node(tree, p);
+		}
+	}
+}
+
+inline size_t
+addrtree_size(const struct addrtree *tree)
+{
+	return tree?tree->size_bytes:0;
+}
+
+void addrtree_delete(struct addrtree *tree)
+{
+	struct addrnode *n;
+	if (!tree) return;
+	clean_node(tree, tree->root);
+	free(tree->root);
+	tree->size_bytes -= sizeof(struct addrnode);
+	while ((n = tree->first)) {
+		tree->first = n->next;
+		clean_node(tree, n);
+		tree->size_bytes -= node_size(tree, n);
+		free(n->parent_edge->str);
+		free(n->parent_edge);
+		free(n);
+	}
+	log_assert(sizeof *tree == addrtree_size(tree));
+	free(tree);
+}
+
+/**
+ * Get N'th bit from address 
+ * @param addr: address to inspect
+ * @param addrlen: length of addr in bits
+ * @param n: index of bit to test. Must be in range [0, addrlen)
+ * @return 0 or 1
+ */
+static int 
+getbit(const addrkey_t *addr, addrlen_t addrlen, addrlen_t n)
+{
+	log_assert(addrlen > n);
+	return (int)(addr[n/KEYWIDTH]>>((KEYWIDTH-1)-(n%KEYWIDTH))) & 1;
+}
+
+/**
+ * Test for equality on N'th bit.
+ * @return 0 for equal, 1 otherwise 
+ */
+static inline int 
+cmpbit(const addrkey_t *key1, const addrkey_t *key2, addrlen_t n)
+{
+	addrkey_t c = key1[n/KEYWIDTH] ^ key2[n/KEYWIDTH];
+	return (int)(c >> ((KEYWIDTH-1)-(n%KEYWIDTH))) & 1;
+}
+
+/**
+ * Common number of bits in prefix.
+ * @param s1: first prefix.
+ * @param l1: length of s1 in bits.
+ * @param s2: second prefix.
+ * @param l2: length of s2 in bits.
+ * @param skip: nr of bits already checked.
+ * @return common number of bits.
+ */
+static addrlen_t 
+bits_common(const addrkey_t *s1, addrlen_t l1, 
+	const addrkey_t *s2, addrlen_t l2, addrlen_t skip)
+{
+	addrlen_t len, i;
+	len = (l1 > l2) ? l2 : l1;
+	log_assert(skip < len);
+	for (i = skip; i < len; i++) {
+		if (cmpbit(s1, s2, i)) return i;
+	}
+	return len;
+} 
+
+/**
+ * Tests if s1 is a substring of s2
+ * @param s1: first prefix.
+ * @param l1: length of s1 in bits.
+ * @param s2: second prefix.
+ * @param l2: length of s2 in bits.
+ * @param skip: nr of bits already checked.
+ * @return 1 for substring, 0 otherwise 
+ */
+static int 
+issub(const addrkey_t *s1, addrlen_t l1, 
+	const addrkey_t *s2, addrlen_t l2,  addrlen_t skip)
+{
+	return bits_common(s1, l1, s2, l2, skip) == l1;
+}
+
+void
+addrtree_insert(struct addrtree *tree, const addrkey_t *addr, 
+	addrlen_t sourcemask, addrlen_t scope, void *elem, time_t ttl, 
+	time_t now)
+{
+	struct addrnode *newnode, *node;
+	struct addredge *edge;
+	int index;
+	addrlen_t common, depth;
+
+	node = tree->root;
+	log_assert(node != NULL);
+
+	/* Protect our cache against too much fine-grained data */
+	if (tree->max_depth < scope) scope = tree->max_depth;
+	/* Server answer was less specific than question */
+	if (scope < sourcemask) sourcemask = scope;
+
+	depth = 0;
+	while (1) {
+		log_assert(depth <= sourcemask);
+		/* Case 1: update existing node */
+		if (depth == sourcemask) {
+			/* update this node's scope and data */
+			clean_node(tree, node);
+			node->ttl = ttl;
+			node->elem = elem;
+			node->scope = scope;
+			tree->size_bytes += tree->sizefunc(elem);
+			return;
+		}
+		index = getbit(addr, sourcemask, depth);
+		/* Get an edge to an unexpired node */
+		edge = node->edge[index];
+		while (edge) {
+			/* Purge all expired nodes on path */
+			if (!edge->node->elem || edge->node->ttl >= now)
+				break;
+			purge_node(tree, edge->node);
+			edge = node->edge[index];
+		}
+		/* Case 2: New leafnode */
+		if (!edge) {
+			newnode = node_create(tree, elem, scope, ttl);
+			if (!newnode) return;
+			if (!edge_create(newnode, addr, sourcemask, node,
+				index)) {
+				clean_node(tree, newnode);
+				tree->node_count--;
+				free(newnode);
+				return;
+			}
+			tree->size_bytes += node_size(tree, newnode);
+			lru_push(tree, newnode);
+			lru_cleanup(tree);
+			return;
+		}
+		/* Case 3: Traverse edge */
+		common = bits_common(edge->str, edge->len, addr, sourcemask,
+			depth);
+		if (common == edge->len) {
+			/* We update the scope of intermediate nodes. Apparently
+			 * the * authority changed its mind. If we would not do
+			 * this we might not be able to reach our new node. */
+			node->scope = scope;
+			depth = edge->len;
+			node = edge->node;
+			continue;
+		}
+		/* Case 4: split. */
+		if (!(newnode = node_create(tree, NULL, 0, 0)))
+			return;
+		node->edge[index] = NULL;
+		if (!edge_create(newnode, addr, common, node, index)) {
+			node->edge[index] = edge;
+			clean_node(tree, newnode);
+			tree->node_count--;
+			free(newnode);
+			return;
+		}
+		lru_push(tree, newnode);
+		/* connect existing child to our new node */
+		index = getbit(edge->str, edge->len, common);
+		newnode->edge[index] = edge;
+		edge->parent_node = newnode;
+		edge->parent_index = (int)index;
+		
+		if (common == sourcemask) {
+			/* Data is stored in the node */
+			newnode->elem = elem;
+			newnode->scope = scope;
+			newnode->ttl = ttl;
+		} 
+		
+		tree->size_bytes += node_size(tree, newnode);
+
+		if (common != sourcemask) {
+			/* Data is stored in other leafnode */
+			node = newnode;
+			newnode = node_create(tree, elem, scope, ttl);
+			if (!edge_create(newnode, addr, sourcemask, node,
+				index^1)) {
+				clean_node(tree, newnode);
+				tree->node_count--;
+				free(newnode);
+				return;
+			}
+			tree->size_bytes += node_size(tree, newnode);
+			lru_push(tree, newnode);
+		}
+		lru_cleanup(tree);
+		return;
+	}
+}
+
+struct addrnode *
+addrtree_find(struct addrtree *tree, const addrkey_t *addr, 
+	addrlen_t sourcemask, time_t now)
+{
+	struct addrnode *node = tree->root;
+	struct addredge *edge = NULL;
+	addrlen_t depth = 0;
+
+	log_assert(node != NULL);
+	while (1) {
+		/* Current node more specific then question. */
+		log_assert(depth <= sourcemask);
+		/* does this node have data? if yes, see if we have a match */
+		if (node->elem && node->ttl >= now) {
+			/* saved at wrong depth */;
+			log_assert(node->scope >= depth) 
+			if (depth == node->scope ||
+				(node->scope > sourcemask &&
+				 depth == sourcemask)) {
+				/* Authority indicates it does not have a more
+				 * precise answer or we cannot ask a more
+				 * specific question. */
+				lru_update(tree, node);
+				return node;
+			}
+		}
+		/* This is our final depth, but we haven't found an answer. */
+		if (depth == sourcemask)
+			return NULL;
+		/* Find an edge to traverse */
+		edge = node->edge[getbit(addr, sourcemask, depth)];
+		if (!edge || !edge->node)
+			return NULL;
+		if (edge->len > sourcemask )
+			return NULL;
+		if (!issub(edge->str, edge->len, addr, sourcemask, depth))
+			return NULL;
+		log_assert(depth < edge->len);
+		depth = edge->len;
+		node = edge->node;
+	}
+}
+
+/** Wrappers for static functions to unit test */
+int unittest_wrapper_addrtree_cmpbit(const addrkey_t *key1, 
+	const addrkey_t *key2, addrlen_t n) {
+	return cmpbit(key1, key2, n);
+}
+addrlen_t unittest_wrapper_addrtree_bits_common(const addrkey_t *s1, 
+	addrlen_t l1, const addrkey_t *s2, addrlen_t l2, addrlen_t skip) {
+	return bits_common(s1, l1, s2, l2, skip);
+}
+int unittest_wrapper_addrtree_getbit(const addrkey_t *addr, 
+	addrlen_t addrlen, addrlen_t n) {
+	return getbit(addr, addrlen, n);
+}
+int unittest_wrapper_addrtree_issub(const addrkey_t *s1, addrlen_t l1, 
+	const addrkey_t *s2, addrlen_t l2,  addrlen_t skip) {
+	return issub(s1, l1, s2, l2, skip);
+}

edns-subnet/addrtree.h

@@ -0,0 +1,187 @@
+/*
+ * edns-subnet/addrtree.h -- radix tree for edns subnet cache.
+ *
+ * Copyright (c) 2013, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ * The addrtree is a radix tree designed for edns subnet. Most notable
+ * is the addition of 'scope' to a node. Scope is only relevant for
+ * nodes with elem set, it indicates the number of bits the authority
+ * desires.
+ *
+ * For retrieving data one needs an address and address length
+ * (sourcemask). While traversing the tree the first matching node is
+ * returned. A node matches when
+ * 		node.scope<=sourcemask && node.elem!=NULL
+ * 		(This is the most specific answer the authority has.)
+ * or
+ * 		node.sourcemask==sourcemask && node.elem!=NULL
+ * 		(This is the most specific question the client can ask.)
+ *
+ * Insertion needs an address, sourcemask and scope. The length of the
+ * address is capped by min(sourcemask, scope). While traversing the
+ * tree the scope of all visited nodes is updated. This ensures we are
+ * always able to find the most specific answer available.
+ */
+
+#ifndef ADDRTREE_H
+#define ADDRTREE_H
+
+typedef uint8_t addrlen_t;
+typedef uint8_t addrkey_t;
+#define KEYWIDTH 8
+
+struct addrtree {
+	struct addrnode *root;
+	/** Number of elements in the tree (not always equal to number of 
+	 * nodes) */
+	unsigned int node_count;
+	/** Maximum number of allowed nodes, will be enforced by LRU list.
+	 * Excluding the root node, 0 for unlimited */
+	unsigned int max_node_count;
+	/** Size of tree in bytes */
+	size_t size_bytes;
+	/** Maximum prefix length we are willing to cache. */
+	addrlen_t max_depth;
+	/** External function to delete elem. Called as 
+	 * delfunc(addrnode->elem, addrtree->env) */
+	void (*delfunc)(void *, void *);
+	/** Environment for delfunc */
+	void *env;
+	/** External function returning size of elem. Called as
+	 * sizefunc(addrnode->elem) */
+	size_t (*sizefunc)(void *);
+	/** first node in LRU list, first candidate to go */
+	struct addrnode* first;
+	/** last node in LRU list, last candidate to go */
+	struct addrnode *last;
+};
+
+struct addrnode {
+	/** Payload of node, may be NULL */
+	void *elem;
+	/** Abs time in seconds in which elem is meaningful */
+	time_t ttl;
+	/** Number of significant bits in address. */
+	addrlen_t scope;
+	/** A node can have 0-2 edges, set to NULL for unused */
+	struct addredge *edge[2];
+	/** edge between this node and parent */
+	struct addredge *parent_edge;
+	/** previous node in LRU list */
+	struct addrnode *prev;
+	/** next node in LRU list */
+	struct addrnode *next;
+};
+
+struct addredge {
+	/** address of connected node */
+	addrkey_t *str;
+	/** lenght in bits of str */
+	addrlen_t len;
+	/** child node this edge is connected to */
+	struct addrnode *node;
+	/** Parent node this ege is connected to */
+	struct addrnode *parent_node;
+	/** Index of this edge in parent_node */
+	int parent_index;
+};
+
+/**
+ * Size of tree in bytes.
+ * @param tree: Tree.
+ * @return size of tree in bytes.
+ */
+size_t addrtree_size(const struct addrtree *tree);
+
+/** 
+ * Create a new tree.
+ * @param max_depth: Tree will cap keys to this length.
+ * @param delfunc: f(element, env) delete element.
+ * @param sizefunc: f(element) returning the size of element.
+ * @param env: Module environment for alloc information.
+ * @param max_node_count: Maximum size of this data structure in nodes. 
+ * 			0 for unlimited.
+ * @return new addrtree or NULL on failure.
+ */
+struct addrtree * 
+addrtree_create(addrlen_t max_depth, void (*delfunc)(void *, void *), 
+	size_t (*sizefunc)(void *), void *env, unsigned int max_node_count);
+
+/** 
+ * Free tree and all nodes below.
+ * @param tree: Tree to be freed.
+ */
+void addrtree_delete(struct addrtree *tree);
+
+/**
+ * Insert an element in the tree. Failures are silent. Sourcemask and
+ * scope might be changed according to local policy. Caller should no 
+ * longer access elem, it could be free'd now or later during future
+ * inserts.
+ * 
+ * @param tree: Tree insert elem in.
+ * @param addr: key for element lookup.
+ * @param sourcemask: Length of addr in bits.
+ * @param scope: Number of significant bits in addr.
+ * @param elem: data to store in the tree.
+ * @param ttl: elem is valid up to this time, seconds.
+ * @param now: Current time in seconds.
+ */
+void addrtree_insert(struct addrtree *tree, const addrkey_t *addr, 
+	addrlen_t sourcemask, addrlen_t scope, void *elem, time_t ttl, 
+	time_t now);
+
+/**
+ * Find a node containing an element in the tree.
+ * 
+ * @param tree: Tree to search.
+ * @param addr: key for element lookup.
+ * @param sourcemask: Length of addr in bits.
+ * @param now: Current time in seconds.
+ * @return addrnode or NULL on miss.
+ */
+struct addrnode * addrtree_find(struct addrtree *tree, 
+	const addrkey_t *addr, addrlen_t sourcemask, time_t now);
+
+/** Wrappers for static functions to unit test */
+int unittest_wrapper_addrtree_cmpbit(const addrkey_t *key1, 
+	const addrkey_t *key2, addrlen_t n);
+addrlen_t unittest_wrapper_addrtree_bits_common(const addrkey_t *s1, 
+	addrlen_t l1, const addrkey_t *s2, addrlen_t l2, addrlen_t skip);
+int unittest_wrapper_addrtree_getbit(const addrkey_t *addr, 
+	addrlen_t addrlen, addrlen_t n);
+int unittest_wrapper_addrtree_issub(const addrkey_t *s1, addrlen_t l1, 
+	const addrkey_t *s2, addrlen_t l2,  addrlen_t skip);
+#endif /* ADDRTREE_H */

edns-subnet/edns-subnet.c

@@ -0,0 +1,70 @@
+/*
+ * edns-subnet/edns-subnet.c - Subnet option related constants 
+ *
+ * Copyright (c) 2013, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * \file
+ * Subnet option related constants. 
+ */
+
+#include "config.h"
+
+#ifdef CLIENT_SUBNET /* keeps splint happy */
+#include "edns-subnet/edns-subnet.h"
+#include <string.h>
+
+/** Opcode for edns subnet option, as assigned by IANA. */
+uint16_t EDNSSUBNET_OPCODE = 8;
+uint8_t EDNSSUBNET_MAX_SUBNET_IP4 = 24;
+uint8_t EDNSSUBNET_MAX_SUBNET_IP6 = 64;
+
+int
+copy_clear(uint8_t* dst, size_t dstlen, uint8_t* src, size_t srclen, size_t n)
+{
+	size_t intpart = n / 8;  /* bytes */
+	size_t fracpart = n % 8; /* bits */
+	size_t written = intpart;
+	if (intpart > dstlen || intpart > srclen)
+		return 1;
+	if (fracpart && (intpart+1 > dstlen || intpart+1 > srclen))
+		return 1;
+	memcpy(dst, src, intpart);
+	if (fracpart) {
+		dst[intpart] = src[intpart] & ~(0xFF >> fracpart);
+		written++;
+	}
+	memset(dst + written, 0, dstlen - written);
+	return 0;
+}
+
+#endif /* CLIENT_SUBNET */

edns-subnet/edns-subnet.h

@@ -0,0 +1,73 @@
+/*
+ * edns-subnet/edns-subnet.h - Subnet option related constants 
+ *
+ * Copyright (c) 2013, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * \file
+ * Subnet option related constants. 
+ */
+
+#include "util/net_help.h"
+
+#ifndef EDNSSUBNET_EDNSSUBNET_H
+#define EDNSSUBNET_EDNSSUBNET_H
+
+/** In use by the edns subnet option code, as assigned by IANA */
+#define EDNSSUBNET_ADDRFAM_IP4 1
+#define EDNSSUBNET_ADDRFAM_IP6 2
+
+/** Opcode for edns subnet option */
+extern uint16_t EDNSSUBNET_OPCODE;
+/** Maximum number of bits we are willing to expose */
+extern uint8_t EDNSSUBNET_MAX_SUBNET_IP4;
+extern uint8_t EDNSSUBNET_MAX_SUBNET_IP6;
+
+/**
+ * ECS option
+ */
+struct ecs_data {
+	uint16_t subnet_addr_fam;
+	uint8_t subnet_source_mask;
+	uint8_t subnet_scope_mask;
+	uint8_t subnet_addr[INET6_SIZE];
+	int subnet_validdata;
+};
+
+/** 
+ * copy the first n BITS from src to dst iff both src and dst 
+ * are large enough, return 0 on succes
+ */
+int
+copy_clear(uint8_t* dst, size_t dstlen, uint8_t* src, size_t srclen, size_t n);
+
+#endif /* EDNSSUBNET_EDNSSUBNET_H */

