git: 790c6b245151 - main - unbound: Vendor import 1.16.2

From: Cy Schubert <cy_at_FreeBSD.org>
Date: Sat, 06 Aug 2022 01:47:23 UTC
The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=790c6b245151d6d5a26b84e5f34fee61453e2e60

commit 790c6b245151d6d5a26b84e5f34fee61453e2e60
Merge: 220818ac0307 9b76d32f2310
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-08-06 01:44:40 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-08-06 01:44:40 +0000

    unbound: Vendor import 1.16.2
    
    Security update to unbound.
    
    PR:             265645
    Security:       CVE-2022-30698, CVE-2022-30699
    Security:       bc43a578-14ec-11ed-856e-d4c9ef517024
    MFC after:      3 days
    
    Merge commit '9b76d32f2310b735dbeb896cbf2776cad61f23e8' into main

 contrib/unbound/SECURITY.md                        |  31 ++
 contrib/unbound/cachedb/cachedb.c                  |   2 +-
 contrib/unbound/configure                          |  25 +-
 contrib/unbound/configure.ac                       |   5 +-
 contrib/unbound/daemon/cachedump.c                 |   5 +-
 contrib/unbound/daemon/worker.c                    |   2 +-
 contrib/unbound/dns64/dns64.c                      |   4 +-
 contrib/unbound/doc/Changelog                      |  30 +-
 contrib/unbound/doc/README                         |   2 +-
 contrib/unbound/doc/example.conf.in                |   8 +-
 contrib/unbound/doc/libunbound.3.in                |   4 +-
 contrib/unbound/doc/unbound-anchor.8.in            |   2 +-
 contrib/unbound/doc/unbound-checkconf.8.in         |   2 +-
 contrib/unbound/doc/unbound-control.8.in           |   2 +-
 contrib/unbound/doc/unbound-host.1.in              |   2 +-
 contrib/unbound/doc/unbound.8.in                   |   4 +-
 contrib/unbound/doc/unbound.conf.5.in              |  15 +-
 contrib/unbound/ipsecmod/ipsecmod.c                |   2 +-
 contrib/unbound/iterator/iter_utils.c              |   6 +-
 contrib/unbound/iterator/iter_utils.h              |   3 +-
 contrib/unbound/iterator/iterator.c                |  23 +-
 contrib/unbound/iterator/iterator.h                |  12 +-
 contrib/unbound/services/authzone.c                |   1 -
 contrib/unbound/services/cache/dns.c               | 111 +++++-
 contrib/unbound/services/cache/dns.h               |  18 +-
 contrib/unbound/services/cache/infra.c             |   6 +-
 contrib/unbound/services/listen_dnsport.c          |  17 +-
 contrib/unbound/services/mesh.c                    |   1 +
 contrib/unbound/sldns/rrdef.c                      |   4 +-
 contrib/unbound/sldns/wire2str.c                   |   2 +-
 contrib/unbound/testdata/iter_ghost_sub.rpl        | 309 ++++++++++++++++
 contrib/unbound/testdata/iter_ghost_timewindow.rpl | 391 +++++++++++++++++++++
 contrib/unbound/util/config_file.c                 |  15 +-
 contrib/unbound/util/config_file.h                 |   4 +-
 contrib/unbound/util/configlexer.lex               |   1 +
 contrib/unbound/util/configparser.y                |  13 +-
 contrib/unbound/util/data/msgreply.c               |   2 +-
 contrib/unbound/util/iana_ports.inc                |   1 +
 contrib/unbound/util/module.h                      |   6 +
 contrib/unbound/util/rtt.c                         |   3 +
 contrib/unbound/util/rtt.h                         |   2 +-
 contrib/unbound/validator/val_utils.c              |   1 -
 contrib/unbound/validator/validator.c              |   7 +-
 43 files changed, 1015 insertions(+), 91 deletions(-)

diff --cc contrib/unbound/SECURITY.md
index 000000000000,5770ccd79918..5770ccd79918
mode 000000,100644..100644
--- a/contrib/unbound/SECURITY.md
+++ b/contrib/unbound/SECURITY.md
diff --cc contrib/unbound/testdata/iter_ghost_sub.rpl
index 000000000000,ccd6b29842e4..ccd6b29842e4
mode 000000,100644..100644
--- a/contrib/unbound/testdata/iter_ghost_sub.rpl
+++ b/contrib/unbound/testdata/iter_ghost_sub.rpl
diff --cc contrib/unbound/testdata/iter_ghost_timewindow.rpl
index 000000000000,566be82a9cf8..566be82a9cf8
mode 000000,100644..100644
--- a/contrib/unbound/testdata/iter_ghost_timewindow.rpl
+++ b/contrib/unbound/testdata/iter_ghost_timewindow.rpl
diff --cc contrib/unbound/util/config_file.c
index 363af3c2c5a9,000000000000..976cb976f48e
mode 100644,000000..100644
--- a/contrib/unbound/util/config_file.c
+++ b/contrib/unbound/util/config_file.c
@@@ -1,2600 -1,0 +1,2611 @@@
 +/*
 + * util/config_file.c - reads and stores the config file for unbound.
 + *
 + * Copyright (c) 2007, NLnet Labs. All rights reserved.
 + *
 + * This software is open source.
 + * 
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions
 + * are met:
 + * 
 + * Redistributions of source code must retain the above copyright notice,
 + * this list of conditions and the following disclaimer.
 + * 
 + * Redistributions in binary form must reproduce the above copyright notice,
 + * this list of conditions and the following disclaimer in the documentation
 + * and/or other materials provided with the distribution.
 + * 
 + * Neither the name of the NLNET LABS nor the names of its contributors may
 + * be used to endorse or promote products derived from this software without
 + * specific prior written permission.
 + * 
 + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 + */
 +
 +/**
 + * \file
 + *
 + * This file contains functions for the config file.
