- Add option to send DNSTAP messages over bidirectional frame streams

dnstap/dnstap_fstrm.c

@@ -92,6 +92,34 @@ void* fstrm_create_control_frame_stop(size_t* len)
 	return control;
 }
 
+void* fstrm_create_control_frame_ready(char* contenttype, size_t* len)
+{
+	uint32_t* control;
+	size_t n;
+	/* start bidirectional stream:
+	 * 4 bytes 0 escape
+	 * 4 bytes bigendian length of frame
+	 * 4 bytes bigendian type READY
+	 * 4 bytes bigendian frame option content type
+	 * 4 bytes bigendian length of string
+	 * string of content type.
+	 */
+	/* len includes the escape and framelength */
+	n = 4+4+4+4+4+strlen(contenttype);
+	control = malloc(n);
+	if(!control) {
+		return NULL;
+	}
+	control[0] = 0;
+	control[1] = htonl(4+4+4+strlen(contenttype));
+	control[2] = htonl(FSTRM_CONTROL_FRAME_READY);
+	control[3] = htonl(FSTRM_CONTROL_FIELD_TYPE_CONTENT_TYPE);
+	control[4] = htonl(strlen(contenttype));
+	memmove(&control[5], contenttype, strlen(contenttype));
+	*len = n;
+	return control;
+}
+
 void* fstrm_create_control_frame_accept(char* contenttype, size_t* len)
 {
 	uint32_t* control;

dnstap/dnstap_fstrm.h

@@ -127,6 +127,21 @@
  */
 void* fstrm_create_control_frame_start(char* contenttype, size_t* len);
 
+/**
+ * This creates an FSTRM control frame of type READY.
+ * @param contenttype: a zero delimited string with the content type.
+ * 	eg. use the constant DNSTAP_CONTENT_TYPE, which is defined as
+ * 	"protobuf:dnstap.Dnstap", for a dnstap frame stream.
+ * @param len: if a buffer is returned this is the length of that buffer.
+ * @return NULL on malloc failure.  Returns a malloced buffer with the
+ * protocol message.  The buffer starts with the 4 bytes of 0 that indicate
+ * a control frame.  The buffer should be sent without preceding it with
+ * the 'len' variable (like data frames are), but straight the content of the
+ * buffer, because the lengths are included in the buffer.  This is so that
+ * the zero control indicator can be included before the control frame length.
+ */
+void* fstrm_create_control_frame_ready(char* contenttype, size_t* len);
+
 /**
  * This creates an FSTRM control frame of type STOP.
  * @param len: if a buffer is returned this is the length of that buffer.

dnstap/dtstream.c

@@ -48,6 +48,7 @@
 #include "util/ub_event.h"
 #include "util/net_help.h"
 #include "services/outside_network.h"
+#include "sldns/sbuffer.h"
 #ifdef HAVE_SYS_UN_H
 #include <sys/un.h>
 #endif
@@ -85,6 +86,8 @@ static int dtio_add_output_event_write(struct dt_io_thread* dtio);
 static void dtio_reconnect_enable(struct dt_io_thread* dtio);
 /** stop from stop_flush event loop */
 static void dtio_stop_flush_exit(struct stop_flush_info* info);
+/** setup a start control message */
+static int dtio_control_start_send(struct dt_io_thread* dtio);
 #ifdef HAVE_SSL
 /** enable briefly waiting for a read event, for SSL negotiation */
 static int dtio_enable_brief_read(struct dt_io_thread* dtio);
@@ -261,6 +264,7 @@ int dt_io_thread_apply_cfg(struct dt_io_thread* dtio, struct config_file *cfg)
 	} else {
 		dtio->upstream_is_unix = 1;
 	}
+	dtio->is_bidirectional = cfg->dnstap_bidirectional;
 
 	if(dtio->upstream_is_unix) {
 		if(!cfg->dnstap_socket_path ||
@@ -551,6 +555,20 @@ static void dtio_cur_msg_free(struct dt_io_thread* dtio)
 	dtio->cur_msg_len_done = 0;
 }
 
+/** delete the buffer and counters used to read frame */
+static void dtio_read_frame_free(struct dt_frame_read_buf* rb)
+{
+	if(rb->buf) {
+		free(rb->buf);
+		rb->buf = NULL;
+	}
+	rb->buf_count = 0;
+	rb->buf_cap = 0;
+	rb->frame_len = 0;
+	rb->frame_len_done = 0;
+	rb->control_frame = 0;
+}
+
 /** del the output file descriptor event for listening */
 static void dtio_del_output_event(struct dt_io_thread* dtio)
 {
@@ -594,6 +612,11 @@ static void dtio_close_output(struct dt_io_thread* dtio)
 	if(dtio->cur_msg) {
 		dtio_cur_msg_free(dtio);
 	}
+
+	dtio->ready_frame_sent = 0;
+	dtio->accept_frame_received = 0;
+	dtio_read_frame_free(&dtio->read_frame);
+
 	dtio_reconnect_enable(dtio);
 }
 
@@ -855,6 +878,94 @@ static int dtio_write_more(struct dt_io_thread* dtio)
 	return 1;
 }
 
