- dns64-ignore-aaaa: config option to list domain names for which the

existing AAAA is ignored and dns64 processing is used on the A record. git-svn-id: file:///svn/unbound/trunk@4762 be551aaa-1e26-0410-a405-d3ace91eadb9
2024-09-21 14:47:09 +00:00 · 2018-06-29 12:58:52 +00:00 · 2018-06-29 12:58:52 +00:00 · 2beae211ee
commit 2beae211ee
parent d3ff7a9333
10 changed files with 3266 additions and 3114 deletions
--- a/Makefile.in
+++ b/Makefile.in
@ -1030,7 +1030,8 @@ dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(src
 $(srcdir)/util/storage/slabhash.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \
 $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
 $(srcdir)/dnscrypt/cert.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h
+ $(srcdir)/services/modstack.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \
 $(srcdir)/util/storage/dnstree.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h
 edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \
 $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h
 subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/edns-subnet/subnetmod.h \
--- a/dns64/dns64.c
+++ b/dns64/dns64.c
@ -48,6 +48,9 @@
 #include "util/fptr_wlist.h"
 #include "util/net_help.h"
 #include "util/regional.h"
 #include "util/storage/dnstree.h"
 #include "util/data/dname.h"
 #include "sldns/str2wire.h"
 /******************************************************************************
 *                                                                            *
@ -111,6 +114,11 @@ struct dns64_env {
     * This is the CIDR length of the prefix. It needs to be between 0 and 96.
     */
    int prefix_net;
    /**
     * Tree of names for which AAAA is ignored. always synthesize from A.
     */
    rbtree_type ignore_aaaa;
 };
@ -284,6 +292,40 @@ synthesize_aaaa(const uint8_t prefix_addr[16], int prefix_net,
 *                                                                            *
 ******************************************************************************/
 /**
 * insert ignore_aaaa element into the tree
 * @param dns64_env: module env.
 * @param str: string with domain name.
 * @return false on failure.
 */
 static int
 dns64_insert_ignore_aaaa(struct dns64_env* dns64_env, char* str)
 {
 	/* parse and insert element */
 	struct name_tree_node* node;
 	node = (struct name_tree_node*)calloc(1, sizeof(*node));
 	if(!node) {
 		log_err("out of memory");
 		return 0;
 	}
 	node->name = sldns_str2wire_dname(str, &node->len);
 	if(!node->name) {
 		free(node);
 		log_err("cannot parse dns64-ignore-aaaa: %s", str);
 		return 0;
 	}
 	node->labs = dname_count_labels(node->name);
 	node->dclass = LDNS_RR_CLASS_IN;
 	if(!name_tree_insert(&dns64_env->ignore_aaaa, node,
 		node->name, node->len, node->labs, node->dclass)) {
 		/* ignore duplicate element */
 		free(node->name);
 		free(node);
 		return 1;
 	}
 	return 1;
 }
 /**
 * This function applies the configuration found in the parsed configuration
 * file \a cfg to this instance of the dns64 module. Currently only the DNS64
@ -295,6 +337,7 @@ synthesize_aaaa(const uint8_t prefix_addr[16], int prefix_net,
 static int
 dns64_apply_cfg(struct dns64_env* dns64_env, struct config_file* cfg)
 {
    struct config_strlist* s;
    verbose(VERB_ALGO, "dns64-prefix: %s", cfg->dns64_prefix);
    if (!netblockstrtoaddr(cfg->dns64_prefix ? cfg->dns64_prefix :
                DEFAULT_DNS64_PREFIX, 0, &dns64_env->prefix_addr,
@ -311,6 +354,11 @@ dns64_apply_cfg(struct dns64_env* dns64_env, struct config_file* cfg)
                cfg->dns64_prefix);
        return 0;
    }
    for(s = cfg->dns64_ignore_aaaa; s; s = s->next) {
 	    if(!dns64_insert_ignore_aaaa(dns64_env, s->str))
 		    return 0;
    }
    name_tree_init_parents(&dns64_env->ignore_aaaa);
    return 1;
 }
@ -329,7 +377,8 @@ dns64_init(struct module_env* env, int id)
        log_err("malloc failure");
        return 0;
    }
-	env->modinfo[id] = (void*)dns64_env;
+    env->modinfo[id] = (void*)dns64_env;
    name_tree_init(&dns64_env->ignore_aaaa);
    if (!dns64_apply_cfg(dns64_env, env->cfg)) {
        log_err("dns64: could not apply configuration settings.");
        return 0;
@ -337,6 +386,16 @@ dns64_init(struct module_env* env, int id)
    return 1;
 }
 /** free ignore AAAA elements */
 static void
 free_ignore_aaaa_node(rbnode_type* node, void* ATTR_UNUSED(arg))
 {
 	struct name_tree_node* n = (struct name_tree_node*)node;
 	if(!n) return;
 	free(n->name);
 	free(n);
 }
 /**
 * Deinitializes this instance of the dns64 module.