 + */
 +
 +#include "config.h"
 +#include <ctype.h>
 +#include <stdarg.h>
 +#ifdef HAVE_TIME_H
 +#include <time.h>
 +#endif
 +#include "util/log.h"
 +#include "util/configyyrename.h"
 +#include "util/config_file.h"
 +#include "configparser.h"
 +#include "util/net_help.h"
 +#include "util/data/msgparse.h"
 +#include "util/module.h"
 +#include "util/regional.h"
 +#include "util/fptr_wlist.h"
 +#include "util/data/dname.h"
 +#include "util/rtt.h"
 +#include "services/cache/infra.h"
 +#include "sldns/wire2str.h"
 +#include "sldns/parseutil.h"
 +#include "iterator/iterator.h"
 +#ifdef HAVE_GLOB_H
 +# include <glob.h>
 +#endif
 +#ifdef CLIENT_SUBNET
 +#include "edns-subnet/edns-subnet.h"
 +#endif
 +#ifdef HAVE_PWD_H
 +#include <pwd.h>
 +#endif
 +
 +/** from cfg username, after daemonize setup performed */
 +uid_t cfg_uid = (uid_t)-1;
 +/** from cfg username, after daemonize setup performed */
 +gid_t cfg_gid = (gid_t)-1;
 +/** for debug allow small timeout values for fast rollovers */
 +int autr_permit_small_holddown = 0;
 +/** size (in bytes) of stream wait buffers max */
 +size_t stream_wait_max = 4 * 1024 * 1024;
 +size_t http2_query_buffer_max = 4 * 1024 * 1024;
 +size_t http2_response_buffer_max = 4 * 1024 * 1024;
 +
 +/** global config during parsing */
 +struct config_parser_state* cfg_parser = 0;
 +
 +/** init ports possible for use */
 +static void init_outgoing_availports(int* array, int num);
 +
 +struct config_file* 
 +config_create(void)
 +{
 +	struct config_file* cfg;
 +	cfg = (struct config_file*)calloc(1, sizeof(struct config_file));
 +	if(!cfg)
 +		return NULL;
 +	/* the defaults if no config is present */
 +	cfg->verbosity = 1;
 +	cfg->stat_interval = 0;
 +	cfg->stat_cumulative = 0;
 +	cfg->stat_extended = 0;
 +	cfg->num_threads = 1;
 +	cfg->port = UNBOUND_DNS_PORT;
 +	cfg->do_ip4 = 1;
 +	cfg->do_ip6 = 1;
 +	cfg->do_udp = 1;
 +	cfg->do_tcp = 1;
 +	cfg->tcp_reuse_timeout = 60 * 1000; /* 60s in milisecs */
 +	cfg->max_reuse_tcp_queries = 200;
 +	cfg->tcp_upstream = 0;
 +	cfg->udp_upstream_without_downstream = 0;
 +	cfg->tcp_mss = 0;
 +	cfg->outgoing_tcp_mss = 0;
 +	cfg->tcp_idle_timeout = 30 * 1000; /* 30s in millisecs */
 +	cfg->tcp_auth_query_timeout = 3 * 1000; /* 3s in millisecs */
 +	cfg->do_tcp_keepalive = 0;
 +	cfg->tcp_keepalive_timeout = 120 * 1000; /* 120s in millisecs */
 +	cfg->ssl_service_key = NULL;
 +	cfg->ssl_service_pem = NULL;
 +	cfg->ssl_port = UNBOUND_DNS_OVER_TLS_PORT;
 +	cfg->ssl_upstream = 0;
 +	cfg->tls_cert_bundle = NULL;
 +	cfg->tls_win_cert = 0;
 +	cfg->tls_use_sni = 1;
 +	cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT;
 +	if(!(cfg->http_endpoint = strdup("/dns-query"))) goto error_exit;
 +	cfg->http_max_streams = 100;
 +	cfg->http_query_buffer_size = 4*1024*1024;
 +	cfg->http_response_buffer_size = 4*1024*1024;
 +	cfg->http_nodelay = 1;
 +	cfg->use_syslog = 1;
 +	cfg->log_identity = NULL; /* changed later with argv[0] */
 +	cfg->log_time_ascii = 0;
 +	cfg->log_queries = 0;
 +	cfg->log_replies = 0;
 +	cfg->log_tag_queryreply = 0;
 +	cfg->log_local_actions = 0;
 +	cfg->log_servfail = 0;
 +#ifndef USE_WINSOCK
 +#  ifdef USE_MINI_EVENT
 +	/* select max 1024 sockets */
 +	cfg->outgoing_num_ports = 960;
 +	cfg->num_queries_per_thread = 512;
 +#  else
 +	/* libevent can use many sockets */
 +	cfg->outgoing_num_ports = 4096;
 +	cfg->num_queries_per_thread = 1024;
 +#  endif
 +	cfg->outgoing_num_tcp = 10;
 +	cfg->incoming_num_tcp = 10;
 +#else
 +	cfg->outgoing_num_ports = 48; /* windows is limited in num fds */
 +	cfg->num_queries_per_thread = 24;
 +	cfg->outgoing_num_tcp = 2; /* leaves 64-52=12 for: 4if,1stop,thread4 */
 +	cfg->incoming_num_tcp = 2; 
 +#endif
 +	cfg->stream_wait_size = 4 * 1024 * 1024;
 +	cfg->edns_buffer_size = 1232; /* from DNS flagday recommendation */
 +	cfg->msg_buffer_size = 65552; /* 64 k + a small margin */
 +	cfg->msg_cache_size = 4 * 1024 * 1024;
 +	cfg->msg_cache_slabs = 4;
 +	cfg->jostle_time = 200;
 +	cfg->rrset_cache_size = 4 * 1024 * 1024;
 +	cfg->rrset_cache_slabs = 4;
 +	cfg->host_ttl = 900;
 +	cfg->bogus_ttl = 60;
 +	cfg->min_ttl = 0;
 +	cfg->max_ttl = 3600 * 24;
 +	cfg->max_negative_ttl = 3600;
 +	cfg->prefetch = 0;
 +	cfg->prefetch_key = 0;
 +	cfg->deny_any = 0;
 +	cfg->infra_cache_slabs = 4;
 +	cfg->infra_cache_numhosts = 10000;
 +	cfg->infra_cache_min_rtt = 50;
++	cfg->infra_cache_max_rtt = 120000;
 +	cfg->infra_keep_probing = 0;
 +	cfg->delay_close = 0;
 +	cfg->udp_connect = 1;
 +	if(!(cfg->outgoing_avail_ports = (int*)calloc(65536, sizeof(int))))
 +		goto error_exit;
 +	init_outgoing_availports(cfg->outgoing_avail_ports, 65536);
 +	if(!(cfg->username = strdup(UB_USERNAME))) goto error_exit;
 +#ifdef HAVE_CHROOT
 +	if(!(cfg->chrootdir = strdup(CHROOT_DIR))) goto error_exit;
 +#endif
 +	if(!(cfg->directory = strdup(RUN_DIR))) goto error_exit;
 +	if(!(cfg->logfile = strdup(""))) goto error_exit;
 +	if(!(cfg->pidfile = strdup(PIDFILE))) goto error_exit;