+/** Receive bytes from dtio->fd, store in buffer. Returns 0: closed,
+ * -1: continue, >0: number of bytes read into buffer */
+static ssize_t receive_bytes(struct dt_io_thread* dtio, void* buf, size_t len) {
+	ssize_t r;
+	r = recv(dtio->fd, (void*)buf, len, 0);
+	if(r == -1) {
+		char* to = dtio->socket_path;
+		if(!to) to = dtio->ip_str;
+		if(!to) to = "";
+#ifndef USE_WINSOCK
+		if(errno == EINTR || errno == EAGAIN)
+			return -1; /* try later */
+#else
+		if(WSAGetLastError() == WSAEINPROGRESS) {
+			return -1; /* try later */
+		} else if(WSAGetLastError() == WSAEWOULDBLOCK) {
+			ub_winsock_tcp_wouldblock(
+				(dtio->stop_flush_event?
+				dtio->stop_flush_event:dtio->event),
+				UB_EV_READ);
+			return -1; /* try later */
+		}
+#endif
+		if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
+			verbosity < 4)
+			return 0; /* no log retries on low verbosity */
+		log_err("dnstap io: output closed, recv %s: %s", to,
+			strerror(errno));
+		/* and close below */
+		return 0;
+	}
+	if(r == 0) {
+		if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
+			verbosity < 4)
+			return 0; /* no log retries on low verbosity */
+		verbose(VERB_DETAIL, "dnstap io: output closed by the other side");
+		/* and close below */
+		return 0;
+	}
+	/* something was received */
+	return r;
+}
+
+#ifdef HAVE_SSL
+/** Receive bytes over TLS from dtio->fd, store in buffer. Returns 0: closed,
+ * -1: continue, >0: number of bytes read into buffer */
+static int ssl_read_bytes(struct dt_io_thread* dtio, void* buf, size_t len)
+{
+	int r;
+	ERR_clear_error();
+	r = SSL_read(dtio->ssl, buf, len);
+	if(r <= 0) {
+		int want = SSL_get_error(dtio->ssl, r);
+		if(want == SSL_ERROR_ZERO_RETURN) {
+			if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
+				verbosity < 4)
+				return 0; /* no log retries on low verbosity */
+			verbose(VERB_DETAIL, "dnstap io: output closed by the "
+				"other side");
+			return 0;
+		} else if(want == SSL_ERROR_WANT_READ) {
+			/* continue later */
+			return -1;
+		} else if(want == SSL_ERROR_WANT_WRITE) {
+			(void)dtio_add_output_event_write(dtio);
+			return -1;
+		} else if(want == SSL_ERROR_SYSCALL) {
+#ifdef ECONNRESET
+			if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN &&
+				errno == ECONNRESET && verbosity < 4)
+				return 0; /* silence reset by peer */
+#endif
+			if(errno != 0)
+				log_err("SSL_read syscall: %s",
+					strerror(errno));
+			verbose(VERB_DETAIL, "dnstap io: output closed by the "
+				"other side");
+			return 0;
+		}
+		log_crypto_err("could not SSL_read");
+		verbose(VERB_DETAIL, "dnstap io: output closed by the "
+				"other side");
+		return 0;
+	}
+	return r;
+}
+#endif /* HAVE_SSL */
+
 /** check if the output fd has been closed,
  * it returns false if the stream is closed. */
 static int dtio_check_close(struct dt_io_thread* dtio)
@@ -864,44 +975,17 @@ static int dtio_check_close(struct dt_io_thread* dtio)
 	 * packets is okay for the framestream protocol.  And also, the
 	 * read call can return that the stream has been closed by the
 	 * other side. */
-	ssize_t r;
 	uint8_t buf[1024];
+	int r = -1;
+
+
 	if(dtio->fd == -1) return 0;
-	while(1) {
-		r = recv(dtio->fd, (void*)buf, sizeof(buf), 0);
-		if(r == -1) {
-			char* to = dtio->socket_path;
-			if(!to) to = dtio->ip_str;
-			if(!to) to = "";
-#ifndef USE_WINSOCK
-			if(errno == EINTR || errno == EAGAIN)
-				return 1; /* try later */
-#else
-			if(WSAGetLastError() == WSAEINPROGRESS) {
-				return 1; /* try later */
-			} else if(WSAGetLastError() == WSAEWOULDBLOCK) {
-				ub_winsock_tcp_wouldblock(
-					(dtio->stop_flush_event?
-					dtio->stop_flush_event:dtio->event),
-					UB_EV_READ);
-				return 1; /* try later */
-			}
-#endif
-			if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN && verbosity < 4)
-				break; /* no log retries on low verbosity */
-			log_err("dnstap io: output closed, recv %s: %s", to,
-				strerror(errno));
-			/* and close below */
-			break;
-		}
-		if(r == 0) {
-			if(dtio->reconnect_timeout > DTIO_RECONNECT_TIMEOUT_MIN && verbosity < 4)
-				break; /* no log retries on low verbosity */
-			verbose(VERB_DETAIL, "dnstap io: output closed by the other side");
-			/* and close below */
-			break;
-		}
-		/* something was received, ignore it */
+
+	while(r != 0) {
+		/* not interested in buffer content, overwrite */
+		r = receive_bytes(dtio, (void*)buf, sizeof(buf));
+		if(r == -1)
+			return 1;
 	}
 	/* the other end has been closed */
 	/* close the channel */
@@ -910,6 +994,118 @@ static int dtio_check_close(struct dt_io_thread* dtio)
 	return 0;
 }
 
+/** Read accept frame. Returns -1: continue reading, 0: closed,
+ * 1: valid accept received. */
+static int dtio_read_accept_frame(struct dt_io_thread* dtio)
+{
+	int r;
+	while(dtio->read_frame.frame_len_done < 4) {
+#ifdef HAVE_SSL
+		if(dtio->ssl) {
+			r = ssl_read_bytes(dtio,
+				(uint8_t*)&dtio->read_frame.frame_len+
+				dtio->read_frame.frame_len_done,
+				4-dtio->read_frame.frame_len_done);
+		} else {
+#endif
+			r = receive_bytes(dtio,
+				(uint8_t*)&dtio->read_frame.frame_len+
+				dtio->read_frame.frame_len_done,
+				4-dtio->read_frame.frame_len_done);
+#ifdef HAVE_SSL
+		}
+#endif
+		if(r == -1)
+			return -1; /* continue reading */
+		if(r == 0) {
+			 /* connection closed */
+			goto close_connection;
+		}
+		dtio->read_frame.frame_len_done += r;
+		if(dtio->read_frame.frame_len_done < 4)
+			return -1; /* continue reading */
+
+		if(dtio->read_frame.frame_len == 0) {
+			dtio->read_frame.frame_len_done = 0;
+			dtio->read_frame.control_frame = 1;
+			continue;
+		}
+		dtio->read_frame.frame_len = ntohl(dtio->read_frame.frame_len);
+		dtio->read_frame.buf = calloc(1, dtio->read_frame.frame_len);
+		dtio->read_frame.buf_cap = dtio->read_frame.frame_len;
+		if(!dtio->read_frame.buf) {
+			log_err("dnstap io: out of memory (creating read "
+				"buffer)");
+			goto close_connection;
+		}
+	}
+	if(dtio->read_frame.buf_count < dtio->read_frame.frame_len) {
+#ifdef HAVE_SSL
+		if(dtio->ssl) {
+			r = ssl_read_bytes(dtio, dtio->read_frame.buf+
+				dtio->read_frame.buf_count,
+				dtio->read_frame.buf_cap-
+				dtio->read_frame.buf_count);
+		} else {
+#endif
+			r = receive_bytes(dtio, dtio->read_frame.buf+
+				dtio->read_frame.buf_count,
+				dtio->read_frame.buf_cap-
+				dtio->read_frame.buf_count);
+#ifdef HAVE_SSL
+		}
+#endif
+		if(r == -1)
+			return -1; /* continue reading */
+		if(r == 0) {
+			 /* connection closed */
+			goto close_connection;
+		}
+		dtio->read_frame.buf_count += r;
+		if(dtio->read_frame.buf_count < dtio->read_frame.frame_len)
+			return -1; /* continue reading */
+	}
+
+	/* Complete frame received, check if this is a valid ACCEPT control
+	 * frame. */
+	if(dtio->read_frame.frame_len < 4) {
+		verbose(VERB_OPS, "dnstap: invalid data received");
+		goto close_connection;
+	}
+	if(sldns_read_uint32(dtio->read_frame.buf) !=
+		FSTRM_CONTROL_FRAME_ACCEPT) {
+		verbose(VERB_ALGO, "dnstap: invalid control type received, "
+			"ignored");
+		dtio->ready_frame_sent = 0;
+		dtio->accept_frame_received = 0;
+		dtio_read_frame_free(&dtio->read_frame);
+		return -1;
+	}
+
+	if(dtio->read_frame.frame_len != 4+4+4+strlen(DNSTAP_CONTENT_TYPE) ||
+		memcmp(dtio->read_frame.buf+4+4+4, DNSTAP_CONTENT_TYPE,
+			strlen(DNSTAP_CONTENT_TYPE)) != 0) {
+		verbose(VERB_OPS, "dnstap: invalid content type on ACCEPT "
+			"frame");
+		goto close_connection;
+	}
+
+	if(!dtio_control_start_send(dtio)) {
+		verbose(VERB_OPS, "dnstap io: out of memory while sending "
+			"START frame");
+		goto close_connection;
+	}
+
+	dtio->accept_frame_received = 1;
+	return 1;
+
+close_connection:
+	dtio_del_output_event(dtio);
+	dtio_reconnect_slow(dtio, DTIO_RECONNECT_TIMEOUT_SLOW);
+	dtio_close_output(dtio);
+	return 0;
+}
+
 /** add the output file descriptor event for listening, read only */
 static int dtio_add_output_event_read(struct dt_io_thread* dtio)
 {
@@ -1176,7 +1372,10 @@ void dtio_output_cb(int ATTR_UNUSED(fd), short bits, void* arg)
 #endif
 