edns-subnet/subnet-whitelist.c

@@ -0,0 +1,153 @@
+/*
+ * edns-subnet/subnet-whitelist.c - Hosts we actively try to send subnet option
+ * to.
+ *
+ * Copyright (c) 2013, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * \file
+ *
+ * Keep track of the white listed servers for subnet option. Based
+ * on acl_list.c|h
+ */
+
+#include "config.h"
+
+#ifdef CLIENT_SUBNET /* keeps splint happy */
+#include "edns-subnet/edns-subnet.h"
+#include "edns-subnet/subnet-whitelist.h"
+#include "util/regional.h"
+#include "util/log.h"
+#include "util/config_file.h"
+#include "util/net_help.h"
+#include "util/storage/dnstree.h"
+
+struct ednssubnet_upstream* 
+upstream_create(void)
+{
+	struct ednssubnet_upstream* upstream = 
+		(struct ednssubnet_upstream*)calloc(1,
+		sizeof(struct ednssubnet_upstream));
+	if(!upstream)
+		return NULL;
+	upstream->region = regional_create();
+	if(!upstream->region) {
+		upstream_delete(upstream);
+		return NULL;
+	}
+	return upstream;
+}
+
+void 
+upstream_delete(struct ednssubnet_upstream* upstream)
+{
+	if(!upstream) 
+		return;
+	regional_destroy(upstream->region);
+	free(upstream);
+}
+
+/** insert new address into upstream structure */
+static int
+upstream_insert(struct ednssubnet_upstream* upstream, 
+	struct sockaddr_storage* addr, socklen_t addrlen, int net)
+{
+	struct addr_tree_node* node = (struct addr_tree_node*)regional_alloc(
+		upstream->region, sizeof(*node));
+	if(!node)
+		return 0;
+	if(!addr_tree_insert(&upstream->tree, node, addr, addrlen, net)) {
+		verbose(VERB_QUERY,
+			"duplicate send-client-subnet address ignored.");
+	}
+	return 1;
+}
+
+/** apply edns-subnet string */
+static int
+upstream_str_cfg(struct ednssubnet_upstream* upstream, const char* str)
+{
+	struct sockaddr_storage addr;
+	int net;
+	socklen_t addrlen;
+	verbose(VERB_ALGO, "send-client-subnet: %s", str);
+	if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) {
+		log_err("cannot parse send-client-subnet netblock: %s", str);
+		return 0;
+	}
+	if(!upstream_insert(upstream, &addr, addrlen, net)) {
+		log_err("out of memory");
+		return 0;
+	}
+	return 1;
+}
+
+/** read client_subnet config */
+static int 
+read_upstream(struct ednssubnet_upstream* upstream, struct config_file* cfg)
+{
+	struct config_strlist* p;
+	for(p = cfg->client_subnet; p; p = p->next) {
+		log_assert(p->str);
+		if(!upstream_str_cfg(upstream, p->str))
+			return 0;
+	}
+	return 1;
+}
+
+int 
+upstream_apply_cfg(struct ednssubnet_upstream* upstream,
+	struct config_file* cfg)
+{
+	regional_free_all(upstream->region);
+	addr_tree_init(&upstream->tree);
+	if(!read_upstream(upstream, cfg))
+		return 0;
+	addr_tree_init_parents(&upstream->tree);
+	return 1;
+}
+
+int 
+upstream_is_whitelisted(struct ednssubnet_upstream* upstream,
+	struct sockaddr_storage* addr, socklen_t addrlen)
+{
+	return addr_tree_lookup(&upstream->tree, addr, addrlen) != NULL;
+}
+
+size_t 
+upstream_get_mem(struct ednssubnet_upstream* upstream)
+{
+	if(!upstream) return 0;
+	return sizeof(*upstream) + regional_get_mem(upstream->region);
+}
+
+#endif /* CLIENT_SUBNET */

edns-subnet/subnet-whitelist.h

@@ -0,0 +1,102 @@
+/*
+ * edns-subnet/subnet-whitelist.h - Hosts we actively try to send subnet option
+ * to.
+ *
+ * Copyright (c) 2013, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * \file
+ *
+ * Keep track of the white listed servers for subnet option. Based
+ * on acl_list.c|h
+ */
+
+#ifndef EDNSSUBNET_WHITELIST_H
+#define EDNSSUBNET_WHITELIST_H
+#include "util/storage/dnstree.h"
+
+struct config_file;
+struct regional;
+
+/**
+ * ednssubnet_upstream structure
+ */
+struct ednssubnet_upstream {
+	/** regional for allocation */
+	struct regional* region;
+	/** 
+	 * Tree of the address spans that are whitelisted.
+	 * contents of type addr_tree_node. Each node is an address span 
+	 * Unbound will append subnet option for.
+	 */
+	rbtree_type tree;
+};
+
+/**
+ * Create ednssubnet_upstream structure 
+ * @return new structure or NULL on error.
+ */
+struct ednssubnet_upstream* upstream_create(void);
+
+/**
+ * Delete ednssubnet_upstream structure.
+ * @param upstream: to delete.
+ */
+void upstream_delete(struct ednssubnet_upstream* upstream);
+
+/**
+ * Process ednssubnet_upstream config.
+ * @param upstream: where to store.
+ * @param cfg: config options.
+ * @return 0 on error.
+ */
+int upstream_apply_cfg(struct ednssubnet_upstream* upstream,
+	struct config_file* cfg);
+
+/**
+ * See if an address is whitelisted.
+ * @param upstream: structure for address storage.
+ * @param addr: address to check
+ * @param addrlen: length of addr.
+ * @return: true if the address is whitelisted for subnet option. 
+ */
+int upstream_is_whitelisted(struct ednssubnet_upstream* upstream,
+	struct sockaddr_storage* addr, socklen_t addrlen);
+
+/**
+ * Get memory used by ednssubnet_upstream structure.
+ * @param upstream: structure for address storage.
+ * @return bytes in use.
+ */
+size_t upstream_get_mem(struct ednssubnet_upstream* upstream);
+
+#endif /* EDNSSUBNET_WHITELIST_H */