 +	if(!(cfg->target_fetch_policy = strdup("3 2 1 0 0"))) goto error_exit;
 +	cfg->fast_server_permil = 0;
 +	cfg->fast_server_num = 3;
 +	cfg->donotqueryaddrs = NULL;
 +	cfg->donotquery_localhost = 1;
 +	cfg->root_hints = NULL;
 +	cfg->use_systemd = 0;
 +	cfg->do_daemonize = 1;
 +	cfg->if_automatic = 0;
 +	cfg->if_automatic_ports = NULL;
 +	cfg->so_rcvbuf = 0;
 +	cfg->so_sndbuf = 0;
 +	cfg->so_reuseport = REUSEPORT_DEFAULT;
 +	cfg->ip_transparent = 0;
 +	cfg->ip_freebind = 0;
 +	cfg->ip_dscp = 0;
 +	cfg->num_ifs = 0;
 +	cfg->ifs = NULL;
 +	cfg->num_out_ifs = 0;
 +	cfg->out_ifs = NULL;
 +	cfg->stubs = NULL;
 +	cfg->forwards = NULL;
 +	cfg->auths = NULL;
 +#ifdef CLIENT_SUBNET
 +	cfg->client_subnet = NULL;
 +	cfg->client_subnet_zone = NULL;
 +	cfg->client_subnet_opcode = LDNS_EDNS_CLIENT_SUBNET;
 +	cfg->client_subnet_always_forward = 0;
 +	cfg->max_client_subnet_ipv4 = 24;
 +	cfg->max_client_subnet_ipv6 = 56;
 +	cfg->min_client_subnet_ipv4 = 0;
 +	cfg->min_client_subnet_ipv6 = 0;
 +	cfg->max_ecs_tree_size_ipv4 = 100;
 +	cfg->max_ecs_tree_size_ipv6 = 100;
 +#endif
 +	cfg->views = NULL;
 +	cfg->acls = NULL;
 +	cfg->tcp_connection_limits = NULL;
 +	cfg->harden_short_bufsize = 1;
 +	cfg->harden_large_queries = 0;
 +	cfg->harden_glue = 1;
 +	cfg->harden_dnssec_stripped = 1;
 +	cfg->harden_below_nxdomain = 1;
 +	cfg->harden_referral_path = 0;
 +	cfg->harden_algo_downgrade = 0;
 +	cfg->use_caps_bits_for_id = 0;
 +	cfg->caps_whitelist = NULL;
 +	cfg->private_address = NULL;
 +	cfg->private_domain = NULL;
 +	cfg->unwanted_threshold = 0;
 +	cfg->hide_identity = 0;
 +	cfg->hide_version = 0;
 +	cfg->hide_trustanchor = 0;
 +	cfg->hide_http_user_agent = 0;
 +	cfg->identity = NULL;
 +	cfg->version = NULL;
 +	cfg->http_user_agent = NULL;
 +	cfg->nsid_cfg_str = NULL;
 +	cfg->nsid = NULL;
 +	cfg->nsid_len = 0;
 +	cfg->auto_trust_anchor_file_list = NULL;
 +	cfg->trust_anchor_file_list = NULL;
 +	cfg->trust_anchor_list = NULL;
 +	cfg->trusted_keys_file_list = NULL;
 +	cfg->trust_anchor_signaling = 1;
 +	cfg->root_key_sentinel = 1;
 +	cfg->domain_insecure = NULL;
 +	cfg->val_date_override = 0;
 +	cfg->val_sig_skew_min = 3600; /* at least daylight savings trouble */
 +	cfg->val_sig_skew_max = 86400; /* at most timezone settings trouble */
 +	cfg->val_max_restart = 5;
 +	cfg->val_clean_additional = 1;
 +	cfg->val_log_level = 0;
 +	cfg->val_log_squelch = 0;
 +	cfg->val_permissive_mode = 0;
 +	cfg->aggressive_nsec = 1;
 +	cfg->ignore_cd = 0;
 +	cfg->serve_expired = 0;
 +	cfg->serve_expired_ttl = 0;
 +	cfg->serve_expired_ttl_reset = 0;
 +	cfg->serve_expired_reply_ttl = 30;
 +	cfg->serve_expired_client_timeout = 0;
 +	cfg->ede_serve_expired = 0;
 +	cfg->serve_original_ttl = 0;
 +	cfg->zonemd_permissive_mode = 0;
 +	cfg->add_holddown = 30*24*3600;
 +	cfg->del_holddown = 30*24*3600;
 +	cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */
 +	cfg->permit_small_holddown = 0;
 +	cfg->key_cache_size = 4 * 1024 * 1024;
 +	cfg->key_cache_slabs = 4;
 +	cfg->neg_cache_size = 1 * 1024 * 1024;
 +	cfg->local_zones = NULL;
 +	cfg->local_zones_nodefault = NULL;
 +#ifdef USE_IPSET
 +	cfg->local_zones_ipset = NULL;
 +#endif
 +	cfg->local_zones_disable_default = 0;
 +	cfg->local_data = NULL;
 +	cfg->local_zone_overrides = NULL;
 +	cfg->unblock_lan_zones = 0;
 +	cfg->insecure_lan_zones = 0;
 +	cfg->python_script = NULL;
 +	cfg->dynlib_file = NULL;
 +	cfg->remote_control_enable = 0;
 +	cfg->control_ifs.first = NULL;
 +	cfg->control_ifs.last = NULL;
 +	cfg->control_port = UNBOUND_CONTROL_PORT;
 +	cfg->control_use_cert = 1;
 +	cfg->minimal_responses = 1;
 +	cfg->rrset_roundrobin = 1;
 +	cfg->unknown_server_time_limit = 376;
 +	cfg->max_udp_size = 4096;
 +	if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key"))) 
 +		goto error_exit;
 +	if(!(cfg->server_cert_file = strdup(RUN_DIR"/unbound_server.pem"))) 
 +		goto error_exit;
 +	if(!(cfg->control_key_file = strdup(RUN_DIR"/unbound_control.key"))) 
 +		goto error_exit;
 +	if(!(cfg->control_cert_file = strdup(RUN_DIR"/unbound_control.pem"))) 
 +		goto error_exit;
 +
 +#ifdef CLIENT_SUBNET
 +	if(!(cfg->module_conf = strdup("subnetcache validator iterator"))) goto error_exit;
 +#else
 +	if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit;
 +#endif
 +	if(!(cfg->val_nsec3_key_iterations = 
 +		strdup("1024 150 2048 150 4096 150"))) goto error_exit;
 +#if defined(DNSTAP_SOCKET_PATH)
 +	if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH)))
 +		goto error_exit;
 +#endif
 +	cfg->dnstap_bidirectional = 1;
 +	cfg->dnstap_tls = 1;
 +	cfg->disable_dnssec_lame_check = 0;
 +	cfg->ip_ratelimit = 0;
 +	cfg->ratelimit = 0;
 +	cfg->ip_ratelimit_slabs = 4;
 +	cfg->ratelimit_slabs = 4;
 +	cfg->ip_ratelimit_size = 4*1024*1024;
 +	cfg->ratelimit_size = 4*1024*1024;
 +	cfg->ratelimit_for_domain = NULL;
 +	cfg->ratelimit_below_domain = NULL;
 +	cfg->ip_ratelimit_factor = 10;
 +	cfg->ratelimit_factor = 10;
 +	cfg->ip_ratelimit_backoff = 0;
 +	cfg->ratelimit_backoff = 0;
 +	cfg->outbound_msg_retry = 5;