 	if((bits&UB_EV_READ)) {
-		if(!dtio_check_close(dtio))
+		if(dtio->ready_frame_sent && !dtio->accept_frame_received) {
+			if(dtio_read_accept_frame(dtio) <= 0)
+				return;
+		} else if(!dtio_check_close(dtio))
 			return;
 	}
 
@@ -1208,6 +1407,15 @@ void dtio_output_cb(int ATTR_UNUSED(fd), short bits, void* arg)
 
 		/* done with the current message */
 		dtio_cur_msg_free(dtio);
+
+		/* If this is a bidirectional stream the first message will be
+		 * the READY control frame. We can only continue writing after
+		 * receiving an ACCEPT control frame. */
+		if(dtio->is_bidirectional && !dtio->ready_frame_sent) {
+			dtio->ready_frame_sent = 1;
+			(void)dtio_add_output_event_read(dtio);
+			break;
+		}
 	}
 }
 
@@ -1240,6 +1448,13 @@ void dtio_cmd_cb(int fd, short ATTR_UNUSED(bits), void* arg)
 		verbose(VERB_ALGO, "dnstap io: cmd channel cmd quit");
 	} else if(r == 1 && cmd == DTIO_COMMAND_WAKEUP) {
 		verbose(VERB_ALGO, "dnstap io: cmd channel cmd wakeup");
+
+		if(dtio->is_bidirectional && !dtio->accept_frame_received) {
+			verbose(VERB_ALGO, "dnstap io: cmd wakeup ignored, "
+				"waiting for ACCEPT control frame");
+			return;
+		}
+
 		/* reregister event */
 		if(!dtio_add_output_event_write(dtio))
 			return;
@@ -1561,6 +1776,25 @@ static int dtio_control_start_send(struct dt_io_thread* dtio)
 	return 1;
 }
 
+/** setup a ready control message */
+static int dtio_control_ready_send(struct dt_io_thread* dtio)
+{
+	log_assert(dtio->cur_msg == NULL && dtio->cur_msg_len == 0);
+	dtio->cur_msg = fstrm_create_control_frame_ready(DNSTAP_CONTENT_TYPE,
+		&dtio->cur_msg_len);
+	if(!dtio->cur_msg) {
+		return 0;
+	}
+	/* setup to send the control message */
+	/* set that the buffer needs to be sent, but the length
+	 * of that buffer is already written, that way the buffer can
+	 * start with 0 length and then the length of the control frame
+	 * in it */
+	dtio->cur_msg_done = 0;
+	dtio->cur_msg_len_done = 4;
+	return 1;
+}
+
 /** open the output file descriptor for af_local */
 static int dtio_open_output_local(struct dt_io_thread* dtio)
 {
@@ -1693,7 +1927,8 @@ static void dtio_open_output(struct dt_io_thread* dtio)
 	}
 	dtio->check_nb_connect = 1;
 
-	/* the EV_READ is to catch channel close, write to write packets */
+	/* the EV_READ is to read ACCEPT control messages, and catch channel
+	 * close. EV_WRITE is to write packets */
 	ev = ub_event_new(dtio->event_base, dtio->fd,
 		UB_EV_READ | UB_EV_WRITE | UB_EV_PERSIST, &dtio_output_cb,
 		dtio);
@@ -1712,7 +1947,8 @@ static void dtio_open_output(struct dt_io_thread* dtio)
 	dtio->event = ev;
 
 	/* setup protocol control message to start */
-	if(!dtio_control_start_send(dtio)) {
+	if((!dtio->is_bidirectional && !dtio_control_start_send(dtio)) ||
+		(dtio->is_bidirectional && !dtio_control_ready_send(dtio)) ) {
 		log_err("dnstap io: out of memory");
 		ub_event_free(dtio->event);
 		dtio->event = NULL;

dnstap/dtstream.h

@@ -88,6 +88,27 @@ struct dt_msg_entry {
 	size_t len;
 };
 
+/**
+ * Containing buffer and counter for reading DNSTAP frames.
+ */
+struct dt_frame_read_buf {
+	/** Buffer containing frame, except length counter(s). */
+	void* buf;
+	/** Number of bytes written to buffer. */
+	size_t buf_count;
+	/** Capacity of the buffer. */
+	size_t buf_cap;
+
+	/** Frame length field. Will contain the 2nd length field for control
+	 * frames. */
+	uint32_t frame_len;
+	/** Number of bytes that have been written to the frame_length field. */
+	size_t frame_len_done;
+
+	/** Set to 1 if this is a control frame, 0 otherwise (ie data frame). */
+	int control_frame;
+};
+
 /**
  * IO thread that reads from the queues and writes them.
  */
@@ -171,6 +192,16 @@ struct dt_io_thread {
 	 * and client certificates can be used for authentication. */
 	int upstream_is_tls;
 
+	/** Perform bidirectional Frame Streams handshake before sending
+	 * messages. */
+	int is_bidirectional;
+	/** Set if the READY control frame has been sent. */
+	int ready_frame_sent;
+	/** Set if valid ACCEPT frame is received. */
+	int accept_frame_received;
+	/** (partially) read frame */
+	struct dt_frame_read_buf read_frame;
+
 	/** the file path for unix socket (or NULL) */
 	char* socket_path;
 	/** the ip address and port number (or NULL) */

dnstap/unbound-dnstap-socket.c

@@ -770,10 +770,11 @@ void tap_data_free(struct tap_data* data)
 
 /** reply with ACCEPT control frame to bidirectional client,
  * returns 0 on error */
-static int reply_with_accept(int fd)
+static int reply_with_accept(struct tap_data* data)
 {
 #ifdef USE_DNSTAP
 	/* len includes the escape and framelength */
+	int r;
 	size_t len = 0;
 	void* acceptframe = fstrm_create_control_frame_accept(
 		DNSTAP_CONTENT_TYPE, &len);
@@ -782,21 +783,34 @@ static int reply_with_accept(int fd)
 		return 0;
 	}
 