edns-subnet/subnetmod.c

@@ -0,0 +1,755 @@
+/*
+ * edns-subnet/subnetmod.c - edns subnet module. Must be called before validator
+ * and iterator.
+ *
+ * Copyright (c) 2013, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+ /**
+ * \file
+ * subnet module for unbound.
+ */
+
+#include "config.h"
+
+#ifdef CLIENT_SUBNET /* keeps splint happy */
+
+#include "edns-subnet/subnetmod.h"
+#include "edns-subnet/edns-subnet.h"
+#include "edns-subnet/addrtree.h"
+#include "edns-subnet/subnet-whitelist.h"
+
+#include "services/mesh.h"
+#include "services/cache/dns.h"
+#include "util/module.h"
+#include "util/regional.h"
+#include "util/storage/slabhash.h"
+#include "util/config_file.h"
+#include "util/data/msgreply.h"
+#include "sldns/sbuffer.h"
+
+#define ECS_MAX_TREESIZE 100
+
+/** externally called */
+void 
+subnet_data_delete(void *d, void *ATTR_UNUSED(arg))
+{
+	struct subnet_msg_cache_data *r;
+	r = (struct subnet_msg_cache_data*)d;
+	addrtree_delete(r->tree4);
+	addrtree_delete(r->tree6);
+	free(r);
+}
+
+/** externally called */
+size_t 
+msg_cache_sizefunc(void *k, void *d)
+{
+	struct msgreply_entry *q = (struct msgreply_entry*)k;
+	struct subnet_msg_cache_data *r = (struct subnet_msg_cache_data*)d;
+	size_t s = sizeof(struct msgreply_entry) 
+		+ sizeof(struct subnet_msg_cache_data)
+		+ q->key.qname_len + lock_get_mem(&q->entry.lock);
+	s += addrtree_size(r->tree4);
+	s += addrtree_size(r->tree6);
+	return s;
+}
+
+/** new query for ecs module */
+static int
+subnet_new_qstate(struct module_qstate *qstate, int id)
+{
+	struct subnet_qstate *sq = (struct subnet_qstate*)regional_alloc(
+		qstate->region, sizeof(struct subnet_qstate));
+	if(!sq) 
+		return 0;
+	qstate->minfo[id] = sq;
+	memset(sq, 0, sizeof(*sq));
+	return 1;
+}
+
+/** Add ecs struct to edns list, after parsing it to wire format. */
+static void
+ecs_opt_list_append(struct ecs_data* ecs, struct edns_option** list,
+	struct module_qstate *qstate)
+{
+	size_t sn_octs, sn_octs_remainder;
+	sldns_buffer* buf = qstate->env->scratch_buffer;
+
+	if(ecs->subnet_validdata) {
+		log_assert(ecs->subnet_addr_fam == EDNSSUBNET_ADDRFAM_IP4 || 
+			ecs->subnet_addr_fam == EDNSSUBNET_ADDRFAM_IP6);
+		log_assert(ecs->subnet_addr_fam != EDNSSUBNET_ADDRFAM_IP4 || 
+			ecs->subnet_source_mask <=  INET_SIZE*8);
+		log_assert(ecs->subnet_addr_fam != EDNSSUBNET_ADDRFAM_IP6 || 
+			ecs->subnet_source_mask <= INET6_SIZE*8);
+
+		sn_octs = ecs->subnet_source_mask / 8;
+		sn_octs_remainder =
+			(size_t)((ecs->subnet_source_mask % 8)>0?1:0);
+		
+		log_assert(sn_octs + sn_octs_remainder <= INET6_SIZE);
+		
+		sldns_buffer_clear(buf);
+		sldns_buffer_write_u16(buf, ecs->subnet_addr_fam);
+		sldns_buffer_write_u8(buf, ecs->subnet_source_mask);
+		sldns_buffer_write_u8(buf, ecs->subnet_scope_mask);
+		sldns_buffer_write(buf, ecs->subnet_addr, sn_octs);
+		if(sn_octs_remainder)
+			sldns_buffer_write_u8(buf, ecs->subnet_addr[sn_octs] & 
+				~(0xFF >> (ecs->subnet_source_mask % 8)));
+		sldns_buffer_flip(buf);
+
+		edns_opt_list_append(list, EDNSSUBNET_OPCODE,
+				sn_octs + sn_octs_remainder + 4,
+				sldns_buffer_begin(buf), qstate->region);
+	}
+}
+
+int ecs_whitelist_check(struct query_info* ATTR_UNUSED(qinfo),
+	uint16_t ATTR_UNUSED(flags), struct module_qstate* qstate,
+	struct sockaddr_storage* addr, socklen_t addrlen,
+	uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen),
+	struct regional* ATTR_UNUSED(region), void* cbargs)
+{
+	int id = *((int*)cbargs);
+	struct subnet_qstate *sq;
+	struct subnet_env *sn_env;
+	
+	if(!(sq=(struct subnet_qstate*)qstate->minfo[id]))
+		return 1;
+	sn_env = (struct subnet_env*)qstate->env->modinfo[id];
+
+	/* Cache by default, might be disabled after parsing EDNS option
+	 * received from nameserver. */
+	qstate->no_cache_store = 0;
+
+	if(sq->ecs_server_out.subnet_validdata && (sq->subnet_downstream ||
+		upstream_is_whitelisted(sn_env->edns_subnet_upstreams, 
+		addr, addrlen))) {
+		/* Address on whitelist or client query contains ECS option, we
+		 * want to sent out ECS. Only add option if it is not already
+		 * set. */
+		if(!(sq->subnet_sent)) {
+			ecs_opt_list_append(&sq->ecs_server_out,
+				&qstate->edns_opts_back_out, qstate);
+			sq->subnet_sent = 1;
+		}
+	}
+	else if(sq->subnet_sent) {
+		/* Outgoing ECS option is set, but we don't want to sent it to
+		 * this address, remove option. */
+		edns_opt_list_remove(&qstate->edns_opts_back_out,
+			EDNSSUBNET_OPCODE);
+		sq->subnet_sent = 0;
+	}
+	return 1;
+}
+
+
+int
+subnetmod_init(struct module_env *env, int id)
+{
+	struct subnet_env *sn_env = (struct subnet_env*)calloc(1,
+		sizeof(struct subnet_env));
+	if(!sn_env) {
+		log_err("malloc failure");
+		return 0;
+	}
+	alloc_init(&sn_env->alloc, NULL, 0);
+	env->modinfo[id] = (void*)sn_env;
+	/* Copy msg_cache settings */
+	sn_env->subnet_msg_cache = slabhash_create(env->cfg->msg_cache_slabs,
+		HASH_DEFAULT_STARTARRAY, env->cfg->msg_cache_size,
+		msg_cache_sizefunc, query_info_compare, query_entry_delete,
+		subnet_data_delete, NULL);
+	if(!sn_env->subnet_msg_cache) {
+		log_err("subnet: could not create cache");
+		free(sn_env);
+		env->modinfo[id] = NULL;
+		return 0;
+	}
+	/* whitelist for edns subnet capable servers */
+	sn_env->edns_subnet_upstreams = upstream_create();
+	if(!sn_env->edns_subnet_upstreams ||
+		!upstream_apply_cfg(sn_env->edns_subnet_upstreams, env->cfg)) {
+		log_err("subnet: could not create ECS whitelist");
+		slabhash_delete(sn_env->subnet_msg_cache);
+		free(sn_env);
+		env->modinfo[id] = NULL;
+		return 0;
+	}
+
+	verbose(VERB_QUERY, "subnet: option registered (%d)", EDNSSUBNET_OPCODE);
+	/* Create new mesh state for all queries. */
+	env->unique_mesh = 1;
+	if(!edns_register_option(EDNSSUBNET_OPCODE,
+		1 /* bypass cache */, 0 /* no aggregation */, env)) {
+		log_err("subnet: could not register opcode");
+		upstream_delete(sn_env->edns_subnet_upstreams);
+		slabhash_delete(sn_env->subnet_msg_cache);
+		free(sn_env);
+		env->modinfo[id] = NULL;
+		return 0;
+	}
+	inplace_cb_query_register(ecs_whitelist_check, &id, sizeof(id), env);
+	inplace_cb_edns_back_parsed_register(ecs_edns_back_parsed, &id,
+		sizeof(id), env);
+	lock_rw_init(&sn_env->biglock);
+	return 1;
+}
+
+void
+subnetmod_deinit(struct module_env *env, int id)
+{
+	struct subnet_env *sn_env;
+	if(!env || !env->modinfo[id])
+		return;
+	sn_env = (struct subnet_env*)env->modinfo[id];
+	lock_rw_destroy(&sn_env->biglock);
+	inplace_cb_edns_back_parsed_delete(env);
+	inplace_cb_query_delete(env);
+	upstream_delete(sn_env->edns_subnet_upstreams);
+	slabhash_delete(sn_env->subnet_msg_cache);
+	alloc_clear(&sn_env->alloc);
+	free(sn_env);
+	env->modinfo[id] = NULL;
+}
+
+/** Tells client that upstream has no/improper support */
+static void
+cp_edns_bad_response(struct ecs_data *target, struct ecs_data *source)
+{
+	target->subnet_scope_mask  = 0;
+	target->subnet_source_mask = source->subnet_source_mask;
+	target->subnet_addr_fam    = source->subnet_addr_fam;
+	memcpy(target->subnet_addr, source->subnet_addr, INET6_SIZE);
+	target->subnet_validdata = 1;
+}
+
+static void
+delfunc(void *envptr, void *elemptr) {
+	struct reply_info *elem = (struct reply_info *)elemptr;
+	struct subnet_env *env = (struct subnet_env *)envptr;
+	reply_info_parsedelete(elem, &env->alloc);
+}
+
+static size_t
+sizefunc(void *elemptr) {
+	struct reply_info *elem  = (struct reply_info *)elemptr;
+	return sizeof (struct reply_info) - sizeof (struct rrset_ref)
+		+ elem->rrset_count * sizeof (struct rrset_ref)
+		+ elem->rrset_count * sizeof (struct ub_packed_rrset_key *);
+}
+
+/**
+ * Select tree from cache entry based on edns data.
+ * If for address family not present it will create a new one.
+ * NULL on failure to create. */
+static struct addrtree* 
+get_tree(struct subnet_msg_cache_data *data, struct ecs_data *edns, 
+	struct subnet_env *env)
+{
+	struct addrtree *tree;
+	if (edns->subnet_addr_fam == EDNSSUBNET_ADDRFAM_IP4) {
+		if (!data->tree4)
+			data->tree4 = addrtree_create(EDNSSUBNET_MAX_SUBNET_IP4, 
+				&delfunc, &sizefunc, env, ECS_MAX_TREESIZE);
+		tree = data->tree4;
+	} else {
+		if (!data->tree6)
+			data->tree6 = addrtree_create(EDNSSUBNET_MAX_SUBNET_IP6, 
+				&delfunc, &sizefunc, env, ECS_MAX_TREESIZE);
+		tree = data->tree6;
+	}
+	return tree;
+}
+
+static void
+update_cache(struct module_qstate *qstate, int id)
+{
+	struct msgreply_entry *mrep_entry;
+	struct addrtree *tree;
+	struct reply_info *rep;
+	struct query_info qinf;
+	struct subnet_env *sne = qstate->env->modinfo[id];
+	struct subnet_qstate *sq = (struct subnet_qstate*)qstate->minfo[id];
+	struct slabhash *subnet_msg_cache = sne->subnet_msg_cache;
+	struct ecs_data *edns = &sq->ecs_client_in;
+	size_t i;
+
+	/** We already calculated hash upon lookup */
+	hashvalue_type h = qstate->minfo[id] ? 
+		((struct subnet_qstate*)qstate->minfo[id])->qinfo_hash : 
+		query_info_hash(&qstate->qinfo, qstate->query_flags);
+	/** Step 1, general qinfo lookup */
+	struct lruhash_entry *lru_entry = slabhash_lookup(subnet_msg_cache, h,
+		&qstate->qinfo, 1);
+	int acquired_lock = (lru_entry != NULL);
+	if (!lru_entry) {
+		qinf = qstate->qinfo;
+		qinf.qname = memdup(qstate->qinfo.qname,
+			qstate->qinfo.qname_len);
+		if(!qinf.qname) {
+			log_err("memdup failed");
+			return;
+		}
+		mrep_entry = query_info_entrysetup(&qinf, NULL, h);
+		free(qinf.qname); /* if qname 'consumed', it is set to NULL */
+		if (!mrep_entry) {
+			log_err("query_info_entrysetup failed");
+			return;
+		}
+		lru_entry = &mrep_entry->entry;
+		lru_entry->data = calloc(1,
+			sizeof(struct subnet_msg_cache_data));
+		if (!lru_entry->data) {
+			log_err("malloc failed");
+			return;
+		}
+	}
+	/** Step 2, find the correct tree */
+	if (!(tree = get_tree(lru_entry->data, edns, sne))) {
+		if (acquired_lock) lock_rw_unlock(&lru_entry->lock);
+		log_err("Subnet cache insertion failed");
+		return;
+	}
+	rep = reply_info_copy(qstate->return_msg->rep, &sne->alloc, NULL);
+	if (!rep) {
+		if (acquired_lock) lock_rw_unlock(&lru_entry->lock);
+		log_err("Subnet cache insertion failed");
+		return;
+	}
+	
+	/* store RRsets */
+	for(i=0; i<rep->rrset_count; i++) {
+		rep->ref[i].key = rep->rrsets[i];
+		rep->ref[i].id = rep->rrsets[i]->id;
+	}
+	reply_info_set_ttls(rep, *qstate->env->now);
+	rep->flags |= (BIT_RA | BIT_QR); /* fix flags to be sensible for */
+	rep->flags &= ~(BIT_AA | BIT_CD);/* a reply based on the cache   */
+	addrtree_insert(tree, (addrkey_t*)edns->subnet_addr, 
+		edns->subnet_source_mask, 
+		sq->ecs_server_in.subnet_scope_mask, rep,
+		rep->ttl + *qstate->env->now, *qstate->env->now);
+	if (acquired_lock) {
+		lock_rw_unlock(&lru_entry->lock);
+	} else {
+		slabhash_insert(subnet_msg_cache, h, lru_entry, lru_entry->data,
+			NULL);
+	}
+}
+
+/* return true iff reply is sent. */
+static int
+lookup_and_reply(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
+{
+	struct lruhash_entry *e;
+	struct module_env *env = qstate->env;
+	struct subnet_env *sne = (struct subnet_env*)env->modinfo[id];
+	hashvalue_type h = query_info_hash(&qstate->qinfo, qstate->query_flags);
+	struct subnet_msg_cache_data *data;
+	struct ecs_data *ecs = &sq->ecs_client_in;
+	struct addrtree *tree;
+	struct addrnode *node;
+	uint8_t scope;
+
+	memset(&sq->ecs_client_out, 0, sizeof(sq->ecs_client_out));
+
+	if (sq) sq->qinfo_hash = h; /** Might be useful on cache miss */
+	e = slabhash_lookup(sne->subnet_msg_cache, h, &qstate->qinfo, 1);
+	if (!e) return 0; /** qinfo not in cache */
+	data = e->data;
+	tree = (ecs->subnet_addr_fam == EDNSSUBNET_ADDRFAM_IP4)?
+		data->tree4 : data->tree6;
+	if (!tree) { /** qinfo in cache but not for this family */
+		lock_rw_unlock(&e->lock);
+		return 0;
+	}
+	node = addrtree_find(tree, (addrkey_t*)ecs->subnet_addr, 
+		ecs->subnet_source_mask, *env->now);
+	if (!node) { /** plain old cache miss */
+		lock_rw_unlock(&e->lock);
+		return 0;
+	}
+
+	qstate->return_msg = tomsg(env, &qstate->qinfo,
+		(struct reply_info *)node->elem, qstate->region, *env->now,
+		env->scratch);
+	scope = (uint8_t)node->scope;
+	lock_rw_unlock(&e->lock);
+	
+	if (!qstate->return_msg) { /** TTL expired */
+		return 0;
+	}
+	
+	if (sq->subnet_downstream) { /* relay to interested client */
+		sq->ecs_client_out.subnet_scope_mask = scope;
+		sq->ecs_client_out.subnet_addr_fam = ecs->subnet_addr_fam;
+		sq->ecs_client_out.subnet_source_mask = ecs->subnet_source_mask;
+		memcpy(&sq->ecs_client_out.subnet_addr, &ecs->subnet_addr,
+			INET6_SIZE);
+		sq->ecs_client_out.subnet_validdata = 1;
+	}
+	return 1;
+}
+
+/**
+ * Test first bits of addresses for equality. Caller is responsible
+ * for making sure that both a and b are at least net/8 octets long.
+ * @param a: first address.
+ * @param a: seconds address.
+ * @param net: Number of bits to test.
+ * @return: 1 if equal, 0 otherwise.
+ */
+static int 
+common_prefix(uint8_t *a, uint8_t *b, uint8_t net)
+{
+	size_t n = (size_t)net / 8;
+	return !memcmp(a, b, n) && ((net % 8) == 0 || a[n] == b[n]);
+}
+
+static enum module_ext_state
+eval_response(struct module_qstate *qstate, int id, struct subnet_qstate *sq)
+{
+	struct subnet_env *sne = qstate->env->modinfo[id];
+
+	struct ecs_data *c_in  = &sq->ecs_client_in; /* rcvd from client */
+	struct ecs_data *c_out = &sq->ecs_client_out;/* will send to client */
+	struct ecs_data *s_in  = &sq->ecs_server_in; /* rcvd from auth */
+	struct ecs_data *s_out = &sq->ecs_server_out;/* sent to auth */
+
+	memset(c_out, 0, sizeof(*c_out));
+
+	if (!qstate->return_msg) return module_error;
+	
+	/** We have not asked for subnet data */
+	if (!sq->subnet_sent) {
+		if (s_in->subnet_validdata)
+			verbose(VERB_QUERY, "subnet: received spurious data");
+		if (sq->subnet_downstream) /** Copy back to client */
+			cp_edns_bad_response(c_out, c_in);
+		return module_finished;
+	}
+	
+	/** subnet sent but nothing came back */
+	if (!s_in->subnet_validdata) {
+		/** The authority indicated no support for edns subnet. As a
+		 * consequence the answer ended up in the regular cache. It
+		 * is still usefull to put it in the edns subnet cache for
+		 * when a client explicitly asks for subnet specific answer. */
+		verbose(VERB_QUERY, "subnet: Authority indicates no support");
+		lock_rw_wrlock(&sne->biglock);
+		update_cache(qstate, id);
+		lock_rw_unlock(&sne->biglock);
+		if (sq->subnet_downstream)
+			cp_edns_bad_response(c_out, c_in);
+		return module_finished;
+	}
+	
+	/** Being here means we have asked for and got a subnet specific 
+	 * answer. Also, the answer from the authority is not yet cached 
+	 * anywhere. */
+	
+	/** can we accept response? */
+	if(s_out->subnet_addr_fam != s_in->subnet_addr_fam ||
+		s_out->subnet_source_mask != s_in->subnet_source_mask ||
+		!common_prefix(s_out->subnet_addr, s_in->subnet_addr, 
+			s_out->subnet_source_mask))
+	{
+		/** we can not accept, restart query without option */
+		verbose(VERB_QUERY, "subnet: forged data");
+		s_out->subnet_validdata = 0;
+		(void)edns_opt_list_remove(&qstate->edns_opts_back_out,
+			EDNSSUBNET_OPCODE);
+		sq->subnet_sent = 0;
+		return module_wait_module;
+	}
+
+	lock_rw_wrlock(&sne->biglock);
+	update_cache(qstate, id);
+	lock_rw_unlock(&sne->biglock);
+	
+	if (sq->subnet_downstream) {
+		/** Client wants to see the answer, echo option back
+		 * and adjust the scope. */
+		c_out->subnet_addr_fam = c_in->subnet_addr_fam;
+		c_out->subnet_source_mask = c_in->subnet_source_mask;
+		memcpy(&c_out->subnet_addr, &c_in->subnet_addr, INET6_SIZE);
+		c_out->subnet_scope_mask = s_in->subnet_scope_mask;
+		c_out->subnet_validdata = 1;
+	}
+	return module_finished;
+}
+
+/** Parse EDNS opt data containing ECS */
+static int
+parse_subnet_option(struct edns_option* ecs_option,
+	struct ecs_data* ecs)
+{
+	memset(ecs, 0, sizeof(*ecs));
+	if (ecs_option->opt_len < 4)
+		return 0;
+
+	ecs->subnet_addr_fam = sldns_read_uint16(ecs_option->opt_data);
+	ecs->subnet_source_mask = ecs_option->opt_data[2];
+	ecs->subnet_scope_mask = ecs_option->opt_data[3];
+	/* remaing bytes indicate address */
+	
+	/* validate input*/
+	/* option length matches calculated length? */
+	if (ecs_option->opt_len != (size_t)((ecs->subnet_source_mask+7)/8 + 4))
+		return 0;
+	if (ecs_option->opt_len - 4 > INET6_SIZE || ecs_option->opt_len == 0)
+		return 0;
+	if (ecs->subnet_addr_fam == EDNSSUBNET_ADDRFAM_IP4) {
+		if (ecs->subnet_source_mask > 32 || ecs->subnet_scope_mask > 32)
+			return 0;
+	} else if (ecs->subnet_addr_fam == EDNSSUBNET_ADDRFAM_IP6) {
+		if (ecs->subnet_source_mask > 128 ||
+			ecs->subnet_scope_mask > 128)
+			return 0;
+	} else
+		return 0;
+	
+	/* valid ECS data, write to ecs_data */
+	if (copy_clear(ecs->subnet_addr, INET6_SIZE, ecs_option->opt_data + 4, 
+		ecs_option->opt_len - 4, ecs->subnet_source_mask))
+		return 0;
+	ecs->subnet_validdata = 1;
+	return 1;
+}
+
+static void
+subnet_option_from_ss(struct sockaddr_storage *ss, struct ecs_data* ecs)
+{
+	void* sinaddr;
+	/* Construct subnet option from original query */
+	if(((struct sockaddr_in*)ss)->sin_family == AF_INET) {
+		ecs->subnet_source_mask = EDNSSUBNET_MAX_SUBNET_IP4;
+		ecs->subnet_addr_fam = EDNSSUBNET_ADDRFAM_IP4;
+		sinaddr = &((struct sockaddr_in*)ss)->sin_addr;
+		if (!copy_clear( ecs->subnet_addr, INET6_SIZE,
+			(uint8_t *)sinaddr, INET_SIZE,
+			EDNSSUBNET_MAX_SUBNET_IP4)) {
+			ecs->subnet_validdata = 1;
+		}
+	}
+#ifdef INET6
+	else {
+		ecs->subnet_source_mask = EDNSSUBNET_MAX_SUBNET_IP6;
+		ecs->subnet_addr_fam = EDNSSUBNET_ADDRFAM_IP6;
+		sinaddr = &((struct sockaddr_in6*)ss)->sin6_addr;
+		if (!copy_clear( ecs->subnet_addr, INET6_SIZE,
+			(uint8_t *)sinaddr, INET6_SIZE,
+			EDNSSUBNET_MAX_SUBNET_IP6)) {
+			ecs->subnet_validdata = 1;
+		}
+	}
+#else
+			/* We don't know how to handle ip6, just pass */
+#endif /* INET6 */
+}
+
+int
+ecs_edns_back_parsed(struct module_qstate* qstate, void* cbargs)
+{
+	int id = *((int*)cbargs);
+	struct subnet_qstate *sq;
+	struct edns_option* ecs_opt;
+	
+	if(!(sq=(struct subnet_qstate*)qstate->minfo[id]))
+		return 1;
+	if((ecs_opt = edns_opt_list_find(
+		qstate->edns_opts_back_in, EDNSSUBNET_OPCODE))) {
+		if(parse_subnet_option(ecs_opt, &sq->ecs_server_in) &&
+			sq->subnet_sent && sq->ecs_server_in.subnet_validdata)
+			/* Only skip global cache store if we sent an ECS option
+			 * and received one back. Answers from non-whitelisted
+			 * servers will end up in global cache. Ansers for
+			 * queries with 0 source will not (unless nameserver
+			 * does not support ECS). */
+			qstate->no_cache_store = 1;
+	}
+
+	return 1;
+}
+
+void
+subnetmod_operate(struct module_qstate *qstate, enum module_ev event, 
+	int id, struct outbound_entry* outbound)
+{
+	struct subnet_env *sne = qstate->env->modinfo[id];
+	struct subnet_qstate *sq = (struct subnet_qstate*)qstate->minfo[id];
+	
+	verbose(VERB_QUERY, "subnet[module %d] operate: extstate:%s "
+		"event:%s", id, strextstate(qstate->ext_state[id]), 
+		strmodulevent(event));
+	log_query_info(VERB_QUERY, "subnet operate: query", &qstate->qinfo);
+
+	if(event == module_event_new && sq == NULL) {
+		struct edns_option* ecs_opt;
+		if(!subnet_new_qstate(qstate, id)) {
+			qstate->return_msg = NULL;
+			qstate->ext_state[id] = module_finished;
+			return;
+		}
+
+		sq = (struct subnet_qstate*)qstate->minfo[id];
+
+		if((ecs_opt = edns_opt_list_find(
+			qstate->edns_opts_front_in, EDNSSUBNET_OPCODE))) {
+			if(parse_subnet_option(ecs_opt, &sq->ecs_client_in)) {
+				sq->subnet_downstream = 1;
+			}
+		}
+		else if(qstate->mesh_info->reply_list) {
+			subnet_option_from_ss(
+				&qstate->mesh_info->reply_list->query_reply.addr,
+				&sq->ecs_client_in);
+		}
+		
+		if(sq->ecs_client_in.subnet_validdata == 0) {
+			/* No clients are interested in result or we could not
+			 * parse it, we don't do client subnet */
+			sq->ecs_server_out.subnet_validdata = 0;
+			verbose(VERB_ALGO, "subnet: pass to next module");
+			qstate->ext_state[id] = module_wait_module;
+			return;
+		}
+
+		lock_rw_wrlock(&sne->biglock);
+		if (lookup_and_reply(qstate, id, sq)) {
+			lock_rw_unlock(&sne->biglock);
+			verbose(VERB_QUERY, "subnet: answered from cache");
+			qstate->ext_state[id] = module_finished;
+
+			ecs_opt_list_append(&sq->ecs_client_out,
+				&qstate->edns_opts_front_out, qstate);
+			return;
+		}
+		lock_rw_unlock(&sne->biglock);
+		
+		sq->ecs_server_out.subnet_addr_fam =
+			sq->ecs_client_in.subnet_addr_fam;
+		sq->ecs_server_out.subnet_source_mask =
+			sq->ecs_client_in.subnet_source_mask;
+		memcpy(&sq->ecs_server_out.subnet_addr,
+			sq->ecs_client_in.subnet_addr, INET6_SIZE);
+		sq->ecs_server_out.subnet_scope_mask = 0;
+		sq->ecs_server_out.subnet_validdata = 1;
+		if(sq->ecs_server_out.subnet_source_mask != 0 &&
+			sq->subnet_downstream)
+			/* ECS specific data required, do not look at the global
+			 * cache in other modules. */
+			qstate->no_cache_lookup = 1;
+		
+		/* pass request to next module */
+		verbose(VERB_ALGO,
+			"subnet: not found in cache. pass to next module");
+		qstate->ext_state[id] = module_wait_module;
+		return;
+	}
+	/* Query handed back by next module, we have a 'final' answer */
+	if(sq && event == module_event_moddone) {
+		qstate->ext_state[id] = eval_response(qstate, id, sq);
+		if(qstate->ext_state[id] == module_finished) {
+			ecs_opt_list_append(&sq->ecs_client_out,
+				&qstate->edns_opts_front_out, qstate);
+		}
+		return;
+	}
+	if(sq && outbound) {
+		return;
+	}
+	/* We are being revisited */
+	if(event == module_event_pass || event == module_event_new) {
+		/* Just pass it on, we already did the work */
+		verbose(VERB_ALGO, "subnet: pass to next module");
+		qstate->ext_state[id] = module_wait_module;
+		return;
+	}
+	if(!sq && (event == module_event_moddone)) {
+		/* during priming, module done but we never started */
+		qstate->ext_state[id] = module_finished;
+		return;
+	}
+	log_err("subnet: bad event %s", strmodulevent(event));
+	qstate->ext_state[id] = module_error;
+	return;
+}
+
+void
+subnetmod_clear(struct module_qstate *ATTR_UNUSED(qstate),
+	int ATTR_UNUSED(id))
+{
+	/* qstate has no data outside region */
+}
+
+void
+subnetmod_inform_super(struct module_qstate *ATTR_UNUSED(qstate),
+	int ATTR_UNUSED(id), struct module_qstate *ATTR_UNUSED(super))
+{
+	/* Not used */
+}
+
+size_t
+subnetmod_get_mem(struct module_env *env, int id)
+{
+	struct subnet_env *sn_env = env->modinfo[id];
+	if (!sn_env) return 0;
+	return sizeof(*sn_env) + 
+		slabhash_get_mem(sn_env->subnet_msg_cache);
+}
+
+/**
+ * The module function block 
+ */
+static struct module_func_block subnetmod_block = {
+	"subnet", &subnetmod_init, &subnetmod_deinit, &subnetmod_operate,
+	&subnetmod_inform_super, &subnetmod_clear, &subnetmod_get_mem
+};
+
+struct module_func_block*
+subnetmod_get_funcblock(void)
+{
+	return &subnetmod_block;
+}
+
+/** Wrappers for static functions to unit test */
+size_t
+unittest_wrapper_subnetmod_sizefunc(void *elemptr)
+{
+	return sizefunc(elemptr);
+}
+
+#endif  /* CLIENT_SUBNET */