 +	cfg->qname_minimisation = 1;
 +	cfg->qname_minimisation_strict = 0;
 +	cfg->shm_enable = 0;
 +	cfg->shm_key = 11777;
 +	cfg->edns_client_strings = NULL;
 +	cfg->edns_client_string_opcode = 65001;
 +	cfg->dnscrypt = 0;
 +	cfg->dnscrypt_port = 0;
 +	cfg->dnscrypt_provider = NULL;
 +	cfg->dnscrypt_provider_cert = NULL;
 +	cfg->dnscrypt_provider_cert_rotated = NULL;
 +	cfg->dnscrypt_secret_key = NULL;
 +	cfg->dnscrypt_shared_secret_cache_size = 4*1024*1024;
 +	cfg->dnscrypt_shared_secret_cache_slabs = 4;
 +	cfg->dnscrypt_nonce_cache_size = 4*1024*1024;
 +	cfg->dnscrypt_nonce_cache_slabs = 4;
 +	cfg->pad_responses = 1;
 +	cfg->pad_responses_block_size = 468; /* from RFC8467 */
 +	cfg->pad_queries = 1;
 +	cfg->pad_queries_block_size = 128; /* from RFC8467 */
 +#ifdef USE_IPSECMOD
 +	cfg->ipsecmod_enabled = 1;
 +	cfg->ipsecmod_ignore_bogus = 0;
 +	cfg->ipsecmod_hook = NULL;
 +	cfg->ipsecmod_max_ttl = 3600;
 +	cfg->ipsecmod_whitelist = NULL;
 +	cfg->ipsecmod_strict = 0;
 +#endif
 +#ifdef USE_CACHEDB
 +	if(!(cfg->cachedb_backend = strdup("testframe"))) goto error_exit;
 +	if(!(cfg->cachedb_secret = strdup("default"))) goto error_exit;
 +#ifdef USE_REDIS
 +	if(!(cfg->redis_server_host = strdup("127.0.0.1"))) goto error_exit;
 +	cfg->redis_timeout = 100;
 +	cfg->redis_server_port = 6379;
 +	cfg->redis_expire_records = 0;
 +#endif  /* USE_REDIS */
 +#endif  /* USE_CACHEDB */
 +#ifdef USE_IPSET
 +	cfg->ipset_name_v4 = NULL;
 +	cfg->ipset_name_v6 = NULL;
 +#endif
 +	cfg->ede = 0;
 +	return cfg;
 +error_exit:
 +	config_delete(cfg);
 +	return NULL;
 +}
 +
 +struct config_file* config_create_forlib(void)
 +{
 +	struct config_file* cfg = config_create();
 +	if(!cfg) return NULL;
 +	/* modifications for library use, less verbose, less memory */
 +	free(cfg->chrootdir);
 +	cfg->chrootdir = NULL;
 +	cfg->verbosity = 0;
 +	cfg->outgoing_num_ports = 16; /* in library use, this is 'reasonable'
 +		and probably within the ulimit(maxfds) of the user */
 +	cfg->outgoing_num_tcp = 2;
 +	cfg->msg_cache_size = 1024*1024;
 +	cfg->msg_cache_slabs = 1;
 +	cfg->rrset_cache_size = 1024*1024;
 +	cfg->rrset_cache_slabs = 1;
 +	cfg->infra_cache_slabs = 1;
 +	cfg->use_syslog = 0;
 +	cfg->key_cache_size = 1024*1024;
 +	cfg->key_cache_slabs = 1;
 +	cfg->neg_cache_size = 100 * 1024;
 +	cfg->donotquery_localhost = 0; /* allow, so that you can ask a
 +		forward nameserver running on localhost */
 +	cfg->val_log_level = 2; /* to fill why_bogus with */
 +	cfg->val_log_squelch = 1;
 +	cfg->minimal_responses = 0;
 +	cfg->harden_short_bufsize = 1;
 +	return cfg;
 +}
 +
 +/** check that the value passed is >= 0 */
 +#define IS_NUMBER_OR_ZERO \
 +	if(atoi(val) == 0 && strcmp(val, "0") != 0) return 0
 +/** check that the value passed is > 0 */
 +#define IS_NONZERO_NUMBER \
 +	if(atoi(val) == 0) return 0
 +/** check that the value passed is not 0 and a power of 2 */
 +#define IS_POW2_NUMBER \
 +	if(atoi(val) == 0 || !is_pow2((size_t)atoi(val))) return 0
 +/** check that the value passed is yes or no */
 +#define IS_YES_OR_NO \
 +	if(strcmp(val, "yes") != 0 && strcmp(val, "no") != 0) return 0
 +/** put integer_or_zero into variable */
 +#define S_NUMBER_OR_ZERO(str, var) if(strcmp(opt, str) == 0) \
 +	{ IS_NUMBER_OR_ZERO; cfg->var = atoi(val); }
 +/** put integer_nonzero into variable */
 +#define S_NUMBER_NONZERO(str, var) if(strcmp(opt, str) == 0) \
 +	{ IS_NONZERO_NUMBER; cfg->var = atoi(val); }
 +/** put integer_or_zero into unsigned */
 +#define S_UNSIGNED_OR_ZERO(str, var) if(strcmp(opt, str) == 0) \
 +	{ IS_NUMBER_OR_ZERO; cfg->var = (unsigned)atoi(val); }
 +/** put integer_or_zero into size_t */
 +#define S_SIZET_OR_ZERO(str, var) if(strcmp(opt, str) == 0) \
 +	{ IS_NUMBER_OR_ZERO; cfg->var = (size_t)atoi(val); }
 +/** put integer_nonzero into size_t */
 +#define S_SIZET_NONZERO(str, var) if(strcmp(opt, str) == 0) \
 +	{ IS_NONZERO_NUMBER; cfg->var = (size_t)atoi(val); }
 +/** put yesno into variable */
 +#define S_YNO(str, var) if(strcmp(opt, str) == 0) \
 +	{ IS_YES_OR_NO; cfg->var = (strcmp(val, "yes") == 0); }
 +/** put memsize into variable */
 +#define S_MEMSIZE(str, var) if(strcmp(opt, str)==0) \
 +	{ return cfg_parse_memsize(val, &cfg->var); }
 +/** put pow2 number into variable */
 +#define S_POW2(str, var) if(strcmp(opt, str)==0) \
 +	{ IS_POW2_NUMBER; cfg->var = (size_t)atoi(val); }
 +/** put string into variable */
 +#define S_STR(str, var) if(strcmp(opt, str)==0) \
 +	{ free(cfg->var); return (cfg->var = strdup(val)) != NULL; }
 +/** put string into strlist */
 +#define S_STRLIST(str, var) if(strcmp(opt, str)==0) \
 +	{ return cfg_strlist_insert(&cfg->var, strdup(val)); }
 +/** put string into strlist if not present yet*/
 +#define S_STRLIST_UNIQ(str, var) if(strcmp(opt, str)==0) \
 +	{ if(cfg_strlist_find(cfg->var, val)) { return 0;} \
 +	  return cfg_strlist_insert(&cfg->var, strdup(val)); }
 +/** append string to strlist */
 +#define S_STRLIST_APPEND(str, var) if(strcmp(opt, str)==0) \