 *
@ -346,8 +405,14 @@ dns64_init(struct module_env* env, int id)
 void
 dns64_deinit(struct module_env* env, int id)
 {
    struct dns64_env* dns64_env;
    if (!env)
        return;
    dns64_env = (struct dns64_env*)env->modinfo[id];
    if(dns64_env) {
 	    traverse_postorder(&dns64_env->ignore_aaaa, free_ignore_aaaa_node,
 	    	NULL);
    }
    free(env->modinfo[id]);
    env->modinfo[id] = NULL;
 }
@ -440,6 +505,25 @@ generate_type_A_query(struct module_qstate* qstate, int id)
 	return module_wait_subquery;
 }
 /**
 * See if query name is in the always synth config.
 * The ignore-aaaa list has names for which the AAAA for the domain is
 * ignored and the A is always used to create the answer.
 * @param qstate: query state.
 * @param id: module id.
 * @return true if the name is covered by ignore-aaaa.
 */
 static int
 dns64_always_synth_for_qname(struct module_qstate* qstate, int id)
 {
 	struct dns64_env* dns64_env = (struct dns64_env*)qstate->env->modinfo[id];
 	int labs = dname_count_labels(qstate->qinfo.qname);
 	struct name_tree_node* node = name_tree_lookup(&dns64_env->ignore_aaaa,
 		qstate->qinfo.qname, qstate->qinfo.qname_len, labs,
 		qstate->qinfo.qclass);
 	return (node != NULL);
 }
 /**
 * Handles the "pass" event for a query. This event is received when a new query
 * is received by this module. The query may have been generated internally by
@ -468,6 +552,14 @@ handle_event_pass(struct module_qstate* qstate, int id)
 	    && qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA)
 		return generate_type_A_query(qstate, id);
 	if(dns64_always_synth_for_qname(qstate, id) &&
 	    (uintptr_t)qstate->minfo[id] == DNS64_NEW_QUERY
 	    && !(qstate->query_flags & BIT_CD)
 	    && qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) {
 		verbose(VERB_ALGO, "dns64: ignore-aaaa and synthesize anyway");
 		return generate_type_A_query(qstate, id);
 	}
 	/* We are finished when our sub-query is finished. */
 	if ((uintptr_t)qstate->minfo[id] == DNS64_SUBQUERY_FINISHED)
 		return module_finished;
@ -501,17 +593,29 @@ handle_event_moddone(struct module_qstate* qstate, int id)
     *        synthesize in (sec 5.1.2 of RFC6147).
     *   - A successful AAAA query with an answer.
     */
-	if ( (enum dns64_qstate)qstate->minfo[id] == DNS64_INTERNAL_QUERY
+	if((enum dns64_qstate)qstate->minfo[id] != DNS64_INTERNAL_QUERY
-            || qstate->qinfo.qtype != LDNS_RR_TYPE_AAAA
+            && qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA
-	    || (qstate->query_flags & BIT_CD)
+	    && !(qstate->query_flags & BIT_CD)
-	    || (qstate->return_msg &&
+	    && !(qstate->return_msg &&
 		    qstate->return_msg->rep &&
 		    reply_find_answer_rrset(&qstate->qinfo,
 			    qstate->return_msg->rep)))
-		return module_finished;
+		/* not internal, type AAAA, not CD, and no answer RRset,
 		 * So, this is a AAAA noerror/nodata answer */
 		return generate_type_A_query(qstate, id);
-    /* So, this is a AAAA noerror/nodata answer */
+	if((enum dns64_qstate)qstate->minfo[id] != DNS64_INTERNAL_QUERY
-	return generate_type_A_query(qstate, id);
+	    && qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA
 	    && !(qstate->query_flags & BIT_CD)
 	    && dns64_always_synth_for_qname(qstate, id)) {
 		/* if it is not internal, AAAA, not CD and listed domain,
 		 * generate from A record and ignore AAAA */
 		verbose(VERB_ALGO, "dns64: ignore-aaaa and synthesize anyway");
 		return generate_type_A_query(qstate, id);
 	}
 	/* do nothing */
 	return module_finished;
 }
 /**
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,8 @@
 29 June 2018: Wouter
 	- dns64-ignore-aaaa: config option to list domain names for which the
 	  existing AAAA is ignored and dns64 processing is used on the A
 	  record.