-	fd_set_block(fd);
-	if(send(fd, acceptframe, len, 0) == -1) {
+	fd_set_block(data->fd);
+	if(data->ssl) {
+		if((r=SSL_write(data->ssl, acceptframe, len)) <= 0) {
+			if(SSL_get_error(data->ssl, r) == SSL_ERROR_ZERO_RETURN)
+				log_err("SSL_write, peer closed connection");
+			else
+				log_err("could not SSL_write");
+			fd_set_nonblock(data->fd);
+			free(acceptframe);
+			return 0;
+		}
+	} else {
+		if(send(data->fd, acceptframe, len, 0) == -1) {
 #ifndef USE_WINSOCK
-		log_err("send failed: %s", strerror(errno));
+			log_err("send failed: %s", strerror(errno));
 #else
-		log_err("send failed: %s", wsa_strerror(WSAGetLastError()));
+			log_err("send failed: %s",
+				wsa_strerror(WSAGetLastError()));
 #endif
-		fd_set_nonblock(fd);
-		free(acceptframe);
-		return 0;
+			fd_set_nonblock(data->fd);
+			free(acceptframe);
+			return 0;
+		}
 	}
 	if(verbosity) log_info("sent control frame(accept) content-type:(%s)",
 			DNSTAP_CONTENT_TYPE);
 
-	fd_set_nonblock(fd);
+	fd_set_nonblock(data->fd);
 	free(acceptframe);
 	return 1;
 #else
@@ -1033,7 +1047,7 @@ void dtio_tap_callback(int fd, short ATTR_UNUSED(bits), void* arg)
 		FSTRM_CONTROL_FRAME_READY) {
 		data->is_bidirectional = 1;
 		if(verbosity) log_info("bidirectional stream");
-		if(!reply_with_accept(fd)) {
+		if(!reply_with_accept(data)) {
 			tap_data_free(data);
 		}
 	} else if(data->len >= 4 && sldns_read_uint32(data->frame) ==

doc/example.conf.in

@@ -1046,6 +1046,8 @@ remote-control:
 # upstream log destination, by socket path, TCP or TLS destination.
 # dnstap:
 # 	dnstap-enable: no
+# 	# if set to yes frame streams will be used in bidirectional mode
+# 	dnstap-bidirectional: yes
 # 	dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
 # 	# if "" use the unix socket in dnstap-socket-path, otherwise,
 # 	# set it to "IPaddress[@port]" of the destination.

doc/unbound.conf.5.in

@@ -2183,6 +2183,10 @@ If dnstap is enabled.  Default no.  If yes, it connects to the dnstap server
 and if any of the dnstap-log-..-messages options is enabled it sends logs
 for those messages to the server.
 .TP
+.B dnstap-bidirectional: \fI<yes or no>
+Use frame streams in bidirectional mode to transfer DNSTAP messages. Default is
+yes.
+.TP
 .B dnstap-socket-path: \fI<file name>
 Sets the unix socket file name for connecting to the server that is
 listening on that socket.  Default is "@DNSTAP_SOCKET_PATH@".

util/config_file.c

@@ -298,6 +298,7 @@ config_create(void)
 	if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH)))
 		goto error_exit;
 #endif
+	cfg->dnstap_bidirectional = 1;
 	cfg->dnstap_tls = 1;
 	cfg->disable_dnssec_lame_check = 0;
 	cfg->ip_ratelimit = 0;
@@ -639,6 +640,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 #endif
 #ifdef USE_DNSTAP
 	else S_YNO("dnstap-enable:", dnstap)
+	else S_YNO("dnstap-bidirectional:", dnstap_bidirectional)
 	else S_STR("dnstap-socket-path:", dnstap_socket_path)
 	else S_STR("dnstap-ip:", dnstap_ip)
 	else S_YNO("dnstap-tls:", dnstap_tls)
@@ -1055,6 +1057,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 #endif
 #ifdef USE_DNSTAP
 	else O_YNO(opt, "dnstap-enable", dnstap)
+	else O_YNO(opt, "dnstap-bidirectional", dnstap_bidirectional)
 	else O_STR(opt, "dnstap-socket-path", dnstap_socket_path)
 	else O_STR(opt, "dnstap-ip", dnstap_ip)
 	else O_YNO(opt, "dnstap-tls", dnstap_tls)

util/config_file.h

@@ -481,6 +481,8 @@ struct config_file {
 
 	/** true to enable dnstap support */
 	int dnstap;
+	/** using bidirectional frame streams if true */
+	int dnstap_bidirectional;
 	/** dnstap socket path */
 	char* dnstap_socket_path;
 	/** dnstap IP */

util/configlexer.lex

@@ -434,6 +434,7 @@ access-control-view{COLON}	{ YDVAR(2, VAR_ACCESS_CONTROL_VIEW) }
 local-zone-override{COLON}	{ YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) }
 dnstap{COLON}			{ YDVAR(0, VAR_DNSTAP) }
 dnstap-enable{COLON}		{ YDVAR(1, VAR_DNSTAP_ENABLE) }
+dnstap-bidirectional{COLON}	{ YDVAR(1, VAR_DNSTAP_BIDIRECTIONAL) }
 dnstap-socket-path{COLON}	{ YDVAR(1, VAR_DNSTAP_SOCKET_PATH) }
 dnstap-ip{COLON}		{ YDVAR(1, VAR_DNSTAP_IP) }
 dnstap-tls{COLON}		{ YDVAR(1, VAR_DNSTAP_TLS) }

util/configparser.h

@@ -1,8 +1,8 @@
-/* A Bison parser, made by GNU Bison 3.4.1.  */
+/* A Bison parser, made by GNU Bison 3.5.1.  */
 
 /* Bison interface for Yacc-like parsers in C
 
-   Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation,
+   Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2020 Free Software Foundation,
    Inc.
 