 +	{ return cfg_strlist_append(&cfg->var, strdup(val)); }
 +
 +int config_set_option(struct config_file* cfg, const char* opt,
 +	const char* val)
 +{
 +	char buf[64];
 +	if(!opt) return 0;
 +	if(opt[strlen(opt)-1] != ':' && strlen(opt)+2<sizeof(buf)) {
 +		snprintf(buf, sizeof(buf), "%s:", opt);
 +		opt = buf;
 +	}
 +	S_NUMBER_OR_ZERO("verbosity:", verbosity)
 +	else if(strcmp(opt, "statistics-interval:") == 0) {
 +		if(strcmp(val, "0") == 0 || strcmp(val, "") == 0)
 +			cfg->stat_interval = 0;
 +		else if(atoi(val) == 0)
 +			return 0;
 +		else cfg->stat_interval = atoi(val);
 +	} else if(strcmp(opt, "num-threads:") == 0) {
 +		/* not supported, library must have 1 thread in bgworker */
 +		return 0;
 +	} else if(strcmp(opt, "outgoing-port-permit:") == 0) {
 +		return cfg_mark_ports(val, 1, 
 +			cfg->outgoing_avail_ports, 65536);
 +	} else if(strcmp(opt, "outgoing-port-avoid:") == 0) {
 +		return cfg_mark_ports(val, 0, 
 +			cfg->outgoing_avail_ports, 65536);
 +	} else if(strcmp(opt, "local-zone:") == 0) {
 +		return cfg_parse_local_zone(cfg, val);
 +	} else if(strcmp(opt, "val-override-date:") == 0) {
 +		if(strcmp(val, "") == 0 || strcmp(val, "0") == 0) {
 +			cfg->val_date_override = 0;
 +		} else if(strlen(val) == 14) {
 +			cfg->val_date_override = cfg_convert_timeval(val);
 +			return cfg->val_date_override != 0;
 +		} else {
 +			if(atoi(val) == 0) return 0;
 +			cfg->val_date_override = (uint32_t)atoi(val);
 +		}
 +	} else if(strcmp(opt, "local-data-ptr:") == 0) { 
 +		char* ptr = cfg_ptr_reverse((char*)opt);
 +		return cfg_strlist_insert(&cfg->local_data, ptr);
 +	} else if(strcmp(opt, "logfile:") == 0) {
 +		cfg->use_syslog = 0;
 +		free(cfg->logfile);
 +		return (cfg->logfile = strdup(val)) != NULL;
 +	}
 +	else if(strcmp(opt, "log-time-ascii:") == 0)
 +	{ IS_YES_OR_NO; cfg->log_time_ascii = (strcmp(val, "yes") == 0);
 +	  log_set_time_asc(cfg->log_time_ascii); }
 +	else S_SIZET_NONZERO("max-udp-size:", max_udp_size)
 +	else S_YNO("use-syslog:", use_syslog)
 +	else S_STR("log-identity:", log_identity)
 +	else S_YNO("extended-statistics:", stat_extended)
 +	else S_YNO("statistics-cumulative:", stat_cumulative)
 +	else S_YNO("shm-enable:", shm_enable)
 +	else S_NUMBER_OR_ZERO("shm-key:", shm_key)
 +	else S_YNO("do-ip4:", do_ip4)
 +	else S_YNO("do-ip6:", do_ip6)
 +	else S_YNO("do-udp:", do_udp)
 +	else S_YNO("do-tcp:", do_tcp)
 +	else S_YNO("prefer-ip4:", prefer_ip4)
 +	else S_YNO("prefer-ip6:", prefer_ip6)
 +	else S_YNO("tcp-upstream:", tcp_upstream)
 +	else S_YNO("udp-upstream-without-downstream:",
 +		udp_upstream_without_downstream)
 +	else S_NUMBER_NONZERO("tcp-mss:", tcp_mss)
 +	else S_NUMBER_NONZERO("outgoing-tcp-mss:", outgoing_tcp_mss)
 +	else S_NUMBER_NONZERO("tcp-auth-query-timeout:", tcp_auth_query_timeout)
 +	else S_NUMBER_NONZERO("tcp-idle-timeout:", tcp_idle_timeout)
 +	else S_NUMBER_NONZERO("max-reuse-tcp-queries:", max_reuse_tcp_queries)
 +	else S_NUMBER_NONZERO("tcp-reuse-timeout:", tcp_reuse_timeout)
 +	else S_YNO("edns-tcp-keepalive:", do_tcp_keepalive)
 +	else S_NUMBER_NONZERO("edns-tcp-keepalive-timeout:", tcp_keepalive_timeout)
 +	else S_YNO("ssl-upstream:", ssl_upstream)
 +	else S_YNO("tls-upstream:", ssl_upstream)
 +	else S_STR("ssl-service-key:", ssl_service_key)
 +	else S_STR("tls-service-key:", ssl_service_key)
 +	else S_STR("ssl-service-pem:", ssl_service_pem)
 +	else S_STR("tls-service-pem:", ssl_service_pem)
 +	else S_NUMBER_NONZERO("ssl-port:", ssl_port)
 +	else S_NUMBER_NONZERO("tls-port:", ssl_port)
 +	else S_STR("ssl-cert-bundle:", tls_cert_bundle)
 +	else S_STR("tls-cert-bundle:", tls_cert_bundle)
 +	else S_YNO("tls-win-cert:", tls_win_cert)
 +	else S_YNO("tls-system-cert:", tls_win_cert)
 +	else S_STRLIST("additional-ssl-port:", tls_additional_port)
 +	else S_STRLIST("additional-tls-port:", tls_additional_port)
 +	else S_STRLIST("tls-additional-ports:", tls_additional_port)
 +	else S_STRLIST("tls-additional-port:", tls_additional_port)
 +	else S_STRLIST_APPEND("tls-session-ticket-keys:", tls_session_ticket_keys)
 +	else S_STR("tls-ciphers:", tls_ciphers)
 +	else S_STR("tls-ciphersuites:", tls_ciphersuites)
 +	else S_YNO("tls-use-sni:", tls_use_sni)
 +	else S_NUMBER_NONZERO("https-port:", https_port)
 +	else S_STR("http-endpoint:", http_endpoint)
 +	else S_NUMBER_NONZERO("http-max-streams:", http_max_streams)
 +	else S_MEMSIZE("http-query-buffer-size:", http_query_buffer_size)
 +	else S_MEMSIZE("http-response-buffer-size:", http_response_buffer_size)
 +	else S_YNO("http-nodelay:", http_nodelay)
 +	else S_YNO("http-notls-downstream:", http_notls_downstream)
 +	else S_YNO("interface-automatic:", if_automatic)
 +	else S_STR("interface-automatic-ports:", if_automatic_ports)
 +	else S_YNO("use-systemd:", use_systemd)
 +	else S_YNO("do-daemonize:", do_daemonize)
 +	else S_NUMBER_NONZERO("port:", port)
 +	else S_NUMBER_NONZERO("outgoing-range:", outgoing_num_ports)