 28 June 2018: Wouter
 	- num.queries.tls counter for queries over TLS.
 	- log port number with err_addr logs.
--- a/util/config_file.c
+++ b/util/config_file.c
@ -1355,6 +1355,7 @@ config_delete(struct config_file* cfg)
 	free(cfg->control_key_file);
 	free(cfg->control_cert_file);
 	free(cfg->dns64_prefix);
 	config_delstrlist(cfg->dns64_ignore_aaaa);
 	free(cfg->dnstap_socket_path);
 	free(cfg->dnstap_identity);
 	free(cfg->dnstap_version);
--- a/util/config_file.h
+++ b/util/config_file.h
@ -419,6 +419,8 @@ struct config_file {
 	/* Synthetize all AAAA record despite the presence of an authoritative one */
 	int dns64_synthall;
 	/** ignore AAAAs for these domain names and use A record anyway */
 	struct config_strlist* dns64_ignore_aaaa;
 	/** true to enable dnstap support */
 	int dnstap;
--- a/util/configlexer.c
+++ b/util/configlexer.c
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@ -393,6 +393,7 @@ rrset-roundrobin{COLON}		{ YDVAR(1, VAR_RRSET_ROUNDROBIN) }
 max-udp-size{COLON}		{ YDVAR(1, VAR_MAX_UDP_SIZE) }
 dns64-prefix{COLON}		{ YDVAR(1, VAR_DNS64_PREFIX) }
 dns64-synthall{COLON}		{ YDVAR(1, VAR_DNS64_SYNTHALL) }
 dns64-ignore-aaaa{COLON}	{ YDVAR(1, VAR_DNS64_IGNORE_AAAA) }
 define-tag{COLON}		{ YDVAR(1, VAR_DEFINE_TAG) }
 local-zone-tag{COLON}		{ YDVAR(2, VAR_LOCAL_ZONE_TAG) }
 access-control-tag{COLON}	{ YDVAR(2, VAR_ACCESS_CONTROL_TAG) }
--- a/util/configparser.c
+++ b/util/configparser.c
--- a/util/configparser.h
+++ b/util/configparser.h
@ -188,103 +188,104 @@ extern int yydebug;
    VAR_INFRA_CACHE_MIN_RTT = 398,
    VAR_DNS64_PREFIX = 399,
    VAR_DNS64_SYNTHALL = 400,
-    VAR_DNSTAP = 401,
+    VAR_DNS64_IGNORE_AAAA = 401,
-    VAR_DNSTAP_ENABLE = 402,
+    VAR_DNSTAP = 402,
-    VAR_DNSTAP_SOCKET_PATH = 403,
+    VAR_DNSTAP_ENABLE = 403,
-    VAR_DNSTAP_SEND_IDENTITY = 404,
+    VAR_DNSTAP_SOCKET_PATH = 404,
-    VAR_DNSTAP_SEND_VERSION = 405,
+    VAR_DNSTAP_SEND_IDENTITY = 405,
-    VAR_DNSTAP_IDENTITY = 406,
+    VAR_DNSTAP_SEND_VERSION = 406,
-    VAR_DNSTAP_VERSION = 407,
+    VAR_DNSTAP_IDENTITY = 407,
-    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 408,
+    VAR_DNSTAP_VERSION = 408,
-    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 409,
+    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 409,
-    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 410,
+    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 410,
-    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 411,
+    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 411,
-    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 412,
+    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 412,
-    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 413,
+    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 413,
-    VAR_RESPONSE_IP_TAG = 414,
+    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 414,
-    VAR_RESPONSE_IP = 415,