edns-subnet/subnetmod.h

@@ -0,0 +1,126 @@
+/*
+ * edns-subnet/subnetmod.h - edns subnet module. Must be called before validator
+ * and iterator.
+ *
+ * Copyright (c) 2013, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/**
+ * \file
+ * subnet module for unbound.
+ */
+
+#ifndef SUBNETMOD_H
+#define SUBNETMOD_H
+#include "util/module.h"
+#include "services/outbound_list.h"
+#include "util/alloc.h"
+#include "util/net_help.h"
+#include "util/storage/slabhash.h"
+#include "edns-subnet/addrtree.h"
+#include "edns-subnet/edns-subnet.h"
+
+/**
+ * Global state for the subnet module.
+ */
+struct subnet_env {
+	/** shared message cache
+	 * key: struct query_info*
+	 * data: struct subnet_msg_cache_data* */
+	struct slabhash* subnet_msg_cache;
+	/** access control, which upstream servers we send client address */
+	struct ednssubnet_upstream* edns_subnet_upstreams;
+	/** allocation service */
+	struct alloc_cache alloc;
+	lock_rw_type biglock;
+};
+
+struct subnet_msg_cache_data {
+	struct addrtree* tree4;
+	struct addrtree* tree6;
+};
+
+struct subnet_qstate {
+	/** We need the hash for both cache lookup and insert */
+	hashvalue_type qinfo_hash;
+	/** ecs_data for client communication */
+	struct ecs_data	ecs_client_in;
+	struct ecs_data	ecs_client_out;
+	/** ecss data for server communication */
+	struct ecs_data	ecs_server_in;
+	struct ecs_data	ecs_server_out;
+	int subnet_downstream;
+	int subnet_sent;
+};
+
+void subnet_data_delete(void* d, void* ATTR_UNUSED(arg));
+size_t msg_cache_sizefunc(void* k, void* d);
+
+/**
+ * Get the module function block.
+ * @return: function block with function pointers to module methods.
+ */
+struct module_func_block* subnetmod_get_funcblock(void);
+
+/** subnet module init */
+int subnetmod_init(struct module_env* env, int id);
+
+/** subnet module deinit */
+void subnetmod_deinit(struct module_env* env, int id);
+
+/** subnet module operate on a query */
+void subnetmod_operate(struct module_qstate* qstate, enum module_ev event,
+	int id, struct outbound_entry* outbound);
+
+/** subnet module  */
+void subnetmod_inform_super(struct module_qstate* qstate, int id,
+	struct module_qstate* super);
+
+/** subnet module cleanup query state */
+void subnetmod_clear(struct module_qstate* qstate, int id);
+
+/** subnet module alloc size routine */
+size_t subnetmod_get_mem(struct module_env* env, int id);
+
+/** Wrappers for static functions to unit test */
+size_t unittest_wrapper_subnetmod_sizefunc(void *elemptr);
+
+/** Whitelist check, called just before query is sent upstream. */
+int ecs_whitelist_check(struct query_info* qinfo, uint16_t flags,
+	struct module_qstate* qstate, struct sockaddr_storage* addr,
+	socklen_t addrlen, uint8_t* zone, size_t zonelen,
+	struct regional* region, void* cbargs);
+
+/** Check whether reponse from server contains ECS record, if so, skip cache
+ * store. Called just after parsing EDNS data from server. */
+int ecs_edns_back_parsed(struct module_qstate* qstate, void* cbargs);
+
+#endif /* SUBNETMOD_H */

iterator/iterator.c

@@ -3202,6 +3202,10 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 			/* like packet got dropped */
 			goto handle_it;
 		}
+		if(!inplace_cb_edns_back_parsed_call(qstate->env, qstate)) {
+			log_err("unable to call edns_back_parsed callback");
+			goto handle_it;
+		}
 	}
 
 	/* remove CD-bit, we asked for in case we handle validation ourself */

ltmain.sh

@@ -31,7 +31,7 @@
 
 PROGRAM=libtool
 PACKAGE=libtool
-VERSION=2.4.6
+VERSION="2.4.6 Debian-2.4.6-1"
 package_revision=2.4.6
 
 
@@ -1977,7 +1977,7 @@ func_version ()
 # End:
 
 # Set a version string.
-scriptversion='(GNU libtool) 2.4.6'
+scriptversion='(GNU libtool) 2.4.6 Debian-2.4.6-1'
 
 
 # func_echo ARG...
@@ -2068,12 +2068,12 @@ include the following information:
        compiler:       $LTCC
        compiler flags: $LTCFLAGS
        linker:         $LD (gnu? $with_gnu_ld)
-       version:        $progname (GNU libtool) 2.4.6
+       version:        $progname $scriptversion
        automake:       `($AUTOMAKE --version) 2>/dev/null |$SED 1q`
        autoconf:       `($AUTOCONF --version) 2>/dev/null |$SED 1q`
 
 Report bugs to <bug-libtool@gnu.org>.
-GNU libtool home page: <http://www.gnu.org/software/libtool/>.
+GNU libtool home page: <http://www.gnu.org/s/libtool/>.
 General help using GNU software: <http://www.gnu.org/gethelp/>."
     exit 0
 }
@@ -7272,10 +7272,13 @@ func_mode_link ()
       # -tp=*                Portland pgcc target processor selection
       # --sysroot=*          for sysroot support
       # -O*, -g*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time optimization
+      # -specs=*             GCC specs files
       # -stdlib=*            select c++ std lib with clang
+      # -fsanitize=*         Clang/GCC memory and address sanitizer
       -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
       -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \
-      -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*)
+      -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*| \
+      -specs=*|-fsanitize=*)
         func_quote_for_eval "$arg"
 	arg=$func_quote_for_eval_result
         func_append compile_command " $arg"
@@ -7568,7 +7571,10 @@ func_mode_link ()
 	case $pass in
 	dlopen) libs=$dlfiles ;;
 	dlpreopen) libs=$dlprefiles ;;
-	link) libs="$deplibs %DEPLIBS% $dependency_libs" ;;
+	link)
+	  libs="$deplibs %DEPLIBS%"
+	  test "X$link_all_deplibs" != Xno && libs="$libs $dependency_libs"
+	  ;;
 	esac
       fi
       if test lib,dlpreopen = "$linkmode,$pass"; then
@@ -7887,19 +7893,19 @@ func_mode_link ()
 	    # It is a libtool convenience library, so add in its objects.
 	    func_append convenience " $ladir/$objdir/$old_library"
 	    func_append old_convenience " $ladir/$objdir/$old_library"
+	    tmp_libs=
+	    for deplib in $dependency_libs; do
+	      deplibs="$deplib $deplibs"
+	      if $opt_preserve_dup_deps; then
+		case "$tmp_libs " in
+		*" $deplib "*) func_append specialdeplibs " $deplib" ;;
+		esac
+	      fi
+	      func_append tmp_libs " $deplib"
+	    done
 	  elif test prog != "$linkmode" && test lib != "$linkmode"; then
 	    func_fatal_error "'$lib' is not a convenience library"
 	  fi
-	  tmp_libs=
-	  for deplib in $dependency_libs; do
-	    deplibs="$deplib $deplibs"
-	    if $opt_preserve_dup_deps; then
-	      case "$tmp_libs " in
-	      *" $deplib "*) func_append specialdeplibs " $deplib" ;;
-	      esac
-	    fi
-	    func_append tmp_libs " $deplib"
-	  done
 	  continue
 	fi # $pass = conv
 
@@ -8823,6 +8829,9 @@ func_mode_link ()
 	    revision=$number_minor
 	    lt_irix_increment=no
 	    ;;
+	  *)
+	    func_fatal_configuration "$modename: unknown library version type '$version_type'"
+	    ;;
 	  esac
 	  ;;
 	no)

services/cache/dns.c

@@ -479,8 +479,7 @@ gen_dns_msg(struct regional* region, struct query_info* q, size_t num)
 	return msg;
 }
 
-/** generate dns_msg from cached message */
-static struct dns_msg*
+struct dns_msg*
 tomsg(struct module_env* env, struct query_info* q, struct reply_info* r, 
 	struct regional* region, time_t now, struct regional* scratch)
 {

services/cache/dns.h

@@ -126,6 +126,19 @@ struct delegpt* dns_cache_find_delegation(struct module_env* env,
 	uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass, 
 	struct regional* region, struct dns_msg** msg, time_t timenow);
 
+/**
+ * generate dns_msg from cached message
+ * @param env: module environment with the DNS cache.
+ * @param q: query info, contains qname that will make up the dns message.
+ * @param r: reply info that, together with qname, will make up the dns message.
+ * @param region: where to allocate dns message.
+ * @param now: the time now, for check if TTL on cache entry is ok.
+ * @param scratch: where to allocate temporary data.
+ * */
+struct dns_msg* tomsg(struct module_env* env, struct query_info* q,
+	struct reply_info* r, struct regional* region, time_t now,
+	struct regional* scratch);
+
 /** 
  * Find cached message 
  * @param env: module environment with the DNS cache.

services/mesh.c

@@ -348,7 +348,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 	struct edns_data* edns, struct comm_reply* rep, uint16_t qid)
 {
 	struct mesh_state* s = NULL;
-	int unique = edns_unique_mesh_state(edns->opt_list, mesh->env);
+	int unique = unique_mesh_state(edns->opt_list, mesh->env);
 	int was_detached = 0;
 	int was_noreply = 0;
 	int added = 0;
@@ -470,7 +470,7 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 	uint16_t qid, mesh_cb_func_type cb, void* cb_arg)
 {
 	struct mesh_state* s = NULL;
-	int unique = edns_unique_mesh_state(edns->opt_list, mesh->env);
+	int unique = unique_mesh_state(edns->opt_list, mesh->env);
 	int was_detached = 0;
 	int was_noreply = 0;
 	int added = 0;

services/modstack.c

@@ -54,6 +54,9 @@
 #ifdef USE_CACHEDB
 #include "cachedb/cachedb.h"
 #endif
+#ifdef CLIENT_SUBNET
+#include "edns-subnet/subnetmod.h"
+#endif
 
 /** count number of modules (words) in the string */
 static int
@@ -127,6 +130,9 @@ module_list_avail(void)
 #endif
 #ifdef USE_CACHEDB
 		"cachedb",
+#endif
+#ifdef CLIENT_SUBNET
+		"subnetcache", 
 #endif
 		"respip",
 		"validator", 
@@ -149,6 +155,9 @@ module_funcs_avail(void)
 #endif
 #ifdef USE_CACHEDB
 		&cachedb_get_funcblock,
+#endif
+#ifdef CLIENT_SUBNET
+		&subnetmod_get_funcblock, 
 #endif
 		&respip_get_funcblock,
 		&val_get_funcblock, 

sldns/rrdef.h

@@ -422,7 +422,7 @@ enum sldns_enum_edns_option
 	LDNS_EDNS_DAU = 5, /* RFC6975 */
 	LDNS_EDNS_DHU = 6, /* RFC6975 */
 	LDNS_EDNS_N3U = 7, /* RFC6975 */
-	LDNS_EDNS_CLIENT_SUBNET = 8, /* draft-vandergaast-edns-client-subnet */
+	LDNS_EDNS_CLIENT_SUBNET = 8, /* RFC7871 */
 	LDNS_EDNS_KEEPALIVE = 11, /* draft-ietf-dnsop-edns-tcp-keepalive*/
 	LDNS_EDNS_PADDING = 12 /* RFC7830 */
 };

smallapp/unbound-checkconf.c

@@ -455,6 +455,8 @@ morechecks(struct config_file* cfg, const char* fname)
 		&& strcmp(cfg->module_conf, "cachedb iterator") != 0
 		&& strcmp(cfg->module_conf, "dns64 validator cachedb iterator") != 0
 		&& strcmp(cfg->module_conf, "dns64 cachedb iterator") != 0
+#endif
+#if defined(WITH_PYTHONMODULE) && defined(USE_CACHEDB)
 		&& strcmp(cfg->module_conf, "python dns64 cachedb iterator") != 0
 		&& strcmp(cfg->module_conf, "python dns64 validator cachedb iterator") != 0
 		&& strcmp(cfg->module_conf, "dns64 python cachedb iterator") != 0
@@ -464,6 +466,18 @@ morechecks(struct config_file* cfg, const char* fname)
 		&& strcmp(cfg->module_conf, "cachedb python iterator") != 0
 		&& strcmp(cfg->module_conf, "validator cachedb python iterator") != 0
 		&& strcmp(cfg->module_conf, "validator python cachedb iterator") != 0
+#endif
+#ifdef CLIENT_SUBNET
+		&& strcmp(cfg->module_conf, "subnetcache iterator") != 0 
+		&& strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
+#endif
+#if defined(WITH_PYTHONMODULE) && defined(CLIENT_SUBNET)
+		&& strcmp(cfg->module_conf, "python subnetcache iterator") != 0
+		&& strcmp(cfg->module_conf, "subnetcache python iterator") != 0 
+		&& strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
+		&& strcmp(cfg->module_conf, "python subnetcache validator iterator") != 0
+		&& strcmp(cfg->module_conf, "subnetcache python validator iterator") != 0
+		&& strcmp(cfg->module_conf, "subnetcache validator python iterator") != 0
 #endif
 		) {
 		fatal_exit("module conf '%s' is not known to work",

testcode/fake_event.c

@@ -1070,8 +1070,13 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
 	sldns_buffer_write_u16(pend->buffer, qinfo->qclass);
 	sldns_buffer_flip(pend->buffer);
 	if(1) {
-		/* add edns */
 		struct edns_data edns;
+		if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen,
+			zone, zonelen, qstate, qstate->region)) {
+			free(pend);
+			return NULL;
+		}
+		/* add edns */
 		edns.edns_present = 1;
 		edns.ext_rcode = 0;
 		edns.edns_version = EDNS_ADVERTISED_VERSION;

testcode/testbound.c

@@ -77,6 +77,7 @@ testbound_usage(void)
 	printf("-2 	detect SHA256 support (exit code 0 or 1)\n");
 	printf("-g 	detect GOST support (exit code 0 or 1)\n");
 	printf("-e 	detect ECDSA support (exit code 0 or 1)\n");
+	printf("-c 	detect CLIENT_SUBNET support (exit code 0 or 1)\n");
 	printf("-s 	testbound self-test - unit test of testbound parts.\n");
 	printf("-o str  unbound commandline options separated by spaces.\n");
 	printf("Version %s\n", PACKAGE_VERSION);
@@ -325,6 +326,15 @@ main(int argc, char* argv[])
 #else
 			printf("GOST not supported\n");
 			exit(1);
+#endif
+			break;
+		case 'c':
+#ifdef CLIENT_SUBNET
+			printf("CLIENT_SUBNET supported\n");
+			exit(0);
+#else
+			printf("CLIENT_SUBNET not supported\n");
+			exit(1);
 #endif
 			break;
 		case 'p':

testcode/testpkts.c

@@ -98,6 +98,7 @@ entry_add_reply(struct entry* entry)
 	pkt->packet_sleep = 0;
 	pkt->reply_pkt = NULL;
 	pkt->reply_from_hex = NULL;
+	pkt->raw_ednsdata = NULL;
 	/* link at end */
 	while(*p)
 		p = &((*p)->next);
@@ -134,6 +135,8 @@ static void matchline(char* line, struct entry* e)
 			e->match_do = 1;
 		} else if(str_keyword(&parse, "noedns")) {
 			e->match_noedns = 1;
+		} else if(str_keyword(&parse, "ednsdata")) {
+			e->match_ednsdata_raw = 1;
 		} else if(str_keyword(&parse, "UDP")) {
 			e->match_transport = transport_udp;
 		} else if(str_keyword(&parse, "TCP")) {
@@ -230,6 +233,8 @@ static void adjustline(char* line, struct entry* e,
 			e->copy_id = 1;
 		} else if(str_keyword(&parse, "copy_query")) {
 			e->copy_query = 1;
+		} else if(str_keyword(&parse, "copy_ednsdata_assume_clientsubnet")) {
+			e->copy_ednsdata_assume_clientsubnet = 1;
 		} else if(str_keyword(&parse, "sleep=")) {
 			e->sleeptime = (unsigned int) strtol(parse, (char**)&parse, 10);
 			while(isspace((unsigned char)*parse)) 
@@ -267,6 +272,7 @@ static struct entry* new_entry(void)
 	e->reply_list = NULL;
 	e->copy_id = 0;
 	e->copy_query = 0;
+	e->copy_ednsdata_assume_clientsubnet = 0;
 	e->sleeptime = 0;
 	e->next = NULL;
 	return e;
@@ -484,25 +490,28 @@ static void add_rr(char* rrstr, uint8_t* pktbuf, size_t pktsize,
 	else error("internal error bad section %d", (int)add_section);
 }
 
-/* add EDNS 4096 DO opt record */
+/* add EDNS 4096 opt record */
 static void
-add_do_flag(uint8_t* pktbuf, size_t pktsize, size_t* pktlen)
+add_edns(uint8_t* pktbuf, size_t pktsize, int do_flag, uint8_t *ednsdata,
+	uint16_t ednslen, size_t* pktlen)
 {
 	uint8_t edns[] = {0x00, /* root label */
 		0x00, LDNS_RR_TYPE_OPT, /* type */
 		0x10, 0x00, /* class is UDPSIZE 4096 */
 		0x00, /* TTL[0] is ext rcode */
 		0x00, /* TTL[1] is edns version */
-		0x80, 0x00, /* TTL[2-3] is edns flags, DO */
-		0x00, 0x00 /* rdatalength (0 options) */
+		(uint8_t)(do_flag?0x80:0x00), 0x00, /* TTL[2-3] is edns flags, DO */
+		(uint8_t)((ednslen >> 8) & 0xff),
+		(uint8_t)(ednslen  & 0xff), /* rdatalength */
 	};
 	if(*pktlen < LDNS_HEADER_SIZE)
 		return;
-	if(*pktlen + sizeof(edns) > pktsize)
+	if(*pktlen + sizeof(edns) + ednslen > pktsize)
 		error("not enough space for EDNS OPT record");
 	memmove(pktbuf+*pktlen, edns, sizeof(edns));
+	memmove(pktbuf+*pktlen+sizeof(edns), ednsdata, ednslen);
 	sldns_write_uint16(pktbuf+10, LDNS_ARCOUNT(pktbuf)+1);
-	*pktlen += sizeof(edns);
+	*pktlen += (sizeof(edns) + ednslen);
 }
 