 +	else S_SIZET_OR_ZERO("outgoing-num-tcp:", outgoing_num_tcp)
 +	else S_SIZET_OR_ZERO("incoming-num-tcp:", incoming_num_tcp)
 +	else S_MEMSIZE("stream-wait-size:", stream_wait_size)
 +	else S_SIZET_NONZERO("edns-buffer-size:", edns_buffer_size)
 +	else S_SIZET_NONZERO("msg-buffer-size:", msg_buffer_size)
 +	else S_MEMSIZE("msg-cache-size:", msg_cache_size)
 +	else S_POW2("msg-cache-slabs:", msg_cache_slabs)
 +	else S_SIZET_NONZERO("num-queries-per-thread:",num_queries_per_thread)
 +	else S_SIZET_OR_ZERO("jostle-timeout:", jostle_time)
 +	else S_MEMSIZE("so-rcvbuf:", so_rcvbuf)
 +	else S_MEMSIZE("so-sndbuf:", so_sndbuf)
 +	else S_YNO("so-reuseport:", so_reuseport)
 +	else S_YNO("ip-transparent:", ip_transparent)
 +	else S_YNO("ip-freebind:", ip_freebind)
 +	else S_NUMBER_OR_ZERO("ip-dscp:", ip_dscp)
 +	else S_MEMSIZE("rrset-cache-size:", rrset_cache_size)
 +	else S_POW2("rrset-cache-slabs:", rrset_cache_slabs)
 +	else S_YNO("prefetch:", prefetch)
 +	else S_YNO("prefetch-key:", prefetch_key)
 +	else S_YNO("deny-any:", deny_any)
 +	else if(strcmp(opt, "cache-max-ttl:") == 0)
 +	{ IS_NUMBER_OR_ZERO; cfg->max_ttl = atoi(val); MAX_TTL=(time_t)cfg->max_ttl;}
 +	else if(strcmp(opt, "cache-max-negative-ttl:") == 0)
 +	{ IS_NUMBER_OR_ZERO; cfg->max_negative_ttl = atoi(val); MAX_NEG_TTL=(time_t)cfg->max_negative_ttl;}
 +	else if(strcmp(opt, "cache-min-ttl:") == 0)
 +	{ IS_NUMBER_OR_ZERO; cfg->min_ttl = atoi(val); MIN_TTL=(time_t)cfg->min_ttl;}
 +	else if(strcmp(opt, "infra-cache-min-rtt:") == 0) {
- 	    IS_NUMBER_OR_ZERO; cfg->infra_cache_min_rtt = atoi(val);
- 	    RTT_MIN_TIMEOUT=cfg->infra_cache_min_rtt;
++	 	IS_NUMBER_OR_ZERO; cfg->infra_cache_min_rtt = atoi(val);
++		RTT_MIN_TIMEOUT=cfg->infra_cache_min_rtt;
++	}
++	else if(strcmp(opt, "infra-cache-max-rtt:") == 0) {
++		IS_NUMBER_OR_ZERO; cfg->infra_cache_max_rtt = atoi(val);
++		RTT_MAX_TIMEOUT=cfg->infra_cache_max_rtt;
++		USEFUL_SERVER_TOP_TIMEOUT = RTT_MAX_TIMEOUT;
++		BLACKLIST_PENALTY = USEFUL_SERVER_TOP_TIMEOUT*4;
 +	}
 +	else S_YNO("infra-keep-probing:", infra_keep_probing)
 +	else S_NUMBER_OR_ZERO("infra-host-ttl:", host_ttl)
 +	else S_POW2("infra-cache-slabs:", infra_cache_slabs)
 +	else S_SIZET_NONZERO("infra-cache-numhosts:", infra_cache_numhosts)
 +	else S_NUMBER_OR_ZERO("delay-close:", delay_close)
 +	else S_YNO("udp-connect:", udp_connect)
 +	else S_STR("chroot:", chrootdir)
 +	else S_STR("username:", username)
 +	else S_STR("directory:", directory)
 +	else S_STR("pidfile:", pidfile)
 +	else S_YNO("hide-identity:", hide_identity)
 +	else S_YNO("hide-version:", hide_version)
 +	else S_YNO("hide-trustanchor:", hide_trustanchor)
 +	else S_YNO("hide-http-user-agent:", hide_http_user_agent)
 +	else S_STR("identity:", identity)
 +	else S_STR("version:", version)
 +	else S_STR("http-user-agent:", http_user_agent)
 +	else if(strcmp(opt, "nsid:") == 0) {
 +		free(cfg->nsid_cfg_str);
 +		if (!(cfg->nsid_cfg_str = strdup(val)))
 +			return 0;
 +		/* Empty string is just validly unsetting nsid */
 +		if (*val == 0) {
 +			free(cfg->nsid);
 +			cfg->nsid = NULL;
 +			cfg->nsid_len = 0;
 +			return 1;
 +		}
 +		cfg->nsid = cfg_parse_nsid(val, &cfg->nsid_len);
 +		return cfg->nsid != NULL;
 +	}
 +	else S_STRLIST("root-hints:", root_hints)
 +	else S_STR("target-fetch-policy:", target_fetch_policy)
 +	else S_YNO("harden-glue:", harden_glue)
 +	else S_YNO("harden-short-bufsize:", harden_short_bufsize)
 +	else S_YNO("harden-large-queries:", harden_large_queries)
 +	else S_YNO("harden-dnssec-stripped:", harden_dnssec_stripped)
 +	else S_YNO("harden-below-nxdomain:", harden_below_nxdomain)
 +	else S_YNO("harden-referral-path:", harden_referral_path)
 +	else S_YNO("harden-algo-downgrade:", harden_algo_downgrade)
 +	else S_YNO("use-caps-for-id:", use_caps_bits_for_id)
 +	else S_STRLIST("caps-whitelist:", caps_whitelist)
 +	else S_SIZET_OR_ZERO("unwanted-reply-threshold:", unwanted_threshold)
 +	else S_STRLIST("private-address:", private_address)
 +	else S_STRLIST("private-domain:", private_domain)
 +	else S_YNO("do-not-query-localhost:", donotquery_localhost)
 +	else S_STRLIST("do-not-query-address:", donotqueryaddrs)
 +	else S_STRLIST("auto-trust-anchor-file:", auto_trust_anchor_file_list)
 +	else S_STRLIST("trust-anchor-file:", trust_anchor_file_list)
 +	else S_STRLIST("trust-anchor:", trust_anchor_list)
 +	else S_STRLIST("trusted-keys-file:", trusted_keys_file_list)
 +	else S_YNO("trust-anchor-signaling:", trust_anchor_signaling)
 +	else S_YNO("root-key-sentinel:", root_key_sentinel)
 +	else S_STRLIST("domain-insecure:", domain_insecure)
 +	else S_NUMBER_OR_ZERO("val-bogus-ttl:", bogus_ttl)
 +	else S_YNO("val-clean-additional:", val_clean_additional)
 +	else S_NUMBER_OR_ZERO("val-log-level:", val_log_level)
 +	else S_YNO("val-log-squelch:", val_log_squelch)
 +	else S_YNO("log-queries:", log_queries)
 +	else S_YNO("log-replies:", log_replies)
 +	else S_YNO("log-tag-queryreply:", log_tag_queryreply)
 +	else S_YNO("log-local-actions:", log_local_actions)