+    VAR_RESPONSE_IP_TAG = 415,
-    VAR_RESPONSE_IP_DATA = 416,
+    VAR_RESPONSE_IP = 416,
-    VAR_HARDEN_ALGO_DOWNGRADE = 417,
+    VAR_RESPONSE_IP_DATA = 417,
-    VAR_IP_TRANSPARENT = 418,
+    VAR_HARDEN_ALGO_DOWNGRADE = 418,
-    VAR_DISABLE_DNSSEC_LAME_CHECK = 419,
+    VAR_IP_TRANSPARENT = 419,
-    VAR_IP_RATELIMIT = 420,
+    VAR_DISABLE_DNSSEC_LAME_CHECK = 420,
-    VAR_IP_RATELIMIT_SLABS = 421,
+    VAR_IP_RATELIMIT = 421,
-    VAR_IP_RATELIMIT_SIZE = 422,
+    VAR_IP_RATELIMIT_SLABS = 422,
-    VAR_RATELIMIT = 423,
+    VAR_IP_RATELIMIT_SIZE = 423,
-    VAR_RATELIMIT_SLABS = 424,
+    VAR_RATELIMIT = 424,
-    VAR_RATELIMIT_SIZE = 425,
+    VAR_RATELIMIT_SLABS = 425,
-    VAR_RATELIMIT_FOR_DOMAIN = 426,
+    VAR_RATELIMIT_SIZE = 426,
-    VAR_RATELIMIT_BELOW_DOMAIN = 427,
+    VAR_RATELIMIT_FOR_DOMAIN = 427,
-    VAR_IP_RATELIMIT_FACTOR = 428,
+    VAR_RATELIMIT_BELOW_DOMAIN = 428,
-    VAR_RATELIMIT_FACTOR = 429,
+    VAR_IP_RATELIMIT_FACTOR = 429,
-    VAR_SEND_CLIENT_SUBNET = 430,
+    VAR_RATELIMIT_FACTOR = 430,
-    VAR_CLIENT_SUBNET_ZONE = 431,
+    VAR_SEND_CLIENT_SUBNET = 431,
-    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 432,
+    VAR_CLIENT_SUBNET_ZONE = 432,
-    VAR_CLIENT_SUBNET_OPCODE = 433,
+    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 433,
-    VAR_MAX_CLIENT_SUBNET_IPV4 = 434,
+    VAR_CLIENT_SUBNET_OPCODE = 434,
-    VAR_MAX_CLIENT_SUBNET_IPV6 = 435,
+    VAR_MAX_CLIENT_SUBNET_IPV4 = 435,
-    VAR_CAPS_WHITELIST = 436,
+    VAR_MAX_CLIENT_SUBNET_IPV6 = 436,
-    VAR_CACHE_MAX_NEGATIVE_TTL = 437,
+    VAR_CAPS_WHITELIST = 437,
-    VAR_PERMIT_SMALL_HOLDDOWN = 438,
+    VAR_CACHE_MAX_NEGATIVE_TTL = 438,
-    VAR_QNAME_MINIMISATION = 439,
+    VAR_PERMIT_SMALL_HOLDDOWN = 439,
-    VAR_QNAME_MINIMISATION_STRICT = 440,
+    VAR_QNAME_MINIMISATION = 440,
-    VAR_IP_FREEBIND = 441,
+    VAR_QNAME_MINIMISATION_STRICT = 441,
-    VAR_DEFINE_TAG = 442,
+    VAR_IP_FREEBIND = 442,
-    VAR_LOCAL_ZONE_TAG = 443,
+    VAR_DEFINE_TAG = 443,
-    VAR_ACCESS_CONTROL_TAG = 444,
+    VAR_LOCAL_ZONE_TAG = 444,
-    VAR_LOCAL_ZONE_OVERRIDE = 445,
+    VAR_ACCESS_CONTROL_TAG = 445,
-    VAR_ACCESS_CONTROL_TAG_ACTION = 446,
+    VAR_LOCAL_ZONE_OVERRIDE = 446,
-    VAR_ACCESS_CONTROL_TAG_DATA = 447,
+    VAR_ACCESS_CONTROL_TAG_ACTION = 447,
-    VAR_VIEW = 448,
+    VAR_ACCESS_CONTROL_TAG_DATA = 448,
-    VAR_ACCESS_CONTROL_VIEW = 449,
+    VAR_VIEW = 449,
-    VAR_VIEW_FIRST = 450,
+    VAR_ACCESS_CONTROL_VIEW = 450,
-    VAR_SERVE_EXPIRED = 451,
+    VAR_VIEW_FIRST = 451,
-    VAR_FAKE_DSA = 452,
+    VAR_SERVE_EXPIRED = 452,
-    VAR_FAKE_SHA1 = 453,
+    VAR_FAKE_DSA = 453,
-    VAR_LOG_IDENTITY = 454,
+    VAR_FAKE_SHA1 = 454,
-    VAR_HIDE_TRUSTANCHOR = 455,
+    VAR_LOG_IDENTITY = 455,
-    VAR_TRUST_ANCHOR_SIGNALING = 456,
+    VAR_HIDE_TRUSTANCHOR = 456,
-    VAR_AGGRESSIVE_NSEC = 457,
+    VAR_TRUST_ANCHOR_SIGNALING = 457,
-    VAR_USE_SYSTEMD = 458,