 /* Reads one entry from file. Returns entry or NULL on error. */
@@ -516,7 +525,9 @@ read_entry(FILE* in, const char* name, struct sldns_file_parse_state* pstate,
 	sldns_pkt_section add_section = LDNS_SECTION_QUESTION;
 	struct reply_packet *cur_reply = NULL;
 	int reading_hex = 0;
+	int reading_hex_ednsdata = 0;
 	sldns_buffer* hex_data_buffer = NULL;
+	sldns_buffer* hex_ednsdata_buffer = NULL;
 	uint8_t pktbuf[MAX_PACKETLEN];
 	size_t pktlen = LDNS_HEADER_SIZE;
 	int do_flag = 0; /* DO flag in EDNS */
@@ -583,21 +594,45 @@ read_entry(FILE* in, const char* name, struct sldns_file_parse_state* pstate,
 			cur_reply->reply_from_hex = hex_buffer2wire(hex_data_buffer);
 			sldns_buffer_free(hex_data_buffer);
 			hex_data_buffer = NULL;
+		} else if(reading_hex) {
+			sldns_buffer_printf(hex_data_buffer, "%s", line);
+		} else if(str_keyword(&parse, "HEX_EDNSDATA_BEGIN")) {
+			hex_ednsdata_buffer = sldns_buffer_new(MAX_PACKETLEN);
+			reading_hex_ednsdata = 1;
+		} else if(str_keyword(&parse, "HEX_EDNSDATA_END")) {
+			if (!reading_hex_ednsdata) {
+				error("%s line %d: HEX_EDNSDATA_END read but no"
+					"HEX_EDNSDATA_BEGIN keyword seen", name, pstate->lineno);
+			}
+			reading_hex_ednsdata = 0;
+			cur_reply->raw_ednsdata = hex_buffer2wire(hex_ednsdata_buffer);
+			sldns_buffer_free(hex_ednsdata_buffer);
+			hex_ednsdata_buffer = NULL;
+		} else if(reading_hex_ednsdata) {
+			sldns_buffer_printf(hex_ednsdata_buffer, "%s", line);
 		} else if(str_keyword(&parse, "ENTRY_END")) {
 			if(hex_data_buffer)
 				sldns_buffer_free(hex_data_buffer);
+			if(hex_ednsdata_buffer)
+				sldns_buffer_free(hex_ednsdata_buffer);
 			if(pktlen != 0) {
-				if(do_flag)
-					add_do_flag(pktbuf, sizeof(pktbuf),
-						&pktlen);
+				if(do_flag || cur_reply->raw_ednsdata) {
+					if(cur_reply->raw_ednsdata &&
+						sldns_buffer_limit(cur_reply->raw_ednsdata))
+						add_edns(pktbuf, sizeof(pktbuf), do_flag,
+							sldns_buffer_begin(cur_reply->raw_ednsdata),
+							(uint16_t)sldns_buffer_limit(cur_reply->raw_ednsdata),
+							&pktlen);
+					else
+						add_edns(pktbuf, sizeof(pktbuf), do_flag,
+							NULL, 0, &pktlen);
+				}
 				cur_reply->reply_pkt = memdup(pktbuf, pktlen);
 				cur_reply->reply_len = pktlen;
 				if(!cur_reply->reply_pkt)
 					error("out of memory");
 			}
 			return current;
-		} else if(reading_hex) {
-			sldns_buffer_printf(hex_data_buffer, "%s", line);
 		} else {
 			add_rr(skip_whitespace?parse:line, pktbuf,
 				sizeof(pktbuf), &pktlen, pstate, add_section,
@@ -605,10 +640,14 @@ read_entry(FILE* in, const char* name, struct sldns_file_parse_state* pstate,
 		}
 
 	}
-	if (reading_hex) {
+	if(reading_hex) {
 		error("%s: End of file reached while still reading hex, "
 			"missing HEX_ANSWER_END\n", name);
 	}
+	if(reading_hex_ednsdata) {
+		error("%s: End of file reached while still reading edns data, "
+			"missing HEX_EDNSDATA_END\n", name);
+	}
 	if(current) {
 		error("%s: End of file reached while reading entry. "
 			"missing ENTRY_END\n", name);
@@ -778,16 +817,16 @@ pkt_find_edns_opt(uint8_t** p, size_t* plen)
 	wlen -= LDNS_HEADER_SIZE;
 
 	/* skip other records with wire2str_scan */
-	for(i=0; i < LDNS_QDCOUNT(p); i++)
+	for(i=0; i < LDNS_QDCOUNT(*p); i++)
 		(void)sldns_wire2str_rrquestion_scan(&w, &wlen, &snull, &sl,
 			*p, *plen);
-	for(i=0; i < LDNS_ANCOUNT(p); i++)
+	for(i=0; i < LDNS_ANCOUNT(*p); i++)
 		(void)sldns_wire2str_rr_scan(&w, &wlen, &snull, &sl, *p, *plen);
-	for(i=0; i < LDNS_NSCOUNT(p); i++)
+	for(i=0; i < LDNS_NSCOUNT(*p); i++)
 		(void)sldns_wire2str_rr_scan(&w, &wlen, &snull, &sl, *p, *plen);
 
 	/* walk through additional section */
-	for(i=0; i < LDNS_ARCOUNT(p); i++) {
+	for(i=0; i < LDNS_ARCOUNT(*p); i++) {
 		/* if this is OPT then done */
 		uint8_t* dstart = w;
 		size_t dlen = wlen;
@@ -1338,6 +1377,31 @@ static int subdomain_dname(uint8_t* q, size_t qlen, uint8_t* p, size_t plen)
 	return 0;
 }
 
+/** Match OPT RDATA (not the EDNS payload size or flags) */
+static int
+match_ednsdata(uint8_t* q, size_t qlen, uint8_t* p, size_t plen)
+{
+	uint8_t* walk_q = q;
+	size_t walk_qlen = qlen;
+	uint8_t* walk_p = p;
+	size_t walk_plen = plen;
+
+	if(!pkt_find_edns_opt(&walk_q, &walk_qlen))
+		walk_qlen = 0;
+	if(!pkt_find_edns_opt(&walk_p, &walk_plen))
+		walk_plen = 0;
+
+	/* class + ttl + rdlen = 8 */
+	if(walk_qlen <= 8 && walk_plen <= 8) {
+		verbose(3, "NO edns opt, move on");
+		return 1;
+	}
+	if(walk_qlen != walk_plen)
+		return 0;
+
+	return (memcmp(walk_p+8, walk_q+8, walk_qlen-8) == 0);
+}
+
 /* finds entry in list, or returns NULL */
 struct entry* 
 find_match(struct entry* entries, uint8_t* query_pkt, size_t len,
@@ -1409,6 +1473,11 @@ find_match(struct entry* entries, uint8_t* query_pkt, size_t len,
 			verbose(3, "bad; EDNS OPT present\n");
 			continue;
 		}
+		if(p->match_ednsdata_raw && 
+				!match_ednsdata(query_pkt, len, reply, rlen)) {
+			verbose(3, "bad EDNS data match.\n");
+			continue;
+		}
 		if(p->match_transport != transport_any && p->match_transport != transport) {
 			verbose(3, "bad transport\n");
 			continue;
@@ -1494,6 +1563,29 @@ adjust_packet(struct entry* match, uint8_t** answer_pkt, size_t *answer_len,
 	if(match->copy_id && reslen >= 1)
 		res[0] = orig[0];
 
+	if(match->copy_ednsdata_assume_clientsubnet) {
+		/** Assume there is only one EDNS option, which is ECS.
+		 * Copy source mask from query to scope mask in reply. Assume
+		 * rest of ECS data in response (eg address) matches the query.
+		 */
+		uint8_t* walk_q = orig;
+		size_t walk_qlen = origlen;
+		uint8_t* walk_p = res;
+		size_t walk_plen = reslen;
+
+		if(!pkt_find_edns_opt(&walk_q, &walk_qlen)) {
+			walk_qlen = 0;
+		}
+		if(!pkt_find_edns_opt(&walk_p, &walk_plen)) {
+			walk_plen = 0;
+		}
+		/* class + ttl + rdlen + optcode + optlen + ecs fam + ecs source
+		 * + ecs scope = index 15 */
+		if(walk_qlen >= 15 && walk_plen >= 15) {
+			walk_p[15] = walk_q[14];
+		}	
+	}
+
 	if(match->sleeptime > 0) {
 		verbose(3, "sleeping for %d seconds\n", match->sleeptime);
 #ifdef HAVE_SLEEP
@@ -1587,6 +1679,7 @@ void delete_replylist(struct reply_packet* replist)
 		np = p->next;
 		free(p->reply_pkt);
 		sldns_buffer_free(p->reply_from_hex);
+		sldns_buffer_free(p->raw_ednsdata);
 		free(p);
 		p=np;
 	}

testcode/testpkts.h

@@ -53,6 +53,7 @@ struct sldns_file_parse_state;
 	; 'rcode' makes the query match the rcode from the reply
 	; 'question' makes the query match the question section
 	; 'answer' makes the query match the answer section
+	; 'ednsdata' matches queries to HEX_EDNS section.
 	MATCH [opcode] [qtype] [qname] [serial=<value>] [all] [ttl]
 	MATCH [UDP|TCP] DO
 	MATCH ...
@@ -87,6 +88,11 @@ struct sldns_file_parse_state;
 				; be parsed, ADJUST rules for the answer packet
 				; are ignored. Only copy_id is done.
 	HEX_ANSWER_END
+	HEX_EDNS_BEGIN		; follow with hex data.
+				; Raw EDNS data to match against. It must be an 
+				; exact match (all options are matched) and will be 
+				; evaluated only when 'MATCH ednsdata' given.
+	HEX_EDNS_END
 	ENTRY_END
 
 
@@ -147,6 +153,8 @@ struct reply_packet {
 	uint8_t* reply_pkt;
 	/** length of reply pkt */
 	size_t reply_len;
+	/** Additional EDNS data for matching queries. */
+	struct sldns_buffer* raw_ednsdata;
 	/** or reply pkt in hex if not parsable */
 	struct sldns_buffer* reply_from_hex;
 	/** seconds to sleep before giving packet */
@@ -182,6 +190,8 @@ struct entry {
 	uint8_t match_do;
 	/** match absence of EDNS OPT record in query */
 	uint8_t match_noedns;
+	/** match edns data field given in hex */
+	uint8_t match_ednsdata_raw;
 	/** match query serial with this value. */
 	uint32_t ixfr_soa_serial; 
 	/** match on UDP/TCP */
@@ -195,6 +205,9 @@ struct entry {
 	uint8_t copy_id; 
 	/** copy the query nametypeclass from query into the answer */
 	uint8_t copy_query;
+	/** copy ednsdata to reply, assume it is clientsubnet and
+	 * adjust scopemask to match sourcemask */
+	uint8_t copy_ednsdata_assume_clientsubnet;
 	/** in seconds */
 	unsigned int sleeptime; 
 

testcode/unitecs.c

@@ -0,0 +1,284 @@
+/*
+ * testcode/unitecs.c - unit test for ecs routines.
+ *
+ * Copyright (c) 2013, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+ 
+/**
+ * \file
+ * Calls ecs related unit tests. Exits with code 1 on a failure. 
+ */
+
+#include "config.h"
+
+#ifdef CLIENT_SUBNET
+
+#include "util/log.h"
+#include "util/module.h"
+#include "testcode/unitmain.h"
+#include "edns-subnet/addrtree.h"
+#include "edns-subnet/subnetmod.h"
+
+/*
+	void printkey(addrkey_t *k, addrlen_t bits)
+	{
+		int byte;
+		int bytes = bits/8 + ((bits%8)>0);
+		char msk = 0xFF;
+		for (byte = 0; byte < bytes; byte++) {
+			//~ if (byte+1 == bytes)
+				//~ msk = 0xFF<<(8-bits%8);
+			printf("%02x ", k[byte]&msk);
+		}
+	}
+
+	void print_tree(struct addrnode* node, int indent, int maxdepth)
+	{
+		struct addredge* edge;
+		int i, s, byte;
+		if (indent == 0) printf("-----Tree-----\n");
+		if (indent > maxdepth) {
+			printf("\n");
+			return;
+		}
+		printf("[node elem:%d] (%d)\n", node->elem != NULL, node);
+		for (i = 0; i<2; i++) {
+			if (node->edge[i]) {
+				for (s = 0; s < indent; s++) printf(" ");
+				printkey(node->edge[i]->str, node->edge[i]->len);
+				printf("(len %d bits, %d bytes) ", node->edge[i]->len, 
+					node->edge[i]->len/8 + ((node->edge[i]->len%8)>0));
+				print_tree(node->edge[i]->node, indent+1, maxdepth);
+			}
+		}	
+		if (indent == 0) printf("-----Tree-----");
+	}
+*/
+
+/* what should we check?
+ * X - is it balanced? (a node with 1 child shoudl not have  
+ * a node with 1 child MUST have elem
+ * child must be sub of parent
+ * edge must be longer than parent edge
+ * */
+static int addrtree_inconsistent_subtree(struct addrtree* tree, 
+	struct addredge* parent_edge, addrlen_t depth)
+{
+	struct addredge* edge;
+	struct addrnode* node = parent_edge->node;
+	int childcount, i, r;
+	if (depth > tree->max_depth) return 15;
+	childcount = (node->edge[0] != NULL) + (node->edge[1] != NULL);
+	/* Only nodes with 2 children should possibly have no element. */
+	if (childcount < 2 && !node->elem) return 10;
+	for (i = 0; i<2; i++) {
+		edge = node->edge[i];
+		if (!edge) continue;
+		if (!edge->node) return 11;
+		if (!edge->str) return 12;
+		if (edge->len <= parent_edge->len) return 13;
+		if (!unittest_wrapper_addrtree_issub(parent_edge->str,
+				parent_edge->len, edge->str, edge->len, 0))
+			return 14;
+		if ((r = addrtree_inconsistent_subtree(tree, edge, depth+1)) != 0)
+			return 100+r;
+	}
+	return 0;
+}
+
+static int addrtree_inconsistent(struct addrtree* tree)
+{
+	struct addredge* edge;
+	int i, r;
+	
+	if (!tree) return 0;
+	if (!tree->root) return 1;
+	
+	for (i = 0; i<2; i++) {
+		edge = tree->root->edge[i];
+		if (!edge) continue;
+		if (!edge->node) return 3;
+		if (!edge->str) return 4;
+		if ((r = addrtree_inconsistent_subtree(tree, edge, 1)) != 0)
+			return r;
+	}
+	return 0;
+}
+
+static addrlen_t randomkey(addrkey_t **k, int maxlen)
+{
+	int byte;
+	int bits = rand() % maxlen;
+	int bytes = bits/8 + (bits%8>0); /*ceil*/
+	*k = (addrkey_t *) malloc(bytes * sizeof(addrkey_t));
+	for (byte = 0; byte < bytes; byte++) {
+		(*k)[byte] = (addrkey_t)(rand() & 0xFF);
+	}
+	return (addrlen_t)bits;
+}
+
+static void elemfree(void *envptr, void *elemptr)
+{
+	struct reply_info *elem = (struct reply_info *)elemptr;
+	(void)envptr;
+	free(elem);
+}
+
+static void consistency_test(void)
+{
+	addrlen_t l;
+	time_t i;
+	unsigned int count;
+	addrkey_t *k;
+	struct addrtree* t;
+	struct module_env env;
+	struct reply_info *elem;
+	time_t timenow = 0;
+	unit_show_func("edns-subnet/addrtree.h", "Tree consistency check");
+	srand(9195); /* just some value for reproducibility */
+
+	t = addrtree_create(100, &elemfree, &unittest_wrapper_subnetmod_sizefunc, &env, 0);
+	count = t->node_count;
+	unit_assert(count == 0);
+	for (i = 0; i < 1000; i++) {
+		l = randomkey(&k, 128);
+		elem = (struct reply_info *) calloc(1, sizeof(struct reply_info));
+		addrtree_insert(t, k, l, 64, elem, timenow + 10, timenow);
+		/* This should always hold because no items ever expire. They
+		 * could be overwritten, though. */
+		unit_assert( count <= t->node_count );
+		count = t->node_count;
+		free(k);
+		unit_assert( !addrtree_inconsistent(t) );
+	}
+	addrtree_delete(t);
+
+	unit_show_func("edns-subnet/addrtree.h", "Tree consistency with purge");
+	t = addrtree_create(8, &elemfree, &unittest_wrapper_subnetmod_sizefunc, &env, 0);
+	unit_assert(t->node_count == 0);
+	for (i = 0; i < 1000; i++) {
+		l = randomkey(&k, 128);
+		elem = (struct reply_info *) calloc(1, sizeof(struct reply_info));
+		addrtree_insert(t, k, l, 64, elem, i + 10, i);
+		free(k);
+		unit_assert( !addrtree_inconsistent(t) );
+	}
+	addrtree_delete(t);
+
+	unit_show_func("edns-subnet/addrtree.h", "Tree consistency with limit");
+	t = addrtree_create(8, &elemfree, &unittest_wrapper_subnetmod_sizefunc, &env, 27);
+	unit_assert(t->node_count == 0);
+	for (i = 0; i < 1000; i++) {
+		l = randomkey(&k, 128);
+		elem = (struct reply_info *) calloc(1, sizeof(struct reply_info));
+		addrtree_insert(t, k, l, 64, elem, i + 10, i);
+		unit_assert( t->node_count <= 27);
+		free(k);
+		unit_assert( !addrtree_inconsistent(t) );
+	}
+	addrtree_delete(t);
+}
+
+static void issub_test(void)
+{
+	addrkey_t k1[] = {0x55, 0x55, 0x5A};
+	addrkey_t k2[] = {0x55, 0x5D, 0x5A};
+	unit_show_func("edns-subnet/addrtree.h", "issub");
+	unit_assert( !unittest_wrapper_addrtree_issub(k1, 24, k2, 24,  0) );
+	unit_assert(  unittest_wrapper_addrtree_issub(k1,  8, k2, 16,  0) );
+	unit_assert(  unittest_wrapper_addrtree_issub(k2, 12, k1, 13,  0) );
+	unit_assert( !unittest_wrapper_addrtree_issub(k1, 16, k2, 12,  0) );
+	unit_assert(  unittest_wrapper_addrtree_issub(k1, 12, k2, 12,  0) );
+	unit_assert( !unittest_wrapper_addrtree_issub(k1, 13, k2, 13,  0) );
+	unit_assert(  unittest_wrapper_addrtree_issub(k1, 24, k2, 24, 13) );
+	unit_assert( !unittest_wrapper_addrtree_issub(k1, 24, k2, 20, 13) );
+	unit_assert(  unittest_wrapper_addrtree_issub(k1, 20, k2, 24, 13) );
+}
+
+static void getbit_test(void)
+{
+	addrkey_t k1[] = {0x55, 0x55, 0x5A};
+	int i;
+	unit_show_func("edns-subnet/addrtree.h", "getbit");
+	for(i = 0; i<20; i++) {
+		unit_assert( unittest_wrapper_addrtree_getbit(k1, 20, (addrlen_t)i) == (i&1) );
+	}
+}
+
+static void bits_common_test(void)
+{
+	addrkey_t k1[] = {0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0};
+	addrkey_t k2[] = {0,0,0,0,0,0,0,0};
+	addrlen_t i;
+	
+	unit_show_func("edns-subnet/addrtree.h", "bits_common");
+	for(i = 0; i<64; i++) {
+		unit_assert( unittest_wrapper_addrtree_bits_common(k1, 64, k1, 64, i) == 64 );
+	}
+	for(i = 0; i<8; i++) {
+		k2[i] = k1[i]^(1<<i);
+	}
+	unit_assert( unittest_wrapper_addrtree_bits_common(k1, 64, k2, 64,  0) == 0*8+7 );
+	unit_assert( unittest_wrapper_addrtree_bits_common(k1, 64, k2, 64,  8) == 1*8+6 );
+	unit_assert( unittest_wrapper_addrtree_bits_common(k1, 64, k2, 64, 16) == 2*8+5 );
+	unit_assert( unittest_wrapper_addrtree_bits_common(k1, 64, k2, 64, 24) == 3*8+4 );
+	unit_assert( unittest_wrapper_addrtree_bits_common(k1, 64, k2, 64, 32) == 4*8+3 );
+	unit_assert( unittest_wrapper_addrtree_bits_common(k1, 64, k2, 64, 40) == 5*8+2 );
+	unit_assert( unittest_wrapper_addrtree_bits_common(k1, 64, k2, 64, 48) == 6*8+1 );
+	unit_assert( unittest_wrapper_addrtree_bits_common(k1, 64, k2, 64, 56) == 7*8+0 );
+}
+
+static void cmpbit_test(void)
+{
+	addrkey_t k1[] = {0xA5, 0x0F};
+	addrkey_t k2[] = {0x5A, 0xF0};
+	addrlen_t i;
+	
+	unit_show_func("edns-subnet/addrtree.h", "cmpbit");
+	for(i = 0; i<16; i++) {
+		unit_assert( !unittest_wrapper_addrtree_cmpbit(k1,k1,i) );
+		unit_assert(  unittest_wrapper_addrtree_cmpbit(k1,k2,i) );
+	}
+}
+
+void ecs_test(void)
+{
+	unit_show_feature("ecs");
+	cmpbit_test();
+	bits_common_test();
+	getbit_test();
+	issub_test();
+	consistency_test();
+}
+#endif /* CLIENT_SUBNET */
+