 +	else S_YNO("log-servfail:", log_servfail)
 +	else S_YNO("val-permissive-mode:", val_permissive_mode)
 +	else S_YNO("aggressive-nsec:", aggressive_nsec)
 +	else S_YNO("ignore-cd-flag:", ignore_cd)
 +	else if(strcmp(opt, "serve-expired:") == 0)
 +	{ IS_YES_OR_NO; cfg->serve_expired = (strcmp(val, "yes") == 0);
 +	  SERVE_EXPIRED = cfg->serve_expired; }
 +	else if(strcmp(opt, "serve-expired-ttl:") == 0)
 +	{ IS_NUMBER_OR_ZERO; cfg->serve_expired_ttl = atoi(val); SERVE_EXPIRED_TTL=(time_t)cfg->serve_expired_ttl;}
 +	else S_YNO("serve-expired-ttl-reset:", serve_expired_ttl_reset)
 +	else if(strcmp(opt, "serve-expired-reply-ttl:") == 0)
 +	{ IS_NUMBER_OR_ZERO; cfg->serve_expired_reply_ttl = atoi(val); SERVE_EXPIRED_REPLY_TTL=(time_t)cfg->serve_expired_reply_ttl;}
 +	else S_NUMBER_OR_ZERO("serve-expired-client-timeout:", serve_expired_client_timeout)
 +	else S_YNO("ede:", ede)	
 +	else S_YNO("ede-serve-expired:", ede_serve_expired)
 +	else S_YNO("serve-original-ttl:", serve_original_ttl)
 +	else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations)
 +	else S_YNO("zonemd-permissive-mode:", zonemd_permissive_mode)
 +	else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown)
 +	else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown)
 +	else S_UNSIGNED_OR_ZERO("keep-missing:", keep_missing)
 +	else if(strcmp(opt, "permit-small-holddown:") == 0)
 +	{ IS_YES_OR_NO; cfg->permit_small_holddown = (strcmp(val, "yes") == 0);
 +	  autr_permit_small_holddown = cfg->permit_small_holddown; }
 +	else S_MEMSIZE("key-cache-size:", key_cache_size)
 +	else S_POW2("key-cache-slabs:", key_cache_slabs)
 +	else S_MEMSIZE("neg-cache-size:", neg_cache_size)
 +	else S_YNO("minimal-responses:", minimal_responses)
 +	else S_YNO("rrset-roundrobin:", rrset_roundrobin)
 +	else S_NUMBER_OR_ZERO("unknown-server-time-limit:", unknown_server_time_limit)
 +	else S_STRLIST("local-data:", local_data)
 +	else S_YNO("unblock-lan-zones:", unblock_lan_zones)
 +	else S_YNO("insecure-lan-zones:", insecure_lan_zones)
 +	else S_YNO("control-enable:", remote_control_enable)
 +	else S_STRLIST_APPEND("control-interface:", control_ifs)
 +	else S_NUMBER_NONZERO("control-port:", control_port)
 +	else S_STR("server-key-file:", server_key_file)
 +	else S_STR("server-cert-file:", server_cert_file)
 +	else S_STR("control-key-file:", control_key_file)
 +	else S_STR("control-cert-file:", control_cert_file)
 +	else S_STR("module-config:", module_conf)
 +	else S_STRLIST("python-script:", python_script)
 +	else S_STRLIST("dynlib-file:", dynlib_file)
 +	else S_YNO("disable-dnssec-lame-check:", disable_dnssec_lame_check)
 +#ifdef CLIENT_SUBNET
 +	/* Can't set max subnet prefix here, since that value is used when
 +	 * generating the address tree. */
 +	/* No client-subnet-always-forward here, module registration depends on
 +	 * this option. */
 +#endif
 +#ifdef USE_DNSTAP
 +	else S_YNO("dnstap-enable:", dnstap)
 +	else S_YNO("dnstap-bidirectional:", dnstap_bidirectional)
 +	else S_STR("dnstap-socket-path:", dnstap_socket_path)
 +	else S_STR("dnstap-ip:", dnstap_ip)
 +	else S_YNO("dnstap-tls:", dnstap_tls)
 +	else S_STR("dnstap-tls-server-name:", dnstap_tls_server_name)
 +	else S_STR("dnstap-tls-cert-bundle:", dnstap_tls_cert_bundle)
 +	else S_STR("dnstap-tls-client-key-file:", dnstap_tls_client_key_file)
 +	else S_STR("dnstap-tls-client-cert-file:",
 +		dnstap_tls_client_cert_file)
 +	else S_YNO("dnstap-send-identity:", dnstap_send_identity)
 +	else S_YNO("dnstap-send-version:", dnstap_send_version)
 +	else S_STR("dnstap-identity:", dnstap_identity)
 +	else S_STR("dnstap-version:", dnstap_version)
 +	else S_YNO("dnstap-log-resolver-query-messages:",
 +		dnstap_log_resolver_query_messages)
 +	else S_YNO("dnstap-log-resolver-response-messages:",
 +		dnstap_log_resolver_response_messages)
 +	else S_YNO("dnstap-log-client-query-messages:",
 +		dnstap_log_client_query_messages)
 +	else S_YNO("dnstap-log-client-response-messages:",
 +		dnstap_log_client_response_messages)
 +	else S_YNO("dnstap-log-forwarder-query-messages:",
 +		dnstap_log_forwarder_query_messages)
 +	else S_YNO("dnstap-log-forwarder-response-messages:",
 +		dnstap_log_forwarder_response_messages)
 +#endif
 +#ifdef USE_DNSCRYPT
 +	else S_YNO("dnscrypt-enable:", dnscrypt)
 +	else S_NUMBER_NONZERO("dnscrypt-port:", dnscrypt_port)
 +	else S_STR("dnscrypt-provider:", dnscrypt_provider)
 +	else S_STRLIST_UNIQ("dnscrypt-provider-cert:", dnscrypt_provider_cert)
 +	else S_STRLIST("dnscrypt-provider-cert-rotated:", dnscrypt_provider_cert_rotated)
 +	else S_STRLIST_UNIQ("dnscrypt-secret-key:", dnscrypt_secret_key)
 +	else S_MEMSIZE("dnscrypt-shared-secret-cache-size:",
 +		dnscrypt_shared_secret_cache_size)
 +	else S_POW2("dnscrypt-shared-secret-cache-slabs:",
 +		dnscrypt_shared_secret_cache_slabs)
 +	else S_MEMSIZE("dnscrypt-nonce-cache-size:",
 +		dnscrypt_nonce_cache_size)
 +	else S_POW2("dnscrypt-nonce-cache-slabs:",
 +		dnscrypt_nonce_cache_slabs)