+    VAR_AGGRESSIVE_NSEC = 458,
-    VAR_SHM_ENABLE = 459,
+    VAR_USE_SYSTEMD = 459,
-    VAR_SHM_KEY = 460,
+    VAR_SHM_ENABLE = 460,
-    VAR_ROOT_KEY_SENTINEL = 461,
+    VAR_SHM_KEY = 461,
-    VAR_DNSCRYPT = 462,
+    VAR_ROOT_KEY_SENTINEL = 462,
-    VAR_DNSCRYPT_ENABLE = 463,
+    VAR_DNSCRYPT = 463,
-    VAR_DNSCRYPT_PORT = 464,
+    VAR_DNSCRYPT_ENABLE = 464,
-    VAR_DNSCRYPT_PROVIDER = 465,
+    VAR_DNSCRYPT_PORT = 465,
-    VAR_DNSCRYPT_SECRET_KEY = 466,
+    VAR_DNSCRYPT_PROVIDER = 466,
-    VAR_DNSCRYPT_PROVIDER_CERT = 467,
+    VAR_DNSCRYPT_SECRET_KEY = 467,
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 468,
+    VAR_DNSCRYPT_PROVIDER_CERT = 468,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 469,
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 469,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 470,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 470,
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 471,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 471,
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 472,
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 472,
-    VAR_IPSECMOD_ENABLED = 473,
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 473,
-    VAR_IPSECMOD_HOOK = 474,
+    VAR_IPSECMOD_ENABLED = 474,
-    VAR_IPSECMOD_IGNORE_BOGUS = 475,
+    VAR_IPSECMOD_HOOK = 475,
-    VAR_IPSECMOD_MAX_TTL = 476,
+    VAR_IPSECMOD_IGNORE_BOGUS = 476,
-    VAR_IPSECMOD_WHITELIST = 477,
+    VAR_IPSECMOD_MAX_TTL = 477,
-    VAR_IPSECMOD_STRICT = 478,
+    VAR_IPSECMOD_WHITELIST = 478,
-    VAR_CACHEDB = 479,
+    VAR_IPSECMOD_STRICT = 479,
-    VAR_CACHEDB_BACKEND = 480,
+    VAR_CACHEDB = 480,
-    VAR_CACHEDB_SECRETSEED = 481,
+    VAR_CACHEDB_BACKEND = 481,
-    VAR_CACHEDB_REDISHOST = 482,
+    VAR_CACHEDB_SECRETSEED = 482,
-    VAR_CACHEDB_REDISPORT = 483,
+    VAR_CACHEDB_REDISHOST = 483,
-    VAR_CACHEDB_REDISTIMEOUT = 484,
+    VAR_CACHEDB_REDISPORT = 484,
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 485,
+    VAR_CACHEDB_REDISTIMEOUT = 485,
-    VAR_FOR_UPSTREAM = 486,
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 486,
-    VAR_AUTH_ZONE = 487,
+    VAR_FOR_UPSTREAM = 487,
-    VAR_ZONEFILE = 488,
+    VAR_AUTH_ZONE = 488,
-    VAR_MASTER = 489,
+    VAR_ZONEFILE = 489,
-    VAR_URL = 490,
+    VAR_MASTER = 490,
-    VAR_FOR_DOWNSTREAM = 491,
+    VAR_URL = 491,
-    VAR_FALLBACK_ENABLED = 492,
+    VAR_FOR_DOWNSTREAM = 492,
-    VAR_TLS_ADDITIONAL_PORT = 493,
+    VAR_FALLBACK_ENABLED = 493,
-    VAR_LOW_RTT = 494,
+    VAR_TLS_ADDITIONAL_PORT = 494,
-    VAR_LOW_RTT_PERMIL = 495,
+    VAR_LOW_RTT = 495,
-    VAR_ALLOW_NOTIFY = 496,
+    VAR_LOW_RTT_PERMIL = 496,
-    VAR_TLS_WIN_CERT = 497
+    VAR_ALLOW_NOTIFY = 497,
    VAR_TLS_WIN_CERT = 498
  };
 #endif
 /* Tokens.  */
@ -431,103 +432,104 @@ extern int yydebug;
 #define VAR_INFRA_CACHE_MIN_RTT 398
 #define VAR_DNS64_PREFIX 399