testcode/unitmain.c

@@ -880,6 +880,9 @@ main(int argc, char* argv[])
 	infra_test();
 	ldns_test();
 	msgparse_test();
+#ifdef CLIENT_SUBNET
+	ecs_test();
+#endif /* CLIENT_SUBNET */
 	checklock_stop();
 	printf("%d checks ok.\n", testcount);
 #ifdef HAVE_SSL

testcode/unitmain.h

@@ -72,6 +72,10 @@ void verify_test(void);
 void neg_test(void);
 /** unit test for regional allocator functions */
 void regional_test(void);
+#ifdef CLIENT_SUBNET
+/** Unit test for ECS functions */
+void ecs_test(void);
+#endif /* CLIENT_SUBNET */
 /** unit test for ldns functions */
 void ldns_test(void);
 

testdata/subnet_cached.crpl

@@ -0,0 +1,235 @@
+; Ask the same question twice. Check to see second is answered
+; from cache
+
+server:
+	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+	val-override-date: "20070916134226"
+	target-fetch-policy: "0 0 0 0 0"
+	send-client-subnet: 1.2.3.4
+	client-subnet-opcode: 20730
+	max-client-subnet-ipv4: 17
+	module-config: "subnetcache validator iterator"
+	verbosity: 3
+	access-control: 127.0.0.1 allow_snoop
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with positive response
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			com.	IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN NS
+		SECTION ANSWER
+			com.    IN NS   a.gtld-servers.net.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			a.gtld-servers.net.     IN      A       192.5.6.30
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.         IN      A       1.2.3.4
+			ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+	ENTRY_END
+
+	; response to DNSKEY priming query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN DNSKEY
+		SECTION ANSWER
+			example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+			example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	1.2.3.4
+			ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+	ENTRY_END
+
+	; response to query of interest
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id copy_ednsdata_assume_clientsubnet
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com. IN A	10.20.30.40
+			ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+							; client is 127.0.0.1
+				50 fa 		; OPC
+				00 07 		; option length
+				00 01 		; Family
+				11 00 		; source mask, scopemask
+				7f 00 00 	; address
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	1.2.3.4
+			www.example.com.        3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
+	ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+	HEX_ANSWER_BEGIN;
+		00 00 01 00 00 01 00 00		;ID 0
+		00 00 00 01 03 77 77 77		; www.example.com A? (DO)
+		07 65 78 61 6d 70 6c 65 
+		03 63 6f 6d 00 00 01 00
+		01 00 00 29 10 00 00 00 
+		80 00 00 0b
+		
+		50 fa 00 07					; OPC, optlen
+		00 01 11 00					; ip4, scope 17, source 0
+		7f 00 00   					;127.0.0.0/17
+	HEX_ANSWER_END
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ednsdata
+	REPLY QR RD RA AD NOERROR
+	SECTION QUESTION
+		www.example.com. IN A
+	SECTION ANSWER
+		www.example.com. IN A	10.20.30.40
+		www.example.com.        3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+		example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+	SECTION ADDITIONAL
+		HEX_EDNSDATA_BEGIN
+						; client is 127.0.0.1
+			50 fa 		; OPC
+			00 07 		; option length
+			00 01 		; Family
+			11 11 		; source mask, scopemask
+			7f 00 00 	; address
+		HEX_EDNSDATA_END
+		ns.example.com.		IN 	A	1.2.3.4
+		ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
+ENTRY_END
+
+STEP 11 QUERY
+
+ENTRY_BEGIN
+	HEX_ANSWER_BEGIN;
+		00 00 00 00 00 01 00 00		;ID 0, no RD
+		00 00 00 01 03 77 77 77		; www.example.com A? (DO)
+		07 65 78 61 6d 70 6c 65 
+		03 63 6f 6d 00 00 01 00
+		01 00 00 29 10 00 00 00 
+		80 00 00 0b
+		
+		50 fa 00 07					; OPC, optlen
+		00 01 12 00					; ip4, scope 18, source 0
+		7f 00 00   					;127.0.0.0/18
+	HEX_ANSWER_END
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ednsdata
+	REPLY QR RA AD NOERROR
+	SECTION QUESTION
+		www.example.com. IN A
+	SECTION ANSWER
+		www.example.com. IN A	10.20.30.40
+		www.example.com.        3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+		example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+	SECTION ADDITIONAL
+		HEX_EDNSDATA_BEGIN
+						; client is 127.0.0.1
+			50 fa 		; OPC
+			00 07 		; option length
+			00 01 		; Family
+			12 11 		; source mask, scopemask
+			7f 00 00 	; address
+		HEX_EDNSDATA_END
+		ns.example.com.		IN 	A	1.2.3.4
+		ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
+ENTRY_END
+
+SCENARIO_END

testdata/subnet_derived.crpl

@@ -0,0 +1,164 @@
+server:
+	send-client-subnet: 5.0.15.10
+	send-client-subnet: 193.0.14.129 
+	client-subnet-opcode: 20730
+	max-client-subnet-ipv4: 21
+	verbosity: 3
+	module-config: "subnetcache validator iterator"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Must not send subnet option for 'derived' queries.
+
+RANGE_BEGIN 0 100
+
+	ADDRESS 193.0.14.129 
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			a.gtld-servers.net. IN AAAA
+		SECTION AUTHORITY
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			com.	IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+							; client is 127.0.0.1
+				50 fa 		; OPC
+				00 07 		; option length
+				00 01 		; Family
+				15 00 		; source mask, scopemask
+				7f 00 00 	; address
+			HEX_EDNSDATA_END
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+	
+RANGE_END
+
+RANGE_BEGIN 0 100
+
+	ADDRESS 192.5.6.30
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	5.0.15.10
+	ENTRY_END
+	
+RANGE_END
+
+RANGE_BEGIN 0 100
+
+	ADDRESS 5.0.15.10
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.     IN      A       5.0.15.10
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			ns.example.com. IN AAAA
+		SECTION ANSWER
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain ednsdata
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com.	IN A	4.3.2.1
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+							; client is 127.0.0.1
+				50 fa 		; OPC
+				00 07 		; option length
+				00 01 		; Family
+				15 00 		; source mask, scopemask
+				7f 00 00 	; address
+			HEX_EDNSDATA_END
+	ENTRY_END
+	
+RANGE_END
+
+;; ----------------------------------------
+
+STEP 1 QUERY
+
+	ENTRY_BEGIN
+		REPLY RD
+		SECTION QUESTION
+		www.example.com. IN A
+	ENTRY_END
+
+STEP 10 CHECK_ANSWER
+
+	ENTRY_BEGIN
+		MATCH all
+		REPLY QR RD RA NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com.	IN A	4.3.2.1
+		SECTION AUTHORITY
+		SECTION ADDITIONAL
+	ENTRY_END
+
+SCENARIO_END

testdata/subnet_format_ip4.crpl

@@ -0,0 +1,161 @@
+server:
+	send-client-subnet: 5.0.15.10
+	client-subnet-opcode: 20730
+	max-client-subnet-ipv4: 21
+	verbosity: 3
+	module-config: "subnetcache validator iterator"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Subnet option ONLY in final query
+
+RANGE_BEGIN 0 100
+
+	ADDRESS 193.0.14.129 
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			a.gtld-servers.net. IN AAAA
+		SECTION AUTHORITY
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			com.	IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+	
+RANGE_END
+
+RANGE_BEGIN 0 100
+
+	ADDRESS 192.5.6.30
+
+	ENTRY_BEGIN
+		MATCH opcode opcode qtype qname ednsdata
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	5.0.15.10
+	ENTRY_END
+	
+RANGE_END
+
+RANGE_BEGIN 0 100
+
+	ADDRESS 5.0.15.10
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.     IN      A       5.0.15.10
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			ns.example.com. IN AAAA
+		SECTION ANSWER
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain ednsdata
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com.	IN A	4.3.2.1
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+							; client is 127.0.0.1
+				50 fa 		; OPC
+				00 07 		; option length
+				00 01 		; Family
+				15 00 		; source mask, scopemask
+				7f 00 00 	; address
+			HEX_EDNSDATA_END
+	ENTRY_END
+	
+RANGE_END
+
+;; ----------------------------------------
+
+STEP 1 QUERY
+
+	ENTRY_BEGIN
+		REPLY RD
+		SECTION QUESTION
+		www.example.com. IN A
+	ENTRY_END
+
+STEP 10 CHECK_ANSWER
+
+	ENTRY_BEGIN
+		MATCH all
+		REPLY QR RD RA NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com.	IN A	4.3.2.1
+		SECTION AUTHORITY
+		SECTION ADDITIONAL
+	ENTRY_END
+
+SCENARIO_END

testdata/subnet_nondefault_opc.crpl

@@ -0,0 +1,161 @@
+server:
+	send-client-subnet: 5.0.15.10
+	client-subnet-opcode: 99
+	max-client-subnet-ipv4: 21
+	verbosity: 3
+	module-config: "subnetcache validator iterator"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Works for other than default OPC
+
+RANGE_BEGIN 0 100
+
+	ADDRESS 193.0.14.129 
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			a.gtld-servers.net. IN AAAA
+		SECTION AUTHORITY
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			com.	IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+	
+RANGE_END
+
+RANGE_BEGIN 0 100
+
+	ADDRESS 192.5.6.30
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain ednsdata
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	5.0.15.10
+	ENTRY_END
+	
+RANGE_END
+
+RANGE_BEGIN 0 100
+
+	ADDRESS 5.0.15.10
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.     IN      A       5.0.15.10
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			ns.example.com. IN AAAA
+		SECTION ANSWER
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain ednsdata
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com.	IN A	4.3.2.1
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+							; client is 127.0.0.1
+				00 63 		; OPC
+				00 07 		; option length
+				00 01 		; Family
+				15 00 		; source mask, scopemask
+				7f 00 00 	; address
+			HEX_EDNSDATA_END
+	ENTRY_END
+	
+RANGE_END
+
+;; ----------------------------------------
+
+STEP 1 QUERY
+
+	ENTRY_BEGIN
+		REPLY RD
+		SECTION QUESTION
+		www.example.com. IN A
+	ENTRY_END
+
+STEP 10 CHECK_ANSWER
+
+	ENTRY_BEGIN
+		MATCH all
+		REPLY QR RD RA NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com.	IN A	4.3.2.1
+		SECTION AUTHORITY
+		SECTION ADDITIONAL
+	ENTRY_END
+
+SCENARIO_END

testdata/subnet_not_whitelisted.crpl

@@ -0,0 +1,156 @@
+server:
+	send-client-subnet: 9.9.9.9/32
+	client-subnet-opcode: 20730
+	max-client-subnet-ipv4: 21
+	verbosity: 3
+	module-config: "subnetcache validator iterator"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Subnet option MUST NOT be send to any host
+
+RANGE_BEGIN 0 100
+
+	ADDRESS 193.0.14.129 
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			a.gtld-servers.net. IN AAAA
+		SECTION AUTHORITY
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			com.	IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+	
+RANGE_END
+
+RANGE_BEGIN 0 100
+
+	ADDRESS 192.5.6.30
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain ednsdata
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	5.0.15.10
+	ENTRY_END
+	
+RANGE_END
+
+RANGE_BEGIN 0 100
+
+	ADDRESS 5.0.15.10
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.     IN      A       5.0.15.10
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			ns.example.com. IN AAAA
+		SECTION ANSWER
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain ednsdata
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com.	IN A	4.3.2.1
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+	ENTRY_END
+	
+RANGE_END
+
+;; ----------------------------------------
+
+STEP 1 QUERY
+
+	ENTRY_BEGIN
+		REPLY RD
+		SECTION QUESTION
+		www.example.com. IN A
+	ENTRY_END
+
+STEP 10 CHECK_ANSWER
+
+	ENTRY_BEGIN
+		MATCH all
+		REPLY QR RD RA NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com.	IN A	4.3.2.1
+		SECTION AUTHORITY
+		SECTION ADDITIONAL
+	ENTRY_END
+
+SCENARIO_END

testdata/subnet_val_positive.crpl

@@ -0,0 +1,184 @@
+; Test subnet option in combination with dnssec
+
+server:
+	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+	val-override-date: "20070916134226"
+	target-fetch-policy: "0 0 0 0 0"
+	send-client-subnet: 1.2.3.4
+	client-subnet-opcode: 20730
+	max-client-subnet-ipv4: 17
+	module-config: "subnetcache validator iterator"
+	verbosity: 3
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with positive response
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			com.	IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN NS
+		SECTION ANSWER
+			com.    IN NS   a.gtld-servers.net.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			a.gtld-servers.net.     IN      A       192.5.6.30
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.         IN      A       1.2.3.4
+			ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+	ENTRY_END
+
+	; response to DNSKEY priming query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN DNSKEY
+		SECTION ANSWER
+			example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+			example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	1.2.3.4
+			ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+	ENTRY_END
+
+	; response to query of interest
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com. IN A	10.20.30.40
+			ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+							; client is 127.0.0.1
+				50 fa 		; OPC
+				00 07 		; option length
+				00 01 		; Family
+				11 00 		; source mask, scopemask
+				7f 00 00 	; address
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	1.2.3.4
+			www.example.com.        3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
+	ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+	REPLY RD DO
+	SECTION QUESTION
+		www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ednsdata
+	REPLY QR RD RA AD NOERROR
+	SECTION QUESTION
+		www.example.com. IN A
+	SECTION ANSWER
+		www.example.com. IN A	10.20.30.40
+		www.example.com.        3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+		example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+	SECTION ADDITIONAL
+		HEX_EDNSDATA_BEGIN
+			;; we expect to receive empty
+		HEX_EDNSDATA_END
+		ns.example.com.		IN 	A	1.2.3.4
+		ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
+ENTRY_END
+
+SCENARIO_END