    This program is free software: you can redistribute it and/or modify
@@ -209,133 +209,134 @@ extern int yydebug;
     VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 415,
     VAR_DNSTAP_SEND_IDENTITY = 416,
     VAR_DNSTAP_SEND_VERSION = 417,
-    VAR_DNSTAP_IDENTITY = 418,
-    VAR_DNSTAP_VERSION = 419,
-    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 420,
-    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 421,
-    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 422,
-    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 423,
-    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 424,
-    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 425,
-    VAR_RESPONSE_IP_TAG = 426,
-    VAR_RESPONSE_IP = 427,
-    VAR_RESPONSE_IP_DATA = 428,
-    VAR_HARDEN_ALGO_DOWNGRADE = 429,
-    VAR_IP_TRANSPARENT = 430,
-    VAR_IP_DSCP = 431,
-    VAR_DISABLE_DNSSEC_LAME_CHECK = 432,
-    VAR_IP_RATELIMIT = 433,
-    VAR_IP_RATELIMIT_SLABS = 434,
-    VAR_IP_RATELIMIT_SIZE = 435,
-    VAR_RATELIMIT = 436,
-    VAR_RATELIMIT_SLABS = 437,
-    VAR_RATELIMIT_SIZE = 438,
-    VAR_RATELIMIT_FOR_DOMAIN = 439,
-    VAR_RATELIMIT_BELOW_DOMAIN = 440,
-    VAR_IP_RATELIMIT_FACTOR = 441,
-    VAR_RATELIMIT_FACTOR = 442,
-    VAR_SEND_CLIENT_SUBNET = 443,
-    VAR_CLIENT_SUBNET_ZONE = 444,
-    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 445,
-    VAR_CLIENT_SUBNET_OPCODE = 446,
-    VAR_MAX_CLIENT_SUBNET_IPV4 = 447,
-    VAR_MAX_CLIENT_SUBNET_IPV6 = 448,
-    VAR_MIN_CLIENT_SUBNET_IPV4 = 449,
-    VAR_MIN_CLIENT_SUBNET_IPV6 = 450,
-    VAR_MAX_ECS_TREE_SIZE_IPV4 = 451,
-    VAR_MAX_ECS_TREE_SIZE_IPV6 = 452,
-    VAR_CAPS_WHITELIST = 453,
-    VAR_CACHE_MAX_NEGATIVE_TTL = 454,
-    VAR_PERMIT_SMALL_HOLDDOWN = 455,
-    VAR_QNAME_MINIMISATION = 456,
-    VAR_QNAME_MINIMISATION_STRICT = 457,
-    VAR_IP_FREEBIND = 458,
-    VAR_DEFINE_TAG = 459,
-    VAR_LOCAL_ZONE_TAG = 460,
-    VAR_ACCESS_CONTROL_TAG = 461,
-    VAR_LOCAL_ZONE_OVERRIDE = 462,
-    VAR_ACCESS_CONTROL_TAG_ACTION = 463,
-    VAR_ACCESS_CONTROL_TAG_DATA = 464,
-    VAR_VIEW = 465,
-    VAR_ACCESS_CONTROL_VIEW = 466,
-    VAR_VIEW_FIRST = 467,
-    VAR_SERVE_EXPIRED = 468,
-    VAR_SERVE_EXPIRED_TTL = 469,
-    VAR_SERVE_EXPIRED_TTL_RESET = 470,
-    VAR_SERVE_EXPIRED_REPLY_TTL = 471,
-    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 472,
-    VAR_FAKE_DSA = 473,
-    VAR_FAKE_SHA1 = 474,
-    VAR_LOG_IDENTITY = 475,
-    VAR_HIDE_TRUSTANCHOR = 476,
-    VAR_TRUST_ANCHOR_SIGNALING = 477,
-    VAR_AGGRESSIVE_NSEC = 478,
-    VAR_USE_SYSTEMD = 479,
-    VAR_SHM_ENABLE = 480,
-    VAR_SHM_KEY = 481,
-    VAR_ROOT_KEY_SENTINEL = 482,
-    VAR_DNSCRYPT = 483,
-    VAR_DNSCRYPT_ENABLE = 484,
-    VAR_DNSCRYPT_PORT = 485,
-    VAR_DNSCRYPT_PROVIDER = 486,
-    VAR_DNSCRYPT_SECRET_KEY = 487,
-    VAR_DNSCRYPT_PROVIDER_CERT = 488,
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 489,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 490,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 491,
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 492,
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 493,
-    VAR_IPSECMOD_ENABLED = 494,
-    VAR_IPSECMOD_HOOK = 495,
-    VAR_IPSECMOD_IGNORE_BOGUS = 496,
-    VAR_IPSECMOD_MAX_TTL = 497,
-    VAR_IPSECMOD_WHITELIST = 498,
-    VAR_IPSECMOD_STRICT = 499,
-    VAR_CACHEDB = 500,
-    VAR_CACHEDB_BACKEND = 501,
-    VAR_CACHEDB_SECRETSEED = 502,
-    VAR_CACHEDB_REDISHOST = 503,
-    VAR_CACHEDB_REDISPORT = 504,
-    VAR_CACHEDB_REDISTIMEOUT = 505,
-    VAR_CACHEDB_REDISEXPIRERECORDS = 506,
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 507,
-    VAR_FOR_UPSTREAM = 508,
-    VAR_AUTH_ZONE = 509,
-    VAR_ZONEFILE = 510,
-    VAR_MASTER = 511,
-    VAR_URL = 512,
-    VAR_FOR_DOWNSTREAM = 513,
-    VAR_FALLBACK_ENABLED = 514,
-    VAR_TLS_ADDITIONAL_PORT = 515,
-    VAR_LOW_RTT = 516,
-    VAR_LOW_RTT_PERMIL = 517,
-    VAR_FAST_SERVER_PERMIL = 518,
-    VAR_FAST_SERVER_NUM = 519,
-    VAR_ALLOW_NOTIFY = 520,
-    VAR_TLS_WIN_CERT = 521,
-    VAR_TCP_CONNECTION_LIMIT = 522,
-    VAR_FORWARD_NO_CACHE = 523,
-    VAR_STUB_NO_CACHE = 524,
-    VAR_LOG_SERVFAIL = 525,
-    VAR_DENY_ANY = 526,
-    VAR_UNKNOWN_SERVER_TIME_LIMIT = 527,
-    VAR_LOG_TAG_QUERYREPLY = 528,
-    VAR_STREAM_WAIT_SIZE = 529,
-    VAR_TLS_CIPHERS = 530,
-    VAR_TLS_CIPHERSUITES = 531,
-    VAR_TLS_USE_SNI = 532,
-    VAR_IPSET = 533,
-    VAR_IPSET_NAME_V4 = 534,
-    VAR_IPSET_NAME_V6 = 535,
-    VAR_TLS_SESSION_TICKET_KEYS = 536,
-    VAR_RPZ = 537,
-    VAR_TAGS = 538,
-    VAR_RPZ_ACTION_OVERRIDE = 539,
-    VAR_RPZ_CNAME_OVERRIDE = 540,
-    VAR_RPZ_LOG = 541,
-    VAR_RPZ_LOG_NAME = 542,
-    VAR_DYNLIB = 543,
-    VAR_DYNLIB_FILE = 544
+    VAR_DNSTAP_BIDIRECTIONAL = 418,
+    VAR_DNSTAP_IDENTITY = 419,
+    VAR_DNSTAP_VERSION = 420,
+    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 421,
+    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 422,
+    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 423,
+    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 424,
+    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 425,
+    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 426,
+    VAR_RESPONSE_IP_TAG = 427,
+    VAR_RESPONSE_IP = 428,
+    VAR_RESPONSE_IP_DATA = 429,
+    VAR_HARDEN_ALGO_DOWNGRADE = 430,
+    VAR_IP_TRANSPARENT = 431,
+    VAR_IP_DSCP = 432,
+    VAR_DISABLE_DNSSEC_LAME_CHECK = 433,
+    VAR_IP_RATELIMIT = 434,
+    VAR_IP_RATELIMIT_SLABS = 435,
+    VAR_IP_RATELIMIT_SIZE = 436,
+    VAR_RATELIMIT = 437,
+    VAR_RATELIMIT_SLABS = 438,
+    VAR_RATELIMIT_SIZE = 439,
+    VAR_RATELIMIT_FOR_DOMAIN = 440,
+    VAR_RATELIMIT_BELOW_DOMAIN = 441,
+    VAR_IP_RATELIMIT_FACTOR = 442,
+    VAR_RATELIMIT_FACTOR = 443,
+    VAR_SEND_CLIENT_SUBNET = 444,
+    VAR_CLIENT_SUBNET_ZONE = 445,
+    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 446,
+    VAR_CLIENT_SUBNET_OPCODE = 447,
+    VAR_MAX_CLIENT_SUBNET_IPV4 = 448,
+    VAR_MAX_CLIENT_SUBNET_IPV6 = 449,
+    VAR_MIN_CLIENT_SUBNET_IPV4 = 450,
+    VAR_MIN_CLIENT_SUBNET_IPV6 = 451,
+    VAR_MAX_ECS_TREE_SIZE_IPV4 = 452,
+    VAR_MAX_ECS_TREE_SIZE_IPV6 = 453,
+    VAR_CAPS_WHITELIST = 454,
+    VAR_CACHE_MAX_NEGATIVE_TTL = 455,
+    VAR_PERMIT_SMALL_HOLDDOWN = 456,