 #define VAR_DNS64_SYNTHALL 400
-#define VAR_DNSTAP 401
+#define VAR_DNS64_IGNORE_AAAA 401
-#define VAR_DNSTAP_ENABLE 402
+#define VAR_DNSTAP 402
-#define VAR_DNSTAP_SOCKET_PATH 403
+#define VAR_DNSTAP_ENABLE 403
-#define VAR_DNSTAP_SEND_IDENTITY 404
+#define VAR_DNSTAP_SOCKET_PATH 404
-#define VAR_DNSTAP_SEND_VERSION 405
+#define VAR_DNSTAP_SEND_IDENTITY 405
-#define VAR_DNSTAP_IDENTITY 406
+#define VAR_DNSTAP_SEND_VERSION 406
-#define VAR_DNSTAP_VERSION 407
+#define VAR_DNSTAP_IDENTITY 407
-#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 408
+#define VAR_DNSTAP_VERSION 408
-#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 409
+#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 409
-#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 410
+#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 410
-#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 411
+#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 411
-#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 412
+#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 412
-#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 413
+#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 413
-#define VAR_RESPONSE_IP_TAG 414
+#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 414
-#define VAR_RESPONSE_IP 415
+#define VAR_RESPONSE_IP_TAG 415
-#define VAR_RESPONSE_IP_DATA 416
+#define VAR_RESPONSE_IP 416
-#define VAR_HARDEN_ALGO_DOWNGRADE 417
+#define VAR_RESPONSE_IP_DATA 417
-#define VAR_IP_TRANSPARENT 418
+#define VAR_HARDEN_ALGO_DOWNGRADE 418
-#define VAR_DISABLE_DNSSEC_LAME_CHECK 419
+#define VAR_IP_TRANSPARENT 419
-#define VAR_IP_RATELIMIT 420
+#define VAR_DISABLE_DNSSEC_LAME_CHECK 420
-#define VAR_IP_RATELIMIT_SLABS 421
+#define VAR_IP_RATELIMIT 421
-#define VAR_IP_RATELIMIT_SIZE 422
+#define VAR_IP_RATELIMIT_SLABS 422
-#define VAR_RATELIMIT 423
+#define VAR_IP_RATELIMIT_SIZE 423
-#define VAR_RATELIMIT_SLABS 424
+#define VAR_RATELIMIT 424
-#define VAR_RATELIMIT_SIZE 425
+#define VAR_RATELIMIT_SLABS 425
-#define VAR_RATELIMIT_FOR_DOMAIN 426
+#define VAR_RATELIMIT_SIZE 426
-#define VAR_RATELIMIT_BELOW_DOMAIN 427
+#define VAR_RATELIMIT_FOR_DOMAIN 427
-#define VAR_IP_RATELIMIT_FACTOR 428
+#define VAR_RATELIMIT_BELOW_DOMAIN 428
-#define VAR_RATELIMIT_FACTOR 429
+#define VAR_IP_RATELIMIT_FACTOR 429
-#define VAR_SEND_CLIENT_SUBNET 430
+#define VAR_RATELIMIT_FACTOR 430
-#define VAR_CLIENT_SUBNET_ZONE 431
+#define VAR_SEND_CLIENT_SUBNET 431
-#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 432
+#define VAR_CLIENT_SUBNET_ZONE 432
-#define VAR_CLIENT_SUBNET_OPCODE 433
+#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 433
-#define VAR_MAX_CLIENT_SUBNET_IPV4 434
+#define VAR_CLIENT_SUBNET_OPCODE 434
-#define VAR_MAX_CLIENT_SUBNET_IPV6 435
+#define VAR_MAX_CLIENT_SUBNET_IPV4 435
-#define VAR_CAPS_WHITELIST 436
+#define VAR_MAX_CLIENT_SUBNET_IPV6 436
-#define VAR_CACHE_MAX_NEGATIVE_TTL 437
+#define VAR_CAPS_WHITELIST 437