 +#endif
 +	else if(strcmp(opt, "ip-ratelimit:") == 0) {
 +	    IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val);
 +	    infra_ip_ratelimit=cfg->ip_ratelimit;
 +	}
 +	else if(strcmp(opt, "ratelimit:") == 0) {
 +	    IS_NUMBER_OR_ZERO; cfg->ratelimit = atoi(val);
 +	    infra_dp_ratelimit=cfg->ratelimit;
 +	}
 +	else S_MEMSIZE("ip-ratelimit-size:", ip_ratelimit_size)
 +	else S_MEMSIZE("ratelimit-size:", ratelimit_size)
 +	else S_POW2("ip-ratelimit-slabs:", ip_ratelimit_slabs)
 +	else S_POW2("ratelimit-slabs:", ratelimit_slabs)
 +	else S_NUMBER_OR_ZERO("ip-ratelimit-factor:", ip_ratelimit_factor)
 +	else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
 +	else S_YNO("ip-ratelimit-backoff:", ip_ratelimit_backoff)
 +	else S_YNO("ratelimit-backoff:", ratelimit_backoff)
 +	else S_NUMBER_NONZERO("outbound-msg-retry:", outbound_msg_retry)
 +	else S_SIZET_NONZERO("fast-server-num:", fast_server_num)
 +	else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil)
 +	else S_YNO("qname-minimisation:", qname_minimisation)
 +	else S_YNO("qname-minimisation-strict:", qname_minimisation_strict)
 +	else S_YNO("pad-responses:", pad_responses)
 +	else S_SIZET_NONZERO("pad-responses-block-size:", pad_responses_block_size)
 +	else S_YNO("pad-queries:", pad_queries)
 +	else S_SIZET_NONZERO("pad-queries-block-size:", pad_queries_block_size)
 +#ifdef USE_IPSECMOD
 +	else S_YNO("ipsecmod-enabled:", ipsecmod_enabled)
 +	else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus)
 +	else if(strcmp(opt, "ipsecmod-max-ttl:") == 0)
 +	{ IS_NUMBER_OR_ZERO; cfg->ipsecmod_max_ttl = atoi(val); }
 +	else S_YNO("ipsecmod-strict:", ipsecmod_strict)
 +#endif
 +	else if(strcmp(opt, "define-tag:") ==0) {
 +		return config_add_tag(cfg, val);
 +	/* val_sig_skew_min, max and val_max_restart are copied into val_env
 +	 * during init so this does not update val_env with set_option */
 +	} else if(strcmp(opt, "val-sig-skew-min:") == 0)
 +	{ IS_NUMBER_OR_ZERO; cfg->val_sig_skew_min = (int32_t)atoi(val); }
 +	else if(strcmp(opt, "val-sig-skew-max:") == 0)
 +	{ IS_NUMBER_OR_ZERO; cfg->val_sig_skew_max = (int32_t)atoi(val); }
 +	else if(strcmp(opt, "val-max-restart:") == 0)
 +	{ IS_NUMBER_OR_ZERO; cfg->val_max_restart = (int32_t)atoi(val); }
 +	else if (strcmp(opt, "outgoing-interface:") == 0) {
 +		char* d = strdup(val);
 +		char** oi = 
 +		(char**)reallocarray(NULL, (size_t)cfg->num_out_ifs+1, sizeof(char*));
 +		if(!d || !oi) { free(d); free(oi); return -1; }
 +		if(cfg->out_ifs && cfg->num_out_ifs) {
 +			memmove(oi, cfg->out_ifs, cfg->num_out_ifs*sizeof(char*));
 +			free(cfg->out_ifs);
 +		}
 +		oi[cfg->num_out_ifs++] = d;
 +		cfg->out_ifs = oi;
 +	} else {
 +		/* unknown or unsupported (from the set_option interface):
 +		 * interface, outgoing-interface, access-control,
 +		 * stub-zone, name, stub-addr, stub-host, stub-prime
 +		 * forward-first, stub-first, forward-ssl-upstream,
 +		 * stub-ssl-upstream, forward-zone, auth-zone
 +		 * name, forward-addr, forward-host,
 +		 * ratelimit-for-domain, ratelimit-below-domain,
 +		 * local-zone-tag, access-control-view,
 +		 * send-client-subnet, client-subnet-always-forward,
 +		 * max-client-subnet-ipv4, max-client-subnet-ipv6,
 +		 * min-client-subnet-ipv4, min-client-subnet-ipv6,
 +		 * max-ecs-tree-size-ipv4, max-ecs-tree-size-ipv6, ipsecmod_hook,
 +		 * ipsecmod_whitelist. */
 +		return 0;
 +	}
 +	return 1;
 +}
 +
 +void config_print_func(char* line, void* arg)
 +{
 +	FILE* f = (FILE*)arg;
 +	(void)fprintf(f, "%s\n", line);
 +}
 +
 +/** collate func arg */
 +struct config_collate_arg {
 +	/** list of result items */
 +	struct config_strlist_head list;
 +	/** if a malloc error occurred, 0 is OK */
 +	int status;
 +};
 +
 +void config_collate_func(char* line, void* arg)
 +{
 +	struct config_collate_arg* m = (struct config_collate_arg*)arg;
 +	if(m->status)
 +		return;
 +	if(!cfg_strlist_append(&m->list, strdup(line)))
 +		m->status = 1;
 +}
 +
 +int config_get_option_list(struct config_file* cfg, const char* opt,
 +	struct config_strlist** list)
 +{
 +	struct config_collate_arg m;
 +	memset(&m, 0, sizeof(m));
 +	*list = NULL;
 +	if(!config_get_option(cfg, opt, config_collate_func, &m))
 +		return 1;
 +	if(m.status) {
 +		config_delstrlist(m.list.first);
 +		return 2;
 +	}
 +	*list = m.list.first;
 +	return 0;
 +}
 +
 +int
 +config_get_option_collate(struct config_file* cfg, const char* opt, char** str)
 +{
 +	struct config_strlist* list = NULL;
 +	int r;
 +	*str = NULL;
 +	if((r = config_get_option_list(cfg, opt, &list)) != 0)
 +		return r;
 +	*str = config_collate_cat(list);
 +	config_delstrlist(list);
 +	if(!*str) return 2;
 +	return 0;
 +}
 +
 +char*
 +config_collate_cat(struct config_strlist* list)
 +{
 +	size_t total = 0, left;
 +	struct config_strlist* s;
 +	char *r, *w;
 +	if(!list) /* no elements */
 +		return strdup("");
 +	if(list->next == NULL) /* one element , no newline at end. */
*** 1714 LINES SKIPPED ***