testdata/subnet_val_positive_client.crpl

@@ -0,0 +1,195 @@
+; Test subnet option in combination with dnssec
+; Client asks for subnet data
+
+server:
+	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+	val-override-date: "20070916134226"
+	target-fetch-policy: "0 0 0 0 0"
+	send-client-subnet: 1.2.3.4
+	client-subnet-opcode: 20730
+	max-client-subnet-ipv4: 17
+	module-config: "subnetcache validator iterator"
+	verbosity: 3
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with positive response
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			com.	IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN NS
+		SECTION ANSWER
+			com.    IN NS   a.gtld-servers.net.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			a.gtld-servers.net.     IN      A       192.5.6.30
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.         IN      A       1.2.3.4
+			ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+	ENTRY_END
+
+	; response to DNSKEY priming query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN DNSKEY
+		SECTION ANSWER
+			example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+			example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	1.2.3.4
+			ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+	ENTRY_END
+
+	; response to query of interest
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com. IN A	10.20.30.40
+			ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+			example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+							; client is 127.0.0.1
+				50 fa 		; OPC
+				00 07 		; option length
+				00 01 		; Family
+				11 00 		; source mask, scopemask
+				7f 00 00 	; address
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	1.2.3.4
+			www.example.com.        3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
+	ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+	HEX_ANSWER_BEGIN;
+		00 00 01 00 00 01 00 00		;ID 0
+		00 00 00 01 03 77 77 77		; www.example.com A? (DO)
+		07 65 78 61 6d 70 6c 65 
+		03 63 6f 6d 00 00 01 00
+		01 00 00 29 10 00 00 00 
+		80 00 00 0b
+		
+		50 fa 00 07					; OPC, optlen
+		00 01 11 00					; ip4, scope 17, source 0
+		7f 00 00   					;127.0.0.0/17
+	HEX_ANSWER_END
+ENTRY_END
+
+
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ednsdata
+	REPLY QR RD RA AD NOERROR
+	SECTION QUESTION
+		www.example.com. IN A
+	SECTION ANSWER
+		www.example.com. IN A	10.20.30.40
+		www.example.com.        3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+		example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+	SECTION ADDITIONAL
+		HEX_EDNSDATA_BEGIN
+						; client is 127.0.0.1
+			50 fa 		; OPC
+			00 07 		; option length
+			00 01 		; Family
+			11 00 		; source mask, scopemask
+			7f 00 00 	; address
+		HEX_EDNSDATA_END
+		ns.example.com.		IN 	A	1.2.3.4
+		ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
+ENTRY_END
+
+SCENARIO_END

testdata/subnet_without_validator.crpl

@@ -0,0 +1,161 @@
+server:
+	send-client-subnet: 5.0.15.10
+	client-subnet-opcode: 20730
+	max-client-subnet-ipv4: 21
+	verbosity: 3
+	module-config: "subnetcache iterator"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Works without validator module
+
+RANGE_BEGIN 0 100
+
+	ADDRESS 193.0.14.129 
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			a.gtld-servers.net. IN AAAA
+		SECTION AUTHORITY
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			com.	IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+	
+RANGE_END
+
+RANGE_BEGIN 0 100
+
+	ADDRESS 192.5.6.30
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain ednsdata
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	5.0.15.10
+	ENTRY_END
+	
+RANGE_END
+
+RANGE_BEGIN 0 100
+
+	ADDRESS 5.0.15.10
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.     IN      A       5.0.15.10
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			ns.example.com. IN AAAA
+		SECTION ANSWER
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode subdomain ednsdata
+		ADJUST copy_id copy_query
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com.	IN A	4.3.2.1
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+							; client is 127.0.0.1
+				50 fa 		; OPC
+				00 07 		; option length
+				00 01 		; Family
+				15 00 		; source mask, scopemask
+				7f 00 00 	; address
+			HEX_EDNSDATA_END
+	ENTRY_END
+	
+RANGE_END
+
+;; ----------------------------------------
+
+STEP 1 QUERY
+
+	ENTRY_BEGIN
+		REPLY RD
+		SECTION QUESTION
+		www.example.com. IN A
+	ENTRY_END
+
+STEP 10 CHECK_ANSWER
+
+	ENTRY_BEGIN
+		MATCH all
+		REPLY QR RD RA NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com.	IN A	4.3.2.1
+		SECTION AUTHORITY
+		SECTION ADDITIONAL
+	ENTRY_END
+
+SCENARIO_END

util/config_file.c

@@ -62,6 +62,9 @@
 #ifdef HAVE_GLOB_H
 # include <glob.h>
 #endif
+#ifdef CLIENT_SUBNET
+#include "edns-subnet/edns-subnet.h"
+#endif
 #ifdef HAVE_PWD_H
 #include <pwd.h>
 #endif
@@ -173,6 +176,12 @@ config_create(void)
 	cfg->out_ifs = NULL;
 	cfg->stubs = NULL;
 	cfg->forwards = NULL;
+#ifdef CLIENT_SUBNET
+	cfg->client_subnet = NULL;
+	cfg->client_subnet_opcode = 8;
+	cfg->max_client_subnet_ipv4 = 24;
+	cfg->max_client_subnet_ipv6 = 64;
+#endif
 	cfg->views = NULL;
 	cfg->acls = NULL;
 	cfg->harden_short_bufsize = 0;
@@ -238,7 +247,11 @@ config_create(void)
 	if(!(cfg->control_cert_file = strdup(RUN_DIR"/unbound_control.pem"))) 
 		goto error_exit;
 
+#ifdef CLIENT_SUBNET
+	if(!(cfg->module_conf = strdup("subnetcache validator iterator"))) goto error_exit;
+#else
 	if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit;
+#endif
 	if(!(cfg->val_nsec3_key_iterations = 
 		strdup("1024 150 2048 500 4096 2500"))) goto error_exit;
 #if defined(DNSTAP_SOCKET_PATH)
@@ -503,6 +516,12 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_STR("module-config:", module_conf)
 	else S_STR("python-script:", python_script)
 	else S_YNO("disable-dnssec-lame-check:", disable_dnssec_lame_check)
+#ifdef CLIENT_SUBNET
+	else S_STRLIST("send-client-subnet", client_subnet)
+	else S_NUMBER_OR_ZERO("max-client-subnet-ipv4:", max_client_subnet_ipv4)
+	else S_NUMBER_OR_ZERO("max-client-subnet-ipv6:", max_client_subnet_ipv6)
+	else S_NUMBER_OR_ZERO("client-subnet-opcode:", client_subnet_opcode)
+#endif
 	else if(strcmp(opt, "ip-ratelimit:") == 0) {
 	    IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val);
 	    infra_ip_ratelimit=cfg->ip_ratelimit;
@@ -818,6 +837,12 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_UNS(opt, "val-override-date", val_date_override)
 	else O_YNO(opt, "minimal-responses", minimal_responses)
 	else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin)
+#ifdef CLIENT_SUBNET
+	else O_LST(opt, "send-client-subnet", client_subnet)
+	else O_DEC(opt, "max-client-subnet-ipv4", max_client_subnet_ipv4)
+	else O_DEC(opt, "max-client-subnet-ipv6", max_client_subnet_ipv6)
+	else O_DEC(opt, "client-subnet-opcode", client_subnet_opcode)
+#endif
 	else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
 	else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
 	else O_DEC(opt, "max-udp-size", max_udp_size)
@@ -1100,6 +1125,9 @@ config_delete(struct config_file* cfg)
 	config_delviews(cfg->views);
 	config_delstrlist(cfg->donotqueryaddrs);
 	config_delstrlist(cfg->root_hints);
+#ifdef CLIENT_SUBNET
+	config_delstrlist(cfg->client_subnet);
+#endif
 	free(cfg->identity);
 	free(cfg->version);
 	free(cfg->module_conf);
@@ -1596,6 +1624,11 @@ config_apply(struct config_file* config)
 	MAX_NEG_TTL = (time_t)config->max_negative_ttl;
 	RTT_MIN_TIMEOUT = config->infra_cache_min_rtt;
 	EDNS_ADVERTISED_SIZE = (uint16_t)config->edns_buffer_size;
+#ifdef CLIENT_SUBNET
+	EDNSSUBNET_OPCODE = (uint16_t)config->client_subnet_opcode;
+	EDNSSUBNET_MAX_SUBNET_IP4 = (uint8_t)config->max_client_subnet_ipv4;
+	EDNSSUBNET_MAX_SUBNET_IP6 = (uint8_t)config->max_client_subnet_ipv6;
+#endif
 	MINIMAL_RESPONSES = config->minimal_responses;
 	RRSET_ROUNDROBIN = config->rrset_roundrobin;
 	log_set_time_asc(config->log_time_ascii);

util/config_file.h

@@ -172,6 +172,16 @@ struct config_file {
 	struct config_view* views;
 	/** list of donotquery addresses, linked list */
 	struct config_strlist* donotqueryaddrs;
+#ifdef CLIENT_SUBNET
+	/** list of servers we send edns-client-subnet option to and 
+	 * accept option from, linked list */
+	struct config_strlist* client_subnet;
+	/** opcode assigned by IANA for edns0-client-subnet option */
+	int client_subnet_opcode;
+	/** Subnet length we are willing to give up privacy for */
+	int max_client_subnet_ipv4;
+	int max_client_subnet_ipv6;
+#endif
 	/** list of access control entries, linked list */
 	struct config_str2list* acls;
 	/** use default localhost donotqueryaddr entries */

util/configlexer.lex

@@ -300,6 +300,10 @@ view-first{COLON}		{ YDVAR(1, VAR_VIEW_FIRST) }
 do-not-query-address{COLON}	{ YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) }
 do-not-query-localhost{COLON}	{ YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) }
 access-control{COLON}		{ YDVAR(2, VAR_ACCESS_CONTROL) }
+send-client-subnet{COLON}	{ YDVAR(1, VAR_SEND_CLIENT_SUBNET) }
+client-subnet-opcode{COLON}	{ YDVAR(1, VAR_CLIENT_SUBNET_OPCODE) }
+max-client-subnet-ipv4{COLON}	{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV4) }
+max-client-subnet-ipv6{COLON}	{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV6) }
 hide-identity{COLON}		{ YDVAR(1, VAR_HIDE_IDENTITY) }
 hide-version{COLON}		{ YDVAR(1, VAR_HIDE_VERSION) }
 hide-trustanchor{COLON}		{ YDVAR(1, VAR_HIDE_TRUSTANCHOR) }

util/configparser.h

@@ -216,35 +216,39 @@ extern int yydebug;
     VAR_RATELIMIT_BELOW_DOMAIN = 426,
     VAR_IP_RATELIMIT_FACTOR = 427,
     VAR_RATELIMIT_FACTOR = 428,
-    VAR_CAPS_WHITELIST = 429,
-    VAR_CACHE_MAX_NEGATIVE_TTL = 430,
-    VAR_PERMIT_SMALL_HOLDDOWN = 431,
-    VAR_QNAME_MINIMISATION = 432,
-    VAR_QNAME_MINIMISATION_STRICT = 433,
-    VAR_IP_FREEBIND = 434,
-    VAR_DEFINE_TAG = 435,
-    VAR_LOCAL_ZONE_TAG = 436,
-    VAR_ACCESS_CONTROL_TAG = 437,
-    VAR_LOCAL_ZONE_OVERRIDE = 438,
-    VAR_ACCESS_CONTROL_TAG_ACTION = 439,
-    VAR_ACCESS_CONTROL_TAG_DATA = 440,
-    VAR_VIEW = 441,
-    VAR_ACCESS_CONTROL_VIEW = 442,
-    VAR_VIEW_FIRST = 443,
-    VAR_SERVE_EXPIRED = 444,
-    VAR_FAKE_DSA = 445,
-    VAR_FAKE_SHA1 = 446,
-    VAR_LOG_IDENTITY = 447,
-    VAR_HIDE_TRUSTANCHOR = 448,
-    VAR_USE_SYSTEMD = 449,
-    VAR_SHM_ENABLE = 450,
-    VAR_SHM_KEY = 451,
-    VAR_DNSCRYPT = 452,
-    VAR_DNSCRYPT_ENABLE = 453,
-    VAR_DNSCRYPT_PORT = 454,
-    VAR_DNSCRYPT_PROVIDER = 455,
-    VAR_DNSCRYPT_SECRET_KEY = 456,
-    VAR_DNSCRYPT_PROVIDER_CERT = 457
+    VAR_SEND_CLIENT_SUBNET = 429,
+    VAR_CLIENT_SUBNET_OPCODE = 430,
+    VAR_MAX_CLIENT_SUBNET_IPV4 = 431,
+    VAR_MAX_CLIENT_SUBNET_IPV6 = 432,
+    VAR_CAPS_WHITELIST = 433,
+    VAR_CACHE_MAX_NEGATIVE_TTL = 434,
+    VAR_PERMIT_SMALL_HOLDDOWN = 435,
+    VAR_QNAME_MINIMISATION = 436,
+    VAR_QNAME_MINIMISATION_STRICT = 437,
+    VAR_IP_FREEBIND = 438,
+    VAR_DEFINE_TAG = 439,
+    VAR_LOCAL_ZONE_TAG = 440,
+    VAR_ACCESS_CONTROL_TAG = 441,
+    VAR_LOCAL_ZONE_OVERRIDE = 442,
+    VAR_ACCESS_CONTROL_TAG_ACTION = 443,
+    VAR_ACCESS_CONTROL_TAG_DATA = 444,
+    VAR_VIEW = 445,
+    VAR_ACCESS_CONTROL_VIEW = 446,
+    VAR_VIEW_FIRST = 447,
+    VAR_SERVE_EXPIRED = 448,
+    VAR_FAKE_DSA = 449,
+    VAR_FAKE_SHA1 = 450,
+    VAR_LOG_IDENTITY = 451,
+    VAR_HIDE_TRUSTANCHOR = 452,
+    VAR_USE_SYSTEMD = 453,
+    VAR_SHM_ENABLE = 454,
+    VAR_SHM_KEY = 455,
+    VAR_DNSCRYPT = 456,
+    VAR_DNSCRYPT_ENABLE = 457,
+    VAR_DNSCRYPT_PORT = 458,
+    VAR_DNSCRYPT_PROVIDER = 459,
+    VAR_DNSCRYPT_SECRET_KEY = 460,
+    VAR_DNSCRYPT_PROVIDER_CERT = 461
   };
 #endif
 /* Tokens.  */
@@ -419,35 +423,39 @@ extern int yydebug;
 #define VAR_RATELIMIT_BELOW_DOMAIN 426
 #define VAR_IP_RATELIMIT_FACTOR 427
 #define VAR_RATELIMIT_FACTOR 428
-#define VAR_CAPS_WHITELIST 429
-#define VAR_CACHE_MAX_NEGATIVE_TTL 430
-#define VAR_PERMIT_SMALL_HOLDDOWN 431
-#define VAR_QNAME_MINIMISATION 432
-#define VAR_QNAME_MINIMISATION_STRICT 433
-#define VAR_IP_FREEBIND 434
-#define VAR_DEFINE_TAG 435
-#define VAR_LOCAL_ZONE_TAG 436
-#define VAR_ACCESS_CONTROL_TAG 437
-#define VAR_LOCAL_ZONE_OVERRIDE 438
-#define VAR_ACCESS_CONTROL_TAG_ACTION 439
-#define VAR_ACCESS_CONTROL_TAG_DATA 440
-#define VAR_VIEW 441
-#define VAR_ACCESS_CONTROL_VIEW 442
-#define VAR_VIEW_FIRST 443
-#define VAR_SERVE_EXPIRED 444
-#define VAR_FAKE_DSA 445
-#define VAR_FAKE_SHA1 446
-#define VAR_LOG_IDENTITY 447
-#define VAR_HIDE_TRUSTANCHOR 448
-#define VAR_USE_SYSTEMD 449
-#define VAR_SHM_ENABLE 450
-#define VAR_SHM_KEY 451
-#define VAR_DNSCRYPT 452
-#define VAR_DNSCRYPT_ENABLE 453
-#define VAR_DNSCRYPT_PORT 454
-#define VAR_DNSCRYPT_PROVIDER 455
-#define VAR_DNSCRYPT_SECRET_KEY 456
-#define VAR_DNSCRYPT_PROVIDER_CERT 457
+#define VAR_SEND_CLIENT_SUBNET 429
+#define VAR_CLIENT_SUBNET_OPCODE 430
+#define VAR_MAX_CLIENT_SUBNET_IPV4 431
+#define VAR_MAX_CLIENT_SUBNET_IPV6 432
+#define VAR_CAPS_WHITELIST 433
+#define VAR_CACHE_MAX_NEGATIVE_TTL 434
+#define VAR_PERMIT_SMALL_HOLDDOWN 435
+#define VAR_QNAME_MINIMISATION 436
+#define VAR_QNAME_MINIMISATION_STRICT 437
+#define VAR_IP_FREEBIND 438
+#define VAR_DEFINE_TAG 439
+#define VAR_LOCAL_ZONE_TAG 440
+#define VAR_ACCESS_CONTROL_TAG 441
+#define VAR_LOCAL_ZONE_OVERRIDE 442
+#define VAR_ACCESS_CONTROL_TAG_ACTION 443
+#define VAR_ACCESS_CONTROL_TAG_DATA 444
+#define VAR_VIEW 445
+#define VAR_ACCESS_CONTROL_VIEW 446
+#define VAR_VIEW_FIRST 447
+#define VAR_SERVE_EXPIRED 448
+#define VAR_FAKE_DSA 449
+#define VAR_FAKE_SHA1 450
+#define VAR_LOG_IDENTITY 451
+#define VAR_HIDE_TRUSTANCHOR 452
+#define VAR_USE_SYSTEMD 453
+#define VAR_SHM_ENABLE 454
+#define VAR_SHM_KEY 455
+#define VAR_DNSCRYPT 456
+#define VAR_DNSCRYPT_ENABLE 457
+#define VAR_DNSCRYPT_PORT 458
+#define VAR_DNSCRYPT_PROVIDER 459
+#define VAR_DNSCRYPT_SECRET_KEY 460
+#define VAR_DNSCRYPT_PROVIDER_CERT 461
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -458,7 +466,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 462 "util/configparser.h" /* yacc.c:1909  */
+#line 470 "util/configparser.h" /* yacc.c:1909  */
 };
 