-#define VAR_PERMIT_SMALL_HOLDDOWN 438
+#define VAR_CACHE_MAX_NEGATIVE_TTL 438
-#define VAR_QNAME_MINIMISATION 439
+#define VAR_PERMIT_SMALL_HOLDDOWN 439
-#define VAR_QNAME_MINIMISATION_STRICT 440
+#define VAR_QNAME_MINIMISATION 440
-#define VAR_IP_FREEBIND 441
+#define VAR_QNAME_MINIMISATION_STRICT 441
-#define VAR_DEFINE_TAG 442
+#define VAR_IP_FREEBIND 442
-#define VAR_LOCAL_ZONE_TAG 443
+#define VAR_DEFINE_TAG 443
-#define VAR_ACCESS_CONTROL_TAG 444
+#define VAR_LOCAL_ZONE_TAG 444
-#define VAR_LOCAL_ZONE_OVERRIDE 445
+#define VAR_ACCESS_CONTROL_TAG 445
-#define VAR_ACCESS_CONTROL_TAG_ACTION 446
+#define VAR_LOCAL_ZONE_OVERRIDE 446
-#define VAR_ACCESS_CONTROL_TAG_DATA 447
+#define VAR_ACCESS_CONTROL_TAG_ACTION 447
-#define VAR_VIEW 448
+#define VAR_ACCESS_CONTROL_TAG_DATA 448
-#define VAR_ACCESS_CONTROL_VIEW 449
+#define VAR_VIEW 449
-#define VAR_VIEW_FIRST 450
+#define VAR_ACCESS_CONTROL_VIEW 450
-#define VAR_SERVE_EXPIRED 451
+#define VAR_VIEW_FIRST 451
-#define VAR_FAKE_DSA 452
+#define VAR_SERVE_EXPIRED 452
-#define VAR_FAKE_SHA1 453
+#define VAR_FAKE_DSA 453
-#define VAR_LOG_IDENTITY 454
+#define VAR_FAKE_SHA1 454
-#define VAR_HIDE_TRUSTANCHOR 455
+#define VAR_LOG_IDENTITY 455
-#define VAR_TRUST_ANCHOR_SIGNALING 456
+#define VAR_HIDE_TRUSTANCHOR 456
-#define VAR_AGGRESSIVE_NSEC 457
+#define VAR_TRUST_ANCHOR_SIGNALING 457
-#define VAR_USE_SYSTEMD 458
+#define VAR_AGGRESSIVE_NSEC 458
-#define VAR_SHM_ENABLE 459
+#define VAR_USE_SYSTEMD 459
-#define VAR_SHM_KEY 460
+#define VAR_SHM_ENABLE 460
-#define VAR_ROOT_KEY_SENTINEL 461
+#define VAR_SHM_KEY 461
-#define VAR_DNSCRYPT 462
+#define VAR_ROOT_KEY_SENTINEL 462
-#define VAR_DNSCRYPT_ENABLE 463
+#define VAR_DNSCRYPT 463
-#define VAR_DNSCRYPT_PORT 464
+#define VAR_DNSCRYPT_ENABLE 464
-#define VAR_DNSCRYPT_PROVIDER 465
+#define VAR_DNSCRYPT_PORT 465
-#define VAR_DNSCRYPT_SECRET_KEY 466
+#define VAR_DNSCRYPT_PROVIDER 466
-#define VAR_DNSCRYPT_PROVIDER_CERT 467
+#define VAR_DNSCRYPT_SECRET_KEY 467
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 468
+#define VAR_DNSCRYPT_PROVIDER_CERT 468
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 469
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 469
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 470
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 470
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 471
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 471
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 472
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 472
-#define VAR_IPSECMOD_ENABLED 473
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 473
-#define VAR_IPSECMOD_HOOK 474
+#define VAR_IPSECMOD_ENABLED 474
-#define VAR_IPSECMOD_IGNORE_BOGUS 475
+#define VAR_IPSECMOD_HOOK 475
-#define VAR_IPSECMOD_MAX_TTL 476
+#define VAR_IPSECMOD_IGNORE_BOGUS 476
-#define VAR_IPSECMOD_WHITELIST 477
+#define VAR_IPSECMOD_MAX_TTL 477
-#define VAR_IPSECMOD_STRICT 478