+    VAR_QNAME_MINIMISATION = 457,
+    VAR_QNAME_MINIMISATION_STRICT = 458,
+    VAR_IP_FREEBIND = 459,
+    VAR_DEFINE_TAG = 460,
+    VAR_LOCAL_ZONE_TAG = 461,
+    VAR_ACCESS_CONTROL_TAG = 462,
+    VAR_LOCAL_ZONE_OVERRIDE = 463,
+    VAR_ACCESS_CONTROL_TAG_ACTION = 464,
+    VAR_ACCESS_CONTROL_TAG_DATA = 465,
+    VAR_VIEW = 466,
+    VAR_ACCESS_CONTROL_VIEW = 467,
+    VAR_VIEW_FIRST = 468,
+    VAR_SERVE_EXPIRED = 469,
+    VAR_SERVE_EXPIRED_TTL = 470,
+    VAR_SERVE_EXPIRED_TTL_RESET = 471,
+    VAR_SERVE_EXPIRED_REPLY_TTL = 472,
+    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 473,
+    VAR_FAKE_DSA = 474,
+    VAR_FAKE_SHA1 = 475,
+    VAR_LOG_IDENTITY = 476,
+    VAR_HIDE_TRUSTANCHOR = 477,
+    VAR_TRUST_ANCHOR_SIGNALING = 478,
+    VAR_AGGRESSIVE_NSEC = 479,
+    VAR_USE_SYSTEMD = 480,
+    VAR_SHM_ENABLE = 481,
+    VAR_SHM_KEY = 482,
+    VAR_ROOT_KEY_SENTINEL = 483,
+    VAR_DNSCRYPT = 484,
+    VAR_DNSCRYPT_ENABLE = 485,
+    VAR_DNSCRYPT_PORT = 486,
+    VAR_DNSCRYPT_PROVIDER = 487,
+    VAR_DNSCRYPT_SECRET_KEY = 488,
+    VAR_DNSCRYPT_PROVIDER_CERT = 489,
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 490,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 491,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 492,
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 493,
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 494,
+    VAR_IPSECMOD_ENABLED = 495,
+    VAR_IPSECMOD_HOOK = 496,
+    VAR_IPSECMOD_IGNORE_BOGUS = 497,
+    VAR_IPSECMOD_MAX_TTL = 498,
+    VAR_IPSECMOD_WHITELIST = 499,
+    VAR_IPSECMOD_STRICT = 500,
+    VAR_CACHEDB = 501,
+    VAR_CACHEDB_BACKEND = 502,
+    VAR_CACHEDB_SECRETSEED = 503,
+    VAR_CACHEDB_REDISHOST = 504,
+    VAR_CACHEDB_REDISPORT = 505,
+    VAR_CACHEDB_REDISTIMEOUT = 506,
+    VAR_CACHEDB_REDISEXPIRERECORDS = 507,
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 508,
+    VAR_FOR_UPSTREAM = 509,
+    VAR_AUTH_ZONE = 510,
+    VAR_ZONEFILE = 511,
+    VAR_MASTER = 512,
+    VAR_URL = 513,
+    VAR_FOR_DOWNSTREAM = 514,
+    VAR_FALLBACK_ENABLED = 515,
+    VAR_TLS_ADDITIONAL_PORT = 516,
+    VAR_LOW_RTT = 517,
+    VAR_LOW_RTT_PERMIL = 518,
+    VAR_FAST_SERVER_PERMIL = 519,
+    VAR_FAST_SERVER_NUM = 520,
+    VAR_ALLOW_NOTIFY = 521,
+    VAR_TLS_WIN_CERT = 522,
+    VAR_TCP_CONNECTION_LIMIT = 523,
+    VAR_FORWARD_NO_CACHE = 524,
+    VAR_STUB_NO_CACHE = 525,
+    VAR_LOG_SERVFAIL = 526,
+    VAR_DENY_ANY = 527,
+    VAR_UNKNOWN_SERVER_TIME_LIMIT = 528,
+    VAR_LOG_TAG_QUERYREPLY = 529,
+    VAR_STREAM_WAIT_SIZE = 530,
+    VAR_TLS_CIPHERS = 531,
+    VAR_TLS_CIPHERSUITES = 532,
+    VAR_TLS_USE_SNI = 533,
+    VAR_IPSET = 534,
+    VAR_IPSET_NAME_V4 = 535,
+    VAR_IPSET_NAME_V6 = 536,
+    VAR_TLS_SESSION_TICKET_KEYS = 537,
+    VAR_RPZ = 538,
+    VAR_TAGS = 539,
+    VAR_RPZ_ACTION_OVERRIDE = 540,
+    VAR_RPZ_CNAME_OVERRIDE = 541,
+    VAR_RPZ_LOG = 542,
+    VAR_RPZ_LOG_NAME = 543,
+    VAR_DYNLIB = 544,
+    VAR_DYNLIB_FILE = 545
   };
 #endif
 /* Tokens.  */
@@ -499,133 +500,134 @@ extern int yydebug;
 #define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 415
 #define VAR_DNSTAP_SEND_IDENTITY 416
 #define VAR_DNSTAP_SEND_VERSION 417
-#define VAR_DNSTAP_IDENTITY 418
-#define VAR_DNSTAP_VERSION 419
-#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 420
-#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 421
-#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 422
-#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 423
-#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 424
-#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 425
-#define VAR_RESPONSE_IP_TAG 426
-#define VAR_RESPONSE_IP 427
-#define VAR_RESPONSE_IP_DATA 428
-#define VAR_HARDEN_ALGO_DOWNGRADE 429
-#define VAR_IP_TRANSPARENT 430
-#define VAR_IP_DSCP 431
-#define VAR_DISABLE_DNSSEC_LAME_CHECK 432
-#define VAR_IP_RATELIMIT 433
-#define VAR_IP_RATELIMIT_SLABS 434
-#define VAR_IP_RATELIMIT_SIZE 435
-#define VAR_RATELIMIT 436
-#define VAR_RATELIMIT_SLABS 437
-#define VAR_RATELIMIT_SIZE 438
-#define VAR_RATELIMIT_FOR_DOMAIN 439
-#define VAR_RATELIMIT_BELOW_DOMAIN 440
-#define VAR_IP_RATELIMIT_FACTOR 441
-#define VAR_RATELIMIT_FACTOR 442
-#define VAR_SEND_CLIENT_SUBNET 443
-#define VAR_CLIENT_SUBNET_ZONE 444
-#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 445
-#define VAR_CLIENT_SUBNET_OPCODE 446
-#define VAR_MAX_CLIENT_SUBNET_IPV4 447
-#define VAR_MAX_CLIENT_SUBNET_IPV6 448
-#define VAR_MIN_CLIENT_SUBNET_IPV4 449
-#define VAR_MIN_CLIENT_SUBNET_IPV6 450
-#define VAR_MAX_ECS_TREE_SIZE_IPV4 451
-#define VAR_MAX_ECS_TREE_SIZE_IPV6 452
-#define VAR_CAPS_WHITELIST 453
-#define VAR_CACHE_MAX_NEGATIVE_TTL 454
-#define VAR_PERMIT_SMALL_HOLDDOWN 455
-#define VAR_QNAME_MINIMISATION 456
-#define VAR_QNAME_MINIMISATION_STRICT 457
-#define VAR_IP_FREEBIND 458
-#define VAR_DEFINE_TAG 459
-#define VAR_LOCAL_ZONE_TAG 460
-#define VAR_ACCESS_CONTROL_TAG 461
-#define VAR_LOCAL_ZONE_OVERRIDE 462
-#define VAR_ACCESS_CONTROL_TAG_ACTION 463
-#define VAR_ACCESS_CONTROL_TAG_DATA 464
-#define VAR_VIEW 465
-#define VAR_ACCESS_CONTROL_VIEW 466
-#define VAR_VIEW_FIRST 467
-#define VAR_SERVE_EXPIRED 468
-#define VAR_SERVE_EXPIRED_TTL 469
-#define VAR_SERVE_EXPIRED_TTL_RESET 470
-#define VAR_SERVE_EXPIRED_REPLY_TTL 471
-#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 472
-#define VAR_FAKE_DSA 473
-#define VAR_FAKE_SHA1 474
-#define VAR_LOG_IDENTITY 475
-#define VAR_HIDE_TRUSTANCHOR 476
-#define VAR_TRUST_ANCHOR_SIGNALING 477
-#define VAR_AGGRESSIVE_NSEC 478
-#define VAR_USE_SYSTEMD 479
-#define VAR_SHM_ENABLE 480
-#define VAR_SHM_KEY 481
-#define VAR_ROOT_KEY_SENTINEL 482
-#define VAR_DNSCRYPT 483
-#define VAR_DNSCRYPT_ENABLE 484
-#define VAR_DNSCRYPT_PORT 485
-#define VAR_DNSCRYPT_PROVIDER 486
-#define VAR_DNSCRYPT_SECRET_KEY 487
-#define VAR_DNSCRYPT_PROVIDER_CERT 488
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 489
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 490
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 491
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 492
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 493
-#define VAR_IPSECMOD_ENABLED 494
-#define VAR_IPSECMOD_HOOK 495
-#define VAR_IPSECMOD_IGNORE_BOGUS 496
-#define VAR_IPSECMOD_MAX_TTL 497