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -131,6 +131,8 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
 %token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN
 %token VAR_IP_RATELIMIT_FACTOR VAR_RATELIMIT_FACTOR
+%token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_OPCODE
+%token VAR_MAX_CLIENT_SUBNET_IPV4 VAR_MAX_CLIENT_SUBNET_IPV6
 %token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
 %token VAR_QNAME_MINIMISATION VAR_QNAME_MINIMISATION_STRICT VAR_IP_FREEBIND
 %token VAR_DEFINE_TAG VAR_LOCAL_ZONE_TAG VAR_ACCESS_CONTROL_TAG
@@ -212,6 +214,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_ratelimit_for_domain |
 	server_ratelimit_below_domain | server_ratelimit_factor |
 	server_ip_ratelimit_factor |
+	server_send_client_subnet | server_client_subnet_opcode |
+	server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 |
 	server_caps_whitelist | server_cache_max_negative_ttl |
 	server_permit_small_holddown | server_qname_minimisation |
 	server_ip_freebind | server_define_tag | server_local_zone_tag |
@@ -353,6 +357,66 @@ server_port: VAR_PORT STRING_ARG
 		free($2);
 	}
 	;
+server_send_client_subnet: VAR_SEND_CLIENT_SUBNET STRING_ARG
+	{
+	#ifdef CLIENT_SUBNET
+		OUTYY(("P(server_send_client_subnet:%s)\n", $2));
+		if(!cfg_strlist_insert(&cfg_parser->cfg->client_subnet, $2))
+			fatal_exit("out of memory adding client-subnet");
+	#else
+		OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
+	#endif
+	}
+	;
+server_client_subnet_opcode: VAR_CLIENT_SUBNET_OPCODE STRING_ARG
+	{
+	#ifdef CLIENT_SUBNET
+		OUTYY(("P(client_subnet_opcode:%s)\n", $2));
+		if(atoi($2) == 0 && strcmp($2, "0") != 0)
+			yyerror("option code expected");
+		else if(atoi($2) > 65535 || atoi($2) < 0)
+			yyerror("option code must be in interval [0, 65535]");
+		else cfg_parser->cfg->client_subnet_opcode = atoi($2);
+	#else
+		OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
+	#endif
+		free($2);
+	}
+	;
+server_max_client_subnet_ipv4: VAR_MAX_CLIENT_SUBNET_IPV4 STRING_ARG
+	{
+	#ifdef CLIENT_SUBNET
+		OUTYY(("P(max_client_subnet_ipv4:%s)\n", $2));
+		if(atoi($2) == 0 && strcmp($2, "0") != 0)
+			yyerror("IPv4 subnet length expected");
+		else if (atoi($2) > 32)
+			cfg_parser->cfg->max_client_subnet_ipv4 = 32;
+		else if (atoi($2) < 0)
+			cfg_parser->cfg->max_client_subnet_ipv4 = 0;
+		else cfg_parser->cfg->max_client_subnet_ipv4 = atoi($2);
+	#else
+		OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
+	#endif
+		free($2);
+	}
+	;
+server_max_client_subnet_ipv6: VAR_MAX_CLIENT_SUBNET_IPV6 STRING_ARG
+	{
+	#ifdef CLIENT_SUBNET
+		OUTYY(("P(max_client_subnet_ipv6:%s)\n", $2));
+		if(atoi($2) == 0 && strcmp($2, "0") != 0)
+			yyerror("Ipv6 subnet length expected");
+		else if (atoi($2) > 128)
+			cfg_parser->cfg->max_client_subnet_ipv6 = 128;
+		else if (atoi($2) < 0)
+			cfg_parser->cfg->max_client_subnet_ipv6 = 0;
+		else cfg_parser->cfg->max_client_subnet_ipv6 = atoi($2);
+	#else
+		OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
+	#endif
+		free($2);
+	}
+	;
 server_interface: VAR_INTERFACE STRING_ARG
 	{
 		OUTYY(("P(server_interface:%s)\n", $2));

util/data/msgreply.c

@@ -1057,6 +1057,18 @@ int inplace_cb_query_call(struct module_env* env, struct query_info* qinfo,
 	return 1;
 }
 
+int inplace_cb_edns_back_parsed_call(struct module_env* env, 
+	struct module_qstate* qstate)
+{
+	struct inplace_cb_edns_back_parsed* cb =
+		env->inplace_cb_lists[inplace_cb_edns_back_parsed];
+	for(; cb; cb=cb->next) {
+		fptr_ok(fptr_whitelist_inplace_cb_edns_back_parsed(cb->cb));
+		(void)(*cb->cb)(qstate, cb->cb_arg);
+	}
+	return 1;
+}
+
 struct edns_option* edns_opt_copy_region(struct edns_option* list,
         struct regional* region)
 {

util/data/msgreply.h

@@ -52,6 +52,7 @@ struct edns_data;
 struct edns_option;
 struct inplace_cb_reply;
 struct inplace_cb_query;
+struct inplace_cb_edns_back_parsed;
 struct module_qstate;
 struct module_env;
 struct msg_parse;
@@ -622,6 +623,17 @@ int inplace_cb_query_call(struct module_env* env, struct query_info* qinfo,
 	uint8_t* zone, size_t zonelen, struct module_qstate* qstate,
 	struct regional* region);
 
+/**
+ * Call the registered functions in the inplace_cb_edns_back_parsed linked list.
+ * This function is going to get called after receiving a reply from a
+ * nameserver.
+ * @param env: module environment.
+ * @param qstate: module qstate.
+ * @return false on failure (a callback function returned an error).
+ */
+int inplace_cb_edns_back_parsed_call(struct module_env* env, 
+	struct module_qstate* qstate);
+
 /**
  * Copy edns option list allocated to the new region
  */

util/fptr_wlist.c

@@ -83,6 +83,9 @@
 #ifdef USE_CACHEDB
 #include "cachedb/cachedb.h"
 #endif
+#ifdef CLIENT_SUBNET
+#include "edns-subnet/subnetmod.h"
+#endif
 
 int 
 fptr_whitelist_comm_point(comm_point_callback_type *fptr)
@@ -219,6 +222,9 @@ fptr_whitelist_hash_sizefunc(lruhash_sizefunc_type fptr)
 	else if(fptr == &rate_sizefunc) return 1;
 	else if(fptr == &ip_rate_sizefunc) return 1;
 	else if(fptr == &test_slabhash_sizefunc) return 1;
+#ifdef CLIENT_SUBNET
+	else if(fptr == &msg_cache_sizefunc) return 1;
+#endif
 	return 0;
 }
 
@@ -257,6 +263,9 @@ fptr_whitelist_hash_deldatafunc(lruhash_deldatafunc_type fptr)
 	else if(fptr == &key_entry_deldatafunc) return 1;
 	else if(fptr == &rate_deldatafunc) return 1;
 	else if(fptr == &test_slabhash_deldata) return 1;
+#ifdef CLIENT_SUBNET
+	else if(fptr == &subnet_data_delete) return 1;
+#endif
 	return 0;
 }
 
@@ -325,6 +334,9 @@ fptr_whitelist_mod_init(int (*fptr)(struct module_env* env, int id))
 #endif
 #ifdef USE_CACHEDB
 	else if(fptr == &cachedb_init) return 1;
+#endif
+#ifdef CLIENT_SUBNET
+	else if(fptr == &subnetmod_init) return 1;
 #endif
 	return 0;
 }
@@ -341,6 +353,9 @@ fptr_whitelist_mod_deinit(void (*fptr)(struct module_env* env, int id))
 #endif
 #ifdef USE_CACHEDB
 	else if(fptr == &cachedb_deinit) return 1;
+#endif
+#ifdef CLIENT_SUBNET
+	else if(fptr == &subnetmod_deinit) return 1;
 #endif
 	return 0;
 }
@@ -358,6 +373,9 @@ fptr_whitelist_mod_operate(void (*fptr)(struct module_qstate* qstate,
 #endif
 #ifdef USE_CACHEDB
 	else if(fptr == &cachedb_operate) return 1;
+#endif
+#ifdef CLIENT_SUBNET
+	else if(fptr == &subnetmod_operate) return 1;
 #endif
 	return 0;
 }
@@ -375,6 +393,9 @@ fptr_whitelist_mod_inform_super(void (*fptr)(
 #endif
 #ifdef USE_CACHEDB
 	else if(fptr == &cachedb_inform_super) return 1;
+#endif
+#ifdef CLIENT_SUBNET
+	else if(fptr == &subnetmod_inform_super) return 1;
 #endif
 	return 0;
 }
@@ -392,6 +413,9 @@ fptr_whitelist_mod_clear(void (*fptr)(struct module_qstate* qstate,
 #endif
 #ifdef USE_CACHEDB
 	else if(fptr == &cachedb_clear) return 1;
+#endif
+#ifdef CLIENT_SUBNET
+	else if(fptr == &subnetmod_clear) return 1;
 #endif
 	return 0;
 }
@@ -408,6 +432,9 @@ fptr_whitelist_mod_get_mem(size_t (*fptr)(struct module_env* env, int id))
 #endif
 #ifdef USE_CACHEDB
 	else if(fptr == &cachedb_get_mem) return 1;
+#endif
+#ifdef CLIENT_SUBNET
+	else if(fptr == &subnetmod_get_mem) return 1;
 #endif
 	return 0;
 }
@@ -471,5 +498,19 @@ int fptr_whitelist_inplace_cb_reply_generic(inplace_cb_reply_func_type* fptr,
 
 int fptr_whitelist_inplace_cb_query(inplace_cb_query_func_type* ATTR_UNUSED(fptr))
 {
+#ifdef CLIENT_SUBNET
+	if(fptr == &ecs_whitelist_check)
+		return 1;
+#endif
+	return 0;
+}
+
+int fptr_whitelist_inplace_cb_edns_back_parsed(
+	inplace_cb_edns_back_parsed_func_type* ATTR_UNUSED(fptr))
+{
+#ifdef CLIENT_SUBNET
+	if(fptr == &ecs_edns_back_parsed)
+		return 1;
+#endif
 	return 0;
 }

util/fptr_wlist.h

@@ -351,6 +351,14 @@ int fptr_whitelist_inplace_cb_reply_generic(inplace_cb_reply_func_type* fptr,
  */
 int fptr_whitelist_inplace_cb_query(inplace_cb_query_func_type* fptr);
 
+/**
+ * Check function pointer whitelist for inplace_cb_edns_back_parsed func values.
+ * @param fptr: function pointer to check.
+ * @return false if not in whitelist.
+ */
+int fptr_whitelist_inplace_cb_edns_back_parsed(
+	inplace_cb_edns_back_parsed_func_type* fptr);
+
 /** Due to module breakage by fptr wlist, these test app declarations
  * are presented here */
 /** 

util/module.c

@@ -216,8 +216,8 @@ void inplace_cb_reply_servfail_delete(struct module_env* env)
 }
 
 int
-inplace_cb_query_register(inplace_cb_query_func_type* cb, void* cb_arg,
-	struct module_env* env)
+inplace_cb_query_register(inplace_cb_query_func_type* cb, void* cbarg,
+	size_t cbarg_len, struct module_env* env)
 {
 	struct inplace_cb_query* callback;
 	struct inplace_cb_query** prevp;
@@ -234,7 +234,15 @@ inplace_cb_query_register(inplace_cb_query_func_type* cb, void* cb_arg,
 	}
 	callback->next = NULL;
 	callback->cb = cb;
-    callback->cb_arg = cb_arg;
+	if(cbarg) {
+		if(!(callback->cb_arg = calloc(1, cbarg_len))){
+			log_err("out of memory during edns callback argument"
+				"registration.");
+			free(callback);
+			return 0;
+		}
+		memcpy(callback->cb_arg, cbarg, cbarg_len);
+	}
 	
 	prevp = (struct inplace_cb_query**)
 		&env->inplace_cb_lists[inplace_cb_query];
@@ -253,6 +261,7 @@ inplace_cb_query_delete(struct module_env* env)
 	/* delete list */
 	while(curr) {
 		tmp = curr->next;
+		free(curr->cb_arg);
 		free(curr);
 		curr = tmp;
 	}
@@ -260,6 +269,61 @@ inplace_cb_query_delete(struct module_env* env)
 	env->inplace_cb_lists[inplace_cb_query] = NULL;
 }
 
+int
+inplace_cb_edns_back_parsed_register(inplace_cb_edns_back_parsed_func_type* cb,
+	void* cbarg, size_t cbarg_len, struct module_env* env)
+{
+	struct inplace_cb_edns_back_parsed* callback;
+	struct inplace_cb_edns_back_parsed** prevp;
+	if(env->worker) {
+		log_err("invalid edns callback registration: "
+			"trying to register callback after module init phase");
+		return 0;
+	}
+
+	callback = (struct inplace_cb_edns_back_parsed*)calloc(1, sizeof(*callback));
+	if(callback == NULL) {
+		log_err("out of memory during edns callback registration.");
+		return 0;
+	}
+	callback->next = NULL;
+	callback->cb = cb;
+	if(cbarg) {
+		if(!(callback->cb_arg = calloc(1, cbarg_len))){
+			log_err("out of memory during edns callback argument"
+				"registration.");
+			free(callback);
+			return 0;
+		}
+		memcpy(callback->cb_arg, cbarg, cbarg_len);
+	}
+	
+	prevp = (struct inplace_cb_edns_back_parsed**)
+		&env->inplace_cb_lists[inplace_cb_edns_back_parsed];
+	/* append at end of list */
+	while(*prevp != NULL)
+		prevp = &((*prevp)->next);
+	*prevp = callback;
+	return 1;
+}
+
+void
+inplace_cb_edns_back_parsed_delete(struct module_env* env)
+{
+	struct inplace_cb_edns_back_parsed* curr =
+		env->inplace_cb_lists[inplace_cb_edns_back_parsed];
+	struct inplace_cb_edns_back_parsed* tmp;
+	/* delete list */
+	while(curr) {
+		tmp = curr->next;
+		free(curr->cb_arg);
+		free(curr);
+		curr = tmp;
+	}
+	/* update head pointer */
+	env->inplace_cb_lists[inplace_cb_edns_back_parsed] = NULL;
+}
+
 void
 inplace_cb_lists_delete(struct module_env* env)
 {
@@ -292,9 +356,11 @@ edns_bypass_cache_stage(struct edns_option* list, struct module_env* env)
 }
 
 int
-edns_unique_mesh_state(struct edns_option* list, struct module_env* env)
+unique_mesh_state(struct edns_option* list, struct module_env* env)
 {
 	size_t i;
+	if(env->unique_mesh)
+		return 1;
 	for(; list; list=list->next)
 		for(i=0; i<env->edns_known_options_num; i++)
 			if(env->edns_known_options[i].opt_code == list->opt_code &&

util/module.h

@@ -197,6 +197,8 @@ enum inplace_cb_list_type {
 	inplace_cb_reply_servfail,
 	/* Inplace callbacks for when a query is ready to be sent to the back.*/
 	inplace_cb_query,
+	/* Inplace callback for when a reply is received from the back. */
+	inplace_cb_edns_back_parsed,
 	/* Total number of types. Used for array initialization.
 	 * Should always be last. */
 	inplace_cb_types_total
@@ -290,6 +292,30 @@ struct inplace_cb_query {
 	void* cb_arg;
 };
 
+/**
+ * Inplace callback function called after receiving reply from back.
+ * Called as func(qstate, cb_args)
+ * Where:
+ *	qstate: the query state
+ *	cb_args: argument passed when registering callback.
+ */
+typedef int inplace_cb_edns_back_parsed_func_type(struct module_qstate* qstate, 
+	void* cb_args);
+
+/**
+ * Inplace callback list of registered routines to be called after receiving a
+ * reply from back.
+ */
+struct inplace_cb_edns_back_parsed {
+	/** next in list */
+	struct inplace_cb_edns_back_parsed* next;
+	/**
+	 * Inplace callback routine for cache stage response.
+	 * called as cb(qstate, cb_args);
+	 */
+	inplace_cb_edns_back_parsed_func_type* cb;
+	void* cb_arg;
+};
 /**
  * Module environment.
  * Services and data provided to the module.
@@ -454,6 +480,9 @@ struct module_env {
 	struct edns_known_option* edns_known_options;
 	/* Number of known edns options */
 	size_t edns_known_options_num;
+
+	/* Make every mesh state unique, do not aggregate mesh states. */
+	int unique_mesh;
 };
 
 /**
@@ -764,13 +793,15 @@ void inplace_cb_reply_servfail_delete(struct module_env* env);
 /**
  * Register an inplace callback function called before quering a nameserver.
  * @param cb: pointer to the callback function.
- * @param cb_arg: optional argument for the callback function.
+ * @param cbarg: optional argument for the callback function.
+ * @param cbarg_len: length of the argument for the callback function, 0 if
+ * empty.
  * @param env: the module environment.
  * @return true on success, false on failure (out of memory or trying to
  *	register after the environment is copied to the threads.)
  */
-int inplace_cb_query_register(inplace_cb_query_func_type* cb, void* cb_arg,
-	struct module_env* env);
+int inplace_cb_query_register(inplace_cb_query_func_type* cb, void* cbarg,
+	size_t cbarg_len, struct module_env* env);
 
 /**
  * Delete the inplace_cb_query callback linked list.
@@ -778,6 +809,26 @@ int inplace_cb_query_register(inplace_cb_query_func_type* cb, void* cb_arg,
  */
 void inplace_cb_query_delete(struct module_env* env);
 
+/**
+ * Register an inplace callback function called after receiving an reply from a
+ * namerserver.
+ * @param cb: pointer to the callback function.
+ * @param cbarg: optional argument for the callback function.
+ * @param cbarg_len: length of the argument for the callback function, 0 if
+ * empty.
+ * @param env: the module environment.
+ * @return true on success, false on failure (out of memory or trying to
+ *	register after the environment is copied to the threads.)
+ */
+int inplace_cb_edns_back_parsed_register(inplace_cb_edns_back_parsed_func_type* cb,
+	void* cbarg, size_t cbarg_len, struct module_env* env);
+
+/**
+ * Delete the inplace_cb_edns_back_parsed callback linked list.
+ * @param env: the module environment.
+ */
+void inplace_cb_edns_back_parsed_delete(struct module_env* env);
+
 /**
  * Delete all the inplace callback linked lists.
  * @param env: the module environment.
@@ -805,13 +856,14 @@ int edns_bypass_cache_stage(struct edns_option* list,
 	struct module_env* env);
 
 /**
- * Check if an edns option needs a unique mesh state.
+ * Check if an unique mesh state is required. Might be triggered by EDNS option
+ * or set for the complete env.
  * @param list: the edns options.
  * @param env: the module environment.
  * @return true if an edns option needs a unique mesh state,
  *	false otherwise.
  */
-int edns_unique_mesh_state(struct edns_option* list, struct module_env* env);
+int unique_mesh_state(struct edns_option* list, struct module_env* env);
 
 /**
  * Log the known edns options.