+#define VAR_IPSECMOD_WHITELIST 478
-#define VAR_CACHEDB 479
+#define VAR_IPSECMOD_STRICT 479
-#define VAR_CACHEDB_BACKEND 480
+#define VAR_CACHEDB 480
-#define VAR_CACHEDB_SECRETSEED 481
+#define VAR_CACHEDB_BACKEND 481
-#define VAR_CACHEDB_REDISHOST 482
+#define VAR_CACHEDB_SECRETSEED 482
-#define VAR_CACHEDB_REDISPORT 483
+#define VAR_CACHEDB_REDISHOST 483
-#define VAR_CACHEDB_REDISTIMEOUT 484
+#define VAR_CACHEDB_REDISPORT 484
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 485
+#define VAR_CACHEDB_REDISTIMEOUT 485
-#define VAR_FOR_UPSTREAM 486
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 486
-#define VAR_AUTH_ZONE 487
+#define VAR_FOR_UPSTREAM 487
-#define VAR_ZONEFILE 488
+#define VAR_AUTH_ZONE 488
-#define VAR_MASTER 489
+#define VAR_ZONEFILE 489
-#define VAR_URL 490
+#define VAR_MASTER 490
-#define VAR_FOR_DOWNSTREAM 491
+#define VAR_URL 491
-#define VAR_FALLBACK_ENABLED 492
+#define VAR_FOR_DOWNSTREAM 492
-#define VAR_TLS_ADDITIONAL_PORT 493
+#define VAR_FALLBACK_ENABLED 493
-#define VAR_LOW_RTT 494
+#define VAR_TLS_ADDITIONAL_PORT 494
-#define VAR_LOW_RTT_PERMIL 495
+#define VAR_LOW_RTT 495
-#define VAR_ALLOW_NOTIFY 496
+#define VAR_LOW_RTT_PERMIL 496
-#define VAR_TLS_WIN_CERT 497
+#define VAR_ALLOW_NOTIFY 497
 #define VAR_TLS_WIN_CERT 498
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@ -538,7 +540,7 @@ union YYSTYPE
 	char*	str;
-#line 542 "util/configparser.h" /* yacc.c:1909  */
+#line 544 "util/configparser.h" /* yacc.c:1909  */
 };
 typedef union YYSTYPE YYSTYPE;
--- a/util/configparser.y
+++ b/util/configparser.y
@ -114,7 +114,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
 %token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
 %token VAR_INFRA_CACHE_MIN_RTT
-%token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL
+%token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL VAR_DNS64_IGNORE_AAAA
 %token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH
 %token VAR_DNSTAP_SEND_IDENTITY VAR_DNSTAP_SEND_VERSION
 %token VAR_DNSTAP_IDENTITY VAR_DNSTAP_VERSION
@ -221,7 +221,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
 	server_so_reuseport | server_delay_close |
 	server_unblock_lan_zones | server_insecure_lan_zones |
-	server_dns64_prefix | server_dns64_synthall |
+	server_dns64_prefix | server_dns64_synthall | server_dns64_ignore_aaaa |
 	server_infra_cache_min_rtt | server_harden_algo_downgrade |
 	server_ip_transparent | server_ip_ratelimit | server_ratelimit |
 	server_ip_ratelimit_slabs | server_ratelimit_slabs |
@ -1663,6 +1663,14 @@ server_dns64_synthall: VAR_DNS64_SYNTHALL STRING_ARG
 		free($2);
 	}
 	;
 server_dns64_ignore_aaaa: VAR_DNS64_IGNORE_AAAA STRING_ARG
 	{
 		OUTYY(("P(dns64_ignore_aaaa:%s)\n", $2));
 		if(!cfg_strlist_insert(&cfg_parser->cfg->dns64_ignore_aaaa,
 			$2))
 			fatal_exit("out of memory adding dns64-ignore-aaaa");
 	}
 	;
 server_define_tag: VAR_DEFINE_TAG STRING_ARG
 	{
 		char* p, *s = $2;