-#define VAR_IPSECMOD_WHITELIST 498
-#define VAR_IPSECMOD_STRICT 499
-#define VAR_CACHEDB 500
-#define VAR_CACHEDB_BACKEND 501
-#define VAR_CACHEDB_SECRETSEED 502
-#define VAR_CACHEDB_REDISHOST 503
-#define VAR_CACHEDB_REDISPORT 504
-#define VAR_CACHEDB_REDISTIMEOUT 505
-#define VAR_CACHEDB_REDISEXPIRERECORDS 506
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 507
-#define VAR_FOR_UPSTREAM 508
-#define VAR_AUTH_ZONE 509
-#define VAR_ZONEFILE 510
-#define VAR_MASTER 511
-#define VAR_URL 512
-#define VAR_FOR_DOWNSTREAM 513
-#define VAR_FALLBACK_ENABLED 514
-#define VAR_TLS_ADDITIONAL_PORT 515
-#define VAR_LOW_RTT 516
-#define VAR_LOW_RTT_PERMIL 517
-#define VAR_FAST_SERVER_PERMIL 518
-#define VAR_FAST_SERVER_NUM 519
-#define VAR_ALLOW_NOTIFY 520
-#define VAR_TLS_WIN_CERT 521
-#define VAR_TCP_CONNECTION_LIMIT 522
-#define VAR_FORWARD_NO_CACHE 523
-#define VAR_STUB_NO_CACHE 524
-#define VAR_LOG_SERVFAIL 525
-#define VAR_DENY_ANY 526
-#define VAR_UNKNOWN_SERVER_TIME_LIMIT 527
-#define VAR_LOG_TAG_QUERYREPLY 528
-#define VAR_STREAM_WAIT_SIZE 529
-#define VAR_TLS_CIPHERS 530
-#define VAR_TLS_CIPHERSUITES 531
-#define VAR_TLS_USE_SNI 532
-#define VAR_IPSET 533
-#define VAR_IPSET_NAME_V4 534
-#define VAR_IPSET_NAME_V6 535
-#define VAR_TLS_SESSION_TICKET_KEYS 536
-#define VAR_RPZ 537
-#define VAR_TAGS 538
-#define VAR_RPZ_ACTION_OVERRIDE 539
-#define VAR_RPZ_CNAME_OVERRIDE 540
-#define VAR_RPZ_LOG 541
-#define VAR_RPZ_LOG_NAME 542
-#define VAR_DYNLIB 543
-#define VAR_DYNLIB_FILE 544
+#define VAR_DNSTAP_BIDIRECTIONAL 418
+#define VAR_DNSTAP_IDENTITY 419
+#define VAR_DNSTAP_VERSION 420
+#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 421
+#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 422
+#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 423
+#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 424
+#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 425
+#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 426
+#define VAR_RESPONSE_IP_TAG 427
+#define VAR_RESPONSE_IP 428
+#define VAR_RESPONSE_IP_DATA 429
+#define VAR_HARDEN_ALGO_DOWNGRADE 430
+#define VAR_IP_TRANSPARENT 431
+#define VAR_IP_DSCP 432
+#define VAR_DISABLE_DNSSEC_LAME_CHECK 433
+#define VAR_IP_RATELIMIT 434
+#define VAR_IP_RATELIMIT_SLABS 435
+#define VAR_IP_RATELIMIT_SIZE 436
+#define VAR_RATELIMIT 437
+#define VAR_RATELIMIT_SLABS 438
+#define VAR_RATELIMIT_SIZE 439
+#define VAR_RATELIMIT_FOR_DOMAIN 440
+#define VAR_RATELIMIT_BELOW_DOMAIN 441
+#define VAR_IP_RATELIMIT_FACTOR 442
+#define VAR_RATELIMIT_FACTOR 443
+#define VAR_SEND_CLIENT_SUBNET 444
+#define VAR_CLIENT_SUBNET_ZONE 445
+#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 446
+#define VAR_CLIENT_SUBNET_OPCODE 447
+#define VAR_MAX_CLIENT_SUBNET_IPV4 448
+#define VAR_MAX_CLIENT_SUBNET_IPV6 449
+#define VAR_MIN_CLIENT_SUBNET_IPV4 450
+#define VAR_MIN_CLIENT_SUBNET_IPV6 451
+#define VAR_MAX_ECS_TREE_SIZE_IPV4 452
+#define VAR_MAX_ECS_TREE_SIZE_IPV6 453
+#define VAR_CAPS_WHITELIST 454
+#define VAR_CACHE_MAX_NEGATIVE_TTL 455
+#define VAR_PERMIT_SMALL_HOLDDOWN 456
+#define VAR_QNAME_MINIMISATION 457
+#define VAR_QNAME_MINIMISATION_STRICT 458
+#define VAR_IP_FREEBIND 459
+#define VAR_DEFINE_TAG 460
+#define VAR_LOCAL_ZONE_TAG 461
+#define VAR_ACCESS_CONTROL_TAG 462
+#define VAR_LOCAL_ZONE_OVERRIDE 463
+#define VAR_ACCESS_CONTROL_TAG_ACTION 464
+#define VAR_ACCESS_CONTROL_TAG_DATA 465
+#define VAR_VIEW 466
+#define VAR_ACCESS_CONTROL_VIEW 467
+#define VAR_VIEW_FIRST 468
+#define VAR_SERVE_EXPIRED 469
+#define VAR_SERVE_EXPIRED_TTL 470
+#define VAR_SERVE_EXPIRED_TTL_RESET 471
+#define VAR_SERVE_EXPIRED_REPLY_TTL 472
+#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 473
+#define VAR_FAKE_DSA 474
+#define VAR_FAKE_SHA1 475
+#define VAR_LOG_IDENTITY 476
+#define VAR_HIDE_TRUSTANCHOR 477
+#define VAR_TRUST_ANCHOR_SIGNALING 478
+#define VAR_AGGRESSIVE_NSEC 479
+#define VAR_USE_SYSTEMD 480
+#define VAR_SHM_ENABLE 481
+#define VAR_SHM_KEY 482
+#define VAR_ROOT_KEY_SENTINEL 483
+#define VAR_DNSCRYPT 484
+#define VAR_DNSCRYPT_ENABLE 485
+#define VAR_DNSCRYPT_PORT 486
+#define VAR_DNSCRYPT_PROVIDER 487
+#define VAR_DNSCRYPT_SECRET_KEY 488
+#define VAR_DNSCRYPT_PROVIDER_CERT 489
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 490
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 491
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 492
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 493
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 494
+#define VAR_IPSECMOD_ENABLED 495
+#define VAR_IPSECMOD_HOOK 496
+#define VAR_IPSECMOD_IGNORE_BOGUS 497
+#define VAR_IPSECMOD_MAX_TTL 498
+#define VAR_IPSECMOD_WHITELIST 499
+#define VAR_IPSECMOD_STRICT 500
+#define VAR_CACHEDB 501
+#define VAR_CACHEDB_BACKEND 502
+#define VAR_CACHEDB_SECRETSEED 503
+#define VAR_CACHEDB_REDISHOST 504
+#define VAR_CACHEDB_REDISPORT 505
+#define VAR_CACHEDB_REDISTIMEOUT 506
+#define VAR_CACHEDB_REDISEXPIRERECORDS 507
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 508
+#define VAR_FOR_UPSTREAM 509
+#define VAR_AUTH_ZONE 510
+#define VAR_ZONEFILE 511
+#define VAR_MASTER 512
+#define VAR_URL 513
+#define VAR_FOR_DOWNSTREAM 514
+#define VAR_FALLBACK_ENABLED 515
+#define VAR_TLS_ADDITIONAL_PORT 516
+#define VAR_LOW_RTT 517
+#define VAR_LOW_RTT_PERMIL 518
+#define VAR_FAST_SERVER_PERMIL 519
+#define VAR_FAST_SERVER_NUM 520
+#define VAR_ALLOW_NOTIFY 521
+#define VAR_TLS_WIN_CERT 522
+#define VAR_TCP_CONNECTION_LIMIT 523
+#define VAR_FORWARD_NO_CACHE 524
+#define VAR_STUB_NO_CACHE 525
+#define VAR_LOG_SERVFAIL 526
+#define VAR_DENY_ANY 527
+#define VAR_UNKNOWN_SERVER_TIME_LIMIT 528
+#define VAR_LOG_TAG_QUERYREPLY 529
+#define VAR_STREAM_WAIT_SIZE 530
+#define VAR_TLS_CIPHERS 531
+#define VAR_TLS_CIPHERSUITES 532
+#define VAR_TLS_USE_SNI 533
+#define VAR_IPSET 534
+#define VAR_IPSET_NAME_V4 535
+#define VAR_IPSET_NAME_V6 536
+#define VAR_TLS_SESSION_TICKET_KEYS 537
+#define VAR_RPZ 538
+#define VAR_TAGS 539
+#define VAR_RPZ_ACTION_OVERRIDE 540
+#define VAR_RPZ_CNAME_OVERRIDE 541
+#define VAR_RPZ_LOG 542
+#define VAR_RPZ_LOG_NAME 543
+#define VAR_DYNLIB 544
+#define VAR_DYNLIB_FILE 545
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -635,7 +637,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 639 "util/configparser.h"
+#line 641 "util/configparser.h"
 
 };
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -119,7 +119,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH VAR_DNSTAP_IP
 %token VAR_DNSTAP_TLS VAR_DNSTAP_TLS_SERVER_NAME VAR_DNSTAP_TLS_CERT_BUNDLE
 %token VAR_DNSTAP_TLS_CLIENT_KEY_FILE VAR_DNSTAP_TLS_CLIENT_CERT_FILE
-%token VAR_DNSTAP_SEND_IDENTITY VAR_DNSTAP_SEND_VERSION
+%token VAR_DNSTAP_SEND_IDENTITY VAR_DNSTAP_SEND_VERSION VAR_DNSTAP_BIDIRECTIONAL
 %token VAR_DNSTAP_IDENTITY VAR_DNSTAP_VERSION
 %token VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES
 %token VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES
@@ -2758,7 +2758,7 @@ dtstart: VAR_DNSTAP
 	;
 contents_dt: contents_dt content_dt
 	| ;
-content_dt: dt_dnstap_enable | dt_dnstap_socket_path |
+content_dt: dt_dnstap_enable | dt_dnstap_socket_path | dt_dnstap_bidirectional |
 	dt_dnstap_ip | dt_dnstap_tls | dt_dnstap_tls_server_name |
 	dt_dnstap_tls_cert_bundle |
 	dt_dnstap_tls_client_key_file | dt_dnstap_tls_client_cert_file |
@@ -2780,6 +2780,16 @@ dt_dnstap_enable: VAR_DNSTAP_ENABLE STRING_ARG
 		free($2);
 	}
 	;
+dt_dnstap_bidirectional: VAR_DNSTAP_BIDIRECTIONAL STRING_ARG
+	{
+		OUTYY(("P(dt_dnstap_bidirectional:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->dnstap_bidirectional =
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 dt_dnstap_socket_path: VAR_DNSTAP_SOCKET_PATH STRING_ARG
 	{
 		OUTYY(("P(dt_dnstap_socket_path:%s)\n", $2));